Microsoft released 17 security bulletins last night for its latest Patch Tuesday, nine of which were critical.
Pete Voss, senior response communications manager at Microsoft Trustworthy Computing, confirmed that the bulletins addressed 64 unique vulnerabilities in Microsoft Windows, Microsoft Office, Internet Explorer, Visual Studio, SMB, .NET Framework and GDI+.
He said: “I did want to point out that 30 of these vulnerabilities are addressed by a single bulletin, MS11-034, and they all share the same couple of root causes. The bulletin is rated important. This month, there are three top priority bulletins, all rated critical: MS11-020 (SMB Server); MS11-019 (SMB Client); and MS11-018 (Internet Explorer). As always, Microsoft recommends that customers test and deploy all bulletins as soon as possible.”
Voss also thanked ‘industry collaboration’ for the community's part in keeping customers and the overall ecosystem free from threats.
“Microsoft truly appreciates coordination with industry experts working together to keep customers protected. In total, 21 finders coordinated with Microsoft for the April release. Microsoft actively partners with the security community to assess threats and better protect customers, and April is an example of coordinated vulnerability disclosure at work,” he said.
Wolfgang Kandek, CTO at Qualys, called this ‘a full plate for system administrators of companies both large and small’. Joshua Talbot, security intelligence manager at Symantec Security Response, noted that this was the heaviest load for some time, with 64 patches eclipsing the previous single-month record of 49 set in October last year.
Commentators were unanimous that bulletin MS11-018, which addresses two vulnerabilities in Internet Explorer that are already being used by attackers in the wild to gain control over machines, should be applied first.
Tyler Reguly, technical manager of security research and development at nCircle, said that the most impressive part of this month's patch is the speed with which Microsoft is shipping a patch for the vulnerability from Pwn2Own.
Alan Bentley, SVP international at Lumension, said: “Most noteworthy of the patches is MS11-018, a critical patch for IE6, IE7 and IE8 on Windows clients. Without the patch, browsers are instantly compromised from the moment a user visits a malicious site.”
Jason Miller, data and security team leader at Shavlik Technologies, said: “Microsoft is releasing their bi-monthly update for Internet Explorer. MS11-018 fixes five vulnerabilities and two of the vulnerabilities addressed with this security bulletin fix zero-day vulnerabilities.
“Just yesterday, Microsoft's MSRC tweeted about reports of limited attacks on one of these zero-day vulnerabilities. It is extremely important to patch as soon as possible, regardless of which browser you are running. Web browsers are still, and will continue to be, one of the most common attack vectors. The urgency to patch gets exponentially bigger when there are zero-day exploits actively being used against web browsers. It is important to note, however, that the newly released Internet Explorer 9 browser is not affected by this security bulletin.”
Reguly also commented that MS11-020 had him ‘a little worried’, as it would be the patch that he would be applying to his systems first. “At first glance it appears to have all the criteria to be another MS08-067, the vulnerability utilised by Conficker,” he said.
Bentley said that MS11-020 and MS11-019, the two SMB-related bulletins, are both geared towards fixing vulnerabilities in SMB Server and SMB Client and both could leave servers available for hackers to take control of them.
Kandek said: “With MS11-020, attackers can send a specially crafted packet to a server running this file sharing service and take control of the machine. The exploitability index is a low ‘1’, meaning that attackers will have little difficulty in reverse engineering the exploit, once they have the patch for MS11-020 in hand.
“Companies that make SMB accessible over the internet are especially at risk. However the main attack opportunity is going to be inside of enterprise networks. MS11-019 is the third vulnerability that we rank as highly critical. It also affects the SMB protocol, but this time on the client side. This typical attack vector is an email that contains a link to an external malicious file server. The client opens the file which responds with malicious content and then gains control over the client workstation.”
Finally, commentators also highlighted MS11-026, which covers an MHTML vulnerability in Windows. Kandek said that this vulnerability has seen a number of attacks since it was first disclosed by Google on 11th March, and that Microsoft had previously addressed it with a ‘Fix-it’ script that locked down the MHTML protocol inside of Windows Explorer and Internet Explorer.
Miller said: “There have been reports of this vulnerability being publicly exploited. Microsoft did supply a workaround for the vulnerability that disabled MHTML functionality and, if the workaround has been applied, it should be removed to return MHTML functionality back to end-users.”