Alan Bentley, VP international for Lumension, commented that following a light month of patches in March, April gears up to be a patch-heavy month. He said: “Overall, April's Patch Tuesday bulletin is addressing at least two critical vulnerabilities for every popular Microsoft platform in use today, so the impact will be widespread regardless of which Windows operating systems companies are currently running.
“This means that IT departments are addressing and patching almost every endpoint including servers, laptops and desktops in the organisation. Ideally, they should already have a plan in place as to how they are going to test and then deploy these patches with minimal interruptions to employee productivity levels.”
Wolfgang Kandek, CTO at Qualys, also commented that the number of patches made this a ‘big release for Microsoft, addressing a wide selection of software’. He said: “IT administrators probably will not have all of the included software packages and configurations installed in their environment and therefore will need to install only a subset of the 11 bulletins.”
Commentators claimed that patches MS10-026, MS10-027 and MS10-019, all rated as critical, were the most important. Kandek said that MS10-026 addresses a DirectShow vulnerability that can be exploited through visualising a media file, which can lead to remote code execution, while MS10-027 is a Windows Media Player ActiveX control vulnerability which can lead to similar results.
On MS10-019, Kandek said: “This addresses a flaw in the Windows Authenticode algorithm involved during the installation process of new software. The flaw allows for a downgrade from the current v2 Authenticode algorithm to the deprecated v1 algorithm. If an attacker follows this downgrade with an attack on v1 (a sophisticated multi-stage attack), he could pass off malicious install packages as legitimately signed by major manufacturers.
“This vulnerability has an exploit rating of difficult, meaning that even advanced attackers will take a while to come up with the necessary exploit code - still we recommend patching this during the normal cycle for all machines.”
Bentley suggested that users should make these patches their highest priority. Jason Miller, data and security team leader at Shavlik, said that MS10-019 was ‘very interesting as well as disturbing’. He said: “It is very common to rely on a digital signature to verify the integrity of the file. If the signature is valid, the file came from the original source, making this a simple and secure process.
“However, with this vulnerability, attackers can trick people into thinking the file is valid. With this bulletin, systems will have two patches required to fix this vulnerability which are Authenticode Signature Verification and Cabinet File Viewer Shell Extension.”
He also drew attention to bulletin MS10-021 that addresses a vulnerability in the Windows Kernel. He said: “As you might remember, MS10-015, released earlier this year, addressed the Windows Kernel as well and had adverse effects on some systems. If MS10-015 was applied to a system infected with the Alureon rootkit, the system would bluescreen on reboot. Microsoft changed the logic for MS10-015 and is applying the same logic to MS10-021. The update will look for abnormalities in the Windows Kernel, and if found, the update will fail to install.”
Andrew Storms, director of security operations at nCircle, claimed that, with fixes for critical bugs in Windows Media Player and DirectShow this month, if you put these fixes together with Apple's recent patch of QuickTime it is pretty obvious that attackers are finding a lot of victims through video.
Miller said: “MS10-026 addresses one vulnerability in a Windows Operating System component that handles media codecs. Opening a malicious AVI multimedia file can lead to remote code execution. MS10-027 addresses one vulnerability in Windows Media Player 9 on Windows 2000 and Windows XP. Visiting a malicious website with Internet Explorer that hosts specially crafted media content can lead to remote code execution.
“How common is viewing media files? I am sure there are some users on corporate networks who are, at this moment, looking online for the latest Dancing with the Stars' Kate Gosselin's latest dance routine. Given the popularity of the show, how sure are you that the user will not be downloading a malicious file?”
Tyler Reguly, lead security engineer at nCircle, said: “This month is quite a mixed bag. Windows Media Player to SMTP, Office to SMB - there's something for everyone. While people should be looking to patch the more dangerous MS10-027 in Windows Media Player and MS10-026 in DirectShow, there's still something interesting for researchers like me, namely MS10-024 (SMTP) and MS10-025 (Windows Media Services).”
Looking at the patch releases by Oracle and Adobe, Miller commented that this will make this a challenging month for IT administrators. Bentley pointed to Adobe, saying that a critical security issue recently identified in the ISO PDF standard, which could potentially allow malicious code to be executed, is expected to be patched in the next quarterly patch update from Adobe.
Joshua Talbot, security intelligence manager at Symantec Security Response, said: “This is going to be quite the month for IT administrators. With a large number of patches coming from Microsoft and Oracle, including two from Microsoft for public vulnerabilities, and a handful more patches from Adobe, automating the patching process becomes even more critical to ensure that nothing slips through the cracks.”