Qualys Blog

www.qualys.com
wkandek

Patch Tuesday – Preview for April 2010

Today Microsoft released their advance notification for next week’s Patch Tuesday. There will be 11 security bulletins (5 critical) affecting a range of Windows operating system components as well as Microsoft Office and Microsoft Exchange. This is a fairly large update and will keep system administrators busy.

Of particular interest is that Microsoft will fix 2 open 0-day vulnerabilities: the F1 attack through Internet Explorer (KB981169) and the SMBv2 Denial of Service vulnerability (KB977544), which is only present on Windows 7 and Windows Server 2008.

The 5 critical bulletins affect Windows 2000, XP, Vista, 2003, 2008 and Windows 7. An attacker can use these vulnerabilities to remotely execute code on the victim’s machine, so these bulletins should be addressed as quickly as possible.

An additional 5 security bulletins are rated as important and apply to Microsoft Office, Microsoft Exchange and Windows. If these vulnerabilities are left unpatched, an attacker could execute code, cause a denial of service or obtain elevated privileges on the victim’s machine. The remaining security bulletin is rated as Important.

Most of the patches require a machine reboot after installation.

Similar to past Patch Tuesdays, Windows 7 has fewer critical updates to install than the older operating system versions, an indication that the newer versions of Windows are more robust and secure out of the box.

In addition to the Microsoft patches, administrators will also have to pay attention to the security fixes coming out from Adobe for the Reader and Acrobat products. The Adobe update is rated as critical and a successful exploit will allow the attacker to take control of the target machine.
