Patch Tuesday April 2011

In April 2011 Microsoft is releasing 17 security bulletins fixing a total of 64 vulnerabilities. Nine bulletins are rated critical and eight bulletins are rated important. All Windows operating systems and all versions of Office are affected, so this is a full plate for system administrators of companies both large and small.

On the top of the priority list of Qualys' vulnerability team is MS11-018, a bulletin for Windows Internet Explorer that addresses two vulnerabilities that are already being used used by attackers in the wild to gain control over machines. We recommend deploying this patch immediately.

Next on our list is MS11-020, a server side vulnerability in the SMB protocol. Attackers can send a specially crafted packet to a server running this file sharing service and take control of the machine. The exploitability index is a low "1", meaning that attackers will have little difficulty in reverse engineering the exploit, once they have the patch for MS11-020 in hand. Companies that make SMB accessible over the Internet are especially at risk. However the main attack opportunity is going to be inside of enterprise networks, once an attacker has established a presence on the network, for example, through one of the more frequent client side vulnerabilities in browsers, browser plug-ins or applications.

MS11-019 is the third vulnerability that we rank as highly critical. It also affects the SMB protocol, but this time on the client side. This typical attack vector is an e-mail that contains a link to an external malicious file server. The client opens the file which responds with malicious content and then gains control over the client workstation.

MS11-021, MS11-022, MS11-023 are all vulnerabilities in the Microsoft Office Suite. Rodrigo Branco, Director of Vulnerability Research at Qualys who reported the Excel vulnerability fixed by MS11-021 to Microsoft in 2010, emphasizes that an attacker can relatively easily craft an Excel file that will trigger this critical flaw and assume control of the target machine. He recommends installing this patch as quickly as possible.

Microsoft also shipped a fix (MS11-026) for the MHTML vulnerability in Windows. This vulnerability has seen a number of attacks since first disclosed by Google on March 11th. Microsoft had previously addressed it with a "Fix-it" script that locked-down the MHTML protocol inside of Windows Explorer and Internet Explorer.

As in all months, IT administrators should review all remaining bulletins for applicability to their environments, but this month this is especially important with such a large number of vulnerabilities.

Note that Adobe released a security advisory for a critical vulnerability in Adobe Flash (APSA11-02) that is being used in the wild to attack workstations. As all current attacks use a Flash file embedded in Microsoft Word, we recommend looking into the possibility of disabling Flash content in Word files altogether through the Trust Center, as described in this Microsoft Tech Document.