It's Microsoft's "Patch Tuesday" today!
It is going to be a busy week for all the IT professionals since Microsoft is going to deliver a record patch that addresses 64 security vulnerabilities. There will be patches for bugs in Microsoft Windows, Microsoft Office, Internet Explorer, Visual Studio, GDI+ and .NET framework. In this update, the most frequently used office applications like Excel (2003-2010) and Powerpoint (2002-2010) will also be affected. There will be 17 bulletins, of which more than half, that is nine, are critical. The critical bulletins will affect all Windows systems including Server 2008 and Windows 7 and hence Microsoft urges system administrators to plan for a deployment.
Pete Voss, a senior response communication manager at Microsoft says that according to the assessment of Microsoft, the vulnerability could theoretically allow remote code execution. However, he adds that such an event is extremely unlikely and no evidence of attacks have been recorded so far. Apart from the 9 critical bulletins out of 17, the other 8 bulletins are marked to be important. Among those rated as important is a fix for the MHTML script injection vulnerability in Windows. The security bulletins will be released by Microsoft at about 1 pm EDT on 12th April.
The MHTML script injection vulnerability was disclosed in March and the security bulletins also include a Windows browser protocol vulnerability which was disclosed in February this year. Paul Henry, forensic and security analyst at Lumension says that the patch is ugly, no matter how we look at it. He points out that more than half of the updates are critical and all but only two of the updates require remote code execution. Henry also pointed out the recent discovery by RSA that the exploit of its tokens began with an Adobe Flash module embedded within a Microsoft Excel spreadsheet.
He says that every time spear-fishing exploits just take advantage of weaknesses in third party applications. He quoted the fall of Conde Nast for a $8 million breach as spear-fishing. The guys involved in spear fishing take advantage of the applications the companies are not patching with the free patching software provided by Microsoft.
Coming back to the story with the Tuesday patch bulletin, there will be two non-security updates one of which when applied to 64-bit versions of Microsoft Windows Server 2008 R2 and Windows 7 returns an issue that is identified that could allow a user with administrative permissions to load an unsigned driver. Hence, this update seems to be associated with one of the important security measures and hence you should treat it as critical.
Therefore, let's be prepared for the upcoming big event! One among the upcoming features will include a critical SMB browser bug that will involve all versions of Windows. This April patch is therefore a bigger deal when compared with the December 2010 patch which addressed 40 vulnerabilities and only two out of them were deemed critical. Qualys, a security vulnerability scanning firm, has issued a warning that all supported versions of Office and Windows will need to be updated. System administrators will therefore have to spend a lot of extra time in the process.