Patch Tuesday Analysis for April 2011
Today Microsoft reports 64 vulnerabilities in 17 bulletins. We recommend giving priority attention to domain controllers, the heart of an Active Directory domain. Here are two bulletins that could affect them:
For MS11-019, the browser pool vulnerability puts domain controllers at risk. Microsoft refers to the “Primary Domain Controller”, which is interesting since that designation is not used for any supported OS. At any rate, the system that is the master browser is the one at risk. Domain controllers are the preferred master browser, but any system can become the master browser for a network segment.
A similar vulnerability also exists in SMB Server and is addressed with MS11-020. Any Windows computer can be a server, but domain controllers are especially at risk. This is because DCs always have a share open.
MS11-018 is a cumulative update for Internet Explorer. IE 9 is not affected, so if you are planning to upgrade, now might be the time to do it. IE 9 is only available for Vista or newer operating systems. If you are still using IE 6 or 7, be aware that not all of the vulnerabilities in those products are addressed with this update. Specifically, it is the “clickjacking” vulnerability, which could result in information disclosure. Two of the vulnerabilities are currently being exploited.
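To find which hosts hold the master browser role on a segment, and so belong at the front of the MS11-019 queue, the NetBIOS name table printed by `nbtstat -A <address>` can be parsed. This is an added example, not part of the original analysis; the hosts DC01 and WS07, the domain CORP and the sample output are constructed, and the suffix meanings are the standard NetBIOS name types.

```python
import re

# Standard NetBIOS name suffixes that reveal browser-service and server roles.
ROLE_BY_SUFFIX = {
    ("1D", "UNIQUE"): "segment master browser",
    ("1B", "UNIQUE"): "domain master browser",
    ("1E", "GROUP"): "potential browser",
    ("20", "UNIQUE"): "server service",
}
# One row of the name table, e.g. "    DC01           <20>  UNIQUE      Registered"
ROW = re.compile(r"^\s*(.{1,15}?)\s*<([0-9A-Fa-f]{2})>\s+(UNIQUE|GROUP)\s+\S+")

def netbios_roles(nbtstat_output):
    """Return the set of roles a host advertises in its NetBIOS name table."""
    roles = set()
    for line in nbtstat_output.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # column headers, separator line, MAC address line
        name, suffix, kind = m.group(1), m.group(2).upper(), m.group(3)
        if suffix == "01" and kind == "GROUP" and "__MSBROWSE__" in name:
            roles.add("segment master browser")
        elif (suffix, kind) in ROLE_BY_SUFFIX:
            roles.add(ROLE_BY_SUFFIX[(suffix, kind)])
    return roles

def master_browsers(tables):
    """Hosts (keys of a host -> nbtstat output dict) holding a master browser role."""
    return sorted(h for h, out in tables.items()
                  if any("master browser" in r for r in netbios_roles(out)))

# Constructed sample output: a workstation has won the election on its segment.
SAMPLE = {
    "DC01": """
    DC01           <00>  UNIQUE      Registered
    DC01           <20>  UNIQUE      Registered
    CORP           <1B>  UNIQUE      Registered
    CORP           <1E>  GROUP       Registered
    """,
    "WS07": """
       Name               Type         Status
    ---------------------------------------------
    WS07           <20>  UNIQUE      Registered
    CORP           <1E>  GROUP       Registered
    CORP           <1D>  UNIQUE      Registered
    ..__MSBROWSE__.<01>  GROUP       Registered
    """,
}
print(master_browsers(SAMPLE))
```

In the sample, WS07 is a workstation that holds the segment master browser role, which is the case the paragraph above warns about.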
The vulnerabilities with MS11-031 are also avoided if IE 9 is installed.
As many as 9 vulnerabilities in Excel are addressed with MS11-021. This will affect primarily Terminal Servers and Workstations that have Office installed.
MS11-022 also addresses multiple vulnerabilities, this time in PowerPoint. PowerPoint Viewers are included. Some users may have viewers that are not supported and these should be upgraded or removed.
MS11-023 also addresses multiple vulnerabilities in Office.
Fax Cover Page Editor has a vulnerability, and two patches are offered with Bulletin MS11-024. This is because two components are involved. The Fax Cover Page Editor is installed by default in some versions of Windows and optionally in others.
Developers will also want to give attention to apps they have created that may be vulnerable as described in MS11-025.
MS11-026 is publicly disclosed and is currently being exploited. This primarily will affect workstations and Terminal Servers.
MS11-027 updates kill-bits in ActiveX controls.
The vulnerability in .NET Framework addressed with MS11-028 has several vectors. Some of these are with web hosting servers, application servers and workstations.
Workarounds are offered in MS11-029 that may give admins more time to consider the patch.
Link-local Multicast Name Resolution (LLMNR) is a new protocol for DNS that also introduces a new vulnerability addressed in MS11-030.
Microsoft points out that while Internet Explorer is not vulnerable (as mentioned in bulletin MS11-032), third-party browsers may be. The technology that is vulnerable however is a part of Windows: OpenType CFF fonts.
WordPad for Windows XP and Server 2003 incorrectly parses some information, causing a vulnerability when converting .doc and .wri files. MS11-033 introduces a patch for this.
MS11-034 addresses 30 vulnerabilities, all in kernel mode drivers. A user would have to log on locally to exploit these. Microsoft indicates that consistent exploit code is likely.
| Bulletin | Exploit Types / Technologies Affected | System Types Affected | Exploit details public? / Being exploited? | Comprehensive, practical workaround available? | MS severity rating | Products Affected | Notes | Randy's recommendation |
|---|---|---|---|---|---|---|---|---|
| MS11-028 2484015 | Arbitrary code / .Net Framework | Workstations, Servers, Web Hosting Servers | Yes/No | No | Critical | XP, Vista, Server 2003, Server 2008, Server 2008 R2, Windows 7 | | Patch after testing |
| MS11-033 2485663 | Arbitrary code / Wordpad | Workstations, Terminal Servers | No/No | Yes | Important | XP, Server 2003 | | Patch after testing |
| MS11-021 2489279 | Arbitrary code / Microsoft Office | Workstations, Terminal Servers | No/No | No | Important | Office XP, Office 2003, Office 2007, Office 2004 for Mac, Office 2008 for Mac, Excel Viewer, Open XML Converter for MAC, Office 2010, Office 2011 for MAC | | Patch after testing |
| MS11-022 2489283 | Arbitrary code / Powerpoint | Workstations, Terminal Servers | No/No | No | Important | Office 2003, Office 2007, Office 2004 for Mac, Office 2008 for Mac, Office Converter Pack, PowerPoint Viewer 2007, Open XML Converter for MAC, Web Apps, Office 2010, Office 2011 for MAC, Powerpoint Viewer | | Patch after testing |
| MS11-023 2489293 | Arbitrary code / Office | Workstations, Terminal Servers | Yes/No | No | Important | Office XP, Office 2003, Office 2007, Office 2004 for Mac, Office 2008 for Mac, Open XML Format Converter Mac | | Patch after testing |
| MS11-029 2489979 | Arbitrary code / GDI+ | Workstations, Terminal Servers | No/No | Yes | Critical | XP, Vista, Office XP, Server 2003, Server 2008 | Restart Req'd | Patch after testing |
| MS11-018 2497640 | Arbitrary code / Internet Explorer | Workstations, Terminal Servers | Yes/Yes | No | Critical | XP, Vista, Server 2003, Server 2008, Server 2008 R2, Windows 7 | Cumulative Update; Restart Req'd; IE 9 not affected | Patch after minimal testing |
| MS11-025 2500212 | Arbitrary code / Microsoft Foundation Classes | Workstations, Terminal Servers, Developer Workstations | Yes/No | No | Important | Visual Studio .NET 2003, Visual Studio 2005, Visual Studio 2008, Visual C++ 2005, Visual C++ 2008, Visual C++ 2010 Redist | Apps created with these products may be a vector | Patch after testing; update apps |
| MS11-026 2503658 | Information disclosure / MHTML | Workstations, Terminal Servers | Yes/Yes | Yes | Important | XP, Vista, Server 2003, Server 2008, Server 2008 R2, Windows 7 | Restart Req'd | Patch after testing |
| MS11-034 2506223 | Privilege elevation / Windows kernel mode drivers | Workstations, Terminal Servers | No/No | No | Important | XP, Vista, Server 2003, Server 2008, Server 2008 R2, Windows 7 | Restart Req'd | Patch after testing |
| MS11-032 2507618 | Arbitrary code / OpenType CFF | Workstations, Terminal Servers | No/No | No | Critical | XP, Vista, Server 2003, Server 2008, Server 2008 R2, Windows 7 | Restart Req'd | Patch after testing |
| MS11-027 2508272 | Arbitrary code / ActiveX | Workstations, Terminal Servers | Yes/No | Yes | Critical | XP, Vista, Server 2003, Server 2008, Server 2008 R2, Windows 7 | | Patch after testing |
| MS11-020 2508429 | Arbitrary code / SMB Server | Workstations, Servers | No/No | Yes | Critical | XP, Vista, Server 2003, Server 2008, Server 2008 R2, Windows 7 | Restart Req'd | Patch after testing |
| MS11-030 2509553 | Arbitrary code / DNS Resolution | Workstations, Terminal Servers | No/No | No | Critical | XP, Vista, Server 2003, Server 2008, Server 2008 R2, Windows 7 | Restart Req'd | Patch after testing |
| MS11-019 2511455 | Arbitrary code / SMB Client | Workstations, Servers | Yes/No | Yes | Critical | XP, Vista, Server 2003, Server 2008, Server 2008 R2, Windows 7 | Restart Req'd | Patch after minimal testing |
| MS11-031 2514666 | Arbitrary code / JScript and VBScript Scripting Engine | Workstations, Terminal Servers | No/No | No | Critical | XP, Vista, Server 2003, Server 2008, Server 2008 R2, Windows 7 | | Patch after testing |
| MS11-024 2527308 | Arbitrary code / Windows | Workstations, Terminal Servers | Yes/No | Yes | Important | XP, Vista, Server 2003, Server 2008, Server 2008 R2, Windows 7 | | Patch after testing |