Patch Tuesday Analysis for April 2011

Today Microsoft reports 64 vulnerabilities in 17 bulletins. We recommend giving priority attention to domain controllers, the heart of an Active Directory domain. Here are two bulletins that could affect them:

For MS11-019, the browser pool vulnerability puts domain controllers at risk. Microsoft refers to the “Primary Domain Controller,” which is interesting since that designation is not used for any supported OS. At any rate, the system that is the master browser is the one at risk. Domain controllers are the preferred master browser, but any system can become the master browser for a network segment.
A similar vulnerability also exists in SMB Server and is addressed with MS11-020. Any Windows computer can be a server but Domain Controllers are especially at risk. This is because DCs always have a share open.
MS11-018 is a cumulative update for Internet Explorer. IE 9 is not affected, so if you are planning to upgrade, now might be the time to do it. IE 9 is only available for Vista or newer operating systems. If you are still using IE 6 or 7, be aware that not all of the vulnerabilities in those products are addressed with this update. Specifically it is the “clickjacking” vulnerability which could result in information disclosure. Two of the vulnerabilities are currently being exploited.
The vulnerabilities with MS11-031 are also avoided if IE 9 is installed.
As many as 9 vulnerabilities in Excel are addressed with MS11-021. This will affect primarily Terminal Servers and Workstations that have Office installed.
MS11-022 also addresses multiple vulnerabilities, this time in PowerPoint. PowerPoint Viewers are included. Some users may have viewers that are not supported and these should be upgraded or removed.
MS11-023 also addresses multiple vulnerabilities in Office.
Fax Cover Page Editor has a vulnerability, and two patches are offered with Bulletin MS11-024. This is because two components are involved. The Fax Cover Page Editor is installed by default in some versions of Windows and optionally in others.
Developers will also want to give attention to apps they have created that may be vulnerable as described in MS11-025.
MS11-026 is publicly disclosed and is currently being exploited. This primarily will affect workstations and Terminal Servers.
MS11-027 updates kill-bits in ActiveX controls.
The vulnerability in .NET Framework addressed with MS11-028 has several vectors. Some of these are with web hosting servers, application servers and workstations.
Workarounds are offered in MS11-029 that may give admins more time to consider the patch.
Link-local Multicast Name Resolution (LLMNR) is a new protocol for DNS that also introduces a new vulnerability, addressed in MS11-030.
Microsoft points out that while Internet Explorer is not vulnerable (as mentioned in bulletin MS11-032), third-party browsers may be. The technology that is vulnerable however is a part of Windows: OpenType CFF fonts.
WordPad for Windows XP and Server 2003 incorrectly parses some information, causing a vulnerability when converting .doc and .wri files. MS11-033 introduces a patch for this.
MS11-034 addresses 30 vulnerabilities, all in kernel mode drivers. A user would have to log on locally to exploit these. Microsoft indicates that consistent exploit code is likely.
| Bulletin | Exploit Types / Technologies Affected | System Types Affected | Exploit details public? / Being exploited? | Comprehensive, practical workaround available? | MS severity rating | Products Affected | Notes | Randy's recommendation |
|---|---|---|---|---|---|---|---|---|
| MS11-028 (2484015) | Arbitrary code / .Net Framework | Workstations, Servers, Web Hosting Servers | Yes/No | No | Critical | XP, Vista, Server 2003, Server 2008, Server 2008 R2, Windows 7 | | Patch after testing |
| MS11-033 (2485663) | Arbitrary code / Wordpad | Workstations, Terminal Servers | No/No | Yes | Important | XP, Server 2003 | | Patch after testing |
| MS11-021 (2489279) | Arbitrary code / Microsoft Office | Workstations, Terminal Servers | No/No | No | Important | Office XP, Office 2003, Office 2007, Office 2004 for Mac, Office 2008 for Mac, Excel Viewer, Open XML Converter for MAC, Office 2010, Office 2011 for MAC | | Patch after testing |
| MS11-022 (2489283) | Arbitrary code / Powerpoint | Workstations, Terminal Servers | No/No | No | Important | Office 2003, Office 2007, Office 2004 for Mac, Office 2008 for Mac, Office Converter Pack, PowerPoint Viewer 2007, Open XML Converter for MAC, Web Apps, Office 2010, Office 2011 for MAC, Powerpoint Viewer | | Patch after testing |
| MS11-023 (2489293) | Arbitrary code / Office | Workstations, Terminal Servers | Yes/No | No | Important | Office XP, Office 2003, Office 2007, Office 2004 for Mac, Office 2008 for Mac, Open XML Format Converter Mac | | Patch after testing |
| MS11-029 (2489979) | Arbitrary code / GDI+ | Workstations, Terminal Servers | No/No | Yes | Critical | XP, Vista, Office XP, Server 2003, Server 2008 | Restart Req'd | Patch after testing |
| MS11-018 (2497640) | Arbitrary code / Internet Explorer | Workstations, Terminal Servers | Yes/Yes | No | Critical | XP, Vista, Server 2003, Server 2008, Server 2008 R2, Windows 7 | Cumulative Update; Restart Req'd; IE 9 not affected | Patch after minimal testing |
| MS11-025 (2500212) | Arbitrary code / Microsoft Foundation Classes | Workstations, Terminal Servers, Developer Workstations | Yes/No | No | Important | Visual Studio .NET 2003, Visual Studio 2005, Visual Studio 2008, Visual C++ 2005, Visual C++ 2008, Visual C++ 2010 Redist | Apps created with these products may be a vector | Patch after testing; update apps |
| MS11-026 (2503658) | Information disclosure / MHTML | Workstations, Terminal Servers | Yes/Yes | Yes | Important | XP, Vista, Server 2003, Server 2008, Server 2008 R2, Windows 7 | Restart Req'd | Patch after testing |
| MS11-034 (2506223) | Privilege elevation / Windows kernel mode drivers | Workstations, Terminal Servers | No/No | No | Important | XP, Vista, Server 2003, Server 2008, Server 2008 R2, Windows 7 | Restart Req'd | Patch after testing |
| MS11-032 (2507618) | Arbitrary code / OpenType CFF | Workstations, Terminal Servers | No/No | No | Critical | XP, Vista, Server 2003, Server 2008, Server 2008 R2, Windows 7 | Restart Req'd | Patch after testing |
| MS11-027 (2508272) | Arbitrary code / ActiveX | Workstations, Terminal Servers | Yes/No | Yes | Critical | XP, Vista, Server 2003, Server 2008, Server 2008 R2, Windows 7 | | Patch after testing |
| MS11-020 (2508429) | Arbitrary code / SMB Server | Workstations, Servers | No/No | Yes | Critical | XP, Vista, Server 2003, Server 2008, Server 2008 R2, Windows 7 | Restart Req'd | Patch after testing |
| MS11-030 (2509553) | Arbitrary code / DNS Resolution | Workstations, Terminal Servers | No/No | No | Critical | XP, Vista, Server 2003, Server 2008, Server 2008 R2, Windows 7 | Restart Req'd | Patch after testing |
| MS11-019 (2511455) | Arbitrary code / SMB Client | Workstations, Servers | Yes/No | Yes | Critical | XP, Vista, Server 2003, Server 2008, Server 2008 R2, Windows 7 | Restart Req'd | Patch after minimal testing |
| MS11-031 (2514666) | Arbitrary code / JScript and VBScript Scripting Engine | Workstations, Terminal Servers | No/No | No | Critical | XP, Vista, Server 2003, Server 2008, Server 2008 R2, Windows 7 | | Patch after testing |
| MS11-024 (2527308) | Arbitrary code / Windows | Workstations, Terminal Servers | Yes/No | Yes | Important | XP, Vista, Server 2003, Server 2008, Server 2008 R2, Windows 7 | | Patch after testing |
