The Tech Herald

Patch Tuesday promises to keep IT busy this April

by Steve Ragan - Apr 13 2010, 19:30

Microsoft pushed 11 security bulletins addressing 25 vulnerabilities on Tuesday, which will translate into a good deal of work for IT departments across the globe. Included in the releases are fixes to address problems for Windows, Exchange, and Office.

“Despite 11 patches covering 25 vulnerabilities, this is really the month of Media updates. There are only 3 updates rated Critical that also have an Exploitability Index of 1 and all 3 are for Media-enabling technologies,” said Rapid7’s Josh Abraham, addressing the patches for Media Services, MPEG Decoder, and Media Player.

“This is a much busier April than we've seen in the past. We generally see 5-8 updates and 25 vulnerabilities beats 2009's April record of 21 vulnerabilities addressed,” he added.

As an aside, Abraham noted that had Microsoft not addressed the Internet Explorer rollup with an out-of-band update last month, April would have been even larger, with 12 updates across 35 vulnerabilities.

When asked, Wolfgang Kandek, CTO for Qualys, noted that in addition to the media patches, the “bulletins address a wide array of operating systems and software packages; IT administrators with a good inventory of their installed base will have an easier time evaluating which machines need patches.”

Kandek noted that MS10-020 and MS10-022 each deal with open Zero-Day vulnerabilities. MS10-020 addresses the SMBv2 Denial of Service vulnerability on Windows 7 and Server 2008, while also addressing other SMB problems.

MS10-022 addressed the F1 vulnerability, which was seen and reported earlier this year due to limited attacks on Internet Explorer.

Commenting on the SMB fix, Andrew Storms of nCircle said that, “It’s a bit out of character for Microsoft to wait six months to deliver a fix for a bug that has been publicly disclosed. Microsoft probably lowered the priority on this one so they could put more resources towards higher risk problems like the IE and server-side bugs they’ve been fixing since November.”

While MS10-020 is listed as Critical, another patch listed as Important (MS10-021) covers the Windows Kernel and needs consideration. According to Abraham, it is arguably more concerning, as two of the eight underlying vulnerabilities have an Exploitability Index of 1.

“If Microsoft's Exploitability Index holds true, this one should be next in line after the 3 Critical Media updates for prioritization,” he said.

One of the recommended patches, according to guidance from Microsoft to IT administrators, is MS10-019, which affects all versions of Windows. This patch covers the WinVerifyTrust signature validation vulnerability.

“[It] can be used to really enhance social engineering efforts,” said Joshua Talbot, security intelligence manager, Symantec Security Response.

In its base form, the vulnerability allows an attacker to make Windows report to the user that an application was created by any vendor the attacker chooses to impersonate.

“It allows an attacker to fool Windows into thinking that a malicious program was created by a legitimate vendor. Targeted attacks are popular and since social engineering plays such a large role in them, plan on seeing exploits developed for this vulnerability,” Talbot added.

Along with the patches, Microsoft also reminded administrators that Windows XP SP 2 will no longer be supported as of July 13, and Windows 2000 will retire on the same day. In the case of XP, users are encouraged to upgrade to Windows 7 or SP 3. As for Windows 2000, there will be no further updates or security patches, so they should be phased out as soon as possible.

For those of you on Windows Vista RTM, Tuesday was the last day of support. Service Pack 1 will still be supported until July 12, 2011, but Microsoft is encouraging anyone who hasn’t upgraded to move to Service Pack 2.

The complete listing for this month’s patches can be seen here.
