News

April Patch Arrives, With Critical Fixes and More

Microsoft rolled out eight fixes in its monthly security release, addressing some 23 vulnerabilities.

• By Jabulani Leffall
• 04/14/2009

The volume of security bulletins in the April patch marks this release as another historic Patch Tuesday event. Five items are deemed "critical" and two are labeled "important." Finally, Microsoft rounded out the slate with a "moderate" fix.

"Since Microsoft started providing exploitability information, this is the first time we've seen as many six vulnerabilities being exploited in the wild at the time the corresponding bulletins were released," said Don Leatham, director of solutions and strategy at Lumension. "This is definitely putting pressure on IT Teams to get these patches tested in their environments and out to the endpoints in their organizations."

This month's security update touches on a wide array of Windows applications and services. The usual suspects -- Internet Explorer, Excel and Word -- all get fixes this time.

Items associated with remote code execution attacks by hackers get the critical status. The important fixes are designed to stave off two instances of elevation-of-privilege exploits. The moderate item is supposed to stop a denial-of-service attack.

Critical Items
The first critical fix is said to remedy "two publicly disclosed vulnerabilities and two privately reported vulnerabilities in Microsoft WordPad and Microsoft Office text converters." Affected operating systems include Windows 2000, Windows XP and Windows Server 2003.

The second critical fix affects every known and supported Windows OS in circulation. The item up for patching is Microsoft Windows HTTP Services, a URL coding mechanism used in loading Web pages and transmitting data over the Internet. The fix addresses one publicly reported bug and two privately disclosed vulnerabilities.

Critical fix No. 3 in this month's slate hits on a privately disclosed vulnerability that could allow remote code execution. The attack can happen if a user opens a specially crafted MJPEG file via Microsoft's DirectShow, which is an API function. This vulnerability is also present in DirectX versions 8.1 and 9.0 running on Windows 2000, Windows XP and Windows Server 2003. Vectors for attack are multimedia activities, such as gaming, as well as video and audio through Windows Media Player.

The fourth critical fix will probably be the most important one in the slate. It affects Internet Explorer versions 5.01, 6 and 7 running on Windows 2000, Windows XP and Windows Vista, as well as Windows Server 2003 and Windows Server 2008.

"This [cumulative patch] has proof-of-concept code available for at least one of its covered vulnerabilities and thus has a high exploitability index of one," said Qualys Inc.'s Chief Technology Officer Wolfgang Kandek. "For IT administrators, this means that their window to patch is rapidly shrinking. Where, before, weeks were an acceptable timeframe [to patch], now days seems more adequate."

According to Redmond, the update resolves four privately reported vulnerabilities and two publicly disclosed vulnerabilities in IE, which has been a target of hacker activity. Users who have updated already to Internet Explorer 8 are not affected by this update.

The last critical fix on the agenda addresses an Excel vulnerability that can occur if a user opens a corrupt spreadsheet file, as outlined in a recent security advisory. It affects various Microsoft Office versions, such as 2000, 2003, 2007 Office System, XP and Office 2004 and 2008 for Macs.

Important and Moderate Items
The first important fix for this month pertains to Microsoft's Distributed Transaction Coordinator (MSDTC), which is a Windows-based administrative tool. It affects every supported Windows OS. MSDTC supports information and commands passed over the network via resource managers, SQL Server databases and various file systems.

"The [security] update addresses the vulnerabilities by correcting the way that Microsoft Windows addresses tokens requested by the Microsoft Distributed Transaction Coordinator, and by properly isolating WMI providers and processes that run under the NetworkService or LocalService accounts," Microsoft stated in the bulletin notes for this particular fix.

The second and final important fix affects Microsoft's Forefront Edge Security platform, as well as its Internet Security and Acceleration (ISA) Server. The ISA Server helps stave off malware and firewall-compromising attacks. This fix plugs a hole where hackers could gain access a network. The exploit can happen if a hacker sends "specially crafted network packages to the affected system," or if a user clicks on a URL for a Web page containing malicious content, Redmond said.

The lone moderate item in the security rollout addresses one publicly reported vulnerability in the Windows SearchPath function that can lead to an elevation-of-privilege attack. A hacker could use SearchPath to increase access after a user downloads a malicious file, Microsoft said. This fix affects all Windows operating systems.

This April patch likely will keep IT pros busy as all eight patches may require restarts.

Microsoft is referring those interested in nonsecurity updates delivered through Windows Update, Microsoft Update and Windows Server Updates to this Knowledgebase article. It links to IE 8 updates, along with junk-mail filter upgrades and malicious software removal tool updates.