As expected, Microsoft released a record-breaking, massive number of patches today that affects all versions of Windows and Office -- including its cloud apps -- and addresses some long-standing holes that hackers have been exploiting in the wild.
By the numbers: 17 security bulletins fix a whopping 64 holes. These include nine critical patches and eight important. Of the critical patches, five of them have the highest "exploitability index" rating of 1, meaning that the risk of attack is high and the impact of being pwned is also high. Today's Patch Tuesday is a record-breaker in the number of holes fixed. In December, 2010, Microsoft released 17 patches, too, but these fixed a total of 40 holes.
Affected software runs the gamut. There are patches for all supported versions of Windows, including XP, Vista, Windows 7, Windows Server 2008 R2 and even the non-GUI WS2008 Server Core version.
Additionally, Microsoft issued patches for all versions of Office, including patch MS11-022, for the local, companion app for its cloud-hosted Microsoft PowerPoint Web app. Microsoft explains, "A security vulnerability exists in Microsoft Office Web Access Companion 2010 that could allow arbitrary code to run when a maliciously modified file is opened."
The three patches that all agree are the most important to roll out ASAP:
MS11-020 (SMB Server)
MS11-019 (SMB Client)
and MS11-018 (Internet Explorer 8 and earlier)
"With this release, we finally have our patches for the MHTML (MS11-026) and SMB issues that reportedly have been causing some targeted pain on the Internet. From a priority perspective then, you will want to get MS11-018 and MS11-019 installed first followed by the remaining seven critical vulnerabilities and then 8 important ones," says Paul Henry, forensic and security analyst at Lumension.
Microsoft's recommended order to roll out patches. Click to enlarge.
If you recall, the MHTML bug was disclosed in January and caused a lot of concern because it was a drive-by bug in Windows that could be accessed via IE9's native use of MHTML. Yet the fix for it (MS11-026) and is rated as important because researchers have "not seen evidence that the impact of the MHTML vulnerability is more significant than other zero-day code execution vulnerabilities we’ve seen recently,” said McAfee Labs Director of Security Research and Communication, Dave Marcus
Nevertheless, it is good to see Microsoft patch a bug that's been publicly acknowledged in the wild for four months.
The dangers of holes fixed by today's patches. Click to enlarge.
Another surprise is how many bugs are being fixed in the Windows kernel. "Something that may shock people for today’s Patch Tuesday is Microsoft is not only patching Powerpoint, Excel, and WordPad; they are also updating Win35K. People will certainly question why. Microsoft is patching 32 bugs in Win35k because this many were reported. No need to fret however because these all collapse down to three that actually cause vulnerabilities," says Henry.
Additionally, Microsoft is pushing out two new software updates that it says don't qualify to be called a security patch: the Rootkit Evasion Prevention tool and Office File Validation. (That file validation tool was originally announced in December 2010 only for Office 2010, but it’s now available for Office 2003 and 2007).
Microsoft has not labeled the so-called Rootkit Evasion tool as a security fix but it does update "winload.exe to address an issue in driver signing enforcement ... this update addresses a method by which unsigned drivers could be loaded by winload.exe. This technique is often utilized by malware to stay resident on a system after the initial infection."
The rootkit issue affects, and the update is available for, x64-based editions of Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2.
A summary of all patches can be found in the April Microsoft Security bulletin.