Microsoft Fixing 64 Security Flaws for April’s Patch Tuesday

Microsoft’s massive April Patch Tuesday will tie the record for the most security bulletins released at one time. It is a dramatic contrast to last month’s skimpy Patch Tuesday release, which only contained three security bulletins.

On April 12, Microsoft plans to release 17 security bulletins, including nine that are rated “Critical” and eight rated “Important.” Fifteen of the bulletins address vulnerabilities that allow attackers to remotely execute code.

All totaled, the bulletins will address a stunning 64 vulnerabilities spanning Microsoft Windows, Microsoft Office, Internet Explorer, Visual Studio, .NET Framework and the Graphics Device Interface (GDI+).

The last time Microsoft included this many bulletins in one update was in December, according to Jason Miller, a data team manager with Israel-based Shavlik Technologies. Microsoft will set another record with the number of vulnerabilities patched in one release. The previous Microsoft record was 49 vulnerabilities fixed for October’s Patch Tuesday, according to Miller.

While the advance notification bulletin released April 7 did not include any specific details about the individual patches, Microsoft said some of the fixes will address the Windows MHTML vulnerability and the Server Message Block Browser bug in Windows XP.

First reported last January (Security Advisory 2501696), the MHTML flaw allows attackers to run scripts in the wrong security context on Windows XP, Vista, Windows 7 and all supported Windows Server releases. An attacker could exploit the vulnerability to inject a client-side script in a Website the user is viewing in Internet Explorer. Once executed, the script could collect user information and spoof content. Attackers have exploited the vulnerability in “limited, targeted attacks” using the public proof-of-concept code, according to Microsoft.

The Server Message Block Browser bug in Windows XP, which could trigger a blue screen in kernel mode, was publicly disclosed on Feb. 15. French security firm Vupen rated the flaw as “Critical” and warned that the exploit could cause a denial-of-service attack or completely take over the compromised system.

“While RCE [remote code execution] is theoretically possible, we feel it is not likely in practice. DoS [denial of service] is much more likely,” Microsoft Security Research Center Engineering’s Mark Wodrich said on Feb. 17.

“This is a huge update and system administrators should plan for deployment,” Wolfgang Kandek, CTO of Qualys, wrote on The Laws of Vulnerabilities blog.

Affected operating systems include Windows XP, Windows XP Professional x64 Edition, Windows Server 2003, Windows Server 2003 x64 Edition, Windows Vista (32-bit and 64-bit), Windows Server 2008 and Windows 7.

There are updates for Internet Explorer 6 through 8. Despite Microsoft’s attempts to sunset IE6, it appears IE6 bugs in Windows XP and Windows Server 2003 have been addressed.

The patches cover commonly used Office applications, including Microsoft Excel 2002 through 2010, Microsoft PowerPoint 2002 through 2010, and Microsoft Office 2004 for Mac through 2011.

Other included applications are Open XML File Format Converter, Microsoft Visual Studio .NET 2003 Service Pack 1 through Visual Studio 2010, Microsoft Visual C++ 2005 through 2010, Microsoft Excel Viewer Service, Microsoft PowerPoint views 2007, Microsoft Office Compatibility Pack, and Microsoft PowerPoint Web App.