In the midst of a wave of targeted zero-day attacks hitting big businesses, Microsoft has shipped a monster batch of security patches covering 64 vulnerabilities in Microsoft Windows, Office, Internet Explorer, Visual Studio, .NET Framework and GDI+.
The Internet Explorer browser patch (MS11-018), rated "critical," covers at least five documented security holes, including one that was used to hijack a Windows 7 machine at this year's CanSecWest Pwn2Own hacker challenge.
[ SEE: Pwn2Own 2011: IE8 on Windows 7 hijacked with 3 vulnerabilities ]
Of the 17 bulletins released this month, nine are rated "critical," Microsoft's highest severity rating. The remaining eight bulletins carry an "important" rating, which means they can be exploited to compromise the confidentiality, integrity, or availability of users' data, or the integrity or availability of processing resources.
Microsoft is urging Windows users to treat the following bulletins with the utmost priority:
- MS11-018 (Internet Explorer). This security bulletin resolves four privately reported vulnerabilities and one publicly disclosed vulnerability in Internet Explorer. This bulletin is rated Critical for IE 6, IE 7 and IE 8 on Windows clients; and Moderate for IE 6, IE 7 and IE 8 on Windows servers. Internet Explorer 9 is not affected by the vulnerabilities. Microsoft is aware of limited attacks leveraging vulnerabilities addressed by this bulletin, including the vulnerability used at the CanSecWest 2011 Conference, which we tweeted about yesterday. We encourage all customers to apply this bulletin first of all our April bulletins.
- MS11-019 (SMB Client). This bulletin resolves one publicly disclosed vulnerability and one privately reported vulnerability in Microsoft Windows. The vulnerabilities could allow remote code execution if an attacker sent a specially crafted SMB response to a client-initiated SMB request. The publicly disclosed vulnerability was posted to Full Disclosure on February 15. Microsoft investigated the issue and found that remote code execution was extremely unlikely. As Microsoft has not seen any active attacks, we opted not to disrupt customers with an out-of-band bulletin.
- MS11-020 (SMB Server). This bulletin resolves an internally discovered vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if an attacker created a specially crafted SMB packet and sent the packet to an affected system.
According to Wolfgang Kandek of Qualys, all Windows operating systems and all versions of Office are affected by this Patch Tuesday, making it a "full plate for system administrators of companies both large and small."
In addition to the three high-priority updates listed above, Kandek also calls attention to MS11-021, MS11-022 and MS11-023, which address vulnerabilities in the Microsoft Office suite.
Rodrigo Branco, Director of Vulnerability Research at Qualys who reported the Excel vulnerability fixed by MS11-021 to Microsoft in 2010, emphasizes that an attacker can relatively easily craft an Excel file that will trigger the flaw. He recommends installing this patch as quickly as possible.
Noting that Adobe Flash vulnerabilities are being actively exploited in the wild to attack workstations, Kandek recommends that IT administrators look into the possibility of disabling Flash content embedded in Word or Excel files.
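One way an administrator can act on that recommendation is to set the ActiveX "kill bit" for the Flash Player control, which stops Office (and Internet Explorer) from instantiating it inside documents. The script below is an added example, not code from the article, Microsoft or Qualys. It assumes the well-known Flash Player ActiveX CLSID `{D27CDB6E-AE6D-11CF-96B8-444553540000}`, the standard `Compatibility Flags = 0x400` kill-bit mechanism under the Internet Explorer ActiveX Compatibility key, and that Office honours that kill-bit list; the `Wow6432Node` branch is written only when it exists, so 32-bit Office on 64-bit Windows is covered too.

```powershell
# Added example (not from the article, Microsoft or Qualys): set the ActiveX kill bit
# for the Adobe Flash Player control so Office documents and IE cannot load it.
# Assumptions: the Flash Player CLSID below and Compatibility Flags = 0x400 are the
# standard kill-bit mechanism, and Office honours the IE ActiveX Compatibility list.
# Run from an elevated PowerShell prompt; test on a non-production machine first.

$FlashClsid = '{D27CDB6E-AE6D-11CF-96B8-444553540000}'
$KillBit    = 0x400   # ActiveX "do not instantiate" compatibility flag

$KeyRoots = @('HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility')
# 32-bit Office/IE on 64-bit Windows read the redirected Wow6432Node view.
if (Test-Path 'HKLM:\SOFTWARE\Wow6432Node') {
    $KeyRoots += 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
}

foreach ($root in $KeyRoots) {
    $key = Join-Path $root $FlashClsid
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name 'Compatibility Flags' -PropertyType DWord `
                     -Value $KillBit -Force | Out-Null
}

# Verify: every target key must now carry the 0x400 bit in Compatibility Flags.
foreach ($root in $KeyRoots) {
    $key   = Join-Path $root $FlashClsid
    $flags = (Get-ItemProperty -Path $key -Name 'Compatibility Flags').'Compatibility Flags'
    $state = if (($flags -band $KillBit) -eq $KillBit) { 'kill bit SET' } else { 'kill bit MISSING' }
    Write-Output ('{0} : 0x{1:X} ({2})' -f $key, $flags, $state)
}
```

Caveat: the kill bit is not Office-specific. Once set, Internet Explorer on the same machine will also refuse to load Flash, so roll it out as a deliberate policy decision (or scope it to hosts where browser Flash is not needed) rather than as a quiet per-document tweak, and remove the key if Flash is later needed again.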