Microsoft Fixes 64 Bugs In Biggest Ever Patch Tuesday Update

Software giant Microsoft released 17 security bulletins, addressing 64 vulnerabilities in its biggest ever patch Tuesday update.

In December's Patch Tuesday update, Microsoft issued 17 bulletins, but fixed only 40 bugs, while the October 2010 update fixed 49 bugs.

Patch Tuesday is the second Tuesday of each month, on which Microsoft releases security patches.

Out of the 17 security bulletins released on April 12, 9 were rated Critical and 8 rated Important and the bulletins would fix bugs across various platforms including Microsoft Windows, Microsoft Office, Internet Explorer, Visual Studio, .NET Framework and GDI+.

A single bulletin -MS11-034 - would patch 30 bugs, Pete Voss Sr. Response Communications Manager, Microsoft Trustworthy Computing, said in a blog post.

This month, there are three top priority bulletins, all rated Critical: MS11-020 (SMB Server), MS11-019 (SMB Client) and MS11-018 (Internet Explorer), Voss said.

Following are three top priority bulletins issued by Microsoft:

MS11-018 (Internet Explorer): This security bulletin resolves four privately reported vulnerabilities and one publicly disclosed vulnerability in Internet Explorer. This bulletin is rated Critical for IE 6, IE 7 and IE 8 on Windows clients; and Moderate for IE6, IE7, and IE8 on Windows servers.

However, Internet Explorer 9 is not affected by the vulnerabilities. Microsoft is aware of limited attacks leveraging vulnerabilities addressed by this bulletin, including the vulnerability used at the CanSecWest 2011 Conference.

MS11-019 (SMB Client): This bulletin fixes one publicly disclosed vulnerability and one privately reported vulnerability in Microsoft Windows. The vulnerabilities could allow remote code executions if an attacker sent a specially crafted SMB response to a client-initiated SMB request. The publicly disclosed vulnerability was posted to full disclosure on February 15.

MS11-020 (SMB Server): This bulletin resolves an internally discovered vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if an attacker created a specially crafted SMB packet and sent the packet to an affected system.

Office File Validation:

Microsoft also announced an Office File Validation feature for supported editions of Microsoft Office 2003 and Microsoft Office 2007 to block malware disguised as Office documents, a bug that was originally announced in December 2010.

The feature, previously only available for supported editions of Microsoft Office 2010, will scan and validate office files before they are opened. This will make easier for customers to protect themselves from Office files that may contain malformed data, such as unsolicited Office files received from unknown or known sources.

This feature, which is included in Word, Excel, PowerPoint and Publisher (.doc, .xls, .ppt and .pub file formats), will validate the file structure as it is being opened by the user. The validation will check the file to make sure it conforms to expected Office specifications. If this process fails the user will be notified of potential issues. Modesto Estrada, Office Program Manager, said.

The Office File Validation feature described in this advisory applies when opening an Office file using Microsoft Excel 2003, Microsoft PowerPoint 2003, Microsoft Word 2003, Microsoft Publisher 2003, Microsoft Excel 2007, Microsoft PowerPoint 2007, Microsoft Word 2007, or Microsoft Publisher 2007.

Microsoft's Office File Validation helps detect and prevent a kind of exploit known as a file format attack. File format attacks exploit the integrity of a file, and occur when the structure of a file is modified with the intent of adding malicious code.

Usually the malicious code is run remotely and is used to elevate the privilege of restricted accounts on the computer, allowing hackers to gain access to a computer and read sensitive information from the computer's hard disk drive or to install malware, such as a worm or a key logging program.

The Office File Validation feature helps prevent file format attacks by scanning and validating files before they are opened. To validate files, Office File Validation compares a file's structure to a predefined file schema, which is a set of rules that define what a readable file looks like. If Office File Validation detects that a file's structure does not follow all rules described in the schema, the file does not pass validation.

File format attacks occur most frequently in files that are stored in Office binary file formats. For this reason, Office File Validation scans and validates the following kinds of files:

* Excel 2.0, Excel 3.0, Excel 4.0, Excel 5.0, Excel 97-2003 Workbook files. These types of files have an .xls extension and include all Binary Interchange File Format 2 (BIFF2), BIFF3, BIFF4, and BIFF8 files.

* Excel 2.0, Excel 3.0, Excel 4.0, Excel 5.0, Excel 97-2003 Template files. These types of files have an .xlt extension and include BIFF2, BIFF3, BIFF4, and BIFF8 files.

* PowerPoint 97-2003 Presentation files. These files have a .ppt extension.

* PowerPoint 97-2003 Show files. These files have a .pps extension.

* PowerPoint 97-2003 Template files. These files have a .pot extension.

* Word 6.0, Word 7.0, and Word 97-2003 Document files. These files have a .doc extension.

* Word 6.0, Word 7.0, and Word 97-2003 Template files. These files have a .dot extension.

Update to Windows OS Loader:

Microsoft announced an update for the Windows Operating System loader to help prevent rootkit evasion and addresses a method by which unsigned drivers could be loaded by winload.exe. This technique is often utilized by malware to stay resident on a system after the initial infection.

The issue affects, and the update is available for, x64-based editions of Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2.

For a rootkit to be successful it must stay hidden and persistent on a system. One way we have seen rootkits hide themselves on 64-bit systems is bypassing driver signing checks done by winload.exe. While the update itself won't remove a rootkit, it will expose an installed rootkit and give your anti-malware software the ability to detect and remove the rootkit, said Dustin Childs, senior security program manager, Microsoft Security Response Center.