Microsoft Issues Five 'Critical' Patches
In a busy 'Patch Tuesday', Microsoft fixed 25 security flaws--mostly in Windows--with its latest patch drop, even fixing a nasty zero-day in the Help system.
For any PC administrators that thought April might be a slow month for installing security patches, Tuesday was a rude awakening -- not that they weren't warned.
Microsoft (NASDAQ: MSFT) rolled out 11 patches in April's "Patch Tuesday" release, five of them ranked as "critical" by Microsoft. All-in-all, they fix a total of nine separate critical vulnerabilities.
The company sent out an advance warning notice of the scale and scope of the April patch release last Thursday. The advance notifications are intended to give IT pros a heads-up of what to expect when the patches are released.
"This is going to be quite the month for IT administrators," Joshua Talbot, security intelligence manager at Symantec Security Response said in an e-mail to InternetNews.com.
One flaw, in particular, is a zero-day vulnerability that IT professionals have been on tenterhooks about since it surfaced in early March. That vulnerability can be exploited by writing a rogue VBScript that attacks through the Windows help file system via Internet Explorer.
Another patch fixes a critical hole in the way all versions of Windows handle what's called "Windows Authenticode Signature Verification function, or WinVerifyTrust." Authenticode is technology used to ensure that, for instance, a program is actually from the company it says it's from.
An exploit for the hole -- which has experienced no attacks so far, according to Microsoft -- would theoretically let a hacker send users a program that pretended to be verified and, therefore, safe to run.
"The issue would allow an attacker to alter signed executable content ... without invalidating the signature," Jerry Bryant, a group manager in the Microsoft Security Response Center (MSRC) said in a blog post.
Additionally, it is rated critical for all supported versions of Windows, from Windows 2000 Service Pack 4 (SP4) through Windows 7, including the server editions of those systems.
April's batch of patches is not the busiest in recent months. February's patch drop included 13 patches that fixed a total of 26 problems, five of which were rated critical on Microsoft's four-tiered severity scale.
Other critical flaws
Other patches in Tuesday's drop fix a critical flaw in Windows Media Services running on Windows 2000 Server, as well as five holes in a Microsoft networking protocol called Server Message Block (SMB) -- a problem that also vexed Microsoft last fall. Another patch blocks a hole in Microsoft MPEG Layer-3 audio codecs.
Microsoft's April Patch Tuesday releases are available here.