Microsoft will deliver six security bulletins on April 10, 2012 as part of its monthly security update, the Redmond-based company said in an advance notification Thursday. The six security bulletins will, between them, address 11 vulnerabilities in Windows, Office, Internet Explorer, SQL Server, .NET Framework and Forefront Unified Access Gateway.
Microsoft ended 2011 with a late out-of-band patch that took the total number of security bulletins in the year to 100. If the first Patch Tuesday of 2012 is anything to go by, the software giant may not have too much trouble going past last year’s patch tally. The year’s first Patch Tuesday delivered seven vulnerabilities, one more than the last three January Patch Tuesdays combined.
Microsoft had a slight breather in September after it delivered a record 14 security bulletins on Patch Tuesday in August. The company was actually preserving its energy for an even more hectic Patch Tuesday in October, which, according to the Security Bulletin Advance Notification, will include 16 updates to patch 49 vulnerabilities – a new record. Out of the 16 security bulletins, four are labeled “critical,” ten “important,” and the remaining two “moderate.” Ten of the security updates address flaws that could allow remote code execution.
Last month's Patch Tuesday was a record-shattering affair. Microsoft delivered 14 security bulletins covering 34 vulnerabilities in its software. On account of the sheer size of the last Patch Tuesday, it would only be fair to expect the next one to address a considerably smaller number of issues. Moreover, Microsoft usually delivers relatively fewer security updates during odd-numbered months like this one.
However, the company will be releasing nine security updates covering 13 vulnerabilities in Windows, Office and its IIS web server software on September 14, 2010 – twice as many as the maximum during an odd-numbered month so far this year.
Although surprised by the unexpectedly large number of security bulletins, analysts believe the large number could be due to the “DLL load hijacking” vulnerability. According to some estimates, the bug affects hundreds of Windows applications. Four out of the nine security bulletins are rated “critical” with all the rest being labeled “important.”
This month's Patch Tuesday, unlike October's, is a quiet one, with just two security bulletins:
MS08-069 solves a remote code execution vulnerability in Microsoft's XML Core Services that is rated as Critical for version 3.0 and Important for later versions. All 32-bit and 64-bit desktop versions of Windows from Windows 2000 SP4 through Windows Vista SP1 are affected, as well as Microsoft Office 2003 and 2007. The Exploitability Index is 1 (Consistent Exploit Code Likely, the most serious ranking) or 2 (Inconsistent Exploit Code Likely), depending upon the version of XML Core Services installed. Windows Server 2003 and some installations of Windows Server 2008 are also affected.
MS08-068 patches a remote code execution vulnerability in the SMB protocol. MS08-068 is rated as Important for Windows 2000 SP4 and Windows XP, and Moderate for Windows Vista. Windows Server 2003 and all Windows Server 2008 installations are also affected. Despite Microsoft rating this vulnerability as only Important rather than Critical, MS08-068's Exploitability Index is 1 because exploit code targeting Windows XP is already public.
That's it for Patch Tuesday security bulletins, both of which will be arriving soon via Windows Update (or can be downloaded manually if you prefer). What else has Microsoft served up?
The only non-security content this time is the usual monthly update for the Malicious Software Removal Tool (KB890830; not yet updated when this article was posted, but now updated) and the usual monthly update for the Windows Mail junk mail filter (KB905866), available in 32-bit and 64-bit versions.
Be informed, dear readers, Microsoft’s next installment of security bulletins is going to be on September 9, Patch Tuesday. Microsoft revealed in the security bulletin advance notification for September that it will release four security bulletins on the following Patch Tuesday. All four of them merit immediate attention as they have been rated critical. The security bulletins will all fix vulnerabilities pertaining to remote code execution. The Patch Tuesday in August also carried quite a few security bulletins related to remote code execution, including a patch for the “MS Access Snapshot Viewer ActiveX control,” which hackers had begun to exploit using a malicious toolkit.
MAPP provides advance notification to third-party security providers of vulnerabilities that are being addressed by Microsoft security updates, such as the ones rolled out each month on "Patch Tuesday." MAPP is designed to help stop exploits that are launched between the announcement of upcoming patches and the availability of patches. MAPP starts in October, according to eWeek.
Security providers can learn more about MAPP by downloading the fact sheet (MS Word 97-2003 format). For additional insight from a former military and government security specialist who now works for Microsoft, see Steve Adegbite's blog entry about MAPP.
The Microsoft Exploitability Index will provide ratings of how likely each vulnerability is to be successfully exploited. The index will rate each vulnerability at one of three levels:
Consistent exploit code likely
Inconsistent exploit code likely
Functioning exploit code unlikely
Microsoft's fact sheet (MS Word 97-2003 format) suggests that vulnerabilities with the "Consistent" rating should be treated as the most serious threats, followed by the others. To get more insight into the need for this index, see Microsoftie Mike Reavey's blog entry (Reavey is part of the Microsoft Security Response Center). The index will be included with each new security bulletin, also starting in October.