Microsoft has released 11 patches in its April Patch Tuesday monthly security update to cover 25 vulnerabilities across a range of operating systems and software packages.
IT administrators with a good inventory of their installed IT base will have an easier time evaluating which machines need patches, said Wolfgang Kandek, chief technology officer at security firm Qualys.
"Although this is a big release, IT administrators probably will not have all of the included software packages and configurations installed in their environment and therefore will need to install only a subset of the 11 bulletins," he said.
But five of the patches are critical, involve remote code execution and affect all major versions of Windows software. They could cause an interruption in services affecting workflow and productivity levels, said Alan Bentley, vice president international at security firm Lumension.
The patches include two open zero-day vulnerabilities: MS10-020 for the SMBv2 Denial of Service vulnerability in Windows 7 and Windows Server 2008 (KB977544), and MS10-022 for the F1 attack through Internet Explorer (KB981169).
MS10-020 fixes other SMB vulnerabilities as well and is a critical update for all platforms, said Kandek.
MS10-026 addresses a DirectShow vulnerability that can be exploited by viewing a media file, which can lead to remote code execution.
MS10-027 is a Windows Media Player ActiveX control vulnerability that can lead to similar results.
"Both are relatively easy to exploit and have a low exploitability index, however Windows 7 users are not affected by either of the vulnerabilities," said Kandek.
MS10-019 addresses a flaw in the Windows Authenticode algorithm involved during the installation process of new software.
"This vulnerability has an exploit rating of difficult, meaning that even advanced attackers will take a while to come up with the necessary exploit code, but we still recommend patching this during the normal cycle for all machines," said Kandek.
MS10-025 is a critical Windows Media Services vulnerability, but affects only Windows 2000, he said.
The remaining bulletins are ranked as important and moderate.
MS10-028 is a file format attack against Visio, which can result in remote code execution. MS10-023 is a similar attack against Microsoft Publisher.
"As these software packages are not widely installed, a good inventory will be helpful in evaluating the exposure," said Kandek.
MS10-021 is a side effect created by registry linking. MS10-024 is a Denial of Service vulnerability in the SMTP server of Windows 2003 64-bit only, and MS10-029 is an IPv6/IPv4 packet envelope vulnerability that can lead to information disclosure, he said.
Adobe has also released its quarterly patches for Adobe Reader and Acrobat on Windows, Mac OS X and Unix.
"The update is critical and fixes 15 vulnerabilities with a maximum exposure of remote code execution," said Kandek.