Microsoft released a record number of software updates yesterday to fix at least 64 security vulnerabilities in its Windows operating systems and Office products, including at least one that attackers are actively exploiting.
Updates are available for all versions of Windows via Windows Update or Automatic Update. Nine of the patches earned Microsoft’s “critical” rating, which means the vulnerabilities they fix could be exploited to compromise PCs with little or no action on the part of the user, apart from visiting a booby-trapped Web site or opening a tainted file.
Redmond said three of the patches should be top priorities. Two of them fix critical vulnerabilities in the “server message block” or SMB service, which handles Windows networking. Attackers could exploit the flaw addressed by MS11-020 by sending a single, specially crafted evil data packet to a targeted system. This is the type of flaw that should concern any network administrator, because it has high potential to be used to power an automated computer worm.
Microsoft also called attention to MS11-018, which is a cumulative security update for Internet Explorer that fixes critical flaws in all versions of the browser except the latest IE9, which is not affected. One of the IE vulnerabilities — the MHTML flaw I wrote about in January — is currently being exploited; another was discovered at the Pwn2Own hacking competition earlier this year.
Most XP users will find that a total of 22 to 30 patches will be installed, and more if Office 2010 is installed. The PC will be very busy after reboot and will need about four to five minutes to catch up and finish finalizing all the patches. Included in this month’s patch batch is a .NET Framework update, which usually takes a while to download and install.
In addition to the security updates, Microsoft released two security-related tools. The Rootkit Evasion Prevention Tool “will expose an installed rootkit and give your anti-malware software the ability to detect and remove the rootkit,” wrote Dustin Childs, a senior security program manager at Microsoft. “For a rootkit to be successful it must stay hidden and persistent on a system. One way we have seen rootkits hide themselves on 64-bit systems is bypassing driver signing checks done by winload.exe.”
Microsoft expanded the applicability of its Office File Validation tool, a security feature the company initially released in December 2010 for Office 2010 that has now been extended to work with Office 2003 and 2007. “This feature, which is included in Word, Excel, PowerPoint and Publisher (.doc, .xls, .ppt and .pub file formats), will validate the file structure as it is being opened by the user,” wrote Modesto Estrada, Microsoft’s Office Program Manager. “The validation will check the file to make sure it conforms to expected Office specifications. If this process fails the user will be notified of potential issues.”
As always, please leave a comment if you experience any difficulties during or after installing these patches.