April Patch Arrives, With Critical Fixes and More


Microsoft rolled out eight fixes today in its monthly security release, addressing some 23 vulnerabilities.

The volume of security bulletins in the April patch marks this release as another historic Patch Tuesday event. Five items are deemed "critical" and two are labeled "important." Finally, Microsoft rounded out the slate with a "moderate" fix.

"Since Microsoft started providing exploitability information, this is the first time we've seen as many as six vulnerabilities being exploited in the wild at the time the corresponding bulletins were released," said Don Leatham, director of solutions and strategy at Lumension. "This is definitely putting pressure on IT Teams to get these patches tested in their environments and out to the endpoints in their organizations."

This month's security update touches on a wide array of Windows applications and services. The usual suspects -- Internet Explorer, Excel and Word -- all get fixes this time.

Items associated with remote code execution attacks by hackers get the critical status. The important fixes are designed to stave off two instances of elevation-of-privilege exploits. The moderate item is supposed to stop a denial-of-service attack.

Critical Items
The first critical fix is said to remedy "two publicly disclosed vulnerabilities and two privately reported vulnerabilities in Microsoft WordPad and Microsoft Office text converters." Affected operating systems include Windows 2000, Windows XP and Windows Server 2003.

The second critical fix affects every known and supported Windows OS in circulation. The item up for patching is Microsoft Windows HTTP Services, a URL coding mechanism used in loading Web pages and transmitting data over the Internet. The fix addresses one publicly reported bug and two privately disclosed vulnerabilities.

Critical fix No. 3 in this month's slate hits on a privately disclosed vulnerability that could allow remote code execution. The attack can happen if a user opens a specially crafted MJPEG file via Microsoft's DirectShow, which is an API function. This vulnerability is also present in DirectX versions 8.1 and 9.0 running on Windows 2000, Windows XP and Windows Server 2003. Vectors for attack are multimedia activities, such as gaming, as well as video and audio through Windows Media Player.

The fourth critical fix will probably be the most important one in the slate. It affects Internet Explorer versions 5.01, 6 and 7 running on Windows 2000, Windows XP and Windows Vista, as well as Windows Server 2003 and Windows Server 2008.

"This [cumulative patch] has proof-of-concept code available for at least one of its covered vulnerabilities and thus has a high exploitability index of one," said Qualys Inc.'s Chief Technology Officer Wolfgang Kandek. "For IT administrators, this means that their window to patch is rapidly shrinking. Where, before, weeks were an acceptable timeframe [to patch], now days seems more adequate."

According to Redmond, the update resolves four privately reported vulnerabilities and two publicly disclosed vulnerabilities in IE, which has been a target of hacker activity. Users who have updated already to Internet Explorer 8 are not affected by this update.

The last critical fix on the agenda addresses an Excel vulnerability that can occur if a user opens a corrupt spreadsheet file, as outlined in a recent security advisory. It affects various Microsoft Office versions, such as 2000, 2003, 2007 Office System, XP and Office 2004 and 2008 for Macs.

Important and Moderate Items
The first important fix for this month pertains to Microsoft's Distributed Transaction Coordinator (MSDTC), which is a Windows-based administrative tool. It affects every supported Windows OS. MSDTC supports information and commands passed over the network via resource managers, SQL Server databases and various file systems.

"The [security] update addresses the vulnerabilities by correcting the way that Microsoft Windows addresses tokens requested by the Microsoft Distributed Transaction Coordinator, and by properly isolating WMI providers and processes that run under the NetworkService or LocalService accounts," Microsoft stated in the bulletin notes for this particular fix.

The second and final important fix affects Microsoft's Forefront Edge Security platform, as well as its Internet Security and Acceleration (ISA) Server. The ISA Server helps stave off malware and firewall-compromising attacks. This fix plugs a hole through which hackers could gain access to a network. The exploit can happen if a hacker sends "specially crafted network packages to the affected system," or if a user clicks on a URL for a Web page containing malicious content, Redmond said.

The lone moderate item in the security rollout addresses one publicly reported vulnerability in the Windows SearchPath function that can lead to an elevation-of-privilege attack. A hacker could use SearchPath to increase access after a user downloads a malicious file, Microsoft said. This fix affects all Windows operating systems.

This April patch likely will keep IT pros busy as all eight patches may require restarts.

Microsoft is referring those interested in nonsecurity updates delivered through Windows Update, Microsoft Update and Windows Server Updates to this Knowledgebase article. It links to IE 8 updates, along with junk-mail filter upgrades and malicious software removal tool updates.

About the Author

Jabulani Leffall is an award-winning journalist whose work has appeared in the Financial Times of London, Investor's Business Daily, The Economist and CFO Magazine, among others.

