April 2011 Security Bulletin Release

Hello again everyone,

Pete Voss here, and as I previously mentioned in the Advanced Notification blog on Thursday, today we are releasing 17 security bulletins, nine of which are Critical, and eight rated Important.

These bulletins will increase protection by addressing 64 unique vulnerabilities in the following Microsoft products: Microsoft Windows, Microsoft Office, Internet Explorer, Visual Studio, SMB, .NET Framework and GDI+. I did want to point out that 30 of these vulnerabilities are addressed by a single bulletin, MS11-034, and they all share the same couple of root causes. The bulletin is rated Important.

This month, there are three top priority bulletins, all rated Critical: MS11-020 (SMB Server), MS11-019 (SMB Client) and MS11-018 (Internet Explorer). As always, Microsoft recommends that customers test and deploy all bulletins as soon as possible.

MS11-018 (Internet Explorer). This security bulletin resolves four privately reported vulnerabilities and one publicly disclosed vulnerability in Internet Explorer. This bulletin is rated Critical for IE 6, IE 7 and IE 8 on Windows clients, and Moderate for IE 6, IE 7 and IE 8 on Windows servers. Internet Explorer 9 is not affected by the vulnerabilities. Microsoft is aware of limited attacks leveraging vulnerabilities addressed by this bulletin, including the vulnerability used at the CanSecWest 2011 Conference, which we tweeted about yesterday.

We encourage all customers to apply this bulletin first among our April bulletins.

MS11-019 (SMB Client). This bulletin resolves one publicly disclosed vulnerability and one privately reported vulnerability in Microsoft Windows. The vulnerabilities could allow remote code execution if an attacker sent a specially crafted SMB response to a client-initiated SMB request. The publicly disclosed vulnerability was posted to full disclosure on February 15. Microsoft investigated the issue and found that remote code execution was extremely unlikely. As Microsoft has not seen any active attacks, we opted not to disrupt customers with an out-of-band bulletin.

MS11-020 (SMB Server). This bulletin resolves an internally discovered vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if an attacker created a specially crafted SMB packet and sent the packet to an affected system.

In this video, Jerry Bryant discusses this month’s bulletins in further detail, focusing on these three bulletins.

As always, we recommend that customers deploy all security updates as soon as possible. Below is our deployment priority guidance to further assist customers in their deployment planning.

Our risk and impact graph shows an aggregate view of this month’s severity and exploitability index.

More information about this month’s security updates can be found on the Microsoft Security Bulletin summary web page.

This was a great month for industry collaboration. As we’ve said time and time again, it truly takes a community to keep customers and the overall ecosystem free from threats. Microsoft truly appreciates coordination with industry experts working together to keep customers protected. In total, 21 finders coordinated with Microsoft for the April release. Microsoft actively partners with the security community to assess threats and better protect customers, and April is an example of Coordinated Vulnerability Disclosure (CVD) at work.

I also wanted to shed some light on some interesting security enhancements our engineers have been working on. As you know, we’re always looking to find new ways we can help protect people from current and future potential threats, and today, we’re announcing two new tools:

Office File Validation: Blocks malware disguised as Office documents. Originally announced in December 2010, Microsoft Office File Validation is now available to Office 2003 and Office 2007 users via Security Advisory 2501584. According to Modesto Estrada, Office program manager:

“This feature, which is included in Word, Excel, PowerPoint and Publisher (.doc, .xls, .ppt and .pub file formats), will validate the file structure as it is being opened by the user. The validation will check the file to make sure it conforms to expected Office specifications. If this process fails the user will be notified of potential issues.” Modesto Estrada, Office Program Manager. For further information visit the Microsoft Office blog.

Update for the Windows Operating System Loader to help prevent rootkit evasion. In the words of Dustin Childs, senior security program manager, MSRC:

“For a rootkit to be successful it must stay hidden and persistent on a system. One way we have seen rootkits hide themselves on 64-bit systems is bypassing driver signing checks done by winload.exe. While the update itself won’t remove a rootkit, it will expose an installed rootkit and give your anti-malware software the ability to detect and remove the rootkit.”

These security features, combined with today’s bulletins, are reminders that Microsoft remains committed to protecting customers. We encourage you to apply these updates and features right away. Additionally, please feel free to visit the SRD blog, where Microsoft engineers have offered technical insight into some of these security enhancements.

Per our usual process, we’ll offer the monthly technical webcast on Wednesday, hosted by Jerry Bryant and Jonathan Ness. I invite you to tune in and learn more about the April security bulletins, as well as other announcements made today. The webcast is scheduled for Wednesday, April 13, 2011 at 11 a.m. PDT, and the registration can be found here.

For all the latest information, you can also follow the MSRC team on Twitter at @MSFTSecResponse.

Thank you,

Pete Voss
Sr. Response Communications Manager
Microsoft Trustworthy Computing