Assessing the risk of the April security updates - Security Research & Defense - Site Home

Today we released 17 security bulletins. Nine have a maximum severity rating of Critical and eight have a maximum severity rating of Important. We hope that the table below helps you prioritize the deployment of the updates appropriately for your environment.

Bulletin	Most likely attack vector	Max Bulletin Severity	Max Exploit-ability Index	Likely first 30 days impact	Platform mitigations and key notes
MS11-018 (IE)	Victim browses to a malicious webpage.	Critical	1	We are aware of targeted attacks leveraging both CVE-2011-0094 and CVE-2011-1345.	IE8 and IE9 not vulnerable to CVE-2011-0094. IE9 not vulnerable to CVE-2011-1345.
MS11-019 (SMB Client)	Victim makes an outbound connection to a malicious SMB server which responds with a malicious SMB packet, potentially executing code on the client in ring0.	Critical	1	Likely to see reliable exploits developed within next 30 days for CVE-2011-0660.	Windows 7 SP1 vulnerable to CVE-2011-0660 for denial of service only.
MS11-020 (SMB Server)	Attacker sends malicious network traffic to a victim running the Server service, potentially executing code in ring0.	Critical	1	Likely to see reliable exploits developed within next 30 days.	Many home routers and enterprise perimeter firewalls block SMB ports (139, 445).
MS11-027 (IE killbits)	Victim browses to a malicious webpage.	Critical	1	Likely to see reliable exploits developed for one or more of these ActiveX controls.	CVE-2011-1243 affects only Windows XP users who have never used Windows Messenger.
MS11-028 (.NET)	Victim browses to a malicious webpage that offers an XBAP application. Could also be used by a malicious ASP.Net application to bypass CAS restrictions.	Critical	1	Vulnerability itself is exploitable (hence the “1” rating). However, we do not typically see XBAP exploits in the wild. Remains to be seen if attackers will attempt to exploit this.	Silverlight not affected.
MS11-032 (Opentype Font driver)	Victim using explorer.exe browses to a folder containing a malicious OTF file. Could also be used as a local elevation of privilege for an attacker already able to run code on a machine.	Critical	1*	Likely to see reliable exploits developed within next 30 days.	Windows XP and Windows Server 2003 not vulnerable to the shell preview attack vector.
MS11-029 (GDIplus.dll)	Victim opens malicious Word document or opens a malicious EMF file.	Critical	1	Likely to see reliable exploit developed in next 30 days.	Office 2003 and later versions of Office are not affected. Windows 7 also not affected.
MS11-031 (VBScript / JScript)	Victim browses to a malicious webpage.	Critical	2	Difficult to build a reliable exploit. Less likely to see this issue exploited for code execution in next 30 days.	32-bit platforms unlikely to be exploited for code execution unless running with /3GB boot option.
MS11-030 (DNS link-local name resolution)	Attacker sends a malicious link local multicast name resolution (LLMNR) request to victims on the same local link, potentially executing code as NetworkService on nearby systems.	Critical	2	Difficult to build a reliable exploit. Less likely to see this issue exploited for code execution in first 30 days.	Does not affect systems using the (default) Public network profile.
MS11-026 (MHTML)	Victim browses to a malicious website that steals browser cookies for other trusted website.	Important	n/a	We are aware of public exploits that attempt to leverage CVE-2011-0096.	No direct code execution. This is an information disclosure threat.
MS11-021 (Excel)	Victim opens a malicious Excel spreadsheet (XLS).	Important	1	Likely to see reliable exploit developed in next 30 days.
MS11-022 (PowerPoint)	Victim opens a malicious PowerPoint presentation (PPT).	Important	1	Likely to see reliable exploit developed in next 30 days.
MS11-023 (Excel)	Victim opens a malicious Excel spreadsheet (XLS).	Important	1	CVE-2011-0107 (DLL Preloading vulnerability) has been disclosed publicly. The other CVE addressed in this bulletin (CVE-2011-0977) would be more difficult to exploit for code execution.	Office 2010 not affected.
MS11-033 (Wordpad converter)	Victim opens malicious RTF, WRI, or DOC file with Wordpad.	Important	2	Difficult to build a reliable exploit. Less likely to see this issue exploited for code execution in first 30 days.	Windows Vista and later versions of Windows are not affected.
MS11-034 (win32k.sys)	Attacker running code on a machine already elevates from low-privileged account to SYSTEM.	Important	1	Likely to see an exploit released granting a local attacker SYSTEM level access.	30 of this month’s 64 vulnerabilities being addressed in this bulletin. More information about the high vulnerability count in this month’s SRD blog post.
MS11-025 (DLL Preloading)	Victim browses to a malicious WebDAV share and launches an application by double-clicking a content file hosted on the attacker-controlled WebDAV share.	Important	1	Exploiting DLL preloading cases is straightforward. Therefore, exploit code is likely to appear.
MS11-024 (Fax cover sheet)	Victim opens a malicious fax cover sheet (COV, CPE).	Important	3	Less likely to see real-world effective exploits for this filetype due to mitigating factors.	No version of Windows will open a .cov file by default via a registered file extension (double-clicking the file). The affected component is not installed by default or is not registered.

In addition to the bulletins, two interesting advisories are being released today. Security advisory 2501584 describes a great protection mechanism available for Office 2003 and Office 2007 customers to download and install. The Office team’s blog post about the tool is available at http://blogs.technet.com/b/office_sustained_engineering/archive/2011/04/11/office-file-validation-general-availability-announcement.aspx.

The second advisory, KB 2506014, hardens Windows against kernel-mode rootkits. This specifically breaks the hiding mechanism used by the current Alureon/TDL4 rootkit family. It is an update available on WU and WSUS, pushed out automatically to customers who have opt-in to Automatic Updates.

If you have any questions about these updates, please email us at switech [at] microsoft [dot] com. You can also tune into the MSRC webcast tomorrow where I’ll be answering questions on-the-air. The MSRC blog post has all the information for that.

Update April 13: Corrected the MS11-028 bulletin severity and affected products. Also moved this bulletin up higher in priority due to this correction.

*Update April 15: Corrected the MS11-032 bulletin exploitability due to a rating error. Also moved MS11-032 higher in priority order.

- Jonathan Ness, MSRC Engineering