Stephen Withers
Wednesday, 13 April 2011 08:57
April 2011 brings Easter, Anzac Day, a royal wedding... and an unusually busy Patch Tuesday from Microsoft.
As expected, Microsoft has issued 17 security bulletins covering an unusually large 64 vulnerabilities.
One bulletin covers 30 of those vulnerabilities, which have the same two root causes. They concern elevation of privilege in Windows kernel-mode drivers, but as they can only be exploited locally, the bulletin is rated only important.
More pressing are the month's critical bulletins. Microsoft is headlining an update for Internet Explorer which fixes five vulnerabilities in versions 6, 7, and 8 (Internet Explorer 9 is not affected). At least one of the issues allows remote code execution when viewing a maliciously crafted web page. Microsoft is aware of "limited attacks" that take advantage of vulnerabilities, and Pete Voss, senior response communications manager in Microsoft's trustworthy computing group, said "We encourage all customers apply this bulletin first of all our April bulletins."
The other two bulletins the company has called out relate to the SMB client and SMB server in all currently supported versions of Windows. Both could allow remote code execution via maliciously crafted SMB packets.
However, those three are not the only critical updates this month. There are also updates for the .NET framework, GDI+, DNS resolution, the JScript and VBScript engines, and the OpenType Compact Font Format driver, as well as an ActiveX kill bit update.
Other important updates for Windows involve the Windows Fax Cover Page Editor, the MHTML handler and WordPad.
Additional Microsoft programs are also affected, so please read on.