Microsoft has released its April Patch Tuesday fixes, a large group of patches that includes updates for several critical holes in Internet Explorer as well as a patch that finally fixes the SMB client bug that disclosed publicly in February.
The most critical of the 17 bulletins that Microsoft released on Tuesday is MS11-018, which fixes a total of five vulnerabilities in Internet Explorer. Among those bugs is one that was used to compromise IE 8 at the Pwn2Own contest last month at CanSecWest. Microsoft security officials said that they are aware of some targeted attacks against that vulnerability (CVE-2011-0094), as well as another IE vulnerability, an object management memory corruption flaw (CVE-2011-1345).
“It took three vulnerabilities to successfully compromise IE8 and meet all the requirements of the organizers. The vulnerability we are fixing today, a use-after-free which does
not affect IE9, was the primary vulnerability used to gain code
execution. A second vulnerability was used to make the exploit more
reliable and a third was used to escape IE’s protected mode,” Fermin J. Serna of the MSRC Engineering Team wrote in a blog post.
One of the other critical vulnerabilities fixed in April was the SMB client bug that was disclosed in mid-February on Full Disclosure. Microsoft patched that flaw, as well as a separate SMB server-side bug that was found internally by Microsoft’s own researchers. The company has spent about a year looking for ways to improve the security of SMB as well as the reliability of updates to it, officials said.
“Over the past two years SMB has been a target for security
researchers, and Microsoft released several security updates as new
issues were reported. As part of each of the preceding updates, we
followed our standard “hacking for variations” approach, but with a
tighter timeline mandated by the need to address reported issues as
quickly as possible,” Microsoft’s Mark Wodrich said.
“It was clear that even without additional issues being reported,
there were things we could focus on and improve in terms of our internal
security testing, code auditing and design reviews. As a result, we
kicked off a longer-term project to identify additional security issues
in the SMB code, with an eye on releasing fixes in a future security
bulletin. This “SMB Security Scrub” led to the fixes included in the
April bulletin release.”
Microsoft also patched five other ciritcal vulnerabilities, including an ActiveX problem in Windows. The full list of patches and the software that’s affected is available on the Microsoft TechNet site.