13 Apr 2011
Microsoft has broken its own record for vulnerability fixes with a security update covering Windows, Office, Internet Explorer, Visual Studio, .NET Framework and GDI+.
Nine of the patches are rated 'critical' and eight as 'important'. Three patches - MS11-020 (SMB Server), MS11-019 (SMB Client) and MS11-018 (Internet Explorer) - are of the highest priority for IT managers, as they allow remote code execution. Attacks using one of the flaws have already been seen in the wild.
"MS11-018 already has a zero-day exploit out there being used to compromise consumers' machines. It was disclosed at the Pwn2Own contest at CanSecWest," Amol Sarwate, vulnerabilities lab manager at Qualys, told V3.co.uk.
"Meanwhile, MS11-020 is dangerous because it's an old school attack and doesn't require any user interaction, and uses an SMB service that runs on all computers."
Pete Voss, Microsoft's senior response communications manager for Trustworthy Computing, said that the unusual size of today's patch release, which breaks December 2010's record, was largely down to a single patch, MS11-034, which fixes 30 flaws that share a common root.
Voss also praised the response of 21 non-Microsoft researchers who contributed data to the patch released today.
"This was a great month for industry collaboration. As we've said time and time again, it truly takes a community to keep customers and the overall ecosystem free from threats," Voss wrote on the Microsoft Security Response Center blog.
"Microsoft truly appreciates co-ordination with industry experts to keep customers protected."
Microsoft has also added two new pieces of security software to its overall protection suite. Firstly, the Windows operating system loader has been upgraded to detect rootkits and block them from bypassing existing security screening.
"For a rootkit to be successful it must stay hidden and persistent on a system. One way we have seen rootkits hide themselves on 64-bit systems is bypassing driver signing checks done by winload.exe," said Dustin Childs, senior security program manager at the Microsoft Security Response Center.
"While the update itself won't remove a rootkit, it will expose an installed rootkit and give your anti-malware software the ability to detect and remove the rootkit."
Secondly, Microsoft has extended a feature that blocks malware-infested Word, Excel, PowerPoint and Publisher files. Office 2010 already blocks some forms of this attack, and the same functionality has been added to the 2007 and 2003 versions.