On the off chance you have your software updates set to manual, be sure to do an update this week to receive all the security updates and the new IE version 9.
There are also updates for Windows and Macs using Windows Office, as well as updates for Adobe Flash.
Here's a news article to read for details. At the link are reviews by several security companies evaluating the flaws these updates are supposed to fix.
http://blogs.csoonline.com/1476/microsoft_april_2011_security_update_is_live
Quote: The biggest fix of the bunch appears to be MS11-018, a bulletin for Windows Internet Explorer that addresses two security holes already used by attackers to hijack machines.
Microsoft says in that bulletin:
This security update resolves four privately reported vulnerabilities and one publicly disclosed vulnerability in Internet Explorer. This security update is rated Critical for Internet Explorer 6, Internet Explorer 7, and Internet Explorer 8 on Windows clients; and Moderate for Internet Explorer 6, Internet Explorer 7, and Internet Explorer 8 on Windows servers. Internet Explorer 9 is not affected by the vulnerabilities.
The most severe vulnerabilities could allow remote code execution if a user views a specially crafted Web page using Internet Explorer. An attacker who successfully exploited any of these vulnerabilities could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. The update addresses the vulnerabilities by modifying the way that Internet Explorer handles objects in memory, content during certain processes, and script during certain processes.
Here's another. More details at the link below.
http://www.itbusinessedge.com/cm/blogs/mah/microsoft-releases-massive-patch-tuesday-update/?cs=46486
Excerpt:
Quote: Microsoft shipped a massive Patch Tuesday update this week that resolves a total of 64 vulnerabilities spread across 17 security bulletins. Affected system components include a broad swathe of Microsoft's products, such as Windows, Office, Internet Explorer, Visual Studio, the .NET Framework and GDI+. More importantly, nine of the bulletins were graded at the highest rating of "critical," while the remaining eight were ranked as "important."
Given the number of serious updates involved, small- and mid-sized businesses thinking of holding off on this update are advised not to put it off. This is because all but two of the bulletins allow for the possibility of remote code execution, which are scenarios where remote hackers are able to run unauthorized applications.
This is the tech bulletin from Microsoft:
http://www.microsoft.com/technet/security/bulletin/ms11-apr.mspx
Here's an article about the push release to IE 9 that is supposed to happen in the next week. The release is only for Windows 7 and Vista. IE9 is not available for XP and will not be. For Windows 7 and Vista users, the link below has step-by-step instructions.
http://www.computerworld.com/s/article/9215845/Microsoft_to_push_IE9_via_Windows_Update_next_week
Quote: Computerworld - Microsoft plans to turn on the Windows Update spigot for Internet Explorer 9 (IE9) on Monday, April 18.
Starting then, Windows Vista and Windows 7 PCs will begin to automatically offer users the upgrade, Microsoft said Thursday.
"IE9 will not install automatically on machines," Roger Capriotti, who heads IE marketing at Microsoft, said in a blog post. "Users will have to agree to install IE9."
There is also another security patch for Adobe Flash that you should download and install, especially if you use Facebook:
http://www.pcmag.com/article2/0,2817,2383670,00.asp
Quote: Adobe said Friday that it has identified and issued a patch for Adobe Flash Player, just days after issuing a similar patch.
Adobe issued Adobe Flash Player 10.2.159.1 on Friday, for users of Flash version 10.2.153.1, and Adobe Flash Player 10.2.154.25 for those that use Chrome. Adobe also said it recommends users of Adobe AIR 2.6.19120 and earlier versions for Windows, Macintosh and Linux update to Adobe AIR 2.6.19140.
Adobe expects to make available an update for Adobe Flash Player 10.2.156.12 and earlier versions for Android no later than the week of April 25, 2011, the company added.
Why? According to Adobe, there have been reports that this vulnerability is being exploited in the wild in targeted attacks via a malicious Web page, or a Flash (.swf) file embedded in a Microsoft Word (.doc) or Microsoft Excel (.xls) file delivered as an email attachment, targeting the Windows platform. The updates resolve a memory corruption vulnerability that could lead to code execution, Adobe said.
That's basically the same vector that a previous vulnerability exploited on Wednesday. Adobe said then that it was not aware of PDF-related attacks in Reader or Acrobat, and Adobe Reader X Protected Mode mitigations would prevent that type of exploit from happening.
As PCMag's Larry Seltzer points out, this type of vulnerability might sound familiar. It's quite similar to another Flash zero-day from several weeks ago that was embedded in an Excel file and used to attack RSA.
Adobe Reader 9.x for UNIX, Adobe Reader for Android, and Adobe Reader and Acrobat 8.x are not affected by this issue, Seltzer noted.
Here's the info on the Mac Updates from Microsoft for Office:
http://www.pcworld.com/businesscenter/article/225042/microsoft_updates_office_2008_for_mac_for_security.html
Quote: Microsoft updated Office 2011 for Mac on Tuesday, but what of earlier versions of Office? They're not about to be left out in the cold: Microsoft has also released Office 2008 for Mac version 12.2.9, bringing security patches and a couple of other updates to the previous version of its productivity suite.
The bulk of the update is a handful of security fixes cataloged in three separate bulletins. The patches repair vulnerabilities in Excel, PowerPoint, and Office that could lead to remote code execution. Also included in the update is a fix for stability problems, which ought to help prevent Office applications from unexpectedly quitting. And there's now support for Microsoft's SkyDrive cloud storage service, as well as Forms Based Authentication, which is needed for compatibility with SharePoint.
Beyond those changes, there are a couple of application-specific updates: PowerPoint 2008 for Mac boasts improved compatibility with its Windows counterpart, as numbered lists should now display correctly when you open a Mac presentation in Windows. And Entourage 2008 for Mac now displays conversation headers correctly, showing the correct number of unread messages when you're viewing by conversation.
Office 2008 for Mac 12.2.9 requires Mac OS X 10.4.9 or later and can be downloaded from Microsoft's Website or via Microsoft's AutoUpdate.
Besides doing these updates for your personal computers, do your companies a favor and urge your IT folks to do company-wide updates.