It's Microsoft Patch Tuesday: April 2010

Justin James gathers the information you need to make the right decision on applying Microsoft's April 2010 patches in your organization.

It is very refreshing to see that the number of out-of-band Microsoft updates has been kept to a minimum this time around! Unfortunately, we have 11 patches fixing a total of 25 security holes. Do not forget, if you are using the RTM version of Vista (one without any service packs installed), you are no longer supported and will not be offered these patches; you will need to get at least SP1 installed to have user support again.

Security patches

  • MS10-019/KB981210 - Critical (2000, XP, Vista, 7, 2003, 2008, 2008 R2): Problems with the Authenticode Verification system can allow remote code execution attacks, which are not mitigated by lower user permissions. Install this fix immediately. 98KB - 870KB
  • MS10-020/KB980232 - Critical (2000, XP, Vista, 7, 2003, 2008, 2008 R2): This patch fixes a problem in SMB handling where an attacker could send a specially crafted response to an SMB request that would allow a remote code execution attack. You will want to install this patch immediately, because the attacker gets full privileges regardless of the user's permission level. 235KB - 1.2MB
  • MS10-021/KB979683 - Important (2000, XP, Vista, 2003)/Moderate (7, 2008, 2008 R2): This patch addresses a number of problems. Luckily, even the worst of them requires the attacker to be logged on. Some of the problems fixed are escalation of privileges; others are denial-of-service problems. Install the patch during your next patch cycle. 1.6MB - 7.8MB
  • MS10-022/KB981169 - Important (XP, 2003)/Low (Vista, 7, 2008, 2008 R2): This is the fix for the already exploited F1 problem. The severity on this one is not critical, since it requires a user to perform certain actions under certain circumstances to be exploited. Install the patch during your usual window. 221KB - 1.1MB
  • MS10-023/KB981160 - Important (Publisher 2002, Publisher 2003, Publisher 2007): If you are using Publisher, this patch fixes a remote code execution exploit when opening specially crafted files. Install this for the folks who use Publisher. 2.9MB - 5.2MB
  • MS10-024/KB976323 - Important (2000, XP, 2003, 2008, 2008 R2, Exchange 2000, Exchange 2003, Exchange 2007, Exchange 2010): A bug in the SMTP server system can allow denial-of-service attacks. Install this patch on any servers running SMTP. 434KB - 1.4MB
  • MS10-025/KB980858 - Critical (2000): Windows Media Services on Windows 2000 can allow remote code execution attacks. Install this patch immediately on those servers. 700KB
  • MS10-026/KB977816 - Critical (2000, XP, 2003, 2008)/Important (Vista): If you open a specially crafted AVI file or view a stream of malicious MPEG-3 encoded media, your system could be open to a remote code execution attack. Accounts with lower permissions may mitigate the risks slightly, but do not count on it, because the information I have read says that could be trouble. Install this patch immediately to protect against this. 159KB - 865KB
  • MS10-027/KB979402 - Critical (2000, XP): Another Windows Media Player vulnerability. Again, if you open media that has been specially crafted, remote code execution may result, with the attacker's rights hopefully being lowered by the user having lowered rights. Install the patch as soon as you can. 2.3MB
  • MS10-028/KB980094 - Important (Visio 2002, Visio 2003, Visio 2007): This remote code execution exploit is triggered by opening malicious Visio files. The attacker should get the user's rights, so lowered privileges should prevent some of the damage. Install for Visio users as soon as you can. 10.9MB - 15.5MB
  • MS10-029/KB978338 - Moderate (XP, Vista, 2003, 2008): A lack of filtering capabilities (included in later versions of Windows) allows an attacker to spoof an IPv4 address; this patch fixes it. Update your systems with this patch during your normal time for patching. 637KB - 2.9MB

Other updates

There are none to report this month.

"The Usual Suspects": Updates to the Malicious Software Removal Tool (9.8MB - 10.1MB) and Junk Email filters (2.2MB).

Changed, but not significantly:

Updates since the last Patch Tuesday

MS10-018/KB980182 - Critical (2000, XP, Vista, 7, 2003, 2008, 2008 R2): This is a giant cumulative update for every version of Internet Explorer that Microsoft supports. It fixes a total of 10 security holes, some of which allow remote code execution and others that let the attacker get data they should not. There is also a huge pile of nonsecurity fixes. You should install this immediately if you have not yet done so. 3.3MB - 40.6MB

There have been a number of minor items added and updated since the last Patch Tuesday:

Changed, but not significantly:

About

Justin James is the Lead Architect for Conigent.

36 comments
Who Am I Really

The only problem I have is that most updates fail on all my systems unless I install them individually, meaning select custom install, empty the check boxes of all but one update, and then install it. When I did that this time around, the first few installed and then over half of the rest vanished from the list and won't come back, even if I go delete them from the "\Software Distribution\Download" folder and stop the update service and restart it. They never come back? Huh? If I do allow all to install at once, I can check with the MS Updates site and it will tell me if any failed, and usually there's at least one that shows as failed, but usually they all report installation success with the little round green check when I do the updates as individual installs.

RedDawg

Beware on 64 bit OSes. (I only had problems on 64 bit systems) On Win7 Ultimate and XP Pro 64bit OSes I had to restore the system. Trying to find the problem was only partially successful; the problem disappeared when I installed the office10 updates individually, while trying to isolate the problem.

drue

What's the problem here.. Is everything that Microsoft produces a piece of junk.. What are they worth.. a few billion, maybe into the trillions.. and they can't hire a crack squad of hackers to debunk their stuff before it releases.. patch after patch.. after security release.. enough.. really it's pathetic that the Microsoft team won't get on board with protecting his product better. Is it really that hard to do so? Linux does it every day.. heck even Apple.. why is there such continuous problems with Microsoft.. it gets old.. and they can do something about it.. really Justin, you need to start leaning on why Microsoft leaves their product so open to abuse.. perhaps if a global group come together to say HEY, then maybe we can get some performance out of Microsoft.. For real.. this is ridiculous.. week after week.. the same ole sleight of hand routine.. It's like getting up in the morning and taking a shower.. Oh.. my computer needs an update to security vulnerability, 234556.. cause their multibillion operation can't do their job right.. It doesn't make sense why higher accountability is not held to Microsoft, why we the consumer should have to interpret reasoning for the application of a patch or fix. If you read Justin's remarks.. each patch or fix is based on a vulnerability to take over a machine. Can somebody please show me each of those vulnerabilities? It seems like each one is always about taking over your computer.. has anyone actually reality checked this? Confirmed that in fact.. your operating system, prior to this patch, is in fact, what the patch claims to do, then apply the patch, to show that it is fixed. I think a lot more time needs to be spent auditing Microsoft for accuracy to their statements or is it fear tactics. The boogieman will get into your computer if you don't apply this patch???

jdwagers

Kb980469 Won't install? Win XP ?? KB981432 " " " XP ?? It has tried 30-40 times just says Update failed, no Explanation It was also trying to update a program I removed a month ago??

Encinodoc

Sandboxie stopped working after installing the Microsoft patch, but a fix is available on the Sandboxie website.

Mr. Tinker

6 systems, all 6 hung during the reboot process. Not good - everything from XP pro to 7 pro and 1 2k3 server. Non-Reboot Wednesday morning sucks.

bands55

If operating systems were more like Mac, there would be no need for all of these updates, and don't get me wrong, I use Windows 7, works great, but all of these patches and updates I'm not sure, think I AM GOING TO RETHINK Mac.

tjc

I had about 8 security downloads pop-up, installed and on restart I got a black screen with ntoskrnl.exe is corrupt, reinstall this file. I have boot files in a separate dir off the root so not a problem, but I would consider the error significant. Unfortunately I do not know which download caused it, so I am not installing any of these again until I know which one is at fault.

nschwantes

I applied them to my XP pc at the office and have had no problems. All applications are working just fine. I applied to my home XP laptop last night and had no issues there either. I plan on applying on my home Win 7 this afternoon.

jck

Since I was a noble Vista user and applied all the patches they gave me to apply... My IE has become so bogged down that it's not even funny, and Vista 32-bit Home Premium works at a crawl. I'm about ready to just backup my data, wipe the drive, and install XP Pro x64 on the thing. Never had this much trouble with an OS in my life, and the issues all coming over time from MS's own updates.

plns

I've had two cases of systems booting to a blank screen after applying the April 2010 updates. Got a Windows splash screen then blank. Tried multiple reboots but no joy. 1 XP 1 win7 was able to boot in safe and use system restore to repair.

DWalker88001

Well, since I received the TechRepublic e-mail containing this item on Wednesday, April 14th, it's a little late.

Mark W. Kaelin

Are the patches described by Justin giving you trouble this month? Share your experience with your peers, maybe we can help?

jstasyszen

Well said! Why can't a multibillion dollar company like Microsoft release a product that is not going to need to be patched on a daily basis? Windows looks like a Hobo's quilt.

Justin James

Many of the problems with these vulnerabilities come about because the code is written in C and C++, where a simple typo can result in a security hole, and it is very hard to find. On top of that, these are million line applications... if you can write a million line novel, or do some task in your job a million times, without a single mistake, you are a better person than I am! J.Ja

Mark W. Kaelin

Bill Gates is not really involved anymore. You might also remember that the other operating systems you mentioned get security patches on a regular basis. Modern operating systems are complicated, they have security holes and bugs that need to be fixed. This is not just a Microsoft or Windows thing - it is just a reality of the age in which we live.

steven.taylor

I know the perception is that MAC / Unix / Linux don't require the number of patches that Windows systems do, but it is only perception. The actual reality is that MACs and other systems do need regular updates and patches. When I worked for a larger company, our Unix team patches their servers just about every week. From MAC web site: Apple frequently releases software updates that you can download. The Software Update feature in Mac OS X makes it very easy to determine and get exactly what you need. Microsoft makes it easier, IMHO.

TimH.

I applied the patches to my Windows 7 Professional 64 bit laptop last night and have had no problems so far either.

geekynerd

First of all most issues with Vista crawling is lack of adequate hardware, second of all, if a x86 version of OS is going slow, why make the jump to x64!? XP in 64bit mode, prob uses more resources than Vista in 32.

SgtPappy

Did you install the updates without researching them? Couldn't wait another day?

Justin James

If you want to get the notification faster, subscribe to the RSS feed, or check this area on Patch Tuesday in the afternoon. We almost always have this piece posted before the end of the work day (Eastern Time) on Patch Tuesday. J.Ja

jamiecoutts

Be aware that MS10-024/KB976323 removes IIS6 SMTP settings on 2008 servers. So be careful to export settings before applying this patch.

hreagon

Why would anyone respond by posting mindless banter about Bill Gates, MAC vs PC, or Windows 7 vs Vista? The question is are you having any issues related to installing the April patches. I support at least 1500 computers, and roll-out through WSUS only after I come here and check a few other resources on the web. I would never just blindly let patches go out without first having a test period. My point is, please don't respond unless you are actually having a problem with a specific patch.

pac_muthama

Breaks BlackBerry Administration Service. The service keeps terminating unexpectedly. I had to remove it & reboot. The service ran successfully thereafter! Of course not the best solution considering this is a security update but what to do? Unless someone else has a better solution. Microsoft? Blackberry?

zhumar

After the Windows XP loader/splash screen does its thing, I just get a black screen. It won't go to the login. I tried running in safe mode, and it just freezes before anything comes up. Did the update just force me to format?

harry

KB979683 keeps trying to install but is unable to do so, yet I get no error messages.

shah4373

My organization has many users on various OSes and after last month's update issues, I'm more careful now in approving updates in WSUS. What I do now is approve the updates for spare laptops/desktops that I have with various OSes and monitor the situation for a few days to a week and if nothing serious crops up, I then roll out the updates, even then, I do it at dept level and not company wide. A bit long winded I guess but saves me the trouble of a company-wide chaos. :)

gypkap

The patches came in when I was working on something, and changing that document was put on hold for at least a half hour if not more. That's a lot of patches.

tlauerma

I rolled out the new patches via WSUS last night to my test group. So far no complaints or issues.

drue

So your take away from my comments was the word Bill Gates.. ohh boy.. Granted BG isn't involved as much, who cares.. that isn't and wasn't my point by any means.. you have to look at the principle of my comments. How many files again are being updated based on the same explanation. Your computer can be taken over.. is that virtually or physically and can you prove it or should we take what you say at face value? I fully disagree with you regarding your comments on other OS's.. and know upfront, I'm a Windows guy across the board. BUT.. We have a Mac shop in house here, they rarely need anything, rarely give us any troubles, they just run and operate far better than Windows products. Yes they do update every so often, but 9 times out of 10.. it's something minor. And if it's something important, it's called Critical.. which really doesn't happen that often. Compare that to week after week on Windows of "update with this patch or your computer will get taken over, appears to me to say, CRITICAL" every week.. Fact is our Macs are 6+ year old G5's and they run faster and better than our 2-3 year old Commercial IBM Intellistations, think bricks and similar machines... hands down. sad but true.. Our commercial servers and NAS boxes on Linux are the same scenario, rarely give a problem, most updates are minor. I don't remember the last time something Critical was updated. Our Windows machines.. a whole different animal.. they're so buggy, unreliable, constantly have problems from every angle imaginable. If it's not a virus, it's malware, if not malware, then logs filled up and performance is shot, slow boots, Exchange connections are lost and restored, printing hassles, you have to live off task manager, click a bunch of OK's to bring it up and start shutting down processes just to get some extra apps open so you don't trigger a virtual memory is low warning. Active directory.. I have a phrase for that.. "Security security, we're insecure". and if we are secure, who can actually guarantee it, with Microsoft pushing umpteen security patches every week and giving very little support on it.. how do you test it and for that matter, what's the cost associated with reauditing your entire network on a bunch of security patches that state the same issues???? Really.. just to apply the patches of the April version.. think about it.. give us full factual ability to test this in our own networks first.. for example, a patch TEST and reproduction TOOL.. To simply say, "This patch will eliminate a security threat that could enable someone to remotely take over your computer" isn't acceptable. Then if you click more details.. it says the same thing.. or refer to KB article 12345..which essentially says the same thing. A vulnerability was reported that could enable an attacker to.. Show me proof of each patch's claim. Show me straight forward how to test what you say, to recreate such exploitation, show me the documented effect of how it was done, how it was discovered, document why they didn't know this would happen when the code was originally written by them. Provide testing procedures and tools for each set of patches to see how it will affect an array of networks from an AD security level, server level, network level, to a workstation and remote operational level. Show me the performance change such will likely cause. How to measure and benchmark it, provide any other better solutions than updating the code, like, close a port, harden a server, tweak the registry.. I personally cannot think of a single reliable tried and true, out of the box product from Microsoft that has ever just done what it says it will do. Your comment of, this is the age we live in.. Are you for real.. that's a cop-out and weak at best.. The age we live in expects and demands more. Accountability is mandatory in today's age we live in at minimum. People expect their best interests to be accommodated, when that doesn't happen.. the public loses trust. Something quite influential out there is called public opinion, and just about everything that happens in the country occurs by public opinion. From who should be prosecuted, or what war to start, to the stability of financial market is channeled by public opinion. My public opinion on this Patch Tuesday quarrel is Microsoft is being non-affirmative, not being forthcoming to present facts and well rounded solutions across the board. I guess for lack of a better example, like that Mac commercial, where it shows the history of Windows and BG saying, "this Windows won't have problems".. seems to confirm what I'm saying. Heck if the latest vulnerabilities are going to cause an attacker to take over my computer.. GREAT.. maybe they'll be nice enough and do my work for me also since they're so interested in what I'm doing.. Have at it, I'll leave a To Do list on my desktop.. Hello people, a dozen patches all about the same thing... don't you think that's a CRITICAL problem.

jck

XP Pro uses less resources out of the box for sure than Vista. Since the box is a 64-bit CPU and memory architecture, I doubt it would use any more resources. Probably less, since it wouldn't have to track big/little endian. I'm not paying for a Win 7 x64 upgrade. Dell forced me to take Vista with the laptop when I bought it, then 2 months later offered XP again and would not give me a free conversion. Hence, I now buy other brand laptops. BTW, I have 4GB RAM, 250GB HD, dual-core AMD Turion processor, etc. It's not a lack of hardware in it. It's poor patching to Vista.

Justin James

I patched all of my VM'ed servers last night and pushed them out to my desktops, no complaints so far. J.Ja

Mark W. Kaelin

You are very passionate about this I can see, but here is what I said: Bill Gates is not really involved anymore. You might also remember that the other operating systems you mentioned get security patches on a regular basis. Modern operating systems are complicated, they have security holes and bugs that need to be fixed. This is not just a Microsoft or Windows thing - it is just a reality of the age in which we live. To sum it up, I said all operating systems receive patches and life is complicated. You can disagree with that statement, but I think most would agree that is just the way it is. As to your trouble with Microsoft products, I can only say that I have not experienced as much trouble as you have. And that, as much as I would like to, I am not really in a position to do much to help you except offer a brief explanation of the patches each month.

sswb

My Vista Business died, try to repair. It says that I have attached a new Camera? Cannot do anything?

SgtPappy

I think every computer running Vista would be slow. Mine purrs along like a finely tuned sports car. I think you are having other issues with your computer.