
It's Microsoft Patch Tuesday: April 2011

Justin James gathers the information you need to make the right decision on applying Microsoft's April 2011 patches in your organization.

This month we're getting hit with a big one-two punch from Microsoft: the delivery of Internet Explorer 9 via Windows Update (not in the WSUS pipeline yet, though) and an enormous drop of seventeen security bulletins (MS11-018 through MS11-034).

Internet Explorer 9 is definitely a must-upgrade from IE8. The problem is whether you can upgrade from IE8 yet without breaking too many applications; for organizations, that is the million dollar question. While I recommend that everyone upgrade from IE8 to IE9, and suggest that users of other browsers consider looking at it (just as I suggest that IE users take a look at Firefox 4 and Chrome 10), the truth is that most organizations will want to test very thoroughly before upgrading from IE8 to IE9, which is why I'm giving it a "one flag" rating.

Also of note is KB2524375, which ships alongside the routine root certificate update (KB931125) and, unlike that one, actually addresses a security issue: it removes trust in the fraudulently issued Comodo certificates. It is also disappointing that only one of this month's issues affects the older Windows versions but not the newer ones; for several of them, the more recent editions of Windows actually have the worse vulnerability (remote code execution where XP and 2003 only get an elevation of privilege). As an added "bonus" we even have a fix for Visual Studio, correcting a problem in applications built with one of its standard libraries (MFC). This was not a good month for Microsoft!

This blog post is also available in PDF format as a TechRepublic Download. Falling behind on your patch deployments? Catch up with previously published Microsoft Patch Tuesday blog posts.

Security Patches

MS11-018/KB2497640 - Critical (XP, Vista, W7, 2003, 2008, 2008 R2): This is a big update for IE6 - IE8 that fixes five vulnerabilities (one publicly disclosed). You will want to install this as soon as you can. 7.6MB - 47.3MB

MS11-019/KB2511455 - Critical (XP, Vista, W7, 2003, 2008, 2008 R2): Attackers can use malformed SMB packets to perform remote code execution attacks against the SMB client. This would be a bit less critical (since SMB traffic should be blocked at the perimeter firewall) except that one of the vulnerabilities fixed is already public knowledge. You should patch this immediately. 295KB - 1.5MB

MS11-020/KB2508429 - Critical (XP, Vista, W7, 2003, 2008, 2008 R2): Another remote code execution via malformed SMB packets is fixed with this patch, this time on the server side of the equation. Again, get this patch on as soon as you can. 348KB - 1.5MB

MS11-021/KB2489279 - Important (Office XP, Office 2007, Office 2010, Excel Viewer, Office Compatibility Pack for Office 2007 file formats, Office 2004 for Mac, Office 2008 for Mac, Office 2011 for Mac, and Open XML File Format Converter for Mac): Opening a malformed Excel file can cause remote code execution attacks. While the attacker only gets the locally logged on user's rights, Excel files are common enough to justify extra haste in installing this patch. 5.0MB - 331.1MB

MS11-022/KB2489283 - Important (Office XP, Office 2003, Office 2007, Office 2010, PowerPoint Viewer, Office Compatibility Pack for Office 2007 file formats, Office 2004 for Mac, Office 2008 for Mac, Office 2011 for Mac, Open XML File Format Converter for Mac): More remote code execution issues via Office files, this time in PowerPoint. Again, the breach itself is not as serious as it could be (the attacker gets the user's rights), but the ubiquity of Office files makes this patch a "must do" item. 2.1MB - 333.1MB

MS11-023/KB2489293 - Important (Office XP, Office 2003, Office 2007, Office 2004 for Mac, Office 2008 for Mac, Open XML File Format Converter for Mac): This is our old friend, the DLL preloading issue, where opening a file can be exploited to load an attacker's DLL from a network share and attack the system (remote code execution). Patch immediately. 4.6MB - 333.1MB

MS11-024/KB2491683 - Important (XP, Vista, W7, 2003, 2008, 2008 R2): Attackers can use malformed fax cover page files to perform remote code execution attacks. The fax application is rarely used or installed, so this patch can wait until your next normal patch cycle. 536KB - 5.0MB

MS11-025/KB2500212 - Important (VS 2003, VS 2005, VS 2008, VS 2010, Visual C++ 2005 Redistributable, Visual C++ 2008 Redistributable, Visual C++ 2010 Redistributable): A problem with one of the MFC libraries can cause remote code execution attacks in applications built with it. If you use MFC in your apps, install this update and rebuild your apps to protect them from this security problem. Even if you don't write applications, this patch is important due to the number of apps that use MFC. Install on your normal cycle. 2.6MB - 365.8MB

MS11-026/KB2503658 - Important (XP, Vista, W7)/Low (2003, 2008, 2008 R2): Malformed Web pages using MHTML can be used to get the Web browser to disclose data that it shouldn't. Install this patch at your scheduled time. 413KB - 3.0MB

MS11-027/KB2508272 - Critical (XP, Vista, W7)/Moderate (2003, 2008, 2008 R2): This is one of Microsoft's regular updates to the ActiveX Kill Bits system, which blocks malicious ActiveX controls (save the cynical jokes!). You'll want to get this patch put on your desktop systems quickly. 36KB - 991KB

MS11-028/KB2484015 - Critical (XP, Vista, W7, 2003, 2008, 2008 R2): This update addresses a remote code execution vulnerability in the way the .NET Framework handles XAML Browser Applications (XBAPs). You should install this patch as soon as you can. Some of the specific packages have known bugs, so if you have any issues, check the individual KB article for your specific package to see what they are. 110KB - 14.4MB

MS11-029/KB2412687 - Critical (XP, Vista, 2003, 2008): Malformed image files can be used to perform remote code execution attacks against Windows when they are viewed (including on Web sites). You should get this patch put on your systems immediately. 1.2MB - 3.6MB

MS11-030/KB2509553 - Critical (Vista, W7, 2008, 2008 R2)/Important (XP, 2003): This patch fixes issues with DNS lookups that can cause elevation of privilege attacks in XP and 2003, and remote code execution attacks in more recent versions of Windows. You'll want to get this patch put on as soon as possible. 195KB - 4.7MB

MS11-031/KB2514666 - Critical (XP, Vista, W7, 2003, 2008, 2008 R2): Issues with the JScript and VBScript engines can allow remote code execution attacks, which this patch resolves. These attacks can be delivered via Web sites, so you should get this patch installed as soon as you can. 456KB - 3.0MB

MS11-032/KB2507618 - Critical (Vista, W7, 2008, 2008 R2)/Important (XP, 2003): An issue with OpenType font handling can cause security problems ranging from elevation of privilege on XP and 2003 to remote code execution attacks on newer Windows versions. Install the update quickly. 254KB - 1.3MB

MS11-033/KB2485663 - Important (XP, 2003): Opening files in WordPad can allow remote code execution attacks. This patch can wait, unless you have users who actually use WordPad. 603KB - 1.3MB

MS11-034/KB2506223 - Important (XP, Vista, W7, 2003, 2008, 2008 R2): Locally logged on users can run an application to gain higher rights (elevation of privilege). This patch should be installed the next time you normally patch. 1.1MB - 5.5MB
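The following PowerShell is an added example, not part of the original post, for checking a Windows host against the Windows bulletins listed above using Get-HotFix (available since PowerShell 2.0). It assumes that the KB number in each bulletin heading is also the ID of the installed package, which is not always true (the .NET Framework fix under MS11-028, for example, ships as separate per-framework packages), and it cannot see the Office and Visual Studio bulletins (MS11-021, 022, 023, 025) at all, since Get-HotFix only reports Windows updates. Treat a "missing" line as something to verify against the bulletin's affected-software table, not as proof.

```powershell
# Added example (not from the original post): audit a host against the April 2011
# Windows bulletins. Get-HotFix reads Win32_QuickFixEngineering, which knows only
# about Windows updates, so Office/Visual Studio bulletins are deliberately absent.
# Mixed-severity bulletins are listed at their highest rating.

$AprilBulletins = @(
    @{ Bulletin = 'MS11-018'; KB = 'KB2497640'; Severity = 'Critical'  }
    @{ Bulletin = 'MS11-019'; KB = 'KB2511455'; Severity = 'Critical'  }
    @{ Bulletin = 'MS11-020'; KB = 'KB2508429'; Severity = 'Critical'  }
    @{ Bulletin = 'MS11-024'; KB = 'KB2491683'; Severity = 'Important' }
    @{ Bulletin = 'MS11-026'; KB = 'KB2503658'; Severity = 'Important' }
    @{ Bulletin = 'MS11-027'; KB = 'KB2508272'; Severity = 'Critical'  }
    @{ Bulletin = 'MS11-028'; KB = 'KB2484015'; Severity = 'Critical'  }  # umbrella KB; package KBs differ
    @{ Bulletin = 'MS11-029'; KB = 'KB2412687'; Severity = 'Critical'  }
    @{ Bulletin = 'MS11-030'; KB = 'KB2509553'; Severity = 'Critical'  }
    @{ Bulletin = 'MS11-031'; KB = 'KB2514666'; Severity = 'Critical'  }
    @{ Bulletin = 'MS11-032'; KB = 'KB2507618'; Severity = 'Critical'  }
    @{ Bulletin = 'MS11-033'; KB = 'KB2485663'; Severity = 'Important' }
    @{ Bulletin = 'MS11-034'; KB = 'KB2506223'; Severity = 'Important' }
)

function Test-AprilPatchState {
    param([string]$ComputerName = $env:COMPUTERNAME)

    # HotFixID comes back as "KBnnnnnnn", the same form used in the table above.
    $installed = Get-HotFix -ComputerName $ComputerName | ForEach-Object { $_.HotFixID }

    foreach ($b in $AprilBulletins) {
        # New-Object/Select-Object rather than [pscustomobject] so this runs on PowerShell 2.0.
        New-Object PSObject -Property @{
            Bulletin  = $b.Bulletin
            KB        = $b.KB
            Severity  = $b.Severity
            Installed = [bool]($installed -contains $b.KB)
        } | Select-Object Bulletin, KB, Severity, Installed
    }
}

# Report what is still missing, Critical bulletins first.
Test-AprilPatchState |
    Where-Object { -not $_.Installed } |
    Sort-Object @{ Expression = { $_.Severity -eq 'Critical' }; Descending = $true }, Bulletin |
    Format-Table -AutoSize
```

Run it with `-ComputerName` against remote hosts once WSUS reports disagree with what a machine says about itself; an empty table means every KB in the list was found, not that the Office side of the house is done.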

Other Updates

KB2506014 - This patch fixes a problem where you would receive the error "Error Code FFFFFFFE" when installing Windows updates. 1.8MB - 3.2MB

KB2511250 - As of the time of writing, there is no information available on this patch for W7 and 2008 R2. 122KB - 353KB

"The Usual Suspects": Updates to the Malicious Software Removal Tool (12.3 - 12.7MB) and the Junk Email Filter (2.1MB).

Changed, but not significantly:

KB976932 - Windows 7 and 2008 R2 SP1

Updates since the last Patch Tuesday

There were no security updates released out-of-band.

Minor items added or updated since the last Patch Tuesday:

KB982861 - Internet Explorer 9

KB2505189 - Update for DirectWrite and XPS problems in Vista SP2 and 2008 SP2

KB931125 - Update for root certificates

KB2524375 - Fix that removes trust in the fraudulently issued Comodo certificates

Changed, but not significantly:

• KB976932 - Windows 7 and 2008 R2 SP1
• KB2505438 - Performance update to the DirectWrite API
• KB971029 - AutoPlay update for Windows

About

Justin James is the Lead Architect for Conigent.

33 comments

rpr.nospam

MS11-022 also applies to MS PowerPoint 2003, which this article does not mention (see http://support.microsoft.com/kb/2489283). There is a nasty issue with the update for MS PowerPoint 2003 - see http://support.microsoft.com/kb/2464588. When opening a presentation PP may report an error: "PowerPoint was unable to display some of the text, images, or objects on slides in the file, "filename", because they have become corrupted. Affected slides have been replaced by blank slides in the presentation and it is not possible to recover the lost information. To ensure that the file can be opened in previous versions of PowerPoint, use the Save As command (File menu) and save the file with either the same or a new name." Users informed me that if you try to edit the file after the error, PowerPoint hangs and causes high CPU usage. To fix the problem KB2464588 has to be removed. See more at: http://blogs.technet.com/b/bgp/archive/2011/04/14/new-security-update-ms11-022.aspx http://www.pptfaq.com/FAQ01108.htm

slatus

I just found out via the Windows Secrets Lounge site that installing IE9 makes this update unnecessary.

slatus

I just performed some selective Windows updates yesterday, installing some and holding off on others per recommendations from Woody Leonard's site as well as Susan Bradley's "column" in the "Windows Secrets" newsletter. Before I downloaded or installed any of the updates, I printed out a list of available updates. One of the updates on this list was "Security Update for Windows 7 for x64-based Systems (KB2510531)". I chose NOT to install this particular update at this time. After installing the desired updates and rebooting, I checked the Windows Update site for a list of the remaining updates. I did not see the update KB2510531 listed. Odd, I thought. Perhaps I had installed it unknowingly? I checked my Windows Update history and did not see it listed there either. Feeling a bit confused, I then went to Programs and Features (FKA Add/Remove Programs), and told it to view installed updates. It wasn't shown there either. OK, maybe somehow it got put into Hidden Updates by Windows Update? Nope, also not listed there (I had NO hidden updates). I also counted up the number of updates on my printed list mentioned above. The number was 26. I then counted the number of updates I had installed per the Windows Update history (16) and the number of updates remaining to install per the Windows Update site (9), which totals 25 - one less than the number of updates on my original printed list. Makes sense since KB2510531 is missing from both of the current Windows Updates lists. FWIW, I had installed the IE8 security updates in the first wave and installed IE9 in the second wave of updates that I did yesterday. I did NOT install SP1. Does anyone know what the explanation is for security update KB2510531 not currently showing up on any list? It looks like it just disappeared!

wwgorman

I put IE9 onto my Vista and Win 7 units and, of course, not onto my XP machines (IE9 won't work in XP). I ran into problems caused by the IE9 installation on the Vista machine and removed it with a system restore. The Win 7 unit, which is just being loaded with programs, does not appear to be affected.

SCilentC

It is easy to forget that Windows 2000 Professional machines still get MS Security Updates (W2KP is not in the above article's list of OSes). The 12 APR 2011 Security updates for C++ redistributables: Security Update for Microsoft Visual C++ 2008 Service Pack 1 Redistributable Package (KB2467174) and Security Update for Microsoft Visual C++ 2005 Service Pack 1 Redistributable Package (KB2467175), when downloaded and installed by MS Update, may be implicated in producing a bust on the kernel32.dll for the W2KP operating system which could affect certain widely used real time protection antivirus software. The resultant error is: "The procedure entry point FindActCtxSectionStringW could not be located in the dynamic link library KERNEL32.dll" Microsoft has been phoned and their PCSafety crew has been made aware.

chinglung

I had 27 updates yesterday on my main box, including security updates for Office 2007. During the installation, my machine turned itself off and during the Win 7 start up, displayed a remark about installing an update to the registry. When the log in finally appeared, the custom background and log in icon were there, but after I entered my password, my whole profile was gone. The desktop, icons, documents, pictures, everything was gone. It had my name in the Start Menu, but all the library folders were empty. I was able to do a system restore as I had made a restore point the day before when installing an earlier update. Luckily, everything came back. I have an Acronis copy from three months ago, so it wouldn't have been a total disaster, but the s.r. worked. I ran the updates on three other machines the same day without any problems. The problem machine was the last one to update. Today, it's letting me know there are available updates, but I'm just going to hide them for now until I can figure out what went wrong.

tech

Can I ditto pipesmoker's request?

joy64

I tried IE9 after it updated and I still can't spool my email to print later. Not worth the hassle. Went back to Firefox. I guess I'll continue to use IE only for pages that won't load in Firefox.

robertr

I guess Microsoft is making up for last month's light patch cycle. I wish they would fix the Word 2010 Font issue (crashes when an older document contains Type-1 Fonts). They are aware of this issue, but their workaround doesn't work. They must be waiting for Service Pack 1. There is an Excel Security update of 20.3 Mbytes (wow). My laptop's Primary partition Disk Space is getting low with the hundreds of updates since Service Pack-1 (XP) OS. I'm about to archive all these files to DVD and delete them from Drive C: to recover the wasted Gbytes of space. I will wait to hear from others before I install all these patches (looks like it has been smooth sailing for WIN 7).

netman4ttm

Well, they managed to blow out the integration features on the XP mode running on Win 7 64bit.

pgit

I haven't put IE9 on any machines yet. One thing at a time, I do plan on trying it on a couple non-critical win7 machines first. Of course on the XP machines it's a non issue.

pgit

I'm in the midst of updating dozens of boxes running just about every OS from XP to 7, absent only server 2008. No problems so far, a pleasant surprise given the magnitude of this update. The only quarter I have yet to hear from is the MSOffice users, but otherwise nothing is broken yet. I assume the cynical joke would be "but ActiveX IS a 'malicious control!'" ...?

Mark W. Kaelin

Are the patches described by Justin giving you trouble this month? Share your experience with your peers, maybe the TechRepublic Community can help? Did you install IE9 or are you waiting?

pgit

I had troubles on a couple vista boxes I tested IE9 on. Win7 seems to be fine with it. Both vista machines were totally up to date, btw.

Who Am I Really

Support for the OS itself ended. From the MS lifecycle pages: "Support for Windows 2000 ended on July 13, 2010." I haven't seen one update pushed since then. The products you speak of are still in support but are not part of win2K; they are separate standalone products.

pgit

Wouldn't ccleaner give you the option to uninstall earlier updates? If it does, it'd be the way to go, it'd handle the registry side for you at the same time.

Gis Bun

You mean SP3 - not SP1. Unsure why you are keeping all the updates. In the Win XP days, I'd routinely keep a couple of months' worth at the most. Anything before is deleted. If it hasn't caused a problem in 2 months, it won't just start now. Remember to remove the KB from the registry as well.

myers

Happily the fix is easy - go to Good luck

JCitizen

and distorted system explorer bad enough that I couldn't get to my files. It would simply crash and recover every time you tried anything like opening documents or accessing control panel. I made Microsoft spend nearly half a week, and an unGodly amount of hours, trying to troubleshoot it. Two system restores and a lot of expletives deleted later, the last technician finally figured out all you had to do was click the "Restore advanced settings" button on the "Advanced" tab in Internet Options!! Instant fix!! I had to repeat it for every profile on the PC, but no problems now! :-bd IE9 did break a lot of critical security add-ons, but they will be updated soon enough, I wager. Meanwhile I'm using FireFox until everything gets updated. I would give up on Internet Exploder if it weren't that it still is the only browser that resolves some web-page controls at some of my sites. Otherwise I'd abandon it. I gotta admit it does video (Silverlight) and high def images better than the competitors too. Chrome and FF are slower than the seven year itch on those factors. (edit) - I'm running Vista Home Premium x64 on that machine.

Gis Bun

So far I found a few sites that aren't compatible with IE9. So I'm using compatibility mode. I also dislike that they disabled the various [built in] bars like status and menu bars. You have to go and re-enable them after the install.

Justin James

"I assume the cynical joke would be "but ActiveX IS a 'malicious control!'" ...?" Yup. :) There really needs to just be a group policy controlled ActiveX whitelist... or if there is, I would love for someone to point me to it. You need ActiveX for Flash and similar plugins but you don't want users being able to run unknown controls... J.Ja
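The following PowerShell is an added example, not part of the post or of any comment in this thread. It ties together the MS11-027 kill bits described in the bulletin list above and the group-policy whitelist asked about in the comment just above: kill bits live under HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID} as a Compatibility Flags value with bit 0x400 set, and the Internet Explorer "Add-on List" policy (Administrative Templates > Windows Components > Internet Explorer > Security Features > Add-on Management) writes one value per CLSID under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID, which becomes a whitelist once "Deny all add-ons unless specifically allowed in the Add-on List" (RestrictToList) is also enabled. The script only reads the registry; the Shockwave Flash CLSID is used purely as an illustration of a control you would keep.

```powershell
# Added example (not from the original post). Reads, never writes: set the policy
# through Group Policy so it is enforced and re-applied, not by editing the registry.

$KillBitPaths = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'  # 32-bit IE on x64
)
$AddonRootPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext'
$AddonListPath = Join-Path $AddonRootPath 'CLSID'

# True if IE will refuse to instantiate the control (kill bit 0x400 in either registry view).
function Test-ActiveXKillBit {
    param([Parameter(Mandatory = $true)][string]$Clsid)
    $killed = $false
    foreach ($root in $KillBitPaths) {
        $key = Join-Path $root $Clsid
        if (Test-Path $key) {
            $flags = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'Compatibility Flags'
            if ($flags -ne $null -and (($flags -band 0x400) -ne 0)) { $killed = $true }
        }
    }
    return $killed
}

# What the Add-on List policy says about one control, combined with its kill-bit state.
function Get-ActiveXAddonPolicy {
    param([Parameter(Mandatory = $true)][string]$Clsid)

    $restrict = $false
    if (Test-Path $AddonRootPath) {
        $restrict = ((Get-ItemProperty -Path $AddonRootPath -ErrorAction SilentlyContinue).RestrictToList -eq 1)
    }

    # Policy values are REG_SZ strings: "1" allow, "0" deny, "2" allow but the user may disable it.
    $entry = $null
    if (Test-Path $AddonListPath) {
        $entry = (Get-ItemProperty -Path $AddonListPath -ErrorAction SilentlyContinue).$Clsid
    }

    if     ($entry -eq '1') { $state = 'Allowed by policy' }
    elseif ($entry -eq '0') { $state = 'Denied by policy' }
    elseif ($entry -eq '2') { $state = 'Allowed by policy, user may disable' }
    elseif ($restrict)      { $state = 'Denied (RestrictToList set and CLSID not on the Add-on List)' }
    else                    { $state = 'No policy; kill bits and user settings decide' }

    New-Object PSObject -Property @{
        CLSID               = $Clsid
        KillBit             = (Test-ActiveXKillBit -Clsid $Clsid)
        DenyAllUnlessListed = $restrict
        AddonPolicy         = $state
    } | Select-Object CLSID, KillBit, DenyAllUnlessListed, AddonPolicy
}

# Every CLSID that MS11-027 and its predecessors have kill-bitted on this machine.
function Get-KillBittedControls {
    foreach ($root in $KillBitPaths) {
        if (Test-Path $root) {
            Get-ChildItem -Path $root |
                Where-Object { ((Get-ItemProperty -Path $_.PSPath).'Compatibility Flags' -band 0x400) -ne 0 } |
                ForEach-Object { $_.PSChildName }
        }
    }
}

# Shockwave Flash, the control the comment above wants to keep; CLSID used only as an illustration.
Get-ActiveXAddonPolicy -Clsid '{D27CDB6E-AE6D-11cf-96B8-444553540000}' | Format-List
(Get-KillBittedControls | Measure-Object).Count
```

A kill bit wins over the Add-on List: a control that is both kill-bitted and "Allowed by policy" still will not load, which is the behaviour you want when a vendor's own control is the one being blocked by MS11-027.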

randyd@sji

I have had prior issues with the .NET updates with several systems running Win XP Pro 32 bit in an enterprise network via WSUS. WSUS does not allow you to remove them, or at least the old server did not (crashed and burned, starting from fresh now). So many MS updates have .NET updates again. The updates just would not install and kept coming back to nag users to install... again and again... Don't want to go around to 69 different systems and tell it not to remind me... again! What am I missing here?

mousebooster

Could you please give a short description of the whole Cleanup task on XP? (Files to delete, Registry keys / actions etc.) Thanks a lot. ;-)

robertr

The original OS was XP-SP1, but yes, I'm running SP3 and yes, I plan to rid my hard drive of these numerous patch restore files since SP1. Good point about the Registry, I have left them behind on another laptop so I should clean that out (as time permits).

pgit

Sounds like a nightmare. Maybe it'll be easier on win7 than it is on vista? (I hope) I only have 2 vista machines that I work on, that I can think of... minus the random home user types I occasionally work for. (I saw winME as recently as last fall, and have several one-task, isolated machines running win98!) I can test on my own primary use machine, it's dual boot with Linux and vista. I don't use the vista half much, but this sounds like a very opportune time to have it laying around. Thanks for putting up with the grief and finally coming up with the quick fix. I wonder if there are patches to address problems with IE9 like you've had in the works. Maybe it's worth waiting a month or two before going to IE9?

jams772

IE9 RC1 crashes as soon as you move from one TAB to another. I think we should wait for the RC2.

pgit

That's so simply logical you'd think there has to be such an animal. Could this be an opportunity for some coder to at least get their name in lights?

mousebooster

Thanks seanferd. After long studies I could find Tab Windows, Section Advanced, Checkbox Hotfix Uninstaller. In fact I do not really want to UNINSTALL (Rollback) the updates already made; my systems work well. I only would like to free Diskspace and Registry from obsolete Installation stuff. A terminology problem: is a simple "purge" the same as "Uninstall"? ;-|

seanferd

Tick the settings box that removes hotfix uninstallers.

robertr

Make sure you have "Hidden Files" shown. Look in C:\WINDOWS and you will see a list of folders like: $NtUninstallKB890175$ There should be a reference to each one of these in the registry. Service Pack Folders look like: $NtServicePackUninstall$

Justin James

IE9 got a full release a month ago, why are you still using the Release Candidate? J.Ja

pgit

I'll look into this SpywareBlaster, hadn't heard of this particular feature, a list of known ActiveX objects... There's so many anti-malware tools out there it's hard to know what they actually do. I've had a tendency to use the ones a lot of people have endorsed and ignore the rest. I've used mbam, superantispyware and microsoft security essentials. Definitely room for one more. And I'd imagine having a quick list of known-bad objects means those objects don't need to be scanned and hashed in order to compare signatures every time they're encountered, a bit of a resource saver, no?

JCitizen

at least it is a pretty good ActiveX blocker for known malicious ActiveX objects; and that would be SpywareBlaster. It has saved my bacon several times. It also has a hosts file, but that is weaker than NoScript or MVPS. A white list would be better for enterprise work.