April’s Patch Tuesday (APT) coming your way

This month, Microsoft is releasing 17 bulletins to address 63 security vulnerabilities across a wide range of Windows products. Out of these vulnerabilities, 12 are rated critical and 51 important.

About half of these vulnerabilities are being patched with the MS11-034 bulletin. They all involve Elevation of Privilege vulnerabilities in the Windows kernel.

Elevation of privilege vulnerabilities have gained a lot in popularity as Windows 7 and the use of sandboxes have been gaining traction. These vulnerabilities could be used for instance to circumvent UAC and immediately give a program full admin privileges without warning.

With Microsoft’s newer products there’s been somewhat of a trend where the number of EoP vulnerabilities outweigh the number of Remote Code Execution vulnerabilities. This trend is likely to persist over the coming months.

Microsoft will also be releasing two advisories this month. One for Windows and one for Office.

The advisory for Windows affects the 64-bit versions of the 6.0 and 6.1 kernels – the Windows Vista and 7 code-base respectively. This update addresses an issue in driver signing enforcement.
I think this advisory should have been pushed as a security update as it involves some of the core integrity of the OS. As attacks have become more sophisticated it’s become more obvious integrity is crucial.
To not see Microsoft recognize this is rather surprising.

The Office advisory will be bringing “Office File Validation” to Office 2003 and 2007.

This feature is native to Office 2010 and determines if an (older) Office document is adhering to the file format specification. It will not allow malformed documents to be opened.
While this is obviously a good development this feature doesn’t stop the recent Flash zero-days we’ve seen. After all, those are simply using a feature from Word and not a bug.

Hopefully Microsoft will be able to back-port the Office 2010 sandbox at a later date, as the sandbox is able to stop the Adobe Flash zero-days.

With this release Microsoft is also finally fixing the MHTML vulnerability.
This vulnerability – CVE-2011-0096 – has been known for a while now and was seen in targeted attacks shortly after the previous patch Tuesday.

MS11-019 will address the SMB Browser vulnerability disclosed in February.

As always, we recommend to apply these patches as soon as possible.

April’s Patch Tuesday (APT) coming your way

Your email address will not be published.



The SessionManager IIS backdoor

In early 2022, we investigated an IIS backdoor called SessionManager. It has been used against NGOs, government, military and industrial organizations in Africa, South America, Asia, Europe, Russia and the Middle East.

APT ToddyCat

ToddyCat is a relatively new APT actor responsible for multiple sets of attacks against high-profile entities in Europe and Asia. Its main distinctive signs are two formerly unknown tools that we call ‘Samurai backdoor’ and ‘Ninja Trojan’.

WinDealer dealing on the side

We have discovered that malware dubbed WinDealer, spread by Chinese-speaking APT actor LuoYu, has an ability to perform intrusions through a man-on-the-side attack.

APT trends report Q1 2022

This is our latest summary of advanced persistent threat (APT) activity, focusing on events that we observed during Q1 2022.

Subscribe to our weekly e-mails

The hottest research right in your inbox