April’s Patch Tuesday (APT) coming your way

This month, Microsoft is releasing 17 bulletins to address 63 security vulnerabilities across a wide range of Windows products. Out of these vulnerabilities, 12 are rated critical and 51 important.

About half of these vulnerabilities are being patched in the MS11-034 bulletin. All of them are Elevation of Privilege vulnerabilities in the Windows kernel.

Elevation of privilege vulnerabilities have become a lot more popular with attackers as Windows 7 and the use of sandboxes have gained traction. Such vulnerabilities can be used, for instance, to circumvent UAC and immediately give a program full administrator privileges without any prompt.

With Microsoft’s newer products there has been something of a trend in which the number of EoP vulnerabilities outweighs the number of Remote Code Execution vulnerabilities. This trend is likely to persist over the coming months.

Microsoft will also be releasing two advisories this month. One for Windows and one for Office.

The advisory for Windows affects the 64-bit versions of the 6.0 and 6.1 kernels – the Windows Vista and 7 code-base respectively. This update addresses an issue in driver signing enforcement.
I think this advisory should have been pushed as a security update, as it involves some of the core integrity of the OS. As attacks have become more sophisticated, it has become more obvious that integrity is crucial.
To not see Microsoft recognize this is rather surprising.

The Office advisory will be bringing “Office File Validation” to Office 2003 and 2007.

This feature is native to Office 2010 and determines whether an (older) Office document adheres to the file format specification. It will not allow malformed documents to be opened.
While this is obviously a good development, this feature doesn’t stop the recent Flash zero-days we’ve seen. After all, those simply use a feature of Word and not a bug.
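As an added illustration of the kind of structural check described above (example code written here, not Microsoft’s Office File Validation implementation), the following Python validates the Compound File Binary header that the older binary .doc/.xls/.ppt files use against a handful of constraints from the MS-CFB specification. The sample headers are constructed inline; note that a container which is structurally well-formed still passes even if it embeds active content, which is exactly why this kind of check does not address the Flash cases.

```python
import struct
CFB_SIGNATURE = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"   # magic of every legacy .doc/.xls/.ppt
HEADER_LEN = 512

def validate_cfb(data: bytes) -> list[str]:
    """Check a Compound File Binary header against MS-CFB; empty list means well-formed."""
    if len(data) < HEADER_LEN:
        return ["file is shorter than the 512-byte CFB header"]
    problems = []
    if data[:8] != CFB_SIGNATURE:
        problems.append("bad CFB signature")
    if data[8:24] != bytes(16):
        problems.append("header CLSID must be all zero")
    _minor, major, byte_order, sector_shift, mini_shift = struct.unpack_from("<5H", data, 24)
    if major not in (3, 4):
        problems.append(f"unsupported major version {major}")
    if byte_order != 0xFFFE:
        problems.append("byte order mark must be 0xFFFE (little-endian)")
    if sector_shift != {3: 9, 4: 12}.get(major):
        problems.append(f"sector shift {sector_shift} is invalid for major version {major}")
    if mini_shift != 6:
        problems.append("mini sector shift must be 6")
    (num_dir, num_fat, first_dir, _txn, mini_cutoff,
     _first_minifat, _num_minifat, _first_difat, _num_difat) = struct.unpack_from("<9I", data, 40)
    if major == 3 and num_dir != 0:
        problems.append("version 3 files must report zero directory sectors")
    if mini_cutoff != 0x1000:
        problems.append("mini stream cutoff must be 4096")
    if num_fat == 0:
        problems.append("no FAT sectors declared")
    if sector_shift in (9, 12):
        # sector N starts at (N + 1) * sector size because the header occupies sector -1
        end = (first_dir + 1) * (1 << sector_shift)
        if end > len(data):
            problems.append("first directory sector lies beyond the end of the file")
    return problems

def build_header(major=3, sector_shift=9, num_fat=1, first_dir=1) -> bytes:
    """Constructed minimal header for testing: one FAT sector at 0, directory at 1."""
    h = bytearray(HEADER_LEN)
    h[0:8] = CFB_SIGNATURE
    struct.pack_into("<5H", h, 24, 0x3E, major, 0xFFFE, sector_shift, 6)
    struct.pack_into("<9I", h, 40, 0, num_fat, first_dir, 0, 0x1000, 0xFFFFFFFE, 0, 0xFFFFFFFE, 0)
    struct.pack_into("<109I", h, 76, 0, *([0xFFFFFFFF] * 108))  # DIFAT: FAT sector 0, rest free
    return bytes(h)

# Constructed samples: a well-formed container and one declaring a bogus sector size.
SAMPLE_OK = build_header() + bytes(2 * 512)
SAMPLE_MALFORMED = build_header(sector_shift=7)
```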

Hopefully Microsoft will be able to back-port the Office 2010 sandbox at a later date, as the sandbox is able to stop the Adobe Flash zero-days.

With this release Microsoft is also finally fixing the MHTML vulnerability.
This vulnerability – CVE-2011-0096 – has been known for a while now and was seen in targeted attacks shortly after the previous Patch Tuesday.

MS11-019 will address the SMB Browser vulnerability disclosed in February.

As always, we recommend applying these patches as soon as possible.
