April’s Patch Tuesday (APT) coming your way

This month, Microsoft is releasing 17 bulletins to address 63 security vulnerabilities across a wide range of Windows products. Out of these vulnerabilities, 12 are rated critical and 51 important.

About half of these vulnerabilities are being patched by a single bulletin, MS11-034. All of them are Elevation of Privilege vulnerabilities in the Windows kernel.

Elevation of privilege vulnerabilities have gained popularity as Windows 7 and the use of sandboxes have been gaining traction. Such vulnerabilities could be used, for instance, to circumvent UAC and immediately give a program full admin privileges without any warning to the user.

With Microsoft’s newer products there has been something of a trend where the number of EoP vulnerabilities outweighs the number of Remote Code Execution vulnerabilities. This trend is likely to persist over the coming months.

Microsoft will also be releasing two advisories this month. One for Windows and one for Office.

The advisory for Windows affects the 64-bit versions of the 6.0 and 6.1 kernels – the Windows Vista and Windows 7 code bases respectively. This update addresses an issue in driver signing enforcement.
I think this advisory should have been pushed as a security update, as it involves some of the core integrity of the OS. As attacks have become more sophisticated, it has become more obvious that integrity is crucial.
Not seeing Microsoft recognize this is rather surprising.

The Office advisory will be bringing “Office File Validation” to Office 2003 and 2007.

This feature is native to Office 2010 and determines whether an (older) Office document adheres to the file format specification. Malformed documents will not be allowed to open.
While this is obviously a good development, the feature does not stop the recent Flash zero-days we have seen. After all, those documents simply use a legitimate Word feature rather than a bug, so there is nothing malformed for the validation to reject.

Hopefully Microsoft will be able to back-port the Office 2010 sandbox at a later date, as the sandbox is able to stop the Adobe Flash zero-days.

With this release Microsoft is also finally fixing the MHTML vulnerability.
This vulnerability – CVE-2011-0096 – has been known for a while now and was seen in targeted attacks shortly after the previous Patch Tuesday.

MS11-019 will address the SMB Browser vulnerability disclosed in February.

As always, we recommend applying these patches as soon as possible.
