April’s Patch Tuesday (APT) coming your way

This month, Microsoft is releasing 17 bulletins to address 63 security vulnerabilities across a wide range of Windows products. Out of these vulnerabilities, 12 are rated critical and 51 important.

About half of these vulnerabilities are being patched with the MS11-034 bulletin. They all involve Elevation of Privilege vulnerabilities in the Windows kernel.

Elevation of privilege vulnerabilities have become far more popular with attackers as Windows 7 and the use of sandboxes have gained traction. These vulnerabilities could be used, for instance, to circumvent UAC and immediately give a program full administrative privileges without any warning.

With Microsoft’s newer products there has been something of a trend where the number of EoP vulnerabilities outweighs the number of Remote Code Execution vulnerabilities. This trend is likely to persist over the coming months.

Microsoft will also be releasing two advisories this month. One for Windows and one for Office.

The advisory for Windows affects the 64-bit versions of the 6.0 and 6.1 kernels – the Windows Vista and Windows 7 code bases respectively. This update addresses an issue in driver signing enforcement.
I think this advisory should have been pushed as a security update, as it involves some of the core integrity of the OS. As attacks have become more sophisticated, it’s become more obvious that integrity is crucial.
To not see Microsoft recognize this is rather surprising.

The Office advisory will be bringing “Office File Validation” to Office 2003 and 2007.

This feature is native to Office 2010 and determines whether an (older) Office document adheres to the file format specification. It will not allow malformed documents to be opened.
While this is obviously a good development, the feature doesn’t stop the recent Flash zero-days we’ve seen. After all, those simply use a legitimate Word feature rather than exploiting a bug in the file format.

Hopefully Microsoft will be able to back-port the Office 2010 sandbox at a later date, as the sandbox is able to stop the Adobe Flash zero-days.

With this release Microsoft is also finally fixing the MHTML vulnerability.
This vulnerability – CVE-2011-0096 – has been known for a while now and was seen in targeted attacks shortly after the previous patch Tuesday.

MS11-019 will address the SMB Browser vulnerability disclosed in February.

As always, we recommend applying these patches as soon as possible.
