Regular Release for Microsoft This April
April 13 is here and for Windows users, this means it is Patch Tuesday. According to the advance notification from Microsoft almost a week ago, the company will be releasing 11 bulletins to address 25 vulnerabilities, 11 of which have been dubbed “critical.” These vulnerabilities were found in Microsoft Office and Windows. Affected users could be exposed to remote code execution attacks if they leave their software unpatched.
Included in this Patch Tuesday release are patches for the following notable vulnerabilities:
- Vulnerability in VBScript Could Allow Remote Code Execution
- Vulnerability in SMB Could Allow Denial of Service
Trend Micro has documented these vulnerabilities in the following respective posts:
Adobe Automates Updates
The same day Microsoft’s patches are released, Adobe will also issue a patch that addresses several high-risk vulnerabilities found in Adobe Reader and Acrobat. The patch can be deployed without the user manually downloading and installing it. Adobe will release the patch alongside an automatic (silent) updater, which the company hopes will make downloading and patch deployment a breeze. The said updater can be used by Adobe Reader and Acrobat 9.3.2 and 8.2.2 users on both Windows and Mac OS X.
Windows users of the said software and versions can activate the silent updater by opening Preferences, selecting the Updater category, and choosing option 2: “Automatically download updates, but let me choose to install them.”
In 2009, ZDNet released an article about silent patching being the best solution to securing users’ Internet browsers. Please refer here for the complete article.
To Be Silent or Not to Be Silent
Security specialists, on the other hand, are not keen on advising silent patching as the best practice to adhere to for enterprise users. The need to have a scheduled patch release, for them, is still a must. “Patching in enterprises is a serious issue. Auto updates are generally not used by administrators because patching can make systems unstable, cause software to have compatibility and performance issues, and the like. They like to test updates first then patch systems in a phased manner,” says Trend Micro researcher Rajiv Motwani.
This is not to say that there are no positive points to silent updating. In fact, there are several. By simply letting the software quietly update itself once patches are available, users are not pulled away from their work to do something they consider tedious and time-consuming. Furthermore, auto updating also helps ensure that most users are secure at any given time.
However, Motwani stresses that there is a downside to it. He explains, “If a flaw is discovered in patching mechanisms and a malicious patch is somehow issued, more customers will be affected. An example was the recent bug in Adobe Download Manager (ADM) wherein any user having ADM could be forced to install software from Adobe’s website because of a design flaw.” More on the story on ADM here.
A security specialist commented that it is imperative that software companies disclose information regarding security holes found in their software for the sake of their customers.
“I hope Adobe continues to release security notifications/advisories so that administrators who do not use auto updates can properly prioritize patches. Also, they should continue to disclose the CVEs of all vulnerabilities being patched and none should be silently patched,” Motwani concluded.
Update as of April 14, 2010, 5:13 a.m. (GMT +8:00):
Microsoft released the security update that resolves the 25 reported vulnerabilities. Users are advised to download the updates in this security bulletin.
Update as of April 28, 2010, 3:00 p.m. (GMT +8:00):
Microsoft has rereleased MS10-025 to address a specific vulnerability found only on systems running Windows 2000 with a nondefault configuration of Windows Media Services. This bulletin addresses the flaw that allows remote code execution once an attacker sends a specially crafted transport information packet. Microsoft advised users running the said configuration to install the rereleased update.