Five of which rated Critical

Apr 14, 2010 14:33 GMT

Microsoft has released patches for no fewer than 25 vulnerabilities affecting various releases of Windows, Office and Exchange Server. In total, the Redmond company produced 11 security bulletins, which went live on April 13th, 2010 and are currently being served to customers worldwide through Windows Update. Jerry Bryant, group manager, Response Communications, underlined that three security bulletins should be considered a top priority for deployment: MS10-019, MS10-026, and MS10-027. This does not mean, however, that customers should not install the remaining patches offered this month as soon as possible.

“MS10-019 affects all versions of Windows. While we give this a 2 on the exploitability index, the issue would allow an attacker to alter signed executable content (PE and CAB files) without invalidating the signature. MS10-026 does not affect Windows 7, Windows Server 2008 R2, or Itanium versions of Windows Server 2008 and Windows Server 2003. However, it is critical on Windows 2000, XP, Server 2003 and Server 2008. The vulnerability could be triggered simply by visiting a web page hosting a specially crafted AVI file that began streaming when the page loads. MS10-027 affects only Windows 2000 and Windows XP users who could potentially be exploited simply by visiting a specially crafted web page,” Bryant explained.

One aspect worth mentioning is that Microsoft has taken extra care to make sure the April patch releases do not break users’ computers. A Windows kernel patch released in February caused PCs infected with the Alureon rootkit to crash with Blue Screen errors.

This month, Microsoft is offering another Windows Kernel update, MS10-021. This time around, however, the company has included detection logic for unusual conditions or modifications to the Windows Kernel binaries. According to Bryant, this will be the norm going forward for all Windows Kernel updates. If the update detects abnormal changes to the Windows Kernel binaries, it will produce an error message and fail to deploy. Customers can then use the information in the error message to resolve issues with their machines of which they might not have been aware.

Bryant provided a list with all the security bulletins released this week:

· MS10-019 addresses two vulnerabilities in Windows, has a maximum severity rating of Critical and an Exploitability Index rating of 2.

· MS10-020 addresses five vulnerabilities in Windows, has a maximum severity rating of Critical and an Exploitability Index rating of 2.

· MS10-021 addresses eight vulnerabilities in Windows, has a maximum severity rating of Important and an Exploitability Index rating of 1.

· MS10-022 addresses a vulnerability in Windows, has a maximum severity rating of Important and an Exploitability Index rating of 1.

· MS10-023 addresses a vulnerability in Office, has a maximum severity rating of Important and an Exploitability Index rating of 1.

· MS10-024 addresses two vulnerabilities in Exchange, has a maximum severity rating of Important and an Exploitability Index rating of 3.

· MS10-025 addresses a vulnerability in Windows, has a maximum severity rating of Critical and an Exploitability Index rating of 1.

· MS10-026 addresses a vulnerability in Windows, has a maximum severity rating of Critical and an Exploitability Index rating of 1.

· MS10-027 addresses a vulnerability in Windows, has a maximum severity rating of Critical and an Exploitability Index rating of 1.

· MS10-028 addresses two vulnerabilities in Office, has a maximum severity rating of Important and an Exploitability Index rating of 1.

· MS10-029 addresses a vulnerability in Windows, has a maximum severity rating of Moderate and an Exploitability Index rating of N/A.
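The list above is the kind of summary a patch-management team turns into a deployment order. The following script is an added example, not code from the article or from Microsoft: it parses the bulletin lines exactly as the article prints them (including the missing comma in the MS10-023 entry and the missing full stop in MS10-024), checks that the totals match the article's "25 vulnerabilities" and "five rated Critical", and produces a deployment ranking. The ranking rule (highest severity first, then the lowest Exploitability Index, N/A last) and the `prioritize` override that pins the bulletins Bryant named are assumptions made for illustration; note that the purely mechanical ranking would place MS10-025 ahead of MS10-019, which is why vendor guidance that accounts for affected platforms is applied on top of it.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Sequence

# Bulletin summary lines copied from the article's list (the page's own data,
# reproduced verbatim, quirks included).
BULLETIN_LINES = [
    "MS10-019 addresses two vulnerabilities in Windows, has a maximum severity rating of Critical and an Exploitability Index rating of 2.",
    "MS10-020 addresses five vulnerabilities in Windows, has a maximum severity rating of Critical and an Exploitability Index rating of 2.",
    "MS10-021 addresses eight vulnerabilities in Windows, has a maximum severity rating of Important and an Exploitability Index rating of 1.",
    "MS10-022 addresses a vulnerability in Windows, has a maximum severity rating of Important and an Exploitability Index rating of 1.",
    "MS10-023 addresses a vulnerability in Office has a maximum severity rating of Important and an Exploitability Index rating of 1.",
    "MS10-024 addresses two vulnerabilities in Exchange, has a maximum severity rating of Important and an Exploitability Index rating of 3",
    "MS10-025 addresses a vulnerability in Windows, has a maximum severity rating of Critical and an Exploitability Index rating of 1.",
    "MS10-026 addresses a vulnerability in Windows, has a maximum severity rating of Critical and an Exploitability Index rating of 1.",
    "MS10-027 addresses a vulnerability in Windows, has a maximum severity rating of Critical and an Exploitability Index rating of 1.",
    "MS10-028 addresses two vulnerabilities in Office, has a maximum severity rating of Important and an Exploitability Index rating of 1.",
    "MS10-029 addresses a vulnerability in Windows, has a maximum severity rating of Moderate and an Exploitability Index rating of N/A.",
]

NUMBER_WORDS = {"a": 1, "one": 1, "two": 2, "three": 3, "four": 4, "five": 5,
                "six": 6, "seven": 7, "eight": 8, "nine": 9, "ten": 10}
# Assumed ordering used for triage: lower rank deploys first.
SEVERITY_RANK = {"Critical": 0, "Important": 1, "Moderate": 2, "Low": 3}

# Tolerant of the optional comma before "has" and the optional trailing full stop.
LINE_RE = re.compile(
    r"^(?P<id>MS\d{2}-\d{3}) addresses (?P<count>\w+) vulnerabilit(?:y|ies) in "
    r"(?P<product>[\w ]+?),? has a maximum severity rating of (?P<severity>\w+) "
    r"and an Exploitability Index rating of (?P<ei>N/A|\d)\.?$"
)


@dataclass(frozen=True)
class Bulletin:
    bulletin_id: str
    product: str
    vuln_count: int
    severity: str
    exploitability: Optional[int]  # None where the index is listed as N/A


def parse_bulletin_line(line: str) -> Bulletin:
    """Turn one summary sentence into a Bulletin record; reject anything unexpected."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised bulletin line: {line!r}")
    token = m.group("count").lower()
    count = int(token) if token.isdigit() else NUMBER_WORDS[token]
    severity = m.group("severity")
    if severity not in SEVERITY_RANK:
        raise ValueError(f"unknown severity {severity!r} in {m.group('id')}")
    ei = m.group("ei")
    return Bulletin(m.group("id"), m.group("product"), count, severity,
                    None if ei == "N/A" else int(ei))


def parse_all(lines: Sequence[str]) -> List[Bulletin]:
    return [parse_bulletin_line(line) for line in lines]


def rank_bulletins(bulletins: Sequence[Bulletin]) -> List[Bulletin]:
    """Mechanical first pass (assumed rule): highest severity first, then the
    lowest Exploitability Index, with N/A sorted last; ties broken by id."""
    return sorted(bulletins, key=lambda b: (
        SEVERITY_RANK[b.severity],
        99 if b.exploitability is None else b.exploitability,
        b.bulletin_id))


def prioritize(bulletins: Sequence[Bulletin], pinned: Sequence[str]) -> List[Bulletin]:
    """Vendor deployment guidance overrides the mechanical ranking: bulletins
    named in `pinned` go first, in the given order; the rest follow ranked."""
    by_id = {b.bulletin_id: b for b in bulletins}
    head = [by_id[i] for i in pinned if i in by_id]
    tail = [b for b in rank_bulletins(bulletins) if b.bulletin_id not in pinned]
    return head + tail


def total_vulnerabilities(bulletins: Sequence[Bulletin]) -> int:
    return sum(b.vuln_count for b in bulletins)


def count_by_severity(bulletins: Sequence[Bulletin], severity: str) -> int:
    return sum(1 for b in bulletins if b.severity == severity)


if __name__ == "__main__":
    bs = parse_all(BULLETIN_LINES)
    print(f"{len(bs)} bulletins, {total_vulnerabilities(bs)} vulnerabilities, "
          f"{count_by_severity(bs, 'Critical')} rated Critical")
    for b in prioritize(bs, ("MS10-019", "MS10-026", "MS10-027")):
        ei = "N/A" if b.exploitability is None else b.exploitability
        print(f"{b.bulletin_id}  {b.severity:<9} EI={ei}  {b.product} ({b.vuln_count})")
```

Run as-is it prints the 11 bulletins in deployment order with the three bulletins Bryant singled out at the top; feeding it a different month's summary lines only requires that they follow the same sentence shape, and anything else is rejected rather than silently mis-parsed.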

Photo Gallery (4 Images): Windows Update; Deployment priority guidance; April 2010 Security Bulletins