April 2010 – Patch Tuesday’s Vulnerability Analysis

April thus far has been a busy month for administrators tasked with applying updates.

As announced, Microsoft released 11 bulletins today: 8 RCEs, 1 DoS, 1 spoofing and 1 privilege escalation. Microsoft’s breakdown went along the lines of 5 critical, 5 important and 1 moderate. We here at SophosLabs see it slightly differently. We’ve only rated one of the bulletins as high (MS10-020), and the rest as medium (5) or low (5).

VMware released VMSA-2010-0006 on April 1st.

Tavis Ormandy publicly disclosed a Java zero day on April 9th: “Java Webstart Arbitrary Commandline Injection”.

(mitigation instructions available here)

Expected later today are Adobe’s quarterly ‘Patch Tuesday’ updates. Today’s Adobe updates should introduce the ability to automatically update Adobe Reader and Acrobat (on Windows, Mac and Unix versions). Users will have to manually enable this feature, as it’s reported that automatic updating will be disabled by default.

Although Apple hasn’t released anything so far this month, the end of March was a busy time for them: they released an OS X update on March 29th, QuickTime and iTunes updates on March 30th, and an AirPort Base Station update on March 31st.

You can find more information on this month’s Microsoft Advisories and Bulletins at the SophosLabs vulnerability analysis page.

If you’ve found our vulnerability posts to be valuable, or have some suggestions for how we can better serve you, please let us know at sophosblog@sophos.com.