April 2010 – Patch Tuesday’s Vulnerability Analysis
- Tuesday, April 13, 2010, 10:19
- Threat Research
April thus far has been a busy month for administrators tasked with applying updates.
As announced, Microsoft released 11 bulletins today: 8 RCEs, 1 DoS, 1 spoofing and 1 privilege escalation. Microsoft’s breakdown went along the lines of: 5 critical, 5 important and 1 moderate. We here at SophosLabs see it slightly differently. We’ve only rated one of the bulletins as high (MS10-020), and the rest as medium (5) or low (5).
VMware released VMSA-2010-0006 on April 1st.
Tavis Ormandy publicly disclosed a Java zero day on April 9th: “Java Webstart Arbitrary Commandline Injection”
(mitigation instructions available here)
Expected later today are Adobe’s quarterly ‘Patch Tuesday’ updates. Today’s Adobe updates should introduce the ability to automatically update Adobe Reader and Acrobat (on Windows, Mac and Unix versions). Users will have to manually enable this feature, as it’s reported that automatic updating will be disabled by default.
Although Apple hasn’t released anything so far this month, the end of March was a busy time for them, as they released an OS X update on March 29th, QuickTime and (continue reading...)