This month Microsoft has released 11 updates, with four rated as critical and the remaining seven rated as important. At first glance, this looks like another large update release from Microsoft, similar to last month's massive release of 15 patches. However, if you are running a modern Microsoft platform (Windows 7 and Server 2008 and later) you will find that most of the updates rated as important only apply to older systems. The four critical updates need careful attention, and the Windows GDI component update will need some testing, but overall it looks like this month should be a little easier on your system administrators than last month.
MS15-032 -- Critical
The first update from Microsoft for this April Patch Tuesday is MS15-032, which attempts to resolve ten vulnerabilities in Microsoft Internet Explorer (IE) that at worst could lead to a remote code execution scenario. These security vulnerabilities, if exploited, could allow an attacker to gain the same privileges as the logged on user and affects all currently released and supported versions of IE. Like the many IE security updates released by Microsoft over the past year, this update includes a full update of all IE related files. As Microsoft has given eight of the ten security issues its second highest exploitability rating of "exploitation more likely" (Rating 1), this is a "Patch Now" update from Microsoft.
MS15-033 -- Critical
The second critical update for April is MS15-033, which attempts to resolve five reported security vulnerabilities in Microsoft Office 2007, Office 2010 and Office Web Apps Server 2010. Some of these issues may lead to another remote code execution scenario if a user opens a specially crafted Office file. Unlike the IE security issue, this vulnerability may allow an attacker to execute arbitrary code on the compromised system. In addition to attempting to resolve these vulnerabilities, Microsoft has also included a "defense-in-depth" update to the Office Mac 2011 client update. Add this to your standard update deployment effort.
MS15-034 -- Critical
The penultimate update from Microsoft for April is MS15-034, which relates to a remote code execution scenario if an attacker sends a specially crafted message using the popular Internet protocol HTTP to someone using any supported versions of Microsoft Windows 7, 8, 8.1, Server 2008 R2 and Windows Server 2012 R2. Microsoft has not published any mitigating factors for this vulnerability but has recommended that you can "Disable IIS kernel caching" until your systems are suitably updated. This update affects a single file (HTTP.SYS). This security vulnerability has a Microsoft exploitability rating of 1 (“exploitation more likely”) and in addition, a rarely allocated "permanent" status under its "Denial of Service" assessment. Giving these issues, I think that we will see more updates to this critical Windows component in the near future. Include this update in your standard patch deployment program.
MS15-035 -- Critical
The last update rated as critical for April Patch Tuesday is MS15-035, which also updates a single file (GDI32.DLL) in the attempt to resolve a single remote code execution vulnerability in the core Windows graphics component GDI. We have had a few updates to the Windows GDI component in the past (including MS13-096) and numerous updates to the Windows GDI+ component. Given the nature of this core Windows component, and the single but core Windows vulnerability that this update attempts to resolve, I might suggest that a thorough testing of your application portfolio is completed before a full deployment of this update.
MS15-036 -- Important
This first update from Microsoft rated as important for April is MS15-036, which attempts to resolve two reported vulnerabilities in Microsoft SharePoint and Microsoft Project Server. These vulnerabilities could lead to an elevation of privilege scenario, whereby an attacker could potentially use the compromised systems credentials to change or delete content and potentially inject malicious code in the victim's browser session. You may want to pay careful attention to this update -- it's massive. The heavily compressed download is almost 650 MB and the update manifest contains over twelve thousand updated files, most of which are XML, JS and ASPX (text files) which are not currently versioned. Rolling back from this update may be tough: Test this patch thoroughly before rolling out to your corporate SharePoint and Project server farms.
MS15-037 -- Important
The next important update for this April is patch MS15-037, which updates a single security vulnerability which could lead to an elevation of privilege scenario, where an attacker could run specially crafted applications in the security context of the local system account. This could result in the execution of arbitrary applications, viewing, changing or deleting data and most importantly the ability to create new local system level accounts (with full user privileges). This is a serious vulnerability that Microsoft has only rated as important as the latest systems (fully patched) are less vulnerable to this risk. If you are running an older version (or an un-patched version), this security issue would receive Microsoft's second highest exploitability warning of 1 (“exploitation more likely,” and probably with a corresponding update rating of critical). If you are behind in your patching, then this patch should be a top priority for your update team.
MS15-038 -- Important
MS15-038 addresses two vulnerabilities in the Windows Common Log Marshalling feature that could result in an elevation of privilege scenario, resulting in the same security privileges as the logged in user for all currently supported versions of Windows desktop and server platforms. In this case this issue relates to how Windows manages volatile memory into more permanent file system objects known as Marshalling Areas. The Windows Common Log feature has few statically linked files and therefore the update impact profile for this update should be pretty low. I would recommend that you deploy this update to the IT department first, as they are most likely to use applications that may have some hardwired or other deep-level dependency on the Windows Common Log system that may not behave well with this latest update.
MS15-039 -- Important
MS15-039 is rated as important by Microsoft as it deals with a potential security feature bypass scenario in Microsoft XML Core Services Version 3, if a user clicks on a specially crafted file. MSXML Version 3.0 is old and if you are worrying about this update, then you probably are running a very aged version of Windows XP, or IE6 or MDAC 2.7. If this is the case, you have many, many other worries. Please update your system -- MSXML Version 6 SP3 works really well. In fact, it may be time to move off of Windows XP. If you are on Windows 7 or later systems, you will not need to worry about this Microsoft update.
MS15-040 -- Important
MS15-040 only affects Windows Server 2012 R2 and it attempts to resolve an information disclosure related vulnerability in the Active Directory Federation Services feature in modern Windows Server platforms. This vulnerability could lead to unintentional information disclosure if a user does not log off their system properly, although the worst case scenario here is that the attacker could see information that the compromised user could view. You know -- I am not sure about this one. This could be one of those patches where everything goes fine (e.g. no reported problems) at HQ (if you live in the U.S) but then you have difficult-to-troubleshoot (i.e. time-consuming) support issues in your foreign branch offices. If you have a non US-English environment or foreign branch offices using Active Directory, I would create a test lab prior to deployment that incorporates at least one non-English language.
MS15-041 -- Important
MS15-041 is rated as important and attempts to resolve a single vulnerability in the ASP.NET framework that could lead to an information disclosure scenario. This vulnerability affects all versions of Microsoft .NET (Versions 1 to 4.5.2) and if exploited could lead to the exposure of sensitive information on all modern Microsoft desktop and server platforms. Microsoft has noted that only development servers are likely to be affected by this vulnerability (due to the relation of this vulnerability to verbose diagnostic and error messages) and that if you need to delay deploying this update, there is a work-around where you can suppress most error messages by putting the relevant server into "retail mode," which will suppress all error messages and fully mitigate this vulnerability. You can find more here. Include this update in your standard patch deployment effort.
MS15-042 -- Important
The final patch from Microsoft for April is MS15-042 which relates to a denial of service vulnerability in the Windows Hyper-V feature that could damage or stop the ongoing management of other virtual machines (VM's). This update only affects Windows 8.1 (x64) and Windows Server 2012 R2. Also, this update only affects the primary Hyper-V management function (VMMS.EXE) and its limited number of associated libraries (DLL's). The testing surface area for this update should be pretty small, and with some with testing should be included in your standard Microsoft Update deployment effort.