Microsoft is readying 17 security bulletins to address 64 vulnerabilities for its April security update, to be released Tuesday.
Nine of the fixes are rated “critical,” while the other eight have been deemed “important,” according to Microsoft's advance notification, released Thursday. The patches will address flaws in Windows, Office, Internet Explorer, Visual Studio, the .NET Framework and GDI+.
“The bug count is a whopping new record,” Andrew Storms, director of security operations for vulnerability management firm nCircle, told SCMagazineUS.com in an email Thursday. “My guess is we will find out that most of the bugs will be attributed to a single bulletin.”
Administrators should expect to see patches for several publicly known issues, including a vulnerability disclosed in January that is present in the MHTML (MIME Encapsulation of Aggregate HTML) protocol handler, used by applications to render certain types of documents. The flaw, rated important, has been abused in “limited, targeted attacks,” Microsoft said.
“This bug garnered a fair amount of attention, and Microsoft released a Fix It tool to thwart attacks,” Storms said. “I'm relieved this bug has finally been fixed. The longer it's out there, the more time attackers have to find other ways to exploit it.”
Microsoft is also planning a patch for a critical Windows Server Message Block (SMB) vulnerability, disclosed in February, that affects all versions of the operating system, Pete Voss, senior response communications manager at Microsoft Trustworthy Computing, said in a blog post Thursday.
The flaw could be exploited to cause a denial-of-service condition or to take complete control of an affected system, but Microsoft said it has not seen any attacks in the wild.