Microsoft Security Bulletins for April 2008

Another “Super Tuesday” patched this week but I just got around to firing up my Windows VM’s today (actually it’s been about 12 days since I’ve been in Windows). There were ten updates waiting for me on Windows Vista and eight on Windows XP Home, although not all were security related.

This month’s updates included:

KB945553 (MS08-020) – Vulnerability in DNS client could allow spoofing. This is rated as “Important” for all supported desktop OS’s except Windows Vista SP1, which doesn’t need the update.

KB948590 (MS08-021) – Vulnerability in GDI could allow remote code execution. This is rated as “Critical” for all supported desktop OS’s.

KB944338 (MS08-022) – Vulnerability in VBScript and JScript Scripting Engines Could Allow Remote Code Execution. This is rated as “Critical” for all desktop OS’s except Windows Vista, which doesn’t need the update.

KB948881 (MS08-023) – Critical security update for ActiveX killbits. This is required for all supported desktop OS’s, although the severity ranges from “Important” to “Critical”.

KB947864 (MS08-024) – Cumulative security update for Internet Explorer. As expected, all supported versions of IE get the update and all are rated “Critical”.

KB941693 (MS08-025) – Vulnerability in Windows Kernel could allow elevation of privileges. This one has an “Important” rating for all supported desktop OS’s.

There were also some security patched for applications. MS08-018 patches a Project vulnerability while MS08-019 patches a vulnerability in Visio. I don’t run either Project or Visio so I didn’t install the updates.

The Malicious Software Removal Tool, Junk Email Filter update (Vista only, in my case at least) and Windows Defender definition updates were also included.

I also received KB938371 (on my Vista SP1 vm) which is an updated needed to add or remove Vista SP1. Since I received Vista SP1 successfully I already had some of the components. According to the bulletin Vista SP1 install “will only install the new components in this rereleased update.”

Non-security related patches included an update to Live Writer and a optional Group Policy patch. For some reason my Windows XP Home installation also received .NET 2.0 SP1 although it appears that it was released back in December and I installed the base .NET 2.0 in early January, two patch Tuesday’s ago.

As expected, a reboot was required. So far I haven’t encountered an differences or problems since applying the updates.