Microsoft's October Patch Tuesday release addressed flaws in Internet Explorer, .NET Framework and Silverlight, Windows, Forefront UAG and Host Integration Server.
fixed 23 vulnerabilities across eight security bulletins as part of its October
Patch Tuesday release.
release resolved issues in Internet Explorer versions 6
through 9, all versions of Microsoft Windows from XP through 7, .NET and
Silverlight, Microsoft Forefront Unified Access Gateway and Host Integration
Server, Microsoft said Oct. 11. Two of the patches are rated "critical,"
and six are rated "important," Microsoft said.
recommended that organizations apply the Internet Explorer and .NET/Silverlight
patches first as attackers are likely to come out with a reliable exploit
within 30 days. Malware developers often reverse-engineer the patches after
they are released to develop exploits that target unpatched systems.
Lab senior security researcher Kurt Baumgertner said that reliable exploitation
will lead to remote code execution across a wide variety of Windows versions
because Internet Explorer and Silverlight are heavily used software clients.
would be surprising to not see related exploits added to packs and widely used
in attack attempts over the coming months," Baumgartner wrote on the Securelist
critical update for Internet Explorer fixed at least eight known security flaws
in all versions of Microsoft's Web browser, including the latest Internet
Explorer 9. The bugs were in the way IE handled objects in memory and the way
memory was allocated and accessed.
exploited, the bugs in Internet Explorer would expose the user to drive-by
download attacks just by merely browsing to a booby-trapped site, according to
Microsoft. The attacker can gain the same user rights as the user, but users
who have accounts with fewer user rights are likely to be less impacted than
those who have administrative rights.
browsers will be top priority because the vulnerabilities fixed with each
security bulletin release in browsers are top exploit targets for
attackers," Jason Miller, manager of research and development at VMware,
second critical update fixed a remote code execution flaw in .NET Framework and
Silverlight. Users could be compromised just by viewing a malicious page
specifically running XAML Browser Applications or Silverlight applications,
Microsoft said. The vulnerability would also allow remote code execution on a
server running IIS if that system allowed processing ASP.NET pages and
specially crafted ASP.NET pages are uploaded to the server and executed. The .NET
issue also affects Mac OS clients, according to Dave Marcus, director of
security research and communications at McAfee Labs.
.NET framework class inheritance vulnerability is "complex to
exploit" but can be exploited in a "number of ways," including
traditional downloads, drive-by-downloads and by hosting a malicious .NET
application, said Joshua Talbot, security intelligence manager at Symantec
fixed five privately reported vulnerabilities in Microsoft Forefront Unified
Access Gateway. The cross-site scripting vulnerability in Microsoft Forefront,
if exploited, will allow attackers to steal log-in credentials used for VPN
access and gain access to sensitive data. The patch for Microsoft Forefront
will likely affect the "smallest number" of organizations because
Microsoft generally doesn't have a big presence in corporate security
infrastructure, Marcus Carey, a security researcher at Rapid7, told eWEEK
has two bulletins to fix the DLL preload vulnerabilities in Windows Media
Center and Microsoft Active Accessibility. Microsoft has released a patch 17
times to close this issue in various programs since it was first identified Aug.
23, 2010, according to Miller.
this Patch Tuesday is fairly moderate. Three of the included vulnerabilities
have been previously disclosed, and there is an available proof-of-concept
code," Marcus said.
is often the last month in which administrators at financial and retail
organizations apply patches before going into "lock-down" mode for
the holiday shopping season, according to Andrew Storms, director of security
operations at nCircle. "Enterprise IT teams should get ready to pull out
all the stops," Storms said.