Microsoft released 13 security bulletins addressing 22 unique vulnerabilities for its August Patch Tuesday update.
Of the 13 bulletins, two were rated as “critical,” nine as “important” and two as “moderate,” Microsoft said Aug. 9 in its Patch Tuesday notification announcement. The patches addressed bugs in both desktop and server versions of Microsoft Windows, Office, Internet Explorer, .NET and Visual Studio.
“Everything from Microsoft operating system kernel and networking components to their Microsoft Internet Explorer web browser and development products are impacted to patch information disclosure, denial of service, memory corruption, and elevation of privilege vulnerabilities,” wrote Kurt Baumgartner, a senior malware researcher at Kaspersky Lab, on the Securelist blog.
Administrators should prioritize the two critical updates fixing vulnerabilities in Internet Explorer and the Microsoft DNS server running in Windows Server 2003 and 2008 first, Angela Gunn, senior response communications manager at Microsoft Trustworthy Computing, wrote on the Microsoft Security Response Center blog on TechNet. Even though there are no exploits currently targeting the flaw in the wild, according to Gunn, the exploitability index on the IE issue is “1,” meaning a reliable exploit is expected soon. The DNS issue has an exploitability index of “3,” meaning an exploit is not expected within the next 30 days.
The Internet Explorer patch resolves five “privately reported” bugs and two publicly disclosed flaws in the Web browser, Gunn said. The most severe vulnerability would allow attackers to remotely execute code if the user viewed a specially crafted Website on an unpatched version of Internet Explorer. All versions of Internet Explorer, even IE6 and IE9, need to be patched.
The DNS Server patch fixes two vulnerabilities, of which the most severe one would result in remote code execution if the attacker sets up a malicious DNS server to send a specially crafted Naming Authority Pointer query to an unpatched server to obtain a DNS record. Windows servers that don’t have DNS turned on are not at risk, Gunn said.
The DNS vulnerability could result in a “complete system compromise,” said Joshua Talbot, security intelligence manager, Symantec Security Response. “Because no user interaction is needed, a vulnerable service simply needs to be up and running for the vulnerability to be exploited,” Talbot said.
“The fact that vulnerabilities such as these continue to be so common is one reason why web-based attacks are so prevalent,” Talbot said.
It’s rare, Talbot said, that half of all the vulnerabilities patched this month are “low-profile” issues relating to information disclosure and denial of service attacks.
The information disclosure flaws in Remote Desktop Web Access Login and Microsoft Chat Web control are cross-site scripting issues, said Wolfgang Kandek, CTO of Qualys. The issue in Report Viewer Web control could be used to reveal contents of files stored on the web server, Wolfgang Kandek, CTO of Qualys, said.
Microsoft also fixed a Data Access Components issue that would have allowed attackers to link an Excel file with a maliciously modified library located on the same network directory. When opened, the library would load and execute on the system with the same privileges as the user opening the Excel file. Another remote code execution flaw was patched in Visio this month.
For the Excel vulnerability, “we will be monitoring for related exploit inclusion in underground market exploit packs like BlackHole, NeoSploit and Phoenix,” Baumgartner said.
Even though Microsoft didn’t rate the denial of service issues in Windows Vista and Windows 7 patch as “Critical,” administrators should pay “special attention” to the MS11-064 bulletin, according to Andrew Storms, director of security at nCircle. Attackers can remotely reboot a Windows system by sending malicious TCP/IP packets, even if it is running a local firewall, according to Storms, adding that the bug used to be called the “ping of death” in the early 1990s.
“Although these are not remote code execution issues, they could be used in conjunction with other attacks or just for playing pranks,” said Kandek.