Microsoft addressed 34 security vulnerabilities across 16 security bulletins in June’s Patch Tuesday update. This will be Microsoft’s second-largest Patch Tuesday in 2011 after April’s gargantuan release.
Microsoft patched the Windows operating system, all supported versions of Internet Explorer, Microsoft Office, SQL Server, Forefront, .NET/Silverlight, Active Directory and Hyper-V, the company said in its Patch Tuesday advisory released June 14. Of the patches, nine have been rated as “critical,” and seven have been ranked as “important,” according to Microsoft.
Microsoft called out four critical updates as top priorities on the Microsoft Security Response Center blog. They include a fix for all versions of the SMB Client on Windows (MS11-043), 11 bugs in all versions of Internet Explorer (MS11-050), another Windows flaw (MS11-052) and two issues in the DFS client for all versions of Windows (MS11-042), according to Trustworthy Computing’s Angela Gunn.
“There’s going to be a lot of heavy lifting for IT administrators this month,” said Dave Marcus, director of security research and communications at McAfee Labs, noting that administrators will also have to evaluate and prioritize patches from Adobe and Oracle’s Java updates.
Microsoft expects to see a reliable exploit developed in the next 30 days for six of the critical bulletins and two important ones, Jonathan Ness wrote on the Security Research and Defense blog. The only vulnerability currently being exploited in the wild is an escalation of privilege flaw in the Ancillary Function Driver, rated as important, according to Ness.
Microsoft fixed 11 remote code execution vulnerabilities in Internet Explorer, versions 6 through 9 (MS11-050), and patched VML, a markup language used by the browser (MS11-052). Most of them were rated as critical.
Even though none of these vulnerabilities is currently being exploited in the wild, security administrators should make the IE patches a high priority, said Joshua Talbot, security intelligence manager for Symantec Security Response.
“The slew of Internet Explorer vulnerabilities presents a significant attack surface for cyber-criminals to poke at,” Talbot said, noting that “at least one” of the recent data breaches exploited a similar, previously patched flaw in IE.
Browser and plug-in vulnerabilities are also the main infection vector for Zeus and SpyEye Trojans, said Wolfgang Kandek, CTO of Qualys. Patching IE and applying the recent Java updates and expected Adobe Acrobat/Reader updates will allow IT administrators to “keep ahead of the ‘ExploitKit’ writers” and make their infrastructure more robust, Kandek said.
Combining an exploit targeting one of the IE remote code execution flaws with the existing escalation of privilege exploit for the Ancillary Function Driver could give an attacker complete system access, Talbot said. On its own, the IE flaws would give only user-level access on the compromised machine.
Administrators should also focus on the patch for Excel (MS11-045) addressing eight vulnerabilities in all versions of Excel, including Mac OS X. Microsoft rated it as “important” because the attack requires the user to open the malicious file, but recent breaches have proved that attackers can trick even the savviest users into opening up unknown documents, Kandek said. This is particularly the case for Excel, which is used overwhelmingly in business-related communication.
Microsoft patched a denial-of-service vulnerability in Hyper-V (MS11-047) on Windows Server 2008 and 2008 R2. An attacker with local administrator privileges on a guest virtual machine can exploit the flaw (CVE-2011-1872) to cause a resource exhaustion denial-of-service on the host, affecting all other virtual machines installed on that machine.
Microsoft also addressed the “cookie-jacking” vulnerability in HTML5 (MS11-037), rated as important, which would allow a malicious Website to steal cookies from users. There are no chances for direct code execution even though proof of concept code is publicly available, Ness said. McAfee said the vulnerability “should be a lesser concern.”
Even though the DFS and SMB client bugs are rated top-priority, many enterprise and perimeter firewalls and Internet service providers can block outbound ports 139 and 445, which would prevent Internet-based attacks, according to Ness. Even though it is possible to keep exposure low, administrators should schedule them as soon as possible, Kandek said.