Today was Microsoft Patch Tuesday, and Microsoft released 12 new security patches, addressing a total of 22 vulnerabilities. The patches address a variety of issues on Windows workstations and servers, including the obligatory OMG-install-now-or-suffer-unbelievable-pain critical patch to Microsoft Internet Explorer.
Most notable this month is a vulnerability in Internet Explorer (CVE-2010-3971, part of MS11-003) that was first disclosed back in December 2010. This is a fairly typical browser exploit, where an attacker must lure the unsuspecting victim to a specially-crafted web page. Users who are unlucky enough to get drawn into such a trap (perhaps via a clever email, instant message, Facebook link, or malicious banner add in an exploited site) are exploited behind the scenes, and the attacker is then free to install malware or take other actions.
Microsoft disclosed that there have been attacks in the wild exploiting this vulnerability since late December, and there has been speculation that Microsoft would be forced to release an out-of-band patch to address it. Thankfully, that wasn’t necessary. Microsoft has published some really interesting data showing how the onslaught against this vuln unfolded over time, and compared it with other recent vulns that did warrant the expense of an out-of-band patch. It’s worth a look, as it shows some of the though process that goes on behind the scenes in Microsoft’s threat research teams.
Another noteworthy item: today Microsoft released a non-security update that changes the behavior of AutoRun on Windows XP and other Windows OSs. AutoRun is a common vector used by malware to spread, generally via USB removable media; it was used to particular success by Conficker. Essentially, MS has disabled AutoRun on USB devices and other “non-shiny” media (CDs and DVDs continue to work as they always have). This is already the default behavior on Windows 7, and Microsoft’s data shows that Windows 7 hosts are ten times less likely to be infected than XP. This is a good move on Microsoft’s part, and it will be interesting to see what impact it has in the field.
McAfee’s protection for this month’s vulnerabilities is good:
- McAfee VirusScan's buffer overflow protection is expected to provide proactive protection against exploits of 8 out of 22 vulns.
- McAfee's Host Intrusion Prevention is expected to provide proactive protection against exploits of 8 out of 22.
- McAfee's Network Security Platform will very shortly have content to protect against exploits of 13 out of 22 new vulnerabilities.
- McAfee Vulnerability Manager and Policy Auditor will shortly have content to assess whether your systems are exposed to any of these new vulnerabilities.
Additional analysis is underway to determine the protection level to be expected by McAfee Application Control and Web Gateway. Keep an eye on the McAfee Threat Center for more details as they become available.