Yesterday was Microsoft Patch Tuesday, and as you may have heard by now, Microsoft broke another record by patching more new vulnerabilities than ever before. Today Microsoft released 17 patches, addressing a whopping 64 unique vulnerabilities. You can see from the chart below that MS has a habit of alternating between light patch months and heavy months, though this month (far right) is clearly a doozy by any measure.
While the volume of vulnerabilities this month is catching everyone’s attention, it’s worth noting that almost half of the vulns (30) are addressed by a single patch (MS11-034). These vulns were all reported privately to Microsoft by one particularly industrious researcher, and they represent 30 different instances of the same couple of root issues. So at the end of the day, the level of change and potential instability introduced by these patches is probably not as great as the raw numbers might imply.
The 30 vulnerabilities covered by MS11-034 allow an attacker to escalate their privileges in the Windows OS, after gaining an initial toehold into a compromised system. While it would be easy to discount the importance of these vulns, we have seen several significant APT-style attacks in the last year that rely heavily on privilege escalation (Stuxnet, Night Dragon, and the RSA APT attack, among others). It would clearly be wrong to dismiss these as unimportant.
There are other noteworthy patches in this month’s batch. MS11-018 addresses several vulnerabilities in MS Internet Explorer, which allow an attacker to install malware on a victim’s system if they can convince the user to click on a malicious link. Two of these have been reported by Microsoft to have been used in targeted attacks, and we’re glad to see them addressed. On top of this, you’ll find high priority patches to the Windows SMB client and server, .NET, the Windows DNS resolver, MS Excel and PowerPoint, and even WordPad. The variety and volume combine to make this a challenging month to be in patch operations.
As you would expect, the McAfee Labs team has been very hard at work analyzing the new vulnerabilities and mapping them to the protection offered by our products. In many cases we have proactive zero-day protection (for example, courtesy of VirusScan Buffer Overflow Protection). In many other cases the McAfee Labs team is able to augment our proactive protection with additional content to very quickly enhance our coverage. McAfee’s protection for this month’s vulnerabilities is good:
- McAfee VirusScan's buffer overflow protection is expected to provide proactive protection against exploits of at least 21 of this month’s vulnerabilities.
- McAfee's Host Intrusion Prevention is expected to provide proactive protection against exploits of 22 of the vulns.
- McAfee's Network Security Platform will very shortly have content confirmed to protect against exploits of 27 of the new vulnerabilities.
- McAfee Vulnerability Manager and Policy Auditor will shortly have content to assess whether your systems are exposed to any of these new vulnerabilities.
- Analysis is still underway for many other countermeasures, including Application Control.
Most of the vulns that are not covered by the countermeasures listed above are the 30 privilege escalation vulns addressed via MS11-034. These are vulns in low-level Windows kernel-mode drivers, which are out of scope for VSE, HIPS, and NSP. Additional analysis is underway to determine the protection level to be expected from other countermeasures, including McAfee Application Control, Firewall Enterprise, and Web Gateway. As this analysis continues, you can expect that coverage for App Control and other countermeasures will improve significantly. Keep an eye on the McAfee Threat Center for more details as they become available.