It’s happened again…another MS Patch Tuesday. This week MS released just 2 patches, addressing 3 new vulnerabilities in the WINS service and MS PowerPoint. You might recall that last month was a record bumper crop, so this month MS offers a nice reprieve. The new vulns are:


(MS11-035) Microsoft WINS Service Failed Response (2524426)

(MS11-036) Microsoft PowerPoint Memory Corruption RCE (2545814)

(MS11-036) Microsoft PowerPoint Buffer Overrun RCE (2545814)


The WINS vulnerability is the most concerning of the bunch.  It allows an attacker to remotely exploit a WINS server over the network without human involvement.  This kind of server vuln can be a big deal, as it could potentially serve as a wedge for an automated worm like Conficker in 2008-2009.  Thankfully, the risk associated with this one is reduced quite a lot as WINS has been largely phased out by most enterprises.  On top of this, WINS servers that are still deployed are typically buried deep in the data center, and are not available to be exploited by untrusted outsiders.


McAfee’s coverage for these vulns is about as good as it gets:


  • McAfee VirusScan's buffer overflow protection is expected to provide proactive protection against exploits of all 3 of this month’s vulnerabilities.
  • Ditto for McAfee's Host Intrusion Prevention…
  • …and McAfee's Application Control is expected to provide proactive protection across the board as well.
  • McAfee's Network Security Platform has new signatures confirmed to protect against exploits of all 3 of the new vulnerabilities.
  • McAfee Vulnerability Manager and Policy Auditor will shortly have content to assess whether your systems are exposed to any of these new vulnerabilities.


In short, we’ve got 100% coverage via multiple vectors, and more analysis is underway.  As more details become available, you’ll find them on the McAfee Threat Center.


One other interesting point is that MS has made some changes in how they report the risk associated with their vulnerabilities. In recent years MS has made some fundamental changes in their OS and many applications to make it harder for malware authors to get a foothold on a vulnerable system. These mitigations, such as Address Space Layout Randomization, tend to make the newer MS operating systems and applications less exposed than the older ones that lack these controls.


To reflect this improved resistance for their customers, MS has begun to report two different sets of “Exploitability Index” metrics: one for the latest version of the relevant OS or application, and one for the legacy versions.  Over the last 8 months, Microsoft’s data shows that their new mitigations would reduce or eliminate the risk associated with approximately 38% of the vulns they have patched.  This is a significant step in the right direction, although it’s clear that there will be room for security vendors like McAfee for a long time to come.


Until next month, happy patching!