This week brings us another Microsoft Patch Tuesday, and Microsoft released 16 patches addressing 34 new vulnerabilities. This is a fairly high volume of vulnerabilities, on the heels of a very light May, where MS released only 2 patches. This follows a pattern that MS has followed for the last year or so now, alternating months with light and heavy patch workloads. As far as I’m aware they have made no formal announcement that this is a policy, but the trend has gone on long enough that we can probably expect it to continue. If that holds true, July should bring a relatively light workload.
The bulk of the MS vulnerabilities this month were in two applications: Internet Explorer (11 vulns addressed in a single rollup patch, along with a couple other related singletons) and Excel (8 vulns patched). The rest of the patches resolved individual vulnerabilities in a wide range of Windows OS services and applications. Of the 34 vulns, 3 had been previously disclosed in public forums, and one of those has seen limited exploits in the wild (MS11-046). While several are identified as high priority, none stick out as especially worrisome.
On top of the MS vulns, this month also brought us Adobe’s quarterly patch release, including patches to Acrobat, Reader, Flash, Shockwave, and other Adobe applications. And this is after last week’s release by Oracle of critical patches to Java SE, and another critical zero-day Flash patch by Adobe. Adding all this together makes for a busy time ahead for operations staff, as they prioritize and roll out security patches to their endpoints. The Adobe vulns are most noteworthy when you consider that, according to the McAfee Labs Quarterly Threat Briefing, Adobe exploits outnumber MS exploits 100 to 1.
All is not entirely lost, however. In a blog entry on the MS Security Research Blog, Microsoft trumpets the successes of some of their security program efforts that went into the recently released IE 9. The new rollup patch MS11-050 addresses 11 distinct vulnerabilities in IE. Of these 11, IE 9 is at risk from only 4. Microsoft has put in considerable work removing deprecated insecure features and performing advanced security testing prior to the release of IE 9, resulting in a more secure browser. However, given that more than 10% of the world is still on IE 6, we can expect that it will be a while before IE 9 makes a significant impact on enterprise security.
McAfee’s coverage for this month’s MS vulns is good across the board:
- McAfee VirusScan's buffer overflow protection is expected to provide proactive protection against exploits of 18 out of 34 vulnerabilities this month.
- McAfee Host Intrusion Prevention is expected to provide proactive protection against exploits of 18 out of 34 vulnerabilities this month.
- McAfee's Application Control is expected to provide proactive protection against exploits of 19 out of 34 vulnerabilities this month.
- McAfee's Network Security Platform has new signatures confirmed to protect against exploits of 30 out of 34 vulnerabilities this month.
- McAfee Vulnerability Manager and Policy Auditor now have content to assess whether your systems are exposed to any of these new vulnerabilities.
Additional research is underway to determine coverage for McAfee’s Web Gateway and other countermeasures.
As more details become available, you’ll find them on the McAfee Threat Center. You might also be interested in subscribing to McAfee Labs Security Advisories, where you can get real-time updates via email.