Hello all,

 

It’s here again…this week brings us another MS Patch Tuesday.  This week Microsoft released 4 new patches, addressing a total of 22 vulnerabilities.  Only 1 of the 22 vulnerabilities is rated critical, and even that one has some pretty serious limitations that limit its usefulness to the bad guys.  On top of that, no other noteworthy vulns have been announced by other vendors such as Adobe or Apple.  July 2011 shouldn’t be causing anyone any significant heartburn from a patching perspective.

 

Before we get into this month’s specifics, mid-year is a good time to take stock of where we are in general.  After a slow start, 2011 is once again shaping up to be the most prolific year in history for Microsoft vulnerabilities, due largely to the April bumper crop.  Job security for all!

 

[chart072011.gif: chart of Microsoft vulnerability counts by year, 2011 year to date]

 

As for this month, the vuln that is most interesting is a Bluetooth vulnerability in Vista and Windows 7 (MS11-053).  In theory, it allows an attacker to sneak up behind you while you’re enjoying a café latte in your neighborhood coffee shop, beam a few malicious Bluetooth packets your way, and take over your box.  In practice, a bad guy would need some fairly expensive equipment, or a few hours, to actually pull this off, and even then they’re more likely to crash your box (an annoying DoS) than to actually succeed in running their own code.  In short, it’s probably easier for them to simply grab your laptop and run.

 

Beyond this, we have a few lower-criticality patches:

 

  • MS11-055 addresses a DLL-preloading vulnerability in MS Visio, which allows an attacker to execute malicious code on your workstation if they can convince you to save a properly-crafted Visio document into a directory that also contains an attacker-supplied DLL and open it from there.  This vuln has been known publicly since August 2010, but as far as we’re aware, has not been leveraged for any real mischief.

 

  • MS11-054 addresses 15 different privilege escalation vulnerabilities in the Windows kernel-mode drivers.

 

  • MS11-056 addresses 5 additional privilege escalation vulnerabilities in the Windows Client/Server Run-time Subsystem (CSRSS).
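As an added illustration (not part of the original post, and not a McAfee tool), the following Python script looks for the precondition MS11-055 needs: a Visio document sitting in the same folder as a DLL. It walks a directory tree and reports every such pairing; here it runs against a small sample tree it builds itself (a constructed example), but in practice you would point it at a file share or a downloads folder. The Visio file extensions and the sample file names are assumptions made for this example.

```python
"""Find Visio documents that share a folder with a DLL (MS11-055 precondition).

MS11-055 is a DLL-preloading (binary planting) bug: opening a Visio document
from a directory that also holds an attacker-supplied DLL can get that DLL
loaded by Visio.  This scanner flags exactly that condition so the folders
can be reviewed.  The extension list and sample tree are assumptions made
for this example; it is not code from the original post.
"""
import os
import tempfile
from pathlib import Path

# Assumed set of Visio document extensions (binary and XML formats).
VISIO_EXTENSIONS = {".vsd", ".vss", ".vst", ".vdx", ".vsx", ".vtx"}


def find_colocated_dlls(root):
    """Return a sorted list of (document_path, [dll names]) for every Visio
    document whose directory also contains at least one .dll file."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        dlls = sorted(f for f in filenames if f.lower().endswith(".dll"))
        if not dlls:
            continue  # no DLL here, so nothing for Visio to preload
        for name in filenames:
            if Path(name).suffix.lower() in VISIO_EXTENSIONS:
                findings.append((os.path.join(dirpath, name), dlls))
    return sorted(findings)


def build_sample_tree(base):
    """Constructed sample: one risky folder (document + DLL) and one clean
    folder (document + harmless text file)."""
    risky = Path(base) / "share" / "diagrams"
    clean = Path(base) / "share" / "archive"
    risky.mkdir(parents=True)
    clean.mkdir(parents=True)
    (risky / "network.vsd").write_bytes(b"")   # document a user might open
    (risky / "planted.dll").write_bytes(b"")   # attacker-supplied library
    (clean / "old.vsd").write_bytes(b"")
    (clean / "notes.txt").write_bytes(b"")
    return base


def demo():
    """Scan the constructed sample tree; return findings as (file name, dlls)."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        findings = find_colocated_dlls(tmp)
        return [(Path(doc).name, dlls) for doc, dlls in findings]


if __name__ == "__main__":
    for doc, dlls in demo():
        print(f"{doc}: DLL(s) in the same folder -> {', '.join(dlls)}")
```

A hit is a review item, not proof of exploitation: a DLL next to a document is only dangerous if it carries a name Visio tries to load and cannot find in its own directory or the system directories. The real fix is the patch; the scan just tells you where an unpatched client is most likely to be caught.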

 

This month’s vulnerabilities are a bit of an odd batch, with an unusually high proportion of host-based privilege escalation vulns.  Their impact is limited, as they require an attacker to first obtain at least limited access to a target system.  While none of these represents a serious imminent threat, they are also difficult to mitigate with countermeasures such as Host and Network IPS.  Only the Visio vuln (MS11-055) has a network vector associated with it (the crafted document and DLL arriving over the wire), and McAfee’s Network Security Platform introduced a signature in August 2010 to detect and block exploits.

 

As for the rest, McAfee Labs is still performing analysis, but at this point it does not appear that we have additional countermeasures that are effective against exploits of this month’s vulns.  The one bright spot should be McAfee Application Control.  While AC might not be able to stop the privilege escalation exploits themselves, it very likely can prevent the attacker from gaining an initial foothold in the first place, as well as prevent any additional payload from executing after the attacker has gained enhanced privileges.

 

As more details become available, you’ll find them on the McAfee Threat Center.  You might also be interested in subscribing to McAfee Labs Security Advisories, where you can get real-time updates via email.

 

Happy patching!

 

Scott