This week Microsoft released 13 patches, addressing a total of 22 new vulnerabilities. Two of the patches are rated critical by Microsoft (addressing issues in Internet Explorer and DNS Server). One additional patch (Visio) is also worth watching closely. Most of the vulns this month are fairly low in severity, leading to information disclosure, server crashes, or privilege escalation, but very little by way of code execution.
In addition to the MS patches, Adobe simultaneously released patches to much of their suite of software, including Shockwave Player, Flash Player, and others, making these busy times indeed.
The new MS patches included the following:
- (MS11-057) Cumulative Security Update for Internet Explorer (2559049)
- (MS11-058) Vulnerabilities in DNS Server Could Allow Remote Code Execution (2562485)
- (MS11-059) Vulnerability in Data Access Components Could Allow Remote Code Execution (2560656)
- (MS11-060) Vulnerabilities in Microsoft Visio Could Allow Remote Code Execution (2560978)
- (MS11-061) Vulnerability in Remote Desktop Web Access Could Allow Elevation of Privilege (2546250)
- (MS11-062) Vulnerability in Remote Access Service NDISTAPI Driver Could Allow Elevation of Privilege (2566454)
- (MS11-063) Vulnerability in Windows Client/Server Run-time Subsystem Could Allow Elevation of Privilege (2567680)
- (MS11-064) Vulnerabilities in TCP/IP Stack Could Allow Denial of Service (2563894)
- (MS11-065) Vulnerability in Remote Desktop Protocol Could Allow Denial of Service (2570222)
- (MS11-066) Vulnerability in Microsoft Chart Control Could Allow Information Disclosure (2567943)
- (MS11-067) Vulnerability in Microsoft Report Viewer Could Allow Information Disclosure (2578230)
- (MS11-068) Vulnerability in Windows Kernel Could Allow Denial of Service (2556532)
- (MS11-069) Vulnerability in .NET Framework Could Allow Information Disclosure (2567951)
Top-of-mind for most folks will be the new rollup patch for Internet Explorer (MS11-057), which addresses 7 distinct vulnerabilities, including two for which proof-of-concept code has been publicly released by security researchers. In several cases, these vulns allow an attacker to deliver a payload to a vulnerable user simply by luring the user to visit a malicious web page. IE continues to be the single most dangerous application on the typical user’s desktop, and smart organizations are using techniques like web reputation analysis (GTI) and behavioral detection to combat these threats in a proactive manner.
In addition to the IE vulns, there were a couple of serious issues disclosed in MS Visio (MS11-060), where an attacker could take over a user’s workstation by tricking them into opening a specially crafted Visio doc. While Visio is not as widely deployed as the core MS Office suite, it’s often used to organize highly sensitive data such as network diagrams and critical business processes. Vulns like this are tempting to downplay, but are tailor-made for use in targeted, APT-style attacks.
Of note on the server side, MS patched a pair of vulnerabilities in their DNS server (MS11-058). This patch has attracted a lot of attention, since a vulnerability in a widely used server process like DNS is an excellent candidate for an automated worm like Conficker or SQL Slammer. Fortunately, exploiting these vulnerabilities requires a configuration that is rarely used for Internet-facing DNS servers, making exploitation impossible for an external attacker in most circumstances. Even in the case of an internal attacker, MS reports that there are a number of technical issues around this vuln that make code execution unlikely in practice; exploits are much more likely to cause a denial of service. This patch merits a quick rollout, but it’s unlikely to lead to any sort of global Armageddon.
McAfee’s coverage for this month’s MS vulns is good:
- McAfee VirusScan's buffer overflow protection is expected to provide proactive protection against exploits of 3 out of 22 vulnerabilities this month.
- McAfee Host Intrusion Prevention is expected to provide protection against exploits of 8 out of 22 vulnerabilities this month.
- McAfee's Network Security Platform has new signatures confirmed to protect against exploits of 15 out of 22 vulnerabilities this month.
- McAfee Vulnerability Manager and Policy Auditor now have content to assess whether your systems are exposed to any of these new vulnerabilities.
- Additional research is underway to determine coverage for McAfee’s Web Gateway, Application Control, and other countermeasures.
As mentioned above, Adobe also released multiple security updates (including critical patches to Flash Player, Flash Media Server, Shockwave Player, and Photoshop) making this a particularly busy month. As more details become available, you’ll find them on the McAfee Threat Center.
You might also be interested in subscribing to McAfee Labs Security Advisories, where you can get real-time updates via email.