This week brings another Microsoft Patch Tuesday. Microsoft has released 8 new patches, addressing a total of 23 new vulnerabilities. None of them are especially concerning, although two are rated Critical by Microsoft, and the rest are rated Important. Overall, the patch volume this month is moderate, reflecting very similar patch rates to the previous 5 months or so. Three of the vulnerabilities had been disclosed in public forums (one vuln affecting Windows Media Center and two in Host Integration Server). None are being actively exploited in the wild at this time.
This month’s patches include the following:
- (MS11-075) Vulnerability in Microsoft Active Accessibility Could Allow Remote Code Execution (2623699)
- (MS11-076) Vulnerability in Windows Media Center Could Allow Remote Code Execution (2604926)
- (MS11-077) Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Remote Code Execution (2567053)
- (MS11-078) Vulnerability in .NET Framework and Microsoft Silverlight Could Allow Remote Code Execution (2604930)
- (MS11-079) Vulnerabilities in Microsoft Forefront Unified Access Gateway Could Cause Remote Code Execution (2544641)
- (MS11-080) Vulnerability in Ancillary Function Driver Could Allow Elevation of Privilege (2592799)
- (MS11-081) Cumulative Security Update for Internet Explorer (2586448)
- (MS11-082) Vulnerabilities in Host Integration Server Could Allow Denial of Service (2607670)
Most noteworthy this month is MS11-081, which patches 8 new vulnerabilities affecting various versions of MS Internet Explorer. None of these have been previously disclosed, and none are being actively exploited yet, but it’s interesting to consider the plight of IE for a moment. By any measure, MS IE is surely the most patched application on the planet, and has been for some time. You would think, eventually, researchers would have uncovered all the low-hanging fruit, and the rate of vulnerability disclosure would decrease as they move on to other applications. Here we are, 10 years after the release of IE6, and researchers are still discovering new security bugs in it (as well as v7, 8, and 9) at a rate that shows no sign of slowing. See below for a quarterly summary of IE6 vulns patched over the last 5 years:
This is not an indictment of IE. Any piece of complex code written by humans comes with its share of bugs. The data do show, however, that security researchers are still find IE to be an irresistible, juicy target. As new vulns are discovered and disclosed, it will also continue to be a major target for criminals. Wise enterprises take browser security seriously; technologies like web reputation (as seen in McAfee SiteAdvisor and HIPS) and code intent analysis (McAfee Web Gateway) can be very helpful in ensuring that users surf safely, even if the browser they’re using is imperfect.
Of the remaining vulns, 7 exist in various parts of the Windows OS itself (addressed by MS11-075, -077, -078, and -080), and will require broad distribution. The rest are in applications that generally do not see widespread deployments in enterprise environments (Windows Media Center, Forefront Unified Access Gateway, and Host Integration Server), and should not troubling to most organizations.
McAfee’s coverage for this month’s MS vulns is good:
- McAfee VirusScan's buffer overflow protection is expected to provide proactive protection against exploits of 7 out of 23 vulnerabilities this month (all issues in MS IE).
- McAfee Host Intrusion Prevention is expected to provide protection against exploits of 9 out of 22 vulnerabilities this month.
- McAfee's Network Security Platform has new signatures confirmed to protect exploits of 18 out of 22 vulnerabilities this month.
- McAfee Vulnerability Manager and Policy Auditor now have content to assess whether your systems are exposed to any of these new vulnerabilities.
Additional research is underway to determine coverage for McAfee’s Web Gateway, Application Control, and other countermeasures. As more details become available, you’ll find them on the McAfee Threat Center:
You might also be interested in subscribing to McAfee Labs Security Advisories, where you can get real-time updates via email.
Finally, I just need to point out that one of the vulns addressed by MS11-079 has the coolest name in recent memory: “Poisoned Cup of Code Execution”. I’m not sure what it means exactly, but I’m pretty sure my elfin paladin got one of those from an evil wizard after a World of Warcraft dungeon raid once. Nice to see that poetry is not dead in the world of vulnerability research.