Microsoft yesterday released 16 security updates to address 24 vulnerabilities on its Patch Tuesday for June.
June's 16 security updates, the second largest of 2011 after April's update where 64 vulnerabilities covered 17 bulletins, addressed 34 vulnerabilities affecting Windows, IE, Office, SQL Servers and other products. Of the patches, nine have been rated as ‘critical' and seven have been ranked as ‘important'.
According to commentators, the first patches to be addressed should be those affecting Internet Explorer. Andrew Storms, director of security operations at nCircle, said that this is the first IE9 patch since it was released in April and it has to be uncomfortable for Microsoft to have to patch their brand new browser so quickly.
Wolfgang Kandek, CTO of Qualys, said: “We rank as the highest priority Microsoft bulletins MS11-050, which addresses 11 vulnerabilities in Microsoft Internet Explorer version 6,7, 8 and 9, and MS11-052, which patches VML, a markup language that is used mainly in Internet Explorer. Browser and plug-in vulnerabilities together have been the point of entry for many recent security incidents and is the main infection vector for mass malware such as Zeus and SpyEye.”
Joshua Talbot, security intelligence manager at Symantec Security Response, said: “The slew of Internet Explorer vulnerabilities presents a significant attack surface for cyber criminals to poke at. None of these are being exploited in the wild yet, but you can bet they will be in the near future.
“Given that at least one of the recent high profile data breaches exploited a similar previously patched vulnerability, these should be a high priority. Some IT administrators might also be feeling safe because they recently updated their systems to the new Internet Explorer 9, but with several critical vulnerabilities being patched in this the newest version of the browser, they should avoid being lulled away into a false sense of security.”
Jason Miller, manager of research and development at VMware, who recently acquired Shavlik, agreed with Kandek on prioritising MS11-050 and MS11-052. He said: “The first batch of security bulletins that need immediate attention all have web browsing to a malicious website as an attack vector. As this is the number one way to be exploited, these bulletins should be rolled out first.”
Miller also pointed to MS11-039, one of two updates affecting the Microsoft .NET Framework. “This bulletin fixes a vulnerability that could lead to remote code execution if a user browses to a web page containing malicious ASP.NET applications. In addition, malicious web pages hosting XBAP applications can also lead to remote code execution if browsed to with an unpatched .NET Framework. It is important to note that XBAP vulnerabilities are not commonly used as attack vectors to date,” he said.
Kandek looked at MS11-045 as another priority, as this fixes eight vulnerabilities in all versions of Excel, including for Mac OS X. Even though Microsoft ranks this as ‘important' because the end-user is required to open an attacker-provided file, Kandek said he believes that attackers have shown often enough that they have the skills to make opening the file enticing enough for end-users. He also said that other high priority bulletins are MS11-042 and MS11-043, which address critical flaws in the DFS and SMB clients on Windows.
Talking about MS11-043, Miller said: “This addresses a vulnerability with the SMB client on all supported operating systems. If an attacker can convince a user to make a SMB connection to a malicious SMB server, the attacker can gain full control of the user's machine. This attack is unauthenticated, meaning the attacker only needs to convince the user to make a connection to the malicious machine to gain full control of the target.
“Most home routers and firewalls block SMB connections externally to the internet but on an internal corporate network, a SMB connection is typically a business critical service that is not blocked by the firewall on the local system.”
In terms of exploits, Storms said that seven of the nine bulletins that are rated critical also come with an exploit index of one, indicating that it is very likely that an exploit will be developed within the next 30 days.
Kandek said: “The only bulletin with a known exploit in the wild is MS11-046, a local privilege escalation flaw in the ‘afd.sys' driver. IT administrators can check with their endpoint security providers for coverage, but should include this bulletin high on their to-do lists in any case, as it is only a matter of time until we see more attackers use malware taking advantage of this exploit to gain control of your workstations.”