Microsoft patches critical Internet Explorer and Stuxnet vulnerabilities with heavy load on Patch Tuesday

News by Dan Raywood

Microsoft rounded off 2010 with the release of 17 bulletins addressing 40 vulnerabilities on yesterday's Patch Tuesday.

As revealed by SC Magazine last week, this release addressed vulnerabilities in Microsoft Windows, Office, Internet Explorer, SharePoint Server and Exchange. Only two of the bulletins carry a critical rating, while 14 are rated important and one is rated moderate.

Angela Gunn, senior marketing communications manager at Microsoft, said that it had assigned its highest deployment priority to the two critical bulletins in Internet Explorer and Windows' OpenType Font driver, although she recommended that customers deploy all updates as soon as possible.

“The other 15 bulletins this month carry lower severity ratings, including MS10-092, the bulletin that closes out the last known vulnerability exploited by the Stuxnet malware. We are also releasing updated Malicious Software Removal Tool signatures this month. The MMPC blog goes into detail on QakBot, the subject of this month's update,” she said.

Alan Bentley, SVP International at Lumension, commented that the two critical Microsoft updates, MS10-090 and MS10-091, will take priority, not purely for their critical rating but for the high-profile vulnerabilities they address.

He said: “MS10-091 is closing the Stuxnet vulnerability which has plagued thousands of businesses worldwide, whilst the MS10-090 addresses the Internet Explorer ‘Uninitialized Memory Corruption Vulnerability - CVE-2010-3962’ which left users exposed to ‘drive-by’ hacks and was surprisingly neglected in last month's patch cycle.”

Joshua Talbot, security intelligence manager at Symantec Security Response, said that the most notable patch this month is MS10-091. He said: “The Task Scheduler issue allows a regular user to schedule a task that will run with elevated privileges, allowing the newly created task full access to the system. This could lead to a complete compromise of the affected computer. Symantec has also seen two additional threats recently begin leveraging this vulnerability.”

However, Jason Miller, data and security team leader at Shavlik Technologies, said that the first bulletin that needs to be addressed is MS10-090, as it addresses seven vulnerabilities in Internet Explorer.

“One of the vulnerabilities, as explained in Microsoft Security Advisory 2458511, is being actively exploited in the wild. Over the weekend, Microsoft saw an uptick in attacks against the vulnerability. With any security bulletin that is being actively attacked it is critical that you deploy this to your network immediately,” he said.

Commenting on MS10-091, he said this was also worth addressing immediately, as it fixes an issue in the OpenType Font Driver: if a user views a shared folder that contains a malicious OpenType font file, an attacker could run code in the Windows kernel.

He said: “In order for a successful exploit, an attacker must convince a user to open a share that contains a malicious OpenType font file. If the folder has thumbnail view set, no user interaction is required for a successful exploit. If the folder has any other folder view set (such as detail), the user must open the malicious file to be exploited.”

In agreement was Andrew Storms, director of security operations at nCircle. He said: “The most important bug this month is clearly the IE update that includes a fix for the outstanding zero-day bug discovered in early November. With more and more people shopping online this time of year, it is important for everyone to patch their browsers.”

Looking at bulletin MS10-105, Wolfgang Kandek, CTO at Qualys, said that this fixes a flaw in the graphics filters of Microsoft Office, which can be used to take control of the targeted machine if a user opens a specifically crafted input file. “Attackers have specialised in the delivery of malicious files through email and web downloads and MS10-105 should be high on the priority list as well,” he said.

He also pointed to MS10-092 as another interesting fix, as it is the last patch for the Stuxnet family of vulnerabilities following MS10-046, MS10-061 and MS10-073. He said: “MS10-092 addresses a flaw in the Task Scheduler that can be used by a local user to gain system privileges and applies only to Windows Vista, Windows 7 and Windows 2008.”

Looking at the other bulletins, Miller said: “Five of the bulletins released today address a common issue, but each bulletin affects different components. All five bulletins (MS10-093, MS10-094, MS10-095, MS10-096, and MS10-097) address the Insecure Library Loading issue identified in August by Microsoft. This issue was detailed in Microsoft Security Advisory 2269637.”

When the advisory was released, Microsoft announced that patches would follow for any affected products it found. Miller said it is not surprising that these five bulletins were released, although Microsoft is still finding products affected by this vulnerability. “If you have applied the workaround detailed in the Microsoft knowledge base article 2264107, machines on your network cannot be attacked by this vulnerability. It is still important though to apply any security patches that vendors release,” Miller said.

Kandek said: “While these fix specific Microsoft products (similar to MS10-083), we recommend applying the patch and workarounds described in this Knowledgebase article.”

Tyler Reguly, technical manager of security research and defense at nCircle, said: “Sharepoint and Exchange were both covered in the advanced notification and I was curious about the vulnerabilities they covered. Now that I've seen the descriptions, it turns out they are not very interesting. I was happy to see most of the issues in this patch were not that serious; this is very good news for all Microsoft users.”

Bentley said: “This final bumper patch load of the year is reflective of the more rigorous effort we are now seeing from the industry as a whole to identify and address vulnerabilities. Whilst the hacking community is not going to take a break any time soon, this more concerted effort to plug the gaps should certainly be of some comfort to businesses and government organisations as we move into 2011 and threat levels continue to evolve.”

