Last night saw Microsoft release 16 security bulletins to address 49 vulnerabilities, including five rated as critical.
Carlene Chmaj, security response senior communications manager at Microsoft, claimed that the large quantity of patches 'represents our commitment to provide predictable, high-quality updates as part of the service our customers get when they buy Microsoft products'.
Chmaj said: “Looking at the number and type of updates this month, we have a fairly standard number of bulletins affecting products like Windows and Office. This month we also have a few bulletins originating from product groups that we don't see on a regular basis. For example, SharePoint, the Microsoft Foundation Class (MFC) Library (which is an application framework for programming in Windows), and the .NET Framework. It's worth noting that only six of the 49 total vulnerabilities being addressed have a critical rating. Further, three of the bulletins account for 34 of the total vulnerabilities.”
Joshua Talbot, security intelligence manager at Symantec Security Response, commented that Microsoft has broken several of its own Patch Tuesday records this year, but this month far surpasses them all, particularly in the number of vulnerabilities that facilitate remote code execution. Jason Miller, data and security team leader at Shavlik Technologies, said that the 49 vulnerabilities will be alarming for IT administrators, but 26 of them are accounted for by two Microsoft Office updates and the Internet Explorer update, which covers 12.
Miller pointed out that with this new Patch Tuesday behind us, Microsoft has now released 86 new security bulletins this year so far, compared with 74 in 2009, 78 in 2008 and 69 in 2007. He said: “A common question asked is 'Why are there so many bulletins and vulnerabilities being released/updated by Microsoft?' There are a couple of factors that are coming into play for this.
“First, Microsoft is the grandfather of patching and has spent years refining their process to develop the mature patching process we see today. Second, Microsoft is working closer than ever with security researchers in their Coordinated Vulnerability Disclosure (CVD) program. By working with researchers, Microsoft is closing the gap on the time to release fixes for vulnerabilities found. This is a key factor that a lot of people have been asking for, so we shouldn't be too surprised that we are seeing an uptake in security bulletins.”
Miller claimed that there are two bulletins that administrators should be looking to patch immediately, the first being MS10-071, which is the bi-monthly cumulative update for Internet Explorer. He said: “This bulletin fixes 12 vulnerabilities. With the critical vulnerabilities in this bulletin, navigating to a malicious website can lead to remote code execution. With any web browser vulnerability, it is critical to patch them as soon as possible. One of the most common attack vectors for attackers is malicious websites that exploit unpatched browsers.”
The other patch he looked at was MS10-076, which affects Embedded OpenType fonts and can lead to remote code execution. “Like MS10-071, navigating to a malicious website with an unpatched system can result in remote code execution. The result of exploiting the vulnerability with this bulletin can vary depending on what operating system you are running. Newer versions of the Microsoft Windows operating system, Windows Vista and higher, have ASLR (address space layout randomisation) built in, which makes this vulnerability more difficult to attack,” he said.
In agreement was Wolfgang Kandek, CTO of Qualys, who also considered MS10-071 to be the most important patch, particularly as it has an exploitability index of one, indicating that Microsoft believes the vulnerability is relatively easy to exploit. Looking at MS10-076, he said: “This comes in as a close second in our ranking; it is a critical vulnerability in the way Windows handles fonts and can be triggered by a simple malicious web page without interaction from the user, making it a good candidate for a 'drive-by' infection campaign.”
Andrew Storms, director of security operations at nCircle, said: “The Internet Explorer bulletin, along with the Embedded OpenType bug fixes should make it to the top of the list for everyone because they can both be used for dangerous drive-by attacks. Consumers and corporate enterprise teams must make sure these patches get installed as quickly as possible.”
Storms also pointed to MS10-073, which patches one of the two remaining Stuxnet-related zero-day vulnerabilities. He said: “According to the Microsoft security research team in September, there were two outstanding elevation of privilege bugs being used by the infamous Stuxnet worm. We aren't out of the woods with Stuxnet yet since only one of these is being patched today as part of the MS10-073 bulletin.”
Talbot said: “Stuxnet uses the Win32 Keyboard Layout Vulnerability to gain administrator privileges on infected computer systems. This functionality ensures that none of the threat's malicious actions get blocked on targeted systems due to lack of permission.”
Another patch to claim the attention of researchers was MS10-077. Kandek said that this was the most interesting of the other critical vulnerabilities, as it has a server-side component. He said: “It is a vulnerability in the .NET Framework running under 64-bit versions of Windows and allows the attacker to take over the target computer. In addition to the client-side component, it is possible for the attacker to use this vulnerability on a server if it allows the upload of ASP.NET code. This is a plausible scenario in web hosting companies; they should patch as quickly as possible, given that the exploitability index is given as 'likely'.”
Miller said: “MS10-077 affects the .NET Framework and can lead to remote code execution by navigating to a malicious website on an unpatched system. It is important to note that this vulnerability only affects 64-bit operating systems. If your network contains mostly 64-bit operating systems, you will want to raise the criticality of this bulletin.”