Microsoft released nine security bulletins addressing 11 vulnerabilities on its September Patch Tuesday.
The bulletins contain four ‘critical’ and five ‘important’ updates that affect Windows, Office and Internet Information Server (IIS). Jason Miller, data and security team manager at Shavlik, called it ‘another big month for patching’: by last year's September Patch Tuesday Microsoft had released 49 new security bulletins, compared with 69 by this year's.
Commentators claimed that MS10-061 was the most crucial patch as it fixes the Stuxnet vulnerability. Wolfgang Kandek, CTO at Qualys, said: “In cooperation with Kaspersky and Symantec, Microsoft analysed samples of the Stuxnet malware and found that in addition to using the zero-day LNK vulnerability, addressed in August by MS10-046, it is using a second unknown vulnerability in the Windows print spooler to spread itself to other machines in the network.
“They further found two new unknown local vulnerabilities that the malware uses to gain the required admin privileges, if necessary. The use of two zero-day vulnerabilities shows a dedicated effort to make the malware succeed and remember this was the malware that had the password for the Siemens SCADA software embedded. MS10-061 fixes this second zero-day and is the most important patch of the month; it should be applied immediately.”
Andrew Storms, director of security operations at nCircle, said: “The Stuxnet worm continues to get plenty of attention from security researchers and one bulletin in today's release targets a secondary propagation methodology the worm is using. Unfortunately, worms are like zombies; you can't really kill them but you can make them weaker, and this patch does exactly that.”
Tyler Reguly, lead security engineer at nCircle, said: “MS10-061, which is currently being exploited by Stuxnet, is a welcome patch. Another nail in Stuxnet's coffin can only be a good thing, especially since my past experience working with residences at post-secondary institutions has left me with the knowledge that printer sharing is a common occurrence among students.”
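The print-spooler vector described above combines a running spooler, a shared printer and a missing update. The following PowerShell inventory script is an added example for administrators, not code from the article or from any of the vendors quoted; it assumes the bulletin's KB number is filled in from the MS10-061 advisory (placeholder below) and reports whether a host still carries that exposure.

```powershell
# Added defender inventory check (not from the article): does this host expose the
# attack surface that MS10-061 closes, i.e. a running Print Spooler with at least one
# shared printer, and is the bulletin's update installed?
# Assumption: replace KB_PLACEHOLDER with the KB number listed in the MS10-061 bulletin.
$bulletinKb = 'KB_PLACEHOLDER'

# Spooler service state (null if the service is not installed at all).
$spooler = Get-Service -Name Spooler -ErrorAction SilentlyContinue

# Printers that are shared on the network; these are what the worm needs to reach.
$sharedPrinters = Get-WmiObject -Class Win32_Printer | Where-Object { $_.Shared }

# Installed hotfixes whose ID matches the bulletin's KB.
$patch = Get-HotFix -ErrorAction SilentlyContinue |
    Where-Object { $_.HotFixID -eq $bulletinKb }

$report = New-Object PSObject -Property @{
    ComputerName   = $env:COMPUTERNAME
    SpoolerState   = $(if ($spooler) { $spooler.Status.ToString() } else { 'NotInstalled' })
    SharedPrinters = (($sharedPrinters | ForEach-Object { $_.ShareName }) -join ';')
    PatchInstalled = [bool]$patch
}

# Exposed only when all three conditions hold: spooler running, a share present, patch absent.
$exposed = ($report.SpoolerState -eq 'Running') -and
           ([bool]$sharedPrinters) -and
           (-not $report.PatchInstalled)
$report | Add-Member -MemberType NoteProperty -Name Exposed -Value $exposed

# Emit the finding; collect the output across hosts to prioritise patch deployment.
$report | Format-List ComputerName, SpoolerState, SharedPrinters, PatchInstalled, Exposed
```

Hosts that report Exposed = True are the ones to patch first, or to take off printer sharing until the update is deployed.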
Also highlighted was MS10-062, which fixes a critical vulnerability in the Windows MPEG-4 codec that allows an attacker who entices a user into playing a specially crafted video file to take control of the victim's machine. Kandek said that it is ranked as easy to exploit and could become part of the popular malicious exploit kits.
Miller said: “Viewing media formats is becoming more and more common for both work and home users. It is not safe to assume that media viewing only occurs at home and not on your network. Media file distribution can happen in many ways such as visiting a website that hosts malicious media files, viewing media files from a streaming server or opening the slapstick funny email attachment from your friends.”
In other patches, Miller highlighted MS10-064, which addresses a problem in Microsoft Outlook 2002, where opening a malicious RTF format document in the Outlook preview pane can lead to remote code execution.
Don Leatham, senior director of solutions and strategy at Lumension, pointed to MS10-065. He said: “This addresses a vulnerability in Microsoft's popular IIS and is rated as ‘important’ and has the lowest possible score on Microsoft's ‘exploitability’ ranking. Vulnerabilities in Microsoft IIS are always of high concern for the IT security community.”
Kandek said: “The majority of installed IIS servers will not be affected, but a check at Shodan shows that there are more than 30,000 servers that advertise running PHP under IIS; this update should be high on your list if you run this configuration.”
In conclusion, Leatham said: “This Patch Tuesday clearly demonstrates the fruit of Microsoft's efforts to make their latest platforms and products more secure and should encourage organisations to continue to move away from Windows XP and Windows Server 2003.
“These results show that organisations running Windows 7 and Server 2008 R2 are running much more secure environments and, as an added benefit, this Patch Tuesday will practically be a non-event for them. Organisations stuck on Windows XP and Server 2003 need to take a hard look at the cost and risk factors associated with staying on these dated platforms.”