Microsoft released five bulletins rated as "important" yesterday – its lightest Patch Tuesday of the year.
Pete Voss, from Microsoft's Trustworthy Computing group, said that, because nothing was rated "critical", none of the patches was given a level one deployment priority. However, Tyler Reguly, technical manager of security research and development at nCircle, said priority should be given to the Excel patch because Microsoft had accidentally released the patches early, last Friday.
Wolfgang Kandek, CTO of Qualys, said: “Out of the Patch Tuesday bulletins released today, top priority should be given to MS11-072, which fixes an arbitrary code execution vulnerability in Excel. It affects all versions of Excel including the most recent 2010 version.
“To exploit this issue, attackers could create malicious Excel files, which when opened on vulnerable hosts can take control of the system. Priority should also be given to MS11-073, which fixes a code execution vulnerability in Microsoft Office versions 2003, 2007 and 2010, including Microsoft Word. Attackers could use a malicious Word file (CVE-2011-1982) to execute code on victim machines.”
Jason Miller, manager of research and development at VMware, said: “MS11-073 addresses an issue with Microsoft Office. This vulnerability will be quite difficult for an attacker to exploit due to the user interaction required. Scenario one: An attacker entices a user to open an Office file located in a directory with a malicious DLL (this scenario would most likely have an attacker already on a corporate network in order to plant the malicious DLL).
“Scenario two: An attacker sends a malicious Office document and entices the user to save the file, and subsequently open the file in a directory that contains a malicious DLL. Both of these scenarios can be prevented if the Microsoft Office File Validation Add-in is installed. This feature was originally introduced in Microsoft Office 2010. Microsoft has since provided this defence-in-depth measure through an update.”
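Both of Miller's scenarios depend on the same on-disk layout: a DLL sitting in the directory from which an Office document is opened. The script below, an added example that is not from the article or from any of the vendors quoted, walks the user-writable folders where downloaded or saved documents usually land and reports every DLL that shares a directory with an Office document, together with its Authenticode status, so an unsigned DLL beside a .docx stands out. The folder list and the document extensions are assumptions for illustration; adjust them for the estate being checked.

```powershell
# Added example (not from the article or any quoted vendor): flag DLLs planted
# beside Office documents, the layout both DLL-preloading scenarios rely on.
# $Roots and $officeExt are assumptions; tune them for your environment.
param(
    [string[]]$Roots = @("$env:USERPROFILE\Downloads", "$env:USERPROFILE\Desktop", "$env:TEMP")
)

$officeExt = '.doc', '.docx', '.docm', '.xls', '.xlsx', '.xlsm', '.ppt', '.pptx', '.rtf'

function Find-PlantedDll {
    param([string[]]$SearchRoots)
    foreach ($root in $SearchRoots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        # Enumerate files only (PSIsContainer keeps this working on PowerShell 2.0),
        # then group by directory so a DLL is reported only where a document sits beside it.
        Get-ChildItem -LiteralPath $root -Recurse -ErrorAction SilentlyContinue |
            Where-Object { -not $_.PSIsContainer } |
            Group-Object DirectoryName |
            ForEach-Object {
                $docs = $_.Group | Where-Object { $officeExt -contains $_.Extension.ToLower() }
                $dlls = $_.Group | Where-Object { $_.Extension -ieq '.dll' }
                if ($docs -and $dlls) {
                    foreach ($dll in $dlls) {
                        # An unsigned or invalidly signed DLL next to a document deserves a closer look.
                        $sig = Get-AuthenticodeSignature -FilePath $dll.FullName
                        [pscustomobject]@{
                            Directory = $_.Name
                            Dll       = $dll.Name
                            Signature = $sig.Status
                            Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
                            Documents = ($docs | ForEach-Object { $_.Name }) -join ', '
                        }
                    }
                }
            }
    }
}

Find-PlantedDll -SearchRoots $Roots | Format-Table -AutoSize
```

A hit is not proof of an attack, since some installers and portable tools legitimately ship DLLs next to documentation files, but a DLL with `Signature` of `NotSigned` in a Downloads folder next to a freshly received .xlsx is exactly the pre-condition the quoted scenarios describe and is worth pulling for analysis.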
Kandek also highlighted bulletin MS11-071, which patches a DLL preloading issue affecting the deskpan.dll component in all versions of Windows. Miller, meanwhile, singled out MS11-070, the WINS elevation of privilege bulletin.
“Only Microsoft server operating systems are affected by this vulnerability (Windows 2003, Windows 2008, Windows 2008 R2). In order for an attacker to carry out an exploit, the attacker must have access and login credentials to the machine. Once on the machine, the attacker could send a malicious WINS request to the local loopback network address of the machine. This could result in elevation of privilege,” said Miller.
Microsoft has also issued a new update that adds six additional DigiNotar root certificates to the Untrusted Certificate Store. These are DigiNotar roots cross-signed by Entrust and GTE CyberTrust, which the earlier out-of-band update did not cover.
Andrew Storms, director of security at nCircle, said: “Microsoft is nuking more certificates related to DigiNotar, specifically ones that were cross-signed by other certificate authorities. Anything and everything associated with DigiNotar is getting purged.”
Kandek said: “The update revokes certificates signed by two Certificate Authorities, Entrust and Cybertrust, which issued certificates on behalf of DigiNotar. Today's update will revoke six more certificates issued by Entrust and Cybertrust on behalf of DigiNotar and will replace 2607712, released out-of-band last week. We will continue to monitor the other vendors as they implement these changes and will update this blog as they occur.”
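Once the update has been deployed, the verifiable fact is whether the DigiNotar entries, including the cross-signed ones, are actually present in the Untrusted (Disallowed) certificate store on each machine. The PowerShell below is an added example, not from the article, Microsoft or Qualys; it lists every Disallowed-store entry whose subject or issuer mentions DigiNotar and marks the cross-signed ones (those whose issuer is a different CA, here Entrust or GTE CyberTrust). The `DigiNotar` match pattern is the only assumption.

```powershell
# Added example (not from the article or any quoted vendor): confirm that the
# DigiNotar certificates, including the six cross-signed roots, are in the
# Untrusted (Disallowed) store. $Pattern is an assumption; it matches the CA
# name as it appears in the certificates' subject and issuer fields.
function Get-DigiNotarBlocklist {
    param([string]$Pattern = 'DigiNotar')
    # Check both the machine-wide and per-user Disallowed stores; the update
    # populates the machine store, but a user store entry would also block a chain.
    foreach ($store in 'Cert:\LocalMachine\Disallowed', 'Cert:\CurrentUser\Disallowed') {
        Get-ChildItem -Path $store -ErrorAction SilentlyContinue |
            Where-Object { $_.Subject -match $Pattern -or $_.Issuer -match $Pattern } |
            ForEach-Object {
                [pscustomobject]@{
                    Store       = $store
                    Subject     = $_.Subject
                    Issuer      = $_.Issuer
                    # A self-signed root has Subject == Issuer; anything else here
                    # is a DigiNotar root cross-signed by another CA.
                    CrossSigned = ($_.Subject -ne $_.Issuer)
                    NotAfter    = $_.NotAfter
                    Thumbprint  = $_.Thumbprint
                }
            }
    }
}

$blocked = @(Get-DigiNotarBlocklist)
$blocked | Format-Table Store, CrossSigned, Issuer, Thumbprint -AutoSize

$crossSigned = @($blocked | Where-Object { $_.CrossSigned })
if ($crossSigned.Count -eq 0) {
    Write-Warning 'No cross-signed DigiNotar entries found: the September update replacing 2607712 does not appear to be applied.'
} else {
    Write-Host ("{0} DigiNotar entries blocked, {1} of them cross-signed." -f $blocked.Count, $crossSigned.Count)
}
```

Run it from an elevated prompt so the LocalMachine store is readable, and treat the cross-signed count as the signal: the self-signed DigiNotar roots were already blocked by last week's out-of-band update, so their presence alone says nothing about whether this week's replacement has landed.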
Elsewhere, Skype has announced support for Windows 8, while Adobe released patches for critical vulnerabilities in its Acrobat and Reader products.