Microsoft released its heaviest Patch Tuesday in recent memory, with 14 bulletins covering 34 vulnerabilities.
With the out-of-band patch for the Windows shortcut vulnerability released last week, IT administrators face a busy time with 15 patches ready to be applied.
Microsoft said that it considered four bulletins to be the most important: MS10-052, which resolves a vulnerability in Microsoft's MPEG Layer-3 audio codecs; MS10-055, which resolves a vulnerability in the Cinepak codec used by Windows Media Player to support the .avi audiovisual format; MS10-056, which resolves four privately reported vulnerabilities in Microsoft Office; and MS10-060, which resolves two privately reported vulnerabilities, both of which could allow remote code execution in Microsoft .NET Framework and Microsoft Silverlight.
Alan Bentley, SVP international at Lumension, said: “As always, the initial priority for IT administrators should be the nine critical vulnerabilities, but the remaining important and moderate patches must not be ignored. In today's environment, the combination of lesser impact vulnerabilities with critical vulnerabilities can provide a greater chance of success for cyber criminals.”
Tyler Reguly, lead security engineer at nCircle, said: “While most people are likely to focus on the vulnerabilities affecting media files, I'm actually leaning toward MS10-060 as being the most interesting bulletin this month. Silverlight is still a relatively new technology and from an end-user experience, I've been a fan of it so far. As a researcher, this month's release gives me a chance to dig into it a bit more.
“It will be interesting to see which of these issues, eight of which are rated critical, will make it into existing exploit frameworks and which are ignored. Given the sheer number of bulletins, it'll be fun at the end of August to compare the exploitability index to the real world results.”
Joshua Talbot, security intelligence manager at Symantec Security Response, pointed to the SMB pool overflow vulnerability as a real concern for enterprises. He said: “Not only does it give an attacker system-level access to a compromised SMB server, but the vulnerability occurs before authentication is required from computers contacting the server. This means any system allowing remote access and not protected by a firewall is at risk.
“Best practices dictate that file or print sharing services, such as SMB servers, should not be open to the internet. But such services are often unprotected from neighbouring systems on local networks. So, a cyber criminal could use a multi-staged attack to exploit this vulnerability. Such an attack would likely start by compromising an employee's machine via a drive-by download or socially engineered email, and would end by using that compromised computer to attack neighbouring machines on the same local network that have the SMB service running.”
“This issue affects more than just file servers using the SMB service. Workstations that have enabled file and print sharing are also at risk. Laptops with this configuration that connect to untrusted networks, such as public WiFi, or that allow ad hoc connections could be attacked by neighbouring computers. The user could then unwittingly carry their infected system back to the enterprise, opening the door to an organisation's entire network.”
Wolfgang Kandek, CTO of Qualys, said that IT administrators should first tackle the updates that represent the biggest attack potential: end-users who have internet access. He said these were the subject of six bulletins, all of them of critical severity and four of them with an exploitability rating of ‘1’, indicating that working exploits are expected within 30 days.
He said: “MS10-053 has six direct fixes for Internet Explorer, while the ZDI-submitted MS10-055 and MS10-052 address issues in media plug-ins: MS10-055 for the Cinepak codec and MS10-052 for the MP3 file format.
“MS10-060 patches a critical .NET framework issue that can be exploited through web browsing/Silverlight and MS10-051 addresses a vulnerability in the Internet Explorer MSXML ActiveX component. MS10-049 deals with a client-side vulnerability of the HTTPS protocol that can be triggered by a malicious HTTPS site. This and the previous MSXML ActiveX component are the bulletins in the group that are rated ‘2’ on the exploitability scale (= harder to exploit). All of these updates should be applied as soon as possible.”
For the updates that focus on file format vulnerabilities, Kandek said that the most critical is MS10-056, as an attacker can craft a malicious file that triggers remote code execution when opened by Word on the target computer.
He also pointed to MS10-057 and MS10-050, as they provide fixes for file format vulnerabilities in Excel 2003 and earlier and in Windows Movie Maker (a default component in Windows XP). Both have an exploitability rating of ‘1’ and should be addressed as soon as possible.
Dave Marcus, director of security research and communications at McAfee Labs, commented that outside of the large number of fixes, there was nothing extraordinary about this month's Patch Tuesday. “Such a large number of fixes should make business users want to investigate whether they could use whitelisting to lock down their systems instead of rushing out fixes,” he said.