Microsoft released 13 security bulletins on this month's Patch Tuesday, with two rated as critical.
As announced by SC Magazine last week, the bulletins covered 22 vulnerabilities and also included nine patches rated as important and two rated as moderate. The two most important to deploy, according to Microsoft and commentators, are MS11-057 for Internet Explorer and MS11-058 for the DNS Server.
Wolfgang Kandek, CTO at Qualys, said that MS11-057 is critical as it affects all versions of Internet Explorer. “Attackers can take complete control of a computer by setting up a malicious web page and attracting the victim to the page. The exploitability index for this issue is ‘1’, indicating that we will see a reliable exploit soon,” he said.
Jason Miller, manager of research and development at VMware, said: “Two of the seven vulnerabilities fixed with this bulletin are publicly known. At this time, Microsoft has not received any reports of attacks against the vulnerabilities. With any publicly disclosed vulnerability exploit code, it is important to patch immediately.”
The second critical bulletin is MS11-058, which patches a server-side vulnerability affecting the Microsoft DNS server running on Windows 2003 and 2008. Kandek said: “It allows the attacker to crash the server and in the worst case scenario, take complete control. To exploit this issue the attacker sets up a malicious DNS server and requests a DNS record from the server from inside of the victim's network.
“The exploitability rating for this is ‘3’ which implies that a remote code execution exploit is unlikely to be seen in the next 30 days.”
Tyler Reguly, technical manager of security research and development at nCircle, said: “Microsoft listed the DNS server vulnerability as ‘critical’ and placed it above other issues, such as cross-site scripting and the remote ‘blue screen of death’. Given the exploitability index assigned to this vulnerability and the importance of XSS as an attack vector, I'm not sure I fully agree. For most enterprises the top of the list should be, as expected, the Internet Explorer patch.”
Miller said: “The attack vector for this vulnerability depends on your DNS server configuration; if your DNS servers have caching of DNS relaying enabled, the systems will be at risk for a remote attack. Even if your DNS servers do not have this type of configuration, you should still deploy the patch.
“An administrator could potentially change configuration in the future, making it vulnerable if left unpatched. In addition, this bulletin marks a good opportunity to review your DNS server configuration and harden the system.”
Kandek also highlighted patches MS11-061, MS11-066 and MS11-067, which affect Remote Desktop Web Access login, the Microsoft Chat web control and the Report Viewer web control respectively. “MS11-061 and MS11-067 are XSS issues, while MS11-066 can be used to reveal contents of files stored on the web server,” he said.
He also pointed to denial-of-service issues in Windows Vista and Windows 7 with MS11-064 and MS11-065 respectively, as these can cause a blue screen when a victim machine receives malicious ICMP and TCP/IP QoS (for 064) or RDP (for 065) packets from a remote unauthenticated attacker.
Andrew Storms, director of security at nCircle, said: “Although it isn't listed as ‘critical’ by Microsoft, the MS11-064 bulletin this month demands special attention. Attackers can take advantage of this bug to cause a remote reboot of Windows computers even if they have a local firewall enabled. Back in the early 90's, we used to call this kind of bug the ‘ping of death.’
“It will take about ten minutes for attackers to write and distribute an attack tool to take advantage of this bug. Then, anyone can easily grab that attack tool and with a single click, cause your Windows network to reboot. The malicious potential is enormous. The most troubling thing about this bug is that the local Windows firewall does not mitigate the attack.”
Miller also said that Microsoft has re-released three previously released security bulletins, with more products affected by bulletin MS11-025, additional stability added to MS11-043 and additional detection updates for Visual Studio 2005 added to MS11-049.