Microsoft released two bulletins on its monthly Patch Tuesday yesterday to address a critical vulnerability in Windows and two important vulnerabilities in Office.
The sole critical bulletin is MS11-035, which resolves a privately reported vulnerability in the Windows Internet Name Service (WINS). Microsoft warned that the vulnerability could allow remote code execution if an affected system running the WINS service received specially crafted malicious input.
Tyler Reguly, technical manager of security research and development at nCircle, said: “The most important patch this month will be the WINS bulletin. Microsoft is downplaying the bug, but there is potential here for remote code execution.
“WINS is a network-aware application that does not require authentication, and many enterprises require WINS on their networks. Taken together, these factors mean that a lot of enterprises will find their internal network servers vulnerable to a remote code bug. Initially, most attackers will probably only trigger a denial-of-service event, but finding the remote code exploit won't be far behind.”
Joshua Talbot, security intelligence manager at Symantec Security Response, said: “This is a more serious issue on Windows Server 2003 than Server 2008. At its heart, this is a memory corruption issue. In-built protections such as DEP and ASLR in Server 2008 will probably keep most attackers from achieving a complete takeover. However, a complete system compromise appears to be more likely on Server 2003, which lacks the ASLR protection.
“Microsoft also patched a couple of WINS-related issues in August of 2009. At least one of those vulnerabilities was exploited by attackers after the patches were released. That should serve as motivation for IT managers to take this month's patches seriously, even though there is a lighter load.”
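The practical question for an administrator reading the two comments above is which servers actually run WINS and whether the mitigations Talbot mentions are in force on them. The following PowerShell inventory check is an added example written for this article, not code from Microsoft or from any of the quoted vendors. It assumes PowerShell 2.0 or later with the `Get-Service`, `Get-HotFix` and `Get-WmiObject` cmdlets available; the `$KbId` value is a placeholder that must be replaced with the KB number listed in the MS11-035 bulletin.

```powershell
# Added example (not from the article): per-server WINS exposure check for MS11-035.
# Reports whether the WINS service is present, whether it is listening on port 42,
# whether the bulletin's hotfix is installed, and the system-wide DEP policy.
$KbId = 'KB0000000'   # placeholder: substitute the KB number from the MS11-035 bulletin

function Get-WinsExposure {
    $host_ = $env:COMPUTERNAME

    # Is the WINS service installed at all? If not, this bulletin does not apply here.
    $svc = Get-Service -Name 'WINS' -ErrorAction SilentlyContinue
    if (-not $svc) {
        return New-Object PSObject -Property @{
            Computer = $host_; WinsInstalled = $false; WinsRunning = $false
            ListeningOnPort42 = $false; HotfixInstalled = 'n/a'; DepPolicy = 'n/a'
        }
    }

    # WINS listens on TCP/UDP 42; an unauthenticated service exposed there is the risk.
    $listening = [bool](netstat -ano | Select-String -Pattern ':42\s')

    # Hotfix presence as reported by the OS (a reboot may still be pending).
    $patched = [bool](Get-HotFix -Id $KbId -ErrorAction SilentlyContinue)

    # DEP support policy: 0 = AlwaysOff, 1 = AlwaysOn, 2 = OptIn, 3 = OptOut.
    $depCode = (Get-WmiObject Win32_OperatingSystem).DataExecutionPrevention_SupportPolicy
    $depName = @{ 0 = 'AlwaysOff'; 1 = 'AlwaysOn'; 2 = 'OptIn'; 3 = 'OptOut' }[[int]$depCode]

    New-Object PSObject -Property @{
        Computer          = $host_
        WinsInstalled     = $true
        WinsRunning       = ($svc.Status -eq 'Running')
        ListeningOnPort42 = $listening
        HotfixInstalled   = $patched
        DepPolicy         = $depName
    }
}

# Usage: run locally on each candidate server, or wrap in Invoke-Command for remote hosts.
Get-WinsExposure | Format-List
```

Hosts that report `WinsInstalled` true, `HotfixInstalled` false and a `DepPolicy` of `AlwaysOff` or `OptIn` are the ones to patch first; on Server 2003 the DEP field is the only built-in protection available, since that platform has no ASLR.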
The other bulletin, MS11-036, affects Microsoft Office PowerPoint and is rated important. It resolves two privately reported vulnerabilities that could allow remote code execution if a user opens a specially crafted malicious PowerPoint file.
Wolfgang Kandek, CTO at Qualys, said: “As has happened before on several occasions, users of the new Office 2010 for both Windows and Mac OS X are not affected by the vulnerability. Older versions like Office XP, 2003, 2007 and 2004 for Mac are affected. Using this vulnerability, an attacker could take full control of the target machine if a victim opens a malicious PowerPoint document.”
Despite the light load, IT administrators have been warned not to relax too much, as a larger load is expected next month. Jason Miller, data team manager at Shavlik, said: “With this being a lighter patch month, administrators should take this chance to catch up from last month's massive Patch Tuesday. In addition, there were multiple vendors releasing critical security bulletins earlier this month.
“Adobe released updates to their Adobe Reader, Acrobat, Flash and Air products. The security update addressed a critical vulnerability that had reports of being exploited in the wild. Apple also updated their Apple iTunes addressing two vulnerabilities.”
This is also the first month for the revamped exploitability index, as announced last week. Kandek said: “The original exploitability index is now split into a rating for the most recent version of the software and an aggregate rating for all older versions. For example, in MS11-036, which is an Office bulletin, the latest versions, both Office 2010 and Office 2011 for Mac, were not affected.
“Therefore the exploitability rating for the latest version is 'Not Affected' and for older platforms is two. This new system more accurately reflects risk to customers that keep their environments updated with the latest product releases.”