Your Patch Tuesday Update

Jun 14, 2011 · 6 mins
Data and Information Security

Here’s the latest on Microsoft’s June 2011 Security Update, based on what the vendors are saying.

It’s nothing fancy, just the basics I’ve pulled from my inbox this afternoon. We’ll have a more detailed report later.


June marks a large Patch Tuesday for Microsoft, the second-largest of 2011 after April’s record-breaking Patch Tuesday, with 16 security updates to address 24 vulnerabilities affecting Windows, IE, Office, SQL Servers and other products. Of the patches, nine have been rated as “critical,” and seven have been ranked as “important.”

Adobe will also release patches for vulnerabilities within its products today, and last week, Oracle released 17 Java SE patches.

“There’s going to be a lot of heavy lifting for IT administrators this month,” said Dave Marcus, director of security research and communications at McAfee Labs. “Not only are there a large number of Microsoft patches, there’s also the additional Adobe and Java patches to address as well. Administrators should evaluate and prioritize the most important patches for their organization.”

The McAfee Labs Q4 2010 Threats Report stresses the need for keeping Adobe patches up to date.

“Throughout 2010 malware developers have heavily exploited weakness in both Flash and especially PDF technologies,” as stated within the report. “Our malware database reveals that malicious Adobe PDFs topped the number of unique samples by a wide margin, making them a favorite target of client-side exploitation.”

One of today’s Microsoft patches also addresses the “Cookiejacking” vulnerability, which takes advantage of a property of HTML5 to steal cookies from its victim. According to a recent McAfee Labs blog post, this particular vulnerability should be a lesser concern than other vulnerabilities addressed.

The blog states, “If this low-likelihood attack is successful, the attacker will have complete history of your browsing - which sites have you visited and how frequently - so you could start seeing a lot of spam/phishing designed especially for you.”

McAfee recommends that users install Microsoft’s patches as soon as possible. Home users should use Windows Automatic Updates.

Business users need to have a risk management strategy in place to prioritize the patches. McAfee provides enterprises with endpoint and network based security technology as well as risk and compliance tools to shield against cyberattacks and allow organizations to patch on their own time.


Today, Microsoft issued 16 security bulletins that address 34 vulnerabilities. Out of these vulnerabilities, 15 are rated critical by Microsoft.

“The slew of Internet Explorer vulnerabilities presents a significant attack surface for cybercriminals to poke at,” said Joshua Talbot, security intelligence manager, Symantec Security Response. “None of these are being exploited in the wild yet, but you can bet they will be in the near future. Given that at least one of the recent high profile data breaches exploited a similar previously patched vulnerability, these should be a high priority.”

“Some IT administrators might also be feeling safe because they recently updated their systems to the new Internet Explorer 9,” Talbot added. “But with several critical vulnerabilities being patched in this, the newest version of the browser, they should avoid being lulled away into a false sense of security.”

“The only vulnerability already being exploited is the Ancillary Function Driver issue,” Talbot concluded. “This is a privilege escalation issue, which means it can be used in conjunction with another exploit to increase an attacker’s access to a targeted system. For example, the Internet Explorer vulnerabilities patched today only give an attacker user-level privileges. Combined with this vulnerability, however, they could gain complete system access.”


There is plenty of work this month of June for IT administrators – Microsoft’s June Patch Tuesday addresses 34 vulnerabilities in 16 distinct bulletins. Nine of the bulletins carry a maximum severity of “critical”, while the remaining seven are rated as “Important” only. Plus there are the critical fixes from Adobe Reader and Oracle for Java.

No doubt IT Administrators will have to pick and choose where to act first.

We rank as the highest priority Microsoft bulletins MS11-050, which addresses 11 vulnerabilities in Microsoft Internet Explorer versions 6, 7, 8 and 9, and MS11-052, which patches VML, a markup language that is used mainly in Internet Explorer. Browser and plug-in vulnerabilities together have been the point of entry for many recent security incidents and are the main infection vector for mass malware such as Zeus and SpyEye (for some interesting statistics see the StopBadWare report). The combo MS11-050/052, together with APSB11-016 from Adobe and Java CPU June 2011 is the first highest priority set of vulnerabilities to address this week. That way IT admins will keep ahead of the “ExploitKit” writers and make their workstation infrastructures more robust by practicing “Good Software Hygiene” (see our recent blog post on our efforts in providing the tools for improving robustness).

Second on our list is MS11-045, which fixes eight vulnerabilities in all versions of Excel including for Mac OS X. Microsoft ranks it only as “Important” because the end user is required to open an attacker-provided file, but we believe that attackers have shown often enough that they have the skills to make opening the file enticing enough for end users, especially with a file format like Excel that is used overwhelmingly for serious, business related communication.

Other high priority bulletins are MS11-042 and MS11-043, which address critical flaws in the SMB and DFS clients on Windows. Strict outbound firewalling will help enterprises in both cases to keep the exposure low, but since the exploit index is a low “1” for both vulnerabilities, IT admins should schedule them for inclusion into the patch process as soon as possible.

The only bulletin with a known exploit in the wild is MS11-046, a local privilege escalation flaw in the “afd.sys” driver. IT admins can check with their end-point security providers for coverage, but should include this bulletin high on their to-do lists in any case, as it is only a matter of time until we see more attackers use malware taking advantage of this exploit to gain control of your workstations.

–Bill Brenner