Your Microsoft Patch Tuesday update for August 2011

Aug 09, 2011 | 5 mins
Data and Information Security

Here’s the latest on Microsoft’s August 2011 Security Update, based on what the vendors are saying.

It’s nothing fancy, just the basics I’ve pulled from my inbox this afternoon. We’ll have a more detailed report later.


August marks a large Patch Tuesday for Microsoft, the third largest Patch Tuesday of 2011 after April and June, with 13 security updates to address 22 vulnerabilities affecting Windows, IE, Office, .NET Framework and Microsoft Developer Tools. Of the patches, two have been rated as “critical,” nine have been ranked as “important” and two have been ranked “moderate.”

“Overall this Patch Tuesday is on the large side,” said Dave Marcus, director of security research and communications at McAfee Labs. “Although there are only two critical patches this month, this update comes after the July patches from Oracle and Apple, and there will be another release of critical patches for Adobe Flash Player today, leaving IT administrators with a full plate this summer.”

Serious patches ranked as “critical” affect all versions of Internet Explorer, including Internet Explorer 9, and Windows 7, Vista and XP and versions of Windows Server. One Information Disclosure vulnerability (CVE-2011-2383) in the Microsoft Internet Explorer update (057) has been ‘known’ since the Hack in the Box conference in May.

“Administrators should place priority on the Internet Explorer and Windows updates,” adds Marcus. “If left unpatched, the vulnerability can result in remote code execution attacks and can expose users to drive-by download attacks via the browser.”


Today Microsoft released 13 security updates, which we are considering a normal workload for the heavier Patch Tuesdays every other month. Two of the updates are ranked as “critical” and should receive the highest priority in all organizations, while the remaining 11 are a mixed set and address a wide range of threats including remote code execution, remote and unauthenticated denial of service, information theft as well as elevation of privileges.

We give two bulletins MS11-057 and MS11-058 the highest priority for patching. MS11-057 is critical and affects all Internet Explorer versions including the newest IE9. Attackers can take complete control of a computer by setting up a malicious web page and attracting the victim to the page. The exploitability index for this issue is “1”, indicating that we will see a reliable exploit soon.

The second critical bulletin MS11-058 is for a server side vulnerability and affects the Microsoft DNS server running on Windows 2003 and 2008. It allows the attacker to crash the server and in the worst case scenario take complete control. To exploit this issue the attacker sets up a malicious DNS server and requests a DNS record from the server from inside of the victim’s network. The exploitability rating for this is “3” which implies that a remote code execution exploit is unlikely to be seen in the next 30 days.

MS11-061, MS11-066 and MS11-067 are information theft issues that affect Remote Desktop Web Access Login, Microsoft Chat Web control and Report Viewer Web control respectively. MS11-061 and MS11-067 are XSS issues, while MS11-066 can be used to reveal contents of files stored on the web server.

MS11-064 and MS11-065 are denial of service issues in Windows Vista and Windows 7 which can cause a blue screen when the victim machine receives malicious ICMP and TCP/IP-QOS (for 064) and RDP (for 065) packets from a remote unauthenticated attacker. Although these are not remote code execution issues, they could be used in conjunction with other attacks or just for playing a prank.

IT administrators should look at the IE and DNS vulnerabilities first as they will very likely apply to their organisation’s networks and then prioritize the remaining patching effort based on the actual components that are installed on their machines. One further update to consider is for Apple’s widely installed QuickTime, which received a critical update last week that applies to both Windows and Mac OS X.


Today, Microsoft issued 13 security bulletins which address 22 vulnerabilities. Out of these vulnerabilities, three are rated critical by Microsoft.

“The DNS vulnerability could result in a complete system compromise,” said Joshua Talbot, security intelligence manager, Symantec Security Response. “Because no user interaction is needed, a vulnerable service simply needs to be up and running for the vulnerability to be exploited.”

“Internet Explorer is affected by two critical vulnerabilities being patched, both of which can be exploited by a drive-by download,” Talbot added. “The fact that vulnerabilities such as these continue to be so common is one reason why web-based attacks are so prevalent. There is a very large attack surface.”

“We haven’t seen nearly this many low profile patches – ones that primarily result in information-disclosure or cause denial-of-service conditions – in quite some time,” Talbot concluded. “Half of all the vulnerabilities patched this month are of that type, which is rare.”

Symantec strongly encourages users to patch their systems against all vulnerabilities addressed this month.

Happy patching!

–Bill Brenner
