Microsoft unleashed a massive update across its product line for Patch Tuesday this month, leading to what security experts say will be a long patching cycle for security professionals everywhere.
"As always, Microsoft recommends that customers test and deploy all bulletins as soon as possible," said Pete Voss, communications manager at Microsoft.
The company fixed a record-breaking 64 vulnerabilities with 17 security bulletins. The last time Microsoft produced such an extensive list was back in December, which also had 17 bulletins but contained patches for fewer vulnerabilities.
Of the nine "critical" bulletins in April, flaws affecting Internet Explorer and the Windows Server Message Block (SMB) network and file sharing protocol appear to be the most dangerous, according to Jason Miller, a data team manager at St. Paul, Minn.-based Shavlik Technologies LLC.
The first, MS11-018, addresses four Internet Explorer vulnerabilities, including a flaw that was exploited during the Pwn2Own contest at the CanSecWest Applied Security Conference. The flaw is not present in Internet Explorer 9, but Shavlik’s Miller pointed out that the IE update is important to patch because of the large number of people who still use IE6, IE7 and IE8. The update corrects the way Internet Explorer handles objects in memory during certain processes and scripts, according to the bulletin.
Security bulletins MS11-019 and MS11-020 address SMB client-side and server-side vulnerabilities. Attack code surfaced Feb. 15 targeting one of the SMB flaws. Both vulnerabilities could be exploited by remote attackers or malicious users to cause a denial-of-service (DoS) condition or take control of a vulnerable system. Microsoft said an attacker would have to create a malicious SMB packet and send it to an affected system to exploit the flaws.
“[MS11]-020 really looks like a candidate for a future worm,” Miller said. “This is the first time I’ve seen this since back in 2008 with the Conficker vulnerability.”
A long-standing vulnerability, left unfixed since January, was addressed by security bulletin MS11-026. A flaw in the MHTML protocol handler in Microsoft Windows garnered only Microsoft’s second-highest “Important” rating, because it allows only information disclosure, not remote code execution. Microsoft has also been supplying an MHTML workaround for several months that effectively negates the threat of the MHTML vulnerability.
Paul Henry, a security and forensic analyst at Scottsdale, Ariz.-based vulnerability management vendor Lumension Security Inc., said Microsoft likely took its time to repair the protocol error to ensure a patch was thoroughly tested.
“It’s used in so many different things, they wanted to make sure they got it right the first time,” Henry said. “[Microsoft hasn’t] seen many people take advantage of it.”
In addition, Microsoft addressed a cluster of nine Microsoft Excel vulnerabilities. MS11-021 is rated “important” and affects Microsoft Excel 2002, 2003, 2007 and 2010 as well as Microsoft Office 2004 for Mac, Microsoft Office 2008 for Mac, and Microsoft Office for Mac 2011. Shavlik’s Miller said the vulnerabilities can grant an attacker the same rights as the logged-on user when that user opens a specially crafted Excel file.
Rodrigo Branco, director of vulnerability research at Redwood Shores, Calif.-based vulnerability management vendor Qualys Inc., discovered the Excel vulnerability and said he reported it to Microsoft five months ago.
“I got a very complex [file], I started to understand the file formats … and what happens when it crashes,” Branco said. “I like to [play] with office files because … it is very complex.”
What is unclear is whether the Flash vulnerability used in the RSA SecurID data breach was combined with one of the Excel vulnerabilities, Branco said.
According to Lumension’s Henry, the larger threat is the multitude of third-party applications, such as Adobe Flash and Apple QuickTime, that people frequently use on their systems. These applications are increasingly becoming targets for attackers. Third-party applications often have far less support than operating systems, and when they do get security updates, those updates are far less frequent, leaving the applications more exposed.
“The keys to the kingdom at RSA were delivered with a Flash issue embedded in a Microsoft Excel spreadsheet,” Henry said.