Microsoft unleashed 16 bulletins on June’s Patch Tuesday, issuing major operating system repairs and addressing other serious coding errors across its product line. This month’s patching cycle was a double whammy for IT administrators, who are also digesting a quarterly security update from Adobe Systems Inc.
The security bulletins include nine rated “critical” and seven rated “important” by Microsoft. Most of the nine critical updates require a restart. The software giant identifies four of the critical bulletins as priorities on its blog:
MS11-042, a flaw in the Microsoft Distributed File System that could allow remote code execution; MS11-043, which addresses a vulnerability allowing remote code execution in response to a client-initiated SMB connection; MS11-050, which applies 11 Internet Explorer (IE) fixes; and MS11-052, which fixes a Vector Markup Language vulnerability in Internet Explorer versions 6-8.
Jason Miller, a manager of research and development at VMware’s vulnerability management unit (formerly Shavlik Technologies LLC), said the cumulative update for Internet Explorer is expected and comes bi-monthly. “It is the number one attack vector of getting unsuspecting users of unpatched systems to browse to a malicious website,” Miller said of Internet Explorer vulnerabilities.
Miller said he considers the Internet Explorer update high priority. It also addresses four vulnerabilities that affect IE 9, the latest version of the browser. Web browsers, Miller said, are the most important piece of software to keep updated, because users cannot be controlled and are rarely fully contained on an Internet-connected network.
Wolfgang Kandek, CTO at California-based Qualys Inc., identified MS11-045, a security update that resolves eight vulnerabilities in Microsoft Excel, as an important update because it deals with a widely used application. Microsoft gave the update an “important” rating because exploiting the flaws requires user intervention. But enterprises that use spreadsheets should consider the update a priority, Kandek said. He noted that an Excel file was an element used in the RSA SecurID attack.
“Those are all remote code execution vulnerabilities, so they can be used to take over control of your machine and I think people have no problems opening Excel files,” Kandek said.
While not of critical importance, Kandek said MS11-046, which addresses a vulnerability in the Microsoft Windows Ancillary Function Driver, corrects an issue being actively targeted by attackers in the wild. It is an elevation-of-privilege vulnerability and must be exploited locally.
MS11-039, a vulnerability in Microsoft Silverlight and the .NET Framework, could be exploited remotely if a victim browses to a website containing a malicious Silverlight file. Qualys’ Kandek said about 50% of its clients’ browsers had Silverlight installed. Miller added that the software, which runs multimedia, often works in the background, with some sites requiring a user to download it before website content can be viewed.
“It’s basically bundled right in with the browser once you install it so you could actually be viewing more Silverlight content than you even realize,” Miller said.
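After a Patch Tuesday like this one, the practical question for an administrator is which of the priority bulletins are actually installed on a given host, whether the restart most of the critical updates need is still pending, and whether Silverlight is present at all (so that MS11-039 applies). The script below is an added example written for this page, not code from Microsoft or from the article; it assumes PowerShell 3.0 or later, and the KB values in $RequiredKBs are placeholders, because the article lists bulletin IDs rather than the KB numbers each bulletin ships. The Silverlight registry key is an assumption about where the runtime records its version.

```powershell
# Added example: post-Patch Tuesday host check for the bulletins named in the article.
# Replace the placeholder KB values with the KB numbers from each bulletin's page.
$RequiredKBs = @{
    'MS11-042' = 'KB-PLACEHOLDER-042'   # Distributed File System, remote code execution
    'MS11-043' = 'KB-PLACEHOLDER-043'   # SMB client, remote code execution
    'MS11-050' = 'KB-PLACEHOLDER-050'   # Internet Explorer cumulative update
    'MS11-052' = 'KB-PLACEHOLDER-052'   # Vector Markup Language in IE 6-8
}

function Get-MissingBulletins {
    param([hashtable]$Map)
    # Get-HotFix lists installed updates by their KB identifier (e.g. KB2503665).
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    foreach ($bulletin in $Map.Keys) {
        if ($installed -notcontains $Map[$bulletin]) {
            [pscustomobject]@{ Bulletin = $bulletin; KB = $Map[$bulletin]; Status = 'MISSING' }
        }
    }
}

function Test-PendingReboot {
    # Both keys are set by Windows servicing / Windows Update when a restart is outstanding;
    # a patch that needs a restart is not effective until the key is cleared by a reboot.
    $cbs = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending'
    $wu  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'
    return (Test-Path $cbs) -or (Test-Path $wu)
}

function Get-SilverlightVersion {
    # Assumption: the Silverlight runtime records its version under this key.
    $key = 'HKLM:\SOFTWARE\Microsoft\Silverlight'
    if (Test-Path $key) { return (Get-ItemProperty -Path $key).Version }
    return $null
}

Get-MissingBulletins -Map $RequiredKBs | Format-Table -AutoSize
"Reboot pending: $(Test-PendingReboot)"
$sl = Get-SilverlightVersion
if ($sl) { "Silverlight $sl installed: MS11-039 applies to this host" }
else     { "Silverlight not installed: MS11-039 does not apply" }
```

Run it from an elevated prompt on each host, or wrap the three functions in Invoke-Command to fan it out across a fleet; a host that reports MISSING rows or a pending reboot is still exposed to the issues the bulletin addresses.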
Adobe Systems quarterly update
Adobe Systems Inc. issued its quarterly update, which contains a critical update to Adobe Reader fixing 11 vulnerabilities. Adobe also issued a mega patch for its Shockwave Player, resolving two dozen vulnerabilities, and it repaired a serious flaw in Flash that could cause a crash and allow an attacker to take complete control of a system.
“These vulnerabilities could allow an attacker, who successfully exploits [them], to run malicious code on the affected system,” Adobe said.
VMware’s Miller said the update is often accompanied by a trickle of updates from third-party software makers who have Flash embedded in their products. “Typically, when you have a Flash release you look to see a Chrome release as well, because Flash is bundled in Chrome,” Miller said.