Microsoft issued five security bulletins for its September 2011 Patch Tuesday, addressing 15 vulnerabilities in Windows and Office.
In addition, the software giant issued an updated security advisory Tuesday, adding six more DigiNotar root certificates to its Windows Untrusted Certificate Store. DigiNotar, a certificate authority based in the Netherlands, has been reeling since it announced its CA systems were breached by an attacker.
Patching experts marked September as a lighter month for system administrators, because none of the security bulletins were rated “critical” but all five were “important.” The updates repair flaws in Microsoft Office 2010, Microsoft Excel, Microsoft Office Groove 2007 and SharePoint Workspace 2010.
Despite the slow month, system administrators should give MS11-072 a higher priority, said Amol Sarwate, vulnerability labs manager at Redwood Shores, Calif.-based vulnerability management vendor Qualys Inc. The bulletin addresses five vulnerabilities in Microsoft Excel that could enable remote code execution.
“An attacker could execute arbitrary code and take control of the system,” said Sarwate. “I would rate it as critical.”
However, Microsoft labeled MS11-072 as “important” because of the fact that the system prompts the user before they are allowed to open an Excel file. Jason Miller, manager of research and development at Palo Alto, Calif.-based VMWare inc., said it would be difficult for a person to fall victim of an attack that uses the vulnerability. The Windows prompt explains that the file is from an outside source, he said, adding that an attack is still technically dangerous.
Only one of the bulletins, MS11-070, which addresses a vulnerability in the Windows Internet Name Service, requires a restart. If unpatched, Microsoft said it could allow an elevation of privilege. The attacker, however, must have valid logon credentials and be able to log on locally to exploit the flaw.
The remaining four bulletins may require a restart. MS11-071, MS11-072 and MS11-073 address flaws in Windows and Office that could allow remote code execution.
VMware’s Miller said he was surprised that MS11-074, which addresses five vulnerabilities in Microsoft SharePoint and Windows SharePoint services, was only rated “important.” The update is complicated because it connects with many different products within SharePoint, he said. The bulletin could allow an elevation of privilege if a user clicks on a specially crafted URL or visits a malicious website.
Patch management experts said they did not see any danger in the draft text outlining the Microsoft security bulletins was published last week in an apparent slip-up by the software giant. Attackers need the patches in order to reverse engineer them to create exploits.
“We don’t think that it put any customers in any security danger,” said Qualys’ Sarwate. “If they published the actual patches, the attackers could look at the vulnerability and try to attack it, but it was only the text bulletins.”
In addition to Microsoft, Adobe Systems Inc. released its quarterly security update, fixing more than a dozen critical vulnerabilities in Adobe Reader and Acrobat. If unpatched, the vulnerabilities could allow the application to crash and an attacker to take control of the affected system.
DigiNotar certificates blacklisted
Microsoft has blacklisted six additional DigiNotar root certificates bringing the total blocked certificates to eight. The additional blacklisted certificates are cross-signed by Entrust and GTE. In addition to Microsoft, Adobe, Apple, Google and Mozilla have all blacklisted the Dutch certificate authority’s certificates.