Some Tricks and Some Treats from Microsoft
Paul Henry - October 10th, 2011
The Treat: October’s bulletins resolve several issues: 2 critical and 6 important, covering a range of products, including Microsoft .NET, Windows, IE, Forefront and MS Host Integration Server.
The Trick: nearly all require a restart, which will cause widespread disruptions across both Internet-connected servers and user community desktops.
The Details:
MS11-081: Critical Internet Explorer patches that correct 8 vulnerabilities with typical attack vectors and one involving JavaScript. None of the patched issues are related to active exploits; however, users are urged to patch this as a high priority. It’s important to note that many of the fixes are related to improving defense in depth to strengthen the browser.
MS11-078: Critical .NET issue, which also impacts Silverlight. Users of .NET Client and Silverlight are urged to apply this patch as a high priority.
MS11-075: Important Windows Active Accessibility patch that corrects a DLL Injection issue.
MS11-076: Important Media Center Issue, correcting a DLL Injection Issue.
MS11-077: Important patch that resolves a Win32k Kernel Mode Drivers Issue that involves font rendering, which is a low risk with Microsoft IE (as the font would not be rendered), but could be a high risk with third-party browsers (that would render the font).
MS11-080: Important Ancillary Function Driver Issue that provides for an escalation of privilege.
MS11-079: Important Forefront UAG Issue, resolving a perimeter firewall XSS issue.
MS11-082: Important Host Integration Server, resolving a DoS issue for the service.
Also released today was SP 3 for Office 2007 and SharePoint 2007. SP3 includes a roll up of previously patched issues, as well as newly discovered issues from the lifecycle of SP2.
Yet again vulnerabilities have proven not to be an issue exclusive to Microsoft – third-party products and add-ons are our Achilles’ heel again this period. The ever-increasing integration of mobile devices with little if any regard to security of our enterprise networks, along with the seemingly non-stop release of vulnerabilities from Android and other vendors, is placing us in a precarious situation.
The recently disclosed Android Smart Phone issue can be exploited by third party applications and can effectively render all phone-based protections ineffective.
http://www.theinquirer.net/inquirer/news/2114308/android-vulnerability-renders-antivirus-products-ineffective
Also, a Chrome update was released to address several security issues. This period Google paid bounties totaling $8,000 to researcher Glazunov and an additional $2,000 to Miaubiz. Outside of the bounty program, a severe vulnerability discovered by Google’s own security team in audio node handling was also addressed. It’s important to note that one of Google’s fixed issues for Chrome was a buffer overflow that allowed a malicious attacker to arbitrarily execute code on a Chrome user’s computer.
http://news.cnet.com/8301-1009_3-10035720-83.html
In addition, a vulnerability in Apache that provides a DoS vector has been patched in release 2.2.20 and users are encouraged to upgrade to the current version to mitigate the risk of exploitation.
http://httpd.apache.org/security/vulnerabilities_20.html
Finally, just a week after the quarterly patch update from Adobe, an out of band patch was released to address 6 issues including a zero-day vulnerability.
http://www.eweek.com/c/a/Security/Adobe-Patches-ZeroDay-XSS-Vulnerability-in-Flash-Player-10-787685/
Not only are patches of concern but now we are facing a BEAST, both literally and figuratively. Last week, researchers demonstrated software they created called the BEAST (Browser Exploit Against SSL/TLS) that can decrypt parts of an encrypted data stream and can be used in what is known as a “man-in-the-middle” (MITM) type of attack. Browser makers have been a mixed bag on responding to this very real threat. Google is treating it as a serious issue for Chrome and Microsoft released an advisory, whereas Firefox did not issue an update but asked users to disable Java.
With respect to the SSL issues and “The BEAST” we are perhaps seeing just the tip of the iceberg in focusing our attention only on browsers. Several other products, such as VoIP phones and SCADA systems that also use SSL, are perhaps more at risk due to expected long term delays in patching them.
