Wednesday, June 15, 2011

MS Patch Tuesday: Gaping holes haunt Internet Explorer browser

IT administrators have plenty of work this June: Microsoft’s June Patch Tuesday addresses 34 vulnerabilities in 16 distinct bulletins. Nine of the bulletins carry a maximum severity of “Critical”, while the remaining seven are rated “Important”.

On top of that, there are critical fixes from Adobe for Reader and from Oracle for Java.

No doubt IT Administrators will have to pick and choose where to act first.

The highest priority Microsoft bulletins should be:

MS11-050, which addresses 11 vulnerabilities in Microsoft Internet Explorer versions 6, 7, 8 and 9.
MS11-052, which patches VML, a markup language that is used mainly in Internet Explorer.

Browser and plug-in vulnerabilities together have been the point of entry for many recent security incidents and are the main infection vector for mass malware such as Zeus and SpyEye (for some interesting statistics, see this recent StopBadWare report).

The combination of MS11-050 and MS11-052, together with APSB11-016 from Adobe and the Java CPU June 2011, is the highest-priority set of vulnerabilities to address this week. That way IT admins will keep ahead of the “ExploitKit” writers and make their workstation infrastructures more robust.

Second on the list should be MS11-045, which fixes eight vulnerabilities in all versions of Excel, including Excel for Mac OS X. Microsoft ranks it only as “Important” because the end user is required to open an attacker-provided file, but we believe that attackers have shown often enough that they have the skills to make opening the file enticing for end users, especially with a file format like Excel that is used overwhelmingly for serious, business-related communication.

Other high-priority bulletins are MS11-042 and MS11-043, which address critical flaws in the SMB and DFS clients on Windows. Strict outbound firewalling will help enterprises keep the exposure low in both cases, but since the exploit index is a low “1” for both vulnerabilities, IT admins should schedule them for inclusion in the patch process as soon as possible.

The only bulletin with a known exploit in the wild is MS11-046, a local privilege escalation flaw in the “afd.sys” driver. IT admins can check with their end-point security providers for coverage, but should include this bulletin high on their to-do lists in any case, as it is only a matter of time until we see more attackers use malware taking advantage of this exploit to gain control of your workstations.