Sunday, April 17, 2011
IE, SMB Holes Stand Out in Patch Tuesday's Flood
Security experts say the most important components of the "overwhelming" Patch Tuesday release are the Internet Explorer and SMB vulnerabilities. Microsoft issued 17 security bulletins for 65 vulnerabilities on Patch Tuesday. Multiple versions of IE are vulnerable to drive-by downloads. The 32 bugs in Win32K boil down to three issues.
Microsoft on Tuesday issued 17 security bulletins to address 64 vulnerabilities. Thirteen of the vulnerabilities were rated critical.
The most important patches this month are part of the cumulative security update for Internet Explorer, according to Joshua Talbot, security intelligence manager at Symantec Security Response. Since the majority of the vulnerabilities fixed affect IE6, IE7 and IE8, there is an extremely wide installed base of affected software. The fact that all the vulnerabilities are drive-by download issues also increases their severity.
"Out of the IE vulnerabilities addressed this month, the object management memory corruption issue is one of the most critical," Talbot said. "A reliable exploit for this vulnerability was developed at the PWN2OWN contest last month. We haven't actually seen attacks exploiting this vulnerability in the wild yet, but it's possible that exploit code will now be made more available. This would drastically increase the likelihood of attacks in the wild using this vulnerability."
Microsoft is not only patching PowerPoint, Excel and WordPad, but also 32 bugs in Win32K. Paul Henry, a forensic and security analyst at Lumension, said there is no need to fret, because these all collapse down to three underlying issues that cause the vulnerabilities. Microsoft likes to give whoever reports bugs individual credit for each bug reported, he said, so it's giving 35 credits this month.
"Beyond the patch updates, Microsoft also released two security advisories, including an update for Office 2010. Another IE patch was released, which contains an update for a publicly exploited vulnerability. This is really important because they are closing all the vectors," Henry said.
"While the patch may look bad, it's really tough to exploit and, by default, it really only works when you have an Internet set to private. If you have your default settings, you're completely OK. But if you change it to be private, you should change it."
One Word: Overwhelmed
Andrew Storms, director of security operations at nCircle, said April's Patch Tuesday has left him wondering if these are the kind of patches we are going to see more of this year. What's more, he said, choosing the patch that should receive top priority for IT security teams this month is tough. It's a toss-up between the Internet Explorer and SMB patches, he said.
"If I absolutely had to pick between the two bugs, I would patch IE first and then immediately patch SMB," Storms said. "You can't delay either of these two patches this month."
For Tyler Reguly, technical manager of security research and development at nCircle, one word comes to mind when he looks at the list of bulletins: Overwhelming.
"MS11-020 has me a little worried. It's definitely the patch that I'll be applying to my systems first," Reguly said. "At first glance, it appears to have all the criteria to be another MS08-067, the vulnerability utilized by Conficker."