Windows Patch Tuesday – October 2011

Windows, insecure by design. How else can you explain that all supported versions of Internet Exploiter have the same vulnerability to injection of malware?

Microsoft and Apple today released security updates to fix a slew of critical security problems in their software. Microsoft’s patch batch fixes at least 23 vulnerabilities in Windows and other Microsoft products. Apple’s update addresses more than 75 security flaws in the Windows versions of iTunes.

Nine of the 23 flaws Microsoft fixed with patches today are rated “critical,” meaning attackers could exploit them to break into vulnerable systems with little or no help from users. Eight of the nine critical bugs are in Internet Explorer. The remaining critical flaw is corrected in an update for the .NET Framework. Three of the vulnerabilities fixed with these updates were disclosed publicly prior to today, including a flaw in Windows Media Center that Microsoft believes crooks are likely to soon figure out how to reliably exploit.

The iTunes update brings the music player software to version 10.5, and is available for Microsoft systems running Windows 7, Vista, XP SP2 and later. Two new features of iTunes deserve mentioning: Apple says iPhone and iPad users who upgrade to iOS 5 when it is released later this week will be able to sync with iTunes wirelessly. More importantly from an update perspective, Apple has at long last untethered iTunes from QuickTime.

Users can download the update by opening iTunes; if you’re not directed to download iTunes 10.5 when you start the program, click “Help,” and then “Check for Updates.” Some OS X users may be wondering how many of these flaws exist in the Mac version of iTunes. According to the SANS Internet Storm Center, Mac users can expect some of these problems to be fixed in Security Update 2011-006 and in OS X Lion v. 10.7.2. For the time being, however, neither of those updates appears to have been released.

The latest Windows patches are available through Windows Update or via Automatic Update.

October’s Patch Tuesday release resolved issues in Internet Explorer versions 6 through 9, all versions of Microsoft Windows from XP through 7, .NET and Silverlight, Microsoft Forefront Unified Access Gateway and Host Integration Server, Microsoft said Oct. 11. Two of the patches are rated “critical,” and six are rated “important,” Microsoft said.

Microsoft recommended that organizations apply the Internet Explorer and .NET/Silverlight patches first as attackers are likely to come out with a reliable exploit within 30 days. Malware developers often reverse-engineer the patches after they are released to develop exploits that target unpatched systems.

Kaspersky Lab senior security researcher Kurt Baumgartner said that reliable exploitation will lead to remote code execution across a wide variety of Windows versions because Internet Explorer and Silverlight are heavily used software clients.

“It would be surprising to not see related exploits added to packs and widely used in attack attempts over the coming months,” Baumgartner wrote on the Securelist blog.

The critical update for Internet Explorer fixed at least eight known security flaws in all versions of Microsoft’s Web browser, including the latest Internet Explorer 9. The bugs were in the way IE handled objects in memory and the way memory was allocated and accessed.

If exploited, the bugs in Internet Explorer would expose the user to drive-by download attacks merely by browsing to a booby-trapped site, according to Microsoft. The attacker can gain the same user rights as the user, but users who have accounts with fewer user rights are likely to be less impacted than those who have administrative rights.

“Patching browsers will be top priority because the vulnerabilities fixed with each security bulletin release in browsers are top exploit targets for attackers,” Jason Miller, manager of research and development at VMware, told eWEEK.

The second critical update fixed a remote code execution flaw in .NET Framework and Silverlight. Users could be compromised just by viewing a malicious page specifically running XAML Browser Applications or Silverlight applications, Microsoft said. The vulnerability would also allow remote code execution on a server running IIS if that system allowed processing ASP.NET pages and specially crafted ASP.NET pages are uploaded to the server and executed. The .NET issue also affects Mac OS clients, according to Dave Marcus, director of security research and communications at McAfee Labs.

The .NET framework class inheritance vulnerability is “complex to exploit” but can be exploited in a “number of ways,” including traditional downloads, drive-by-downloads and by hosting a malicious .NET application, said Joshua Talbot, security intelligence manager at Symantec Security Response.

Microsoft fixed five privately reported vulnerabilities in Microsoft Forefront Unified Access Gateway. The cross-site scripting vulnerability in Microsoft Forefront, if exploited, will allow attackers to steal log-in credentials used for VPN access and gain access to sensitive data. The patch for Microsoft Forefront will likely affect the “smallest number” of organizations because Microsoft generally doesn’t have a big presence in corporate security infrastructure, Marcus Carey, a security researcher at Rapid7, told eWEEK.

Microsoft has two bulletins to fix the DLL preload vulnerabilities in Windows Media Center and Microsoft Active Accessibility. Microsoft has released a patch 17 times to close this issue in various programs since it was first identified Aug. 23, 2010, according to Miller.

“Overall this Patch Tuesday is fairly moderate. Three of the included vulnerabilities have been previously disclosed, and there is an available proof-of-concept code,” Marcus said.

October is often the last month in which administrators at financial and retail organizations apply patches before going into “lock-down” mode for the holiday shopping season, according to Andrew Storms, director of security operations at nCircle. “Enterprise IT teams should get ready to pull out all the stops,” Storms said.
