It is the second week of November – time for our monthly software updates from Microsoft and, increasingly, from other vendors. Microsoft is publishing six updates this month, which brings the year-to-date total to 76. That means we will stay well below the 100 mark for the year, which was reached in both 2011 and 2010 – definitely a win for IT administrators.
Four of the six updates are rated “critical”; there is also one “important” and one “moderate”. We rank the Internet Explorer update MS12-071 as the most urgent. It allows an attacker to gain control over a machine running IE by setting up a web page that hosts the exploit code. Microsoft rates its exploitability as “1,” which means that it is relatively easy to develop the code necessary to take advantage of one of the four fixed vulnerabilities. However, the problem only affects IE 9, and anybody who is running a different version (7, 8 or 10), which is 90% of all enterprise IE users, can move on to the next vulnerability.
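Since the urgency of MS12-071 depends entirely on which IE version a machine runs, the first triage step is an inventory. The following PowerShell snippet is an added example, not code from the original post or from Qualys; it assumes it is run locally (or through remoting) on a Windows host with PowerShell 2.0 or later and reads the IE version that Internet Explorer records under its own registry key (IE 10 and later store their real version in svcVersion, older builds only have Version).

```powershell
# Added example: decide whether MS12-071 is urgent on this host by reading the
# installed Internet Explorer version from the registry.
# Assumption: HKLM:\SOFTWARE\Microsoft\Internet Explorer is readable by the caller.
function Get-IEMajorVersion {
    $key   = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer'
    $props = Get-ItemProperty -Path $key -ErrorAction Stop

    # IE 10+ keep 'Version' at a 9.x compatibility value and expose the real
    # version in 'svcVersion'; on IE 9 and older only 'Version' exists.
    if ($props.PSObject.Properties['svcVersion']) {
        $ver = $props.svcVersion
    } else {
        $ver = $props.Version
    }
    return [int]($ver.Split('.')[0])
}

function Get-MS12071Priority {
    param([int]$MajorVersion)
    # Only IE 9 is affected by MS12-071; 7, 8 and 10 are not.
    if ($MajorVersion -eq 9) {
        return 'HIGH: IE 9 is affected by MS12-071, patch first'
    } elseif (@(7, 8, 10) -contains $MajorVersion) {
        return "LOW: IE $MajorVersion is not affected by MS12-071"
    } else {
        return "UNKNOWN: IE major version $MajorVersion not covered by the bulletin"
    }
}

$major = Get-IEMajorVersion
Write-Output ("{0}`tIE {1}`t{2}" -f $env:COMPUTERNAME, $major, (Get-MS12071Priority -MajorVersion $major))
```

Run it across a fleet with Invoke-Command and the output becomes a per-host list; machines marked HIGH are the ones where MS12-071 should go out before the rest of this month's batch.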
MS12-076 addresses a file format vulnerability in Microsoft Excel, which Microsoft rates as “important.” We think any vulnerability in a popular application that allows Remote Code Execution should be high on any IT administrator’s list to fix. Excel 2013, Microsoft’s newest version, published just this year, is the only version of Excel not affected. All other versions of Excel should apply this patch.
MS12-074 addresses five vulnerabilities in the .NET Framework; one of them is critical. The critical vulnerability allows an attacker who controls the contents of the Proxy Auto Config (PAC) file to execute code in .NET applications, such as XBAP and .NET ActiveX. The potential for widespread code execution through this mechanism is limited because .NET applications are turned off by default. In addition, since June 2011 they require user agreement to run, provided you have update MS11-044 installed.
MS12-075 addresses three vulnerabilities in the Windows kernel. One of the vulnerabilities is in the font handling module and could potentially be triggered by a file format attack through applications such as Office, a third-party browser or a PDF reader.
Microsoft’s latest version of the Windows operating system, Windows 8, came out last month in October and has a number of improvements in the security area that address the majority of known attack vectors in the existing versions of Windows. However, researchers at VUPEN recently tweeted that they found a way to achieve remote code execution, and that the new OS is affected by three of this month’s vulnerabilities.
Do not forget to look into last week’s releases of Adobe Flash and Apple QuickTime. Both have been targeted by attackers before, and you should always be on the latest versions of both products to avoid being exposed to exploits against known vulnerabilities that are included in toolkits such as BlackHole, Crimepack and Phoenix.
One way to always keep Adobe Flash updated is to upgrade to IE 10, which Microsoft is making available for Windows 7 in a special preview today. Similar to Google Chrome, IE 10 now includes Adobe Flash running in a special sandbox, providing an encapsulated execution environment, and Microsoft assumes the responsibility to deliver updates for the third-party Adobe Flash as part of IE. This is a first for Microsoft, but certainly a step in the right direction and a sign of things to come. As we migrate application delivery to app stores, a model proven in the mobile space where malware is at much lower levels, updates will be centrally delivered through a single update mechanism, and security will improve significantly.
Author: Wolfgang Kandek, CTO, Qualys.