Thursday, June 16, 2011

Heavy Patch Tuesday Highlights IE9 Vulnerabilities

Microsoft on Tuesday issued 16 security bulletins that address 34 vulnerabilities. Fifteen are rated critical, with 11 vulnerabilities in Internet Explorer alone. Other patches address Excel and Windows.

"The slew of Internet Explorer vulnerabilities presents a significant attack surface for cybercriminals to poke at," said Joshua Talbot, security intelligence manager at Symantec Security Response. "None of these are being exploited in the wild yet, but you can bet they will be in the near future. Given that at least one of the recent high-profile data breaches exploited a similar previously patched vulnerability, these should be a high priority."

IE9 Remains Vulnerable

Talbot said some IT administrators might be feeling safe because they recently updated their systems to the new Internet Explorer 9. But, he noted, with several critical vulnerabilities being patched in the newest version of the browser, they should avoid being lulled into a false sense of security.

"The only vulnerability already being exploited is the Ancillary Function Driver issue. This is a privilege-escalation issue, which means it can be used in conjunction with another exploit to increase an attacker's access to a targeted system," Talbot said.

"For example, the Internet Explorer vulnerabilities patched today only give an attacker user-level privileges. Combined with this vulnerability, however, they could gain complete system access."

Chum in the Water

Andrew Storms, director of security operations at nCircle, said there's plenty of chum in the water to attract attackers in this month's release. Seven of the nine bulletins rated critical also come with an exploit index of one, indicating it's very likely an exploit will be developed within the next 30 days.

"As usual, Internet Explorer is at the top of the critical list. This is the first IE9 patch since it was released in April, and it has to be uncomfortable for Microsoft to have to patch their brand-new browser so quickly," Storms said.

Storms said anyone using older versions of Office should use the Office file-validation tools Microsoft released in April, because, he noted, these tools significantly reduce the security risks associated with older versions of Microsoft Office.

"There are going to be some long days and longer nights for most security teams over the next few days," Storms said. "Today's hefty Patch Tuesday release of 16 bulletins and 34 bug fixes is just the beginning. Security teams also expect a large Adobe security release today."

The Adobe Factor

Tyler Reguly, technical manager of security research and development for nCircle, figured most IT admins probably have the patch drill down to a science at this point: Patch Internet Explorer first, your client software second, and obscure software third.

"While enterprises should be patching Internet Explorer as quickly as possible, I'll be digging into SMB Server Denial of Service and Active Directory Certificate Server Cross Site Scripting issues," Reguly said. "With the patches from both Microsoft and Adobe expected today, system administrators will have their hands full for the next couple of weeks."
