Risk
4/12/2011
02:36 PM
Connect Directly
LinkedIn
Twitter
Google+
RSS
E-Mail
50%
50%

Microsoft Pushes Giant Security Patch

The record number of security fixes is the result of a single security bulletin that addresses 30 Windows kernel flaws.

10 Massive Security Breaches
(click image for larger view)
Slideshow: 10 Massive Security Breaches

Microsoft on Tuesday issued its April security patch, setting a new record for the number of vulnerabilities repaired.

The company published 17 security bulletins addressing 64 vulnerabilities. Last month the load was considerably lighter: three security bulletins addressing four vulnerabilities.

The April patch breaks a record set in December 2010, when Microsoft released 17 security bulletins addressing 40 vulnerabilities. Previous records were set in October 2010, with 16 bulletins and 49 vulnerabilities, and in August 2010, with 14 bulletins and 34 vulnerabilities.

Nine of the 17 bulletins this month are designated critical; eight are designated important.

Jerry Bryant, Microsoft group manager of response communications, said in a phone briefing that the large number of vulnerabilities this month is largely due to bulletin MS11-034, which addresses 30 Windows kernel flaws. Despite the sheer number of vulnerabilities addressed by this bulletin, it is only rated important.

Bryant credited Tarjei Mandt, a security researcher with Norman ASA, for reporting the vulnerabilities and expressed gratitude to all the security researchers who are working with Microsoft to improve the security of its software.

Bryant also said that Microsoft's customers care more about quality than quantity. "Customers don't have to do quite as a much testing [when the patches are high-quality]," he said. "So the volume is not so much of an issue."

In addition to its security bulletins, Microsoft is also releasing two security advisories. The first (25065014), Bryant said, is a non-security, high-priority update for the winload.exe component in 64-bit version of Windows. The update prevents a driver signing enforcement mechanism from being abused, thereby preventing current generation rootkits from being able to hide on Windows systems, said Bryant.

The second security advisory (25015084) details how Microsoft is bringing its Office 2010 file validation system to Office 2007 and 2003. This will mitigate the risk posted by malicious Office files to users of older versions of Office.

Bryant said Microsoft is recommending that customers focus first on deploying three patches: MS11-018, MS11-019, and MS11-020.

MS11-018 is an update for Internet Explorer, version 6 through 8. It addresses five critical vulnerabilities, one of which has been used in a targeted attack. Internet Explorer 9 is not affected.

MS11-018 fixes the vulnerability that was used to compromise Internet Explorer 8 at the Pwn2Own hacking competition during the recent CanSecWest security conference in Vancouver, Canada.

MS11-019 covers two SMB Client vulnerabilities. One has been publicly disclosed, Bryant said, but Microsoft is not aware of any attacks exploiting from this vulnerability. The privately disclosed flaw, however, he considers to be more serious.

MS11-020 resolves a privately disclosed SMB server flaw. Bryant said this is perhaps the most critical of all the vulnerabilities this month. "Any system with an open SMB share would be vulnerable from anyone on the network," he said.

Tyler Reguly, technical manager of security research and development for nCircle, concured, noting in an emailed statement that MS11-020 is similar to MS08-067, the flaw exploited by the Conficker worm. Security researchers with other companies are saying much the same thing.

Microsoft also is shipping a patch for the widely reported MHTML vulnerability (MS11-026) in Windows. Microsoft previously offered a Fix-it script as a temporary means of addressing the issue.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-6117
Published: 2014-07-11
Dahua DVR 2.608.0000.0 and 2.608.GV00.0 allows remote attackers to bypass authentication and obtain sensitive information including user credentials, change user passwords, clear log files, and perform other actions via a request to TCP port 37777.

CVE-2014-0174
Published: 2014-07-11
Cumin (aka MRG Management Console), as used in Red Hat Enterprise MRG 2.5, does not include the HTTPOnly flag in a Set-Cookie header for the session cookie, which makes it easier for remote attackers to obtain potentially sensitive information via script access to this cookie.

CVE-2014-3485
Published: 2014-07-11
The REST API in the ovirt-engine in oVirt, as used in Red Hat Enterprise Virtualization (rhevm) 3.4, allows remote authenticated users to read arbitrary files and have other unspecified impact via unknown vectors, related to an XML External Entity (XXE) issue.

CVE-2014-3499
Published: 2014-07-11
Docker 1.0.0 uses world-readable and world-writable permissions on the management socket, which allows local users to gain privileges via unspecified vectors.

CVE-2014-3503
Published: 2014-07-11
Apache Syncope 1.1.x before 1.1.8 uses weak random values to generate passwords, which makes it easier for remote attackers to guess the password via a brute force attack.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Marilyn Cohodas and her guests look at the evolving nature of the relationship between CIO and CSO.