IT administrators may find they don’t have much to be thankful for this Thanksgiving, with a disruptive Patch Tuesday headed their way. Six Microsoft bulletins, four of them critical and some requiring restarts, along with a host of other issues, mean IT can expect a busy month.
According to Paul Henry, security and forensic analyst at Lumension, it’s disappointing to see the critical bulletins affecting more than just the legacy code we’ve come to expect in recent months. These bulletins impact many current-generation products, and that’s concerning. Nothing is ever 100 percent secure and mistakes are made in software, but it’s still ugly to see. In this slideshow, Henry outlines, in order of severity, what you can expect this Patch Tuesday.
Looking at the bulletins, bulletin 1 is an update for IE 9. It’s a fairly standard but critical cumulative IE update that addresses three CVEs. Nothing is under active attack; however, this is a high-priority update and should be considered the highest priority for those running Windows 7 or Vista.
Bulletin 5 is an interesting one, because it’s a TrueType font issue. It resolves three vulnerabilities, the worst of which is a remote code execution. Microsoft has been dealing with font issues for a while. TrueType fonts can be embedded all over the place, and the Windows kernel-mode driver renders the font. If these fonts are embedded in a web page or a Word document, for example, they are rendered by the kernel-mode driver, so a font-parsing flaw becomes a kernel-mode exploit. An authenticated, low-rights user could visit a website, the font gets rendered, and it gets rendered as “system.” This is a very effective attack mode, so Microsoft likes to close out font issues quickly. This is as high a priority as bulletin 1. Those two bulletins will be the two biggest attack vectors in this batch.
Bulletin 2 addresses two CVEs that are critical remote code executions. This is a Briefcase issue, where you have mapped drives with Briefcase. If you’ve mapped over to a vulnerable or malicious Briefcase, you could get remote code execution on the machine that you mapped from. There are some prerequisites, but at the end of the day, it is a critical and ugly vulnerability, because it affects XP through Windows 7. It’s another high priority.
Bulletin 4 affects .NET and fixes five vulnerabilities in the .NET Framework. It applies to all versions of Windows. In the worst case, it allows for man-in-the-middle attacks, which could lead to remote code execution. This is critical, but not your highest priority.
Bulletin 6 is an Excel vulnerability. It’s a file-format bug, and Microsoft marks those as important rather than critical because users still have to take action before the attack can execute.
Bulletin 3 is a moderate update for IIS, which could cause concern at first glance. But this is an information disclosure issue via FTP only, so it is only a concern if you have IIS set up to provide FTP services. It’s rated moderate, which typically means attackers have to authenticate to pull off the attack. And we all recognize that if they can authenticate, they pretty much own the machine anyway.
There are also two rereleases in November. You may recall that last month Microsoft put out an advisory about incorrect time stamps in some patches; those patches are being rereleased to correct the problem, and there will be two such rereleases this month.
Adobe just released a series of patches and announced that, going forward, they will integrate with Microsoft’s Patch Tuesday process. This is encouraging to see. Ironically though, the same week they announced this, a brand new zero-day appeared in the wild, used in attack toolkits.
VUPEN is talking this month about their new Windows 8 zero-day. It’s sad to see a talented company choosing not to follow responsible disclosure and instead using this as a chance to line their pockets while putting the community at risk. The scary part about the VUPEN news is that when they indicate they are selling packaged exploits, what ends up happening is that people use the packaged exploits like a framework and slot in other bugs. While VUPEN claims to sell only to certain vetted governments, there’s no way to know that for sure.
In Apple news, they released nine patches recently, one of which appears to be a buffer overflow that’s over a year old. The date on the CVE is 2011. That’s concerning. Now, the Apple patches are supposed to be somewhat automated, but the QuickTime patches are for Windows, and if you’re relying on WSUS, that doesn’t protect you. You’ve got to go get the patch yourself. It’s also concerning that Apple is still not being transparent about their security. They push out patches, calling them “feature enhancements,” when in fact they are fixing critical issues. If Apple wants to be an enterprise player, they need to grow up and start providing IT admins with enough information to make patch decisions.
We’ve also seen a bunch of patches from Google for Chrome. Fortunately, Chrome patches itself, so there is nothing dramatic there. However, people do need to be aware that the patches are out there.
Finally, Twitter sent out an email to those who were impacted by their recent password problems. If you didn’t receive an email from Twitter, your account is probably secure and your password is okay. We don’t want to overload Twitter today if you’re not immediately impacted. However, if you did receive that email, we recommend you change your Twitter password as soon as possible. As always, remember to create secure passwords. Hint: 12345 doesn’t count as secure.