Microsoft released fixes for 23 security vulnerabilities today as part of this month’s Patch Tuesday.
The patches are tucked away in eight security bulletins, two of which are rated “critical.” The two critical bulletins address vulnerabilities in Internet Explorer (MS11-081) as well as .NET Framework and Silverlight (MS11-078).
“This month Microsoft marked all eight Internet Explorer patches it issued as critical,” said Joshua Talbot, security intelligence manager for Symantec Security Response. “Internet Explorer vulnerabilities are very common targets of attackers and it will probably be no different with these. Users and IT departments should patch these right away.”
As for MS11-078, the bulletin resolves a vulnerability in Microsoft .NET Framework and Microsoft Silverlight that can be exploited to execute code remotely on a client system if a user views a specially crafted Web page in a browser that can run XAML Browser Applications (XBAPs) or Silverlight applications. The same vulnerability could allow remote code execution on a server running IIS if that server is configured to process ASP.NET pages and an attacker succeeds in uploading a malicious ASP.NET page to the server and then executing it. It could also be used by a Windows .NET application to bypass Code Access Security (CAS) restrictions.
“The .NET Framework Class Inheritance Vulnerability, also rated critical, is complex to exploit, but affects all versions of .NET,” Talbot added. “The vulnerability can be exploited in a number of ways, including traditional downloads, drive-by downloads and through hosting a malicious .NET application.”
The remaining six bulletins are rated ‘Important’ and affect a number of different products, including Windows, Forefront Unified Access Gateway and Microsoft Host Integration Server.
“Overall this Patch Tuesday is fairly moderate,” said Dave Marcus, director of security research and communications at McAfee Labs. “Three of the included vulnerabilities have been previously disclosed and there is an available proof-of-concept code. Administrators should pay special attention to the critical flaw affecting Internet Explorer and Windows users, which, left unpatched, can allow attackers to remotely spread a virus. IT administrators should also be aware that the .NET issue also affects Mac OS clients.”
Keeping up with patches can be a challenge. But while brand new, unpatched vulnerabilities often generate a lot of media interest, zero-day issues accounted for only a very small percentage of infections in the first half of the year. That figure comes from Microsoft’s latest Security Intelligence Report, released today. According to Microsoft, none of the top malware families in the first half of the year were known to be distributed through the use of zero-days, and while some smaller families were, less than one percent of all exploit attempts were against zero-day issues.
“October is the last month in 2011 that many financial and retail organizations apply patches because they go into ‘lock-down’ mode as the holiday shopping season approaches,” noted Andrew Storms, director of security operations at nCircle. “Enterprise IT teams should get ready to pull out all the stops.”