SecurityWeek

Patch Tuesday: Microsoft Releases 13 Security Bulletins, Some Critical

Microsoft released 13 security bulletins today as part of Patch Tuesday, including two rated “critical” – its highest security rating. But according to some security pros, companies would be wise not to give some of the non-critical bulletins short shrift when it’s time to prioritize patches.


Though Microsoft only gave the bulletins for Internet Explorer (MS11-057) and Windows DNS Server (MS11-058) a critical rating, researchers at nCircle warned there are other vulnerabilities that enterprises need to pay attention to as well. While he agreed the IE bulletin should be a top priority, Tyler Reguly, nCircle’s technical manager of security research and development, added the DNS server issue may not be as important as some others due to the relative unlikelihood of exploitation.

“Microsoft listed the DNS server vulnerability as ‘critical’ and placed it above other issues, such as cross site scripting and the remote ‘blue screen of death’,” he said. “Given the exploitability index assigned to this vulnerability, and the importance of XSS as an attack vector, I’m not sure I fully agree.”

Andrew Storms, director of security at nCircle, added that MS11-064 – which patches two bugs that could be exploited to launch denial-of-service attacks – demands special attention as well.

“Attackers can take advantage of this bug to cause a remote reboot of Windows computers even if they have a local firewall enabled,” he said. “Back in the early ’90s, we used to call this kind of bug the ‘ping of death.’ It will take about 10 minutes for attackers to write and distribute an attack tool to take advantage of this bug. Then, anyone can easily grab that attack tool and, with a single click, cause your Windows network to reboot. The malicious potential is enormous.”

“The most troubling thing about this bug is that the local Windows firewall does not mitigate the attack,” he said. “Service providers like ISPs, cloud providers and others that allow in-bound ping packets to their server instances should immediately look for ways to mitigate this bug using edge firewalls.”

In both the Internet Explorer and Windows DNS Server updates, the most serious of the bugs being patched can be used by attackers to remotely execute code. In the case of MS11-057, the most severe vulnerability can be exploited by tricking a user into viewing a specially crafted webpage in Internet Explorer, the company warned.

In MS11-058, the most serious bug permits an attacker to remotely execute code if the attacker sends a malicious Naming Authority Pointer (NAPTR) query to a DNS server. Servers that do not have the DNS role enabled are not at risk of attack, Microsoft said.
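Because the MS11-058 vector is a NAPTR query reaching a server with the DNS role enabled, one useful triage step while the patch is rolled out is to see which external clients are sending NAPTR queries at all. The script below is an added example, not from the article or from Microsoft; it assumes a simplified constructed query-log layout (timestamp, client address, query type, name) rather than the real Windows DNS debug-log format, and an assumed 10.0.0.0/8 internal range.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample query-log lines in an assumed "timestamp client qtype qname"
# layout (not the Windows DNS debug-log format). Addresses are documentation ranges.
SAMPLE_LOG = """\
2011-08-09T14:02:11Z 10.0.0.25 A www.example.com
2011-08-09T14:02:12Z 203.0.113.7 NAPTR sip.example.com
2011-08-09T14:02:13Z 10.0.0.31 NAPTR enum.example.com
2011-08-09T14:02:14Z 203.0.113.7 NAPTR sip.example.com
2011-08-09T14:02:15Z 198.51.100.9 MX example.com
2011-08-09T14:02:16Z 203.0.113.7 NAPTR 0.1.2.e164.arpa
"""

# Assumed internal address space; adjust to the environment being reviewed.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")


def parse_line(line):
    """Return a dict for a well-formed log line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, qtype, qname = m.groups()
    return {"ts": ts, "client": client, "qtype": qtype.upper(), "qname": qname}


def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def external_naptr_sources(log_text):
    """Count NAPTR queries per client address outside the internal ranges."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["qtype"] != "NAPTR":
            continue
        if not is_internal(rec["client"]):
            counts[rec["client"]] += 1
    return counts


if __name__ == "__main__":
    for client, n in external_naptr_sources(SAMPLE_LOG).most_common():
        print(f"{client}: {n} NAPTR queries from outside the internal ranges")
```

Internal NAPTR lookups (ENUM, SIP) are normal traffic, so the output is a list of sources to check against the patch status of the server, not a verdict on its own.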


According to Microsoft, there are no attacks targeting any of the issues addressed in MS11-057 and MS11-058 as of now. Of the remaining bulletins, nine are rated “Important”, while the other two are considered “Moderate.” All totaled, the 13 bulletins cover 22 vulnerabilities across Microsoft’s product line.

“Overall this Patch Tuesday is on the large side,” said Dave Marcus, director of security research and communications at McAfee Labs. “Although there are only two critical patches this month, this update comes after the July patches from Oracle and Apple, and there will be another release of critical patches for Adobe Flash Player today, leaving IT administrators with a full plate this summer.”
