Patch Tuesday Analysis for October 2011

Microsoft released a variety of security updates today, covering both servers and workstations. The priority you give each one will depend on the types of systems you are responsible for. Note that MS11-076 and MS11-082 address vulnerabilities that have already been publicly disclosed, which may shorten the time we have before an active exploit appears.

In August of 2010 Microsoft alerted us to a new attack vector, a class of vulnerabilities called "Insecure Library Loading" (also known as DLL preloading or DLL hijacking). When an application loads a DLL by name only, without a full path, Windows searches a list of directories that includes the current working directory; if an attacker can plant a DLL of that name next to a document the user opens, for example on a network or WebDAV share, the application loads the attacker's DLL instead of the real one. So far 18 security bulletins have been released for Insecure Library Loading. This month MS11-075 covers Microsoft Active Accessibility and MS11-076 covers Windows Media Center. The same flaw turns up in third-party programs, so admins should be alert to updates from other vendors as well.
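The system-wide mitigation Microsoft shipped alongside the August 2010 advisory was the CWDIllegalInDllSearch registry value (KB2264107), which tells the loader not to search the current working directory in the situations you choose. The script below is an added example, not code from the original post or from Microsoft: it audits that value system-wide and per application and shows how to apply the commonly recommended setting. The registry paths and value meanings are taken from KB2264107; the function names are my own.

```powershell
# Added example (not from the original post). Audits the CWDIllegalInDllSearch
# mitigation from KB2264107 system-wide and per application, then offers a
# helper to set it. Run in an elevated PowerShell session.
#
# DWORD meanings (from KB2264107):
#   0xFFFFFFFF  never load DLLs from the current working directory (CWD)
#   2           block CWD DLL loads when the CWD is a WebDAV or remote (UNC) share
#   1           block CWD DLL loads when the CWD is a WebDAV share
#   0 / absent  default search order, CWD is searched
# A per-application entry under Image File Execution Options overrides the
# system-wide one. Systems without KB2264107 installed ignore the value.

$SystemKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
$IfeoKey   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
$ValueName = 'CWDIllegalInDllSearch'

function Get-CwdDllSearchSetting {
    param([string]$Path)
    $item = Get-ItemProperty -Path $Path -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    # Registry DWORDs surface as signed Int32, so 0xFFFFFFFF reads as -1; normalise.
    return [uint32]([int64]$item.$ValueName -band 0xFFFFFFFF)
}

function Describe-CwdDllSearchSetting {
    param($Value)
    if ($null -eq $Value)      { return 'not set (CWD searched, default)' }
    if ($Value -eq 0xFFFFFFFF) { return 'CWD never searched (strongest)' }
    if ($Value -eq 2)          { return 'CWD blocked on WebDAV and remote shares' }
    if ($Value -eq 1)          { return 'CWD blocked on WebDAV shares only' }
    if ($Value -eq 0)          { return 'explicitly default (CWD searched)' }
    return "unrecognised value $Value"
}

function Get-CwdDllSearchReport {
    # System-wide setting first, then every per-application override.
    $sys = Get-CwdDllSearchSetting -Path $SystemKey
    New-Object PSObject -Property @{ Scope = '(system-wide)'; Setting = (Describe-CwdDllSearchSetting $sys) }
    Get-ChildItem -Path $IfeoKey -ErrorAction SilentlyContinue | ForEach-Object {
        $v = Get-CwdDllSearchSetting -Path $_.PSPath
        if ($null -ne $v) {
            New-Object PSObject -Property @{ Scope = $_.PSChildName; Setting = (Describe-CwdDllSearchSetting $v) }
        }
    }
}

Get-CwdDllSearchReport | Format-Table Scope, Setting -AutoSize

# Harden system-wide. Value 2 blocks the classic attack (DLL planted next to a
# document on a remote or WebDAV share) without affecting applications whose
# working directory is on a local disk.
function Set-CwdDllSearchSystemWide {
    param([uint32]$Value = 2)
    # Re-sign the value so 0xFFFFFFFF can be written as a DWORD without an overflow error.
    $signed = [BitConverter]::ToInt32([BitConverter]::GetBytes($Value), 0)
    Set-ItemProperty -Path $SystemKey -Name $ValueName -Value $signed -Type DWord
}
# Set-CwdDllSearchSystemWide -Value 2     # uncomment to apply
```

The registry value only changes where the loader looks; it does not fix an application that loads from a relative path in the first place, which is why the MS11-075 and MS11-076 patches are still needed on top of it. Run the report on a few representative workstations before and after rolling the setting out, and watch for per-application entries that silently weaken the system-wide choice.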

Multiple vulnerabilities have been found in Windows kernel-mode drivers. The kernel is the core of the operating system, and flaws in kernel-mode drivers are especially serious because the drivers run with full kernel privileges, so a successful attack gives complete control of the system. These are addressed in MS11-077.

MS11-078 addresses vulnerabilities in the .NET Framework and Microsoft Silverlight. Because .NET and Silverlight content can reach a workstation through the browser and .NET also runs on ASP.NET web servers, this one affects workstations, terminal servers and web hosting servers alike, and it is rated Critical.

After installing the updates (MS11-079) for Microsoft Forefront Unified Access Gateway (UAG), the administrator must additionally open the UAG Management console and activate the configuration; until that is done the fix is not in effect. Users who connect through UAG are the ones exposed, but the patches are applied on the server.

The update MS11-080 addresses a privilege elevation vulnerability in the Microsoft Windows Ancillary Function Driver (AFD) and applies only to Windows XP and Server 2003. On those platforms it replaces a similar fix released in June. The vulnerability addressed here, however, had not been publicly disclosed.

MS11-081 is a Critical cumulative update for Internet Explorer. It addresses multiple vulnerabilities by modifying the way IE handles objects in memory, the usual pattern for bugs that let a malicious web page run code on the visitor's machine. The update applies to all supported versions of IE and requires a restart.

For those running Host Integration Server, which integrates Windows with IBM host systems, MS11-082 provides an update for two publicly disclosed denial of service vulnerabilities. A properly configured firewall that limits access to the HIS services to the hosts that need them would mitigate these DoS attacks and is suggested as a workaround until the update is applied.

Get more of my knowledge on the security log with my Security Log Resource kit or get prescriptive best practice guidance what events to monitor and how with my Rosetta Audit Logging Kits.

Summary table (the number in parentheses is the Knowledge Base article for the bulletin):

Bulletin (KB) | Exploit type / technology affected | System types affected | Exploit details public? / Being exploited? | Comprehensive, practical workaround available? | MS severity rating | Products affected | Notes | Randy's recommendation
--------------|------------------------------------|-----------------------|---------------------------------------------|------------------------------------------------|--------------------|-------------------|-------|-----------------------
MS11-079 (2544641) | Arbitrary code / Forefront UAG | Servers | No / No | No | Important | Forefront UAG | | Patch after testing
MS11-077 (2567053) | Arbitrary code / Windows kernel-mode drivers | Workstations, Terminal Servers | No / No | No | Important | XP, Vista, Server 2003, Server 2008, Server 2008 R2, Windows 7 | Restart req'd | Patch after testing
MS11-081 (2586448) | Arbitrary code / Internet Explorer | Workstations, Terminal Servers | No / No | No | Critical | XP, Vista, Server 2003, Server 2008, Server 2008 R2, Windows 7 | Restart req'd | Patch after testing
MS11-080 (2592799) | Privilege elevation / Windows (AFD) | Workstations, Terminal Servers | No / No | No | Important | XP, Server 2003 | Restart req'd | Patch after testing
MS11-076 (2604926) | Arbitrary code / Windows (Media Center) | Workstations | Yes / No | No | Important | Vista, Windows 7, Media Center TV Pack | | Patch after testing
MS11-078 (2604930) | Arbitrary code / .NET Framework; Silverlight | Workstations, Terminal Servers, Web Hosting Servers | No / No | No | Critical | XP, Vista, Server 2003, Server 2008, Server 2008 R2, Windows 7, Silverlight 4 | | Patch after testing
MS11-082 (2607670) | Denial of service / Host Integration Server | Servers | Yes / No | No | Important | Host Integration Server 2004, 2006, 2009, 2010 | | Patch after testing
MS11-075 (2623699) | Arbitrary code / Windows (Active Accessibility) | Workstations, Terminal Servers | No / No | No | Important | XP, Vista, Server 2003, Server 2008, Server 2008 R2, Windows 7 | Restart req'd | Patch after testing
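To turn the table into a per-host checklist, the script below (an added example, not code from the original post) builds a small catalog from the bulletin and KB numbers above, compares it with what Get-HotFix reports on the local machine and lists what is missing with the publicly disclosed and Critical items first. It assumes the bulletin KB is also the installed package KB, which holds for the Windows bulletins but not for MS11-078 (2604930 is an umbrella number; the individual .NET packages carry their own KBs, and Silverlight is not an OS update at all), and it cannot know which products are present, so bulletins for products not installed on the host are passed to the -Skip parameter. The catalog fields and function names are mine.

```powershell
# Added example (not from the original post). Catalog of this month's bulletins
# taken from the table above, compared against Get-HotFix on the local host.
# Caveat: Get-HotFix reads Win32_QuickFixEngineering, which only lists OS-level
# packages, so treat a "missing" MS11-078 as "check .NET/Silverlight separately".

$Bulletins = @(
    @{ Id='MS11-079'; KB='2544641'; Severity='Important'; Public=$false; Restart=$false; Scope='Forefront UAG (activate config after install)' },
    @{ Id='MS11-077'; KB='2567053'; Severity='Important'; Public=$false; Restart=$true;  Scope='Windows kernel-mode drivers' },
    @{ Id='MS11-081'; KB='2586448'; Severity='Critical';  Public=$false; Restart=$true;  Scope='Internet Explorer' },
    @{ Id='MS11-080'; KB='2592799'; Severity='Important'; Public=$false; Restart=$true;  Scope='AFD (XP / Server 2003 only)' },
    @{ Id='MS11-076'; KB='2604926'; Severity='Important'; Public=$true;  Restart=$false; Scope='Windows Media Center' },
    @{ Id='MS11-078'; KB='2604930'; Severity='Critical';  Public=$false; Restart=$false; Scope='.NET Framework / Silverlight (umbrella KB, verify separately)' },
    @{ Id='MS11-082'; KB='2607670'; Severity='Important'; Public=$true;  Restart=$false; Scope='Host Integration Server' },
    @{ Id='MS11-075'; KB='2623699'; Severity='Important'; Public=$false; Restart=$true;  Scope='Active Accessibility' }
)

function Get-InstalledKBs {
    param([string]$ComputerName = $env:COMPUTERNAME)
    # HotFixID comes back as "KB2567053"; keep only the digits so it matches the catalog.
    Get-HotFix -ComputerName $ComputerName -ErrorAction Stop |
        ForEach-Object { $_.HotFixID -replace '^KB', '' }
}

function Get-MissingBulletins {
    param(
        [string[]]$Installed,
        [string[]]$Skip = @(),       # bulletin IDs for products not present on this host
        $Catalog = $Bulletins
    )
    foreach ($b in $Catalog) {
        if ($Skip -contains $b.Id) { continue }
        if ($Installed -notcontains $b.KB) {
            New-Object PSObject -Property @{
                Bulletin = $b.Id; KB = $b.KB; Severity = $b.Severity
                Public   = $b.Public; Restart = $b.Restart; Scope = $b.Scope
            }
        }
    }
}

$installed = Get-InstalledKBs

# Constructed example: a Windows 7 workstation runs neither UAG nor HIS, and
# MS11-080 applies only to XP / Server 2003, so those three are skipped here.
$missing = @(Get-MissingBulletins -Installed $installed -Skip 'MS11-079','MS11-082','MS11-080')

# Rank: publicly disclosed first (shortest window before a working exploit),
# then Critical before Important. These are the ones to push through testing fastest.
$missing |
    Sort-Object @{ Expression = 'Public'; Descending = $true },
                @{ Expression = { if ($_.Severity -eq 'Critical') { 0 } else { 1 } } } |
    Format-Table Bulletin, KB, Severity, Public, Restart, Scope -AutoSize

if (@($missing | Where-Object { $_.Restart }).Count -gt 0) {
    'At least one missing update requires a restart; schedule a maintenance window.'
}
```

For servers, swap the -Skip list for the workstation-only bulletins (MS11-076 is the obvious one) and add the UAG or HIS rows back in where those products run. Get-HotFix is a quick first pass, not an authority: confirm the final state with WSUS or your patch management console, especially for the .NET and Silverlight pieces of MS11-078.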
