Patch Tuesday Analysis for October 2011
A variety of security updates were released today, affecting both servers and workstations. The priority you give each one will depend on the types of systems you are responsible for. Note that MS11-076 and MS11-082 address vulnerabilities that are publicly disclosed, which may shorten the time we have until there is an active exploit.
In August of 2010 Microsoft alerted us to a new attack vector: the class of vulnerabilities called "Insecure Library Loading". So far 18 security bulletins have been released for Insecure Library Loading issues. This month MS11-075 covers Microsoft Active Accessibility and MS11-076 covers Media Center. This class of vulnerability also turns up in third-party programs, so admins should be alert to updates from other vendors.
Multiple vulnerabilities were found in some kernel-mode drivers. The kernel is the core of the operating system, and kernel-mode drivers are especially concerning since they access the kernel directly. These are addressed in MS11-077.
MS11-078 addresses vulnerabilities in the .NET Framework and Microsoft Silverlight.
After installing the MS11-079 updates for Microsoft Forefront User Access Gateway (UAG), the administrator must additionally open the console and activate the configuration. Users connecting to the UAG are the ones exposed, but the patches are applied on the server.
The update MS11-080 addresses a privilege elevation vulnerability in the Microsoft Windows Ancillary Function Driver (AFD). For Windows XP and 2003 it replaces a similar fix released last June. The vulnerability addressed here, however, had not been publicly disclosed.
MS11-081 is a critical update for Internet Explorer. It addresses multiple vulnerabilities by modifying the way IE handles objects in memory. This update applies to all supported versions of IE.
For those running Host Integration Server, which integrates with IBM systems, MS11-082 provides an update for two publicly disclosed vulnerabilities. A properly configured firewall would mitigate these DoS attacks and is suggested as a workaround.
Get more of my knowledge on the security log with my Security Log Resource Kit, or get prescriptive best-practice guidance on what events to monitor and how with my Rosetta Audit Logging Kits.
| Bulletin | Exploit Types / Technologies Affected | System Types Affected | Exploit details public? / Being exploited? | Comprehensive, practical workaround available? | MS severity rating | Products Affected | Notes | Randy's recommendation |
|---|---|---|---|---|---|---|---|---|
| MS11-079 (KB2544641) | Arbitrary code / Forefront UAG | Servers | No / No | No | Important | Forefront UAG | | Patch after testing |
| MS11-077 (KB2567053) | Arbitrary code / Windows kernel-mode drivers | Workstations, Terminal Servers | No / No | No | Important | XP, Vista, Server 2003, Server 2008, Server 2008 R2, Windows 7 | Restart Req'd | Patch after testing |
| MS11-081 (KB2586448) | Arbitrary code / Internet Explorer | Workstations, Terminal Servers | No / No | No | Critical | XP, Vista, Server 2003, Server 2008, Server 2008 R2, Windows 7 | Restart Req'd | Patch after testing |
| MS11-080 (KB2592799) | Privilege elevation / Windows | Workstations, Terminal Servers | No / No | No | Important | XP, Server 2003 | Restart Req'd | Patch after testing |
| MS11-076 (KB2604926) | Arbitrary code / Windows | Workstations | Yes / No | No | Important | Vista, Windows 7, Media Center TV Pack | | Patch after testing |
| MS11-078 (KB2604930) | Arbitrary code / .NET Framework; Silverlight | Workstations, Terminal Servers, Web Hosting Servers | No / No | No | Critical | XP, Vista, Server 2003, Server 2008, Server 2008 R2, Windows 7, Silverlight 4 | | Patch after testing |
| MS11-082 (KB2607670) | Denial of service / Host Integration Server | Servers | Yes / No | No | Important | Host Integration Server 2004, 2006, 2009, 2010 | | Patch after testing |
| MS11-075 (KB2623699) | Arbitrary code / Windows | Workstations, Terminal Servers | No / No | No | Important | XP, Vista, Server 2003, Server 2008, Server 2008 R2, Windows 7 | Restart Req'd | Patch after testing |
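As an added example (not part of the original analysis), the following PowerShell check compares the KB numbers in the table with the hotfixes installed on a host and lists the gaps in the order the analysis argues for: publicly disclosed bulletins first, then Critical ones. It assumes PowerShell 2.0 or later and that the number under each bulletin is the KB article id that Get-HotFix reports.

```powershell
# Added example, not from the original post: which of this month's bulletins
# are missing on this machine, ranked by the criteria the analysis stresses.
# Assumes PowerShell 2.0+. Get-HotFix lists Windows updates only, so the
# Forefront UAG, Host Integration Server and Silverlight patches must be
# verified through those products' own update mechanisms instead.

$bulletins = @(
    @{ Id='MS11-079'; KB='2544641'; Severity='Important'; Public=$false; Restart=$false; Product='Forefront UAG' }
    @{ Id='MS11-077'; KB='2567053'; Severity='Important'; Public=$false; Restart=$true;  Product='Windows kernel-mode drivers' }
    @{ Id='MS11-081'; KB='2586448'; Severity='Critical';  Public=$false; Restart=$true;  Product='Internet Explorer' }
    @{ Id='MS11-080'; KB='2592799'; Severity='Important'; Public=$false; Restart=$true;  Product='Windows AFD' }
    @{ Id='MS11-076'; KB='2604926'; Severity='Important'; Public=$true;  Restart=$false; Product='Media Center' }
    @{ Id='MS11-078'; KB='2604930'; Severity='Critical';  Public=$false; Restart=$false; Product='.NET Framework / Silverlight' }
    @{ Id='MS11-082'; KB='2607670'; Severity='Important'; Public=$true;  Restart=$false; Product='Host Integration Server' }
    @{ Id='MS11-075'; KB='2623699'; Severity='Important'; Public=$false; Restart=$true;  Product='Active Accessibility' }
)

# Installed hotfix ids with the 'KB' prefix stripped, for a simple comparison.
$installed = Get-HotFix | ForEach-Object { $_.HotFixID -replace '^KB', '' }

$report = foreach ($b in $bulletins) {
    # Priority 1: exploit details already public (shorter time to a working exploit).
    # Priority 2: MS-rated Critical. Priority 3: everything else.
    if ($b.Public) { $priority = 1 }
    elseif ($b.Severity -eq 'Critical') { $priority = 2 }
    else { $priority = 3 }

    New-Object PSObject -Property @{
        Bulletin  = $b.Id
        KB        = $b.KB
        Product   = $b.Product
        Severity  = $b.Severity
        Public    = $b.Public
        Restart   = $b.Restart
        Installed = ($installed -contains $b.KB)
        Priority  = $priority
    }
}

# Show only the gaps, most urgent first. "Installed = False" can also mean the
# product is simply not present on this host, so confirm applicability first.
$report | Where-Object { -not $_.Installed } |
    Sort-Object Priority, Bulletin |
    Format-Table Priority, Bulletin, KB, Product, Severity, Public, Restart -AutoSize
```

Run it on a representative workstation and server after deployment; a bulletin that still shows with Restart = True usually means the update is staged but the reboot has not happened yet.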