MS Patch Tuesday: Gaping holes haunt Internet Explorer browser

MS Patch Tuesday: Gaping holes haunt Internet Explorer browser

Summary: Guest post by Wolfgang KandekThere is plenty of work this month of June for IT administrators - Microsoft's June Patch Tuesday addresses 34 vulnerabilities in 16 distinct bulletins. Nine of the bulletins carry a maximum severity of "critical", while the remaining seven are rated as "Important" only.

SHARE:
TOPICS: Security
54

Guest post by Wolfgang Kandek

There is plenty of work this month of June for IT administrators - Microsoft's June Patch Tuesday addresses 34 vulnerabilities in 16 distinct bulletins. Nine of the bulletins carry a maximum severity of "critical", while the remaining seven are rated as "Important" only.

Plus there are the critical fixes from Adobe Reader and Oracle for Java.

No doubt IT Administrators will have to pick and choose where to act first.

The highest priority Microsoft bulletins should be:

  • MS11-050, which addresses 11 vulnerabilities in Microsoft Internet Explorer version 6,7, 8 and 9.
  • MS11-052, which patches VML, a markup language that is used mainly in Internet Explorer.

Browser and plug-in vulnerabilities together have been the point of entry for many recent security incidents and are the main infection vector for mass malware such as Zeus and SpyEye (for some interesting statistics see this recent StopBadWare report.

The combo MS11-050/052, together with APSB11-016 from Adobe and Java CPU June 2011 is the first highest priority set of vulnerabilities to address this week. That way IT admins will keep ahead of the "ExploitKit" writers and and make their workstation infrastructures more robust.

Second on the list should be MS11-045, which fixes eight vulnerabilities in all versions of Excel including for Mac OS X. Microsoft ranks it only as "Important" because the end user is required to open an attacker-provided file, but we believe that attackers have shown often enough that they have the skills to make opening the file enticing enough for end users, especially with a file format like Excel that is used overwhelmingly for serious, business related communication.

Other high priority bulletins are MS11-042 and MS11-043, which address critical flaws in the SMB and DFS clients on Windows. Strict outbound firewalling will help enterprises in both cases to keep the exposure low, but since the exploit index is a low "1" for both vulnerabilities, IT admins should schedule them for inclusion into the patch process as soon as possible.

The only bulletin with a known exploit in the wild is MS11-046, a local privilege escalation flaw in the "afd.sys" driver. IT admins can check with their end-point security providers for coverage, but should include this bulletin high on their to-do lists in any case, as it is only a matter of time until we see more attackers use malware taking advantage of this exploit to gain control of your workstations.

* Wolfgang Kandek is chief technology officer at Qualys. He is responsible for product direction and all operational aspects of the QualysGuard platform and its infrastructure.

** Ryan Naraine is traveling.

Topic: Security

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

54 comments
Log in or register to join the discussion
  • Message has been deleted.

    SonofaSailor
    • There's nothing "timely" about MS11-050

      @SonofaSailor
      <i>"MS11-050, which addresses 11 vulnerabilities in Microsoft Internet Explorer version 6,7, 8 and 9."</i>

      Anything which affects IE 6 and 7 has been around for a long, long time.

      The more interesting question is how many of the vulnerabilities that affect IE6 also affect IE9, of course. And it's not immediately obvious because everything has been bundled into a "cumulative security update". But they're all "remote code execution" vulnerabilities, so even one is bad.
      Zogg
      • If you would care to read the actual bulletin

        @Zogg

        <i>The more interesting question is how many of the vulnerabilities that affect IE6 also affect IE9, of course. And it's not immediately obvious because everything has been bundled into a "cumulative security update".</i>

        If you would care to read the actual bulletin you would find this information available right there. I realize that you are not used to this kind of detailed vulnerability description from your favorite OS vendor, but here goes:

        Patched vulnerabilities in versions of IE:
        4 in IE9
        11 in IE8
        8 in IE7
        6 in IE6

        All of the IE9 bugs were also in IE8, but not all IE8 bugs were carried over to IE9 - presumably this bugs were in part which were rewritten in IE9.

        IE is still the browser with fewest vulnerabilities.
        honeymonster
      • RE: MS Patch Tuesday: Gaping holes haunt Internet Explorer browser

        @Zogg
        "Anything which affects IE 6 and 7 has been around for a long, long time."

        Maybe, but it hasn't been KNOWN for a long time....which is the single most important factor. Security gaps are important only insofar as they are known, if there is a hole that no one knows about, then it really doesn't matter, does it?
        Doctor Demento
      • Actually, I *did* read it.

        @honeymonster
        And I said that the information wasn't "immediately obvious". However, now I see that it was inside a hidden table after all. So we can tell that "Link Properties Handling Memory Corruption Vulnerability - CVE-2011-1250" is present in every version of IE from 6 to 9, whereas "Drag and Drop Memory Corruption Vulnerability - CVE-2011-1254" and "Time Element Memory Corruption Vulnerability - CVE-2011-1255" are present in IEs 6 thru 8.

        Oh well; better patched late than never, I suppose.

        <i>"IE is still the browser with fewest vulnerabilities."</i>

        Don't forget to keep waving your pom-poms as you say that ;-).
        Zogg
      • Known to whom, though?

        @Doctor Demento
        I'm not worried about bugs that <b>you</b> are personally unaware of. But if something's been present for this long then there's a chance that someone else found it long ago.
        Zogg
      • RE: MS Patch Tuesday: Gaping holes haunt Internet Explorer browser

        @honeymonster

        "IE is still the browser with fewest vulnerabilities."

        So untrue, it isn't even funny.
        csuwldcat
      • RE: MS Patch Tuesday: Gaping holes haunt Internet Explorer browser

        [i]IE is still the browser with fewest vulnerabilities.[/i]

        No doubt that's an 'unbiased' opinion, right?

        ;)
        ScorpioBlue
      • RE: MS Patch Tuesday: Gaping holes haunt Internet Explorer browser

        @Zogg
        [i]Don't forget to keep waving your pom-poms as you say that.[/i]

        According to you: Reporting concise and accurate facts is waving pom-poms?

        Therefore you must be poo-pooing with your cynical FUD?

        IE9 is the least vulnerable of all browsers, as per the NVD. Period. http://nvd.nist.gov/

        [i]~~~~~~~~~~
        If electricity comes from electrons, does morality come from morons?[/i]
        WinTard
      • RE: MS Patch Tuesday: Gaping holes haunt Internet Explorer browser

        @Zogg <br>"IE9 is the least vulnerable of all browsers, as per the NVD. Period. <a href="http://nvd.nist.gov/" target="_blank" rel="nofollow"><a href="http://nvd.nist.gov/" target="_blank" rel="nofollow"><a href="http://nvd.nist.gov/" target="_blank" rel="nofollow"><a href="http://nvd.nist.gov/" target="_blank" rel="nofollow">http://nvd.nist.gov/</a></a></a></a>"<br><br><strong>That explains why vulnerability scanners mark IE not to be used due to critical vulnerabilities 30 out of 31 days a month.</strong><br><br>That's a home page, so what info are you citing, I'm guesing you haven't given a direct link because it's made up, I guess your not citing that firefox has one of the quickest times to patch record and IE one of the worst. We won't even go into the severity of IE vulnerabilities.<br><br>Another interesting question is how many unknown vulnerabilities does IE9 have that none of the others have in it's hardware acceleration layer which are extremely dangerous. Unknown vulnerabilities don't matter, how rediculous, they're worth more. Microsoft treats?/treated vulnerability reporters as annoyances to be ignored, criminal organisations pay them.
        kevlar700
      • RE: MS Patch Tuesday: Gaping holes haunt Internet Explorer browser

        @WinTard ...
        [i]"IE9 is the least vulnerable of all browsers, as per the NVD. Period. http://nvd.nist.gov/"[/i]

        Boy howdy, that webpage is a mess. Care to be a bit more specific on where you located the information that points to IE9 being the least vulnerable web browser ever? Because I sure as hell can't find it.
        WarhavenSC
      • No Such Thing As

        @WinTard<br>"IE9 is the least vulnerable of all browsers, as per the NVD. Period."<br><br>You can not speak of this kind of absolute when it comes to security. Speaking this way about a browser that's been out for as short a time as IE 9 is silly. I suspect that it's generally quite a bit more secure than older versions, but it's too early to state much of anything more about it with any certainty at all.
        CFWhitman
      • RE: MS Patch Tuesday: Gaping holes haunt Internet Explorer browser

        <i>According to you: Reporting concise and accurate facts is waving pom-poms?</i><br><br>Consider the original source.<br><br><i>IE9 is the least vulnerable of all browsers, as per the NVD. Period. <a href="http://nvd.nist.gov/" target="_blank" rel="nofollow">http://nvd.nist.gov/</a></i><br><br>That tells us nothing. <br><br><b>Absolutely nothing</b>
        ScorpioBlue
      • RE: MS Patch Tuesday: Gaping holes haunt Internet Explorer browser

        @Doctor Demento
        Maybe, but it hasn't been KNOWN for a long time....which is the single most important factor. Security gaps are important only insofar as they are known, if there is a hole that no one knows about, then it really doesn't matter, does it?

        There are known knowns. These are things we know that we know. There are known unknowns. That is to say, there are things that we know we don't know. But there are also unknown unknowns. There are things we don't know we don't know.
        Donald Rumsfeld

        The suspicion that there are Holes out there can make people do crazy things.
        Andrew Happ
      • RE: MS Patch Tuesday: Gaping holes haunt Internet Explorer browser

        Facilitating remote code execution has been a primary function by design of IE from Day Zero. What is there to fix, isn't this what we are told we are supposed to want, a remote control interface for advertisers and worse?
        schmandel@...
    • RE: MS Patch Tuesday: Gaping holes haunt Internet Explorer browser

      @SonofaSailor wweeeeeeeeeeeeeeeeeeeeeeeejhhhhhhhhhh!
      oldtechdudze
    • Message has been deleted.

      piudicibus
  • sonof, the vulnerability of which you speak

    also requires the user to install code downloaded from the internet. It's merely 'important'.
    HollywoodDog
  • busy?

    If an IT admin takes more than an hour or to test and deploy, then he should consider an alternate line of work. It is good to see these vendors address the growing threat landscape that these complex solutions engender. These same vendors also provide the tools necessary to remediate these issues efficiently and effectively.
    Your Non Advocate
    • It depends..

      @facebook@...
      On how much legacy software and bespoke software you have. You need to test each patch with each piece of software individually.

      You can certainly automate some of the testing, but if you have a large financials package, with thousands of options, you have a lot of work to do, to ensure that even the most obscure of functions still work.

      It is a case of "it should work," but if the system fails after upgrading machines, that can be a huge headache and huge hole in your income.

      If one of the packages inadvertently uses one of the exploits, or the patch for the exploit changes the way an interface behaves, it can stop the business dead.

      Just think about MS Word (okay, bad example for security testing, one would hope MS have already tested it works with the patches, before they release them). But look at the functionality bundled in there. How long would it take you to walk through each and every function in Word?

      Multiply that by a couple of dozen bespoke LoB applications and you can see why many companies are reticent about bundling updates out to desktops, without properly testing them.

      The situation is certainly much better today than it was a decade or so ago. Back then, it would probably take 6 months to get every application tested and signed off.

      We now take less than half a day to test the main LoB apps, because we have streamlined the process and we only have a couple of apps which aren't common commercial apps.

      We also need to test it against the software we sell. Many of our customers hold off on updates, until they know we have tested them.
      wright_is