June 2011 Patch Tuesday Overview
Microsoft has released 16 new bulletins in the June 2011 edition of patch Tuesday. These 16 bulletins address 34 vulnerabilities. This is quite a large patch day and, to top it off, Microsoft was late in releasing the bulletins.
The first batch of security bulletins that need immediate attention all have web browsing to a malicious website as an attack vector. As this is the number one way to be exploited, these bulletins should be rolled out first.
The following five bulletins will be prime targets for attacks in the coming days/weeks.
First up is MS11-050. This security bulletin is the bi-monthly cumulative security update for Internet Explorer. This bulletin fixes multiple vulnerabilities and applies to all supported versions of Internet Explorer.
MS11-052 is the second Microsoft Internet Explorer security bulletin for this month. This bulletin also fixes a vulnerability that can lead to remote code execution if a user browses to a malicious website with an unpatched machine.
MS11-039 is one of two updates affecting the Microsoft .NET framework. This bulletin fixes a vulnerability that could lead to remote code execution if a user browses to a webpage containing malicious ASP.net applications. In addition, malicious web pages hosting XBAP applications can also lead to remote code execution if browsed to with an unpatched .NET Framework. It is important to note that XBAP vulnerabilities are not commonly used as a attack vectors to date.
With the two Internet Explorer and .NET Framework patches, both patches will need to be applied to machines to fully fix all vulnerabilities this month.
MS11-038 addresses a vulnerability in OLE Automation that can lead to remote code execution. The vulnerability can be exploited if a user navigates to a malicious website that contains a VBScript to load a WMF (Windows Metafile). Viewing media via web browsers is extremely common and prevalent in the new social media age, which increases the urgency of patching this vulnerability.
On the non-browser front, MS11-043 addresses a vulnerability with the SMB client on all supported operating systems. If an attacker can convince a user to make a SMB connection to a malicious SMB server, the attacker can gain full control of the user's machine. This attack is unauthenticated, meaning the attacker only needs to convince the user to make a connection to the malicious machine to gain full control of the target. Most home routers and firewalls block SMB connections externally to the internet. But on an internal corporate network, a SMB connection is typically a business critical service that is not blocked by the firewall on the local system.
With such a large number of bulletins and affected products this month, it is important to review each bulletin thoroughly and plan your patch attack this month. Every machine, whether server or workstation, will be affected this month. Also keep in mind that Adobe is also planning to release their quarterly security update today. This update will address all supported versions of Adobe Acrobat and Reader. Some of these fixes have been a long wait for administrators. The vulnerabilities affecting Adobe Reader X (10) have remained unpatched, and the vulnerabilities have been exploited in the wild against older versions of the Reader product. For the X (10) version of Adobe's product, the vulnerabilities have remained unpatched until the next scheduled quarterly security update because the latest version of their product runs in a sandbox mode. This prevents the vulnerabilities from being exploited.
Keep an eye out for other vendors releasing new bulletins/patches today and tomorrow. We have been here before with a massive patch day. Researching, planning and implementing your attack plan for patching this month is a must. If you are not responsible for patching your network, this would be an excellent time to take your IT admin in charge of patching out for lunch later this week after they catch up on sleep!
I will be going over the June 2011 patch Tuesday in depth with our monthly patch Tuesday webinar. You can register to attend it here.
- Jason Miller