September 2011 Patch Tuesday Overview
Microsoft has released their scheduled monthly Security Bulletin release with 5 bulletins addressing 15 vulnerabilities.
MS11-070 addresses 1 vulnerability in the WINS service. Only Microsoft server operating systems are affected by this vulnerability (Windows 2003, Windows 2008, Windows 2008 R2). In order for an attacker to carry out an exploit, the attacker must have access and login credentials to the machine. Once on the machine, the attacker could send a malicious WINS request to the local loopback network address of the machine. This could result in elevation of privilege.
MS11-071 brings back the DLL preloading issue once again this month. On August 23, 2010 Microsoft released a Security Advisory (2269637) regarding an issue with Microsoft products that could be attacked via binary planting. Microsoft has been identifying and patching affected products through the last 13 months. MS11-071 marks the 16th time that Microsoft has issued a Security Bulletin for the DLL preloading issue. Opening a genuine text file (.rtf or .txt) file in a directory that contains a malicious DLL can result in Remote Code Execution.
MS11-072 addresses five vulnerabilities in the Microsoft Office Excel program. Opening a malcious Microsoft Excel file could result in remote code execution on an affected machine. This bulletin is not rated as critical due to the defense in depth mechanism in the Microsoft Office program. The program will prompt users whether or not to open an excel file. To exploit this vulnerability, an attack requires user interaction.
MS11-073 addresses an issue with Microsoft Office. This vulnerability will be quite difficult for an attacker to exploit due to the user interaction required. Scenario 1: An attacker entices a user to open an office file located in a directory with a malicious DLL. This scenario would most likely have an attacker already on a corporate network in order to plant the malicious DLL. Scenario 2: An attacker sends a malicious Microsoft Office document and entices the user to save the file, and subsequently open the file in a directory that contains a malicious DLL. Both of these scenarios can be prevented if the Microsoft Office File Validation Add-in is installed on your machines. This feature was originally introduced by Microsoft in Microsoft Office 2010. Microsoft has since provided this defense-in-depth measure through an update to their customers.
MS11-074 is the largest Security Bulletin released this month. This Security Bulletin affects 12 different Microsoft product lines. One of the five vulnerabilities fixed in this Security Bulletin have been publicly released. However, Microsoft has not received any reports of attacks against the vulnerability. This Security Bulletin is related to MS11-050 (Cumulative Update for Internet Explorer released on June 14, 2011). MS11-050 fixed the vulnerability in Internet Explorer, and MS11-074 will fix the issue in the "Microsoft productivity" products. Both patches will need to be installed to fix the vulnerability in all Microsoft products.
Last week, Microsoft released a Security Advisory and subsequent patch adding the DigiNotar certficates to the untrusted certificate store. Today, Microsoft released an update adding additional certificates to the untrusted certificate store. This update superscedes the previous update, so you will only need to apply the latest patch if you did not apply the previous patch.
Adobe has also released a new Security Bulletin for Adobe Acrobat and Reader with APSB11-24. This update addresses 13 vulnerabilities. In addition, Adobe joins other vendors (Microsoft, Apple, Mozilla, etc) in blacklisting DigiNotar certificates. Adobe is not currently aware of any attacks with digitally signed Adobe documents with rogue DigiNotar certificates. More information on Adobe's stance with Adobe's Approved Trust List and subsequent blacklisting of DigiNotar certificates can be found on the Adobe Security Matters blog.
Skype has released a non-security update for their software. This release adds support for Windows 8. Yes, you read that correctly, Windows 8. Microsoft held a demonstration for journalists and analysts on Monday, September 12, 2011 showing off Windows 8. I expect a beta will soon be in the works for Windows 8 where you can install and use Skype. Or maybe, just maybe, Microsoft will bundle Skype with their latest operating system (Microsoft bought Skype last May).
I will be reviewing the September 2011 in depth during my monthly Patch Tuesday webinar tomorrow at 11am CDT. You can register to attend the live webinar here.
- Jason Miller