Two critical patches for IE and Silverlight released

Powered by SC Magazine
 

MS11-081 a priority.

Microsoft released eight security bulletins yesterday to address 23 vulnerabilities.

As revealed by SC, two of the patches are rated as critical, while the remaining six are rated as important.

According to Wolfgang Kandek, CTO of Qualys, highest priority should be given to MS11-081, which patches a code execution vulnerability in Internet Explorer.

“The exploit occurs when a victim uses IE to browse a malicious website. High priority should also be given to MS11-078, which fixes a vulnerability in Microsoft Silverlight and the .NET framework. This vulnerability is also exploited when a victim browses a malicious website with a Silverlight-enabled browser.”

Marcus Carey, security researcher and community manager at Rapid7, said: “When I look at security vulnerabilities, first I want to understand which ones can have the most widespread impact. MS11-081 is a cumulative update which affects Internet Explorer, so it relates to both corporate and home users.

“As far as we know, none of the vulnerabilities have been used in the wild. Having said that, this is something that systems administrators and home users should be patching as soon as possible.

“MS11-078 is an interesting bulletin because it requires administrators to patch both .NET and Silverlight installations. Patching to mitigate the vulnerabilities associated with this bulletin is critical, so administrators need to be diligent in applying both fixes, or else this vulnerability will persist.”

Tyler Reguly, technical manager, security and research development, at nCircle, said: “If I were responsible for patching systems, I'd want to patch IE first. It will be interesting to see if the vulnerability code for Silverlight 3 is released this month as Microsoft predicted. I'm curious to know how many people are running Silverlight 3 versus Silverlight 4. With Silverlight, I'm not always sure what I'm running.”

Jason Miller at VMware agreed that MS11-081 should be the priority because the vulnerabilities in browsers are top exploit targets for attackers.

Regarding MS11-078, Miller said: “If an attacker can entice a user to visit a malicious site, a vulnerability could then be exploited that results in remote code execution. With most 'browse then attack' scenarios, the vulnerability is attacked through the browser.

“It is important to note that Microsoft .NET Framework patches typically take quite a while to run. The patches can also be quite large for each version of the program (example: the .NET 4.0 update ranges from 10MB to 22MB in size).”

In regard to the other patches, Kandek said they should be scheduled after the critical bulletins are patched. He said: “Two DLL preloading issues were fixed by MS11-075 and MS11-076. More information about DLL preloading and workarounds can be found in advisory 2269637 from last year.

“Two local EoP issues were fixed in win32k.sys and AFD.sys by MS11-077 and MS11-080. To exploit these issues, attackers already need to have access to the target systems to gain higher privileges. Two patches were released for less pervasive technologies, namely Forefront Unified Access Gateway and Host Integration Server. In our opinion, the exposure for this is very low, but if your corporation uses these technologies, then patching is recommended.”

Carey said: “MS11-079 for Microsoft Forefront will affect the smallest number of organisations, because security infrastructure is one of the few areas where Microsoft isn't dominant. The specially crafted URL warning is indicative of a Cross Site Scripting (XSS) vulnerability.

“Forefront gives organisations VPN access to their internal networks, so an attacker would be able to exploit the vulnerability to steal login credentials and gain access to customer data. If you are running Forefront, I recommend testing and patching as soon as possible.”

This article originally appeared at scmagazineuk.com

Copyright © SC Magazine, US edition


Two critical patches for IE and Silverlight released
 
 
 
Top Stories
ATO shaves $4m off IT contractor panel
Reform cuts admin burden, introduces KPIs.
 
Turnbull introduces data retention legislation
Still no definition of metadata to be stored.
 
Crime Commission prepares core systems overhaul
Will replace 30 year-old national criminal database.
 
 
Sign up to receive iTnews email bulletins
   FOLLOW US...
Latest articles on BIT Latest Articles from BIT
Do you direct debit customers? Read this
Oct 10, 2014
Authorities have been targeting direct debit practices with iiNet and Dodo receiving formal ...
Optus expands 4G coverage
Oct 10, 2014
If you rely on an Optus phone for work you might be interested to know that there are now 200 ...
Microsoft Office is now free for some charities
Oct 10, 2014
Microsoft has announced that eligible Australian non-profit organisations and charities can now ...
Vodafone lights up 4G in Adelaide
Oct 9, 2014
Live and work in Adelaide? Vodafone has switched on its 4G network in the city and suburbs.
Next year tradies will be able to take payments using ingogo
Oct 3, 2014
Ingogo is going to provide a card payment service for Xero users.
Latest Comments
Polls
In which area is your IT shop hiring the most staff?




   |   View results
IT security and risk
  27%
 
Sourcing and strategy
  13%
 
IT infrastructure (servers, storage, networking)
  21%
 
End user computing (desktops, mobiles, apps)
  14%
 
Software development
  25%
TOTAL VOTES: 438

Vote
Would your InfoSec team be prepared to share threat data with the Australian Government?

   |   View results
Yes
  54%
 
No
  46%
TOTAL VOTES: 210

Vote