Two critical patches for IE and Silverlight released

Powered by SC Magazine
 

MS11-081 a priority.

Microsoft released eight security bulletins yesterday to address 23 vulnerabilities.

As revealed by SC, two of the patches are rated as critical, while the remaining six are rated as important.

According to Wolfgang Kandek, CTO of Qualys, highest priority should be given to MS11-081, which patches a code execution vulnerability in Internet Explorer.

“The exploit occurs when a victim uses IE to browse a malicious website. High priority should also be given to MS11-078, which fixes a vulnerability in Microsoft Silverlight and the .NET framework. This vulnerability is also exploited when a victim browses a malicious website with a Silverlight-enabled browser.”

Marcus Carey, security researcher and community manager at Rapid7, said: “When I look at security vulnerabilities, first I want to understand which ones can have the most widespread impact. MS11-081 is a cumulative update which affects Internet Explorer, so it relates to both corporate and home users.

“As far as we know, none of the vulnerabilities have been used in the wild. Having said that, this is something that systems administrators and home users should be patching as soon as possible.

“MS11-078 is an interesting bulletin because it requires administrators to patch both .NET and Silverlight installations. Patching to mitigate the vulnerabilities associated with this bulletin is critical, so administrators need to be diligent in applying both fixes, or else this vulnerability will persist.”

Tyler Reguly, technical manager, security and research development, at nCircle, said: “If I were responsible for patching systems, I'd want to patch IE first. It will be interesting to see if the vulnerability code for Silverlight 3 is released this month as Microsoft predicted. I'm curious to know how many people are running Silverlight 3 versus Silverlight 4. With Silverlight, I'm not always sure what I'm running.”

Jason Miller at VMware agreed that MS11-081 should be the priority because the vulnerabilities in browsers are top exploit targets for attackers.

Regarding MS11-078, Miller said: “If an attacker can entice a user to visit a malicious site, a vulnerability could then be exploited that results in remote code execution. With most 'browse then attack' scenarios, the vulnerability is attacked through the browser.

“It is important to note that Microsoft .NET Framework patches typically take quite a while to run. The patches can also be quite large for each version of the program (example: the .NET 4.0 update ranges from 10MB to 22MB in size).”

In regard to the other patches, Kandek said they should be scheduled after the critical bulletins are patched. He said: “Two DLL preloading issues were fixed by MS11-075 and MS11-076. More information about DLL preloading and workarounds can be found in advisory 2269637 from last year.

“Two local EoP issues were fixed in win32k.sys and AFD.sys by MS11-077 and MS11-080. To exploit these issues, attackers already need to have access to the target systems to gain higher privileges. Two patches were released for less pervasive technologies, namely Forefront Unified Access Gateway and Host Integration Server. In our opinion, the exposure for this is very low, but if your corporation uses these technologies, then patching is recommended.”

Carey said: “MS11-079 for Microsoft Forefront will affect the smallest number of organisations, because security infrastructure is one of the few areas where Microsoft isn't dominant. The specially crafted URL warning is indicative of a Cross Site Scripting (XSS) vulnerability.

“Forefront gives organisations VPN access to their internal networks, so an attacker would be able to exploit the vulnerability to steal login credentials and gain access to customer data. If you are running Forefront, I recommend testing and patching as soon as possible.”

This article originally appeared at scmagazineuk.com

Copyright © SC Magazine, US edition


Two critical patches for IE and Silverlight released
 
 
 
Top Stories
Westpac committed to core banking plan
[Blog post] Now with leadership.
 
The True Cost of BYOD - 2014 survey
Twelve months on from our first study, is BYOD a better proposition?
 
Photos: Unboxing the Magnus supercomputer
Pawsey's biggest beast slots into place.
 
 
Sign up to receive iTnews email bulletins
   FOLLOW US...
Latest articles on BIT Latest Articles from BIT
Apple's top MacBook Pro with Retina is now cheaper
Aug 1, 2014
Apple has updated its MacBook Pro range with faster processors and new pricing, including ...
Pass on carbon tax savings, warns ACCC
Jul 24, 2014
The ACCC is warning businesses that supply "regulated goods" to pass on any cost savings ...
Have customers that won't pay debts?
Jul 10, 2014
The ACCC and ASIC have updated their advice when it comes to collecting debts.
Carpet cleaner faces court over online testimonials
Jul 4, 2014
The ACCC has initiated proceedings against A Whistle (1979) Pty Ltd, the franchisor of Electrodry...
You can now get 15GB of free online storage using Microsoft OneDrive
Jun 25, 2014
Cloud storage has reached both the capacity and price where it's a viable alternative to local ...
Latest Comments
Polls
What is delaying adoption of public cloud in your organisation?







   |   View results
Lock-in concerns
  29%
 
Application integration concerns
  3%
 
Security and compliance concerns
  27%
 
Unreliable network infrastructure
  9%
 
Data sovereignty concerns
  22%
 
Lack of stakeholder support
  3%
 
Protecting on-premise IT jobs
  4%
 
Difficulty transitioning CapEx budget into OpEx
  3%
TOTAL VOTES: 1156

Vote