Two critical patches for IE and Silverlight released

Powered by SC Magazine
 

MS11-081 a priority.

Microsoft released eight security bulletins yesterday to address 23 vulnerabilities.

As revealed by SC, two of the patches are rated as critical, while the remaining six are rated as important.

According to Wolfgang Kandek, CTO of Qualys, highest priority should be given to MS11-081, which patches a code execution vulnerability in Internet Explorer.

“The exploit occurs when a victim uses IE to browse a malicious website. High priority should also be given to MS11-078, which fixes a vulnerability in Microsoft Silverlight and the .NET framework. This vulnerability is also exploited when a victim browses a malicious website with a Silverlight-enabled browser.”

Marcus Carey, security researcher and community manager at Rapid7, said: “When I look at security vulnerabilities, first I want to understand which ones can have the most widespread impact. MS11-081 is a cumulative update which affects Internet Explorer, so it relates to both corporate and home users.

“As far as we know, none of the vulnerabilities have been used in the wild. Having said that, this is something that systems administrators and home users should be patching as soon as possible.

“MS11-078 is an interesting bulletin because it requires administrators to patch both .NET and Silverlight installations. Patching to mitigate the vulnerabilities associated with this bulletin is critical, so administrators need to be diligent in applying both fixes, or else this vulnerability will persist.”

Tyler Reguly, technical manager, security and research development, at nCircle, said: “If I were responsible for patching systems, I'd want to patch IE first. It will be interesting to see if the vulnerability code for Silverlight 3 is released this month as Microsoft predicted. I'm curious to know how many people are running Silverlight 3 versus Silverlight 4. With Silverlight, I'm not always sure what I'm running.”

Jason Miller at VMware agreed that MS11-081 should be the priority because the vulnerabilities in browsers are top exploit targets for attackers.

Regarding MS11-078, Miller said: “If an attacker can entice a user to visit a malicious site, a vulnerability could then be exploited that results in remote code execution. With most 'browse then attack' scenarios, the vulnerability is attacked through the browser.

“It is important to note that Microsoft .NET Framework patches typically take quite a while to run. The patches can also be quite large for each version of the program (example: the .NET 4.0 update ranges from 10MB to 22MB in size).”

In regard to the other patches, Kandek said they should be scheduled after the critical bulletins are patched. He said: “Two DLL preloading issues were fixed by MS11-075 and MS11-076. More information about DLL preloading and workarounds can be found in advisory 2269637 from last year.

“Two local EoP issues were fixed in win32k.sys and AFD.sys by MS11-077 and MS11-080. To exploit these issues, attackers already need to have access to the target systems to gain higher privileges. Two patches were released for less pervasive technologies, namely Forefront Unified Access Gateway and Host Integration Server. In our opinion, the exposure for this is very low, but if your corporation uses these technologies, then patching is recommended.”

Carey said: “MS11-079 for Microsoft Forefront will affect the smallest number of organisations, because security infrastructure is one of the few areas where Microsoft isn't dominant. The specially crafted URL warning is indicative of a Cross Site Scripting (XSS) vulnerability.

“Forefront gives organisations VPN access to their internal networks, so an attacker would be able to exploit the vulnerability to steal login credentials and gain access to customer data. If you are running Forefront, I recommend testing and patching as soon as possible.”

This article originally appeared at scmagazineuk.com

Copyright © SC Magazine, US edition


Two critical patches for IE and Silverlight released
 
 
 
Top Stories
Change is the only constant at iiNet
iiNet's Matthew Toohey is trialling IBM's Watson - between preparing for an acquisition and making sure Netflix doesn't swamp the network.
 
Why straight-through processing is the holy grail for banks
Big benefits from stripping away human intervention and digitising processes.
 
CBA sued over frozen millions in IT bribery scandal
Eric Pulier's not-for profit lodges lawsuit in US.
 
 
Sign up to receive iTnews email bulletins
   FOLLOW US...
Latest articles on BIT Latest Articles from BIT
New features are coming to Outlook.com
May 27, 2015
Outlook.com, thanks to its predecessor Hotmail.com, is one of the world's major webmail services ...
Windows 10 to feature integrated apps for Android and iOS
May 27, 2015
Microsoft reveals multi-platform Cortana connectivity for Windows 10. What the heck is that, and ...
Microsoft launches Office for Android preview
May 22, 2015
Microsoft has launched a preview of Office for Android smartphones. Pre-release versions of ...
Microsoft is working on an iOS email chat feature called Flow
May 22, 2015
Microsoft is working on a new chat app, but at the moment we know more about what we DON'T know, ...
Windows 10 free upgrade: Microsoft details who gets what
May 22, 2015
Microsoft was meant to be streamlining its OS with Windows 10, so why is upgrading so confusing? ...
Latest Comments
Polls
Should Optus make a bid for iiNet?

   |   View results
Yes
  44%
 
No
  56%
TOTAL VOTES: 667

Vote