Two critical patches for IE and Silverlight released

Powered by SC Magazine
 

MS11-081 a priority.

Microsoft released eight security bulletins yesterday to address 23 vulnerabilities.

As revealed by SC, two of the patches are rated as critical, while the remaining six are rated as important.

According to Wolfgang Kandek, CTO of Qualys, highest priority should be given to MS11-081, which patches a code execution vulnerability in Internet Explorer.

“The exploit occurs when a victim uses IE to browse a malicious website. High priority should also be given to MS11-078, which fixes a vulnerability in Microsoft Silverlight and the .NET framework. This vulnerability is also exploited when a victim browses a malicious website with a Silverlight-enabled browser.”

Marcus Carey, security researcher and community manager at Rapid7, said: “When I look at security vulnerabilities, first I want to understand which ones can have the most widespread impact. MS11-081 is a cumulative update which affects Internet Explorer, so it relates to both corporate and home users.

“As far as we know, none of the vulnerabilities have been used in the wild. Having said that, this is something that systems administrators and home users should be patching as soon as possible.

“MS11-078 is an interesting bulletin because it requires administrators to patch both .NET and Silverlight installations. Patching to mitigate the vulnerabilities associated with this bulletin is critical, so administrators need to be diligent in applying both fixes, or else this vulnerability will persist.”

Tyler Reguly, technical manager, security and research development, at nCircle, said: “If I were responsible for patching systems, I'd want to patch IE first. It will be interesting to see if the vulnerability code for Silverlight 3 is released this month as Microsoft predicted. I'm curious to know how many people are running Silverlight 3 versus Silverlight 4. With Silverlight, I'm not always sure what I'm running.”

Jason Miller at VMware agreed that MS11-081 should be the priority because the vulnerabilities in browsers are top exploit targets for attackers.

Regarding MS11-078, Miller said: “If an attacker can entice a user to visit a malicious site, a vulnerability could then be exploited that results in remote code execution. With most 'browse then attack' scenarios, the vulnerability is attacked through the browser.

“It is important to note that Microsoft .NET Framework patches typically take quite a while to run. The patches can also be quite large for each version of the program (example: the .NET 4.0 update ranges from 10MB to 22MB in size).”

In regard to the other patches, Kandek said they should be scheduled after the critical bulletins are patched. He said: “Two DLL preloading issues were fixed by MS11-075 and MS11-076. More information about DLL preloading and workarounds can be found in advisory 2269637 from last year.

“Two local EoP issues were fixed in win32k.sys and AFD.sys by MS11-077 and MS11-080. To exploit these issues, attackers already need to have access to the target systems to gain higher privileges. Two patches were released for less pervasive technologies, namely Forefront Unified Access Gateway and Host Integration Server. In our opinion, the exposure for this is very low, but if your corporation uses these technologies, then patching is recommended.”

Carey said: “MS11-079 for Microsoft Forefront will affect the smallest number of organisations, because security infrastructure is one of the few areas where Microsoft isn't dominant. The specially crafted URL warning is indicative of a Cross Site Scripting (XSS) vulnerability.

“Forefront gives organisations VPN access to their internal networks, so an attacker would be able to exploit the vulnerability to steal login credentials and gain access to customer data. If you are running Forefront, I recommend testing and patching as soon as possible.”

This article originally appeared at scmagazineuk.com

Copyright © SC Magazine, US edition


Two critical patches for IE and Silverlight released
 
 
 
Top Stories
Tech SWAT teams kicking down the digital door
From dam engineers in Ecuador to Sydney light-rail gurus, Cardno's global CIO Karen Wagner is linking up her widespread organisation.
 
Brandis hits telcos with new security reforms
Civil penalties for those who don't comply.
 
When does an insurance company turn into a software vendor?
The lines are blurring for ASX-listed Cover-More Group.
 
 
Sign up to receive iTnews email bulletins
   FOLLOW US...
Latest articles on BIT Latest Articles from BIT
New Microsoft Office apps for Android phones
Jun 26, 2015
Microsoft's latest Office apps for Android now work on phones as well as tablets, further ...
Windows 10 UK price revealed, but don't believe everything you hear
Jun 26, 2015
Windows 10 £99 price tag for users in the UK (who presumably don't already have Win 7 Pro ...
Now Xero notifies iOS users of new transactions
Jun 24, 2015
The latest version of Xero's iPhone app includes notifications when new transactions arrive from ...
Your Essential Cloud Toolbox
Jun 22, 2015
When BIT interviewed Receipt Bank country manager Sophie Hossack, we asked for her thoughts on ...
Toshiba laptops to get “Cortana button” ahead of Windows 10 launch
Jun 19, 2015
Toshiba introduces 12 new laptops, all aimed at getting the most out of Microsoft's digital ...
Latest Comments
Polls
Is site blocking effective in stopping piracy?


   |   View results
Yes
  2%
 
No
  86%
 
Somewhat
  12%
TOTAL VOTES: 505

Vote