Microsoft Patch Tuesday fixes 22 vulnerabilities

Microsoft has released fixes for 22 vulnerabilities discovered in Internet Explorer, Windows, Visio and Visual Studio as part of its monthly Patch Tuesday upgrades.

The software giant released 13 security bulletins overnight, two of which are rated critical in severity, nine important and two moderate.

It advised customers to install all of the updates as soon as possible, starting with the two rated most critical.

MS11-057 for Internet Explorer fixed five privately reported vulnerabilities and two publicly disclosed vulnerabilities, according to the release. The most severe of these vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer.

MS11-058 resolves two privately reported vulnerabilities in Windows DNS server. The more severe of these vulnerabilities could allow remote code execution if an attacker sends a specially crafted Naming Authority Pointer (NAPTR) query to a DNS server. Servers that do not have the DNS role enabled are not at risk, the report said.

"It is interesting to see a big patch day coming after a security conference [Black Hat], instead of before one," Aviv Raff, CTO at cyberthreat management company Seculert, said on Tuesday.

"Usually, vendors patch for zero day before a security conference in order to block security researchers from releasing them." Andrew Storms, director of security at nCircle, a network security and compliance auditing firm, said enterprises should also pay special attention to MS11-064, a bulletin listed by Microsoft as "important".

"Attackers can take advantage of this bug to cause a remote reboot of Windows computers even if they have a local firewall enabled," Storms said. "Back in the early 90s, we used to call this kind of bug the ‘ping of death.'"

It would only take about 10 minutes for an attacker to write and distribute a tool to take advantage of the flaw, Storms said. Then, anyone could easily grab that attack tool and, with a single click, cause a Windows network to reboot.

"The malicious potential is enormous," he said. "The most troubling thing about this bug is that the local Windows firewall does not mitigate the attack."

Service providers like ISPs, cloud providers and others that allow inbound ping packets to their server instances should immediately look for ways to mitigate this bug using edge firewalls, Storms said.

Overall, IT administrators have had their hands full this summer, Dave Marcus, director of security research and communications at McAfee Labs, said.

“Although there are only two critical [Microsoft] patches this month, this update comes after the July patches from Oracle and Apple, and there will be another release of critical patches for Adobe Flash Player [on Tuesday]," he said.

To provide the best protection possible against exploitation, Don Debolt, director of threat research at Total Defense, a malware detection and anti-crimeware provider, advised that Microsoft Security Automatic Updates be enabled and that up-to-date anti-malware software be used.

"The combination of these two will ensure the best protection possible," Debolt said.