Patch Tuesday Updates Fix Critical Flaws in IE and DirectShow
By Tony Bradley, PCWorld
Microsoft’s Patch Tuesday for June 2010 is here. Microsoft released a total of 10 new security bulletins, addressing 34 separate vulnerabilities, including critical flaws in DirectShow and the Internet Explorer Web browser. Let’s turn to some industry experts and security professionals for additional insight on the Microsoft security bulletins, and perspective on how to prioritize and protect against the potential threats.
Seven of the security bulletins are rated as Important, while the remaining three are Critical. The Critical security bulletins include MS10-033 for DirectShow, and MS10-035 which addresses six different vulnerabilities in Internet Explorer.
Joshua Talbot, security intelligence manager for Symantec Security Response, points out that “This is the largest Microsoft patch release of 2010 and ties the record for the most vulnerabilities ever addressed in a single month; a record set in October of last year. This month’s release also features the largest ever single bulletin, with 14 vulnerabilities in Excel being addressed together.”
“Another Microsoft Patch Tuesday, another list of the usual suspects: Internet Explorer, Media Player, Office. Sadly, you no longer have to be psychic to figure out what’s coming. If I wasn’t in security, I’d be starting to wonder if it was time to go back to pen, paper and encyclopedias,” mused Tyler Reguly, lead research engineer at nCircle.
Andrew Storms, director of security operations for nCircle, says, “Generally, whenever Microsoft patches IE, it’s the top priority to deploy and this rule-of-thumb is doubly true this month. Along with patching a previously disclosed bug, Microsoft is patching a number of other critical security issues in IE this month, including their Pwn2Own bug from CanSecWest.”
Storms added the following mitigating factors, though. “Critical bugs are still being found in IE8 and Windows 7, but they are harder to exploit because of Microsoft’s mitigation technologies. The underlying bugs are still there, but IE protected mode, Windows DEP and ASLR make them far less attractive to hackers.”
Qualys CTO Wolfgang Kandek explains in a blog post: “MS10-032 addresses a local escalation of privilege vulnerability. While it is not remotely exploitable through any Microsoft product, third-party applications could expose it and provide a remote attack possibility.”
Kandek also clarifies: “MS10-040 is a remotely exploitable vulnerability in all versions of IIS, but it is present only if the administrator has downloaded and installed the Channel Binding Update and enabled Windows Authentication. It further requires an account on the system, reducing the number of vulnerable hosts to a small subset.”
“Today’s Microsoft patches again underline the risk of using the Internet unprotected,” said Dave Marcus, director of security research and communications at McAfee Labs. “These vulnerabilities could be exploited to booby trap Web sites, Office and Windows Media files to gain control over vulnerable computers simply by tricking victims into opening a malicious file or clicking a malicious link.”
nCircle’s Reguly contributed this additional insight: “As a researcher, I find MS10-041 and MS10-040 very interesting, although they are probably the least dangerous for the end user. Patches for MS10-035, which includes public vulnerabilities, and MS10-033 should probably be highest on most people’s priority lists because they include at least one public vulnerability and are likely to see published exploits in the next couple of weeks.”
“Aside from ensuring complete protection is running, computer users need to use common sense and avoid the dark alleys of the Internet as well as second guess any documents or links they are sent, including those that appear to come from friends, family or coworkers,” McAfee’s Marcus concluded.
A Microsoft spokesperson shared the following insight from Microsoft. “As always, Microsoft recommends that customers test and deploy all security updates as soon as possible to help protect their computers from criminal attacks. Specifically, Microsoft recommends customers prioritize deployment of MS10-033, MS10-034, and MS10-035.”