Microsoft released patches to fix 19 critical vulnerabilities in its software Tuesday, including five flaws in its Internet Explorer browser that security experts advise IT administrators to patch immediately.
The total of 11 security updates released for August is the largest round of Patch Tuesday updates Microsoft has released since last February and should give IT administrators plenty to do to secure their companies’ systems. “People are going to be quite busy with this load,” said Jason Miller, security data team leader for Shavlik Technologies, a patch-management software provider in St. Paul, Minnesota.
Six of the patches, which can be found on Microsoft’s Web site, are rated as critical, while five are rated as important.
Miller and other security experts cited Microsoft Security Bulletin MS08-045, a Cumulative Security Update for Internet Explorer, as the top priority among this month’s batch of updates. The update patches five privately reported vulnerabilities and one that already has been disclosed publicly and for which attack code already exists, which makes it a zero-day flaw.
Don Leatham, director of solutions and strategy for Lumension Security, said the fact that the IE vulnerabilities affect HTML (Hypertext Markup Language) is enough reason to make patching them of the utmost importance, since the opportunity for exploitation is so vast. “Every Web site in the world uses HTML,” he said. Lumension, based in Scottsdale, Arizona, provides patch- and vulnerability-management software and services
Shavlik’s Miller said that the IE patches and another critical update released Tuesday that fixes a vulnerability in the ActiveX Control for the Snapshot Viewer for Microsoft Access — MS08-041 — are related because they both allow an attacker to create a Web site that takes advantage of these vulnerabilities. He listed them both as priorities for immediate installation.
Leatham also cited the Snapshot Viewer exploit as a high priority for IT administrators because many businesses use Access and its Snapshot Viewer tool extensively.
“You can be assured people are using the viewer to share information with partners, customers and internally given the popularity of the Office suite and how much businesses tend to use Access,” he said.
An update that fixes a vulnerability in the Microsoft Windows Image Color Management System — MS08-046 — also should be installed immediately because it could allow an attack if a user navigates to a Web page and views a particular graphic, researchers said. The color-management system is part of the graphical subsystem of Windows.
“Given that [the vulnerability] is Web-based and graphical, you definitely want to pay some special attention to that one,” Leatham said.
Two August updates rated as important also should be of interest to IT professionals, even if Microsoft has rated them below the critical updates. They are MS08-047, which fixes a vulnerability in IPsec Policy processing, and MS08-50, which patches a flaw in Messenger.
Though Microsoft doesn’t rate flaws that allow for information disclosure as critical, the IPsec vulnerability, which could turn what people think are trusted encrypted information tunnels into open text communications, could become so for certain companies using IPsec intensively to transfer critical data, such as health care organizations that work with confidential patient information, Leatham said.
Similarly, Microsoft has not rated the Messenger vulnerability as critical because it only deals with information disclosure; however, it opens up the opportunity for a “social-engineering attack that we haven’t seen before” and should be taken seriously, said Amol Sarwate, manager of the vulnerabilities research lab at Qualys. Qualys, based in Redwood Shores, California, provides vulnerability-management and policy-compliance services.
“It allows attackers to invite people for audio or video conferencing by impersonating a victim,” he said, noting that it also is a zero-day vulnerability.
Last Thursday Microsoft said it expected to release 12 security updates on Tuesday as part of its monthly patch cycle, called Patch Tuesday by security researchers, but at the last minute pulled one of those updates because of quality issues, the company said.
Microsoft did not provide further information on if and when it would release the update; however, when updates have been pulled at the last minute before, they are usually released as part of the next month’s patch cycle.
Also complicating matters this month is a recent security advisory and patch Microsoft sent out for the tool many companies use to patch Microsoft applications, Windows Server Update Services, Leatham said. He advised that companies ensure they update the tool and verify that it is working properly before installing August’s patches.
“There was an odd bug causing some security patches not to be deployed into areas of organizations,” Leatham said. “You want to make sure your WSUS server has been patched” before installing another round of updates.