News

Microsoft’s October 2011 Patch Tuesday fixes 23 flaws, releases SIRv11

Hillary O’Rourke, Contributor

Microsoft released eight security bulletins today, patching 23 vulnerabilities across its product line for its October 2011 Patch Tuesday.

While it may not be the busiest Patch Tuesday, two of the eight

    Requires Free Membership to View

bulletins were rated “critical,” repairing flaws in Internet Explorer, the .NET Framework and Microsoft Silverlight. The remaining six bulletins were “important.”

The software giant also issued its 11th volume of its Security Intelligence Report, SIRv11. In the Microsoft Security Response Center blog, Pete Voss, senior response communications manager, wrote that the report “puts zero-day vulnerabilities into context against other global threats.”

The updates for this month’s Patch Tuesday span across Internet Explorer, the .NET Framework, Microsoft Windows, Microsoft Forefront UAG and Microsoft Host Integration Server.

One of the critically rated updates, MS11-078, affects .NET Framework and Microsoft Silverlight and may require a restart. If left unpatched, the privately reported vulnerability could allow remote code execution if a user views a specially crafted Web page using a browser that is configured to run XAML Browser Applications (XBAPS) or Silverlight applications.

The second critical vulnerability, MS11-081, is a cumulative security update that affects Internet Explorer. This update patches eight privately reported vulnerabilities and could also allow remote code execution if a user views a specially crafted Web page while using Internet Explorer. If successful, an attacker could gain the same user rights as the local user.

According to Jason Miller, manager of research and development at Palo Alto, Calif.-based virtualization vendor VMware Inc., these two bulletins are rated critical because they are browser-based and widely deployed.

The remaining six bulletins that are rated “important” can be scheduled after the critical bulletins are patched, said Amol Sarwate, vulnerability labs manager at Redwood Shores, Calif.-based vulnerability management vendor Qualys Inc.

Three of the “important” updates require a restart. MS11-075, MS11-077 and MS11-080 affect vulnerabilities in the Microsoft Active Accessibility, Windows Kernel-Mode Drivers and Ancillary Function Driver components of Microsoft Windows, respectively. MS11-075 and MS11-077 both could allow remote code execution while MS11-080 could allow an elevation of privilege but only if the attacker has valid logon credentials and can log on locally.

The remaining three “important” bulletins, MS11-076, MS11-079 and MS11-082, may require a restart. They affect Windows Media Center, Microsoft Forefront Unified Access Gateway and Host Integration Server, respectively, and could allow remote code execution or a denial of service.

According to VMware’s Miller, MS11-079 is a little unusual because the update is available only through the Microsoft Download Center. Users actually have to manually configure the update to completely secure their system.

Security Intelligence Report volume 11
Qualys’ Sarwate explained that Microsoft’s release of the SIRv11 is something to note, especially with a new section called “Zeroing in on the Malware.” The report, which tracks malware and other threats posed to Windows users from January through June 2011, analyzed the frequency of zero-day exploitations, finding that 44% of the zero-day exploits in the wild require user interaction. About 26% of zero-day exploits take advantage of the Windows AutoRun feature to infect USB devices or network volumes mapped to drive letters.  Microsoft released an update in February to make the AutoRun feature more secure.   

Microsoft said zero-day exploitation accounted for about 0.12% of all exploit activity in the first half of 2011, reaching a peak of 0.37% in June. Two vulnerabilities disclosed in Adobe Flash Player in June made up the bulk of the zero-day exploits tracked by Microsoft.