October 2011 Patch Tuesday Overview
Microsoft has released eight new security bulletins in their October 2011 version of Patch Tuesday. These eight new security bulletins address 23 vulnerabilities.
The bulletin administrators should look at patching first is the bi-monthly cumulative update for Microsoft Internet Explorer. Security bulletin MS11-081 addresses eight individual vulnerabilities in Internet Explorer. A user visiting a malicious web page with an unpatched Internet Explorer browser could lead to remote code execution. As with every security update for Internet browsers (Microsoft or other browser vendors), patching browsers will be top priority because the vulnerabilities fixed with each security bulletin release in browsers are top exploit targets for attackers.
The next bulletin administrators should look at patching as soon as possible is the security bulletin affecting the Microsoft .NET Framework and Microsoft Silverlight programs. MS11-078 addresses one vulnerability in both programs. If an attacker can entice a user to visit a malicious site, a vulnerability could then be exploited that results in remote code execution. With most browse then attack scenarios, the vulnerability is attacked through the browser. This month, administrators will need to patch both Internet Explorer and .NET/Silverlight to prevent malicious website vector attacks. It is important to note that Microsoft .NET Framework patches from Microsoft typically take quite a while to run through the patching process. The patches can also be quite large for each version of the program (example: the .NET 4.0 update ranges from 10 MB to 22MB in size).
Microsoft is also revisiting a security advisory that was issued more than one year ago. MS11-075 and MS11-076 fix two more programs that have been identified as having the DLL preload vulnerability. Since the security advisory (2269637) was released last August 23, 2010, Microsoft has released a security bulletin 17 times to address the issue in various programs.
MS11-079 also has an interesting scenario that may affect administrators this month. This security bulletin addresses vulnerabilties in the Microsoft Unified Access Gateway (UAG) program. The patches for this security bulletin are only available on the Microsoft download center. Thus, administrators are relying solely on their WSUS and Windows Update reports for patching, this bulletin will not show as missing. Administrators will need to identify any machines on their network that have the affected program installed and manually deploy the patch to those systems. In addition, there are manual actions to fully protect the systems after patching. Administrators will need to perform manual actions on their UAG consoles to configure the program to fully be protected against attacks.
This is not the first time we have seen a patch for UAG not available through WSUS and Windows Update. The last security bulletin released for this program was released in November 2010. This security bulletin was also only available on the Microsoft Download Center. Both of these security bulletin releases are prime examples of why administrators should spend time each month reviewing the security bulletin documentation. This information may be in the fine print of the lengthy security bulletin web pages, but the extra time spent researching just may prevent an attack against systems.
I will be reviewing the October 2011 in depth during my monthly Patch Tuesday webinar tomorrow at 11am CDT. You can register to attend the live webinar here.
- Jason Miller