This month, Microsoft is releasing 17 bulletins to address 63 security vulnerabilities across a wide range of Windows products. Out of these vulnerabilities, 12 are rated critical and 51 important.
About half of these vulnerabilities are being patched with the MS11-034 bulletin. They all involve Elevation of Privilege vulnerabilities in the Windows kernel.
Elevation of privilege vulnerabilities have gained a lot in popularity as Windows 7 and the use of sandboxes have been gaining traction. These vulnerabilities could be used for instance to circumvent UAC and immediately give a program full admin privileges without warning.
With Microsoft’s newer products there’s been somewhat of a trend where the number of EoP vulnerabilities outweigh the number of Remote Code Execution vulnerabilities. This trend is likely to persist over the coming months.
Microsoft will also be releasing two advisories this month. One for Windows and one for Office.
The advisory for Windows affects the 64-bit versions of the 6.0 and 6.1 kernels – the Windows Vista and 7 code-base respectively. This update addresses an issue in driver signing enforcement.
I think this advisory should have been pushed as a security update as it involves some of the core integrity of the OS. As attacks have become more sophisticated it’s become more obvious integrity is crucial.
To not see Microsoft recognize this is rather surprising.
The Office advisory will be bringing “Office File Validation” to Office 2003 and 2007.
This feature is native to Office 2010 and determines if an (older) Office document is adhering to the file format specification. It will not allow malformed documents to be opened.
While this is obviously a good development this feature doesn’t stop the recent Flash zero-days we’ve seen. After all, those are simply using a feature from Word and not a bug.
Hopefully Microsoft will be able to back-port the Office 2010 sandbox at a later date, as the sandbox is able to stop the Adobe Flash zero-days.
With this release Microsoft is also finally fixing the MHTML vulnerability.
This vulnerability – CVE-2011-0096 – has been known for a while now and was seen in targeted attacks shortly after the previous patch Tuesday.
MS11-019 will address the SMB Browser vulnerability disclosed in February.
As always, we recommend to apply these patches as soon as possible.