Patch Tuesday August 2011

Microsoft released 13 bulletins addressing 22 CVE’s in its own software: Microsoft Windows, Office, Internet Explorer, .NET and Visual Studio. We’ll be watching for Adobe to coordinate any release of their own updates today.

This month’s release of 13 bulletins is a sizable one, following up on Microsoft’s four bulletin release last month. Everything from Microsoft operating system kernel and networking components to their Microsoft Internet Explorer web browser and development products are impacted to patch information disclosure, denial of service, memory corruption, and elevation of privilege vulnerabilities.

Of the long list, a few appear to be the most severe. All versions of Microsoft’s Internet Explorer across mostly all of the Windows operating system are impacted in serious ways. Remote code execution exploits are possible along with information disclosure and less serious denial of service attacks. Microsoft Excel is effected by the manner in which its Windows Data Access Tracing component loads external libraries. An Excel file could be shared on a WebDAV directory along with a maliciously modified library. When it’s opened, the library would load and execute on the system at the same privileges as the user that opened the Excel file. For vulnerabilities like these, we will be monitoring for related exploit inclusion in underground market exploit packs like BlackHole, NeoSploit and Phoenix, which is always a bad thing. Visio is also at risk of remote code execution for a second month in a row as attackers serve up modified Visio files. But we won’t see its inclusion in the packs because of its low install base numbers.

Four of these Microsoft Security Bulletins patch vulnerabilities that may lead to severe problems like remote code execution, which are often included as a part of client-side drive-by attacks in exploit packs. But this month one of the more interesting vulnerabilities is server-side and may lead to remote code execution on Microsoft DNS servers. This one may be timely because of suggestions that the ongoing progress to DNSSEC implementation will alleviate the problems that the PKI infrastructure has seen related in certificate authorities, a huge subject Moxie Marlinspike addressed at Blackhat last week.

As always, we recommend patching your systems asap. Cheers to a problem free patch Tuesday!