Microsoft 'Patch Tuesday' Fixes 24 Flaws In 16 Updates

IT administrators will have their hands full this month after Microsoft issued a monster security bulletin for its June "Patch Tuesday" release addressing 24 security vulnerabilities with 16 updates.

The patches repair a myriad of flaws in Windows, Internet Explorer, Office, SQL Servers, Silverlight, .NET framework, and Forefront Threat Management Gateway as well as others.

Of the 16 patches, nine have been given the highest severity ranking of ’critical,’ which typically indicates that the vulnerabilities could enable remote code execution -- attacks launched remotely by hackers, that require little or no user intervention. Additionally, Microsoft designated seven of the bulletins with the slightly less severe ranking of ’important.’

Security experts underscore that two of the patches that should be given top billing this month are MS11-50 and MS11-52, repairing critical flaws in IE that could open the door for hackers to launch malicious attacks.

Wolfgang Kandek, chief technology officer of Qualys, said that priority should be given to IE flaws due to widespread popularity of the platform that results in a broad attack vector.

’There are not that many attacks any more against machines directly,’ Kandek said. ’What most people do on the Internet is browse. Most attacks are against the browser, where the attacker will somehow send you to an infected page and run code inside your browser. These are very popular attacks.’

The first of the IE updates, MS11-50, is a cumulative IE update, repairing 11 security holes, most of which could allow remote code execution. For the first time, Microsoft addressed IE9 in its monthly patch load.

During an attack, a hacker could trick a user into clicking on a malicious link or visiting an infected site while running IE, typically through some kind of social engineering scheme. A successful attack would download malware onto users’ computers designed to steal information and take control of the entire system.

’IE9 isn't as much of a concern as IE6, which often seems to be the lowest common denominator in security breaches,’ said Paul Henry, security and forensic analyst for Lumension. ’It is absolutely imperative that people download a newer version of IE in order to take advantage of the more secure codebase.’

The second IE update, MS11-52, fixes one vulnerability in the Microsoft implementation of Vector markup Language, ranked critical for IE 6, IE 7, IE 8, and moderate for IE 6, IE 7 and IE 8 on Windows servers. However, the latest version IE 9, is not affected by the flaw. The vulnerability could enable hackers to execute malicious code remotely by enticing users to view a specially crafted Web site while running IE.

In addition, the June patch also included seven fixes designated with the slightly less severe ranking of ’important.’

Security experts said one of the ’important’ updates worth elevated priority is one that repairs a publicly known ’Cookiejacking’ vulnerability that allows hackers to exploit an HTML5 component to steal cookies from its victims. The update, MS11-37, affects all editions of Windows XP, Vista and Windows 7, and resolves the publicly disclosed vulnerability in the MHTML protocol handler in Microsoft Windows.

Next: June Patch Resolves "Cookiejacking" Flaw

If exploited, the vulnerability could allow hackers to access information stored on users’ ’cookies’ without authorization. As in many attacks, the hacker would have to convince the user to visit a malicious URL or Web site, usually by getting them to click on a link embedded in an e-mail or IM message. A successful attack would give hackers access to users’ complete browsing history, including specific sites they visit and how often they do so.

Another flaw designated as ’important’ fixed eight security bugs in Microsoft Office Excel. Despite its ranking of ’important,’ the update, MS11-45, repaired a flaw that paved the way for attackers to launch remote code execution attacks if users opened an infected Excel file. During an attack, a hacker would typically send a user a compromised Excel file as an attachment via e-mail, and entice them to open it with some kind of social engineering ploy.

Henry added that MS11-45 was ’a hot patch, as Excel has historically been a delivery mechanism for spear phishing.’

The Microsoft patch load is rivaling a comprehensive Java patch from Oracle, which issued critical fixes repairing 17 security bugs across Java standard edition products. In addition, Adobe plans to release security updates Wednesday for critical bugs in Adobe Reader X 10.0.1 for Windows, Adobe Reader 10.0.3 for Mac and Adobe Acrobat 10.0.3 for Windows and Mac.