Patch Tuesday Bottomline – October 2010

October’s Patch Tuesday will be challenging for IT administrators. In addition to the 16 security bulletins that Microsoft is releasing, Oracle is also publishing its quarterly Critical Patch Update, which covers a wide array of products from the Oracle database line, through middleware and applications, to the newly acquired Sun products, addressing a total of 81 vulnerabilities.

Nineteen of these vulnerabilities are classified as remotely exploitable, including 11 in Sun Solaris. If you run Solaris, these updates may well be more important than today’s Microsoft patches, and they will certainly require more work in testing and roll-out.

On the Microsoft side, I consider MS10-071 the most important patch. It is a critical cumulative update for Internet Explorer 6, 7 and 8 and carries an Exploitability Index rating of 1, indicating that Microsoft expects consistent, working exploit code to appear for it. MS10-076 comes in as a close second: it is a critical vulnerability in the way Windows handles embedded fonts and can be triggered by a simple malicious web page without any interaction from the user, making it a good candidate for a “drive-by” infection campaign. The remaining critical bulletins will see less attention, as they apply to some quite specific setups.

MS10-077 is the more interesting of these, as it has a server-side component. It is a vulnerability in the .NET Framework running under 64-bit versions of Windows and allows the attacker to take over the target computer. In addition to the client-side vector (a malicious web page), the attacker can use this vulnerability against a server if that server allows the upload and execution of ASP.NET code.

This is a plausible scenario for web hosting companies, which should patch as quickly as possible, given that the Exploitability Index rates exploit code as “likely”. MS10-075, the other critical bulletin, is a vulnerability in the Windows Media Player network sharing service that is only present on Vista and Windows 7 home systems and can only be attacked from the local subnet.

The remaining vulnerabilities are all classified as “important” or lower. Microsoft Office has two bulletins (MS10-079 and MS10-080) that both allow “Remote Code Execution”, handing attackers control over the machine, but require user assistance in opening a malicious file. Most of the 24 vulnerabilities they cover apply only to the old Office XP version, so users of this software package, first released in 2001, should apply both updates as quickly as possible.

But even the new Word 2010 is affected by two of the vulnerabilities that allow “Remote Code Execution”, on both 32-bit and 64-bit platforms. This shows that even with a structured SDLC that has security integrated into it, achieving a bug-free record is near impossible.

MS10-082 is a second vulnerability in the Windows Media area, but it can only be triggered through third-party browsers (Chrome, Firefox, Opera, Safari). If any of these browsers is in frequent use in your environment, I suggest bumping this bulletin up in your priority list. Successful exploitation will allow the attacker to take control of the target machine.
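The ordering above combines bulletin severity, the Exploitability Index, the attack vector (drive-by versus user-opened file versus local subnet only) and how much of your own estate is actually exposed. The script below is an added example, not Qualys code or any Microsoft scoring scheme, that encodes that reasoning as a small triage scorer. The weights, the Exploitability Index values not stated in this post, and the host counts are all constructed for illustration; a practitioner would replace them with the bulletin data and asset inventory of their own environment.

```python
"""Toy patch-triage scorer for a Patch Tuesday release.

Added example (not Qualys code). Weights and the sample estate are assumptions;
only the bulletin IDs and their rough characteristics come from the post above.
"""
from dataclasses import dataclass


@dataclass
class Bulletin:
    id: str
    severity: str          # Microsoft severity rating
    exploitability: int    # Microsoft Exploitability Index: 1 = consistent exploit code likely, 2 = inconsistent, 3 = unlikely
    vector: str            # how the vulnerability is reached (see VECTOR_WEIGHT)
    server_side: bool = False    # also exploitable against servers (e.g. hosted ASP.NET code upload)
    affected_hosts: int = 0      # hosts in *your* estate that run the vulnerable component


# Assumed weights: the point is the structure, not these exact numbers.
SEVERITY_WEIGHT = {"critical": 4, "important": 3, "moderate": 2, "low": 1}
EXPLOITABILITY_WEIGHT = {1: 3, 2: 1, 3: 0}
VECTOR_WEIGHT = {
    "drive_by": 3,             # malicious web page, no user interaction
    "third_party_browser": 2,  # needs a non-IE browser to reach the vulnerable code
    "file_open": 1,            # user must open a crafted document
    "local_subnet": 0,         # attacker must already be on the LAN
}


def score(b: Bulletin, total_hosts: int, web_hosting: bool = False) -> float:
    """Higher is more urgent. Exposure scales the intrinsic score so that a
    bulletin affecting few hosts drops down the list even if it is critical."""
    intrinsic = (SEVERITY_WEIGHT[b.severity]
                 + EXPLOITABILITY_WEIGHT[b.exploitability]
                 + VECTOR_WEIGHT[b.vector])
    if b.server_side and web_hosting:
        intrinsic += 2  # a server-side vector matters more when you host customer code
    exposure = b.affected_hosts / total_hosts if total_hosts else 0.0
    return round(intrinsic * (0.5 + exposure), 2)


def rank(bulletins, total_hosts: int, web_hosting: bool = False):
    """Return [(bulletin id, score)] sorted from most to least urgent."""
    scored = [(b.id, score(b, total_hosts, web_hosting)) for b in bulletins]
    return sorted(scored, key=lambda t: t[1], reverse=True)


# Constructed sample estate of 1000 Windows hosts. Exploitability Index values
# marked "assumed" are not taken from the post; the others are as described there.
SAMPLE_ESTATE_HOSTS = 1000
OCTOBER_2010 = [
    Bulletin("MS10-071", "critical", 1, "drive_by", affected_hosts=900),           # IE 6/7/8, EI 1 per post
    Bulletin("MS10-076", "critical", 2, "drive_by", affected_hosts=1000),          # font engine, EI assumed
    Bulletin("MS10-077", "critical", 1, "drive_by", server_side=True,
             affected_hosts=300),                                                  # .NET on x64 only, "likely" per post
    Bulletin("MS10-075", "critical", 2, "local_subnet", affected_hosts=100),       # media sharing, EI assumed
    Bulletin("MS10-079", "important", 1, "file_open", affected_hosts=200),         # Word, EI assumed
    Bulletin("MS10-080", "important", 1, "file_open", affected_hosts=150),         # Excel, EI assumed
    Bulletin("MS10-082", "important", 2, "third_party_browser", affected_hosts=400),  # WMP via non-IE browsers, EI assumed
]


if __name__ == "__main__":
    for bid, s in rank(OCTOBER_2010, SAMPLE_ESTATE_HOSTS):
        print(f"{bid}  {s:5.2f}")
```

Running it on the constructed estate reproduces the order argued for above: MS10-071 first, MS10-076 second, MS10-077 third, then MS10-082 ahead of the two Office bulletins because its exposure (hosts with a third-party browser) is higher, with MS10-075 last because of its local-subnet-only vector. Passing `web_hosting=True` raises MS10-077 further, which is the adjustment a hosting company would make.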

As the CTO for Qualys, Wolfgang Kandek is responsible for product direction and all operational aspects of the QualysGuard platform and its infrastructure. Wolfgang has over 20 years of experience in developing and managing information systems. His focus has been on Unix-based server architectures and application delivery through the Internet. Prior to joining Qualys, Wolfgang was Director of Network Operations at the Online Music streaming company myplay.com and at iSyndicate, an Internet media syndication company. Earlier in his career, Wolfgang held a variety of technical positions at EDS, MCI and IBM. Wolfgang earned a Masters and a Bachelors degree in Computer Science from the Technical University of Darmstadt, Germany.