Fixes For 23 Bugs In Microsoft Patch Tuesday

Microsoft plans to patch 23 vulnerabilities in Microsoft Windows, Silverlight and server software as part of the October Patch Tuesday release.

Microsoft will release eight security bulletins, of which two are rated “critical”, according to the Microsoft Security Bulletin Advance Notification. The remaining important bulletins address flaws in Forefront Unified Access Gateway, Host Integration Server as well as some versions of Windows.

Mandatory IE Update

One of the critical bulletins patches a bug in Windows and Internet Explorer that if exploited would allow attackers to remotely spread malicious code, Microsoft said. Affected software versions include Internet Explorer 6 through 8, Windows XP,Vista and 7, as well as Windows Server 2003 and 2008.

“As usual, this month we will receive the mandatory critical update to Internet Explorer,” Andrew Storms, director of security for nCircle, told eWEEK.

Attackers will continue to trick users into clicking on malicious links, so they will continue exploring Web browsers and plug-ins for weaknesses to exploit, Marcus Carey, security researcher at Rapid7, told eWEEK.

“My standard advice is to be careful when browsing,” Carey said.

The other critical bulletin fixes a bug present in .NET and Silverlight. It “looks very close” to a bug patched in June that allows remote code execution in both frameworks, according to Carey. He noted that the implications would most likely mirror MS11-039 in that attackers can launch server and client-side attacks through .NET and Silverlight applications.

When bugs are disclosed in a product, exploit developers often look for similar issues within the product that result in the same type of vulnerabilities, Carey said.

The bugs “could provide a good hunting ground for malware authors”, Storms said.

Remote Access Fix

One of the bulletins fixing bugs in Microsoft Forefront Unified Access Gateway 2010 was “interesting” to Carey because of the fact that it was found in the remote-access software.

“No one wants to hear that software that is designed for security is vulnerable to remote code execution,” Carey said. Attackers will likely look at this bulletin and related vulnerabilities closely, and organisations should keep an eye out for any suspicious activity on servers running Forefront, he added.

Nearly all the patches in this bulletin require a restart, which will “cause widespread disruptions across both Internet connected servers and user community desktops”, Paul Henry, security and forensic analyst for Lumension, told eWEEK.

As for the release’s size, Storms said it was as expected. “It’s significantly less than October 2010 when we were treated to 16 bulletins that patched a whopping 49 vulnerabilities,” Storms said.

Microsoft is also expected to release an updated version of the Malicious Software Removal Tool as part of the Patch Tuesday release to address the issue where Microsoft Security Essentials and Forefront were accidentally flagging Google’s Chrome Web browser as malicious and erasing it from Windows systems.

Along with the advance notification, Microsoft released Service Pack 3 for Office 2007 and SharePoint 2007, which includes a roll up of previously patched issues as well as newly discovered ones.

Microsoft is scheduled to distribute the October Patch Tuesday updates on 11 October.