Patch Tuesday fixed at least 22 Windows security flaws

According to security researcher Brian Krebs, the 13 software updates fix at least 22 security flaws in the Windows operating system and other Microsoft software.

Two of the flaws addressed in the August patch batch, he notes in his latest security posting, earned Microsoft’s most dire 'critical' rating, meaning that attackers can exploit them to break into systems without any help from users.

“Among the critical updates is a cumulative patch for Internet Explorer that plugs at least five security holes in the browser. The update is considered critical for IE versions 7, 8 and 9 – oddly enough, it earned an overall 'important' rating on the insecure IE6”, he says.

“The other critical patch fixes a serious problem with the DNS server built into Windows Server 2003 and Windows Server 2008 systems – consumer systems such as Windows XP, Vista and Windows 7 are not affected by the flaw”, he adds.

Krebs goes on to note that, although the DNS bug is rated critical, Microsoft considers it unlikely that attackers will develop functioning code to exploit the flaw.

Over at Qualys, meanwhile, the firm's CTO Wolfgang Kandek, has posted a detailed comment and video on his security blog, noting that Adobe is also using Patch Tuesday to ship updates for a number of products: Flash, Shockwave, Photoshop, RoboHelp and Flash Media Server.

The vulnerabilities in Flash, Shockwave, Photoshop and Flash Media Server, he says, are critical and IT admins should apply the patches as fast as possible, if they have these software packages installed..

Kandek says that he and his team give two of the bulletins in Patch Tuesday – MS11-057 and MS11-058 – the highest priority for patching. MS11-057 is critical and affects all Internet Explorer versions including the newest IE9.

“Attackers can take complete control of a computer by setting up a malicious web page and attracting the victim to the page. The exploitability index for this issue is '1', indicating that we will see a reliable exploit soon”, he said, adding that the second critical bulletin MS11-058 is for a server side vulnerability and affects the Microsoft DNS server running on Windows 2003 and 2008.

The Qualys CTO reports that this flaw allows the attacker to crash the server and in the worst case scenario take complete control. To exploit this issue the attacker sets up a malicious DNS server and requests a DNS record from the server from inside of the victim's network. The exploitability rating for this is "3" which implies that a remote code execution exploit is unlikely to be seen in the next 30 days.

“IT administrators should look at the IE and DNS vulnerabilities first as they will very likely apply to their organisation's networks and then prioritise the remaining patching effort based on the actual components that are installed on their machines. One further update to consider is for widely installed Apple's Quicktime, which received a critical update last week that applies to both Windows and Mac OS X”, he explained..

What’s Hot on Infosecurity Magazine?