Microsoft’s habit of releasing previews without details allows system administrators to prepare their patch schedule without giving away too many pre-patch vulnerability details to potential hackers. This month, although there are ten separate bulletins, Lumension’s security and forensic analyst Paul Henry doesn’t believe the stress level will be too high since 8 of the 10 are rated important rather than critical. He notes that this latest batch of bulletins brings the total this year to 45 this year, “or 10 more bulletins than last year at this time. This tells me,” he says, “Microsoft is continuing to dig deeper into their code base to uncover lower level vulnerabilities. This is good news and I believe the trend toward higher numbers of important bulletins will continue given Microsoft’s apparent commitment to proactively discovering and patching security issues in their code.”
It is worth noting that Microsoft issued a separate security advisory on 8 May: Vulnerability in Internet Explorer 8 could allow remote code execution, and provided a temporary Fix it. “An attacker could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer and then convince a user to view the website,” warns the advisory. This is probably the vulnerability used with the Labor Department water hole attack discovered at the beginning of the month (early reports claimed the vulnerability had already been patched, but it was subsequently found to be a new zero-day flaw in Internet Explorer 8). Since it is being actively exploited, Microsoft took the responsible route and issued an emergency Fix it. If you use IE8, don’t wait for the official patch but Fix it immediately – just make sure you have already applied the April patches from last month.
Only two of the 10 bulletins are critical and both impact Microsoft Windows and Internet Explorer. One is believed to be the Labor Department flaw, which, suggests Andrew Storms, director of security operations at Tripwire, is “record time turn around speed for Microsoft and will be sweet music to everyone's ears.” That issue is being actively exploited in the wild, “and has an exploit module available from Metasploit,” warns Ross Barrett, senior manager of security engineering at Rapid7. “This should be the top patching priority for anyone or any organization using Internet Explorer 8.”
The other critical vulnerability is thought to be the Pwn2Own vulnerability that took down IE at CanSecWest earlier this year. “Usually Microsoft releases Pwn2Own bug fixes in April, but this year other bug fixes must have been higher priority,” said Storms.
Since the two critical vulnerabilities both affect Internet Explorer, and the latest version 10 gets updated automatically, Henry suggests, “If your system is compatible with IE 10 and you’re not running it already, upgrade now.” For the remaining bulletins he believes that admins’ patch schedule should reflect the programs most used. He notes that Bulletin 4 is a spoofing issue that affects all versions of Windows from XP onwards. Bulletin 3 is a denial of service issue affecting only the newest versions of Windows products – “inconvenient”, he says, “but likely not damaging to systems in the long-term.” Nevertheless, it bothers him when only the current code is affected by a flaw, showing that flaws can and probably always will affect all new software.
“Bulletins 5, 6, and 7 are all rated Important and all three result in remote code execution in parts of Microsoft Office – specifically Communicator and Lync, Publisher and Word in that order,” notes Ziv Mador, director of security research at Trustwave.
Bulletins 8 and 9 are information disclosure issues. “These are always a little concerning,” comments Henry, “since they might allow an attacker insight into sensitive company information or documents. However, if they’re ranked important that generally means that there’s an element of the vulnerability that makes it difficult to achieve: a physical access requirement or additional steps required to execute the vulnerability successfully.”
Bulletin 10 is a privilege elevation issue. “Elevation of privilege vulnerabilities are almost always ranked important and this one is no different,” he says. “It’s likely a kernel mode driver issue that might allow for a low-rights user to be elevated to moderate or admin-level.”
All in all, ten bulletins is quite high for May’s Patch Tuesday – but the details could be worse.