June Gloom: Microsoft Releases 16 Bulletins for Patch Tuesday
What some security pros are calling the beginning of a long hot summer for Windows security jumped off in earnest with the June patch that features 16 bulletins -- nine "critical" and seven deemed "important."
This month's patch addresses 34 vulnerabilities and, as in most security update rollouts, Remote Code Execution (RCE) remains the dominant risk consideration, covering ten of the bulletins. Microsoft is also addressing elevation-of-privilege, information disclosure and denial-of-service threats this month.
Windows Object Linking and Embedding (OLE) Automation is the component at risk for the first critical bulletin, resulting in a Windows operating system-level patch for every supported Windows OS.
The second critical bulletin will shore up defenses against a "privately reported vulnerability" in Microsoft .NET Framework and Microsoft Silverlight, which could be triggered by a specially crafted Web page. This item covers every supported Windows OS as well.
For the third critical bulletin, a privately disclosed vulnerability could allow an RCE incursion if an attacker got hold of a workstation on the client side of the Windows processing environment and made specific requests to manipulate the system firewall framework, exploiting a weakness in Microsoft's Forefront Threat Management Gateway 2010, specifically the client application.
Critical bulletins Nos. 4, 5 and 6 address the Windows Kernel Mode Driver, Windows Distributed file system and Server Message Block (SMB), respectively. All will be Windows OS-level patches touching every supported OS release.
Likewise, critical patch No. 7 will be an all-encompassing Windows OS patch centered on .NET architecture, particularly XAML Browser Applications and other functions related to Internet Information Services (IIS).
The last two critical items provide insight into how serious the software giant is about protecting various iterations of the world's most widely used browser. The two bulletins represent comprehensive fixes for Internet Explorer.
To that end, critical item No. 8 will be a cumulative patch for IE 6, 7 and 8. Critical item No. 9 will be a more granular update for IE 6, 7 and 8 on Windows XP.
"As usual, Internet Explorer is at the top of the critical list. This is the first IE 9 patch since it was released in April, and it has to be uncomfortable for Microsoft to have to patch their brand new browser so quickly," said Andrew Storms, director of security operations for nCircle.
Other experts agree with the assertion that upgrading to IE 9 won't guarantee a totally risk-free browsing experience.
"With several critical vulnerabilities being patched in this, the newest version of the browser, (administrators) should avoid being lulled away into a false sense of security," said Joshua Talbot, security intelligence manager, Symantec Security Response.
The first important item in the June patch will provide a long-awaited information disclosure fix on all supported Windows operating systems for Multipurpose Internet Mail Extensions HTML (MHTML), particularly the MHTML protocol handler in Microsoft Windows.
For the second important fix, RCE risks in Excel anchor a pervasive security update for the Microsoft Office suite of applications. Additionally, the Microsoft InfoPath forms-creation program will also be addressed by this bulletin.
The third important item will be a Windows fix for all Microsoft-supported operating systems that touches the Ancillary Function Driver; here an attacker must already have logon credentials in order to elevate access, change, edit and delete privileges in a Windows processing environment.
Important security bulletins Nos. 4 and 5 are designed to prevent denial-of-service attacks. The first, affecting the Hyper-V program, only touches Windows Server 2008, while the other, affecting Windows Vista, Windows 7 and Windows Server 2008, addresses Server Message Block. Microsoft also recommends strengthening firewall "best practices" for bulletin No. 5.
SQL Server, Visual Studio and InfoPath will be addressed by the sixth important fix. InfoPath 2007 and 2010 are the versions that Microsoft plans to fix as a result of a privately reported vulnerability in Microsoft XML Editor. For the SQL part of the fix, security and database administrators should take notice, as the bulletin cuts a wide swath of service packs and versions spanning the SQL Server 2005 and SQL Server 2008 releases.
A cross-site scripting (XSS) vulnerability in Windows Active Directory Certificate Services Web Enrollment is the impetus for the last important patch on the slate. It will only affect Windows Server 2003 and 2008.
In order to measure risk and assess the scale of potentially affected systems, IT and security admins would do well to consult Microsoft's exploitability index, according to security experts.
All of Microsoft's June security updates may require a system restart.
Adding to a patch packed with bulletins, there's an update to Security Advisory 967940, which dealt with exploits in Autorun. First disclosed in February, the advisory now carries new data on Autorun that Microsoft says "showcases broad decreases in Autorun-related infections on Windows XP and Vista," since 2010.
And once again on the third-party front Adobe Systems is piggybacking Microsoft's monthly patch with fixes for Adobe Reader and Adobe Acrobat applications that touch both Windows and Mac OS environments.
Meanwhile, IT pros with any time left can check out changes to the Windows Update and Windows Server Update Services in this Knowledge Base article.
Jabulani Leffall is an award-winning journalist whose work has appeared in the Financial Times of London, Investor's Business Daily, The Economist and CFO Magazine, among others.