July Patch Tuesday Arrives with 4
As expected, the July patch from Microsoft arrives rather light with only four security bulletins -- one "critical" and three "important."
Addressing some 22 vulnerabilities in all, the four bulletins are split in terms of risk considerations. There are two remote code execution (RCE) items and two designed to prevent elevation-of-privilege exploits.
The first and only critical security bulletin is designed, according to Microsoft, to address "a privately reported vulnerability in the Windows Bluetooth Stack," which enables an RCE attack via specially crafted Bluetooth packets sent to an affected workstation or system. Windows 7 and Vista are affected at the operating system level for this bulletin.
Joshua Talbot, security intelligence manager for Symantec Security Response, said it's unlikely that this specific exploit could be used in a widespread attack because an attacker would have to be within Bluetooth range to pull the trigger. In this way, a hacker would need to have already identified a target, with the target's whereabouts and range known to the attacker.
"An attacker would exploit this by sending specific malicious data to the targeted computer while establishing a Bluetooth connection," Talbot said. "Because of a memory corruption issue at the heart of this vulnerability, the attacker would then gain access to the computer. All this would happen before any notification alerts the targeted user that another computer has requested a Bluetooth connection."
The first two important elevation-of-privilege items touch every supported Windows OS.
No. 1 is a doozy, as it affects the Windows Kernel and addresses 15 vulnerabilities. The bulletin notes claim that "the most severe of these weaknesses" in the Windows Kernel would give way to elevation of privilege if an attacker logged on locally and deployed exploits and commands from the client side.
The second important item staves off five vulnerabilities in Windows Client/Server Run-time Subsystem (CSRSS). In this case an inside job is required -- an attacker would need valid logon credentials to pull it off.
The last RCE bulletin in the group of important fixes deals with Visio 2003, which Rapid7 Security Researcher Marcus Carey says will not affect many people outside corporate circles.
All bulletins may require a restart.
Lightness aside, July's security update is one that bears study, according to Amol Sarwate, Vulnerability Labs manager for Qualys.
"Microsoft also released a document that goes into depth on software mitigation techniques, options for software developers and IT admins that describe various compiler switches and utilities that harden the Windows OS and applications against many exploits," Sarwate said.
Among the mitigation subjects addressed are Data Execution Prevention (DEP), Address Space Layout Randomization (ASLR), Structured Exception Handler Overwrite Protection (SEHOP) and changes and tweaks to the Enhanced Mitigation Experience Toolkit (EMET).
As far as anticipating the level of future patches, the rollout cycle appears to be normalizing in more conspicuous ways.
"Microsoft seems to have finally remembered that they release patches in a cycle: big month, small month. We finally got a small month," said Tyler Reguly, Technical Manager of Security Research and Development for nCircle.
In observing recent patch patterns, Reguly's assertion rings true. Moreover, because the July patch is thin compared to the greater girth in rollouts during previous months, Windows IT security experts expect a busy August.
Ahead of that release next month, the opportunity to peruse changes to the Windows Update and Windows Server Update Services comes in the form of this Knowledge Base article.
Jabulani Leffall is an award-winning journalist whose work has appeared in the Financial Times of London, Investor's Business Daily, The Economist and CFO Magazine, among others.