Tuesday, May 10, 2011

Microsoft May 2011 Update

Microsoft just released its May 2011 security update: Two bulletins covering three vulnerabilities. Here's the early analysis from security companies Qualys, Symantec and McAfee:

"MS11-035 is rated as critical and affects the WINS component of Windows 2003 and 2008 server operating systems. WINS (like DNS) is a name resolution service. WINS resolves names in the NetBIOS namespace (like DNS which resolves names in the DNS domain). WINS is not enabled by default in Windows 2003 and 2008, but server administrators who have it enabled should apply the patch immediately as attackers could remotely cause a denial of service. The exploitability index is 2, which implies that remote code execution is not likely, but denial of service is possible.

"MS11-036 affects Microsoft Office PowerPoint and is rated important. As has happened before on several occasions, users of the new Office 2010 for both Windows and Mac OS X are not affected by the vulnerability. Older versions like Office XP, 2003, 2007 and 2004 for Mac are affected. Using this vulnerability, an attacker could take full control of the target machine if a victim opens a malicious PowerPoint document.

"The two patches released today came with a new and improved exploitability index rating that was announced by Microsoft. The original rating is split into a rating for the most recent version of the software, and an aggregate rating for all older versions. For example in MS11-036 the latest version, which is Office 2010, was not affected. Therefore the exploitability rating for the latest version was 'Not Affected' and for older platforms was 2. The new rating more accurately reflects risk to customers that keep their environments updated with latest product releases.

"Today's release provided a breather for administrators so they can brace themselves for a larger update next month."

"What might make the WINS vulnerability appealing to attackers is that it is a server-side issue," said Joshua Talbot, security intelligence manager, Symantec Security Response. "That means an attacker wouldn't have to trick a user into doing anything. All they would have to do to exploit this is find a server running the vulnerable service and send that machine a malicious string of data.

"This is a more serious issue on Windows Server 2003 than Server 2008," Talbot added. "At its heart, this is a memory corruption issue. In-built protections such as DEP and ASLR in Server 2008 will probably keep most attackers from achieving a complete takeover. However, a complete system compromise appears to be more likely on Server 2003, which lacks the ASLR protection.

"Microsoft also patched a couple WINS-related issues in August of 2009," Talbot concluded. "At least one of those vulnerabilities was exploited by attackers after the patches were released. That should serve as motivation for IT managers to take this month's patches seriously, even though there is a lighter load."
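Qualys's note that WINS is off by default and Talbot's point that an attacker only needs to find a server running the service both come down to one question for an administrator: is WINS installed and running on this box, and is the fix on it? The PowerShell triage script below is an added example for that check; it is not code from the original post or from Qualys, Symantec, McAfee or Microsoft. The hotfix KB number is not given on the page, so the script takes it as a parameter, and the service short name `WINS` is assumed to be the standard name of the Windows Internet Name Service.

```powershell
# Added example (not from the post or the quoted vendors): triage one Windows
# server for MS11-035 exposure. Requires Windows PowerShell 2.0 or later.
#   - Is the WINS service installed at all? If not, the bulletin does not apply.
#   - If it is, what is its state and startup type?
#   - Is the bulletin's hotfix installed? (KB number is a parameter; the page
#     does not state it, so look it up in the bulletin.)
param(
    [string]$ComputerName = $env:COMPUTERNAME,
    [Parameter(Mandatory = $true)]
    [string]$FixKB            # e.g. 'KBnnnnnnn' from the MS11-035 bulletin (placeholder)
)

# Service short name 'WINS' is assumed (display name "Windows Internet Name Service (WINS)").
$wins = Get-Service -ComputerName $ComputerName -Name WINS -ErrorAction SilentlyContinue
if (-not $wins) {
    Write-Output "$ComputerName : WINS service not installed; MS11-035 does not apply."
    return
}

# Startup type via WMI so a stopped-but-Automatic service is still flagged.
$svcWmi = Get-WmiObject -Class Win32_Service -ComputerName $ComputerName -Filter "Name='WINS'"
Write-Output ("{0} : WINS present, state={1}, startup={2}" -f $ComputerName, $wins.Status, $svcWmi.StartMode)

# Hotfix check; Get-HotFix reads the installed-updates list on the target.
$fix = Get-HotFix -ComputerName $ComputerName -Id $FixKB -ErrorAction SilentlyContinue
if ($fix) {
    Write-Output ("{0} : {1} installed on {2}" -f $ComputerName, $FixKB, $fix.InstalledOn)
}
elseif ($wins.Status -eq 'Running') {
    Write-Output "$ComputerName : WINS is RUNNING and $FixKB is missing. Patch now, or stop and disable WINS if it is unused."
}
else {
    Write-Output "$ComputerName : WINS installed but not running; install $FixKB before it is (re)enabled."
}
```

Run it against a list of servers (`foreach ($s in $servers) { .\Check-Wins.ps1 -ComputerName $s -FixKB 'KB...' }`) to get the short list Talbot describes from the defender's side: hosts where the service is both present and reachable are the ones to patch first, and hosts where WINS is installed but nobody uses it are candidates for simply disabling it.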

"These patches address a vulnerability that could potentially allow attackers to remotely execute arbitrary code on systems," said Dave Marcus, director of security research and communications at McAfee Labs. "Even though it's a light Patch Tuesday this month, administrators should still attend to these patches quickly.

"Microsoft also announced that it will be modifying its Exploitability Index, a patch rating system that aids in prioritization, by assigning a number based on the likelihood of an attack as a result of vulnerabilities in the first 30 days. Also included will be the 'Denial of Service' risk score, which will take into account the risk posed by denial-of-service (DoS) attacks.

"This updated rating system will make it easier for IT administrators to determine their risk level, so customers should be sure to look at the new Exploitability Index in the bulletin summary to get a feel for the 'exploit potential' of each vulnerability," said Marcus.

"With massive updates such as we had in April it's easy to get overwhelmed. Microsoft's new index simplifies the process, which will help IT administrators to prioritize which patches they tackle first."
