Happy Patch Tuesday, September 2011

Microsoft has five updates and Adobe has two for us on this fine Patch Tuesday, in addition to a patch Mozilla pushed out for Firefox last week.

Don’t get too complacent if you run something other than Windows. If you run Microsoft Office on a Mac, or Adobe Reader or Acrobat on a Mac, or Adobe Reader on Unix or Linux, you’re vulnerable. The vulnerabilities in those affected products are more serious than the vulnerabilities for Windows. So keep that in mind. Don’t be smug about security. It’ll bite you.

Microsoft Updates

We have 2 updates for Windows and 3 updates for Office this month. Most of these vulnerabilities can be exploited much more easily by insiders than by outside hackers. But a disgruntled insider is always a much greater security threat than random outsiders. Exploits for MS11-071, 072, and 073 could be distributed via e-mail attachments.

It should be noted that these vulnerabilities most likely exist in previous versions of Windows and Office as well, but products that predate Windows XP and Office 2003 are no longer supported unless you have an extended support contract. If you’re still running these older products, it’s best to either migrate to newer versions of the software, or get onto a support contract.

You can download the updates manually from the links provided, if need be. If you’re patching your home PC, running Windows Update is the easiest way to get them. If you have a multiple computers to patch, it’s often faster and easier to download the patches once and execute them on all of your system.

If you maintain a lot of computers and find yourself rebuilding them frequently, I highly recommend you slipstream your installation media. I’ve worked in a couple of shops where computers had a tendency to just appear, and the expectation was that somehow I would notice them and get patches to them. Usually the way I found out about them was an auditor calling me and asking me why such-and-such wasn’t patched. Slipstreaming the installation media at least reduces how far out of date the system will be when you find out about it.

Updates for Windows

MS11-070 fixes a vulnerability in WINS, where a specially crafted WINS packet could give an attacker an elevation of privilege. This is more of an insider threat vulnerability than an outsider threat, and if non-administrators aren’t logging into servers anyway, this isn’t as big of a deal. And while Active Directory supposedly made WINS obsolete, it turns out that SQL Server 2000, Exchange 2000, and Exchange 2003 all require it. You may have migrated away from Exchange 2000 and 2003, but I’ll be surprised if you don’t have any SQL 2000 running somewhere, and if you do, you still need WINS. Lucky you. This vulnerability affects Windows Server 2003 and 2008.

MS11-071 fixes a weird vulnerability where an RTF, TXT, or DOC file is located in the same network share as a specially crafted DLL, the attacker can gain the same rights as the logged-in user and/or trigger remote code execution. I guess the only reason this one didn’t get a rating above important is because of the odd circumstances under which it can be used. This vulnerability exists in Windows XP, Vista, 7, Server 2003, and Server 2008.

Updates for Office

MS11-072 fixes five vulnerabilities in Excel that can enable remote code execution via a booby-trapped Excel document. This affects Excel 2003, 2007, and 2011, the Excel Viewer, and the Office Compatibility Pack for Office 2007 file formats for Windows and Excel 2004, 2008, 2011, and the Open XML File Format Converter for the Macintosh.

MS11-073 fixes two vulnerabilities in Microsoft Office that appear extremely similar to MS11-071. I suspect this is because Windows and Office share some code. This affects Office 2003, 2007, and 2011.

MS11-074 fixes six vulnerabilities in Microsoft Sharepoint that can cause elevation of privilege via a specially crafted URL or web site. This affects Groove 2007 and Sharepoint 2010.

Additionally, last week Microsoft released an update to revoke the certificates of the hacked certificate authority Diginotar. That update is available at http://support.microsoft.com/kb/2616676.

Adobe Updates

Adobe joins us today with APBS11-24, which fixes 13 vulnerabilities in the popular Adobe Reader and Acrobat, versions 8, 9, and 10. This affects both products on Windows, Macintosh, and Unix platforms. 12 of these updates relate to remote code execution, and one creates an elevation of privilege on Windows. Additionally, this patch deals with the problem of faked certificates due to Diginotar being hacked. Adobe waited about a week longer than the other vendors at the request of the Dutch government.

The easiest way to get this update is to open Acrobat and/or Reader, go to Help, and click Check for Updates. You can also download them by visiting http://www.adobe.com/downloads/updates/ and selecting the product update you need from the dropdown.

Note that support for Acrobat and Reader version 8 will end on 3 November 2011, less than three months away. If possible, migrate to version 9 (supported until 23 June 2013) or version X (supported until 18 November 2015). Just like with Microsoft products, older versions probably are also affected, but no longer patched. So for security’s sake, it’s best to run at least version 9, even though the older versions were much lighter on system resources.

These vulnerabilities, and the ready availability of toolkits that exploit them and their relative ease of use, are one of the reasons I suggest using something other than Adobe Reader to view PDF files most of the time.

Mozilla updates

Mozilla previously updated Firefox to version 6.0.2 on 6 September 2011 to resolve an issue with the compromised Diginotar certificates and to correct a minor issue with .gov.uk web sites.

Patch Frequency

Microsoft releases patches on the second Tuesday of every month. On very rare occasions, they will release an out-of-band patch, but in October 2003 Microsoft standardized on the second Tuesday of the month to allow IT departments to plan in advance. Microsoft provides advance notification at http://www.microsoft.com/technet/security/bulletin/advance.mspx three business days beforehand.

In 2009, Adobe announced plans to release updates on a quarterly basis, but that hasn’t exactly worked out for them this year. This year they’ve released updates for Acrobat/Reader in February, March, twice in April, June, and September; Flash in February, twice in March, twice in April, May, twice in June, and August; and Shockwave in February, June, and August.

Mozilla controversially releases major product updates every six weeks, with security patches on an as-needed basis in between. Firefox version 7 is expected to be released in three weeks, on 27 September 2011.

Oracle plans to release an update to its database software and Java on 18 October 2011. Oracle generally releases its patches once per quarter, in January, April, July, and October. If none of the software you use requires Java, uninstalling Java is an easy way to improve your computer’s security posture.

If you found this post informative or helpful, please share it!

2 thoughts on “Happy Patch Tuesday, September 2011

  • September 13, 2011 at 10:37 pm

    That suggestion that MS11-073 means Office and Windows share code is waaaaaaaay over the top. Because didn’t Microsoft tell us that the OS and applications were developed separately – their application developers didn’t have any inside information about the OS? I think that was about the same time they said that Internet Explorer couldn’t be removed from Windows – right before somebody did it for a judge in about 5 minutes, in front of the court.

  • September 14, 2011 at 7:20 am

    Indeed they did. And Al Capone also said there are no gangsters in Chicago.

Comments are closed.

%d bloggers like this: