Microsoft is following up its eight patches in October with another octet in November, according to the Advance Notification released today. This time only three of the updates are rated critical, but because they impact various versions of Windows and Internet Explorer, all of them need to be taken very seriously. Once again, we’re looking at critical vulnerabilities that can be exploited to allow remote code execution, which – as we discussed in depth last month – is one of the most dangerous types of vulnerability.
Bulletin 1 might be considered the most critical of the critical, as it targets IE. The web browser is a favorite weak link for attackers because it’s by far one of the most-used applications. Although all the major browsers are constantly in the line of fire, attackers like to go after IE for several reasons. Microsoft hasn’t been as aggressive as Google in offering rewards for finding bugs, so there’s not as much incentive there for researchers to ferret them out early for a fix. There’s also a perception that many IE users are less technically savvy computer users who use the default browser “because it’s there” and may not be knowledgeable enough to take extra precautions to protect their systems.
IE’s current market share numbers vary widely, depending on the source. NetMarketShare.com shows it with a total of 57.92 percent when you add up the figures for versions 6, 7, 8, 9, 10 and 11. DazeInfo.com, on the other hand, quotes a Shareaholic report that claims Chrome has 34.68 percent of the market and IE only has 15.62 percent. Either way, those who are still using IE even some of the time (and many folks switch back and forth between different browsers) need to pay particular attention to this month’s first security bulletin.
Bulletin 2 is worth noting because it covers a broad attack surface: it affects even Server Core installations of Windows Server, which are generally considered to be much more hardened. The number of vulnerabilities we’ve recently seen that impact Server Core installations serves as a reminder not to become complacent just because you’ve followed best security practices.
The critical bulletins always draw the most attention but the five bulletins that are rated Important shouldn’t be ignored, either. Although the lower rating usually means either the severity of an exploit is less or the chances of falling prey to an attack are reduced (for example, because the attacker must persuade the user to take some action), the consequences can still be devastating in individual cases, especially if you have users who are naïve enough to be taken in by social engineering tactics. I hate it when I hear an update described as “only” Important – the very definition of the word indicates that there’s nothing “only” about it.
One of this month’s Important-rated updates addresses a remote code execution vulnerability and another is about elevation of privileges – which can be very serious if the attacker gains administrative privileges, since that means the ability to change system configurations and even change permissions on files. This could be particularly serious on a Windows Server computer acting as a file server where sensitive data is stored.
Bulletins 6 and 7 have to do with information disclosure vulnerabilities. Obviously this can be a more or less serious situation, depending upon what information is disclosed. One of these is a vulnerability in Windows and one is in Microsoft Office. In either case, having any kind of data that you thought was private accessible by an unauthorized person is not a good thing. The last bulletin deals with a denial of service vulnerability. Some IT pros seem to look at DoS vulnerabilities as almost benign. While it’s true that they don’t generally result in the same type of potential exposure of sensitive personal information or give complete control of the systems over to the attacker as can result from some other types of attacks, a DoS can bring productivity to a halt and severely impact a company’s bottom line.
I’d advise IT admins to be proactive about installing these updates as quickly as possible. A number of them require a system restart, which means it could take some time to deploy them, so get started doing your testing early and let me know if you run into problems with any of them. Check back here after next Tuesday’s release for more detailed information about each of the updates and any reported issues.