This month, Microsoft issued five bulletins to address 15 vulnerabilities. All of these bulletins are rated “important”; however, while there are no “critical” bulletins this month, organizations should not downplay the vulnerabilities being addressed. It's easy for organizations to gain a false sense of security during a light patch month and sometimes an attitude of complacency towards non-critical vulnerabilities is evident.
“Important” vulnerabilities may not give attackers the full root privileges generally associated with “critical” vulnerabilities, but an attacker can use an “important”-rated vulnerability to achieve an initial compromise and then escalate privileges by other means. By using an “important” vulnerability and other methods, attackers can still end up with the same result, and so it is essential that organizations understand that all five of these "important" bulletins can result in an escalation of privileges for the attacker, which is a serious matter and needs to be addressed quickly.
Here’s what you specifically need to know about this month’s bullentins:
MS11-070 requires valid logon credentials in order to exploit. This has routinely been exploited by social engineering and weak passwords, or password re-use issues. Organizations should warn employees not to give out credentials over the phone, and generally never to share them with anyone. No one, including system administrators, should ever know their passwords.
MS11-071, MS11-072, MS11-073 are all malicious file exploits which are usually used in spear phishing campaigns. Many times end users will open up those malicious files, compromising their computer and organizations. Users should always be vigilant about the files they open, regardless of these bulletins.
There has also been some debate about whether Microsoft has played down the seriousness of these three bulletins. Certainly these bugs are potentially very serious; however, in my opinion, a bulletin classified as “critical” should require no end-user interaction to gain administrator privileges. In the case of bulletins MS11-071 for the DLL bug and MS11-072 and MS11-073 for Excel and Office, a user would need to open a malicious file for the machine to be compromised. To successfully exploit these vulnerabilities, a user would need to be socially engineered or the malicious files placed in a trusted location, including the DLL files. Hence, these bulletins do not qualify as “critical” and I believe Microsoft has classified them correctly as “important”. This is also in line with the previous classification of similar bulletins, such as MS11-055 and MS11-060. While these relate to less broadly used applications, they are consistent in that they all require users to open a malicious file.”
MS11-074 is related to several vulnerabilities associated with Microsoft SharePoint and Windows SharePoint Services. Administrators should pay attention to the details on this bulletin. There are some known issues that could prevent organizations from using Sharepoint after applying this update, effectively creating a self-inflicted denial of service scenario. This is why is it important to read the fine print, because many organizations use SharePoint as a vital part of their business operations. Microsoft lists the known issues and work-arounds related to this bulletin.
As usual, share your Patch Tuesday comments below.