Microsoft today issued a record 14 security updates to patch a record-tying 34 vulnerabilities in Windows, Internet Explorer (IE), Office and Silverlight.
“Don’t get mired in the details,” recommended Andrew Storms, director of security operations for nCircle Security, as he acknowledged that the sheer number of updates and patches could easily overwhelm users.
“There are so many patches here that you could go in all kinds of different directions,” agreed Jason Miller, data and security team manager for patch-management vendor Shavlik Technologies. “It could come down to what people think are the biggest attack vectors.”
No one was questioning the size of today’s Patch Tuesday. The August update was the biggest ever by number of security bulletins, and equaled the single-month record for individual patches, which was first set last October and repeated in June 2010. This month’s collection also tied the October 2009 record for the most critical bulletins.
Of the 34 fixes flaws, Microsoft rated 14 as “critical,” the highest threat ranking in the firm’s four-step scoring system. Seventeen were pegged as “important,” and three were labeled as “moderate.”
With Microsoft throwing nearly three-dozen patches at customers, it’s not a surprise that researchers disagreed on which updates people should apply first.
“I’d have to put MS10-056 at the top,” said Storms, referring to a three-patch update for Office that included a pair of critical vulnerabilities in Office 2007. “All one needs to do is have the preview pane open [in Outlook 2007] and just look at a malformed RTF file,” Storms added.
Unlike most exploits delivered via e-mail, these wouldn’t require the recipient to open an attachment, a practice people know is risky. But as Storms pointed out, most users preview e-mail messages without a second thought. “I’d put this in the same category as a drive-by,” Storms said. “I can imagine someone sticking an RTF file in a spam engine and just going crazy.”
While other researchers agreed with Storms that MS10-056 was dangerous, they nominated different updates — or combinations of updates — for their top pick of the month.
“I’m concerned about the two media-related updates, MS10-052 and MS10-055,” said Miller.
Those updates, both judged critical, address a pair of bugs in two codecs – software that compresses and decompresses video data — included with Windows.
To Miller, video vulnerabilities are a juicy target for criminals. “They want to find the biggest market [for their attacks], and media, and social media are so huge today,” he said. “Everybody is watching stuff, they’re not reading stuff.”
Miller said he expected attackers to leverage the codec flaws in the coming month, a bet Microsoft also made: Its Exploitability Index rated both vulnerabilities as a “1,” meaning it anticipates active exploits in the next 30 days.
Wolfgang Kandek, CTO at Qualys, seconded Miller, but lumped in other bulletins, including the six-patch IE update, MS10-053, with the codec updates.
“With so many [updates] today, prioritization is important,” said Kandek. “And since most attacks today happen through the browser, we’ve put several updates into a group that should be applied first.”
Kandek added three more updates to that patch-first group because they could also be exploited through IE or another browser: MS10-049, MS10-051 and MS10-060.
The third of that bunch patches a pair of critical vulnerabilities in Silverlight, Microsoft’s rival to Adobe’s Flash.
“Silverlight is almost as popular as Adobe Reader on end-user systems,” said Kandek, citing data Qualys has compiled from its new “BrowserCheck” plug-in checking service. Kandek said that Silverlight is installed on approximately 60% of all PCs.
“This is the first major security update for Silverlight,” said Miller, who backed up Kandek. “It’s pretty easy to install, and lots of users may not even remember that it’s on their machines. Plus, just visiting a site means you’re exploited.”
But Josh Abraham, a security researcher with Rapid7, took a different tack. For his money, the biggest threat was the three-patch MS10-054 update, which fixed one critical and two important bugs in SMB (server message block), the Microsoft-made network file and print-sharing protocol that worms have leveraged in the past to infect PCs.
“It’s going to be non-trivial to ‘worm’ this,” admitted Abraham, whose company also manages the Metasploit open-source hacker toolkit. “But if you can come up with a reliable exploit, one that lets you leverage the vulnerability without authentication, it will be worth it.”
Abraham pointed out that the most vulnerable targets — Windows XP SP3 and Windows XP x64 SP2 — are widely deployed in both enterprises and among consumers, even though they’re nearly nine years old. It’s also likely that Windows XP SP2, which was retired from support last month and no longer receives patches, is also vulnerable, Abraham said. “So you’re also looking at things that are not being patched at all.”
Rapid7 and Metasploit will put resources into developing a reliable exploit for the SMB bugs, he added. “It’s definitely a high request already,” Abraham said.
Miller agreed that the SMB vulnerabilities are potentially dangerous, but looked on the bright side.
“You hear the three letters ‘S-M-B’ and the first thing you think of is ‘worm,'” said Miller. “This could be bad, but right now, it looks like the most likely result is a denial-of-service. That doesn’t mean that researchers won’t dig deeper to see if they can create a reliable exploit. But the patch is available now.”
If it takes a week, even two for researchers like Abraham to devise a ‘wormable’ exploit, that gives everyone that much time to patch, Miller continued. “With this one, it’s on a clock that starts right now,” he said. “And you don’t want to lose this race.”
This month’s security update can be downloaded and installed via the Microsoft Update and Windows Update services, as well as through Windows Server Update Services.