Tomorrow’s regularly scheduled patch update from Microsoft includes – go figure – another cumulative rollup for Internet Explorer and a critical fix for a Windows remote code execution bug. More of the same for sure, but there’s another bug being patched that may merit moving up a rung on your list of priorities.
A patch rated Moderate by Microsoft is expected for the Microsoft Service Bus for Windows Server, a set of components that support messaging capabilities for Windows Azure, Microsoft’s cloud-based application platform. Developers use these components when building, testing and running message-driven applications, Microsoft says.
The update will take care of a denial-of-service vulnerability in the service; the moderate rating is a step below Important, likely because local authentication is required to exploit the issue.
“Microsoft Service Bus is a messaging service used by many third-party web applications as well as by Microsoft Azure, so even though this is rated as Moderate, it is probable that this vulnerability would be used in conjunction with other vulnerabilities to target those applications,” said Russ Ernst of Lumension.
The Service Bus patch is one of six bulletins scheduled for tomorrow, two of which are rated critical and three rated important.
The IE rollup addresses remote-code execution vulnerabilities in the browser, Microsoft said. IE has been patched every month this year since February, including in June when a six-month-old zero-day vulnerability was addressed in IE 8.
“The most critical patch to consider is Bulletin 1, which is for all versions of Internet Explorer (IE), all the way from Internet Explorer 6, but only supported on Windows Server 2003 since XP has been retired, to the newest IE 11 on Windows 8.1 and RT,” said Qualys CTO Wolfgang Kandek. “This patch should be top of your list, since most attacks involve your web browser in some way.”
The second critical bulletin covers another remote-code execution vulnerability. It affects Windows on the client side back to Vista, including Windows 7, 8 and RT, and on the server side all the way back to Windows Server 2003.
The three remaining vulnerabilities are privilege escalation bugs in Windows that are rated Important, and cannot be exploited remotely.
“Exploits for these types of vulnerabilities are part of the toolkit of any attacker as they are extremely useful, when the attacker gets an account on the machine, say through stolen credentials,” Kandek said. “In any practical scenario, the attacker then wants to assure continued control of the machine and will need to become administrator of the machine to install their controlling malware. This is where these vulnerabilities come in – we consider these extremely important to fix to help frustrate or slow down attackers once they are on the target machine.”
Microsoft has had a particularly newsworthy last 10 days. The company was involved in another takedown of domains hosting malware, this time domains operated by No-IP. The takedown also engulfed legitimate users, forcing Microsoft to go back and hurriedly filter out those domains and restore them.