Microsoft released eight security updates on Tuesday, repairing 22 security holes in its October patch release, with 12 of the 22 described as “consistently exploitable” by the company.
The October patch release includes two bulletins that Microsoft rated “critical” to patch holes. The two cumulative updates, reparing a clutch of vulnerabilities in the Internet Explorer Web browser and .NET and Silverlight frameworks could be used to enable remote attacks in which malicious code was planted and run on vulnerable systems, Microsoft said.
The release follows guidance released on October 7. Microsoft warned that the critical holes could allow remote attackers to run malicious code on vulnerable systems, enabling remote attacks using drive by download Web pages and other means.
MS11-081, one of the two critical patches, fixes eight vulnerabilities in Internet Explorer Versions 6 through 9 running on a variety of Windows versions. The vulnerabilities, reported to Microsoft by third party vulnerability researchers working at McAfee, TipppingPoint, Google and other firms, include several methods for triggering remote code execution vulnerability using Internet Explorer elements that control how IE accesses an object that has been deleted. According to Microsoft, the vulnerability could be used to corrupt memory on the system running IE in such a way that an attacker could execute arbitrary code in the context of the logged-on user.
MS11-078, the second patch that was rated critical, fixes a remote code execution hole affects a wide range of versions of .NET Framework and Microsoft Silverlight for most supported versions of the Windows- and Windows Server operating systems. According to Microsoft, the patched vulnerabilities could have allowed an attacker to create an XAML Browser Application (XBAP) or Silverlight application to run malicious code on end user systems. The holes could also allow remote code execution on a server system running Internet Information Server (IIS), assuming the attacker could upload a malicious ASP.NET page to the vulnerable IIS server, and that the server was configured to run ASP.NET pages.
As has been noted, however, Microsoft’s severity rating system is biased towards vulnerabilities that might be used to power self replicating malicious code, not necessarily based on its ability to be used in malicious attacks. The company’s exploitability index is a better measure of how likely a particular vulnerability is to be used in that way.
According to the Exploitability Index Microsoft included with its October patch, MS11-076, –077 and -079 also appear to be more serious than their “Important” rating would suggest. The -076 patch – a fix for the Windows Media Center application – contains a fix for an library loading vulnerability with an exploitability rating of “1”, indicating that Microsoft’s analysis suggests that an attacker could consistently exploit that vulnerability against the latest releases of affected software. MS11-079, a cumulative patch for versions of Microsoft’s Office Suite and related applications, contains fixes for four vulnerabilities with an exploitability rating of “1” against current versions of the company’s software.
Microsoft encouraged users to apply the patches at their earliest convenience.