Adobe is using this Patch Tuesday to ship updates for a number of products (Flash, Shockwave, Photoshop, RoboHelp and Flash Media Server). The vulnerabilities in Flash, Shockwave, Photoshop and Flash Media Server are critical, and IT admins who have these packages installed should apply the patches as quickly as possible.
Today Microsoft released 13 security updates, which we consider a normal workload for the heavier Patch Tuesdays that come every other month. Two of the updates are ranked “critical” and should receive the highest priority in all organizations; the remaining 11 are a mixed set addressing a wide range of threats, including remote code execution, remote unauthenticated denial of service, information theft and elevation of privilege.
We give two bulletins, MS11-057 and MS11-058, the highest priority for patching. MS11-057 is critical and affects all Internet Explorer versions, including the newest, IE9. Attackers can take complete control of a computer by setting up a malicious web page and attracting the victim to it. The exploitability index for this issue is “1”, indicating that we expect to see a reliable exploit soon.
The second critical bulletin, MS11-058, is for a server-side vulnerability and affects the Microsoft DNS server running on Windows 2003 and 2008. It allows the attacker to crash the server and, in the worst case, take complete control. To exploit this issue the attacker sets up a malicious DNS server and then requests a DNS record from that server from inside the victim’s network. The exploitability rating for this is “3”, which implies that a remote code execution exploit is unlikely to be seen in the next 30 days.
MS11-061, MS11-066 and MS11-067 are information-theft issues that affect the Remote Desktop Web Access login, the Microsoft Chat Web control and the Report Viewer Web control respectively. MS11-061 and MS11-067 are XSS issues, while MS11-066 can be used to reveal the contents of files stored on the web server.
MS11-064 and MS11-065 are denial-of-service issues in Windows Vista and Windows 7 that can cause a blue screen when the victim machine receives malicious ICMP and TCP/IP QoS packets (for 064) or RDP packets (for 065) from a remote, unauthenticated attacker. Although these are not remote code execution issues, they could be used in conjunction with other attacks or simply as a prank.
IT administrators should look at the IE and DNS vulnerabilities first, as they will very likely apply to their organisation’s networks, and then prioritize the remaining patching effort based on the components actually installed on their machines. One further update to consider is for Apple’s widely installed QuickTime, which received a critical update last week that applies to both Windows and Mac OS X.
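As an added illustration of the triage rule described here (this is my own example, not code from the original post or from Microsoft), the function below ranks this month's bulletins the way the post does: critical first, then by exploitability index, and only for components actually in the inventory. The component labels, the inventory format, and the assumption that a bulletin with no stated exploitability index is treated as worst case are mine.

```python
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class Bulletin:
    """One security bulletin, with the fields the post uses to rank it."""
    bulletin_id: str
    critical: bool                        # Microsoft severity rating is "critical"
    component: str                        # must be installed for the bulletin to apply
    exploitability: Optional[int] = None  # Microsoft exploitability index: 1 = reliable exploit likely, 3 = unlikely


# The bulletins as characterised in the post; exploitability is only stated for the two critical ones.
# Component labels are constructed for this example.
AUGUST_2011 = (
    Bulletin("MS11-057", True, "internet explorer", 1),
    Bulletin("MS11-058", True, "dns server", 3),
    Bulletin("MS11-061", False, "rd web access"),
    Bulletin("MS11-064", False, "windows vista/7"),
    Bulletin("MS11-065", False, "rdp"),
    Bulletin("MS11-066", False, "chat web control"),
    Bulletin("MS11-067", False, "report viewer"),
)


def triage(bulletins: Iterable[Bulletin], installed: set) -> list:
    """Return bulletin ids in patching order.

    Critical bulletins come first; within a severity tier a lower exploitability
    index (more likely to be exploited) sorts earlier, and an unstated index is
    treated as 1 (worst case, an assumption of this example). Ties break on id.
    Bulletins whose component is absent from the inventory are dropped because
    they cannot apply to these machines.
    """
    applicable = [b for b in bulletins if b.component in installed]

    def rank(b: Bulletin):
        exploit = b.exploitability if b.exploitability is not None else 1
        return (0 if b.critical else 1, exploit, b.bulletin_id)

    return [b.bulletin_id for b in sorted(applicable, key=rank)]


if __name__ == "__main__":
    # Constructed inventory for a small domain: IE on workstations, a DNS server, RDP enabled.
    print(triage(AUGUST_2011, {"internet explorer", "dns server", "rdp"}))
```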
Also stand by for another update: Adobe will potentially release a new version of Flash today.