
Patch Tuesday June 2011 – Preview

Microsoft announced today a big Patch Tuesday – they will release 16 security bulletins fixing 34 vulnerabilities on June 14. Nine of the bulletins are rated as critical and the remaining seven are rated as important. All versions of Microsoft Windows are affected, plus Silverlight, the .NET framework and SQL on the server side. Similarly all versions of Excel in Microsoft Office will receive an update on both Windows and Mac OS X platforms, including even the most recent releases 2010 and 2011. Internet Explorer is covered by two bulletins that update version 6, 7, 8 and the newest version 9 as well.

Adobe will also publish an update to its Adobe Reader and Adobe Acrobat software that addresses critical vulnerabilities, and Oracle released the latest version of Java (Update 26) this week.

All in all, a big update: system administrators will need to plan closely, as both workstations and servers are affected by the critical bulletins. In addition, applications such as Excel, Adobe Reader and Java will have to be taken into account this month.

Fixing Java Vulnerabilities By Industry Collaboration

Malware operators are always looking for new ways to allow their programs to take control over additional machines. Their primary targets are Windows based machines, because they have the largest install base. However, the operating system has become increasingly difficult to attack, so exploit writers have focused their attention on critical vulnerabilities in 3rd party applications. These 3rd party vulnerabilities usually require user interaction (i.e. browsing to a certain web page, opening an e-mail, playing a media file) to be successfully exploited, but malware operators have been able to get high conversion rates by using social engineering techniques and planting their attacks on trusted web sites. While the first wave of these exploits focused on Microsoft Office and the second wave on Adobe Reader and Flash products, we are now seeing increased attention on Java. Java has the basic characteristics an attacker looks for: it is widely installed, it has a set of well known vulnerabilities, and it has been largely ignored by IT administrators for patching.

Through our BrowserCheck application we have collected data that shows that over 80% of all visiting workstations have Java installed. Of these machines, over 40% run a version of Java that has a critical vulnerability, making it the most vulnerable plug-in of all and giving malware an excellent chance to install itself and control the targeted machine.

A possible solution is to include Java in an existing automated update process. It would be ideal if Oracle/Sun could collaborate with Microsoft to use the well established and robust WSUS update process to distribute fixes to Java. If this mechanism could then be extended to all major software vendors, the Internet would become increasingly safer to use for all of us.


Patch Tuesday Bottomline – October 2010

October’s Patch Tuesday will be challenging for IT administrators. In addition to the 16 security bulletins that Microsoft is releasing, Oracle is also publishing its quarterly security update which covers a wide array of products from the Oracle database line, through middleware and apps to the newly acquired Sun products, addressing a total of 81 vulnerabilities. Nineteen vulnerabilities are classified as remotely exploitable, including 11 for Sun Solaris. If you run Solaris, these updates might be more important than today’s Microsoft patches and certainly require more work in testing and roll-out.

On the Microsoft side, we consider MS10-071 the most important patch. It is a critical update for Internet Explorer 6, 7 and 8 and has an exploitability index of 1, indicating that Microsoft believes the vulnerability is relatively easy to exploit. MS10-076 comes in as a close second in our ranking: it is a critical vulnerability in the way Windows handles fonts and can be triggered by a simple malicious webpage without interaction from the user, making it a good candidate for a "drive-by" infection campaign. The remaining critical vulnerabilities will see less attention, as they are focused on some quite specific setups. MS10-077 is the more interesting one, as it has a server side component. It is a vulnerability in the .NET framework running under 64 bit versions of Windows, and allows the attacker to take over the target computer. In addition to the client side component, it is possible for the attacker to use this vulnerability on a server if it allows the upload of ASP.NET code. This is a plausible scenario in web hosting companies; they should patch as quickly as possible, given that the exploitability index is given as "likely" (1). MS10-075 is a Windows Media vulnerability only present in Vista and Windows 7 home systems and only attackable from the local subnet.

The remaining vulnerabilities are all classified as "important" or lower. Microsoft Office has 2 bulletins (MS10-079 and MS10-080) that both allow "Remote Code Execution", handing attackers control over the machine, but require user assistance in opening a malicious file. Most of the 24 vulnerabilities apply only to the old Office XP version, so users of this eight year old software package should apply both updates as quickly as possible. But even the new Word 2010 is affected by two of the vulnerabilities that allow "Remote Code Execution" on both 32 bit and 64 bit platforms. This shows that even when working with a structured SDLC that has security integrated, achieving a bug-free record is near impossible.

MS10-082 is a second vulnerability in the Windows Media section, but it can only be triggered through 3rd party browsers (Chrome, Firefox, Opera, Safari). If you use any of these browsers frequently we suggest bumping up the vulnerability in your priority list. Successful exploitation will allow the attacker to take control of the target machine.

Oracle issues Java update for 0-day

Oracle/Sun today released an update to Java that addresses the 0-day from last week.

Ryan Naraine at Threatpost has a good writeup and screenshots showing the blocking of the test URL that Tavis Ormandy included in his initial disclosure.

We recommend immediate installation, as the exploit has apparently already been sighted on a number of websites.

New 0-day in Java

Today Tavis Ormandy published a 0-day vulnerability in Java. His post provides exploit information and a link to a webpage demonstrating the launch of calc.exe on Windows. The vulnerability allows an attacker to execute code remotely on the target machine and can be triggered by a user visiting a simple webpage. It is located in the Java Web Start component and is present in Java running on Windows operating systems. There is no patch or official work-around yet, but Tavis provides suggestions on how users can configure their system to defend themselves.

Rubén Santamarta provides additional technical information on the vulnerability and points out that Java on Linux is affected as well.

Our vulnerability research team has confirmed the existence of the vulnerability on Windows and we are releasing a detection under QID 117772 in QualysGuard. We will track the development around this vulnerability and keep you posted.