On Tuesday, Microsoft released 16 security bulletins addressing 34 vulnerabilities in its products, including Internet Explorer, Microsoft Excel, and .NET. Adobe also released patches for Acrobat, Reader, ColdFusion, LiveCycle, and BlazeDS, while last week Oracle pushed a major Java security update.
While Microsoft and Adobe previewed their patches last week, IT administrators now have their work cut out for them, as they must quickly determine which patches to test and deploy first. Where should they start?
Of the nine new security bulletins rated by Microsoft as "critical," the patch for Internet Explorer versions 6, 7, 8, and 9, which fixes a flaw in VML (a vector markup language used mostly by IE), is the most important one to install, said Wolfgang Kandek, CTO of Qualys, in a blog post. "Browser and plug-in vulnerabilities together have been the point of entry for many recent security incidents and are the main infection vector for mass malware such as Zeus and SpyEye," he said.
Indeed, according to research conducted by Qualys, 80% of browsers have known vulnerabilities, primarily due to the plug-ins they're running. By patching the critical IE vulnerability first, said Kandek, "IT admins will keep ahead of the 'ExploitKit' writers," referring to malware developers who create malicious code to exploit newly disclosed vulnerabilities.
Kandek said there are two other top "must patch" priorities. One is Oracle's Java Critical Patch Update (CPU) for June 2011, released last week.
The other involves critical vulnerabilities in Adobe Reader X (10.0.1) and earlier versions (for Windows), Adobe Reader X (10.0.3) and earlier versions (for Mac), and Adobe Acrobat X (10.0.3) and earlier versions (for Windows and Mac). According to Adobe, which released a related patch on Tuesday, "these vulnerabilities could cause the application to crash and potentially allow an attacker to take control of the affected system."
The next priority is to patch the eight vulnerabilities affecting all versions of Excel, including both Windows and Apple OS X. "Microsoft ranks it only as 'Important' because the end user is required to open an attacker-provided file, but we believe that attackers have shown often enough that they have the skills to make opening the file enticing enough for end users, especially with a file format like Excel that is used overwhelmingly for serious, business-related communication," said Kandek.
Also on Tuesday, Adobe released Windows, Mac OS X, Linux, and Solaris updates for a zero-day vulnerability in Adobe Flash Player, which it had last patched less than two weeks earlier. "This flaw is being exploited in the wild and is considered critical," said Chester Wisniewski, a senior security advisor at Sophos Canada, in a blog post. An update for Android is expected later this week.
In addition, "Shockwave Player for Windows and Mac saw 24 vulnerabilities fixed this quarter, begging the question of why anyone still installs this software," he said. "That is an extremely large attack surface for something hardly used on modern websites," especially since all of the bugs would allow attackers to remotely execute code on a targeted PC.
In terms of proactive security, Adobe Acrobat 10.1--both the standalone version and browser plug-in--now includes the sandbox mode released in November 2010 for Adobe Reader X. Furthermore, Brad Arkin, director of product security and privacy for Adobe, said in a blog post that Adobe is now "turning the automatic update option on by default for all Adobe Reader users on Windows," meaning that they'll get future patches installed automatically.
"The vast majority of attacks we are seeing are exploiting software installations that are not current with the latest security updates," said Arkin. "We therefore believe that the automatic update option is the best option for most end users and strongly encourage users to choose this option."
In addition to Microsoft, Adobe, and Oracle releasing patches, last week Google--as part of its six-week update cycle--pushed a new version of Chrome "that fixed multiple vulnerabilities and added additional security enhancements," said Paul Henry, security analyst for Lumension, via email.
But with recently released patches for IE and Chrome, where's Firefox? "Mozilla appears to have abandoned its small security fixes altogether and is rumored to merge those patches into its regular browser releases, which will update browser versions every six weeks, once the latest version of Firefox is released on June 21," he said. "It is important to note that there has only been one maintenance update for Firefox 4 since its release on March 22," meaning that the next version will likely include fixes for a slew of not-yet-detailed bugs.