Microsoft on Tuesday issued 13 security bulletins that address 22 vulnerabilities. Out of those vulnerabilities, only three are rated critical. But that doesn't mean IT admins won't have their hands more than full.
"We haven't seen nearly this many low-profile patches -- ones that primarily result in information disclosure or cause denial-of-service conditions -- in quite some time," said Joshua Talbot, security intelligence manager for Symantec Security Response. "Half of all the vulnerabilities patched this month are of that type, which is rare."
He warned that the DNS vulnerability could result in a complete system compromise. Because no user interaction is needed, he said, a vulnerable service simply needs to be up and running to be exploited.
"Internet Explorer is affected by two critical vulnerabilities being patched, both of which can be exploited by a drive-by download," Talbot added. "The fact that vulnerabilities such as these continue to be so common is one reason why web-based attacks are so prevalent. There is a very large attack surface."
The Ping of Death
Although it isn't listed as critical, the MS11-064 bulletin this month demands special attention, according to Andrew Storms, director of security at nCircle. That's because attackers can take advantage of this bug to cause a remote reboot of Windows computers even if a local firewall is enabled.
"Back in the early 90s, we used to call this kind of bug the 'ping of death.' It will take about 10 minutes for attackers to write and distribute an attack tool to take advantage of this bug," Storms said. "Then anyone can easily grab that attack tool and, with a single click, cause your Windows network to reboot. The malicious potential is enormous. The most troubling thing about this bug is that the local Windows firewall does not mitigate the attack."
Tyler Reguly, technical manager of security research and development at nCircle, noted that Microsoft listed the DNS server vulnerability as critical and placed it above other issues, such as cross-site scripting and the remote "blue screen of death."
"Given the exploitability index assigned to this vulnerability, and the importance of XSS as an attack vector, I'm not sure I fully agree," he said. "For most enterprises, the top of the list should be, as expected, the Internet Explorer patch."
Admins Catch Breath
Outside of Microsoft, IT teams are still recovering from the 78 patches released by Oracle on July 19 and the update to Apple's Mac OS X Lion released on July 20. Further, the parade of flaws in mobile platforms and apps continues this period. Android, Apple and BlackBerry all have issues that need to be addressed, noted Paul Henry, security and forensic analyst at Lumension.
"With all this work to be done, at least admins and researchers have the chance to make a little cash if they choose to hop on the bug-bounty bandwagon. Last week Facebook announced a rewards program, similar to one already in place at Mozilla," Henry said. "This incentive provides researchers with the ability to earn $500 per discovered bug and potentially more for the big bugs."