Microsoft on Tuesday issued eight security bulletins to deal with 23 vulnerabilities. Nine of the flaws are rated critical, including eight patches for Internet Explorer.
"Internet Explorer vulnerabilities are very common targets of attackers and it will probably be no different with these," said Joshua Talbot, security intelligence manager for Symantec Security Response. "Users and IT departments should patch these right away."
So far, none of the Internet Explorer vulnerabilities have been used in the wild, reports Marcus Carey, a Rapid7 security researcher. Nonetheless, he stressed, systems administrators and home users should be patching as soon as possible.
"When it comes to browser exploits, I expect public exploit code to be available in pretty short order," Carey said. "If users visit malicious Web sites with an attack targeting this vulnerability it will be game over, with a total compromise of their system."
Nixing .Net Flaws
Beyond the deluge of critical IE patches, there are other pressing issues for IT admins, namely the .NET Framework. This critical issue also affects Silverlight, and users of both are urged to apply the patch immediately.
"The .NET Framework Class Inheritance Vulnerability, also rated critical, is complex to exploit, but affects all versions of .NET," Talbot said. "The vulnerability can be exploited in a number of ways, including traditional downloads, drive-by downloads and through hosting a malicious .NET application."
Indeed, Andrew Storms, director of security operations at nCircle, said bugs in Silverlight and the .NET framework should also be patched quickly. He said both are similar to the IE vulnerabilities in that they can allow users surfing the Internet to be victimized by visiting a malicious site. And timing may be everything.
"October is the last month in 2011 that many financial and retail organizations apply patches because they go into 'lock-down' mode as the holiday shopping season approaches," Storms said. "Enterprise IT teams should get ready to pull out all the stops."
Battling the BEAST
Vulnerabilities have proven not to be an issue exclusive to Microsoft -- third-party products and add-ons are the IT admin's Achilles' heel again this month, according to Paul Henry, a security and forensic analyst at Lumension.
"The ever-increasing integration of mobile devices with little if any regard to security of our networks, along with the seemingly non-stop release of vulnerabilities from Android and other vendors are placing us in a precarious situation," Henry said. "Also, a Chrome update was released to address several security issues."
Not only are patches a concern, but now IT admins are facing a BEAST, both literally and figuratively. Last week, Henry noted, researchers demonstrated software they created called the BEAST -- Browser Exploit Against SSL/TLS -- that can decrypt parts of an encrypted data stream and can be used in what is known as a "man in the middle" (MITM) type of attack.
"With respect to the SSL issues and 'the BEAST' we are perhaps seeing just the tip of the iceberg in focusing our attention only on browsers," Henry said. "Several other products, such as VoIP phones and [supervisory control and data acquisition] systems that also use SSL, are perhaps more at risk due to expected long-term delays in patching them."