Microsoft on Tuesday issued seven
bulletins to address 23 vulnerabilities in its products. Redmond rated eight of those vulnerabilities critical, four are rated important -- and one of them is causing IT admins plenty of confusion.
"The remote code-execution vulnerability used against Microsoft Office, Windows and .NET Framework tie back to the TTF vulnerability used by Duqu," said Joseph Chen, engineering director of Security Technology and Response at Symantec. "We recently found a new Duqu sample showing that the is still active. Microsoft has provided some further patching, in addition to the already issued patch for the used vulnerability at the end of 2011."
Symantec also reports a much larger patch of vulnerabilities affecting Microsoft Excel. Chen said the patches are rated important rather than critical because the user still gets a prompt to download or open the malicious content rather than it infecting automatically, but it could still be used as a targeted attack.
"The .NET vulnerabilities are also prominent in this month's patches," Chen said. "Exploits for this vulnerability are likely to be hosted as drive-by downloads on maliciously created or otherwise compromised Web sites. So, as always we strongly advise avoiding sites of unknown or questionable integrity, to protect from attacks seeking to use these security holes."
The Confusion Factor
We caught up with Andrew Storms, director of security operations at nCircle, to get his thoughts on the latest round of patches. He told us May offers a mixed bag of bulletins and MS12-034 stands out for its confusion factor.
"This bulletin affects a hodgepodge of products including Windows, .NET, Silverlight and Office, and dissecting its contents has the potential to make IT security teams heads explode," Storms said. "The core of this bug fix is related to the vulnerabilities leveraged by Duqu -- a problem Microsoft fixed last year -- so this bulletin also replaces a half-dozen previously released bulletins. This is going to give the patch management folks some serious heartburn."
Evidently, Storms said, Microsoft discovered that the same bits of bad code that were fixed in MS11-087 last year were copied and pasted into other applications and they needed to fix those, too. Since other changes were pending for those applications, he noted, all kinds of other bug fixes not related to Duqu are bundled into this bulletin.
"Microsoft's careful due diligence and adherence to their strict update processes may end up causing more confusion than clarity with this fix," Storms said. "It's probably best not to spend too much time analyzing -- just install the patch as soon as you can, and then move on."
Beyond Patch Tuesday
We also turned to Paul Henry, a forensic security analyst at Lumension, to get his overview of recent security issues IT admins need to know about. He told us IT admins should also focus on Patch Tuesday issues outside of Microsoft and pointed to a recent Forbes report that reveals an estimated 10 million credit cards were breached at Global Payments between Jan. 21 and Feb. 25.
"Oracle released patches for 88 issues that impact over 35 Oracle products," Henry said. "An apparent misunderstanding by a security researcher reviewing the Oracle patch release has also led to the release of an exploit that remains unpatched.
Meanwhile, he said, the Apple Flashback malware is now reportedly creating cash flow for the bad guys. Symantec estimates that with the size of the botnet, revenues could exceed $10,000 per day. He predicts more issues ahead.
"Another embarrassing Apple issue is the apparent release of a fix three months ago by Apple that left a debug option enabled in FileVault," Henry said. "This caused passwords to be saved in plain text in a log file outside of the encrypted area. Worse yet for those users that are using Time Machine for backups, their passwords may have been repeatedly stored in Time Machine unencrypted. Pending a patch from Apple, Lion users should immediately activate FileVault 2, which can be found in the Security & Privacy setting in System Preferences."