We’ve just been hit with a double-barrelled Patch Tuesday, with both Microsoft and Adobe publishing security updates.
Despite its weekly-sounding name, Patch Tuesday happens once a month in Microsoft’s calendar, once a quarter in Adobe’s, and once a quarter but in different months to Adobe and not necessarily on the same Tuesday as Microsoft in Oracle’s cosmology.
(That was meant to sound confusing, so as better to reflect how confusing it is.)
Microsoft has issued five patches, covering the following vulnerabilities:
|MS11-070||WINS||Elevation of Privilege|
|MS11-071||Windows Components||Remote Code Execution|
|MS11-072||Microsoft Excel||Remote Code Execution|
|MS11-073||Microsoft Office||Remote Code Execution|
|MS11-074||Microsoft SharePoint||Elevation of Privilege|
All of these vulnerabilities are rated Important by Microsoft, even though three of them could lead to remote code execution.
The potentially-remoteable bugs in Microsoft Excel relate to memory mismangement – in traditional-speak, buffer overflows. Those in Windows itself and in Microsoft Office are caused by DLL mismanagement.
The latter sort of bug is an easily-made mistake which all programmers need to be wary of. DLLs, or dynamic link libraries, are bundles of software subroutines which are sucked into memory by the operating system when a program starts, or loaded at run-time by the program itself.
When programmers want to load a DLL at run-time, they can just pass the name of the desired DLL to the LoadLibrary() function. Windows will take care of finding, opening and loading the DLL into memory.
This is convenient, but very dangerous: Windows looks for the named DLL in whatever happens to be the current directory – even if that is a data directory which is writeable by an attacker.
That is never what you want, so you should always explicitly state the full directory and filename of any DLL you intend to use. Hard-wiring the path of the DLL prevents Windows from simply “going looking” for one which matches.
The good news is that SophosLabs has categorised all these Microsoft vulnerabilities as Medium risk. This means that we haven’t seen any exploits which actually make use of these vulnerabilities yet, and whilst we admit that exploits might be possible, they’re unlikely.
Should you patch right away? I’d recommend doing so as a matter of course – why leave yourself exposed? – but there is no immediate danger in letting your change control committee decide at its leisure. (Don’t let it take too long, though. Treat all security patches as having an implicit urgency, even if they don’t seem immediately important.)
Adobe’s update comes in a single security bulletin, APSB11-24, but covers twelve vulnerabilities – all potentially involving remote code execution – affecting even the new sandboxed versions of Adobe products.
Adobe considers these vulnerabilities critical, meaning “[vulnerabilities], which, if exploited would allow malicious native-code to execute, potentially without a user being aware”.
SophosLabs has rated them High risk. We haven’t seen working exploits yet, but we think there is a strong possibility that exploits may yet appear.
Should you patch right away? In this case, I think you should. I can’t explain the reasons any more simply or clearly than the SophosLabs analysts did, so I shan’t. I’ll simply quote their words:
Previous Adobe and Acrobat vulnerabilities have proved to be a rich source of potential malware. As all twelve vulnerabilities [...] allow for code execution on various operating systems, patching is essential.
There you have it.
You can stay up-to-date with the latest Sophos vulnerability assessments – and access any updates we may make, for example if attacks start to appear using a vulnerability for which we hadn’t previously seen a working exploit – on our Latest vulnerabilities analysis page.