Microsoft fixes IE, SMB bugs in big Patch Tuesday

Fixes for IE bug revealed in Pwn2Own contest and holes in Server Message Block software for client and server are among 64 holes addressed in 17 bulletins.

Elinor Mills Former Staff Writer

Microsoft today urged customers to apply fixes for holes in Internet Explorer, including one being exploited in attacks, and for vulnerabilities in Windows Server Message Block (SMB) client and server software as part of a whopping Patch Tuesday.

The company released 17 bulletins resolving 64 vulnerabilities, nine of them rated "critical" and eight rated "important." However, 30 of the vulnerabilities are addressed by a single bulletin, a kernel update rated "important," and were discovered by one researcher.

First priority is MS11-018, a cumulative security update for IE that is rated critical for IE6, IE7 and IE8 on Windows clients, but does not affect IE9. The company is aware of limited, targeted attacks against one of the holes, Jerry Bryant, group manager for response communications at Microsoft's Trustworthy Computing Group, told CNET. The bulletin also addresses problems uncovered in the Pwn2Own contest at CanSecWest last month.

Two vulnerabilities associated with the bulletin are being exploited in the wild, but they require attackers to set up a malicious Web site and lure victims there to compromise their computers in a drive-by attack, said Josh Abraham, security researcher at Rapid7.

Also high priority, according to Microsoft's TechNet blog, are two SMB-related bulletins. One, MS11-020, is in SMB Server and affects all supported versions of Windows. It could allow an attacker to take over a server by creating a specially crafted SMB packet and sending it to any open SMB network share.

Meanwhile, MS11-019 addresses two vulnerabilities in the SMB Client that could enable an attack if an attacker sent a specially crafted SMB response to a client-initiated SMB request. Bryant said that with an exploitability index rating of "one," he expects to see exploit code in the wild within the first 30 days after the release of the bulletin.

Other software affected by the updates, which are detailed in this security advisory, includes Visual Studio, .NET Framework and GDI+.

Also today, Microsoft unveiled a new Rootkit Evasion Prevention tool and said it would apply Office File Validation, which is built into Office 2010, to Office 2003 and 2007.

The Rootkit Evasion Prevention tool for 64-bit Windows systems will make it easier for antivirus products to detect and remove installed rootkits, which offer admin access to a machine and remain hidden from view by bypassing driver signing checks done by winload.exe.

Adding Office File Validation to older versions of Office, which Microsoft announced in December, enables files to be scanned before they are opened; if anything out of the ordinary is detected, the file opens in Protected View or the user is alerted, Bryant said. It is included in Word, Excel, PowerPoint, and Publisher. "About 80 percent of Office vulnerabilities have to do with file parsing and this functionality mitigates the majority of those," he said.

"While this is obviously a good development this feature doesn't stop the recent Flash zero-days we've seen," said Roel Schouwenberg, a senior antivirus researcher at Kaspersky. "After all, those are simply using a feature from Word and not a bug. Hopefully Microsoft will be able to back-port the Office 2010 sandbox at a later date, as the sandbox is able to stop the Adobe Flash zero-days."

Adobe warned yesterday of a critical hole in Flash Player that is being exploited in the wild to take control of computers or cause them to crash.