After last month’s relatively light security update, Microsoft released 16 bulletins to address 34 vulnerabilities. Nine of these bulletins were tagged “critical” while the remaining seven were deemed “important.” The patch release contains fixes for bugs in Microsoft Windows, Microsoft Office, Internet Explorer (IE), and Silverlight, among others. Most of the updates also require a system restart, making deployment a possible issue for IT administrators.
Trend Micro earlier worked with Microsoft regarding a vulnerability that was addressed in this release, specifically one found in IE (CVE-2011-1252). This vulnerability involves the way IE handles specific strings when sanitizing URLs. If exploited, this can allow cross-site scripting that can possibly lead to unauthorized information disclosure.
Microsoft also addressed the “cookiejacking” issue in this month’s release. A cookiejacking attack may allow an attacker to acquire cookies from a user’s system and access the websites that the user recently logged in to. Microsoft, however, believes this threat does not pose huge risks, considering the level of user interaction required to successfully conduct an attack.
Trend Micro Threat Research Manager Robert McArdle, on the other hand, argues in “Contrary to Reports—Cookiejacking Presents a Major Risk” that such an attack relies heavily on social engineering tactics, which are often subtle, devious, and emotive, making them very successful. Hopefully, this Microsoft update will provide more protection for users.
To keep systems protected, users are advised to visit the related Microsoft pages and to immediately download the security updates. For enterprise users, we offer specific solutions to deal with vulnerabilities. Both Deep Security and OfficeScan with Intrusion Defense Firewall (IDF) plug-in have existing rules that protect users from the vulnerabilities patched in this month’s release.
For more information about this month’s security update, read the related Threat Encyclopedia entry.
In addition, Adobe issued its own batch of security updates for this month comprising six security bulletins to address vulnerabilities in applications like Adobe Flash Player, Adobe Shockwave Player, Adobe Reader, and Adobe Acrobat. Users are also strongly advised to patch their software as soon as possible.