As expected, today's Patch Tuesday is a whopper. Microsoft released 16 security updates (nine critical and seven important) addressing 34 vulnerabilities, including the first patch for Internet Explorer 9 and a rare patch for Hyper-V.
The remaining bulletins fix vulnerabilities in Microsoft Windows, Microsoft Office, Internet Explorer, .NET, SQL Server, Visual Studio, Silverlight, VML and ISA/Forefront TMG.
Nine of the updates require a reboot; for the rest, Microsoft says a restart may still be needed, so plan maintenance windows accordingly.
"With nine critical bulletins and the vast majority directly requiring a reboot, this marks the beginning of a long summer for IT professionals with no room for slowing down," says Paul Henry, Security Analyst for patch management vendor Lumension. "Four of the critical and a few of the important patches affect Windows; 7 critical and 3 important patches affect Internet Explorer. And with this Patch Tuesday, we are seeing Internet Explorer 9 affected for the first time." Henry notes that even with this patch today, IE9 is still the most secure browser that Microsoft produces ... and enterprises still on IE6 should really do something about upgrading at this point.
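Because so many of this month's bulletins require a restart, the useful post-deployment check is whether a host is still sitting on a pending reboot. The script below is an added example, not part of the article or anything Microsoft published with the bulletins; it reads the three well-known reboot markers that Windows servicing, the Windows Update Agent and the session manager leave in the registry (the key paths are real, the function name is my own):

```powershell
# Added example (not from the article): report whether a host still needs
# the post-patch reboot, and why. Written for PowerShell 2.0 and later.
function Test-PendingReboot {
    [CmdletBinding()]
    param()

    $reasons = @()

    # Component Based Servicing creates this key while a servicing
    # operation (such as an MSU install) is waiting for a restart.
    $cbs = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending'
    if (Test-Path $cbs) { $reasons += 'Component Based Servicing' }

    # The Windows Update Agent creates this key after installing an
    # update that needs a restart.
    $wua = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'
    if (Test-Path $wua) { $reasons += 'Windows Update' }

    # Files that were in use at install time are queued here and
    # replaced by the session manager at next boot.
    $sm = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager' `
                           -ErrorAction SilentlyContinue
    if ($sm -and $sm.PendingFileRenameOperations) { $reasons += 'PendingFileRenameOperations' }

    New-Object PSObject -Property @{
        ComputerName  = $env:COMPUTERNAME
        RebootPending = ($reasons.Count -gt 0)
        Reasons       = ($reasons -join ', ')
    }
}

# Usage: run locally after the updates install, or wrap in Invoke-Command
# to sweep a list of servers before declaring the month done.
Test-PendingReboot
```

A host that reports RebootPending = True has the patched binaries on disk but is still running the old ones; it is not protected against this month's bugs until it restarts.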
The patch that affects IE9, MS11-050, is a cumulative update that applies to all supported versions of Internet Explorer. Microsoft describes it as: "The security update addresses the vulnerabilities by modifying the way Internet Explorer enforces the content settings supplied by the Web server, handles HTML sanitization using toStaticHTML, handles objects in memory, and handles script during certain processes."
Microsoft plans to push MS11-050 out through automatic updates and, fortunately, reports no known problems with it.
The Hyper-V patch, MS11-047, is rated only important, but it is interesting simply because it touches Hyper-V. It fixes a denial-of-service hole that is not easy to exploit: the attacker must already be an authenticated user inside one of the guest virtual machines on the Hyper-V host, and the bug cannot be triggered remotely. Still, it is notable for being only the third patch Microsoft has issued for Hyper-V, according to the Secunia database. (The other two, issued in 2010, also fixed denial-of-service holes.)
Amidst the fixes are patches for three publicly known holes, one critical and two important. The critical update, MS11-044, fixes a hole in .NET that could be used to compromise both servers and clients. On the client side, it could allow remote code execution if the user viewed a malicious page with a browser that runs XAML Browser Applications (XBAPs). On the server side, an attacker could exploit it by uploading a malicious ASP.NET page to an IIS server that allows users to upload their own code. Similarly, another critical .NET fix, MS11-039, closes a hole that is also reached through XAML and that also affects Silverlight.
Microsoft is also issuing a patch for its firewall client, MS11-040. A flaw in the Microsoft Forefront Threat Management Gateway (TMG) 2010 Client could allow an attacker to run malicious code on a machine that has the client installed.
More good news is that Microsoft fixed the well-publicized "Cookiejacking" vulnerability, "which takes advantage of a property of HTML5 to steal cookies from its victim," says Dave Marcus, director of security research and communications at McAfee Labs. The hole made it extremely easy for people with limited programming knowledge to steal the cookies, and with them the authenticated sessions, stored by IE.
Microsoft is at last closing the publicly reported hole in the MHTML protocol handler in Microsoft Windows, MS11-037. This fixes a popular vector for cross-site scripting attacks, says Henry. And it is tidying up the publicly disclosed hole in the Microsoft Windows Ancillary Function Driver, which could be used for elevation of privilege.
For convenience, Microsoft's deployment priority chart lists the recommended order in which enterprise shops should test and roll out this month's patches.
“There’s going to be a lot of heavy lifting for IT administrators this month,” said Marcus. “Not only are there a large number of Microsoft patches, there’s also the additional Adobe and Java patches to address as well. Administrators should evaluate and prioritize the most important patches for their organization.”
Amidst this big burden of fixes this month, there is a glimmer of good news. Earlier this year, Microsoft issued a change to Windows' AutoRun behavior, which technically was a "security advisory" and not a patch (Security Advisory 967940). It was pushed out to all users who receive automatic updates, and the results of that change have been impressive.
"As of May 2011, the number of infections found by the Malicious Software Removal Tool (MSRT) per scanned computer declined by 59 percent on Windows XP machines and by 74 percent on Windows Vista machines in comparison to the 2010 infection rates on those platforms. (Windows 7 had the updated Autorun settings built in by default.)," Microsoft reports.
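The MSRT numbers above come from Microsoft's own change to AutoRun handling; an administrator who wants AutoRun off for every drive type regardless of that update can enforce it through the long-standing NoDriveTypeAutoRun policy value. The script below is an added example, not part of the article or of Microsoft's advisory; the registry path and the 0xFF bitmask (all drive types disabled) are the documented policy mechanism, while the function names are my own:

```powershell
# Added example (not from the article): audit, and optionally enforce,
# the AutoRun policy. NoDriveTypeAutoRun is a bitmask of drive types for
# which AutoRun is disabled; 0xFF (255) disables it for all of them.
function Get-AutoRunPolicy {
    [CmdletBinding()]
    param()

    # Machine policy wins over user policy when both are set.
    $paths = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    )
    foreach ($p in $paths) {
        $value = $null
        if (Test-Path $p) {
            $item  = Get-ItemProperty -Path $p -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue
            if ($item) { $value = $item.NoDriveTypeAutoRun }
        }
        New-Object PSObject -Property @{
            Hive               = $p.Split(':')[0]
            NoDriveTypeAutoRun = $value
            AllDrivesDisabled  = ($value -eq 0xFF)
        }
    }
}

function Disable-AutoRunAllDrives {
    [CmdletBinding()]
    param()

    # Write the machine-wide policy; requires an elevated prompt.
    $p = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    if (-not (Test-Path $p)) { New-Item -Path $p -Force | Out-Null }
    Set-ItemProperty -Path $p -Name NoDriveTypeAutoRun -Value 0xFF -Type DWord
}

# Usage: audit first, then enforce on hosts where AllDrivesDisabled is False.
Get-AutoRunPolicy | Format-Table -AutoSize
```

Run the audit before and after pushing the setting through Group Policy; a host whose HKLM value is absent is relying on the OS default rather than an explicit policy, which is what the MSRT comparison between Windows XP and Windows 7 is really measuring.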
Julie Bort is the editor of Microsoft Subnet and Network World's Online Community Editor. She also writes the Open Source Subnet blog and is the editor responsible for the Cisco Subnet and Open Source Subnet web sites. If you have an idea for a blog, or a news tip on Microsoft, Cisco or Open Source technologies, contact her at jbort@nww.com, 970-482-6454 or follow Julie on Twitter @Julie188.