Microsoft's monthly patches released today include a critical fix for seven holes in Internet Explorer which, if left unpatched, are considered "likely to see reliable exploits developed within the next 30 days."
A second critical patch was released for Windows DNS Server, although the vulnerabilities closed by this patch are not likely to be exploited within the next month, Microsoft said.
Overall, Microsoft issued 13 patches closing 22 vulnerabilities in IE, Windows, Office, .NET and Developer Tools.
Microsoft patching: Still painful after all these years
The critical IE patch affects all versions of Internet Explorer from IE6 to IE9. "The most severe of these vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer," Microsoft said. "An attacker who successfully exploited any of these vulnerabilities could gain the same user rights as the local user. Microsoft is not aware of any attacks leveraging the vulnerabilities addressed in this bulletin." (UPDATE: As one eagle-eyed reader notes, the SANS Internet Storms Center reports a for-pay exploit is already available for one of the vulnerabilities affecting IE8 on Windows 7.)
The second critical patch "is for a server side vulnerability and affects the Microsoft DNS server running on Windows 2003 and 2008," Qualys CTO Wolfgang Kandek says in written commentary. "It allows the attacker to crash the server and in the worst case scenario take complete control. To exploit this issue the attacker sets up a malicious DNS server and requests a DNS record from the server from inside of the victim's network. The exploitability rating for this is '3' which implies that a remote code execution exploit is unlikely to be seen in the next 30 days."
Having only two critical patches out of 13 total will help IT prioritize. Obviously, rolling out the critical patches first makes sense. But that doesn't mean you should wait more than a day to deploy the other ones. In fact, the 30-day window cited by Microsoft might be too long.
Using tools that compare snapshots of a nonpatched machine to a patched machine to detect differences in code, hackers can easily generate code for new attacks, says Paul Henry, security expert and forensic analyst at Lumension.
"I've seen malware in the wild within 24 hours of a release of patches from Microsoft," he says. "In my view, we are working in a 24-hour window for expecting to see exploit code in the wild."
This isn't the most severe Patch Tuesday, but it comes after a busy period for IT administrators, Henry notes.
"IT teams are recovering form the 78 patches from Oracle on July 19," Henry says. "Everyone and his brother was updating [Macs to] Lion after July 20, and we still have this parade of flaws in mobile platforms. Android, Apple, BlackBerry, they all have their issues."
In addition to the two critical patches, nine were rated "important," the next most serious level, and three of these are likely to be exploited in the next month, Microsoft said. Two in the likely-to-be-exploited category would allow elevation of privilege attacks on Windows desktops and servers, and the third would allow remote code execution attacks on Visio within Microsoft Office.
One patch that might be overlooked is MS11-064, for which Microsoft says there is "no exploit possible for code execution," but could be used in denial-of-service attcks.
"Attackers can take advantage of this bug to cause a remote reboot of Windows computers even if they have a local firewall enabled. Back in the early 90's, we used to call this kind of bug the 'ping of death,'" Andrew Storms, director of security at nCircle, says in written commentary. "It will take about 10 minutes for attackers to write and distribute an attack tool to take advantage of this bug. Then, anyone can easily grab that attack tool and, with a single click, cause your Windows network to reboot. The malicious potential is enormous."
As always, this is a busy time for Windows IT pros, but Storms says "The good news in today's release, if there is any, is that the only other issue requiring immediate attention is the IE patch."