October Update Tuesday: Security Intelligence Report volume 11 announced


On this October Update Tuesday, we are releasing the 11th volume of the Security Intelligence Report, SIRv11, which puts zero-day vulnerabilities into context against other global threats. We are also releasing eight security updates, so please read on for details.

A new method of analyzing malware distribution indicates that in the first half of 2011 zero-day issues accounted for a very small percentage of actual infections. Our analysis concluded that none of the top malware families in the first half of 2011 were known to be distributed through the use of 0-days, and while some smaller families did take advantage of 0-day vulnerabilities, less than 1 percent of all exploit attempts were against zero-day issues.

The key takeaway from SIRv11 is how malware is actually being distributed – social engineering, Autorun feature abuse, file-infection, exploits (with updates available) and brute force password attacks. Many of these attacks can be avoided with fundamental security practices, such as downloading security updates once available or ensuring that you have Automatic Updates enabled on your system. Automatic Updates help to ensure that computers are protected against new and ongoing security threats and that Windows continues to function smoothly.

Speaking of which, as we do each month, today we are releasing security updates to help protect customers. As I mentioned in the Advance Notification Service blog on Thursday, today we are releasing eight security bulletins, two of which are rated Critical and the remainder Important.

These bulletins will increase protection by addressing 23 unique CVEs in Microsoft products. As always, customers should plan to install all of these updates as soon as possible. There are two bulletins that we want to call out as priorities for our customers:

  • MS11-081 (Internet Explorer): This security update resolves eight privately reported vulnerabilities in Internet Explorer. The most severe vulnerabilities could allow remote code execution if a user views a specially crafted Web page using Internet Explorer.
  • MS11-078 (.NET Framework & Silverlight): This security update resolves a privately reported vulnerability in Microsoft .NET Framework and Microsoft Silverlight. The vulnerability could allow remote code execution on a client system if a user views a specially crafted Web page using a Web browser that can run XAML Browser Applications (XBAPs) or Silverlight applications. The vulnerability could also allow remote code execution on a server system running IIS, if that server allows processing ASP.NET pages and an attacker succeeds in uploading a specially crafted ASP.NET page to that server and then executes the page. The vulnerability could also be used by Windows .NET applications to bypass Code Access Security (CAS) restrictions.

We encourage all customers to prioritize these bulletins this month.

In this video, Jerry Bryant discusses this month’s bulletins in further detail:

As noted above, we recommend that customers deploy all security updates as soon as possible. Below is our deployment priority guidance to further assist customers in their deployment planning.

Deployment Priority

Our risk and impact graph shows an aggregate view of this month’s severity and exploitability index.

Exploitability Index

More information about this month’s security updates can be found on the Microsoft Security Bulletin Summary web page.

Per our usual process, we’ll offer the monthly technical webcast on Wednesday, hosted by Jerry Bryant and Jonathan Ness. I invite you to tune in and learn more about the October security bulletins, as well as other announcements made today. The webcast is scheduled for Wednesday, October 12, 2011 at 11 a.m. PDT, and the registration can be found here.

For all the latest information, you can also follow the MSRC team on Twitter at @MSFTSecResponse.

Pete Voss
Sr. Response Communications Manager
Microsoft Trustworthy Computing