Microsoft is out with its September Patch Tuesday update, providing only two security advisories. The small number has some folks worried Microsoft may have missed some bugs.
The low patch count is not unprecedented. According to Jason Miller, manager of Research and Development at VMware, the last time Microsoft released only two Patch Tuesday security bulletins was the May 2011 release.
That said, Andrew Storms, director of security operations for nCircle, is concerned the number is too low.
"Historically, every patch Tuesday so far this year has averaged eight security bulletins and each bulletin typically covers multiple bugs," Storms told eSecurity Planet. "While we don’t know exactly how many bugs are in the backlog, it’s safe to assume there are plenty still waiting to be fixed."
While Storms said there aren't any significant bugs requiring immediate patches at the moment, he mused that the situation could change at any time.
Others believe the low bug count could be a reflection of the success of Microsoft's multi-year trustworthy computing efforts. "Is this September’s light Patch Tuesday a reflection of the maturity of Microsoft’s secure coding initiatives?" said Paul Henry, security and forensic analyst at Lumension. "One can only hope…"
Flaws Rated 'Important'
Both flaws this month are rated Important, and both could potentially lead to a privilege escalation attack. MS12-061 details a vulnerability in Microsoft's Visual Studio Team Foundation Server.
"The vulnerability could allow elevation of privilege if a user clicks a specially crafted link in an email message or browses to a webpage that is used to exploit the vulnerability," Microsoft's bulletin warns. "In all cases, however, an attacker would have no way to force users to perform these actions. Instead, an attacker would have to convince users to visit a website, typically by getting them to click a link in an email message or Instant Messenger message that takes them to the attacker's website."
The MS12-062 bulletin deals with a vulnerability in the Microsoft System Center Configuration Manager. As is the case with the Visual Studio Team Foundation Server, an attacker would have to trick a user into visiting a maliciously encoded website, by way of email or instant message. The actual flaw is what is known as a reflected cross-site scripting vulnerability.
"A cross-site scripting (XSS) vulnerability exists in System Center Configuration Manager where code can be injected back to the user in the resulting page, effectively allowing attacker-controlled code to run in the context of the user clicking the link," Microsoft warns in its advisory.
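To make the "code injected back to the user in the resulting page" mechanism concrete, here is an added example that is not from the article or from Microsoft's products: a generic server-side page renderer that reflects a query parameter, first unsafely and then with HTML encoding, plus a small check a reviewer or tester could use to tell the two apart. The hostname, parameter name and request are constructed for illustration.

```python
import html
from urllib.parse import parse_qs, urlsplit

# Constructed sample request: the "q" parameter carries markup instead of a
# plain search term. The host is a placeholder, not a real system.
SAMPLE_URL = "https://reports.example.invalid/search?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E"


def query_param(url: str, name: str) -> str:
    """Return the first value of a query parameter (percent-decoded), or ''."""
    return parse_qs(urlsplit(url).query).get(name, [""])[0]


def render_vulnerable(q: str) -> str:
    """Reflected XSS: the user-supplied value is placed in the page verbatim,
    so any markup it contains becomes part of the response the browser runs."""
    return f"<p>Results for: {q}</p>"


def render_hardened(q: str) -> str:
    """Same page, but the value is HTML-encoded for element content before it
    is reflected, so '<', '>', '&' and quotes arrive as harmless entities."""
    return f"<p>Results for: {html.escape(q, quote=True)}</p>"


def reflects_markup(q: str, page: str) -> bool:
    """Crude review check: does the response echo an input containing markup
    characters back unchanged? True means the reflection is unencoded."""
    return any(c in q for c in "<>\"'") and q in page


if __name__ == "__main__":
    q = query_param(SAMPLE_URL, "q")
    print("vulnerable:", render_vulnerable(q), reflects_markup(q, render_vulnerable(q)))
    print("hardened:  ", render_hardened(q), reflects_markup(q, render_hardened(q)))
```

Output encoding must match the context the value lands in: `html.escape` is right for text between tags and for quoted attribute values, but a value placed inside a script block or a URL needs that context's own encoding, and a template engine with contextual auto-escaping is the more robust fix than hand-placed escapes.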