I suppose the good news is that the SMB flaw that's had exploit code in the wild for the last month is included in the patch release, so we'll finally have some closure on that.
Two critical patches target Windows 7, making them the first fixes officially released by Microsoft for their newest platform. While not scheduled for consumer release until the end of the month, Windows 7 has been available since the summer for corporate clients who hold volume licensing agreements.
Redmond is again patching holes in GDI+. It has been a favorite target of attackers in the past, so don't be surprised if some of the exploit frameworks reverse engineer this newest fix and roll out some creative exploits before the patch reaches a wide install base.
If I had to pick a couple of patches to prioritize, I would choose:
- MS09-050, the SMBv2 flaw. There's exploit code already out there, so enough said.
- MS09-052, Windows Media Player - way too easy to exploit with specially-crafted media files, plus there is at least one public exploit out there.
- MS09-053, FTP Service on IIS - two different CVEs for this, both having known exploits in the wild.
- MS09-054, Internet Explorer. Firefox or Opera, anyone?
- MS09-062, the aforementioned GDI+ vulnerabilities.
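For anyone who has to confirm that those five bulletins actually landed on the boxes that matter, here is an added PowerShell audit script (my own example, not from the original post or from Microsoft). It relies on Get-HotFix, which wraps the Win32_QuickFixEngineering class and reports updates installed through Windows Update, WSUS or a standalone .msu. The post only gives bulletin ids, not KB article numbers, so the KB values in the table are placeholders to be filled in from each bulletin page; the host names are also made up.

```powershell
# Added example, not part of the original post.
# Map each prioritized bulletin to the KB id(s) it installs. The values are
# PLACEHOLDERS: replace them with the KB numbers listed on each bulletin page.
# A bulletin can ship more than one KB depending on OS/component version, so a
# value may be a single string or an array of strings.
$Bulletins = @{
    'MS09-050' = 'KB000000'                  # SMBv2 (placeholder KB id)
    'MS09-052' = 'KB000000'                  # Windows Media Player (placeholder)
    'MS09-053' = @('KB000000', 'KB000000')   # IIS FTP service, per IIS version (placeholders)
    'MS09-054' = 'KB000000'                  # Internet Explorer cumulative update (placeholder)
    'MS09-062' = 'KB000000'                  # GDI+ (placeholder)
}

function Test-BulletinCoverage {
    param(
        [Parameter(Mandatory = $true)][string[]]$ComputerName,
        [hashtable]$Map = $Bulletins
    )
    foreach ($computer in $ComputerName) {
        try {
            # HotFixID comes back as 'KBnnnnnn', matching the table above.
            $installed = Get-HotFix -ComputerName $computer -ErrorAction Stop |
                         Select-Object -ExpandProperty HotFixID
        } catch {
            # Unreachable host or no remote WMI access: report and move on
            # rather than silently treating the host as patched.
            Write-Warning "$computer : could not enumerate hotfixes ($($_.Exception.Message))"
            continue
        }
        foreach ($bulletin in ($Map.Keys | Sort-Object)) {
            $kbs = @($Map[$bulletin])
            # The bulletin counts as applied if any of its KB ids is present.
            $present = @($kbs | Where-Object { $installed -contains $_ }).Count -gt 0
            New-Object -TypeName PSObject -Property @{
                ComputerName = $computer
                Bulletin     = $bulletin
                KB           = ($kbs -join ',')
                Installed    = $present
            }
        }
    }
}

# Usage: list every host/bulletin pair that is still missing.
# 'srv01' and 'srv02' are constructed host names for the example.
Test-BulletinCoverage -ComputerName 'srv01', 'srv02' |
    Where-Object { -not $_.Installed } |
    Format-Table ComputerName, Bulletin, KB -AutoSize
```

New-Object is used instead of the [pscustomobject] accelerator so the script runs on the PowerShell 2.0 that shipped with Windows 7 and Server 2008 R2. Get-HotFix only sees what the servicing stack recorded, so a host that failed mid-install and is pending reboot will show the KB as present; treat the output as a first pass and verify the file versions listed in the bulletin on anything critical.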
All in all, this release will be an enormous pain in a sysadmin's ass due to the sheer size and complexity of the changes introduced. Significant testing will need to be performed against critical systems and applications, not just for the individual patches, but also for the fixes in combination with each other. It's a good thing not many people take vacation time in October.
All of the gruesome details, including the monthly Severity and Exploitability Index, are available at the Microsoft Security Response Center blog.
Image via Robert Scoble's photostream on flickr