Tuesday, October 13, 2009

Microsoft Security Bulletin for October 2009


Ladies and gentlemen, we have a new record. Microsoft's Security Bulletin for October 2009 consists of a whopping 13 patches that address 34 outstanding vulnerabilities.

I suppose the good news is that the SMB flaw that's had exploit code in the wild for the last month is included in the patch release, so we'll finally have some closure on that.

Two critical patches target Windows 7, making them the first fixes officially released by Microsoft for their newest platform. While not scheduled for consumer release until the end of the month, Windows 7 has been available since the summer for corporate clients who hold volume licensing agreements.

Redmond is again patching holes in GDI+, which has been a favorite target of attackers in the past. Don't be surprised if some of the exploit frameworks reverse engineer this newest patch to craft creative exploits and roll them out before the fix reaches a wide install base.

If I had to pick a couple of patches to prioritize, I would choose:

  • MS09-050, the SMBv2 flaw. There's exploit code already out there, so enough said.
  • MS09-052, Windows Media Player - way too easy to exploit with specially-crafted media files, plus there is at least one public exploit out there.
  • MS09-053, FTP Service on IIS - two different CVEs for this, both having known exploits in the wild.
  • MS09-054, Internet Explorer. Firefox or Opera, anyone?
  • MS09-062, the aforementioned GDI+ vulnerabilities.

If you're primarily worried about clients instead of servers, MS09-055 deals with the ActiveX killbits, so you'll want to roll that out pretty soon, and MS09-061, involving the .NET Common Language Runtime, has known exploits, so move them up on your list.

All in all, this release will be an enormous pain in a sysadmin's ass due to the sheer size and complexity of the changes introduced. Significant testing will need to be performed against critical systems and applications, not just for the individual patches, but also for the fixes in combination with each other. It's a good thing not many people take vacation time in October.

All of the gruesome details, including the monthly Severity and Exploitability Index, are available at the Microsoft Security Response Center blog.

Image via Robert Scoble's photostream on flickr
