The monthly update includes six patches claimed to address fifteen vulnerabilities in Windows, Windows Server, and Office (Word & Excel). Only one patch, MS09-065, is rated as "critical" by Microsoft with an Exploitability Index of 1 (Consistent exploit code likely). Two others, MS09-063 and MS09-064, are rated as "critical" with an Exploitability Index of 2 (Inconsistent exploit code likely).
SANS seems to disagree with Redmond, rating 3 patches as critical for servers and 4 as critical for clients. Obviously, several of the root vulnerabilities involved are likely to see exploit code released in the wild shortly, and if you've got vulnerable machines without compensating controls, the consistency of the exploit code matters very little.
Similarly, if you aren't blocking ports that aren't required at the firewall, either at the network or client level, then you probably deserve a good dose of exploit code.
The Microsoft Security Response Center blog has all the color detail, including their exploitability matrixes.
Overall, November is a very light month given the activity to which we've come to expect from Redmond, but fear not. There's still plenty of time for fill your stockings with work before the end of the year.
No comments:
Post a Comment
Please tell me what you think.