Tuesday, December 8, 2009

Microsoft Security Bulletin for December 2009

Hi there, all you Microsoft kiddies. It's Microsoft Tuesday, and you know what that means!

Today Microsoft released six bulletins that reportedly address twelve vulnerabilities in various flavors of Windows, Internet Explorer, and Office.


The good news is that Redmond released MS09-072 for Internet Explorer that addresses four privately-reported and one publicly-reported vulnerabilities in IE. Exploit code for IE6 and IE7 has been floating around in the wild for awhile now, and it's certain that malicious code targeting IE8 will result once this patch is reverse-engineered. Right now, it's significantly more difficult to attack IE8 since DEP is enabled by default if you're running IE8 on XPSP3, Vista SP1 or later, Server 2008, or Windows 7. Which reminds me - why are you still using Internet Explorer, for crying out loud?

MS09-073 targets a critical vulnerability in Wordpad which is unlikely to see widespread exploitation, since it involves someone sending you a specially-crafted .doc file created in legacy Wordpad 8 format, and you would also need to open it using Wordpad or Word.

Unless you're running wireless authentication via IAS using PEAP, there's not much to worry about with MS09-071, and if you don't use Microsoft Project, MS09-074 isn't applicable to you.

There's the obligatory vulnerability targeting LSASS (MS09-069) and another flaw in Microsoft IIS (MS09-070) that leverages a weakness in ADFS, so get to them sooner rather than later, but they can be toward the bottom of your priority list.

Microsoft Security Bulletin Summary for December 2009



No comments:

Post a Comment

Please tell me what you think.