Showing posts with label patch. Show all posts

Tuesday, October 13, 2009

Microsoft Security Bulletin for October 2009


Ladies and gentlemen, we have a new record. Microsoft's Security Bulletin for October 2009 consists of a whopping 13 patches that address 34 outstanding vulnerabilities.

I suppose the good news is that the SMB flaw that's had exploit code in the wild for the last month is included in the patch release, so we'll finally have some closure on that.

Two critical patches target Windows 7, making them the first fixes officially released by Microsoft for their newest platform. While not scheduled for consumer release until the end of the month, Windows 7 has been available since the summer for corporate clients who hold volume licensing agreements.

Redmond is again patching holes in GDI+, which has been a favorite target of attackers in the past. Don't be surprised if some of the exploit frameworks reverse-engineer this newest offering and craft some creative exploits to roll out before the patch hits a wide install base.

If I had to pick a couple of patches to prioritize, I would choose:

  • MS09-050, the SMBv2 flaw. There's exploit code already out there, so enough said.
  • MS09-052, Windows Media Player - way too easy to exploit with specially-crafted media files, plus there is at least one public exploit out there.
  • MS09-053, FTP Service on IIS - two different CVEs for this, both having known exploits in the wild.
  • MS09-054, Internet Explorer. Firefox or Opera, anyone?
  • MS09-062, the aforementioned GDI+ vulnerabilities.

If you're primarily worried about clients instead of servers, MS09-055 deals with the ActiveX killbits, so you'll want to roll that out pretty soon, and MS09-061, involving the .NET Common Language Runtime, has known exploits, so move them up on your list.

All in all, this release will be an enormous pain in a sysadmin's ass due to the sheer size and complexity of the changes introduced. Significant testing will need to be performed against critical systems and applications, not just for the individual patches, but also for the fixes in combination with each other. It's a good thing not many people take vacation time in October.

All of the gruesome details, including the monthly Severity and Exploitability Index, are available at the Microsoft Security Response Center blog.

Image via Robert Scoble's photostream on flickr


Tuesday, June 9, 2009

Microsoft Security Bulletin for June 2009

As expected, Microsoft has today released their June Security Bulletin Summary, comprising 10 separate security bulletins, plus 2 security advisories. Busy month, folks.

Six of the 10 affect Windows: two carry the critical rating, three are rated as important, and one is posted as moderate. The remaining four are all rated as critical, impacting Internet Explorer, Microsoft Office Word, Microsoft Office Excel and Microsoft Works Converters.

The two security advisories involve kill bits for ActiveX and a non-security update for DNS devolution that actually changes the security config of systems when you apply it, so Redmond decided to release it with an advisory.

SANS has a nice monthly table that outlines the patches, associated CVEs, and other pertinent information, including their suggested patching prioritization.

Malicious code is already in the wild for some of these, with active exploits in progress for several, but as always, we'll see an uptick in activity now that these have been publicly released. I wouldn't dally around long before rolling these out, especially MS09-019 for Internet Explorer.


Monday, June 8, 2009

Adobe Patch Tuesday for June 09

Update June 9, 6:55 PM - Adobe has released their security bulletin - mercifully it's only one item, APSB09-07, that is associated with 13 CVEs for Adobe Reader and Acrobat. The bad news is that the bulletin calls out that the fixes for the UNIX platform won't be out for another ten days, which gives the bad guys a good amount of time to reverse-engineer the vulnerabilities from the Windows and Mac code and create exploits for the UNIX world.

Original Post - Don't forget that June 9 will be Adobe's first foray into releasing patch bundles in a Microsoft-esque manner, although Adobe plans to go the quarterly route rather than the monthly bulletins that come out of Redmond.

A number of the patches will be rated as Critical by Adobe, which typically means that malicious code can be executed without user interaction, so you'll want to stay tuned and fix those ASAP.

Experts are anticipating fixes for Acrobat Reader and Adobe Acrobat, for both Windows and Mac platforms. Details are still to come for fixes for those products on the UNIX operating system.


If you're not already using some other PDF viewer, you should be. You'll be surprised at how much faster it will load and render compared to Adobe Reader, and it's not nearly the attack vector, either.



Tuesday, March 10, 2009

Adobe (finally) Issues Update

Adobe has finally released an update to mitigate a critical vulnerability that first became public knowledge back in January.

The security update is for Acrobat Reader 9 and Acrobat 9. You really shouldn't be on an older version at this point unless you have some peculiar application compatibility issues. Fixes for versions 7x and 8x of both products will reportedly be available by March 18, and an update for Reader 9.1 for Unix is expected on March 25.

If you use other PDF readers or writers, you may also need to apply an update for that particular software. Be sure to check the vendor website or run the update feature from the tools or help menu.