Patch Tuesday Security Briefing
No matter how you look at it, it's an ugly Patch Tuesday this month. There are 17 bulletins, over half of them (9) are critical, and we are seeing 64 patches in total. All but two provide for remote code execution. We are well into a new year and things have not improved. In fact, they've gotten worse. Case in point: the recent revelation by RSA that the exploit of their tokens all began with an Adobe Flash module embedded within a Microsoft Excel spreadsheet. Most concerning is that at this very moment there is yet another unpatched Adobe vulnerability being exploited in the wild. Time and time again, we're finding that spear phishing exploits are taking advantage of the weaknesses in third-party applications. Also last week, Conde Nast fell for an $8 million breach... yet again, spear phishing. Most spear phishing attacks being reported involve taking advantage of these third-party applications. While the rest of the world is focusing on Windows, the bad guys are taking advantage of the applications we aren't patching with the free patch software that Microsoft makes available.
With this release, we finally have our patches for the MHTML and SMB issues that reportedly have been causing some targeted pain on the Internet. From a priority perspective then, you will want to get MS11-018 and MS11-019 installed first followed by the remaining 7 critical vulnerabilities and then 8 important ones.
Something that may shock people about today's Patch Tuesday is that Microsoft is not only patching PowerPoint, Excel, and WordPad; they are also updating Win32k. People will certainly question why. Microsoft is patching 32 bugs in Win32k because that many were reported. No need to fret, however, because these all collapse down to 3 that actually cause vulnerabilities. Microsoft likes to give whoever reports bugs individual credit for each bug reported, so they're giving credit this month where credit is due.
Beyond the patch updates, Microsoft also released two security advisories, including an update for Office 2010. Another IE patch was released today, which contains an update for a publicly exploited vulnerability. This is really important because they are closing all the vectors. While the patch may look bad, it's really tough to exploit, and by default it really only works when you have an internet set to private. If you have your default settings, you're completely OK. But if you change it to be private, you should change it.
All of this is further evidence that our methods of securing our systems still aren't up to par. Yet again, Microsoft falls victim to third-party software causing a major breach. Everyone blames Microsoft month after month for patching issues, but this is not just a Microsoft issue. Unless we're going to get busy patching this garbage we're installing on our systems, it will continue to be an issue.