Patch Tuesday Bulletin - August 2010
As expected, we have a large release from Microsoft covering 15 bulletins, 9 of which are critical. This will be a disruptive Patch Tuesday given the broad range of products impacted and the required restarts. Initial priorities should always be the 9 critical vulnerabilities followed by the remaining balance of important and moderate patches.
The balance of patches, while not critical, should not be ignored in today’s environment, where more often than not lesser-impact vulnerabilities are combined to give cyber criminals a greater chance of success.
While the spotlight is on Microsoft today, let us not forget that Microsoft does not have any “exclusive” on software vulnerabilities. While no one can dispute that the patch load for Microsoft this Patch Tuesday is high, we all need to keep some perspective. Since the week of Microsoft Patch Tuesday in July, CERT has released over 130 Bulletins for software vulnerabilities rated high (CVSS score of 7.0 – 10). Out of all those bulletins, Microsoft was noted as the vendor in only 1 of the published CERT bulletins for the given period.
It is also important to note that while Microsoft rushed out an out-of-band patch last week for the LNK issue and is putting out a lot of fires this week, one new zero-day remains unpatched: a kernel-level vulnerability impacting all versions of Windows (including Windows 7). The vulnerability involves a heap overflow, which is more difficult to take advantage of than a traditional buffer overflow. However, if exploited, it can reportedly allow escalation of privilege, denial of service or, potentially, execution of arbitrary code with kernel privileges.
Other flaw remediation concerns this Patch Tuesday:
- Apple is preparing to roll out a patch for a serious issue that can jailbreak an iPhone, iTouch or iPad device. The exploit can be triggered by a drive-by malware site or by tricking the user into opening a specially crafted PDF;
- Adobe is also creating a patch for Adobe Reader 9.3.3 for Windows, Mac OS X, and UNIX, and Adobe Acrobat for Windows and Mac, as well as Reader and Acrobat version 8.2.3 for the same platforms, to resolve a number of security issues;
- We have seen the typical flurry of browser patches this period for Chrome and Mozilla. It is important to note that the Chrome patches were installed silently, and Mozilla is reportedly about to introduce silent patching in an upcoming release of the browser. Some are concerned about the impact silent patching will have on network bandwidth in an enterprise environment, especially with a large population of users running the browser. While most would agree that silent patching is necessary for home users, it can be disruptive within an enterprise environment and is usually better handled in an efficient distributed model that affords full administrative control.
Patch Tuesday Commentary
Paul A. Henry - Video Blog
Security and Forensic Analyst