Patch Tuesday Bulletin - September 2010
Following Labor Day, IT teams may have been hoping for a lighter patch load for the September Patch Tuesday, but such was not the case. The Microsoft Security Bulletin Summary shows nine new bulletins that address a total of 13 vulnerabilities. With Adobe, Mozilla, Cisco, and Apple all releasing security updates within the last seven days, IT security teams are stressed by a tremendously heavy load.
Highest on the priority list for September's Patch Tuesday are MS10-061 and MS10-062. MS10-061 addresses a vulnerability in the Print Spooler Service that allows the Stuxnet worm to spread across internal networks where the Print Spooler Service may not be protected by authentication challenges. MS10-062 closes a vulnerability in the popular MPEG-4 codec, which can be exploited by enticing users to download a specially crafted media file or when users receive streaming content via a compromised website. Microsoft gives both of these a "1" on its exploitability index, which means consistent exploit code is available or highly likely.
On a positive note, MS10-065, which addresses a vulnerability in Microsoft's popular Internet Information Services (IIS), is rated as "Important" and has the lowest possible score on Microsoft's "exploitability" ranking. Vulnerabilities in Microsoft IIS are always of high concern for the IT security community.
This Patch Tuesday clearly demonstrates the fruit of Microsoft's efforts to make their latest platforms and products more secure and should encourage organizations to continue to move away from Windows XP and Windows Server 2003. A simple comparison of impacted software in this notification shows clearly how older versions of Windows are essentially less secure:
- XP and Server 2003: 3 critical, 5 important
- Vista and Server 2008: 2 critical, 3 important
- Windows 7 and Server 2008 R2: 0 critical, 3 important
These results show that organizations running Windows 7 and Server 2008 R2 are running much more secure environments and, as an added benefit, this Patch Tuesday will practically be a non-event for them. Organizations stuck on Windows XP and Server 2003 need to take a hard look at the cost and risk factors associated with staying on these dated platforms.
Tangible benefits for Windows 7 and Server 2008 R2 adopters are readily apparent this Patch Tuesday. These teams will have more time and resources to focus on protecting their organizations from currently active exploits, deploying new patches from other vendors, and ensuring that virus signatures are up to date to protect against the latest malicious email campaign. In the last seven days the following sizable IT security "to do" list has materialized:
- Per Adobe, a critical vulnerability exists in Adobe Flash Player 10.1.82.76 and earlier versions for Windows, Macintosh, Linux, and Solaris, and in Adobe Flash Player 10.1.92.10 for Android. Adobe states that active exploits have been reported on the Windows platform. A fix will not be available from Adobe until the week of October 4th.
- Also from Adobe, a critical vulnerability exists in Adobe Reader 9.3.4 and earlier versions for Windows, Macintosh and UNIX (CVE-2010-2883). This vulnerability is being actively exploited in the wild. A fix will not be available from Adobe until the week of October 4th. In the meantime, IT teams can enable Microsoft's Enhanced Mitigation Experience Toolkit 2.0 (EMET) for AcroRd32.exe, which blocks this exploit.
- The "Just for You" or "Here you have" malicious email campaign continues to spread. IT teams need to ensure that updated virus signatures are deployed throughout their organizations to stop this malware.
- Cisco has released updates for the Cisco Wireless LAN Controller (WLC) that address various vulnerabilities. Left unaddressed, these vulnerabilities can facilitate remote access to the controller where configuration information can be changed and access controls bypassed.
- Mozilla released Firefox 3.6.9, which addresses multiple vulnerabilities including the execution of arbitrary code, access to sensitive information, and cross-site scripting.
- Apple released Safari 5.0.2 and 4.1.2 to address multiple vulnerabilities in Safari as well as the underlying WebKit technology.
Patch Tuesday Commentary
Paul A. Henry - Video Blog
Security and Forensic Analyst