Patch Tuesday Monthly Security Briefing september 2010

Patch Tuesday Bulletin - September 2010

Following Labor Day, IT teams may have been hoping for a lighter patch load for the September Patch Tuesday, but such was not the case. The Microsoft Security Bulletin Summary shows nine new bulletins that address a total of 13 vulnerabilities. With Adobe, Mozilla, Cisco, and Apple all releasing security updates within the last seven days, IT security teams are stressed by a tremendously heavy load.

Highest on the priority list for September's Patch Tuesday are MS10-061 and MS10-062. MS10-061 addresses a vulnerability in the Print Spooler Service that allows the Stuxnet worm to spread across internal networks where the Print Spooler Service may not be protected by authentication challenges. MS10-062 closes a vulnerability in the popular MPEG-4 codec which can be exploited by enticing users to download a specially crafted media file or by receiving streaming content via a compromised website. Microsoft gives both of these a "1" on their exploitability index, which means consistent exploit-code is available or highly likely.

One good note, MS10-065 which addresses a vulnerability in Microsoft's popular Internet Information Services (IIS) is rated as "Important" and has the lowest possible score on Microsoft's "exploitability" ranking. Vulnerabilities in Microsoft IIS are always of high concern for the IT security community.

This Patch Tuesday clearly demonstrates the fruit of Microsoft's efforts to make their latest platforms and products more secure and should encourage organizations to continue to move away from the Windows XP and Windows Server 2003. A simple comparison of impacted software in this notification shows clearly how older versions of Windows are essentially less secure:

  • XP and Server 2003: 3 critical, 5 important
  • Vista and Server 2008: 2 critical, 3 important
  • Windows 7 and Server 2008 R2: 0 critical, and 3 important

These results show that organizations running Windows 7 and Server 2008 R2 are running much more secure environments and, as an added benefit, this Patch Tuesday will practically be a non-event for them. Organizations stuck on Windows XP and Server 2003 need to take a hard look at the cost and risk factors associated with staying on these dated platforms.

Tangible benefits for Windows 7 and Server 2008 R2 adopters are readily apparent this patch Tuesday. These teams will have more time and resources to focus on protecting their organizations from currently active exploits, deploying new patches from other vendors, and ensuring that virus signatures are up-to-date to protect against the latest malicious email campaign. In the last seven days the following sizable IT security "to do" list has materialized:

  • Per Adobe, a critical vulnerability in Adobe Flash Player 10.1.82.76 and earlier versions for Windows, Macintosh, Linux, Solaris, and Adobe Flash Player 10.1.92.10 for Android. They state that active exploits have been reported on the windows platform. A fix will not be available from Adobe until the week of October 4th.
  • Also from Adobe, a critical vulnerability exists in Adobe Reader 9.3.4 and earlier versions for Windows, Macintosh and UNIX (CVE-2010-2883.) This vulnerability is being actively exploited in the wild. A fix will not be available from Adobe until the week of October 4th. IT teams can get help from Microsoft via Microsoft's Enhanced Mitigation Experience Toolkit 2.0 (EMET) enabled for AcroRd32.exe, which blocks this exploit.
  • The "Just for You" or "Here you have" malicious email campaign continues to spread. IT teams need to ensure that updated virus signatures are deployed throughout their organizations to stop this malware.
  • Cisco has released updates for the Cisco Wireless LAN Controller (WLC) that address various vulnerabilities. Left unaddressed, these vulnerabilities can facilitate remote access to the controller where configuration information can be changed and access controls bypassed.
  • Mozilla released Firefox 3.6.9 which addresses multiple vulnerabilities including the execution of arbitrary code, access to sensitive information, and cross-site scripting.
  • Apple released Safari 5.0.2 and 4.1.2 to address multiple vulnerabilities in Safari as well as the underlying WebKit technology.

Bulletins

» Critical

» Important

Other News

» Not Your Father's Whitelisting

The practice of "whitelisting" is actually one of the original computer security models. Why did this effective security practice not catch on to a greater degree within corporate endpoint environments? More importantly, why is it now coming back?

See CEO Pat Clawson's podcast

» Patch Tuesday Content Checklist

Do you want to know what patches Lumension releases as part of Microsoft Patch Tuesday? If so, please visit the Microsoft Patch Tuesday Content Checklist on the Customer Portal.


Patch Tuesday Commentary

Paul A. Henry - Video Blog
Security and Forensic Analyst



Security Insights
Endpoint Security Fundamentals

Listen to Mike Rothman, Analyst with Securosis, discuss how to build a real-world, defense-in-depth security program that improves your IT risk posture and prevents malware and insider threats.

Part 1:
Finding and Fixing the Leaky Buckets
On-Demand Webcast
eBook: Chapter 1

Part 2:
Leveraging the Right Enforcement Controls
Register Now »
eBook: Chapter 2

Part 3:
Building the Endpoint Security Program
Register Now »
 
Lumension Application Vulnerability and Threat Intelligence Center

Participate in the Global Application Inventory Project – a survey that will provide Lumension a global view of the types of applications residing across IT networks. You could win an Apple iPad!

Participate Today »
Watch Your Inbox

On September 20, 2010, Lumension customers will receive an email from the National Business Research Institute (NBRI). Your input will help us improve our service offerings. Please take a minute to respond.


Whitepaper »
Three Strategies to Secure Endpoints from Risky Applications
Webinar »
Key Steps to Surviving Patch Tuesday
Blog »
Yet Another Big Patch Tuesday for September
 

The heat is on to proactively safeguard your systems and endpoints from the newest exploits. Read this whitepaper to find out the four steps you can take to establish a best practices approach to help reduce costs and risks in the long term.

Watch this webcast with Security and Forensic expert Paul Henry. We'll examine how the vulnerability and threat landscape has evolved beyond the OS, and discuss recommended steps to ensure continuous Patch Tuesday readiness.

Don Leatham provides his insights on 9 new patches from Microsoft.