|
Shavlik’s statement on December 2009 Patch Tuesday releases
by Jason Miller |
|
Microsoft has released 6 new security bulletins for December. They have also released two new security advisories as well as one bulletin that has been re-released. In addition to the Microsoft releases, even though Adobe’s quarterly security update is scheduled for next month, they are planning to release a security bulletin for Adobe Flash and Adobe Air today.
| - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - | ||
 |
Windows 7: Tips and Best Practices for Simplified Migration | |
| - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - | ||
A quick rundown of today’s patches: MS09-072 is the first security bulletin administrators should address on their network. This bulletin is a cumulative update for Internet Explorer. Microsoft usually releases a cumulative update for Internet Explorer every other month, and typically contains multiple fixes in it. This bulletin addresses five vulnerabilities, with one of the vulnerabilities publicly known. There is one vulnerability patched with this bulletin that administrators should pay close attention to. Microsoft released a Security Advisory for this vulnerability late last month in Security Advisory 977981. With this bulletin, the advisory expires if administrators patch the vulnerable versions of Internet Explorer. The vulnerability specifically deals with malicious Active-X controls that were built with a vulnerable ATL. The ATL vulnerability prompted an out-of-band release earlier this year from Microsoft. All five vulnerabilities will target any user that browses to a malicious web site with an unpatched Internet Explorer. In this scenario, this can lead to remote code execution on the target system. MS09-070 affects Microsoft Active Directory Federation Service (ADFS). Web servers that have ADFS enabled are at risk, clients are not at risk from this vulnerability. The attacker needs to be an authenticated user to carry out an attack, so this reduces the risk of this vulnerability. Companies that have implemented ADFS on their network should apply this patch as soon as possible. MS09-071 affects Microsoft Internet Authentication Server (IAS) on servers and clients except for Windows 7 and Windows 2008 R2. IAS is a technology from Microsoft that allows such business services as Wireless and VPN connections. This security bulletin addresses two vulnerabilities. One of these vulnerabilities is publicly known, but the vulnerability is not being actively exploited at this time. An attacker can send a malicious packet to a vulnerable server that can result in remote code execution. Interesting enough, Client systems do not have the vulnerable files on the system as they are not part of the base operating system, but Microsoft is providing a patch for Windows Client system. However, third party products can be installed on client systems that can be vulnerable. MS09-069 affects the Microsoft LSASS service on Windows 2000, XP and 2003. An attacker can send a specially crafted packet to a target machine that will cause the system to be unresponsive. The LSASS service can use up all system resources that will cause the machine to be unresponsive. Users will need to reboot their systems to gain back those resources and make the system responsive once again. This security bulletin addresses one vulnerability that is not publicly known at this time. MS09-073 affects WordPad on Windows XP and 2003 as well as Office Text Converters for Office XP and 2003. This security bulletin fixes one software vulnerability which is not publicly known at this time. A user with a vulnerable operating system or Microsoft Office program will need to be enticed into opening a malicious Word 97 document. Upon opening, the document will be converted to a new version of a Word document. A successful exploit can lead to remote code execution. MS09-074 affects Microsoft Project. The one security vulnerability this bulletin addresses is not publicly known at this time. In an attack scenario, a user would need to be enticed into opening a malicious Project document. This can lead to remote code execution. Microsoft has also re-released security bulletin MS08-037. The bulletin was updated to include the DNS client on Windows 2000 Service Pack 4. Anyone who has previously installed this patch will need to apply this latest patch offering. On the Security Advisory front, Microsoft released two new security advisories. Microsoft Security Advisory (954157) This security advisory does not offer a patch and Microsoft is not planning on release for this product. This advisory explains to customers how to disable the Indeo codec on their systems. The workaround will prevent malicious websites from exploiting vulnerable systems that can lead to remote code execution on the target system. Microsoft Security Advisory (974926) This security advisory informs customers of a potential man in the middle attack. In this scenario, the attacker would need valid user credentials that are passed between system. Microsoft is offering up two non-security patches to help administrators harden their systems. Both of these patches were offered a few months ago. Adobe Patch Adobe is also joining this patch Tuesday with the release of a new Adobe Flash Player and Adobe Air. This security patch will address critical software vulnerabilities. There is no word from Adobe yet on how many vulnerabilities are addressed and if they are publicly known or exploited at this time. Any Adobe Flash Player less than version 10.0.32.18 and any Adobe Air less than version is affected by this vulnerability(ies).
Tags: Adobe Security Advisory, Microsoft Security Bulletins, Patch Tuesday
This entry was posted on Tuesday, December 8th, 2009 at 1:45 PM and is filed under Community Manager, Patch Tuesday, Security. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.
|
| Making The Buy For Trust Seal VeriSign At SES VeriSign Now a Symantec Company |
|
| PayPal UK Launch Security Key - Guest Posting from PayPal I am happy to say they are using VeriSign Identity Protection to deliver this, which means that PayPal Customers will be able to use their token at other sites who join the VIP network. PayPal are the first UK members of the network, but there are around 30 other members in different countries around the world so you can expect to see more places where you can use your token in the UK appearing shortly. Facebook scam - Part 2 This just in from the BBC web site, Symantec have identified a virus that steals user names and passwords, nothing new there. But, if I understand this right, it is delivered through a Facebook invitation from someone you don't know and delivers malware which can then steal user names / passwords and also keylog credit card info. Survey finds passwords are not secure - well d'uh! I don't think the vendor community has been crying wolf about the problems that stronger authentication solves, more like highlighting that this problem is here and growing. Well the discussion I have had recently with many different organisations across many different industries are now resulting in more and more consumer projects in this area |
|
| Cloud Identity, Trust and the Liability Elephant. I have been involved with a couple similar initiatives around certification for identity and thought it would be interesting to explain the logic behind these efforts. The first initiative is led by the Open Identity Exchange and is based on... Greek Heroes, Facebook and Trust When Achilles was a baby, the oracle predicted that he would die in battle from an arrow. Thetis, Achilles' mother who did not want her son to die decided to dip Achilles' body into the water of a river that... PCI for the Cloud For most enterprise and security vendors, the cloud is fascinating both as a technology and a business disruptor. In fact, SAAS CEOs such as Successfactor, SalesForce and NetSuite are hot shots in Silicon Valley these days. Yet, most of us... |
|
