Yet Another Big Patch Tuesday for September
Don Leatham - September 14th, 2010
Following Labor Day, IT teams may have been hoping for a lighter patch load for the September Patch Tuesday, but such was not the case. The Microsoft Security Bulletin Summary shows nine new bulletins that address a total of 13 vulnerabilities. With Adobe, Mozilla, Cisco, and Apple all releasing security updates within the last seven days, IT security teams will be stressed by a tremendously heavy load.
Highest on the priority list for September’s Patch Tuesday are MS10-061 and MS10-062. MS10-061 addresses a vulnerability in the Print Spooler Service that allows the Stuxnet worm to spread across internal networks where the Print Spooler Service may not be protected by authentication challenges. MS10-062 closes a vulnerability in the popular MPEG-4 codec, which can be exploited by enticing users to download a specially crafted media file or to receive streaming content via a compromised website. Microsoft gives both of these a “1” on its exploitability index, which means consistent exploit code is available or highly likely.
On a positive note, MS10-065, which addresses a vulnerability in Microsoft’s popular Internet Information Services (IIS), is rated as “Important” and has the lowest possible score on Microsoft’s “exploitability” ranking. Vulnerabilities in Microsoft IIS are always of high concern for the IT security community.
This Patch Tuesday clearly demonstrates the fruit of Microsoft’s efforts to make its latest platforms and products more secure and should encourage organizations to continue to move away from Windows XP and Windows Server 2003. A simple comparison of impacted software in this notification shows clearly how older versions of Windows are essentially less secure:
- XP and Server 2003: 3 critical, 5 important
- Vista and Server 2008: 2 critical, 3 important
- Windows 7 and Server 2008 R2: 0 critical, 3 important
These results show that organizations running Windows 7 and Server 2008 R2 are running much more secure environments and, as an added benefit, this Patch Tuesday will practically be a non-event for them. Organizations stuck on Windows XP and Server 2003 need to take a hard look at the cost and risk factors associated with staying on these dated platforms.
Tangible benefits for Windows 7 and Server 2008 R2 adopters are readily apparent this Patch Tuesday. These teams will have more time and resources to focus on protecting their organizations from currently active exploits, deploying new patches from other vendors, and ensuring that virus signatures are up-to-date to protect against the latest malicious email campaign. In the last seven days the following sizable IT security “to do” list has materialized:
- Per Adobe, a critical vulnerability exists in Adobe Flash Player 10.1.82.76 and earlier versions for Windows, Macintosh, Linux, and Solaris, and in Adobe Flash Player 10.1.92.10 for Android. Adobe states that active exploits have been reported on the Windows platform. A fix will not be available from Adobe until the week of October 4th.
- Also from Adobe, a critical vulnerability exists in Adobe Reader 9.3.4 and earlier versions for Windows, Macintosh and UNIX (CVE-2010-2883). This vulnerability is being actively exploited in the wild. A fix will not be available from Adobe until the week of October 4th. IT teams can get help from Microsoft via Microsoft’s Enhanced Mitigation Experience Toolkit 2.0 (EMET) enabled for AcroRd32.exe, which blocks this exploit.
- The “Just for You” or “Here you have” malicious email campaign continues to spread. IT teams need to ensure that updated virus signatures are deployed throughout their organizations to stop this malware.
- Cisco has released updates for the Cisco Wireless LAN Controller (WLC) that address various vulnerabilities. Left unaddressed, these vulnerabilities can facilitate remote access to the controller where configuration information can be changed and access controls bypassed.
- Mozilla released Firefox 3.6.9, which addresses multiple vulnerabilities including the execution of arbitrary code, access to sensitive information, and cross-site scripting.
- Apple released Safari 5.0.2 and 4.1.2 to address multiple vulnerabilities in Safari as well as the underlying WebKit technology.
The nine Microsoft bulletins are:
- MS10-061 Vulnerability in Print Spooler Service Could Allow Remote Code Execution (2347290)
- MS10-062 Vulnerability in MPEG-4 Codec Could Allow Remote Code Execution (975558)
- MS10-063 Vulnerability in Unicode Scripts Processor Could Allow Remote Code Execution (2320113)
- MS10-064 Vulnerability in Microsoft Outlook Could Allow Remote Code Execution (2315011)
- MS10-065 Vulnerabilities in Microsoft Internet Information Services (IIS) Could Allow Remote Code Execution (2267960)
- MS10-066 Vulnerabilities in Remote Procedure Call Could Allow Remote Code Execution (982802)
- MS10-067 Vulnerability in WordPad Text Converters Could Allow Remote Code Execution (2259922)
- MS10-068 Vulnerability in Local Security Authority Subsystem Service Could Allow Elevation of Privilege (983539)
- MS10-069 Vulnerability in Windows Client/Server Runtime Subsystem Could Allow Elevation of Privilege (2121546)