Thursday, 15 October 2009

Paying for insecurity?

WatchGuard Wire
Improve Your Security IQ

Microsoft corrects 34 security vulnerabilities on their largest Patch Day ever.

13 October 2009 -- Today, Microsoft released 13 security bulletins, fixing a total of 34 vulnerabilities in Windows, Office, Internet Explorer, and some components that ship with Windows. Microsoft rates eight of the 13 bulletins as Critical, so you'll want to patch them as soon as possible. As expected, Microsoft's bulletins include:
  • Eleven patches for Windows and its components, including SMB2, the .NET Framework, and IIS's FTP service, six rated Critical
  • A cumulative Internet Explorer (IE) update that fixes four new vulnerabilities, rated Critical
  • An Office bulletin covering two code execution flaws, rated Critical
As we mentioned in last week's advance notification, today's update finally fixes a serious zero-day SMB2 vulnerability that affected the most recent versions of Windows (more on the flaw here and here). By sending a specially crafted SMB2 message, an attacker can exploit this vulnerability to execute code on your computer, potentially gaining complete control of it. Researchers have already publicly released exploit code for this previously unpatched vulnerability, so you should assume attackers are currently exploiting it. I'm relieved Microsoft has fixed this flaw, and I suggest you download, test, and deploy the SMB2 patch immediately.
Once you've applied the SMB2 update, you should work on the remaining Critical updates. With so many updates affecting several different components, it's difficult to say which patches to apply first. The Windows Media-related updates and the GDI+ vulnerabilities sound particularly concerning, since attackers can exploit them simply by enticing you to view a specially crafted media file, such as an image or movie. I'd put those updates near the top of my list. Once you've hammered out all the Critical patches, then work through the remaining Important ones. As usual, I recommend you test these patches on non-production machines before deploying them throughout your production network, especially when applying server-related patches such as the IIS FTP service update.
If you use Microsoft Windows, Office, or Internet Explorer (IE), refer to the tables provided in Microsoft's Bulletin Summary for October. Microsoft's tables (arranged in order of severity) link directly to this month's bulletins and patches. If you expand the "Affected Software and Download Location" section of the Summary, you'll find a valuable table that will help you develop your own deployment strategy.
LiveSecurity and LiveSecurity Informer subscribers will receive more detailed information about these flaws, and how to fix them, in alerts we're working on now. On a side note, Adobe plans to release an update today, fixing a zero-day vulnerability in Adobe Reader. With Microsoft's busy Patch Day, I may not have time to send a LiveSecurity Alert about this Adobe patch until tomorrow. However, I encourage you to visit Adobe's site for that patch today -- if you have time. -- Corey Nachreiner, CISSP
Copyright© 2009 WatchGuard® Technologies, Inc. You may copy and distribute this article freely in any medium as long as you copy and distribute the entire article without change and preserve this copyright statement and notice.