Improve Your Security IQ
Microsoft corrects 34 security vulnerabilities on their largest Patch Day ever.
13 October 2009 -- Today, Microsoft released 13 security bulletins, fixing a total of 34 vulnerabilities in Windows, Office, Internet Explorer, and some components that ship with Windows. Microsoft rates eight of the 13 bulletins as Critical, so you'll want to patch them as soon as possible. As expected, Microsoft's bulletins include:
- Eleven patches for Windows and its components, including SMB2, the .NET Framework, and IIS's FTP service, six rated Critical
- A cumulative Internet Explorer (IE) update that fixes four new vulnerabilities, rated Critical
- An Office bulletin covering two code execution flaws, rated Critical
Once you've applied the SMB2 update, you should work on the remaining Critical updates. With so many updates affecting several different components, it's difficult to say which patches to apply first. The Windows Media-related updates and the GDI+ vulnerabilities sound particularly concerning, since attackers can exploit them simply by enticing you to view a specially crafted media file, such as an image or movie. I'd put those updates near the top of my list. Once you've hammered out all the Critical patches, work through the remaining Important ones. As usual, I recommend you test these patches on non-production machines before deploying them throughout your production network, especially when applying server-related patches such as the IIS FTP service update.
If you use Microsoft Windows, Office, or Internet Explorer (IE), refer to the tables provided in Microsoft's Bulletin Summary for October. Microsoft's tables (arranged in order of severity) link directly to this month's bulletins and patches. If you expand the "Affected Software and Download Location" section of the Summary, you'll find a valuable table that will help you develop your own deployment strategy.
LiveSecurity and LiveSecurity Informer subscribers will receive more detailed information about these flaws, and how to fix them, in alerts we're working on now. On a side note, Adobe plans to release an update today, fixing a zero-day vulnerability in Adobe Reader. With Microsoft's busy Patch Day, I may not have time to send a LiveSecurity Alert about this Adobe patch until tomorrow. However, I encourage you to visit Adobe's site for that patch today -- if you have time.
-- Corey Nachreiner, CISSP