Thursday, September 15, 2011

IT Admins Catch a Break: No Critical Issues in Patch Tuesday

Microsoft has issued five security bulletins to address 15 vulnerabilities. In a rare occurrence, none of this month's vulnerabilities are rated critical. But that doesn't mean IT admins get a free ride in September, especially with the DigiNotar issues.

"Despite the number of patches Microsoft issued today, it's important to not let the out-of-hand advisory Microsoft updated last week slip through the cracks," said Joshua Talbot, security intelligence manager at Symantec Security Response.

"The advisory essentially revokes Microsoft's trust of various DigiNotar certificates. This update should probably be kept at the top of IT admins' to-do lists -- even before any of today's patches -- as there are attacks occurring in the wild leveraging the compromised certificates."

DigiNotar Outfall

Indeed, in light of the current DigiNotar certificate issues -- including the latest threat by the certificate hacker to exploit the Microsoft Windows Update service -- the handling of potentially compromised digital certificates is at the top of the list for most IT pros right now.

"Many IT professionals are already busy dealing with replacing their server certificates and also updating user browser and OS software to revoke trust in compromised certificates, so this Patch Tuesday is a welcome break," said Paul Henry, a security and forensics analyst at Lumension.

Mozilla is aggressively dealing with the issue and has sent a communication to all certificate authorities with root certificates in Network Security Services requesting immediate action. Henry said that seems to imply that other CAs could face the same demise seen at DigiNotar if they are not cooperative and forthcoming.

Pay Close Attention

Although none of the patches released Tuesday are rated critical, security researchers are urging users to pay close attention to the Office Uninitialized Object Pointer Vulnerability. Talbot said it seemed to be fairly easy to exploit the memory corruption issue and leverage extremely common Word files to attack users' computers.

"Microsoft is also patching two vulnerabilities that are already in the public realm, but neither is of too great a concern," Talbot added. "The first is the HTML Sanitization Vulnerability, which is simply an information disclosure issue. The other is the Insecure Library Loading Vulnerability, which is part of the ongoing DLL issue that the company has been working on correcting for more than a year now. We've yet to see any exploits targeting one of these vulnerabilities."

A First-Time Event

The start of the second half of 2011 has seen more than 40 high-profile breaches. Yet in terms of security bulletins there are no surprises in September's patch release. That's because Microsoft accidentally released the bulletins four days early in a gaffe that caused some confusion for Microsoft and its customers.

"In what might be a first-time event, Adobe released a batch of 13 Common Vulnerabilities and Exposures before the Microsoft patch," said Andrew Storms, director of security at nCircle. "It's a definite improvement over their previous late-afternoon releases, but it's still a 'classic' Adobe patch in that we have very little information about the bugs being fixed in the patch. The bad news is that most of them could result in the worst kind of security outcome -- remote code execution."
 
