Microsoft delivers monster patch batch
Clock ticking as hackers race to exploit bugs in Windows, IE and Office, says researcher
Computerworld - Microsoft today issued a record 14 security updates to patch a record-tying 34 vulnerabilities in Windows, Internet Explorer (IE), Office and Silverlight.
"Don't get mired in the details," recommended Andrew Storms, director of security operations for nCircle Security, as he acknowledged that the sheer number of updates and patches could easily overwhelm users.
"There are so many patches here that you could go in all kinds of different directions," agreed Jason Miller, data and security team manager for patch-management vendor Shavlik Technologies. "It could come down to what people think are the biggest attack vectors."
No one was questioning the size of today's Patch Tuesday. The August update was the biggest ever by number of security bulletins, and equaled the single-month record for individual patches, which was first set last October and repeated in June 2010. This month's collection also tied the October 2009 record for the most critical bulletins.
Of the 34 flaws, Microsoft rated 14 as "critical," the highest threat ranking in the firm's four-step scoring system. Seventeen were pegged as "important," and three were labeled as "moderate."
With Microsoft throwing nearly three-dozen patches at customers, it's not a surprise that researchers disagreed on which updates people should apply first.
"I'd have to put MS10-056 at the top," said Storms, referring to a three-patch update for Office that included a pair of critical vulnerabilities in Office 2007. "All one needs to do is have the preview pane open [in Outlook 2007] and just look at a malformed RTF file," Storms added.
Unlike most exploits delivered via e-mail, these wouldn't require the recipient to open an attachment, a practice people know is risky. But as Storms pointed out, most users preview e-mail messages without a second thought. "I'd put this in the same category as a drive-by," Storms said. "I can imagine someone sticking an RTF file in a spam engine and just going crazy."
While other researchers agreed with Storms that MS10-056 was dangerous, they nominated different updates -- or combinations of updates -- for their top pick of the month.
Those updates, both judged critical, address a pair of bugs in two codecs - software that compresses and decompresses video data -- included with Windows.
To Miller, video vulnerabilities are a juicy target for criminals. "They want to find the biggest market [for their attacks], and media, and social media are so huge today," he said. "Everybody is watching stuff, they're not reading stuff."
Miller said he expected attackers to leverage the codec flaws in the coming month, a bet Microsoft also made: Its Exploitability Index rated both vulnerabilities as a "1," meaning it anticipates active exploits in the next 30 days.
Wolfgang Kandek, CTO at Qualys, seconded Miller, but lumped in other bulletins, including the six-patch IE update, MS10-053, with the codec updates.
"With so many [updates] today, prioritization is important," said Kandek. "And since most attacks today happen through the browser, we've put several updates into a group that should be applied first."
- Best iPhone, iPad Business Apps for 2014
- 14 Tech Conventions You Should Attend in 2014
- 10 Desktop Apps to Power Your Windows PC
- How to Add New Job Skills Without Going Back to School
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The 12 PCI DSS 3.0 requirements addressed by Peer 1 Hosting This handy quick reference outlines the 12 PCI DSS 3.0 requirements, who needs to be compliant and how Alert Logic solutions address the...
- Defense Throughout the Vulnerability Life Cycle This whitepaper provides insight into how to leverage threat and log management technologies to protect your IT assets throughout their vulnerability life cycle.
- Mobile Policy Checklist Here's what to consider when putting together a mobile policy designed to support a highly productive workforce.
- Securing BYOD Mobile computing is becoming so ubiquitous that people no longer bat an eye seeing someone working two devices simultaneously. Individuals and organizations are...
- Live Webcast On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy...
- Live Webcast Endpoint Backup & Restore: Protect Everyone, Everywhere Arek Sokol from the bleeding-edge IT team at Genentech/Roche explains how he leverages cross-platform enterprise endpoint backup in the public cloud as part...
- Streamline Software Asset Management, Compose a software Management Symphony Keeping track of your organization's software is easy with effective software management solutions from CDW. View the videos in our software solutions channel
- Druva inSync: Endpoint Data Protection & Governance CLICK HERE to watch this video about protecting corporate data on laptops and mobile devices, sponsored by Druva. All Security White Papers | Webcasts