Microsoft has rolled out 13 bulletins to fix 34 flaws on its monthly Patch Tuesday update.
The general consensus from commentators is that this is a very heavy load of patches after a busy summer. Andrew Clarke, senior vice president at Lumension, claimed that after a heavy summer of patch releases, October's Patch Tuesday fails to give IT administrators a welcome respite.
Clarke said: “If this pressure continues next month, simply put, the administrative burden of flaw remediation is clearly beyond what can be handled by IT administrators without implementing a fully automated flaw remediation process.”
Clarke recommended that as a priority, IT administrators should pay attention to two particular security bulletins that are both currently being exploited in the wild|: MS09-050 impacts Vista and Windows 2008 platforms and MS09-053, while only rated important, affects any organisation running public facing FTP servers.
He also recommended that internet users focus on seven bulletins - MS09-51, MS09-52, MS09-54, MS09-55, MS09-60, MS09-61 and MS09-62 - that need close attention as they could be hit by a ‘drive-by' hack attack, as they casually browse the web or open rich media files without considering the dangers.
In agreement on the weight of the update was Andrew Storms, director of security operations at nCircle. Storms claimed that ‘13 bulletins is a lot for a single release as compounded with the impeding Adobe quarterly release, some enterprise teams are going to become flustered'.
Storms said: “The key for security and IT organisations managing today's deluge of patches is to maintain focus and diligence with patch management practices.” He claimed that the bug that is likely to have the biggest impact on Microsoft users will be MS09-051, the speech codec bug that already has limited exploits in the wild.
“This is a typical file parsing issue and similar vulnerabilities have allowed attackers to create drive-by attacks that infect unsuspecting video viewers,” said Storms.
Dave Marcus, McAfee Labs director of security research and communications, agreed with Storms' point on the challenge faced by enterprises, as they ‘will need a solid risk management strategy to test and prioritise the fixes to fend off potential attacks'.
Marcus focused on the critical vulnerability (MS09-062) that exposes Windows XP and Windows Vista users to attacks that exploit the Graphics Device Interface (GDI+), a Windows component used to process image files that has been patched repeatedly over the past couple of years.
Marcus said: “Microsoft has repeatedly had to fix problems related to the GDI+ in Windows and vulnerabilities in the component have been exploited broadly in the past. We can expect that security researchers will be looking to reverse engineer today's patches, which may very well lead to exploits being created.”
Jason Miller, security and data team manager at Shavlik Technologies, claimed that for the first time, Windows 7 and Windows 2008 R2 are affected by security bulletins. Like Clarke, Miller focused on MS09-050 and also MS09-053, which patch vulnerabilities in small businesses that could allow remote code execution and vulnerabilities in the FTP service in internet information.
Focusing on the user experience, Miller claimed that MS09-054 is Microsoft's cumulative security update for the Internet Explorer browser. “This bulletin addresses four vulnerabilities, one that is publically known, and is rated critical. Users can be affected if they visit a specially crafted web page. This can lead to remote code execution,” said Miller.
Finally Wolfgang Kandek, CTO at Qualys, claimed that six vulnerabilities are tagged as having information disclosed publicly before today's patch release, and two advisories address last month's zero-day vulnerabilities.
Kandek said: “Of the total set of vulnerabilities, a full 22 are of critical severity and should be addressed as quickly as possible. A large selection of software is affected: all versions of Windows (including Windows 7), Windows Media Player, Office and also Silverlight - Microsoft's new rich media development tool. Internet Explorer also receives an update for two critical vulnerabilities - one of them disclosed at the Black Hat Security conference.”