The latest patches from Microsoft have been welcomed, but criticised for arriving as another large batch after a summer of heavy patching.
Paul Henry, security and forensic analyst at Lumension, claimed that the last thing IT workers need is yet another large batch of patches from Microsoft after a summer of heavier-than-normal Patch Tuesdays, but that was what they received.
Henry said: “While they are not the kernel issues that many were bracing for based on the initial pre-release, they are still very important and also disruptive. For priorities, the five critical issues MS09-37, MS09-038, MS09-39, MS09-43, MS09-44 will be the first priority as all offer remote code execution, followed by MS09-42 and finally, the privilege of elevation and/or DoS issues associated with MS09-36, MS09-40 and MS09-41.”
Henry further claimed that there was originally concern about an issue in the pre-release information, initially thought to be exclusive to Internet Security and Acceleration (ISA) Server, and its potential impact on security teams that support ISA.
However, the published bulletin for MS09-43 shows that it affects not only Microsoft ISA Server but also Microsoft Office, Microsoft Visual Studio and Microsoft BizTalk Server.
Henry said: “Overall, the full impact on IT workers will be a disruptive and busy Patch Tuesday while we are already facing the need to deal with patches from Apple and Mozilla distributed within the last week. Further, Microsoft has released a new version of Internet Explorer 8 that includes new default settings to ease regulatory concerns with the previously released version's default settings.”
Wolfgang Kandek, CTO at Qualys, claimed that although this is a big release, there are no surprises in it, as it addresses an outstanding public zero-day vulnerability and includes an official patch for the out-of-band patch released in July for MS09-034.
Kandek said: “As always, users are urged to review these critical patches carefully against their environment and apply them as soon as possible. QualysGuard users are advised to scan systems in their environment to identify affected Windows machines and patch them accordingly.”
Eric Schultze, CTO at Shavlik Technologies, claimed that the majority of bulletin releases these days relate to client-side vulnerabilities, where a user will visit an evil website, open an evil document, or read an evil email and get hacked.
Schultze said: “This month, there are five bulletins addressing these types of issues. The remaining four bulletins address server-side vulnerabilities. These are the ones that keep network administrators up at night. The attacker simply needs network access to the system in question and they can run code of their choice on the server.
“This month, there is one flaw that lets anyone with network access own a WINS server, two flaws that let authenticated users own any system, and one flaw that lets unauthenticated users create a denial-of-service against some IIS7 web servers. I always encourage patching the server-side issues as soon as possible. Maybe best to form two teams and patch server-side and client-side issues simultaneously.”