Microsoft praised for patching zero-day vulnerabilities as prioritisation instructions given
Andrew Clarke, senior vice president, international at Lumension, recommended prioritising the three critical issues: MS09-28, MS09-29 and MS09-32, followed by MS09-30, MS09-31 and MS09-33 for those organisations utilising the respective impacted software.
“With this month's Patch Tuesday, web browsers are clearly a focus of IT professionals with nearly every popular web browser (Microsoft, Apple, Mozilla and Google) requiring some form of immediate attention, leaving IT departments scrambling to install a patch or workaround to deal with potentially significant issues,” said Clarke.
“The three critical issues carry an exploitability index of ‘1’ with consistent exploit code likely. Additionally, all three patches impact all Windows Platforms and require a restart.”
Qualys CTO Wolfgang Kandek claimed that the update did not contain any surprises due to recent press around the three zero-day advisories that came out in the last six weeks.
Kandek said: “Microsoft had already announced that they would address two advisories with patches MS09-028 and MS09-032 for DirectShow and Microsoft Video respectively. Yesterday's zero-day is left for later and users should apply the workaround published in KB973472.
“The third critical vulnerability addressed is MS09-029 OpenType Font Engine which applies to all versions of Windows, Vista and 2008 included. These three advisories should be addressed immediately as they allow the attacker to fully control the victim's computer.”
Regarding the ‘important’ rated patches, Kandek claimed that a vulnerability affecting Microsoft's proxy server ISA 2006 allows remote unauthenticated users to access the server and that, paired with knowledge of the administrator's username, it lets attackers take full control of the server.
Kandek said: “As administrator usernames are often easy to guess, this vulnerability deserves special attention if IT organisations are using ISA with the RADIUS configuration. This vulnerability is covered in MS09-031.”
He also recommended considering the MS09-030 advisory as critical, even though it was rated as important. “The Publisher component in the MS Office 2007 suite can be used to take full control of the system if the victim is logged in as administrator. If an organisation uses Publisher or has it installed as part of Office 2007, this should be treated as ‘critical’ as well,” said Kandek.
Eric Schultze, CTO at Shavlik Technologies, agreed with Kandek that the releases were timely due to patches being released for two recent zero-day attacks, as both vulnerabilities are reported as being actively exploited on the internet.
“While Microsoft has announced workarounds and/or provided Fixit tools for each of these issues, today's patches will be welcomed by network administrators who have been tasked with remediating these issues. Shavlik recommends that network administrators download and install the patches for these two bulletins as soon as possible (MS09-032 and MS09-028),” said Schultze.