The various updates Microsoft issued on June's Patch Tuesday have been welcomed.
In particular, the updates to Internet Explorer have been well received: Ben Greenbaum, senior research manager at Symantec Security Response, said these are the most significant of the batch.
Greenbaum said: “The four Internet Explorer fixes that address HTML object memory corruption vulnerabilities—the first ever patch for Internet Explorer 8 being among these—are of particular interest. These weaknesses actually appear to be quite simple to exploit and we have observed malicious code being offered in malware toolkits that have taken advantage of very similar vulnerabilities.”
Andrew Clarke, senior vice president, international, at Lumension Security, said that this month's updates, although disruptive to the enterprise, may also show a positive trend: a majority of this month's patches are rated critical only on legacy platforms and applications, adding to the evidence that Microsoft's security-focused coding practices have improved the current code base.
Clarke said: “MS09-019 is the most important in that it addresses seven separate vulnerabilities across Internet Explorer 6 and 7 for both XP and Vista. This means that almost all Windows users will soon be vulnerable while browsing the web.
“Two of the vulnerabilities that this update addresses are rated ‘1’ on Microsoft's ‘Exploitability Scale’, meaning that exploits are likely. These vulnerabilities are in the DHTML and HTML object handling capabilities of Internet Explorer, the core technologies in almost every web page. Additionally, this patch requires a reboot, so there is an additional level of complexity in ensuring that this patch is fully deployed across the enterprise.
“Because MS09-018 addresses an Active Directory vulnerability that is rated a ‘1’ on the exploitability scale and addresses a key infrastructure service, it should also be prioritised. It addresses a ‘critical’ remote code execution for Windows Server 2000 and ‘important’ denial-of-service vulnerabilities on more recent Microsoft server platforms, something to be avoided on an organisation's directory services infrastructure.”
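Clarke's point about the reboot requirement is the practical one for a patch team: an update that has been installed but not yet activated by a restart should not be counted as deployed. The following PowerShell function is an added example, not code from the article or from any of the vendors quoted in it; it reports whether a Windows host still has a restart pending, using the standard registry locations Windows itself uses for that state. The function name and output shape are this example's own choices.

```powershell
# Added example: report whether a Windows host still has a reboot pending after
# patch installation, so a cumulative update that requires a restart is not
# counted as fully deployed too early. Registry paths are the standard Windows
# ones; the function name and output fields are assumptions of this example.
function Test-PendingReboot {
    $reasons = @()

    # Component Based Servicing (Vista/Server 2008 and later) flags a pending
    # restart with this key; it is simply absent on older platforms such as XP.
    $cbsKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending'
    if (Test-Path $cbsKey) {
        $reasons += 'CBS RebootPending'
    }

    # Windows Update / Automatic Updates creates this key when an installed
    # update still needs a restart to take effect.
    $wuKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'
    if (Test-Path $wuKey) {
        $reasons += 'WindowsUpdate RebootRequired'
    }

    # Binaries that were in use during installation (browser and shell DLLs are
    # typical) are queued here and swapped in at the next boot.
    $sessionManager = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager' -ErrorAction SilentlyContinue
    if ($sessionManager -and $sessionManager.PendingFileRenameOperations) {
        $reasons += 'PendingFileRenameOperations'
    }

    [pscustomobject]@{
        ComputerName  = $env:COMPUTERNAME
        RebootPending = ($reasons.Count -gt 0)
        Reasons       = ($reasons -join '; ')
    }
}

# Usage: run on each host after the patch job, and treat RebootPending = $true
# as "installed, not yet effective" in the deployment report.
Test-PendingReboot
```

Pairing this with Get-HotFix for the knowledge base article behind each bulletin gives the two checks a compliance report actually needs: the update is present, and the restart that makes it effective has happened.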
Meanwhile, Wolfgang Kandek, CTO of Qualys, said that June's Patch Tuesday is generating a major workload for IT administrators, with Microsoft releasing its largest number of patches for both Windows and the Mac Office suite. Coupled with Adobe's patches for its Reader product on Windows and Mac, and Apple's production release of Safari 4 for Mac OS X and Windows, IT departments face a busy time updating.
Eric Schultze, CTO of Shavlik Technologies, said that despite all of the patches, customers remain at risk from a known issue, the DirectShow-QuickTime vulnerability, which was not fixed this month. Schultze said: “I think Microsoft got it right this month by releasing patches for a number of well publicised security flaws. For the one issue they didn't fix, they released a one-click workaround to protect customers.”
Shavlik recommended installing the following patches first: the IIS patch (for the WebDAV zero-day), the Internet Explorer 8 patch (for the IE8 zero-day) and the Active Directory patch for Windows 2000.