Today is Patch Tuesday again. The ninth of the year already. Microsoft has released five new security bulletins, and Adobe has joined the party with some security patching of its own today. With all of the vulnerabilities and updates, though, you need to take a step back to prioritize and figure out which patches are most urgent.
Actually, today is a bit anti-climactic. Due to human error the full security bulletins were made public briefly on Friday, so there has already been a four-day heads up of what to expect. But, now that the security bulletins and associated patches are legitimately public, it’s time to take a closer look.
Five security bulletins isn’t the lightest month ever, but it is far fewer than some of the Patch Tuesday avalanches we have seen. What is even more unique is that none of the five security bulletins are rated as Critical. All five of the bulletins–MS11-070 through MS11-074–are all rated Important.
“Although none of this month’s patches are rated critical, we strongly urge users to pay extra close attention to the Office Uninitialized Object Pointer Vulnerability,” said Joshua Talbot, Security Intelligence Manager for Symantec Security Response. “It seems to be a fairly easy to exploit memory corruption issue and leverages extremely common Word files to attack users’ computers.”
Tyler Reguly, Technical Manager for Security Research and Development at nCircle, explains, ” If you’re prioritizing bulletins today, it’s pretty simple: Excel (MS11-072) comes first, followed by the rest. Some of the more interesting patches (Sharepoint and WINS) only apply to certain software configurations.”
Talbot also stresses, though, “Despite the number of patches Microsoft issued today, it’s important to not let the out of band advisory Microsoft updated last week slip through the cracks. The advisory essentially revokes Microsoft’s trust of various DigiNotar certificates.”
Andrew Storms, Director of Security Operations for nCircle concurs on the urgency of the DigiNotar trust revocation. “Microsoft continues its effort to be vigilant about the DigiNotar certificates and is releasing another DigiNotar update. This time it is ‘nuking’ more certificates related to DigiNotar, specifically ones that were cross-signed by other certificate authorities. Anything and everything associated with DigiNotar is getting purged.”
Symantec’s Talbot urges, “This update should probably be kept at the top of IT admins’ to-do lists–even before any of today’s patches– as there are attacks occurring in the wild leveraging the compromised certificates.”
The Microsoft Patch Tuesday is overshadowed to some extent by Adobe’s security patch release.
Storms cautions, “In what might be a first time event, Adobe released a batch of 13 CVE’s early this morning before the Microsoft patch. It’s a definitely improvement over their previous late afternoon releases, but it’s still a ‘classic’ Adobe patch in that we have very little information about the bugs being fixed in the patch. The bad news is that most of them could result in the worst kind of security outcome–remote code execution.”
Make sure you check out the patches released by Microsoft and Adobe today and apply the appropriate updates to protect your systems.