United States
Web App Attacks: Sneaking in the Front Door
WatchGuard Technologies, Inc.
WatchGuard Technologies, Inc.
ProductsPartnersSupportAbout UsHow to BuySearchProfile
 
Products  

Security Articles

Video Tutorials

WatchGuard Feeds

WatchGuard Wire

Radio Free Security

White Papers

Case Studies

Network Security Glossary

WatchGuard Wire
Improve Your Security IQ

Microsoft Black Tuesday: Microsoft Fixes Google researcher's zero day

13 July, 2010 -- Today, Microsoft released four security bulletins for July's Patch Day, fixing two flaws in Windows, and two in Office. They rate three of the four bulletins as Critical. However, even the Important bulletin fixes an Outlook flaw that poses a significant risk. You should download, test and install all of these patches as quickly as possible.

As I had hoped, Microsoft did patch the zero day Windows Help and Support Center vulnerability that a Google researcher had disclosed without giving Microsoft time to patch. Since attackers are already exploiting this public vulnerability in the wild, you will probably want to apply this update first. I have expressed my discontent with how the Google researcher disclosed this flaw, but for a slightly different opinion, feel free to read this Threat Post write-up about the incident. While the Help and Support Center flaw will probably get all the media attention today, the other Critical updates fix vulnerabilities that are just as serious. So, I recommend you install those updates just as quickly. With only four patches (fixing five actual vulnerabilities), you shouldn't have much trouble getting through today's Patch Day.

You can learn more about these security bulletins from the tables provided in Microsoft's Bulletin Summary for July. Microsoft's tables (arranged in order of severity) link directly to this month's bulletins and patches. Expand the "Affected Software and Download Location" section of the Summary to find a valuable table that will help you develop your own deployment strategy.

LiveSecurity and LiveSecurity Informer subscribers will receive more detailed information about these flaws, and how to fix them, in alerts we're working on right now. -- Corey Nachreiner, CISSP

Copyright© 2010 WatchGuard® Technologies, Inc. You may copy and distribute this article freely in any medium as long as you copy and distribute the entire article without change and preserve this copyright statement and notice.