United States
Easy management - our secret sauce. Watch the video tour.
WatchGuard Technologies, Inc.
WatchGuard Technologies, Inc.
ProductsPartnersSupportAbout UsHow to BuySearchProfile
 
Products  

Security Articles

Video Tutorials

WatchGuard Feeds

WatchGuard Wire

Radio Free Security

White Papers

Case Studies

Network Security Glossary

WatchGuard Wire
Improve Your Security IQ

Microsoft Black Tuesday: Microsoft's June patches fix flaws in IIS, IE, and AD

9 June 09 -- Today, Microsoft released ten security bulletins, fixing 31 security vulnerabilities in their products. They rate six of the bulletins as Critical, three as Important, and one as Moderate. The bulletins report details on:

  • Flaws in five Windows components, including Active Directory (AD) and the Print Spooler, two rated Critical
  • An Internet Explorer (IE) cumulative patch, rated Critical
  • Three updates to fix Office components, all rated Critical
  • An Internet Information Services (IIS) elevation of privileges flaw, rated Important

Many of these bulletins fix vulnerabilities that could allow remote attackers to take over your computers, so you'll want to update quickly. Here's the order I would apply the patches:

  1. IE cumulative update. This patch fixes a zero-day IE8 flaw demonstrated at the Pwn2Own contest, so I'd patch it first.
  2. Critical Windows updates: The AD vulnerabilities sound pretty bad, though a firewall should prevent external attackers from exploiting them.
  3. IIS update: Technically, Microsoft doesn't consider this as severe as the Office flaws, but your web server is a high value target. So I'd patch this before Office.
  4. Three Office updates: This will protect your users from malicious Office documents.
  5. Remaining Windows patches: Finally, finish off with the left over Windows updates.

Frankly, as long as you patch the Critical vulnerabilities earlier than the less severe ones, the order in which you apply them doesn't really matter too much. In any case, try to apply them as quickly as possible. As with all Microsoft fixes, you should also make sure to test the updates on non-production machines before deploying them throughout your network.

You can learn more about these security bulletins from the tables provided in Microsoft's Bulletin Summary for June . Microsoft's tables (arranged in order of severity) link directly to this month's bulletins and patches. Expand the "Affected Software and Download Location" section of the Summary to find a valuable table that will help you develop your own deployment strategy.

LiveSecurity and LiveSecurity Informer subscribers will receive more detailed information about most of these flaws, and how to fix them, in alerts we're working on right now. -- Corey Nachreiner, CISSP

Copyright© 2009 WatchGuard® Technologies, Inc. You may copy and distribute this article freely in any medium as long as you copy and distribute the entire article without change and preserve this copyright statement and notice.