WatchGuard Wire
Improve Your Security IQ
Microsoft Black Tuesday: Ten bulletins fix Windows,
Office, IE, and IIS vulnerabilities
8 June, 2010 -- Microsoft's June Patch Day has gone live and, as expected, it's brimming with considerable updates. According to one twit (Twitter user), @Solomani, today's MS Patch Day contains over 171 updates, creating a massive 3.44GB of downloads for Windows Server Update Services (WSUS) -- and that's excluding the Itanium updates.
Microsoft's ten security bulletins contain fixes for 34 vulnerabilities in Windows (and its components), Office, Internet Explorer (IE), and Internet Information Services (IIS). Microsoft rates two of the Windows bulletins, and the IE bulletin, as Critical. They rate the rest as Important.
In general, you should apply Microsoft's patches in order of severity rating. The higher-rated issues are usually easier for attackers to exploit, and give the attacker more control of your computer. I would probably install the cumulative IE update first, since most of your users browse with it, and web-based attacks are very common. That said, attackers can exploit quite a few of the Windows vulnerabilities, including the two Critical ones, through your web browser as well. So, you should apply the Critical Windows updates just as quickly. A lot of people have noticed the remote IIS vulnerability. It draws attention because Microsoft hasn't had a serious remote vulnerability in its popular web server package for quite a while. However, this IIS flaw only presents itself on servers that include the optional Extended Protection for Authentication add-on. Plus, an attacker needs to authenticate before he or she can exploit this flaw. These mitigating factors make this IIS flaw much less severe than some first assumed. Nonetheless, I do recommend IIS administrators patch this Important-rated vulnerability before the other Important ones.
You can learn more about these security bulletins from the tables provided in Microsoft's Bulletin Summary for June. Microsoft's tables (arranged in order of severity) link directly to this month's bulletins and patches. Expand the "Affected Software and Download Location" section of the Summary to find a valuable table that will help you develop your own deployment strategy.
LiveSecurity and LiveSecurity Informer subscribers will receive more detailed information about most of these flaws, and how to fix them, in alerts we're working on right now. -- Corey Nachreiner, CISSP
Copyright© 2010 WatchGuard® Technologies, Inc. You may copy and distribute this article freely in any medium as long as you copy and distribute the entire article without change and preserve this copyright statement and notice.