Comments on Patch Tuesday

patchtuesday

The second Tuesday of the month is always a busy day for IT and security pros.  That, of course, is the day Microsoft releases their regular security updates.  And this month’s list of advisories reminds me how far we have to go before we get an upper hand on the bad guys who exploit vulnerabilities for a living.  Microsoft, like so many other software vendors, continues to release vulnerable software and we continue to apply patches to fix those vulnerabilities.  All the while, systems are exposed and often get compromised due to this game of reactive patch management.

Microsoft released 5 security advisories today to address 8 vulnerabilities:

  • MS09-045 – addresses a vulnerability in Jscript (KB 971961)
  • MS09-046 – addresses a vulnerability in Microsoft Windows (KB 956844)
  • MS09-047 – addresses a vulnerability in Microsoft Windows (KB 973812)
  • MS09-048 – addresses a vulnerability in Microsoft Windows (KB 967723)
  • MS09-049 – addresses a vulnerability in Microsoft Windows (KB 970710)

The first three patches address vulnerabilities that allow a malicious web site to compromise an unpatched machine simply by browsing the web site.  These drive-by exploits are undoubtedly already setup on rogue web servers, compromising vulnerable systems even as I write this.  Microsoft rated MS09-045 and MS09-047 as critical and MS09-046 as important.

The other two, MS09-048 and MS09-049, are more interesting and potentially more problematic.  Both of these vulnerabilities are rated as important by Microsoft, but I would not be surprised if exploits for these two end up doing more damage than the others.  The reason for this is that both of these patches address vulnerabilities in the network stack and do not require any intervention by the end user for exploitation.  This makes them good candidates for exploitation via a worm which increases the criticality of these advisories.  Microsoft believes these vulnerabilities are most likely to be exploited via a denial of service attack as it is difficult to reliably achieve remote code execution.  But denial of service attacks can be very damaging and it is not inconceivable that someone could write a exploit that can smash the stack, resulting in remote code execution.

Microsoft is not alone in releasing regular security patches and expecting us, the end users, to manage the process of performing the updates.  Apple, Adobe, Red Hat, Sun and every other software vendor does the same thing.  While I understand that software development is a complex endeavor, vendors must get better at implementing security testing and vulnerability analysis into their software development life cycle.  But until they do, keep applying those patches.

Comments are closed.