Saturday, October 16, 2010

Loads of Security Patches Haunt IT Administrators

A record 16 security bulletins on Patch Tuesday added to the Halloween burden for IT administrators. Besides Microsoft's fixes for Windows, Office, Internet Explorer, and .NET, Oracle fixed 81 flaws, Apple one, and Red Hat two. Among Microsoft's patches, security experts tagged the Embedded OpenType Font Engine as the most critical fix.

Microsoft on Tuesday issued a record 16 security bulletins that address 49 vulnerabilities. The problems affect Microsoft Office, Windows, Internet Explorer, and the .NET Framework. Microsoft only rated six of the 49 vulnerabilities critical.

"Microsoft has broken several of its own Patch Tuesday records this year, but this month far surpasses them all," said Joshua Talbot, security intelligence manager for Symantec Security Response. "Perhaps most notable this month is the number of vulnerabilities that facilitate remote code execution. By our count, 35 of the issues fall into this category. These are bugs that could allow an attacker to run any command they wish on vulnerable machines."

Stuxnet Hangovers

Talbot pointed out that one of the two remaining Stuxnet-related zero-day vulnerabilities was fixed with Tuesday's release. Stuxnet uses the Win32 keyboard layout vulnerability to escalate from a limited user account to administrator privileges on infected systems, so that its subsequent actions are not blocked by the system's access controls.

"The vulnerability addressed in the Embedded OpenType Font Engine is perhaps the most likely to be widely exploited," Talbot said. "Similar vulnerabilities have seen extensive exploitation in the past. Since this particular issue affects so many Windows operating systems and can be exploited via a web browser, it's likely to get the immediate attention of attackers."

Remember To Upgrade

Andrew Storms, director of security operations at nCircle, said it's possible that Microsoft will hit the triple-digit mark for bulletins in 2010. As he sees it, "another 14 bulletins over the next two months seems more than likely." This month, he added, it's more important than ever to prioritize the release. He agreed with Talbot that the Embedded OpenType bugs should top the list.
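The prioritization Storms and Talbot describe (vendor rating, remote code execution, reachability through a browser, and whether exploitation has already been seen, as with the Stuxnet keyboard-layout bug) can be written down as a scoring rule so that a rollout order is reproducible rather than argued afresh each month. The following is an added example, not code from the article or from any of the vendors quoted; the component names come from the article, but the bulletin identifiers are deliberately omitted, the ratings, impacts and vectors of the IIS, Office web apps and Windows Media entries are constructed for illustration, the host counts are invented inventory figures, and the weights are an assumption rather than any vendor's formula.

```python
"""Rank one month's bulletins into a rollout order.

Added example. Component names follow the article; every rating, impact,
vector and host count below is constructed for illustration, and the
weights are an assumption, not a vendor scoring formula.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Bulletin:
    component: str            # component the fix covers (bulletin ids omitted on purpose)
    rating: str               # vendor severity: "critical", "important", "moderate" or "low"
    impact: str               # worst-case impact: "rce", "eop", "dos" or "info"
    vector: str               # how an attacker reaches it: "browser", "network" or "local"
    exploited: bool = False   # exploitation already observed in the wild
    hosts: int = 0            # assets in inventory that run the component (constructed counts)


RATING_WEIGHT = {"critical": 3, "important": 2, "moderate": 1, "low": 0}
IMPACT_WEIGHT = {"rce": 3, "eop": 2, "dos": 1, "info": 1}
VECTOR_WEIGHT = {"browser": 3, "network": 2, "local": 1}
# Assumption: known exploitation is worth more than one severity step, but a
# local privilege escalation does not outrank a browser-reachable code execution.
EXPLOITED_BONUS = 5


def score(b: Bulletin) -> int:
    """Higher means patch sooner. Raises KeyError on an unknown rating/impact/vector."""
    s = (3 * RATING_WEIGHT[b.rating]
         + 2 * IMPACT_WEIGHT[b.impact]
         + 2 * VECTOR_WEIGHT[b.vector])
    if b.exploited:
        s += EXPLOITED_BONUS
    return s


def prioritize(bulletins):
    """Return component names in rollout order: score first, then affected host count.

    A bulletin for a component nobody runs still gets a score, but sorts to the
    bottom of its score band because nothing in inventory is exposed."""
    ranked = sorted(bulletins, key=lambda b: (score(b), b.hosts), reverse=True)
    return [b.component for b in ranked]


# Constructed sample: the first two rows follow the article (browser-reachable
# critical RCE in the font engine; local EoP used by Stuxnet). The rest are
# placeholders with invented attributes so the tie-breaking is visible.
SAMPLE_BULLETINS = [
    Bulletin("Embedded OpenType Font Engine", "critical", "rce", "browser", False, 4200),
    Bulletin("Win32 keyboard layout", "important", "eop", "local", True, 4200),
    Bulletin("IIS client-side certificates", "important", "rce", "network", False, 12),
    Bulletin("Office web apps", "important", "rce", "network", False, 3),
    Bulletin("Windows Media Home Sharing", "important", "rce", "network", False, 0),
]


if __name__ == "__main__":
    for name in prioritize(SAMPLE_BULLETINS):
        b = next(x for x in SAMPLE_BULLETINS if x.component == name)
        print(f"{score(b):3d}  hosts={b.hosts:5d}  {name}")
```

With these weights the font engine fix scores 21 and lands first, the Stuxnet privilege escalation scores 17 despite being actively exploited, and the three "important" network-reachable entries tie at 16 and are ordered by how many hosts actually run them. Changing `EXPLOITED_BONUS` is the knob to turn if your organisation treats in-the-wild exploitation as the overriding signal; the point of writing the rule down is that such a change is a visible policy decision.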

Tyler Reguly, lead security engineer for nCircle, said when you mix in IIS client-side certificates, Office web apps, and Windows Media Home Sharing, it's a rather eclectic collection of affected products.

"The most important message this month is 'upgrade,'" Reguly said. "This month should be a wake-up call for anyone still running Office XP; the number of vulnerabilities affecting only that product is a clear indicator that it's time to upgrade to a newer version, perhaps Office 2010, which has only a single CVE affecting it."

Security Patches Galore

For all the talk about Microsoft's record-breaking release, it seems minuscule compared to Oracle's patch release for 81 flaws, 31 of which are remotely exploitable without authentication, said Paul Henry, security and forensic analyst for Lumension.

"Red Hat issued two repatches as well, which address flaws in the kernel that they originally patched in 2007," Henry said. "However, it seems these flaws have been lingering for the past three years and have found their way back into the code base. Apple has also announced a patch of a file-sharing issue in OS X, which could allow a remote hacker to access a share without a valid password."

More than 130 vulnerabilities total is spooky indeed, and, if not managed correctly, they will certainly have a massive impact on corporate productivity, Henry said. Even if managed correctly, work-day interruption is unavoidable because these updates will require a restart, shutting down computer systems for a period of time. In some instances, this can take up to 20 minutes.

"There's no rest for the weary -- security administrators, that is -- as all of this comes on the heels of patches or new versions for the most popular browsers, Mozilla, Chrome and Opera, all of which have been announced just since last Patch Tuesday," Henry said. "Perhaps once Halloween time has passed, things will slow down a bit. But if organizations still fail to put the proper preventive measures in place, vulnerabilities will be sure to haunt them forever."
