While only one—a vulnerability in Windows—is deemed critical, three of the advisories address vulnerabilities that can lead to system takeover: the Windows flaw, flaws in MSN Messenger and Windows Live Messenger, and holes in Visual Studio.
"If the Windows Messenger vulnerability lends itself to a chat-based attack vector, then organizations and users of the ubiquitous Microsoft Messenger should pay attention, because this would be a prime candidate for spreading malware and viruses," said Paul Zimski, senior director of market and product strategy for PatchLink, in a statement.
In its September 2007 advanced security bulletin notification, Microsoft said it also plans to release updates for SharePoint as well as for Windows Services for Unix and the subsystem for Unix-based applications. Outside of the one critical Windows advisory, the other four updates are all deemed important.
The eEye Zero-Day Tracker is currently listing three unpatched Microsoft vulnerabilities, but none of these are rated critical.
While Sept. 11 may strike some as a Patch Lite Tuesday, experts warn that any vulnerability that could lead to remote code execution should be dealt with quickly.
"Although this month may be a reprieve from this year's heavy patch releases, any vulnerability that lends itself to remote code execution should prompt IT administrators to identify which parts of their network are affected and to apply those patches first," Zimski said.
Indeed, he said, finding systems vulnerable to the threats at hand will be the toughest part of dealing with this month's patch deployments.
At any rate, whatever breathing room IT administrators get from having a less than onerous Patch Tuesday should be spent cleaning house, he said: updating network inventories, addressing backlogged vulnerabilities, classifying assets, prioritizing risk and measuring recent response times for patch implementation.
As it does every month, Microsoft will also be releasing an update to the Microsoft Windows Malicious Software Removal Tool. The company also plans to release one high-priority, non-security update on Microsoft Update but none released on Windows Update.
http://www.eweek.com/print_article2/0,1217,a=214796,00.asp
September 7, 2007
留言列表