Microsoft's September Patch Tuesday Easy; October, Not So Much
September's Microsoft Patch Tuesday preview is shaping up to be a fairly simple one with only two bulletins in a list that is usually much longer. Both are rated as "important" and relate to privilege escalation vulnerabilities, which usually imply that the attacker already has some malware on the system in order to conduct the exploit.
The first bulletin is believed to impact FoxPro, requiring the installation of Microsoft Visual Studio Team Foundation Server 2010 Service Pack 1. The second bulletin is believed to be aimed at System Management Server and the installation of a new service pack.
"They are not high profile and the severity is not high," said Wolfgang Kandek, CTO of Qualys. "But you still have to be attentive. You need to have a good inventory of the software that's actually installed on your enterprise. FoxPro is a little bit more likely to escape the attention of an IT administrator. But, the System Management Server is not likely to slip through the cracks."
Meanwhile, Alex Horan, senior product manager at Core Security, warns that cyber criminals often take advantage of low-intensity vulnerabilities that IT administrators and channel partners may be slow to patch.
"In terms of deployment, it just means that you're touching fewer servers, which from an administrator standpoint is a good thing," he said. "A lot of people don't put a high priority on elevation of privilege vulnerabilities, but they truly are a big deal because people usually take longer to patch them, and it's relatively easy to trick someone into running something for you that opens up an opportunity. So as an attacker, a privilege escalation vulnerability is pretty useful."
While the September Patch Tuesday is being characterized as a "walk in the park," the upcoming October counterpart is likely to be a completely different story.
"Next month, Microsoft intends to introduce a change in their certificate strategy that they have been planning since the June timeframe when the Flame malware was abusing Microsoft certificates," said Kandek. "Microsoft fixed that, but then went on to a larger-scale audit of what the potential exposures might be. So they will be moving towards certificates with longer keys because the shorter ones are much easier to forge. So, we can expect that anything with less than 1,024 bits is not likely to be seen as secure communication anymore and will be subject to upgrade. Best practices for key-length are currently at 2,048 bits."
Failure to comply could lead to increased error messages, problems with enrolling certificates, difficulties with S/MIME messages and complications installing ActiveX controls.
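For administrators who want to gauge their exposure before the change, the PowerShell below is an added example (not from Microsoft, Qualys or the original article) that walks the local certificate stores and lists RSA certificates with keys under the 1,024-bit threshold Kandek describes, and separately those under the 2,048-bit best practice. The parameter names and status labels are illustrative assumptions.

```powershell
# Added example: list certificates in the local stores whose RSA public key is
# shorter than the thresholds mentioned in the article.
# Assumes .NET Framework 4.6+ (or PowerShell 7) for RSACertificateExtensions.
# Parameter names and Status labels are illustrative, not Microsoft's.
param(
    [int]$CutoffBits = 1024,        # the article's "less than 1,024 bits"
    [int]$BestPracticeBits = 2048,  # the article's stated best practice
    [string[]]$StoreRoots = @('Cert:\LocalMachine', 'Cert:\CurrentUser')
)

$rsaExt   = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]
$certType = [System.Security.Cryptography.X509Certificates.X509Certificate2]

$findings = foreach ($root in $StoreRoots) {
    Get-ChildItem -Path $root -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $_ -is $certType } |
        ForEach-Object {
            $rsa = $null
            try { $rsa = $rsaExt::GetRSAPublicKey($_) } catch { }
            if ($null -eq $rsa) { return }            # ECC/DSA or unreadable key: skip
            $bits = $rsa.KeySize
            $rsa.Dispose()
            if ($bits -ge $BestPracticeBits) { return }

            [pscustomobject]@{
                Status     = if ($bits -lt $CutoffBits) { 'BelowCutoff' } else { 'BelowBestPractice' }
                KeyBits    = $bits
                Store      = $_.PSParentPath -replace '^.*::', ''
                Subject    = $_.Subject
                NotAfter   = $_.NotAfter
                Expired    = $_.NotAfter -lt (Get-Date)
                Thumbprint = $_.Thumbprint
            }
        }
}

# Shortest keys first; the same certificate can appear in more than one store.
$findings | Sort-Object KeyBits, Store | Format-Table -AutoSize
```

A key of exactly 1,024 bits is reported as BelowBestPractice rather than BelowCutoff, matching the "less than 1,024 bits" wording above.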
Meanwhile, a separate vulnerability continues to be watched closely. A pair of issues with Java 7 was apparently patched by Oracle, but at least one research organization has discovered new vulnerabilities that seem to have emerged as a result of the patch itself. At this point, there is no word on whether Oracle intends to issue new patches, although the most recent one was made available without pre-announcement.
"The problem with Java is that it's extremely prevalent, and you can trick it into running by persuading someone to visit a particular Web page," said Horan. "You have to work with the principle that there is always a vulnerability in those third-party packages and not rely on the vendors to keep them patched. You should have something to contain any compromise as soon as it happens."
PUBLISHED SEPT. 6, 2012