Download, test, patch, and repeat. That should be the mantra for Microsoft administrators every month.
By now, you’re likely quite used to Microsoft’s regular monthly patch cycle, so you’re already expecting next week’s updates. However, this month’s updates are especially important, since one fixes a fairly prevalent zero day flaw that attackers are exploiting in the wild. According to their advanced notification, Microsoft plans on releasing eight security bulletins next Tuesday to fix vulnerabilities in Windows, Internet Explorer (IE), Office, and the .NET and SilverLight frameworks. They rate half the bulletins as Critical, and the other half as Important.
This would all sound like business as usually for Microsoft Patch Day, except that one of the Critical updates fixes the very serious zero day IE flaw, which I warned you about a few weeks ago. Since that initial warning, more and more attackers have started exploiting this vulnerability. Worse yet, researchers have released a Metasploit exploit for the flaw, which means anyone can try it out. I expect every smart network attacker to start incorporating this flaw into their exploit kits, if they haven’t already. You should get this IE update as soon as it’s available next week.
Also, don’t forget that Adobe now shares Microsoft’s Patch Tuesday, and they too will release updates next week. According to a pre-notification post, they plan on releasing an Adobe Reader and Acrobat update on the 8th.
While I’m talking about Adobe, if you’re an Adobe customer, it’s time to change your user credentials on their site. Today, Adobe released an important announcement informing their customers that their network has been breached. Attackers made off with 2.9 million customer records, including email addresses and encrypted credit card numbers. They plan on emailing affected customers, so be sure to change your password if you get this email. As an aside, the attackers also seem to have acquired some Adobe source code. For more information on this attack, I recommend you read Brian Krebs’ blog post.
So to summarize:
Corey Nachreiner - Watchguard Security Centre