[+] Wayc0de's Blog[+]

09/09/11

Patch Tuesday heads-up: Microsoft readies 5 'important' security updates

Microsoft plans to ship five security bulletins next Tuesday with fixes for serious security vulnerabilities that could lead to remote code execution attacks.

The updates, all rated “important,” will provide fixes for security holes in the Microsoft Windows operating system, the Microsoft Office productivity suite and the Microsoft Server Software.

According to an advance notice issued by Redmond, the flaws could cause code execution of elevation of privilege attacks.  At least one of the bulletins will require a restart after installation.

The Windows OS updates will apply to all versions of the operating system, including the newest Windows 7 and Windows Server 2008 R2.

Despite the light Patch Tuesday and the absence of “critical” bulletins, Rapid7 security researcher Marcus Carey is urging IT administrators and Windows users to avoid downplaying this batch of patches.

“It’s easy for organizations to gain a false sense of security during a light patch month and sometimes an attitude of complacency towards non-critical vulnerabilities is evident, but while there are no “critical” bulletins this month, organizations should not downplay the vulnerabilities being addressed. I know of organizations that have 30 day patch requirements for “critical” – which is too long in my opinion – and up to three months to patch “important” and below,” Carey said.

While “important” vulnerabilities may not give attackers the full root privileges generally associated with “critical” vulnerabilities, Carey warns that an attacker can use an “important”-rated vulnerability to achieve an initial compromise and then escalate privileges by other means.

“By using an “important” vulnerability and other methods, attackers can still end up with the same result, and so it is essential that organizations understand that all five of these “important” bulletins can result in an escalation of privileges for the attacker, which is a serious matter and needs to be addressed quickly,” he added.

nb : zdnet

Tidak ada komentar:

Posting Komentar