Microsoft released 10 security bulletins today. Six of the bulletins impact the Windows operating system, while one applies to the Internet Explorer browser and three affects Microsoft Office (Word, Excel, Works).
Some interesting notes for today:
1. Microsoft has patched the IIS WebDav 0-day. This flaw enables information disclosure but does not directly allow code execution. Some of the information that could be obtained via information disclosure could lead to code execution via other applications on the system (SQL usernames and passwords, etc), depending upon how the system was configured. Users should patch their IIS webservers soon with this patch.
2. Microsoft has patched the IE8 0-day that was identified at the CanSecWest conference. This flaw enables code execution against Windows XP systems running IE8. Get XP IE8 systems patched right away.
3. Microsoft has NOT released a patch for the DirectShow QuickTime parsing 0-day vulnerability. We expect we’ll see a patch for this next month. In the meantime, Microsoft has published a one-click workaround for this issue. Go to this KB article and click the “Fix It” button. The workaround cures the vulnerability and still enables QuickTime and DirectShow applications to function. Customers who have tested the workaround say that they’ve suffered no negative consequences from applying the workaround. The above referenced KB article also includes information on how enterprises can push out this fix using Group Policy.
4. Microsoft has released a Mac patch for PowerPoint for the MS09-017 vulnerability. This issue was patched in May for Windows systems – Microsoft didn’t have the Mac patch available at that time. It’s now available and should be installed on PowerPoint for the Mac systems.
5. Microsoft has released a non-security update (KB971888) to more fully address wpad configuration concerns. This update limits devolution to 2 levels and should mitigate concerns that some customers voiced about the previously released wpad security patch.
We recommend installing the following patches first:
- IIS patch (for webdav 0-day)
- IE8 patch (for IE8 0-day)
- Active Directory patch for Windows 2000
* Eric Schultze is chief technology officer at Shavlik Technologies, a vulnerability management company.