Tuesday, October 12, 2010

More discussion of today's patches

It's looking like there really are some PATCH NOW! patches in today's set of fixes for Microsoft Windows.  Also, Oracle released a major patch for the Java Runtime Engine (JRE), taking it to 6u22.  If you have Java installed, you should patch that as well.  Get your Java patch here: Java Downloads for All Operating Systems.  Here are links to two stories with "user-friendly" discussions of why you need to patch:

Patch Tuesday: Critical flaws haunt Microsoft Office, IE browser | ZDNet
Microsoft dropped its largest ever batch of security patches today to cover a record 49 security vulnerabilities, including several browser flaws that could expose Internet Explorer users to drive-by malware downloads.

The Internet Explorer bulletin (MS10-071) fixes a total of 12 vulnerabilities and because of the risk of zero-click drive-by download attacks, Microsoft is urging Windows users to apply this patch immediately.

Windows users should also pay special attention to MS10-076, which covers a serious flaw in the way the operating system handles embedded OpenType (EOT) fonts. This update is rated “critical” for all versions of Windows (including Windows 7 and Windows Server 2008) and can be exploited to launch remote code execution attacks if a computer user simply surfs to a booby trapped Web site.
Microsoft Plugs a Record 49 Security Holes — Krebs on Security
Microsoft today issued 16 update bundles to fix a record-breaking 49 separate security vulnerabilities in computers powered by its Windows operating systems and other software.

“Microsoft has broken several of its own Patch Tuesday records this year, but this month far surpasses them all,” said Joshua Talbot, security intelligence manager, Symantec Security Response. “Perhaps most notable this month is the number of vulnerabilities that facilitate remote code execution. By our count, 35 of the issues fall into this category. These are bugs that could allow an attacker to run any command they wish on vulnerable machines.”

McAfee notes that today’s release exceeds the previous record of 34 vulnerabilities fixed in one go, which was first set in October 2009, and again in June and August of this year.

... Update, 3:58 p.m. ET: Several readers have pointed out that Microsoft took the momentous step today of adding detection for the infamous ZeuS Trojan to its Malicious Software Removal Tool. The MSRT is offered alongside Windows updates and if approved will scan host computers once a month for a variety of the most prevalent threats. It will be interesting to chart the impact of this welcome move by Microsoft.
Java Update Clobbers 29 Security Flaws — Krebs on Security
Oracle today released a critical update to its widely-installed Java software, fixing at least 29 security vulnerabilities in the program.

... Be aware that Java’s updater may by default also include free “extras” that you may not want, such as the Yahoo! Toolbar or whatever other moneymaker they decide to bundle with their software this time around, so be sure to de-select that check box during installation if you don’t want the add-ons.
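As an added example (not code from the post or from the articles it links), here is a small Python check that parses `java -version` banners and flags any JRE older than the 6u22 baseline the post tells you to patch to. The sample banners are constructed, and the function names are my own.

```python
import re
import subprocess

# Baseline from the post: Oracle's update takes the JRE to 6u22,
# which `java -version` reports as java version "1.6.0_22".
PATCHED_BASELINE = (1, 6, 0, 22)

# Constructed sample banners (what `java -version` prints to stderr);
# not captured from a real host.
SAMPLE_BANNERS = {
    "patched": 'java version "1.6.0_22"\nJava(TM) SE Runtime Environment (build 1.6.0_22-b04)\n',
    "stale": 'java version "1.6.0_21"\nJava(TM) SE Runtime Environment (build 1.6.0_21-b06)\n',
    "old_branch": 'java version "1.5.0_26"\n',
    "garbage": "command not found\n",
}

# major.minor.micro with an optional _update suffix, e.g. 1.6.0_22
_VERSION_RE = re.compile(r'java version "(\d+)\.(\d+)\.(\d+)(?:_(\d+))?')


def parse_java_version(banner):
    """Return (major, minor, micro, update) parsed from a banner, or None."""
    m = _VERSION_RE.search(banner)
    if not m:
        return None
    # A missing update suffix counts as update 0.
    return tuple(int(g) if g is not None else 0 for g in m.groups())


def needs_patch(banner, baseline=PATCHED_BASELINE):
    """True if the reported JRE is older than baseline; None if unparseable."""
    version = parse_java_version(banner)
    if version is None:
        return None
    return version < baseline  # tuple comparison, field by field


def installed_java_banner():
    """Run the local `java -version`; returns '' if java is not installed."""
    try:
        proc = subprocess.run(["java", "-version"], capture_output=True, text=True, timeout=15)
    except (OSError, subprocess.TimeoutExpired):
        return ""
    return proc.stderr + proc.stdout  # the banner goes to stderr on the 6u releases


if __name__ == "__main__":
    for label, banner in SAMPLE_BANNERS.items():
        print(f"{label:>10}: {parse_java_version(banner)} needs_patch={needs_patch(banner)}")
    live = installed_java_banner()
    print(f"     local: {parse_java_version(live)} needs_patch={needs_patch(live)}")
```

A `None` result means no parseable Java banner was found, which is worth reporting separately from "patched" so an absent or broken installation is not mistaken for an up-to-date one.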
