Tuesday, December 8, 2009
Microsoft Patch Tuesday: Critical Update for IE
Barring any urgent security issues or exploits circulating in the wild that would force an out-of-band update, the total number of security bulletins for 2009 is 74, a 5 percent drop from the 78 security bulletins released in 2008.
Deal with MS09-072 First
Experts are unanimous that the MS09-072 security bulletin, which includes the cumulative security update for Internet Explorer, is by far the most urgent patch released by Microsoft today.
Andrew Storms, director of security operations for nCircle, said in an email: "Topping today's news from Microsoft is the fix for a critical zero-day bug in Internet Explorer. The vulnerability became a top security concern for users when exploit code became publicly available. In recognition of the critical nature of the problem, Microsoft made the fix a top priority and delivered it in about two weeks."
Another nCircle security expert, senior security engineer Tyler Reguly, agreed: "Number one on everyone's hit list today should be MS09-072, the IE patch, as this includes a patch for the current IE 0-day vulnerability. Patching IE is always crucial, but given the public exploit, this should be patched as quickly as possible."
I spoke with Amol Sarwate, manager of Qualys Vulnerabilities Research Lab, who summed it up: "MS09-072 is definitely the most urgent. The vulnerability was made public three weeks ago. Attackers have had three weeks to work with the proof-of-concept and develop a workable exploit. If you can only do one patch, do that one."
Reguly said that beyond MS09-072, the rest of today's security bulletins are something of a random mash-up of fixes. They cover most of the alphabet and a number of acronyms, affecting LSASS, ADFS, and IAS for starters.
In the grand scheme of things, though, there is nothing very urgent once you patch Internet Explorer. Reguly recommends that organizations take the time to properly test the remaining patches before deploying them.

PCWorld