Microsoft releases patch for Oct's patch Tuesday


Today Microsoft released an out-of-band fix for MS09-054 from last month's patch Tuesday. Microsoft says that the fix is not security related, yet users should apply it immediately to prevent difficulties browsing some web sites.

MS09-054 from October's release was rated critical, and Microsoft's description reads "Browse and own through all supported OS's. Easy to achieve reliable exploit. One vuln disclosed publicly." So I would not advise rolling back the previous patch as a resolution. In today's bulletin Microsoft softballs the issue by saying "Also, we're not currently aware of any attempts to attack the vulnerabilities."

What concerns me is that this may make people more hesitant to deploy patch Tuesday fixes with urgency. Many of our customers have strict change control policies and are reluctant to run out and deploy fixes on the Tuesday afternoon following Microsoft's release. As a security advisor I emphasize how important it is to deploy the fixes quickly; the impact of not doing so could be far worse than any minor issues that result from patching.

The problem being fixed simply causes some pages to render improperly in Internet Explorer. Microsoft's statement that it is not aware of any attacks against MS09-054 is a bit misleading about the danger of not having rolled out the patch. Its own assessment states "One vuln disclosed publicly." Administrators should not conclude that Microsoft's original rating of critical is hyperbole.

With another patch Tuesday approaching a week from tomorrow, we need to consider our plans for rolling out another batch of updates. Fortunately, if you are looking for third-party verification of the risk posed by the various vulnerabilities, SophosLabs publishes our analysis every month to help you create your patch plan. They also provide a post with a general summary on the SophosLabs blog.

As for KB 976749, it's not too important. If your users have not encountered a problem, you can probably wait until next Tuesday to roll it out. Of course Google has an app for that... Yet I doubt this is the solution you are looking for.


About the author

Chester Wisniewski is a Senior Security Advisor at Sophos Canada. He provides advice and insight into the latest threats for security and IT professionals with the goal of providing clear guidance on complex topics. You can follow Chester on Twitter as @chetwisniewski, on App.net as Chester, Chester Wisniewski on Google Plus or send him an email at chesterw@sophos.com.