As scheduled, on May 11th Microsoft released the latest Patch Tuesday fixes. There are two in total, and while Microsoft has rated both as critical, that rating isn't accurate for most business environments. The first primarily affects end users and the second primarily affects developers.
The first patch, Microsoft MS 010-030, affects Microsoft email clients on most Windows operating systems. For customers who use Outlook Express, Windows Mail, and Windows Live Mail, this warrants a rating of critical. In my experience, these products are uncommon in the professional world and this particular exploit also requires the ability to manipulate the response from the mail server the client is connecting to. While the critical rating may have been applied because the issue is easy to exploit, it seems unlikely to affect most organizations.
The second patch, MS 010-031, is really only a critical risk to developers. Like MS 010-030, it may be easy to exploit, but it could only impact a small number of users; therefore, it does not seem to be a likely target for malware authors. The issue also affects Microsoft Office, but it does require user interaction. This seems to be the most likely vector of attack and I encourage everyone to ensure their Office installations are patched as soon as possible.
In other Patch Tuesday news, Adobe released patches for ColdFusion and Shockwave Player. ColdFusion users should certainly update, but the larger issue is Shockwave Player. I have previously commented on why Shockwave should simply be removed and this is simply another nudge to get rid of it. Eighteen vulnerabilities were patched in this release and you don't need Shockwave to view most of the modern Internet. Mr. Jobs may wish to take pot shots at Flash, but it's time for Shockwave to rest in peace. If you really do need Shockwave, be sure to update to 18.104.22.1689.
Michael Argast and I sat down once again this week to discuss the latest security news on Sophos Security Chet Chat episode 9. We had a good chat about Facebook, Twitter, and social media security. We also talked a bit about our announcement of support for Citrix Receiver and the enhanced security provided by our partnership to help the BYOC (Bring Your Own Computer) trend that is becoming more popular.
Facebook responded to the concerns over the IP address leakages very quickly. I implied in the podcast it may not have been complete, but it appears there was a transition period across their clusters that made some messages still exhibit the old behavior for a short period of time. Facebook's Barry Schnitt, Director of Policy Communications, commented on the Binary Intelligence blog in response to the criticism.
Barry said, "We originally included IP address information in these email headers as part of industry best practices designed to improve spam filters. This is similar to what many webmail providers do. However, we agree this practice no longer makes sense for Facebook and we've discontinued it. Thank you for bringing this to our attention."
Creative Commons image courtesy of Vaguely Artistic's Flickr photostream