Today Microsoft released an out of band fix for MS09-054 from last month’s patch Tuesday. Microsoft says that the fix is not security related, yet users should apply it immediately to prevent difficulties browsing some web sites.
MS09-054 from October’s release was rated critical, and Microsoft’s description reads “Browse and own through all supported OS’s. Easy to achieve reliable exploit. One vuln disclosed publicly.” So I would not advise rolling back the previous patch as a resolution. In today’s bulletin Microsoft softballs the issue by saying “Also, we’re not currently aware of any attempts to attack the vulnerabilities.”
What concerns me about this is it may make people more hesitant to deploy patch Tuesday fixes with urgency. Many of our customers have strict change control policies and are hesitant to run out and deploy fixes on Tuesday afternoon following Microsoft’s release. As a security advisor I emphasize how important it is to deploy the fixes quickly, and the impact of not doing so could be far worse than any minor issues that result from patching.
The problem being fixed simply causes some pages to not render properly in Internet Explorer. Microsoft stating that they are not aware of any attacks against MS09-054 is a bit misleading as to the danger of having not rolled out the patch. In their own assessment they state “One vuln disclosed publicly.” Administrators should not conclude that their original rating of critical is hyperbole.
Considering we are approaching another patch Tuesday a week from tomorrow, we need to consider our plans for rolling out another batch of updates. Fortunately if you are looking for third party verification of the risk posed by the various vulnerabilities SophosLabs publishes our analysis every month to help you create your patch plan. They also provide a post with a general summary on the SophosLabs blog.
As for KB 976749, it’s not too important. If your users have not encountered a problem you can probably wait until next Tuesday to roll it out. Of course Google has an app for that… Yet I doubt this is the solution you are looking for.