Patch Monday – Apple and Microsoft fix vulnerabilities

dmitrybarsky's photo of a patch panel

As has been suspected for a couple of weeks now, Microsoft announced this morning an out-of-band emergency patch for the IE exploit that has been circulating in the wild. The patch, known as MS10-018, will be released Tuesday morning at 10 am PDT (1700 UTC) and resolves the iepeers.dll vulnerability. It is rumored to include 9 other fixes for IE, which is why Microsoft is calling it a “cumulative update”.

We have seen exploits against this flaw on websites for some time now, and we strongly encourage users of Internet Explorer 6 and 7 to apply the fix as soon as possible. Of course, the best course of action, where compatible, is to upgrade to IE 8.

Users who still require older versions of IE highlight the importance of adopting standards when creating websites. Standards-based development provides flexibility and allows the use of alternative browsers when flaws like this are found. Web developers who have decided to create sites that require proprietary or poorly implemented features of IE have locked many environments into sticking with IE 6 and 7.

Apple today released another large batch of updates as well. OS X 10.6.3 contains 69 fixes for vulnerabilities in OS X applications. However, this patch does not appear to fix the vulnerability exploited by Charlie Miller in this year's Pwn2Own contest at CanSecWest. To be fair to Apple, many of the fixes in 10.6.3 are for open source components, yet since they chose to build OS X on an open platform, it is still their responsibility to ensure those tools are secure.

If you have Macs on your network, be sure to apply these fixes as soon as possible. If you are not using Apple’s remote administration tools, simply click the Apple in the upper left corner and choose Software Update. Be forewarned, though: the update from 10.6.2 is 435MB, and can be more if you use iLife or iWork.

As always, information on Apple security updates can be found in their knowledge base. Microsoft’s fix for Internet Explorer will be available through Windows Update, as well as posted to the Microsoft Security Response Center.

Creative Commons image courtesy of dmitrybarsky’s Flickr photostream.