Patch Tuesday insecurity news and SSCC 18

Broken glass

For those administrators anxiously awaiting a fix for the zero-day flaw in the Windows Help and Support Center disclosed by Tavis Ormandy last month, your patch is ready. Microsoft released four patches today, along with its standard summary giving priority and severity ratings.

MS10-042 fixes the Help and Support Center vulnerability, while MS10-043 resolves a bug in the display driver used by the Windows Aero interface on Windows 7 and Server 2008 R2 that could lead to remote code execution.

Microsoft also resolved two flaws in Microsoft Office 2003/2007: MS10-044 addresses a flaw in Microsoft Access, while MS10-045 fixes a vulnerability in Microsoft Outlook. All four bulletins are rated Critical except the Outlook one, but I would make it a priority as well, since it can be exploited by a malicious email.
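As an added check, not part of the original post, here is a PowerShell snippet that reports whether the four Microsoft bulletins above are present on a host and whether the hcp:// protocol handler abused by the Help and Support Center flaw is still registered. The KB numbers are my assumed mapping for each bulletin and should be verified against Microsoft's bulletin summary before the output is relied on.

```powershell
# Added example, not from the original post: audit a Windows host for the
# July 2010 Patch Tuesday fixes discussed above.
# The KB numbers below are ASSUMED mappings for the bulletins; verify them
# against Microsoft's bulletin summary before relying on this output.
$Bulletins = @{
    'MS10-042' = 'KB2229593'   # Help and Support Center (hcp://) flaw
    'MS10-043' = 'KB2032276'   # display driver flaw exposed via Aero
    'MS10-044' = 'KB982335'    # Microsoft Access
    'MS10-045' = 'KB978212'    # Microsoft Outlook
}

# Get-HotFix reads the Win32_QuickFixEngineering class, i.e. Windows updates.
$installed = Get-HotFix | Select-Object -ExpandProperty HotFixID

foreach ($b in $Bulletins.GetEnumerator() | Sort-Object Key) {
    $state = if ($installed -contains $b.Value) { 'installed' } else { 'MISSING' }
    '{0} ({1}): {2}' -f $b.Key, $b.Value, $state
}

# Caveat: Office fixes (MS10-044/MS10-045) are delivered as Office updates and
# are generally not listed by Get-HotFix, so a "MISSING" result for those two
# should be confirmed against the Office update history rather than trusted.

# Until MS10-042 is applied, Microsoft's documented workaround is to unregister
# the hcp:// protocol handler. Report whether it is still registered.
if (Test-Path 'Registry::HKEY_CLASSES_ROOT\HCP') {
    'hcp:// protocol handler is registered (exposed until MS10-042 is applied)'
} else {
    'hcp:// protocol handler is not registered'
}
```

Run it in an elevated PowerShell session on each Windows 7 or Server 2008 R2 host; any line reporting MISSING for MS10-042 or MS10-043 is a machine to patch first.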

I am not going to get into much detail on the state of security at Oracle, but it also released fixes for 59 flaws today. 28 of the Oracle flaws are rated critical, which means a lot of patching to do if you are an Oracle customer.

Even Mozilla had some bad news today, with a warning about two insecure add-ons for its Firefox browser. The first, called "Mozilla Sniffer", was simply malicious: it would steal any usernames and passwords entered into the browser and send them off to a remote server. The second is a widely deployed vulnerable add-on called "CoolPreviews".

Mozilla advises CoolPreviews users to update to a newer release and will in time disable the vulnerable versions. Given that a genuinely malicious add-on made it onto its site, Mozilla is reviewing its policy of publishing add-ons publicly before they have been code-reviewed.

Last week Rami Jebara, our Technical Product Manager for endpoint web security, joined me for the Sophos Security Chet Chat. Rami and I discussed the new functionality in Endpoint Security and Control 9.5 and how we can now protect PCs against web threats using real-time detection.

Today Michael Argast and I discussed Patch Tuesday, the whole full disclosure debate, and the debate around anti-malware testing: whether all of the tests overlook important factors such as ease of management and breadth of protection.

Creative Commons photo courtesy of Nesster’s Flickr photostream.