MS Patch Tuesday, Adobe Vulns and Firefox 3.6.10 – Sept 2010

What a busy week! Aside from not having time to blog, there were a lot of stories about new vulnerabilities and patches for recent vulnerabilities. Microsoft, Adobe, and Mozilla all had news.

Microsoft released nine patches addressing 14 vulnerabilities, four of which are rated critical. The most important fix is arguably MS10-061, for a remote code execution vulnerability in the print spooler. This fix generated a lot of attention because it addresses the second of four previously unknown vulnerabilities used by the recent Stuxnet worm. The other two are still unpatched at this time.

Other critical Microsoft fixes were released for the MP4 codec, Outlook, and some Windows scripting functionality. The flaws rated “Important” affect LSASS, IIS, RPC, WordPad, and Windows 2K3/XP. As always, deploy these fixes as soon as possible and use Microsoft’s “Deployment Priority” and “Severity and Exploitability Index” to help determine which are most important for your organization.

Microsoft is usually the biggest newsmaker on the second Tuesday of each month, but this month they may be overshadowed by two new Adobe vulnerabilities. As Graham mentioned earlier this week, Adobe will be releasing accelerated fixes for new zero-day vulnerabilities discovered in their Flash and Reader/Acrobat products. On Friday, Adobe announced on their PSIRT blog that they will be moving the Flash patch up to September 20th, a week earlier than previously reported. This is likely because the flaw is being actively exploited in the wild.

Fixes for Reader and Acrobat are still scheduled for October 4th, eight days ahead of the scheduled quarterly update. Adobe will release all of the quarterly fixes on the 4th rather than holding less critical fixes back until the 12th. Attacks against the Reader flaw are active in the wild as well, as I reported last week.

Mozilla released Firefox 3.6.10 this week as well, although the fix appears to be related to the stability of a specific plugin, rather than a security issue. This one can probably wait if you recently rolled out 3.6.9, but if you are using the “Personas plus” extension you may wish to expedite this.

Roll out the MS patches and stay tuned for information on the upcoming Adobe fixes. They will be very high priority and I recommend planning your deployment of these fixes as soon as possible.

Creative Commons image “Tuesday” courtesy of Vaguely Artistic’s Flickr photostream.