Patches to dominate the end of the month for IT
by Steve Ragan - Jan 25 2010, 09:00
Now that Monday has arrived, there’s likely to be a good deal of work in the IT department this week. Along with the scheduled deployment of Microsoft’s out-of-cycle patch for Internet Explorer, there are fixes from Adobe, Oracle, and Apple to consider, as well as one from RealNetworks. Here’s a breakdown of what to expect.
First, Microsoft took the cake for patch-related news: after releasing a single patch in its scheduled monthly release, the company had to push out a second one to deal with a flaw in Internet Explorer, which was linked to several attacks online and the attack on Google.
Microsoft’s out-of-cycle patch corrects eight specific vulnerabilities in the Internet Explorer browser. Six of these fixes involve memory corruption flaws with the potential of allowing remote code execution. The patch is listed as critical for all versions of Internet Explorer except Internet Explorer 6 on Windows Server 2003, which earns a rank of Moderate. More information from Microsoft can be found here.
Microsoft’s top competition, Apple, released Security Update 2010-001 for Leopard and Snow Leopard last week, addressing 12 vulnerabilities for their OS X software. The majority of Apple’s updates center on Adobe’s Flash Player. Most of the Flash Player patches were released months before Apple pushed them last Tuesday, so if they haven’t been applied already, they should be at the top of the list.
In addition to the patches for Flash Player, Apple also released a fix for an SSL vulnerability that was discovered by Marsh Ray and Steve Dispensa of PhoneFactor. The vulnerability, if exploited, would allow an attacker to capture data sent using SSL/TLS or alter it. Apple’s update disables renegotiation in OpenSSL as a preventive security measure.
More information from Apple is here, and if you want to read PhoneFactor’s work, head here.
Adobe has released updates for Adobe Reader and Acrobat 9.2 and 8.1.7 for Windows, OS X, and UNIX. These updates address a vulnerability that was being actively exploited in December and that, if successfully exploited, leads to system compromise. As many are well aware, Adobe’s software has emerged as a highly vulnerable attack surface, and criminals will often use it to spread rogue anti-virus applications or other malware.
In addition to the patch for Reader and Acrobat, Adobe has also released an update for Shockwave Player. The patch addresses several flaws in Shockwave Player 11.5.2.602 that can lead to code execution if exploited. The only major problem with the patch released is how it should be applied.
“Adobe recommends Shockwave Player users uninstall Shockwave version 11.5.2.602 and earlier on their systems, restart their systems, and install Shockwave version 11.5.6.606,” the company said.
This means more work, but if Shockwave Player is installed across the network, then it can’t be avoided. Adobe gave no indication why the update process wasn’t an in-place upgrade in their advisory.
More information from Adobe on the Reader and Acrobat patches, as well as the Shockwave patch, is here and here. Also, there was a patch for Illustrator CS4 and CS3 released recently, and more information on that is here.
Oracle released a set of patches that address 24 vulnerabilities in seven of their enterprise products including Oracle Database 10g and 11g, Oracle Application Server, Access Manager, and PeopleSoft. The vulnerabilities patched by Oracle are all open to remote exploitation, without prior authentication.
“Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply CPU fixes as soon as possible,” they said in their security notice.
More information on the Oracle patches can be found here.
Lastly, if there are installations of RealPlayer floating around on the network, administrators should note that RealNetworks released an update that addresses 11 vulnerabilities on the Windows, OS X, and Linux versions of the media player.
“We have received no reports of any machines actually being compromised as a result of the now-remedied vulnerabilities,” RealNetworks said in a statement, but added that they recommend everyone update to the latest versions to avoid problems.
More information on the RealPlayer patches is here.
It may not look like a lot, but to some IT departments, the patches released in the last week translate into a ton of work, and a very long and slow close to the first month of the new decade.
When you see your IT staff this week, be kind and offer caffeine. They’ll be pulling their hair out by Friday for sure.
