Silicon Shecky

Ahh yes, the second Tuesday of the month and Microsoft releases patches. This month is a big month for it again with 10 patches, 6 of them marked as critical. So what do we have patched this time?

1) Active Directory. It seems that there are holes in Active Directory’s security that can allow remote code execution. Definitely do some testing on this patch, but try to roll it out as quickly as possible. This does affect 2000, 2003, and XP

2) Print Spooler. A patch that closes up 3 vulnerabilities that could allow remote code execution. Another one that should be rolled out as quickly as possible. I have not heard of code in the wild on this, but you know how quickly people will jump on such a critical system hole.

3) Internet Explorer. Big surprise here as IE seems to get a patch at least every other month. Considering that Microsoft was able to compromise Firefox’s security with a .Net add on for it, the holes in IE need to get patched up as quickly as possible.

4) Word, Excell, Works. I hope you aren’t using Works, but with Word and Excel, test these and then deploy, even though they are marked as critical.

Those are the Critical’s as decided by Microsoft. Interestingly the Direct X vulnerability, which does have code exploiting it in the wild, has no patch whatsoever, and no sign that Microsoft is going to patch that hole anytime soon. Again a concern where Microsoft is concerned, but not surprising considering the amount of resources working on Windows 7, and the amount of reported vulnerabilities Microsoft must receive every month. More information on the Microsoft patches can be found here.

Also, Adobe released a patch to address a number of vulnerabilities that have been found in its Acrobat Reader. Information on that can be found here.

Yep, a busy Patch Tuesday, so go get them, test em, and deploy em. And if you find a problem with any of the patches, or caused by them, let me know.

It is interesting watching how different companies look at patches, and security holes. It is more interesting to see one giant seem to fail at prompt patching for a Zero-Day exploit, while another gives a basic time frame and is pretty much right on as far as when the fix will be out. Of Course the two companies I am talking about are Adobe, and Microsoft.

Adobe released the patch for the JavaScript Vulnerability in all of its Acrobat products this past week. They had said they would have patches out by the 18th, when the flaw was pointed out by Symantec back in February. That is pretty prompt if you ask me. They acknowledge a serious flaw, say when they hope to have a patch available to close it, and then hit that time frame.

The fact of the matter is a great many pieces of software, both closed and open source, take these flaws and vulnerabilities seriously, and are very prompt in patching the holes. Yeah you hear Opens Source people talk about how much quicker they are able to patch things, but they tend to refer to Microsoft, and don’t think about all the other companies out there.

That does bring us to case 2, which just happens to be Microsoft. Back in January, a Zero-Day exploit in Excel was found. Now if a flaw like this had been found in Internet Explorer or Windows, we might have a patch for it already, probably released Out Of Band (not on the normal patch Tuesday every month). Instead, with it only being Excel, we are nearing the end of March, and still no patch for it. Now mind you this exploit was found a month before the Adobe one. Last I check, Excel was a very popular program, used by a lot of individuals and companies. Yet, Microsoft still has no patch for it.

Sure you can say that Excel is a complex program, but so is every program out there in this day and age. Sure you can say that Microsoft is working on it, except I haven’t heard anything about a patch from Microsoft. No expected time frame on getting a patch out, no nothing. Yes, this is the sort of thing the Open Source people feed on, and I can’t blame them.

I use both Microsoft, and Open Source software, so don’t think I’m bashing something I don’t use. Microsoft as a company has come a long way in their patch management, but they still have a long long way to go. Then again so does Linux, but that will be an editorial for another day.

I just want to know that I’m not going to have to deal with clients who get hit by the Excel exploit. Please get us our patch.