Silicon Shecky

Yep, that’s right, its that time of month where Microsoft’s servers get slammed. Its patch week.

This month some patches for holes that have Zero Day Exploits out for them already. Included in this is the Active X Video Hole, The Direct X Quicktime Hole, and the Open Type Font hole. The first two I had talked about when they came out, with the Direct X hole being the one that it looked like Microsoft had no serious plans of patching. Nice to be proven wrong.

There is no fix this month for Office Web components, which have recently come under attack. I expect this fix is being worked on and will be out soon. Considering the move to the cloud that people talk about, and that Office Web competes with Google Documents, they do need to secure it.

As always, I do recommend paying attention when you patch as one reader pointed out, you can choose not to install IE8, which still comes down as a critical patch, unless you download it and then stop the install of it, or tell the updater to hide the download of it. Yeah, its a pain, and unfortunately the everyday end user who we tell to make sure they install critical patches will still inadvertently install the sucker, we can at least try to educate them a little and not make the same mistake ourselves.

Ahh yes, the second Tuesday of the month and Microsoft releases patches. This month is a big month for it again with 10 patches, 6 of them marked as critical. So what do we have patched this time?

1) Active Directory. It seems that there are holes in Active Directory’s security that can allow remote code execution. Definitely do some testing on this patch, but try to roll it out as quickly as possible. This does affect 2000, 2003, and XP

2) Print Spooler. A patch that closes up 3 vulnerabilities that could allow remote code execution. Another one that should be rolled out as quickly as possible. I have not heard of code in the wild on this, but you know how quickly people will jump on such a critical system hole.

3) Internet Explorer. Big surprise here as IE seems to get a patch at least every other month. Considering that Microsoft was able to compromise Firefox’s security with a .Net add on for it, the holes in IE need to get patched up as quickly as possible.

4) Word, Excell, Works. I hope you aren’t using Works, but with Word and Excel, test these and then deploy, even though they are marked as critical.

Those are the Critical’s as decided by Microsoft. Interestingly the Direct X vulnerability, which does have code exploiting it in the wild, has no patch whatsoever, and no sign that Microsoft is going to patch that hole anytime soon. Again a concern where Microsoft is concerned, but not surprising considering the amount of resources working on Windows 7, and the amount of reported vulnerabilities Microsoft must receive every month. More information on the Microsoft patches can be found here.

Also, Adobe released a patch to address a number of vulnerabilities that have been found in its Acrobat Reader. Information on that can be found here.

Yep, a busy Patch Tuesday, so go get them, test em, and deploy em. And if you find a problem with any of the patches, or caused by them, let me know.