Light Microsoft Patch Tuesday Is a Relief for IT
By Jennifer LeClaire / Enterprise Security Today
Published: September 12, 2012
In a welcome light month for IT administrators, Microsoft on Tuesday released two security bulletins. Both are rated important.

MS12-061 fixes a vulnerability in Visual Studio Team Foundation Server. MS12-062 patches a vulnerability in Microsoft System Center Configuration Manager.

"Neither of the issues addressed is known to be under active exploit in the wild -- and, on another positive note, neither bulletin requires customers to restart their machines," said Angela Gunn of Microsoft's Trustworthy Computing. "As always, we recommend that customers deploy all security updates as soon as possible."

Sign of Maturity?

Paul Henry, security and forensic analyst at Lumension, told us he hopes September's light Patch Tuesday is a reflection of the maturity of Microsoft's secure coding initiatives.

"Some vendors scrambled with repeated emergency patches last week just days apart and others seemed to just shrug off multiple day zero vulnerabilities," Henry said. "To the delight of IT pros everywhere though, Microsoft has given us the least disruptive Patch Tuesday we've seen in a long time."

Analyst Surprised

Andrew Storms, director of security operations for nCircle, is surprised there are only two bulletins in this month's patch, because there's definitely a backlog of old bugs in addition to the new ones we already know about. He pointed to MS-CHAP as one example.

"This does make you wonder what Microsoft has planned for the October patch. Did Microsoft choose to deliver an extremely small patch this month because they have a monster patch in final testing for next month?" Storms asked. "This might be the first month Microsoft has delivered a set of patches that don't require a reboot. IT teams focused on uptime and availability metrics will be smiling for the rest of the month."

An Automatic Install

In other security-related news, Security Advisory 2661254, which tightens Windows certificate acceptance rules, deserves attention, according to Wolfgang Kandek, CTO of Qualys. He told us KB2661254 will go into automatic install mode through Windows Update in October, and IT admins should be aware of the consequences.

"The patch will change the Windows certificate system, and it will stop accepting certificates that are using RSA keys with fewer than 1024 bits because those keys are considered forge-able," Kandek said.

"The associated Microsoft Support article explains that the services that are potentially impacted by KB2661254 are Web browsing and e-mail. For more background information on the recent Microsoft Certificate changes, look at Microsoft's reaction to the DigiCert incident and recent events around the Flame malware."

Nine HP Zero-Day Vulnerabilities

Beyond Microsoft, Java has had several issues this year. The two recent zero-day vulnerabilities were highly publicized after Oracle botched the patch process. Then there's Hewlett-Packard. Lumension's Henry said there are currently nine zero-day vulnerabilities in HP's enterprise products with no patch in sight.

"Eight of these vulnerabilities have been given the highest risk-level rating and they should be keeping IT up at night if they're using any of the affected products," Henry said. "I recommend considering compensating controls while we anxiously wait for HP to address these critical issues."

© Copyright 2014 NewsFactor Network, Inc. All rights reserved. Member of Accuserve Ad Network.