In a welcome light month for IT administrators, Microsoft on Tuesday released two security
bulletins. Both are rated important.
MS-12-061 fixes a vulnerability in Visual Studio Team Foundation Server. MS12-062 patches a vulnerability in Microsoft System Center Configuration Manager.
"Neither of the issues addressed is known to be under active exploit in the wild -- and, on another positive note, neither bulletin requires customers to restart their machines," said Angela Gunn of Microsoft's Trustworthy Computing. "As always, we recommend that customers deploy all security updates as soon as possible."
Sign of Maturity?
Paul Henry, security and forensic analyst at Lumension, told us he hopes September's light Patch Tuesday is a reflection of the maturity of Microsoft's secure coding initiatives.
"Some vendors scrambled with repeated emergency patches last week just days apart and others seemed to just shrug off multiple day zero vulnerabilities," Henry said. "To the delight of IT pros everywhere though, Microsoft has given us the least disruptive Patch Tuesday we've seen in a long time."
Andrew Storms, director of security operations for nCircle, is surprised there are only two bulletins in this month's patch, because there's definitely a backlog of old bugs in addition to the new ones we already know about. He pointed to MS-CHAP as one example.
"This does make you wonder what Microsoft has planned for the October patch. Did Microsoft choose to deliver an extremely small patch this month because they have a monster patch in final testing for next month?" Storms asked. "This might be the first month Microsoft has delivered a set of patches that don't require a reboot. IT teams focused on uptime and availability metrics will be smiling for the rest of the month."
An Automatic Install
In other security-related news, Security Advisory 2661254, which tightens Windows certificate acceptance rules, deserves attention, according to Wolfgang Kandek, CTO of Qualys. He told us KB2661254 will go into automatic install mode through Windows Update in October, and IT admins should be aware of the consequences.
"The patch will change the Windows certificate system, and it will stop accepting certificates that are using RSA keys with fewer than 1024 bits because those keys are considered forge-able," Kandek said.
"The associated Microsoft Support article explains that the services that are potentially impacted by KB2661254 are Web browsing and e-mail. For more background information on the recent Microsoft Certificate changes, look at Microsoft's reaction to the DigiCert incident and recent events around the Flame malware."
Nine HP Zero-Day Vulnerabilities
Beyond Microsoft, Java has had several issues this year. The two recent zero-day vulnerabilities were highly-publicized after Oracle botched the patch process. Then there's Hewlett-Packard. Lumension's Henry said there are currently nine zero-day vulnerabilities in HP's enterprise products with no patch in sight.
"Eight of these vulnerabilities have been given the highest risk-level rating and they should be keeping IT up at night if they're using any of the affected products," Henry said. "I recommend considering compensating controls while we anxiously wait for HP to address these critical issues."