Software Updates From the Major Vendors
Over the last week, there have been security and functionality updates released by Microsoft and Apple, as part of their scheduled patching cycle and patch management processes, respectively. Towards the end of the week Oracle joined the fray, pre-announcing that they would be shipping 46 security patches with their Quarterly patch release, due for release next week. Significant recent attention has also been given to a known (and patched) issue affecting various Java JRE and SDK versions.
With the patches that have already been released over the last several days, the only real concern appears to surround MS07-040, the cumulative .NET Framework patch, that addressed arbitrary code execution holes in the base Framework, and information disclosure problems affecting ASP.NET (as well as changing the behaviour of ASP.NET).
This is despite Microsoft providing advance warning (in the associated patch summary) that KB 928365 was going to be of use to users who encountered difficulties applying the patch, suggesting that they were anticipating that users would have trouble applying the patches.
Reports that have been appearing on technical forums, technical media sites, and security sites, indicate that there are a range of issues that are being encountered by users and administrators who are struggling to patch their systems. Issues being encountered range from the patch failing to install, through to system instability. The chief culprit appears to be the patch monopolising the processor after it has been installed, but the case is being made worse by the existence of dedicated exploit code that surfaced within a matter of hours of the patch release (and fore-warned against, here).
This latest patch nightmare (for some users) has only cemented the need (in their minds) for applying delays to the installation of patches from vendors. The dichotomy that plagues this approach is the threat posed by attackers weighed against the risks to the system from the actual patch. Since a 0-day was hinted at last week, exploit code being readily available from immediately after the patch was released, and the suggestion that other significant vulnerabilities can easily be found and attacked, any prospective attacker has a range of available material to work from. With the widespread use of and reliance upon the .NET Framework for consumer and business applications, the potential number of victims is quite large and likely to have a reasonably sized set of systems that contain material of interest.
As was seen with the efforts to breach the iPhone, it doesn't take much of a userbase for interest to be turned to a technology or platform. For users and administrators who are applying a delay to the patching process, it might be worthwhile accelerating the rollout of this patch.
14 July 2007
Social bookmark this page at eKstreme.
Alternatively, Bookmark or Share via AddThis
Do you like how we cover Information Security news? How about checking out our company services, delivered the same way our news is.
Let our Free OS X Screen Saver deliver the latest security alerts and commentary to your desktop when you're not at your system.
Comments will soon be available for registered users.