Critical Updates from Microsoft, Adobe, and Oracle
Today is the second Tuesday of 2010, which means it's the second Tuesday in January, which makes it Patch Tuesday. Microsoft welcomed 2010 by taking things easy this month and released only a single security bulletin.
Light Month from Microsoft
Microsoft security bulletin MS10-001 affects a vulnerability in the embedded Open Type font engine. The security bulletin is rated as Critical, but that rating really only applies to Windows 2000 systems. For all other versions of Windows, this flaw is rated as a Low severity.
Tyler Reguly, senior security engineer for nCircle characterized the Microsoft update as more or less trivial. "Welcome to a slow start to the new year. A single patch, and from a research standpoint, not even an interesting one. All patches should be taken seriously but this definitely isn't a fire that needs to be put out quickly, this one can definitely fall into regular patching cycles."
nCircle director of security Andrew Storms suggests putting the time normally spent on assessing and implementing patches into other worthwhile endeavors. "This is a very light Patch Tuesday from Microsoft and IT security teams should be taking advantage of the situation to address housekeeping items. Take the time this month to find every out-of-date Microsoft system and apply any necessary patches from those 2009 vulnerabilities."
Storms added, though, that "One of the outstanding bugs that wasn't patched this month is an SMB denial of service attack vulnerability that has been open since mid-November. Since Microsoft has left the bug open for this long it's now clear that the threat isn't as serious as many people believed."
Adobe and Oracle Join the Fray
While Adobe and Oracle don't follow the same security update and patch release cycle as Microsoft, both coincidentally released critical updates of their own today.
nCircle's Storms noted "Once considered the safest document format, Adobe PDF has fallen prey to a rash of serious security threats. After a solid year of security issues, Adobe's product security and secure product development practices are being seriously questioned. It's ironic to consider that we may have reached the point where Microsoft Office documents are now more secure than PDF documents."
Oracle joined the party as well, rolling out a quarterly patch of its own. The Oracle update contains a total of 24 updates affecting seven different Oracle products. Most of the vulnerabilities are remotely exploitable without authentication, making them critical security concerns. Database servers should not be exposed to the network, but IT administrators need to scrutinize affected application servers to determine the amount of risk the servers are exposed to.
Qualys' Kandek also noted that a Intevydis, a Russian security research firm, announced last week that it plans to publish server-based zero-day vulnerabilities over the next three weeks. "The first two are live and have POC [proof-of-concept] code for Sun Directory Server 7.0 and Tivoli Directory Server 6.2. We are monitoring these releases and will keep you updated on further developments."