Yesterday was Microsoft’s Patch Tuesday for the month of November. There are 6 new Security Bulletins this month: 3 rated as Critical and 3 rated as Important. Not all Critical Security Bulletins are created equally though. You need to understand the implications of the flaw being patched and how it applies to your systems to determine how urgent the update is.
With one month left in 2009, Microsoft would have to have a record-breaking month in December to surpass the 78 Security Bulletins released in 2008. So, in that regard you can say its been a better year for Microsoft. It is also worth noting that this month’s Security Bulletins do not affect the new Windows 7 operating system.
Some Security Bulletins may be rated Critical by Microsoft, but only impact platforms or applications you don’t use so they don’t pose much threat to your system. Others may be exploited by worms, or with unauthorized drive-by malicious downloads like Security Bulletin MS09-065.
According to Tyler Reguly, Lead Security Research Engineer with nCircle, says “There’s no question that this month, the most important bulletin to patch quickly is MS09-065. Given the drive-by attack vector presented in Internet Explorer, combined with the Office document vector, this bulletin is dangerous and should be patched as soon as possible.”
Small and medium businesses are often between a rock and a hard place when it comes to security flaws and updates. They tend to have a more diverse collection of hardware and software than consumers, but they also have to balance patching against business needs and ensure that software updates don’t break applications or impact productivity.
Reguly notes “In general with SMBs, operation of the company usually seems to trump security in a big way. It’s important that they remember that security is important and apply the more serious patches as quickly as possible, and roll out the remainder as soon as possible.”
One issue that plagues small and medium businesses is reliance on legacy software. They don’t have the budgets and enterprise licensing agreements that larger enterprises have, so they try to squeeze out every last drop of usability from an operating system or application before investing in upgrades.
“I have seen many SMB’s that are still running Microsoft Small Business Server 2000 (SBS). I’ve seen setups where the SBS is sitting open on the internet– these entities are affected by both the license logging service and active directory vulnerabilities (MS09-064 and MS09-066) and should probably apply the patches as soon as possible. We can always be hopeful that in 2009 few people are still running SBS 2000 but I’m sure it’s still out there” says Reguly.
User education and awareness training are also critical components of mitigating against these threats. Pending the testing and implementation of the necessary patches, SMB’s can prevent exploits by making sure that employees know what to avoid and how to exercise some common sense.
Reguly summarized by stating “Many enterprises have implemented training programs, but in the SMB I’m not sure that it’s overly common. Ensuring users know to ignore unsolicited attachments and avoid sketchy websites is an important thing for a SMB Sys Admin to convey.”