October 8th, 2009
Monster Patch Tuesday on tap: 13 bulletins, 34 vulnerabilities
Microsoft is planning a bumper Patch Tuesday next week — 13 bulletins covering 34 security vulnerabilities in a wide range of products. Eight of the 13 bulletins will be rated “critical,” Microsoft’s highest severity rating.
According to Microsoft’s advance notice, the patches coming on October 13 includes fixes for two serious issues that are well-known and already documented — a code execution bug in SMB v2 and a gaping hole in FTP in IIS.
Affected products include Microsoft Windows, Internet Explorer, Microsoft Office, Silverlight, Microsoft Forefront, Developer Tools, and SQL Server.
[ SEE: Microsoft confirms SMB2 vulnerability, warns of code execution risk ]
The most serious issue being addressed is the SMB v2 flaw that exposes users to remote code execution attacks. Exploit code that provides a roadmap to launch attacks have been publicly released into the Metasploit Framework and into Immunity’s Canvas pen-testing platform.
Although only one documented issue is known, It appears Microsoft will be fixing multiple “vulnerabilities” in its implementation of the SMB v2 protocol.
[ SEE: Microsoft FTP in IIS vulnerability now under attack ]
The FTP in IIS vulnerability, first exposed in early September, is finally getting fixed. That flaw, which affects IIS 5.0 (Windows 2000), IIS 5.1 (Windows XP) and IIS 6.0 (Windows Server 2003), has been under attack for a few weeks.
Ryan Naraine is a journalist and security evangelist at Kaspersky Lab. He manages Threatpost.com, a security news portal. Here is Ryan's full profile and disclosure of his industry affiliations.
For daily updates on Ryan's activities, follow him on Twitter.
Subscribe to Zero Day via Email alerts or RSS.
