Today was Microsoft‘s final Patch Tuesday of 2009. Microsoft released a total of six new security bulletins, the most urgent one affecting a zero-day flaw in Internet Explorer for which exploit code already exists.
Barring any urgent security issues or exploits circulating in the wild to force an out-of-band update, the total number of security bulletins for 2009 is 74–a 5 percent drop from the 78 security bulletins released in 2008.
Deal with MS09-072 First
Experts are unanimous that the MS09-072 security bulletin, which includes the cumulative security update for Internet Explorer, is by far the most urgent patch released by Microsoft today.
Andrew Storms, director of security operations for nCircle, said in an email “Topping today’s news from Microsoft is the fix for a critical zero-day bug in Internet Explorer. The vulnerability became a top security concern for users when exploit code became publicly available. In recognition of the critical nature of the problem, Microsoft made the fix a top priority and delivered it in about two weeks.”
Another nCircle security expert, senior security engineer Tyler Reguly, agreed “Number one on everyone’s hit list today should be MS09-072, the IE patch, as this includes a patch for the current IE 0-day vulnerability. Patching IE is always crucial but given the public exploit, this should be patched as quickly as possible.
I spoke with Amol Sarwate, manager of Qualys Vulnerabilities Research Lab, who summed it up “MS09-072 is definitely the most urgent. The vulnerability was made public three weeks ago. Attackers have had three weeks to work with the proof-of-concept and develop a workable exploit. If you can only do one patch, do that one.”
Reguly said that beyond MS09-072 the rest of today’s security bulletins are sort of a random mash-up of fixes. They involve a most of the alphabet and a number of acronyms, affecting LSASS, ADFS, and IAS for starters.
In the grand scheme of things, though, there is nothing very urgent once you patch Internet Explorer. Reguly recommends that organizations take the time to properly test the remaining patches before deploying.
Internet Explorer Fail
You may not have noticed, but “Cumulative Update for Internet Explorer” is a permanent fixture on the monthly list of security bulletins from Microsoft, and as far as I can recall it is always rated as Critical. As more applications and services are run directly from the cloud, the Web browser will become even more of a security Achilles heel.
I talked with Qualys chief technology officer Wolfgang Kandek who noted that a significant percentage of Qualys customers still rely on Internet Explorer 6. He suggested that most of the weaknesses being faced could be eliminated by simply adopting Internet Explorer 8.
nCircle’s Storms’ points out, however, that “Microsoft’s secure code development practices are going to come under scrutiny again because today’s IE update includes fixes for two previously non-public exploits that only affect IE8, the newest browser from Microsoft.”
Storms’ elaborated “There’s no way for Microsoft to avoid the speculation that these bugs should have been found during the software development and quality assurance cycle, but the reality is that this was bound to happen. Every product has bugs and more features means greater attack surfaces.”
Don’t Drag Yourself Down
Kandek feels that Microsoft is firmly focused on Windows 7 and would like to keep its eyes–and developers–on the future, but that the massive base of Windows XP installations can’t be ignored. As much as Microsoft might like to walk away from supporting the legacy operating system, Windows XP will still be around for a while.
Its worth noting that Windows 7 has not been directly affected by any of the 12 security bulletins that have been released since it hit the streets. Windows 7 is peripherally affected by the Internet Explorer issues addressed in MS09-072, and there is the ongoing exploration into what is causing the mysterious black screen of death, but no confirmed Windows 7 flaws as of yet.
Overall, though, Internet Explorer 6 is like swiss cheese compared with IE8 from a security perspective. Its also a nightmare for Web Administrators and users who try to do things like view Web pages. The recent Microsoft Security Intelligence Report showed that Windows XP is 75 percent more likely to be compromised than Windows 7.
As weak as those two products are compared with their more modern equivalents, many organizations still rely on them. Those organizations need to take another look at Windows 7 and Internet Explorer 8 and the potential savings in terms of support.
Using Windows XP and Internet Explorer 6 and then complaining about the security of Microsoft products is like driving your car around dragging a boat anchor and then complaining that you’re getting poor gas mileage.
Tony Bradley tweets as @PCSecurityNews, and can be contacted at his Facebook page.