For IT administrators still trying to determine which of Microsoft's October 2007 security updates to deploy first, patch management experts have this suggestion: Worry about the Internet
Because Internet Explorer is installed on nearly every Windows desktop, attackers are most likely to go after the flaws outlined Tuesday in Microsoft's MS07-057 bulletin, a cumulative IE update that fixes four separate flaws, the most serious of which could allow remote code execution if a user views a specially crafted Web page in IE. Microsoft rated the update moderate for Internet Explorer 6 and 7 on Windows Server 2003 (where Enhanced Security Configuration limits exposure) and critical for all other supported releases of IE.
"Given that IE is so prevalent in the workplace, every time there's a critical issue we recommend people put that high up the list," said Don Leatham, director of solutions and strategy for Scottsdale, Ariz.-based Lumension Security. "Employees can be on what they think is a secure page when they are not [and] hackers can spoof trusted information. Some interesting hacks could come out of this."
In addition to deploying the MS07-057 fixes, he suggested that as a best practice IT administrators configure IE's security zones so that users' known-good sites sit in the Trusted sites zone and active scripting is disabled for everything else, so that script does not run if a user lands on an untrusted Web site.
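One way to audit and apply that zone configuration on a workstation, as an added example that is not part of the article and not a Lumension tool: the script below reads and sets the "Active scripting" action (registry value 1400, where 0 = enable, 1 = prompt, 3 = disable) for each IE security zone under the current user's Internet Settings key, and adds a host to the Trusted sites zone (zone 2) through the ZoneMap\Domains layout IE uses. The key paths, zone numbers and action codes are Microsoft's documented zone-settings layout; the hostname in the usage lines is a constructed placeholder.

```powershell
# Added example, not from the article or any vendor quoted in it.
# Audits and hardens IE security-zone scripting for the current user via the registry.
# Paths/values follow Microsoft's documented IE zone-settings layout; the hostname
# used at the bottom is a constructed placeholder.

$zonesKey   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$zoneMapKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'

# Action 1400 = "Active scripting"; 0 = Enable, 1 = Prompt, 3 = Disable
$scriptingState = @{ 0 = 'Enabled'; 1 = 'Prompt'; 3 = 'Disabled' }
$zoneName = @{ 1 = 'Local intranet'; 2 = 'Trusted sites'; 3 = 'Internet'; 4 = 'Restricted sites' }

function Get-IeZoneScripting {
    # Report the Active scripting setting for zones 1-4.
    foreach ($z in 1..4) {
        $val = (Get-ItemProperty -Path "$zonesKey\$z" -Name '1400' -ErrorAction SilentlyContinue).'1400'
        [pscustomobject]@{
            Zone      = $zoneName[$z]
            Scripting = if ($null -eq $val) { 'Not set' } else { $scriptingState[[int]$val] }
        }
    }
}

function Set-IeZoneScripting {
    # Set the Active scripting action for one zone.
    param(
        [Parameter(Mandatory)][ValidateSet(1,2,3,4)][int]$Zone,
        [Parameter(Mandatory)][ValidateSet(0,1,3)][int]$State
    )
    Set-ItemProperty -Path "$zonesKey\$Zone" -Name '1400' -Value $State -Type DWord
}

function Add-IeTrustedSite {
    # Map a host to the Trusted sites zone (2) for the given scheme.
    # IE stores "intranet.example.com" as Domains\example.com\intranet, so split it that way.
    param(
        [Parameter(Mandatory)][string]$Domain,
        [ValidateSet('http','https','*')][string]$Scheme = 'https'
    )
    $labels = $Domain.Split('.')
    if ($labels.Count -lt 2) { throw "Expected a dotted hostname, got '$Domain'" }
    $root = ($labels[-2..-1]) -join '.'
    $key  = Join-Path $zoneMapKey $root
    if ($labels.Count -gt 2) {
        $sub = ($labels[0..($labels.Count - 3)]) -join '.'
        $key = Join-Path $key $sub
    }
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name $Scheme -Value 2 -Type DWord
}

# Baseline before any change
Get-IeZoneScripting | Format-Table -AutoSize

# Disable scripting in the Internet zone, keep it enabled for Trusted sites
Set-IeZoneScripting -Zone 3 -State 3
Set-IeZoneScripting -Zone 2 -State 0

# Constructed placeholder host; replace with the sites users actually need
Add-IeTrustedSite -Domain 'intranet.example.com' -Scheme 'https'

Get-IeZoneScripting | Format-Table -AutoSize
```

These HKCU values are what the IE Internet Options dialog writes, so a user can change them back. In a domain, push the same settings through Group Policy instead (the Internet Explorer zone settings and the "Site to Zone Assignment List" under Administrative Templates), which stores them under the HKLM and HKCU Policies keys that override the per-user values shown here; the Get-IeZoneScripting function above does not read those policy keys, so run it as a check on an unmanaged machine or extend it to read the Policies paths as well.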
Amol Sarwate, research manager of the vulnerability research lab at Redwood Shores, Calif.-based Qualys, said the IE fix should be top priority because it addresses two zero-day issues. He said the spoofing flaw can be used for phishing attacks.
"[The flaw] enables an attacker to write malicious code that leads a victim to a Web site that looks legitimate, from the content all the way down to the address bar URL address," he said in an email. "Instead, it's a landing page where the hacker can phish for information that can be used to compromise their machine and, more specifically, their identity."
Eric Schultze, chief security architect at Shavlik Technologies LLC in Roseville, Minn., thinks attackers are more likely to launch exploit code for one of the two flaws Microsoft rated "important." MS07-058 fixes a denial-of-service flaw in the remote procedure call (RPC) facility caused by an error in how RPC communicates with the NTLM security provider when authenticating RPC requests; a crafted request can make the RPC service fail, which on Windows causes the system to restart. The flaw affects all supported editions of Windows 2000, Windows XP, Windows Server 2003, and Windows Vista.
"The RPC denial-of-service is the one I think corporate administrators should install first, because I expect we'll see exploit code for this shortly," he said in an email.
Microsoft security updates are typically followed by reports of deployment trouble in some IT shops. After the May patch release, for example, various blogs and discussion boards were full of reports about everything from DNS service failures to Windows Server Update Services (WSUS) malfunctions.
Some minor problems with the October updates have been reported so far.
Schultze noted that Microsoft forgot to digitally sign its Malicious Software Removal Tool for x64 systems. "This is the first month they've offered an x64 version of this tool," he said. "Forgetting to sign it is a very bad move on Microsoft's part."
Susan Bradley, a Microsoft MVP and IT administrator at Tamiyasu, Smith, Horn and Braun Accountancy Corp. in Fresno, Calif., said she's proceeding with caution on MS07-059, which fixes a cross-site scripting flaw in Microsoft Windows SharePoint Services 3.0 and Microsoft Office SharePoint Server 2007. Microsoft said an attacker could exploit the flaw to run malicious script in the context of a SharePoint user and gain elevated privileges within the SharePoint site, as opposed to elevation of privilege on the workstation or server itself. The same script could also modify the user's cache, resulting in information disclosure at the workstation.
Asked if she was running into any patching issues, Bradley said in an email, "The Sharepoint 3.0 patch has a list of watch-outs a mile long. I wouldn't be rushing to get that sucker out but would be backing up my Sharepoint first."
Edward Ziots, a Rhode Island-based network engineer, reported smooth patching so far, though his department is still in the testing phase.