TLS flaw not included in this month's patch update from Microsoft

Lumension Security : 07 December, 2009  (Technical Article)
Six patches will be released by Microsoft on Tuesday for December, including a high-impact patch affecting Windows 7, XP and Vista which requires a restart.
Matthew Walker, Regional Director UK & Ireland at Lumension comments on the six patches set to be released by Microsoft on Tuesday.

"For December's Patch Tuesday, Microsoft is planning to release six patches, three of which are critical. Of these three, Bulletin 4 will have the broadest impact as it will affect all user machines across the entire organisation. It is critical across Windows 7, Vista and XP, requires a restart and impacts all versions of Internet Explorer (6, 7 and 8). IT departments need to be prepared to quickly assess and patch all end user machines throughout their organisation.

"Bulletin 1 is also rated critical for Windows Server 2008 and requires a restart. If IT teams have Windows Server 2008 deployed in support of mission critical applications, this update could be disruptive. If the associated vulnerabilities are rated high on Microsoft's exploitability scale, organisations may be forced to pull production servers out of service for patching.

"Bulletin 3, also labelled as critical, is very narrow in focus as it is an application vulnerability for Microsoft Project 2000. Since the large majority of people use later versions of Microsoft Project, any attack surface associated with this update should be fairly narrow. Nonetheless, IT teams should ensure that they have identified all instances of Project 2000 that may still exist in their organisation.

"One thing to note: it appears that Microsoft is not issuing a patch for the recently announced TLS flaw that will most likely force updates to all brands of browsers and all SSL/TLS internet servers using SSL/TLS. Although organisations will have to wait until Patch Tuesday for confirmation, we are led to believe that Microsoft has chosen not to address this vulnerability in this round of patches. There is controversy in the security community as to the true importance of speeding a fix to market for this flaw, and no widespread exploits have been reported.

"In summary, IT teams should be ready to immediately deploy the upcoming critical IE patch to all user machines (Bulletin 4) and to patch all Windows 2008 Servers (Bulletin 1), with Bulletin 4 being the most timely and critical of the two patches."
   © 2012 ProSecurityZone.com