Tangled Web Blog

August Wednesday Wrap-Up: Patch Tuesday in a Nutshell

It’s that time of the month again and Microsoft really came out with a bang releasing a record-breaking number of patches, tying with June for the number of vulnerabilities targeted and also tying with October 2009 for the number of critical bulletins.

In the August 2010 Patch Tuesday release, Microsoft issued 14 bulletins targeting 34 vulnerabilities. Here’s a quick overview of the bulletins:

  • Eight bulletins are labeled “Critical”
  • Six bulletins are labeled “Important”
  • 10 bulletins involve remote code execution
  • 18 vulnerabilities have an exploitability index of 1.

And now a summary of the August Patches:

  • Since the sheer volume of updates and vulnerabilities can be overwhelming, Schwartz client Qualys separated the updates into three groups, identified by vulnerability targets: end-users and Internet browsing, file format vulnerabilities and Windows OS.
  • Of the six vulnerabilities targeting end-users and Internet browsing, all are ranked as critical, and four have an exploitability index of 1.
  • Silverlight and other media file formats are a key target for hackers due to the increasing use of video, emphasizing the importance of these updates. In a Computerworld article, Silverlight was said to be installed on approximately 60 percent of PCs, whether users are aware of the installation or not.
  • Accompanying the release of the August patches was an advisory that warns of a problem that could elevate user privileges on a PC. The problem affects Windows XP, Vista, Windows 7, Server 2003 and 2008, and impacts the Windows Service Isolation feature.

Reminder!
August is the first cycle of patches to come out after the end of XP SP2 support. It’s important to note that XP SP2 users will still find themselves at risk regarding these vulnerabilities, but now they will be unable to update their systems with the latest round of patches.

Activity Beyond the Patches
The last four weeks have been busy with improvements to the status of vulnerability disclosures within the industry, a topic that has been top of mind in the last few Wednesday Wrap-Up posts. Although many vendors have not agreed to a bug bounty program, new programs in place will force vendors to fix a bug sooner rather than later.

TippingPoint’s Zero Day Initiative is a great step forward for vulnerability disclosures as it gives a firm deadline as to when the vulnerabilities will need to be fixed. According to an article by Elinor Mills, TippingPoint will give vendors six months to fix a vulnerability. If it is not fixed in that timeframe, TippingPoint will release limited details on the vulnerability. Worth noting is that extensions can be granted, but they will be decided on a case-by-case basis.

Is this a trend?
What’s most interesting is that it appears Microsoft is falling into a light-month, heavy-month trend, releasing a few bulletins one month, then a record number of bulletins—targeting double-digit vulnerabilities—the next. There also seems to be potential for an increasing number of out-of-band patches as more vulnerabilities are identified.

It will be interesting to see if this trend continues, especially with the Coordinated Vulnerability Disclosure (CVD) program and Zero Day Initiative in place.

What do you think we can anticipate from Microsoft over the next four weeks?

Tags: Coordinated Vulnerability Disclosure, CVD, exploitability index, Microsoft vulnerabilities, Patch Tuesday, Qualys, record Patch Tuesday, vulnerability disclosures, Zero Day Initiative

Posted by Kristin Forte Allaben on August 11, 2010 at 9:18 AM
