Microsoft on Tuesday released six patches that address 15 vulnerabilities. Here's a look at what security experts are saying about the vulnerabilities, patches and what should concern users.

"There are three vulnerabilities this month that target a listening service. While none of them are likely to be considered great candidates for exploit, they are worth noting as they all primarily affect the enterprise. While Web Services on Devices affects Vista and Server 2008, the attack vector requires that you be on the local subnet, meaning the home user is unlikely to see any real risk." - Tyler Reguly, senior security engineer for nCircle

"MS09-066 affects corporate networks as it addresses a vulnerability in Active Directory. It is unlikely that the home user will be running a license logging server or have Active Directory up and running. A successful exploit can result in denial-of-service on the system. All operating systems other than Windows 2000 require valid credentials to send a specially crafted packet. This vulnerability will be difficult to exploit though. If an attacker already had valid credentials, they would do more damage than a denial-of-service attack on a server. A specially crafted packet sent to a Windows 2000 machine can result in an unresponsive machine that requires an unscheduled reboot." - Jason Miller, data and security team leader for Shavlik Technologies

"The Embedded OpenType font kernel vulnerability [MS09-065] is the most serious in our opinion. For Windows 2000 servers, like MS09-064, these machines should be patched immediately. Not only is proof-of-concept exploit code publicly available, but all that's required of a user to become infected by it is simply viewing a compromised Web page. Symantec isn't seeing any active exploits of this in the wild yet, but we think attackers will be paying a lot of attention to it in the future." - Ben Greenbaum, senior research manager at Symantec Security Response

"One of the nice things that you will see today is that Windows 7 and Windows Server 2008 are not affected by any of these patches." - Richie Lai, director of vulnerability research for Qualys

Follow John on Twitter: http://twitter.com/johnfontana