Tomorrow Microsoft will release an operating system patch that represents the largest number of system fixes in Microsoft history. PCWorld gave the details in a post updated yesterday:
Microsoft says it will deliver its largest-ever number of security updates on Tuesday to fix flaws in every version of Windows, as well as Internet Explorer (IE), Office, SQL Server, important developer tools and the enterprise-grade Forefront Security client software.
Last week Microsoft issued an advisory on a new vulnerability in the IIS FTP service. The vulnerability already has a published exploit and can allow an attacker to execute unauthorized code on the target. Details of the vulnerability are available at the US-CERT website. If you have an anonymous account on your FTP server, you are especially at risk because an attacker would not need to steal credentials to use this exploit.
To me the key to this issue is that a fix won’t be included in today’s Microsoft security patch release. There simply wasn’t enough time to identify, code and test the patch before it was released. Microsoft complained that the security researcher didn’t report the vulnerability responsibly. While this may be true, it certainly highlights the weakness of a desktop security plan that relies on patching and antivirus signatures.