Patch/Configuration Management, Vulnerability Management

Microsoft readies five fixes for September security update

Microsoft plans to distribute five patches -- all labeled "critical" -- in Tuesday's monthly security update.

All the bulletins will address flaws in Windows, according to an advance notification released Thursday. Four of the patches impact all supported versions of the operating system, while one does not involve Server 2008 or Vista. Few other details emerged in the notification.
There remains one known, unpatched Microsoft vulnerability: An FTP server bug, present in older versions of Internet Information Systems, that was disclosed Monday on the exploit repository Milw0rm. One day later, Microsoft acknowledged the flaw.

However, a patch for the vulnerability is not expected to arrive Tuesday, Jerry Bryant, a Microsoft security program manager, said Thursday on a company blog. He said engineers are "working hard" on a fix and, in the meantime, recommended that users review an earlier advisory, which contains workaround options.

Andrew Storms, director of security operations at vulnerability management firm nCircle, told that he instead expects the update Tuesday to patch "something deeply rooted in the operating system," such as an issue with the Graphics Device Interface (GDI) or Active Template Library (ATL).

Even though it is likely none of the patches will remediate previously known problems, administrators still should take them seriously.

"The likelihood of exploits coming out post-Tuesday are generally pretty fast anyway," Storms said Thursday. "That time from release to exploit has increasingly gotten shorter over the years."

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.