jginspace writes: "As per the advance notification, Microsoft's monthly security bulletin, released yesterday addressed five general Windows issues and one in Visual Studio. It also included a fix for a problem in Outlook Express for a total of seven updates.
As patch Tuesdays go it was fairly unremarkable. The only general Windows update labelled as 'critical' is for a flaw in Media Player. As usual, there's a cumulative update for Internet Explorer, and it does sound quite nasty - there are two critical script-related vulnerabilities and Secunia has already issued an advisory. Significantly, only versions of Internet Explorer versions 5 and 6 are affected. Version 7 is clean - which is welcome news as this is the first round of updates since the upgrade was pushed to world+dog last month as part of Windows Update.
Sans is calling this 'Black Tuesday' and recommends patches be applied urgently for the Visual Studio and Media Player vulnerabilities. The Visual Studio update is for version 2005. Sans indicate that there are already known exploits circulating for the SNMP vulnerability but currently none targetting the latest flaws in IE. However if you really have to use IE I recommend using a metabrowser such as Maxthon, Avant or SlimBrowser. Sans is recommending the Heise Offline Update utility covered in a previous story."
jginspace writes: "Vulnerabilities seem to be flavour of the month, what with exploits for Oracle and OS X being in the news just lately.
Microsoft probably won't be outdone. Watch this space - next advance notification is Thurs Dec 7th. It should give you a modest idea of how vulnerable - potentially and currently - you are. Vulnerabilities are exploited quickly once the miscreants know where to look - see previous journal entry - so with advance notice you'll have an idea whether you should be taking steps to boot Linux for a few days, make sure you're running as non-admin, making sure that firewall is up, turning off unnecessary services or getting used to running Open Office instead of the Microsoft version.
Remember the next bunch of updates will be the first since Internet Explorer 7 was pushed out to world+dog via Windows Update. Previous versions of IE made near-monthly appearances so the second Tuesday security bulletin will be an indication of whether Microsoft have really sorted out their browser issues or whether it's a case of more of the same."
Last month Microsoft Office took the limelight; this month "Remote Code Execution" targetting the core services seems to be de rigeur. Keep your systems patched, don't run unecessary services and don't run more than you have to as administrator. Sign up for notifications here."