MS Patch Tuesday Leaves 3 Critical Flaws Unaddressed

Microsoft yesterday released a package of five Security Bulletins offering fixes for a total of eight vulnerabilities. While it's news worth celebrating, unfortunately the software company has also failed to address three other zero-day vulnerabilities.

Browse And Get Owned, Drive-By Attacks Addressed

All five of the Security Bulletins Microsoft has addressed were outlined in September and deemed "critical" -- the highest level of concern. Three out of five of the issues taken care of by Microsoft fix issues associated with "browse-and-get-owned" attacks, otherwise known as "drive-by" attacks. These problems occur when a user stumbles upon a legitimate looking (but otherwise malicious) website or program and find their systems infected.

Of the remaining issues addressed, two involve network problems that could lead to remote code execution. Another, involving flaws in the Windows Media format, could also allow for remote code execution.

Three Zero-Day Exploits Unaddressed

As for the flaws remaining unaddressed, security experts appear very concerned that Microsoft hasn't yet issued a patch for them. Speaking to the media yesterday, Lusmension forensic and security analyst Paul Henry noted that each of the three zero-day vulnerabilities need to be addressed by Microsoft as soon as possible. (Source: informationweek.com)

According to reports, Microsoft knows about the flaws -- most of which involve Internet Information Services (IIS) vulnerabilities -- but it's not yet known just how long they've been aware of their presence. For its part, Microsoft has claimed that those reporting the Internet Information Services vulnerabilities did not do so responsibly.

As for the issues that can be addressed right now with Microsoft's latest patch, experts are suggesting users first install/apply MS09-048, which addresses three vulnerabilities in Windows TCP/IP (the Internet Protocol Suite). (Source: crn.com)