Critical Patch Tuesday Misses Serious gap in FTP
Before the dust even settled on Patch Tuesday, Microsoft confirmed a bug in several versions of its Windows operating system that could leave the door open to malicious hackers. Windows Vista, Windows Server 2008, and the release candidates of Windows 7 and Windows Server 2008 R2 are vulnerable.
“An attacker who successfully exploited that vulnerability could take complete control of an affected system,” Microsoft’s advisory said. “Most attempts to exploit that vulnerability will cause an affected system to stop responding and restart.”
Microsoft confirmed that hackers are actively using exploits of the FTP bug to attack Web servers. Until a patch is available, Microsoft recommends users disable SMB 2 by editing the Windows Registry or blocking TCP ports 139 and 445 at the firewall. However, that workaround disables the browser and several other applications.
Patch Tuesday Review
Beyond the unexpected Patch Tuesday drama, Microsoft released five critical advisories to address eight vulnerabilities. The focus is on the Windows operating system family, and all versions are affected except Windows 7. There are critical vulnerabilities in the JavaScript engine, the wireless LAN autoconfig service, Windows Media, Windows TCP/IP, and the editing component of DHTML Active X.
Of the five critical patches, two will require mandatory restarts, causing some level of disruption within the enterprise, according to Paul Henry, Lumension safety measure and forensic analyst. Leading the pack that month, however, is Microsoft Vista with four critical vulnerabilities.
“This brings up an interesting situation, as Windows 7 and Windows 2008 R2 were released to manufacturing (RTM) early last month, which means many Microsoft partners and corporate customers will have started using and evaluating these two new platforms,” Henry said. “These early adopters are covered that month as Microsoft has identified these new platforms as non-affected for all five September updates.”
Shaking Consumer Confidence
Microsoft hasn’t seen a serious bug in its…
[Source] dhiram