9 for 9: September's Patch Tuesday To Remember
It's going to be a big week for Microsoft where security is concerned.
First off, there's the relatively hefty patch release to consider this Tuesday.
Security pros will be looking to see if Microsoft addresses the Dynamic Link Library hijacking issue this month.
Then the world will find out if Internet Explorer 9 makes any marked improvements on browser security as the software giant launches the browser into beta testing. It seems there was a leak of some demonstration video for the Beauty of the Web Event in San Francisco on Sept. 15. (This blogger will be attending.)
The chatter coming in the wake of the leak suggests that IE9 may be crafted in the mold of Google's Chrome Browser, which depends on sandboxing techniques and whitelisting of Web destinations to guard against threats.
It's a busy week indeed.
Redmond Pitches In on Adobe Zero Day
Late last week Adobe issued a security advisory regarding a new "critical" vulnerability in Adobe Reader 9.3.4 PDF files. The bug also affects earlier versions for Windows, Macintosh and Unix, and Adobe Acrobat 9.3.4 and earlier versions on Windows and Macintosh.
Microsoft is touting its Enhanced Mitigation Experience Toolkit (EMET) as an antidote to the bugs in PDFs on Windows systems in a blog post.
"The good news is that if you have EMET enabled ... it blocks this exploit," wrote Fermin Serna and Andrew Roths, two engineers with the Microsoft Security Response Center, on the group's blog.
New Zero Day in IE8?
Never mind how secure IE9 might be. Microsoft still has to continue to support IE 8 and earlier versions.
IT security pros are all "a twitter" (for lack of a better phrase) about a discovery by Google security researcher Chris Evans of a possible "data stealing" bug in IE 8.
Speaking of "a twitter," Jason Miller, data and security team manager for Shavlik Technologies, pointed out that the Microsoft Security Response Center recently tweeted on the mini-blog site Twitter about a possible zero day exploit with Internet Explorer 8.
Redmond has not yet issued a security advisory or indicated that they are investigating the issue.
"The reported vulnerability about an Internet CSS bug was publicly disclosed, but there have been no reports of attacks yet. As Microsoft is investigating this issue, we fully expect a security advisory to be released with this issue soon," said Miller.
Either way, until Microsoft fully researches the issue and officially announces an investigation, it's much ado about nothing.
Miller added, "It is very important to wait for vendor confirmation with zero day exploits. Security researchers that publicly disclose vulnerabilities may not have all the information. We have seen this recently with publicly disclosed information that was not entirely correct."
Microsoft weighing in on the issue officially -- when and if they do -- will provide administrators with precise information and actions they can take to help mitigate the risk, if any exists.
Jabulani Leffall is an award-winning journalist whose work has appeared in the Financial Times of London, Investor's Business Daily, The Economist and CFO Magazine, among others.