8 Elements of Complete Vulnerability Management
Eight essential elements to help reduce your vulnerability to hackers.
For the second month in a row, Microsoft's Patch Tuesday includes multiple critical zero-day vulnerability fixes. One of those vulnerabilities affects most of us because it is in Office, versions 2003 to 2010. According to PC Advisor:
The MS12-027 security bulletin addresses a vulnerability found in Microsoft Office versions 2003 to 2010 -- excluding the 64-bit version of Office 2010 -- and is susceptible to attacks embedded in rich text format (RTF) files. Qualys CTO Wolfgang Kandek says limited attacks targeting this exploit have already been identified in the wild. Now that the vulnerability has been made public, he says it won't be long until more attacks are designed to exploit it.
Another vulnerability, MS12-023, is found in Internet Explorer. As Marcus Carey, security researcher at Rapid7, told me, fixing this vulnerability needs to be a top priority for all organizations because users could be compromised by drive-by exploits from Web pages with specially crafted malicious content.
Downloading the patches for both of these vulnerabilities is vital, but I have to admit that I'm slightly amused that security experts have some disagreement over which vulnerability should be the top priority. Carey said in his email to me that MS12-023 is the top priority, a thought which other experts share. The folks at Qualys suggest first attention should go to MS12-027.
I say it shouldn't matter which one is a priority. Everyone who uses Microsoft software should have their computer set up to automatically download any new updates. If you don't, a quick visit to Microsoft's download page will let you know if you have updates waiting to be installed, and then, with the click of a button, they all install at once. If a patch for a vulnerability is made available, in my opinion, that is a priority. While some vulnerabilities may leave you more susceptible to an attack than others, they are all an open back door that allows the bad guys to sneak in.
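As an added example (not from the original article), the PowerShell below uses the Windows Update Agent COM API to check the two things the paragraph asks for: whether Automatic Updates is set to install on its own, and which updates are still waiting to be installed. The function names are my own; it assumes an elevated PowerShell session on a Windows machine that can reach Windows Update.

```powershell
# Added example (not from the original article): report whether Windows
# automatic updates are enabled and list any updates still pending.
# Uses the Windows Update Agent COM API; run in an elevated PowerShell session.

function Get-AutoUpdateStatus {
    # Microsoft.Update.AutoUpdate exposes the Automatic Updates settings.
    $au = New-Object -ComObject Microsoft.Update.AutoUpdate
    $level = [int]$au.Settings.NotificationLevel
    # NotificationLevel: 1 = disabled, 2 = notify before download,
    # 3 = notify before install, 4 = scheduled (automatic) install.
    $labels = @{ 1 = 'Disabled'; 2 = 'Notify before download'
                 3 = 'Notify before install'; 4 = 'Scheduled install' }
    [pscustomobject]@{
        NotificationLevel = $level
        Description       = $labels[$level]
        Automatic         = ($level -eq 4)
    }
}

function Get-PendingUpdates {
    # Ask the Windows Update Agent for updates not yet installed (and not hidden).
    $session  = New-Object -ComObject Microsoft.Update.Session
    $searcher = $session.CreateUpdateSearcher()
    $result   = $searcher.Search("IsInstalled=0 and IsHidden=0")
    foreach ($u in $result.Updates) {
        [pscustomobject]@{
            Title    = $u.Title
            Severity = $u.MsrcSeverity          # 'Critical', 'Important', ... or empty
            KB       = ($u.KBArticleIDs -join ',')
        }
    }
}

$status = Get-AutoUpdateStatus
if (-not $status.Automatic) {
    Write-Warning "Automatic Updates is not set to install automatically ($($status.Description))."
}
$pending = @(Get-PendingUpdates)
if ($pending.Count -gt 0) {
    # Critical security updates sort first alphabetically, which is what we want to see.
    $pending | Sort-Object Severity | Format-Table -AutoSize
} else {
    Write-Output "No pending updates found."
}
```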
When Carey provided his Patch Tuesday comments to me last week, it was a few days before the patches were available. The descriptions of the problem areas were quite clear before the patches were available. According to PC World, hackers were already exploiting the vulnerabilities fixed in MS12-027, but exploits of the other vulnerabilities weren't known yet.