According to Henry, perhaps the bigger story this Patch Tuesday is Apple (and their lack of a formal Patch Tuesday like program).
Anyone with Internet access has been reading the stories of Apple products being hit with yet more malware. This time around an estimated 600,000 Macs are already infected, and Apple snubbed the researchers who found the botnet. Apple eventually released a patch that, as always, played down any sense of urgency that would let users make their own informed decision. If you happened to check for updates on your Mac recently, you would have seen a note that a Java patch is available:
“Java for OS X 2012-001 delivers improved compatibility, security, and reliability by updating Java SE 6 to 1.6.0_31.”
The original patch from Apple was released on April 3rd and was quickly followed by another patch on April 6th; it is assumed that a glitch in the original patch necessitated the second one.
No mention from Apple that 600,000 users were infected or that the exploit is clearly being used in the wild. According to Henry, if Apple wants to be taken seriously as an enterprise player, it has to stop hiding its issues and take a lesson from Microsoft: own up to the vulnerabilities and give users enough information to make educated decisions about how urgently a flaw needs remediation. It is also interesting to note that Apple addressed the issue (albeit quietly) about 7 weeks after Oracle released a patch for an eerily similar Java issue.
As we approach April 17, we get to deal with both filing our income taxes and a taxing bunch of patches from Microsoft and others. While the overall number of patches from Microsoft is light, we have four critical patches along with two important ones. They impact a wide array of platforms and applications, including Microsoft Windows, IE, .NET, Microsoft Office, SQL Server, Windows Server, Developer Tools and Forefront. Most concerning is that some of the critical issues impact the older legacy Windows XP platform; lately we have come to expect issues only on the current Windows 7 and Windows 2008 platforms.
Paul Henry, security and forensic analyst with Lumension, takes a closer look at the details from Microsoft.