Archive for the 'Patch Management' Category

by mb
on Apr 1st, 2007

Out-Of-Band IE Patch Coming Tuesday

In response to much attention on the ANI vulnerability in IE, Microsoft has decided to release security bulletin MS07-017 this Tuesday, a week earlier than scheduled. “Microsoft is aware of the existence of a public attack utilizing the vulnerability,” a Microsoft spokesperson said, “Since testing has been completed earlier than anticipated, Microsoft has released the update ahead of schedule to help protect customers.”

The impact of this particular vulnerability should be minimal if you follow security best practices and use some common sense, but it is always best to apply the patch as soon as it is available. The patch modifies a number of IE binaries so it should be tested in your environment, especially with any line-of-business applications, before any widespread deployment.

Note that Microsoft will deploy the patch via Automatic Updates so users with that enabled will not need to take any additional action to install this patch once it becomes available.

Apparently because currently planned releases did not meet testing standards, Microsoft decided to postpone all patches for this month, so you can all let next Tuesday roll by like any other Tuesday.

Microsoft will, however, be releasing several non-security updates through Windows Update.

According to a Microsoft spokesperson, the last time Microsoft did not have any security updates was September of 2005.

by mb
on Dec 14th, 2006

Don’t forget the KB’s

With Microsoft’s ongoing improvements to the patch management process, you may find yourself letting automation take over on patch Tuesday. I sat down at my PC this morning and saw that it had rebooted because it automatically installed new updates. Although I spent half the day yesterday writing patch reports for several clients, I forgot to apply the patches on my own system. The fact is that nowadays you can get away with doing that.


by mb
on Oct 19th, 2006

MS06-061 Re-Release for Win2k

I post this because patch re-releases are easy to overlook, especially when they are off schedule. According to a Microsoft spokesperson, the original patch itself is not flawed; it just fails to correctly set the kill bit for the Microsoft XML Parser 2.6.

The kill bit is a registry setting that prevents Internet Explorer from creating the object in the browser. This is a defense-in-depth measure that reduces exposure to any future exploits of this object.
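Because the fix in this re-release is entirely about one registry value, it is worth knowing how to verify it yourself rather than trusting the bulletin's install log. The following PowerShell is an added example, not code from the original post or from Microsoft: it reads the "Compatibility Flags" DWORD under the IE ActiveX Compatibility key for a given CLSID and reports whether the kill bit (0x400) is set, and can set it as a mitigation. The CLSID below is a placeholder, since the post does not list the MSXML 2.6 control's CLSID; substitute the one you are checking.

```powershell
# Added example (not from the original post): audit and set the Internet Explorer
# ActiveX kill bit for a given CLSID.
# IE consults HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}
# and treats bit 0x400 in the "Compatibility Flags" DWORD as "do not instantiate".
# On 64-bit Windows the 32-bit IE reads the Wow6432Node copy of the key as well.

$KillBitFlag = 0x400

function Get-ActiveXCompatPath {
    param(
        [Parameter(Mandatory)][string]$Clsid,
        [switch]$Wow6432
    )
    $base = if ($Wow6432) {
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
    } else {
        'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'
    }
    return Join-Path $base $Clsid
}

function Test-KillBit {
    # Returns $true only if the key exists and bit 0x400 is set in Compatibility Flags.
    param(
        [Parameter(Mandatory)][string]$Clsid,
        [switch]$Wow6432
    )
    $path = Get-ActiveXCompatPath -Clsid $Clsid -Wow6432:$Wow6432
    if (-not (Test-Path $path)) { return $false }
    $flags = (Get-ItemProperty -Path $path -Name 'Compatibility Flags' `
              -ErrorAction SilentlyContinue).'Compatibility Flags'
    if ($null -eq $flags) { return $false }
    return (($flags -band $KillBitFlag) -ne 0)
}

function Set-KillBit {
    # Mitigation: OR the kill bit into any existing flags so other bits are preserved.
    param(
        [Parameter(Mandatory)][string]$Clsid,
        [switch]$Wow6432
    )
    $path = Get-ActiveXCompatPath -Clsid $Clsid -Wow6432:$Wow6432
    if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
    $existing = (Get-ItemProperty -Path $path -Name 'Compatibility Flags' `
                 -ErrorAction SilentlyContinue).'Compatibility Flags'
    $new = if ($null -eq $existing) { $KillBitFlag } else { $existing -bor $KillBitFlag }
    Set-ItemProperty -Path $path -Name 'Compatibility Flags' -Value $new -Type DWord
}

# Placeholder CLSID: replace with the control you are auditing (the post does not give it).
$clsid = '{00000000-0000-0000-0000-000000000000}'

if (Test-KillBit -Clsid $clsid) {
    "Kill bit is set for $clsid"
} else {
    "Kill bit is NOT set for $clsid (run Set-KillBit -Clsid $clsid from an elevated prompt to set it)"
}
```

Run the audit from an elevated prompt on a Windows 2000 machine after applying the re-released MS06-061 package; if the kill bit is still absent, the update did not take and the control remains instantiable in the browser.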

The update only affects the Windows 2000 version of the patch; other operating systems are not affected.