If you are a server-only admin you can rest easy this month, except for any servers that have Microsoft Message Queuing (MSMQ) installed or that run Windows Media services: those are the only two patches that really apply to servers, and since neither is public you can take your time testing.
If you secure workstations, your month is very different. Six of the patches are targeted directly at workstations, and two of them (MS07-067 and MS07-069) are already public or being exploited, meaning you need to immediately implement the available workarounds or push the patch out with little or no testing.
Don’t forget that you can use group policy to automate many of the workarounds. For instance, this month you could use group policy to:
- Disable the Message Queuing (MSMQ) service (MS07-065)
- Disable SMBv2 via a custom administrative template (MS07-063)
- Set deny permissions on quartz.dll (MS07-064) and apply the equivalent permissions change for the Windows Media Format runtime (MS07-068)
- Disable the Macrovision secdrv.sys driver (MS07-067)
- Disable Active Scripting and ActiveX in Internet Explorer, except for trusted sites (MS07-069)
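The following script is an added example (mine, not the post's or Microsoft's) of what the group-policy workarounds above boil down to on a single machine, plus the custom .adm template the post recommends for the SMBv2 workaround. Function names, the template file name, the category and string names in the template, and the ACL backup path are my own assumptions; the Smb2 registry value and the IE zone value names are the ones the respective bulletin workarounds use and are not stated on this page.

```powershell
# Added example: apply the December-2007 workarounds locally and write the
# custom .adm template that pushes the SMBv2 workaround through group policy.
# Run elevated. All names below are illustrative assumptions.
$ErrorActionPreference = 'Stop'

# MS07-065: stop and disable Message Queuing (service name MSMQ) where installed.
function Disable-Msmq {
    $svc = Get-Service -Name 'MSMQ' -ErrorAction SilentlyContinue
    if (-not $svc) { Write-Host 'MSMQ is not installed; nothing to do'; return }
    Set-Service -Name 'MSMQ' -StartupType Disabled
    if ($svc.Status -ne 'Stopped') { Stop-Service -Name 'MSMQ' -Force }
}

# MS07-063: the bulletin workaround sets Smb2 = 0 (DWORD) under the server and
# workstation LanmanXxx\Parameters keys. Takes effect after a restart.
function Disable-Smb2 {
    foreach ($svc in 'LanmanServer', 'LanmanWorkstation') {
        $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$svc\Parameters"
        New-ItemProperty -Path $key -Name 'Smb2' -PropertyType DWord -Value 0 -Force | Out-Null
    }
}

# Same setting as an ADM template for a GPO. The key is outside the Policies
# branch, so GPEdit hides it until you clear View > Filtering >
# "Only show policy settings that can be fully managed". VALUEOFF DELETE means
# un-configuring the policy removes the value again once KB942624 is deployed.
function New-Smb2AdmTemplate([string]$Path) {
@'
CLASS MACHINE
CATEGORY !!Cat_Workarounds
  POLICY !!Pol_Smb2Server
    EXPLAIN !!Exp_Smb2
    KEYNAME "SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters"
    VALUENAME "Smb2"
    VALUEON NUMERIC 0
    VALUEOFF DELETE
  END POLICY
  POLICY !!Pol_Smb2Client
    EXPLAIN !!Exp_Smb2
    KEYNAME "SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters"
    VALUENAME "Smb2"
    VALUEON NUMERIC 0
    VALUEOFF DELETE
  END POLICY
END CATEGORY

[strings]
Cat_Workarounds="Patch Tuesday workarounds (temporary)"
Pol_Smb2Server="MS07-063: disable SMBv2 (server side)"
Pol_Smb2Client="MS07-063: disable SMBv2 (client side)"
Exp_Smb2="Sets Smb2=0. Remove this policy once KB942624 is deployed."
'@ | Set-Content -Path $Path -Encoding ASCII
}

# MS07-064: deny Everyone on quartz.dll (Vista/2003 SP2 form with icacls; on XP
# the equivalent is: cacls %windir%\system32\quartz.dll /E /P everyone:N).
# Save the ACL first so you can roll back after patching; until then the deny
# breaks DirectShow playback, which is the "reduces functionality" caveat.
function Set-QuartzDeny {
    $dll    = Join-Path $env:windir 'System32\quartz.dll'
    $backup = Join-Path $env:TEMP  'quartz_acl.txt'
    icacls.exe $dll /save $backup | Out-Null
    takeown.exe /f $dll | Out-Null
    icacls.exe $dll /deny 'Everyone:(F)' | Out-Null
    # Roll back later with: icacls.exe "$env:windir\System32" /restore $backup
}

# MS07-069: in the Internet zone (3) set "Run ActiveX controls and plug-ins"
# (1200) and "Active scripting" (1400) to Disable (3). Trusted Sites (zone 2)
# is left alone so the sites you trust keep working.
function Disable-IEActiveContent {
    $zone = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
    foreach ($v in '1200', '1400') {
        Set-ItemProperty -Path $zone -Name $v -Type DWord -Value 3
    }
}

Disable-Msmq
Disable-Smb2
New-Smb2AdmTemplate -Path (Join-Path $env:TEMP 'ms07-063-smb2.adm')
Set-QuartzDeny
Disable-IEActiveContent
```

Load the generated .adm under Computer Configuration > Administrative Templates in the GPO you use for the affected machines; the quartz.dll permission change maps to Computer Configuration > Windows Settings > Security Settings > File System, and the IE zone settings to User Configuration > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page. Whatever you push this way, record it, because each of these workarounds has to be reversed once the real patch is deployed.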
Other notes:
- Take my survey and get a free Security Log Mini-Seminar of your choice
- Register for “Filtering Out the Noise in the Security Log”
- Get $100 of my new Security Log Resource Kit. Use coupon code UWSGOLD.
| Bulletin (KB) | Exploit type / product | Principal type of systems exposed | Exploit details public? / Being exploited? | Comprehensive, practical workaround available? | MS severity rating | Vulnerable: Win 2000 | XP | 2003 | Vista / 2008 | Notes | Randy’s recommendation |
|---|---|---|---|---|---|---|---|---|---|---|---|
| MS07-063 (KB942624) | Arbitrary code / Windows | Workstations | No / No | Yes | Important | No | No | No | Yes | SMBv2 signing | Temporarily disable SMBv2; patch after testing. Create a custom administrative template to implement the workaround automatically via group policy. Use http://www.ultimatewindowssecurity.com/killbit.asp as a guide. |
| MS07-064 (KB941568) | Arbitrary code / Windows | Workstations and Terminal Servers | No / No | Yes | Critical | Yes | Yes | Yes | Yes | DirectX; restart may be required when patching; workaround reduces functionality | Patch after testing, or implement the workaround permissions change with group policy. |
| MS07-065 (KB937894) | Arbitrary code / Windows | Servers | No / No | Yes | Important | Yes | Yes | No | No | MSMQ is not installed by default; restart required | Disable Message Queuing via group policy; patch after testing. |
| MS07-066 (KB943078) | Privilege elevation / Vista only | Workstations | No / No | No | Important | No | No | No | Yes | Restart required | Patch after testing, if your end users are not already local administrators. |
| MS07-067 (KB944653) | Privilege elevation / Windows | Workstations and Terminal Servers | Yes / Yes | Yes | Important | No | Yes | Yes | No | Macrovision driver | Disable secdrv.sys; patch after testing. |
| MS07-068 (KB941569) | Arbitrary code / Windows | Workstations and Terminal Servers | No / No | Workstations: yes | Critical | Yes | Yes | Yes | Yes | Windows Media Format; no workaround for servers; restart not required if the service can be stopped | Patch after testing or, for workstations, implement the workaround permissions change with group policy. |
| MS07-069 (KB942615) | Arbitrary code / Windows | Workstations and Terminal Servers | No / Yes | Not unless your users will let you get away with disabling Active Scripting and ActiveX in IE | Critical | Yes | Yes | Yes | Yes | Internet Explorer 6 and 7, multiple vulnerabilities; restart required | Patch immediately, or disable Active Scripting and ActiveX except for trusted sites. |
Disclaimer: We do our best to provide quality information and expert commentary but use all information at your own risk.