Re: Internet Explorer Vulnerability

["Flynn, Gerald" <flynngn () JMU EDU>]

> -----Original Message-----
> From: The EDUCAUSE Security Constituent Group Listserv
> [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Hudson, Edward
> Sent: Friday, December 11, 2009 1:58 PM
> To: SECURITY () LISTSERV EDUCAUSE EDU
> Subject: [SECURITY] Internet Explorer Vulnerability
>
> Has anyone run into any issues rolling in the MS Patch regarding this
> IE bug?

Not yet.

Two good early warning systems:

-Your students (assuming they get the updates directly from Microsoft and
 heed automatic updates)

-The Microsoft usenet groups, particularly Microsoft.public.windowsupdate@
 msnews.microsoft.com. It is probably readable through google groups too. 
 If there is a common problem, you'll see a lot of common threads. In five 
 years of patching with WSUS the two patches causing problems in our 
 environment were flagged here first within three days.

> Also curious as to the expediency of implementation given that
> it is nearing holiday break, finals weeks etc. TIA
> http://www.microsoft.com/technet/security/Bulletin/MS09-072.mspx

Microsoft says exploit code is likely within 30 days and that the
exploit code is apt to be reliable. When a vendor tells me that,
I tend to take it seriously. The only saving grace is that they
appear not to be simple stack overflows which seem to tend to allow
reliable exploit code to be generated in days.

There is already unreliable exploit code out there for one of
the defects disclosed before the patch was released.

http://blogs.technet.com/srd/archive/2009/12/08/assessing-the-risk-of-the-december-security-bulletins.aspx
http://www.microsoft.com/technet/security/bulletin/ms09-dec.mspx