On Patch Tuesday this week, Microsoft issued five security bulletins addressing eight vulnerabilities, six of which are rated as critical.
“The two vulnerabilities attackers are most likely to target involve the way Windows handles ASF and MP3 media files,” says Grant Brown, endpoint security specialist at Symantec. “We’ve seen similar exploits in the past and all a user would have to do is visit a compromised Web site hosting one of these malicious files, which could be an MP3, WMA or WMV file, and they could become infected.”
“A patch has not yet been made available for the Internet Information Services vulnerability made public last week,” Brown adds. “Until a patch for this is issued, as a temporary workaround we suggest IT administrators using IIS 5.0 and 6.0 turn off anonymous write access immediately. We also recommend using a firewall and restricting access to creating directories. Those using IIS 7.0 with FTP Service version 6.0 installed should upgrade to FTP Service version 7.5.”
Symantec strongly encourages users to patch their systems against these vulnerabilities. In addition, enterprises are encouraged to consider implementing an automated patch management solution to help mitigate risk.