The nCircle PPI is created by nCircle’s Vulnerability and Exposure Research Team (VERT), a group of highly skilled security research engineers that develop vulnerability and configuration checks for nCircle’s agentless auditing solutions. VERT uses a range of unique sources and reviews a variety of criteria, selecting the most severe issues that can be patched in a given month as candidates for the list. For a vulnerability to be included on the PPI list, it MUST have a patch available. VERT researches each vulnerability and ranks them using the following criteria:

·         Attack Vector
·         CVSS Score
·         Availability of Public Exploit Code
·         Popularity of the Service or Software
·         Customer Feedback
·         Worst-Case Attack Scenarios
·         Attack Outcome

“Deploying software patches is a complex process even for smaller organizations,” said Lamar Bailey, director of security research and development for nCircle. “Companies need deep security knowledge to identify and prioritize the software updates that will translate into the greatest security improvements. VERT’s security experts created PPI to give every business access to an up-to-date, prioritized ‘patch immediately’ list that translates directly into a more security network.”

The nCircle Patch Priority Index will be updated monthly and is publicly available to any IT security professional.

The plague of rogue AV scareware apps has been a source of controversy and heated debate over the past few weeks. Mac users are trained to believe the OS is impervious, making them easier targets for social engineering attacks like MacDefender.

Apple initially stayed out of the fray, and directed support techs not to get involved with eradicating the malware from Mac systems, but eventually Apple acknowledged the threat and developed this update to address the problem.

Mac users should download and apply the update immediately.

Microsoft used to release security bulletins and patches ad hoc as they arose, but switched to the Patch Tuesday monthly release cycle to make it easier for IT admins. The regular, predictable release of updates enables IT departments to be prepared and have the appropriate resources allocated to analyze and deploy the batch of patches.

Most software doesn’t have any such patch management framework, though–putting the burden on IT admins to try to keep up with vulnerability details and patch releases. The lack of a consistent patch release and deployment schedule results in vulnerabilities that fall through the cracks and remain unpatched.

Some attacks leverage previously unknown zero-day vulnerabilities, but many viruses, worms, and other types of malware often attack vulnerabilities which are already known, and for which patches have already been published. Norman–a security and patch management company–claims that nearly two dozen new vulnerabilities are discovered on average each day. 

Paul Henry, Forensic & Security Analyst at Lumension, points out, “Time and time again, we’re finding that spear phishing exploits are taking advantage of the weaknesses in third party applications,” adding, “While the rest of the world is focusing on Windows, the bad guys are taking advantage of the applications we aren’t patching with free patch software that Microsoft makes available.”

“IT departments should make patch and remediation a priority,” said Audun Lodemel, vice president, Norman Marketing, “Remember to look into all your OS platform and applications vulnerabilities, not just focus on Microsoft issues around Patch Tuesday.”

Bottom line: Microsoft makes it easy because Patch Tuesday is reliable, and predictable, and Microsoft provides the tools to download and implement the latest updates for both consumer and business systems. But, don’t get lazy and forget that you have a wide variety of software installed on those systems, and that those applications are just as likely to contain exploitable flaws.

Microsoft has only three security bulletins planned this month. Two affect Windows, and one addresses issues with Microsoft Office. One of the two slated for Windows is Critical, while the second is rated Important. The Microsoft Office bulletin is ranked as Important as well, and all three may require a system reboot for the update to complete.

Amol Sarwate, manage of the Vulnerability Research Lab for Qualys, passed on this analysis of the Patch Tuesday advance notification. 

“The critical update affects Windows XP, Vista and Windows 7 while Windows Sever 2003 and Server 2008 are not affected. One of the important updates affects all Windows operating systems and we expect it to be for the MHTML Information Disclosure issue which was left un-patched in last month’s patch cycle (2501696). The other important update patches the little known Office Groove 2007 software.”

• Adobe Reader and Acrobat
• ColdFusion
• Adobe Shockwave Player
• Adobe Flash Player