Jan 24, 2010

Protecting against vulnerability CVE-2010-0249

On Thursday, 1/21, Microsoft released an out-of-band patch for CVE-2010-0249; this was the vulnerability that was exploited during the 'aurora operation' against Google and 30+ other companies over the last month. The press coverage and political context make this a high-profile attack, and a story rife with confusion and concern amongst CISOs.

So, we performed some initial testing. On Friday, 1/22, NSS Labs validated that the patch was effective on IE6 on Windows XP SP2 and IE8 on Windows 7 against multiple variants of the exploit. This means that the patch appears to cover the vulnerability and multiple variants, and should be applied as soon as possible. The downside is that if you have thousands of PCs, this will take a while, including your own test cycle. Many organizations schedule monthly updates to desktops and servers, so you could be waiting a while.

And in the meantime? That's what security products like Network IPS and endpoint protection (which should include Host IPS) are for. But depending on your vendor's release schedule, and your acceptance/deployment schedule, some waiting/exposure could be involved as well.