Yesterday was Microsoft Patch Tuesday, with 13 bulletins issued to address 22 vulnerabilities. Of these, only two are rated “critical”. The first, MS11-057, is the latest Internet Explorer cumulative patch. Until this one is patched, we'd recommend limiting your use of Internet Explorer to visiting trusted sites only, and remember that it's never a good idea to click on suspect or unknown links. Users who are still concerned may want to consider one of the alternative browsers that are easily and freely available, such as Firefox or Chrome. While multiple browsers can be an administrative headache at times, they come in handy in situations like this. In general, servers should never be used to browse the Internet. Still, some organizations break this principle and compromise their crown jewels.
The second “critical” bulletin, MS11-058, relates only to servers, including Windows Server 2003 SP2, 2008 SP2, 2008 R2, and 2008 R2 SP1. Microsoft points out that this only affects servers with the DNS service turned on, though in practice that covers the majority of organizations running Microsoft-based networks, since it is standard practice for Windows Domain Controllers to act as the default DNS server on a domain. This is also an issue for any external-facing DNS servers running the affected Microsoft software. System administrators need to test and quickly deploy the DNS fix on their external DNS servers, then focus on internal ones. Some organizations may be unaware that they have DNS configured. To check, they can use something as simple as a port scanner to make sure DNS is not activated unless necessary.
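As an added illustration of that check (not code from Microsoft or from this post), the script below sends a real DNS query to port 53 over UDP and tries a TCP connect, then lists servers that answer DNS without being on the approved list. The host addresses, the approved list and all function names are assumptions made up for the example.

```python
import socket
import struct

def build_query(txid, name="example.com"):
    """Minimal DNS query: 12-byte header plus one A/IN question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, 1 question
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def is_dns_reply(data, txid):
    """True if data looks like a DNS response to our query (same ID, QR bit set)."""
    if len(data) < 12:
        return False
    rid, flags = struct.unpack("!HH", data[:4])
    return rid == txid and bool(flags & 0x8000)

def probe_udp(host, port=53, timeout=2.0, txid=0x4D53):
    """One query over UDP; any well-formed reply (even REFUSED) means DNS is on."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(build_query(txid), (host, port))
            data, _ = s.recvfrom(512)
        except OSError:  # timeout, port unreachable, no route
            return False
    return is_dns_reply(data, txid)

def probe_tcp(host, port=53, timeout=2.0):
    """DNS also listens on TCP 53; a completed connect is enough to flag the host."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def audit(hosts, expected_dns, port=53, timeout=2.0):
    """Return hosts that answer DNS but are not on the approved list."""
    found = []
    for h in hosts:
        if (probe_udp(h, port, timeout) or probe_tcp(h, port, timeout)) and h not in expected_dns:
            found.append(h)
    return found

if __name__ == "__main__":
    # Constructed inventory (TEST-NET-1 addresses); replace with your own servers.
    servers = ["192.0.2.10", "192.0.2.11", "192.0.2.12"]
    approved = {"192.0.2.10"}
    for host in audit(servers, approved):
        print(f"{host}: DNS is answering but host is not an approved DNS server")
```

A plain UDP port scan often reports 53 as "open|filtered" because silence is ambiguous; sending an actual query and requiring a matching reply removes that ambiguity.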
As ever, if you have any questions, let us know in the comments section.