Australia's Leading Computer Emergency Response Team
 

Those bugs breed like rabbits!

Date: 11 December 2008


Greetings,

Up until today I was assuming that this would contain more or less only Microsoft bugs and patches. However, at the last minute Apple must have felt left out, and so we released AL-2008.0128, remote code execution in iTunes and QuickTime.

Normally, being the second paragraph, this would be where I would start talking about each "bad" vulnerability. However, this week there are too many. So I will start from the top (or bottom, depending on how you sort your email):

  1. Microsoft released 8 security bulletins containing 28 fixes. 6 Critical bulletins contain 25 of those fixes.
  2. Proof of concept code is released for MS08-073.
  3. Microsoft issued an advisory stating that a new (non patched) vulnerability in WordPad Text Converter is being actively exploited.
  4. SANS post this blog talking about a NEW exploit for Internet Explorer (i.e. NOT MS08-073) that is not patched and is being exploited.
  5. Microsoft posts another advisory talking about the new Internet Explorer vulnerability, stating that it is being exploited and only exploits Internet Explorer 7.
  6. We have been seeing increases in exploitation and also saw an update saying that the exploits are being served out due to SQL-injected sites.
  7. Microsoft updates their advisory saying that not only Internet Explorer 7 is affected, but also 5, 6 and 8 beta.
  8. Proof of concept code is released for this new Internet Explorer vulnerability.
  9. Apple iTunes and QuickTime felt left out and decided to join in on the un-patched vulnerability fun.

And if that is not enough for you, SEC Consult is reporting an un-patched vulnerability in Microsoft SQL Server 2000 and 2005.

So ... keep your IDS, IPS and AV updated and ... well ... you could always unplug the internet and see what the world looks like. (Unfortunately I kept kicking out my internet connection and so I gaffer taped it in. I guess I will have to dig up the cable cutters first.)

Regards,
Richard