Secure Payments, PCI DSS, Regulatory Compliance Blog

PCI and Microsoft 0-day?

April 1st, 2007 by chitchcock Posted in Approved Scanning Vendor, Compensating Controls, PCI DSS

I’m curious to see if anyone was affected by the 0-day Microsoft vulnerability that was released right before the end-of-quarter.

Did your company wait until the last minute to submit their PCI report to their issuing bank (as many companies tend to do)?

Did you have problems with your ASV or auditor, as there is no official patch available? Here is an unofficial/temporary patch, by the way.

What compensating controls did you come up with?

How did it ultimately affect your compliance effort?

One Response to “PCI and Microsoft 0-day?”

By datasecurity on Apr 5, 2007

    So long as they are patching their systems within 30 days they should be OK. Now they do need a “clean” scan, but individual vulnerabilities like this will come up all the time. It should not materially change the compliance of organizations.
