On one side you have the dangerous environment of the internet and the numerous new ways to attack machines for which there is no protection yet. On the other side you have pressure from management and the workers to be able to work on your network outside the office and before or after office hours. In the meantime you have to guarantee that there will still be a network, that it will stay more or less secure, and that only authorized personnel have access.
For this, Cisco has developed a server based on Network Access Control. The principle is that even if you have the credentials, you can only access the network if your PC has an antivirus, all the patches installed and a firewall. But Cisco made some mistakes while designing the process. This gave the opportunity to create code with which you could pass this network guard without much difficulty.
The most important part of the attack is that it is possible to spoof the information the Trust Client sends to the server about the configuration of the machine. It seems it is possible for all clients to send only the spoofed information they received to their servers and not the real information. After that they were able to bypass the system because no other authentication was asked for. For the moment it is also impossible to integrate the Cisco architecture with other standard authentication systems.
NAC is just a start, but for Cisco it was a false one.
Small embedded microprocessors are included in everything that needs to do the things we expect from it. 90% of these microprocessors have a program called JTAG (Joint Test Action Group) enabled to let engineers debug a problem in the future. A security expert has used this tool to find a way to make these processors execute unknown code by means other than the normal buffer-overflow attack. These programs could be used to send confidential information to other phones or systems (and why not in combination with Bluetooth). And this is just the beginning.
So who said your phone was much safer than your computer? Malware follows the money.
We had a month without patches, and now we have a month in which all the patches are rated critical to urgent, two of which have been used in exploits around the web. This means that they are really critical and that you should plan to implement them before the weekend (surely for the two critical ones) or next week. What isn't exploited today can be next week, and we'll never know which vulnerability will be exploited first and when.
Even Apple has security patches now, and Solaris 10, and Oracle, and...
So as a simple user you can go to http://update.microsoft.com