Patching the Vulnerabilities in DS6.8 and DS6.9

I put this on the Altiris Forums a little while ago, but thought it might be useful to place here too.

The link below describes half-a-dozen security vulnerabilities which appear to be only fixed by UPGRADING to DS 6.9 plus the hotfixes www.symantec.com/avcenter/security. Here are the steps I took to remedy the problem.

I've tried to put together a mitigation list. The first draft is below. Can anyone comment on this? A mitigation list would help admins protect their servers now, and allow them to plan the upgrade to 6.9 at a more leisurely pace.

1. For the SQL-injection vulnerability (exploitable), you have two mitigation options: Follow best practice and ensure that port 80 is heavily firewalled to restrict the Deployment Solution web console access to your management PCs only. Alternatively, you can disable the IIS services altogether, and install remote consoles as an alternative, and firewall SQL server accordingly.
2. For the encryption weakness in the domain credential exposure (no current exploit), follow best practice ensure that the credentials you configure in Altiris are limited. For instance, the altiris services should *not* be running with administrator rights, and if you employ credentials for joining machines to domains ensure these accounts are limited, granting them the right to add computers to the domain only.
3. For the GUI interface privilege vulnerability (no current exploit) you can mitigate by password protecting the Deployment Solution agent, and configuring it to be hidden. The interface cannot be activated thereafter without password entry. This might be heavy handed, but the exploit does not detail the level in the GUI at which this vulnerability emerges.
4. Tooltip local privilege escalation (exploitable). As 3 above.
5. Registry keys vulnerability which can lead to service disruption, and access to system information. Uncertain yet whether this is client based, or server. My advice is to follow best practice and ensure server access is restricted to key personnel.
6. Install Directory local privilege issue (no current exploit). Restrict access to express share as per installation best practice. Only System, administrators and the altiris service account should have modification rights to the folder root.

Kind Regards,
Ian./