Slashdot Mirror


MS Monthly Patch Omits Word Zero-Days

bungee jumper writes "Microsoft released four bulletins with patches for 10 vulnerabilities but there are no fixes for known MS Word zero-day flaws that are under active attack, eWeek.com reports. The January batch covers critical bugs in Excel, Outlook, and Windows. The first confirmed Windows Vista flaw, a denial-of-service issue that was publicly released on an underground hacker site in Russia, also remains unpatched." eWeek notes that Microsoft originally scheduled eight bulletins for release, but pulled four last Friday without explanation.

14 of 80 comments

  1. Ummmm... by needacoolnickname · · Score: 5, Insightful

    The patches caused more harm than good so they decided to pull them?

    Damn them for not releasing patches that make a more unstable system! Damn them I say!

    1. Re:Ummmm... by marcello_dl · · Score: 3, Funny

      >The patches caused more harm than good so they decided to pull them?

      Not much of an excuse, considering that most Microsoft software causes more harm than good, yet they release it.

      *ducks*

      --
      ---- MISSING MISCELLANEOUS DATA SEGMENT --- [sigdash] trolololol
    2. Re:Ummmm... by needacoolnickname · · Score: 3, Insightful

      Who are you ducking from around here?

      Sit back, relax, and wait for the Insightful rather than the Redundant moderation points to start rolling in on your comment.

    3. Re:Ummmm... by marcello_dl · · Score: 5, Funny

      > Who are you ducking from around here?

      Sorry for the qui pro quack, I actually meant that Microsoft software is likely to have been conceived and released by ducks.

      --
      ---- MISSING MISCELLANEOUS DATA SEGMENT --- [sigdash] trolololol
  2. I like that solution. by User+956 · · Score: 4, Funny

    > Microsoft released four bulletins with patches for 10 vulnerabilities but there are no fixes for known MS Word zero-day flaws that are under active attack

    Well, that's because there aren't any zero-day flaws. Microsoft changed the name to ">1 day flaws", thereby solving the problem forever.

    --
    The theory of relativity doesn't work right in Arkansas.
    1. Re:I like that solution. by Opportunist · · Score: 3, Insightful

      In other words, from now on they will only patch issues that have been around long enough to be known by pretty much every malware writer in existence. This is, of course, only to be compliant with the request from anti-malware and firewall companies to still have a share in the biz.

      How dare we accuse MS of being anything but anti-monopolizing and doing good? That's their way of keeping the competition in business!

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  3. Local elevation of privilege by GIL_Dude · · Score: 5, Informative

    Local elevation of privilege is now considered a DoS attack on Vista? I guess even submitters don't have to RTFA here anymore to get published. I did read the article though since I was worried about any DoS attack for Vista and wanted to see what ports, processes, etc. it was using. All that was there though was a local only elevation of privs (where an authenticated user logged on to the box can get admin rights). Not good of course, but far from a DoS...

    1. Re:Local elevation of privilege by Osty · · Score: 3, Informative

      > Local elevation of privilege is now considered a DoS attack on Vista? I guess even submitters don't have to RTFA here anymore to get published.

      The submitter read the article, and then directly lifted that line right out of it. Is the submitter an idiot for confusing local privilege escalation with DoS? No, because he wasn't the one who made that claim. Is the article author an idiot for making that statement? Definitely. Is the submitter an idiot for directly quoting the article without attributing it as a quote, thus passing it off as his own words and thoughts? Absolutely.

  4. Damn... by locokamil · · Score: 3, Funny

    It's been 18 days since I've been able to use MS Word. My boss is very unhappy-- I may lose my job.

    Damn you Microsoft!

  5. Skewed statistics by fluffy99 · · Score: 4, Insightful

    If a particular vulnerability affects multiple versions of the program, you generally don't count them all as separate vulnerabilities. eWeek is counting MS07-02 as five separate patches, but really it's the same flaw in five different versions. How many people have multiple versions of Excel on their system anyway?

  6. Default application by Bob54321 · · Score: 4, Informative

    I just installed these updates and what I want to know is why updating Outlook makes it your default email application. I know I just have to click OK when I start Thunderbird again but it is annoying that I should even have to do that.

    --
    :(){ :|:& };:
  7. As a literal word? by staticdaze · · Score: 4, Funny

    Anyone else read that as: MS Monthly Patch Omits Word "Zero-Days" ?

    They aren't zero day, they're "highly relevant to your enterprise investment"!

  8. Re:What the hell does "Zero-day" mean, anyway? by Bacon+Bits · · Score: 5, Informative

    "Zero-day" is an exploit classification.

    It goes like this. Software has bugs. These bugs can cause security vulnerabilities, which are then published and patches issued to fix the vulnerabilities. Hopefully, all this happens before the black hats can take advantage of -- or exploit -- these vulnerabilities.

    An exploit of a vulnerability is the virus, worm, SQL injection, hack attempt, etc. itself. An exploit can be labelled "zero-day" when an in-the-wild exploit has been detected on the same day that the vulnerability was made known to the security industry. Most often, "zero-day" means "we learned there was a vulnerability when we found this exploit". This is rather like finding out the locks on your doors don't work when a thief has already been and gone. Zero-day exploits then will have a maximal timeframe to affect vulnerable systems since no work has been done on fixing the vulnerability (presumably).

    The Slammer worm, for example, was an *exploit* of MS SQL Server 2000. SQL Server 2000 had a buffer overflow vulnerability which was the subject of Slammer. Slammer was not zero-day, however, since this security vulnerability had been known about for many months and MS had already issued patches for it (six months prior to Slammer).

    The vast majority of exploits are *not* zero-day, but uninformed reporters for computer news services (like CNet, or anything Ziff Davis owns) are now using "zero-day" as a synonym for "new vulnerability" instead of the proper "new exploit to unknown vulnerability".

    --
    The road to tyranny has always been paved with claims of necessity.
  9. Darn? by Anonymous+McCartneyf · · Score: 3, Insightful

    In case of emergency, break out the OpenOffice, specifically the "Writer" program. It can handle .doc files almost as well as Word, and it's free.
    Also consider e-mailing the .doc files to your home computer, since your boss is apparently keeping an eye on what software is on your work computer.
    Disclaimer:
    I am getting two MS Updates today--one for IE7, and the usual malware "stinger." I don't actually use IE--I updated it for security...
    This has actually been a better month for MS update-downloads than most months last year.

    --
    There is a fine line between recklessness and courage... -- Paul McCartney