Microsoft Patches 19 Flaws, 6 in Vista

Cheesy Balogna writes "Microsoft has just released seven advisories — all rated critical — with patches for at least 19 vulnerabilities affecting the Windows operating system, the widely deployed Office productivity suite and the dominant Internet Explorer browser. Six of the 19 vulnerabilities affect Windows Vista. 'There are patches for 7 different vulnerabilities that could lead to code execution attacks against Word, Excel and Office. Users of Microsoft Exchange are also urged to pay attention to one of the critical bulletins, which cover 4 different flaws. A cumulative IE update addresses six potentially dangerous bugs. There are the six that apply to IE 7 on Windows Vista. The last bulletin in this month's batch apples to CAPICOM (Cryptographic API Component Object Model) and could also put users at risk of complete system hijack attacks.'"

Most secure windows ever!

[A+beautiful+mind]

Hm...I guess they leveraged the active synergies to stop the probes but the active hardening failed on the SuperHyperVista3000 edition.

Oh wait, you did expect real security instead of buzzwords?

Re:Most secure windows ever!

[BrewedInTexas]

Actually I expect a bunch of monday morning quarterbacking from a horde of slashdot users who should be working. Ah, the day after patch tuesday.

You've got some serious issues with the days of the week.

Linux patches?

[stevenbdjr]

When are we going to start seeing regular Slashdot postings outlining Linux or other free software security patch releases in the same accusatory tone that the monthly Microsoft security bulletin releases bring? No, I'm not trolling, but I'm getting sick of the clear bias Slashdot editors (and most readers) have when it comes to matters of Microsoft.

(I can feel my karma slipping away, but I couldn't take it anymore).

Re:Linux patches?

[QuickFox]

But then comes the trolls that point out that it was fixed in a matter of hours and not weeks or months. Don't blame it on the trolls, they only report it here. It's the open-source developers' fault. Why can't they wait for some time and give Microsoft a chance?

Re:Linux patches?

[Lord_Slepnir]

You have listed my fondest dream: To be part of an abusive monopoly that replaced the abusive monopoly that I hated when I was a young college student....*sigh*

Re:Linux patches?

[SnowZero]

It's a myth that Slashdot has almost all Linux users. It used to be that way, but it has long since been overrun with a more "general computing" crowd. I would bet that if you add up the regular Windows and Mac users, it would outnumber regular Linux users. For UIDs below 100k however, you would probably see a quite different statistic. People only notice Linux users here because we're not at 1-2%, like on almost any other discussion site.

Frankly, I'm now getting tired of the number of posts with the same tone as yours. You lament losing Karma in a sea of angry "Linux-zealot" mods, but I would guess you will be modded up, not down. Enjoy the karma...

Re:Linux patches?

[QuickFox]

While it's not exactly a security problem What makes you think it's not about security? If the ethernet driver locks up nobody can hack you.

Re:Linux patches?

[PixieDust]

I invite you to investigate this site which holds no immediate bias in it's reporting of security advisories, patches, problems and exploits. Look at the average turnaround time for patches, fixes, and responses to security problems. You will find out that Microsoft isn't as bad as everyone likes to pretend it is, nor is it's flagship Windows OS. Also to, I find it ironic that whenever someone points out a problem that affects Linux, people are like "But that's not the OS, it's (insert kernel module, driver, app, whatever) that is (insert special circumstance here).", but when it's Microsoft, they're all lumped together as "OMGz! Windoze h4x!". This includes vulnerabilities in Word, and Excel (and something else from the Office Suite, can't remember though atm), and additionally mentions Exchange. Exchange runs on a server platform, but ok, I'm not going to get into semantics on that (I assume they meant Outlook, though even if it was Exchange, it's still a fix, or at least an attempt at one).

I am the first to admit that Microsoft has problems with security, but it's a problem that plagues the entire industry. Linux, Unix, Windows, Mac, websites, forms, applications, EVERYTHING. It's a problem in how the industry approaches security. It goes far beyond Microsoft. The entire industry has this "Get it working now, patch it later" mentality. It's the "Default Allow" instead of "Default Deny" approach. There is NO reason Buffer Overflow attacks should work... EVER. Period. How hard is it to check your buffers, and make sure you're handling them properly? Very sloppy. Microsoft certainly isn't the best, but they're far from the worst. Don't believe me? Check that website, and all the security advisories for the past few years, and you will notice and interesting trend.

Re:Linux patches?

[metallic]

I think they call that RHEL 5.

Re:Linux patches?

[PixieDust]

Agreed, which is pretty much the same thing I'm saying. The Buffer overflow bit was just an example. But you can see this everywhere. You see it in ACLs in firewalls, routers, and switches. You see it in applications that let everything just go willy nilly. You see it in default installations of some OSes. You see it in the installations of applications, in websites, email-clients, hell even games. And before you say "What could POSSIBLY happen in a game that could be a security threat?" Let me illustrate this example...

Take a well known game, say, a first person shooter based in WW-II. Fairly good game, kinda fun. Let's say it's released witha BIG following, and several expansions are released for it. Now imagine, that since it's initial release, it has had a vulnerability just hiding, waiting to be discovered. It is discovered, by a couple of gamers just having fun. Say there's a voting system (for kicks, map change, etc.). Let's say people use this voting system all the time to talk to people who are still alive, because it displays the vote in yellow text to everyone. Some ingenious players discover that if your vote is for a map change, and you manually enter the command and name via console something like:

callvote change_map "Shotgunner camping in the vent!!"

It's been a while so forgive the syntax if it's wrong. In any case, these intrepid gamer friends are having fun, and annoying each other with vote requests that mean nothing, and just fill the screen with yellow text (repeating gibberish to flood the screen so the player can't see). Let's say during this, both game clients crash. Hmm, well that sucks. So you go back to having fun, the server is running on an actual server in the garage so it's no biggy. Same thing happens again. The clients just crash immediately after a vote is called that is an absurd length. Hmmmm.. You get another friend involved, they join, they also crash. Interesting. Then you crash 2 clients, and have the 3rd join immediately after to see people running in place, stuck in doors, etc. Server is still running just fine. Clients however, have crashed. Now intensely curious, you start digging, and find the exact point at which is goes from "Annoying Spam Vote" to Buffer Overflow.

Now through various methods you discover that this vulnerability is definitely client specific. The server is totally unaffected. The server simply hands everything off to the clienhts, which don't know what to make of it, stuff is outside the buffer, client craps all over itself. Now someone malicious enough could take that, and create something that would quite literally be capable of hijacking any machine the game client was running on, and the only thing the user would notice MIGHT be a game crash (hell if you do it right you might be able to do it without the game itself crashing), which happens occasionally anyway, so it's ignored. Now let's say you notify the producer of this Entertainingly Amazing game, and exchange a few emails with them. 4 patches later it still isn't fixed. Several expansions later it still is not fixed.

Unacceptable. Absolutely unacceptable. And this happens throughout the industry. THAT is why security problems, are as much of a thorn in our side as they are.

*flips two coins onto the table, returns the soapbox to it's upright and locked position, and returns to her regularly scheduled nonsense*

/rant off

Changes Default Browser

I used Microsoft Update to download and install the new patches last night. Lo and behold, upon reboot, Mozilla Firefox was no longer my default browser. It appears one of the new patches resets Internet Explorer as the default browser. Easy enough to fix, but why would a patch change a system's default browser in the first place?

Cumulative IE 7 update 34,70 MB??

[edgrale]

What's up with the cumulative IE 7 update being 34,70 MB?
It is bigger than the x64 bit version!

Cure the disease and lose the patient

[CyberVenom]

When Microsoft releases "critical" patches like this, one of the primary motivations for users, home and business alike to apply the patches is fear of loss of data if their computer falls victim to one of the new exploits. To "help" users keep their systems up to date, Microsoft has provided the Automatic Update tool. Formerly this tool would insistently prompt the user to reboot once updates had been installed. Recently, however, the tool has taken to rebooting computers of its own volition if it is unable to elicit a user response to its prompting within 5 minutes. What's the big deal? Well, lets say you have just typed up a nice email but want to add a couple more points to it before sending it off, but you have to walk away from the computer for a while. (coffee break, etc.) And when you come back 6 minutes later you find that Windows has terminated all your open programs, lost your email, rebooted, and is now happily chiding away to itself in a little speech bubble about some new updates having been installed. Well, that's fine - install your damn updates, but either do it without destroying my work or wait until I give you permission!
(yes, I lost an email I was writing last night because of this and I'm still a bit sore...)

Did they fix the cltreq.asp query nonsense?

[Medievalist]

People running Apache are starting to see this junk in their logs:

GET /_vti_bin/owssvr.dll?UL=1&ACT=4&BUILD=2614&STRMVER =4&CAPREQ=0 HTTP/1.1
GET /MSOffice/cltreq.asp?UL=1&ACT=4&BUILD=2614&STRMVER =4&CAPREQ=0 HTTP/1.1 This noise gets spewed at websites by IE if you load the latest version of Microsoft Office and turn on the discussion bar "feature".

You'd think sending these GETS to every single web site visited would be unnecessary (since IE can tell if it's connected to IIS, and only IIS is going to have cltreq.asp installed).

I'm guessing they didn't fix that one?

Why didn't they find these holes earlier?

[644bd346996]

Ok, here's what's bugging me: 6 out of 19 holes are still present in Vista. That means that, in developing Vista, they removed at least 13 holes. My question: was that an accident? If those 13 holes were identified as critical vulnerabilities during Vista development and fixed, then they should have been patched in XP too. If they were accidentally fixed by more broad changes in Vista, then I guess you can see that as good, but it still calls into question MS's ability to audit code.

On the other hand, if the rewritten portions of Vista removed 70% of the critical holes, that's pretty good. They might have been working on the right modules.

Summary was incorrect

[SEMW]

Actually, the summary was incorrect regarding Vista: at least one of the vulnerabilities in question ("Uninitialized Memory Corruption Vulnerability CVE-2007-0944") is not present in Vista, and contrary to the summary's implication, only two out of the Vista vulnerabilities (CVE-2007-0945 and CVE-2007-2221) are rated critical.

Not, of course, that this excuses MS in any way (two is still two too many), but the summary was still rather misleading.

Re:No flaws in Vista itself, all 6 in IE7

[aichpvee]

I'm calling bullshit. Microsoft has been saying for 10 years that IE is INSEPARABLE from Windows. Any flaw in IE is a flaw in Windows. Because either you believe Microsoft or you stop your cheerleading and admit that Bill Gates and all the other execs at Microsoft are liars and that the feds should have broken the company up into a hundred little Microsofts.

Only One of the Vista Bugs was "Critical"

[ThinkFr33ly]

Only 1 of the 6 bugs that affected Vista was rated "critical". (Critical is typically reserved for bugs that could allow somebody to remotely take over the machine.)

In the case of the one bug that was rated critical, the rating was dependent on several mitigating factors, including that the user running as full admin with UAC turned off. (Obviously not the default configuration.)

Only in that scenario could the machine be compromised, and even then the successful execution of exploit code was unlikely thanks to ASLR and various other security measures. It was far more likely to simply cause a browser crash.

Considering Vista has been out since November of last year, its security record so far as been extremely impressive.