Microsoft Patches 19 Flaws, 6 in Vista

Cheesy Balogna writes "Microsoft has just released seven advisories — all rated critical — with patches for at least 19 vulnerabilities affecting the Windows operating system, the widely deployed Office productivity suite and the dominant Internet Explorer browser. Six of the 19 vulnerabilities affect Windows Vista. 'There are patches for 7 different vulnerabilities that could lead to code execution attacks against Word, Excel and Office. Users of Microsoft Exchange are also urged to pay attention to one of the critical bulletins, which cover 4 different flaws. A cumulative IE update addresses six potentially dangerous bugs. There are the six that apply to IE 7 on Windows Vista. The last bulletin in this month's batch apples to CAPICOM (Cryptographic API Component Object Model) and could also put users at risk of complete system hijack attacks.'"

Most secure windows ever!

[A+beautiful+mind]

Hm...I guess they leveraged the active synergies to stop the probes but the active hardening failed on the SuperHyperVista3000 edition.

Oh wait, you did expect real security instead of buzzwords?

Re:Most secure windows ever!

[BrewedInTexas]

Actually I expect a bunch of monday morning quarterbacking from a horde of slashdot users who should be working. Ah, the day after patch tuesday.

You've got some serious issues with the days of the week.

Linux patches?

[stevenbdjr]

When are we going to start seeing regular Slashdot postings outlining Linux or other free software security patch releases in the same accusatory tone that the monthly Microsoft security bulletin releases bring? No, I'm not trolling, but I'm getting sick of the clear bias Slashdot editors (and most readers) have when it comes to matters of Microsoft.

(I can feel my karma slipping away, but I couldn't take it anymore).

Re:Linux patches?

[PixieDust]

I invite you to investigate this site which holds no immediate bias in it's reporting of security advisories, patches, problems and exploits. Look at the average turnaround time for patches, fixes, and responses to security problems. You will find out that Microsoft isn't as bad as everyone likes to pretend it is, nor is it's flagship Windows OS. Also to, I find it ironic that whenever someone points out a problem that affects Linux, people are like "But that's not the OS, it's (insert kernel module, driver, app, whatever) that is (insert special circumstance here).", but when it's Microsoft, they're all lumped together as "OMGz! Windoze h4x!". This includes vulnerabilities in Word, and Excel (and something else from the Office Suite, can't remember though atm), and additionally mentions Exchange. Exchange runs on a server platform, but ok, I'm not going to get into semantics on that (I assume they meant Outlook, though even if it was Exchange, it's still a fix, or at least an attempt at one).

I am the first to admit that Microsoft has problems with security, but it's a problem that plagues the entire industry. Linux, Unix, Windows, Mac, websites, forms, applications, EVERYTHING. It's a problem in how the industry approaches security. It goes far beyond Microsoft. The entire industry has this "Get it working now, patch it later" mentality. It's the "Default Allow" instead of "Default Deny" approach. There is NO reason Buffer Overflow attacks should work... EVER. Period. How hard is it to check your buffers, and make sure you're handling them properly? Very sloppy. Microsoft certainly isn't the best, but they're far from the worst. Don't believe me? Check that website, and all the security advisories for the past few years, and you will notice and interesting trend.

Re:Linux patches?

[metallic]

I think they call that RHEL 5.

Changes Default Browser

I used Microsoft Update to download and install the new patches last night. Lo and behold, upon reboot, Mozilla Firefox was no longer my default browser. It appears one of the new patches resets Internet Explorer as the default browser. Easy enough to fix, but why would a patch change a system's default browser in the first place?

Cure the disease and lose the patient

[CyberVenom]

When Microsoft releases "critical" patches like this, one of the primary motivations for users, home and business alike to apply the patches is fear of loss of data if their computer falls victim to one of the new exploits. To "help" users keep their systems up to date, Microsoft has provided the Automatic Update tool. Formerly this tool would insistently prompt the user to reboot once updates had been installed. Recently, however, the tool has taken to rebooting computers of its own volition if it is unable to elicit a user response to its prompting within 5 minutes. What's the big deal? Well, lets say you have just typed up a nice email but want to add a couple more points to it before sending it off, but you have to walk away from the computer for a while. (coffee break, etc.) And when you come back 6 minutes later you find that Windows has terminated all your open programs, lost your email, rebooted, and is now happily chiding away to itself in a little speech bubble about some new updates having been installed. Well, that's fine - install your damn updates, but either do it without destroying my work or wait until I give you permission!
(yes, I lost an email I was writing last night because of this and I'm still a bit sore...)

Did they fix the cltreq.asp query nonsense?

[Medievalist]

People running Apache are starting to see this junk in their logs:

GET /_vti_bin/owssvr.dll?UL=1&ACT=4&BUILD=2614&STRMVER =4&CAPREQ=0 HTTP/1.1
GET /MSOffice/cltreq.asp?UL=1&ACT=4&BUILD=2614&STRMVER =4&CAPREQ=0 HTTP/1.1 This noise gets spewed at websites by IE if you load the latest version of Microsoft Office and turn on the discussion bar "feature".

You'd think sending these GETS to every single web site visited would be unnecessary (since IE can tell if it's connected to IIS, and only IIS is going to have cltreq.asp installed).

I'm guessing they didn't fix that one?

Re:No flaws in Vista itself, all 6 in IE7

[aichpvee]

I'm calling bullshit. Microsoft has been saying for 10 years that IE is INSEPARABLE from Windows. Any flaw in IE is a flaw in Windows. Because either you believe Microsoft or you stop your cheerleading and admit that Bill Gates and all the other execs at Microsoft are liars and that the feds should have broken the company up into a hundred little Microsofts.