Slashdot Mirror
Microsoft Plugs "Drive-By" and 14 Other Holes
CWmike writes "Microsoft today patched 15 vulnerabilities in Windows, Windows Server, Excel, and Word, including one that will probably be exploited quickly by hackers. None affects Windows 7. Of today's 15 bugs, Microsoft tagged three 'critical' and the remaining 12 'important.' Experts agreed that users should focus on MS09-065 first and foremost. That update, which was ranked critical, affects all still-supported editions of Windows except Windows 7 and its server sibling, Windows Server 2008 R2. 'The Windows kernel vulnerability is going to take the cake,' said Andrew Storms, director of security operations at nCircle Network Security. 'The attack vector can be driven through Internet Explorer, and this is one of those instances where the user won't be notified or prompted. This is absolutely a drive-by attack scenario.' Richie Lai, the director of vulnerability research at security company Qualys, agreed. 'Anyone running IE [Internet Explorer] is at risk here, even though the flaw is not in the browser, but in the Win32k kernel mode driver.'"
They're not fixes. They're just there to introduce more vulnerabilities that will "encourage" people to shift to Windows 7 ;)
which is totally what she said
If you patch, you're safe. Too bad so many XP users don't opt-in to patching, a lot of them will be infected, but it's a good thing MS started auto-patching by default with Vista, also since Vista has a lot of anti-exploit code (DEP, ASLR, Protected Mode Sandboxing, etc.) it probably won't see very many infections, although I thought I saw on another site that Vista wasn't affected.
"...I think the Microsoft hatred is a disease." - Linus Torvalds
Anybody else think something is integrated with something else in a deeply, deeply wrong way here?
# cat
Damn, my RAM is full of llamas.
What about the fourteen other fixes?
The article talks about them at the end (on the second page):
Microsoft also issued critical updates for Vista and Server 2008, as well as for Windows 2000 Server. On the latter, which harbors a bug in its implementation of the License Logging Server, a tool originally designed to help customers manage Server Client Access Licenses (CAL), Storms urged users of that aged operating system to apply the patch pronto, even though the machines are probably well-protected.
"Windows 2000 Server has the logging server enabled by default, but those systems are likely behind multiple firewalls, and people running [Windows 2000 Server] are pretty cognizant of the fact that it's an older version and will act accordingly."
Excel and Word also received patches today. Eight vulnerabilities were addressed in Excel in MS09-067 and one in Word with MS09-068. Both updates also affected the Mac editions, Office 2004 and Office 2008.
For more info, check out the top six listings here.
My work here is dung.
No wonder my home system was such a dog this morning. It was pulling the latest patches and updates.
Meanwhile, it's still Windows. There's only so much improvement you can make when the manufacturer insists on packing so much into the "kernel." I was always taught that the OS kernel is the one piece that provides the interface between all software and all hardware. File systems, GUIs, internet browsers and lesbian Pr0n are all just forms of software that should be clients to the ultimately optimized but minimalist kernel.
My office has been taken over by iPod people.
But while Storms speculated that Microsoft knew the EOT font flaw was a security issue -- and waited until now to patch older Windows -- Lai thought that Microsoft didn't realize until recently that it was also a security vulnerability in editions prior to Windows 7. "I think they fixed this bug as part of the code sanitization during [Windows 7's] development cycle. It was actually only publicly disclosed recently, and then they patched it in other Windows
The article is speculating what did Micrsoft know and when did it know it etc. Microsoft's standard line defending its security through obscurity policy is, "we are not providing any details because it is going to help the hackers". But what about its big customers? Almost all businesses do not care much about its small customers. So forget small timers. But Microsoft has to coddle its big Fortune500 company customers. Would they be informed, even under confidentiality agreements and non disclosure agreements, which platforms and applications are vulnerable?
How do these big companies justify being so meek and acquiescing to Microsoft? If these Fortune 500 companies chip in 100,000$ a year, they can create an Institute of Software Interoperability and go towards reducing their switching costs. Microsoft has total revenue of more than 25 billion dollars, and a significant chunk comes from these big companies. They pay off has to be enormous for these companies.
sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
I, for one, have been getting my hole plugged by Microsoft for a good twenty plus years now.
So sore.
Facebook is the new AOL
Good grief. MS offers ALL security patches to EVERYONE, including pirates, and also offers many other patches such as stability and performance updates to everyone as well.
---
"There seems to be a myth that Microsoft limits security updates to genuine Windows users," wrote Microsoft's Paul Cooke, who works in Windows Client Enterprise Security. "Let me be clear: all security updates go to all users."
----
From http://www.tomshardware.com/news/windows-pirate-bootleg-security-patches,7666.html
"...I think the Microsoft hatred is a disease." - Linus Torvalds
I discovered this bug (check the credit section in the advisory), so can explain. The bug is in parsing a component of TTF files, which are handled by the GDI kernel subsystem in Windows. Anything that tries to load fonts can be used to exploit this vulnerability, as they will eventually reach this code, Internet Explorer just happens to be the easiest way to reach it remotely.
Other browsers _are_ affected, the difference is that there's only one level of indirection before the vulnerable code in Internet Explorer, and at least two in other browsers. This is because IE supports EOT files directly, which via TTLoadEmbeddedFont() are decoded and passed straight to GDI, where as other browsers take a TTF input, convert it into an EOT and then pass that to TTLoadEmbeddedFont, so you have to convince three different chunks of code your input is valid (the browser, t2embed, then gdi), instead of just two in IE.
If you use any browser that support @font-face on Windows (Safari, Firefox 3.5+), you should still patch and reboot.
ex$$