12.11.08
Nothing New Under the Microsoft
Microsoft’s handling of security is a cyclic routine that goes like this:
- Many flaws get reported, accumulated, and then mostly ignored
- Attacks on the unpatched flaws begin, so Microsoft ‘kindly’ bothers to work on patches in a rush
- Patch Tuesday arrives and Microsoft delivers a slew of patches (occasionally delivering nothing critical for bragging rights in the press, only to deliver a massive number of critical patches the following month, i.e. deferral)
- Patches arrive too late, after many servers and desktop have already been hijacked
- A number of zero-day flaws emerge, some of which exploiting vulnerabilities Microsoft has been aware of for a long time
- Patches turn out to be dysfunctional and consequently many computers are left out of services
- Microsoft reworks the patches and then delivers a patch to the broken patches
- Repeat (1)
This month was no exception. Microsoft delivered half a dozen “critical” patches (usually meaning that the vulnerability they patch enables crackers to seize full control of a to-be-compromised machine).
Appended below are reports from the past couple of days alone. The lies need to end because everyone suffers. █
____
[1] Another Microsoft Bug Revealed on Huge Patch Day
Along with its biggest patch release in five years, Microsoft warned on Tuesday of another potentially dangerous vulnerability in its software.
The problem lies within the WordPad Text Converter for Word 97 files, Microsoft said in an advisory.
The systems affected include Windows 2000 Service Pack 4, Windows XP Service Pack 2, Windows Server 2003 Service Pack 1 and Windows Server 2003 Service Pack 2, Microsoft said. XP Service Pack 3 and the Vista operating systems are not affected.
[2] Two new zero-day exploits dent Microsoft’s Patch Tuesday
Microsoft’s Patch Day delivered eight updates, but has been overshadowed by newly discovered zero day holes, which are apparently not closed by the new updates.
[3] New Web Attack Exploits Unpatched IE Flaw
As Microsoft readies its latest set of security updates, online attackers have begun exploiting a new flaw in the company’s Internet Explorer (IE) browser.
[4] Third Zero Day exploit appears
Microsoft has confirmed it is investigating another zero day exploit.
[5] Security vulnerability found in MS SQL Server 2000
SEC Consult say Microsoft has been aware of the problem since April this year. Despite the promise of a patch by September, a release date for the patch remains uncertain.
pcolon said,
December 11, 2008 at 6:47 am
MS can spin this to increase their server footprint without having to embrace Apache by claiming “MS has the real “A-Patchy” servers .
Richard Mclaughlin said,
December 11, 2008 at 5:41 pm
actually, it’s more like this.
Patches are released.
smart people and IT departments install them.
average joe blow doesn’t.
Hacker looks at the hole the patch fixed and attacks the hole.
systems go down because people didn’t upgrade when the patch came out.
Having run call centers for 15+ years, I know this to be a fact.
Roy Schestowitz said,
December 11, 2008 at 5:53 pm
How many of those “smart people” actually get ‘burned’ for installing bad patches? Quality counts too.
The lateness of some patches is another issue that is raised above. As the new references show, Windows is already vulnerable again and no patches will have arrived until next month.