Archive | January 11, 2006

Microsoft Patch Tuesday, January 2006

Despite releasing it last week, MS06-001, the WMF flaw, was also released as one of three Critical, Remote Code Execution possible patches that comprised the January 2006 Microsoft security bulletin. As is typical, the patches seem to affect every supported version from Windows 2000 on up. However, earlier versions of Windows are provided with a link which seems to say “you’re on your own.” Here are the patches:

MS06-001 – Vulnerability in Graphics Rendering Engine Could Allow
Remote Code Execution (912919)

MS06-002 – Vulnerability in Embedded Web Fonts Could Allow Remote
Code Execution (908519)

MS06-003 – Vulnerability in TNEF Decoding in Microsoft Outlook and
Microsoft Exchange Could Allow Remote Code Execution (902412)

So, Microsoft graphics, Microsoft Fonts, Microsoft Office and Microsoft Outlook all have serious flaws. Get patching!

It is the second week of 2006.

‘Numbers of flaws’ is a flawed measure of security

Garrett Fitzgerald’s Blogs Apples and Oranges. “In a recent post, Craig Berntson trumpets about a recent CERT report that “proves” that Windows is more secure than Linux. What he doesn’t mention is that the “Linux/Unix” list lumps together the Linux kernel, Mac OSX, HPUX, SCO Unixware, and others. So, when comparing 1 OS against 6 or more OSs, the 1 OS comes out ahead. What a surprise.”

Over at Groklaw, the poster does a fine job of pointing out the problems with just quoting the gross numbers from this survey. It would be far better to identify how many security flaws led to major exploits and the costs of the cleanup. Trivial items are counted one-for-one with items that cost millions to clean up, exploits are listed multiple times (on both Windows and non-Windows platforms).

Bottom line: security is a process, not a feature. Millions more computers were turned into spam-sending zombies, and not just because they are running a more commonly-available operating system. They were exploited because the OS runs as an administrator with the rights to alter anything on the machine. Only one OS manufacturer shipped software that has that fatal flaw.

Powered by WordPress. Designed by Woo Themes

This work by Ted Roche is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 3.0 United States.