Archive | Security

Security is not a feature; it’s a process. Notes on issues, patches and essays on security.

SMTP Good; MAPI Bad

Microsoft Watch from Mary Jo Foley asks “Is Microsoft Engaging in ‘Borderline Extortion’ with Security Disclosures?” “We have to admit, zero-day Internet Explorer vulnerabilities just don’t shock us any more. But the harsh words of security researcher Michal Zalewski, regarding Microsoft’s policies for dealing with vulnerabilities, did make us stand up and take notice.”

In very related news, eWEEK.com is reporting Microsoft Rocked by New IE Zero-Day Flaw Warning. “Microsoft is scrambling to address the public disclosure of a new zero-day vulnerability that could put Web surfers at risk of code execution attacks.”

Microsoft ships v. 2.0 of MS06-015 patch

In a fairly unusual move, Microsoft has re-released MS06-015, Vulnerability in Windows Explorer Could Allow Remote Code Execution (908531). Microsoft sent out an email to let folks know about that. Amazingly, while explaining why they were re-issuing the patch, they never mention what the patch is, nor specifically what went wrong, nor who should apply the new patch:

This bulletin has been re-released to advise customers that revised versions of the security update are available for all products listed in the “Affected Software” section. Customers who have already applied the MS06-015 update who are not experiencing the problem need take no action.

Here’s the quick scoop: Windows Explorer (the desktop, not the browser) has fundamentally changed the way it launches programs, and some programs that hooked into that behavior, including Hewlett-Packard’s “Share-to-Web”, older NVIDIA graphics drivers, Kerio firewall, and others, would fail to operate properly, lock up, or freeze after files are saved, especially to “My Documents” or other special folders. This patch allegedly fixes the problem.

Get Patching! Good Luck!

Microsoft keeping secrets from the good guys

From Microsoft Watch from Mary Jo Foley: Is Microsoft’s Silent Treatment Appropriate for Patches? “Microsoft says it is withholding certain details on security vulnerabilities to protect customers from bad guys. But critics say Microsoft’s cone of security silence only increases the risk for everyone.”

An interesting article. It claims that Microsoft is keeping its bug count artificially low by silently slipstreaming multiple bug fixes into the patches and, worse, not disclosing the details even to their “trusted partners.” The bad guys know what’s patched. Why shouldn’t we? Shouldn’t “Trustworthy Computing” require more transparency than this?

Definitely not OK

Joho the Blog writes “Microsoft writes bill for Oklahoma authorizing wholesale spying. According to the Oklahoma Gazette, the state legislature has passed a bill that Microsoft helped write that gives vendors of software the right to check around your computer, delete files they consider unauthorized, and turn you into the local authorities if they don’t like the way your computer smells. This is all being done to keep you secure. Yes, you can refuse to agree to the end user license agreement, but more likely you’ll just click on it without reading the fine print. And if you refuse to sign the EULA, you don’t get to use the software. OK not OK…”

Microsoft has five patches due next Tuesday

Computerworld News reports Microsoft set to patch IE, Windows, Office. “Microsoft is set to release five security patches for its products Tuesday, including an Internet Explorer fix that will address a bug that hackers have been exploiting over the past two weeks.”

Gee, is it that time again already?

How Important Is Certification?

SysAdmin magazine asks “How Important Is Certification?” I’ve pushed certification for years and think that certification is what you make of it: a marketing move, a means of self-validation, a way of determining a basic knowledge level, an indication of a self-starter. Paper Tigers abound in all fields. Certification is no panacea. But it’s a start. Eventually, a professional certification and licensing process like that for Engineers is inevitable, providing a balance of both legal protection and legal liability.


This work by Ted Roche is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 3.0 United States.