Volume 6, Number 30 -- August 20, 2008

It's Black Tuesday for Microsoft, with 26 Flaws Patched

Published: August 20, 2008

by Alex Woodie

In what some have taken to calling Black Tuesday, Microsoft last week issued 11 patches for 26 separate security flaws in its products. Among them were four zero-day flaws, two of which hackers are already exploiting in the wild, which should get the attention of systems administrators. It was the largest one-day issuance of patches in 18 months for Microsoft, and it raises questions about whether the company is headed in the right direction with its security program.

Last week's mega release was the biggest for 2008, and the largest since February 2007, when Microsoft issued 12 patches for 20 flaws, including seven zero-days. Prior to last week's haul, February 2008's Patch Tuesday yield of 11 fixes for 17 flaws was the most of the year.

"Summer vacation is over a little early for network security professionals," quipped Don Leatham, director of solutions and strategy for Lumension Security, a provider of patch management solutions. "After a light July, the August patch Tuesday will be a very busy one."

Originally, Microsoft planned to issue 12 patches, including seven deemed critical, the most serious rating by the vendor. (Microsoft will change its rating system this fall.) But when the patches came out, there were only 11, six of them rated critical. The vendor also revised several previously released bulletins in what was a very busy day for the folks in security at the Redmond, Washington, company.

Missing was the critical Windows Media Player patch, which Microsoft said it needed more time to develop. It almost would have been better if Microsoft hadn't mentioned the upcoming Media Player patch at all, says Tyler Reguly, a security engineer with nCircle, a network security firm that also reaches out to the media to provide commentary once a month on Patch Tuesday.

"Since this was originally marked critical, it's not good that it's pulled," Reguly says. "The bad thing about Microsoft announcing a patch and then pulling it is that it lets everyone know where to look and that there is something there to be found. It's like being given a treasure map that's half completed … there's still a lot of space to cover, but it's significantly smaller than if you had no insight at all."

More than half of last week's patches replace older patches, some going back to 2003. While replacement patches are common, it's unusual for there to be so many in a single month, says Andrew Storms, director of security at nCircle. "This is likely the result of Microsoft fixing old patches that didn't cover every exploit avenue and new bugs occurring in the same pieces of code," he says.

Microsoft is confident it has squashed a variety of security problems with the remaining patches. The fixes are aimed at flaws primarily in client-side applications, such as Excel, Word, Access, PowerPoint, Outlook Express, Messenger, and Internet Explorer versions 5 through 7. Flaws were also patched in all recent versions of Windows--from Windows 2000 through Windows Vista and Windows Server 2008.

Microsoft also re-released an old patch: MS08-022, a fix for a scripting flaw that Microsoft originally issued in April. It also updated some of its security tools, providing a clean-sweep (we hope) of its security housekeeping chores.

Four zero-day flaws were patched. Two of them--the critical ActiveX vulnerability in Access patched with Microsoft Security Bulletin MS08-041, and the Word remote code execution vulnerability patched with Microsoft Security Bulletin MS08-042--are already being actively exploited, according to Amol Sarwate, manager of vulnerability research at Qualys.

Sarwate says the two other zero-day flaws, which hackers were not actively exploiting--at least as of last week--are an HTML objects memory corruption vulnerability patched with Microsoft Security Bulletin MS08-045 (a cumulative IE update) and the Windows Messenger flaw, which was patched with Microsoft Security Bulletin MS08-050.

Reguly, the nCircle security engineer, was curious about Microsoft's treatment of the zero-day Messenger flaw, which could allow an attacker to take nearly total control of a user's Messenger application, including changing state, getting contact information, and initiating audio and video chat sessions without the knowledge of the logged-on user. "This seems fairly serious but has been classified as 'information disclosure,'" Reguly says. "I find this to be extremely strange."

The dominant pattern of client-side vulnerabilities being patched did not change last week, but that doesn't make the Internet any more secure. "We're seeing a lot of the same things we've seen in the past in regards to what's being patched," Reguly says. "Unpatched systems and lack of user awareness coupled with the number of people freely roaming the Internet makes these more profitable and more easily exploitable than the remote attacks from days-gone-by."

However, Microsoft is taking positive steps to change the status quo and to get in front of the hackers and their accelerating momentum. Earlier this month at a security convention in Las Vegas, the company announced the Microsoft Active Protections Program (MAPP), a new program designed to share vulnerability information with security software vendors ahead of public patch release, so they can do more to prevent users from falling victim to malicious software and hackers' traps.

Storms applauded MAPP and its potential to improve security in the long term, but noted there are barriers to adoption.

"While MAPP does help to reduce the risk around 'Exploit Wednesdays,' it has a larger and longer-term objective of building a security community of competing third-party vendors around Microsoft," he says. "If members can look past the competition inherent in their relationships and drink the coalition Kool-Aid, then Microsoft will be the first to build a multi-vendor collaborative environment striving to secure all Microsoft products. This is not something we could have imagined Microsoft doing even a few years ago, and the impact on Microsoft security could be significant."


RELATED STORIES

Microsoft Works to Put the Clamps on 'Exploit Wednesday'

Monster Patch Tuesday Yields 11 Fixes for 17 Flaws

Microsoft Issues a Dozen Security Patches, Fixes Security Tools


Editor: Alex Woodie
Contributing Editors: Dan Burger, Joe Hertvik,
Shannon O'Donnell, Timothy Prickett Morgan
Publisher and Advertising Director: Jenny Thomas
Advertising Sales Representative: Kim Reed
Contact the Editors: To contact anyone on the IT Jungle Team
Go to our contacts page and send us a message.
Copyright © 1996-2008 Guild Companies, Inc. All Rights Reserved.
Guild Companies, Inc., 50 Park Terrace East, Suite 8F, New York, NY 10034