Volume 4, Number 42 -- November 14, 2007

Patch Tuesday Light, Or the Lazy Days of November

Published: November 14, 2007

by Alex Woodie

It was a light Patch Tuesday for Microsoft yesterday, as the software giant posted just two fixes for two vulnerabilities, only one of which was critical, in sharp contrast to recent months that saw as many as 17 vulnerabilities fixed. At least one vulnerability that was expected to be patched yesterday was left alone, raising concern in the security community.

Security Bulletin MS07-061 fixed the lone critical vulnerability patched this month, a remote code execution vulnerability in Windows XP and Windows Server 2003 that had been known about since midsummer and was being used to attack users through "drive-by" downloads on the Web. "This exploit was made public last month and has already been widely exploited, most notably on a collection of Websites registered in Russia," said Amol Sarwate, manager of the vulnerability research lab at Qualys.

The problem, called the URI Handling Vulnerability, allows an attacker to take complete control of an affected computer when the victim visits a malicious Web site. While the patch is for Windows, only systems with Internet Explorer 7 installed had been affected thus far, says Andrew Storms, director of security operations for the security software company nCircle.

The second patch, Security Bulletin MS07-062, fixes a DNS spoofing vulnerability in Windows 2000 Server and Windows Server 2003 that Microsoft rated "important." Microsoft says the problem had not been publicly disclosed and is not being actively exploited. MS07-062 is the patch that Microsoft pulled at the last minute last month, the second month in a row that has happened.
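A quick way to confirm that a host actually received both of this month's fixes, as an added example that is not from the article or from Microsoft: query the installed hotfixes through WMI, and also report the Internet Explorer version and whether the DNS Server service is present, since the URI handling flaw has only mattered on hosts with IE7 and the DNS spoofing flaw only matters on DNS servers. The bulletin-to-KB mapping in the script is my assumption; confirm it against the MS07-061 and MS07-062 bulletin pages before relying on the check.

```powershell
# Added example, not part of the article. Checks one Windows host for the
# two November 2007 bulletins via WMI and reports the context that decides
# whether each one matters on this machine.
# The KB numbers below are an assumption; verify them against the bulletins.
$bulletins = @{
    'MS07-061' = 'KB943460'   # URI handling RCE, Windows XP / Server 2003 (assumed KB)
    'MS07-062' = 'KB941672'   # DNS spoofing in the DNS Server service (assumed KB)
}

function Get-InstalledHotfixIds {
    # Win32_QuickFixEngineering lists updates applied through Windows Update / WSUS
    # and is available on Windows 2000, XP and Server 2003.
    Get-WmiObject -Class Win32_QuickFixEngineering |
        ForEach-Object { $_.HotFixID } |
        Sort-Object -Unique
}

function Test-BulletinStatus {
    param([hashtable]$Map)
    $installed = Get-InstalledHotfixIds
    foreach ($bulletin in ($Map.Keys | Sort-Object)) {
        $kb = $Map[$bulletin]
        if ($installed -contains $kb) {
            "$bulletin ($kb): installed"
        } else {
            "$bulletin ($kb): MISSING"
        }
    }
}

# IE version from the registry: MS07-061 has only been seen affecting hosts with IE7.
$ieVersion = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Internet Explorer').Version
"Internet Explorer version: $ieVersion"

# MS07-062 only applies where the DNS Server service exists.
$dns = Get-Service -Name DNS -ErrorAction SilentlyContinue
if ($dns) { "DNS Server service: present ($($dns.Status))" } else { "DNS Server service: not installed" }

Test-BulletinStatus -Map $bulletins
```

Run it in a PowerShell session on the XP or Server 2003 host being checked; a host that shows IE6 and no DNS Server service is not exposed to either flaw even if both lines read MISSING, but the patches should still be applied before IE7 or the DNS role is ever added.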

The small number of patches issued yesterday left some security researchers scratching their heads. "Noticeably absent from this month's release is the much anticipated patch for the Macrovision driver," Sarwate says. "Given that Microsoft released an out-of-band advisory stating that a patch would be available shortly for this vulnerability, it was very surprising that it was omitted."

Storms offered this analysis of the situation: "The difference in responsiveness on these two issues typifies Microsoft's track record on security. They have moments of stellar service combined with moments of inattention," he says.

There are currently only two vulnerabilities in Windows and other Microsoft products being actively exploited, according to eEye Digital Security, which tracks past and current unpatched problems on its Zero-Day Tracker. While both problems have been disclosed for well over a year, neither is critical in nature, according to eEye.


RELATED STORIES

Six Patches Issued by Microsoft, One Held Back Again

Microsoft Patches Four Security Flaws







Editor: Alex Woodie
Contributing Editors: Dan Burger, Joe Hertvik,
Shannon O'Donnell, Timothy Prickett Morgan
Publisher and Advertising Director: Jenny Thomas
Advertising Sales Representative: Kim Reed

The Windows Observer


Copyright © 1996-2008 Guild Companies, Inc. All Rights Reserved.
Guild Companies, Inc., 50 Park Terrace East, Suite 8F, New York, NY 10034
