G
Gordon Darling
Microsoft warns of a score of security holes
http://news.com.com/2100-7349_3-5190818.html
"Microsoft released on Tuesday fixes that cover at least 20 Windows
flaws, several of which could make versions of the operating system
vulnerable to new worms or viruses.
At least six of the flaws could make the OS susceptible to programs
similar to the MSBlast worm and its variants, which have infected more
than 8 million computers since last August. Another flaw affects a
common file used by Internet Explorer, Outlook and Outlook Express and
opens the way for the type of virus that executes when PC users click
a specially crafted Web link.
The software giant released four patches to cover the 20 security
issues, as part of its monthly update schedule. Microsoft wouldn't
comment on the level of risk the flaws present, instead maintaining
that companies that apply the fixes won't be in danger.
"If you are running a personal firewall, you are at reduced risk from
a lot of these vulnerabilities," said Stephen Toulouse, security
program manager for the Microsoft Security Response Center. "But we
are absolutely taking this seriously."
The largest patch, MS04-011, fixes at least 14 security flaws. A
security hole in the Help and Support Center affects both Windows 2003
and Windows XP. Another flaw in the Windows Meta File image format
could allow an attacker to create a digital picture file that could
take control of a Windows NT, 2000 or XP computer. At least six of the
14 flaws could result in a remote user taking control of a Windows
computer.
Toulouse said that instead of taking a piecemeal approach, Microsoft
waited to release some patches so it could present a more
comprehensive set of fixes. "Rather than shipping the same files over
three months, we are trying to provide customers one update that has
all the fixes," he said.
However, some security researchers took the software giant to task for
waiting to release a particular patch that covers many of the flaws.
Microsoft's strategy, they said, was keyed more toward public
relations than customer convenience.
"These releases confirm a trend that has been happening with Microsoft
security lately--that they are willing to leave customers vulnerable
for long periods of time, all in order to try to bundle security
fixes, which leads to the (impression) of having less
vulnerabilities," said Marc Maiffret, chief hacking officer for eEye
Digital Security. "This is completely unacceptable."
eEye Digital Security found six of the flaws Microsoft reported on
Tuesday. The company urged Windows users to update their systems as
soon as possible. Maiffret has previously criticized Microsoft for
taking as long as 200 days to fix flaws. He said Microsoft took as
many as 216 days to fix the latest set of flaws.
Other security researchers were less critical of the software giant.
"You can't generalize that Microsoft takes too long to fix flaws,"
said Gerhard Eschelbeck, chief technology officer for vulnerability
assessment company Qualys. "It depends on when the flaw is in the
code."
Qualys found two of the flaws Microsoft announced on Tuesday. A flaw
in a networking code library common to many versions of Windows only
took the giant two months to fix, said Eschelbeck. Microsoft had
practice, since another flaw had been found in that same library by
eEye Digital Security in February.
"A lot of the flaws in this release are derivative of ones that we
have seen before," said Qualys' Eschelbeck. "Typically, someone finds
a flaw in a particular area and a lot of researchers start looking in
that code."
That also happened with the flaw that lead to the MSBlast worm. A
second, similar flaw was found in October, but it took Microsoft until
now to fix it.
Overall, Eschelbeck believes that the software giant is doing the
right thing by releasing a single patch for all the flaws that affect
the same software components, rather than quickly releasing the fixes
one at a time. Qualys had previously found that it takes at least 30
days for half of the vulnerable companies on the Internet to fix the
most critical flaws. Easing the pain of patching is important, he
said.
"It's a single patch on a scheduled day," he said. "Everyone knows
today is Microsoft patch day. I think this is the right thing to do."
Eschelbeck recommended that companies apply at least the first patch
from Microsoft by the end of the week.
Information on the four patches can be found on Microsoft's Web site."
Regards
Gordon
http://news.com.com/2100-7349_3-5190818.html
"Microsoft released on Tuesday fixes that cover at least 20 Windows
flaws, several of which could make versions of the operating system
vulnerable to new worms or viruses.
At least six of the flaws could make the OS susceptible to programs
similar to the MSBlast worm and its variants, which have infected more
than 8 million computers since last August. Another flaw affects a
common file used by Internet Explorer, Outlook and Outlook Express and
opens the way for the type of virus that executes when PC users click
a specially crafted Web link.
The software giant released four patches to cover the 20 security
issues, as part of its monthly update schedule. Microsoft wouldn't
comment on the level of risk the flaws present, instead maintaining
that companies that apply the fixes won't be in danger.
"If you are running a personal firewall, you are at reduced risk from
a lot of these vulnerabilities," said Stephen Toulouse, security
program manager for the Microsoft Security Response Center. "But we
are absolutely taking this seriously."
The largest patch, MS04-011, fixes at least 14 security flaws. A
security hole in the Help and Support Center affects both Windows 2003
and Windows XP. Another flaw in the Windows Meta File image format
could allow an attacker to create a digital picture file that could
take control of a Windows NT, 2000 or XP computer. At least six of the
14 flaws could result in a remote user taking control of a Windows
computer.
Toulouse said that instead of taking a piecemeal approach, Microsoft
waited to release some patches so it could present a more
comprehensive set of fixes. "Rather than shipping the same files over
three months, we are trying to provide customers one update that has
all the fixes," he said.
However, some security researchers took the software giant to task for
waiting to release a particular patch that covers many of the flaws.
Microsoft's strategy, they said, was keyed more toward public
relations than customer convenience.
"These releases confirm a trend that has been happening with Microsoft
security lately--that they are willing to leave customers vulnerable
for long periods of time, all in order to try to bundle security
fixes, which leads to the (impression) of having less
vulnerabilities," said Marc Maiffret, chief hacking officer for eEye
Digital Security. "This is completely unacceptable."
eEye Digital Security found six of the flaws Microsoft reported on
Tuesday. The company urged Windows users to update their systems as
soon as possible. Maiffret has previously criticized Microsoft for
taking as long as 200 days to fix flaws. He said Microsoft took as
many as 216 days to fix the latest set of flaws.
Other security researchers were less critical of the software giant.
"You can't generalize that Microsoft takes too long to fix flaws,"
said Gerhard Eschelbeck, chief technology officer for vulnerability
assessment company Qualys. "It depends on when the flaw is in the
code."
Qualys found two of the flaws Microsoft announced on Tuesday. A flaw
in a networking code library common to many versions of Windows only
took the giant two months to fix, said Eschelbeck. Microsoft had
practice, since another flaw had been found in that same library by
eEye Digital Security in February.
"A lot of the flaws in this release are derivative of ones that we
have seen before," said Qualys' Eschelbeck. "Typically, someone finds
a flaw in a particular area and a lot of researchers start looking in
that code."
That also happened with the flaw that lead to the MSBlast worm. A
second, similar flaw was found in October, but it took Microsoft until
now to fix it.
Overall, Eschelbeck believes that the software giant is doing the
right thing by releasing a single patch for all the flaws that affect
the same software components, rather than quickly releasing the fixes
one at a time. Qualys had previously found that it takes at least 30
days for half of the vulnerable companies on the Internet to fix the
most critical flaws. Easing the pain of patching is important, he
said.
"It's a single patch on a scheduled day," he said. "Everyone knows
today is Microsoft patch day. I think this is the right thing to do."
Eschelbeck recommended that companies apply at least the first patch
from Microsoft by the end of the week.
Information on the four patches can be found on Microsoft's Web site."
Regards
Gordon
