MS Critical Security Update Thurs 21st

[Taffycat]

Advance Notification for Out-of-Band Bulletin Release

Today we issued our Advanced Notification Service (ANS) to advise customers that we will be releasing MS10-002 tomorrow, January 21st, 2010. We are planning to release the update as close to 10:00 a.m. PST (UTC -8) as possible. This is a standard cumulative update, accelerated from our regularly scheduled February release, for Internet Explorer with an aggregate severity rating of Critical. It addresses the vulnerability related to recent attacks against Google and small subset of corporations, as well as several other vulnerabilities. Once applied, customers are protected against the known attacks that have been widely publicized. We recommend that customers install the update as soon as it is available. For customers using automatic updates, this update will automatically be applied once it is released.

Full article: MSRCTEAM

 

[captain zed]

At least they bothered to warn us lol. Thanks TC.

 

[muckshifter]

At least they bothered to warn us lol. Thanks TC.

They usually do, people don't read or report the fact.

 

[captain zed]

That's the first time i have had warning.....maybe i just don't read enough on the microsoft site lol.
I'm installing as i type this and there are 2 updates today

1. Cumulative Security Update for Internet Explorer 8 for Windows Vista (KB978207).

2.Definition Update for Windows Defender - KB915597 (Definition 1.71.2521.0).

I dont think these two can be removed either.

 

[Abarbarian]

They usually do, people don't read or report the fact.

Mind you it has taken Microsoft 17 years to tell folk about this bug

"This is believed to affect every release of the Windows NT kernel, from
Windows NT 3.1 (1993) up to and including Windows 7 (2009)."

http://seclists.org/fulldisclosure/2010/Jan/341

http://jordanopensource.org/freeplanet/article/microsoft-confirms-17-year-old-bug-windows

 

[Abarbarian]

At least they bothered to warn us lol. Thanks TC.

However they could have told folk 4 months ago.

"Microsoft was aware months ago of a critical security vulnerability well before hackers exploited it to breach Google, Adobe and other large U.S. companies but did not patch the hole completely until Thursday. The software giant had intended to release a patch for the flaw in February — more than four months after learning about it, but had to speed up that plan and role it out this week in the wake of news that Google and others had been hacked through the flaw, the world’s largest software maker acknowledged Thursday.

Meron Sellen, a security researcher at BugSec, an Israeli firm, quietly reported the vulnerability to Microsoft in September, according to security firm Kaspersky.

Microsoft confirmed it learned of the so-called “zero-day” flaw months ago."

"Google disclosed last week it discovered in mid-December that it had been hacked in an attack originating from China, about two months after Microsoft learned of the vulnerability. Adobe followed Google, announcing it, too, was hacked. Security firm iDefense said it had information that at least 34 companies were breached in the coordinated attack."