Microsoft today released a baker’s dozen of software updates to fix twice as many vulnerabilities in its various Windows operating systems and other software. Translation: If you use any supported version of Windows, it’s time once again to update your PC.
Five of the 13 update bundles Redmond issued today earned a rating of “critical,” meaning Microsoft considers these flaws so serious that attackers could exploit them to seize control over vulnerable systems just by getting users to visit a hacked or malicious Web site.
Seven of the most serious bugs are addressed by two patches for Microsoft Office software. Critical flaws in Microsoft Paint, Microsoft DirectShow, and a critical ActiveX (Internet Explorer) vulnerability round out the most recognizable of the serious flaws.
According to Microsoft, the most dangerous of the flaws (that is, those that computer crooks are most likely to try and succeed at exploiting soon) include:
-A critical vulnerability in the “server message block” or SMB service — which handles Windows networking (curiously, this is rated critical on all supported Windows versions except Windows Vista and Server 2008);
-A nasty bug in the Windows Shell Handler, the component that allows preview thumbnails in Windows Explorer (affects only Windows 2000, XP and Server 2003);
-The ActiveX/IE and DirectShow flaws I mentioned above.
If you encounter any issues or serious problems after installing any or all of these updates, please drop a line in the comments below. Generally, serious problems with Windows patches are rare, and occur mainly in business systems with custom software. Usually, it becomes clear very soon after Patch Tuesday if there are any problems with consumer systems. Just try not to let too much time pass by before applying all of the relevant updates to your machine.
Windows Vista and Windows 7 users can check for updates by clicking “Start,” typing “Windows Update” and selecting the resulting option. Windows XP and W2k users will need to visit the Windows Update Web site with Internet Explorer. Alternatively, Windows users with Automatic Update enabled will likely receive a prompt within the next 12-24 hours to install this month’s round of patches.
PAINT has a critical bug??? Hasn’t that been around since, oh, Windows ONE??? Jeez…OK, let the Windows-bashing begin
Windows problems? There’s a (careful) app for that!
14. “Any problem on earth can be solved with the careful application of high explosives. The trick is to not be around when they go off.”
— from the Movie “Valkyrie”
There is also an app that fixes a series of critical issues for the iPhone:
Unfortunately, I believe you need to connect to a computer with iTunes to install the patch. How many people with iPhones never (or rarely) connect them to a computer?
For those saying code on a non-Microsoft OS is better:
One of the critical flaws is for Office for Mac
Affected: Microsoft Office 2004 for Mac
Component Not applicable
Risk: Remote Code Execution
You’re trying to argue against non-MS operating system code by using…Microsoft code as an example? By the way, as you quoted, this vulnerability is rated “important” – not “critical.”
When was the last time you heard of malware compromising the OS X system itself through Office for Mac? Not only would you have to trick the user into furnishing admin credentials (an obvious red flag) to get privilege escalation, you had better hope that the user either has software update turned off or just ignores the updates altogether. No OS is going to stop the PEBKAC.
Also, Office 2004 is a PPC suite. Macintel users are more than likely using Office 2008 which isn’t affected by this vulnerability.
I quote myself for clarification.
My point was to say bad code on any OS is still bad code. This one happened to be an example of a 6-year-old product being exploitable due to poor architectural/programming decisions still making it across the cross platform gap.
As for the rating I’ve always been amazed how fragmented the definitions are. Critical, Important, Whatever. Important today could be critical tomorrow. If anything is not critical what gets the user’s attention to go patch their application suite?
It may not be that malware compromises the entire system. Perhaps it just compromises the userland or a user’s data. It sucks to have all your data deleted, encrypted or passworded due to an extortion payload. Any remote execution bug is a threat _within_ a user’s account.
A couple things I forgot to explore. It would be interesting to see how cross OS applications are supported for security issues in the future.
1) Office 2004 is pushed heavily & deeply discounted to students/teachers who are least likely in a managed environment (aka outside the school).
2) The student/teacher versions are not upgradable to 2008 by design and I’d be curious if they are still deployed – personally, students and teachers could be cash-strapped enough, or simple enough not to get into constant upgrade paths. Perhaps that generation is savvy enough to go to OOo, or well funded enough for purchasing Iwork and it’s a moot point.
3) Rosetta is slowly being deprecated, but until that happens MS still somehow is obliged to invest resources into responding to and testing this platform. I don’t think that this is a “for free” of patching the Wintel.
That’s just ridiculous.
Microsoft forgot one:
If I worked as a Microsoft programmer I think I’d have developed elephant hide to get up in the morning and go to work every day. I say this as a “user” in the benevolent sense, and as a reader of sometimes very acid anti-M/S comments on a few sites. I didn’t ever have any real problems with …gasp!…Vista.
OK!, OK!, I’m ducking…Don’t throw any more shoes!
….and, I always kept (keep) my updates on ‘automatic’, and now use Windows 7 with Firefox’s Private Mode as my designated browser.
Is my halo blinding me? Maybe I don’t need to know.
[Couldn’t resist this genuine insertion here. ]
Brian, I submit that the easiest and least complicated way to protect one’s Windows PC is to partition the hard disk and install another and more secure OS on one half. One can then use this latter for all purposes for which access to Microsoft programmes and applications is not absolutely necessary, e g, helping others when they run into problems with this buggy and insecure software….
If you recall a few months ago, BK actually wrote a series of posts about e-banking with Linux live CDs:
The problem with setting up a dual boot environment is that you must plan out how much space you’re willing to dedicate to both operating systems and data if you decide to create another shared partition in between. Moreover, you have to factor in the extra time to back up your data (you do back up, right?), partition your drive, install both systems + all patches, install programs, and migrate your data back. While this may be trivial to the geek contingent in here, it will be completely lost on Average Joe User, hence why it just might be easier to use the live CD as a temporary solution.
AlphaMack, I do recall Brian’s posts, and I agree with him and you that using a Live CD for banking errands can be an excellent solution. But as this particular post deals with more general vulnerabilities, I suggested a more general solution. But you are quite right, with multiple systems/computers, whether with different platforms or no, keeping everything up to date can be quite a chore (and keeping one’s software up to date is the alpha and omega of all security)….
To my knowledge, there is nothing to stop a virus from infecting the second partition.
There is also the issue of licensing. Installing the same OS on two partitions might require 2 licenses.
To clarify, this thread isn’t talking about using the same OS. It is inferred that the dual-boot environment is Windows and Linux, BSD, or some other *nix.
OMG! The sky is falling. The sky is falling! ;P
Seriously people! Just install the patches and move on. Patching is simply part of the computing environment. Complaining about it or slamming the vendor isn’t helping anyone.
Attn: All Readers….
Pls. see the two astute, penetrating comments immediately above. What can be too wrong with something that eighteen gazillions seems attracted to….in my old field, it was marketing vv. technology. Some marriages work under certain conditions, some simply don’t.
It helps if people get sick and tired of patching junkware all the time and start discussing using another vendor where they don’t run into this type of situation all the time. To say patching is simply part of the computing environment is to grossly sidestep the bigger issue – and it’s also an admission that one lacks important expertise in other operating systems.
M.Henry Day got posted in between…I’m not as agile as I was once…
< ; )
B.A.Econ,.1954, your ability to spell personal names seems also to have declined….
Henri (with «i») and no dot after the «M»
I’m off to see my optometrist in the morning, ….here in the steppes/tundra of deepest central Maryland my faculties/energies have been diverted to clearing snow from my MX5 convertible (the top, mercifully was up….)
….besides, my chauvinistic spellings somehow leap to the surface, bursting forth from that closet in times of wx stress…condom must’ve slipped, again…
….you’ll forgive, Non ?
Looks like KB977165 is causing havoc for some. PCs won’t boot/blue screen after patching up. See links:
Help! I’m technically inept, and have only one old computer running XP. I read the comments in the forum that jerry posted a link to. Sounds like these updates, or at least one of them, will totally crash the computer. I’m not about to try downloading them to find out.
Please, will you follow up and keep us posted on when/whether this problem gets fixed?
If you have trouble with all the techy underpinnings and probably don’t feel like wasting your time on them either, you could just use deepFreeze… if something got on your system, a reboot will revert everything back to the way it was.
Or keep your main system off the net and use some older computer that’s been sitting in the garage for browsing the net.
The best way might be to only run your browser inside VirtualBox, if you’re worried that your outdated operating system is full of unpatched security holes.
Well either way you do it, it has its drawbacks. Just remember, if you don’t get on a browser and you don’t click on links in emails, and you’re behind a cheap hardware firewalled router from Netgear or Belkin etc, nothing will get on your system.
Bien sur, B.A.Econ., 1954 !…