
Beyond Binary

Read all 'security' posts in Beyond Binary
December 1, 2009 1:05 PM PST

Microsoft: November security updates are fine

by Ina Fried
  • 58 comments

Microsoft said Tuesday that its investigation has turned up no evidence that anything in its November security updates should be causing users to encounter a so-called "black screen of death."

"Microsoft has investigated reports that its November security updates made changes to permissions in the registry that are resulting in system issues for some customers," Microsoft security response communications lead Christopher Budd said in a statement. "The company has found those reports to be inaccurate and our comprehensive investigation has shown that none of the recently released updates are related to the behavior described in the reports."

Microsoft said it was not contacted by British security firm Prevx before that company went public with its claims. Microsoft said it has reached out to them to let them know the results of its investigation.

The company said on Monday that it would look into the matter, but issued an update later in the day saying it could not verify any issues.

"Our support organization is also not seeing this as an issue," Budd said on Tuesday. "The claims also do not match any known issues that have been documented in the security bulletins or (knowledge base) articles."

Update, 3:15 p.m. PT: Prevx posted an updated blog saying that it has done additional testing.

"Having narrowed down a specific trigger for this condition we've done quite a bit of testing and re-testing on the recent Windows patches," the company said. "Since more specifically narrowing down the cause we have been able to exonerate these patches from being a contributory factor."

The company also offered up a mea culpa to Redmond and said it also recommends users keep patching their systems promptly. "We apologize to Microsoft for any inconvenience our blog may have caused."

September 21, 2009 7:07 AM PDT

Microsoft to release free security software soon

by Ina Fried
  • 61 comments

Microsoft plans to release the final version of its free antivirus software soon, according to a note sent to testers late Sunday.

"The final version of Microsoft Security Essentials will be released to the public in the coming weeks," Microsoft said in the note.

Microsoft first announced its plans for the product, then code-named Morro, last November, at the same time the company said it was scrapping its paid Windows Live OneCare product.

Public beta testing of Security Essentials started in June, with Microsoft reaching its goal of 75,000 testers just one day after it issued a call for them.

On a personal note, I've been using the product on several machines since June, and I like the way--unlike other antivirus programs--it doesn't make a spectacle of itself, just quietly doing its thing. I often forget it is running on a machine, yet it did save my bacon a couple weeks back when I almost caught Koobface from a friend on Facebook.

September 17, 2009 3:48 PM PDT

Microsoft sues over malicious online ads

by Ina Fried
  • 59 comments

Aiming to crack down on a growing problem, Microsoft said it filed five lawsuits Thursday against parties it suspects of posting online advertisements laden with malicious code.

Microsoft has tried to work with ad networks to thwart such "malvertising" in the past, but this is the first time it has gone to court.

"Our filings in King County Superior Court in Seattle outline how we believe the defendants operated, but in general, malvertising works by camouflaging malicious code as harmless online advertisements," Microsoft Associate General Counsel Tim Cranton said in a blog posting.

In each case, Microsoft is suing the unknown parties responsible for the ads.

"Although we don't yet know the names of the specific individuals behind these acts, we are filing these cases to help uncover the people responsible and prevent them from continuing their exploits," Cranton said.

In the past week, The New York Times' Web site was hit with a rogue advertisement that told readers that their computer may be infected with a virus and redirected them to a site that purports to offer antivirus software.

"Scareware is often distributed among criminals, which therefore results in many of the animations a user may see utilizing a common design and interface," a Microsoft representative told CNET News. "However, without additional information and specific details about the attacks, we cannot be certain that any of today's filings directly relate to the attacks on The New York Times' Web site."

Microsoft likened the latest lawsuits to prior legal action that it has taken against those suspected of click fraud or instant messaging spam.

"This work is vitally important because online advertising helps keep the Internet up and running," Cranton said. "It's the fuel that drives search technologies. It pays for free online services like Windows Live, Facebook, Yahoo, and MSN. Fraud and malicious abuse of online ad platforms are therefore a serious threat to the industry and for all consumers and businesses that rely on these free services."

September 8, 2009 6:03 PM PDT

Microsoft: Windows 7 not affected by latest flaw

by Ina Fried
  • 56 comments

Microsoft issued a formal security advisory late Tuesday on a reported zero-day flaw in Windows Vista and Windows Server 2008. However, the software maker also said that the flaw does not affect the final version of Windows 7, contrary to earlier reports.

"Microsoft is investigating new public reports of a possible vulnerability in Microsoft Server Message Block (SMB) implementation," Microsoft said in the advisory. "We are not aware of attacks that try to use the reported vulnerabilities or of customer impact at this time."

The flaw could allow an attacker to gain control of a system, although Microsoft said that "most attempts to exploit this vulnerability will cause an affected system to stop responding and restart."

The software maker said it is working with security software partners to provide information that can be used to create protections. Once its investigation is wrapped up, Microsoft said it will take action, which could include releasing a patch during its next monthly cycle or doing an "out-of-band" release, if necessary. Tuesday was Microsoft's monthly release for patches, which included five critical Windows updates addressing eight vulnerabilities.

The software maker said the latest issue affects the "release candidate" version of Windows 7, but not the final version that was completed in July. Also, the recently completed Windows Server 2008 R2 is not vulnerable, Microsoft said, nor are the earlier Windows XP and Windows 2000 operating systems.

Microsoft is already dealing with a separate, still unpatched flaw reported last week. Attacks have already been seen based on that vulnerability. Microsoft has taken issue with the fact that that flaw, like the latest one, was reported publicly as opposed to being privately disclosed to Microsoft, giving the company time to patch it.

September 8, 2009 10:24 AM PDT

Microsoft issues critical Windows patches

by Ina Fried
  • 36 comments

Microsoft on Tuesday issued five critical Windows-related updates as part of its monthly Patch Tuesday release.

While the issues affect different versions of Windows differently, Microsoft said none of the issues apply to the final version of Windows 7, which Microsoft wrapped up in July.

The five bulletins address eight vulnerabilities. According to Symantec Security Response research manager Ben Greenbaum, the two vulnerabilities most likely to be used by attackers involve the way Windows handles ASF and MP3 media files. "We've seen similar exploits in the past and all a user would have to do is visit a compromised Web site hosting one of these malicious files, which could be an MP3, WMA or WMV file, and they could become infected."

McAfee Avert Labs director Dave Marcus said that two of the flaws, in particular, relate to serious security vulnerabilities in the networking components of Windows Vista, Windows Server 2008 and Windows Server 2003 that could allow for malicious software to spread from one PC to another.

"These vulnerabilities are the most likely to be exploited by malicious code and are two of the best worm candidates that we've seen since Conficker," Marcus said in a statement. "That said, all of today's security bulletins address vulnerabilities that could allow an attacker to take complete control of a vulnerable PC."

In addition, Microsoft said it is re-releasing a bulletin from last month to address an additional control found to be vulnerable to an issue with the Microsoft Active Template Library.

Greenbaum noted that Microsoft has yet to issue a patch for a zero-day flaw in Internet Information Services that was made public last week. "Until a patch for this is issued, as a temporary workaround we suggest IT administrators using IIS 5.0 and 6.0 turn off anonymous write access immediately," Greenbaum said. "We also recommend using a firewall and restricting access to creating directories. Those using IIS 7.0 with FTP Service version 6.0 installed should upgrade to FTP Service version 7.5."

There are already some attacks being seen based on that flaw.

"While the company will not release an update this month, it will do so once it has reached an appropriate level of quality for broad distribution," Microsoft said.

Meanwhile, Microsoft said Tuesday that it is investigating another zero-day issue, this one a reported flaw in Windows Vista and Windows 7.

As for the patches Microsoft did release on Tuesday, Qualys CTO Wolfgang Kandek noted that some of the bulletins are interesting in that they either affect only newer operating systems or are more critical on later versions--the reverse of what is normally the case. Overall, he said, five Windows patches should keep IT workers busy.

"Due to the criticality of the patches and wide coverage of the operating system, this will be a busy day for IT administrators," Qualys CTO Wolfgang Kandek said in an e-mail.

August 31, 2009 2:33 PM PDT

Microsoft investigating newly reported IIS flaw

by Ina Fried
  • 22 comments

Microsoft on Monday said it is looking into a report of a flaw in some versions of its Internet Information Services product that could allow an attacker to gain control of a system.

In a statement, a Microsoft representative said the company "is investigating new public claims of a possible vulnerability in IIS 5 and IIS 6 File Transfer Protocol (FTP)."

Microsoft said it is not aware of any attacks using the vulnerability. "We will take steps to determine how customers can protect themselves, should we confirm the vulnerability."

According to IDG News Service, code for exploiting the unpatched flaw was posted to the Milw0rm Web site. IDG said the exploit appears to affect primarily older versions of IIS--and only when the FTP function is enabled.

Once it is done with its investigation, Microsoft said, it will decide how to address the matter, which could include a security update as part of its monthly Patch Tuesday or an out-of-cycle update.

In a posting on Monday, the U.S. Computer Emergency Readiness Team (US-CERT) suggested IT administrators "disable anonymous write access to the FTP server to help mitigate the vulnerability" but added that "a proper impact analysis should be performed prior to taking defensive measures."

August 11, 2009 11:06 AM PDT

Office, Windows get critical patches

by Ina Fried
  • 69 comments

Microsoft on Tuesday released nine patches, five of them critical, to plug holes in Windows and other software products.

The nine patches actually relate to 19 separate vulnerabilities in Windows, the .Net Framework, Microsoft Office, Microsoft Visual Studio, Microsoft ISA Server, Microsoft BizTalk Server, and Remote Desktop Client for Mac.

Among the issues addressed is one that Microsoft warned about last month--a vulnerability related to the Office Web Components that help users put spreadsheets, charts, and other documents onto the Web. At the time, Microsoft said it was already seeing attacks based on the flaw, which affects Office XP, Office 2003, Internet Security and Acceleration Server 2004 and 2006, as well as Office Small Business Accounting 2006.

More information on that issue and the others addressed with this month's patches is available in a bulletin on Microsoft's Web site.

As is its practice, Microsoft said last week that the patches were coming.

Symantec senior research manager Ben Greenbaum noted that many of the vulnerabilities this month related to so-called ActiveX controls and added that many of the holes could be exploited just by getting a user to visit a Web page that has malicious code.

"All of the ActiveX issues patched this month could be easily exploited and can impact even the average computer user," Greenbaum said in an e-mail. "For example, any user who has Microsoft Office on their machine could be vulnerable to the Microsoft Office Web Components vulnerabilities. Similarly, every user with Windows XP SP3 or Vista could also be susceptible to one of the Remote Desktop Connection issues."

Actually, not all versions of Office are affected, as the Web components issue does not affect the latest version--Office 2007. For a list of Office programs affected, see this security bulletin.

In any case, McAfee and Lumension both noted that it continues to be a long, hard summer for IT professionals who have had to deal with a large number of regular patches and some unscheduled ones as well from Microsoft and others.

"There's no break from patching this summer," McAfee Avert Labs' Dave Marcus said in a statement. "Microsoft is playing catchup with these patches as cybercriminals have already used some of the serious vulnerabilities to commandeer vulnerable Windows computers."

Lumension analyst Paul Henry said there had been some fear that the patches would go further, addressing some kernel-level issues. But even still, he said the latest crop of patches will bring their fair share of headaches.

"After a summer of heavier-than-normal Patch Tuesdays, the last thing IT workers need is yet another large batch of patches from Microsoft," Henry said in a statement. "Unfortunately, that is exactly what we got today as Microsoft released a total of nine security updates, five of which are critical and seven of which require disruptive restarts."

June 24, 2009 9:01 AM PDT

Microsoft's free security beta fills up

by Ina Fried
  • 40 comments

A day after making a beta of its free security program available, Microsoft has said it already has the number of testers it needs and has halted new downloads.

Well, that didn't take long.

A day after making available a free beta of its Microsoft Security Essentials software, Microsoft has stopped offering new downloads, saying it has reached the number of participants it was looking for, at least here in the U.S. The software maker had said it was only looking to initially have about 75,000 downloads of the product, formerly code-named Morro.

"Thank you for your interest in joining the Microsoft Security Essentials Beta. We are not accepting additional participants at this time," Microsoft said in a posting on its Web site. "Please check back at a later date for possible additional availability."

Microsoft Security Essentials is the free product that Microsoft promised it would create last year, at the same time the software maker said it was discontinuing its paid Windows Live OneCare product.

The program hits the antivirus basics, including built-in and customizable scan options, a scheduler, automatic definition file updates, a real-time defense shield, and rootkit protection. It's also similar to other free products on the market, such as those from AVG and Antivir.

Download.com's Seth Rosenblatt contributed to this report.

May 12, 2009 10:39 AM PDT

Microsoft patches critical PowerPoint hole

by Ina Fried
  • 8 comments

Microsoft on Tuesday released a patch aimed at fixing a critical vulnerability in PowerPoint that had already led to exploits.

The vulnerability is listed as critical for Office 2000, but rated only as important for Office XP, Office 2003, and Office 2007. However, the hole had already formed the basis of targeted attacks, prompting Microsoft to issue a warning last month.

Although Microsoft says the hole is now patched in the Windows version of PowerPoint, the software maker said it is still working on fixes for the Mac version of Office as well as for Microsoft Works, the company's entry-level productivity suite.

"The updates for Office for Mac and Microsoft Works 8.5 and 9.0 users are still in development," Microsoft security response communications lead Christopher Budd said in a statement. "Microsoft plans to issue updates for these software when testing is complete and we can ensure high quality. We are releasing this security update on an incremental basis because of active targeted exploitation toward Windows platform users."

Without the patch, the vulnerability can be exploited by getting a person to open a PowerPoint file rigged for the attack, Microsoft has said. When the file is opened, PowerPoint will access an invalid object in memory. That then allows an attacker to remotely execute code on the system.

The fix was released as part of the company's regularly scheduled monthly Patch Tuesday.

The software maker said that with the update, the ability to open PowerPoint 4.0 file formats will be disabled by default in Microsoft Office PowerPoint 2000 and Microsoft Office PowerPoint 2002. (Microsoft has already disabled that option by default in PowerPoint 2003 Service Pack 3 and that capability does not exist in PowerPoint 2007.)

Microsoft said that the vulnerability is not rated critical for PowerPoint 2002 and later versions because they prompt a user before opening a document, meaning that the vulnerability "requires more than a single user action to complete the exploit."

Symantec said in a statement that the PowerPoint fix related largely to flaws in older file formats. "Because taking advantage of these vulnerabilities requires a user to open a maliciously crafted PowerPoint file, e-mail is likely the most probable method attackers would use to try and exploit these," said Alfred Huger, vice president of Symantec Security Response, in a statement. "Another possibility is for an attacker to lure a victim into downloading the file from a misleading or compromised Web site. At that point, the attacker would then have complete control over everything the user's account has permission to do on the system."

One security analyst warned that corporate IT staff should be paying attention not just to Microsoft, but also to a variety of security updates being issued by other software makers.

"Although Microsoft only dropped one patch for PowerPoint this month, IT administrators shouldn't get the wrong impression and breathe easy given the light load," said Lumension security analyst Paul Henry. "In addition to Microsoft, other vendors including Google, F-Secure, Adobe, HP, Symantec and Mozilla (to name a few) released a slew of patches for popular software applications."

Henry posted a list of the other updates and blogged on the subject.

"It is important to remember that historically, popular applications and files like Adobe PDF files or Word, Excel or PowerPoint files have been great vehicles for targeted attacks because those attachments are so socially acceptable and are simply expected attachments within corporate email," Henry said. "While we are relieved about the PowerPoint patch, we live in an environment where compromised applications have now become a delivery mechanism for additional downloaded and executed malware such as key-loggers and rootkits. The most effective risk mitigation, therefore, continues to be application control to prevent a compromised application from downloading and running any unauthorized software (including malware) on a user's PC."

April 21, 2009 4:10 PM PDT

Microsoft exec: Internet still not safe enough

by Ina Fried
  • 37 comments

SAN FRANCISCO--Microsoft's operating systems are still vulnerable to attacks, but more often than not it's older versions that are taking the big hits.

That was the message from Scott Charney, corporate vice president in Microsoft's Trustworthy Computing group, when he sat down with me on Tuesday. We chatted about the latest threats, including Conficker. The much-maligned Windows Vista, he noted, wasn't hit in the way that older versions of the operating system were.

"Some of those widespread exploits take advantage of older platforms," Charney said in an interview, following his keynote speech at the RSA 2009 conference here.

With Windows 7, Microsoft is trying to take security into a few more areas, such as extending encryption to removable devices.

Charney also noted that, as a whole, the Internet still should be safer than it is.

"There is still a sense that it is not safe enough," Charney said. "It was not built for the uses that we currently use it for, all these commercial transactions."

One of the answers, he said, is adding more security features into the PC hardware.

"In a nutshell, software is malleable and hardware is harder to tamper with," he said.

About Beyond Binary

During her years at CNET News, Ina Fried has changed beats several times, changed genders once, and covered both of the Pirates of Silicon Valley. These days, most of her attention is focused on Microsoft.


Beyond Binary is a look at how technology is changing our lives and the people behind all that life-changing stuff, with an extra emphasis on that which emanates from Redmond, Wash.
