Microsoft issues critical Windows patches
Microsoft on Tuesday issued five critical Windows-related updates as part of its monthly Patch Tuesday release.
While the issues affect different versions of Windows differently, Microsoft said none of the issues apply to the final version of Windows 7, which Microsoft wrapped up in July.
The five bulletins address eight vulnerabilities. According to Symantec Security Response research manager Ben Greenbaum, the two vulnerabilities most likely to be used by attackers involve the way Windows handles ASF and MP3 media files. "We've seen similar exploits in the past and all a user would have to do is visit a compromised Web site hosting one of these malicious files, which could be an MP3, WMA or WMV file, and they could become infected."
McAfee Avert Labs director Dave Marcus said that two of the flaws, in particular, relate to serious security vulnerabilities in the networking components of Windows Vista, Windows Server 2008 and Windows Server 2003 that could allow malicious software to spread from one PC to another.
"These vulnerabilities are the most likely to be exploited by malicious code and are two of the best worm candidates that we've seen since Conficker," Marcus said in a statement. "That said, all of today's security bulletins address vulnerabilities that could allow an attacker to take complete control of a vulnerable PC."
In addition, Microsoft said it is re-releasing a bulletin from last month to address an additional control found to be vulnerable to an issue with the Microsoft Active Template Library.
Greenbaum noted that Microsoft has yet to issue a patch for a zero-day flaw in Internet Information Services that was made public last week. "Until a patch for this is issued, as a temporary workaround we suggest IT administrators using IIS 5.0 and 6.0 turn off anonymous write access immediately," Greenbaum said. "We also recommend using a firewall and restricting access to creating directories. Those using IIS 7.0 with FTP Service version 6.0 installed should upgrade to FTP Service version 7.5."
Some attacks based on that flaw are already being seen.
"While the company will not release an update this month, it will do so once it has reached an appropriate level of quality for broad distribution," Microsoft said.
Meanwhile, Microsoft said Tuesday that it is investigating another zero-day issue, this one a reported flaw in Windows Vista and Windows 7.
As for the patches Microsoft did release on Tuesday, Qualys CTO Wolfgang Kandek noted that some of the bulletins are interesting in that they either affect only newer operating systems or are more critical on later versions--the reverse of what is normally the case. Overall, he said, five Windows patches should keep IT workers busy.
"Due to the criticality of the patches and wide coverage of the operating system, this will be a busy day for IT administrators," Kandek said in an e-mail.
During her years at CNET News, Ina Fried has changed beats several times, changed genders once, and covered both of the Pirates of Silicon Valley. These days, most of her attention is focused on Microsoft.





I'm rather surprised it's only five this time though. I'm used to seeing a dozen or so total.
...it also has a habit of breaking things, automatically. Run it on your Exchange 2007 servers sometime... and watch your enterprise webmail and Free/Busy services go 'splat' until all the other Exchange 2k7 servers catch up to the same patch level.
...and we haven't even covered the enforced reboot habit that can cause server downtime at the most inconvenient of times. ;)
A competent administrator can take care of those issues readily. Microsoft does allow you to tailor the updates as you wish to have them run. It's not hard at all. Simply go to the management console. Heck, you can do it remotely if you want. Server management simply isn't that hard to do. This is the sort of 1st year student level type of work.
WSUS is for professional administrators. Remember, Random_walk isn't talking about professionals and servers. He's pointing out more like the small time operations without a dedicated system admin, I think.
Both Linux and Apple have good products that can compete in this area. Use what works best for you.
Can't? Didn't think so
Meanwhile, in Windowsland, there are hordes of s'kiddies happily reverse-engineering the latest fixes and looking to exploit the unpatched as soon as practical - a time-frame that has shrunk to hours in some instances (meaning, we hope you manage to patch before they find one, campers...)
Now if you don't mind, I have to test a shedload of Windows servers against this patch (thank Heaven for VMWare and 'cloning'....)
I'm sure glad you know more than Apple does on security. That silly company keeps releasing security updates for not only OS X but a host of other products including things like QuickTime and iTunes. But the joke's on Apple because you know better- it's pointless to run security updates on a Mac! So says Random_Walk!
Now in reality, I'm a bit more inclined to believe Apple just a wee bit more than you- I somewhat suspect they know a bit more about the product than you do, but who knows, I could be wrong. :)
'Perhaps in your rush to knee-jerk out a hot and frothy defense of your object of worship (Windows), you might have missed the aspect of urgency. In OSX at this time, there is no urgency to run Software Updates.'
>>>>In case you have forgotten, there have been a few hundred vulnerabilities reported in Windows Vista since its release. And yet, since IE8 and the latest versions of Firefox have fully implemented Vista's ASLR (and DEP, which Snow Leopard does not have, at least not properly implemented), no working exploits have been discovered.
Still using status quo as evidence for inherent security, I see. And now, you've picked up on my religious fundamentalist zingers. However, there is irony in your use of such terms. As it were, our "frothy defenses" happen to have factual foundations, while yours do not. It's because of these empty assertions that you stand accused of worshipping an operating system. Your attempt to channel it back at us doesn't work quite as well, sorry.
'Meanwhile, in Windowsland, there are hordes of s'kiddies happily reverse-engineering the latest fixes and looking to exploit the unpatched as soon as practical - a time-frame that has shrunk to hours in some instances (meaning, we hope you manage to patch before they find one, campers...)'
>>>>As always, where are the post-2007 exploits? And, as I'm sure I'll have to remind you plenty more times in the future, I'm asking for "EXPLOITS," not Trojans. And if you want to avoid looking stupid again, make sure that the exploit itself is affecting Vista machines, and not just the vulnerability. Remember, the vulnerabilities exploited by Conficker and Gumblar happen to affect Vista machines, but the worms will not work on Vista because of its mitigations.
'Now if you don't mind, I have to test a shedload of Windows servers against this patch (thank Heaven for VMWare and 'cloning'....)'
>>>>This is getting old. You're a long way from measuring up to a network administrator. If you were one, then you would know the difference between an exploit and a Trojan horse. EVERY SA I know is aware of the difference, as are most of the people in my own department.
Those past remarks of yours about Charlie Miller's "geek stick" have left your credibility in ruins; that is, whatever credibility you could possibly have built back up after falling flat on your face by signing /P under your current username. You know too little about computers, security, and hacking to continue to claim ANY technical expertise, much less the level of prestige you're trying to assume. And again, when we already know that you're not above trying to reinforce yourself by using two different usernames simultaneously, your word would continue to mire you even if you WERE a good pretender. Nice try, but no cigar. Stay in school, kid!
Any OS can be attacked and that goes for any flavor UNIX or LINUX as well. Being ignorant about security or too lazy to apply patches is the main cause of failure.
In enterprise computing using MS products, there must be a WSUS server that is constantly administered. This is a very small part of my job and my company has not had an attack as far as I can remember. The same should apply to all OS being used, even if they are behind a dozen firewalls.
It's nearly as annoying as righteous zealots who keep harping on MAC vs Mac distinctions, assuming the world is too stupid to know the difference and that they need your help to understand the context of the message.
@ Dan... I had to add a second Windows system as one of our new recruits is more familiar with that platform. I still prefer Mac, but don't necessarily dislike Windows. What I do dislike is someone telling me it's better simply because it commands more market share.
I dislike someone telling me Macs are better simply because they have less market share, which somehow makes them more secure. I can care less what OS I use, as long as it will let me run the apps I want to.
As usual, my system updated without any problems.
"I still prefer Mac, but don't necessarily dislike Windows"
Your own prior comments here on CNET would tend to cast this statement into a bit of doubt. What changed?
Let me apologize to you on that last comment. That was me being snarky and I didn't think you really meant what you said, but going back and rereading it, I think I need to delay my response a bit more before commenting.
.. then again I never do, maybe it is because I am not a dumb@$$ or that people don't target me :p
btw, it is my birthday, woot!
- by monster_eater123 September 9, 2009 11:09 PM PDT
- May I remind Windows users, running Automatic updates DOES NOT give you all the security updates. Rather just the biggest and most important ones. Otherwise you need to go to Microsoft Update and select Custom mode and get all the updates.