Beyond Binary

December 1, 2009 1:05 PM PST

Microsoft: November security updates are fine

by Ina Fried

Microsoft said Tuesday that its investigation has turned up no evidence that anything in its November security updates should be causing users to encounter a so-called "black screen of death."

"Microsoft has investigated reports that its November security updates made changes to permissions in the registry that are resulting in system issues for some customers," Microsoft security response communications lead Christopher Budd said in a statement. "The company has found those reports to be inaccurate and our comprehensive investigation has shown that none of the recently released updates are related to the behavior described in the reports."

Microsoft said it was not contacted by British security firm Prevx before that company went public with its claims. Microsoft said it has reached out to them to let them know the results of its investigation.

The company said on Monday that it would look into the matter, but issued an update later in the day saying it could not verify any issues.

"Our support organization is also not seeing this as an issue," Budd said on Tuesday. "The claims also do not match any known issues that have been documented in the security bulletins or (knowledge base) articles."

Update, 3:15 p.m. PT: Prevx posted an updated blog saying that it has done additional testing.

"Having narrowed down a specific trigger for this condition we've done quite a bit of testing and re-testing on the recent Windows patches," the company said. "Since more specifically narrowing down the cause we have been able to exonerate these patches from being a contributory factor."

The company also offered up a mea culpa to Redmond and said it also recommends users keep patching their systems promptly. "We apologize to Microsoft for any inconvenience our blog may have caused."

November 30, 2009 1:37 PM PST

Microsoft investigating 'black screen of death'

by Ina Fried

Microsoft said on Monday that it is looking into reports that its latest security updates are causing some serious problems for certain users.

The problem has been dubbed the "black screen of death" because those affected are left with a black desktop and little else on their screen.

"Microsoft is investigating reports that its latest release of security updates is resulting in system issues for some customers," the software maker said in a statement. "Once we complete our investigation, we will provide detailed guidance on how to prevent or address these issues."

The issue was noted by British security firm Prevx on its blog on Friday, with that company also offering a suggested fix for the problem.

"The symptoms are very distinctive and troublesome," Prevx said. "After logging on there is no desktop, task bar, system tray or sidebar. Instead you are left with a totally black screen and a single My Computer Explorer window."

Prevx suggested that the black screen issue can occur on a wide range of Windows machines from Windows NT through Windows 7. In its blog, Prevx said there appear to be many causes of the black-screen issue, not all of which are related to the security update.

"In researching this issue we have identified at least 10 different scenarios which will trigger the same black screen conditions," Prevx said. "These appear to have been around for years now." As for the latest security update, Prevx said changes to the way registry keys are handled appears to be the reason it is causing black screens.

I've asked Microsoft what it recommends users should do for now and will post its answer here.

Microsoft released its latest security updates on November 10, issuing six bulletins addressing 15 flaws.

Update, 3:35 p.m. PT: A Microsoft representative said that the company continues to recommend that customers "test and deploy" the November security updates.

"Based on our investigation so far we can say that we're not seeing this as an issue from our support organization," the representative said. "The issues as described also do not match any known issues that have been documented in the security bulletins or (knowledge base) articles."

September 8, 2009 6:03 PM PDT

Microsoft: Windows 7 not affected by latest flaw

by Ina Fried

Microsoft issued a formal security advisory late Tuesday on a reported zero-day flaw in Windows Vista and Windows Server 2008. However, the software maker also said that the flaw does not affect the final version of Windows 7, contrary to earlier reports.

"Microsoft is investigating new public reports of a possible vulnerability in Microsoft Server Message Block (SMB) implementation," Microsoft said in the advisory. "We are not aware of attacks that try to use the reported vulnerabilities or of customer impact at this time."

The flaw could allow an attacker to gain control of a system, although Microsoft said that "most attempts to exploit this vulnerability will cause an affected system to stop responding and restart."

The software maker said it is working with security software partners to provide information that can be used to create protections. Once its investigation is wrapped up, Microsoft said it will take action, which could include releasing a patch during its next monthly cycle or doing an "out-of-band" release, if necessary. Tuesday was Microsoft's monthly release for patches, which included five critical Windows updates addressing eight vulnerabilities.

The software maker said the latest issue affects the "release candidate" version of Windows 7, but not the final version that was completed in July. Also, the recently completed Windows Server 2008 R2 is not vulnerable, Microsoft said, nor are the earlier Windows XP and Windows 2000 operating systems.

Microsoft is already dealing with a separate, still unpatched flaw reported last week. Attacks have already been seen based on that vulnerability. Microsoft has taken issue with the fact that that flaw, like the latest one, was reported publicly as opposed to being privately disclosed to Microsoft, giving the company time to patch it.

September 8, 2009 10:24 AM PDT

Microsoft issues critical Windows patches

by Ina Fried

Microsoft on Tuesday issued five critical Windows-related updates as part of its monthly Patch Tuesday release.

While the issues affect different versions of Windows differently, Microsoft said none of the issues apply to the final version of Windows 7, which Microsoft wrapped up in July.

The five bulletins address eight vulnerabilities. According to Symantec Security Response research manager Ben Greenbaum, the two vulnerabilities most likely to be used by attackers involve the way Windows handles ASF and MP3 media files. "We've seen similar exploits in the past and all a user would have to do is visit a compromised Web site hosting one of these malicious files, which could be an MP3, WMA or WMV file, and they could become infected."

McAfee Avert Labs director Dave Marcus said that two of the flaws, in particular, relate to serious security vulnerabilities in the networking components of Windows Vista, Windows Server 2008 and Windows Server 2003 that could allow malicious software to spread from one PC to another.

"These vulnerabilities are the most likely to be exploited by malicious code and are two of the best worm candidates that we've seen since Conficker," Marcus said in a statement. "That said, all of today's security bulletins address vulnerabilities that could allow an attacker to take complete control of a vulnerable PC."

In addition, Microsoft said it is re-releasing a bulletin from last month to address an additional control found to be vulnerable to an issue with the Microsoft Active Template Library.

Greenbaum noted that Microsoft has yet to issue a patch for a zero-day flaw in Internet Information Services that was made public last week. "Until a patch for this is issued, as a temporary workaround we suggest IT administrators using IIS 5.0 and 6.0 turn off anonymous write access immediately," Greenbaum said. "We also recommend using a firewall and restricting access to creating directories. Those using IIS 7.0 with FTP Service version 6.0 installed should upgrade to FTP Service version 7.5."

There are already some attacks being seen based on that flaw.

"While the company will not release an update this month, it will do so once it has reached an appropriate level of quality for broad distribution," Microsoft said.

Meanwhile, Microsoft said Tuesday that it is investigating another zero-day issue, this one a reported flaw in Windows Vista and Windows 7.

As for the patches Microsoft did release on Tuesday, Qualys CTO Wolfgang Kandek noted that some of the bulletins are interesting in that they either affect only newer operating systems or are more critical on later versions--the reverse of what is normally the case. Overall, he said, five Windows patches should keep IT workers busy.

"Due to the criticality of the patches and wide coverage of the operating system, this will be a busy day for IT administrators," Qualys CTO Wolfgang Kandek said in an e-mail.

August 11, 2009 11:06 AM PDT

Office, Windows get critical patches

by Ina Fried

Microsoft on Tuesday released nine patches, five of them critical, to plug holes in Windows and other software products.

The nine patches actually relate to 19 separate vulnerabilities in Windows, the .Net Framework, Microsoft Office, Microsoft Visual Studio, Microsoft ISA Server, Microsoft BizTalk Server, and Remote Desktop Client for Mac.

Among the issues addressed is one that Microsoft warned about last month--a vulnerability related to the Office Web Components that help users put spreadsheets, charts, and other documents onto the Web. At the time, Microsoft said it was already seeing attacks based on the flaw, which affects Office XP, Office 2003, Internet Security and Acceleration Server 2004 and 2006, as well as Office Small Business Accounting 2006.

More information on that issue and the others addressed with this month's patches is available in a bulletin on Microsoft's Web site.

As is its practice, Microsoft said last week that the patches were coming.

Symantec senior research manager Ben Greenbaum noted that many of the vulnerabilities this month related to so-called ActiveX controls and added that many of the holes could be exploited just by getting a user to visit a Web page that has malicious code.

"All of the ActiveX issues patched this month could be easily exploited and can impact even the average computer user," Greenbaum said in an e-mail. "For example, any user who has Microsoft Office on their machine could be vulnerable to the Microsoft Office Web Components vulnerabilities. Similarly, every user with Windows XP SP3 or Vista could also be susceptible to one of the Remote Desktop Connection issues."

Actually, not all versions of Office are affected, as the Web components issue does not affect the latest version--Office 2007. For a list of Office programs affected, see this security bulletin.

In any case, McAfee and Lumension both noted that it continues to be a long, hard summer for IT professionals who have had to deal with a large number of regular patches and some unscheduled ones as well from Microsoft and others.

"There's no break from patching this summer," McAfee Avert Labs' Dave Marcus said in a statement. "Microsoft is playing catchup with these patches as cybercriminals have already used some of the serious vulnerabilities to commandeer vulnerable Windows computers."

Lumension analyst Paul Henry said there had been some fear that the patches would go further, addressing some kernel-level issues. But even still, he said the latest crop of patches will bring their fair share of headaches.

"After a summer of heavier-than-normal Patch Tuesdays, the last thing IT workers need is yet another large batch of patches from Microsoft," Henry said in a statement. "Unfortunately, that is exactly what we got today as Microsoft released a total of nine security updates, five of which are critical and seven of which require disruptive restarts."

May 12, 2009 10:39 AM PDT

Microsoft patches critical PowerPoint hole

by Ina Fried

Microsoft on Tuesday released a patch aimed to fix a critical vulnerability in PowerPoint that had already led to exploits.

The vulnerability is listed as critical for Office 2000, but rated only as important for Office XP, Office 2003, and Office 2007. However, the hole had already formed the basis of targeted attacks, prompting Microsoft to issue a warning last month.

Although Microsoft says the hole is now patched in the Windows version of PowerPoint, the software maker said it is still working on fixes for the Mac version of Office as well as for Microsoft Works, the company's entry-level productivity suite.

"The updates for Office for Mac and Microsoft Works 8.5 and 9.0 users are still in development," Microsoft security response communications lead Christopher Budd said in a statement. "Microsoft plans to issue updates for these software when testing is complete and we can ensure high quality. We are releasing this security update on an incremental basis because of active targeted exploitation toward Windows platform users."

Without the patch, the vulnerability can be exploited by getting a person to open a PowerPoint file rigged for the attack, Microsoft has said. When the file is opened, PowerPoint will access an invalid object in memory. That then allows an attacker to remotely execute code on the system.

The fix was released as part of the company's regularly scheduled monthly Patch Tuesday.

The software maker said that with the update, the ability to open PowerPoint 4.0 file formats will be disabled by default in Microsoft Office PowerPoint 2000 and Microsoft Office PowerPoint 2002. (Microsoft has already disabled that option by default in PowerPoint 2003 Service Pack 3 and that capability does not exist in PowerPoint 2007.)

Microsoft said that the vulnerability is not rated critical for PowerPoint 2002 and later versions because they prompt a user before opening a document, meaning that the vulnerability "requires more than a single user action to complete the exploit."

Symantec said in a statement that the PowerPoint fix related largely to flaws in older file formats. "Because taking advantage of these vulnerabilities requires a user to open a maliciously crafted PowerPoint file, e-mail is likely the most probable method attackers would use to try and exploit these," said Alfred Huger, vice president of Symantec Security Response, in a statement. "Another possibility is for an attacker to lure a victim into downloading the file from a misleading or compromised Web site. At that point, the attacker would then have complete control over everything the user's account has permission to do on the system."

One security analyst warned that corporate IT staff should be paying attention not just to Microsoft, but also to a variety of security updates being issued by other software makers.

"Although Microsoft only dropped one patch for PowerPoint this month, IT administrators shouldn't get the wrong impression and breathe easy given the light load," said Lumension security analyst Paul Henry. "In addition to Microsoft, other vendors including Google, F-Secure, Adobe, HP, Symantec and Mozilla (to name a few) released a slew of patches for popular software applications."

Henry posted a list of the other updates and blogged on the subject.

"It is important to remember that historically, popular applications and files like Adobe PDF files or Word, Excel or PowerPoint files have been great vehicles for targeted attacks because those attachments are so socially acceptable and are simply expected attachments within corporate email," Henry said. "While we are relieved about the PowerPoint patch, we live in an environment where compromised applications have now become a delivery mechanism for additional downloaded and executed malware such as key-loggers and rootkits. The most effective risk mitigation, therefore, continues to be application control to prevent a compromised application from downloading and running any unauthorized software (including malware) on a user's PC."

November 12, 2007 8:45 AM PST

Microsoft aims to quell Vista grumbles

by Ina Fried

Microsoft plans to release a trio of updates for Windows Vista this week, a move the company said should help ease some of the top complaints leveled against the operating system.

The patches, expected to be issued Tuesday, address core issues like performance, reliability, and stability of the nearly year-old operating system.

One update aims to improve battery life on mobile devices, boost stability of wireless connections, and improve the operating system's response time following a period of inactivity.

A second patch deals with the operating system's interactions with USB ports, in particular when systems wake from sleep or hibernation, issues that cause 1 percent to 2 percent of all reported crashes, Microsoft said.

The final software update deals with the Windows Media Center component of Vista Home Premium and Vista Ultimate, offering fixes for the way the software interacts with an Xbox 360 that is acting as a Media Center extender.

The updates will also be included in the first service pack for Vista, due next year.
