Zero Day

Ryan Naraine, Emil Protalinski and Dancho Danchev

MS Patch Tuesday heads-up: Critical flaws in Windows, Office

By | March 3, 2011, 12:28pm PST

Summary: Microsoft has announced plans to ship three security bulletins this month to cover at least four serious vulnerabilities in all supported versions of the Windows operating system.

According to an advance notice from Redmond, one of the bulletins will be rated “critical” while the rest will carry an “important” rating.  All three bulletins cover issues that could lead to remote code execution attacks, Microsoft said.


Affected software includes the Windows OS, Microsoft Office and Microsoft Groove 2007.

It is not yet clear if this Patch Tuesday batch of updates will include fixes for the recent Windows BROWSER protocol vulnerability that was publicly discussed in February.

Microsoft last week quietly shipped an update to fix a security flaw in the Microsoft Malware Protection Engine. This engine powers Microsoft’s range of anti-malware and security products (Forefront, Live OneCare, Security Essentials, etc.).

From an advisory issued last week:

Microsoft is releasing this security advisory to help ensure customers are aware that an update to the Microsoft Malware Protection Engine also addresses a security vulnerability reported to Microsoft. The update addresses a privately reported vulnerability that could allow elevation of privilege if the Microsoft Malware Protection Engine scans a system after an attacker with valid logon credentials has created a specially crafted registry key. An attacker who successfully exploited the vulnerability could gain the same user rights as the LocalSystem account. The vulnerability could not be exploited by anonymous users.

Since the Microsoft Malware Protection Engine is a part of several Microsoft anti-malware products, the company said the update was installed along with the updated malware definitions for the affected products.

Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues.

Disclosure

Ryan Naraine

The most important disclosure is of my employment with Kaspersky Lab as a member of the global research and analysis team. Kaspersky Lab is a global company specializing in anti-malware and secure content management technologies. I do not own stocks or other investments in any technology company.

Biography

Ryan Naraine

Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues. He is currently security evangelist at Kaspersky Lab, an anti-malware company with operations around the globe. He is taking a leadership role in developing the company's online community initiative around secure content management technologies.

Prior to joining Kaspersky Lab, Ryan was Editor-at-Large/Security at eWEEK, leading the magazine's and Web site's coverage of Internet and computer security issues and managing the popular SecurityWatch blog, covering the daily threats, vulnerabilities and IT security technologies. He also covered IT security, hacker attacks and secure content management topics for Jupiter Media's internetnetnews.com.

Ryan can be reached at naraine SHIFT 2 gmail.com. For daily updates on Ryan's activities, follow him on Twitter.

41
Comments

RE: MS Patch Tuesday heads-up: Critical flaws in Windows, Office
Gis Bun 6th Mar 2011
@search & destroy : So where do you get 2GB from? The Win 7 SP1 [if you download from the updater] takes between 40MB and 100MB in 99% of the cases. Compare that with the 500+ MB for each and every Apple update EVERY two months. Microsoft uses a way to download just what the OS requires. Apple can't figure that out. Look at buggy and bloated iTunes. 100MB per update. They don't know how to patch software. So you need to update iTunes every couple of weeks. Spend more time updating a Mac than almost anything else.
Just another installment of the weekly train wreck that is Windows......
@WhatsamattaU

You should end the statement with three (3) dots, whatsamattau... Lack of education?
0 Votes
LOL...
i8thecat 3rd Mar 2011
@rjshortt

Good one... That actually made me laugh...
0 Votes
@rjshortt Yeah, that's it. This from the poster who can't capitalize a proper name. Maybe we can focus on the topic. Wait, the topic is always the same, Windows is insecure. Never mind, no news here.
0 Votes
The motherload of bloatware?

I guess 2GB of crapware wasn't enough...
0 Votes
2GB?
Michael Alan Goff 4th Mar 2011
Stop spreading FUD.

The 2GB was for every version available, and didn't take into account somebody actually patching their system throughout the last year and a half.
0 Votes
2GB of crap
search & destroy 4th Mar 2011
It even puts Apple's patches to shame...
0 Votes
One person won't install
Michael Alan Goff 5th Mar 2011
x86
x64
IA64
0 Votes
What are you rambling about?
search & destroy 5th Mar 2011
You been smoking pot again? wink
0 Votes
The 2GB ISO
Michael Alan Goff 5th Mar 2011
It includes every different version of SP1, for any type of computer. Are you honestly trying to tell me that one person would have to install all versions of SP1 on their computer?
@goff256

Actually, I have installed all versions, 2 on 2008 R2 servers and 2 on Windows 7 workstations. All systems live in a test setup so we can find any issues before we start to worry about updating production environment systems. Though I must admit the Itanium box is not going to be a big worry since the only production Itanium server is retiring around the end of June -- oddly, the Opteron server replacing it is faster and more power efficient so our last non-x86.x64 server is going away.
@rjshortt : Yup lack of education, friends, etc.
@WhatsamattaU : Let me guess Linux? Why do Linux zealots have nothing to do with their lives. They sit in front of their Linux box complaining left and right. Nothing in a Linux blog to complain about? Head over to a Windows or Mac blog and complain more. Maybe you need a life? I guess you lack friends. With Linux accounting for 1% of the global OS share, who knows how bad Linux would be with vulnerabilities if people used it.
I love the banter going back and forth. I love how some of you clowns bash Windows. Yet, in my little daily update newsletter from ZD, three lines down the URL title reads "Apple plugs 57 major security holes in iTunes ". Now there is an option. 57 MAJOR security flaws in one application.
@DaCloud
Yet you bash Apple, double standard.
@DaCloud / The fact that iTunes is crap doesn't exclude all other programs, operating systems, etc. from also being crap. It's not a competition to see whose favorite chunk of code is less crappy. While we're trying to keep score, just how many thousands of security flaws have been uncovered in Windows in its various incarnations over the last fifteen years? Is it really about the score, or the fact that there are some fundamentals about how Windows was put together that might have made sense when it was a toy used at home before the internet that make it so g.d. vulnerable today?
@WhatsamattaU

Are you implying other operating systems don't contain security vulnerabilities? If you really think this is the case, I suggest you visit secunia.com, and search for your favourite operating system.
@DaCloud I downloaded a patch today for my OSx 10.6 machine that was about 675 mb. It was larger than my win 7 SP1 update. Downloaded a patch last Friday for it too.
0 Votes
EVERY system has security issues...
randysmith@... 3rd Mar 2011
I think the point is that unfortunately the trolls and bashers seem to jump in with "Microsoft sucks" or "whatever sucks" - how about "Thanks, Ryan for bringing that to my attention", or at least some other constructive comment. You know, that lack of civility in discourse!
@randysmith@... Dude, how is calling people "trolls and bashers" contributing to the civility of this discourse? Just asking...
0 Votes
I think he left out 'fecking'.
peter_erskine@... 4th Mar 2011
@WhatsamattaU . So he is quite civil. Everything is relative.
@randysmith@...
I agree. Part of the reason I rarely post here is because it always feels like I'm chatting on AOL in the 90s. Every post seems to be filled with some sort of attack, posturing or over-the-top statement of some sort--almost like the drive-by "teenager loose at the computer" attacks I used to see in AOL chatrooms.

Windows vs. Linux vs. Apple. They all suck on some level and are all great on another. Why does there always have to be an OS war? Why does it always feel like they're defending their right to live?

It's also strange that so many people complain about the articles here. It's not like we're paying ZDNet. At least I'm not. It's sort of like complaining that someone gave you a quarter instead of a dollar bill. I mean, you didn't have the quarter in the first place, so, why not accept the quarter graciously?
@mbrogdon
Thanks - the problem (I guess) is that Apple always has been a religion, and not an operating system. As with practically every religion, you have to justify your belief system in the only true church by declaring everybody else a heretic damned into the seventh circle of hell. Now that Apple has recovered from a fringe existence it seems that the other OS users have to follow suit to maintain their own allegiance - and civility (forget about courtesy) goes out the door.
@Paradise Lost
Oh, what a load of asinine horsesh!t. With M$ monopolizing 90% of the desktop market, the only ones on here defending them are shills, fools and idiots. They give ABMers a lot of power (and fun) around here.
@mbrogdon Windows vs. Linux vs. Apple... don't forget CP/M.
30 years and running strong. Maybe because the machine has no network interface, just a good ol' serial port.
@mbrogdon

Trolling and flame wars go back a lot further than AOL. Over the years, the location and participants have changed but the general tone of the discussions has not risen above the level found on the average kindergarten playground.

Just my not so humble opinion that very few people are capable of remaining civilized when they are offered the anonymity found in most online discussions.
0 Votes
You only got the first part right
klumper Updated - 4th Mar 2011
@DNSB
Just my not so humble opinion that very few people are capable of remaining civilized when they are offered the anonymity found in most online discussions.

Trolling and flame wars date back to the old BBS's like FidoNet and early dial-ups like Compuserve, Genie, Delphi, AOL, etc, where console cowboys were charged by the minute or hour once upon a time (so what does that tell you). The wars hit full stride in Usenet and Deja newsgroups when the internet took off, and verses became cheaper to bang out and unload.

It was flat rate Prodigy that basically shot itself in the foot with its high handed board police, censorship there became suffocating, whereas at least Compuserve and most other seminal forums were overseen by more responsible, even handed sysops (for the most part).

Considering we're not all going to see eye to eye, I think there's plenty of civility to be found in most online discussion groups, including ZDNet's. Some things need to be said, and sometimes they're best said bluntly. So what. It's when the talking stops that weapons are drawn. Most censors ought never lose sight of this (same with politicians). Believe it.
Well, to be perfectly honest, many of us actually do hold job exactly because of the crap (or "crap") software being manufactured. So here's to crap software: hip-hip hooray! :^)
0 Votes
@inventif@... it's just how you look at it. It is good that a software manufacturer actually preposts alerts about its software that someone has found a vulnerability to.

Perfect software never exists, only software that slowly gets better with time.
@inventif@...

Reminds me of a tag line I once saw to the effect that you think of viruses as problems while I think of them as job security.
You nerds would probably think clearer with one less device on your belt.
@FastEddie50

Hilarious! I hope you don't mind if I use this line. With due credit of course.
Windows XP has really taken a toll on me in the recent past. Five of our deployed laptops, all of the same ilk, had problems with automatic updates: resulting in BSOD's. HP, the vendor, was kind enough to install Windows 7 as a "fix," but geesh - bloated crapware should probably be patented.
@StevenKing

The worst OS I've had to deal with in terms of upgrade issues is Fedora Linux. In my department, there was a Linux advocate who had insisted a few years back (before my time) on setting up a Linux server, despite the IT department recommending Windows. They let him set it up, but said he'd have to maintain it himself.

This bloke was always banging on about how high his server's uptime was, but one day I logged in and saw it hadn't been updated for ages, and was full of gaping security holes. I asked for root access and tried to pull down the latest updates, only to get an error saying it was too old to download updates. Next I tried to upgrade it to the latest version and got an error saying it was beyond the 2-year support window and that I'd have to clean install (compare this with Windows XP, which is ten years old). I wanted nothing more to do with this thing, so let the IT department clean install: they installed Windows.

The fun wasn't quite over, however, as the bespoke scripts used to back up the data on the server hadn't actually backed everything up. On the Windows side, everything is managed at the domain level by the IT department, so all of that would have been taken care of for us, without the need for a 'guru' to manage the system. Like a typical Linux advocate, however, the bloke who set up this server thought that knowing how to write spaghetti scripts in Bash, Perl and PHP made him a 'guru', and that he knew more than the experienced Windows administrators in the IT department.

I do realise Fedora is a particularly crap version of Linux to use on a server, and that Red Hat or SuSE would have been much better (although if I were using a Unix-like system, I'd use Solaris). Nevertheless, the bespoke scripts full of unreadable spaghetti code (and bugs) are a more general problem I've encountered with Linux servers. It's just too easy for inexperienced users to construct byzantine systems out of fragile spaghetti scripts. Windows at least provides more hand-holding for them, and tends to warn them when they're doing stupid things.
0 Votes
@WilErz ...Sounds like you have a problem with maintenance, upgrades and the Administrator trying to keep his job. It would be a problem with any server setup. They now use www.worldpay.com which is 100% Apache/Linux. There is a very, very big lesson here.

Microsoft almost single-handedly put Lush Cosmetics out of Business. They switched over to Linux and Apache and started using outside, professional consultants.

For the latest information, refer to:
http://www.lush.co.uk/articles/news/security-update---temporary-website_124-10218_10.html

"No bang-for-the buck" is a statement that implies that Windows and Linux are equal in terms of their security quality. Now, we all know that's not true.

It's interesting that Windows gleefully opened the door for major break-ins. For me, over the years, that's just too typical for the bank card and other large scale data thefts including the recent Lush Cosmetics break-in in the UK.

Lush Cosmetics in the UK was hacked for Credit Card information over the Holidays. It was so Extensive that they had to close down their Website. Check out their explanation to customers and their message to the hackers. http://www.lush.co.uk/

Here's the netcraft.com page showing what they are running. Microsoft, as always, is indefensible.

http://toolbar.netcraft.com/site_report?url=http://www.lush.co.uk

Microsoft is all about selling and hype. The tail end is all the malware and hacking left up to the AV people and the critical updates. Microsoft has the marketing prowess to push their glittered up garbage to the masses without addressing continuing security issues. The net effect of this propaganda by omission is to create (ready to buy) zombie users who don't even know or care about security.

Notice how Lush Cosmetics just upgraded their server to Linux and Apache on January 21. Look, they upgraded to Apache/2.2.3 Red Hat on February 12. What does Steve Ballmer have to say about this? It's a typical case, companies eventually can't survive with Microsoft.

Netcraft.com says it all, Microsoft in all its glory ended up in the trash can. Microsoft security isn't part of their ROI, so it's left up to the applications and AV teams. Microsoft will eventually make everybody cry "Uncle".

"WE ARE VERY SORRY TO CONFIRM THAT OUR WEBSITE HAS BEEN THE VICTIM OF HACKERS."

"24 hour security monitoring has shown us that we were still being targeted and there were continuing attempts to re-enter.

We refuse to put our customers at risk of another entry - so have decided to completely retire this version of our website."

"For complete peace of mind, we would like all customers that placed ONLINE orders with us between 4th Oct 2010 and today, 20th Jan 2011, to contact their banks for advice as their card details may have been compromised."

"An Oct to Jan timeframe was decided because we wish it to cover a larger period than we think has been exposed. We hope we are erring very much on the side of caution. We would rather notify more customers than required, than find out in retrospect that we had narrowed it and missed people. Some of our customers have already experienced unauthorised use of their cards, so we still urge all customers in the above period to check statements and talk to their banks for advice".
@ Joe.Smetona

'Sounds like you have a problem with maintenance, upgrades and the Administrator trying to keep his job.'

Yes and no. Fedora is only supported for two years, full stop. After that you've got to clean-install a new version. Our IT administrators, by the way, are very competent, and manage an excellent IT infrastructure based on Windows. The bloke who set up the Linux system wasn't an administrator or even in the IT department at all, but they allowed him to use Linux because he convinced management it was necessary (it wasn't).

The major problem in my example was the user, not the OS (Fedora) and certainly not its kernel (Linux). However, an OS with no support -- not even updates -- after two years is simply a joke. There are good Linux distributions, especially commercially supported ones like Red Hat Enterprise and SUSE, but Fedora most certainly isn't one of them. My overall point isn't that Linux is inherently bad, it's that anyone who thinks Windows is bad for support/upgrades has obviously never had to deal with Fedora.

As for your example, Lush Cosmetics almost certainly suffer from an incompetent IT department, who are using Windows as a scapegoat. Windows is by far the leading server platform in both server unit shipments (over 70 per cent) and server revenue (over 40 per cent). It clearly works for a lot of organisations (including the one I work in). Even in websites, Linux's stronghold, Windows/IIS has a much higher share in SSL websites than in non-SSL (according to Netcraft). Since things like security and reliability are much more important for SSL websites, that says something right there.
0 Votes
Microsoft is awfully close.
Joe.Smetona 4th Mar 2011
They will get to the point where the complications of service packs and critical updates will cause the system to bog down and eventually be unusable on modern hardware. It's called the Vista effect.
0 Votes
"The Vista effect"
Michael Alan Goff 5th Mar 2011
That explains why my mom has Vista on a Dell Inspiron 531 with the only upgrade being in the video card (xfxforce Radeon HD 4550).

2.3 ghz single core
2 GB RAM

And that's why it works rather well.
If one should fall, therl be ten green bottles bottling on the wall. (sung along to "long may she rain".
