Patch Tuesday heads-up: 8 bulletins, 5 critical


Microsoft plans to ship 8 security bulletins next Tuesday (April 14, 2009) to fix remote code execution and denial of service vulnerabilities affecting Windows, Office and Internet Explorer.

According to the company's Patch Tuesday advance notice, five of the bulletins will be rated "critical," meaning they can be exploited by hackers to take complete control of Windows machines.

[ SEE: Microsoft issues Safari-to-IE blended threat warning ]

I've been given a heads-up that one of the Internet Explorer vulnerabilities being fixed is the musty old Safari-to-IE carpet bombing blended threat that combined flaws in two browsers into a code execution attack.

The IE flaw was originally discovered and reported by Aviv Raff back in November 2006 (more than two years ago!) but was ignored by Microsoft until the Safari carpet-bombing bug emerged to show how a combo-attack could lead to complete PC takeover.

[ SEE: Why Apple must fix Safari 'carpet bombing' flaw immediately ]

I'm told Microsoft will actually issue two separate bulletins on this issue -- one with a patch that changes several calls to LoadLibrary and SearchPath in Internet Explorer to stop the browser from attempting to load libraries directly from the desktop.

Microsoft will also push out additional defense-in-depth protections and a new API to further limit the damage from hacker attacks, but because of application compatibility issues, the protections will NOT be enabled by default.
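The search-order change described above, as a simplified model added here (not Microsoft's code or the real Windows loader): a library name given without a path is resolved against an ordered list of directories, and the desktop, doubling as IE's current directory, sat in that list ahead of the system directory. The paths, the helper.dll name and the single taint flag are constructed, and the real search rules have more entries than this.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class FileInfo:
    # Windows marks files downloaded from the Internet with zone metadata;
    # that mark is modelled here as a single flag (constructed).
    tainted_from_internet: bool


# Constructed paths for the model; the desktop doubles as IE's current
# directory, which is how the desktop entered the library search path.
APP_DIR = r"C:\Program Files\Internet Explorer"
SYSTEM32 = r"C:\Windows\System32"
DESKTOP = r"C:\Users\alice\Desktop"
REAL_DLL = SYSTEM32 + r"\helper.dll"     # the library IE actually wants
DROPPED_DLL = DESKTOP + r"\helper.dll"   # same name, written to the desktop


def search_order(cwd: str, safe: bool) -> List[str]:
    """Directories tried, in order, for a library name given without a path.

    Legacy order puts the current directory ahead of the system directory.
    The patched order drops the current directory, which is what changing
    the LoadLibrary/SearchPath calls in IE amounts to in this model.
    """
    return [APP_DIR, SYSTEM32] if safe else [APP_DIR, cwd, SYSTEM32]


def resolve_library(name: str, order: List[str],
                    fs: Dict[str, FileInfo]) -> Optional[str]:
    """Return the first candidate that exists and is not Internet-tainted.

    The taint check is the protection IE relied on; it only helps when the
    application that wrote the file actually applied the mark.
    """
    for directory in order:
        candidate = directory + "\\" + name
        info = fs.get(candidate)
        if info is not None and not info.tainted_from_internet:
            return candidate
    return None


def blended_threat_outcomes() -> Dict[str, Optional[str]]:
    """Resolve helper.dll under the four combinations of loader and taint."""
    untainted_drop = {REAL_DLL: FileInfo(False), DROPPED_DLL: FileInfo(False)}
    tainted_drop = {REAL_DLL: FileInfo(False), DROPPED_DLL: FileInfo(True)}
    legacy, patched = search_order(DESKTOP, False), search_order(DESKTOP, True)
    return {
        "legacy loader, untainted drop": resolve_library("helper.dll", legacy, untainted_drop),
        "legacy loader, tainted drop": resolve_library("helper.dll", legacy, tainted_drop),
        "patched loader, untainted drop": resolve_library("helper.dll", patched, untainted_drop),
        "patched loader, tainted drop": resolve_library("helper.dll", patched, tainted_drop),
    }
```

Only the first combination (old search order plus a file the downloader failed to mark) resolves to the desktop copy, which is exactly the pairing the blended threat needed.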

In addition to the high-priority IE bulletin, next Tuesday's patch batch will include five different Windows bulletins (four rated critical), a solitary Microsoft Excel update (critical), and an ISA denial-of-service issue that Microsoft rates as "important."


Talkback

35 comments
  • Patch Tuesday

    Good ol' patch Tuesday. We definitely need a
    Google Operating system.
    http://googlescloud.blogspot.com
    Shuelin
    • Yeah, based on Linux

      so that we'd have to put up with more than 2 or
      even 3 times the vulnerabilities:

      http://www-935.ibm.com/services/us/iss/xforce/trendreports/xforce-2008-annual-report.pdf

      Windows is the mainstream operating system
      which needs the fewest patches.

      So how is a Linux based Google OS going to beat
      that?
      honeymonster
      • RE: Yeah, based on Linux

        You can selectively install minimal and maximal installations based upon packages you want/need in Linux.

        If I could install Windows like that, I would install without Internet Explorer which links your entire File System to the Internet through .dll's. Find me a Linux browser that hooks code through the Linux kernel!

        The number of Linux updates should not be numerically comparative to Windows updates because:
        A) Your system may not have all the packages installed that require such updates
        B) Many of the updates are bug fixes or related to local user security, which is in many cases moot on a Linux server.
        gparsons
        • A little education...

          <i>If I could install Windows like that, I
          would install without Internet Explorer which
          links your entire File System to the Internet
          through .dll's. Find me a Linux browser that
          hooks code through the Linux kernel!</i>

          Do you have any idea what you are talking
          about? Something residing in a .dll does not
          automatically make it part of the kernel.

          DLLs are sharable libraries of code. Just that!
          They can be loaded by a process, but they don't
          magically open some portal through to the
          kernel. Your comment illustrates how clueless
          you are on this topic.

          And IE like all other apps uses DLLs. Some of
          the shared code is a HTML renderer. A browser
          uses a HTML renderer. Some other components of
          Windows <i>also</i> uses a HTML renderer. So,
          they share the code. <b>This does not mean that
          somehow the execution path can jump from
          Internet Explorer to the kernel</b>. Get a grip
          will you? Modularization is known in the *Nix
          world as well, and it's the same concept.

          So, IE does not "hook code through the kernel".
          It uses shared libraries just like FF uses
          shared libraries. Where on earth did you get
          that idea? Are you just spewing out myths you
          read somewhere on a Linux forum?

          <i>The number of Linux updates should not be
          numerically comparative to Windows updates
          because:
          A) Your system may not have all the packages
          installed that require such updates
          </i>

          Oh no. Read the IBM X-Force report. I provided
          the link above. They compared vulnerabilities
          in Windows, Linux <i><b>kernel</b></i>, OS X
          and a host of other operating systems. No
          distro, no packages; just the raw operating
          system. Result: Linux <b>kernel</b> contains 2x
          the number of vulns of Vista. Apple OSX even
          worse: 3x the vulnerabilities and presiding
          swiss cheese OS.

          <i>B) Many of the updates are bug fixes or
          related to local user security, which is in
          many cases moot on a Linux server.</i>

          Oh yeah? Do you have any data or are you just
          making this up? Yeah, I thought so.

          Anyway, "local" vulnerabilities are just one
          minor remote vulnerability away from pwning
          your box. Combined with a flaw in a browser
          (and FF has plenty with practically no
          mitigation from Linux), a "locally exploitable"
          or privilege escalation bug is suddenly the
          hole which is exploited by an attacker.

          BTW, the IBM report already filtered away the
          "minor" vulnerabilities and only counted the
          "moderately critical" and above. It's solid
          research by an independent and highly reputable
          company (IBM). You just have to suck it up.

          I agree that you should be able to uninstall
          IE. At least so that it is not in any way
          active any more. I hear that that's finally
          coming in Windows 7.
          honeymonster
      • 2 or even 3 times the vulnerabilities:

        Microsoft FINALLY patching a 3 year old problem? At least the Linux community is responsive to problems and has patches much faster than Microsoft! One can't simply go by the numbers, unless you're brainwashed by the Redmond people. Try thinking for yourself and looking behind the FUD.
        1djk1
        • Rounding up, are we?

          Even though it's not 3 years as you claim it is
          still way too long to have a problem linger.

          It was presumably ignored because it was
          initially assumed to be minor. The issue was
          that explorer would "trust" files on the
          desktop which were marked as "local" - i.e. not
          received from the Internet. Windows has this
          feature where it uses metadata to "taint" files
          received from the Internet. However, the Apple
          Safari "carpet bombing attack" allowed any
          website to 1) download files to your computer
          <i>without</i> your consent, 2) by default
          downloaded the files to <i>the desktop</i> and
          finally 3) did <b>not</b> taint the files as
          having been received from the Internet. Go
          figure.

          That problem was indeed a path to place
          executable, untainted content on the desktop.
          So, the "minor" IE flaw suddenly became serious
          because it could be used in a blended attack
          when the attacker could combine Safari and IE.
          That Apple sneaked in their Safari on Windows
          through despicable social engineering tricks
          only made matters worse. (The tricks involved
          new software masquerading as "updates", sneaky
          defaults and deliberately intricate "ignore"
          procedures).

          There's no way to apologize taking almost 2?
          years to patch a vulnerability which can have
          critical consequences. While it initially may
          have looked like it would be hard to exploit
          without first pwning the box anyway, the
          history showed that the software ecosystem is
          much too complicated to assume any such thing.

          Regardless, I'm sure that wrong severities will
          be assigned to bugs again. Both in *nix land
          and in Windows.

          honeymonster
          • Will you stop with the FUD

            [i]http://www-935.ibm.com/services/us/iss/xforce/trendreports/xforce-2008-annual-report.pdf[/i]

            You keep bringing out this tired, useless report that doesn't mean squat. Out of 106 pages, I only see it mentioned once on pg.44

            No footnotes to substantiate it. No related documentation to back up your FUD claim.

            However, pg. 43 has a list of new Active-X vulnerabilities and we know Linux doesn't use Active-X. Guess which OS uses Active-X.

            Try again, pal... Otherwise quit spinning your wheels.
            hasta la Vista, bah-bie
          • Plus, the list is based on *disclosed* vulns

            Underneath the fabled table of doom it says "Operating systems with the most vulnerability [u]disclosures[/u]." A product whose code is available for anyone with the time and the inclination to look at it will probably have more vulnerabilities discovered than a program whose code is locked away in a vault right between the Ark of the Covenant and the Colonel's secret supply of 11 herbs and spices.

            As much as some might want to spin this as a negative, this works to the advantage of open source. Knowing that a vulnerability exists enables the developers to do something about it. As a development model, open source perhaps has its roots in the words of Louis Brandeis: "Sunlight is the best disinfectant."
            Third of Five
  • To the blind with screen readers, this image contains a table.

    This table has 9 rows and 2 columns.
    Heading Row 1
    Heading Column 1: Bulletin ID
    Heading Column 2: Maximum Severity Rating and Vulnerability Impact
    Row 2
    Column 1: Windows 1
    Column 2: Critical - Remote Code Execution
    Row 3
    Column 1: Windows 2
    Column 2: Critical - Remote Code Execution
    Row 4
    Column 1: Windows 3
    Column 2: Critical - Remote Code Execution
    Row 5
    Column 1: IE
    Column 2: Critical - Remote Code Execution
    Row 6
    Column 1: Excel
    Column 2: Critical - Remote Code Execution
    Row 7
    Column 1: Windows 4
    Column 2: Important - Elevation of Privilege
    Row 8
    Column 1: ISA
    Column 2: Important - Denial of Service
    Row 9
    Column 1: Windows 5
    Column 2: Moderate - Elevation of Privilege

    Note that the words marked "Moderate," "Important," and "Critical" look like they are links to another website -- probably Microsoft's but I'm not sure.

    I hope this can be very useful for blind users who surf for news and blogs using their screen reader. Also note that this Talkback system does not support embedding a URL within a text (by creating a hyperlink). If you see this: [url=http://www.zdnet.com]ZDNet[/url], that means this Talkback does not parse the URL tag.

    To those who've never heard of a screen reader, a screen reader doesn't read text within an image; thus, making it very difficult for those who cannot see images in the website. About the link I've mentioned in the previous paragraph, I could leave a string of text like http://www.zdnet.com, while this is okay, if there's a very long string of text (even for a TinyURL), this can be quite meaningless for those who quickly tab between links. But that's unless a blind user knows how to use flat-review cursors in their number pads (7, 8, and 9 for reading a line; 4, 5, and 6 for reading a word, and 1, 2, and 3 for reading a letter within a word), including up and down arrow keys just to navigate through series of text.

    OH, and I have a question! What is that "Windows 1," "Windows 2," "Windows 3," "Windows 4," and "Windows 5" in the table (as an addition to the image)?

    ----------------------------------------------------

    If anyone is interested in how I navigate through a website using a screen reader, I have posted a video on YouTube. Here's the link:

    http://www.youtube.com/watch?v=x081s6wTsbE

    While I've captured the video under Windows Vista, Ubuntu 8.10 is running in my virtual machine and it's running as a guest under VirtualBox. Orca is my screen reader of choice for Ubuntu and I enjoyed it a lot. I didn't include my voice for narration (I didn't explain what I am doing in the video), but I thought anyone might be interested in my video. Have fun!

    Sorry Ryan for going too far off-topic, but I just had to type what's in the image and provide reasons why I did this. :)
    Grayson Peddie
  • Honestly...

    ...I just don't understand why ANYONE would put up with this cr@p...I DO understand that Windows is the gamers' only choice. But, if you work at home or in an office (both of which I do) where there are Macs, you're not gaming. At least I HOPE you're not. So tell me again WHY you would put yourself through Tuesday Hell over and over again? Look, I don't know enough about Windows to understand why Patch Tuesday has to happen at all. Again, if you're using a computer for work, and said computer runs MS-Office, why in the world do you have to do this EVERY Tuesday???

    It just seems this OS keeps on going for gamers. Is that enough to put up with Patch Tuesday (not to mention all the viruses, trojans, and worms)? Yes I know that no OS is invulnerable but this kind of sounds like trying to keep patching a leaky balloon with Elmer's Glue!

    I guess if I were Microsoft, I would just trash every OS I've created up to now and hire a bunch of smart, savvy, programmers to do a completely NEW operating system without trying to build on something that is so obviously flawed.

    OMHO.
    QueenMama
    • It isn't every Tuesday.

      It is a Tuesday once a month.

      [i]Yes I know that no OS is invulnerable but this kind of sounds like trying to keep patching a leaky balloon with Elmer's Glue![/i]

      Name a modern OS that doesn't require patching.
      Erroneous
      • Well there's patching...

        ...for bugs and there's patching for vulnerabilities. Try to distinguish between the two.
        hasta la Vista, bah-bie
        • If you think...

          it really makes a difference in the question asked then there is something wrong with your thought processes.
          Erroneous
          • I think the fact...

            ...that you confuse the two means that there is something wrong with your thought processes.
            hasta la Vista, bah-bie
        • RE: Well there's patching...

          I just got a patch this morning on this machine which is running SUSE 11.1. It had a Vulnerability.
          dougbeer
          • For what? (nt)

            --
            hasta la Vista, bah-bie
        • Secunia

          Try going to secunia and search for
          vulnerabilities - both patched and unpatched.

          http://secunia.com/advisories/product/10611/

          Ubuntu since 6.06 (Vista timeframe) clocks in
          at <b>1124</b> publicly disclosed
          vulnerabilities.

          All of these are security issues.
          honeymonster
          • These are the security issues

            https://help.ubuntu.com/community/Linuxvirus

            Now unless Ubuntu is lying to its users and there are large-scale exploits out there that no one is aware of, or people aren't talking about, then honeymonster should do his duty and let them all know about this.

            They're right here...

            http://www.ubuntu.com/community

            They are awaiting your enlightenment, honeymonster. Please advise them.

            ;)
            hasta la Vista, bah-bie
          • And by the way...

            At your same website, Micro$haft currently has 569 pieces of software monitored by Secunia, each containing hundreds of vulnerabilities leading into the thousands.

            http://secunia.com/advisories/vendor/1/

            Care to count? Over 10,000 yet?

            ;)
            hasta la Vista, bah-bie
          • 1124 vulnerabilities

            Including those for Firefox, Thunderbird, Open Office and every third party app in the Ubuntu universe repositories, including third party apps.

            Not a fair comparison unless you want to count all the vulnerabilities for Vista, IE, MS Office, .NET, SQL, antivirus suites and so on.

            "Try going to secunia and search for
            vulnerabilities - both patched and unpatched."
            Patched- 1124
            Unpatched- 0

            The problem I have with MS' security practices is that all too often, they don't disclose vulnerabilities and issue patches only when the exploits are already out in the wild. This is in sharp contrast to the folks at Canonical, where every vulnerability is reported and published, and nearly all are patched (vulnerabilities rated not critical may be left unpatched). So just going by the number of published vulnerabilities is misleading. Vista still has 5 unpatched vulnerabilities, the oldest reported in Feb 2007.

            Compare how severe the vulnerabilities were, how long it took to patch them, and how many of them were exploited in the wild and what impact that had in the real world.
            That in my opinion is a better metric to measure how secure an OS (or other software) is.
            balaknair