Patch Tuesday heads-up: Critical MS Office patches coming
Summary: Microsoft plans to release six security bulletins next week to fix at least 15 serious vulnerabilities that could expose Windows users to malicious hacker attacks.
Microsoft plans to release six security bulletins next Tuesday November 10 to fix at least 15 serious vulnerabilities that could expose Windows users to malicious hacker attacks.
According to Microsoft's advance notice for this month's Patch Tuesday, the updates will address gaping holes in the Windows operating system and the Microsoft Office productivity suite.
Three of the six bulletins will be rated "critical," Microsoft's highest severity rating. The other three will be rated "important."
According to the Redmond, Wash. software maker, the Windows OS vulnerabilities affect Windows 2000, Windows XP, Windows Vista, Windows Server 2003 and Windows Server 2008.
The code execution holes affecting Microsoft Office will apply to Office XP, Office 2003 and the 2007 Office System.
The bulletins will also include patches for serious holes in the Microsoft Excel spreadsheet program.
Microsoft Office for Mac is also affected.

Talkback
Office for Mac also affected...
Oh, that's right, faulty Microsoft software on OS X must be Apple's fault. Forgot that.
Marketing
ridiculing Apple's OS X abysmal security. Apple has built a marketing campaign on ridiculing Windows security. That is the difference, see?
When Apple chooses to do so and at the same time is the vendor of a Windows product with numerous and very severe security bugs, they open themselves up to criticism.
Everybody knows that building totally invulnerable software is nigh impossible, at least if it has to be affordable and available to the market before the sun burns out. That is why Microsoft doesn't beat the security drums.
When Apple does so and at the same time contributes to the instability and insecurity of the platform they attack, it is bordering on recklessness.
OS X vulnerabilities still outnumber Windows vulnerabilities 3 to 1. Despite clever and smug marketing, OS X is still much more vulnerable than Windows.
microsoft propaganda detected
this is a piece of not-so-well-hidden microsoft propaganda
Specifics, please
from BSD, what exactly is that?
Or is that just propaganda?
OS X has more vulnerabilities, more risk days, is patched slower and has fewer and less efficient anti-exploit mechanisms.
<u>OS X has more (<b>the most</b>) vulnerabilities.</u>
http://www-935.ibm.com/services/us/iss/xforce/trendreports/xforce-2008-annual-report.pdf
Read <i>most vulnerable operating systems</i>.
That's right. OS X has 3 times more vulnerabilities compared to Vista. Ugh.
The raw vulnerabilities:
http://secunia.com/advisories/product/96/
http://secunia.com/advisories/product/13223/
Apple OSX vulnerabilities: 1038
MS Vista vulnerabilities: 140
MS Windows XP vulnerabilities: 289.
<u>OS X has fewer and less efficient anti-exploit mechanisms</u>
Apple's Mac OS 'lagging behind Vista on security':
http://software.silicon.com/malware/0,3800003100,39501473,00.htm
(Charlie Miller should know, he's the one who keeps taking down Macs at Pwn2Own - and he is a Mac user himself!)
What's Missing and What's New in Snow Leopard Security Enhancements:
http://blog.intego.com/2009/08/31/whats-missing-and-whats-new-in-snow-leopard-security-enhancements/
<u>More risk days</u>
Apple again, again and again delays patches while vulnerability information is in the open and Mac users are exposed with no mitigation.
http://arstechnica.com/apple/news/2009/06/apple-finally-issues-patch-for-critical-java-vulnerability.ars
Apple let that particular Java vuln sit for 6 months while all other platforms had been patched and vulnerability information was in the open.
Because of the way Apple assembles OS X from many open source components, Apple is notoriously late to patch when those components are patched elsewhere. That goes for example for libxml. At any one time you can find good, exploitable vulnerabilities simply by comparing version numbers of OS X libraries with those at the source.
The propaganda is entirely coming from Apple. And you fell for it! They have successfully made an army of fanbois believe a blatant lie.
blah blah...nothing but microsoft propaganda lies
and you are using so-called "relevant" statistics, nothing but lies, dirty lies.
microsoft is paying and has paid for many research reports that will prove this and that, but how many viruses are there for windows and for OS X?
you cannot hide truth with statistics.
by the way, I'm not buying into Apple lies, I don't prefer Apple but linux/BSD
Wow, those are some really mature arguments
Nice to meet someone who is not afraid of re-evaluating their opinion when faced with inconvenient facts.
Thanks.
I can't blame him
ljenux: "I object!"
ljenux: "Because it's devastating to my case!"
Really honeymonster... How dare you infect this hallowed ground with your facts and statistics. I mean, presenting a logical argument that accurately debunks the premise of the opposing argument, what's with that?
Another deflection away from Patch Tuesday
Indefensible?
Vulnerabilities should be patched. Microsoft products have vulnerabilities. Once a month Microsoft releases patches for these vulnerabilities.
To be honest I'm struggling to see where "defending the indefensible" applies here. I know you're a troll, but I enjoy pointing out the nonsense regardless.
Yes, indefensible
Only when honeymonster does his usual insecurity mode deflection does Linux come up.
But then, none of these Patch Tuesday bona fide exploits affect Linux, now do they...
Hmmmm? ;)
So you're arguing that Windows is indefensible...
That's loopy.
"Defend the indefensible. Tell us how wrong Ryan Naraine's story really is."
The implication here is, if Ryan's story is accurate, Microsoft is at fault and therefore the MS-apologists would need to defend it. The problem is that Ryan's story is accurate, and guess what? There's no reason to defend Microsoft. They are taking the appropriate action to maintain the integrity of the product.
I'm not defending MS. I'm pointing out the stupidity of the comments being made here. How could I defend MS, when there is yet to be a valid criticism leveled at it in this thread?
If you don't like Windows, that's cool. I totally get it. Each to their own. But if you're going to openly criticise MS and its products you should try to have some knowledge of the subject matter, and actually come up with an argument based on accurate information.
@Mew-shew
indefensible because honeymonster mentioned linux."</i>
The irony is... I did not mention Linux. I have been going over my posts and looked for it, but I didn't mention Linux. Apple and BSD, yes - since that was the post I was originally responding to. But not Linux.
Nope, you're missing my point
If that's truly the case, then why bring up red herrings like Linux, Apple or BSD in the first place? Looks like you all were out the front gate from the beginning.
Given honeymonster's track record here, you can substitute Apple for Linux or vice versa for BSD. They all mean the same to him. One big pile of FUD to spread.
[i]I'm not defending MS. I'm pointing out the stupidity of the comments being made here. How could I defend MS, when there is yet to be a valid criticism leveled at it in this thread?[/i]
Yeah, three of those patches are corrections from October's Patch Tuesday:
[i]"Andrew Clarke, senior VP at patching specialist Lumension, reckons three of the updates due out of Tuesday may also be aimed at tackling glitches with the October patch batch.
"Microsoft is delivering three critical patches and three important patches, none of which impact Windows 7," Clarke said. "Three of the November patches, however, appear to be updates to or re-releases of patches that were issued last month including Live Communications Server 2005 and Office Communications Server 2007, as well as scenarios involving the usage of Windows Server Update Services or running Microsoft Office Access Runtime 2003."[/i]
http://www.theregister.co.uk/2009/11/06/ms_nov_patch_tuesday/
In other words, they screwed it up the first time.
Maybe they'll get it right this time, huh... lol... :D
This is hilarious
This "But you mentioned Linux, Apple or BSD" line seems to be a one-size-fits-all response to any argument in your world. It's pretty funny really, because it consistently fails to engage the actual subject matter that is the source of the discussion.
You might as well be saying "I don't understand, but I disagree anyway."
Your conclusions are faulty
establish the criteria to be used to define "secure", then set about measuring it.
The Secunia reports that you cite state:
"[i]PLEASE NOTE: The statistics provided should NOT be used to compare the overall security of products against one another. It is IMPORTANT to understand what the below comments mean when using the statistics, especially when using the statistics to compare the vulnerability aspects of different products.[/i]"
In other words, the statistics should not be used for simplistic comparisons of product security.
Your "analysis" of the IBM paper you cite is similarly flawed: the data on vulnerabilities is based on [b]disclosed[/b] vulnerabilities (page 40). So the higher number of disclosed Mac OS X vulnerabilities could be the result of greater diligence at finding them, or more honesty in reporting them, or including a wider range of components in the OS, or a number of other reasons.
Some of the vulnerabilities are extremely obscure (e.g. one was in the font utility for X11; I would guess that less than 0.1% of OS X installs are actually running X11), so a component of the overall measure should include the possibility that a typical user (say one with default settings from a standard install) might be compromised.
The fact that the Java vulnerability was unfixed for 6 months is certainly not good, but does not necessarily reflect on the overall security of the OS - that depends on the criteria for "secure". There was no known exploit and there was a very simple preventative measure to take in the meantime (turn off Java support in your browser).
You might decide to measure security based on actual exploits in the wild, or number of machines actually compromised over a certain period. Not sure OS X would come out worst if either of those were the primary criterion for "secure".
Nope
"crunched" data by a respectable company (IBM) in a report which MS <i>did not pay for</i> shows the same tendencies as the raw data.
Your <b>disclosed</b> remark is ridiculous. Of course the report is based on disclosed vulnerabilities, otherwise they would not be known to anyone. Are you somehow suggesting that Microsoft keeps vulnerabilities secret?
Microsoft has a policy of disclosing *all* patched vulns. They are not doing so for the benefit of statistics but (like this bulletin) to empower sys admins to make informed decisions. They want to know exactly what would be the consequence of *not* allowing a patch. Yes, some sys admins will value system stability (fewer patches) over security if the security implications do not concern them.
If there is any under-counting going on it is with Linux and OS X.
In the case of Linux, Linus Torvalds himself has stated pretty clearly that he doesn't report security bugs. He just fixes them.
In the case of Apple you can go through their bulletins and watch just how many "vulnerabilities" are actually "multiple vulnerabilities" in a 3rd party library. Counted as 1 OS X vuln.
If OS X vulnerabilities suddenly shot up you could claim that it was a concerted effort in rooting them out. <b>But it has been like this for the last 3 years at least</b>. 3 years of concerted effort, all while releasing 2 versions of OS X? BS.
And the systemic problem remains: often 3rd party libraries are patched and Apple needs to start working them into OS X. Until Apple is ready with a patch, their customers are left hanging out there with known and disclosed vulnerabilities.
And you cannot find a <b>single</b> security analyst/researcher who will claim that OSX has better anti-exploit mechanisms and better security. In fact, they unanimously point to Microsoft SDL and the better security in Windows.
Are you trotting out that IBM FUD report again, @honeymonster?
lol.... :D
That "FUD" report
publications in the security industry. From a company who does NOT sell Windows security software, unlike "reports" from Sophos et al.
But even so I made sure to mention the data source. I provided links so that you wouldn't have to go search. The data clearly show the same tendencies as IBM reported.
It may not coincide with your preconceived conclusions, but that alone does not make it FUD.
No no no
"Windows is not as secure as OSX because there are more viruses written to attack Windows"
Seems fine? Apply the same logic to a different premise...
"The US Military Defence is not as robust as that of New Zealand, because there are more nations who might try to attack the U.S.A."
Pretty ridiculous logic, isn't it?