Vista hit by Patch Tuesday shrapnel

Summary: A close look at MS07-010 shows that Microsoft Windows Defender in Windows Vista is indeed vulnerable to a "critical" code execution flaw that was flagged by researchers at IBM's ISS X-Force unit.

Reports that Windows Vista emerged unscathed from the Patch Tuesday barrage have been slightly exaggerated.

As Ed Bott correctly noted, this patch does not show up in Vista's automatic update mechanism. That's because the anti-spyware component comes with its own auto-update system that will pull down the patch independently. All the vulnerable products -- OneCare, Antigen, ForeFront and Windows Defender -- will get the patched scan engine automatically.

This is in effect the first remote code execution vulnerability to affect Vista since the operating system hit retail stores and it should not be pooh-poohed. The flaw is an integer overflow that leads to heap corruption when Microsoft's core anti-virus engine scans a dirty PDF file. As proven recently, maliciously rigged PDF files can trigger PC takeover attacks so the potential for real damage here is high.
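The post names the bug class (an integer overflow that leads to heap corruption while the scan engine parses a PDF) without showing what that pattern looks like. The following C snippet is an added example, not code from the article or from Microsoft's engine, and not the actual MS07-010 defect: it shows the classic form of the class, an untrusted 32-bit object count from the file multiplied by a record size that wraps so the heap buffer comes out far too small, beside the checked version that rejects the file before allocating. The 4-byte header layout, `ENTRY_SIZE` and the function names are constructed for illustration.

```c
/* Added illustration of the integer-overflow-to-heap-corruption class, not
 * the real scan-engine code. The "PDF" header format here is constructed. */
#include <stdint.h>
#include <stdlib.h>
#include <stdio.h>

#define ENTRY_SIZE 32u   /* hypothetical size of one parsed object record */

/* Vulnerable pattern: count is read from the untrusted file and the 32-bit
 * product wraps, so malloc() would hand back a tiny buffer that the parser
 * then fills with `count` records, writing far past the end of the heap
 * allocation. Returned here so the wrapped value can be inspected safely. */
size_t alloc_size_unchecked(uint32_t count) {
    uint32_t bytes = count * ENTRY_SIZE;   /* unsigned wrap at 2^32 */
    return (size_t)bytes;
}

/* Hardened pattern: prove the product cannot overflow before computing it.
 * Returns 1 and writes the size on success, 0 when the file must be refused. */
int alloc_size_checked(uint32_t count, size_t *out) {
    if (count > UINT32_MAX / ENTRY_SIZE)
        return 0;                          /* would overflow: reject the file */
    *out = (size_t)count * ENTRY_SIZE;
    return 1;
}

/* Parse the constructed 4-byte little-endian object count at the start of a
 * file buffer and return the table size, or 0 when the header is truncated
 * or the count would overflow. */
size_t table_size_from_header(const uint8_t *buf, size_t len) {
    size_t need;
    if (len < 4)
        return 0;
    uint32_t count = (uint32_t)buf[0] | ((uint32_t)buf[1] << 8)
                   | ((uint32_t)buf[2] << 16) | ((uint32_t)buf[3] << 24);
    if (!alloc_size_checked(count, &need))
        return 0;
    return need;
}

int main(void) {
    /* Constructed headers: a hostile count whose product wraps to 32 bytes,
     * and a sane count of 100 objects. */
    const uint8_t hostile[4] = {0x01, 0x00, 0x00, 0x08};   /* 0x08000001 */
    const uint8_t sane[4]    = {0x64, 0x00, 0x00, 0x00};   /* 100 */
    printf("unchecked size for hostile count: %zu bytes\n",
           alloc_size_unchecked(0x08000001u));                  /* 32 */
    printf("checked size for hostile count: %zu (0 = rejected)\n",
           table_size_from_header(hostile, sizeof hostile));   /* 0 */
    printf("checked size for sane count: %zu\n",
           table_size_from_header(sane, sizeof sane));         /* 3200 */
    return 0;
}
```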

Some other Patch Tuesday leftovers, via an interview I did yesterday with Mark Griesi, program manager in the MSRC (Microsoft Security Response Center):

  • All the under-attack Microsoft Office (Word and Excel) vulnerabilities have been fixed with MS07-014 and MS07-015.
  • The privilege elevation vulnerability confirmed in Windows Vista is still under investigation. It's been 60 days and counting since the release of proof-of-concept exploits for this flaw.
  • Also unpatched is a critical PowerPoint vulnerability that was reported to Microsoft in July 2006, seven months ago. FrSIRT has the skinny.
  • In addition to the Word and Office patches, pay special attention to MS07-016, which covers three serious Internet Explorer bugs. All three flaws can be exploited by simply luring a surfer to a malicious Web page. IE 7 users are at risk too.

Also see Larry Dignan's riff on the problems associated with a strict monthly patch release cycle and the Internet Storm Center's recommendations on prioritizing the February updates.

Topics: Windows, Microsoft, Security

Talkback

22 comments
  • Vista Hit By Patch Tuesday Shrapnel

    This is a non-issue......meh....it's not even worth the effort....
    itanalyst
  • No Surprises

    Well of course Vista has been hit by vulnerabilities. Did anyone seriously believe the "Most secure ever" routine? That's been standard issue PR since Windows 95.

    Now that the AACS content protection system for both HD DVD and Blu-ray DRM has been completely smashed, what hoops will Hollywood make Vista jump through next? Retinal scanning before media player starts? Fingerprinting?

    http://www.theregister.co.uk/2007/02/14/aacs_hack/
    whisperycat
    • Happy Valentines Day.

      May your heart be filled with joy and love of all things DRM. ha ha ha ha ha ha ha ha ha......
      xuniL_z
  • OSX and Linux just got far less secure

    After all, if a vulnerability in an application that runs on an OS is now considered a vulnerability in the OS itself then all Apache and php vulnerabilities can now be categorized as Linux and OSX vulnerabilities. Feel any less secure now that this is true? No? Good, then you know how this Defender revelation makes me feel about Vista. :)
    NonZealot
    • It's nice you feel good

      However, seeing as you have made this quantum leap in logic, albeit a horribly wrong leap, I should point out to you that...

      Apache and PHP run on Windows, including Vista apparently. I guess by your *ahem* "logic" if these flaws are going to be counted against the OS then Windows and Vista just got way less secure. Have a nice day.
      zkiwi
      • Poor zkiwi

        [i]However, seeing as you have made this quantum leap in logic, albeit a horribly wrong leap[/i]

        Since my logic is that application vulnerabilities should [b]not[/b] be counted as OS vulnerabilities and you think my logic is wrong, please tell us all why Apache vulnerabilities should be counted as Linux and OSX vulnerabilities. Thanks!
        NonZealot
        • Yes I'm poor

          Send me all your money.

          That aside, it was you who was "wanting" Apache and PHP flaws to be considered OS flaws. Do you even read what you write?
          zkiwi
    • That depends

      Aren't part of these products "integrated" into Windows? Does the flaw affect that part? If so, then it is not an application vulnerability but an OS one.
      Patrick Jones
    • If you're talking about Linux and OS X servers

      then you'd be on to something. The Linux and OS X desktops, however, do not have these applications, so you cannot consider their vulnerabilities as a part of these systems.

      However, even with the servers, you have to remember that these are optional components. Now I'll admit I'm not familiar with how Defender installs on Vista (I do have a test copy, but I haven't gotten around to testing it yet) but if Defender cannot be uninstalled from Vista then I would consider it a part of the OS proper, and thus a vulnerability of the entire OS. If it can be removed entirely from the system, then it is not an OS vulnerability but an application vulnerability. Put it this way... if all Vista installations must have this update to be secure, then it's an OS problem. Only a fraction of all Linux and OS X installs are affected by Apache and PHP vulnerabilities.
      Michael Kelly
      • Yes but you forget

        That there are other apps that provide gaping holes on Linux and OS X. QuickTime and Firefox are just two examples. Can Linux be considered usable without a browser? Granted it's not part of the OS, but it's a requirement to have a Linux desktop in all reality. So what's the diff really, other than technicalities? Actually Defender does come with Vista but it can be inactivated and you are free to use anti-spyware of your choice, if that helps.
        xuniL_z
        • Firefox is but one possible browser

          There's also Konqueror, Opera, Epiphany, links, lynx, elinks, SeaMonkey, and probably a whole bunch more I could list if I cared to look them up. Heck, I can even use links in graphical mode in a framebuffer if xorg isn't working. So yes, a browser can be considered a requirement for a base system, but there are several options for Linux, all of which can be installed and uninstalled at will.

          Quicktime for OS X (I assume you listed that as a possible OS X weak spot seeing as there is no QT for Linux) is an interesting observation. I never tried to uninstall it from OS X, and I'm not sure it can be done. If this is true, then a QT vulnerability should rightly be considered an OS X vulnerability, just as WMP would be for Windows. Linux of course has several engines to choose from (the most popular being mplayer, xine, and VLC), all of which do basically the same thing, so any security problem with one of them can be resolved by using one of the others.
          Michael Kelly
          • once again, semantics.

            My best understanding is that Defender can be uninstalled on Vista, so that's moot. And there are dozens of good spyware programs to choose from today, so I don't see the point?
            Firefox was used in my post because of its market share. But to say other engines are available, as in the case of Windows spyware programs, is not the same as saying you've removed risk. It's as much a patch as anything and you are now at the mercy of the next (least popular, therefore most likely least attended to) product. It's all spin. Vista is a great OS. There has been this great amount of anti-MS bashing about how long it took them to get an OS out, and the minute they do, and everyone sees the potential, the anti-MS crowd is now asking: why did they have to put out another OS? They are just after money, and other foolish and anti-for-profit statements. Double standards, as I said. The entire Linux crowd hates, hates with a passion, Microsoft and can't tell you often enough how they are "taxing" people for software. Yet these same people will back Apple and Google in the same breath...or IBM. They have given in to corporate sponsorship to make it happen. Mozilla has given in to ad-based revenue and gets millions per year from Google and Yahoo for pushing Google stuff..PROPRIETARY STUFF. I call that a sell-out and double standards. Just an observation, by the way.
            xuniL_z
  • Say what?

    Did he just write a headline news story that explains how Windows Defender updates independently of Windows Update? Is he serious? ZDNet's use of minor incidents, interviews with unknowns or those known to be anti-MS, and turning them into headlines with titles that are far more National Enquirer-esque is really tipping their hand.

    BTW, what about Mozilla and how it treats add-ons as separate from the browser, therefore not a browser flaw? I guess the Linux zealots need to re-think that stance if they are going to apply app issues to an OS. It's the double standard at work again.
    And the biggest project "open source" has going is in reality funded by Google in the tens of millions a year in return for FF advertising and making Google tools prominent and available. Oh, yeah, almost forgot...Mozilla needed engineering assistance from Google to pull off FF 2.0. I guess that makes it a hybrid? Partially open source, but mostly a Google project. Nice. And the side of the organization that builds FF still has non-profit charity tax status while creating a .com side to funnel the Google money through.
    xuniL_z
    • I'll ask you the same question I asked NonZealot

      Can Defender be uninstalled from Vista? That's an honest question, I really don't know. If it can't, then it is a Vista vulnerability.

      All the add-ons you speak of for Firefox are optional. Some are actually applications that use FF API rather than traditional OS API. So if you consider vulnerabilities of one of these add-ons as a Firefox vulnerability, then you have to consider ALL Windows application vulnerabilities as a Windows vulnerability. And of course that is absurd.

      I think a simple rule you can use is the following: If it can be uninstalled, it's an application vulnerability, if it can't, it's an OS vulnerability.
      Michael Kelly
      • You are wrong.

        First of all, I've read where Defender can be uninstalled but users have trouble if they want to reinstall.

        But the point is Defender can be turned off and not used, like with Firefox you don't have to use add-on programs.
        Defender is not analogous to the add-ons themselves, but to the means FF has that allows for the creation of add-ons. Can you turn that off? You can turn Defender off. So unless you can STOP people from being able to install add-ons, Defender is actually less product-bound. Again, since it can be turned off and never used.
        Let me know when FF removes the ability to run add-ons from its product, because it's a security hole even with no programs attached.
        xuniL_z
        • Likewise I can't stop people from installing programs on Windows

          so I guess that means all application problems are Windows problems. (In other words, that's a lame argument. You can't stop add-ins for IE either, and nobody's calling their problems IE problems.)

          Yes, Defender can be turned off. That certainly cuts down the risk by quite a bit. But it can be reactivated, either through carelessness or by maliciousness. So as long as it's still on the system it is a potential problem.

          You know, all we're really arguing is semantics. The problem's been fixed, so right now it really doesn't matter how we label this particular problem as long as there is a mechanism to have the updates applied (which there is). But I do think it is fair to consider an uninstallable application to be a part of an OS. I can't uninstall glibc from my Linux machine, so a glibc vulnerability is a Linux vulnerability even if Linus Torvalds is not involved in glibc development. But one of the reasons why a Linux system has more security potential than Windows is precisely because it is piecemealed together with interchangeable parts. Spyware protection could and should be an interchangeable part, but if it can't be completely uninstalled then you still have to worry about the baggage.

          Also think of it another way. There are other OS components that you may not consider a separate application that are welded into the OS that you can turn off or not use. But their problems are still considered OS problems. I could disable Explorer (not IE, but the shell) in Windows too and still have a working system. But if there were a vulnerability problem with that, would anybody be on these boards trying to argue that it's an application problem and not an OS problem? Don't think so.
          Michael Kelly
          • good point but...

            Installing ANY application triggers a privilege escalation hole with UAC and the OS. The hole isn't in the application it is how Vista handles any install.

            That is a very important difference.
            jjarman
          • You left out another very important difference

            Vista does indeed allow for a privilege escalation but only at the user's discretion.
            xuniL_z
          • And that doesn't bother me at all

            People need to get out of the habit of downloading and installing every program they see on the internet regardless of the source. That's where the problem lies. It's considered a "Windows" problem only because there are so many disreputable programs out there for that platform. No doubt the popularity of the platform is an issue in this case. But you can have the same problem on any other OS, it's just not as common.
            Michael Kelly
          • I agree

            Semantics. That's what I was trying to say in my original post. Why was this headline material when it's patched?
            It's, at best, a back-page news item.
            We've not even begun to see the vulnerabilities of Linux. But gauging by open source's most successful project (commercially in use outside of business) to date, the market share myth seems to be a reality. Mozilla apps are as vulnerable as Microsoft apps. That's all there is to it.
            xuniL_z