
Archive for Patches

Microsoft To Force Feed Business IE7 Update

From InfoWorld:

Microsoft has warned corporate administrators that it will push a new version of Internet Explorer 7 their way next month, and it has posted guidelines on how to ward off the automatic update if admins want to keep the older IE6 browser on their companies’ machines.

The IE7 upgrade scheduled to roll out via WSUS (Windows Server Update Services) on Feb. 12 was announced last October, when Microsoft said it would no longer require users to prove they owned a legitimate copy of Windows XP before they were allowed to download the newer browser. Microsoft explained that the move was prompted by security concerns.

“Because Microsoft takes its commitment to help protect the entire Windows ecosystem seriously, we’re updating the IE7 installation experience to make it available as broadly as possible to all Windows users,” said Steve Reynolds, an IE program manager, on a Microsoft company blog in early October. “Internet Explorer 7 installation will no longer require Windows Genuine Advantage validation and will be available to all Windows XP users.”

One of the interesting aspects of IE7 is the low adoption rate. On this site, liquidmatrix.org, IE7 accounts for less than a quarter of the traffic. What’s even more telling is that Vista accounts for less than 10% of all users who read the site.

At any rate if you have WSUS in your environment, consider yourselves warned.

Article Link


Apple Security Updates


From Secunia:

Description:
Apple has issued a security update for Mac OS X, which fixes multiple vulnerabilities.

1) A format string error in the URL handler of Address Book can be exploited to execute arbitrary code when a user views a specially crafted web page.

2) An error in the handling of downloaded files in CFNetwork can be exploited via directory traversal attacks to automatically download files to arbitrary folders when a user is enticed to visit a specially crafted web page.

3) An unspecified error exists in ColorSync when processing images with an embedded ColorSync profile, which can be exploited to cause a memory corruption.

Successful exploitation may allow execution of arbitrary code.

4) A race condition exists in the “CFURLWriteDataAndPropertiesToResource” API, which can lead to files being created with insecure permissions.

5) A boundary error exists in the printer driver for CUPS. This can be exploited to cause a buffer overflow and allows an admin user to execute arbitrary code with system privileges by passing a specially crafted URI to the CUPS service.

And the list goes on. For the full listing of the patches for Tiger and Leopard please follow the link below.

Article Link


Microsoft December Patch Tuesday

Microsoft has released this month's patch batch. Get yer fill.

Critical

  1. MS07-064 Vulnerabilities in DirectX Could Allow Remote Code Execution (941568)
  2. MS07-068 Vulnerability in Windows Media File Format Could Allow Remote Code Execution (941569 and 944275)
  3. MS07-069 Cumulative Security Update for Internet Explorer (942615)

Important

  1. MS07-063 Vulnerability in SMBv2 Could Allow Remote Code Execution (942624)
  2. MS07-065 Vulnerability in Message Queuing Could Allow Remote Code Execution (937894)
  3. MS07-066 Vulnerability in Windows Kernel Could Allow Elevation of Privilege (943078)
  4. MS07-067 Vulnerability in Macrovision Driver Could Allow Local Elevation of Privilege (944653)

Um, is anyone else tired of the monthly patch releases from Redmond? Why not simply release them as they are ready? It's like some sick twisted Christmas present that nobody wants.

Article Link


Researchers: Vista SP1 Is A Stinker


Windows Vista has been underwhelming folks since it left the dock. This OS smells like a load of dead fish. OK, a touch much. I had decided to give it a fair shake. I have a computer running Vista in my lab and I have been forcing myself to use it off and on now for months. I just can’t take it anymore. The security approach is nutty. Death by a thousand pop-ups. And, to be honest, I find Linux and Mac OS X far more user friendly.

That being said, the news isn’t any more positive for the SP1.

From PC World New Zealand:

Devil Mountain ran its DMS Clarity Studio framework on a laptop Barth described as a “barn burner” — dual-core processor, dedicated graphics, and either 1GB or 2GB of memory — to compare performance of the SP1 release candidate that Microsoft released last week with the RTM version that hit general distribution last January. The Vista RTM was not updated with any of the bug fixes, patches or performance packs that Microsoft has pushed through Windows Update since the operating system’s debut.

“One gigabyte, 2GB [of memory], it didn’t make a difference,” said Barth. “SP1 was never more than 1% or 2% faster.”

The difference between Vista RTM and SP1 on Devil Mountain’s Microsoft Office-based test script was “statistically insignificant,” Barth said, while a multitasking test panel produced results for SP1 less than 1% faster than RTM.

“Our goal wasn’t to bash Vista,” said Barth. “We’ve been doing this for a while, we know how to do it, and we tried to be as clinical as possible. But SP1 is not going to be a panacea for any performance problems users have with Vista. If you’ve been disappointed with the performance of Windows Vista, you’re not going to be any happier with SP1.”

May not have been the goal. But, it was always a possible outcome. Bad luck that.

Article Link


Windows DNS Cache Poisoning (MS07-062)

Here is a Microsoft security vulnerability that deals with Windows DNS service cache poisoning.

From Microsoft:

Executive Summary

This important security update resolves a privately reported vulnerability. This spoofing vulnerability exists in Windows DNS Servers and could allow an attacker to send specially crafted responses to DNS requests, thereby spoofing or redirecting Internet traffic from legitimate locations.

This is an important security update for all supported editions of Microsoft Windows 2000 Server and Windows Server 2003. For more information, see the subsection, Affected and Non-Affected Software, in this section.

This security update addresses the vulnerability by increasing the randomness of DNS transaction IDs. For more information about the vulnerability, see the Frequently Asked Questions (FAQ) subsection for the specific vulnerability entry under the next section, Vulnerability Information.

Recommendation: Microsoft recommends that customers apply the update at the earliest opportunity.

Article Link
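
The bulletin's fix is to make DNS transaction IDs harder to predict. As an added example (not code from Microsoft or from the original post), the Python below audits a run of query IDs observed leaving a DNS server and flags runs whose step from one ID to the next is predictable. The function name, the 0.2 threshold and all three sample ID lists are constructed for illustration.

```python
import secrets
from collections import Counter

ID_SPACE = 1 << 16  # DNS transaction IDs are 16-bit values


def audit_txids(txids, max_delta_share=0.2):
    """Flag a run of observed query IDs whose successive steps are predictable.

    txids: transaction IDs in the order the server emitted its outbound queries.
    Returns the dominant step (mod 2**16), the share of steps it accounts for,
    the number of distinct IDs, and a 'predictable' verdict.
    max_delta_share is an assumed threshold, not a value from the bulletin.
    """
    if len(txids) < 3:
        raise ValueError("need at least 3 IDs to compare steps")
    if any(not 0 <= t < ID_SPACE for t in txids):
        raise ValueError("transaction IDs must fit in 16 bits")
    # Work modulo 2**16 so a counter wrapping 65535 -> 0 still shows as +1.
    deltas = [(b - a) % ID_SPACE for a, b in zip(txids, txids[1:])]
    step, hits = Counter(deltas).most_common(1)[0]
    share = hits / len(deltas)
    return {
        "dominant_step": step,
        "dominant_share": round(share, 3),
        "distinct_ids": len(set(txids)),
        "predictable": share >= max_delta_share,
    }


# Constructed sample: an incrementing counter that wraps past 65535.
SEQUENTIAL = [(65530 + i) % ID_SPACE for i in range(200)]
# Constructed sample: a counter advancing by 7, with unobserved queries
# interleaved so that every fourth observed step is larger (21).
STRIDED = []
_value = 1000
for _i in range(200):
    _value = (_value + (21 if _i % 4 == 0 else 7)) % ID_SPACE
    STRIDED.append(_value)
# Constructed sample: IDs drawn from the operating system's CSPRNG.
RANDOMIZED = [secrets.randbelow(ID_SPACE) for _ in range(200)]

if __name__ == "__main__":
    for name, sample in (("sequential", SEQUENTIAL), ("strided", STRIDED),
                         ("randomized", RANDOMIZED)):
        print(name, audit_txids(sample))
```

A run that passes this step test is not thereby proven random; the check only catches counter-like generators, so treat a "predictable" verdict as the actionable result.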


Microsoft Now Takes Blame For WSUS Update Error

Microsoft puts hand up, “our bad”. After the story broke about the stealth updates, Microsoft has admitted that they goofed. The problem hit the support forums on Tuesday, but based on earlier analysis, it appears that this problem may have turned up as early as last month.

From Computer World:

On the same day it tried to refute reports that enterprise customers’ PCs were being force-fed the Windows XP desktop search tool, Microsoft Corp. did a turnabout and admitted it had messed up.

Some system administrators, however, were still not convinced that the company is telling a straight story.

Late Thursday night, Bobbie Harder, a program manager on the WSUS (Windows Server Update Services) team, said the update for Windows Desktop Search (WDS) had, in fact, been installed on some machines without administrator approval, and offered an apology.

On Tuesday, Harder said in a post to a company blog, Microsoft revised and released a WDS update package aimed at machines running Windows XP or Windows Server 2003 that did not have the desktop search tool installed. The update was supposed to be optional.

“Unfortunately, in revising this update, the decision to reuse the same update package had unintended consequences to our WSUS customers,” she said. “Many of you who had approved the initial update package for a limited number of machines, had Tuesdays’ WDS revision automatically install on all clients because of the expanded applicability scope and because, by default, WSUS is set to automatically approve update revisions.

“We sincerely regret the inconvenience this has caused and extend a sincere apology to all impacted customers,” Harder said.

Apologies at this point in the game are a hollow sentiment. This is not a new process and it is rather stunning that Microsoft had this problem arise at all.

Article Link


Cisco Issues 5 Security Updates

In my email this morning I noticed that Cisco has released a group of patches.

From Secunia:

  1. Cisco PIX and ASA TLS/MGCP Packet Processing Denial of Service
  2. Cisco Products Unspecified Unauthorized Access Vulnerability
  3. Cisco CallManager Authentication Header Hijacking Security Issue
  4. Cisco FWSM HTTPS/MGCP Packet Processing Denial of Service
  5. Cisco Unified Communications Manager Two Vulnerabilities

Enjoy.


October Patch Tuesday Summary

Here’s the rundown from yesterday’s Patch Tuesday announcement from Microsoft.

Critical

  1. Vulnerability in Kodak Image Viewer Could Allow Remote Code Execution (923810)
  2. Security Update for Outlook Express and Windows Mail (941202)
  3. Cumulative Security Update for Internet Explorer (939653)
  4. Vulnerability in Microsoft Word Could Allow Remote Code Execution (942695)

Important

  1. Vulnerability in RPC Could Allow Denial of Service (933729)
  2. Vulnerability in Windows SharePoint Services 3.0 and Office SharePoint Server 2007 Could Result in Elevation of Privilege Within the SharePoint Site (942017)

Article Link


Confirmation Of Stealth Windows Update

From Adrian Kingsley-Hughes’ blog over on ZDNet:

I can now confirm that the stealth Windows Update that I blogged about yesterday actually exists - because I’ve detected its presence on a machine at the PC Doc HQ.

At the PC Doc HQ we have several systems set not to update. This is so that they are kept at a specific patch level for testing duties. Many of these systems are virtual machines but some are physical. When I heard about this stealth update I decided to take a look at one of these systems that don’t update automatically - and within seconds I found what I was looking for.

Wow, this is truly sucktastic. I have seen apps go completely sideways after some Microsoft patches were applied. Now, factor in this “stealth” update function. Now ponder those systems in your production environment.

Not cool.

For the full posting read on.

Article Link
