I want to make a note of this here… Microsoft has announced that XP Home and Media center editions will get extended support on par with that of XP Pro. Essentially this means security updates for these versions of the OS should be available until 2014. Previously support for XP Home was to have ended as soon as December 2006, but was then extended modestly until after the release of Vista. The “Home” oriented products weren’t given the same length of support as the “Professional” or Business class products at that time. This announcement puts the two versions of XP on par with Pro.

If Microsoft patched 101 flaws in one release it would make big headlines – so this deserves some headlines too…. more coverage at incidents.org

The first thing I should mention is that this months update from Microsoft is the last for XP SP1 users should plan a migration path to SP2 to keep getting updates to XP. Multiple vulnerabilities this month have been patched in Office There are 4 advisories, but a total of 15 issues covered by those four. Powerpoint, Excel, Word and Office/Publisher there are a variety of exploits, some public (like the powerpoint) others that were privately reported. Also, Incidents.org gives a nice summary of the advisories and the severity of each (urgency of updating.) The setslice vulnerability is patched in this batch by the way.

Unfortunately, this patch day has already had it’s share of problems Zdnet reports the following….

“Due to technical difficulties experienced on the Microsoft Update platform, security updates released today are not currently available via Microsoft Update, Automatic Updates, Windows Server Update Services or Windows Update v6,”

Which explains why the workstation that I led to windows update this afternoon saw that there were 0 new updates available….

Brian Krebs at the Security fix has a few good points as well… Two of these updates affect Vista. Also, among the Office updates, they are most critical on Office 2000, which is not serviced by automatic updates and so Office 2000 users SHOULD VISIT OFFICE UPDATE…. office.microsoft.com/en-us/officeupdate/

These days the focus of crackers seems to be client applications and the distribution of updates seems to reflect that. (Which makes it all the more important that even Office 2000 users get their updates.)

11 patches will be released by Microsoft on the 10th of October. Bulletin is here, 6 for windows, 4 for Office (at least one in each of those two batches is critical) and 1 .NET (moderate) – yes the Windows updates will likely require a restart. Betanews has a bit more coverage hoping the WebViewFolderIcon ActiveX control vulnerability will get fixed in this batch.

The Security Fix also has coverage on the advance notice. Here’s hoping that the three vulnerabilities Brian mentions are among those fixed.

If you’ve been delaying on updating with the recent Apple Mac OS X updates…. don’t, there are exploits in the wild now for at least one. It’s speculated that this code may have been in the wild before Apple released the security updates.

Apple is fixing 15 security flaws with the 10.4.8 version upgrade of Mac OS X. (There is a second update as well…. Security Update 2006-006). In typical fashion there are a bundle of issues in these updates. Several address remotely exploitable vulnerabilities.

According to Incidents.org 10.4.8 addresses the following….

- connecting to wireless networks using the EAP-FAST protocol
- Apple USB modem reliability
- using OpenType fonts in Microsoft Word
- compatibility with 3rd party USB hubs
- scanner performance
- RAW camera support
- printing documents with Asian language names
- performance of the Translation widget
- broadband network performance

That didn’t sound too bad, but some of the bad issues are lumped in to the 2006-006 security update.

Some of the remotely exploitable vulnerabilities COULD be exploited merely by a user visiting a malicious website that was specially crafted to take advantage of the flaw. Patch away.

The big news this afternoon is that Microsoft HAS gone out of the routine patch cycle to release a security fix for the VML vulnerability that’s been actively exploited in recent days for everything from sneak keylogger installs to massive spyware installs. Sans has a few links, if you de-registered the affected DLL you should consider re-registering the same so that you’ll be able to view/access vml content in the future. Here’s Microsoft’s technet Security Bulletin on the matter. (Visit update.microsoft.com if it’s not automatically downloaded for you.) It should be noted that the RC of IE 7 was not affected by this vulnerability.

A few days ago, I speculated that the way to get this patched by 9/25/06 was if it were discovered that the vulnerability were being used to strip DRM from Microsoft’s Windows Media audio/video files…. I’m glad to see that they did it early without their DRM future at stake….

Also, I should mention if you’ve installed the unofficial patch, uninstall that at this time as well. Brian Krebs at the Security Fix also has coverage on this.

Good job Microsoft, thanks for going “out of cycle” to get this update out there.

Do you remember the big bruhaha a month or so back about the “apple wireless vulnerability” that everybody picked apart because in the video taped demonstration they used a third party card…. EVEN though the demonstrators stated that the same vulnerability existed in Apple’s own driver some on the internet tore one reporter up over stating that because Apple denied being shown exploit code (slight semantic issue there…) Well… those driver vulnerabilities that must have not existed, were fixed today by Apple. Brian Krebs has the story, as well as incidents.org

What’s really interesting is that several remote code execution vulnerabilites are fixed in this update, but no credit is given to the company that presented the vulnerability, so it’s either “bad blood” over the issue or a matter of pride for Apple since they’ve not admitted the demonstrated vulnerability was actually in their driver. In fact…. according to the Security Fix post they (Apple) say…

“Basically, what happened is SecureWorks approached Apple with a potential flaw that they felt would affect the wireless drivers on Macs, but they didn’t supply us with any information to allow us to identify a specific problem. So we initiated our own internal product audit, and in the course of doing so found these flaws.”

–Update 10/1/06–

This is still an ongoing controversy. There definitely appears to be bad blood, it’ll continue to be interesting to follow this one.

This is getting to be like clockwork, but it sounds like this may be one of the nastiest problems so far. It appears that there is a problem with one of the recent patches from Microsoft MS06-49. It looks as though the problem is data corruption for small files (under 4096 bytes.) There’s a google groups thread here. The key factor seems to be that IF the folder is compressed, the data within is subject to this possible corruption.

This appears to just affect Windows 2000 pro and server. It’s been reported to Microsoft, but no official word yet from them. (Maybe they should have claimed that the bug disabled DRM on subscription based media files….)

I didn’t really think of this in context, but George Ou points out that Microsoft issued an “out of cycle” patch for their DRM software in response to the FairUse4WM software that stripped DRM protections from Windows Media Files. It took a mere 3 days from being made aware of the issue to releasing a patch. In context, we have seen numerous instances in the last year of “zero-day” vulnerabilities becoming known just after a monthly patch day, and Microsoft waiting until the next patch day to release a fix. So why the different response?

Some might give Microsoft the benefit of the doubt. Patching a full application is different than just patching DRM schemes, it requires a lot more testing to make sure things work right and don’t break. (I presume with this argument there’s no concern for media files “breaking” in any way with a change to the DRM scheme – of course – we could get into a tangent on “broken” in relation to media files, but we’ll save that for another time….)

I’m not giving them the benefit of the doubt. In fact, I think it’s fairly obvious. There are several very large companies that are paying pretty big for Microsoft’s DRM and are nervous at the thought of broken DRM. I wouldn’t be surprised if, on news of this DRM “workaround” or breakage, they didn’t hear from some VERY upset people with some of the big content distributors “urging” them to fix things as soon as possible. (OR ELSE.)

When it comes to security vulnerabilities in a Microsoft product there isn’t a single entity that can tell them…. “Look – you need to get this fixed now, or we’ll suspend our contract and go elsewhere.” This is ONE of the many reasons that I think we need to really invest time and attention in potential alternatives to Windows (as well as other Microsoft products.) Because the day that there’s a zero day in Microsoft office that prompts Fortune 500 companies to say, “you need to get this fixed or I’m migrating to xxxxoffice suite and not coming back.” we won’t see quite the responsiveness on security issues. One thing on this, moving away from the one time software purchase model may actually be a good thing for this to change because if you’re “subscribing” to the software (or maintenance) you have more leverage to be able to say “fix it or I’m out the door”.

It would be interesting to hear Microsoft’s explanation of how this patch was streamlined so quickly, while most security updates sit on the shelf longer. Oh, and by the way, DRM was slightly broken again within a couple days after the patch. (But not for songs with an expiration date. (subscription services))

Oh, by the way, it is that time again – updates coming Tuesday (September 12). Sans has details – 2 “important” updates for Windows (no critical this time…) and 1 critical for Microsoft Office (hopes are that this fixes the most recent zero-day vulnerability that’s been circulated.) There are other non-security related updates for a total of 9, but it seems relatively low-key. The bulletin from Microsoft can be found here. (Yes reboot will be required for at least one of the updates.)

Brian Krebs of the SecurityFix has the story as well, and notes that this is far fewer than what we’ve seen in recent months on patch Tuesday.