Thursday, July 15, 2010

Patch Tuesday Will Fix Flaws in XP, Windows 7, Servers

July's light Patch Tuesday will fix remote-code vulnerabilities in Windows XP, Windows 7, and Windows Server versions. The four bulletins will also patch Microsoft Office, especially a flaw in Outlook. Security researchers are irked by Google engineer Tavis Ormandy, who gave Microsoft just five days to fix the Windows XP vulnerability. Microsoft is preparing for July's Patch Tuesday, which centers on Windows and Office. With only four bulletins -- compared to 10 bulletins with a record-tying 34 vulnerabilities in June -- IT admins can breathe at least a partial sigh of relief.

Still, there's plenty to patch in July, including a vulnerability a Swiss Google engineer made public in June. Google engineer Tavis Ormandy published attack code for a vulnerability in Windows XP's Help and Support Center, which lets users access and download Microsoft help files from the Internet. Support technicians also use the Help and Support Center to launch remote support tools on a PC.

Ormandy has been criticized because he only gave Microsoft five days to fix the problem before going public with details about how hackers could write malicious code to exploit the flaw. Sophos Security Consultant Graham Cluley called it an "irresponsible disclosure." Making matters worse, Microsoft said the flaw also affects Windows Server 2003.

Exploring Windows Flaws

"Keeping IT professionals as busy as the air-conditioning units in New York City this week, Microsoft announced today that next Tuesday they will release four security bulletins to address five separate current vulnerabilities, with three that are rated critical and one of the critically rated bulletins requiring a restart of server-class machines," said Don Leatham, senior director of solutions and strategy at Lumension.

Bulletins 1 and 2 both affect Microsoft Windows -- and they are both rated critical. The vulnerabilities could allow remote code execution, typically the most-feared exploit.

Leatham said Bulletin 2 will have a huge impact because it affects Windows 7 desktop users and Windows 2008 R2 servers, which are Microsoft's most current and widely deployed desktop and server solutions. IT departments with Windows 7 and/or Windows 2008 R2 should be ready to prioritize this bulletin, he warned.

Exploring Office Flaws

Bulletins 3 and 4 affect Microsoft Office. While Bulletin 3 is rated critical, Leatham said IT admins should feel fortunate that its impact will be limited to only those organizations that have built applications and processes using Microsoft Access.

Meanwhile, security researchers are still irate about how Ormandy handled his disclosure. "A responsible security researcher would have been happy working with Microsoft on a successful resolution of the issue, and only shared details once a safe patch had been developed," Cluley said. "Five days isn't a sensible period of time to expect Microsoft to develop a fix which has to be tested thoroughly to ensure it doesn't cause more problems than it intends to correct."
