Sign in with
Sign up | Sign in

MS Addressing Google-Exposed Flaw Next Week

By - Source: Tom's Hardware US | B 21 comments

Patch Tuesday brings two needed fixes to Windows XP and Windows 7.

Next week Microsoft is slated to address a zero-day vulnerability in Windows XP that was recently discovered by Google engineer Travis Ormandy. As reported earlier, Ormandy went public with his findings after Microsoft would not provide a definite timeline for addressing the issue. Because of Ormandy's actions, more than 10,000 Windows XP PCs were hacked since the CVE-2010-1885 exploit went live. Microsoft said that the company was only given five days notice.

Nevertheless, Microsoft is addressing the issue next week on Patch Tuesday, July 13. The fix--dubbed as Bulletin 1--will be one of four issues Microsoft will address, and one of two critical patches that applies to the Windows platform. The second Windows patch--dubbed as Bulletin 2--will fix a vulnerability in Windows 7 64-bit and Windows Server 2008 R2's canonical display driver. The issue was announced back on May 18, reporting that the vulnerability could allow for remote code execution.

The remaining two patches in next week's update will address issues with Microsoft Office 2002, 2003, and 2007. As seen in the list below, Bulletin 3 will address issues with Access 2003 Service Pack 3, Access 2007 Service Pack 1 and Access 2007 Service Pack 2. Bulletin 4 will focus on Outlook 2002 Service Pack 3, Outlook 2003 Service Pack 3, Outlook 2007 Service Pack 1 and Outlook 2007 Service Pack 2.

Here's the full list:

Bulletin 1

  • Windows XP Service Pack 2 (Critical)
  • Windows XP Service Pack 3 (Critical)
  • Windows XP Professional x64 Edition Service Pack 2 (Critical)
  • Windows Server 2003 Service Pack 2 (Low)
  • Windows Server 2003 x64 Edition Service Pack 2 (Low)
  • Windows Server 2003 with SP2 for Itanium-based Systems (Low)

Bulletin 2

  • Windows 7 for x64-based Systems (Critical)
  • Windows Embedded Standard 7 for x64-based Systems (Critical)
  • Windows Server 2008 R2 for x64-based Systems (Critical)

Bulletin 3

  • Microsoft Office Access 2003 Service Pack 3 (Critical)
  • Microsoft Office Access 2007 Service Pack 1 (Critical)
  • Microsoft Office Access 2007 Service Pack 2 (Critical)

Bulletin 4

  • Microsoft Office Outlook 2002 Service Pack 3 (Important)
  • Microsoft Office Outlook 2003 Service Pack 3 (Important)
  • Microsoft Office Outlook 2007 Service Pack 1 (Important)
  • Microsoft Office Outlook 2007 Service Pack 2 (Important)
Discuss
Display all 21 comments.
This thread is closed for comments
Top Comments
  • 15 Hide
    hellwig , July 9, 2010 9:45 PM
    Teen GeekMicrosoft is quick. How long does Apple takes to issue a security patch?

    There are no security patches because the OS is 100% secure. If your computer is infected, you shouldn't have downloaded that virus/visited that website/inserted that thumbdrive/connected to the internet/plugged in your mac/held it that way.

    Duh.
Other Comments
  • 1 Hide
    Teen Geek , July 9, 2010 9:23 PM
    Microsoft is quick. How long does Apple takes to issue a security patch?
  • 15 Hide
    hellwig , July 9, 2010 9:45 PM
    Teen GeekMicrosoft is quick. How long does Apple takes to issue a security patch?

    There are no security patches because the OS is 100% secure. If your computer is infected, you shouldn't have downloaded that virus/visited that website/inserted that thumbdrive/connected to the internet/plugged in your mac/held it that way.

    Duh.
  • 0 Hide
    hellwig , July 9, 2010 9:49 PM
    On another note, I think it was a pretty dick move to release a exploit because Microsoft didn't tell you when a patch was coming out. I'm guessing they didn't know what the problem was to patch it. I'm not sure how releasing the flaw to the public will help the millions of Windows users who could have been affected. I mean, did he at least include his own security solution, or did he Rush-Limbaugh the job and just complain about how someone else was doing it wrong, and not offering any of his own suggestions?
  • -1 Hide
    dheadley , July 9, 2010 10:08 PM
    I think all the businesses or private windows users who were hacked as a result of this guys action should be able to sue him for any damages they suffered as a result of his actions. If what they are saying is true about the short notice then the guy is just a plain asshole and should be treated in kind. Everyone knows they do "patch Tuesdays" and he should have given them the chance to roll out a patch silently before then making public the problem.

    People that publish these security holes publicly in order to "force" the companies to do something about it are kind of unrealistic. Being a Google employee you would think he knows this as they often have problems with code themselves that takes a much longer time to get straightened out than he gave MS.

    To me it is like someone that finds a problem with the power grid in NYC and causes a blackout to prove their point, then claims that they are not responsible for any looting or crimes or accidents that result from the blackout because they gave the electric utility five days to re-engineer the power stations.
  • 4 Hide
    adipose , July 9, 2010 10:50 PM
    Quote:
    To me it is like someone that finds a problem with the power grid in NYC and causes a blackout to prove their point,


    Bad analogy. A better one would be if he published the information on how to cause the blackout.

    The end result may be the same, but revealing information is quite different from actually being the attacker.

    MS had 5 days to give a timetable for fixing it, but would not do so during that time (I believe he was requesting 30 days). Now that he released it, they fix it in almost no time at all. Sure seems like they could have committed to fixing it in 30 days time.

    Those that find security flaws have to have some kind of assurance by the company that the flaw will be fixed, if they are going to cooperate with them. If the company refuses to give that assurance, then why should the security "analyst" play nice?

    That said, I don't agree with the action. He could have demanded the 30 day timetable, and if he didn't get it, released on day 30. Instead it seems he got mad and released it the same day when MS wouldn't play ball. Even if MS wouldn't commit to 30 days they might very well have met that goal (as they clearly were capable of).
  • 1 Hide
    70camaross396 , July 9, 2010 11:34 PM
    adiposeBad analogy. A better one would be if he published the information on how to cause the blackout.The end result may be the same, but revealing information is quite different from actually being the attacker.MS had 5 days to give a timetable for fixing it, but would not do so during that time (I believe he was requesting 30 days). Now that he released it, they fix it in almost no time at all. Sure seems like they could have committed to fixing it in 30 days time.Those that find security flaws have to have some kind of assurance by the company that the flaw will be fixed, if they are going to cooperate with them. If the company refuses to give that assurance, then why should the security "analyst" play nice?That said, I don't agree with the action. He could have demanded the 30 day timetable, and if he didn't get it, released on day 30. Instead it seems he got mad and released it the same day when MS wouldn't play ball. Even if MS wouldn't commit to 30 days they might very well have met that goal (as they clearly were capable of).


    I have to agree with you. 30 days is plenty of time to fix the problem or if your not able to fix it at least call the guy back and say hey were working on it, give us a few more days.

    To release it after only 5 days makes this guy a asshole. I hate people that qoute comic books but it the old "with great power, come great responcibility" thing. just becuase you can doesnt mean you should. so if this guy is a security researcher at google, then he is a tool.

    I would have simply told microsoft about the exploit, given them thirty days to fix it, then release the exploit. hell if they told me they were working on it and it was going to take 60 days, i would have cut them some slack, after all there are millions of lines of code to check. To release this in to the wild after only 5 days is stupid. I think that if your a "security researcher" then you have an obligation to withold the exploit for at least 30 day. personly i think this guy is a tool and should be held accountable for all of the systems that were hacked because he could not wait 30 days.
  • 1 Hide
    Gin Fushicho , July 10, 2010 12:20 AM
    Oi.... really? Leave XP alone Microsoft, you said you were going to kill XP. Isn't this the opportunity you were waiting for?
  • 1 Hide
    pojih , July 10, 2010 12:25 AM
    Quote:
    Important notice for users of Windows XP with Service Pack 2 (SP2): The support for your product will end July 13, 2010! To ensure that you will receive all important security updates for Windows after that date you need to upgrade to Windows XP with Service Pack 3 (SP3) or later versions such as Windows 7.


    1. http://support.microsoft.com/ph/1173#tab0


    it would appear they have a few days left still
  • -1 Hide
    f-14 , July 10, 2010 4:07 AM
    today is the 9th, why 5 days? microsoft policy concerning windows xp this is why:
    Important notice for users of Windows XP with Service Pack 2 (SP2): The support for your product will end July 13, 2010! To ensure that you will receive all important security updates for Windows after that date you need to upgrade to Windows XP with Service Pack 3 (SP3) or later versions such as Windows 7.

    you guys do know google is keeping track of lots of people machines system specs that use googles products... well maybe google has the scoop that there's just too many people using xp sp2/sp1/1st edition. it seems to me they were trying to be the good guys here and not the a-holy-o's like microsoft wants to be by discontinuing support for an OS that isn't their brand new money maker (and it also has the same security flaw, which will they give their attention to first.) and leave an XP problem until conveintly well after the 13th in a 'richard' move to force people to upgrade to vista or 7 perhaps? that is how marketing works after all.
  • -2 Hide
    tearlach2 , July 10, 2010 4:59 AM
    Despite everyone making absurd analogies, this dude released a security flaw he found in windows. how do any conversations he had with MS show anything? I don't think he should have even bothered contacting MS, screw em for making crap.
    For real though I am surprised anyone is giving this guy a hard time at all. I feel like I'm in Bizzaro World
  • -1 Hide
    Anonymous , July 10, 2010 5:14 AM
    If you read between the lines, it sounds more like M$ was blowing off his concerns and not acknowledging the issue. If M$ simply said "Oh snap! Thank you so much for bringing this to our attention! We'll be fixing this issue as soon as possible!", This article would not exist.
  • 2 Hide
    Kelavarus , July 10, 2010 6:52 AM
    KunziteIf you read between the lines, it sounds more like M$ was blowing off his concerns and not acknowledging the issue. If M$ simply said "Oh snap! Thank you so much for bringing this to our attention! We'll be fixing this issue as soon as possible!", This article would not exist.


    Actually, what I get from reading between the lines is that Microsoft refused to obligate itself to meeting a time line that they weren't 100% sure they could meet, which is perfectly reasonable, then the guy decided be a dick and publicize it because they wouldn't meet his demands.

    I haven't seen anything that says they knew exactly how to fix it right then. Knowing how OS (and coding in general) stuff works, it could've been something that could take an hour, or take months. Fortunately for them, it was much less, but they wouldn't have known that right off the bat. Nor would the guy, for that matter, unless he's sitting in front of XP's source code.
  • 0 Hide
    dEAne , July 10, 2010 7:15 AM
    Its a good thing they address that issue.
  • 1 Hide
    gurthang , July 10, 2010 1:03 PM
    tearlach2Despite everyone making absurd analogies, this dude released a security flaw he found in windows. how do any conversations he had with MS show anything? I don't think he should have even bothered contacting MS, screw em for making crap.For real though I am surprised anyone is giving this guy a hard time at all. I feel like I'm in Bizzaro World


    Perhaps, it is because all systems and applications have bugs and flaws. And sorry but releasing the exploit to a new not seen the in wild vulunerability helps nobody. Using it in one of those hack to own contests sure but releasing it like he did just comes of as self promotion.
  • 1 Hide
    gurthang , July 10, 2010 1:19 PM
    f-14today is the 9th, why 5 days? microsoft policy concerning windows xp this is why:Important notice for users of Windows XP with Service Pack 2 (SP2): The support for your product will end July 13, 2010! To ensure that you will receive all important security updates for Windows after that date you need to upgrade to Windows XP with Service Pack 3 (SP3) or later versions such as Windows 7.you guys do know google is keeping track of lots of people machines system specs that use googles products... well maybe google has the scoop that there's just too many people using xp sp2/sp1/1st edition. it seems to me they were trying to be the good guys here and not the a-holy-o's like microsoft wants to be by discontinuing support for an OS that isn't their brand new money maker (and it also has the same security flaw, which will they give their attention to first.) and leave an XP problem until conveintly well after the 13th in a 'richard' move to force people to upgrade to vista or 7 perhaps? that is how marketing works after all.


    You realize just how old XP is and that SP3 is a free service pack don't you and that the cut-off "date" has been known for some time. At some point all developers need to focus their limited resources on the newer systems. Oh and if you have a contract with MS and the deep pockets to afford it you can get them "help" with older systems too just not for free anymore.

    Hey MS bashing is easy and sometimes fun when Balmer does something stupid. (Windows Moble *cough*) But really in this one case they are not the bad guys.. slow and bureaucratic maybe but neither evil nor bad.
  • 1 Hide
    dertechie , July 10, 2010 7:29 PM
    tearlach2Despite everyone making absurd analogies, this dude released a security flaw he found in windows. how do any conversations he had with MS show anything? I don't think he should have even bothered contacting MS, screw em for making crap.For real though I am surprised anyone is giving this guy a hard time at all. I feel like I'm in Bizzaro World


    There's this little thing called responsible disclosure. You tell the vendor, give them a reasonable amount of time. If they fix it, great, you reveal it when the patch comes out. If not, you reveal to pressure them into making a patch. If the exploit wasn't used before revelation (and this one wasn't), no one gets hurt. If it's already being abused, you of course release it to allow for defensive measures. Dropping the exploit into the wild without giving reasonable time to fix it is irresponsible and hurts both about 10,000 hapless users and Microsoft. If he had been waiting for over a month with no response, I wouldn't have an issue with him releasing. Releasing it 5 days after discovery is, bluntly, a dick move.

    To the guy saying they want to avoid supporting SP2, SP3 has been out for two years now (and gets security patches until something like 2014). Even the most bureaucratic IT department has had plenty of time to make the upgrade
  • 0 Hide
    Bolbi , July 11, 2010 1:41 AM
    Interesting that there are no bulletins affecting Office 2010.
  • 1 Hide
    jsm6746 , July 11, 2010 6:22 PM
    this is like finding out a new way of smuggling a bomb on a plane, letting the plane companies know, then making it public 5 days later. a couple planes blow up and you just set back with a smug 'i told you so'...

    you'd call it irresponsible, except that google is a competitor with microsoft... and of course no one would consider 'google' as irresponsible, as they have data mined so much dirt on everyone that such beliefs would only keep you up at night...
  • 1 Hide
    eddieroolz , July 11, 2010 10:41 PM
    Regardless of comments here, I still think it was a dick move by Google. How are they going to compensate for the accounts that were hacked?
  • 0 Hide
    zak_mckraken , July 12, 2010 1:54 PM
    Thank God, Windows Vista is protected!
Display more comments