MS Addressing Google-Exposed Flaw Next Week
Patch Tuesday brings two needed fixes to Windows XP and Windows 7.
Next week Microsoft is slated to address a zero-day vulnerability in Windows XP that was recently discovered by Google engineer Tavis Ormandy. As reported earlier, Ormandy went public with his findings after Microsoft would not provide a definite timeline for addressing the issue. Since the CVE-2010-1885 exploit went live, more than 10,000 Windows XP PCs have been hacked as a result of Ormandy's disclosure. Microsoft said that the company was given only five days' notice.
Nevertheless, Microsoft is addressing the issue next week on Patch Tuesday, July 13. The fix, dubbed Bulletin 1, will be one of four issues Microsoft will address, and one of two critical patches that apply to the Windows platform. The second Windows patch, dubbed Bulletin 2, will fix a vulnerability in the canonical display driver of Windows 7 64-bit and Windows Server 2008 R2. Microsoft first announced that issue back on May 18, noting that the vulnerability could allow remote code execution.
The remaining two patches in next week's update will address issues with Microsoft Office 2002, 2003, and 2007. As seen in the list below, Bulletin 3 will address issues with Access 2003 Service Pack 3, Access 2007 Service Pack 1 and Access 2007 Service Pack 2. Bulletin 4 will focus on Outlook 2002 Service Pack 3, Outlook 2003 Service Pack 3, Outlook 2007 Service Pack 1 and Outlook 2007 Service Pack 2.
Here's the full list:
Bulletin 1
- Windows XP Service Pack 2 (Critical)
- Windows XP Service Pack 3 (Critical)
- Windows XP Professional x64 Edition Service Pack 2 (Critical)
- Windows Server 2003 Service Pack 2 (Low)
- Windows Server 2003 x64 Edition Service Pack 2 (Low)
- Windows Server 2003 with SP2 for Itanium-based Systems (Low)
Bulletin 2
- Windows 7 for x64-based Systems (Critical)
- Windows Embedded Standard 7 for x64-based Systems (Critical)
- Windows Server 2008 R2 for x64-based Systems (Critical)
Bulletin 3
- Microsoft Office Access 2003 Service Pack 3 (Critical)
- Microsoft Office Access 2007 Service Pack 1 (Critical)
- Microsoft Office Access 2007 Service Pack 2 (Critical)
Bulletin 4
- Microsoft Office Outlook 2002 Service Pack 3 (Important)
- Microsoft Office Outlook 2003 Service Pack 3 (Important)
- Microsoft Office Outlook 2007 Service Pack 1 (Important)
- Microsoft Office Outlook 2007 Service Pack 2 (Important)
There are no security patches because the OS is 100% secure. If your computer is infected, you shouldn't have downloaded that virus/visited that website/inserted that thumbdrive/connected to the internet/plugged in your mac/held it that way.
Duh.
People who publish these security holes publicly in order to "force" the companies to do something about it are kind of unrealistic. Being a Google employee, you would think he knows this, as they often have problems with code themselves that take a much longer time to get straightened out than he gave MS.
To me it is like someone who finds a problem with the power grid in NYC and causes a blackout to prove their point, then claims that they are not responsible for any looting or crimes or accidents that result from the blackout because they gave the electric utility five days to re-engineer the power stations.
Bad analogy. A better one would be if he published the information on how to cause the blackout.
The end result may be the same, but revealing information is quite different from actually being the attacker.
MS had 5 days to give a timetable for fixing it, but would not do so during that time (I believe he was requesting 30 days). Now that he released it, they fix it in almost no time at all. Sure seems like they could have committed to fixing it in 30 days time.
Those that find security flaws have to have some kind of assurance by the company that the flaw will be fixed, if they are going to cooperate with them. If the company refuses to give that assurance, then why should the security "analyst" play nice?
That said, I don't agree with the action. He could have demanded the 30 day timetable, and if he didn't get it, released on day 30. Instead it seems he got mad and released it the same day when MS wouldn't play ball. Even if MS wouldn't commit to 30 days they might very well have met that goal (as they clearly were capable of).
I have to agree with you. 30 days is plenty of time to fix the problem, or if you're not able to fix it, at least call the guy back and say, "Hey, we're working on it, give us a few more days."
To release it after only 5 days makes this guy an asshole. I hate people that quote comic books, but it's the old "with great power comes great responsibility" thing. Just because you can doesn't mean you should. So if this guy is a security researcher at Google, then he is a tool.
I would have simply told Microsoft about the exploit, given them thirty days to fix it, then released the exploit. Hell, if they told me they were working on it and it was going to take 60 days, I would have cut them some slack; after all, there are millions of lines of code to check. To release this into the wild after only 5 days is stupid. I think that if you're a "security researcher" then you have an obligation to withhold the exploit for at least 30 days. Personally, I think this guy is a tool and should be held accountable for all of the systems that were hacked because he could not wait 30 days.
It would appear they have a few days left still.
Important notice for users of Windows XP with Service Pack 2 (SP2): The support for your product will end July 13, 2010! To ensure that you will receive all important security updates for Windows after that date you need to upgrade to Windows XP with Service Pack 3 (SP3) or later versions such as Windows 7.
You guys do know Google is keeping track of lots of people's machines' system specs that use Google's products... Well, maybe Google has the scoop that there are just too many people using XP SP2/SP1/1st edition. It seems to me they were trying to be the good guys here and not the a-holy-o's like Microsoft wants to be by discontinuing support for an OS that isn't their brand new money maker (and it also has the same security flaw; which will they give their attention to first?) and leaving an XP problem until conveniently well after the 13th in a 'richard' move to force people to upgrade to Vista or 7, perhaps? That is how marketing works, after all.
For real though, I am surprised anyone is giving this guy a hard time at all. I feel like I'm in Bizarro World.
Actually, what I get from reading between the lines is that Microsoft refused to obligate itself to meeting a timeline that they weren't 100% sure they could meet, which is perfectly reasonable, then the guy decided to be a dick and publicize it because they wouldn't meet his demands.
I haven't seen anything that says they knew exactly how to fix it right then. Knowing how OS (and coding in general) stuff works, it could've been something that could take an hour, or take months. Fortunately for them, it was much less, but they wouldn't have known that right off the bat. Nor would the guy, for that matter, unless he's sitting in front of XP's source code.
Perhaps it is because all systems and applications have bugs and flaws. And sorry, but releasing the exploit for a new, not-seen-in-the-wild vulnerability helps nobody. Using it in one of those hack-to-own contests, sure, but releasing it like he did just comes off as self-promotion.
You realize just how old XP is, that SP3 is a free service pack, and that the cut-off "date" has been known for some time, don't you? At some point all developers need to focus their limited resources on the newer systems. Oh, and if you have a contract with MS and the deep pockets to afford it, you can get "help" from them with older systems too, just not for free anymore.
Hey, MS bashing is easy and sometimes fun when Ballmer does something stupid (Windows Mobile *cough*). But really, in this one case they are not the bad guys... slow and bureaucratic maybe, but neither evil nor bad.
There's this little thing called responsible disclosure. You tell the vendor, give them a reasonable amount of time. If they fix it, great, you reveal it when the patch comes out. If not, you reveal to pressure them into making a patch. If the exploit wasn't used before revelation (and this one wasn't), no one gets hurt. If it's already being abused, you of course release it to allow for defensive measures. Dropping the exploit into the wild without giving reasonable time to fix it is irresponsible and hurts both about 10,000 hapless users and Microsoft. If he had been waiting for over a month with no response, I wouldn't have an issue with him releasing. Releasing it 5 days after discovery is, bluntly, a dick move.
To the guy saying they want to avoid supporting SP2: SP3 has been out for two years now (and gets security patches until something like 2014). Even the most bureaucratic IT department has had plenty of time to make the upgrade.
You'd call it irresponsible, except that Google is a competitor with Microsoft... and of course no one would consider 'Google' irresponsible, as they have data-mined so much dirt on everyone that such beliefs would only keep you up at night...