MS Addressing Google-Exposed Flaw Next Week

News
By Kevin Parrish
published

Patch Tuesday brings two needed fixes to Windows XP and Windows 7.

Next week Microsoft is slated to address a zero-day vulnerability in Windows XP that was recently discovered by Google engineer Travis Ormandy. As reported earlier, Ormandy went public with his findings after Microsoft would not provide a definite timeline for addressing the issue. Because of Ormandy's actions, more than 10,000 Windows XP PCs were hacked since the CVE-2010-1885 exploit went live. Microsoft said that the company was only given five days notice.

Nevertheless, Microsoft is addressing the issue next week on Patch Tuesday, July 13. The fix--dubbed as Bulletin 1--will be one of four issues Microsoft will address, and one of two critical patches that applies to the Windows platform. The second Windows patch--dubbed as Bulletin 2--will fix a vulnerability in Windows 7 64-bit and Windows Server 2008 R2's canonical display driver. The issue was announced back on May 18, reporting that the vulnerability could allow for remote code execution.

The remaining two patches in next week's update will address issues with Microsoft Office 2002, 2003, and 2007. As seen in the list below, Bulletin 3 will address issues with Access 2003 Service Pack 3, Access 2007 Service Pack 1 and Access 2007 Service Pack 2. Bulletin 4 will focus on Outlook 2002 Service Pack 3, Outlook 2003 Service Pack 3, Outlook 2007 Service Pack 1 and Outlook 2007 Service Pack 2.

Here's the full list:

Bulletin 1

  • Windows XP Service Pack 2 (Critical)
  • Windows XP Service Pack 3 (Critical)
  • Windows XP Professional x64 Edition Service Pack 2 (Critical)
  • Windows Server 2003 Service Pack 2 (Low)
  • Windows Server 2003 x64 Edition Service Pack 2 (Low)
  • Windows Server 2003 with SP2 for Itanium-based Systems (Low)

Bulletin 2

  • Windows 7 for x64-based Systems (Critical)
  • Windows Embedded Standard 7 for x64-based Systems (Critical)
  • Windows Server 2008 R2 for x64-based Systems (Critical)

Bulletin 3

  • Microsoft Office Access 2003 Service Pack 3 (Critical)
  • Microsoft Office Access 2007 Service Pack 1 (Critical)
  • Microsoft Office Access 2007 Service Pack 2 (Critical)

Bulletin 4

  • Microsoft Office Outlook 2002 Service Pack 3 (Important)
  • Microsoft Office Outlook 2003 Service Pack 3 (Important)
  • Microsoft Office Outlook 2007 Service Pack 1 (Important)
  • Microsoft Office Outlook 2007 Service Pack 2 (Important)
Kevin Parrish
21 Comments Comment from the forums
  • Teen Geek
    Microsoft is quick. How long does Apple takes to issue a security patch?
    Reply
  • hellwig
    Teen GeekMicrosoft is quick. How long does Apple takes to issue a security patch?There are no security patches because the OS is 100% secure. If your computer is infected, you shouldn't have downloaded that virus/visited that website/inserted that thumbdrive/connected to the internet/plugged in your mac/held it that way.

    Duh.
    Reply
  • hellwig
    On another note, I think it was a pretty dick move to release a exploit because Microsoft didn't tell you when a patch was coming out. I'm guessing they didn't know what the problem was to patch it. I'm not sure how releasing the flaw to the public will help the millions of Windows users who could have been affected. I mean, did he at least include his own security solution, or did he Rush-Limbaugh the job and just complain about how someone else was doing it wrong, and not offering any of his own suggestions?
    Reply
  • dheadley
    I think all the businesses or private windows users who were hacked as a result of this guys action should be able to sue him for any damages they suffered as a result of his actions. If what they are saying is true about the short notice then the guy is just a plain asshole and should be treated in kind. Everyone knows they do "patch Tuesdays" and he should have given them the chance to roll out a patch silently before then making public the problem.

    People that publish these security holes publicly in order to "force" the companies to do something about it are kind of unrealistic. Being a Google employee you would think he knows this as they often have problems with code themselves that takes a much longer time to get straightened out than he gave MS.

    To me it is like someone that finds a problem with the power grid in NYC and causes a blackout to prove their point, then claims that they are not responsible for any looting or crimes or accidents that result from the blackout because they gave the electric utility five days to re-engineer the power stations.
    Reply
  • adipose
    To me it is like someone that finds a problem with the power grid in NYC and causes a blackout to prove their point,

    Bad analogy. A better one would be if he published the information on how to cause the blackout.

    The end result may be the same, but revealing information is quite different from actually being the attacker.

    MS had 5 days to give a timetable for fixing it, but would not do so during that time (I believe he was requesting 30 days). Now that he released it, they fix it in almost no time at all. Sure seems like they could have committed to fixing it in 30 days time.

    Those that find security flaws have to have some kind of assurance by the company that the flaw will be fixed, if they are going to cooperate with them. If the company refuses to give that assurance, then why should the security "analyst" play nice?

    That said, I don't agree with the action. He could have demanded the 30 day timetable, and if he didn't get it, released on day 30. Instead it seems he got mad and released it the same day when MS wouldn't play ball. Even if MS wouldn't commit to 30 days they might very well have met that goal (as they clearly were capable of).
    Reply
  • 70camaross396
    adiposeBad analogy. A better one would be if he published the information on how to cause the blackout.The end result may be the same, but revealing information is quite different from actually being the attacker.MS had 5 days to give a timetable for fixing it, but would not do so during that time (I believe he was requesting 30 days). Now that he released it, they fix it in almost no time at all. Sure seems like they could have committed to fixing it in 30 days time.Those that find security flaws have to have some kind of assurance by the company that the flaw will be fixed, if they are going to cooperate with them. If the company refuses to give that assurance, then why should the security "analyst" play nice?That said, I don't agree with the action. He could have demanded the 30 day timetable, and if he didn't get it, released on day 30. Instead it seems he got mad and released it the same day when MS wouldn't play ball. Even if MS wouldn't commit to 30 days they might very well have met that goal (as they clearly were capable of).
    I have to agree with you. 30 days is plenty of time to fix the problem or if your not able to fix it at least call the guy back and say hey were working on it, give us a few more days.

    To release it after only 5 days makes this guy a asshole. I hate people that qoute comic books but it the old "with great power, come great responcibility" thing. just becuase you can doesnt mean you should. so if this guy is a security researcher at google, then he is a tool.

    I would have simply told microsoft about the exploit, given them thirty days to fix it, then release the exploit. hell if they told me they were working on it and it was going to take 60 days, i would have cut them some slack, after all there are millions of lines of code to check. To release this in to the wild after only 5 days is stupid. I think that if your a "security researcher" then you have an obligation to withold the exploit for at least 30 day. personly i think this guy is a tool and should be held accountable for all of the systems that were hacked because he could not wait 30 days.
    Reply
  • Gin Fushicho
    Oi.... really? Leave XP alone Microsoft, you said you were going to kill XP. Isn't this the opportunity you were waiting for?
    Reply
  • pojih
    Important notice for users of Windows XP with Service Pack 2 (SP2): The support for your product will end July 13, 2010! To ensure that you will receive all important security updates for Windows after that date you need to upgrade to Windows XP with Service Pack 3 (SP3) or later versions such as Windows 7.

    http://support.microsoft.com/ph/1173#tab0
    it would appear they have a few days left still
    Reply
  • f-14
    today is the 9th, why 5 days? microsoft policy concerning windows xp this is why:
    Important notice for users of Windows XP with Service Pack 2 (SP2): The support for your product will end July 13, 2010! To ensure that you will receive all important security updates for Windows after that date you need to upgrade to Windows XP with Service Pack 3 (SP3) or later versions such as Windows 7.

    you guys do know google is keeping track of lots of people machines system specs that use googles products... well maybe google has the scoop that there's just too many people using xp sp2/sp1/1st edition. it seems to me they were trying to be the good guys here and not the a-holy-o's like microsoft wants to be by discontinuing support for an OS that isn't their brand new money maker (and it also has the same security flaw, which will they give their attention to first.) and leave an XP problem until conveintly well after the 13th in a 'richard' move to force people to upgrade to vista or 7 perhaps? that is how marketing works after all.
    Reply
  • tearlach2
    Despite everyone making absurd analogies, this dude released a security flaw he found in windows. how do any conversations he had with MS show anything? I don't think he should have even bothered contacting MS, screw em for making crap.
    For real though I am surprised anyone is giving this guy a hard time at all. I feel like I'm in Bizzaro World
    Reply