Microsoft Issues 9 Security Patches

Microsoft Corp. today released nine updates to fix security holes in its Windows operating system, including three patches that earned Redmond's "critical" rating, meaning the company believes hackers could exploit them to take control over unpatched computers.

Among the critical patches is a bundle of fixes for Microsoft's Internet Explorer Web browser, which mends at least four security holes in the browser that purveyors of spyware will no doubt take advantage of on unpatched Windows machines in the near future.

There is also a patch to fix a critical problem in DirectShow, the video playback software bundled as part of Microsoft's DirectX graphics program. This flaw is present in every version of Windows going back to Windows 98.

The third critical patch fixes three separate security holes in the Microsoft "MSDTC and COM+ services." Never mind what those stand for or what they do, just patch if you need to -- the flaws are present in certain versions of Windows Server 2003, Windows XP, and Windows 2000.

There are six other patches, but I won't bore you with the details here. If you want to read up on them, the full bulletins are on Microsoft's security page.

If you're running Windows, you can (and should) grab the free patches immediately. One method is to point Internet Explorer to Microsoft's update site. If you have not upgraded yet from Windows Update to Microsoft Update, you may be prompted to do so before continuing. Alternatively, you can let Microsoft handle the whole process for you by turning on automatic updates and installing any security patches it says you need.

Curiously, Microsoft did not release an update to fix a problem reported several months ago in a component of Microsoft Office that is actively being exploited.

By my running tally, this brings to 29 the number of critical patches Microsoft has issued thus far in 2005, already topping 2004's total of 25 critical updates. 

By Brian Krebs  |  October 11, 2005; 2:59 PM ET
Categories:  New Patches  
Previous: Positive News in the War on Spyware
Next: License to Hack


"By my running tally, this brings to 29 the number of critical patches Microsoft has issued thus far in 2005, already topping 2004's total of 25 critical updates."

You are making a very simplistic insinuation here. Number of overall patches is not a useful metric.

How many of the 29 criticals apply to XP SP2? Server 2003? Including today's patches, nine criticals apply to XP SP2, compared to 17 for XP SP1.

Of the three criticals released today, two apply to XP SP2, and only one applies to all versions of 2003. All three apply to XP pre-SP2 and all versions of 2000.

The Secure Development Lifecycle (SDL) implemented at Microsoft a few years ago is paying off, as evidenced by XP SP2, IIS6, 2003 SP1 (ever done a comparison of vulnerabilities between Apache and IIS6? Very eye opening). It will pay off more as newer products are released (SQL 2005, IE7, Vista, etc).

Posted by: Matt | October 11, 2005 3:57 PM

Nice to see you again, Matt. Where have you been all these posts :) ?

Posted by: Brian Krebs | October 11, 2005 4:04 PM

Trying to push back the onslaught of FUD that often shows up in the comments section of your blog is a full time job, and I don't need a second job :)

But I do enjoy reading your posts.

Posted by: Matt | October 11, 2005 4:15 PM

What's interesting, it seems to me, is not necessarily how many vulnerabilities there are in a product, but how critical the exposures are, how quickly a patch is made available, and how important the service affected is. Microsoft has left critical vulnerabilities in important services (IE) open for long periods of time. And that's the vulnerabilities we _know_ about. Since MS's products are closed source, there are likely enough exposures that users don't know about but that crackers do.
Just my $.05.

Posted by: Elmer | October 11, 2005 4:57 PM

The flip side to the "more eyes" argument floated often by the OSS crowd is that there aren't a whole hell of a lot of people who have the desire to find and fix security flaws. Not to mention that there are very few who actually have a clue if they are looking at a vulnerability and what to do about it.

Posted by: Matt | October 11, 2005 6:06 PM

Matt, I don't see how that is a "flip side" since that comment applies equally to both closed source and OSS software.

I think you're right regarding the finding of security flaws, but I think it is impossible to generalize about fixing the flaws. Overall, most companies and OSS projects don't pay enough attention to security fixes. However, the most successful OSS projects seem to realize that their bread is buttered by claiming they release security fixes faster than non-OSS. Because of that, projects like Mozilla, Apache, and others seem to follow through to help support claims of faster fixes.

Posted by: anonymous | October 11, 2005 7:50 PM

In Microsoft's case, the argument does not apply equally. Every dev is required to attend training on the SDL, where, among other things, Writing Secure Code is required reading.

If you want to know more about why the counter argument to "more eyes" doesn't apply to Microsoft, I highly suggest reading about the SDL:

Microsoft uses SDL to make sure products are secure from the beginning of the development process through to the end, rather than depending on a 'community' that may or may not have sufficient training to find problems.

Just compare the first product to go through the SDL (IIS6) with Apache 2.0. To date, there has not been a single vulnerability found in IIS6. Apache 2.0 has been a disaster, made worse by the zealots who feel that OSS can do no wrong.

Posted by: Matt | October 11, 2005 9:00 PM


You might want to pay close attention to the list of acknowledgements regarding the patches:

Do you not find it concerning that folk outside of Microsoft are *STILL* finding flaws in SDL developed software?

I'm no security expert, but even armed with closed source, "less eyes" and SDL, why are these things being found by the security community, and NOT Microsoft?

Posted by: Anonymous | October 11, 2005 9:06 PM

With a one to one personal experience with a Microsoft XP Pro Global engineer for over six months in trying to fix installation issues of an independently purchased XP Pro, I am convinced that the organization has serious problems relating to customer services and contractual agreements that Microsoft is supposed to provide. These people waste consumer time with their trial and error approach. Second, Microsoft outsourcing Customer Services to places like India, South America and the Far East makes things worse for American customers.
Bill Gates himself is a great and decent person, but the Company itself got used to bullying competitors and the like and lost the war. Now it is bullying the consumer and the only realistic avenue is to sue in every small claims and or magistrates court in the country. Class actions and antitrust are where only the lawyers and the Government make out. Consumers need Microsoft attorneys to appear in every small claims court to get justice.

Posted by: Winemaster2 | October 19, 2005 5:39 PM

Very good site, congratulations! the xmen

Posted by: xmen | April 18, 2006 12:10 AM

The comments to this entry are closed.


© 2010 The Washington Post Company