For Microsoft, Patch Tuesday Often Becomes Exploit Thursday

Microsoft releases security updates on the second Tuesday of each month -- a regular schedule the company follows to make it easier for network administrators around the world to manage all the updating necessary to deploy the fixes on their systems.

Over the past several months, news of exploits targeting previously undocumented flaws in Windows and other Microsoft applications has surfaced within hours of each Patch Tuesday. Today, less than 48 hours after Microsoft released a record number of security updates, comes the release of exploit code for yet another Office flaw, this one apparently targeted at PowerPoint files in Office 2003 (no, I'm not going to link to the site hosting the exploit code).

As I've noted before, the Patch Tuesday/Exploit Wednesday (or Thursday) phenomenon gives bad guys the maximum amount of time to use exploits in the wild before Microsoft gets around to its next patch cycle. Redmond occasionally breaks out of that cycle for especially serious or high-profile attacks on unpatched flaws; it has done so twice this year, though neither of those emergency patches dealt with an Office vulnerability.

It is quite clear from the massive number of Office patches issued this week that Microsoft is doing some long overdue code review on its desktop software. So far in 2006, Microsoft has issued patches to address no fewer than 44 distinct vulnerabilities in its Office products, many of them labeled "critical" -- meaning that bad guys can install malicious programs on your machine just by convincing you to open a poisoned document or spreadsheet. By comparison, Microsoft issued just six updates to fix problems in Office last year.

It is also painfully clear that those who would wish to heap harm and embarrassment on Microsoft and its millions of users also are conducting their own audits, and with very effective results. Office flaws have shown themselves to be extremely potent weapons in targeted attacks against organizations (think corporate and government espionage).

Regarding the Office exploit revealed today, a Microsoft spokesperson said the company "is investigating new public reports of a possible vulnerability in Microsoft Office 2003. Microsoft is not aware of any attacks attempting to use the reported vulnerability or of customer impact at this time. Microsoft will continue to investigate the public reports to help provide additional guidance for customers as necessary."

While we're on the subject of Office vulnerabilities, it appears Microsoft's Office Update service is still experiencing some hiccups. I tried to update my Office 2000 installation last night and again this morning and was met with an error message saying the site was experiencing technical difficulties.

By Brian Krebs  |  October 12, 2006; 12:34 PM ET
Categories:  Latest Warnings  

Comments

Do the Tues Oct 10 MS patches fix the issue you posted "Microsoft Issues Emergency Patch for IE Flaw" posted on September 26, 2006; 3:51 PM ET, or do I need to do what you say in that article separately? I've left IE alone since then, waiting to see if it came bundled with other fixes on 10/10. Thanks

Posted by: ML | October 12, 2006 1:31 PM

I just want to say (amusedly) Office 2000? :)

Posted by: LonerVamp | October 12, 2006 5:31 PM

The statistic I would like to know is this. Just how many of all these Microsoft vulnerabilities are discovered by Microsoft and how many by third parties. Or to put it another way; how proactive are Microsoft in protecting the users? One assumes Microsoft have all the code and design documents and yet we keep getting the same class of flaws in their software.
If one bought a new house and I discovered someone had broken in through a window because the lock was not a good enough standard what would you do? The sensible person would not only replace that lock but check and replace the locks on the other windows. They would not just sit and wait until someone broke in to another window. Mind you I suppose if you were just renting a house the landlord might prefer you to suffer loss rather than spend some of the rental profit!

Posted by: Steve | October 13, 2006 1:22 AM

Steve,

If not for the "bad" guys, your windows and doors would not need locks! The root causes are the malevolent people on this planet. Until the root cause is addressed, it will forever be a cat and mouse game. We need a better mousetrap!

Posted by: TJ | October 13, 2006 12:53 PM

Posted by: J. Warren | October 13, 2006 1:58 PM

Microsoft PowerPoint Unspecified Code Execution Vulnerability
- http://secunia.com/advisories/22394/
Release Date: 2006-10-13
Critical: Highly critical
Impact: System access
Where: From remote
Solution Status: Unpatched
...According to Microsoft, the vulnerability may allow execution of arbitrary code. The vulnerability is reported in Microsoft PowerPoint 2003. Other versions may also be affected.
Solution: Do not open untrusted Office documents.
Original Advisory: Microsoft:
http://blogs.technet.com/msrc/archive/2006/10/12/poc-published-for-ms-office-2003-powerpoint.aspx ..."

Posted by: J. Warren | October 13, 2006 4:34 PM

LonerVamp,

You'd prefer to pay out cash for Office 2000, then XP, then 2003 over a few years, when they are all basically the same?

Posted by: Michael | October 13, 2006 6:29 PM

TJ

If not for the bad folk houses, cars, etc would not need locks either!

Malevolent and benevolent are not the same as illegal and legal!

It is certainly legal for companies to take money for poor software but certainly not benevolent.

Posted by: Steve | October 14, 2006 7:20 AM

... I discovered someone had broken in through a window because the lock was not a good enough standard what would you do?
---

a killer may argue that our lives are too easy to take, to stay away from the temptation. Now, what a poor rapist to do in this whole situation?

Posted by: miron | October 14, 2006 2:52 PM

Get Office 2007 and the problem's fixed.

Posted by: someone | October 14, 2006 3:19 PM

Get Office 2007 and the problem is fixed?!?! Yeah only for a little while! Then it's Office 2007 SP1, then Office 2007 SP1 SR1, then Office 2007 SP2 w/e-mail validation controls, blah, blah blah. It just goes on and on and on. There is no end in sight for PC updates once they are connected to the world.

Posted by: na-uh | October 18, 2006 12:21 PM

Yep. The windows update site has been unavailable occasionally over the past week. I wonder what type of back-end servers these guys are using. ;-]

Posted by: slave to M$ | October 18, 2006 6:22 PM

M$ is a blessing for internet criminals hence its increasing popularity amongst these people. The criminal potential is enormous as M$ software is massively leaky and provides lots of hiding places. Ordinary users hardly know what's going on in their machines. Despite protection software, once infected they don't know how to get rid of malware. M$ gets even smarter, 'let's prevent illegal users from downloading security patch, yeah!'. This is the 2nd blessing for internet criminals. Infected PCs stay infected, yeah!, thanks M$.
M$ is only interested in $$$, fixing security leaks is an undesirable expense. M$ is not pro-active as there are still probably thousands of breaches to fix. M$ hopes they will not be revealed but they will (dream on M$ / 3rd blessing). Only public community force M$ to fix security breaches. If there was a serious competitor, M$ products would be wiped off the market, users would save a lot of money and frustration. Maybe M$ products will never become mature if it comes to security ...

Why not introduce a software security approval enforced by law?
No approval, no sale!

I wish I wouldn't have to be this negative.

Posted by: sick of it | October 31, 2006 4:58 AM

© 2010 The Washington Post Company