Tag Archive: hole

Microsoft has issued security hot-fixes to patch a security vulnerability in Internet Explorer which saw Google fall victim to some targeted and sophisticated attacks recently.

The vulnerability came to light when Google publicly disclosed that it had been targeted in a sophisticated cyber-attack. The breach, involving Internet Explorer 6, resulted in the theft of intellectual property. Due to the attack, and the background behind it, Google announced it will no longer be providing censored results for its Chinese Google search engine. Currently Google offers censored search results as part of an agreement with the Chinese government.

Microsoft has been busy working on a fix for the issues and decided an out-of-band patch was required. Whilst it’s a rare decision these days, Microsoft could ill afford to wait three weeks until the next “patch Tuesday” on February 9.

When it comes to patching security threats and bugs in their operating systems, Microsoft is, for the most part, pretty good about it. True, there are threats here and there that get overlooked, but eventually, Redmond takes care of them… except in this case.

The H Security points out that Microsoft has ignored a security hole in Windows since the release of Windows NT 3.1 in 1993. This vulnerability is present in all 32-bit Windows operating systems since then. The problem exists due to a flaw in the Virtual DOS Machine (or VDM), which was used to support 16-bit applications. The flaw allows a 16-bit program to manipulate the kernel stack of processes. The site notes that “this potentially enables attackers to execute code at system privilege level,” making this a real threat to system security.

The vulnerability was discovered by Tavis Ormandy, a member of the Google security team. The hole was tested and found to still be present in Windows XP, Server 2003, 2008, Vista, and 7, and can be used to open a command prompt “in the system context, which has the highest privilege level.” Ormandy says that he informed Microsoft of this hole back in 2009, but they have yet to fix it. The workaround happens to be pretty simple; all you have to do is disable the MS-DOS subsystem. It’s advised that all companies patch the hole, especially now that the vulnerability is public knowledge. Turning this off should not cause any compatibility issues, unless, for some strange reason, you’re still using 16-bit applications.

Here’s how to disable it:

“The workaround requires users to start the group policy editor and enable the ‘Prevent access to 16-bit applications’ option in the Computer Configuration\Administrative Templates\Windows Components\Application Compatibility section.”

Microsoft confirmed to CNET News that it is looking into a report of a vulnerability in Windows 7 and Server 2008 R2 that could be used by a malicious attacker to remotely crash PCs.

The software giant is looking into claims of a “possible denial-of-service vulnerability in Windows Server Message Block (SMB),” a Microsoft spokesperson confirmed. Security researcher Laurent Gaffié published proof-of-concept code in a blog posting proclaiming “This bug is a real proof that SDL #FAIL”. Laurent also added “the bug is so noob, it should have been spotted 2 years ago by the SDL if the SDL had ever existed.”

The flaw kicks off an endless loop on the Server Message Block (SMB) protocol used for sharing files in Windows. The vulnerability report came a day after Microsoft’s patch Tuesday for November. The software company released six patches to fix 15 vulnerabilities across different versions of Windows and Office.

Microsoft confirmed on Wednesday that the company plans to push out a security fix for a critical security hole in Windows 7 next Tuesday.

Microsoft officials posted an advance security bulletin today that confirms Windows XP will have 6 critical holes patched, Windows Vista 5 critical holes and Windows 7 only one. Microsoft’s critical rating is the highest out of all definitions used by the company, described as “a vulnerability whose exploitation could allow the propagation of an Internet worm without user action.”

Microsoft will ship a total of 13 updates on Tuesday, eight of them marked as critical. Previously the company released a record of 12 updates in both February 2007 and October 2008. Next Tuesday will set a new record. This is Windows 7’s first critical patch and initial information suggests Internet Explorer 8 is at fault. Everybody will be live from the New York launch of Windows 7 on October 22 where Microsoft CEO Steve Ballmer will release Windows 7 to the world.
