"Quality Issue" Holds Media Player Update Back  

Posted by Mohammad Talha

You might have noticed that when Microsoft released the Advance Notification last week for Patch Tuesday they said there would be 12 updates, 7 of them critical. When Tuesday came around there were only 11 updates, 6 of them critical. Where'd the last critical update go?

In the Microsoft Security Response Center the company answered this, although not in any detail. The withholding of the update was due, the company says, to "a last minute quality issue." It's not the first time this has happened; testing of the updates continues, it seems, even after the advance notification. Chances are that the update, which addressed a flaw in Windows Media Player, will be in the September updates.


Java Will Solve Old Version Problem  

Posted by Mohammad Talha

Have you ever looked in your Add/Remove Programs applet and wondered why there were multiple copies of Java in it? That's because the Java installer doesn't remove old versions. Do 10 updates and you'll have 11 copies of Java installed. And they all take up a lot of space.

But an update to Java, currently in beta, will fix this problem. The current version of Java (I think) is Java 6 Update 7. A document on the Java web site says of Java 6 Update 10 that:

For current users of Java SE, the JRE update mechanism has also been improved, using a patch-in-place mechanism that translates in a faster and more reliable update process (the patch in place mechanism will take effect for end users who upgrade from this update release or later to a new update release). As an added benefit, follow-on update releases will no longer be listed as separate items in the Windows "Add or Remove Programs" dialog.

Exactly what this means is not clear; will it clean out the old versions? But it seems to say that it will solve the problem going forward. In fact, a beta is available from the page for downloading.

Do we really have to wait 3 updates for this? The page says the release is scheduled for Summer/Fall of 08. We'll see.


Vista Security Rendered Useless?  

Posted by Mohammad Talha

Perhaps the most explosive presentation at last week's Black Hat hacker conference in Las Vegas was that of Alexander Sotirov and Mark Dowd. The paper they presented delves deep into security technologies in Windows Vista which protect against abuses of memory and seeks out weaknesses in them. Among these technologies are DEP (Data Execution Prevention) and ASLR (Address Space Layout Randomization). The authors found many interesting attack techniques.

Some of the industry press on this presentation has been on the hysterical side: Neowin started it all with the hyperbolic "Vista's Security Rendered Completely Useless by New Exploit" followed by a TechTarget article here. The TechTarget article was updated later to tone it down some. These articles fed the fires of credulousness in those who want to believe the worst about Vista. Even the respected Bruce Schneier blogged tersely, but with great concern, about the severity of it all.

But even Sotirov himself argues that "...the sky is not falling and the flaws are not unfixable..." Thanks to Ed Bott for bringing all this out in his blog. As Sotirov says, exploitation is always a cat and mouse game, and it won't take long for Microsoft and others to respond. He adds "The articles that describe Vista security as 'broken' or 'done for,' with 'unfixable vulnerabilities' are completely inaccurate." In fact, Microsoft provided feedback on the paper to Sotirov and Dowd.

ASLR and DEP are opt-in technologies; they aren't turned on by default and a developer has to specifically build their program (with special linker switches) to opt in to the protections. Many of the attacks in the paper rely on the common software, especially Java, which does not opt in. Even Microsoft doesn't uniformly use them. Over time one can expect more programs to opt in and that aspect of the problem will tend to resolve.
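The opt-in the paragraph describes is recorded in the binary itself: the MSVC linker switches /NXCOMPAT and /DYNAMICBASE set bits in the DllCharacteristics field of the PE optional header, and a defender auditing which programs have opted in can read those bits directly. The following is an added example written for this post, not code from the original article or from the Sotirov/Dowd paper; it parses the header and, for a runnable demonstration, builds constructed header-only byte strings rather than real executables.

```python
import struct

# DllCharacteristics bits from the PE optional header (winnt.h values).
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040  # set by /DYNAMICBASE -> ASLR opt-in
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100     # set by /NXCOMPAT    -> DEP opt-in


def pe_mitigations(data: bytes) -> dict:
    """Report whether a PE image opts in to ASLR and DEP.

    Handles PE32 and PE32+: DllCharacteristics sits at offset 70 of the
    optional header in both layouts.
    """
    if data[:2] != b"MZ":
        raise ValueError("not an MZ/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("PE signature not found")
    opt_hdr = e_lfanew + 4 + 20           # skip signature and 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt_hdr)[0]
    if magic not in (0x10B, 0x20B):       # PE32 / PE32+
        raise ValueError("unknown optional header magic 0x%x" % magic)
    dll_chars = struct.unpack_from("<H", data, opt_hdr + 70)[0]
    return {
        "aslr": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
        "dep": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
    }


def make_fake_pe(dll_characteristics: int, pe32plus: bool = False) -> bytes:
    """Constructed header-only image for the demo; not a loadable binary."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = b"\x00" * 20
    opt = bytearray(96)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<H", opt, 70, dll_characteristics)
    return dos + b"PE\x00\x00" + coff + bytes(opt)


if __name__ == "__main__":
    # An opted-out module (the situation the article describes for Java)
    # looks like the first case; a fully opted-in one like the last.
    both = IMAGE_DLLCHARACTERISTICS_NX_COMPAT | IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
    for label, flags in [("opted out", 0),
                         ("DEP only", IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
                         ("DEP + ASLR", both)]:
        print(label, pe_mitigations(make_fake_pe(flags)))
```

To audit a real file, pass `open(path, "rb").read()` to `pe_mitigations`; a module that returns both values False is one the paper's techniques could target regardless of the system-wide setting.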

The research is top stuff for sure, a good example of how independent vulnerability research can help improve products. As a general matter, if users follow common sense security practices and run a decent anti-malware package and keep everything updated they should be in good shape, even with the revelations described in this paper.

