Aug 15, 2008

Microsoft Sets Kill Bits

At the request of the ISVs concerned, Microsoft has released kill bit packages for certain versions of HP Instant Support and Aurigma Image Uploader. They were released as part of a cumulative security update for ActiveX along with many other kill bits.

Kill bits are settings in the Windows registry that disable an ActiveX control. When an ISV finds a vulnerability in one of its ActiveX controls, it often asks Microsoft to disable that control by issuing a kill bit for it. Click here to learn more about kill bits.
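As an added illustration (not from the original story or from Microsoft), here is a small audit script for the mechanism just described: a kill bit is the 0x400 bit of the "Compatibility Flags" DWORD under HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}, and on 64-bit Windows a second copy lives under Wow6432Node for 32-bit Internet Explorer. The CLSID in the usage block is a placeholder; the real control GUIDs come from the HP and Aurigma advisories.

```python
import sys

KILL_BIT = 0x400  # bit in "Compatibility Flags" that stops IE from loading the control

# Registry views that hold kill bits: native, and the 32-bit view on 64-bit Windows.
COMPAT_VIEWS = {
    "native": r"SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility",
    "wow64": r"SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility",
}


def kill_bit_set(compat_flags):
    """True when a Compatibility Flags value (None if absent) carries the kill bit."""
    return compat_flags is not None and bool(compat_flags & KILL_BIT)


def read_compat_flags(clsid, subkey):
    """Read HKLM\\<subkey>\\{CLSID} 'Compatibility Flags'; None if key or value is missing."""
    import winreg  # Windows-only module, imported here so the helpers above load anywhere
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, subkey + "\\" + clsid) as key:
            value, _ = winreg.QueryValueEx(key, "Compatibility Flags")
            return int(value)
    except FileNotFoundError:
        return None


def audit_kill_bits(clsids, reader=read_compat_flags):
    """Map each CLSID to {view: kill bit set?} so a view the update missed stands out."""
    return {
        clsid: {view: kill_bit_set(reader(clsid, subkey)) for view, subkey in COMPAT_VIEWS.items()}
        for clsid in clsids
    }


if __name__ == "__main__":
    # Placeholder CLSID: substitute the control GUIDs named in the vendor advisories.
    controls = sys.argv[1:] or ["{00000000-0000-0000-0000-000000000000}"]
    for clsid, views in audit_kill_bits(controls).items():
        print(clsid, views)
```

On a 32-bit Windows install the wow64 view does not exist and will report False for every control; only the native view matters there.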

This cumulative update was pushed out with this past Patch Tuesday's set of updates, but it was rated Important, so if Automatic Updates is set to apply only critical updates you may not have received it.

You can apply the update by running Windows Update manually or by downloading and running the appropriate update for your system from Microsoft's Knowledge Base.

For details on the new kill bits and what they kill see the advisories at Aurigma and HP (here and here).


(full story)

Aug 12, 2008

"Quality Issue" Holds Media Player Update Back

You might have noticed that when Microsoft released the Advance Notification last week for Patch Tuesday they said there would be 12 updates, 7 of them critical. When Tuesday came around there were only 11 updates, 6 of them critical. Where'd the last critical update go?

In the Microsoft Security Response Center the company answered this, although not in any detail. The withholding of the update was due, the company says, to "a last minute quality issue." It's not the first time this has happened; testing of the updates continues, it seems, even after the advance notification. Chances are that the update, which addressed a flaw in Windows Media Player, will be in the September updates.

(full story)

Java Will Solve Old Version Problem

Have you ever looked in your Add/Remove Programs applet and wondered why there were multiple copies of Java in it? That's because the Java installer doesn't remove old versions. Do 10 updates and you'll have 11 copies of Java installed. And they all take up a lot of space.

But an update to Java, currently in beta, will fix this problem. The current version of Java (I think) is Java 6 Update 7. A document on the Java web site says of Java 6 Update 10 that:

For current users of Java SE, the JRE update mechanism has also been improved, using a patch-in-place mechanism that translates in a faster and more reliable update process (the patch in place mechanism will take effect for end users who upgrade from this update release or later to a new update release). As an added benefit, follow-on update releases will no longer be listed as separate items in the Windows "Add or Remove Programs" dialog.

Exactly what this means is not clear; will it clean out the old versions? But it seems to say that it will solve the problem going forward. In fact, a beta is available from the page for downloading.

Do we really have to wait 3 updates for this? The page says the release is scheduled for Summer/Fall of 08. We'll see.

(full story)

Vista Security Rendered Useless?

Perhaps the most explosive presentation at last week's Black Hat hacker conference in Las Vegas was that of Alexander Sotirov and Mark Dowd. The paper they presented delves deep into security technologies in Windows Vista which protect against abuses of memory and seeks out weaknesses in them. Among these technologies are DEP (Data Execution Prevention) and ASLR (Address Space Layout Randomization). The authors found many interesting attack techniques.

Some of the industry press on this presentation has been on the hysterical side: Neowin started it all with the hyperbolic "Vista's Security Rendered Completely Useless by New Exploit" followed by a TechTarget article here. The TechTarget article was updated later to tone it down some. These articles fed the fires of credulousness in those who want to believe the worst about Vista. Even the respected Bruce Schneier blogged tersely, but with great concern, about the severity of it all.

But even Sotirov himself argues that "...the sky is not falling and the flaws are not unfixable..." Thanks to Ed Bott for bringing all this out in his blog. As Sotirov says, exploitation is always a cat and mouse game, and it won't take long for Microsoft and others to respond. He adds "The articles that describe Vista security as 'broken' or 'done for,' with 'unfixable vulnerabilities' are completely inaccurate." In fact, Microsoft provided feedback on the paper to Sotirov and Dowd.

ASLR and DEP are opt-in technologies; they aren't turned on by default, and a developer has to specifically build their program (with special linker switches) to opt in to the protections. Many of the attacks in the paper rely on common software, especially Java, that does not opt in. Even Microsoft doesn't use them uniformly. Over time one can expect more programs to opt in, and that aspect of the problem will tend to resolve itself.
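The opt-in the paragraph describes is recorded in the executable itself: the linker switches /DYNAMICBASE and /NXCOMPAT set the DYNAMIC_BASE (0x0040) and NX_COMPAT (0x0100) bits of the DllCharacteristics field in the PE optional header. The following script, added here and not part of the original story or of the Sotirov/Dowd paper, reads those bits from any PE file so you can see which of your programs have opted in; it inspects only the image flags, not the system-wide DEP policy, and builds a constructed minimal header for offline testing.

```python
import struct
import sys
from pathlib import Path

# IMAGE_DLLCHARACTERISTICS_* bits from the PE optional header
DYNAMIC_BASE = 0x0040  # set by /DYNAMICBASE: image opts in to ASLR
NX_COMPAT = 0x0100     # set by /NXCOMPAT: image opts in to DEP


def pe_dll_characteristics(data: bytes) -> int:
    """Return the DllCharacteristics word of a PE image given its raw bytes."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]       # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    opt = pe_off + 4 + 20                                  # skip signature + COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):                        # PE32 or PE32+
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # DllCharacteristics sits at offset 70 of both PE32 and PE32+ optional headers
    return struct.unpack_from("<H", data, opt + 70)[0]


def mitigation_optin(data: bytes) -> dict:
    """Report whether the image opted in to ASLR and DEP via its header flags."""
    flags = pe_dll_characteristics(data)
    return {"aslr": bool(flags & DYNAMIC_BASE), "dep": bool(flags & NX_COMPAT)}


def make_sample_pe(dll_characteristics: int) -> bytes:
    """Constructed minimal PE32 header (not a runnable program) for offline checks."""
    img = bytearray(0x40 + 24 + 96)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)                # e_lfanew -> PE signature
    img[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<H", img, 0x44, 0x14C)               # Machine: IMAGE_FILE_MACHINE_I386
    struct.pack_into("<H", img, 0x44 + 16, 96)             # SizeOfOptionalHeader
    struct.pack_into("<H", img, 0x58, 0x10B)               # PE32 magic
    struct.pack_into("<H", img, 0x58 + 70, dll_characteristics)
    return bytes(img)


if __name__ == "__main__":
    for path in sys.argv[1:]:
        print(path, mitigation_optin(Path(path).read_bytes()))
```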

The research is top stuff for sure, a good example of how independent vulnerability research can help improve products. As a general matter, if users follow common sense security practices and run a decent anti-malware package and keep everything updated they should be in good shape, even with the revelations described in this paper.

(full story)

Aug 7, 2008

Real Issues Security Updates For Windows, Mac, Linux

RealNetworks has issued a series of updates to fix four vulnerabilities in the Windows, Mac and Linux versions of RealPlayer 10 and 11. Click here to see which versions are affected on which platforms.

The vulnerabilities include:

  1. RealPlayer ActiveX controls property heap memory corruption. A variety of versions are vulnerable to heap overflows caused by the software mishandling memory.

  2. Local resource reference vulnerability in RealPlayer. No meaningful description was provided for this flaw.

  3. RealPlayer SWF file heap-based buffer overflow. We reported on this the other day. Processing a malicious Flash SWF file can cause a heap-based overflow.

  4. RealPlayer ActiveX import method buffer overflow. Deleting a vulnerable file from the user's media library triggers a stack overflow and can cause arbitrary code execution.

(full story)