Posts Tagged ‘microsoft vulnerability’
Microsoft Fails Again! Revises Another Critical Update
On September 25th, I posted that Microsoft confesses to posting a flawed update, which pointed to an August 22, InfoWorld article that stated it was the third time in two months that Microsoft has had to re-issue a security related update. Well, Microsoft has done it again!
The most recent is MS08-052, first published on September 9. Seems they left out a few pieces of software in the original release! According to the e-mail I received about the re-release:
Bulletin updated to add Microsoft Office Project 2002 Service Pack 2, all Office Viewer software for Microsoft Office 2003, and all Office Viewer software for 2007 Microsoft Office System as Affected Software.
Let’s recap the re-issues:
MS08-030:
06-10 First issued
06-19 Re-issued
Advisory 954960:
06-30 Advisory issued
07-09 Fix available
08-01 Re-release of fix
08-12 Re-release of fix
MS08-052:
09-09 Security update issued
09-12 Re-release
Now, perhaps you might be wondering why I feel this is a serious enough issue to post it here?
Come with me for a minute down the path my brain takes when I see this kind of stuff.
Thought #1: Microsoft’s software isn’t cheap. You would expect better service from a more expensive product – wouldn’t you? I mean, would you pay for a Lincoln and expect to drive away in a Rickshaw? No! You pay big money for the Lincoln and expect to get this nice, well made car with the full company guarantee behind it. So, why am I (we) paying for Microsoft’s software and paying more than any other software manufacturer? Especially since they can’t seem to get their own act together?
Thought #2: Microsoft wonders why people don’t patch and don’t trust their software in general. Hello? Many times we wait two weeks to patch because we are so used to Microsoft either re-releasing something or not knowing about known issues in a patch at the time they issue them.
Like Microsoft, we and our clients have businesses to run. We can’t afford the down time it takes to fix one of their F*ck ups.
My sister spent over 12 hours on the phone with Microsoft Tech Support in India just to get Vista’s SP1 installed! Businesses don’t have the time or patience but Microsoft just expects us to suck it up.
Thought #3: Security professionals, repair techs, and pretty much anyone involved with the care and feeding of PCs and their users, are constantly frustrated with having to fix users’ PCs, either because known vulnerabilities have been exploited or because the machine was infected by some malware that was easily installable on a Windows system.
And when asked why the user isn’t updating, the answer commonly is one of the following three responses:
- I’m afraid they will screw up my machine.
- I don’t trust Microsoft because their updates have screwed up my machine.
- Why should I fix it if it ain’t broken?
Thought #4: After all, with all the ISPs trying to get more money for their bandwidth, do we users want to keep having to reinstall service packs, patches, and security updates from Microsoft?
Since Microsoft is consuming a lot of our bandwidth with their updates, don’t you think they should foot the bill for some of it?
Thought #5: I think I might get back into the repair business because I’m telling you what, with what I’m seeing in terms of security problems in our research here, the more we are going to see systems infected with all kinds of things! And Microsoft losing even more credibility with users is just adding more wood to the fire.
Thought #6: The reason Microsoft revised this current update? From their FAQ’s:
The last Microsoft Security Bulletin for GDI+, MS04-028, lists affected and non-affected software that is not listed in this bulletin. Why?
The software listed in this bulletin has been tested to determine which supported versions or editions are affected and which supported versions are not affected. Other versions or editions listed in MS04-028 are past their support life cycle.
Does that mean Microsoft, that you DON’T TEST your software patches and updates before you issue these? Well, THAT would explain EVERYTHING!
Let’s see how long anyone else would stay in business if they tried the same tactics. We’ll just create some software, charge people to purchase it, and let them debug it and all our updates! Saves a hellofalot of time and money in research and development!
Yeah, I’m sure that would work in the REAL, NON-MICROSOFT business world!
So, in conclusion, if you haven’t patched yet, you really should apply this one. Unless you want to wait to see if they revise it again in another two weeks!
OXYMORON: Microsoft Security Tools
As much as I preach and preach in my courses about Microsoft and their lame excuse for security – whether within their code or in an alleged security application – people continue to get suckered into the delusional image Microsoft presents about knowing what’s best for you in security.
I’ve posted before about this so I won’t rehash the same old arguments. I’m just going to illustrate YET ANOTHER reason why I continue to harp on the subject in an effort to educate users about the subject of their security.
I was reading my RSS feeds and ran across the current Microsoft Security Bulletin summary for May. Don’t know why I felt compelled to read it – I just did.
Published on May 13th (so I’m a little behind but give me a break, our PC Security course just launched!), the bulletin summary contains a “Moderate” severity listing hidden under the lovely plus signs [+] they use liberally to discourage people from actually reading the details.
First, if you click the link to see just what a Moderate severity rating is, you are taken to a page that explains the rating in such terms as: exploitability, mitigated, default configuration, and auditing. Yeah, right! I’m sure you all understand that right?
But okay, let’s give them a break since the technical writer was probably a nerd.
Moving on… I click the nefarious plus sign [+] to expose the underlying dirt that M$ doesn’t want us to see. And what do I get?
This bulletin title:
Vulnerabilities in Microsoft Malware Protection Engine Could Allow Denial of Service (952044)
Imagine that! A vulnerability in another Microsoft product!
Okay, so I’m not surprised by that, but what interests me is the fact that it’s in the Malware Protection Engine of their product. So, hmmmmm, I wonder… “could that be one of their so-called security products?” I ask myself as I start reading further.
I hit the jackpot! Not only is it one of their so-called security products, it’s a good many of them!
Specifically, the affected software is: Windows Live OneCare, Microsoft Antigen, Microsoft Windows Defender, Microsoft Forefront Security.
So now I’m REALLY interested! I clicked the link to go to the actual full bulletin – which is located here if you want to follow the whole story with me: http://www.microsoft.com/technet/security/Bulletin/MS08-029.mspx
And once again tackling the plus signs [+] I get to see the “down and dirty” details of what’s really going on here!
There are two specific CVE references to this vulnerability:
1. Microsoft Malware Protection Engine Vulnerability- CVE-2008-1437
2. Microsoft Malware Protection Engine Vulnerability- CVE-2008-1438
(For those who do not know, the CVE is sponsored by the National Cyber Security Division of the U.S. Department of Homeland Security and they track all reported vulnerabilities.)
The first one is pretty odd and just annoying. The vulnerability causes their software engine to “hang and reboot”. And that’s different from any other Microsoft program because?????
The second CVE report is what’s fascinating to me and interesting the way M$ plays it down in the initial bulletin.
CVE reports:
…allows context-dependent attackers to cause a denial of service (disk space exhaustion) via a file with “crafted data structures” that trigger the creation of large temporary files, a different vulnerability than CVE-2008-1437.
To translate that into common, everyday language: an attacker hands you a specially crafted file (the “crafted data structures”). When the Microsoft product scans that file for malicious content, the scan creates large temporary files on your computer until all your disk space is used up (disk space exhaustion), and you can no longer use your computer (denial of service).
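The defect class described above is a parser that trusts a length field inside the file it is scanning and sizes its temporary file from that field. The following Python is an added illustration, not code from the bulletin or from any Microsoft product: it uses a constructed toy container format (a made-up magic and a declared payload length) and shows the unchecked pattern beside a hardened extractor that validates the declared length against the real payload, a size cap, and free disk space before writing anything.

```python
import os
import shutil
import struct
import tempfile

# Constructed toy "container" format for illustration only (assumption, not a real format):
# 4-byte magic b"TOYC", 4-byte little-endian declared payload length, then the payload.
MAGIC = b"TOYC"
MAX_TEMP_BYTES = 16 * 1024 * 1024  # per-member cap on temp file size (assumed policy value)


def parse_header(blob: bytes) -> int:
    """Return the payload length the file declares; raise on a malformed header."""
    if len(blob) < 8 or blob[:4] != MAGIC:
        raise ValueError("not a TOYC container")
    return struct.unpack("<I", blob[4:8])[0]


def extract_unchecked(blob: bytes, tmpdir: str) -> str:
    """Vulnerable pattern: the declared length alone decides how big the temp file gets."""
    declared = parse_header(blob)
    path = os.path.join(tmpdir, "member.tmp")
    with open(path, "wb") as f:
        # Pads the temp file out to the declared length; a lie of ~4 GiB fills the disk.
        f.write(blob[8:8 + declared].ljust(declared, b"\0"))
    return path


def extract_checked(blob: bytes, tmpdir: str) -> str:
    """Hardened pattern: validate the declared length before touching disk."""
    declared = parse_header(blob)
    actual = len(blob) - 8
    if declared > actual:
        raise ValueError(f"declared length {declared} exceeds payload of {actual} bytes")
    if declared > MAX_TEMP_BYTES:
        raise ValueError(f"declared length {declared} exceeds cap of {MAX_TEMP_BYTES}")
    if shutil.disk_usage(tmpdir).free < 2 * declared:  # leave headroom for the host
        raise OSError("insufficient free space for temporary file")
    path = os.path.join(tmpdir, "member.tmp")
    with open(path, "wb") as f:
        f.write(blob[8:8 + declared])
    return path


def build_container(payload: bytes, declared: int = -1) -> bytes:
    """Build a TOYC blob; a non-negative `declared` lets a test lie about the length."""
    n = len(payload) if declared < 0 else declared
    return MAGIC + struct.pack("<I", n) + payload


def demo() -> bool:
    """True when the hardened extractor accepts an honest file and rejects the crafted one."""
    with tempfile.TemporaryDirectory() as d:
        honest = build_container(b"hello scanner")                  # constructed input
        crafted = build_container(b"tiny", declared=0xFFFFFFF0)     # claims ~4 GiB
        honest_ok = os.path.getsize(extract_checked(honest, d)) == len(b"hello scanner")
        try:
            extract_checked(crafted, d)
            return False
        except ValueError:
            return honest_ok
```

Only `extract_checked` is exercised by `demo()`; `extract_unchecked` is there to show the shape of the bug and should not be pointed at untrusted input.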
I vaguely remember an old virus that used to do that!
The updated fix is available, but that’s not the point. (Although if you’re running this garbage, you should update immediately!)
The point is Microsoft has been selling you a line of marketing bull sh**!
Here’s their sales pitches directly from their website:
Microsoft Forefront – Trial Downloads
Help secure your servers, clients, and network edge with these free software trials from Microsoft Forefront.
Protect Your PC From Viruses, Spyware & Other Problems
Protecting your PC is easy with Windows Live OneCare-Download a Free Trial
Microsoft Security At Home – Help Prevent Identity Theft, Spyware …
Learn about how to protect your home computer, data, and family from viruses, phishing, identity theft, spyware, and email hoaxes. Learn about online child safety. Microsoft …
Which leads you to these recommended products:
Security Products
· Windows Defender
· Windows Live OneCare
· Windows Live OneCare Safety Scanner
· Microsoft Phishing Filter
· Windows Vista: Parental Controls
· Xbox Family Settings
· Windows Live OneCare Family Safety
Anyone else see a problem with this besides me? (HINT: I’ve bolded all the products they’re wanting you to use for your security that were affected by this vulnerability!) I’m going to trust a company who has never put security first since day one and can’t even build a secure product designed to be secure to protect me???
Oh, and in case you don’t want to go read what caused this vulnerability in the first place, here’s the actual cause described by Microsoft in the bulletin – under the plus signs of course!
CVE-2008-1437 portion of the vulnerability: The Microsoft Malware Protection Engine does not properly validate input when parsing specially crafted files.
CVE-2008-1438 portion of the vulnerability: The Microsoft Malware Protection Engine does not properly validate certain data structures when parsing files.
Now let me see….. security means, in part, authentication and validation of data, access, and execution of files. And it seems that Microsoft managed to botch the major portion of that basic programming again!
So, I reiterate: Using Microsoft and security in the same sentence is an oxymoron.
Yeah, I think I’ll trust them with my security! NOT!