Critical Vista Flaw Leads Patch Tuesday Lineup
Update, April 11, 12:06 p.m.: An earlier version of this post incorrectly stated that Microsoft had re-issued a patch that it originally released on Tuesday, Apr. 3. The text below has been changed.
Original post:
Microsoft Corp. today issued a bundle of software updates to fix at least eight security flaws in its software, including a patch that plugs another dangerous vulnerability in Windows Vista. The free updates are available either from the Microsoft Update Web site or by turning on automatic updates.
This is the second time in a week that the company has shipped a patch to address a "critical" flaw in Vista. Microsoft labels security holes "critical" if they could be exploited by attackers to gain complete control over a vulnerable system through no action on the part of the victim. Last Tuesday, Microsoft pushed out an emergency fix to correct a bug in Vista and Windows XP that hackers have been actively exploiting to attack Windows users.
Security experts were quick to seize upon the Vista flaw as a harbinger of things to come. Amol Sarwate, manager of vulnerability research for security software vendor Qualys, said the most recent Vista hole to be documented is merely "the beginning of the weaknesses that we will see this year with Vista" and that Microsoft's reuse of code from previous versions of Windows threatens to undermine Microsoft's much-vaunted work on building security into its flagship operating system.
The Vista vulnerability (also present in XP systems) resides in a component of Windows that processes system error messages. The real danger that this flaw presents at the moment is that software blueprints showing would-be attackers exactly how to use the vulnerability to hijack vulnerable systems have been available online since December. No doubt more robust versions of that exploit code will appear in the coming days and weeks.
Eric Schultze, chief security architect for Minneapolis-based patch management company Shavlik Technologies, said the vulnerability that affects Vista is due to computer code carried over from Windows NT 4.0, a legacy version of Windows that predates even Windows 98.
"Microsoft has patched this particular component multiple times before," Schultze said. Given that Microsoft did not have time to do a wholesale re-write of Windows with Vista, "we're bound to see 10-15 more of these legacy vulnerabilities in Vista in this year alone," he said.
Johannes Ullrich, chief technology officer for the SANS Internet Storm Center, which tracks hacking trends, said two of the eight vulnerabilities fixed by this most recent patch bundle look like they could be easily exploited by computer worms able to spread to vulnerable machines and Internet servers without any user interaction.
One final note: An emergency patch that Microsoft pushed out on Apr. 3 appears to be causing problems for some people (including my poor stepmother) every time they go online. Microsoft has acknowledged that this patch can interfere with certain commonly installed hardware components, and if you're seeing an intermittent message complaining about "illegal System DLL Relocation" and/or a buggy file called "user32.dll," you're one of the unlucky few. The company has a fix available for anyone experiencing this problem. You can download and install it from this link.
By Brian Krebs | April 10, 2007; 4:57 PM ET
Latest Warnings, New Patches, Safety Tips
Posted by: Chad | April 10, 2007 6:36 PM
"Given that Microsoft did not have time to do a wholesale re-write of Windows with Vista..."
Huh? How is FIVE YEARS not enough time? I guess they spent so much time figuring out how to cripple the machine if you play a blu-ray dvd to get the basics right.
When will people realize the emperor has no clothes?
Posted by: James | April 10, 2007 10:21 PM
OMG! You mean to tell me Vista has to be patched???? Oh, the humanity!
Microsoft didn't re-invent the wheel with Vista???? Backward compatibility?? Who needs that??????
Security researchers salivating at the possibility of Vista vulnerabilities??? And waiting to throw it in everyone's face? Who'd a thunk?
>>>
This post is just plain ol' FUD!!!!
Posted by: Bill Gates | April 11, 2007 12:24 AM
I was web surfing from a limited user account with the security slider all the way to the top. A message appeared saying the MSFT patch had been installed, and my machine would automatically restart to complete the installation. There was no option to delay the restart beyond the few minute timer that appeared on the screen. Must have been an important patch. Someone was sufficiently worried about this vulnerability to wait for anything.
Posted by: Mike | April 11, 2007 5:10 AM
I installed the 4 security patches on an HP desktop running XP SP2 Media Center, and found that the machine won't shut down automatically now. It just sits there with the 'shutting down' screen, at least for a couple minutes, and has to be turned off manually. Does anyone have a suggestion?
Posted by: wolf25 | April 11, 2007 8:23 AM
James is correct. If MS is still reusing code from the early 1990s, then it is fully two decades behind Apple.
I am sick and tired of MS parading around saying their OS is the most secure ever, when clearly they are more interested in market share than minimization of security flaws.
Posted by: cayman | April 11, 2007 12:24 PM
GREAT........................................................................................... I just started the Vista update on our PC before I had a chance to see this. I am writing this on a MAC as the NEW PC BOX runs the upgrades now. I think I should have just went with my gut feeling and bought another MAC?
Posted by: Larry Wangelin | April 11, 2007 12:31 PM
Don't be so quick to condemn Microsoft on the basis of a few security researchers' conjecture and a couple of Vista patches!
"Microsoft is frequently dinged for having insecure products, with security holes and vulnerabilities. But Symantec, no friend of Microsoft, said in its latest research report that when it comes to widely-used operating systems, Microsoft is doing better overall than its leading commercial competitors."
Posted by: TJ | April 11, 2007 11:24 PM
Not in our stars, but in ourselves.
The problem seems to be not that MICROSOFT or anybody else isn't perfect, but that we smile about people using our property to their own ends and screwing us over in the process.
Give me a physical address and I will be pleased to drop by and beat to dust those who do such things.
It's a tried and generally true method, and I am sure it would take less time and effort and money than following the giggling, tut-tutting, passive people (like me to this point) who seem to feel cyberjerks are somehow not jerks at all but cute little folk who are ingeniously exploiting the system.
Posted by: sijit44 | April 12, 2007 12:39 AM
For Mike above: your shutdown issue might show a need for Microsoft's "uphclean" service (User Profile Hive Cleanup). This makes sure that reluctant processes respond properly to kill signals at shutdown. Available from download.microsoft.com.
There are versions for Windows XP, Vista, and possibly other systems.
Posted by: Mark | April 12, 2007 10:22 AM
Thanks Mark. I think wolf25 had the machine that wouldn't shut down, but making sure the profile hive is clean sounds like something that maybe I should check out too. I've never cleaned the hive to make sure no extraneous entries are in it.
Posted by: Mike | April 14, 2007 8:59 AM
My computer is unable to do a system restore, never had a problem in the past.
I noticed on restore points 4/4/07 and 4/12/07 a reference to(software distribution service 2.0)
I knew that I had not put this software on my system.
I went to the internet and looked up (software distribution service 2.0) and many sites came up with many complaints. Complaints like they could no longer do a system restore, missing files and pictures, slower system, system backup problems and crashes.
I have a missing financial file, that is why I wanted to do a restore, now I am worried maybe something else is going on.
I think it is related to Microsoft's so called critical updates for 4/03/07 and 4/11/07. Those updates are KB932168, KB930178, KB931261, KB931784, KB925902.
Whatever is going on, I am unable to do a system restore, even restore points before the updates will not restore.
My system's Ram has been affected as well, running much slower.
Posted by: Sherry | April 15, 2007 1:04 AM
Purchased new HP (AMD64X2 4600, 2G RAM) in February with Vista HP. All worked well with Firefox. Beginning late March/early April, Firefox started to terminate, followed by blue screen crash. Restored OS to out-of-box status, followed by Vista auto-updates; reinstalled Firefox, same thing happened time after time. Uninstalled Firefox, including profiles, and switched to Opera. After one day, same crash/blue screen scenario. Anyone have similar experience? Is there a Microsoft conspiracy against IE competitors?
Posted by: David | April 21, 2007 1:29 PM
Vista was written so they could spend more time on Longhorn. As they needed more time they told you all Longhorn will become known as Vista. Well, you believe anything they tell you. Have you ever wondered why all those fancy looks and features never appeared?
Posted by: Anonymous | May 6, 2007 7:58 PM