Wednesday, July 14, 2010

Microsoft Patch Tuesday: one CRITICAL patch, and the end of support for Windows 2000 and XP SP2

Microsoft's Patch Tuesday for July 2010 was a small but very important one. SANS rates patch MS10-042 as "PATCH NOW", its highest rating. It affects only Windows XP and Windows Server 2003, not Vista or Windows 7. This patch fixes a vulnerability that is being actively exploited right now, so if you are still running XP, get patching! Here are links to, and some excerpts from, articles about this month's patch set.

July 2010 Microsoft Black Tuesday Summary
Overview of the July 2010 Microsoft Patches and their status.

Important: with today's patches, support for XP SP2 officially comes to an end. There will be no more patches for XP SP2 after today.

US-CERT Current Activity: Microsoft Releases July Security Bulletin
Microsoft Releases July Security Bulletin
added July 13, 2010 at 01:25 pm

Microsoft has released updates to address vulnerabilities in Microsoft Windows and Office as part of the Microsoft Security Bulletin Summary for July 2010. These vulnerabilities may allow an attacker to execute arbitrary code.

US-CERT encourages users and administrators to review the bulletins and follow best-practice security policies to determine which updates should be applied.

Here's the official Microsoft TechNet Blog entry about this, with links:

July 2010 Security Bulletin Release - The Microsoft Security Response Center (MSRC) - Site Home - TechNet Blogs
Hi everyone. As part of our usual monthly update cycle, today Microsoft is releasing four security bulletins to address five vulnerabilities in Windows and Microsoft Office.

Microsoft patches critical bugs in Windows, Office
Microsoft today patched five vulnerabilities in Windows and Office, including a bug hackers have been exploiting for almost a month.

As expected, today's patch slate was short: Just four security updates that included fixes for five separate flaws. Of the four updates, three were rated "critical," the highest threat ranking in Microsoft's four-step scoring system. All five of the specific vulnerabilities patched today were also rated critical.

Two of the bulletins affected Windows, while the remaining pair impacted Office. Four of the five vulnerabilities in the bulletin quartet were pegged by Microsoft with an exploitability index score of "1," meaning that the company expects attacks to materialize in the next 30 days.

But there were few surprises. Last week Microsoft revealed that the two Windows updates would address already-acknowledged bugs in Windows XP and Windows 7.

Microsoft Security Updates, and a Farewell to Windows XP Service Pack 2 — Krebs on Security
Microsoft today released software updates to fix at least five security vulnerabilities in computers running its Windows operating system and Office applications. Today also marks the planned end-of-life deadline for Windows XP Service Pack 2, a bundle of security updates and features that Microsoft first released in 2004.

Four out of five of the flaws fixed in today’s patch batch earned a “critical” rating, Redmond’s most severe. Chief among them is a bug in the Help and Support Center on Windows XP and Server 2003 systems that’s currently being exploited by crooks to break into vulnerable machines.

... Anyone still using Windows 2000 should take note of this important change: After today, Microsoft will no longer be shipping security updates or any other updates for Windows 2000 machines.

One interesting thing about MS10-042 is that the vulnerability it fixes was disclosed to Microsoft only 33 days before it was fixed. There has been a LOT of chatter about whether or not this vulnerability should have been made public the way it was, but there is no question that making it public got Microsoft to patch it very quickly.

MS Patch Tuesday: Googler zero-day fixed in 33 days | ZDNet
Last month, when Google researcher Tavis Ormandy released details on a critical Help and Support Center vulnerability that exposed Windows XP and Windows Server 2003 users to malicious hacker attacks, Microsoft was publicly unhappy with the decision.

Ormandy claims he spent five days negotiating with Microsoft for a 60-day patch window and decided to go public only when the company could not provide him with confirmation that it would issue a prompt fix.

Now, just 33 days later, Microsoft has shipped MS10-042 as a “critical” bulletin to cover the hole which has already led to in-the-wild malware attacks.

The fact that Microsoft pushed out a fix in just 33 days — much shorter than the average time it takes to issue a fix for a Windows vulnerability — is a boost to full-disclosure advocates who argue that Ormandy’s actions actually helped to secure the ecosystem.
