Search
Search titles only
By:
Search titles only
By:
Log in
Register
Search
Search titles only
By:
Search titles only
By:
Menu
Install the app
Install
Forums
New posts
All threads
Latest threads
New posts
Trending threads
Trending
Search forums
What's new
New posts
New ads
New profile posts
Latest activity
Free Ads
Latest reviews
Search ads
Members
Current visitors
New profile posts
Search profile posts
Contact us
Latest ads
Colombo
RidhMathraa ’26 🎶✨
Tmadhusanka
Updated:
Wednesday at 11:58 PM
Ad icon
Colombo
PXN V10 Pro Direct Drive Racing Wheel (Under Warranty)
Abdur Rahman
Updated:
Wednesday at 10:23 PM
Ad icon
USDT ණය සේවාව - USDT Loan Service
පුරවැසියා
Updated:
Wednesday at 4:54 PM
Ad icon
🎮 INDIAN PSN GIFT CARDS AVAILABLE NOW! 🎮
madukaperera
Updated:
Tuesday at 12:57 PM
🚀 Google AI PRO – 18 Months | Rs. 850 Only
lkkolla
Updated:
Monday at 4:56 PM
Electronics
Vehicles
Property
Search
Reply to thread
Forums
Computers & Internet
Problems and Troubleshooting
Microsoft issues massive security update for Windows, Office
Get the App
JavaScript is disabled. For a better experience, please enable JavaScript in your browser before proceeding.
You are using an out of date browser. It may not display this or other websites correctly.
You should upgrade or use an
alternative browser
.
Message
<blockquote data-quote="lkdood" data-source="post: 2637222" data-attributes="member: 92282"><p><strong>Microsoft Corp. today released its largest security update in 18 months to patch 26 vulnerabilities in Windows, Office, Internet Explorer (IE), Windows Messenger and other software.</strong></p><p><strong></strong></p><p><strong>"Today is a perfect storm of client-side issues," said Amol Sarwate, manger of Qualys Inc.'s vulnerabilities research lab. "Most or all of Microsoft's client-side applications are affected or patched."</strong></p><p><strong></strong></p><p><strong>At least two of the vulnerabilities have already been exploited in the wild, Microsoft acknowledged. Those two, plus another pair, said one security researcher, should be considered "zero-day" bugs because technical details about the flaws had been circulating prior to today. </strong></p><p><strong></strong></p><p><strong>"It's all about the count today," Sarwate said. "This is the largest update in 2008, and the largest in the last 18 months. We have two that we know have been exploited and four zero-days."</strong></p><p><strong></strong></p><p><strong>Even though today's updates -- 11 total bulletins, six of which were tagged as "critical," Microsoft's highest threat rating -- set a 2008 record, Microsoft left one expected fix off the table. Last week, it said it would patch one or more critical flaws in Windows Media Player 11, the version bundled with Windows Vista.</strong></p><p><strong></strong></p><p><strong>Microsoft has yanked updates at the last minute in the past, and the company typically cites reliability concerns with the patch or says it was not able to wrap up testing in time. It did the same today. "The bulletin has been removed prior to today's bulletin release because of a last-minute quality issue," said Christopher Budd, a spokesman for the Microsoft Security Response Center (MSRC) in an e-mail.</strong></p><p><strong></strong></p><p><strong>Of today's 11 updates, two were most anticipated: a patch for a bug in the Snapshot Viewer ActiveX control, which is bundled with Access, Microsoft's database application, and one for a less-critical flaw in Microsoft Word that the company confirmed in a July 8 security advisory. The former was patched by MS08-041, while the latter was fixed by MS08-042.</strong></p><p><strong></strong></p><p><strong>The Snapshot Viewer and Word vulnerabilities have been exploited by attackers, making them especially important to patch, Sarwate said.</strong></p><p><strong></strong></p><p><strong>Andrew Storms, director of security operations at security vendor nCircle Network Security Inc., saw two major themes in the massive update. "There's a lot of file-parsing vulnerabilities here," he said, " and a ton of replacement bulletins."</strong></p><p><strong></strong></p><p><strong>File-format bugs are not new to Microsoft's software, especially the applications in its Office suite, but the number patched today -- a full dozen altogether -- took Storms by surprise. "Every Office product got touched today," he said. "The good thing is that if Office 2007 [applications] are affected, they're less affected, because the file format changed with that version."</strong></p><p><strong></strong></p><p><strong>File-format vulnerabilities -- like the ones patched in Excel (MS08-043), Office in general (MS08-044) and PowerPoint (MS08-051) -- remain valuable to attackers, Storm maintained.</strong></p><p><strong></strong></p><p><strong>"They'll continue to pop up because the file formats, the older formats in particular, have been so well documented outside of Microsoft," Storms said.</strong></p><p><strong></strong></p><p><strong>On the theme of replacement bulletins, Storms noted that seven of the 11 updates unveiled today replace earlier Microsoft security patches. "It's not unusual to have a few, and by 'a few' I think of one or two, maybe three, but we're looking at a full deck here.</strong></p><p><strong></strong></p><p><strong>"It tells me that one of the best ways to find new vulnerabilities continues to be to look at what Microsoft has patched in the past and what they might have missed when they did," Storms said.</strong></p><p><strong></strong></p><p><strong>That tactic pays dividends, he argued, citing the large number of replacement updates as proof. "Absolutely, this works. You look in the same area of code as the fix Microsoft applied. Maybe the function call they patched here is being used somewhere else."</strong></p><p><strong></strong></p><p><strong>While Microsoft addressed six critical vulnerabilities in its IE browser today with MS08-045, it did not tackle a bug first reported in 2006 that returned to the limelight in May 2008 when security researcher Aviv Raff claimed that it could be combined with the so-called "carpet bomb" flaw in Apple Inc.'s Safari. Apple and Mozilla Corp. have patched their browsers to prevent the kind of blended threats that Raff has outlined.</strong></p><p><strong></strong></p><p><strong>Microsoft also issued a separate security advisory today that announced it had set the "kill bits" for a pair of third-party ActiveX controls from Hewlett-Packard Co. and Aurigma Inc. The practice, which debuted in April, lets Microsoft disable vulnerable ActiveX controls remotely through its Windows Update service.</strong></p><p></p><p><span style="font-size: 9px"><a href="http://www.satlk.com/redirect-to/?redirect=http%3A%2F%2Fcomputerworld.com%2Faction%2Farticle.do%3Fcommand%3DviewArticleBasic%26articleId%3D9112450" target="_blank">computerworld</a></span></p></blockquote><p></p>
[QUOTE="lkdood, post: 2637222, member: 92282"] [B]Microsoft Corp. today released its largest security update in 18 months to patch 26 vulnerabilities in Windows, Office, Internet Explorer (IE), Windows Messenger and other software. "Today is a perfect storm of client-side issues," said Amol Sarwate, manger of Qualys Inc.'s vulnerabilities research lab. "Most or all of Microsoft's client-side applications are affected or patched." At least two of the vulnerabilities have already been exploited in the wild, Microsoft acknowledged. Those two, plus another pair, said one security researcher, should be considered "zero-day" bugs because technical details about the flaws had been circulating prior to today. "It's all about the count today," Sarwate said. "This is the largest update in 2008, and the largest in the last 18 months. We have two that we know have been exploited and four zero-days." Even though today's updates -- 11 total bulletins, six of which were tagged as "critical," Microsoft's highest threat rating -- set a 2008 record, Microsoft left one expected fix off the table. Last week, it said it would patch one or more critical flaws in Windows Media Player 11, the version bundled with Windows Vista. Microsoft has yanked updates at the last minute in the past, and the company typically cites reliability concerns with the patch or says it was not able to wrap up testing in time. It did the same today. "The bulletin has been removed prior to today's bulletin release because of a last-minute quality issue," said Christopher Budd, a spokesman for the Microsoft Security Response Center (MSRC) in an e-mail. Of today's 11 updates, two were most anticipated: a patch for a bug in the Snapshot Viewer ActiveX control, which is bundled with Access, Microsoft's database application, and one for a less-critical flaw in Microsoft Word that the company confirmed in a July 8 security advisory. The former was patched by MS08-041, while the latter was fixed by MS08-042. The Snapshot Viewer and Word vulnerabilities have been exploited by attackers, making them especially important to patch, Sarwate said. Andrew Storms, director of security operations at security vendor nCircle Network Security Inc., saw two major themes in the massive update. "There's a lot of file-parsing vulnerabilities here," he said, " and a ton of replacement bulletins." File-format bugs are not new to Microsoft's software, especially the applications in its Office suite, but the number patched today -- a full dozen altogether -- took Storms by surprise. "Every Office product got touched today," he said. "The good thing is that if Office 2007 [applications] are affected, they're less affected, because the file format changed with that version." File-format vulnerabilities -- like the ones patched in Excel (MS08-043), Office in general (MS08-044) and PowerPoint (MS08-051) -- remain valuable to attackers, Storm maintained. "They'll continue to pop up because the file formats, the older formats in particular, have been so well documented outside of Microsoft," Storms said. On the theme of replacement bulletins, Storms noted that seven of the 11 updates unveiled today replace earlier Microsoft security patches. "It's not unusual to have a few, and by 'a few' I think of one or two, maybe three, but we're looking at a full deck here. "It tells me that one of the best ways to find new vulnerabilities continues to be to look at what Microsoft has patched in the past and what they might have missed when they did," Storms said. That tactic pays dividends, he argued, citing the large number of replacement updates as proof. "Absolutely, this works. You look in the same area of code as the fix Microsoft applied. Maybe the function call they patched here is being used somewhere else." While Microsoft addressed six critical vulnerabilities in its IE browser today with MS08-045, it did not tackle a bug first reported in 2006 that returned to the limelight in May 2008 when security researcher Aviv Raff claimed that it could be combined with the so-called "carpet bomb" flaw in Apple Inc.'s Safari. Apple and Mozilla Corp. have patched their browsers to prevent the kind of blended threats that Raff has outlined. Microsoft also issued a separate security advisory today that announced it had set the "kill bits" for a pair of third-party ActiveX controls from Hewlett-Packard Co. and Aurigma Inc. The practice, which debuted in April, lets Microsoft disable vulnerable ActiveX controls remotely through its Windows Update service.[/B] [SIZE=1][URL="http://www.satlk.com/redirect-to/?redirect=http%3A%2F%2Fcomputerworld.com%2Faction%2Farticle.do%3Fcommand%3DviewArticleBasic%26articleId%3D9112450"]computerworld[/URL][/SIZE] [/QUOTE]
Insert quotes…
Verification
Dawasata paya keeyak thibeda?
Post reply
Top
Bottom