Tag Archives: vulnerabilities

Microsoft Security Updates for July 2008

Padlock graphicMicrosoft has released four security bulletins for July 2008, two of which are for desktops.

MS08-038 addresses a vulnerability in Windows Explorer and is for Windows Vista and carries an “important” rating. The update includes the original Vista, Vista SP1 and Vista x64.

MS08-037 addresses a vulnerability in DNS and is for Windows 2000 SP4, Windows XP SP2 & SP3, and Windows XP x64 original release & SP2. it’s rated as “important”. [Updated: This patch is part of a coordinated, multi-vendor DNS patch.]

These patches, and the others, also affect server OS’s. There’s no Internet Explorer update this month.

Also, Microsoft will begin rolling out an update to Windows Update later this month. Last time they did this they catch grief for updating PCs that were set to “do not update”. This time around they’ll be doing things differently and won’t update PCs set to not update.

Microsoft Security Bulletins for April 2008

Another "Super Tuesday" patched this week but I just got around to firing up my Windows VM’s today (actually it’s been about 12 days since I’ve been in Windows). There were ten updates waiting for me on Windows Vista and eight on Windows XP Home, although not all were security related.

This month’s updates included:

KB945553 (MS08-020) – Vulnerability in DNS client could allow spoofing. This is rated as "Important" for all supported desktop OS’s except Windows Vista SP1, which doesn’t need the update.

KB948590 (MS08-021) – Vulnerability in GDI could allow remote code execution. This is rated as "Critical" for all supported desktop OS’s.

KB944338 (MS08-022) – Vulnerability in VBScript and JScript Scripting Engines Could Allow Remote Code Execution. This is rated as "Critical" for all desktop OS’s except Windows Vista, which doesn’t need the update.

KB948881 (MS08-023) – Critical security update for ActiveX killbits. This is required for all supported desktop OS’s, although the severity ranges from "Important" to "Critical".

KB947864 (MS08-024) – Cumulative security update for Internet Explorer. As expected, all supported versions of IE get the update and all are rated "Critical".

KB941693 (MS08-025) – Vulnerability in Windows Kernel could allow elevation of privileges. This one has an "Important" rating for all supported desktop OS’s.

There were also some security patched for applications. MS08-018 patches a Project vulnerability while MS08-019 patches a vulnerability in Visio. I don’t run either Project or Visio so I didn’t install the updates.

The Malicious Software Removal Tool, Junk Email Filter update (Vista only, in my case at least) and Windows Defender definition updates were also included.

I also received KB938371 (on my Vista SP1 vm) which is an updated needed to add or remove Vista SP1. Since I received Vista SP1 successfully I already had some of the components. According to the bulletin Vista SP1 install "will only install the new components in this rereleased update."

Non-security related patches included an update to Live Writer and a optional Group Policy patch. For some reason my Windows XP Home installation also received .NET 2.0 SP1 although it appears that it was released back in December and I installed the base .NET 2.0 in early January, two patch Tuesday’s ago.

As expected, a reboot was required. So far I haven’t encountered an differences or problems since applying the updates. A subset of these updates also installed on my Windows Home Server and I covered the WHS March Updates here.

Microsoft Security Bulletins for March 2008

Microsoft has released 4 security bulletins for March. All are for Office products and all are rated critical for one or more of the affected products. There weren’t any OS or IE updates this month. Since I don’t run any Office products I didn’t install any Microsoft updates this month, but these were the updates:

MS08-014 is a security update that patches several vulnerabilities in Microsoft Excel. Microsoft Excel 2003 Service Pack 3 and Microsoft Excel 2007 Service Pack 1 are not affected but other versions of Excel are vulnerable. Vulnerable versions include Office 2004 and Office 2008 for the Mac. The Office 2007 Compatibility pack is also vulnerable as is the Excel 2003 viewer.

MS08-015 is a critical update for Microsoft Outlook. Microsoft Outlook 2007 Service Pack 1 is not vulnerable but all other versions are vulnerable.

MS08-016 is a security update for Microsoft Office. Vulnerable versions include Microsoft Office 2000 Service Pack 3, Microsoft Office XP Service Pack 3, Microsoft Office 2003 Service Pack 2, Microsoft Office Excel 2003 Viewer (base version & Service pack 3), and Microsoft Office 2004 for Mac.

MS08-017 is a critical update for Microsoft Office Web Components. Client vulnerabilities include Microsoft Office 2000 Service Pack 3, Microsoft Office XP Service Pack 3, Visual Studio .NET 2002 Service Pack 1, and Visual Studio .NET 2003 Service Pack 1.

While none of these patches apply to me, my Windows Vista Home Premium and Windows Vista Ultimate installations did have three updates waiting in Windows Update. The Windows Malicious Software Removal Tools, the March Update for the Windows Mail Junk E-Mail filter, and a generic "Update fir Windows Vista" described as:

Update for Windows Vista (KB946041)

Download size: 581 KB

You may need to restart your computer for this update to take effect.

Update type: Recommended

This is a reliability update. This update resolves some performance and reliability issues in Windows Vista. By applying this update, you can achieve better performance and responsiveness in various scenarios. After you install this item, you may have to restart your computer.

More information:

Windows Update also includes Microsoft Silverlight 1.0 as an optional installation. I decide to go ahead and install it. The updates installed without any issues, a restart was required. The first time I went to a Microsoft website I had to except the Silverlight license agreement and enable Silverlight itself.

Microsoft Security Bulletins for February 2008

Microsoft released 11 security bulletins for February 2008, six are rated critical and five are important.  My Windows XP Pro SP2 installation received the following updates through Windows Update:

MS08-010 – Cumulative Update for Internet Explorer (critical)

MS08-007 – Vulnerability in WebDAV Mini-Redirector Could Allow Remote Code Execution (critical)

MS08-008 -  Vulnerability in OLE Automation Could Allow Remote Code Execution (critical)

A reboot was required.

I’m running the Windows Vista SP1 Release Candidate so I didn’t get any updates on that machine. I don’t run MS Office apps so I avoided those updates too. I’m all updated out so I’m not going to cover the other updates. Suffice it to say that any copies of Windows or Office you have will get updated. For more information you can read CNet’s article which has the Cliff Notes version of the MS Bulletins.

Security Quest #14: Apple Releases Security Patches

Lock in B&W Apple released Security Update 2007-009 for OS X 10.4.11 Tiger and OS X 10.5.1 Leopard on Monday. The Apple support article lists 41 vulnerabilities that were patched. Patched components include Core Foundation, CUPS, Flash Player Plug-in, Launch Services, perl, python, Quick Look, ruby, Safari, Samba, Shockwave Plug-in, and Spin Tracer. The update requires a reboot.

The Leopard update was a 35.4MB download on my Intel Macs through Apple Automatic Update. It’s also available as a 35.6MB standalone download. There are two versions for Tiger. The PPC version is a 15.9MB standalone download and the Universal version is a 27.4MB standalone download.

I applied the update to my iMac, MacBook and Mac Mini. All are running OS X 10.5.1 Leopard on Intel cpu’s. I’ve been running the update for a little over a day without a specific problem but have had some new instability. Not necessarily due to the updates, but they are new problems.

On my iMac Parallels is a bit unstable. Windows XP SP2 is having some network connectivity issues and some keyboard issues. On the network side of things some connections time out through Windows while connecting fine in OS X. There’s so many potential failure points for Internet sites it’s hard to point the finger at the update and be sure. The keyboard issue within Parallels is more annoying. Sometimes the VM starts up in caps mode (while staying lower case in OS X) until I restart the VM. It also buffers keystrokes and falls behind my two-finger typing. But, I haven’t seen any info that others are experiencing the problem.

My MacBook has gotten the gray screen of death once since the update. It was soon after startup and Safari was the only app running. I think that was the first OS crash for the MacBook. It’s been OK since and I’m using it now.

The problems can’t be tied to the update and they aren’t persistent, but my Macs have been stable and the updates were the last change before the problems occurred. That’s usually the place to start.


Spam Counts

Time to start keeping track of my spam again, at least for awhile.

Spam to my primary GMail mailbox (which manages multiple email addresses) has had seven spam messages in the last 30 days. What’s interesting is which e-mail addresses were used. Back in October when I redesigned the web site I decided to stop using two addresses which appeared on the site. I removed one at that time. I missed the second one and it still appears on the web site in clear text/html since I removed the obfuscation plug-in. The one in clear text since October picked up three email messages that are clearly spam. The address that I removed was picked up by a software company and I received three "promotional" emails from them. You could say they’re on topic for the blog but there’s no unsubscribe link and GMail sees them as spam.  The seventh spam email was sent to my Yahoo email which I’ve never given out. I canceled AT&T/Yahoo as my ISP but the email account remains.

A GMail address I use extensively picked up 2 spam messages in the last 30 days, both blocked by GMail. I don’t use this account with places that are high spam risks but I’m actually surprised there’s not more yet.

A third GMail address that gets used almost exclusively where there’s a high risk of spam received 154 spam emails in the last thirty days. This is less than 50% of what the count was in June. On June 24th there were 343 spam messages in the previous 30 days.

Much to GMail’s credit their spam filter works well for me a they didn’t let anything through and didn’t flag anything I wanted.

I use the Spam Karma plugin for WordPress on this website. So far its caught 7,341 spam comments.


News & Links

Apple.com: About the security content of Java Release 6 for Mac OS X 10.4 – Apple released a java security update for mac OS X 10.4 Tiger. I don’t have any Macs running Tiger so don’t have any first hand experience.

Apple.com: Safari 3 Beta Updated – Safari 3.0.4 beta for Windows XP/Vista.