Catch up on stories from the past week (and beyond) at the Slashdot story archive

 


Forgot your password?
Close
typodupeerror
×
Security Windows

Microsoft Plugs "Drive-By" and 14 Other Holes 189

Posted by kdawson from the clip-clop-clip-clop-bang dept.
CWmike writes "Microsoft today patched 15 vulnerabilities in Windows, Windows Server, Excel, and Word, including one that will probably be exploited quickly by hackers. None affects Windows 7. Of today's 15 bugs, Microsoft tagged three 'critical' and the remaining 12 'important.' Experts agreed that users should focus on MS09-065 first and foremost. That update, which was ranked critical, affects all still-supported editions of Windows except Windows 7 and its server sibling, Windows Server 2008 R2. 'The Windows kernel vulnerability is going to take the cake,' said Andrew Storms, director of security operations at nCircle Network Security. 'The attack vector can be driven through Internet Explorer, and this is one of those instances where the user won't be notified or prompted. This is absolutely a drive-by attack scenario.' Richie Lai, the director of vulnerability research at security company Qualys, agreed. 'Anyone running IE [Internet Explorer] is at risk here, even though the flaw is not in the browser, but in the Win32k kernel mode driver.'"
This discussion has been archived. No new comments can be posted.

Microsoft Plugs "Drive-By" and 14 Other Holes More

Microsoft Plugs "Drive-By" and 14 Other Holes

Comments Filter:

  • That's shocking! (Score:3, Interesting)

    by Rik Sweeney ( 471717 ) on Wednesday November 11, 2009 @09:24AM (#30059132) Homepage

    They thank someone from Google for helping them spot the vulnerability! It's in the acknowledgements:

    http://www.microsoft.com/technet/security/Bulletin/MS09-065.mspx [microsoft.com]

  • Would the big customers know more? (Score:5, Interesting)

    by 140Mandak262Jamuna ( 970587 ) on Wednesday November 11, 2009 @09:32AM (#30059182) Journal
    From the article

    But while Storms speculated that Microsoft knew the EOT font flaw was a security issue -- and waited until now to patch older Windows -- Lai thought that Microsoft didn't realize until recently that it was also a security vulnerability in editions prior to Windows 7. "I think they fixed this bug as part of the code sanitization during [Windows 7's] development cycle. It was actually only publicly disclosed recently, and then they patched it in other Windows

    The article is speculating what did Micrsoft know and when did it know it etc. Microsoft's standard line defending its security through obscurity policy is, "we are not providing any details because it is going to help the hackers". But what about its big customers? Almost all businesses do not care much about its small customers. So forget small timers. But Microsoft has to coddle its big Fortune500 company customers. Would they be informed, even under confidentiality agreements and non disclosure agreements, which platforms and applications are vulnerable?

    How do these big companies justify being so meek and acquiescing to Microsoft? If these Fortune 500 companies chip in 100,000$ a year, they can create an Institute of Software Interoperability and go towards reducing their switching costs. Microsoft has total revenue of more than 25 billion dollars, and a significant chunk comes from these big companies. They pay off has to be enormous for these companies.

  • Re:Yay, tight integration of browser with OS... (Score:2, Interesting)

    by jspenguin1 ( 883588 ) <jspenguin@gmail.com> on Wednesday November 11, 2009 @10:18AM (#30059702) Homepage

    According to Microsoft, the Windows kernel improperly parses Embedded OpenType (EOT) fonts, which are a compact form of fonts designed for use on Web pages.

    One question: Why is the kernel parsing fonts?

  • OK, just a second now... (Score:3, Interesting)

    by FatdogHaiku ( 978357 ) on Wednesday November 11, 2009 @10:32AM (#30059908)
    I gotta wonder about the line:
    'Anyone running IE [Internet Explorer] is at risk here, even though the flaw is not in the browser, but in the Win32k kernel mode driver.'
    Why aren't users of other browsers on the older Win platforms vulnerable? Is there some other risk or problem that is being ignored or even concealed?

    Man, I can't believe I got that out without laughing...

  • Re:Yay, tight integration of browser with OS... (Score:1, Interesting)

    by Anonymous Coward on Wednesday November 11, 2009 @11:07AM (#30060370)

    Anybody else think something is integrated with something else in a deeply, deeply wrong way here?

    This flaw is in font rendering, and oddly enough was a similar flaw just fixed in the mac as well.

    It has to do with invalid downloadable fonts that then get rendered.

  • "Opt-in" Is The Wrong Term (Score:3, Interesting)

    by EXTomar ( 78739 ) on Wednesday November 11, 2009 @01:15PM (#30062248)

    It isn't quite true to suggest people don't "opt-in to patching" on any Windows product. It is more the case the process is arcane and confusing to some users. And worse still, the system trains the rest of the users to blindly accept things that look like "official updates" when they are really malware. I've lost track on the number of times someone asked me what was going on when the WGA thing pops up. The way it is worded and framed seems to freak users out and I see why: Going for months with a legit copy and suddenly getting challenged makes people wonder if they accidentally broke or misconfiguration their system. That means many hit cancel because Microsoft gave these worried users a choice of "Do you want to take the chance breaking your system? Yes or No?"

Slashdot Top Deals

This file will self-destruct in five minutes.

Close