SOFTWARE PATCH FACTORY
Microsoft has been telling the world plus dog more about the mega patch that it released on Tuesday.
While IT departments are frantically trying to deal with the Vole's bumper patch update, Microsoft has provided a smattering of details about one of its bigger problems related to the Transport Layer Security and Secure Sockets Layer (TLS/SSL) protocols in general and its Windows Secure Channel security package.
The problem was fixed by critical security bulletin MS10-049, which addresses the flaw in Windows Server 2008, Windows 7 and 12 other supported versions of the Windows OS, including XP and Vista. But just in case you were thinking of not rolling out that particular patch, the Vole is saying that you really should.
Left unpatched, the Windows Secure Channel vulnerability could allow attackers to perform "man-in-the-middle" attacks on TLS/SSL connections, warned Microsoft.
Jason Miller, data and security team manager at Shavlik Technologies, told Technet that the speed at which this fix was issued, and its importance, shows that the Vole has been chatting with other vendors to make sure that everything gets fixed.
The release of security bulletin MS10-049 shows that Microsoft is again working with the industry on vulnerability management, since the TLS/SSL vulnerability was "not just Microsoft's problem" but affected the entire IT industry.
Yesterday the Vole provided an updated statement on the zero-day Windows kernel-level clipboard vulnerability uncovered last week by independent security researchers.
Microsoft said that it will not release a security advisory for the heap overflow problem affecting all supported Windows versions.
It said that for the problem to be exploited, it has to be an inside job and the attacker must have valid log-on credentials on the target system and be able to log on locally, or must already have code running on the target system.
This means that there will be no out-of-band patch, but the Vole said that it will fix the problem in a future security update. µ
"for the problem to be exploited, it has to be an inside job and the attacker must have valid log-on credentials on the target system and be able to log on locally, or must already have code running on the target system"
Is social engineering an application that users (most of whom run as administrators) download and execute an "inside job"? I hope those harmed by this exploitation of Microsoft's sloppy coding get together for a nice class action lawsuit. And perhaps people will start reconsidering the wisdom of paying so much to a company with lax security practices which tries to limit its liability via a draconian EULA.