Coffeehouse Thread

14 posts

Updates from Microsoft's Security Response Center

Back to Forum: Coffeehouse
  • User profile image
    The Channel 9 Team

    The Microsoft Security Response Center this morning released seven bulletins to Windows update and the Microsoft download center. Two of these were rated "critical." Please update your computers.

    Also, today, Microsoft has released a download.ject cleaner tool to the download center. This tool will detect and clean compromised systems.

    More work continues and further updates will be released to microsoft.com/security.

  • User profile image
    manickernel

    ..most excellent.  Especially the patch for the shell and .chm vulns.

  • User profile image
    nektar

    So, there is still no fix for Internet Explorer. Or is there? The number of updates is confusing. You have to find and read the Technical info for each issue. To find it you have to search through technet or first go to the consumer info pages and click for more technical info. Then you have to read through everything, including the faq in order to know which oses are affected and in order to finally get the patch. The download center does not have a convenient place where all the patches are listed. You have to search for them. Plus Windows Update has posted an update for the BITS service for example. Why is there no mention of this on the Download Center? I believe that there should be an easier way of locating all Windows and other updates and not having to first learn by chance or by carefully reading anouncements about them and then having to search for them.

  • User profile image
    KnightOfNI

    If possible, could you guys take a picture of the Microsoft Security Response Center and post it here? Because I imagine it like the "ER" (from the series) Smiley I´d like to see it... Smiley

    Like....a red light flashes...."Red alert. Red Alert. All hands to battlestation"....hmmm...wait....wrong show....

    NI!

  • User profile image
    lars

    Don't forget to actually show the sleeping bags!

    /Lars.

  • User profile image
    Mike Dimmick

    nektar wrote:
    So, there is still no fix for Internet Explorer. Or is there? The number of updates is confusing. You have to find and read the Technical info for each issue. To find it you have to search through technet or first go to the consumer info pages and click for more technical info. Then you have to read through everything, including the faq in order to know which oses are affected and in order to finally get the patch. The download center does not have a convenient place where all the patches are listed. You have to search for them. Plus Windows Update has posted an update for the BITS service for example. Why is there no mention of this on the Download Center? I believe that there should be an easier way of locating all Windows and other updates and not having to first learn by chance or by carefully reading anouncements about them and then having to search for them.


    All the updates are on Windows Update, for Windows vulnerabilities and those of products for which Windows is the ship vehicle (e.g. Internet Explorer, Outlook Express).

    You're very non-specific - a 'fix' for what issue? The Shell.Application vulnerability everyone seems to be bringing up appears to have been fixed in MS04-024. MSRC rated this 'important' rather than 'critical' because it requires the user to visit a site - either a malicious site or, as we discovered in the case of Download.Ject, a compromised site.

    As I've said before, there was no vulnerability in the ADODB.Stream class - just a repurposing attack. There's no buffer overrun, information disclosure, or whatever - simply that the component can be used to upload files to the user's computer. The component isn't marked Safe For Scripting, so it could only be loaded if the security option 'Initialize and script ActiveX controls not marked safe' was enabled. This option is enabled in the Local Machine zone (prior to XP SP2), but disabled in all the other zones; the Download.Ject attack (from what I've been able to deduce from public reports) used a vulnerability which already had a patch available (MS04-013) to load the exploit code in the Local Machine zone.

    The previously posted patch for ADODB.Stream simply sets the 'kill bit' for that control - it can no longer be loaded by IE.

  • User profile image
    Stepto

    We're still working on the IE update.

    Oh and we'll have a video soon from the MSRC situation room.  I just went upscale and got a futon bed for my office.  Much better than the sleeping bag.  :>

    Lars did I mention we have a couple of native swedes on the MSRC team?

    S.

  • User profile image
    pacelvi

    After reading about all these updates and that they're avaialbe via WU, I'm sitting here thinking to myself, I dont remember seeing any of those.  Now I do have SP2RC2 with autoupdating turned on. So i know that if it did find updates it would install them.

    I think a human factor that may have been overlooked is that now I have no idea if I'm patched or not.. so in the process of writing this post, I am trying to determine if I am, and these are the steps I'm going through...

    - I am checking Windows Update first.. The only updates available are two hardware driver fixes.

    - I will check installation history in windows update.. it says "You have not installed any updateS"

    - I check settings.. nothign useful there

    - I check Admin Options.. I see "To quicky view which updates are deliveryed by Auto Updates, WIndows Update and WUS read this faq"

    - I click on it

    - I see this: Why can’t I view update details, installation history details, or troubleshooting articles?

    Maybe it's applicable to my problem?

    Though I never a warning about any blocked pop ups. I add the site to my exception list. Go back to Installation history, but there's no difference.

    I dont see anywhere else in WIndows update that might show this.

    I go to Control Panel System Updates but nothing there either.

    How do I know updates I have?

  • User profile image
    lars

    Stepto wrote:
    We're still working on the IE update.
    <snip>
    Lars did I mention we have a couple of native swedes on the MSRC team?


    There you go, both the problem and the solution defined. Then you'll be ready in a jiffy! Smiley

    Do they blog btw?

    /Lars.

  • User profile image
    Larry​Osterman

    pacelvi, I believe SP2 wasn't vulnerable to any of these, which is why you didn't see any updates.

  • User profile image
    Stepto

    That's correct, SP2 already contains the fixes.

    S.

  • User profile image
    leoflorin

    why are you waiting so long to release Win XP Service pack 2? It's been a long time coming.

    Another issue we face there is no one diagnosis tool to see if infected with an os virus. Have to look around for each individual one to detect? It is getting somewhat frustrating with these viruses.
     

  • User profile image
    pacelvi

    Granted I may not have needed them since Sp2 is so cool.. but can someone tell me where I would see the updates? As of today I can't say that I've seen any and there must be at least ONE in all this time.

    Thanks

    Vince.

  • User profile image
    Mike Dimmick

    For updates, subscribe to the Security Bulletin Notification Service mailing list at http://www.microsoft.com/technet/security/bulletin/notify.mspx.

    If you prefer your security bulletins in RSS format: http://www.microsoft.com/technet/security/bulletin/secrss.aspx.

Comments closed

Comments have been closed since this content was published more than 30 days ago, but if you'd like to continue the conversation, please create a new thread in our Forums, or Contact Us and let us know.