No patches for serious flaws in IE8 or Windows 7 on Tuesday

Gary · Jan 11, 2010, 07:45:27

Quote" The software maker on Thursday said January's Patch Tuesday will include a single bulletin that fixes a vulnerability that carries a severity rating of "critical" in Windows 2000 and "low" in all other versions of the operating system. That's one of the slimmest ever offerings since Microsoft began the practice of releasing security fixes on the second Tuesday of every month.

That may lighten the load on IT admins, but it also means potentially serious vulnerabilities known to affect Internet Explorer 8 and Windows 7 will be allowed to fester for at least another 28 days"

Tthe IE 8 bug can enable attacks against people browsing websites that are otherwise safe to view. The flaw can be exploited to introduce XSS, or cross-site scripting, exploits on webpages, allowing attackers to inject malicious content and code. Ironically, it resides in a feature Microsoft added to harden the browser against that very type of attack.

Also remaining unfixed is a bug that allows an attacker to completely lock up systems running windows 7 and Windows 2008R2. The flaw, which resides in the OSes' SMB, or server message block, can be triggered remotely by sending malformed traffic that specifies incoming packets that are smaller or larger than they actually are. SMB is a network protocol used to provide shared access to files and printers.

Courtesy of El Reg.

Now that the internet nasties know this, they will use those vectors as attack paths even if they are not being used now, I wonder sometimes if telling people this sort of stuff is wise $:-\$

somanyholes · Jan 11, 2010, 10:39:18

QuoteI wonder sometimes if telling people this sort of stuff is wise

You really are embracing the apple way Gary

Full disclosure is the way to go in my opinion, at least let people know what they are up against and try to find work arounds etc.

esh · Jan 11, 2010, 16:50:16

Browser flaws are blown totally out of proportion. If you have ad servers blocked and don't go on suspicious websites you are safe as you can reasonably expect. Are you absolutely safe? Of course not. Are you going to be absolutely safe once they patch this latest hole? No. All the IE hate is now fairly unsubstantiated since I find IE7 and IE8 to be quite reasonable and not the bug-ridden leaky sieve than IE5 and IE6 were. IE4 used to crash my computer at least once per day. Things have certainly come a long way.

Secondly, a flaw in the SMB protocol? If you have SMB open on your router, I think you should be worried about more than that exploit.

As always, common sense goes a long way.

Gary · Jan 12, 2010, 00:02:20

Quote from: somanyholes on Jan 11, 2010, 10:39:18
You really are embracing the apple way Gary Full disclosure is the way to go in my opinion, at least let people know what they are up against and try to find work arounds etc.

I agree with full disclosure, as for embracing the apple way, I resent that as you do not know me at all, also thats not what I am suggesting, I'm aware as many others of how evil Apple is along with Google, I just like their products, Apple that is. Letting the bad guys know that critical patches wont be patched for 28 days seems.....a bit like yelling the combination to a safe across a busy bar, so, yes tell who needs to be know, but when there is not much you can do to protect yourself and its an OS issues is that general knowledge always wise? Things like Adobe Zero day flaws yes we all need to know or not use them as I do. Broadcasting a open door for a month just seems foolish, after all surely responsible disclosure is better?

Gary · Jan 12, 2010, 00:04:18

Quote from: esh on Jan 11, 2010, 16:50:16
Browser flaws are blown totally out of proportion. If you have ad servers blocked and don't go on suspicious websites you are safe as you can reasonably expect. Are you absolutely safe? Of course not. Are you going to be absolutely safe once they patch this latest hole? No. All the IE hate is now fairly unsubstantiated since I find IE7 and IE8 to be quite reasonable and not the bug-ridden leaky sieve than IE5 and IE6 were. IE4 used to crash my computer at least once per day. Things have certainly come a long way.

Secondly, a flaw in the SMB protocol? If you have SMB open on your router, I think you should be worried about more than that exploit.

As always, common sense goes a long way.

I was not bashing IE, all browsers are unsafe, esh. I was just regurgitating what I had read on El reg.

somanyholes · Jan 12, 2010, 08:04:20

Gary apologies if I have caused offense, that wasn't the intention, it was just that what you said sounded very much like that which
comes out of the apple camp, this was also not a dig at apple.

In an ideal world responsible disclosure should be done first, then when the vendor doesn't respond, which happens a lot, full disclosure
should then occur.

esh · Jan 12, 2010, 11:35:13

Some russian group only today announced they are going to dump a massive load of vulnerabilities from a vast swathe of commercial software on their website, apparently after trying for months to get any response from vendors.

Rik · Jan 12, 2010, 11:35:58

Makes you glad to be alive, doesn't it.

somanyholes · Jan 12, 2010, 12:41:33

QuoteSome russian group only today announced they are going to dump a massive load of vulnerabilities from a vast swathe of commercial software on their website

Any linkage mate ?

esh · Jan 12, 2010, 13:49:04

Actually it was yesterday, heh. I have been awake all night again. Anyway, he's already posted some stuff on Sun's directory server, as seen at http://intevydis.blogspot.com/ complete with example code. He's probably going to do the 1-a-day thing that seems traditional in these circles. He works for a security research firm out of Moscow.

He's also got stuff like IBM DB2 (root vulnerability!) and MySQL buffer overflows coming up, or so he claims.

somanyholes · Jan 12, 2010, 14:01:16

Thanks for that, Will keep an eye on it

Noreen · Jan 13, 2010, 11:43:04

Three security updates for Vista this morning.

Rik · Jan 13, 2010, 11:52:26

Four for XP, but mostly Office 2003.

Noreen · Jan 13, 2010, 12:14:12

Talking of XP, have you seen this? http://www.microsoft.com/technet/security/advisory/979267.mspx

Rik · Jan 13, 2010, 12:17:22

No, thanks for that Noreen...

Glenn · Jan 13, 2010, 16:33:47

I have 2 for Win 7, and one for Office 2007

Gary · Jan 20, 2010, 01:38:00

Quote from: somanyholes on Jan 12, 2010, 08:04:20
Gary apologies if I have caused offense, that wasn't the intention, it was just that what you said sounded very much like that which
comes out of the apple camp, this was also not a dig at apple.

In an ideal world responsible disclosure should be done first, then when the vendor doesn't respond, which happens a lot, full disclosure
should then occur.

Apology excepted, and sorry if I wa over zealous So, had a cr@p week and things can be read the wrong way when fuming over events out side forum, no hard feelings