Silicon Shecky

Infosec Practitioner

Connect

Out of Band Patches this week

By Leave a Comment

So it seems that a few vulnerabilities have rated out of band patches from Microsoft. One for Visual Studio and one for Internet Explorer. while they are not releasing the details of the patches yet, I”ll bet the IE one is to patch the drive by downloads that have been happening lately.

Read the information here.

I always find it interesting as to what Microsoft considers important enough to do an out of band patch. Last year one was to close up the hole that Cornficker used. Sometimes it seems that they should issue one and they don’t. Maybe someday we will understand the madness to their decisions.

Patch Tuesday for July

By Leave a Comment

Yep, that’s right, its that time of month where Microsoft’s servers get slammed. Its patch week.

This month some patches for holes that have Zero Day Exploits out for them already. Included in this is the Active X Video Hole, The Direct X Quicktime Hole, and the Open Type Font hole. The first two I had talked about when they came out, with the Direct X hole being the one that it looked like Microsoft had no serious plans of patching. Nice to be proven wrong.

There is no fix this month for Office Web components, which have recently come under attack. I expect this fix is being worked on and will be out soon. Considering the move to the cloud that people talk about, and that Office Web competes with Google Documents, they do need to secure it.

As always, I do recommend paying attention when you patch as one reader pointed out, you can choose not to install IE8, which still comes down as a critical patch, unless you download it and then stop the install of it, or tell the updater to hide the download of it. Yeah, its a pain, and unfortunately the everyday end user who we tell to make sure they install critical patches will still inadvertently install the sucker, we can at least try to educate them a little and not make the same mistake ourselves.

And the pain of Automagical Updates

By 1 Comment

Before I get started let me say this, I believe in patching, and updating systems and software. It is essential to security fo a system.

That being said, there is something to be said about forcing updated software by calling it a high priority update. Yep, I’m talking about IE8 yet again. Don’t get me wrong, I’ve used it, and for general web browsing, it is ok, although a lot of sites still seem broken when using it.Some of it is because of the higher security settings built into IE8 the rest because a lot of sites are not optimized for IE8 yet.

The problem is that it is listed as a high priority update, and if you have a machine set to automatically install critical updates, it gets automatically installed on your machine. This is totally against the statement from Microsoft that IE8 is optional. The non-tech person does not know to check, nor is expected to know how to decline the installation of something like IE8. All of a sudden this is costing my clients money, due to the fact that they have to pay me to remove IE8 and then reinstall IE7 on their machine.

Yeah, its nice for my revenu, but it makes the IT world look bad overall. Clients jsut want things to work, and I can’t blame them on that. I just want things to work also. Microsoft doesn’t seem to care about anything except market share and money, and with more and more viable options coming out, they better start learning that reputation means everything, and properly working software is the way to get more market share and money.