Silicon Shecky

Infosec Practitioner


Zero-Day Exploit: A Tale of Two Companies

March 22, 2009 By Michael Kavka

It is interesting watching how different companies look at patches and security holes. It is more interesting to see one giant seem to fail at prompt patching for a Zero-Day exploit, while another gives a basic time frame and is pretty much right on as far as when the fix will be out. Of course, the two companies I am talking about are Adobe and Microsoft.

Adobe released the patch for the JavaScript vulnerability in all of its Acrobat products this past week. They had said they would have patches out by the 18th, when the flaw was pointed out by Symantec back in February. That is pretty prompt if you ask me. They acknowledge a serious flaw, say when they hope to have a patch available to close it, and then hit that time frame.

The fact of the matter is a great many pieces of software, both closed and open source, take these flaws and vulnerabilities seriously, and are very prompt in patching the holes. Yeah, you hear Open Source people talk about how much quicker they are able to patch things, but they tend to refer to Microsoft, and don’t think about all the other companies out there.

That does bring us to case 2, which just happens to be Microsoft. Back in January, a Zero-Day exploit in Excel was found. Now if a flaw like this had been found in Internet Explorer or Windows, we might have a patch for it already, probably released Out Of Band (not on the normal Patch Tuesday every month). Instead, with it only being Excel, we are nearing the end of March, and still no patch for it. Now mind you, this exploit was found a month before the Adobe one. Last I checked, Excel was a very popular program, used by a lot of individuals and companies. Yet, Microsoft still has no patch for it.

Sure you can say that Excel is a complex program, but so is every program out there in this day and age. Sure you can say that Microsoft is working on it, except I haven’t heard anything about a patch from Microsoft. No expected time frame on getting a patch out, no nothing. Yes, this is the sort of thing the Open Source people feed on, and I can’t blame them.

I use both Microsoft and Open Source software, so don’t think I’m bashing something I don’t use. Microsoft as a company has come a long way in their patch management, but they still have a long, long way to go. Then again so does Linux, but that will be an editorial for another day.

I just want to know that I’m not going to have to deal with clients who get hit by the Excel exploit. Please get us our patch.

Filed Under: Computers Tagged With: Acrobat, Adobe, Excel, Exploit, Microsoft, Patches, Security

Patches for Firefox

March 5, 2009 By Michael Kavka

So it seems that we have a new set of patches for Firefox, and that the next version has a little change to it.

The article I have read indicates that there are a bunch of critical issues patched up with yesterday’s update to Firefox, but that none have been exploited. What seems to be the biggest thing has been some issues that cause memory corruption and crashes. Now I’m not a programmer, but that sounds to me like a big deal. The real question is, how long will it take for the autoupdate feature of Firefox to get the update? It’s the one failure in my mind of the browser. I know I hear about an update, and sometimes the autoupdate doesn’t get it for a month or longer. With critical patches, you would think it would get to you a little sooner than that.

Also in the article the next release of Firefox is now 3.5. Makes sense if you ask me, since they are doing a heck of a lot to the browser, but not quite enough to warrant it being called 4.0.

Filed Under: Computers, Internet/Music Tagged With: Firefox, Internet, Patches, Security, updates

And things break again

February 17, 2009 By Michael Kavka

So, while reading the other blogs and news sites I check daily, I came across this interesting article. It seems that Microsoft’s .NET 3.5 SP1 has caused yet more problems. This time with Exchange 2007 on SBS 2008. With this latest issue that has now cropped up with .NET 3.5, it’s time to remember a few things…

1) In Microsoft’s defense, they can’t test everything before releasing stuff. That is why hot fixes exist.

2) Never just accept patches. Always find a way of testing them yourself, even if it is on a personal machine, and research the patches also to see what problems others have had. The more reports you find, the more prepared you can be about any issues with it.

I know they are simple thoughts, but just watching how Microsoft has screwed up with this latest version of .NET, it just amazes me that people don’t think of these things. Course, I am one to speak.

Filed Under: Computers Tagged With: .Net, .Net 3.5, Exchange, Exchange 2007, Microsoft, Patches, SBS 2008, Server, Small Business Server, Windows, Windows 2008 SBS
