2/14/2008
For the February security bulletin release, Microsoft rolled out six "Critical" fixes--rather than the seven detailed in the advance notice--and five "Important" items.
This month's 11 patches--said to fix 17 total bugs--are the most Windows IT pros have seen since August, and with a greater variation of vulnerability plugs than at any time in the last 12 months, according to security experts.
"After several slow Patch Tuesdays, administrators are faced with the most patches they've seen in a year," said Paul Zimski, senior director of market strategy at Scottsdale, Ariz.-based Lumension Security. "Because so many critical patches affect so many applications--including Office, Internet Explorer and the operating systems themselves--these are widespread enough to have a bigger effect and they are going to require the utmost attention and energy."
Moreover, Zimski added, with many remote code execution flaws that don't require end user consent, the potential for malware, botnets and rootkits is rampant.
The first critical fix addresses what Redmond said was a "privately reported vulnerability" in the Web-based Distributed Authoring and Versioning Mini-Redirector, or WebDAV Mini-Redirector. WebDAV, which enables users to manage Web files on remote servers, is a set of extensions to the Hypertext Transfer Protocol, most commonly known as "http:." This remote code execution (RCE) flaw constitutes a hacker's dream: a scenario in which attackers can get in and take complete control of a system, manage and edit files and create new accounts with elevated user rights. The issue affects all Windows OS versions with the exception of Windows 2000 SP4.
Critical patch No. 2 also resolves an internally reported hole. It's designed to thwart attacks on Object Linking and Embedding (OLE) Automation, which is a proprietary software feature from Redmond that allows linking to documents, data and other objects on the Windows Component Object Model. For developers, it serves as a way to customize user interfaces. With a specially crafted Web page, an attacker could execute malicious code through OLE but the vulnerability would only really be damaging if it were to affect user workstations that have administrative profile parameters. The fix is for Windows, Office and Visual Basic programs on all OS versions, though only Windows 2000 SP4 and all editions of XP and Vista were labeled as "critical."
Yet another private vulnerability plug is designed to block bad code embedded in specially crafted Word documents. An attacker could send a Word file, get an unsuspecting user to open it, and then gain access. The vulnerability mainly affects Office SP3, Office XP SP3 and Office 2003 SP2.
The popular browser Internet Explorer was plagued with problems late last year, and the fourth critical bulletin will hopefully address most of those issues. Specifically, Redmond says this cumulative patch addresses three private bugs and one publicly reported one. Although these fixes--affecting all versions of IE up to and including IE 7 for Vista--are yet to be specified, once that patch is installed what's fixed and not fixed will come out in the rinse, security experts contend.