
News

Microsoft Releases 6 Critical Patches

2/14/2008

For the February security bulletin release, Microsoft rolled out six "Critical" fixes--rather than the seven detailed in the advance notice--and five "Important" items.

This month's 11 patches--said to fix 17 total bugs--are the most Windows IT pros have seen since August, and with a greater variation of vulnerability plugs than at any time in the last 12 months, according to security experts.

"After several slow Patch Tuesdays, administrators are faced with the most patches they've seen in a year," said Paul Zimski, senior director of market strategy at Scottsdale, Ariz.-based Lumension Security. "Because so many critical patches affect so many applications--including Office, Internet Explorer and the operating systems themselves--these are widespread enough to have a bigger effect and they are going to require the utmost attention and energy."

Moreover, Zimski added, with many remote code execution flaws that don't require end user consent, the potential for malware, botnets and rootkits is rampant.

The first critical bulletin addresses what Redmond describes as a "privately reported vulnerability" in the Web-based Distributed Authoring and Versioning Mini-Redirector, or WebDAV Mini-Redirector. WebDAV, which lets users manage files on remote Web servers, is a set of extensions to the Hypertext Transfer Protocol (HTTP). The remote code execution implication is a hacker's dream: an attacker who gets in could take complete control of a system, view and edit files, and create new accounts with full user rights. The issue affects all Windows OS versions with the exception of Windows 2000 SP4.

Critical patch No. 2 also resolves an internally reported hole. It is designed to thwart attacks on Object Linking and Embedding (OLE) Automation, a proprietary Microsoft feature that allows linking to documents, data and other objects through the Windows Component Object Model; for developers, it serves as a way to customize user interfaces. Using a specially crafted Web page, an attacker could execute malicious code through OLE, but the vulnerability would be most damaging on user workstations where the logged-on user has administrative rights. The fix covers Windows, Office and Visual Basic on all OS versions, though only Windows 2000 SP4 and all editions of XP and Vista were rated "critical."

Yet another privately reported vulnerability is plugged by a fix designed to block malicious code embedded in specially crafted Word documents. An attacker could send a Word file, get it opened by an unsuspecting user, and then gain access to the system and do as they please. The vulnerability mainly affects Office SP3, Office XP SP3 and Office 2003 SP2.

The popular Internet Explorer browser was plagued with problems late last year, and the fourth critical bulletin will hopefully address most of them. Specifically, Redmond says this cumulative patch addresses three privately reported bugs and one publicly reported one. Although the details of these fixes--which affect all versions of IE up to and including IE 7 on Vista--have yet to be specified, security experts contend that what is and is not fixed will come out in the wash once the patch is installed.
