Eric Schultze

Inside Microsoft Patch Tuesday: Revenge of the ActiveX Controls

By Eric Schultze
Microsoft has released nine bulletins today, five of them Critical, four of them Important. The bulletins cover a wide range of affected products – almost everything in your enterprise will need to be patched today with the exception of Internet Explorer. No IE patches this month! The majority of bulletin releases these days relate to client-side vulnerabilities – visit an evil website, open an evil document, or read an evil email and you’ll get hacked. These vulnerabilities are of greatest concern on the desktop, where end users are filling time between Mafia Wars power-ups and Facebook updates by visiting websites that may be hosting content of questionable repute. This month, there are five bulletins addressing these types of issues.

Inside Microsoft’s July Security Patch Batch

By Eric Schultze
Microsoft released six security bulletins today — three rated Critical and three rated Important. Two of the issues are being actively exploited on the Internet and four of the issues are client-side vulnerabilities, which means the exploit can only occur if a user visits an evil website or opens a malformed document.

Today’s release is important because patches were released for two recent 0-day attacks – a QuickTime file parsing vulnerability and the recently announced DirectShow vulnerability. Both vulnerabilities are reported as being actively exploited on the Internet.

Patch Counting: Horseshoes and Hand Grenades

By Eric Schultze
Like the old saying goes, “Close only counts in horseshoes and hand grenades.” I’ve developed a corollary this week, “The ‘number of flaws’ only matters to vulnerability assessment scanners and journalists.”
I’ve read many news stories this week talking about the record number of flaws/vulnerabilities that Microsoft fixed in the June ’09 Patch Tuesday release. For the record, I’m saying that none of this is relevant.

By Eric Schultze

Microsoft patched all Windows versions of PowerPoint today — addressing both a zero-day flaw and 13 other privately reported security vulnerabilities. The zero-day vulnerability enabled attackers to take over client machines if a user opened a malformed PowerPoint document or visited an evil website. The attacker would be able to execute code on the user’s machine with the same level of permissions afforded to the logged-on user. (If the user was logged on as an administrator, the evil code could execute as admin. If the user was logged on as a user-level account, then the evil code could only execute with user permissions and not admin permissions.)