
Microsoft Patches 19 Flaws, 6 in Vista

Cheesy Balogna writes "Microsoft has just released seven advisories — all rated critical — with patches for at least 19 vulnerabilities affecting the Windows operating system, the widely deployed Office productivity suite and the dominant Internet Explorer browser. Six of the 19 vulnerabilities affect Windows Vista. 'There are patches for 7 different vulnerabilities that could lead to code execution attacks against Word, Excel and Office. Users of Microsoft Exchange are also urged to pay attention to one of the critical bulletins, which covers 4 different flaws. A cumulative IE update addresses six potentially dangerous bugs. There are the six that apply to IE 7 on Windows Vista. The last bulletin in this month's batch applies to CAPICOM (Cryptographic API Component Object Model) and could also put users at risk of complete system hijack attacks.'"

  • by Kandenshi ( 832555 ) on Wednesday May 09, 2007 @12:42PM (#19053333)
    Happened to me as well, which was ... confusing.

    Then I adjusted my thinking to Microsoft's point of view and tried to figure it out.

    Now that IE7 is patched, it's much more secure than Firefox could ever be! Changing IE7 back to default is much like a firewall, an ounce of prevention is worth a pound of cure eh? By trying to get us back using IE7 they're just trying to prevent all the malware from getting on our systems, much like most of the rest of the patches.

    It's a bit screwy, but that's the best rationalization I could come up with, anyone got a better one?
  • by SEMW ( 967629 ) on Wednesday May 09, 2007 @01:17PM (#19053953)
    Actually, the summary was incorrect regarding Vista: at least one of the vulnerabilities in question ("Uninitialized Memory Corruption Vulnerability CVE-2007-0944") is not present in Vista, and contrary to the summary's implication, only two out of the Vista vulnerabilities (CVE-2007-0945 and CVE-2007-2221) are rated critical.

    Not, of course, that this excuses MS in any way (two is still two too many), but the summary was still rather misleading.
  • Re:Linux patches? (Score:4, Informative)

    by abigor ( 540274 ) on Wednesday May 09, 2007 @01:18PM (#19053975)
    Slashdot is CmdrTaco's blog site. It is biased by its very nature. It makes no claims to objectivity or to be a "true" news site. To put it another way, it's an opinion site by design.
  • Re:Linux patches? (Score:2, Informative)

    by tknd ( 979052 ) on Wednesday May 09, 2007 @02:02PM (#19054825)

    Frankly, I'm now getting tired of the number of posts with the same tone as yours. You lament losing Karma in a sea of angry "Linux-zealot" mods, but I would guess you will be modded up, not down.

    But that's the problem. Had he not posted in that type of tone, he might not have gotten modded up. I've seen many good posts defending Microsoft products without flaming the opposition yet when they hit the 4 or 5 moderation marks, people keep trying to mod them down.

    I'm sure even if you removed all of the modded up Funny posts (which often are stabs at MS but cloaked with humor) I'm sure you'd see a clear anti-MS bias in moderation. That is, you're more likely to get modded up if you choose to post anti-MS comments.

    People here are also quick to mod up any frustration with MS products even when they're just flames, yet when you see the comments about frustrations for Apple or Linux, you often get responses to the person having frustrations showing good light for Apple/Linux/etc modded up, not the parent frustration.

  • by ThinkFr33ly ( 902481 ) on Wednesday May 09, 2007 @02:28PM (#19055289)
    Only 1 of the 6 bugs that affected Vista was rated "critical". (Critical is typically reserved for bugs that could allow somebody to remotely take over the machine.)

    In the case of the one bug [microsoft.com] that was rated critical, the rating was dependent on several mitigating factors, including that the user is running as full admin with UAC turned off. (Obviously not the default configuration.)

    Only in that scenario could the machine be compromised, and even then the successful execution of exploit code was unlikely thanks to ASLR and various other security measures. It was far more likely to simply cause a browser crash.

    Considering Vista has been out since November of last year, its security record [csoonline.com] so far has been extremely impressive.

  • by Anonymous Coward on Wednesday May 09, 2007 @03:31PM (#19056517)
    Are you sure Firefox is not actually the browser?

    http://www.zoliblog.com/blog/_archives/2007/3/26/2836828.html [zoliblog.com]
  • by ad0gg ( 594412 ) on Wednesday May 09, 2007 @03:40PM (#19056663)
    You can't separate IE from windows. It will break the windows help system which uses the IE renderer. It will break apps that depend on the IE engine (about boxes use this a lot with HTML/ActiveX that hooks into application). Removing IE Engine from windows would be like removing konqueror (really the KHTML engine) from KDE.
  • Vista patches (Score:3, Informative)

    by obeythefist ( 719316 ) on Wednesday May 09, 2007 @09:34PM (#19061397) Journal
    The vista patches are all just to disable the one-click activation hacks that are circulating.
