MS Monthly Patch Omits Word Zero-Days

bungee jumper writes "Microsoft released four bulletins with patches for 10 vulnerabilities but there are no fixes for known MS Word zero-day flaws that are under active attack, eWeek.com reports. The January batch covers critical bugs in Excel, Outlook, and Windows. The first confirmed Windows Vista flaw, a denial-of-service issue that was publicly released on an underground hacker site in Russia, also remains unpatched." eWeek notes that Microsoft originally scheduled eight bulletins for release, but pulled four last Friday without explanation.
  • Ummmm... (Score:5, Insightful)

    by needacoolnickname ( 716083 ) on Tuesday January 09, 2007 @07:24PM (#17532442)
    The patches caused more harm than good so they decided to pull them?

    Damn them for not releasing patches that make a more unstable system! Damn them I say!
    • Re: (Score:3, Funny)

      by marcello_dl ( 667940 )
      >The patches caused more harm than good so they decided to pull them?

      Not much of an excuse, considering that most Microsoft software causes more harm than good, yet they release it.

      *ducks*

      • Re: (Score:3, Insightful)

        Who are you ducking from around here?

        Sit back, relax, and wait for the Insightful rather than the Redundant moderation points to start rolling in on your comment.
  • by User 956 ( 568564 ) on Tuesday January 09, 2007 @07:24PM (#17532444) Homepage
    Microsoft released four bulletins with patches for 10 vulnerabilities but there are no fixes for known MS Word zero-day flaws that are under active attack

    Well, that's because there aren't any zero-day flaws. Microsoft changed the name to ">1 day flaws", thereby solving the problem forever.
  • Now we have to spend a few years rewriting before we can make a patch.
  • by ackthpt ( 218170 ) *

    It's OK, as long as they have the patch of the patch of the bug formerly known as Prince.

  • by GIL_Dude ( 850471 ) on Tuesday January 09, 2007 @07:35PM (#17532608) Homepage
    Local elevation of privilege is now considered a DoS attack on Vista? I guess even submitters don't have to RTFA here anymore to get published. I did read the article though since I was worried about any DoS attack for Vista and wanted to see what ports, processes, etc. it was using. All that was there though was a local only elevation of privs (where an authenticated user logged on to the box can get admin rights). Not good of course, but far from a DoS...
    • Re: (Score:2, Funny)

      --Local elevation of privilege is now considered a DoS attack on Vista?

      Absolutely. Considering that all the anti-user media playback programs are running under SYSTEM-like permissions, any sort of elevations breaks DRM.

      Not patching broken DRM means the media ogres get really mad.
    • Re: (Score:3, Informative)

      by Osty ( 16825 )

      Local elevation of privilege is now considered a DoS attack on Vista? I guess even submitters don't have to RTFA here anymore to get published.

      The submitter read the article, and then directly lifted that line right out of it. Is the submitter an idiot for confusing local privilege escalation with DoS? No, because he wasn't the one who made that claim. Is the article author an idiot for making that statement? Definitely. Is the submitter an idiot for directly quoting the article without attributing

    • Re: (Score:2, Insightful)

      by Anonymous Coward
      Whoa, I didn't realize that Vista has garnered a huge marketshare, cuz ya know, script children only target OS with the highest marketshare.
    • All that was there though was a local only elevation of privs (where an authenticated user logged on to the box can get admin rights). Not good of course, but far from a DoS...

      On the contrary, keeping in mind that Vista includes DRM I think it's very good that Vista security is at the usual Microsoft level. It may chain the user, but the chains are made from recycled tin cans, the links are hollow to save material, and the lock pops open when anyone looks at it funny :).

      I guess the one thing that can

  • Damn... (Score:4, Funny)

    by locokamil ( 850008 ) on Tuesday January 09, 2007 @08:17PM (#17533122) Homepage
    It's been 18 days since I've been able to us MS Word. My boss is very unhappy-- I may lose my job.

    Damn you Microsoft!
    • The lack of proper spelling bears out the truth of my last post...
      • The lack of proper spelling bears out the truth of my last post...
        What are you talking about? My spellcheck says it's fin. :P
    • Darn? (Score:3, Insightful)

      In case of emergency, break out the OpenOffice, specifically the "Writer" program. It can handle .doc files almost as well as Word, and it's free.
      Also consider e-mailing the .doc files to your home computer, since your boss is apparently keeping an eye on what software is on your work computer.
      Disclaimer:
      I am getting two MS Updates today--one for IE7, and the usual malware "stinger." I don't actually use IE--I updated it for security...
      This has actually been a better month for MS update-downloads than
      • I was joking. We're a Linux shop for the most part, and I spend most of my days in xemacs on a SLES 9.0 box (working on getting that changed), and read my mail in Pine. Office is overkill unless I'm trying to make something pretty, and even then, I use LaTeX. Never had to make a presentation, so powerpoint is not necessary-- we are most fortunate in that the management operates on the same wavelength as us cogs, and understands our ideas without pretty graphs and charts. :)
  • Skewed statistics (Score:5, Insightful)

    by fluffy99 ( 870997 ) on Tuesday January 09, 2007 @08:20PM (#17533150)
    If a particular vulnerability affects multiple versions of the program, you generally don't count them all as separate vulnerabilities. eWeek is counting MS07-02 as five separate patches, but really it's the same flaw in five different versions. How many people have multiple versions of Excel on their system anyway?
    • by segra ( 867730 )
      They are sold as different products; you can't just go and get a patch for Office XP to make it Office 2003.
    • Re: (Score:2, Informative)

      Actually, it's one patch that fixes five different vulnerabilities (CVE-2007-0027 through CVE-2007-0031). Some of these vulnerabilities appear in five different versions of Excel or Works; other appear in as few as three. So eWeek is closer to the truth than you think.
  • Microsoft is such a big company, you would think that they would have been able to solve this by now. Why couldn't they have, for example, had two or three different teams working on a patch, and then choosing the best solution? They could even offer a nice reward to the winning team as an incentive.
    • Software doesn't work like that. The more staff, the more bloat, the more breaking something new. At the end of the day the problem and fix have to be held in a single person's head. If the software is out of control and overly complex then this becomes impossible. Rewriting from scratch becomes the only answer. Code needs to be elegant to work well. That's why an elegant OS like Debian can be installed on a 386 - whereas a bloated OS like Windows needs a Cray to sit there and do nothing.
  • Default application (Score:5, Informative)

    by Bob54321 ( 911744 ) on Tuesday January 09, 2007 @09:02PM (#17533598)
    I just installed these updates and what I want to know is why updating Outlook makes it your default email application. I know I just have to click OK when I start Thunderbird again but it is annoying that I should even have to do that.
  • Seriously: I think I understand the original meaning of the phrase, to refer to known bugs in the first release of a piece of software, but we're talking about Office 2000 or maybe even earlier in some cases (although MS won't support the older stuff anyway), so what is "zero-day" supposed to refer to? Yes, I looked at Wikipedia, but their Zero-day page (or at least the US-English version) reads to me like a garbled mess.
    • Zero-day (to me) means an exploit is in the wild the same day the vulnerability is discovered/announced.

      My translation may be a garbled mess as well.

      • That or a hack created the day the software is released ( with etymology likely from game cracking groups ). The anonymous coward post about yours strikes me as a bastardization of proper usage for the term, likely caused by its ever more "buzzword" existence.
    • by Bacon Bits ( 926911 ) on Tuesday January 09, 2007 @11:24PM (#17534808)

      "Zero-day" is an exploit classification.

      It goes like this. Software has bugs. These bugs can cause security vulnerabilities, which are then published and patches issued to fix the vulnerabilities. Hopefully, all this happens before the black hats can take advantage of -- or exploit -- these vulnerabilities.

      An exploit of a vulnerability is the virus, worm, SQL injection, hack attempt, etc. itself. An exploit can be labelled "zero-day" when an in-the-wild exploit has been detected on the same day that the vulnerability was made known to the security industry. Most often, "zero-day" means "we learned there was a vulnerability when we found this exploit". This is rather like finding out the locks on your doors don't work when a thief has already been and gone. Zero-day exploits then will have a maximal timeframe to affect vulnerable systems since no work has been done on fixing the vulnerability (presumably).

      The Slammer worm, for example, was an *exploit* of MS SQL Server 2000. SQL Server 2000 had a buffer overflow vulnerability which was the subject of Slammer. Slammer was not zero-day, however, since this security vulnerability had been known about for many months and MS had already issued patches for it (six months prior to Slammer).

      The vast majority of exploits are *not* zero-day, but uninformed reporters for computer news services (like CNet, or anything Ziff Davis owns) are now using "zero-day" as a synonym for "new vulnerability" instead of the proper "new exploit to unknown vulnerability".

      • by markhb ( 11721 )
        Most often, "zero-day" means "we learned there was a vulnerability when we found this exploit".

        Now that makes sense. Thanks!
  • Am I the only one who glanced at that and saw

    "Ms. Monthly Patch" and thought "She's on the rag again?"
  • by staticdaze ( 597246 ) on Tuesday January 09, 2007 @09:47PM (#17534036)
    Anyone else read that as: MS Monthly Patch Omits Word "Zero-Days" ?

    They aren't zero day, they're "highly relevant to your enterprise investment"!
  • by anss123 ( 985305 )
    Lately I've received spam with images displayed in Outlook Express, despite said feature being blocked. The image links look like these: mhtml:mid://00000088/!cid:003e01c7342e$d54bc0c0@LocalHost

    Anyone know what this is about?

    • Re: (Score:2, Informative)

      by Anonymous Coward
      The image is embedded in the email. Thunderbird has the same "issue."
  • Details (Score:3, Informative)

    by jginspace ( 678908 ) <jginspace@nosPam.yahoo.com> on Tuesday January 09, 2007 @11:08PM (#17534674) Homepage Journal
    I've got into the habit of saving Microsoft's advance notifications using the wonderful Scrapbook [mozilla.org] extension.

    Here's the original:
    • Three Microsoft Security Bulletins affecting Microsoft Windows. The highest Maximum Severity rating for these is Critical. These updates will be detectable using the Microsoft Baseline Security Analyzer and the Enterprise Scan Tool. Some of these updates will require a restart.
    • One Microsoft Security Bulletin affecting Microsoft Windows and Microsoft Visual Studio. The highest Maximum Severity rating for this is Important. These updates will be detectable using the Microsoft Baseline Security Analyzer and the Enterprise Scan Tool. These updates will require a restart.
    • One Microsoft Security Bulletin affecting Microsoft Windows and Microsoft Office. The highest Maximum Severity rating for this is Important. These updates will be detectable using the Microsoft Baseline Security Analyzer. These updates may require a restart.
    • Three Microsoft Security Bulletins affecting Microsoft Office. The highest Maximum Severity rating for these is Critical. These updates will be detectable using the Microsoft Baseline Security Analyzer. These updates may require a restart.
    In the end there was only one Windows patch - a critical flaw in VML - along with critical patches for Outlook and Excel. The only 'important' patch was for Office 2003 but seemed to only affect the Brazilian Portuguese version.

    I was surprised to find, following the TFA, that eWeek [eweek.com] got hold of this last Friday.
  • Sorry to be so kiddish, but can someone explain to me what a zero day flaw is? I guess from Wikipedia, it's the number of days difference between a security vulnerability and exploit.
    • by Joebert ( 946227 )
      A zero day flaw is one that occurs on the zero day of the month, it's kinda like a leapyear, but it happens more often.
      What happens is that virus writers tend to release things on the zero day because it gives them an advantage against companies like Microsoft. Microsoft doesn't like to acknowledge that zero day exists because it's not widely accepted enough to place on calendars.
      Thus, virus writers get an entire day to test their products since Microsoft has to wait until the 1st day to issue a patch.
  • Microsoft fails to fix known problem in any less than six months? How could this possibly be? They've always been so prompt about that kind of thing.

    And while I'm at it, my unicorn swallowed my key to the TARDIS, can I borrow yours?
  • Does anyone else see the irony in: "a denial-of-service issue that was publicly released on an underground hacker site in Russia, also remains unpatched."
  • Microsoft originally scheduled eight bulletins for release, but pulled four last Friday without explanation.
    That's because all available developers were redeployed to design the iPhone killer to be codenamed "zone".