Quantcast
PC World: Technology Advice You Can Trust
Search
Browse by Topic
Subscribe to magazine

Magazine

Subscribe & Get
a Bonus CD

Customer Service

Audio & Video Business Center Cameras Cell Phones & PDAs Desktop PCs Gadgets Gaming HDTV Laptops Macs & iPods Monitors Printers Software Spyware & Security Storage Upgrading Windows Vista & XP
Resource Centers
Asus Notebook Center
Intel Technology Center
CDW Solution Center
Lenovo Laptop Showcase
Try It Free
White Paper Library
Webcast Library
Most Popular Search Terms
Most Popular Products
Most Popular Downloads
Today at PC World
Today @ PC World
News, opinion, and links from the PC World staff.
Recent entries in this blog:
Tuesday, October 09, 2007 1:41 PM PT Posted by Stuart Johnston

Too Early For Halloween, It's Patch Tuesday

Thirty years or so ago, when I was on the road as a solo musician, there were mornings when I'd wake up and not know where I was. Too proud to look in the night table for the hotel matches, I'd go . . . "hmm, if this is Tuesday, this must be Yellowstone . . . or is it Portland?"

While those days are long gone, sometimes I still get that giddy feeling of waking up and not being absolutely clear where I am. But not on Patch Tuesday. That is, on the second Tuesday of every month, Microsoft issues its latest horde of security bug patches for its products.

Microsoft released six patches today. A couple of them plug holes that are not as dangerous as the others. For instance, not a lot of home users are going to be using Office SharePoint collaboration software, since that's primarily a business product. Additionally, Microsoft's security mavens have tagged that one as "important" ? the second highest level in Microsoft's four-tier severity rating scale.

A second patch, also rated "important" affects how most versions of Windows use what's called "remote procedure calls" ? that is, program commands sent to your PC over the Internet. If you have your firewall properly configured, this shouldn't happen anyway, but at worst, according to Microsoft's security bulletin, a successful attack will result in a "denial of service," which could cause your PC to "stop responding and automatically restart."

A third patch only affects you if you are running Window 2000, or upgraded your PC from Windows 2000 Service Pack 4 to Windows XP, and you have Kodak Image Viewer, which was bundled with Windows 2000, installed. Then, in order to be attacked ? note there have been no attacks to date ? you'd need to click on a malicious link or visit a Web site with a poisoned URL such as a renegade banner ad.

Microsoft has designated this one as "critical," the highest ranking in the company's severity scale. But, to be fair, not a lot of consumers bought Windows 2000 and even fewer probably upgraded to XP. That said, if you're in that subset of folks who meet the criteria, be sure to patch this one.

The most significant patch this time around, however, is a cumulative update for Internet Explorer 5.01 (on Windows 2000), 6.0 and 7.0 that fixes three holes, all of them "critical."

First off, the term "cumulative update" means that this patch contains all the previous patches that have come out for IE. So if you've been remiss in installing the last several IE patches, installing this one will bring you up to date.

This patch also fixes two flaws that could let an attacker trick you into thinking you were at a familiar site ? say your online bank -- while you are really in the clutches of an attacker's site.

In fact, if you were to only adopt one patch this month, this is it. "We're recommending customers focus on [the cumulative update] given the pervasiveness of Internet Explorer," Don Leatham, director of solutions and strategy for Lumension Security (formerly PatchLink), told me earlier today. "[What's dangerous] is the idea that you would think you've left a site, but still be on that site," he added.

These are referred to as "browser entrapment bugs," and they work by letting a bad guy's program "spoof" IE's address bar. That is, IE's address bar says you're at one URL while you are actually somewhere else. That can be very dangerous because you might think you're logging into your bank when you're really giving away your user name and password. What's more, one of these spoofing bugs has already been publicly disclosed, though no attacks have been detected yet, according to Microsoft.

A third bug in IE Microsoft is not giving much detail about other than to say that it's a script handling error that can result in memory corruption ? which is usually a codephrase meaning it's a "buffer overflow" vulnerability. Again, there have been no attacks and no proof-of-concept exploits published as of now. But here too, a successful exploitation of the flaw could result in a classic drive-by download or something equally as nasty.

. . . To be continued.

Comments
Post a comment Post a comment
Recent Posts
More Bad News for Blu-Ray
McCain Pushes Fair Use on YouTube
Firefox Update Enters Beta
Googling Is Good For Your Brain
Apple vs. the Economy: Can the New Macs Really Sell?
Motorola, Verizon Deliver ZN4 Touch-Screen: Krave
Pimp Your Flip Mino with Customizable Designs
Archives
View posts from:
 

PC World's Marketplace

PC World's Free Whitepapers

QUICK LINKS: cheap laptops cell phones laser printers HDTV reviews LCD TV Plasmas digital cameras laptop reviews security antivirus windows vista reviews digital camera reviews inexpensive desktop LCD wide screen monitors
tech news tech blogs community & forums laptop prices software reviews downloads
About UsContact UsAdvertiseASME GuidelinesNewslettersFAQIDG InternationalMagazine Customer Service
© 1998-2008, PC World Communications, Inc.Terms of Service AgreementPrivacy PolicyCommunity Standards
RSS FeedsXML

Visit other IDG sites: