
Microsoft Vows to Make Permanent Fixes

In a widely quoted blog post, a member of the Microsoft Security Response Team has said that the fixes that Windows needs will be made on the upcoming Patch Tuesday, and that the fixes will stymie the bad actors who wish to cause trouble for some time.

from v3.co.uk

Microsoft will next week launch a number of security fixes designed to address vulnerability issues in ActiveX and DirectShow, among other systems.

According to Microsoft, the weaknesses have already attracted the attention of hackers and the firm is keen to fix them in its monthly patch update, set for 14 July.

Three of the issues are rated as ‘critical’ while the remaining three are rated as ‘important’. Microsoft is urging users to fix the issues as soon as possible and has provided guidance for firms on how best to prepare themselves for the patches.

Writing on his blog, Jerry Bryant of Microsoft’s security response team said, “I want to provide some clarity on two of the pending Windows updates mentioned. First, we will be addressing the issue concerning a vulnerability in DirectShow. As noted in the advisory, we are aware of limited active attacks and we have been working aggressively to get a quality update shipped to customers.

“Second, our engineering teams have been working around the clock to produce an update for the issue discussed in Security Advisory 972890 (vulnerability in the Microsoft Video ActiveX Control) and we believe that they will be able to release an update of appropriate quality for broad distribution that protects against the attacks we detailed in the advisory and in an MSRC blog post by Christopher Budd.”

Bryant encouraged customers in the meantime to continue to enable the workaround for the latter vulnerability “by running the ‘Microsoft Fix it’ solution in the associated knowledge base article (KB972890)”.

He also urged users to visit the Microsoft Security Research and Defence blog as well as the MSRC site on Tuesday for additional information.

It is becoming a question of what Microsoft will fix and what it will obfuscate, because if too much of the problematic code in XP is repaired, out goes one more reason to upgrade from the operating system that will not die.

from ComputerWorld

The fix for the ActiveX vulnerability won’t be a patch per se, said Reavey, but will instead be an automatic update that will set a large number of “kill bits” to disable the flawed control. The fix, then, will be the same as the manual workaround that Microsoft published Monday along with its advisory.

“This will block all known attacks,” promised Reavey, who added that Microsoft will continue its work on a full-fledged patch, which will be released at some point in the future. He declined to say whether that patch would be delivered “out-of-cycle” — outside the normal monthly update schedule — when it is ready.
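Because the update described above works by setting kill bits rather than replacing code, an administrator can confirm it took effect by inspecting the registry. The following is an added example, not code from the article or from Microsoft: it audits a `.reg` export of the ActiveX Compatibility key for the kill bit (`Compatibility Flags` value 0x400). The CLSIDs are constructed placeholders, since the page does not list the real ones, and the function names are hypothetical.

```python
import re

# A control is "killed" when bit 0x400 is set in its Compatibility Flags DWORD.
KILL_BIT = 0x400
COMPAT_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility"
KEY_RE = re.compile(r"\[" + re.escape(COMPAT_KEY) + r"\\(\{[0-9A-F-]{36}\})\]", re.I)
VAL_RE = re.compile(r'"Compatibility Flags"=dword:([0-9A-F]{8})', re.I)

# Constructed sample in .reg export format; the CLSIDs are placeholders, not real controls.
# (Real exports are UTF-16; decode the file before passing its text in.)
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-000000000001}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-000000000002}]
"Compatibility Flags"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-000000000003}]
"Compatibility Flags"=dword:00000401
'''

def parse_compat_flags(reg_text):
    """Return {CLSID: Compatibility Flags value} for every control listed in the export."""
    flags, clsid = {}, None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            key = KEY_RE.fullmatch(line)
            clsid = key.group(1).upper() if key else None  # ignore unrelated keys
        elif clsid:
            val = VAL_RE.fullmatch(line)
            if val:
                flags[clsid] = int(val.group(1), 16)
    return flags

def audit_kill_bits(reg_text, expected_clsids):
    """Classify each expected CLSID as 'killed', 'not set' or 'missing'."""
    flags = parse_compat_flags(reg_text)
    report = {}
    for clsid in (c.upper() for c in expected_clsids):
        if clsid not in flags:
            report[clsid] = "missing"      # no entry at all: workaround never applied
        elif flags[clsid] & KILL_BIT:
            report[clsid] = "killed"       # other flag bits may be set alongside 0x400
        else:
            report[clsid] = "not set"      # entry exists but the control can still load
    return report
```

Anything reported as "missing" or "not set" means the control can still be instantiated in Internet Explorer on that machine.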

Certainly the impetus is no longer there for Microsoft to fix these vulnerabilities, beyond one of honor. The question is whether or not that is enough.


A computer once beat me at chess, but it was no match for me at kick boxing. -
Emo Philips
