Microsoft Patch Tuesday (February 2007)

JDMurray

Yes, fellow Windows users, it's "Patch Tuesday" once again. This month provides a veritable landslide of security updates from Microsoft for not only Windows (especially XP), but also Office (Word, Excel, Outlook, and PowerPoint) and IE7. Many of the Office patches fix security vulnerabilities that have existed in Word and Excel for a loooooong time. Run Windows Update on all your machines now!

Oh, if there is anyone else besides me who was having problems with their USB mouse suddenly not being recognized by Windows Vista, there is a now a patch for it. When switching between Vista and XP using a KVM switch, Vista would eventaully stop responding to USB mouse input, forcing me to use a second, "fail-over" USB mouse. Now that problem seems to be patched.

Slowhand

Yup there was a whole mountain of updates today. There was even a brand-spanking-new junk mail filter for Outlook 2007.

JDMurray

Slowhand wrote:

There was even a brand-spanking-new junk mail filter for Outlook 2007.

One wonders what took them so long to add a filter that most other popular email clients have had as a standard feature for years. Does this filter report to Microsoft the address of every email that you receive, like the IE7 phishing filter reports every URL you surf to? I'm soooooo glad that I switched to using Mozilla Thunderbird and FireFox (and Google Gmail) a long time ago.

Slowhand

The junk mail filter is updated with just about every patch Tuesday. I'm guessing it's a new set of rules and filters. It's been around for quite a bit, for each incarnation of Outlook.

JDMurray

I wouldn't expect a junk mail filter to require periodic definition updates like a Spyware and A/V scanners do (Windows Defender does download periodic updates). The junk mail filters are suppose to train themselves when the user marks an email as junk. The filter with Thunderbird does a pretty good job after it has been train with a few hundred spam emails. When a bunch of spam emails get through the filter it means that the spammer have changed their patterns (again).

Here is the actual Microsoft Security Bulletin Summary for February, 2007 which describes each security update, but not the non-security-related fixes.

royal

I agree that the Thunderbird junk mail filter does a pretty good job at filtering mail. I used to use it for a little over a year. I then started using Gmail with Pop3 enabled that sends e-mail to my Outlook. This way I have my e-mail archived in g-mail when I need to retrieve old data when I'm not able to access Outlook, and I also have my e-mail already filtered. Gmail does an extremely good job at filtering junk mail. With Gmail, I get about 100-200 junk mails every day and I've only had 2 e-mails in the past year get past the filters into my Outlook.

JDMurray

icroyal wrote:

Gmail does an extremely good job at filtering junk mail. With Gmail, I get about 100-200 junk mails every day and I've only had 2 e-mails in the past year get past the filters into my Outlook.

Yes, I completely agree that Gmail does a great job of filtering spam, and I've abandoned my Hotmail and Yahoo Mail accounts primarily because of that.

Here's the link for the Update for Outlook 2003 Junk E-mail Filter (KB924885) patch. It looks like it only adds additional junk email filtering rules. I wonder why this isn't a more frequent update.

keatron

The most interesting thing I find about all this is simply the fact that Microsoft actually now has a relatively effective patching system in place. From a security standpoint I've seen this directly influencing several things. One of which is the fact that more and more exploits are now being written against not Windows itself, but other applications that are commonly installed on Windows boxes. Some of the most common ones are Norton Antivirus, Symantec Backup Exec, McAfee, Mozilla, and many others. It's leading to interesting developments in the security world. As Microsoft has started to get it's act together security wise (kinda), attackers are now targeting these other applications as these apps usually have some type of privilaged access to the kernel. The scary part is the fact that not many companies have the resources to **** into patch management and security updates (like Microsoft does). I'll make it even more plain. I taught an advanced pentesting class in November, we used about 6 MS security vulnerabilites as exploits (3 weren't publically known). By the time the December patch Tuesday came around, they had fixed 4 of the 6. By the middle of January, there were patches for all 6 of the ones we used. Now, we also looked at some exploits against Backup Exec, Backup Exec remote agent, and Norton. To date, every last one of those exploits STILL work, as there have been no fixes released. We are now seeing the first big wave of owning the Windows box via trusted third party apps. It will indeed be interesting to see how the industry responds to this trend (once it becomes the norm).

sprkymrk

keatron wrote:

One of which is the fact that more and more exploits are now being written against not Windows itself, but other applications that are commonly installed on Windows boxes. Some of the most common ones are Norton Antivirus, Symantec Backup Exec, McAfee, Mozilla, and many others.

keatron wrote:

We are now seeing the first big wave of owning the Windows box via trusted third party apps. It will indeed be interesting to see how the industry responds to this trend (once it becomes the norm).

Exactly the same trend I am seeing from a DoD perspective. With almost every DoD site now having it's own WSUS server in place, and the upstream top-level WSUS servers firmly established, Windows and Office updates no longer cause the frantic visit to every desktop like they did 2-3 years ago. The problems are now focused on third party apps as Keatron mentioned because many smaller installations/sites don't have SMS or something similar to handle the mass rollouts of these updates. The ones I see most frequently include flash, adobe, java, quicktime, etc. Trend Micro just had a big remote exploit too. Symantec AV hasn't had a bad one since the SAVCE 10.1.401 patch a year ago, but there have been other Symantec products that have needed attention. Additionally, besides trusted third party apps there is always Cisco IOS updates and Oracle quarterly updates. These are both much more difficult to quickly update than any MS vulnerabilities.

JDMurray

The big problem is when Microsoft decides to release a fix for a specific Windows or application vulnerability. For the past several months, the security community has waited for Microsoft to release patches for known vulnerabilities in Word and PowerPoint (and Excel?) that could be exploited by corrupted files. Each Patch Tuesday these fixes were not made available, and the security blogs and podcasts kept asking why Microsoft was sitting on these critical fixes for such widely-used applications. It appears that this month the fixes were released, but why the multi-month wait is still a mystery. (It's likely that either Microsoft didn't not believe that these vulnerabilities could be easily exploited, or were being exploited, or the fixes themselves required rigorous testing to assure full backward-compatibility with exiting Office document files.)

Plantwiz

Maybe some strange marketing reason??? It keeps people 'talking' about the product...and you don't really see people switching off MS products due to these known vulnerabilites...IT may personally use other apps, but how many business clients really switch? They all want MS.

JDMurray

Plenty of organizations use Linux and MySQL on the server side because they don't want to pay the M$ licensing fees. But on the client side, I wonder how many organizations try Linux and OpenOffice on the desktop and end up switching back to Microsoft. I've been part of an OpenOffice-on-Windows experiment, and we ended up going to MS Office only because it came with the new Dell workstations we ordered. (Clever Microsoft, clever...)

bighornsheep

keatron wrote:

One of which is the fact that more and more exploits are now being written against not Windows itself, but other applications that are commonly installed on Windows boxes. Some of the most common ones are Norton Antivirus, Symantec Backup Exec, McAfee, Mozilla, and many others.

I agree, anyone experience a virus that exploits adaware?

icroyal wrote:

With Gmail, I get about 100-200 junk mails every day and I've only had 2 e-mails in the past year get past the filters into my Outlook.

I can't say I agree with this one...perhaps it has to do with how I distribute the gmail address, but I find that in the couple of years that I have used gmail, it's actually receiving nearly as much spam daily as my yahoo account, which i Have used for over 10 years.

jdmurray wrote:

But on the client side, I wonder how many organizations try Linux and OpenOffice on the desktop and end up switching back to Microsoft.

Alot of schools are going this route, a couple of high schools I know of, and a few universities are adopting linux (both server & workstation), as for maintaining healthy relationship with MS? They come up with "student auxiliary packages" which includes hundreds of dollars in software licensing...and of course, such software are seldom available during needed times in the crammed library.

my personal sidenote -> was there suppose to be a DST update with automatic update due for release today?

JDMurray

bighornsheep wrote:

my personal sidenote -> was there suppose to be a DST update with automatic update due for release today?

Those DST patches were already released. Check this forum posting: http://www.techexams.net/forums/viewtopic.php?t=20719

UPDATE: Apparently, items in Microsoft Outlook Calendar will not automatically adjust for the DST change on March 11th, and there's a few steps that Outlook users or Exchange Server admins need to perform: http://office.microsoft.com/en-us/outlook/HA102086071033.aspx

Slowhand

My Outlook 2007 notified me that it was adjusting to the new DST rules, as of a few days ago.

blargoe

It sucks for people that have WSUS set to auto-approve critical updates because there was a DST patch for the Windows OS back toward the end of 2006. If it's installed before the Exchange tool that was released last week is run, that period of time will have incorrect calendar appointments by one hour.

kevozz

jdmurray wrote:

The big problem is when Microsoft decides to release a fix for a specific Windows or application vulnerability. For the past several months, the security community has waited for Microsoft to release patches for known vulnerabilities in Word and PowerPoint (and Excel?) that could be exploited by corrupted files. Each Patch Tuesday these fixes were not made available, and the security blogs and podcasts kept asking why Microsoft was sitting on these critical fixes for such widely-used applications. It appears that this month the fixes were released, but why the multi-month wait is still a mystery. (It's likely that either Microsoft didn't not believe that these vulnerabilities could be easily exploited, or were being exploited, or the fixes themselves required rigorous testing to assure full backward-compatibility with exiting Office document files.)

The same reason they delayed the release of Service Pack 3 for Windows XP. They want you to buy Vista and Office 2007.

JDMurray

kevozz wrote:

The same reason they delayed the release of Service Pack 3 for Windows XP. They want you to buy Vista and Office 2007.

Damn, I was just in a Windows Vista meeting with Microsoft security people and I forgot to ask about SP3 for XP. I think the "delay" is because they are using it to add new features--including egress filtering on the firewall--and it just isn't ready for release yet. SP3 is suppose to be *THE LAST* service pack for Windows XP; they've got to pack everything they can into it.

royal

bighornsheep wrote:

icroyal wrote:

With Gmail, I get about 100-200 junk mails every day and I've only had 2 e-mails in the past year get past the filters into my Outlook.

I can't say I agree with this one...perhaps it has to do with how I distribute the gmail address, but I find that in the couple of years that I have used gmail, it's actually receiving nearly as much spam daily as my yahoo account, which i Have used for over 10 years.

I don't get what you don't agree with? Everyone uses their e-mail differently. I do actually get about 200 spam mails a day in my Gmail account and only 2 have actually ever gotten into my Outlook inbox. This means that my account still gets a ton of spam like you said, but it sends it to the spam folder and not to my inbox so Outlook rarely ever sees any spam. It seems like you are more agreeing with my comment than disagreeing. If you are getting different results, that is fine. Most people will see different results.

bighornsheep

icroyal wrote:

I don't get what you don't agree with?

whoops...didnt mean to offend you, I'm trying to say that I dont find gmail to be "better" with Spam in any way compare to Yahoo. For myself, I get about 200-300 spam daily also, but it seems like gmail lets more spam come through to the inbox than yahoo does. But I've also admitted that my gmail account is used as spam collection.

royal

bighornsheep wrote:

icroyal wrote:

I don't get what you don't agree with?

whoops...didnt mean to offend you, I'm trying to say that I dont find gmail to be "better" with Spam in any way compare to Yahoo. For myself, I get about 200-300 spam daily also, but it seems like gmail lets more spam come through to the inbox than yahoo does. But I've also admitted that my gmail account is used as spam collection.

You didn't offend me at all. I was just confused with your statement, that's all. No worries mate. Thanks for the clarification.

bighornsheep

jdmurray wrote:

Those DST patches were already released. Check this forum posting: http://www.techexams.net/forums/viewtopic.php?t=20719

I was referring to the critical DST patch released with Automatic Update, but I guess I found my own answer, it was indeed released via automatic update this week, yay!