The Security Patching Fun Never Ends
Two new off-cycle patches follow the usual Patch Tuesday release. Plus: Looking to third-party app security.
As proof positive that security patch management is a never-ending job, Microsoft has reissued two patches in as many weeks.
Last week, the software giant released an update to a critical fix for Windows Media Services on Windows 2000 Server.
Now Redmond begins this week with a reissue of a patch first released in March, for Microsoft Producer for Office PowerPoint, a program that helps users capture and synchronize audio, video, slides and images.
"The product may have reached end-of-life for support, but Microsoft is still providing a critical security fix for their software and their customers," said Jason Miller, data and security team manager for Shavlik Technologies of the latest reissue.
Microsoft has also apparently fixed installation switches for patches on Movie Maker 2.6 on Vista and Windows 7. If users have already applied those patches, they won't have to act on the installation revamps.
Patch Expected for Sharepoint Bug
Microsoft just issued a security advisory for a vulnerability in Windows SharePoint Services 3.0 and Office SharePoint Server 2007.
Security observers tell me that this issue may very well be the next out-of-band patch because: 1. the advanced notification for May's patch release is expected this week; and 2. this hotfix is not likely to make this month's security bulletin rollout.
The advisory did say, as usual, that Microsoft is "working on a patch for the exploit," which was discovered by High-Tech Bridge SA, a Swiss security outfit, who then reported to the public.
Microsoft spokesman Jerry Bryant covered all bases in an e-mail statement, saying Microsoft will "take the appropriate action," which may include providing "a security update through our monthly release process or providing an out-of-cycle security update, depending on customer needs."
Microsoft Steps Up Defense Against Alureon
As part Redmond's updates to Malicious Software Removal Tool and the ongoing combat with iterations of the pesky Alureon rootkit, Microsoft announced that it has "added support for more variants of the Win32/Alureon rootkit/infector." According to a Microsoft blog, the updates to MSRT are configured to cover the strains of Alureon that are reported as being the root cause of Microsoft Security Bulletin MS10-015.
MS10-015 is the most recent patch affected by the Alureon rootkit that was said to "brick" or crash certain systems that installed the patch.
Attention Turns to Third-Party Apps on Win OS
Wolfgang Kandek, chief technology officer of security firm Qualys, had a similar assessment of Microsoft's recent Security Intelligence Report and many of his peers: It's time to look at vulnerable third-party applications that adversely affect Windows programs.
"In the corporate environment IT administrators need to expand their patch programs to include the Office suite plus common third-party applications, such as Adobe Reader and Flash, Apple Quicktime and Realplayer," he said. "This can be difficult as Microsoft's WSUS patch system does not support these patches directly and IT admins have to look for other solutions, either manual, through scripting or additional patch management systems."
Speaking of Kandek's peers and Adobe Reader, F-Secure's Sean Sullivan, seems to think that Windows needs to cut Adobe off at the pass with a PDF viewer of sorts that would act as a filter to potentially corrupt Adobe Reader files.
Sullivan's comments come after Microsoft already announced intentions to add such a conduit program for storing PDF documents on Office 2007. Even so, word is that Adobe isn't having it. The result is a "Save as PDF" option that came with Office 2007 Service Pack 2 that security experts say is feeble in comparison to an actual gatekeeping function.
The closest thing to cooperation on security between the two software mammoths was something I first reported back in March about a potential patch distribution partnership that hasn't yet materialized.
One thing's for sure -- neither Windows nor the third-party apps that sit on the operating systems are going away. And at some point, more earnest collaboration or beefed up security by individual firms won't just be a good idea but a requirement to prevent cross-pollination of malicious code and manual back-door incursions used by hackers exploiting third-party weaknesses.
Jabulani Leffall is an award-winning journalist whose work has appeared in the Financial Times of London, Investor's Business Daily, The Economist and CFO Magazine, among others.