Browse And Get Owned Patch Coming Tuesday

News Posted: Fri, Jul 10 2009 6:56 PM
Microsoft plans to fix a "browse-and-get-owned" vulnerability in its Video ActiveX Control when it releases software patches next week. The company acknowledged the vulnerability last week and is moving with uncharacteristic speed in issuing a fix for the problem. A second and similar vulnerability with Microsoft’s DirectShow was disclosed in May. It too will be fixed with Tuesday’s patches. According to Microsoft, both of the flaws affect older versions of Windows; Windows Vista and Windows Server 2008 users are not affected.

In an advanced summary of its upcoming July 14 security patch, Microsoft said it plans to release six security bulletins on Tuesday. Three of these will be listed as critical updates for Windows; one of them affects Windows Vista and Windows Server 2008. There will also be an important update for Publisher, an important update for Internet Security and Acceleration (ISA) Server, and an important update for Virtual PC and Virtual Server.


According to Jerry Bryant, senior security program manager at Microsoft, Microsoft is aware of limited attempts to exploit the DirectShow vulnerability. Trend Micro and Websense have found evidence to show that the ActiveX flaw is actively being exploited on Web sites in China. “Around 967 Chinese websites are reported to be infected by a malicious script that leads users to successive site redirections and lands them to download a .JPG file containing the exploit,” wrote Roland Dela Paz, a Trend Micro security engineer, in a blog post.
 
 
3vi1 replied on Sun, Jul 12 2009 7:23 PM

>> The company acknowledged the vulnerability last week and is moving with uncharacteristic speed in issuing a fix for the problem.<<

This bug was reported to Microsoft in 2008 (http://www.eweek.com/c/a/Security/Was-Microsoft-Slow-to-Patch-Video-ActiveX-Vulnerability-130458). The first *known* exploit in the wild occurred over a month ago.

Microsoft has shown their normal speed in fixing this, which is why their security record remains abysmal compared to other operating systems.

What part of "Ph'nglui mglw'nafh Cthulhu R'lyeh wgah'nagl fhtagn" don't you understand?

++++++++++++[>++++>+++++++++>+++>+<<<<-]>+++.>++++++++++.-------------.+++.>---.>--.
