Security and the Net

News and opinions about security, the internet and more

Entries Tagged ‘microsoft’

Microsoft’s Silverlight used on YouTube

If the rumors about IBM buying Sun weren’t enough, this news should prove once and for all that we live in interesting times: Silverlight has made its way to YouTube. It’s used on the CBS March Madness channel, and the feeds themselves are not served by Google, but it is an interesting development nonetheless.

MS09-08: When is a patch not a patch?

… when it doesn’t patch! That was an easy question, but Microsoft has a different opinion on this. In this blog post at 360 Security, Tyler Reguly explains why he thinks MS09-08 is not really a patch; it doesn’t actually fix the vulnerability that it is supposed to fix.

Followup on Patch Tuesday post

As noted last week, I find Microsoft’s severity ratings a bit confusing; but fortunately they also provide an exploitability index that tells us a bit more about how likely Microsoft thinks a particular vulnerability is to be exploited. So let’s have a look at how they rate this month’s updates:

Patch Tuesday: does Microsoft need a new severity rating?

I’ve never quite liked Microsoft’s severity rating system for security vulnerabilities; today’s pre-announcement for this month’s Patch Tuesday provides a very good example of the problem I have with it. Microsoft provides four severity levels for security issues, and the different ratings appear to make sense at first sight:

Microsoft will fix Windows 7 UAC loophole after all

Last week, Long Zheng posted details about a security issue in Windows 7’s implementation of User Account Control. The UAC feature in Vista received so much criticism that Microsoft decided to add different security levels in Windows 7; the default setting now only warns you when a program tries to change Windows settings.

About IE8’s clickjacking protection

When the first release candidate for Internet Explorer 8 was released, the accompanying press release mentioned it had the ability to protect users from clickjacking attacks “out of the box”, and that this was possible “without impacting compatibility”. Microsoft has just provided some additional details that show how this protection works; for now, it looks [...]

Zune: small programming errors that have big consequences

Microsoft has just shown the world what the consequences of a relatively small programming mistake can be. In this case, it’s a classic “off-by-one” error in the clock driver of the Zune media player: year = ORIGINYEAR; /* = 1980 */ while (days > 365) { if (IsLeapYear(year)) { if (days > 366) { days -= [...]

It’s official: MS08-78 fixing critical IE bug

Microsoft just released MS08-78, a security bulletin describing the issue that has been affecting Internet Explorer users for almost a week (CVE-2008-4844). The bug is fixed for Internet Explorer 5.01, 6, 7 and the beta version of IE8. As Microsoft points out on their Internet Explorer homepage, the browser is now “safer than ever”. Don’t [...]

Fix for IE7 zero-day to be available tomorrow

Microsoft has just announced that a fix for the critical bug in Internet Explorer 5, 6 and 7 is to be published tomorrow. As usual, there will be webcasts detailing the fixes: Microsoft is hosting two webcasts to address customer questions on these bulletins: on December 17, 2008, at 1:00 PM Pacific Time (US & [...]

More details about IE7 zero-day exploit

More details about the zero-day exploit for IE7 are starting to surface. The most shocking detail is that this is actually an older issue: eEye reports that this was first seen on 11/15. eEye says that no mitigation strategies currently exist; Symantec suggests that disabling JavaScript will at the very least disable the current attack [...]
