Apple Patches, Microsoft Passes

Thursday, 15 March 2007
While Patch Tuesday came and went with Microsoft deploying no critical security updates, Microsoft didn't leave I.T. admins sitting on their hands. Redmond released a new version of the Windows Malicious Software Removal Tool and several other software updates. Apple, meanwhile, released a slew of patches for Mac OS X to plug 45 holes, including several zero-day vulnerabilities.
If Microsoft's monthly Patch Tuesday failed to grab I.T.'s attention, Apple Computer added some excitement to the security world on the notorious day.
Microsoft typically releases security fixes the second Tuesday of each month. For the first time in 18 months, however, Microsoft canceled its scheduled security update, despite at least five zero-day software vulnerabilities that leave a back door open to hackers.
A Microsoft spokesperson said the company needed more time to develop fixes for known flaws and is continuing to investigate potential and existing vulnerabilities.
"Creating security updates that effectively and comprehensively fix vulnerabilities is an extensive process involving a series of sequential steps," said the spokesperson. "All updates need to meet testing standards in order to be released. This ensures that our customers can confidently install these updates in their environment."
More Work To Be Done
With Daylight Saving Time configuration duties, many I.T. administrators might have welcomed the breather, but with a potential slew of new critical patches coming down the pike, they might not be looking forward to April's patch cycle.
Although no critical patches were deployed this week, Microsoft didn't leave I.T. administrators sitting on their hands. Redmond released an updated version of its Windows Malicious Software Removal Tool, along with two high-priority, nonsecurity updates for Windows through the Windows Update and Software Update services and four high-priority, nonsecurity updates through Microsoft Update and Windows Server Update services.
In addition, Microsoft rolled out Service Pack 2 for Windows Server 2003, a large update that has been in beta for several months and is now available as an optional download. It should become available through Microsoft's automated-update services in a few months.
According to Chris Andrew, vice president of security technologies at PatchLink, I.T. administrators should concentrate on checking whether their company is running any of the applications for which there are currently five known zero-day vulnerabilities.
"A reported vulnerability in Microsoft PowerPoint was revealed 152 days ago," he said. "This security hole allows a hacker to remotely crash PowerPoint. While this is more of a nuisance than a threat to critical data, it is worth keeping an eye on this exploit to minimize any user interference."
Apple's Megapatch Tuesday
Meanwhile, enterprises that run Apple products are looking at a security update for Mac OS X to plug 45 holes, including several zero-day vulnerabilities.
The megapatch update is a partial response to the Month of Apple Bugs project in January and the Month of Kernel Bugs in November. The software addresses vulnerabilities in Apple software and third-party applications, including Adobe's Flash Player, OpenSSH, and MySQL, according to Apple's advisory.
Eight of the patches deal with flaws in the way Mac OS X handles disk images. Apple said mounting a malicious image could lead to an error that opens the door for a hacker.
In fact, hackers could exploit some of the flaws to take complete control of the system. Other flaws, such as the vulnerability in iPhoto 6.0.6, could lead to remote code execution. "By enticing a user to subscribe to a maliciously crafted photocast, a remote attacker can trigger the vulnerability which may lead to arbitrary code execution," Apple said in its advisory.