Top Security News

Microsoft Pummels Education Software Thieves
Heavily discounted software intended for the education market had been redirected to the consumer market by international smugglers. Companies dealing in that software have found themselves on the receiving end of legal action from Microsoft. The company...


MovieCommander Will Redirect DNS Requests
One of the latest viruses making the rounds attempts to infect systems and send their DNS lookups to sites operated for criminal gain. No one tries to drop a DNS switching utility on users to improve their...


Kitties, Hotties, And Captchas
The use of captcha technology has helped limit the impact of spam on sites that accept comments or other submissions from users; a couple of photo-oriented options offer something different from the usual hard-to-read letters and numbers in captcha forms...


Fake Online Druggist Deadly For Canadian
Marcia Bergeron died from taking pills she purchased over the Internet, through a website plastered with fake medical agency endorsements. Think those spams and web pages touting deeply discounted...


The 59 Most Influential People In IT Security
ITSecurity.com has put out its 2007 list of the 59 most influential people in IT Security; the interesting part is that I have not heard of all but a small handful. It is a great list of people to go and watch and pay attention to, and that is the benefit of being on such a...


Strategy Before Tactics
If you have no defined strategy, then whatever tactics you employ probably won't meet your goals. How many of us in the information security business bought a product, tool, policy or process from a company...



David A. Utter
Tuesday:04.05.07

Why The ANI Fix Took Three Months

Microsoft's patch update process requires a lot of testing, but the urgency of the animated cursor flaw problem, where numerous websites are hosting attacks against it, led them to cut some corners.

No one has disputed Microsoft's knowledge of the animated cursor flaw, least of all the company itself. Microsoft's Mike Reavey said on their Security Response blog that security firm Determina properly submitted details of the vulnerability on December 20, 2006.

Microsoft has been roundly criticized for the delays in fixing the problem. A patch became available out of band for Windows users, a week ahead of their normal monthly update process.

Security pros and tech observers helpfully pointed out how Microsoft skipped issuing any patches in March.

Reavey wrote about the seemingly lengthy process, and described how such issues get patched on a routine basis:

Based on the severity of the initial report, we began driving for release right after we were able to verify the vulnerability reproduced. The level of priority that we assign to a vulnerability is based on the severity of the vulnerability and the risk to customers. The level of urgency and our willingness to "shortcut" steps in the process, such as quality testing, to release on a faster timeline is based on the actual risk to customers at that time.

Problems for the security engineers came as they realized the dependencies in play while trying to fix the flaw.

"For this issue in particular, the update modifies functionality that is pervasive and core to the operating system, both in graphics rendering, as well kernel mode operations," said Reavey.

While they caught many possible conflicts, the engineers reached the point where they had to release the patch.

One conflict that arose for users, with the RealTek Audio Control Panel application, required a separate hotfix to correct it as the patch broke the application.

"The result of our comprehensive testing is that at the time of release, only one minor quality issue was known and guidance as well as a hotfix was ready for customers at the same time of release," Reavey said. That turned out to be the RealTek issue.

The release of the patch fixed seven issues in Windows, three of which existed on the new Vista OS platform.

One of them was the critical animated cursor flaw.

Microsoft has long touted the improved security of the Vista platform, but it appears that legacy issues affecting older Windows editions, at least in this case, can still plague the latest product.

About the Author:
David Utter is a technology writer for SecurityProNews, WebProNews, and InternetFinancialNews.


About SecurityProNews
SecurityProNews is updated in real time with vital internet security alerts, news and in-depth articles for IT Managers. SecurityProNews understands that IT Management Begins With Security.
 

© 2007 SecurityProNews. An email newsletter.
SecurityProNews is part of the iEntry Inc. Network of sites and newsletters.

