Seen as though we’ve been having a good bash on Microsoft recently, here’s some more relevant news. The December update from Microsoft has delivered patches for 11 series flaws spanning both IE6 & IE7 and all their currently supported operating systems (Windows 2000, Windows XP and Windows Vista).

So if you are running Windows, make sure you get your updates downloaded and installed before you’re away from your PC during this festive season.

Microsoft today released software updates to plug at least 11 security holes in PCs powered by its Windows operating systems and other software. Windows users can download the fixes either directly through the Microsoft Update Web site or via Automatic Updates.

December’s seven update bundles includes fixes for four separate security holes in Internet Explorer 6 and IE7, vulnerabilities that are considered critical for Windows 2000, Windows XP and Windows Vista users. Microsoft rates a flaw “critical” if it can be exploited to break into vulnerable systems with little or no help from the user, save perhaps for browsing a Web site or by clicking on a malicious link in an e-mail or instant message.

Seems like even though Internet Exploder Explorer is such a ‘stable’ and ‘mature’ product – it’s not immune to serious problems. I’m sorry but it’s a web-browser..how complicated can it be!

Microsoft also issued critical updates to fix at least two different problems with the way Windows handles the processing and display of various video and audio files. The first of those is a serious vulnerability in the “Windows media file format” — chiefly, files that end in “.asf” and “.wmv” — used principally by the Windows Media Player software bundled with the operating system. Another patch addresses a critical flaw in most versions of “DirectX,” a Windows component that handles the display of a variety of video file formats (files that end in “.wav” and “.avi” for example). Again, these are especially dangerous flaws because they can be exploited merely by getting users to view maliciously crafted video files via a Web browser or e-mail.

Of the seven patch bundles released today, only two did not affect Windows Vista systems, suggesting that the vulnerable components were carried over into Vista from older versions of the OS despite the multi-year secure coding review conducted for Vista. That said, two of the bundles were released to plug security holes that were found exclusively in Vista.

This news directly related to what we have been discussing recently, how previous Windows flaws carry over into the supposidly ‘all-new’ Windows Vista.

Only TWO of the problems did not effect Vista, which shows that the problems that effect an OLD (8 years old now) OS like Windows 2000 are still effecting Vista.

Source: Security Fix

Ah more news about the insecurity of Vista and something we are all pretty aware of…the skewing of figures by Microsoft.

Microsoft apparently still hasn’t learned that counting vulnerabilities doesn’t establish some kind of ‘security level’.

You can read the report here:

Vista 6 Month Vuln Report [PDF]

The Microsoft “researcher” claims that Windows Vista is exponentially less vulnerable than many Linux distributions and Mac OS X. It may be true that the default Vista installation has had less public vulnerability reports, and that Linux has had many more, but this is due to the nature of Open Source. Jeff does not include any “silently fixed” vulnerabilities that have been patched since Vista was released and Microsoft has not disclosed such vulnerabilities publicly.

The methodology used was deeply flawed, as I briefly mentioned before, bugs in Firefox and other software like emacs count as a flaw for Linux whilst IE bugs get ignored for Vista.

The conclusions that are drawn are built on a lack of understanding by the Microsoft researcher. I highly encourage him to go back and take another look, and pare down the results to essential information that is absolutely critical to the conclusions, rather than just “Other OS’s have more bugs, see, look at my graphs”…

Good PR, but bad research? Seems par for the course.

And perhaps it could backfire PR wise, as the clued in people get pushed further away from Vista.

Source: Full Disclosure