Microsoft’s new 0 day flaws, upcoming patches and retirements


On the threat and vulnerability front, Microsoft is dominating the headlines today. With Patch Tuesday around the corner, new 0-day exploits being disclosed and the upcoming retirement of several major OS releases, I figured it was a good time to do a news roundup.

Microsoft released details today for the July 13th, 2010 Patch Tuesday release. In total there are two fixes for Windows, one Critical and one Important, and two fixes for Office, both of which have a Critical severity rating.

Typically Microsoft does not provide specific information in advance of a monthly bulletin, but this month it is announcing that the release will address two high-profile flaws.

First is the much debated SA 2219475, the 0-day in the Windows Help Center disclosed by Tavis Ormandy, which has been actively exploited in the wild. The other announcement is that they will be fixing SA 2028859, the bug in the Windows 7 x64 Aero GUI that could lead to remote code execution.

The Microsoft Help Center bug is a major one that we have seen exploited in the wild quite aggressively, and it should be a high priority on any IT administrator’s patch list. The Windows 7 Aero bug is not known to be exploitable in any reliable way and is likely the advisory with the Important severity rating.

Windows 2000? Expired

Tuesday will be a landmark day for legacy Windows users as well, when Microsoft officially ends support for both Windows 2000 and Windows XP Service Pack 2. Only customers with Premium Support and a migration plan to move to a supported platform are eligible to purchase a custom support package for Windows 2000 or XP SP2.

Windows XP is no longer in mainstream support and is now in an “extended support” phase. If you haven’t started thinking about Vista or Windows 7 (or dare I say Linux or OS X), you should start planning your migration. XP will not be fully discontinued until 2014, but these things have a way of creeping up on you.

After last month’s disclosure by Tavis, Microsoft heavily criticized what it called his irresponsible disclosure. This did not go down well with many in the security community and led to the creation of an anonymous group of security researchers who refer to themselves as the Microsoft-Spurned Research Collective (MSRC). Of course, historically MSRC has stood for the Microsoft Security Response Center, and this looks to be the beginning of a pissing match between Microsoft and some in the research community.

Message from spurned researchers

In the image on the right you can see the rather snarky poke the new “MSRC” makes at Microsoft in their Full Disclosure posting. We can only hope that this little war does not result in all of us being put unnecessarily at risk.

As a wise man once said, “Don’t feed the trolls”. In this case it appears that by harshly responding to a well-respected researcher, Microsoft has in fact fed the trolls… This is not likely to work out well for anyone: the spurned researchers have already published a flaw to the Full Disclosure mailing list and are actively recruiting new members.

Recently three other Microsoft flaws have been published, including a flaw in the Microsoft Foundation Classes libraries, a bug in Internet Explorer 8/Windows 7 that allows DEP/ASLR to be bypassed, and a vulnerability in Internet Information Server 5.1. So far Microsoft is downplaying the importance of these vulnerabilities.

While Tuesday’s patches don’t fix all of these issues, apply them as quickly as you can and prepare for the August release, which will hopefully provide protection against most of these newly discovered issues.