Skip Microsoft's critical patch, focus on Adobe's, experts urge
PDF patches due later today more important than lone fix from Microsoft
Computerworld - Microsoft today issued just one security update for Windows, the lowest number on a Patch Tuesday since January 2009.
And for once, researchers urged users to spend their patching time dealing with updates from Adobe, also expected today, rather than Microsoft's fix.
Today's update patches just one vulnerability, which is rated "critical," Microsoft's highest threat ranking, for Windows 2000, but is rated "low" for all other versions of the operating system, up to and including the new Windows 7 and Windows Server 2008 R2.
The patch addresses a bug in how Windows Embedded OpenType (EOT) font engine decompresses specially-crafted EOT fonts, said Microsoft in the accompanying MS10-001 bulletin. EOT fonts are a compact form of fonts designed for use on Web pages, but they can also be used in Word and PowerPoint documents.
This was the second EOT bug fix in the last three months. In November, Microsoft patched a flaw in how the Windows kernel parsed EOT fonts.
Although the vulnerability could result in remote code execution -- security speak that means an attacker could use the bug to hijack a PC -- only Windows 2000 got the critical ranking. All others were tagged with the lowest threat rating in Microsoft's four-step scoring system.
Microsoft explained why in several ways. "These [other] Windows operating systems contain the vulnerable code but do not use this code in a way that may expose the vulnerability," the company said in the security bulletin.
"Due to the nature of bounds-checking performed on 32-bit systems XP and later, the only buffer+index combinations which would pass the old checks will point into address 0x80000000 and above," Brian Cavenah from the Microsoft Security Research Center engineering staff. "Because these regions cannot be accessed while running at IOPL 3, the process will crash (Access Violate) and the attempt to run arbitrary code would fail," Cavenah said on a company blog today.
Andrews Storms, director of security operations at nCircle Network Security, put that into plain English. "Versions newer than Windows 2000 have security provisions that prevents code execution of this vulnerability," he said. "Specifically, it's in the way that memory mapping happens. Running code will register certain opcodes in Windows XP and newer, and those versions then know not to allow code execution."
Richie Lai, the director of vulnerability research at security company Qualys, described it slightly differently. "It's more a hardening of the way Windows manages memory," he said, referring to the changes in Windows XP and later.
In fact, Storms continued, he bet that -- barring the critical nature of the bug for Windows 2000 -- Microsoft would have passed on even patching the vulnerability. "I think this is one they probably wished they didn't have to patch," Storms argued, noting the impending retirement of Windows 2000 from Microsoft support. "Windows 2000 is on its last legs, and except for it, they wouldn't have bothered."
- Enable secure remote access to 3D data without sacrificing visual perfomance Design and manufacturing companies must adapt quickly to the demands of an increasingly global and competitive economy. To speed time to market for...
- Virtually Delivered High Performance 3D Graphics "A picture is worth a thousand words." That old phrase is as true today as it ever was. Pictures (i.e., those with heavy...
- Best Practices for Securing Hadoop Historically, Apache Hadoop has provided limited security capabilities. To protect sensitive data being stored and analyzed in Hadoop, security architects should use a...
- Top Tips for Securing Big Data Environments: Why Big Data Doesn't Have to Mean Big Security Challenges Organizations must come to terms with the security challenges they introduce. As big data environments ingest more data, organizations will face significant risks...
- What should I look for in a Next Generation Firewall? SANS Provides Guidance With so many vendors claiming to have a Next Generation Firewall (NGFW), it can be difficult to tell what makes each one different....
- Responding to New SSL Cybersecurity Threat The featured Gartner research examines current strategies to address new SSL cybersecurity threats and vulnerabilities. All Security White Papers | Webcasts
Our new bimonthly Internet of Things newsletter helps you keep pace with the rapidly evolving technologies, trends and developments related to the IoT. Subscribe now and stay up to date!