Patch Tuesday update zaps third-party bugs, but Media Player fix on hold
By John Lister
With the full details of Microsoft’s latest monthly update now available, it has emerged that the update included two alterations to the Windows Registry designed to fix problems caused by third-party programs. Meanwhile, there’s some mystery over a planned fix to Windows Media Player which was pulled from the update.
Although Microsoft outlined the basics of the update last week, the full details remain under wraps until the update itself. That’s to avoid giving hackers too much notice of information which could help them figure out ways to exploit problems before everyone has applied the patch.
This week’s update included two ‘Kill-Bit controls’. These are alterations to the Windows Registry (the central database that co-ordinates all facets of Windows and installed software). Each alteration stops a particular ActiveX control being loaded by Internet Explorer, meaning it blocks a vulnerability from being exploited rather than fixing the vulnerability itself.
In this case, the Kill-Bits are for HP’s Instant Support and Aurigma’s Image Uploader programs. Both companies concerned have already issued patches, so this measure is simply an added safeguard in case any users haven’t applied the patches.
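To make the mechanism concrete, the following added example (not from the original article or from Microsoft) audits a Registry export for Kill-Bits. It relies on the documented layout, where the Kill-Bit is the 0x400 bit of the "Compatibility Flags" value under Internet Explorer's ActiveX Compatibility key; the CLSIDs and the sample export are constructed placeholders, not the real HP or Aurigma identifiers.

```python
import re

# Kill-Bit: bit 0x400 of "Compatibility Flags" under ...\ActiveX Compatibility\{CLSID}.
KILL_BIT = 0x00000400
BASE = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility"
PREFIX = BASE.lower() + "\\"
KEY_RE = re.compile(r"^\[(.+)\]$")
FLAGS_RE = re.compile(r'^"Compatibility Flags"=dword:([0-9a-fA-F]{8})$')


def parse_kill_bits(reg_text):
    """Map each CLSID under ActiveX Compatibility to True if its Kill-Bit is set."""
    result, clsid = {}, None
    for line in map(str.strip, reg_text.splitlines()):
        key = KEY_RE.match(line)
        if key:
            path = key.group(1)
            sub = path[len(PREFIX):]
            # Registry paths are case-insensitive; only direct {CLSID} subkeys count.
            direct = path.lower().startswith(PREFIX) and sub and "\\" not in sub
            clsid = sub.upper() if direct else None
            if clsid:
                result.setdefault(clsid, False)  # key exists, flag not seen yet
            continue
        flags = FLAGS_RE.match(line)
        if flags and clsid:
            # Other compatibility bits may be set too, so test the bit, not equality.
            result[clsid] = bool(int(flags.group(1), 16) & KILL_BIT)
    return result


def missing_kill_bits(reg_text, required_clsids):
    """Return the required CLSIDs whose Kill-Bit is absent or not set."""
    state = parse_kill_bits(reg_text)
    return [c for c in required_clsids if not state.get(c.upper(), False)]


# Constructed sample export; placeholder CLSIDs, not the real HP/Aurigma ones.
P = "[" + BASE + r"\{00000000-0000-0000-0000-0000000000"
SAMPLE = "\n".join([
    "Windows Registry Editor Version 5.00", "",
    P + "A1}]", '"Compatibility Flags"=dword:00000400', "",
    P + "B2}]", '"Compatibility Flags"=dword:00800000', "",
    P + "c3}]", '"Compatibility Flags"=dword:00800400', "",
])
REQUIRED = ["{00000000-0000-0000-0000-0000000000%s}" % s for s in ("A1", "B2", "C3", "D4")]

if __name__ == "__main__":
    print(missing_kill_bits(SAMPLE, REQUIRED))
```

Run against a real export of the ActiveX Compatibility key, the second function lists the controls that are still loadable on that machine.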
The big surprise is that Microsoft failed to deliver a promised fix to a vulnerability in Windows Media Player which it listed as ‘critical’ in last week’s preview. It’s supposedly down to a quality control issue, with the firm telling ZDNet:
Microsoft has heard from customers that the quality of updates is very important and, as part of the process at the Microsoft Security Response Center (MSRC), Microsoft tests these updates continuously until they are ready for distribution to customers through our regularly scheduled security bulletin release.
In one sense you could argue it’s a good thing Microsoft isn’t prepared to send out a fix it knows isn’t up to the job. But a critical vulnerability in a program virtually every Windows user has installed, and most likely uses regularly, is about as serious as it gets, so seeing a solution delayed for at least a month is pretty worrying.