Record-tying Patch Tuesday fixes 1993 problem

February 5, 2010

Next week’s monthly security update from Microsoft will finally fix a loophole dating back to 1993. But there’s no fix yet for a problem Microsoft just confirmed which could make files accessible to hackers.

There will be a total of 13 bulletins (five “critical”, seven “important” and one “moderate”), tying last October for an all-time record, though the total number of bugs fixed isn’t yet known.

The update could be particularly tricky for network administrators: not only do six of the bulletins affect every currently supported version of Windows (both desktop and server), but 10 require a restart. For a home user that’s not a major problem, but for networks and servers, it may take some particularly careful planning to minimize disruption.

One of the issues being fixed this month has been around for 17 years, though it was only discovered last June. It involves a Virtual DOS tool first introduced in Windows NT 3.1 to deal with 16-bit programs running on the new 32-bit system. The tool has been part of every subsequent edition of Windows except the 64-bit version of Windows 7.

The bug, discovered by a Google researcher, means a hacker who was able to cause a specially crafted 16-bit application to run on a computer could gain control over the Windows kernel. How Microsoft will fix it isn’t known, but it wouldn’t be surprising to see it simply disable the feature given how few people need to run 16-bit applications today.

The update won’t include a fix for the Internet Explorer issue discovered by Core Security and demonstrated at this week’s Black Hat Conference. The issue involves a series of minor loopholes being combined in a way which could give a hacker access to files on the user’s hard drive. Microsoft is still investigating the issue but has noted that both Vista and Windows 7’s Protected Mode will block such an attack. It’s advising XP users to set Internet Explorer’s security levels to High.




Copyright © 2012 Blorge.com NS