- Joined
- Feb 21, 2010
- Messages
- 165
- Reaction score
- 77
[FONT=Georgia, Times New Roman, Times, serif]IT News Happening Now[/FONT][FONT=Georgia, Times New Roman, Times, serif]Microsoft admits patch didn't fix vulnerability[/FONT]
[FONT=Verdana, Arial, Helvetica, sans-serif]Microsoft has yanked the security updates shipped in the MS10-025 bulletin after realizing the patch did not fix the underlying security vulnerability. by Ryan Naraine [/FONT]
[FONT=Verdana, Arial, Helvetica, sans-serif]READ FULL STORY[/FONT]
Microsoft has yanked the security updates shipped in the MS10-025 bulletin after realizing the patch did not fix the underlying security vulnerability.
The withdrawal of the bulletin means that affected Windows 2000 Server users should immediately consider applying mitigations and workarounds to avoid malicious hacker attacks.
The company did not explain why the bulletin was shipped with an inadequate patch. A brief blog post from Microsoft’s Jerry Bryant offered the following:
Today we pulled the update because we found it does not address the underlying issue effectively. We are not aware of any active attacks seeking to exploit this issue and are targeting a re-release of the update for next week.
The issue only affects Windows 2000 Server customers who have installed Windows Media Services (a non-default configuration).
Bryant urged affected users with internet facing systems with Windows Media Services installed to evaluate and use firewall best practices to limit their overall exposure.
The MS10-025 bulletin is rated “critical” because attackers could launchi remote code execution if an attacker sent a specially crafted transport information packet to a Microsoft Windows 2000 Server system running Windows Media Services.
Ryan Naraine is a journalist and security evangelist at Kaspersky Lab. He manages Threatpost.com, a security news portal. Here is Ryan's full profile and disclosure of his industry affiliations.
Email Ryan Naraine
For daily updates on Ryan's activities, follow him on Twitter.
Subscribe to Zero Day via Email alerts or RSS.
I hope everyone reads this and watch for the latest update for MS10-025 Microsoft have done this to further assist in protecting genuine microsoft user due to costs involved in security related issues.
Here’s the skinny from Microsoft’s advisory:
regards
jeffreyobrien
[FONT=Verdana, Arial, Helvetica, sans-serif]Microsoft has yanked the security updates shipped in the MS10-025 bulletin after realizing the patch did not fix the underlying security vulnerability. by Ryan Naraine [/FONT]
[FONT=Verdana, Arial, Helvetica, sans-serif]READ FULL STORY[/FONT]
- Thumbs UpThumbs Down
- +17
19
Microsoft has yanked the security updates shipped in the MS10-025 bulletin after realizing the patch did not fix the underlying security vulnerability.The withdrawal of the bulletin means that affected Windows 2000 Server users should immediately consider applying mitigations and workarounds to avoid malicious hacker attacks.
The company did not explain why the bulletin was shipped with an inadequate patch. A brief blog post from Microsoft’s Jerry Bryant offered the following:
Today we pulled the update because we found it does not address the underlying issue effectively. We are not aware of any active attacks seeking to exploit this issue and are targeting a re-release of the update for next week.
Bryant urged affected users with internet facing systems with Windows Media Services installed to evaluate and use firewall best practices to limit their overall exposure.
The MS10-025 bulletin is rated “critical” because attackers could launchi remote code execution if an attacker sent a specially crafted transport information packet to a Microsoft Windows 2000 Server system running Windows Media Services.
Email Ryan Naraine
For daily updates on Ryan's activities, follow him on Twitter.
Subscribe to Zero Day via Email alerts or RSS.
I hope everyone reads this and watch for the latest update for MS10-025 Microsoft have done this to further assist in protecting genuine microsoft user due to costs involved in security related issues.
Here’s the skinny from Microsoft’s advisory:
The vulnerability exists as an invalid pointer reference within Internet Explorer. It is possible under certain conditions for the invalid pointer to be accessed after an object is deleted. In a specially-crafted attack, in attempting to access a freed object, Internet Explorer can be caused to allow remote code execution.
The flaw affects Internet Explorer 6 Service Pack 1 on Microsoft Windows 2000 Service Pack 4, and Internet Explorer 6, Internet Explorer 7 and Internet Explorer 8 on supported editions of Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2 are affected.
Here’s the danger:The flaw affects Internet Explorer 6 Service Pack 1 on Microsoft Windows 2000 Service Pack 4, and Internet Explorer 6, Internet Explorer 7 and Internet Explorer 8 on supported editions of Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2 are affected.
To exploit, an attacker could host a specially crafted Web site, or take advantage of a compromised website, and then convince a user to view the Web site. In all cases, however, an attacker would have no way to force users to visit these malicious Web sites. Instead, an attacker would have to convince users to visit the Web site, typically by getting them to click a link in an e-mail message or in an Instant Messenger message, that directs users to the attacker’s Web site. It could also be possible to display specially crafted Web content using banner advertisements or other methods to deliver Web content to affected systems. The Microsoft investigation concluded that setting the Internet zone security setting to “high” will protect users from the vulnerability addressed in this advisory.
Microsoft is considering an out-of-band emergency IE patch to fix this vulnerability.
regards
jeffreyobrien
Last edited:
