Microsoft welcomed for patches that many claim are overdue

By on

The latest patches from Microsoft have been welcomed despite many of the vulnerabilities having been reported several years ago.

Shavlik's Eric Schulte claimed that the eight patches, five of which were labelled critical, included ‘fixes for a number of issues that Microsoft previously identified as too laborious\complex to fix'.


Shavlik said: “This includes fixes for the Safari Carpet Bombing and SearchPath issues, additional enhancements for credential reflection (ala SMBRelay fix in MS08-068), and Service Isolation issues, as called out at a 2008 security conference.


“Microsoft had previously stated that each of these issues were either too complex to solve or didn't represent actual vulnerabilities. It's enlightening to see that they've taken a second look at each of these topics and have found solutions to address each.”


Schulte claimed that this was the ‘most ambitious patch to date', as Microsoft used Windows 7 developers to assist with the creation of the MS09-012 patch that addresses several elevation of privilege vulnerabilities in Microsoft Windows.


Schulte said: “We can only hope that Microsoft continues in this vein and re-examines other parts of the Operating System that were thought too complex to fix.”


Shavlik recommended the following preferential order for installation:  MS09-009

MS09-010; MS09-014; MS09-011; MS09-013; MS09-012 (if running IIS or SQL); MS09-015.


Meanwhile, blogger Aviv Raff praised Microsoft for releasing a patch for the ‘DLL-load Hijacking' vulnerability that he claimed to have reported two-and-a-half years ago.


Raff said: “I had a long discussion with Microsoft about this vulnerability, and we both had several twists as time went by.” He claimed that he originally reported it on October 29, 2006, which Microsoft acknowledged the same day, but the following day reported ‘if an attacker has the ability to modify/replace system files on a users system then it is very likely that the system is already compromised in many other ways'.


Raff said: “After almost two-and-a-half years since I first notified them about the vulnerability, and almost one year after I notified them about the ‘blended threat', Microsoft have finally released a patch. They broke their third promise (Windows 7, remember?), but this time for a good reason.”

See original article on

Copyright © SC Magazine, US edition

Most Read Articles

Log In

|  Forgot your password?