Microsoft welcomed for patches that many claim are overdue

News by Dan Raywood

The latest patches from Microsoft have been welcomed despite many of the vulnerabilities having been reported several years ago.


Shavlik's Eric Schultze claimed that the eight patches, five of which were labelled critical, included ‘fixes for a number of issues that Microsoft previously identified as too laborious/complex to fix'.


Schultze said: “This includes fixes for the Safari Carpet Bombing and SearchPath issues, additional enhancements for credential reflection (à la the SMBRelay fix in MS08-068), and Service Isolation issues, as called out at a 2008 security conference.


“Microsoft had previously stated that each of these issues were either too complex to solve or didn't represent actual vulnerabilities. It's enlightening to see that they've taken a second look at each of these topics and have found solutions to address each.”


Schultze claimed that this was the ‘most ambitious patch to date', as Microsoft used Windows 7 developers to assist with the creation of the MS09-012 patch, which addresses several elevation of privilege vulnerabilities in Microsoft Windows.


Schultze said: “We can only hope that Microsoft continues in this vein and re-examines other parts of the Operating System that were thought too complex to fix.”


Shavlik recommended the following preferential order for installation: MS09-009; MS09-010; MS09-014; MS09-011; MS09-013; MS09-012 (if running IIS or SQL); MS09-015.


Meanwhile, blogger Aviv Raff praised Microsoft for releasing a patch for the ‘DLL-load Hijacking' vulnerability that he claimed he reported to them two and a half years ago.


Raff said: “I had a long discussion with Microsoft about this vulnerability, and we both had several twists as time went by.” He claimed that he originally reported it on 29th October 2006, which Microsoft acknowledged the same day, but the following day Microsoft replied that ‘if an attacker has the ability to modify/replace system files on a user's system then it is very likely that the system is already compromised in many other ways'.


Raff said: “After almost two and a half years since I first notified them about the vulnerability, and almost one year after I notified them about the ‘blended threat', Microsoft have finally released a patch. They broke their third promise (Windows 7, remember?), but this time for a good reason.”

