News

Microsoft Issues New Windows Security Advisories

Microsoft issued even more details about Windows security concerns, even after releasing its August security update on Tuesday.

Late yesterday, Microsoft announced two security advisories. One is new, while the other updates a previously issued advisory. Meanwhile, IT pros already are tying to cope with this month's massive security update.

The updated advisory simply states that Microsoft has concluded its investigation into a security advisory issued in February. That problem concerns the Transport Layer Security and Secure Sockets Layer (TLS/SSL) protocols in general, and the Windows Secure Channel security package in particular.

The issue was addressed with critical security bulletin MS10-049 in Microsoft's August patch. It's designed address the flaw in Windows Server 2008, Windows 7 and 12 other supported versions of the Windows OS, including XP and Vista.

Left unpatched, the Windows Secure Channel vulnerability could allow attackers the ability to perform "man-in-the-middle" attacks via TLS/SSL connections. The problem is of general concern, and Microsoft's issuance of a fix suggests that broad industry engagement occurred, according to Jason Miller, data and security team manager at Shavlik Technologies.

"In recent months, we have heard of Microsoft working with other vendors such as Adobe to address vulnerabilities as a whole and not as a one-company issue," Miller said. "The release of MS10-049 shows that Microsoft is again working with the industry with vulnerability management."

Miller added that the fix from Microsoft had long been in the works. The TLS/SSL vulnerability was "not just Microsoft's problem" as it affected the "IT industry as a whole," he said.

Windows Service Isolation Flaw
Next up, Microsoft issued a new security advisory on Tuesday concerning a Windows Service Isolation feature that could enable elevation-of-privilege exploits. The operating systems involved include Windows XP, Windows Vista and Windows 7, as well as Windows Server 2003 and Windows Server 2008.

Microsoft said that an attacker could use this feature to elevate processes running on a Windows-based "NetworkService account" to the "LocalSystem account" on a server. It could give the attacker the ability to take control of a system.

At-risk Microsoft products include the Windows telephony application programming interfaces, SQL Server and Internet Information Services (IIS) in Windows Server 2003 and Windows Server 2008.

Because there is no known vulnerability and only a "potential" likelihood of such attacks at this time, Microsoft did not specify whether the issue would warrant further actions, such as the issuance of workarounds or patches. However, in this Knowledge Base article, the software giant describes various access control tools in both IIS and SQL that can restrict entry into the NetworkService account.

No Security Advisory for Clipboard Issue
On Wednesday, Microsoft provided an updated statement on the zero-day Windows kernel-level clipboard vulnerability uncovered last week by independent security researchers. The software giant said it will not release a security advisory for the heap overflow problem affecting all supported Windows versions.

For this issue to be exploited, it has to be an inside job, according to the rationale of the Microsoft security team. Redmond said "an attacker must have valid log-on credentials on the target system and be able to log on locally, or must already have code running on the target system."

This assessment rules out the prospect that an urgent out-of-band patch will arrive soon. However, Microsoft promised that the issue would be fixed in a future security update. Microsoft Security Response Center spokesperson Jerry Bryant wrote that Microsoft "will continue monitoring the threat landscape and alert customers if anything changes."

About the Author

Jabulani Leffall is an award-winning journalist whose work has appeared in the Financial Times of London, Investor's Business Daily, The Economist and CFO Magazine, among others.

comments powered by Disqus

Featured

  • Compare New GitHub Copilot Free Plan for Visual Studio/VS Code to Paid Plans

    The free plan restricts the number of completions, chat requests and access to AI models, being suitable for occasional users and small projects.

  • Diving Deep into .NET MAUI

    Ever since someone figured out that fiddling bits results in source code, developers have sought one codebase for all types of apps on all platforms, with Microsoft's latest attempt to further that effort being .NET MAUI.

  • Copilot AI Boosts Abound in New VS Code v1.96

    Microsoft improved on its new "Copilot Edit" functionality in the latest release of Visual Studio Code, v1.96, its open-source based code editor that has become the most popular in the world according to many surveys.

  • AdaBoost Regression Using C#

    Dr. James McCaffrey from Microsoft Research presents a complete end-to-end demonstration of the AdaBoost.R2 algorithm for regression problems (where the goal is to predict a single numeric value). The implementation follows the original source research paper closely, so you can use it as a guide for customization for specific scenarios.

  • Versioning and Documenting ASP.NET Core Services

    Building an API with ASP.NET Core is only half the job. If your API is going to live more than one release cycle, you're going to need to version it. If you have other people building clients for it, you're going to need to document it.

Subscribe on YouTube