[ISN] Microsoft Issues First Patches For Vista

From: InfoSec News (alerts@private)
Date: Thu Aug 17 2006 - 01:33:36 PDT


http://www.informationweek.com/news/showArticle.jhtml?articleID=192201435

By Gregg Keizer
TechWeb
Aug 16, 2006

Microsoft confirmed Tuesday that two of the 12 security bulletins issued 
last week affect Windows Vista Beta 2, the widely-used preview, and 
posted download instructions for the first security updates to its 
next-generation operating system.

"We are committed to releas[ing] Windows Vista updates for all MSRC 
[Microsoft Security Response Center] critical class issues that may 
arise during the beta testing period," wrote Alex Heaton, product 
manager for the Windows Vista security team, on the group's blog.

Out of the dozen bulletins released Aug. 8, two -- MS06-042 and MS06-051 
-- impact Vista Beta 2. "Of the seven critical Windows updates released 
in August, only 2 also affect Windows Vista Beta 2 or later," said 
Heaton.

MS06-042 is a cumulative security update for Internet Explorer that 
patched eight separate vulnerabilities; MS06-051 fixed a flaw in the 
Windows kernel that could let an attacker take control of a PC by luring 
the user to a malicious Web site.

Neither bulletin, however, yet offers any details on Vista Beta 2, or 
even mentions the operating system among those affected. The only 
explanation came from Heaton: "Microsoft does not include information 
about beta products in formal security bulletins." The company did not 
immediately respond to follow-up queries about how it released the Vista 
patches and why it chose to deliver them without details.

The download pages for the two updates, one for the IE 7 fix and one for 
the kernel patch, also lack the information Microsoft normally posts in 
its security bulletins' FAQs.

"We really should have been told about these Vista vulnerabilities last 
week," said Michael Cherry, an analyst at Redmond, Wash.-based 
Directions on Microsoft. "Microsoft should have told us then that Vista 
needed to be patched, too."

Vista is in beta, Cherry acknowledged. "On one hand, it's not a 
supported release and people are supposed to take the appropriate 
cautions, and not put it into a production environment. But you can't 
test it that way. And this is a very wide beta."

More worrisome, said Cherry, is that Vista, even in beta, faces a much 
different security landscape than the last-released desktop client OS, 
2001's Windows XP. "Then, if you put a beta on a machine, someone might 
get to it and, say, deface a Web site," Cherry said. "Minor stuff. But 
now it's just as likely that they'll try to turn these Vista machines 
into zombies.

"The [security] environment has changed. I'm very nervous about using 
Vista Beta 2 like this because the [security] situation's changed."

Microsoft's Heaton, meanwhile, told Vista Beta 2 users that update 
support will end as soon as the preview's successor -- to be dubbed 
Release Candidate 1, or RC1 -- appears. "Updates will no longer be 
released for Windows Vista Beta 2 after RC1 has been released, and 
updates for pre-release versions will not be released after Windows 
Vista has released to manufacturing."

Whatever information Microsoft decides to provide on future security 
vulnerabilities in Vista will be posted to the support document numbered 
921583. In that document, Microsoft recommends that users apply the 
updates "immediately."


_________________________________
Visit the InfoSec News store!
http://www.shopinfosecnews.org



This archive was generated by hypermail 2.1.3 : Thu Aug 17 2006 - 07:43:19 PDT