Thursday, September 2, 2010

Microsoft to patch XP Help hole and four others on Tuesday

Microsoft to patch XP Help hole and four others on Tuesday

Microsoft has promised a patch for the contentious XP Windows Help hole among its July Patch Tuesday fixes. Patch Tuesday is coming next week, July 13. The company will issue four patches that fix a total of five holes, with three patches rated critical.

Among the critical updates will be a fix for the XP Windows Help hole discovered by Travis Ormandy that has caused everyone so much grief. In June, Microsoft accused Ormandy, a Google security researcher, of putting Windows customers at risk of "broad attacks" by publishing code that exploits a zero-day vulnerability. Ormandy reportedly discovered this hole on his own time and not as part of his day job. Microsoft said that he gave the company less than five days notice between disclosing the hole and publishing proof-of-concept attack code. Microsoft then proceeded to document and publicize the attacks they found in the wild from the hole, via a blog post on the Microsoft Malware Protection Center.



The folks in Redmond say that at least 10,000 computers reported seeing the attack between June 15 and June 30.

Users were livid at Ormandy. But a group of rogue security researchers were just as enraged at Microsoft for what they perceived to be a public spanking of a researcher working on his own time because Microsoft is a rival with the researcher's employer, Google. The group this week vowed that they would publicize any Windows vulnerabilities they find, rather than report them quietly to Microsoft. It's a sad day when the white hats become indistinguishable from the black hats.

In any case, XP users (and Windows Server 2003 users, also affected) will get a patch for the hole on Tuesday, Microsoft says.

Of the four patches Microsoft will be releasing, two of them are for Windows, both rated critical and will likely require a restart. The Windows 7 and Windows Server 2008 patch fixes a vulnerability in the canonical display driver that could allow remote code execution. It was first reported on May 18. Server Core installations of Windows Server are not affected.

Two critical patches will be geared for Office and also may require a restart.

Here are the details of the software that will be affected, according to Microsoft.