| Next revision | Previous revision |
| security_now_episode_257 [2012/10/21 03:39] – created briancarnell | security_now_episode_257 [2014/12/04 19:02] (current) – external edit 127.0.0.1 |
|---|
| ====== Security Now1 - Episode 257 ====== | ====== Security Now! - Episode 257 ====== |
| |
| SERIES: Security Now! | SERIES: Security Now! |
| LEO: As always, there's a ton of stuff to talk about. Well, I'll tell you what, I have one commercial. We'll do it before we get to the questions. Let's start with the updates. And I know you like to start with patches. | LEO: As always, there's a ton of stuff to talk about. Well, I'll tell you what, I have one commercial. We'll do it before we get to the questions. Let's start with the updates. And I know you like to start with patches. |
| |
| STEVE: Yes. Well, we have, as it happens, just passed the second Tuesday of July. And everybody knows what that means. That was Microsoft's opportunity to fix things. The good news is they fixed four serious critical remote code execution vulnerabilities. The most significant one is the one that we've talked about now several times, the Help Center vulnerability, which was being actively exploited in the wild. That was the one where a couple weeks ago, I blogged about it actually, it was the HCP protocol. HCP:// was the way that Windows could access this Help Center, sort of with its own sort of pseudo URL. And Microsoft's little Fix it button, or changing the registry, could disable that functionality to protect people in the meantime. Well, they finally, with the second Tuesday of July, have that fixed. So that's behind us now. | STEVE: Yes. Well, we have, as it happens, just passed the second Tuesday of July. And everybody knows what that means. That was Microsoft's opportunity to fix things. The good news is they fixed four serious critical remote code execution vulnerabilities. The most significant one is the one that we've talked about now several times, the Help Center vulnerability, which was being actively exploited in the wild. That was the one where a couple weeks ago, I blogged about it actually, it was the HCP protocol. HCP:// was the way that Windows could access this Help Center, sort of with its own sort of pseudo URL. And Microsoft's little Fix it button, or changing the registry, could disable that functionality to protect people in the meantime. Well, they finally, with the second Tuesday of July, have that fixed. So that's behind us now. |
| |
| Also we talked quite a while ago about a problem that had been lurking in the video drivers for Windows Vista and Windows 7 with the Aero interface. And Microsoft's only workaround was, well, disable Aero until we get it patched. That will definitely require a restart for people because this is the video driver that you can't change on the fly. So that's been fixed also. And then there was an Office ActiveX vulnerability that was remote code execution that had been privately reported to Microsoft, not being exploited in the wild yet; and an Outlook vulnerability, both that allowed code to be executed, remote code to be executed locally on your system. All of that's fixed. | Also we talked quite a while ago about a problem that had been lurking in the video drivers for Windows Vista and Windows 7 with the Aero interface. And Microsoft's only workaround was, well, disable Aero until we get it patched. That will definitely require a restart for people because this is the video driver that you can't change on the fly. So that's been fixed also. And then there was an Office ActiveX vulnerability that was remote code execution that had been privately reported to Microsoft, not being exploited in the wild yet; and an Outlook vulnerability, both that allowed code to be executed, remote code to be executed locally on your system. All of that's fixed. |
| |
| Copyright (c) 2010 by Steve Gibson and Leo Laporte. SOME RIGHTS RESERVED. This work is licensed for the good of the Internet Community under the Creative Commons License v2.5. See the following Web page for details: http://creativecommons.org/licenses/by-nc-sa/2.5/. | Copyright (c) 2010 by Steve Gibson and Leo Laporte. SOME RIGHTS RESERVED. This work is licensed for the good of the Internet Community under the Creative Commons License v2.5. See the following Web page for details: http://creativecommons.org/licenses/by-nc-sa/2.5/. |
| |
