Microsoft Blogs Supplement Patch Tuesday News

By Larry Seltzer  |  Posted 2008-06-11 Print this article Print

Microsoft may be the biggest blogger factory in the world, and on some days they put out useful stuff.

Patch Tuesday is a big deal for everyone, including people at Microsoft. Starting not too long ago, Microsoft bloggers started getting active on Patch Tuesday. Sometimes they just reiterate what is in the advisories themselves, sometimes they add useful and interesting information.

This month (so far) I saw three entries. The most interesting one is in the Security Vulnerability Research & Defense blog. Originally I had viewed MS08-030 (Vulnerability in Bluetooth Stack Could Allow Remote Code Execution) as the most horrifying one today. Remote Bluetooth attackers could take control of a user's system and all they needed was for the user to be nearby.

The SVRD blog throws some water on this fire. First, they point out the short distance in which Bluetooth is effective, although the limits of this argument were demonstrated years ago with the Bluetooth Sniper Rifle. More to the point, they argue that while the vulnerability may be theoretically exploitable, as a practical matter it's very hard to do. The attacker has to flood the victim with SDP messages and trigger a small timing window, during which the system is vulnerable. The placement and duration of this window is dependent on the speed of the target system. Suffice it to say, they think it's not a reliable platform for exploitation.

Also interesting is the entry on the Office Sustained Engineering blog. Microsoft usually issues Outlook Junk Mail filter updates every month. This month there is an update for Outlook 2003, but not Outlook 2007. Expect updates to both in July, but what happened to Outlook 2007 this month? No word on that.

There is also news in that blog about an update that was released to Office 2007 SP1, correcting errors that prevented full installation of some language-specific components when used with WSUS (Windows Software Update Services). The blog links to a KB article with more information, but that link is dead as I try it.

There is also an entry on the Microsoft Security Response Center blog. Most of it just summarizes the bulletins released today and links to them, but there is added content at the bottom, linking to a series of Knowledge Base articles that explain procedures for installing any future security updates to Microsoft SQL Server 7, Microsoft SQL 2000 or Microsoft SQL Server 2005, including procedures that can be followed now to facilitate installing those patches if and when the time comes. SQL Server admins should read the blog and the KB articles.

The SVRD blog has a couple of other entries. One goes into detail on a workaround listed in MS08-033 having to do with changing ACL's on Quartz.dll. The other explains what PGM (Pragmatic General Multicast), the subject of MS08-036, is. The short answer, according to the blog: "PGM is a multicast transport protocol that guarantees reliable delivery from multiple sources to multiple receivers. It is a layer 4 transport protocol, peer to TCP and UDP. You can send/receive data with PGM by creating a socket with SOCK_RDM type and IPPROTO_RM protocol." More details in the blog.

Finally, the IE Blog pitches in with a brief notice about the June IE Cumulative Update. There's a note in there for IE8 beta testers about the update.

I read these sorts of blogs all day; it's my job and I wouldn't want to subject you to it, but it's worth fishing through them to find if some are particularly relevant to your work.

By the way, how many Microsoft bloggers are there? lists over 5,100 and lists 1,300-something. And there are more. True, many of these have no posts in them, but perhaps we're better off for that.

Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.

For insights on security coverage around the Web, take a look at Security Center Editor Larry Seltzer's blog Cheap Hack

Larry Seltzer has been writing software for and English about computers ever since—,much to his own amazement—,he graduated from the University of Pennsylvania in 1983.

He was one of the authors of NPL and NPL-R, fourth-generation languages for microcomputers by the now-defunct DeskTop Software Corporation. (Larry is sad to find absolutely no hits on any of these +products on Google.) His work at Desktop Software included programming the UCSD p-System, a virtual machine-based operating system with portable binaries that pre-dated Java by more than 10 years.

For several years, he wrote corporate software for Mathematica Policy Research (they're still in business!) and Chase Econometrics (not so lucky) before being forcibly thrown into the consulting market. He bummed around the Philadelphia consulting and contract-programming scenes for a year or two before taking a job at NSTL (National Software Testing Labs) developing product tests and managing contract testing for the computer industry, governments and publication.

In 1991 Larry moved to Massachusetts to become Technical Director of PC Week Labs (now eWeek Labs). He moved within Ziff Davis to New York in 1994 to run testing at Windows Sources. In 1995, he became Technical Director for Internet product testing at PC Magazine and stayed there till 1998.

Since then, he has been writing for numerous other publications, including Fortune Small Business, Windows 2000 Magazine (now Windows and .NET Magazine), ZDNet and Sam Whitmore's Media Survey.

Submit a Comment

Loading Comments...
Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel