Patch Tuesday is a big deal for everyone, including people at Microsoft. Not too long ago, Microsoft bloggers started getting active on Patch Tuesday. Sometimes they just reiterate what is in the advisories themselves; sometimes they add useful and interesting information.
This month (so far) I saw three entries. The most interesting one is in the Security Vulnerability Research & Defense blog. Originally I had viewed MS08-030 (Vulnerability in Bluetooth Stack Could Allow Remote Code Execution) as the most horrifying one today. Remote Bluetooth attackers could take control of a user’s system and all they needed was for the user to be nearby.
The SVRD blog throws some water on this fire. First, they point out the short distance in which Bluetooth is effective, although the limits of this argument were demonstrated years ago with the Bluetooth Sniper Rifle. More to the point, they argue that while the vulnerability may be theoretically exploitable, as a practical matter it’s very hard to do. The attacker has to flood the victim with SDP messages and trigger a small timing window, during which the system is vulnerable. The placement and duration of this window are dependent on the speed of the target system. Suffice it to say, they think it’s not a reliable platform for exploitation.
Also interesting is the entry on the Office Sustained Engineering blog. Microsoft usually issues Outlook Junk Mail filter updates every month. This month there is an update for Outlook 2003, but not Outlook 2007. Expect updates to both in July, but what happened to Outlook 2007 this month? No word on that.
There is also news in that blog about an update that was released to Office 2007 SP1, correcting errors that prevented full installation of some language-specific components when used with WSUS (Windows Server Update Services). The blog links to a KB article with more information, but that link is dead as I try it.
There is also an entry on the Microsoft Security Response Center blog. Most of it just summarizes the bulletins released today and links to them, but there is added content at the bottom, linking to a series of Knowledge Base articles that explain procedures for installing any future security updates to Microsoft SQL Server 7, Microsoft SQL Server 2000 or Microsoft SQL Server 2005. These include procedures that can be followed now to facilitate installing those patches if and when the time comes. SQL Server admins should read the blog and the KB articles.
The SVRD blog has a couple of other entries. One goes into detail on a workaround listed in MS08-033 having to do with changing ACLs on Quartz.dll. The other explains what PGM (Pragmatic General Multicast), the subject of MS08-036, is. The short answer, according to the blog: “PGM is a multicast transport protocol that guarantees reliable delivery from multiple sources to multiple receivers. It is a layer 4 transport protocol, peer to TCP and UDP. You can send/receive data with PGM by creating a socket with SOCK_RDM type and IPPROTO_RM protocol.” More details in the blog.
Finally, the IE Blog pitches in with a brief notice about the June IE Cumulative Update. There’s a note in there for IE8 beta testers about the update.
I read these sorts of blogs all day; it’s my job and I wouldn’t want to subject you to it, but it’s worth fishing through them to find out whether some are particularly relevant to your work.
By the way, how many Microsoft bloggers are there? http://blogs.msdn.com/Opml.aspx lists over 5,100 and http://blogs.technet.com/Opml.aspx lists 1,300-something. And there are more. True, many of these have no posts in them, but perhaps we’re better off for that.
Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.