Microsoft’s relatively quiet week saw a significant Patch Tuesday and a new phase of life for its popular Kinect hands-free game controller.
June’s Patch Tuesday tackled some 24 bugs across 16 bulletins. It wasn’t quite as big as April’s session, but certainly covered a lot of ground: in addition to patching Windows, bulletins targeted vulnerabilities in all supported versions of Internet Explorer, Microsoft Office, SQL Server, Forefront, .NET/Silverlight, Active Directory and Hyper-V.
Microsoft rated nine of those patches as “critical” and seven as “important.” In a June 14 posting on the Microsoft Security Response Center blog, the company cited four of those critical updates as particularly important: MS11-042, targeting two issues in the DFS client for all versions of Windows; MS11-050, a patch for 11 bugs in all versions of Internet Explorer; MS11-052, aimed at another Windows operating system issue; and MS11-043, meant to repair the SMB Client on Windows.
Security IT administrators should pay particular attention to fixing the Internet Explorer issues, according to Joshua Talbot, security intelligence manager for Symantec Security Response. “The slew of Internet Explorer vulnerabilities presents a significant attack surface for cyber-criminals to poke at,” he said, citing how a similar IE flaw was used in “at least one” of the recent, well-publicized data breaches.
Microsoft’s Patch Tuesday also targeted the “cookie-jacking” vulnerability in HTML5 (MS11-037), which could allow a malicious Website to swipe cookies from users. Despite the availability of proof-of-concept code, the apparent inability to achieve direct code execution makes this particular patch “important” as opposed to “critical.”
Microsoft is also aiming to fix a denial-of-service vulnerability in Hyper-V (MS11-047) on Windows Server 2008 and 2008 R2, which could let an attacker on a guest virtual machine execute a resource exhaustion denial-of-service on the host and affect other virtual machines.
When it came to code, though, this week wasn’t all about patching vulnerabilities: Microsoft also released its Kinect for Windows SDK beta, bringing the motion-control and voice-recognition technology to developers and researchers.
Microsoft had originally designed the Kinect controller, which was released in November 2010, as a way to play Xbox 360 games via gesture and the spoken word, hoping to appeal, in the process, to the same sort of casual gamers who had made the Nintendo Wii and its unconventional controllers such a massive hit.
Kinect turned out to be a massive hit, too, selling some 10 million units worldwide by March.
However, tech pros soon found a way to hack the Kinect’s 3D camera, which translates the movements of a user’s body to a digital avatar. Videos soon began to appear on YouTube, demonstrating the next-generation hardware at work controlling robots or allowing people to paint 3D images in mid-air.
At first, Microsoft publicly disapproved. Just as quickly, however, the company decided to pull an about-face and claim it had always intended Kinect to be open to modification.
Now the SDK beta’s arrived. Its system requirements include a Kinect for Xbox 360 sensor; a computer with a dual-core, 2.66-GHz (or faster) processor; a Windows 7-compatible graphics card with support for DirectX 9.0c capabilities, and 2GB of RAM.
Required software includes Windows 7, Visual Studio 2010 Express (or other 2010 edition), and Microsoft .NET Framework 4.0.
Microsoft itself intends to incorporate advances in 3D sensing for products beyond gaming. In late 2010, the company acquired Canesta, a maker of 3D-image sensor chips and camera modules that can be embedded in a variety of consumer products, including laptops and vehicle dashboards.
In totally unrelated news, Microsoft also issued a warning this week against fake tech-support and phone scams.
“The callers pretend to be from Microsoft and try to sell the victim something, direct them to a specific Website, asked for remote access, to install software, a credit card number, or run a bogus security scan that showed an infection,” Eric Foster, group manager for Microsoft Windows Marketing, wrote in a June 16 posting on The Windows Blog.
The scam seems to be taking place in English-speaking countries. A survey by Microsoft’s Trustworthy Computing Team found that, out of 7,000 people surveyed, some 1,000 had received calls, with 22 percent falling for the scam.
Foster’s blog post offered a series of tips for avoiding phone scams. “We want to remind you will never receive a legitimate call from Microsoft or our partners to charge you for computer fixes,” he wrote. “Please remember to question any unsolicited email or call.”