Clarification on Security Advisory 2896666 and the ANS for the November 2013 Security Bulletin...

News

Extraordinary Robot
Robot
Joined
Jun 27, 2006
Location
Chicago, IL
Today, we’re providing advance notification for the release of eight bulletins, three Critical and five Important, for November 2013. The Critical updates address vulnerabilities in Internet Explorer and Microsoft Windows, and the Important updates address issues in Windows and Office.

While this release won’t include an update for the issue first described in Security Advisory 2896666, we’d like to tell you a bit more about it. We’re working to develop a security update and we’ll release it when ready. In the meantime, the advisory includes a Fix it which prevents the attacks from succeeding and we recommend customers apply it to help protect their systems. We also want to provide clarification on the products that the advisory notes are affected. We’ve seen some confusion due to the shared nature of the GDI+ component, which is where the issue resides. There are three ways you can have the GDI+ component installed on your system: Office, Windows, and Lync.

For Office:

  • Office 2003 and Office 2007 are affected regardless of the installed operating system. Currently, we are only aware of targeted attacks against Office 2007 users.
  • Office 2010 is affected only if installed on Windows XP or Windows Server 2003. Office 2010 is not affected when installed on Windows Vista or newer systems.
  • Office 2013 is not affected, regardless of OS platform.

For Windows:

  • Supported versions of Windows Vista and Windows Server 2008 ship with the affected component but are not known to be under active attack.
  • Other versions of Windows are not directly impacted. Customers who use these systems are only impacted if they have an affected version of Office or Lync.

For Lync clients:

  • All supported versions of Lync client are affected but are not known to be under active attack.

Again, we’re only aware of targeted attacks against Office 2007. In those attacks, Windows XP was the operating system seen in use.

As always, we’ve scheduled the security bulletin release for the second Tuesday of the month, November 12, 2013, at approximately 10:00 a.m. PST. Revisit this blog at that time for analysis of the risk and impact, as well as deployment guidance, together with a brief video overview of this month’s updates. Until then, please review the ANS summary page for more information that will help customers prepare for security bulletin testing and deployment.

Don’t forget, you can also follow the MSRC team’s recent activity on Twitter at @MSFTSecResponse.

Thank you,

Dustin Childs
Group Manager, Response Communications
Microsoft Trustworthy Computing


aggbug.aspx


Continue reading...
 
I won't pretend to fully understand the purpose and scope of this "fix", but what it sounds like is not a fix, but a break. The only graphics that I saw that it effected were .tiff files, which as far as I have ran into are scan images. I don't recall ever downloading any of them otherwise. If that is true, then I don't see how a locally generated file could be infected or exploited, unless they are merely the target of something else. If they are only targets, then it would seem to me that this fixit is pointing at the wrong target itself.

Personally I have quite a few .tiff files that I produced on my own person scanner, and a program that I use that is not among those three MS products uses them. I see no reason to cripple the results of something that I have spent a very, very long time creating, based on something no more than some vague warning of some equally vague threat.

I understand that the fix is supposed to be only a temporary workaround, but that raises the question of what a true update for this purpose will do, and if it will cripple the use of .tiffs also?
 
I won't pretend to fully understand the purpose and scope of this "fix", but what it sounds like is not a fix, but a break. The only graphics that I saw that it effected were .tiff files, which as far as I have ran into are scan images. I don't recall ever downloading any of them otherwise. If that is true, then I don't see how a locally generated file could be infected or exploited, unless they are merely the target of something else. If they are only targets, then it would seem to me that this fixit is pointing at the wrong target itself.

Personally I have quite a few .tiff files that I produced on my own person scanner, and a program that I use that is not among those three MS products uses them. I see no reason to cripple the results of something that I have spent a very, very long time creating, based on something no more than some vague warning of some equally vague threat.

I understand that the fix is supposed to be only a temporary workaround, but that raises the question of what a true update for this purpose will do, and if it will cripple the use of .tiffs also?
I must assume it would not cripple the use of TIF files. This would not be good for anyone. More than likely, this is an isolated vulnerability in the software, sort of a zero-day attack, but even I am not certain.
 
I guess your assumption is regarding the upcoming update, rather than the fix-it, because the latter clearly makes the use of the TIFs impossible. It is this kind of thing that I very much dislike about the way that MS handles such situations in general. They never really explain the nature of the problem so that the average person can access the potential risk, or explain any possible ramifications of applying their updates. They expect everyone to just accept their judgment on blind faith.
 
I guess your assumption is regarding the upcoming update, rather than the fix-it, because the latter clearly makes the use of the TIFs impossible. It is this kind of thing that I very much dislike about the way that MS handles such situations in general. They never really explain the nature of the problem so that the average person can access the potential risk, or explain any possible ramifications of applying their updates. They expect everyone to just accept their judgment on blind faith.
If they fully explain the nature of the exploit, it will become more widely used. But, I do see where you are coming from.
 
If they issue it out of cycle it is pretty bad.
I don't question the seriousness of this, but I think that they could at least tell us whether this problem is one already in the wild, or merely a potential one. If the vulnerability has already been exploited, then telling us about it would be far more helpful to us, than to the exploiters. The out of cycle aspect only relates to the fix-it, not the update, and I'm not one to assume that it's release is necessarily because of an eminent risk, but may just be their method of covering their own tails.
 
I don't question the seriousness of this, but I think that they could at least tell us whether this problem is one already in the wild, or merely a potential one. If the vulnerability has already been exploited, then telling us about it would be far more helpful to us, than to the exploiters. The out of cycle aspect only relates to the fix-it, not the update, and I'm not one to assume that it's release is necessarily because of an eminent risk, but may just be their method of covering their own tails.
The end-user license agreement precludes them from any liability to damaged hardware or software investments in nearly all of the software. The problem is that it was discovered by some guy at McAfee, it affects every version of Windows, and if anyone else finds out about it, it would probably become an eminent risk for outdated systems. If you have a good security suite, they've probably isolated the issue, but since Windows XP and Code Red (and all of that), it has been this way.
 
When I spoke of covering their tails, I didn't mean that they might be legally liable for the damage, but legality doesn't cover the manner in which the public's attitude toward them might be effected, and that effect would touch their bottom line, regardless of any legal aspects involved,
 
Back
Top Bottom