Microsoft still not ready for the Internet.

Posted by Dan on August 15, 2011   |  No Comments


This month Microsoft pushed 13 security bulletins to address 22 vulnerabilities in its software.  The 2 most notable vulnerable software issues were a flaw in the Windows DNS server, and 7 in their Internet Explorer browser.

The IE vulnerabilities affect all supported versions of Internet Explorer up to and including IE 9. The August Patch Tuesday update purportedly fixes errors in the way IE handles objects in memory and handles JavaScript handlers.

According to MS11-057, Microsoft said an attacker who successfully exploited any of the vulnerabilities could gain the same user rights as the local user, and the most severe vulnerabilities could allow remote code execution if a user uses IE to visit a specially crafted webpage.

Jason Miller, manager of research and development at VMware’s Shavlik Technologies, said the IE flaws and the Windows DNS error allows cybercriminals to attack systems remotely. Any time there’s a public vulnerability “out in the wild, it’s important to disclose it as soon as possible,” Miller said.

I remember as a young system administrator, back in 2000, maintaining a policy that no Windows host was allowed to receive connections directly from the Internet.  This policy was a result of experience, because any time anyone deviated from the policy the Windows hosts in question would be compromised.  As a result, we kept all the Windows hosts behind layers of firewalls, placed Sendmail hosts in front of the Exchange server, and reverse-proxies in front of IIS servers.   At the time  I remember thinking “well… Microsoft just isn’t mature enough to play on the Internet yet, that’s why we have UNIX/Linux.”

Seems not a lot has changed since then.

“Patching administrators also must address server-side vulnerabilities. MS11-058 addresses two privately reported vulnerabilities in the Windows DNS server. The flaws affect the server side rather than a client request to a DNS server. If the company DNS servers have caching of DNS relaying enabled, the system is at risk. Otherwise, if the DNS role is not enabled, users are not at risk, although they should still deploy the patch to be on the safe side,” Miller said.

Remote root attacks against DNS servers are so 1999.

I wonder if Microsoft will ever have an operating system that doesn’t require hand holding.  My guess is as long as people vote with their dollars, the answer is “no.”

This entry was posted in Security Blog and tagged , , , , , , . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *

*

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>