Security Quest #10: Microsoft Patch Tuesday

Another second Tuesday of the month and another bundle of patches from Microsoft was expected. This time around there’s only one update for Microsoft desktops. Windows Vista goes patch-less this month.

MS07-061 is a critical update for Windows XP on the desktop. It’s for both the regular and 64-bit editions. It supersedes MS06-045 and patches a vulnerability that allowed remote code execution when a specially crafted URI was passed. Windows 2000 Professional & Windows Vista are not affected. Several server versions also require the patch. I needed to reboot after installing this patch through automatic update.

MS07-062 was also released but it is only for servers.

Old Business

I’d previously written about the Paypal security fob and VeriSign’s Personal Identity Protection program (PIP). Verisign has since added a credit card sized “security card” that can be carried in a wallet. It’s not available at the subsidized PayPal price and it’ll set you back $48. At least it appears these are gaining traction which is good. It appears that now multiple fobs can be registered with the same ID so you can have one for the home and one for the office if you don’t want to carry them.

News & Links

News.com: Microsoft exec calls XP hack ‘frightening’ – Not really news, but points out that patching is needed. A Windows XP SP1 PC without a firewall or other security software was easily hacked, is this really news? SP2 enables a firewall by default.

News.com: ‘Botmaster’ admits infecting 250,000 computers – Security consultant by day, botmaster by night. John Schiefer could get a 60 year jail sentence after pleading guilty.

News.com: Infamous Russian malware gang vanishes – The Russian Business Network has vanished. No one thinks they packed their toys away.

Wired.com: Encrypted E-Mail Company Hushmail Spills to Feds – HushMail’s easiest to use service not so private. Hushmail provides encrypted e-mail. They offer a service that provides encryption on their server. While easier to use it does mean they see your passphrase, unlike their client-side encrypt products.

arstechnica.com: Malware-pushing web sites on the rise, say researchers: 66,000 and counting – Malware hosting websites on the rise according to researchers.

crunchgear.com: Drive Erazer erazes your drivez – If you have a lot of hard drives that you really want to erase.

engadget.com: Some Maxtor Personal Storage 3200s shipped with virus – Oops.