Results 1 to 9 of 9

Thread: Heads up re upcoming Sept M$ patches

  1. #1

    Heads up re upcoming Sept M$ patches

    Looks like Microsoft plays favorites here. They have alerted their Premium partners about the upcoming September patches due out today 9/14/2004.

    http://arstechnica.com/news/posts/20040913-4179.html
    A known but undisclosed security flaw in Microsoft Windows and Office is receiving special attention from the Redmond Giant, who notified its Premium customers of the flaws before the general public. The flaw, the details of which are not yet known, apparently affects Windows, Microsoft Office, Microsoft Visual Studio, and Microsoft .NET Framework. The flaw is rated as critical and the patch is to be released as early as tomorrow. A second patch with a less severe rating of "important" will also be released for Office customers. According to the private notice:

    "At this time no additional information on these internal bulletins such as details regarding severity or details regarding the vulnerability will be made available until 14 September 2004."

  2. #2
    Senior Member
    Join Date
    Oct 2001
    Posts
    748
    Ever since MS started doing the monthly updates they have been sending the security fix notifications to premier customers first. We don't get the patch early though, just a summary of what to expect. We get even more detailed bug lists than this generated for some products, but we use our contract Premier hours to pay for the MS engineer that puts together the report for us.

    Here is what the bulletin looks like-


    On 14 September 2004 the Microsoft Security Response Center is planning to release:

    - One Microsoft Security Bulletin affecting Microsoft Windows, Microsoft Office, Microsoft Home, Microsoft Visual Studio, and Microsoft .NET Framework. The greatest maximum severity rating for this security update is Critical. This security update may require a restart.

    - One Microsoft Security Bulletin affecting Microsoft Office. The greatest maximum severity rating for this security update is Important. This security update does not require a restart.

  3. #3

    Exclamation 2 M$ security bulletins released!!!

    Here are Microsoft's September security bulletins. The JPEG processing vulnerability is scary: it affects a TON of stuff, pretty much everything (see list below)...

    Microsoft Security Bulletin MS04-028:
    Buffer Overrun in JPEG Processing (GDI+) Could Allow Code Execution (833987)
    http://www.microsoft.com/technet/sec.../MS04-028.mspx
    ****SEE LIST OF AFFECTED SOFTWARE****

    Microsoft Security Bulletin MS04-027:
    Vulnerability in WordPerfect Converter Could Allow Code Execution (884933)
    http://www.microsoft.com/technet/sec.../MS04-027.mspx

    Microsoft Security Bulletin MS04-028:
    Affected Software:
    * Microsoft Windows XP and Microsoft Windows XP Service Pack 1
    * Microsoft Windows XP 64-Bit Edition Service Pack 1
    * Microsoft Windows XP 64-Bit Edition Version 2003
    * Microsoft Windows Server(tm) 2003
    * Microsoft Windows Server 2003 64-Bit Edition
    * Microsoft Office XP Service Pack 3 Microsoft Office XP Service Pack 3 Software:
    - Outlook. 2002
    - Word 2002
    - Excel 2002
    - PowerPoint. 2002
    - FrontPage. 2002
    - Publisher 2002
    * Microsoft Office 2003 Microsoft Office 2003 Software:
    - Outlook. 2003
    - Word 2003
    - Excel 2003
    - PowerPoint. 2003
    - FrontPage. 2003
    - Publisher 2003
    - InfoPath(tm) 2003
    - OneNote(tm) 2003
    * Microsoft Project 2002 Service Pack 1 (all versions)
    * Microsoft Project 2003 (all versions)
    * Microsoft Visio 2002 Service Pack 2 (all versions)
    * Microsoft Visio 2003 (all versions)
    * Microsoft Visual Studio .NET 2002 Microsoft Visual Studio .NET 2002 Software:
    - Visual Basic .NET Standard 2002
    - Visual C# .NET Standard 2002
    - Visual C++ .NET Standard 2002
    * Microsoft Visual Studio .NET 2003 Microsoft Visual Studio .NET 2003 Software:
    - Visual Basic .NET Standard 2003
    - Visual C# .NET Standard 2003
    - Visual C++ .NET Standard 2003
    - Visual J# .NET Standard 2003
    * The Microsoft .NET Framework version 1.0 SDK Service Pack 2
    * Microsoft Picture It!. 2002 (all versions)
    * Microsoft Greetings 2002
    * Microsoft Picture It! version 7.0 (all versions)
    * Microsoft Digital Image Pro version 7.0
    * Microsoft Picture It! version 9 (All Versions, including Picture It! Library)
    * Microsoft Digital Image Pro version 9
    * Microsoft Digital Image Suite version 9
    * Microsoft Producer for Microsoft Office PowerPoint (all versions) Microsoft Platform SDK Redistributable: GDI+ - Download the update
    * Internet Explorer 6 Service Pack 1
    * The Microsoft .NET Framework version 1.0 Service Pack 2
    * The Microsoft .NET Framework version 1.1

  4. #4
    Senior Member
    Join Date
    Jun 2003
    Posts
    723

    Re: Heads up re upcoming Sept M$ patches

    Originally posted here by ric-o
    Looks like Microsoft plays favorites here. They have alerted their Premium partners about the upcoming September patches due out today 9/14/2004.
    <sarcasm>I did not realize that they show the same great spirit in their communication as the do in their customer service for the little guy</sarcasm>. Do they put any restrictions on communicating the "Premium partner alerts" to the general public?. It would be nice to see them posted whenever they come out.
    Do unto others as you would have them do unto you.
    The international ban against torturing prisoners of war does not necessarily apply to suspects detained in America\'s war on terror, Attorney General John Ashcroft told a Senate oversight committee
    -- true colors revealed, a brown shirt and jackboots

  5. #5
    lumpy, I don't think that would really matter. Merely because they are only letting their members know ahead of time that a patch will be released. They do not get it any earlier nor any faster than anyone else. It is only a 'heads-up, you need to update soon' and nothing more.

  6. #6
    Senior Member
    Join Date
    Jun 2003
    Posts
    723
    Originally posted here by pooh sun tzu
    Merely because they are only letting their members know ahead of time that a patch will be released. They do not get it any earlier nor any faster than anyone else. It is only a 'heads-up, you need to update soon' and nothing more.
    I know, i read the post. But it still shows contempt for the little guy

    hmmmm, and you were saying what ...
    http://www.microsoft.com/technet/sec.../ms04-028.mspx
    knowing of this a whiles back could have been nice, considering the millions it affects who can't pay for the warning.
    Do unto others as you would have them do unto you.
    The international ban against torturing prisoners of war does not necessarily apply to suspects detained in America\'s war on terror, Attorney General John Ashcroft told a Senate oversight committee
    -- true colors revealed, a brown shirt and jackboots

  7. #7
    Originally posted here by lumpyporridge
    I know, i read the post. But it still shows contempt for the little guy
    Yeah, I agree with ya lumpy. I think security alerts from the software mfr should not be dolled out first to the highest bidder: all customers should be alerted of security issues equally. Couple caveats:

    1) if it could threaten a nations infrastructure security than the particular agency responsible for infosec in that country should know first
    or
    2) affects ISPs which carry Internet traffic.

    What M$ is doing here just struck a nerve and kind of reminds me of the recent situation where a particular software vendor tried to CHARGE their customers for a security patch...I think that was ISS that did that. Boy did that cause an uproar, as it should.

  8. #8
    Senior Member
    Join Date
    Oct 2001
    Posts
    748
    Originally posted here by ric-o
    Yeah, I agree with ya lumpy. I think security alerts from the software mfr should not be dolled out first to the highest bidder: all customers should be alerted of security issues equally. Couple caveats:

    1) if it could threaten a nations infrastructure security than the particular agency responsible for infosec in that country should know first
    or
    2) affects ISPs which carry Internet traffic.

    What M$ is doing here just struck a nerve and kind of reminds me of the recent situation where a particular software vendor tried to CHARGE their customers for a security patch...I think that was ISS that did that. Boy did that cause an uproar, as it should.

    If they were providing any sort of great detail about the vulnerability I would agree with you.. But as it stands they don't. All they say is what you saw me post above. And yes, there are ND agreements so that we are technically not supposed to share those notices before hand. But I have on the occassion, where I fealt it was a big enough deal, let the cat out of the bag early here. In most cases, there isn't enough data in the alert to even worry about posting it.. MS doesn't give out any technical details to any customer until the patch is released. Unless of course you are the one who reported it, and you help them with the patch testing, which is a pretty common thing for MS to do when you report a bug to them.

    Just expect MS security patches around the 14th of every month. I think when you start looking at the corporate agreements that just about every major software vendor has, they do exactly the same thing as MS. I know of atleast two major software companies that release the entire patches to their high level corporate support partners first. We almost always get the new cisco patches before any thing is published about them.

  9. #9
    HFNetChk usually gets the updates before they hit the Windows Update page; it seems this post is a little off track to the fact that their premium customers are warned before the general public. Well here is a way to fix that
    There wasn\'t any paper used here, but millions of electrons were terribly inconvenienced

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •