Tag: patches

SAP releases patches

The software maker, which makes esoteric, expensive business programmes that no one is really sure what they do, has patched vulnerabilities in its latest HANA software.

The holes had a high risk of giving hackers control over databases and business applications used to run big multinational firms.

Vulnerabilities in big business software are more lucrative to attackers, as these tools store data and run transactions. The flaws were “zero day” vulnerabilities and were the most critical ever found in HANA. For those who came in late, HANA runs SAP’s latest database, cloud and other more traditional business apps.

The holes were spotted by the insecurity outfit Onapsis, which said that the vulnerabilities lay in a HANA component known as “User Self Service” (USS) and would allow malicious insiders or remote attackers to fully compromise vulnerable systems, without so much as valid usernames and passwords.

It reported 10 HANA vulnerabilities to SAP less than 60 days ago, which the German software maker fixed in near-record time.

The resulting patch, issued by SAP on Tuesday, was rated by SAP at 9.8 on a scale of 10, “very high” in terms of relative risk to its customers. SAP is releasing five HANA patches this week to fix a range of vulnerabilities uncovered in recent months.

Onapsis Chief Executive Mariano Nunez praised SAP for doing such a great job, releasing fixes much faster than in past situations.

Microsoft to act to save XP

Software giant Microsoft is considering a plan to automatically switch on Windows Defender for those customers who insist on not running any system protection on old XP machines.

According to Microsoft’s own site, the Volish goal has been to get as many of its customers as possible off the older Windows XP operating system and onto something more modern and protected, Windows 8.1 if at all possible.

But Microsoft will discontinue support for Windows XP in April 2014, which means that if anyone continues to run the OS, any holes found after that will remain unpatched forever.

The idea is that as a customer slips into an unprotected state, Microsoft wants the customer’s antivirus vendor to be the first port of call for an upgrade. If the licence has expired, the first thing Microsoft asks them to do is go and upgrade it. If they have not got any AV product at all, Microsoft will automatically install its Defender product.

Vole said it will not nag, but will at the same time tell people that they’re not protected, and move them back into a protected state without them really noticing.

Windows XP makes up 22 percent of the worldwide user base, and in developing countries it can be under the bonnet of a third of machines. It is possible that a lot of machines could suddenly find themselves protected by Windows Defender.

Microsoft downgrades MSN news service

Software giant Microsoft has made another one of its spectacularly stupid business own goals and slashed its MSN news service.

The Vole has been trying to work out what it should do with its MSN portal. After much soul searching, it decided that it could save a bob or two. After all, people don’t visit a site for the news, they come to be entertained by the adverts, right?

Microsoft cut its MSN.com freelance and contract budget. In an industry where most of the original content comes from freelancers, this means that Microsoft is going to be playing it safe and following a news churn.

According to the Seattle Times, the cuts are a result of budget-tightening and a post-reorganisation cunning plan.

There is a little more to this than it appears. MSN.com doesn’t really seem to fit easily with the rest of the super new “devices and services” focused Microsoft.

Last year, Microsoft created a new version of the MSN.com site that was customised for use with Windows 8, Windows RT and IE 10. That version had a Metro-style look and feel and was optimised for touch.

But Microsoft had a bit of a problem. Unlike most news services, where the idea is to tell the story, Microsoft insisted that the site market its technologies, like Bing search, Skype and Outlook. Needless to say, that did not work well, and people treated it much like they did Windows 8.

The company had another crack at it. MSN News, an updated news portal featuring AP and Reuters alongside content from Microsoft’s own reporters, was created following Microsoft’s sell-off of its 50 percent stake in the Microsoft-NBC MSNBC joint venture in 2012.

Earlier this year Vole was desperately trying to flog MSN.com to Yahoo in exchange for Yahoo’s search business. Yahoo said yahboo sucks.

The site brings in 100 million unique visitors each month to Microsoft, so this is a classic case of Microsoft cutting off its nose to spite its face.

If any normal company had that many visitors, it would be working out ways to make a lot of money from them. Microsoft wants to kill all that off in favour of moving into an industry in which it has so far shown no competence.

Meanwhile, Vole has been playing musical chairs with the magazine. In July, Microsoft moved MSN.com into its Applications and Services organisation under Qi Lu. It has combined MSN.com with the Bing AppEx team, which developed a number of consumer-focused Windows 8 and Windows Phone 8 apps. The site is now part of a new Microsoft Apps, Media and Publishing Group.

Microsoft botches another patch update

After the last Microsoft patch update, you would expect the Vole to get the next one right, but you would be wrong.

It seems that Microsoft has a policy of following Black Tuesday, or patch day, with Doomed Wednesday, or Unpick The Patch Day.

There are loads of complaints on the Microsoft forums about the errors.

The problem seems to lie with the automatic patches KB 2817630, KB 2810009, KB 2760411, KB 2760588 and KB 2760583.

KB 2817630 is a functionality patch for Office 2013. The belief is that installing this patch, possibly in conjunction with the KB 2810009 patch that is part of MS13-074, causes the folder pane in Outlook 2013 to disappear. This is what happens when the latest version of the shared Office library mso.dll, 15.0.4535.1002 from KB2817630, is used in combination with an outdated version of Outlook.

So far Microsoft has been slow to respond. The patches were still available and still marked for automatic installation.

If you uninstall both patches you will get your folders back, although there are other workarounds, such as installing KB2817503 to update Outlook to the matching version 15.0.4535.1004. Updating Outlook with the August 2013 hotfix (KB2817503) restored the reading pane too.

The other errors were in KB 2760411, KB 2760588 and KB 2760583, which are parts of the MS13-072 and MS13-073 security patches for Office 2007.

There are no error messages. Windows Update appears to install them, but the updates are not actually installed. They are listed as important, but Windows will not run them.

Microsoft warns of critical hole

IT departments which are thinking that they can sit on the latest wave of patches from Microsoft might want to change their minds, pronto.

Normally there is a time lag between Redmond issuing patches and them being rolled out by the IT department.

However, according to a statement from Microsoft, IT departments should roll out MS12-020, which was released in this month’s Patch Tuesday, as soon as possible.

The patch fixes two vulnerabilities in the Remote Desktop Protocol (RDP). One is critical and the other is moderate.

Angela Gunn, security response communications manager for Microsoft’s Trustworthy Computing Group, wrote from her bog that both problems were disclosed to Microsoft.

While the Vole does not know of any active exploitation in the wild, the first flaw is nasty for those who run RDP, and is less problematic for systems with Network Level Authentication (NLA) enabled.

It would allow a would-be attacker to achieve remote code execution on a machine running RDP (a non-default configuration) if the machine does not have NLA enabled. In other words, the attacker would not need to authenticate to gain RCE.

RDP enables remote access from the web, preferably only for an authenticated user. The flaw means that an attacker can potentially take complete control of the computer. If the attack succeeds, the attacker can bypass standard memory protection measures and gain access at the kernel level. RDP is enabled by default in cloud-based installations such as Amazon’s AWS.
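The article’s point is that exposure to MS12-020 depends on two settings: whether Remote Desktop is enabled at all, and whether NLA is required. The following PowerShell check is an added example, not code from the article or from Microsoft; it assumes the standard Terminal Server registry locations and that it is run with rights to read HKLM.

```powershell
# Added example (not from the original article): report whether this host is in the
# configuration the article describes as exposed to MS12-020 (RDP on, NLA off).
$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$tcpKey = Join-Path $tsKey 'WinStations\RDP-Tcp'

# fDenyTSConnections = 1 means Remote Desktop is switched off (the non-default-on state
# the article refers to); 0 means incoming RDP connections are accepted.
$rdpDisabled = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections).fDenyTSConnections

# UserAuthentication = 1 means Network Level Authentication is required before a
# session is created, which the article says reduces the impact of the flaw.
$nlaRequired = (Get-ItemProperty -Path $tcpKey -Name UserAuthentication).UserAuthentication

if ($rdpDisabled -eq 1) {
    Write-Output 'Remote Desktop is disabled: not exposed via RDP, patch on the normal schedule.'
} elseif ($nlaRequired -eq 1) {
    Write-Output 'RDP enabled with NLA required: exposure reduced, but still roll out MS12-020.'
} else {
    Write-Output 'RDP enabled WITHOUT NLA: roll out MS12-020 now and require NLA.'
    # To require NLA (admin rights needed; assumes RDP clients support CredSSP):
    # Set-ItemProperty -Path $tcpKey -Name UserAuthentication -Value 1
}
```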

Microsoft to release bunch of patches next week

Microsoft has announced that it will be releasing a large and important security update package next week.

The software giant, which releases security patches on the second Tuesday of every month, has said the updates are to patch security vulnerabilities in Windows.

Windows 7 users will also receive four of the 11 updates; of the 11, five have been labelled “critical” and five have been described as “important.”

Microsoft said it would also “release an updated version of the Microsoft Windows Malicious Software Removal Tool on Windows Update, Microsoft Update, Windows Server Update Services, and the Download Centre.”

Other updates include patches for Publisher, Office and for the company’s email client, Exchange. Microsoft has more details at this page.