Experton Group is the leading fully integrated research, advisory and consulting company for mid-sized and large organizations, maximizing the business value of their ICT investments through innovative, neutral and independent expert advice.

Experton Group offers consulting services, market surveys, conferences, seminars and publications related to information and communications technology issues.

Our consulting portfolio includes technology, business processes, management and business cooperations, investments and mergers.

27.10.2008

Major Microsoft Bug is Patched Out of Band



Microsoft Corp. recently released an emergency security patch for a newly discovered vulnerability. In other news, Google, Inc. patched its Chrome browser to fix a malicious download exposure, while startup TextGuard is being launched to focus on preventing instant messaging (IM) and SMS text spam.

Focal Points:

  • Officials from Microsoft recently announced that they were issuing an out-of-band security update. The patch is for a vulnerability that could let hackers take over a computer without the user taking any action. This vulnerability affects all supported versions of Windows. The bug is listed as critical for Windows XP and older versions, because the flaw could be "wormable" on these older versions of Windows. The vulnerability is in the Windows Server service and potentially allows attackers to execute any code with a specially crafted remote procedure call (RPC). Microsoft officials said they released this patch ahead of the normal monthly schedule because they had seen an exploit of this vulnerability online.
  • Officials from Google said that they had recently patched their Chrome browser to fix a bug that could be used to trick people into downloading and then executing malicious code. However, this bug fix is not part of the default update of the Chrome software. The fix can be downloaded by changing Chrome's default setting to receive all updates, including those in developer editions. The latest version of Chrome's beta, 0.3.154.3, changes the behavior of the browser on downloaded files that are executable. These files will now only be downloaded if the user confirms, where before the download would occur automatically. The new patch deletes unconfirmed downloads when Chrome exits. However, since the file is still automatically downloaded, Experton Group believes a more robust patch is needed that does not start any downloads without confirmation by the end user.
  • A new startup has created a product that is focused on minimizing the amount of spam that comes in to mobile devices via SMS, as well as instant messaging (IM). The company, TextGuard, created an application by the same name that can both monitor and block text messages on Windows Mobile and Research in Motion Ltd. BlackBerry mobile phones. The software will track all messages texted by employees on their phones, as well as block spam as it comes via common SMS devices. Parents could also use this software to monitor their children's texting activity. While the spam protection is likely to be welcome, monitoring all text messaging will be a major social change that Experton Group expects will take some time to be adopted.

Experton Group believes the recent Microsoft server vulnerability should be immediately patched, since an exploit is known to exist and the vulnerability can be exploited without the end user's knowledge or consent. Issues with Chrome are not as critical, since no companies are likely to allow use of Chrome in anything but test environments. This issue is sure to be resolved before a production version is released. While monitoring text environments is important, IT executives should ensure users clearly understand the impact of text and SMS monitoring before this is implemented.

Press

Contact

Suzette Heydenreich

Tel.: +971 4 360 8699
Fax: +971 4 361 5699

suzette.heydenreich@experton-group.com