PACKET RAT: It takes a village to patch an OS

The Rat

Michael J. Bechetti

Microsoft's latest 'Patch Tuesday' fixes had the Rat and his crew scrambling to test the 10 patches before pushing them out to the unwashed masses, er, users.

The wirebiter has routinely found the Internet Explorer fixes especially vexing, because they contain the fixes that Microsoft has made to circumvent the patents held by Eolas Technologies Inc., the holding company created mostly to get money from Microsoft over Internet Explorer's ActiveX implementation.

'Security, in this case, means financial security for Gates and his minions,' the Rat snarled as he read the patch description.

While Microsoft has been warning software developers of impending ActiveX trouble since December 2005, that warning didn't come with extra developers or money to fix the problem at the Rat's agency, where previous generations of Web-based applications are reacting with varying levels of tolerance (or lack thereof) to the IE changes.

While Microsoft says that the fix only adds one extra click to activate the ActiveX interface, that one extra click is causing some intranet apps to spasm. And Microsoft's official workaround requires recoding every HTML page that has 'helper app' objects on it. Every blessed one.

Meanwhile, some people are questioning what other parts the massive patch payload actually fixes. One bug fix, notes Matthew Murphy of security firm SecuriTeam, is actually there to fix a vulnerability that Microsoft theoretically already addressed, and one that is over two years old.

'[MS06-015] announced a patch which supposedly plugged a single 'Windows Shell Vulnerability' involving the shell's handling of COM objects,' Murphy ('great name for a security expert,' the Rat reflected) wrote on his weblog. And Microsoft says that the vulnerability was not previously publicly disclosed.

But then, Microsoft added this note: 'The update for this vulnerability also addresses a publicly disclosed variation that has been assigned Common Vulnerability and Exposure number CVE-2004-2289.'

As Steven Christey of Mitre Corp. pointed out on the VIM mailing list, that bug was disclosed in May 2004: '700-plus days ago,' Murphy summed up.

The issue here, among security wonks, is what Microsoft knew, and when did it know it? Was the 'variant' discovered after the privately disclosed additional bug? 'Regardless, the information as published is extremely misleading. ...' Murphy wrote.

All of that seems pretty academic at this point to the cyberrodent. All he knows is that he still has hundreds of pages of HTML to browse before he sleeps, and patches falling like snow. But he's got the problem covered for the future.

'From now on,' he said to his agency's software development manager, with T-ball bat in hand, 'we code for Firefox.'

The Packet Rat once managed networks but now spends his time ferreting out bad packets in cyberspace. E-mail him at rat@postnewsweektech.com.
