Microsoft News Tracker

It’s hard to get excited about Microsoft’s monthly Patch Tuesday since its arrival is inevitable as death and taxes, so ”Microsoft fixes 14 flaws in biggest patch day since February” isn’t much of an eyebrow raiser, but Todd Bishop points out one interesting patch for Vista Gadgets:

(more…)

The two large collections of non-security Vista fixes whose existence was leaked a week ago have now been formally released by Microsoft as

• Update 938194 (compatibility and reliability)
• Update 938979 (performance and reliability)

(more…)

Yesterday, news leaked that Microsoft has released two new beta maintenance packs for Windows Vista to Windows Server 2008 beta testers. They are named the “Vista Performance and Reliability Pack” and the “Vista Compatibility and Reliability Pack” and provide fixes for many of the significant non-security problems early Vista users have encountered. Speculation has it that they will be released on the next regular Patch Tuesday which is August 14.

The natural question is why isn’t this Vista Service Pack 1 and speculation abounds there too, but since at least the promised search fixes for Google apparently aren’t included, the simple answer is that Microsoft has more work to do before SP1 is ready. In the meantime, there’s no reason they shouldn’t be shipping Vista bug fixes. As for the odd venue of a Windows Server 2008 beta program, it sounds like merely an expedient way to find some beta testers since the Vista testing program has ended.

Ryan Naraine comments at ZDNet about yesterday’s Patch Tuesday fixes from Microsoft:

The carefully crafted image of Windows Vista as the most secure operating system of all time is beginning to take a beating.

For the second time this month, Microsoft has shipped a security bulletin with patches for a “critical” Vista vulnerability that puts millions of users at risk of code execution attacks.

The first time was the out-of-band fix for the animated cursor flaw.

The update — MS07-021 — is one of five bulletins released in Microsoft’s scheduled batch of patches for April.
…
The remote code execution flaw that dinged Vista is an error in the way the Windows Client/Server Run-time Subsystem (CSRSS) process handles error messages. An attacker could exploit the vulnerability by constructing a specially crafted application that could potentially allow remote code execution.

In all, the MS07-021 update fixes three different CSRSS bugs, all affecting Vista.

In retrospect, the touting of Vista security was a poor marketing play because while Vista is better than Windows XP, there was never any chance that users (or Microsoft) were going to be freed of the security patching follies and that is all that really counts. Admittedly, there really wasn’t much else to say about Vista besides the improved security and the Aero “user experience” for those folks not sucked into Vista Home Basic and it was a pleasant dream while it lasted.

The seriousness of the drive-by security flaw in animated cursor handling in all recent Windows versions that was revealed last week prompted Microsoft to today release an “out-of-band” patch instead of waiting until the regular Patch Tuesday next week. The patch also fixes some other security vulnerabilities as well. Download the appropriate version by following the link or just running Windows Update.