1, 2, 3 ... Patch Day !
By Daniel LUNGHI, Friday 15 May 2009 at 16:34 :: General :: #308
Several vendors chose Tuesday, May 12th to release their patches:
- Microsoft with the traditional « Patch Tuesday »
- Apple with the 10.5.7 version of Mac OS X
- Adobe with new Acrobat Reader versions for the 7.x, 8.x and 9.x branches
The first patch, MS09-017 (Ref Lexsi 11515), fixes no fewer than 14 CVEs affecting several Microsoft PowerPoint versions (2000, XP, 2003 and 2007). The fix is rated « critical » for Office 2000 and « important » for the other versions. Among the fixed vulnerabilities we recognize CVE-2009-0556, which has been exploited in the wild since the beginning of April.
The particularity of this bulletin is that some of these vulnerabilities affect PowerPoint versions for which no fix is available at this time. Indeed, Office 2004 for Mac is affected by the much-discussed CVE-2009-0556 but is not covered by the MS09-017 patch. The same goes for CVE-2009-0224 (a vulnerability undisclosed until now), which affects not only the Windows versions but also Office 2004 and 2008 for Mac, as well as Works 8.5 and 9.0. This is unusual for the Redmond vendor, who normally waits until a patch is available for all vulnerable versions before releasing it.
Microsoft's explanation is that, unlike the Mac versions, the fixes for the Windows versions of PowerPoint were ready and tested before the monthly release cycle. Furthermore, only CVE-2009-0556 is actively exploited on the Internet, and Microsoft is not aware of exploit code for anything other than the Windows versions of PowerPoint. Finally, the two other vulnerabilities (CVE-2009-0224 and CVE-2009-1130), which affect Office 2004 for Mac among others, were responsibly reported to Microsoft (meaning they were not disclosed before the Microsoft patch release).
Some people already feel outraged by this behavior, which they describe as inconsistent with what the vendor demands when a vulnerability is reported to it: no timeline for the patch release and no possibility of disclosure unless you want to be called « irresponsible ».
Both points of view have their arguments. Considering that, with techniques such as differential binary analysis, exploit code tends to surface within days (or even hours) of a patch release, Mac users will likely find that time passes slowly over the coming month. But would that have justified making everyone else wait one more month while exploitation in the wild is confirmed?
Speaking of confirmed exploitation of vulnerabilities, Adobe has released versions 7.1.2, 8.1.5 and 9.1.1 of Acrobat Reader (Ref Lexsi 11625), fixing the CVE-2009-1492 and CVE-2009-1493 flaws. Version 7.1.2 for Mac is expected before the end of June.
Mac users might feel hard done by. That would be overlooking the release of Mac OS X 10.5.7, which may turn out to be the last Leopard update.
This version fixes no fewer than 68 vulnerabilities, 21 of which are new (Ref Lexsi 11700), including a kernel vulnerability (CVE-2008-1517) allowing local privilege escalation and three vulnerabilities (CVE-2008-3529, CVE-2009-0162 and CVE-2009-0945) fixed by the new Safari 3.2.3 release.
Bad luck comes in threes: Mac users of the Sophos antivirus who wish to fix those 68 vulnerabilities will have to be patient, as the vendor advises them not to upgrade to the new Leopard version if they want to keep receiving infection alerts by e-mail...