Microsoft and Apple tackle patch blunders
By Miya Knights
The top two commercial software giants have both had to look again at patching security flaws, one which Microsoft previously said it had dealt with and one that Apple reportedly claimed was not a security issue.
As part of its Patch Tuesday for June last week, Microsoft released a fix for a critical flaw it said was affecting Windows' use of the Bluetooth networking protocol, which connects peripheral devices to PCs wirelessly.
The MS08-030 security bulletin was meant to stop an attacker in proximity of a Bluetooth-enabled PC from sending it malicious packets to gain control of the system without the user’s knowledge. But late yesterday Microsoft admitted the fix did not work on the most current versions of its Windows XP operating system (OS).
Christopher Budd, a Microsoft spokesman, wrote in a blog posting: “Our investigation found that while the other security updates were providing protections for the issues discussed in the bulletin, the Windows XP SP2 and SP3 updates were not.”
Budd did not go into any further details about why the patch was itself flawed, except to say “early on, it appears that there may have been two separate human issues involved” and that an investigation had been launched.
He added that affected users should test and deploy the new update, which is being made available through Microsoft’s usual automatic update systems.
Meanwhile, Apple yesterday seemed to do a u-turn on a decision not to patch a Safari flaw identified earlier this month, which prompted Microsoft to take the usual step of warning Windows users off running the rival’s web browser.
A hacker known as Aviv Raff discovered that Windows PCs were particularly exposed to the fact that Safari can automatically download certain files without needing the user's permission, because of the way the Windows OS handles executable files on the desktop.
He reported that Apple had told him it did not see the blended threat as an urgent security issue at the time. This was despite the fact that he posted code showing how the so-called ‘carpet bomb’ bug can be exploited to litter the victim’s desktop with executable files containing malicious code.
In an about-face, Apple yesterday issued a fix for the 3.1.2 version of its Safari browser for Windows, but not for Macs.
The vendor said the fix also addresses a less critical issue in the way Safari renders bitmap and GIF images, which could allow attackers to view the contents of a victim’s computer memory.