A trio of what appear to be new, yet-to-be-patched flaws in Microsoft Office has surfaced, according to security researchers at McAfee.
http://news.com.com/Office+zero-day+bugs+spoil+Patch+Tuesday/2100-1002_3-6175011.html?tag=html.alert
Yes, from Patch Tuesday we now have ‘zero-day Wednesday,’ from the same link…
Cybercrooks have found that they can take advantage of Microsoft’s security update cycle by timing new attacks right before or just after Patch Tuesday–the second Tuesday of each month when the software maker releases its fixes. Some security watchers have coined the term “zero-day Wednesday” to describe that strategy.
Does anybody know why Microsoft only releases patches on the second Tuesday and not any day as soon as possible?
Hi Tech,
I think this has to do with testing the patches. Remember they repatched the ANI-cursor hole off-cycle patch (with the first patch some applications ceased to function, like TugZip, because user.dll used a wrong memory area).
But just think about the consequences of a real very, very critical leak, this OS is not a play-thing, the whole of the world economy depends on this OS.
Really, I do not know, my dear Tech, why it is the way it is. It is like building the Tower of Babel, layer of layer of layer of code on top of each other. So the off-cycle not counted the total number of critical updates now stands at 75. Isn’t it time for SP3 or is it all “Oh-Wow, Vista”, and that is it?
polonus
I vote for XP SP3, though that’s not going to happen. As mentioned here in the forums many times, Microsoft would be better off just coming out with a fresh new OS, without backward compatibility.
Let people use the old operating systems until they drop. Eventually, as developers create new programs for that fresh OS, both enterprise and consumer users would make the switch. Mac got away with it with OS X didn’t they?
Microsoft has gone public with a tentative date for its third service pack for Windows XP. And that date — the latter half of 2007 — is considerably later than many company watchers were expecting.
Unfortunately that is a rather old article, Jan 2006, so we all know how Vista slipped from there, so too could XP SP3. So that latter half of 2007 could be July - Dec 2007.
However this MS one, http://www.microsoft.com/windows/lifecycle/servicepacks.mspx slates it down for: “SP3 for Windows XP is currently planned for 1H CY2008. This date is preliminary.” Which could be Jan - June 2008 and even then that may slip, so don’t hold your breath for SP3.
I don’t know if this almost 4 year gap between SP2 and SP3 (see image) is a deliberate act on the part of M$ in the hope we will buy Vista, but in any case it stinks.
I can’t remember back to 2006, so I either didn’t see that news, or I forgot it. Like I said, I doubt it will happen, but we’ll see…
On a brighter note, Ubuntu 7.04 (the Feisty Fawn) will be released on 4/19.
Here’s a review of the beta. The final release will be rock solid:
http://www.osnews.com/story.php/17505/Ubuntu-Feisty-Fawn-Desktop-Linux-Matured/
Hi malware fighters,
Here is the link where the original Wednesday zero-day bugs were published. A Russian hacker by the name of muts found them with a Python fuzzer: http://securityvulns.com/Qdocument628.html
So it is OpenOffice or AbiWord for me until the next patch round follows. And hopefully someone does not start up his fuzzer again,
polonus
No, Apple did not; they had to create a Classic environment that runs Mac OS 9 apps, which is still supported under OS X 10.4.x for PowerPC users. In addition they introduced Carbon, a common API shared by Mac OS 8.x, 9.x and 10.x, to make it possible to create applications that run under Mac OS X while at the same time running under the classic OS (so any app written to use Carbon could run on all three major versions of the Mac OS). In fact the massive amount of code written to take advantage of Carbon is the main reason MS Office and most Adobe apps took so long to port to Intel; Mac OS X for Intel does not support Carbon, so any universal apps must be completely OS X native, not an OS X/OS 9.x hybrid.
So as you can see, Apple had to go to a lot of trouble to keep users and developers happy and never dropped the backwards compatibility until the Intel switch.
The Carbon APIs are published and accessed in the form of C header files and dynamically linkable libraries. In Mac OS X, much functionality is contained in ApplicationServices.framework. In Classic Mac OS, most functions are in a single library called CarbonLib. These different implementations of the APIs are interchangeable from the perspective of the executable. This permits a program that conforms to the Carbon specification to run natively on both operating systems.
http://en.wikipedia.org/wiki/Carbon_%28API%29
Mac got away with it with OS X didn’t they?
…never dropped the backwards compatibility until the Intel switch.
That’s what I was thinking of.
Thanks for the additional information, very interesting.
No problem
I think it’s time for MS to start fresh and do away with backwards compatibility.
According to an entry on the McAfee Avert Labs blog, "several" attacks exploiting weaknesses in Office were released in security forums on Monday.
We used to have viral Wednesday when exploits emerged the day after patch Tuesday. Now we have malware Monday when exploits emerge the day before.
http://www.theregister.co.uk/2007/04/11/new_microsoft_zerodays/
Hi FwF,
If that is the rate they are patching, McAfee & others have nothing to fear. I mean the patch curve is not declining…
OK, Now I’m confused:
Microsoft disputes reports of new three flaws in its Office software, the company said today.
http://www.pcworld.com/article/id,130637-c,microsoftoffice/article.html
Anyone have any Ideas??
Maybe they want to keep it under wraps or maybe they tested it and there really are no flaws