OK, Patch Tuesday this month from Microsoft includes a few patches, but the one that sparks the most interest for me is the Windows C runtime library vulnerability. It's a problem in the way the library calculates how much memory to allocate for media in memory. It is a critical patch because it could allow an attacker to execute code on your computer, which is pretty much the worst thing that they can do.
OK, this is what that means. You can make a program use the library either by linking it in at build time (static linking), or by having it link to the library when the user runs the application (dynamic linking). You might link at run time to keep up to date or to keep your program small. You might link at build time so that you know the library won't change on you, or because you know it will. So along comes this vulnerability, and you the user are patched by Microsoft, but that only fixes the applications that load the library when you run them. Most programs don't do it this way; most of them statically link it.
What that means is that even though you patch your computer with Microsoft's patch, there are programs on your system that use Microsoft's old library and are still vulnerable. And I don't know how you are ever going to know that all of the programs on your computer are fixed. Microsoft has done all they can do: they made a patch and let everyone know that there may be problems with other people's apps. Now it's up to those other developers to step up, recompile everything, and let users know either that they can download a fixed version or that their app is not affected and you don't need to worry.
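One way to start answering that question, as an added example rather than anything from Microsoft or the original post: the Python below reads a program's PE import table and reports whether it loads a Microsoft CRT DLL at run time. The DLL-name pattern and the `imported_dlls` / `crt_linkage` names are assumptions made for the example, and a result of `no-crt-import` only means the file may carry a statically linked copy (or not use the CRT at all), so it gives you a list of programs to ask the vendor about, not proof.

```python
import re
import struct
import sys

# Assumption: the usual Microsoft CRT DLL names (msvcrt.dll, msvcr71.dll,
# msvcr100.dll, debug builds ending in "d"). The post names no specific DLL.
CRT_DLL = re.compile(r"^msvcr(t|\d+)d?\.dll$", re.IGNORECASE)

def imported_dlls(data):
    """Return the DLL names listed in the import table of a PE image (bytes)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a PE file")
    pe = struct.unpack_from("<I", data, 0x3C)[0]              # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    _, nsect, _, _, _, opt_size, _ = struct.unpack_from("<2H3I2H", data, pe + 4)
    opt = pe + 24                                             # optional header
    # Data directories start at +96 (PE32) or +112 (PE32+, magic 0x20B).
    dirs = opt + (112 if struct.unpack_from("<H", data, opt)[0] == 0x20B else 96)
    import_rva = struct.unpack_from("<I", data, dirs + 8)[0]  # entry 1 = imports
    sections = [struct.unpack_from("<4I", data, opt + opt_size + 40 * i + 8)
                for i in range(nsect)]
    def offset(rva):
        # Map a relative virtual address to a file offset via the section table.
        for vsize, vaddr, rawsize, rawptr in sections:
            if vaddr <= rva < vaddr + max(vsize, rawsize):
                return rva - vaddr + rawptr
        raise ValueError("RVA outside all sections")
    names = []
    desc = offset(import_rva) if import_rva else None
    # Walk the 20-byte import descriptors until the all-zero terminator.
    while desc is not None and any(fields := struct.unpack_from("<5I", data, desc)):
        start = offset(fields[3])                             # Name RVA
        names.append(data[start:data.index(b"\0", start)].decode("ascii", "replace"))
        desc += 20
    return names

def crt_linkage(data):
    """'dynamic' if a CRT DLL is imported, else 'no-crt-import' (static or unused)."""
    crt = [d for d in imported_dlls(data) if CRT_DLL.match(d)]
    return ("dynamic", crt) if crt else ("no-crt-import", [])

if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            try:
                print(path, *crt_linkage(f.read()))
            except (ValueError, struct.error) as err:
                print(path, "skipped:", err)
```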
Oh, and there were some IE vulnerabilities, but then who uses IE anymore? It's slow, buggy, and won't do HTML5 or jQuery. I will try it again in Windows 8 / IE 10.
But in the meantime you are vulnerable. Sorry, someone had to tell you. Try Linux?
- Critical Fixes from Microsoft, Adobe (krebsonsecurity.com)
- IE "Security": Microsoft warns of dangerous IE browser vulnerabilities – ZDNet (blog) (zdnet.com)