Here's the feed URL to uppdate your RSS reader: http://feeds.ziffdavis.com/ziffdavis/eweek/security_watch
Auto-discovery works in IE 7 and Firefox 2.
Badly-mangled patches are rare, having a patch for a badly-mangled patch is extremely rare. Because of this, the onus is even higher on Microsoft to practice the vendor version of responsible disclosure -- don't bury the details, but actually speak with a loud, clear voice -- "Guys, this isn't a re-release of the update you already have, this is a new release you need to apply immediately"
** It was interesting to see that Computer Terrorism, the British hacking group that exposed Microsoft's inability to properly diagnose a flaw warning in Nov. 2005, is now working "responsibly" with software vendors. The group held its tongue for 402 days on the high-risk Publisher flaw and also worked closely with Adobe on the critical Flash patch that was also released alongside the Microsoft updates.
** It took Adobe 4 months (123 days) to push the Flash fix out the door. Computer Terrorism says a reliable multi-platform/multi-browser Web-based proof-of-concept was created and shared with the vendor.
** There are at least three publicly-known, high-risk flaws in Microsoft Office products that will remain unpatched for at least another 30 days. The most recent MS Word vulnerability, Microsoft confirms is being used in zero-day attacks was not addressed. Patches for two separate high-risk Excel vulnerabilities, known to Microsoft since at least July 2006 were also not fixed.
** The vulnerability covered in the MS Publisher bulletin is the 25th Office flaw fixed this year. That's not counting the silently fixed bugs that Microsoft admits it doesn't tell us about. By comparison, for all of 2005, the company only released fixes for five vulnerabilities. As an aside, a quick peek at the flaw credits in the barrage of Office bulletins has conspiracy theorists wondering whether Microsoft's decision to share the Windows source code with China is linked to the uptick of flaw warnings from the Far East.
** While we're counting, McAfee's Monty Ijzerman points out in an e-mail that Microsoft has already patched more critical vulnerabilities this year than they patched in 2004 and 2005 combined.
** Lastly, did Apple deliberately sneak out its critical QuickTime patch to hide behind Microsoft's Patch Day and the media glare of its more sexy iTunes/iTV/iPod announcements? This is a question I've asked before.
If you want my opinion, my opinion is this: Let Symantec, Kaspersky, F-Secure, and all the others use rootkit technology, it only makes their anti virus products more effective. Let anti-spyware companies like Sunbelt use rootkits against rootkits. Use fire against fire. I don't agree w/ people who say such approaches take away an administrators capability to administer a box. To solve the administrator problem, you only have to do one thing: Treat your rootkit features as a black box and uninstall them with the rest of your product. If an administrator doesn't want your product, then he can uninstall it. You aren't taking anything away.
"With the update available today, you certainly have the choice of deploying now or waiting until your normal release process. If it were my decision, I would move up the schedule. That is what we are doing in our IT operation here at Microsoft."
"We could see the mother of all worms here. My big fear is we’re going to wake up in the next week or two and have people warning users not to read their e-mail because something is going around that’s extremely virulent."