Skip Microsoft's critical patch, focus on Adobe's, experts urge

PDF patches due later today more important than lone fix from Microsoft

Microsoft today issued just one security update for Windows, the lowest number on a Patch Tuesday since January 2009.

And for once, researchers urged users to spend their patching time dealing with updates from Adobe, also expected today, rather than Microsoft 's fix.

Today's update patches just one vulnerability, which is rated "critical," Microsoft's highest threat ranking, for Windows 2000, but is rated "low" for all other versions of the operating system, up to and including the new Windows 7 and Windows Server 2008 R2.

The patch addresses a bug in how Windows Embedded OpenType (EOT) font engine decompresses specially-crafted EOT fonts, said Microsoft in the accompanying MS10-001 bulletin. EOT fonts are a compact form of fonts designed for use on Web pages, but they can also be used in Word and PowerPoint documents.

This was the second EOT bug fix in the last three months. In November, Microsoft patched a flaw in how the Windows kernel parsed EOT fonts.

Although the vulnerability could result in remote code execution -- security speak that means an attacker could use the bug to hijack a PC -- only Windows 2000 got the critical ranking. All others were tagged with the lowest threat rating in Microsoft's four-step scoring system.

Microsoft explained why in several ways. "These [other] Windows operating systems contain the vulnerable code but do not use this code in a way that may expose the vulnerability," the company said in the security bulletin.

"Due to the nature of bounds-checking performed on 32-bit systems XP and later, the only buffer+index combinations which would pass the old checks will point into address 0x80000000 and above," Brian Cavenah from the Microsoft Security Research Center engineering staff. "Because these regions cannot be accessed while running at IOPL 3, the process will crash (Access Violate) and the attempt to run arbitrary code would fail," Cavenah said on a company blog today .

Andrews Storms, director of security operations at nCircle Network Security, put that into plain English. "Versions newer than Windows 2000 have security provisions that prevents code execution of this vulnerability," he said. "Specifically, it's in the way that memory mapping happens. Running code will register certain opcodes in Windows XP and newer, and those versions then know not to allow code execution."

Richie Lai, the director of vulnerability research at security company Qualys, described it slightly differently. "It's more a hardening of the way Windows manages memory," he said, referring to the changes in Windows XP and later.

In fact, Storms continued, he bet that -- barring the critical nature of the bug for Windows 2000 -- Microsoft would have passed on even patching the vulnerability. "I think this is one they probably wished they didn't have to patch," Storms argued, noting the impending retirement of Windows 2000 from Microsoft support. "Windows 2000 is on its last legs, and except for it, they wouldn't have bothered."

Windows 2000, which according to metrics firm Net Applications, accounted for only 0.6% of all operating systems last month, is slated for support retirement July 13, 2010.

The light month from Microsoft is no surprise, said Jason Miller, the data and security team leader at patch management vendor Shavlik Technologies. In an e-mail, Miller said that January is typically a minor patch month: Microsoft released just one update in January 2009, and two bulletins in the first month of both 2008 and 2007.

"[But] administrators should be prepared for next month if trends hold true," Miller added, pointing out that in February 2009, Microsoft issued four updates, and in both February 2008 and February 2007 it released 11 bulletins.

Storms suggested that users and IT staff take advantage of the single Microsoft update to "get caught up from last year," which he thought more important than applying the one patch for Windows. "And let's not forget the double header today. People should focus on Adobe's update, and maybe Oracle 's, rather than Microsoft's."

Adobe is slated to patch multiple bugs in its Reader and Acrobat software today, including one that's been exploited by attackers since November, sometimes in large-scale hacker campaigns . Oracle is also slated to issue a security update today.

Other researchers also urged a focus on Adobe. "Time would be better spent on Adobe," agreed Wolfgang Kandek, chief technology officer at security company Qualys. "Exploits are out for Adobe's software."

As anticipated, Microsoft did not patch the Windows 7 bug crash bug that went public nearly two months ago. Last week, Microsoft acknowledged it didn't have a fix finished for the vulnerability in SMB (Server Message Block), a Microsoft-made network file and print-sharing protocol that, if exploited, crashes Windows 7 and Windows Server 2008 R2 machines so thoroughly that users have had to power off the system to regain control. Microsoft has maintained that the vulnerability cannot be used to hijack PCs.

"It is interesting to note that the SMB [denial-of-service] exposure is not being addressed, although Microsoft has been open about the fact that it would not be included, and does not have a history of rushing updates for denial-of-service conditions," said Josh Abraham, a security researcher with Rapid7, in an e-mail Tuesday.

This month's security update can be downloaded and installed via the Microsoft Update and Windows Update services, as well as through Windows Server Update Services.

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld . Follow Gregg on Twitter at @gkeizer , send e-mail to or subscribe to Gregg's RSS feed .

Join the Good Gear Guide newsletter!

Error: Please check your email address.

Tags security patchMicrosoftadobe

Our Back to Business guide highlights the best products for you to boost your productivity at home, on the road, at the office, or in the classroom.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Gregg Keizer

Computerworld (US)
Show Comments

Most Popular Reviews

Latest News Articles


PCW Evaluation Team

Azadeh Williams

HP OfficeJet Pro 8730

A smarter way to print for busy small business owners, combining speedy printing with scanning and copying, making it easier to produce high quality documents and images at a touch of a button.

Andrew Grant

HP OfficeJet Pro 8730

I've had a multifunction printer in the office going on 10 years now. It was a neat bit of kit back in the day -- print, copy, scan, fax -- when printing over WiFi felt a bit like magic. It’s seen better days though and an upgrade’s well overdue. This HP OfficeJet Pro 8730 looks like it ticks all the same boxes: print, copy, scan, and fax. (Really? Does anyone fax anything any more? I guess it's good to know the facility’s there, just in case.) Printing over WiFi is more-or- less standard these days.

Ed Dawson

HP OfficeJet Pro 8730

As a freelance writer who is always on the go, I like my technology to be both efficient and effective so I can do my job well. The HP OfficeJet Pro 8730 Inkjet Printer ticks all the boxes in terms of form factor, performance and user interface.

Michael Hargreaves

Windows 10 for Business / Dell XPS 13

I’d happily recommend this touchscreen laptop and Windows 10 as a great way to get serious work done at a desk or on the road.

Aysha Strobbe

Windows 10 / HP Spectre x360

Ultimately, I think the Windows 10 environment is excellent for me as it caters for so many different uses. The inclusion of the Xbox app is also great for when you need some downtime too!

Mark Escubio

Windows 10 / Lenovo Yoga 910

For me, the Xbox Play Anywhere is a great new feature as it allows you to play your current Xbox games with higher resolutions and better graphics without forking out extra cash for another copy. Although available titles are still scarce, but I’m sure it will grow in time.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?