Microsoft Notes Critical Security Holes in Windows, Office
Scoria writes "CNN is reporting that the infamous Microsoft has disclosed six critical Internet Explorer vulnerabilities, including some that would allow an attacker to execute arbitrary commands. According to the relevant TechNet bulletin, a cumulative patch has been released to address them." Please be sure to read the EULA before installing the patch.
Maybe now we can have UBER patches for ALL M$ products. Well kudos to them actually announcing it! FP!
People can get used to anything:)
Yet six more reasons why I don't allow my family to connect to the internet using MS. They can't be trusted.
-- 4 8 15 16 23 42
It's sad that, when I saw that the patch was released, the first thing I thought was, "I hope the EULA won't force me to accept automatic installs from now on."
I think I'd rather have an insecure system than one that gives MS carte blanche to install what it wants. There's something wrong with that.
Arbitrary commands run by strangers if I don't,
Arbitrary commands run by Microsoft if I do.
If only more sites complied with standards, I could dismiss MS entirely for Opera.
I can spell. I just can't type.
You're right, the fact that there are security holes isn't news but the fact that the MS programmers have finally got off their collective fat arses and released a patch IS news.
I'll be pressing the Windows Update button when I get home tonight.
Anyone want to bet on how long before the next MS vulnerability is discovered?
And the people shall be oppressed, every one by another, and every one by his neighbour Isaiah 3:5
A problem... with a patch? And they announced it? No way... must be one of those infamous typos. Or maybe just another repeat story...
-- Is "Sig" copyrighted by www.sig.com?
... it all boils down to the developers who work at the sweatshop right? When developers try to make operating systems more user friendly by binding commonly used social security holes (alt-ctrl-del) to intuitive items like log into computer, we sure know where everything is headed. Does microsoft have a position open for a clue bat? ;)
Objects in the blog are closer then they ap
pronoblem
Download now to continue keeping your computer secure.
So apparently my computer is already secure and there is no need to download the patch then!
Silly Microsoft.
Why hasn't M$ patented software bugs? I mean, they could easily prove prior art and by the sheer volume of bugs they produce, you'd think they'd want to own the concept.
As my grandfather who was a doctor said, "Doctors, mechanics and others like these all benefit from the misfortunes of others".
Today I just spent 3 1/2 hours updating security patches on a group of machines in an office for Office 2000. The people there are annoyed about all the patches, and we joked about it being "this month's security update". Now there's this, and I'm going to be called in again to update their machines. On one hand it's irritating, on the other hand it gives me more work, which I need at the moment.
A few of them are curious about Linux, and I keep it in their mind - not telling them that it will solve all their problems, but that in the near future it may be beneficial for them to consider it. I let them know an alternative is there, and they are positive, no knee-jerk reactions. I'm honest to them about its advantages and disadvantages - where it will help them and where it will be a challenge. When the time is ripe they will change over - it is inevitable. This won't eliminate the need for security patches, but I hope through the use of thin clients only one or two machines will ever need updating.
For the quickfixes listed on the url, there is no EULA to install them.
GPL'd web-based tradewars themed space game
I just installed it now (q323759.exe) and it didn't ask me to agree to anything. In fact the only question I got was "Do you want to install this update?".
For now, my PC is safe from Microsoft forced modifications (relatively speaking)
Avantslash - View Slashdot cleanly on your mobile phone.
Your Solution
I think you might do a little better with your own priorities than trolling /.
Trouble making decisions? Just flip for it.
haha... why should anyone be surprised? this happens time and time again and will continue to happen until microsoft sees the light and figures out that they don't write good software. if they would go through the software development method looking for flaws in their design or code in the first place we'd have significantly fewer problems. the other problem is that they try to get their software out before it's ready. this leaves all sorts of bugs that maybe would have been fixed. look at xp's first day service pack? how can anyone say that it was ready to be shipped when it did. i don't mind waiting for software as long as it's worth waiting for. in the case of microsoft none of their software is worth waiting for, because they don't wait long enough to put it out.
I write code.
Browsing through the Microsoft link (the first one is a puff piece), it looks as though they still haven't patched the SSL certificate problem in IE/Windows. Will we have to wait until the next multiple security hole patch, or will they release it separately?
How funny it is to click on this story mocking Microsoft and then see the big fuckin ad for Microsoft Visual Studio.Net
A little too ironic, dontcha think?
SIG:Slashdot: indymedia for nerds.
Am I the only who noticed this does not include the fix for invalid SSL certificates? Pretty big (and very expensive) problem, I think....
The Right Reverend K. Reid Wightman,
You have to reboot to complete the installation. Great. Now all my server updates (please do not ask why, I just follow orders) are going to be a joy. I can't believe I have to reboot to patch a damn browser.
I don't want knowledge. I want certainty. - Law, David Bowie
If someone with the corporate edition key for XP Pro installed SP1, would they be able to apply this patch as well? I thought the SP1 would lock out all further updates?
Whoever stated that signature sizes should be limited to one hundred and twenty characters can just go ahead and kiss my
You know, I really hate this changing of the EULA... It should be illegal. It's their fault that they screwed up and had it insecure...
This is like Ford issuing a recall, then changing your lease/purchase agreement when you bring it in for the recall...
Slashdot is like Playboy: I read it for the articles
you forgot 'Microsoft warns about security holes'
posted on Friday August 23, @12:38PM
thank God the internet isn't a human right.
Ok, it's good that they are at least finding and fixing these, but how many ways to execute code through IE can there possibly be?!?
There already are 16 unpatched security holes in IE, and now there are even more holes. While these ones have patches out there, think about how many Windows users actually do patch their systems; it's not very many. For most home Windows users, there might as well not be a patch available, since they won't patch IE anyway.
In the mean time, I'm more than happy to keep using OpenOffice and Mozilla and know that arbitrary code won't be executed on my system if I click the "back" button. Thanks, Microsoft, for giving us yet another reason to use Mozilla.
A Question...
If I pirate XP.. am I bound by the EULA?
Seriously...
"OH MY GOSH!!!! MICROSOFT HAS ANOTHER VULNERABILITY!!! THAT'S NEWS!!!"
Just for kicks, I signed up for Microsoft security bulletins. I get hordes of e-mail every week, as new vulnerabilities are continually found in each of their products. Being an IE administrator it's important to subscribe to this stuff.
New IE patches come out about every 2 months. This patch is not all that big of a deal. All the fixed issues had workarounds, and a lot of it could be prevented by using a good proxy server.
The fact that Slashdot immediately jumps all over Microsoft for this is ludicrous. Get a life.
There is no reasonable defense against an idiot with an agenda
:wq
One interesting IE security resource happens to be PivX Solutions' "Unpatched IE Security Holes." Extensive information about many of the vulnerabilities addressed by this patch was available there months ago.
;)
My original title (which was edited by michael for purposes of clarity, I'm assuming) failed to mention Office; the CNN story and Microsoft TechNet article didn't seem to coincide. However, it's entirely possible that a few shared components may be vulnerable.
Do you like German cars?
...Microsoft has issued at least 30 security bulletins for flaws in its software.
Well, it seems that they're actually starting to solve some of the problems with their buggy and security flaw ridden software.
Well, as it's been said many times, the first step to solving any problem is to first realize there is a problem. The next step? Use Opera.
If you're looking here for something insightful or thought provoking, you're probably looking in the wrong place.
I know what you mean. Personally, I got tired of seeing that stupid ad, so I added the domain it came from (ad.doubleclick.net I believe) to my /etc/hosts file with the IP addy of 127.0.0.1, and now all I get is a little "Click Here" link instead of the ad.
C Pungent
Fine, you spend your life in grief and fear, I shall honor the dead by living free in my country. Putz.
-- Insert wisdom here:
When asked about what effects the EULA would have on security a Microsoft spokesman said,
'Giving us [Microsoft] access to your [the EULA agreers] computer will ensure that your computer systems are impervious to viruses[Microsoft Windows]'
thank God the internet isn't a human right.
>Please be sure to read the EULA before installing the patch.
.com economy goes KABLOOEY!
/. effect, but with no viable evolution occurring
Okay, quick overview of the obvious:
1. Slashdot was born as Rob's blog.
2. Rob's blog was so neat that people told their friends who told their friends who told their friends who told their friends which means
3. Slashdot grows into a meta-geek-culture site.
(Funny to use 'a' there considering slashdot was probably the first, but I digress.)
4. Slashdot the hobby becomes Slashdot the business because Slashdot has juicy eyeball potential and everybody who's anybody is getting a web presence. Rob brings friends aboard to ride the train and help keep it big.
5.
6. Slashdot, struggling as a business model, reinvents its advertising model to essentially become OSDN's advertiser. Not enough banner ads purchased == put the owner's product on every page the eyeballs see.
(Trolls at this point would yell 'unless they pay to get out of it! HA ha ha!' Ahem. Behave.)
7. Slashdot still retains a sizable chunk of the eyeballs it originally grew in step 3. They can still produce the (in)famous
8. Slashdot becomes (reverts to?) Rob and Friend's blog.
Kay. Overview done. ONTO the comment..
>Please be sure to read the EULA before installing the patch.
Well, yeah. It's the same EULA that was in the last security update. That was in the update before that. That was in the update before that. I know, I got bored and started saving them. All of them say the same thing:
'All your microsoft belong to us.'
What I mean is, there's nothing new, nothing earth shatteringly different, it's the same old crap. You run Microsoft on your computer, Microsoft wants you to know that they pretty much own your computer.
Where is the news there? Precisely, what is it worth noting about the EULA?
Then again, well, who cares? It's not a news site, it's Rob + Friends blog! If you don't like it, don't come back here. Is that it?
I just think it's odd that nearly every article michael posts starts off as a news piece, and then turns into a vehement OpEd. I mean, make up your mind, are you news, or are you a teenage blog?
Of course.. I could ignore michael in my preferences, but without Jon Katz around, I find I need somebody new to keep my testosterone pumping.
I'm tempted to send a warning to my Boss the following warning.
"Beware gophur attack in coming days.
Tunnels created by gophur may break windows.
Advise careful monitoring of the handler."
To see if he goes all Caddyshack on me.
I need more old protocols coming back purely to be used for my amusement.
Working for the (other) man
Is this a new technique to reduce the total number of patches they put out? They wait until 4-5 vulnerabilities come out before coming out with a patch. That way, they can say "in 2002, linux had 60 security patches, we only had 56".
Why is it that companies (and individuals) complain and complain about how much time/money/energy they spend on patching Microsoft products and yet don't do anything to change a) their practices and b) their product choices?
This is an honest question that I'm wondering about. I agree with the people who also wonder why Microsoft flaws get so much attention from /. and Linux/Solaris/Apple/etc flaws get next to none. To those that say "Because there aren't any worthwhile reporting on." I say "Read more." The recommended patch cluster from Sun has lots of interesting reading.
There seem to be _a lot_ of alternatives for almost everything. How many of those alternatives are used by more than the developers of those alternatives? By more than the friends/family of the developers? For my part, I don't have the money right now to get a second machine and my current Windows machine is used primarily for games. However, when I get the money, I will be running something other than Microsoft products where possible. My browser of choice right now is Mozilla. But there are sites that require me to use I.E. much to my disappointment. What are the technically savvy people doing to help their companies move away from Microsoft and what alternatives are they proposing? [And no 'Linux' isn't a good answer. What distro of Linux?]
Personally, I'm glad Microsoft changed their EULA to say that it gives them the right to run whatever they want on your computer. It gave me a wakeup call to read the EULAs more carefully. Occasionally, I turn down the EULA and don't use the product. Are other people finding that they are reading EULAs more carefully and actually turning them down more?
--Maarten
.. that Microsoft products have new security holes or that Michael interjects yet another snide pseudo-troll at the end of the summary.
These were the people that said they couldn't open source their software because their products were so flawed with security that it would be a threat to national defense. Could it be that they were actually telling the truth for once?
There will always be security problems, fix it and move on. But when a company knows about it, sits on it forever, tries to silence anyone else who finds it, and denies it... then way down the road writes a fix (finally) and says "Look at us, we're taking proactive steps to insure our customers security", that's absurd.
I'll bet you $20,000 it will take 24 hours before the next MS vulnerability is discovered. Then I'll give Andreas Sandblad $10,000 and have him find another one. It was supposedly a fairly trivial process...
Don't -1 the parent, a good point was made, just not that well.
If your servers are configured correctly and you have redundancy in place then there should be no problem installing this update.
If you don't use load balancing then just bring the warm/cold server online while you take the server you're about to update offline.
Spend a few days testing the updated server.
Then sync with the cold/warm server and repeat.
If you use load balancing then take some servers out of the loop and run them concurrently to make sure Microsoft hasn't broken anything, then repeat until all servers are updated.
If all of the above sounds like voodoo then you should be more concerned about your internal systems than any bugs that might be in Windows.
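The rollout the comment above describes (pull a server out of rotation, patch it, verify it, put it back, repeat) is worth writing down as logic, because the two things that make it safe are easy to forget: never drain the last healthy server, and roll back the moment a patched server fails verification. The following is an added example, not code from the original post or from any vendor tool; `Server`, `make_pool` and the `verify` callable are constructed stand-ins for a load-balancer pool and a post-patch test, and the "sync with the cold/warm server" step is left out.

```python
"""Rolling patch rollout with a redundancy guard and rollback on failed verification.

Added example; Server/make_pool/verify are constructed stand-ins, no real hosts are touched.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List


@dataclass
class Server:
    name: str
    patch_level: int = 0          # constructed: 0 = unpatched, 1 = this update applied
    in_rotation: bool = True      # whether the load balancer currently sends it traffic
    history: List[int] = field(default_factory=list)  # previous levels, for rollback


def make_pool(names: List[str]) -> List[Server]:
    """Constructed sample pool of unpatched servers, all in rotation."""
    return [Server(name) for name in names]


def rolling_patch(pool: List[Server], target_level: int,
                  verify: Callable[[Server], bool], min_in_rotation: int = 1) -> Dict:
    """Patch the pool one server at a time.

    Returns {"ok": bool, "reason": str, "patched": [names]}. Stops at the first
    server that fails verification, after restoring it to its previous state.
    """
    patched: List[str] = []
    for srv in pool:
        if srv.patch_level >= target_level:
            continue                                  # already done
        active = [s for s in pool if s.in_rotation]
        if len(active) <= min_in_rotation:
            # Draining this server would leave nothing serving traffic.
            return {"ok": False, "reason": "insufficient redundancy", "patched": patched}
        srv.in_rotation = False                       # take it out of the loop
        srv.history.append(srv.patch_level)
        srv.patch_level = target_level                # apply the update
        if not verify(srv):                           # the "spend a few days testing" step
            srv.patch_level = srv.history.pop()       # roll back to the previous state
            srv.in_rotation = True
            return {"ok": False,
                    "reason": f"{srv.name} failed verification, rolled back",
                    "patched": patched}
        srv.in_rotation = True                        # back into rotation
        patched.append(srv.name)
    return {"ok": True, "reason": "", "patched": patched}


if __name__ == "__main__":
    pool = make_pool(["web1", "web2", "web3"])
    print(rolling_patch(pool, 1, lambda s: s.name != "web2"))
```

With the sample pool and a verification step that rejects `web2`, the run patches `web1`, rolls `web2` back to level 0 and returns it to rotation, and leaves `web3` untouched, so the operator is left with a known-good pool rather than a half-finished one.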
thank God the internet isn't a human right.
MSFT announces security patches.
Film at 11.
Next!
RedHat and Mandrake announce security patches.
Film at 12.
Next!
It just allowed the MPAA to post a banner ad on Slashdot!!!
I don't understand why people complain about the number of patches from MSFT. They're not that hard to apply. I think Linux is just as bad - I have 36 messages since 1st June (DSA-129-1 through DSA-157-1) in my Netscape folder for the Debian Security Announce mailing list. The only difference is that one OS normally requires rebooting after patching.
Really. I'm glad they are doing this. Glad they are taking some active measures to improve their security. If everyone who has a windows machine actually performs the update, we'll have a safer world of computing :)
If they don't pshaw the other holes that other people find and admit their seriousness now, I'll actually have one less reason to hate them.
-- Who is the bigger fool? The fool or the fool who follows him? --
You know. The time that someone thought it would be gnarly to hack OpenBSD's FTP server and trojan the makescripts?
The folks at OpenBSD still haven't explained how that's happened so we've got six theoretical bugs (which will undoubtedly become reality Real Soon Now) versus an unexplained, but very real, hack, which may or may not manifest itself elsewhere. And as long as we're calling apples and oranges, take a look at the size of the codebase and the amount of functionality of one versus the other.
Easy does it!
This comment has been submitted already, 276865 hours , 59 minutes ago. No need to try again.
In the same e-mail, I sent a link to RedHat.
Hopefully, my family will finally switch to an OS that actually works.
Thanks Microsoft, for helping me make my family realize how much your software sucks -- couldn't have done it without you! *smiles*
When faced with a problem, many web developers say "I know, I'll use JavaScript!".
Now they have two problems.
So I have to choose between a dangerously insecure system, or one which Microsoft has some control over. Hrm....let's see...I don't patch and risk losing everything to a malicious hacker, or I do patch and maybe, at some point in the future Microsoft MIGHT push an update onto my machine.
I think I'd rather have the secure machine...
Especially considering to get the "Designed for Windows 2000 / XP" Logo on your software, you have to have an install that doesn't require a reboot.
I am not a number! I am a man! And don't you
I think I have finally figured out why /. *pretends* that they don't like Microsoft.
/. readers know that the editors have a habit of posting the same story multiple times. This results in hordes of geeks complaining about having to read the same thing twice, making comments about the IQ of the editorial staff and generally having a good whine.
/. editors don't like M$. By pretending not to like M$ they simply make their jobs a lot easier.
Regular
But...
Articles bashing M$'s security are sure fire winners. There are so many security holes in M$ code having a duplicate story is difficult simply due to the laws of probability. And if you do manage a duplicate you can just point out (in perfect safety, without bothering to check whether it is true) that the hole hasn't been fixed yet and this is just an update on a critical security flaw.
So it isn't that the
People couldn't type. We realized: Death would eventually take care of this.
You mean there isn't already an M$ bug deadpool?
Jaysyn
There is a war going on for your mind.
from the bottom of the BBC article:
Damn never knew about Mandrake. It's gone, hate them stinky French. Redhat always ran better anyway. Still M$ may be American but so are 90% of the other people in the country I can't stand.
Slashdot editors are prjudiced against handy capped people and BSD users. While submitting a story reguarding this handy new technology for deaf people to be able to talk to those who cannont sign, under this account, it got rejected in under 2 minutes. submitting the same story as "I am linus's ho", it is still pending, 10 minutes later. While another "ask slashdot" containing "why yo be playhating" earned me massive downmods in past comments deleiving me karma down from 'excellent' to 'good'. thusly, i conculude that slashdot editors are facist jew haters who hate bsd users and deaf people.
I'm gonna start smoking again and drinking and having unprotected sex and them I'm gonna stop paying taxes and start cursing out the the cops and run through the airport with a gun.
I can't cope anymore. Tomorrow there will be 6 more critical problems and 6 more and 6E5 more. What's the fucking point?
Get Naked And Start The Revolution!!
But I won't work on Windows computers in my free time, which means I will not help them fix their windows computers if and when they break.
Period.
Of course, my mom prefers GNU/Linux and hates her Windows box at work (her home Linux box works, and works well).
My sister's husband, on the other hand, prefers Windows. Fine. Their computer is broken a lot and they have trouble finding anyone to help them fix it. *shrug*
The Future of Human Evolution: Autonomy
Fixing six vulnerabilities is good. They're not _finished_,
but it's progress.
Cut that out, or I will ship you to Norilsk in a box.
Is anyone else sick of these posts? This isn't newsworthy anymore, it's a damn MS flaming session.
-flamebait
It's not a news site, it's Rob + Friends blog! If you don't like it, don't come back here. Is that it?
Well, I'd put it like this: the site is concerned with open source software, free software, Linux, privacy issues especially related to technology, various general tech issues and toys etc., plus various cultural things of interest to its target audience, like anime, sci-fi, etc. If you don't share the interests and perspective, and aren't interested in learning more about those things, then yeah, you probably shouldn't be here. Then again, /. could probably do with the advertising dollars, so by all means stick around, just try to keep down the whining.
by another application. So if you have a trojan program masquerading as the Login Screen trying to capture people's passwords, pressing Alt-Ctrl-Del will bring up Task Manager.
Read the OpenBSD FAQ for the details of why the FTP server isn't an OpenBSD box, but IIRC it's basically because it's a donated box and bandwidth from a university, and beggars can't be choosers.
Any sufficiently advanced technology is indistinguishable from a rigged demo
--Andy Finkel (J. Klass?)
The fact of the matter is Windows is the most common target of hackers. They occasionally find stuff, it gets fixed.
Then there is this warning to 'be sure to read the EULA' as if there is something in this EULA different than every other EULA for Microsoft Products? It is proprietary software, it has a EULA. Just like every piece of proprietary software from every other non-evil company. Get used to it. Not every company wants to make free software. Not every software makes sense to be created under a free model. And in a free world software developers should have that choice too, should they not?
The people that are really doing the user community a disservice are the ones who, out of misguided stubbornness or as a misdirected 'protest' against Microsoft, (or because slashdot implied that the EULA with this patch was somehow troublesome) don't apply security patches. Because now that the vulnerability is well known every script kiddie on the planet can write a few lines of code to use it to do things that harm all users, like set up a DDOS attack on sites.
I'm sure my karma's going to take a hit for this, but here goes:
Is there anyone reading /. that really hasn't gotten the point that Micro$oft makes horribly insecure products? Why is it that every single time yet another gaping hole is found for IE that it gets frontpage treatment here? Is this really news? Is this really surprising to anyone here?
It would seem to me that anyone having to deal with this problem (ie, the poor admins who have to look after Windows machines) would have already been alerted to this by the various security mailing lists available. The only point of posting these stories is for the militant OSS guys to pat themselves on the back and bemoan how Microsoft can't do anything right.
We already know this, people. Yes, IE is a POS. Yes, this is what happens when the marketing people dictate what direction your application development goes in. Yes, IE is more full of holes than Swiss cheese.
Enough already.
"Oh my God! The dead have risen! And they're voting Republican!" - Bart Simpson
If you are really concerned enough about security in the first place, either don't plug in your ethernet cable or don't buy Windows. If you don't use Windows, why the hell are you complaining? You laugh at Microsoft because they have to fix security in their software all the time. Well, I'm laughing at Linux because your line of supported applications and games is comparable to the Mac section in any general computer store on Earth.
Come up with something else to complain about for once. Geez. Open source is great, monopolies are bad. Yipee. Now get off your asses and do something, you know, useful.
You're joking, right? By God I hope you are...
In the UK, the Unfair Contract Terms Act puts the onus on the company to prove that an apparently unfair contract term is in fact fair. If they can't prove it, the term doesn't apply. Threatening to force people to run insecure software unless they agree to allow arbitrary future modifications to their systems (or unless they agree to new unwanted restrictions on how they use those systems) sounds, prima facie, unfair.
The Act applies to consumers, but I don't know whether it applies to business customers as well. But it's a start.
My favorite part of the EULA is where you can not reveal the results of any benchmark tests of the .NET framework unless Microsoft gives you permission to do so.
What does that tell us about .NET?
I wonder if saying something like "I would like to tell you exactly how slow the .NET framework is, but then Microsoft would sue me" would be ok.
Interestingly enough, though...you only have to accept the EULA if you use the Windows Update feature of IE. If you just download the fix from TechNet, no EULA is mentioned.
Is it just this particular cafe in Spain, or has Hotmail been down for a few hours?
To have a monopoly (already proven in court), put out an inferior product and not have to worry about being sued for all the damaging worms and viruses that said products inflict upon your clients.
If a totalitarian regime put out software for it's masses it would be just like this.
(Go ahead Redmond disciples and mod me down. What good is a ton of karma if you can't burn it?)
I changed my own oil, brakes, plugs, coil, alternator ........... as you expected.
So on one hand I should learn to change my oil, top up my water etc...
But on the other I shouldn't learn C++, so that I can see what's gone into my operating system.
I can run my car with dirty oil, no real problem, but I wouldn't like to run my computer with dirty software.
and these people wonder why half the world hates them...
and for the record, americans didn't do jack shit in europe, in EITHER war. they just pulled the regular "cavalry entrance" once the war was over.
Hell, my 3 year old son gets it OK?
(While playing Zoboomafoo Alphabet the Critical Update came onto the screen obscuring the Lemurs. "Daaaad stupid Windows is bothering me!")
This
It'll cut that down to 10 minutes. Forget going to individual desktops - and FORGET MICROSOFT SMS.
heh heh
It's nothing, just you're carbodyluminocap acting up... just a couple of hours to fix.
Once there was a time when we patched our Windows machines because we were concerned about the security of our machines.
Now we think twice about installing a patch because we are concerned about the security of our machines.
And about the new EULAs, it can be Windows, Linux, FreeBSD, AIX, Solaris, Mac or whatever. I would never want my machine to update some components by itself. For the machine on my desk, I could live with it. But I do have machines running, doing more important tasks, where I like to be completely in charge of what's updated.
Sure, it requires more work and attention, but what if the automatic installation of a patch could have implications that would render the service that the machine provides useless, or even worse the entire machine.
That's why you would choose to install updates by yourself. This enables you (with proper documentation) to pinpoint if an update is causing problems with a service, decide if the lack of the update is a threat to the security or uptime of the machine. And you can choose to roll back to a previous state to correct the problem.
So while an automatic update is a great idea for those without any knowledge about the personal computer that they have at home in their living room, I would never run a system where I could not choose myself if I want to use the automatic updates.
my sig
-dave
1) http://www.suse.com (or your fav *nix distro)
or
2) http://www.apple.com/switch/
As a secondary point, I don't know why this is but every time these vulnerabilities pop up the media writes about them as if they have the same effect as the EMP from a nuke airburst. I quote from their current article on these new vulnerabilities:
Jesus Christ! It's like the end of the world for my computer or something. The only thing missing is the bit about the vulnerability causing my computer to become artificially intelligent and start trying to annihilate all humans. Give me a break.
"I'm a leaf on the wind. Watch how I soar."
-Hoban Washburn
Wondering if MicroSoft builds in bugs which allows them to announce the fix, then ship an update which changes the EULA. Just need to supply enough bugs to handle the number of EULA changes expected. Obviously, they expect to change it frequently.
Who would win this election: Andrew Weiner vs Andrew Weiner's weiner.
Just noticed, but it is probably very old.
* You may not disclose the results of any benchmark test of the
So, if we translate it to "Ford-style", I would not be allowed to post any performance results (mileage, design issues, bad tires...) of a Ford SUV without consulting with Ford first and getting their approval???
I'm no big M$ fan, but doesn't windows 2000 server support DNS and DHCP as is, I know Windows 2000 AS does.
Perhaps a database and mail server would make a better better argument.
thank God the internet isn't a human right.
...a lot of Microsoft patches do not undergo regression testing.
HotFixes and QFE patches state that they have NOT been fully regression tested.
This is a known fact to most decent NT/W2K sysadmins.
Why? Windows has one purpose, Gaming!
Browse with mozilla or opera on linux using the junkbuster proxy
and never see another banner ad or popup again!
And when everyone's running some kind of *nix derivative and it gets the same kind of cracker attention and media coverage on security issues, what then?
"I'm a leaf on the wind. Watch how I soar."
-Hoban Washburn
Automatic update for home users that aren't technology-savvy like us = good
:)
Automatic update for my dad that only watches stock quotes and doesn't even know what to do when his windows box opens a menu like scandisk (so forget about patching and all) = good.
Automatic update for people that don't care about their machines being a hub for a potential DDoS attack = GOOD THING.
Automatic update for people that are knowledgeable and responsible netizens = more or less evil.
Above but with no way to turn it off = just plain lame.
So okay, let them have it their way, and the DAY they send up a patch that breaks everything and kills all of their userbase with a major flaw, you will have enough ammo to fire back at them. Before that, nobody cares; people leech kazaa with spyware, they don't care as long as they get MP3s or videos. Face it, if the majority don't care, you don't have a case. When the majority face a serious flaw, bug, or their computers won't boot again, and it happens to their friends, family and everyone, then they will pay more attention to the people that try to advocate this matter. It will happen, just be patient.
--- Metamoderating abusive downgraders since my 300th post.
From an end-user support standpoint, this appears to be a more critical bug due to the ease of use. Anyone can email someone a fake link that deletes their system folders. I'm not sure that Microsoft has addressed this in any way. Maybe they don't know about it yet.
If link above goes down, here's the quoted text:
There has been a very serious flaw discovered in the "Help Center" included in Windows XP.
To try it out, do the following, but, BE WARNED. IT WILL LIKELY delete anything you put in the "test" directory.
Create a folder called "test" at the root directory of your hard drive. Put some files in it (junk, whatever, stuff you don't care about losing). YOU HAVE BEEN WARNED AGAIN!
Then, copy and paste the "link" below into any address bar and hit enter.
Wait a few seconds, then, check that directory again. Gone, gone, gone.
This is a HORRIBLE exploit because it can be a link in any web page and exploits a terrible flaw in the Windows Help Center included in XP.
hcp://system/DFS/uplddrvinfo.htm?file://c:\test\*
Ways to fix this issue:
Delete/rename the "uplddrvinfo.htm" file (located in C:\WINDOWS\PCHEALTH\HELPCTR\System\DFS).
Or, open it , find, and delete the following section of code:
var oFSO = new ActiveXObject ( "Scripting.FileSystemObject" ); try { oFSO.DeleteFile( sFile ); }
Or unregister the hcp protocol handler.
Deleting the section of code breaks the exploit (I have verified it myself) and it is highly recommended that anyone here using XP take steps to fix this because it won't be fixed until SP1 for XP comes out.
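An added check for the three workarounds listed above (example script, not from the original post and not Microsoft's own tooling): it reports whether uplddrvinfo.htm is still present, whether it still contains the FileSystemObject/DeleteFile code, and whether the hcp: protocol handler is still registered. It assumes the page lives under %SystemRoot%\PCHEALTH\HELPCTR\System\DFS as the post says, and that the handler is registered under HKEY_CLASSES_ROOT\hcp; the optional -Remediate switch applies the post's first fix (renaming the page) and needs administrative rights.

```powershell
# Added example, not from the original post. Audits (and optionally applies) the
# workarounds described above for the Windows XP Help Center hcp:// file-deletion issue.
# Assumptions: page path as given in the post; handler key HKEY_CLASSES_ROOT\hcp.
function Test-HcpDeleteWorkarounds {
    param(
        [switch]$Remediate   # rename uplddrvinfo.htm if its DeleteFile code is still present
    )
    $page   = Join-Path $env:SystemRoot 'PCHEALTH\HELPCTR\System\DFS\uplddrvinfo.htm'
    $hcpKey = 'Registry::HKEY_CLASSES_ROOT\hcp'
    $findings = @()

    if (Test-Path -LiteralPath $page) {
        # Fix 2 in the post: the page is only dangerous while it still builds a
        # FileSystemObject and hands the path from the query string to DeleteFile.
        $hit = Select-String -LiteralPath $page -Pattern 'Scripting\.FileSystemObject|DeleteFile\s*\('
        if ($hit) {
            $findings += "VULNERABLE: $page still contains the FileSystemObject/DeleteFile code"
            if ($Remediate) {
                # Fix 1 in the post: rename the page so hcp://system/DFS/uplddrvinfo.htm resolves to nothing.
                Rename-Item -LiteralPath $page -NewName 'uplddrvinfo.htm.disabled'
                $findings += "FIXED: renamed to uplddrvinfo.htm.disabled"
            }
        } else {
            $findings += "OK: $page is present but the DeleteFile code has been removed"
        }
    } else {
        $findings += "OK: $page is absent (deleted or renamed)"
    }

    # Fix 3 in the post: without the hcp: protocol handler, an hcp:// link in a web page goes nowhere.
    if (Test-Path -LiteralPath $hcpKey) {
        $cmd = (Get-ItemProperty -LiteralPath "$hcpKey\shell\open\command" -ErrorAction SilentlyContinue).'(default)'
        $findings += "NOTE: hcp: protocol handler is registered" + $(if ($cmd) { " (command: $cmd)" } else { '' })
    } else {
        $findings += "OK: hcp: protocol handler is not registered"
    }
    return $findings
}

# Usage: audit only, or Test-HcpDeleteWorkarounds -Remediate from an elevated prompt.
Test-HcpDeleteWorkarounds
```

Run it before and after applying whichever fix you choose; a result of "OK" on the page line but "NOTE" on the handler line is the expected state if you only edited or renamed the page, since the hcp: handler itself is still needed by the rest of Help and Support Center.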
You can run the 'client' inside of a VM on the firewall, but that is kinda resource intensive.
...at least not according to their lawyers.
Alas, Babylon.
Courts are still a little leery about the EULA you agree to by opening the package containing the EULA; I don't think that one has ever even gone to court, and the enforceability of EULAs remains a big legal unknown. One purpose of the still-abortive UCITA is to nail this point down (with a "yes", of course).
But even in my most paranoid fantasies, I can't imagine a thing that you can't even see, ever, that you somehow "automatically" agree to, ever being binding. The EULA is not negated, in this case, it simply never existed.
I read the EULA comment as an attempt at humor, poking fun at the fact that everything this side of cola cans is starting to have a EULA slapped on it.
Seems like everyone is making too much of it...
One of the things this fixes is "a buffer overrun vulnerability affecting the Gopher protocol handler." Good lord, gopher's been dead for a decade! Why the hell does IE still bother supporting it at all?
I'm the stranger...posting to
I used Windows Update to get the IE patches, and a EULA did appear. One of the EULA items said I could not publish a benchmark of the .NET framework without written consent from Microsoft.
You complain about it when it's patched.
You complain about it when it isn't patched.
You complain about them finding security holes.
You complain about them not finding security holes.
Grow up.
It's a big program used by a lot of people with a lot of other people trying to break it.
There will always be holes.
Nothing is perfect.
Nothing is totally secure.
Except possibly something broken and completely worthless, and probably not even then...
South side of Chicago? Harlem? Watts? Compton? Africa?
:)
Might get more than 10% then.
"For a successful technology, honesty must take precedence over public relations for nature cannot be fooled." -Feynman
The EULA was shown to you if you used Microsoft's Windows Update website. I know that I am looking at it right now.
"You may not disclose the results of any benchmark test of the .NET Framework component of the OS Components to any third party without Microsoft's prior written approval."
That is the main right that you give up with this patch, but I think that has been in all their supplemental EULAs since .NET has been available. Wonder why they are so "afraid" of people saying what their benchmarks were.... Makes you wonder how doctored the results that they are publishing are if you can't disclose the ones that you receive.
I did not see anything about forcing DRM on us in this patch, but don't think that will stay this way for long.
We were all warned a long time ago that MS products sucked, remember the Magic 8 Ball said, "Outlook not so good"
He's my mate. He may be a Mac OS user, but he keeps me occupied with all his fanatical posts (with quite a few lies). Read his journal. A great one to get a flame running with, and quite arrogant too.
OK, go for the political crowbar; try to fit communist or axis of evil into every post you make. He'll probably stop posting on /. at some point soon. Try trolling on some system architecture ideas too; he's sure to bite.
I am currently analysing his posts to generate a better profile of foobar104 in the hope of cutting some of his threads short before people start ranting.
p.s. This is not a personal vendetta against Mr. foobar104; as I said earlier, he keeps me amused.
I thought you meant IT administrator. It's really sad that the browser has so many holes you need an admin for it.
-- john
That's the beauty of it. When you work out in the open, you have the potential to make truly secure products. Everyone else relies on a small handful of programmers to identify and fix problems.
Doesn't OSX come with MSIE?
Slashdot needs a "-1: yet another ranting jackass" moderation button...
0 1 - just my two bits
for the record, americans didn't do jack shit in europe, in EITHER war. they just pulled the regular "cavalry entrance" once the war was over
Actually, for some silly unknown reason, American and British boys were spilling their blood to save your country of cheese-eating surrender monkeys while your Grandmother was sucking off Gestapo officers for cigarettes and cheap wine.
by the time you finish reading the eula, a new patch will be out.
I must admit, Mr. Gates is one incredible business man.
Don't announce security holes unless you are ready to release a patch, then you look like you're acting fast with no delay to solve the problem. Customers like that. Customers don't like to be warned that there is a hole with no patch, even if it will help them avoid potential problems, because it makes your company look irresponsible or slow or lazy or whatever.
When I say customer, I mean the portion of the population that doesn't even know what a EULA is. I mean the portion who, if told they need to pay a monthly license fee, would shovel out the money as a necessary expense. I mean those who think a web browser or its home page determines the ISP that you use.
TodayTM BillyJoelTM GoogleTMd for StitchTMes due to WindowsTM while RollerbladeTMing with an AppleTM and a PopsicleTM
Does this EULA have the infamous "we have the right to turn off functionality and delete files" clause that Microsoft has been putting in EULAs lately, in preparation for extra-aggressive digital rights management?
I have personally caught M$ stuff going around ZoneAlarm on two occasions:
WinME, no patches, ZAPro; system had no modem, thus no internet connexion. ZAPro dutifully reported every attempt to connect (which a lot of programs try to do for one reason or another, usually innocently)... until FrontPage 98. My first clue was when FP98 whined about being unable to find the nonexistent modem. ZAP didn't make a peep.
Win98, no patches, ZA Amateur 2.63 (I think); system has modem and DUN configured in the usual way. HAD been well-behaved. Made the mistake of installing TurboTax this past April, and it forcibly installed IE5.5. Which FUBAR'd DUN. When I finally got DUN working again and went online, ZA *immediately* reported an attempt to intrude, from a M$ IP address (I whois'd it, so I'm sure), IIRC on a UDP port. Excuse me? What business does M$ have trying to get into MY computer? And since IE5.5 wasn't running per se (I only use Netscape online), clearly it had suborned Windows itself. And again, ZA didn't make a peep, tho it had always reported every other attempt to get in or out.
This is why I IEradicated IE5.5 [see 98lite.net] and reverted the system to IE5.0, which had never exhibited any underhanded behaviour (tho I don't let it out on the net, I only use it for checking my HTML locally).
And yes, there is a hardware firewall in my future, exactly because of this sort of security breach.
~REZ~ #43301. Who'd fake being me anyway?
First off, I'm not saying that MS doesn't need to work harder at making their software more secure BEFORE releasing it. But if you think about it, there really is nothing computer-related that is 100% secure. There's always someone that finds some way around whatever security gets implemented. Windows is the #1 OS by a long shot, and therefore has WAY more people trying to exploit any vulnerabilities. I believe that if Linux or some other OS had such a huge market share, perhaps there would be a lot more people finding security holes in those systems. Personally, I run FreeBSD on my server, but I use WinXP on my personal box, b/c it's primarily used for gaming. Anyway, just my viewpoint.
R.
Mr bar, I hope you don't get a little worm in your ohhhh soooo secure network, or your NAS server may be doing a bit more than a NAS server should.
Don't forget this, mr bar:
many security flaws are caused by buffer overruns and other bugs in the code, not by checking login information correctly. A bug that can be exploited to gain access can also cause your machine to crash or data to become corrupt. Don't think "security patch", think "mangle the data on the HDD".
I can appreciate the advantages of open source, but the unfortunate truth is that hardly any casual computer user can set up and use an open source OS like they can with Windows. A furthering of that is that those are the people driving the computer industry by buying computers and software. It's a sad thing to say, but the geeks are a minority.
"I'm a leaf on the wind. Watch how I soar."
-Hoban Washburn
You get hoards of e-mail every week since subscribing to the security bulletin list? I think not.
This patch is bulletin number 47 for the year. By my primitive math, since this is the 34th week of the year, that would be about 1-2 pieces of mail a week.
You have an odd definition of "hoards".
You are just confusing it with yesterday's security hole, or was it two days ago, or was it the one from last week, or maybe that was the one in SQL or maybe I'm confusing it with the one in IIS...
It sure is news to all those who have to keep up with the patches (and the patches to the patches, ad infinitum until "trustworthy computing" arrives on the 31st of Never)!
In the EULA that specifically says MS will automatically download into your system whatever files it wants: perhaps MS looks at yer partition to see if you have Linux installed before giving you that version of the EULA, because I sure as hell can't find what people are talking about. The only thing I did see is, of course.. if you didn't buy Windows 2000 you are in violation, blablablalbla; that's been in the EULA from way back.
.. Anyhow, all you server people using Win2k Server, stop complaining about the browser/OS issue... if you use your server to browse the web you are definitely putting yourself at a greater risk regardless of OS.
Anyhow, that EULA, if anything, is more of an anti-piracy feature. How many of you have paid for Windows? (Raise your hands.) What, 1, maybe 2? So in essence, even though it's software you have to pay for.. I doubt many of you have, so in that sense it's pretty much free like Linux. And since most of you warez kiddies out there just praise Linux mostly cuz the various programs for it are free... I really don't see a purpose of you whining.
Better yet are those people who continue to use Windows yet complain about it all the time. For god's sake, stop using the OS then if yer gonna whine all the time about it.
I wonder if Microsoft's EULA could be considered a form of coercion? Look at it this way:
Microsoft creates a flawed piece of software. They sell it to millions of unsuspecting victims under one EULA.
Then, they release patches for flaws that are serious enough to destroy a business if left uncorrected. They tell the victims: "Agree to this new EULA that takes away many of your rights or we won't fix our software!"
The race isn't always to the swift... but that's the way to bet!
PivX Solutions has a good list and commentary of remaining vulnerabilities in IE at http://www.pivx.com/larholm/unpatched
...
They say it best - for now best to run IE with Scripting turned off
"The basic tool for the manipulation of reality is the manipulation of words." - PK Dick
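One way to apply the "run IE with Scripting turned off" advice above for the current user, as an added example (not from the original post and not from PivX): it reads the Active Scripting setting for the Internet zone, disables it, and reads it back. It assumes the documented per-user IE zone layout: zone settings under HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones, zone 3 is the Internet zone, value 1400 is Active Scripting, and 0 = enable, 1 = prompt, 3 = disable.

```powershell
# Added example, not from the original post. Disable Active Scripting in the
# Internet Explorer Internet zone for the current user and verify the change.
# Assumptions: zone 3 = Internet zone; DWORD 1400 = Active Scripting (0/1/3).
$ZonesRoot = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'

function Get-IEActiveScripting {
    param([int]$Zone = 3)
    $key = Join-Path $ZonesRoot $Zone
    $v = (Get-ItemProperty -Path $key -Name '1400' -ErrorAction SilentlyContinue).'1400'
    switch ($v) {
        0       { 'Enabled' }
        1       { 'Prompt' }
        3       { 'Disabled' }
        default { "Unknown($v)" }   # value missing: IE falls back to the zone template defaults
    }
}

function Set-IEActiveScripting {
    param(
        [Parameter(Mandatory = $true)][ValidateSet('Enabled', 'Prompt', 'Disabled')][string]$State,
        [int]$Zone = 3
    )
    $key = Join-Path $ZonesRoot $Zone
    $map = @{ Enabled = 0; Prompt = 1; Disabled = 3 }
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    # Per-user zone settings are plain DWORDs; no admin rights needed for HKCU.
    Set-ItemProperty -Path $key -Name '1400' -Value $map[$State] -Type DWord
}

"Before: Active Scripting in Internet zone = $(Get-IEActiveScripting)"
Set-IEActiveScripting -State Disabled
"After:  Active Scripting in Internet zone = $(Get-IEActiveScripting)"
```

Restart IE for the change to take effect. This only covers HKCU; a machine-wide policy (zone settings under HKLM with the Security_HKLM_only flag set) overrides it, and with scripting off in the Internet zone many sites stop working, so sites you trust go into the Trusted sites zone (zone 2) rather than back into the Internet zone.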
(Score: -1, Misspelt "viruses")
1: Learn English (there is no such word as "virii" in English)
2: Learn at least some Latin and basic Latin grammar (there is no such word as "virii" in Latin)
3: ??
4: PROFIT!
using internet explorer to surf the internet and do anything important is like fucking a prostitute with no condom
13 year old white supremacists are shitty web designers.
Yes, but it's a standalone app not integrated into the OS and won't run ActiveX objects.
Try updating Konqueror without shutting down KDE. :0)
Bruhahahaha!
"the unfortunate truth is that hardly any casual computer user can set up and use an open source OS like they can with Windows"
Same computer, same hardware, 5 operating systems:
Windows ME: Decent drivers for half the hardware didn't exist. Never worked right. Lost count of install program reboots after 30. Had to download drivers from 5 sites, and let me tell you, the Creative Labs site is a POS.
Windows 2000: 12 reboots to install drivers. Had to do things like configure obscure settings in the Device Manager to get the USB Drives working.
Mandrake Linux: Everything was configured. Everything was working, no obscure options.
SuSE Linux: Had to run a command line to get the sound card working.
BeOS: Didn't support half the hardware, and no drivers existed. No shock, I tried it just for fun.
The argument about Linux being hard to install is an old chestnut that does not apply to most of the current distros. Today Linux is easier to install and get up and running than Windows, even for beginners.
"Live Free or Die." Don't like it? Then keep out of the USA
I don't know how many times I've built 100% compliant pages only to see them rendered incorrectly on Opera. Not only that, Opera likes to render them differently damn near every time it loads them. Here's hopin' Opera 7 handles things better.
... isn't in Explorer... and this time not in Windows, too.
It's in the user. But we'll be sending an upgrade that will replace flawed users and also introduce new exciting innovative technologies like PBCAP (Pre-Emptying Big Cash AutoPayment) and GEAS (Global EULA Automatic Signup), a system to simplify upgrades even further by automating the obligatory EULA acceptance.
The pope announced today that all non-catholics are going to hell...
Russian Russian Russian RussianDollSig DollSig DollSig DollSig
Your comment is flat out wrong.
Below are quotes of the exact text from the "Designed for Windows XP spec v2.3" document:
"The application must not require or suggest an unnecessary reboot during or after installation."
* Installing a Windows Service Pack or authorized system redistributable may require a reboot.
* Installing a Graphical Identification and Authentication dynamic link library (GINA) requires a reboot."
The above quote comes straight from the horse's mouth.
That last WMP7 patch had the same language, and turned out to offer nothing new except DRM.
"Keeping your computer secure"
Maybe it implies that your computer is secure unless you download the patches regularly? Like a vulnerability is not a vulnerability until Microsoft acknowledges it?
Oh yeah that's right, it's a feature!
Ali
Ph33r m3!!!
water is wet
the sky is blue
... yadda yadda
...your computer will automatically cease to be secure.
indeed; however, kde is only a window manager. reloading kde does not mean rebooting the server [thus affecting everything else that the server is doing]
--- d'oh
"The security warnings are the latest headaches for the Redmond, Washington- based software company."
Headaches for Microsoft? How about headaches for their users?
Why the hell can't MS stop making these stupid mistakes and save us all from these damn headaches?
Then when something has a bug, we can turn it off.
Someone set us up the bomb, so shine we are!
Yet another Microsoft patch batch. Why don't they put out these patches in a FIFO manner? This buffered output hinders my impression of their responsiveness.
This corporation has performed an illegal operation and will be shut down. (That was irrelevant, but necessary.)
true && more || less
To clarify for the uninitiated, the "key generator" referred to here is, of course, TheBlueList's famous (infamous?) XP KeY ReCoVeRER AND DiSCOVErER 5.12 (xpkey.exe, 49152 bytes, crc 1F259976, md5sum AE01E7CB9215AF1899931C524359ABD7).
It doesn't *generate* keys as such - it searches for valid keys. Not merely apparently-valid keys that pass some of the checks, but ones with a valid PID too. That's why it takes so damn long. If you let it generate about 600 keys, in fact, the probability is that amongst those somewhere is a REAL, ACTUAL product code of a copy of Windows XP that is still sitting in a warehouse for despatch somewhere, and you can activate it (and presumably cause a major hassle for whatever unlucky user or enterprise eventually buys that copy).
The keys WILL work, and the only way MS can disable them is to check for a range of sold keys, which they can't because I have enough genuine leaked volume license, and other, keys to know they aren't always contiguous or always in the low 640 range, or connect to the net to check the key against a database, which is, well, WPA and my guess is, they probably won't do that (for the same reason they created the corporate version in the first place). And yes, there are still things we can do even if that happens (like the obvious one, which is <sigh> patch the service pack... what have we come to?).
I reckon that even if they could come up with a way to separate the keys, a way which would undoubtedly give a large number of false negatives when checking for genuine keys, they wouldn't use it due to time constraints. SP1 is due Real Soon Now and should - I stress *should* - be in regression testing already, and the QA team really won't like it if the current logic bombs (which have a very low probability, but not zero, of misfiring due to a hash collision with a blocked key) get tweaked at the 11th hour.
I would, however, when SP1 comes out, recommend that you download the corporate deployment executable directly rather than use Windows Update, and disconnect from the net before applying. Just in case. This applies to legit users as well as those people who refuse to pay MS on principle, but just can't resist that yummy-but-evil Windows goodness. (You might want to wait until others have tried and look at their results with the release version - why risk messing your machine up when there's a queue of testers that long?)
Try turning off automatic updates completely, stop certain services (background transfer, automatic updates, ssdp discovery service, etc - use your imagination, that's what last known good and system restore are for) blocking incoming ports using the internal firewall if there's nothing else (it'll _do_) and using, say, Mozilla (or Opera, if you prefer, but if you're in the market for XP, you're probably spec'ed for Mozilla to run very well) to browse the 'net/email until you're patched.
But, for MS, there's no quick fix - or even slow fix (truly secure digital signatures are too big to fit into an existing product key, even using one of the minimal discrete log-ECC derivative schemes) - for TheBlueList. It's become a major headache for them, and is why they have decided to completely dump the existing product code system for .NET. (Good.)
To change the product code, in case your copy of Windows has a logic bomb misfire, change at least one byte of the binary string at HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WPAEvents\oobetimer (which will deactivate Windows, even a corp Windows), run %SYSTEMROOT%\system32\oobe\msoobe.exe /a (which is the activation wizard), which should tell you you need to activate, select activate by phone and look for the option that allows you to change the product key. Be VERY sure you enter it correctly, because there's no hard checking here, before the reboot - and if it isn't valid, Windows won't boot (in which case you have to hold F8 and select Last Known Good, which should restore your old product key again - I say *should*).
MS apparently support this method and have suggested this as a possible mitigation in the event that their logic bomb misfires and locks out legit users (which would be amusing, and if they try to lock BlueList keys, very very likely). If you can, and you aren't paying the tab, and you're legit, phone them up and shout at them if that happens. They probably won't get the message, but it'll make you feel better.
I happen to be on the same internet as software pirates, and don't want their machines being used by script kiddies as a staging post for DDoS attacks and/or active worms, and thus definitely do not support MS's hardline approach on updates. I'll leave the zealotry to others - after all, this IS Slashdot.
The information in this post may be used and copied freely. Share and enjoy.
- Just Another Anonymous Cracker
Funny how everyone's arguing over the EULA and fails to note that this patch doesn't do a damned thing about the SSL cert authentication bug.
And an odd spelling, too. Thus spake dictionary.com:
hoard (hôrd, hōrd) n.
A hidden fund or supply stored for future use; a cache.
horde (hôrd, hōrd) n.
1. A large group or crowd; a swarm: a horde of mosquitoes. See Synonyms at crowd 1.
To prepare for the Fall, there is a story of rebel coding in Finland. What happened to make Mr. Torvalds seek refugee status in India? And what version of the YQ terminal do you want in your head?
another EULA alteration (oh, and yet another critical patch needed!)...
which came first? the decision to change the EULA or the discovery of the hole?
I know it's natural to want to use the same Windows software, and it's cool it can work... but likely, you'll learn to love various apps for Linux like Noatun, XMMS, Galeon, Grip, KMail, Evolution, GQView, Gimp. Well, I suppose you might have tried those, but you only mentioned other stuff. Good luck and kudos for being brave enough to actually try it. I've been using Linux as my desktop OS for 2 1/2 years, but my brother still uses Windows... geez.
There are 6 new security holes in Windows (the security hole is actually in Windows since you cannot separate Internet Explorer from the operating system; Michael, please make sure that your statements are correct, a hole in IE is a hole in Windows) and Office?
How can this be? Microsoft has been focusing on security all year, and I just patched my system last month.
Well, then setting up Red Hat takes even less time than with a kickstart diskette. Time: Put in disk and install CD, turn on computer, come back when it is done configuring everything.
Click here or here.
Shutting down KDE doesn't stop sshd, apache, oracle, ftpd, nfsd, or any other server from functioning. So an update to Konqueror could be done with 0 down time....
Though why you'd be using Konqueror on a critical server machine (where 0 down time was important) enough that you'd need to be updating it is another thing entirely....
Advanced users are users too!
He said, "we should be pushing for accountability". What I think he's saying is that if Microsoft refuses to open its code, then that's fine - it's their right. However, if they don't, then they should be held liable for their incompetence or maliciousness (whichever applies today).
It's an interesting concept. Personally, I think Microsoft would be better off opening the code, rather than expose themselves to that kind of liability.
As an avid Microsoft software user I haven't come to expect anything less.
At least they come out with patches and fixes relatively promptly and have a good software-based distribution system to get the fixes to everybody.
But it does seem they are producing fixes more often than not.
would be the cost of the oil change.
Read the fine print, and the flip-side of the oil change contract.
Well sure, they have to do it. Great Wall of China: Hey, here's a hole! Several hundred chinese go patch it up. What eventually happened? Same bunch took over both sides of the wall, so no wall needed for a while. That won't happen to internet security, for there is always us vs. them. Then, the wall was in part, disassembled (whoah, short circuit) for building materials. Then, rebuilt during communist era to act as showpiece for Nixon visits, etc. Gee, none of this applies... Well, anyway, I'm using Mozilla with win 98 instead of ie6. I really don't have to keep utd on the patches, unless I have nothing else to do. Linux? Gave up long ago trying to keep up with the patches. Redhat swamped me with them. I just install the latest version, and for a few days, everythings patched!
Rapidweather's Linux Screenshots.
I totally agree. I have been using Mandrake 7.x stuff for about 2 years. Recently, ( 1:30am up 6 days, 22:24, 2 users ), I DL'd 8.2. Backed up the important stuff and wiped the disk. Install took 10 minutes. All hardware detected and working properly, cable modem, dhcp, NAT, for two win 98 boxes, ftp & telnet (for lan), etc.., worked on post install reboot. Spent 1/2 the day tweaking for personal choice stuff like iceWM and apps I like. Other than my personal preference stuff, I had a fully patched, running and decently configured system in under 20 minutes.
My wife's system is Win98SE; she is the master of the reinstall, and it still takes her 6 hours just to get the bare OS installed and configured. Something about rebooting 25 times in 6 hours is just a bit time consuming.
End result, the current revs of the bigger distros are pretty damn slick and the installs are FAR better than anything I ever experienced. The development rate of Linux is quite astounding.
I can only imagine what Mandrake 9 or higher will be like. The GUI config stuff is getting to the point that you only use CLI if you want to.
Hats off to the OSS world. I am impressed.
Bill