Microsoft Notes Critical Security Holes in Windows, Office
Scoria writes "CNN is reporting that the infamous Microsoft has disclosed six critical Internet Explorer vulnerabilities, including some that would allow an attacker to execute arbitrary commands. According to the relevant TechNet bulletin, a cumulative patch has been released to address them." Please be sure to read the EULA before installing the patch.
For the quickfixes listed on the url, there is no EULA to install them.
GPL'd web-based tradewars themed space game
I just installed it now (q323759.exe) and it didn't ask me to agree to anything. In fact the only question I got was "Do you want to install this update?".
For now, my PC is safe from Microsoft forced modifications (relatively speaking)
ever hear of group policy? why apply patches manually?
Browsing through the Microsoft link (the first one is a puff piece), it looks as though they still haven't patched the SSL certificate problem in IE/Windows. Will we have to wait until the next multiple security hole patch, or will they release it separately?
don't even mention the finger worm or sendmail
from the bottom of the BBC article:
If only more sites complied with standards, I could dismiss MS entirely for Opera.
.99, I have not had a reason to use IE again, and I suspect I won't for quite some time.
Have you tried out Mozilla lately? The quirks mode in Mozilla renders bad HTML just as well as IE does, IMHO. Ever since Mozilla
I'm sure some people raised their hands. Now if those people found a hole some would share it with the rest of us. Get it yet?
Oh and I work on my own car and go through source code in my spare time so your points don't work much on me. I don't trust M$ nor mechanics.
BTW a friend works at Jiffy Lube and always has interesting stories on how the boss makes him take suckers to the cleaners.
Read the OpenBSD FAQ for the details of why the FTP server isn't an OpenBSD box, but IIRC it's basically because it's a donated box and bandwidth from a university, and beggars can't be choosers.
Any sufficiently advanced technology is indistinguishable from a rigged demo
--Andy Finkel (J. Klass?)
-dave
From an end-user support standpoint, this appears to be a more critical bug due to the ease of use. Anyone can email someone a fake link that deletes their system folders. I'm not sure that Microsoft has addressed this in any way. Maybe they don't know about it yet.
If link above goes down, here's the quoted text:
There has been a very serious flaw discovered in the "Help Center" included in Windows XP.
To try it out, do the following, but, BE WARNED. IT WILL LIKELY delete anything you put in the "test" directory.
Create a folder called "test" at the root directory of your hard drive. Put some files in it (junk, whatever, stuff you don't care about losing). YOU HAVE BEEN WARNED AGAIN!
Then, copy and paste the "link" below into any address bar and hit enter.
Wait a few seconds, then, check that directory again. Gone, gone, gone.
This is a HORRIBLE exploit because it can be a link in any web page and exploits a terrible flaw in the Windows Help Center included in XP.
hcp://system/DFS/uplddrvinfo.htm?file://c:\test\*
Ways to fix this issue:
Delete/rename the "uplddrvinfo.htm" file (located in C:\WINDOWS\PCHEALTH\HELPCTR\System\DFS).
Or, open it, find, and delete the following section of code:
var oFSO = new ActiveXObject ( "Scripting.FileSystemObject" ); try { oFSO.DeleteFile( sFile ); }
Or unregister the hcp protocol handler.
Deleting the section of code breaks the exploit (I have verified it myself) and it is highly recommended that anyone here using XP take steps to fix this because it won't be fixed until SP1 for XP comes out.
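A filter-side check for the link described in the comment above, as an added example that is not part of the original thread: it scans HTML or mail text for hcp: links and flags those that point at uplddrvinfo.htm, after undoing HTML-entity and percent encoding. The function names and the sample input are constructed for illustration, and the benign hcp path in the sample is hypothetical.

```python
import html
import re
from urllib.parse import unquote

# Any hcp: URL, up to whitespace, a quote or an angle bracket.
# \b keeps "dhcp:" from matching.
HCP_URL = re.compile(r"\bhcp:[^\s\"'<>]+", re.IGNORECASE)
# Help Center page named in the thread as deleting the file in its argument.
RISKY_PAGE = "uplddrvinfo.htm"

# Constructed sample: the thread's link in three encodings, plus two decoys.
SAMPLE = r'''
<a href="hcp://system/DFS/uplddrvinfo.htm?file://c:\test\*">plain</a>
<a href="HCP://system/DFS/UPLDDRVINFO.HTM?file://c:%5Ctest%5C*">mixed case</a>
<a href="&#104;cp://system/DFS/uplddrvinfo.htm?file://c:\test\*">entity</a>
<a href="hcp://system/example/other.htm">hypothetical benign page</a>
<a href="http://example.com/dhcp://notes">not an hcp link</a>
'''


def normalize(text):
    """Undo HTML entity and percent encoding until the text stops changing."""
    for _ in range(5):  # bounded, so nested encoding cannot loop forever
        decoded = unquote(html.unescape(text))
        if decoded == text:
            break
        text = decoded
    return text


def find_hcp_links(document):
    """Return every hcp: link found, flagging links to the deleting page."""
    findings = []
    for match in HCP_URL.finditer(normalize(document)):
        url = match.group(0)
        path, _, argument = url.partition("?")
        findings.append({
            "url": url,
            "deletes_files": path.lower().endswith(RISKY_PAGE),
            "argument": argument,  # the file pattern the page would act on
        })
    return findings


if __name__ == "__main__":
    for finding in find_hcp_links(SAMPLE):
        print(finding)
```

A gateway could drop or rewrite any message where `deletes_files` is true, and log the other hcp: links for review.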
>The fact of the matter is Windows is the most common target of hackers. They occasionally find stuff, it gets fixed.
No, the fact of the matter is that the oldest security hole still present in internet explorer is over...
2 years and 2 months old.
Look, if they ACTUALLY fixed their OS (and by OS I mean browser, which MS says is the OS) we wouldn't care. But, you see, since they don't care to fix their OS (and if you can't fix it in 2 years then you are one very pathetic uncaring company) then we will care to explain to others that they don't care.
Get it?
You can apply every security patch in the world, but IE still lets any site read:
- Any and all of your files
- Run any code they please
- Upload files of their choosing
- Modify files they want to
- Delete files they want to
- Delete your BIOS so you can't boot up your computer
- Make your computer dial 911 constantly, tying up emergency systems
- Install viruses on your computer
- Make your computer do DDOS attacks
- Make your computer email bomb threats to the president under your name
All without warning you. And any amount of patching won't affect it.
Is that not serious enough? Do they need to set your computer on fire to make it serious enough? Does your computer have to reach out and throttle you before you see how serious it is?
Sheesh.
If you could be told what you can see or read, then it follows that you could be told what to say or think - BoC
The EULA was shown to you if you used Microsoft's Windows Update website. I know that I am looking at it right now.
.NET Framework component of the OS Components to any third party without Microsoft's prior written approval."
.NET has been available. Wonder why they are so "afraid" of people saying what their benchmarks were.... Makes you wonder how doctored the results that they are publishing are if you can't disclose the ones that you receive.
"You may not disclose the results of any benchmark test of the
That is the main right that you give up with this patch, but I think that has been in all their supplemental EULAs since
I did not see anything about forcing DRM on us in this patch, but don't think that will stay this way for long.
We were all warned a long time ago that MS products sucked, remember the Magic 8 Ball said, "Outlook not so good"
#4: Turn off all the stuff that shouldn't have been on by default to make the system run better and more secure.
#5: Download and install all the security patches you need.
So, there's another half an hour or so right there...
Don't you wish your girlfriend was a geek like me?
I have personally caught M$ stuff going around ZoneAlarm on two occasions:
... until Frontpage98. My first clue was when FP98 whined about being unable to find the nonexistent modem. ZAP didn't make a peep.
WinME, no patches, ZAPro; system had no modem, thus no internet connexion. ZAPro dutifully reported every attempt to connect (which a lot of programs try to do for one reason or another, usually innocently)
Win98, no patches, ZA Amateur 2.63 (I think); system has modem and DUN configured in the usual way. HAD been well-behaved. Made the mistake of installing TurboTax this past April, and it forcibly installed IE5.5. Which FUBAR'd DUN. When I finally got DUN working again and went online, ZA *immediately* reported an attempt to intrude, from a M$ IP address (I whois'd it, so I'm sure), IIRC on a UDP port. Excuse me? What business does M$ have trying to get into MY computer? And since IE5.5 wasn't running per se (I only use Netscape online), clearly it had suborned Windows itself. And again, ZA didn't make a peep, tho it had always reported every other attempt to get in or out.
This is why I IEradicated IE5.5 [see 98lite.net] and reverted the system to IE5.0, which had never exhibited any underhanded behaviour (tho I don't let it out on the net, I only use it for checking my HTML locally).
And yes, there is a hardware firewall in my future, exactly because of this sort of security breach.
~REZ~ #43301. Who'd fake being me anyway?
PivX Solutions has a good list and commentary of remaining vulnerabilities in IE at http://www.pivx.com/larholm/unpatched
...
They say it best - for now best to run IE with Scripting turned off
"The basic tool for the manipulation of reality is the manipulation of words." - PK Dick
To clarify for the uninitiated, the "key generator" referred to here is, of course, TheBlueList's famous (infamous?) XP KeY ReCoVeRER AND DiSCOVErER 5.12 (xpkey.exe, 49152 bytes, crc 1F259976, md5sum AE01E7CB9215AF1899931C524359ABD7).
.NET. (Good.)
/a (which is the activation wizard), which should tell you you need to activate, select activate by phone and look for the option that allows you to change the product key. Be VERY sure you enter it correctly, because there's no hard checking here, before the reboot - and if it isn't valid, Windows won't boot (in which case you have to hold F8 and select Last Known Good, which should restore your old product key again - I say *should*).
It doesn't *generate* keys as such - it searches for valid keys. Not merely apparently-valid keys that pass some of the checks, but ones with a valid PID too. That's why it takes so damn long. If you let it generate about 600 keys, in fact, the probability is that amongst those somewhere is a REAL, ACTUAL product code of a copy of Windows XP that is still sitting in a warehouse for despatch somewhere, and you can activate it (and presumably cause a major hassle for whatever unlucky user or enterprise eventually buys that copy).
The keys WILL work, and the only way MS can disable them is to check for a range of sold keys, which they can't because I have enough genuine leaked volume license, and other, keys to know they aren't always contiguous or always in the low 640 range, or connect to the net to check the key against a database, which is, well, WPA and my guess is, they probably won't do that (for the same reason they created the corporate version in the first place). And yes, there are still things we can do even if that happens (like the obvious one, which is <sigh> patch the service pack... what have we come to?).
I reckon that even if they could come up with a way to separate the keys, a way which would undoubtedly give a large number of false negatives when checking for genuine keys, they wouldn't use it due to time constraints. SP1 is due Real Soon Now and should - I stress *should* - be in regression testing already, and the QA team really won't like it if the current logic bombs (which have a very low probability, but not zero, of misfiring due to a hash collision with a blocked key) get tweaked at the 11th hour.
I would, however, when SP1 comes out, recommend that you download the corporate deployment executable directly rather than use Windows Update, and disconnect from the net before applying. Just in case. This applies to legit users as well as those people who refuse to pay MS on principle, but just can't resist that yummy-but-evil Windows goodness. (You might want to wait until others have tried and look at their results with the release version - why risk messing your machine up when there's a queue of testers that long?)
Try turning off automatic updates completely, stop certain services (background transfer, automatic updates, ssdp discovery service, etc - use your imagination, that's what last known good and system restore are for) blocking incoming ports using the internal firewall if there's nothing else (it'll _do_) and using, say, Mozilla (or Opera, if you prefer, but if you're in the market for XP, you're probably spec'ed for Mozilla to run very well) to browse the 'net/email until you're patched.
But, for MS, there's no quick fix - or even slow fix (truly secure digital signatures are too big to fit into an existing product key, even using one of the minimal discrete log-ECC derivative schemes) - for TheBlueList. It's become a major headache for them, and is why they have decided to completely dump the existing product code system for
To change the product code, in case your copy of Windows has a logic bomb misfire, change at least one byte of the binary string at HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WPAEvents\oobetimer (which will deactivate Windows, even a corp Windows), run %SYSTEMROOT%\system32\oobe\msoobe.exe
MS apparently support this method and have suggested this as a possible mitigation in the event that their logic bomb misfires and locks out legit users (which would be amusing, and if they try to lock BlueList keys, very very likely). If you can, and you aren't paying the tab, and you're legit, phone them up and shout at them if that happens. They probably won't get the message, but it'll make you feel better.
I happen to be on the same internet as software pirates, and don't want their machines being used by script kiddies as a staging post for DDoS attacks and/or active worms, and thus definitely do not support MS's hardline approach on updates. I'll leave the zealotry to others - after all, this IS Slashdot.
The information in this post may be used and copied freely. Share and enjoy.
- Just Another Anonymous Cracker
Well, then setting up Red Hat takes even less time than with a kickstart diskette. Time: Put in disk and install CD, turn on computer, come back when it is done configuring everything.