Slashdot Mirror


Microsoft Notes Critical Security Holes in Windows, Office

Scoria writes "CNN is reporting that the infamous Microsoft has disclosed six critical Internet Explorer vulnerabilities, including some that would allow an attacker to execute arbitrary commands. According to the relevant TechNet bulletin, a cumulative patch has been released to address them." Please be sure to read the EULA before installing the patch.


  1. Sad state of affairs.... by jerkychew · · Score: 3, Interesting

    It's sad that, when I saw that the patch was released, the first thing I thought was, "I hope the EULA won't force me to accept automatic installs from now on."

    I think I'd rather have an insecure system than one that gives MS carte blanche to install what it wants. There's something wrong with that.

    1. Re:Sad state of affairs.... by Neon+Spiral+Injector · · Score: 5, Insightful

      What if Microsoft has an API to bypass the filters Zone Alarm hooks in?

      I have never seen the sense in firewalling a machine with the same machine.

    2. Re:Sad state of affairs.... by Dudio · · Score: 5, Insightful

      Maybe it's just me, but I fail to see a single mention of the EULA, much less a statement that it changes when you apply this patch. Even when installing, the only dialog presented to the user is the "Do you want to install this update?" box. I'm as concerned as the next guy about Microsoft's propensity to sneak in unannounced EULA changes and automatic updates without telling you, but let's not point fingers where there's nothing to see.

    3. Re:Sad state of affairs.... by EnVisiCrypt · · Score: 5, Insightful

      People who actually examine the patches on their Open Source O.S. raise your hands.

      Linus put your hand down.

      Seriously, we should be pushing for accountability, not a world where everybody's grandma has to learn C++ just to make sure that the big bad software company hasn't installed a trojan horse.

      When you got your oil changed last, did you take the engine apart to make sure that your mechanic didn't put a rabbit in there?

      I know that you probably change your own oil. It's an example.

      --
      *everything* is Orwellian to cats.
    4. Re:Sad state of affairs.... by Oztun · · Score: 4, Informative

      I'm sure some people raised their hands. Now if those people found a hole, some would share it with the rest of us. Get it yet?

      Oh and I work on my own car and go through source code in my spare time so your points don't work much on me. I don't trust M$ nor mechanics.

      BTW a friend works at Jiffy Lube and always has interesting stories on how the boss makes him take suckers to the cleaners.

    5. Re:Sad state of affairs.... by Mirk · · Score: 5, Funny
      People who actually examine the patches on their Open Source O.S. raise your hands.

      Linus put your hand down.

      First off, this is funny! :-)

      But it does kinda miss the point, as no doubt many people will be quick to explain. (Don't you think "You missed the point" should be the Official Slashdot Motto? :-)

      The point is that if a patch is open source, and if only 1% of the 10,000 people who install it bother to read through, then that's still 100 pairs of eyeballs that will spot any funny business. So, crucially, the other 99% (and yes, I admit to falling into the 9,900 here more often than not) also benefit from the code's openness.

      Summary: I don't want it open so I can look at it; I want it open so Linus can look at it for me and tell me if there's anything wrong with it! :-)

      ObDisclaimer: no, I'm not really a degenerate freeloader. Usually I am in the 99% that doesn't read the code. But every so often - say 1% of the time - I will read it. See also my open source Net::Z3950 module at perl.z3950.org before you dare question my Free Software credentials. Infidel! :-)

      --
      What short sigs we have -
      One hundred and twenty chars!
      Too short for haiku.
    6. Re:Sad state of affairs.... by Fjord · · Score: 3, Insightful

      I use debian, which has a distributed system of people who approve patches, typically separate from the OSS projects that produce the patches. I'm not going to say Debian is the perfect system (a patch may be integrated without really looking at it, or a server may be hacked and malicious code uploaded), but it is good enough that I don't really feel I have to worry about it.

      Then again, I don't worry too much about MS on the malicious code side. I won't install a patch the first day it comes out and will watch for installers' reactions (with debian I'll install and if I'm having a new problem I'll check debian boards about the patch). I am, however, getting more and more upset on the EULA side. For a product that is supposed to be free, IE sure asks for a lot.

      --
      -no broken link
    7. Re:Sad state of affairs.... by dillon_rinker · · Score: 5, Insightful

      Hey, those of you who actually operate a printing press raise your hands.

      See? There's only about three of them. There's no point in freedom of the press if only three people use it.

      Ok, now everyone who's been arrested this week raise your hands.

      Only a couple dozen out of a couple hundred thousand? Ok, no point in rights for the accused, then.

      Next up, let's see how many of you are black. Only about ten percent? Well, what's the point in those equal protection and non-discrimination clauses? Most people don't need them.

    8. Re:Sad state of affairs.... by krasni_bor · · Score: 5, Insightful
      When you got your oil changed last, did you take the engine apart to make sure that your mechanic didn't put a rabbit in there?


      No, because I could sue my mechanic for breaking my car. I can't sue Microsoft for breaking my computer.
    9. Re:Sad state of affairs.... by gilroy · · Score: 3, Insightful
      Blockquoth the poster:

      For example, I could have bought and installed a Windows 2000 license for that machine for less than $500, but I wouldn't have been able to also run DNS and DHCP services on it without more software.

      Plus you still have spent two+ hours on that, or another, installation issue.
    10. Re:Sad state of affairs.... by DrSkwid · · Score: 4, Interesting

      what's the point of having an extra box to do what your computer can do already?

      do you even have (a)/dsl?

      Checking my log for today I've had over 50 people try and initiate unauthorised connections. The only server I run is HTTP and ident so there's no reason for any of them to try any other ports than those.

      nslookup'ing their IPs, I get mostly dial-up users or No such server.

      Windows shares are the usual culprit. I did some scanning myself after cable modems launched in our area. I found myself on someone's shared C: drive with full rights. I trawled through some files to try and get some sort of ID. c:\program files\icq\ did me nicely and I was able to get the person's ICQ number. I looked them up on the ICQ whitepages and couldn't believe it when it turned out to be my uncle!

      You don't need to waste a whole PC on it either

      I've got one of these: a befsx41.

      Works great, no trouble in 3 years. Not a single piece of software has had trouble with it. Can't recommend it enough for home/soho users.

      --
      There are places where the networks are not touching,and there are places where they are-Boeing's Lori Gunter
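The log triage DrSkwid describes (count connection attempts to ports you do not serve, group them by source, then see whether reverse DNS says "dial-up" or "No such server", and flag the Windows-share probes) is easy to script. The block below is an added example, not code from the post or from Slashdot; the syslog-style log format, the sample lines, the IPs (RFC 5737 documentation ranges) and the reverse-DNS answers are all constructed so it runs offline.

```python
import re
from collections import Counter, defaultdict

# Constructed sample firewall log (syslog-style; not from the post).
# The box only serves HTTP (80) and ident (113).
SAMPLE_LOG = """\
Sep 12 03:14:07 gw kernel: ACCEPT src=203.0.113.45 dst=198.51.100.7 proto=TCP spt=3312 dpt=80
Sep 12 03:14:09 gw kernel: DENY src=203.0.113.45 dst=198.51.100.7 proto=TCP spt=3313 dpt=139
Sep 12 03:14:09 gw kernel: DENY src=203.0.113.45 dst=198.51.100.7 proto=TCP spt=3314 dpt=445
Sep 12 03:15:22 gw kernel: DENY src=192.0.2.17 dst=198.51.100.7 proto=TCP spt=1025 dpt=139
Sep 12 03:16:40 gw kernel: ACCEPT src=192.0.2.99 dst=198.51.100.7 proto=TCP spt=40001 dpt=113
Sep 12 03:17:01 gw kernel: DENY src=192.0.2.99 dst=198.51.100.7 proto=UDP spt=137 dpt=137
Sep 12 03:17:03 gw kernel: DENY src=203.0.113.200 dst=198.51.100.7 proto=TCP spt=2222 dpt=22
this line is not a firewall record
"""

# Constructed reverse-DNS answers standing in for the nslookup step.
# A missing entry or None means the lookup failed ("No such server").
FAKE_RDNS = {
    "203.0.113.45": "dialup-45.pool.example.net",
    "192.0.2.17": None,
    "192.0.2.99": "ppp-99.dsl.example.org",
}

SERVICE_PORTS = {80, 113}            # ports this host legitimately serves
SHARE_PORTS = {137, 138, 139, 445}   # NetBIOS/SMB: Windows-share probes

LINE_RE = re.compile(
    r"(?P<action>ACCEPT|DENY) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"proto=(?P<proto>TCP|UDP) spt=(?P<spt>\d+) dpt=(?P<dpt>\d+)"
)


def parse_line(line):
    """Return a dict for one firewall record, or None for non-matching lines."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["spt"] = int(rec["spt"])
    rec["dpt"] = int(rec["dpt"])
    return rec


def unauthorised_attempts(log_text, service_ports=SERVICE_PORTS):
    """Records whose destination port is not one we serve (traffic to 80/113 is expected)."""
    return [r for r in map(parse_line, log_text.splitlines())
            if r and r["dpt"] not in service_ports]


def share_probes(log_text):
    """Subset of unauthorised attempts aimed at NetBIOS/SMB ports."""
    return [r for r in unauthorised_attempts(log_text) if r["dpt"] in SHARE_PORTS]


def attempts_by_source(log_text, service_ports=SERVICE_PORTS):
    """Map source IP -> Counter of (proto, port) probed; len() gives the 'how many people' figure."""
    by_src = defaultdict(Counter)
    for r in unauthorised_attempts(log_text, service_ports):
        by_src[r["src"]][(r["proto"], r["dpt"])] += 1
    return dict(by_src)


def classify_source(ip, rdns=FAKE_RDNS):
    """Bucket a source the way the post does: dial-up/consumer, no reverse record, or other."""
    name = rdns.get(ip)
    if name is None:
        return "no-such-server"
    if any(tag in name for tag in ("dialup", "dial-up", "ppp", "dsl", "cable")):
        return "dial-up/consumer"
    return "other"


def report(log_text):
    """One row per source: (ip, class, attempt count, sorted list of (proto, port))."""
    by_src = attempts_by_source(log_text)
    return [(ip, classify_source(ip), sum(by_src[ip].values()), sorted(by_src[ip]))
            for ip in sorted(by_src)]


if __name__ == "__main__":
    for ip, kind, n, probed in report(SAMPLE_LOG):
        ports = ", ".join(f"{p}/{d}" for p, d in probed)
        print(f"{ip:16} {kind:18} {n:2} attempt(s): {ports}")
    print(f"{len(share_probes(SAMPLE_LOG))} Windows-share probe(s)")
```

The filter is on destination port, not on DENY versus ACCEPT, so a probe that happened to be accepted by a sloppy rule still shows up; swap `SERVICE_PORTS` for the ports your own box actually listens on.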
    11. Re:Sad state of affairs.... by mpe · · Score: 3, Insightful

      For me, the cost of running Red Hat 7.3 on that machine is not zero. It was about two hours of my time.

      But you would have spent time setting up the machine, whatever the OS.

    12. Re:Sad state of affairs.... by foobar104 · · Score: 3, Insightful

      But you would have spent time setting up the machine, whatever the OS.

      Nope. Installing Windows 2000 Professional is about three ten-minute jobs, separated by big gaps of free time to do other things. Job #1: boot from the CD and partition and format the drive. Go do something else for an hour or so. Job #2: kick off the OS install. Go do something else, or have lunch, or whatever. Job #3: finish the OS install and set up the RAID set. Go home while the RAID set formats overnight.

      Total time from start to finish is measured by looking at a calendar. Total time spent on the job is about half an hour.

    13. Re:Sad state of affairs.... by Ironica · · Score: 3, Informative

      #4: Turn off all the stuff that shouldn't have been on by default to make the system run better and more secure.
      #5: Download and install all the security patches you need.

      So, there's another half an hour or so right there...

      --
      Don't you wish your girlfriend was a geek like me?
  2. Great! by RhetoricalQuestion · · Score: 5, Funny

    Arbitrary commands run by strangers if I don't,
    Arbitrary commands run by Microsoft if I do.

    If only more sites complied with standards, I could dismiss MS entirely for Opera.

    --

    I can spell. I just can't type.

    1. Re:Great! by gosand · · Score: 5, Funny
      Arbitrary commands run by strangers if I don't,
      Arbitrary commands run by Microsoft if I do.

      You know, I think I would rather trust the strangers.

      --

      My beliefs do not require that you agree with them.

    2. Re:Great! by Consul · · Score: 3, Insightful

      You know, I think I would rather trust the strangers.

      I believe the phrase is, "Better the Devil you know."

      This means Microsoft, sorry to say. Of course, I use Mozilla exclusively on a Mac and a Linux machine. No Windows boxes for me at all.

      --

      -----

      "You spilled my egg... I needed that egg."

  3. No need for this patch. by geoffeg · · Score: 5, Funny
    Windows Update (windowsupdate.microsoft.com) has a description of this security patch, the last line of which reads:

    Download now to continue keeping your computer secure.

    So apparently my computer is already secure and there is no need to download the patch then!

    Silly Microsoft.

    1. Re:No need for this patch. by Tony-A · · Score: 3, Insightful

      Download now to continue keeping your computer secure.
      Microsoft's idea of security. It's really just as secure after the download and patch as it was before ;) I stopped messing with patches a couple of years ago, and am probably much safer than anyone who is almost current.

  4. Irritating but beneficial too by Tyreth · · Score: 5, Insightful

    As my grandfather who was a doctor said, "Doctors, mechanics and others like these all benefit from the misfortunes of others".
    Today I just spent 3 1/2 hours updating security patches on a group of machines in an office for Office 2000. The people there are annoyed about all the patches, and we joked about it being "this month's security update". Now there's this, and I'm going to be called in again to update their machines. On one hand it's irritating, on the other hand it gives me more work, which I need at the moment.

    A few of them are curious about Linux, and I keep it in their mind - not telling them that it will solve all their problems, but that in the near future it may be beneficial for them to consider it. I let them know an alternative is there, and they are positive, no knee-jerk reactions. I'm honest to them about its advantages and disadvantages - where it will help them and where it will be a challenge. When the time is ripe they will change over - it is inevitable. This won't eliminate the need for security patches, but I hope through the use of thin clients only one or two machines will ever need updating.

    1. Re:Irritating but beneficial too by AntiNorm · · Score: 3, Interesting

      Today I just spent 3 1/2 hours updating security patches on a group of machines in an office for Office 2000.

      If you don't like constantly having to patch MS Office, then don't use it. There are plenty of alternatives, including WordPerfect Office Suite, which is what I use.

      --

      I pledge allegiance to the flag...
      of the Corporate States of America...
    2. Re:Irritating but beneficial too by MrResistor · · Score: 5, Funny

      Don't do it! (Install Linux for them, I mean) Your support calls will dry up!

      I installed a Linux fileserver at a company I used to work at, and when I was laid off we agreed that they would call on me if they ever had a problem with the server and we would "work something out". I haven't received a single call, and it's been over 6 months! When I run into my former coworkers at the store and such I ask them how the server's doing and they always say "Great, we haven't had a single problem".

      If you depend on support calls to make your living, the last thing you want to do is install Linux!

      --
      Under capitalism man exploits man. Under communism it's the other way around.
    3. Re:Irritating but beneficial too by archen · · Score: 3, Funny

      Dude, if you really want support you just make a perl script to disable something minor every now and then within... say every 2-3 months.

      Since you schedule it with cron, you can make sure it doesn't happen on your vacation. Some would say this is dishonest, but then again some would say "So is installing NT on purpose".

  5. There is no EULA attached. by iamsure · · Score: 5, Informative

    For the quickfixes listed on the url, there is no EULA to install them.

  6. No EULA by Mr_Silver · · Score: 5, Informative
    Please be sure to read the EULA before installing the patch.

    I just installed it now (q323759.exe) and it didn't ask me to agree to anything. In fact the only question I got was "Do you want to install this update?".

    For now, my PC is safe from Microsoft forced modifications (relatively speaking).

    --
    Avantslash - View Slashdot cleanly on your mobile phone.
    1. Re:No EULA by debaere · · Score: 3, Insightful

      I noticed the same thing. The question is, does the lack of opportunity to view the EULA negate it?

      --

      DOS is dead, and no one cares...
      If there's a Bourne Shell, I'll see you there
  7. SSL Cert. by zmalone · · Score: 4, Informative

    Browsing through the Microsoft link (the first one is a puff piece), it looks as though they still haven't patched the SSL certificate problem in IE/Windows. Will we have to wait until the next multiple security hole patch, or will they release it separately?

    1. Re:SSL Cert. by gosand · · Score: 4, Funny
      they still haven't patched the SSL certificate problem in IE/Windows.

      That's because their PR people haven't acknowledged that it is a problem yet. Give them 6-8 months. Sheesh, you Open Source people sure are impatient.

      --

      My beliefs do not require that you agree with them.

  8. SSL? by giminy · · Score: 4, Interesting

    Am I the only one who noticed this does not include the fix for invalid SSL certificates? Pretty big (and very expensive) problem, I think....

    --
    The Right Reverend K. Reid Wightman,
  9. And even on 2000/XP by Flower · · Score: 4, Interesting

    You have to reboot to complete the installation. Great. Now all my server updates (please do not ask why, I just follow orders) are going to be a joy. I can't believe I have to reboot to patch a damn browser.

    --
    I don't want knowledge. I want certainty. - Law, David Bowie
    1. Re:And even on 2000/XP by catfood · · Score: 4, Funny

      The browser is an integral part of the operating system!

    2. Re:And even on 2000/XP by Alsee · · Score: 3

      Maybe the question you should ask is 'Why are you running a GUI on a server'

      Why are you running a GUI on a server?

      --
      You can't take something off the Internet! That's like trying to take pee out of a swimming pool.
  10. About the leaked corp edition... by Kredal · · Score: 3, Interesting

    If someone with the corporate edition key for XP Pro installed SP1, would they be able to apply this patch as well? I thought the SP1 would lock out all further updates?

    --
    Whoever stated that signature sizes should be limited to one hundred and twenty characters can just go ahead and kiss my
  11. Re:ha! by phil+reed · · Score: 5, Interesting
    this happens time and time again and will continue to happen until microsoft sees the light and figures out that they don't write good software.


    They already know. Remember a couple of months ago, when Microsoft VP Jim Allchin stated, under oath, that there were flaws in Windows so great that they would threaten national security if the Windows source code were to be disclosed. The architecture of Windows is inherently insecure and cannot be fixed. Read all about it here.

    --

    ...phil
    "For a list of the ways which technology has failed to improve our quality of life, press 3."
  12. call the exterminators by Yaruar · · Score: 3, Funny

    I'm tempted to send my boss the following warning.

    "Beware gophur attack in coming days.
    Tunnels created by gophur may break windows.
    Advise careful monitoring of the handler."

    To see if he goes all Caddyshack on me.

    I need more old protocols coming back purely to be used for my amusement.

    --
    Working for the (other) man
  13. Re:Suprise suprise suprise.... by Cutriss · · Score: 5, Funny

    Yet six more reasons why I don't allow my family to connect to the internet using MS. They can't be trusted.

    Who? Microsoft, or your family? :-)

    --
    "Mod, mod, mod...and another troll bites the dust."
  14. Truly ironic by Codex+The+Sloth · · Score: 5, Interesting

    Especially considering to get the "Designed for Windows 2000 / XP" Logo on your software, you have to have an install that doesn't require a reboot.

    --
    I am not a number! I am a man! And don't you ... oh wait, I'm #93427. Ha ha! In your face #93428!
  15. How it happened not really relevant by Goonie · · Score: 4, Informative
    The OpenBSD project's FTP server doesn't run on OpenBSD, so the details of how the hack happened aren't that relevant to OpenBSD's security.

    Read the OpenBSD FAQ for the details of why the FTP server isn't an OpenBSD box, but IIRC it's basically because it's a donated box and bandwidth from a university, and beggars can't be choosers.

    --

    Any sufficiently advanced technology is indistinguishable from a rigged demo
    --Andy Finkel (J. Klass?)
  16. My favorite part of the EULA... by Snowgen · · Score: 4, Insightful

    My favorite part of the EULA is where you can not reveal the results of any benchmark tests of the .NET framework unless Microsoft gives you permission to do so.

    What does that tell us about .NET?

    I wonder if saying something like "I would like to tell you exactly how slow the .NET framework is, but then Microsoft would sue me" would be ok.

    Interestingly enough, though...you only have to accept the EULA if you use the Windows Update feature of IE. If you just download the fix from TechNet, no EULA is mentioned.

  17. OK , OK, we get it by ellem · · Score: 5, Funny

    Hell, my 3 year old son gets it OK?

    (While playing Zoboomafoo Alphabet the Critical Update came onto the screen obscuring the Lemurs. "Daaaad stupid Windows is bothering me!")

    --
    This .sig is fake but accurate.
  18. Not to mention remote root on SQL Server by daveaitel · · Score: 3, Informative
    Running a fully patched SQL Server or Exchange 2000 (a full-time job in itself)? Check out: http://www.immunitysec.com/vulnerabilities/ :>

    -dave

  20. Re:News for Nerds, Twisted to Make MS Look Evil by shepd · · Score: 5, Informative

    >The fact of the matter is Windows is the most common target of hackers. They occasionally find stuff, it gets fixed.

    No, the fact of the matter is that the oldest security hole still present in internet explorer is over...

    2 years and 2 months old.

    Look, if they ACTUALLY fixed their OS (and by OS I mean browser, which MS says is the OS) we wouldn't care. But, you see, since they don't care to fix their OS (and if you can't fix it in 2 years then you are one very pathetic uncaring company) then we will care to explain to others that they don't care.

    Get it?

    You can apply every security patch in the world, but IE still lets any site:

    - Any and all of your files
    - Run any code they please
    - Upload files of their choosing
    - Modify files they want to
    - Delete files they want to
    - Delete your BIOS so you can't boot up your computer
    - Make your computer dial 911 constantly, tying up emergency systems
    - Install viruses on your computer
    - Make your computer do DDOS attacks
    - Make your computer email bomb threats to the president under your name

    All without warning you. And any amount of patching won't affect it.

    Is that not serious enough? Do they need to set your computer on fire to make it serious enough? Does your computer have to reach out and throttle you before you see how serious it is?

    Sheesh.

    --
    If you could be told what you can see or read, then it follows that you could be told what to say or think - BoC
  21. Re:For crying out loud..... by Lxy · · Score: 4, Insightful

    Why is it that a company can use such a poor security model and people will still think they should make up for it by buying all sorts of band-aids to the real problem of a late implementation of a security model by Microsoft?

    Because Microsoft owns the computer industry. It sucks. Their software is worthless. What's an admin supposed to do? Go deploying linux boxes at every workstation? Sure, I'd love that. There's a few UNIX geeks in various departments who would love that too. For the people who have no business using a computer, having e-mail, or getting on the internet, it'd take us years to train them in on linux. Then all we'd hear is "why can't I install this dancing puppy thingy that my stupid ass aunt sent me?"

    The fact is, to deploy linux and force users into it goes against everything that an IT department stands for. We have to cater to the greater audience. If 90% of our users refuse to use anything other than Windows, we're screwed. We can hold daily meetings about what Microsoft has done NOW, why they're evil, why their software is bad for us, they still won't get it.

    When it comes to anti-virus, firewall, and ad blocking, open source is a great option. Squid, MIMEDefang, SpamAssassin, junkbuster, it's all good. Better yet, it's all free. An IT department can put up an open source blockade at the door, the users don't know the difference, and we're much happier.

    So, to sum it up, we know MS sucks. I hate their software with a passion. SOMETIMES YOU JUST DON'T HAVE A CHOICE. I run linux at work and at home. We run linux products at the T1 entry point here at work. We have to run Windows on most desktops because THE PEOPLE WHO USE THEM ARE MORONS AND DON'T CARE ABOUT SECURITY.

    --

    There is no reasonable defense against an idiot with an agenda
    :wq
  22. Is there a "we can turn you off" clause? by Animats · · Score: 3, Interesting

    Does this EULA have the infamous "we have the right to turn off functionality and delete files" clause that Microsoft has been putting in EULAs lately, in preparation for extra-aggressive digital rights management?

  23. I've CAUGHT M$ stuff sneaking past ZA... by Reziac · · Score: 5, Informative

    I have personally caught M$ stuff going around ZoneAlarm on two occasions:

    WinME, no patches, ZAPro; system had no modem, thus no internet connexion. ZAPro dutifully reported every attempt to connect (which a lot of programs try to do for one reason or another, usually innocently) ... until Frontpage98. My first clue was when FP98 whined about being unable to find the nonexistent modem. ZAP didn't make a peep.

    Win98, no patches, ZA Amateur 2.63 (I think); system has modem and DUN configured in the usual way. HAD been well-behaved. Made the mistake of installing TurboTax this past April, and it forcibly installed IE5.5. Which FUBAR'd DUN. When I finally got DUN working again and went online, ZA *immediately* reported an attempt to intrude, from a M$ IP address (I whois'd it, so I'm sure), IIRC on a UDP port. Excuse me? What business does M$ have trying to get into MY computer? And since IE5.5 wasn't running per se (I only use Netscape online), clearly it had suborned Windows itself. And again, ZA didn't make a peep, tho it had always reported every other attempt to get in or out.

    This is why I IEradicated IE5.5 [see 98lite.net] and reverted the system to IE5.0, which had never exhibited any underhanded behaviour (tho I don't let it out on the net, I only use it for checking my HTML locally).

    And yes, there is a hardware firewall in my future, exactly because of this sort of security breach.

    --
    ~REZ~ #43301. Who'd fake being me anyway?
  24. EULA a form of coercion? by Eric+Damron · · Score: 3, Interesting

    I wonder if Microsoft's EULA could be considered a form of coercion? Look at it this way:
    Microsoft creates a flawed piece of software. They sell it to millions of unsuspecting victims under one EULA.

    Then, they release patches for flaws that are serious enough to destroy a business if left uncorrected. They tell the victims: "Agree to this new EULA that takes away many of your rights or we won't fix our software!"

    --
    The race isn't always to the swift... but that's the way to bet!
  25. Re: oh my! by TCaptain · · Score: 3, Funny
    Maybe now we can have UBER patches for ALL M$ products

    We do, it's called Linux.

    --
    "I'm not a procrastinator, I'm temporally challenged"
  26. Re:News for Nerds, Twisted to Make MS Look Evil by Ironica · · Score: 3, Insightful

    It makes them look worse, because it's a perfect example of how browser security holes *should* look. There's one hole, it was patched immediately. Rather than a laundry list of issues ranging from a couple weeks to a couple years old.

    From following that link, you can see that it is obviously *possible* to build a browser (a good one, in my experience... upgraded to Mozilla 1.0 from Netscape 4.7, since I hated NS6 and won't use IE) that has relatively few security holes, and it is also possible to fix them as they come up. What excuse do you want to give on MS's behalf for being so behind, especially when they have a lot more resources to throw at the issue?

    --
    Don't you wish your girlfriend was a geek like me?
  27. Quick installation by totallygeek · · Score: 3, Informative
    Installing Windows 2000 Professional is about three ten-minute jobs, separated by big gaps of free time to do other things.


    Well, then setting up Red Hat takes even less time than that with a kickstart diskette. Time: put in disk and install CD, turn on computer, come back when it is done configuring everything.