Microsoft Notes Critical Security Holes in Windows, Office
Scoria writes "CNN is reporting that the infamous Microsoft has disclosed six critical Internet Explorer vulnerabilities, including some that would allow an attacker to execute arbitrary commands. According to the relevant TechNet bulletin, a cumulative patch has been released to address them." Please be sure to read the EULA before installing the patch.
Arbitrary commands run by strangers if I don't,
Arbitrary commands run by Microsoft if I do.
If only more sites complied with standards, I could dismiss MS entirely for Opera.
I can spell. I just can't type.
Download now to continue keeping your computer secure.
So apparently my computer is already secure and there is no need to download the patch then!
Silly Microsoft.
As my grandfather who was a doctor said, "Doctors, mechanics and others like these all benefit from the misfortunes of others".
Today I just spent 3 1/2 hours updating security patches on a group of machines in an office for Office 2000. The people there are annoyed about all the patches, and we joked about it being "this month's security update". Now there's this, and I'm going to be called in again to update their machines. On one hand it's irritating, on the other hand it gives me more work, which I need at the moment.
A few of them are curious about Linux, and I keep it in their mind - not telling them that it will solve all their problems, but that in the near future it may be beneficial for them to consider it. I let them know an alternative is there, and they are positive, no knee-jerk reactions. I'm honest to them about its advantages and disadvantages - where it will help them and where it will be a challenge. When the time is ripe they will change over - it is inevitable. This won't eliminate the need for security patches, but I hope through the use of thin clients only one or two machines will ever need updating.
For the quickfixes listed on the url, there is no EULA to install them.
GPL'd web-based tradewars themed space game
I just installed it now (q323759.exe) and it didn't ask me to agree to anything. In fact the only question I got was "Do you want to install this update?".
For now, my PC is safe from Microsoft forced modifications (relatively speaking)
Avantslash - View Slashdot cleanly on your mobile phone.
Browsing through the Microsoft link (the first one is a puff piece), it looks as though they still haven't patched the SSL certificate problem in IE/Windows. Will we have to wait until the next multiple security hole patch, or will they release it separately?
Am I the only one who noticed this does not include the fix for invalid SSL certificates? Pretty big (and very expensive) problem, I think....
The Right Reverend K. Reid Wightman,
You have to reboot to complete the installation. Great. Now all my server updates (please do not ask why, I just follow orders) are going to be a joy. I can't believe I have to reboot to patch a damn browser.
I don't want knowledge. I want certainty. - Law, David Bowie
They already know. Remember a couple of months ago, when Microsoft VP Jim Allchin stated, under oath, that there were flaws in Windows so great that they would threaten national security if the Windows source code were to be disclosed. The architecture of Windows is inherently insecure and cannot be fixed. Read all about it here.
...phil
"For a list of the ways which technology has failed to improve our quality of life, press 3."
What if Microsoft has an API to bypass the filters Zone Alarm hooks in?
I have never seen the sense in firewalling a machine with the same machine.
Maybe it's just me, but I fail to see a single mention of the EULA, much less a statement that it changes when you apply this patch. Even when installing, the only dialog presented to the user is the "Do you want to install this update?" box. I'm as concerned as the next guy about Microsoft's propensity to sneak in unannounced EULA changes and automatic updates without telling you, but let's not point fingers where there's nothing to see.
Yet six more reasons why I don't allow my family to connect to the internet using MS. They can't be trusted.
:-)
Who? Microsoft, or your family?
"Mod, mod, mod...and another troll bites the dust."
People who actually examine the patches on their Open Source O.S. raise your hands.
Linus put your hand down.
Seriously, we should be pushing for accountability, not a world where everybody's grandma has to learn C++ just to make sure that the big bad software company hasn't installed a trojan horse.
When you got your oil changed last, did you take the engine apart to make sure that your mechanic didn't put a rabbit in there?
I know that you probably change your own oil. It's an example.
*everything* is Orwellian to cats.
Especially considering to get the "Designed for Windows 2000 / XP" Logo on your software, you have to have an install that doesn't require a reboot.
I am not a number! I am a man! And don't you
I'm sure some people raised their hands. Now if those people found a hole some would share it with the rest of us. Get it yet?
Oh and I work on my own car and go through source code in my spare time so your points don't work much on me. I don't trust M$ nor mechanics.
BTW a friend works at Jiffy Lube and always has interesting stories on how the boss makes him take suckers to the cleaners.
First off, this is funny! :-)
But it does kinda miss the point, as no doubt many people will be quick to explain. (Don't you think ``You missed the point'' should be the Official Slashdot Motto? :-)
The point is that if a patch is open source, and if only 1% of the 10,000 people who install it bother to read through, then that's still 100 pairs of eyeballs that will spot any funny business. So, crucially, the other 99% (and yes, I admit to falling into the 9,900 here more often than not) also benefit from the code's openness.
Summary: I don't want it open so I can look at it; I want it open so Linus can look at it for me and tell me if there's anything wrong with it! :-)
ObDisclaimer: no, I'm not really a degenerate freeloader. Usually I am in the 99% that doesn't read the code. But every so often - say 1% of the time - I will read it. See also my open source Net::Z3950 module at perl.z3950.org before you dare question my Free Software credentials. Infidel! :-)
--
What short sigs we have -
One hundred and twenty chars!
Too short for haiku.
Read the OpenBSD FAQ for the details of why the FTP server isn't an OpenBSD box, but IIRC it's basically because it's a donated box and bandwidth from a university, and beggars can't be choosers.
Any sufficiently advanced technology is indistinguishable from a rigged demo
--Andy Finkel (J. Klass?)
My favorite part of the EULA is where you can not reveal the results of any benchmark tests of the .NET framework unless Microsoft gives you permission to do so.
What does that tell us about .NET?
I wonder if saying something like "I would like to tell you exactly how slow the .NET framework is, but then Microsoft would sue me" would be ok.
Interestingly enough, though...you only have to accept the EULA if you use the Windows Update feature of IE. If you just download the fix from TechNet, no EULA is mentioned.
Hey, those of you who actually operate a printing press raise your hands.
See? There's only about three of them. There's no point in freedom of the press if only three people use it.
Ok, now everyone who's been arrested this week raise your hands.
Only a couple dozen out of a couple hundred thousand? Ok, no point in rights for the accused, then.
Next up, let's see how many of you are black. Only about ten percent? Well, what's the point in those equal protection and non-discrimination clauses? Most people don't need them.
Hell, my 3 year old son gets it OK?
(While playing Zoboomafoo Alphabet the Critical Update came onto the screen obscuring the Lemurs. "Daaaad stupid Windows is bothering me!")
This
No, because I could sue my mechanic for breaking my car. I can't sue Microsoft for breaking my computer.
what's the point of having an extra box to do what your computer can do already?
do you even have (a)/dsl?
Checking my log for today I've had over 50 people try and initiate unauthorised connections. The only server I run is HTTP and ident so there's no reason for any of them to try any other ports than those.
nslooking up their ip and I get mostly dial-up users or No such server.
Windows shares are the usual culprit. I did some scanning myself after cable modems launched in our area. I found myself on someone's shared C: drive with full rights. I trawled through some files to try and get some sort of ID. c:\program files\icq\ did me nicely and I was able to get the person's ICQ number. I looked them up on the ICQ whitepages and couldn't believe it when it turned out to be my uncle!
You don't need to waste a whole PC on it either
I've got one of these
befsx41
Works great, no trouble in 3 years. Not a single piece of software has had trouble with it. Can't recommend it enough for home/soho users.
There are places where the networks are not touching,and there are places where they are-Boeing's Lori Gunter
>The fact of the matter is Windows is the most common target of hackers. They occasionally find stuff, it gets fixed.
No, the fact of the matter is that the oldest security hole still present in internet explorer is over...
2 years and 2 months old.
Look, if they ACTUALLY fixed their OS (and by OS I mean browser, which MS says is the OS) we wouldn't care. But, you see, since they don't care to fix their OS (and if you can't fix it in 2 years then you are one very pathetic uncaring company) then we will care to explain to others that they don't care.
Get it?
You can apply every security patch in the world, but IE still lets any site:
- Read any and all of your files
- Run any code they please
- Upload files of their choosing
- Modify files they want to
- Delete files they want to
- Delete your BIOS so you can't boot up your computer
- Make your computer dial 911 constantly, tying up emergency systems
- Install viruses on your computer
- Make your computer do DDOS attacks
- Make your computer email bomb threats to the president under your name
All without warning you. And any amount of patching won't affect it.
Is that not serious enough? Do they need to set your computer on fire to make it serious enough? Does your computer have to reach out and throttle you before you see how serious it is?
Sheesh.
If you could be told what you can see or read, then it follows that you could be told what to say or think - BoC
Why is it that a company can use such a poor security model and people will still think they should make up for it by buying all sorts of band-aids to the real problem of a late implementation of a security model by Microsoft?
Because Microsoft owns the computer industry. It sucks. Their software is worthless. What's an admin supposed to do? Go deploying linux boxes at every workstation? Sure, I'd love that. There's a few UNIX geeks in various departments who would love that too. For the people who have no business using a computer, having e-mail, or getting on the internet, it'd take us years to train them in on linux. Then all we'd hear is "why can't I install this dancing puppy thingy that my stupid ass aunt sent me?"
The fact is, to deploy linux and force users into it goes against everything that an IT department stands for. We have to cater to the greater audience. If 90% of our users refuse to use anything other than Windows, we're screwed. We can hold daily meetings about what Microsoft has done NOW, why they're evil, why their software is bad for us, they still won't get it.
When it comes to anti-virus, firewall, and ad blocking, open source is a great option. Squid, MIMEDefang, SpamAssassin, junkbuster, it's all good. Better yet, it's all free. An IT department can put up an open source blockade at the door, the users don't know the difference, and we're much happier.
So, to sum it up, we know MS sucks. I hate their software with a passion. SOMETIMES YOU JUST DON'T HAVE A CHOICE. I run linux at work and at home. We run linux products at the T1 entry point here at work. We have to run Windows on most desktops because THE PEOPLE WHO USE THEM ARE MORONS AND DON'T CARE ABOUT SECURITY.
There is no reasonable defense against an idiot with an agenda
:wq
I have personally caught M$ stuff going around ZoneAlarm on two occasions:
WinME, no patches, ZAPro; system had no modem, thus no internet connexion. ZAPro dutifully reported every attempt to connect (which a lot of programs try to do for one reason or another, usually innocently)
... until Frontpage98. My first clue was when FP98 whined about being unable to find the nonexistent modem. ZAP didn't make a peep.
Win98, no patches, ZA Amateur 2.63 (I think); system has modem and DUN configured in the usual way. HAD been well-behaved. Made the mistake of installing TurboTax this past April, and it forcibly installed IE5.5. Which FUBAR'd DUN. When I finally got DUN working again and went online, ZA *immediately* reported an attempt to intrude, from a M$ IP address (I whois'd it, so I'm sure), IIRC on a UDP port. Excuse me? What business does M$ have trying to get into MY computer? And since IE5.5 wasn't running per se (I only use Netscape online), clearly it had suborned Windows itself. And again, ZA didn't make a peep, tho it had always reported every other attempt to get in or out.
This is why I IEradicated IE5.5 [see 98lite.net] and reverted the system to IE5.0, which had never exhibited any underhanded behaviour (tho I don't let it out on the net, I only use it for checking my HTML locally).
And yes, there is a hardware firewall in my future, exactly because of this sort of security breach.
~REZ~ #43301. Who'd fake being me anyway?