Slashdot Mirror


Weekly Microsoft Critical Security Issue

An anonymous reader sent in linkage to a zd story discussing the latest Windows Security Patches including an especially nice hole letting Java apps gain total control of your machine and assist you in reclaiming disk space by, say, reformatting your drive.

10 of 455 comments

  1. jvm by AbdullahHaydar · · Score: 5, Interesting

    which virtual machine is it that caused this? The one before or after Microsoft added their own extensions? (which caused the whole MS-Sun lawsuit)

    --


    Suicide Booth: You are now dead! Thank you for using Stop and Drop, America's favorite since 2008.
    1. Re:jvm by fervent_raptus · · Score: 5, Insightful

      I doubt Microsoft would intentionally break their own version of Java. Of course they want to make Java look bad, but creating holes in their own version would simply cause people to switch to Sun's version.

  2. But quickly fixed... by pro-mpd · · Score: 5, Informative

    OK, so I hate MS for building unsafe software. But this time, I have to give them credit. I woke up this morning to my computer telling me that there was a critical update waiting to be installed, and it was this one. I read about the vulnerability on the web *after* installing the patch, so I am kinda glad that MS shoves updates down my throat.

    1. Re:But quickly fixed... by ManUMan · · Score: 5, Interesting

      One can be excited when they patch things this quickly. My real concern is to whether we will see tons of patches for forthcoming software. That is, will all of the talk of more 'secure' computing be just talk.

      I certainly agree that Win 2k, XP, etc. all seem to have more security bugs than you can shake a stick at. Given the problem, the question is can MS make any sort of headway? Can they actually offer a product that will really be stable and secure? My theory is that we will know a lot more about the answer to these questions in six months. If Win 2003 server has 18Mb of patches in the first 6 months then we will know the answer. Personally, I am hoping they start doing better.

      --
      If you are never moderated, do you really exist?
    2. Re:But quickly fixed... by bittmann · · Score: 5, Interesting

      Yes, maybe, but...

      Thanks to a long list of overlapping issues, this is going to cause my employer (and a vendor that shall remain nameless to protect the guilty) a bit of a headache--and I doubt that we're alone in the world on this one.

      We are running a Digital Imaging (digital radiology) system that has a web-based server for allowing physicians to review images and interp from "any PC". The viewer itself is Java based...no client required (ahem...vendor speak. Client is downloaded automatically, perhaps? Anyway...) The elimination of the need to manage/install/maintain a client on thousands of different machines was one of the biggest reasons that management chose this particular system/particular vendor.

      Background:

      Here's how the IT assessment of the product went...

      Yay...Java! This will run on any PC! Well, not Mac or Linux, but since we aren't a Mac or Linux shop, this is acceptable (this should have been our first clue).

      Well--make that "any PC running Internet Explorer". Perhaps it's something with a particular DOM. We can live with that. We're running IE on all of our machines, anyway.

      OK--make that "any Windows PC running Internet Explorer, using Microsoft's Virtual Machine. Sun's won't work". WTF? I thought this was JAVA. Let me guess...this was written using MS Visual J++, right?? Anyway, according to our management (who is undoubtedly quoting straight from the vendor), "it's a lot faster this way."

      Ummm--make that "any Windows PC running Internet Explorer, using one of a few versions of Microsoft's Virtual Machine...the most recent ones will *break* the app". Now, where did *that* come from? But sure enough, if an employee gets overly "helpful" and tries to update their system (we still have some 9x systems on the network, and the boss won't let me firewall the Windows Update site), the application breaks. So whatever the vendor did isn't entirely "legal"...the latest VMs "fix" an undocumented feature that they are depending on...

      Final analysis: "This sucks. Either plan on installing their Honest-to-Pete MS-VC++ client on 1,000 PCs or pick another vendor."

      So, yes, management went ahead and bought the package - warts, J++ and all - from the vendor for a goodly sum, over the objections of the IS review committee. Yes, we've fought with said vendor for the last few months, to no avail (yet). No, the vendor (until now) claims that there is no reason to update their code to be fully Java-as-in-Sun compliant (or even Java-as-in-current-Microsoft compliant, for that matter), and that we should basically stop whining and get over it. But perhaps, just perhaps, we can now point to this and say "Look. Your customers *are* at risk. We *must* upgrade our JVM...we have no choice. If your software won't run on the resulting platform then it's not performing as indicated, which frees us from the contract and any pending payments coming due. Hint Hint."

      Well, I'm not holding my breath on the vendor updating their code. I am holding my breath about this cycle of Windows Update problems, however. I imagine that the trouble tickets are already starting to come in to our PC support area. "The Radiology viewer doesn't work," they say. "I can't do my job...fix it now!" they demand. Much work to uninstall the new VM. Much work to re-install an older version so they can "do their job". And much sweating while we hope to dodge the bullet of a malicious Java applet through a combination of virus detection software and dumb luck.

      Sometimes, a blind patch via Windows Update isn't the best thing to do, unfortunately.

      Am I blaming Microsoft for building unsafe Operating System software? Well, yes, but I'm also a realist--you can't expect perfection. But what I'm really blaming Microsoft for is their knowing and purposeful design and dissemination of a Java VM and Java development environment that was built to be incompatible with Sun's Java. I'm also blaming the vendor for helping support Microsof

  3. Reformatting my hard drive by s20451 · · Score: 5, Funny

    That'll work out great. I just downloaded the RH9 ISOs.

    --
    Toronto-area transit rider? Rate your ride.
  4. JDK by WPIDalamar · · Score: 5, Funny

    Good thing Microsoft JRE is so broken, that all exploits ended up not working!

    Write once, debug everywhere.

  5. Dilemma. by Anonymous Coward · · Score: 5, Funny

    So I now have two options.

    * Let baddies in at their will.
    * Run Windows Update, expose my machine to Msoft, sign away my soul through the patch EULA.

    Help!

  6. Let the Slashdot Madlibs Begin. . . by Fritz+Benwalla · · Score: 5, Funny

    Let me save many of us some time:

    "Well here we go again. A gaping security hole in Microsoft [ Operating System ]. This never would have happened if Bill Gates weren't just trying to make more money so he could buy more [ plural noun ] to fill up his mansion in [ place ]

    This is just one more reason why [ circuit court ] should [ verb ] that [ expletive ] company once and for all.

    [ Unix-based operating system ] only had this problem [ number ] in its entire history, and there was a patch posted in under [ number ] minutes!

    [ Text-based word processor ] rulez! Micr- [ Insulting variation on 'soft' ] is the [ Traditional evil deity ]!"

    -----

    --

    Believe me, I'm as surprised by my comment as you are.
  7. Clueless by Thomas+A.+Anderson · · Score: 5, Insightful

    You're right... Last year RedHat issued nearly twice as many security bulletins as Microsoft.

    I'm sure the above is a troll, but I'll answer anyways. When you install windows, you get, well, windows. And internet explorer, and freecell. That's about it.

    When you install linux from RedHat (or Mandrake or...) you get the OS, several browsers and mail clients, 2+ office suites, 4+ text editors, java, perl, c, python, 25+ games, 3+ window managers, etc (not that you have to install all that - but they're available in the install).

    I'd say Redhat is doing great to only have 2x the security bulletins as microsoft considering they supply 4x or 5x the software on their cd's.

    Plus, it's been documented many times before that bugfixes are available much quicker in the OS world than the MS world.

    I'm increasingly convinced that Linux is dying off. The lies and distortions we are seeing on slashbot have become more and more desperate over the past two years.

    Name one "lie" regarding linux that you've seen on slashdot that's demonstrably not true (articles only, not posts). Remember, nobody is going to agree with all the opinions expressed on this site.

    --
    Personally it's not God I dislike, it's his fan club I can't stand (bash.org)