Microsoft Issues Five New Security Warnings
smelroy writes "Microsoft on Wednesday issued security bulletins for five new software vulnerabilities, including a flaw in Visual Basic for Applications that the company rated as critical. The company has posted patches for each of the flaws on its Web site. Four of the problems affect Microsoft's Office desktop software.
You can read the story here and the security bulletins here."
i'm having this funny feeling of deja vu...
Confused me because I couldn't figure out why Microsoft was releasing bug reports for openoffice. (Aside from the obvious conspiracy theory that Microsoft would be trying to make the competition look bad)
There comes to a point where you just can't patch things anymore, and it's time to start over new. And, hopefully get it right this time!
Same old sh*t, different day. Other than alerting admins who really should know this is there a reason for having it on the front page?
wouldn't ANY vba flaw be critical. if i recall correctly, through vba, you can manipulate the entire file system. while it doesn't give you low level access, it has access to every COM object on your system. in fact, weren't the code red and i love you virii (and many others) written in VBA. VBA seems to be such a big reason that businesses can't move away from windows/office. to me, it seems like a reason TO move away from office.
My problem? I was perfectly gruntled, until some numbnuts came by and dissed me.
...without either e-mail from RedHat about a bug or news from MS about one. Lucky me, today I have both.
"I'd rather be a lightning rod than a seismometer." -Ken Kesey
1.SuSE
2.Red Hat
3.Mandrake
4.Debian
5.Gentoo
I say two months... I really hope this time it won't be that bad. The Blaster worm just restarted computers but what if the next one will spread, be silent for a while and format computers - that could lead to disaster. I wish there was some way of testing the software for 100% bulletproof security flaws but I guess there isn't.
Dont just mail it - Maileet
Crap! That means I have to touch every machine in the enterprise--again! Just two weeks after "touching 'em all" (not in the baseball sense) from the last round of worm patches.
How I long for the old days of Novell... Ah...take me away!
Who did what now?
This is a story that informed us of bugs that need to be patched, including one that can allow arbitrary code to run. Many people here use MS products every day, and getting a heads up like this is good.
Maybe you should be off patching instead of bitching about slashdot.
I thought Visual Basic was a flaw!
"Some things have to be believed to be seen." - Ralph Hodgson
I remember in HS I could own any mac in school that had office installed on it. At that time office had a find file program built in with the added "feature" that it could move files around once you found them. The security program on the macs of course disabled apples find file and locked certain folders so you couldn't delete programs. Office bypassed all that. All you had to do was find and move the security programs preference file to the trash and restart the computer. The password would be reset to the default password, which I happened to know (admin:admin is pretty easy) Voila, Office as a hacking tool. And it was a feature of office!
Microsoft is quickly starting to look like Swiss cheese.
A blog like any other.
"This looks like another story to laugh and mock MS. In reality, it is you zealots that look like mormons."
That doesn't make any sense. A Linux zealot can't even get a date, let alone several wives!
How are you going to keep them down on the farm once they've seen Karl Hungus?
It doesn't make any sense for a company to keep building something that requires a patch every few days. Are they actually making money off of these patches?
It's just that I've never heard of anything so blatantly broken that is so successful.
Maybe I'm just angry because some scumware got into my computer system.
in girum imus nocte et consumimur igni
M$ bug? I keep getting this Deja vu.
When we get more like 50 of these a week, then we'll know that they've really gotten serious. Large systems have a lot of holes in them -- especially when no one was plugging the holes for oh, 10 years or so.
My tinfoil cap has 2 pennies.
"Learning is not compulsory... neither is survival."
--Dr.W.Edwards Deming
(Oops... hit the 'Submit' button before I was done)
What is fscking wrong with this company? I can't believe that any developer that works for them can be proud of the software they write. Is it just the culture among the developers to care about bugs or security? Do the managers not care? Is it just plain arrogance on everyone's part that they know people will just keep buying their stuff? I'm not trolling, just really curious.
I'm thinking MS could save a whole lot of time if they'd just get rid of the network and user input drivers!
Flaws in Visual BASIC are documented right here
Stick Men
At least the Office updates don't require a reboot. That makes things a bit easier for me.
*slinks away to update co-workers machines*
for all my fellow IT guys (and girls).......PATCHERS, start your engines!!
xao
http://TheHillforum.hopto.org
...why don't ya! Maybe automatic use of MS Update is the only way to solve this problem. This morning I read about an exploit, this afternoon it seems there is some kind of 'Virus' released that exploits it. Now if MS hadn't told everyone of the exploit would it have been exploited by some script kiddie so quickly? Is MS good or bad for telling us so fast of so many critical problems, the way I see it, their talk of making automatic update compulsory could be a good thing, that way they can patch the vulnerabilities and then tell us about them afterwards. That must be better than telling all the script kiddies "Hey guys, here's a new way to screw windows users, how fast can you write something to take advantage of it then?". First prize - Infamy and a visit from the local FBI officials, Second prize...
"If it's lost, it'll turn up. Things always do" "I love it when a plan comes together"
[29 Aug 2003] DSA-375 node - buffer overflow, format string
[26 Aug 2003] DSA-374 libpam-smb - buffer overflow
[26 Aug 2003] DSA-344 unzip - directory traversal (new revision)
[18 Aug 2003] DSA-364 man-db - buffer overflows, arbitrary command execution (new revision)
[16 Aug 2003] DSA-373 autorespond - buffer overflow
[16 Aug 2003] DSA-372 netris - buffer overflow
[13 Aug 2003] DSA-358 linux-kernel-2.4.18 - several vulnerabilities (new revision)
[11 Aug 2003] DSA-371 perl - cross-site scripting
[09 Aug 2003] DSA-361 kdelibs, kdelibs-crypto - several vulnerabilities (new revision)
[08 Aug 2003] DSA-370 pam-pgsql - format string
[08 Aug 2003] DSA-369 zblast - buffer overflow
[08 Aug 2003] DSA-368 xpcd - buffer overflow
[08 Aug 2003] DSA-367 xtokkaetama - buffer overflow
Stop calling the kettle black! Fix your own problems. This stuff wouldn't happen if Debian didn't use out of date software, as most of the flaws mentioned were fixed in the new versions!
This is an anti-piracy ploy by M$. I just tried to install the patch and it told me to find my installation disk and product key. Since when do you need that crap to install a patch?
I don't happen to believe anything Microsoft does or says will reduce the number of bugs they produce; with that in mind, the only result is people dropping M$ products in favor of other, more reliable, software. I think exploits are good in the long run because it puts a spotlight on the flaws that were always there.
Microsoft Windows. Ford Pinto. Any questions?
Someone asked if I had patched against MSBlast; I said yes, I installed Linux.
What's the big deal here? Microsoft finds a flaw, issues the patches, get coverage from slashdot.
Things that happen all the time with unix/linux OS and apps.
Don't be mistaken, i ain't pro-Microsoft. I just think that slashdot is often bashing MS products for no reason. Their ideology is bad. The world domination plan is bad. But i'm tired of "hardcore" unix/C fanatics that dismisses
Whining and moaning every time they issue a security warning is just plain childish... oh wait this is slashdot
In Redmond Washington, Deja vu gets you!
Crazy enough though, it's true. Over and over.
read... "do whatever the fuck they want"
heh.
"if i'd known it was harmless, i'd have killed it myself"
I hope this wins some more business and government contracts for non-Windows based systems.
Windows is ok for some applications. But this sort of thing (actually a whole month of bad security press) should jar a lot of decision makers to recognize that MS is not the ONLY REAL OS OUT THERE, as their marketing strategy has led all non-tech inclined business execs to believe.
The Truth will set you free.
Slashdot Syndrome: the sudden, extreme urge to correct someone in order to validate one's self.
Welcome to the family, WS2K3!
Get a couple of friends together.
Each person throws in a buck.
Each person guesses when the next security patch will be released by Microsoft.
Wait for next patch (This will not take long).
Winner takes all the money.
Start over.
Slashdot rarely, if ever, publishes security holes in non-MS software, so I have to read about them somewhere else.
What is Slashdot trying to hide?
Good. Now it is officially Thursday - the latest security issues under Windows have been announced.
Yet more for the Official So Happy It's Thursday movement.
www.eFax.com are spammers
Is it Thursday already?
... but we should really be debating how we get this right on an OSS platform. If I put RedHat9 next to Windows Server 2003 I have significantly more updates to apply to my Linux box.
This is a community of smart people, the race is on to figure out how to best solve this issue for our end users. Microsoft appears to be beating us by requiring far fewer updates to be applied than a randomly chosen Linux distro.
We need to think about the process of distribution and application of these patches, if we can get that right then we get a larger percentage of the desktop.
Today any undereducated end user who is judging security by the number of patches that jumps to a Linux distro because they've "heard" it is more secure will quickly be jumping back to Windows.
We should probably be trying to explain to everyone that it's necessary to actually install this stuff... IT people who don't are incompetent, and they will bear some of the blame for the next worm.
Maybe Microsoft has started offering their developers $20 for each security fix...
At what point are M$ patches no longer news?
Just wondering...
There are patch releases all the time. We all know it's bad, M$ sucks...blah blah blah di blah...
If a hippo was able to parallel park a car, that would be news. That would be stuff that matters. But if the hippo did it every week, is it still news? Does it still matter?
if you've lived through the past few weeks and still decide to procrastinate on applying these patches.
There does come a time when rewriting is easier and more practical than patching. For example when Linus rewrote USB drivers from scratch instead of trying to work with Inaky's driver.
Microsoft SHOULD rewrite their entire OS. Did they do that with Longhorn? I seem to recall something about that. My memory seems to recall that is exactly what they did with IIS.
There is little doubt they should start over on software such as Windows 98 instead of patching but since that is an old and soon to be retired product it doesn't make economical sense.
In the F/OSS world it can be done at any time since there is no profit motivation. In the end, this is exactly why F/OSS is the way of the future for software and why companies such as SCO and Microsoft loathe and fear it. Don't like a piece of software or it is really buggy? Rewrite from scratch. Take five years to finish it if necessary because there are no stock holders screaming about it (Public distribution companies not included).
your box is only as secure as the person administering it.
and apparently, windows users, left to their own devices don't know, or don't care about keeping up to date on security patches.
although, when enough of them are willing to just go ahead and doubleclick on any attachment from an unknown sender (msblast), these kinda exploits aren't really even necessary.
all the tools for a secure windows box are already there.
(though a security-patch-only windowsupdate flavor would be very helpful).
// "Can't clowns and pirates just -try- to get along?"
I wonder, though, how many people will apply these patches. How many people even know they exist? Perhaps the blaster fiasco has made end users more aware of computer security? Somehow, I doubt that. Most of the end users I have had to deal with just want someone else to come and fix their problem (read: why does my computer keep rebooting?). So if there is no perceived problem there will be no fix.
Personally, I think it is a problem that Microsoft has indirectly contributed to this problem by making Computers For The Masses. IMO, *NIX doesn't have such a large problem because its user base is much more aware.
But when will Microsoft realize that their users don't care about security until its too late and if they do what will they do about it?
Because the English language is dynamic?
Keep saying virii guys, once it becomes the 'standard' way of saying viruses, no document (or group of Perl programmers crying) on Earth will change the fact that virii is plural for virus.
Yes, I LOVE going against the grain. I equally love shoving 'proper' back in the face of zealots.
"I can't give you a brain, so I'll give you a diploma" - The Great Oz (blatantly stolen sig)
didn't make "our products will not kill customers and burn down buildings" one of its "top priorities"
think- where we would be then?
every day http://en.wikipedia.org/wiki/Special:Random
Hey, what's up with that? I didn't know you got to change peoples words before making fun of them.
Suddenly the possibilities for humorous retort are limitless.
Maybe
This is why I hope OpenOffice never achieves perfect harmony with Microsoft Office.
90% of everything is crap. Also, crap is relative.
I'm in a mixed environment where we have some Dells that came with Small Business Edition (either SR1 or original), and other users who needed Access that we purchased Office 2000 Pro for. Because Microsoft requires the original CD, it really adds to the burden of updating because you have to figure out which friggin' disc to use on each individual station. If they would just let us run the damn patch without the CD verification it would be easier.
Plus, their order of updates is fux0r3d. They have the spell checker update listed as more recent than SP2, but when I run it I get an error message that the update only runs on SP1
It's bad enough to need so many patches, but there are many basic things like the above that Microsoft could easily improve.
...Windows Update already automatically downloaded and installed the patches last night on all my machines.
And no, I didn't do a week of regression testing either.
Suddenly the possibilities for humorless retort are limitless.
I'll have to agree with you there.
Free Mac Mini. Yes, I'm
...which definitely outnumbers five.
Here comes the part where people's excuse is that it's a joint effort, unable to be pinpointed as a "Linux hole." What does that mean? Nobody gets blame because a lot of people contribute? A lot of people contribute to Microsoft as well. They're just behind the moniker of a company label.
"Sufferin' succotash."
on about Oct 4th we should see a few viruses come out. won't be too bad since it will have to hit office apps, but it will still spread well and annoy MS SysAdmins
"Infector" "Go"
"Scanner" "Go"
"Spammer" "Go"
"DDOS agent" Go"
"All systems go, ready for virus launch..."
10...9...8...
Now I hope and pray that I will But today I am still, just a bill
News for Nerds. Stuff that matters, now reads
Slashdot
and the bashing bashers that bash them. An unfair and biased look at Microsoft.
I'm not trying to troll, i'm trying to be funny, but I do suck at it.
moo.
I just got a new pc with XP on it after a mb failed on old one last week. Decided to run windows update this morning. 30 "critical" updates, 11 xp updates and 3 driver updates. And this is a pc packaged in July.
Hurr Micro$oft is nothing but bad and evil and bay they charge money and won't give their product away for free Bill Gates is the devil hurrr
...is anyone surprised? I'm not even sure this belongs on /. anymore. We know MS writes buggy and vulnerable software.
Of course, MS isn't the only company to write such buggy software. But before anyone says a word about MS being bashed too much, let's remember that 95% statistic. When a company's software runs on approximately 95% of the world's computers, they have the moral responsibility to ensure its stability before they release it.
We could always blame sysadmins for being too stupid to check for and install updates, but instead, why don't we just educate people on why they should run Windows Update every week (or sooner).
I'd think billions of dollars in damages to the economy would be enough to get executives cracking the whip at their IT staff. Then again, I also thought Bush lost the election.
If you can find an Office CD! I seldom apply office patches, because I have to find the installation CD each time.
To me this is an unacceptable barrier. "We can give you a patch, but please prove that you have the exact version of the CD that you used to install office originally". Arg, what BS!!!
Most writers regard truth as their most valuable possession, and therefore are most economical in its use - Mark Twain
I'd love to see ol' Borg Bill wearing a black patch over his other eye...
Are you telling me I have to install patches? Since when does a reboot not solve all windows problems? I feel cheated...and dirty..two key words when using windows.
It's always funny until someone gets hurt. Then it's just hilarious. -B.Hicks-
Alright, the OS patches are one thing--I can automatically have our machines update if I wish. The office updates, however, require access to the installation media. As we have a volume license agreement and our individual users do not have copies of the media, I will have to have a tech personally visit each of our 500 or so machines to put in the CD and load the patches--or ignore this "critical" fix and hope for the best. I wish I had the option of forcing a different office application solution but in an academic environment it is difficult at best. Something like this really lays the foundations for class-action.
Rather than excuse Linux, I think the people hate these MS warnings most of all because MS-users, unlike most Linux users, don't patch their systems. What normally ensues within a couple of weeks of the vulnerabilities is some exploit wreaks absolute havoc with the internet.
If MS gets the patch out the door, and everyone installs it before some script-kiddie can exploit it, then who really cares? It's a pain downloading all the patches, but that would be the extent of the problem.
Instead, the horde of zombies kills the internet. We've only just recovered from the last attack.
-- james
While the thought of bad press for Microsoft makes me pretty damn giddy, this is turning into a nightmare for M$ as well as for Large Companies who must be wondering exactly what they are paying for. M$ needs to seriously sort out the people who work on this stuff in the first place, and get off the "we are M$, what else could you possibly want?" high horse.
From personal experience, patches for MS Office require the user to have the CD available.
In the corporate environment, this usually isn't a problem (except for the different flavors of Office we have floating around: MS Office Professional, MS Office Premium, MS Office Academic version, OEM non-retail version, etc. make it a pain).
However, home users may have MS Word and MS Excel pre-installed on their systems from the store. But they don't have the Office CD itself.
How can they apply the necessary MS Office patches and service packs?
None and however long it takes for someone to think a Gnu/Linux made of nothing but patches would be cool.
And, hopefully get it right this time! And not get sued by SCO
Ahem... SCO sued IBM not Linux (There is no entity called Linux that SCO can sue).
If IBM can't avoid being sued by SCO nobody can. (And in one interview Darl McBride said he believed SCO code could be found in ALL major operating systems and planned to sue everybody).
However so far the SCO claims are basically "Linux has.. CODE and so does SCO Unix... They stole that from us"
I don't actually exist.
Good troll, but try coming back with an analysis of the actual severity of the holes.
I better hurry to run off and patch a hole in some obscure OSS app I don't have installed as opposed to the constant REMOTE ROOT EXPLOITS in the core Microsoft OS.
you fanboys blow this all out of proportion. It is 2 bugs with one that happens to affect 4 products. The reason they list separate announcements for each product is because some people don't have them all installed but still need it for the one app you use.
Quick quiz, hot shot Troll: Here are the first 5 vulnerabilities from that list:
atari800, gallery, eroaster, mindi, phpwebsite,
Now, how many of those are "linux" (i.e. the linux kernel, shell and important utilities.) None.
How many are remotely exploitable? None.
Given the user base of those 5 obscure programs, how many would *you* rate as critical?
Guess you've never subscribed to Red Hat's errata updates, have you? I don't even want to bother reinstalling 9 because I know I'll get a HUGE list...
Debian has more than 10 updates listed just for August alone, almost all buffer-overflows.
Anyone want me to go on? Because I could. Remember the filesystem-corrupting kernel "turkey" release? Heck, 2.4.x was riddled with problems its entire run. But that doesn't matter when we've got hatred to burn on Microsoft, right? Sigh.
NEWS FLASH--Companies issue patches for their software. The more used the software is, the more possible holes will be found to be patched. The more updated it will be. Why is it so surprising that something with 95+ marketshare is going to be given patches? Wouldn't be...I don't know...a good thing in people's eyes?
Here comes the ranting Linux fanboy to tell me I'm wrong, and that everything Microsoft does is wrong. Sigh.
"Sufferin' succotash."
In the case where Microsoft Word is being used as the HTML e-mail editor for Microsoft Outlook, this document could be an e-mail, however the user would need to reply to, or forward the mail message in order for the vulnerability to be exploited.
From reading the security bulletin, if you use Word as your email editor and you reply/forward a message with this bug in the html, you could get infected. How long before someone silently embeds this in every outgoing email message? If someone exploits this, it could be REALLY bad.
Yeah, I'm thinking the Church of Linux should arrange marriages between young members that our wise leaders see as compatible in their faith. The ministers of local Linux User Groups could fulfill this important societal function by discreetly pairing members as they see fit. On a global level, the mating of Linux User Group leaders would be arranged by higher-level luminaries such as Eric S. Raymond and Larry Wall. I believe this would be a very important development for the Linux community. I shall start a sourceforge project ASAP, and bring this up in my local LUG. Details will follow as soon as we figure them out. --jon
Thank you Microsoft, for keeping all of us Technical Support people employed. Without you, the other half of slashdot would be unemployed.
Perhaps comparing all the security vulnerabilities for all software that could possibly run on Windows to this list would be SLIGHTLY more fair.
As it stands now you are comparing all open source applications to the Windows Operating System.
So good job on attempting to call the Slashdot community on hypocrisy, unfortunately you seem to be very confused about what Linux is and unable to make a valid comparison.
Finkployd
Why must we have a discussion on every single MS update? This is like posting a major news announcement at every virus that comes around. Set up critical updates to download & install when you are ready, set up anti-virus to auto-update, and move on with the important things that we as a community of intelligent computer users can benefit from. It's not news if MS already discovered it, researched it, wrote a patch, tested it, and released the patch.
In other news: Elvis Presley is still dead and the teddy bear icon virus still runs rampant.
If we must post security advisories do it for a *nix platform where critical updates aren't automatically applied and mission critical apps are in danger of being compromised.
Two roads diverged in a wood, and I - I took the one the bus load of girls just went down.
There were Multiple Linux Kernel 2.4 Vulnerabilities recently reported. Yet I didn't notice a front page article from Slashdot concerning that.
Here's an idea, editors: try to at least to pretend to be unbiased. I'm sure you still can get your ad-revenue boosting comment circlejerks even with a bit of balanced reporting thrown in.
I just thought of something - what do companies like Dell do? They just sell the stock OS on their systems, right? Everyone always complains that people don't patch their systems, but what if you buy a new machine from Dell? I am sure people don't think "oh man, I have a new system, I need to go out and figure out which patches to install". They fire it up and go. Should OEMs be required to sell systems that are up to date on the OS patches?
My beliefs do not require that you agree with them.
Is it me, or does Microsoft seem to be embracing their security flaws and the patches that go with them? Are they actually trying to scare people into upgrading?
I mean, seriously, does anyone on Slashdot still use Windows?
Scott
No. This is the part where one of us mentions that Linux is available free of charge and that one rightfully should expect more from a multi-billion dollar company which charges hundreds of dollars for their software.
I do not have a signature
Nothing new here...
It's good that Microsoft is STARTING to take this seriously.
Let's hope it stays that way.
Patching Windows is probably one of the better features of the system. Microsoft can patch over the entire operating system if they wanted.
But Microsoft has not taken the problem seriously in so long a time it's going to take a while before Microsoft can find all the decade old bugs.
Microsoft didn't take industry complaints about Dos seriously when they made Windows.
Microsoft didn't take security seriously when they made the "Bug free" Windows 95 leaving the system with a serious back door left open.
Microsoft didn't take security seriously when they produced Windows NT not fully implementing the password encryption technology found in Unix systems.
Now that they take Linux seriously they take security seriously.
Ahem... About freaking time guys.
I don't actually exist.
Maybe us I.T. people are the real patches. We keep Micro$oft in business by rebooting the PCs that their patches run on.
We've only just recovered from the last attack.
I'm glad you can say that. Our network at work is still up and down regularly from all the traffic spewing out of Blaster infected game consoles....
"City hall" in German is "Rathaus" Kinda explains a few things......
Important to note that most holes not found by Microsoft.
After trustworthy computing, one might expect to see an increase in the number of security patches, given the increase in developer time searching for them. Take a look at the credits for these patches. Not one attributed to MS internal security audit team.
"...which definitely outnumbers five."
If you use 5 different distros, and some fairly unusual apps, then gee, I guess you're right.
You should change to your handle to Overly Simplistic Guy.
as far back as i've been reading slashdot, and even further since i've read old stories-slashdot was pretty anti-ms. About the time Rob got more than just his good friends to read it. Actually, doesn't he mention that he hated win95 and thats why he switched to linux? I don't know...but saying "[slashdot] used to be a cool technology site that posted some great stories, but now [it's an evil ms-bashing site]..." is pretty silly, dontcha think? It's always been ms-bashing...maybe because it's always funny to bash something that has been extremely frustrating to you. A little therapy, ya know?
Who is this Anonymous Coward character, how does he post so much, and why is he always such a whore?
I develop lots of VBA stuff for our office. But all of our installation disks are 75 miles away at the main office. I have an Office XP Upgrade disk that was used on older here, but my full-blown Dell-installed Office XP won't accept it. So how am I supposed to patch this *critical* bug *immediately*?
Vote for global prefs bug
Software is O(1).
:-P
Because I have like 357 hotfixes in that list now.
Damn, it's going to take me about 5 minutes to scroll down to uninstall any software that starts with a "Y" or "Z"
A person I know had their computer get totally fucked up after a recent round of Windows Update for Windows XP. Random hangs, weird audio snags, spontaneous reboots, you name it.
Healthcare article at Kuro5hin
"How To Make a Software Quilt."
MS does not patch flaws in "Photoshop for Windows", or "CorelDraw for Windows" or Quicken, or Win32 Mozilla, or any number of the millions of Windows shareware apps. Unless you start counting those vulnerabilities as "MS vulnerabilities" you're not comparing like with like.
All those Linux application flaws are in products (usually obscure ones) written by companies other than Linux distribution vendors. They package them with their distros because they can, and they promulgate the patches (also written elsewhere) because it's good practice.
Yes, I know. IHBT. IHL.
Athletic Scholarships to universities make as much sense as academic scholarships to sports teams.
Welcome to yesterday...
http://slashdot.org/article.pl?sid=03/09/03/2223206&mode=nested&tid=141&tid=188
While I've just about managed to educate friends and family about the need to run Windows Update, WU does not in itself warn of critical security issues - you have to remember to visit Office Update manually... and who is going to do that? No one, in my experience.
but it gets better - The Office Security updates require you to insert the original CD. This seems a mighty strange move, and not terribly useful for me since the CD is several thousand miles away locked up in a cupboard on the other side of the Atlantic.
Can anyone explain the warped logic here? I could understand it if the new patches enabled new functionality? but these are security patches.
50 of these a week
Actually, given that Windows and Office together are probably over 100 million lines of code, you should really expect thousands of patches per week to think Microsoft is serious. At a few thousand patches per week, they will probably have everything covered after a few years.
"Woo-hoo! I'm gonna write me a new minivan this afternoon!"
When I looked at this thread, the Quote Of The Day was:
Perhaps the biggest disappointments were the ones you expected anyway.
How appropriate!
"Perhaps the biggest disappointments were the ones you expected anyway." -- cute slashdotty quote found on the bottom of this story.
The World Wide Web is dying. Soon, we shall have only the Internet.
Blaster was a worm, and thus spread through user inaction, not action. SoBig is the attachment virus you are thinking of. Might want to "keep up to date" on all those viruses yourself. ;)
========
Together, we will drive the rats from the tundra.
- Black hats knew about the vulnerability before Microsoft
- Widespread attacks came some days after Microsoft finally got to know of it, but they didn't release any advice about the danger because they had no patch ready, so it took end users by surprise.
With linux at least you could have the warning even before the patch (like one of the latest apache vulnerabilities) so you can take measures before the patch is ready/tested/approved/signed/whatever.
First, why don't you do the work and prove that the vulnerabilities are dangerous or otherwise. Granted, the off-the-cuff remark you threw back would gain karma on Slashdot.
However, the truth is, there is no public declaration of Linux vulnerabilities when found. We don't see much about those discovered because Linux still isn't that popular.
If Linux popularity does approach the levels needed to be noticed by the good virus writers, who will take responsibility for notifying the public that they need a particular patch? Who will accept accountability for the problem? Worse, who is going to go through the myriad choices we have in releases and providers?
It's a constant that MS will get ridiculed here for telling people about issues, let alone when one occurs. Yet these same people have not one whit of an idea about what to do when it comes to Linux.
It isn't the readers here who are the problem, nor is the same true for Microsoft. It's all those people out there using the product who don't take the time to be informed.
* Winners compare their achievements to their goals, losers compare theirs to that of others.
Should OEMs be required to sell systems that are up to date on the OS patches?
No, because that would be a configuration management and helpdesk nightmare (not that it isn't already). I would hope that Dell tries to ship something that at least will boot the first time. With patches, who knows?
Fact: Windows Update is not perfect and Microsoft's patches are not perfect. So, Dell would have to find a way to validate each system after every patch, so at least they know what they are dealing with. Of course, Dell chose to resell Microsoft software, so perhaps they just don't give a damn.
Healthcare article at Kuro5hin
Oh, really? So, if I want to remove Internet Explorer because it's such a buggy, hole-ridden program tied right to the OS, Microsoft has a tool for me to do that? So, if I don't want to install the RPC service on my W2k box at home, I can do that during the installation? So, if I want to forgo Explorer because I don't need pretty point-and-click interfaces, I can do that?
You've got it backwards. Unlike well-designed systems, Microsoft DOESN'T provide you with the tools to make the box secure. That's one of the biggest problems - you have to rely on their "one-a-day" pills to make the box secure, and even then, it's not secure, it's just you filling one of many holes in the dam.
Alito: A vote for Alito is a punch in the eye to put that bitch back in her place!
Criticality of this is horribly underrated by Microsoft.
If the infected Word Perfect document is given a .DOC extension, Word will be invoked directly when the user double-clicks the attachment. Word will automatically recognize and convert the document, and run the hostile code with no further opportunity for the user to stop the virus.
This is critically important for all Windows MS Office users - "the user must open the attachment" is no protection because most users open attachments to see what they are.
The vulnerability could also be exploited through a web page, and the user would get no chance to say "No" if ActiveX is enabled.
People criticize Microsoft not because more vulnerabilities are reported on that platform but because of their approach to the entire issue. Even though Microsoft releases patches/fixes for the vulnerabilities, sysadmins can't install them with confidence as they are notorious for breaking existing applications and software. Then comes the rebooting issue. For almost every patch, you need to reboot the machine, which is not the case with Linux (except kernel patches). All these make it extremely difficult to patch the MS systems REGULARLY AND FAST. People can't afford to have extensive test, install, reboot... blah blah on server systems. This is the reason why even networks like that of BMW get infected by MS worms and exploits. On the other hand, in Linux, even though there are almost an equal number of vulnerabilities, the fast and easy management of the patch system makes it possible for everyone to keep updated and secured.
http://www.nasirudheen.blogspot/
MICROSOFT ADMITS SOMETHIN ELSE IS WRONG
In todays news Microsoft has been forced to admit their operating system suck yet again! Microsoft engineer Billy Joe Bob is quoted sayin "Welp we done found yet anouther bug in the werks and we are gunna just fix this right up fer ya".
Users are asked to visit Microsoft's site where they will be able to get an update. Users will only be required to tell Microsfot what's on their hard drive and why they have a dual boot setup with an unidentifiable operating system. Users will also have to agree to love Microsoft through the next three upgrade cycles.
See the Pictures of the Flood of '08
This article posting is missing a snide comment about Microsoft or how the patch is a Linux CD installation disk.
I thought Tuesday was bash Microsoft day ??!!??
Tired of being "punished" by the Slashdot $rtbl since 2002. I'm now over at http://soylentnews.org/ .
So when is one of the people who were arguing that it's the USERS' fault for not patching gonna step up and tell me how to get those patches down in a reasonable amount of time over my 28.8 dial-up connection?
Bueller? Bueller? Bueller?
1. Open Word
2. ALT+F11
3. Key in Shell "cmd.exe", vbNormalFocus
4. F5
This simple example runs a shell, but you can guess what happens when you can load a kernel debugger or alternative win32 shell and have system access.
This isn't shocking and I've seen everyone try to remove the DOS subsystem, rename net.exe and disable and even remove cmd.exe/command.com by using filesystem tricks and depending on Windows' lame applications' handling of these tricks.
Basically you can't secure a Windows machine in public use -- btw if you have access to the USB port and a jump drive you can get in without a keyboard and send viri/spam/etc from someone else's machine.
Windows' Office VBA system and IE are the ultimate root kit imho.
I didn't know that Linus decided to integrate sendmail, php, LinuxNode, an Amateur Packet Radio Node program, perl, up2date (Red Hat), pam_smb, vmware, horde MTA, gdm, Mindi, eroaster, Gallery, and atari800 into the official Linux kernel. Is this the new Mega Supersized Linux Macrokernel?
1f u c4n r34d th1s u r34lly n33d t0 g37 l41d
The correct terms of art are bubble gum and string. These are what you hold a kludge together with.
You use bubble gum to plug a hole, and string to hold together pieces which are falling apart. Eventually, you get an OS like Windows, which is nothing but bubble gum and string.
Big Brother Bush is doubleplus ungood.
Keep in mind that there still isn't any patch for this DCOM issue. So far, only a DoS exploit for Windows 2000 has been posted, but how can you be sure that no further, more severe attacks are possible?
While they show the date to be yesterday's date, the status is still red and active. Road Runner is choked up right now because of MS problems.
Email is just about non-flowing.
I talked to my son at college last night and the entire dorm is dead stopped because there are 150 pc's (excluding his Linux box) that are virused 6 ways to sunday and have brought the school system to a halt. He can't use the internet because of the MS machines bringing it down.
Now THAT's sad. With 150 machines in his dorm it's turned into a virus P2P network. The viruses propagate so rapidly because they are protected by the university firewall from the outside world but there is no internal protection against *anything*....
The people that run networks, like schools and businesses, need to manage their systems better. This stuff is not funny anymore and it's already gone way past the prank stage.
It's time for some extremely severe prison terms. No more wrist slapping.
Status Red
9/2/2003 7:24 AM
9/3/2003 6:02 PM
ALL Areas.
Road Runner subscribers in all areas could experience slow browsing and/or packet loss when accessing Microsoft sites and services. This could include microsoft.com, windowsupdate.com, msn.com, msnbc.com, hotmail.com, vicinity.com, the Messenger service and any Microsoft websites and services at this time. Our Engineers are working to get these issues resolved as quickly as possible. Thank you for your patience.
A quick look at MS03-036 and MS03-035 shows that patches are readily downloadable for Office 2000 and newer. They say there is a fix for Office97 but it looks like you need to contact MS support to get it.
Does MS realize how many of us are still using Office 97?
Anyone know of a place to download the Office 97 patches for these?
If you look a bit more closely at those "linux" security holes, then you notice that they are programs such as "eroaster" and "Atari800" that have the vulnerabilities. These are simply programs that can be installed on the systems that may be in the Gentoo portage for example, or FreeBSD ports system or a RedHat package.
The only "Linux" software you can really blame, is the kernel, besides that if a distribution has a hole in a default install that is a big issue. Otherwise, if the user installs software that has a hole you can't really blame linux for it. Microsoft wrote and distributes all the softwares which had the holes listed in this story, so they can be held accountable (unlike Linux in your story).
On that page at 9AM PDT there are ZERO bugs which fall into the category of serious issues that are Linux / *nix or Linux Distribution's fault. They are all stand alone software that have vulns.
If they listed every software on the windows platform which had vulnerabilities the MS list would be massively enhanced also. They aren't audited as much as unix programs because a lot less of them are open source... so the bugs are just sitting there, unfixed.
Another FUD bites the dust....
Just a note that in order to be fully covered for MS patches, you have to use BOTH Windows Update and Office Update.
The Windows Update service (automatic or manual) will not detect or install Office patches.
according to a former employee, so microsoft comes out with another string of patches. GE-Harris Unix based custom system failed to provide usable alerts (just reams of annoying everyday warnings that operators ignore). TRS (Transient Recording System). Biggest and costliest Software F.U. in history. Guess I'll go patch my Office software.
If it were done when 'tis done, then t'were well it were done quickly... MacBeth
"It was a Unix system that failed in the blackout"
Um, wouldn't have EVERYTHING failed in the BLACKOUT??
BTW, "UNIX"(R) sucks. It's freaking ancient and it just sucks. No one can seriously depend on it anymore, not for mission critical issues.
Besides, you get what you ask for for using a SCO product.. (Had to get that in!)
Exactly. Then they should be required to offer systems with no OS (without having to pay the OEM fees to MS either). It is irresponsible to ship systems with known, documented vulnerabilities. If they aren't willing to provide a patched system, they should be required to provide a blank system. I don't care what headaches it causes them, unpatched systems cause all of us headaches.
My beliefs do not require that you agree with them.
- You have no sense of logical argument, or
- You are trolling.
I go for the second, because you have found a way to get modded up and spur useless discussion in every story that I have read over the last week, saying exactly the same thing every time.
Next time you post this drivel, make it worth my time to read and make a list of remotely exploitable bugs (or some severity that you may choose yourself) that are in a normal desktop/server (your choice) install of Redhat (or, again, any other distribution, preferably a common one) and compare this to a comparably loaded Windows machine. To blindly post a link to a security website where the information cannot be, in any realistic sense, compared to Windows is lazy, and to do it repeatedly over the course of a week is repulsive and trollish.
Otherwise, I may have to start allowing myself to moderate just so that I can blast your stupid posts to -1.
Stop trolling and start contributing to the discussion, please.
Dan
Put identity in the browser.
Look at my sig and see all the REMOTE CODE EXECUTION vulnerabilities. I'm not surprised you were modded up.
"Sufferin' succotash."
Small correction: Those 5 new security problems are not remote root exploits. They are about opening a document (proactive user action) which can cause buffer overflow.
Still very serious. However, as we saw with SoBig, one doesn't need to exploit buffer overflows to run arbitrary code on the machine of the user who opens any email attachment.
Yes, the more software is used, the more possible holes will be found to be patched. That's why companies/teams serious about releasing unbuggy software stress the heck out of it *before* they release it to customers rather than relying on customers to be the major portion of their Test effort.
That's why the Mormon religion is the way to go. A woman can't get into 'heaven' unless invited there by her husband. So if she displeases him here on earth, she don't get in.
I am saddened that women still get treated like this, and that they put up with it.
The Kruger Dunning explains most post on
Like a whore's nightie? :-)
Joking aside, I heard my wife (a militant non-geek, but who has been quite content with the Linux system I set up for her) saying "Nyah-Nyah-Nyah-Nyah-Nyah-Nyah" to one of her friends who got bitten by the bug last week. I thought this was sort of amusing, since she is usually the first to roll her eyes if anybody evangelises for any OS...
You don't know anything about Linux do you??
1. People that use Linux stay on top and keep things patched and up to date.
2. Look at the versions of Linux listed, most of them are OLDER versions. We've moved on past those versions.
3. It's just not a big problem. Linux is much harder to compromise. Script kiddies can hack Windows real easy, it takes no brains, just a mouse.
Linux takes BRAINS to hack, which script kiddies don't have..
Sorry, no soap for you..
I came across this article last week. Sounds like this is just what was being waited for (hypothetically speaking). article
Why doesn't DHS ("Department of Homeland Security") do something? Like require MS to ship products that are secure out-of-the-box. Then MS could make support money telling people that need (want?) to run insecure software how to do it.
They (DHS) worry about terrorists taking down the net, but don't seem to realize that the work of crackers and spammers is just as much a threat. It certainly consumes the resources of ISPs, not to mention all the lost time (money) of individual and business users.
-Rock
I'm sure this will get modded down, or ignored by the moderators altogether, as off topic; but I feel it's a good comparison. I have two, relatively similar, workstations. One running Red Hat 9 and the other WinXP. I use RH Up2Date on the Linux bawx and Windows Update on the XP machine religiously. The observations that I have made are pretty amazing. Microsoft releases roughly 4 patches for every 1 that RH releases. The RH packages, other than kernel updates, do not require any reboots; where most of the MS ones do. I've not had a single occurrence of an adverse effect on my Linux machine from any patches, where I have had a myriad of issues with the XP/Office updates (insert CD, permissions issues, BSODs, etc). I'm not at all trying to scream the virtues of Linux and downplay MS, but there are real issues. Not to even mention never having adware, spyware, etc. installed on my RH machine without my knowledge. I'm extremely careful with all of my machines and I still managed to get some IE search bar added to my browser. I removed it quickly with Spybot Search and Destroy, but it still happened. I think MS needs to take a step back from the cash register and seriously evaluate their tactics and practice where desktops are concerned. That is, if they ever want their update service to be even close to as effective as RH. But that's just my two cents and I'm sure there are a line of people out there to tell me I'm wrong and/or full of crap; but these are real world observations from someone who is completely OS neutral. ..jab
"Reality is a crutch for people who can't handle drugs" - George Bernard Shaw (1856 - 1950)
Why am I not surprised to find lots of ways to hack a system in a kitchen sink software package. If you think Word is bad, you ought to take a look at Access and Excel...
-- $G
Oh well another day as Mac administrator for my office. Wonder what's going on, lets see whats on Slashdot. Oh another computer worm that only affects Windows machines, ho hum, well our Mac Mail doesn't run scripts so no problem there. Hmm another MS security update, yawn, got all the Macs here running software update, nothing for me to do here. Well, I guess I'll go back to reading "Star Wars: Dark Force Rising", ho hum ....
Hi! I see you're writing a pro-Microsoft Astro-Troll. Would you like to:
1.) Show us how these Linux vulnerabilities are as bad as these MS vulnerabilities.
2.) Show us how to run these Linux vulnerabilities remotely.
3.) Fuck off & Die.
4.) Do nothing.
Okay I see a lot of Microsoft apologists saying that "all software has bugs", "Linux has problems too", "dumb admins need to keep their machines up to date".. etc...
.. you gotta ask yourself .. is "similar to Linux" in terms of security problems the BEST they can do?
.. the problem today, right now, is Microsoft. The constant flood of pings to my machine are coming from microsoft machines. The viruses are coming from microsoft machines. When is it going to stop??
Let's see:
Linux written by volunteers and small companies.
Windows written by a company with tens of billions in the bank.
Linux used mostly on servers and installed by educated admins.
Windows used by everyone from grandma to the CEO.
Linux on a small percentage of servers.
Windows on 96% of machines (or whatever the figure is). Windows used in ATMs, in medical equipment, by the government, etc., etc. The Microsoft antitrust ruling was typed out on a Windows machine.
And given their resources, their cash, the number of frickin' PhD's on the payroll, and the fact that the entire world economy depends on Windows crap OS (yes even us folks who use Mac/BSD/Linux are still affected indirectly)
They have a huge responsibility, and they have chosen not to meet it. Why? Is it so that the government will pass software quality laws that will place a huge burden on Free software, thus weakening it or killing it off?
Or is it because people have their heads in the sand and refuse to acknowledge that Microsoft is not worth the time and money any more. That's probably it. People are sitting there constantly patching their Windows boxes and not realizing that, hey, maybe there are alternatives. Microsoft has you all by the nuts.
Why are you guys making excuses for Microsoft? Microsoft's products should be the most secure on the planet given their resources and abilities.
I used to think, hey, all computers have problems, but after using software like qmail and OpenBSD, I realized, Microsoft is doing about 1% of what they could do. Even just closing ports and making email attachments not be executable would solve a lot of problems. They need to make their software more secure.
Instead they come up with Palladium or whatever it's called now, a gigantic complex scheme to solve this problem (and a lot of other imaginary "problems" too). Can't they try some simple stuff first?
So don't apologize for Microsoft, don't say "well, if Linux was everywhere we'd have the same problems"
The point is that all the vulnerabilities in the list on the page you linked to (with the exception of sendmail) are fairly obscure "3rd party" apps.
If a vulnerability was found in some obscure windows ftp server that you got off tucows for example, you wouldn't list that as a windows vulnerability would you?
I lay awake last night wondering where the sun had gone, then it dawned on me.
This entire flamefest is based on 5 Microsoft Office bugs, so what's your point?
Also, just looking at the RedHat list: up2date, pam_smb, nfs_util, XFree86, xinetd, glibc -- these are core "operating system" components. Calling them "stand alone" is bullshit. Oh, and there's also four Linux kernel patches in the last 3 months too.
A nice quote from KOMO, a station in Seattle (next door to Redmond for those that are unfamiliar with the area).
Then they should be required to offer systems with no OS (without having to pay the OEM fees to MS either).
The ideal solution would be OEMs that can sell blank systems without fearing Microsoft. Microsoft is essentially an organized criminal organization, now, it seems.
Healthcare article at Kuro5hin
Shouldn't this be in the TCLUG mailing list instead? :-)
philcrissman.com.
Exactly. Then they should be required to offer systems with no OS (without having to pay the OEM fees to MS either).
They already do.
See also:
http://slashdot.org/article.pl?sid=02/08/14/136244&mode=thread&tid=109
Where've you been?
Cruising the internet on my TI-99/4A @ a whopping 300 baud!
Newsbrief (Redmond):... A bold, new plan by the company formerly known as Microsoft has taken place. In an attempt to calm growing fears about the lack of security with Microsoft products, Microsoft has decided to rename itself to.....Linnux!. This is a dual strategy aimed at improving Microsoft's own image while at the same time, through FUD, decreasing the public's perception of Linux as a more secure platform.....
..........FULL STOP.
I've been patching our department's ~75 systems by hand (cheap student labor). But now I want something to automate it.
I looked at SUS a while back, but then I saw it was based on IIS. I drew a line in the sand 2 years back (no new MS apps) and have pretty much stuck with it. So I'm looking for something else.
Hmmm, and as someone else posted, SUS doesn't work for Office updates.
It may be just coincidence, but MS released an updater for the Mac version of Office yesterday. It's available here.
The description reads: "This update addresses several stability issues with PowerPoint(R), Excel, and Visual Basic for Applications for Officev.X."
i like this part -
"Last and, according to Microsoft, of least significance is a hole in NetBIOS that a hacker could use to view information on a Windows PC or server. At worst, Toulouse says, a hacker might see "fragmented and random" data in system memory."
so an individual who exploited this hole on a government computer could potentially see:
alsdfakshflkahsd LAUNCH CODES 1234567890 liasdflashfkkh
Why did I lurk so long before registering for a Slashdot account? I could have had a Slashdot ID of less than 100000.
Bug fixes are only supplied for Office 2000 and 2003 on Windows.
I've been running Office 97 at home.
I'm NOT paying $200 to upgrade from Office 97 to Office 2000 when Office 2000 doesn't fix ANY of the major bugs in 97 (and there ARE major bugs).
Time to switch to Open Office. At least I know it will read in my Word and Excel docs acceptably well.
Anyone know how the automatic numbering system in OO is supposed to work?
Jon Acheson
All opinions expressed herein are my own, and not those of my employers, who are appalled.
n/t
To patch the security vulnerabilities in Microsoft Word, you have to 1) download the patch, 2) find the original Word CD and put it in the CD drive, 3) run the patch, 4) wait while a lot of processing is done with the CD, and 5) put the CD away again. It seems to me that, since this was a patch for a severe security vulnerability, Microsoft could have skipped the time-consuming 2, 4, and 5 steps. Think how many total hours will be lost throughout the world by users or computer professionals whose time is extremely valuable. The TCO just went up.
that will help windows users lose their craving for windows...
But you are screaming into the wind here with such rational thoughts my friend. Do your best to fight the tide of stupidity, but it's a long hard road to take :(
Good point, and hopefully that obscure OSS app you're not using is sendmail :oP
[[ the only 15 letter word that is spelled without repeating a letter is uncopyrightable: it may soon be, however. ]]
Its deja vu all over again. - Yogi Berra
I'm going to say something here that will please M$ astroturfers and might displease the majority of the /. constituency.
This and the story yesterday about Longhorn delays could be bad news for us Linux/Free Software advocates. This could very well be evidence of the "new Microsoft commitment to security."
The terrible security of MS's products has always been one of the most popular ways to advocate Free Software and to attack (yes, attack) MS software. I don't think this is a good advocacy strategy in the long run. Why? Because although this looks like more of the same old, it and the delay story could well be the result of a genuine effort to find and fix the flaws. We could soon be up against an opponent that is much more difficult to attack on this basis.
But even if this is not the case, gloating over the shoddiness and weakness of MS products is not the best sort of advocacy. I think the better approach is to play to our strengths. Cost and Freedom. These are the areas where Microsoft simply cannot compete. Sure, we stomp them on security now, but they really can fix that. We shouldn't work so hard on attacking them there. In fact, we shouldn't work on attacking them at all. Just educate on the financial and productivity advantages.
Look closer... the up2date merely says an update is required... I was talking about all the items on the main page, which look like a lot of security holes at first glance, but turn out to not be anything meaningful. Of course linux has bugs, everything does, but it is not anything like the poster made it out to be.
Some of these Microsoft Office bugs are BIG bugs, such as the ACCESS one. The point you seem to be missing is that this page was given to show how horrible Linux security is, when it merely shows that many open source apps have vulnerabilities in them. This does not compare to the holes which Microsoft has constantly (need I remind you of the DCOM vulnerability recently?).
It's called RegEdit man. Learn it. Love it.
I can't believe a Unix fan is objecting to using an arcane, poorly documented, super-user program. Is it that it doesn't add the extra complexity of a CLI that you really object to?
>I didn't have to do a thing because my system updated itself.
Well, now you're out of luck. Joe Sixpack not only needs autoupdate on 24/7, he also needs to visit officeupdate to get the office patches: http://office.microsoft.com/ProductUpdates/default.aspx
Can MS make this more confusing for the average user? KB824993 and KB826292 do not show on a fresh Windowsupdate.com scan or with the MSBL tool.
Update Expert from St. Bernard Software works pretty well.
Expensive, though. Especially when compared to SUS (isn't it free?).
For one reason or another, things are different in the Windows world.
Yes, things are different in the Windows (Simplified) World. In the Windows World, you buy PC XYZ from company ABC complete with Windows. You unbox it, turn it on, and let the 'magic' do its thing. There's no muss, no fuss and I've got a working PC. Oh, never mind that the OS isn't patched with the latest patches--the average home user doesn't know (or understand) that it needs to be--regardless of the media coverage of worm/virus Qbert. The average home user is NOT technically inclined. Therein lies the source of the problem--lack of sufficient instruction, which is the delegated responsibility of the OEM System Builder. Consequently, every little bug gets passed along, and we end up with MSBlaster type problems.
In the Linux world; the average user is technical, or has had the system set up by someone technical. They take care of the system, understand how to patch the system and ensure that it has been patched. For this reason, problems are short lived.
We live in a simplified world. From fast food; disposable diapers, razors, etc.; to all-in-one super stores; everything is simplified for us. I don't have to know how to make Veal Scallopini; I can buy it pre-made at the grocery. We want everything easy, because we don't want to take the time to do otherwise.
Granted, this is an oversimplified view. I didn't factor in regression testing of patches at the corporate level in order to ensure that the new patch doesn't break something else in use, due to the tight integration of code with the Microsoft OS (unlike Unix/Linux applications). This takes time (stakeholders and their ilk tend to be testy when their application breaks) and may result in infection before testing is complete. The point is people have been brainwashed into believing that computers are simple, when in fact they require a lot of attention, like a toddler or a puppy.
How did we do things without computers before? I know..paper and pencil. At least there we didn't have to worry about viruses--unless it's a cold. LOL... Maybe regression is a good thing this time?
In America today you can murder land for private profit. You can leave the corpse for all to see, and nobody calls the c
VBA wouldn't be anywhere near so dangerous if the OS protected the memory & disk resources properly. Perl is dangerous in Windows, so is everything! No matter how hard you try to lock down the machine, even the most restricted user can probably kill it without really trying. If they weren't getting clobbered by VBA it would be something else -- the end game remains the same.
The grandparent poster specifically left Office out of the comparison, counting only VBA and Windows.
That wasn't insightful at all! Pay attention!
I haven't had to patch my linux system in ages.
Second, did you even bother to read those security alerts or investigate what the packages are? Briefly:
node: "Amateur Packet Radio Node program"
libpam-smb: arbitrary code, but no privilege escalation
unzip: no privilege escalation, no arbitrary code, and who uses it?
man-db: only if you go against install-time advice and make it setuid
autorespond: "This vulnerability is currently not believed to be exploitable due to incidental limits on the length of the problematic input, but there may be situations in which these limits do not apply."
netris: "A free, networked version of T*tris"
linux-kernel-2.4.18: most are local only, "STP protocol", or an nfs3 DOS with no arbitrary code or remote root
perl: yes, "execute arbitrary web script within the context of the generated page"
kdelibs: konqueror only, client only
pam-pgsql: arbitrary code, but no privilege escalation
zblast: "shoot 'em up space game"
xpcd: local only
xtokkaetama: local only
"This stuff wouldn't happen if Debian didn't use out of date software, as most of the flaws mentioned were fixed in the new versions!"
And this is why I call troll.
From Debian security FAQ:
"The most important guideline when making a new package that fixes a security problem is to make as few changes as possible. Our users and developers are relying on the exact behaviour of a release once it is made, so any change we make can possibly break someone's system. This is especially true in case of libraries: make sure you never change the Application Program Interface (API) or Application Binary Interface (ABI), no matter how small the change is.
This means that moving to a new upstream version is not a good solution, instead the relevant changes should be backported. Generally upstream maintainers are willing to help if needed, if not the Debian security team might be able to help.
In some cases it is not possible to backport a security fix, for example when large amounts of source code need to be modified or rewritten. If that happens it might be necessary to move to a new upstream version, but this has to be coordinated with the security team beforehand."
.sig Realistic fines for copyright in
of people constantly comparing "linux" with "windows"?
....
Remember its....
Windows or
Debian or
Redhat or
Suse or
or or or or
Have your flame wars - but leave the *colonel* out of it will ya?
Well that last one is certainly good to know. If my information is going to be disclosed I'd certainly prefer that it be my random information rather than my much more valuable, um, organized information.
I'm wondering if there are not a team of "Mitigation Specialists" at Microsoft charged with coming up with these things. I think this is something I could handle pretty well. I think I'll send them a resume.
Here is a sample of my work:
Mitigating Factors:
* User must have not only installed Windows and Office, but actually be using these products for any harm to, or exposure of, user data to occur.
~*~ Small pets, farm animals, or other domesticated wildlife will not be harmed by the use of these products, even if human user fails to exercise due caution.
*# Extra-Terrestrial life-forms are completely safe even when in the same room as an operating Windows environment.
I really think I could come up with a lot of these. How about you? Do you have a future as a Microsoft Mitigation Specialist?
You can also install Windows without network support. In this case, I believe (but am not sure) that the flaws in Windows networking will not impact you.
So in this case it is truly a flaw in the network support, not in the OS.
Will I retire or break 10K?
Windows Update only shows a small fraction of the overall software picture on a typical Windows installation; he even lists an update to "unzip" for Windows, but fails to mention the problems with WinZip over the past while. Deb/Gentoo/AptRpm/Up2Date, on the other hand, show almost all the software on a Linux install (but not all, if you install things "by hand").
The wheel is turning, but the hamster is dead.
How long until there is a virus built around these vulnerabilities, and the subsequent whining that MS never makes patches available for bugs until it is too late?
Maybe if the users had the impression they were getting some value for their efforts they'd be more inclined to apply the patches. As it is, all they see is more headaches and less improvements.
Big Brother Bush is doubleplus ungood.
You don't know anything about Linux do you??
Not-a-thing...
1. People that use Linux stay on top and keep things patched and up to date.
Nice generalization. It'd be nicer if it were true.
2. Look at the versions of Linux listed, most of them are OLDER versions. We've moved on past those versions.
I suppose, then, Microsoft could make the same claim about anything prior to XP when a vulnerability is reported. "Oh, we've moved on..." Furthermore, seeing that these vulnerabilities are found up into Linux kernel 2.4.21 and the latest stable is 2.4.22, one can hardly call these "old."
3. It's just not a big problem. Linux is much harder to compromise. Script kiddies can hack Windows real easy, it takes no brains, just a mouse.
I'm afraid typing `gcc -o 0day exploit.c; 0day` doesn't take much more in the way of intelligence, either.
Linux takes BRAINS to hack, which script kiddies don't have..
It seems script kiddies aren't the only ones lacking brains who are able to find their way around a Linux system. Have a nice day.
Okay, time for me to switch careers.
Wonder if there are any openings at the US Post Office in Truro, Massachusetts.....
Mod Karma -1: I sed bad wurds. If I cep my mouf shut, I wud be at riyses.
I've been right here, watching. What you refer to was just for select business systems. What about the average person buying a PC?
Where is the option for no OS?
My beliefs do not require that you agree with them.
pam_smb and sendmail "obscure"? And that's only in the past, what, five days...
Mother is the best bet and don't let Satan draw you too fast.
Core? Four of these are in Office, and the last is in vb scripting, hardly a critical core component.
If French Fries= Freedom Fries and French Toast = Freedom Toast I want to leave the US and go live in Freedom
You are free to leave the US anytime you want to. Now, will you find more freedom somewhere else than what you have here? I don't know the answer to that.
I've been right here, watching. What you refer to was just for select business systems. What about the average person buying a PC?
Where is the option for no OS?
Well, that's not the question you initially asked.
Besides, buy a system and then sue to get the $ back for the OS you're not using.
Cruising the internet on my TI-99/4A @ a whopping 300 baud!
Right now I'm looking at silently packaging things together for a mix of Windoze 98 SE clients running Orifice 2K/XP and Windoze 2K clients running Orifice XP. Every month I deliver at least a half dozen of their damn security patches and typically can comprehend the proper command line switches (usu. Microsoft's setup.exe or hotfix.exe format) to make these deployments *NOT* require a mandatory reboot and *NOT* require a lot of user input.
What drives me crazy about the VBA patches is that they require:
Upgrading to Windoze Installer 2.0.
Applying all subsequent Service Packs (SP1a and SP3 for Orifice 2K; SP1 and SP2 for Orifice XP).
Finally applying the VBA patches to either Orifice 2K or Orifice XP.
So all in all it will take at least a week to code, test, and deploy in the least intrusive manner possible. But the Windoze Installer keeps on requiring installation media (CD or file share). Not exactly automated. So I guess I'll dig through the MSI docs to determine how to disable this known flaw (Q268800).
For a one-man show I'm really looking forward to all of the lost productivity. Almost as bad as figuring out a way to silently install the DirectX 9.0b upgrade since Microsoft left out the command-line switches. That one took me two days to workaround.
When will people get fed up with all of this crap? I have worked with computers since 1981 and am practically ready to abandon them and go back to damn typewriters and daytimers!
I loved the article over at NewScientist (here)
A Microsoft spokeswoman told New Scientist the risk was lessened by the fact that exploiting any of the vulnerabilities would require a victim to open a document or carry out some other active task. She added: "We don't know of any worms being created."
Uh...Open a document? You mean like an email with the attached virus/worm that says: "Here is the document you requested"?
Sigh...Damage control must be getting lazy or something.
Sig it.
I'd say the first is awfully obscure, seeing as how I've used Linux now for nine years and have yet to find a system which actually uses it.
And sendmail? Hardly a linux-specific application, wouldn't you say? Besides, most Linux distros no longer use it.
- A.P.
"Remember when the U.S. had a drug problem, and then we declared a War On Drugs, and now you can't buy drugs anymore?"
Keep saying virii guys, once it becomes the 'standard' way of saying viruses, no document (or group of Perl programmers crying) on Earth will change the fact that virii is plural for virus.
No, it is just going to make you look like an idiot.
Thank you, drive through.
Dacels Jewelers can't be trusted.
Lovely. They say that Word97 is affected,
but that OfficeUpdate doesn't support Office97.
Head on over to the manual download section for
Office97. NOTHING TO BE FOUND RELATED TO
THIS in the office section. Under Word alone, the latest
update is from 2001.
Gee, go figure. Yet another reason to spend money
I don't have for a product I don't want.
Oh, and for all you astroturfers & M$ Fanboys -
at least when Linux does have a flaw, it doesn't
require me to spend 400 bucks on an upgrade to a
later, flawed version.
From the same site that you just mindlessly grabbed these advisories off of:
[29 Aug 2003] DSA-375 node - buffer overflow, format string
For the stable distribution (woody) this problem has been fixed in version 0.3.0a-2woody1.
For the unstable distribution (sid) this problem has been fixed in version 0.3.2-1.
[26 Aug 2003] DSA-374 libpam-smb - buffer overflow
For the stable distribution (woody) this problem has been fixed in version 1.1.6-1.1woody1.
The unstable distribution (sid) does not contain a libpam-smb package.
[26 Aug 2003] DSA-344 unzip - directory traversal (new revision)
For the stable distribution (woody) this problem has been fixed in version 5.50-1woody2.
For the unstable distribution (sid) this problem has been fixed in version 5.50-3.
[18 Aug 2003] DSA-364 man-db - buffer overflows, arbitrary command execution (new revision)
For the current stable distribution (woody), these problems have been fixed in version 2.3.20-18.woody.4.
For the unstable distribution (sid), these problems have been fixed in version 2.4.1-13.
[16 Aug 2003] DSA-373 autorespond - buffer overflow
For the stable distribution (woody) this problem has been fixed in version 2.0.2-2woody1.
For the unstable distribution (sid) this problem will be fixed soon.
[16 Aug 2003] DSA-372 netris - buffer overflow
For the current stable distribution (woody) this problem has been fixed in version 0.5-4woody1.
For the unstable distribution (sid) this problem is fixed in version 0.52-1.
[13 Aug 2003] DSA-358 linux-kernel-2.4.18 - several vulnerabilities (new revision)
This advisory covers only the i386 and alpha architectures. Other architectures will be covered by separate advisories.
For the stable distribution (woody) on the i386 architecture, these problems have been fixed in kernel-source-2.4.18 version 2.4.18-13, kernel-image-2.4.18-1-i386 version 2.4.18-11, and kernel-image-2.4.18-i386bf version 2.4.18-5woody4.
For the stable distribution (woody) on the alpha architecture, these problems have been fixed in kernel-source-2.4.18 version 2.4.18-13 and kernel-image-2.4.18-1-alpha version 2.4.18-10.
For the unstable distribution (sid) these problems are fixed in kernel-source-2.4.20 version 2.4.20-9.
[11 Aug 2003] DSA-371 perl - cross-site scripting
For the current stable distribution (woody) this problem has been fixed in version 5.6.1-8.3.
For the unstable distribution (sid) this problem has been fixed in version 5.8.0-19.
[09 Aug 2003] DSA-361 kdelibs, kdelibs-crypto - several vulnerabilities (new revision)
For the current stable distribution (woody) these problems have been fixed in version 2.2.2-13.woody.8 of kdelibs and 2.2.2-6woody2 of kdelibs-crypto.
For the unstable distribution (sid) these problems have been fixed in kdelibs version 4:3.1.3-1. The unstable distribution does not contain a separate kdelibs-crypto package.
[08 Aug 2003] DSA-370 pam-pgsql - format string
For the stable distribution (woody) this problem has been fixed in version 0.5.2-3woody1.
For the unstable distribution (sid) this problem has been fixed in version 0.5.2-7.
[08 Aug 2003] DSA-369 zblast - buffer overflow
For the current stable distribution (woody) this problem has been fixed in version 1.2pre-5woody2.
For the unstable distribution (sid) this problem is fixed in version 1.2.1-7.
[08 Aug 2003] DSA-368 xpcd - buffer overflow
For the stable distribution (woody) this problem has been fixed in version 2.08-8woody1.
For the unstable distribution (sid) this problem will be fixed soon.
[08 Aug 2003] DSA-367 xtokkaetama - buffer overflow
For the current stable distribution (woody) this problem has been fixed in version 1.0b-6woody2.
For the unstable distribution (sid) this problem is fixed in version 1.0b-9.
Of the two highlighted advisories which do not have fixes available, one is an autoresponder for qmail (which is not installed by default) and the other is a collection of tools for working with PhotoCDs (also not installed by default).
So in other words, KISS MY ASS, TROLL.
Jay (=
I believe the only distro that installs exim by default (rather than sendmail) is debian, but I'm not 100% certain, there might be others.
Mother is the best bet and don't let Satan draw you too fast.
He did so because he saw how successful Microsoft was after integrating VBA and the Office programs in the XP kernel.
Programming can be fun again. Film at 11.
If you think so, but you'll never find the following posted by me in a public forum:
Thank you, drive through..
"I can't give you a brain, so I'll give you a diploma" - The Great Oz (blatantly stolen sig)
This guy is so right. Tragically I don't have any mod points for the moment, so I can't do it myself.
#include "sig.h"
If you think so, but you'll never find the following posted by me in a public forum:
Confusing forgetfulness and idiocy is a very silly thing.
You should try to understand the difference, you will get further in life. At least my website isn't an affront to all that is good and holy in the world. Tone down your colors, get off shitty weblog software, and learn English.
Dacels Jewelers can't be trusted.
Like a prom dress put together from carpet patches!
The bulk of problems that actually take place with MS related code occur well AFTER MS publicly declares it.
You also again failed to read my reply, instead performing the standard /. maneuver of attacking anything related to MS to support your lack of facts.
Key to my message, people usually on this forum are not the type that have the problems, either MS or Linux. The key here was, it's the fact that when it does become popular the same people who routinely don't do patches on MS products won't patch their Linux products either. Hence, we end up in the same boat, except you won't be able to find the donkey to pin the tail on as easily.
* Winners compare their achievements to their goals, losers compare theirs to that of others.
Please. You CA's are way too high strung.
You should try to understand the difference, you will get further in life. At least my website isn't an affront to all that is good and holy in the world. Tone down your colors, get off shitty weblog software, and learn English.
Just like posting this reply.. I really have better things to do.
Life, enjoy it. It occurs outside the computer world as well.
"I can't give you a brain, so I'll give you a diploma" - The Great Oz (blatantly stolen sig)
Please. You CA's are way too high strung.
CA? What the hell is a CA?
Life, enjoy it. It occurs outside the computer world as well.
Yes, but when I'm stuck in a cube waiting for someone to finish up some code there isn't much else to do than point out the idiots on slashdot who don't have better things to do but claim they do.
Those who don't, admit it. Like me. I don't have anything better to do right now. I wish I did. 30 minutes isn't enough to do much other than make fun of you and play chess.
Dacels Jewelers can't be trusted.
Hmm got the impression you were in California from somewhere.. My mistake.
Yes, but when I'm stuck in a cube waiting for someone to finish up some code there isn't much else to do than point out the idiots on slashdot who don't have better things to do but claim they do.
So fix this:
http://www.nerdfarm.org/nf/Portal/Forums
Obviously, quality color is in the eye of the beholder..
Those who don't, admit it. Like me. I don't have anything better to do right now. I wish I did. 30 minutes isn't enough to do much other than make fun of you and play chess.
I have better stuff to do, in fact I just showed the owner how to scan and email a document. Doesn't take more than a few minutes.. just like this post.
I feel for you.. How can you not do anything better in 30 minutes than reply to Slashdot posts?
"I can't give you a brain, so I'll give you a diploma" - The Great Oz (blatantly stolen sig)
A lot of people contribute to Microsoft as well. They're just behind the moniker of a company label.
That and the fact that these patches apply to well over $1000 worth of software.
I am not a zealot, but when you are well aware that your software runs on ~90% of the machines in the world, and you are making billions of dollars a year off of it, you had better make it secure out of the box.
If you fall off a building, go real limp, because maybe you'll look like a dummy and people will be like hey, free dummy
Um, they just now discovered this issue which existed in a six year old codebase? Insane.
Weeeee don' need no stinkin' patches!
So fix this:
http://www.nerdfarm.org/nf/Portal/Forums
Nope, I'm at work. That's a personal project. I can sit here and tell you that you are an idiot, but not work on my personal projects that don't benefit work in some way.
Obviously, quality color is in the eye of the beholder..
Blue on Blue on Blue is ugly. Period. Use a color harmony tool.
I feel for you.. How can you not do anything better in 30 minutes than reply to Slashdot posts?
Because it's remarkably fun telling you that you are an idiot in each post and having you still respond.
Dacels Jewelers can't be trusted.
beyond the fact that your post just doesn't make any sense...
It was a Unix system that failed in the blackout according to a former employee
I've been watching this for a while and have heard nothing about the OS on the computers that failed. The reason I find this interesting is that it was just about the time that Blaster and lovsan were heating up. If you have any SOLID evidence for one or the other, I would sure like to hear!
You don't know anything about Linux do you??
:-))
:-)
Not-a-thing...
Ah...honesty, I like you already! (said as a joke, but really heartfelt)
1. People that use Linux stay on top and keep things patched and up to date.
Nice generalization. It'd be nicer if it were true.
Full points for you! Seriously, people that use linux are just that, people that use linux.
There is no mythical linux user!
2. Look at the versions of Linux listed, most of them are OLDER versions. We've moved on past those versions.
I suppose, then, Microsoft could make the same claim about anything prior to XP when a vulnerability is reported. "Oh, we've moved on..." Furthermore, seeing that these vulnerabilities are found up into Linux kernel 2.4.21 and the latest stable is 2.4.22, one can hardly call these "old."
Hmmmm...well I think we can safely say that the parent poster is a bit of a zealous moron. Anyway MS actually does this with older versions of windows and I think they should have a bigger obligation than software that comes free!
With free software the upgrade path is more natural. As long as there is interest it will be maintained. Even when it is no longer maintained the cost of upgrading will be no more than the cost of upgrading itself plus the cost of any help you might need.
3. It's just not a big problem. Linux is much harder to compromise. Script kiddies can hack Windows real easy, it takes no brains, just a mouse.
I'm afraid typing `gcc -o 0day exploit.c; 0day` doesn't take much more in the way of intelligence, either.
Uhm this is a bit of a silly argument. The fact that you can compile a virus on a system doesn't make the system vulnerable to that virus.
Anyway, you were right about the parent poster
What a rotten party, have we run out of beer or something?
Posting on Slashdot isn't a personal project..Let's think about that..
Blue on Blue on Blue is ugly. Period. Use a color harmony tool.
You have to use a tool to decide what you like? Or do you assume I set it up asking myself what others would think?
Because it's remarkably fun telling you that you are an idiot in each post and having you still respond.
You obviously haven't noticed the genius of my subject. It applies infinitely. Therefore, I can respond infinitely.
And having been in the workforce more than a year, I can have just as much fun dealing with the childish.
"I can't give you a brain, so I'll give you a diploma" - The Great Oz (blatantly stolen sig)
You have to use a tool to decide what you like? Or do you assume I set it up asking myself what others would think?
I am color deficient, and even I know that your website is an affront to all that is Good and Pure. 1997 called, they want their layout back.
You obviously haven't noticed the genius of my subject. It applies infinitely. Therefore, I can respond infinitely.
And you can be replaced by a very small perl script. Of course, so can I. But then again, that's my point.
And having been in the workforce more than a year, I can have just as much fun dealing with the childish.
I'm sure you can, after all it's easy when you dole out happy meals?
Dacels Jewelers can't be trusted.
Your lack of originality shows your weakness.
And you can be replaced by a very small perl script. Of course, so can I. But then again, that's my point.
SCO called, they want their post back.
Your girlfriend mentioned something about replacing a very small 'perl script' last night.
I'm sure you can, after all it's easy when you dole out happy meals?
Is it? Please fix your Perl script. Ironically, it doesn't have all the in's and out's of the English langauge yet.
"I can't give you a brain, so I'll give you a diploma" - The Great Oz (blatantly stolen sig)
Your lack of originality shows your weakness.
SCO called, they want their post back.
Does it serve you well to mirror what I say?
Is it? Please fix your Perl script. Ironically, it doesn't have all the in's and out's of the English langauge yet.
What's a langauge? Oh, haha, I crack myself up! See, I'm trying your tactic here. Being a fucking retard and just repeating what you say back at you. Pee-Wee Herman would be proud of you, son.
Dacels Jewelers can't be trusted.
When we get more like 50 of these a week, then we'll know that they've really gotten serious.
When you find yourself spending all day, every day, applying patches, you know they've gotten really, really serious.
Have you got your LWN subscription yet?
--Rick "If it isn't broken, take it apart and find out why."
I've been using Linux for few years now, been using Windows since 3.1. Over the few years that I've run Linux (Red Hat and Mandrake) I've been rooted 3 times, yet I've never had my Windows machine hacked. And no, I don't check for patches every day because I don't have time for it.
If I want to read communist propaganda, I'll go read Slashdot
Yeah, it makes me laugh.
What's a langauge? Oh, haha, I crack myself up!
Yeah, you screwed up.
See, I'm trying your tactic here. Being a fucking retard and just repeating what you say back at you. Pee-Wee Herman would be proud of you, son.
Now that's the cover tactic: Attempting to pull readers away from the irony of your English kibosh.
"I can't give you a brain, so I'll give you a diploma" - The Great Oz (blatantly stolen sig)
I run linux. I've not installed patches for any of the things on the page your sig links to. Yet I'm not vulnerable to any of them.
Could it be that it isn't actually _linux_ that's vulnerable.
i.e. if it's /vmlinuz, /bin/init, or /bin/sh, (and other things that no linux system can do without) then you might have a point, but it isn't, so you don't.
Shit, I fed the troll.
YAW.
Your head of state is a corrupt weasel, I hope you're happy.
...there are only five new security warnings.
Now that's the cover tactic: Attempting to pull readers away from the irony of your English kibosh.
Everything I wrote reads in proper English. So, I ask you what type of error was it? I don't even think you know exactly what type of error it classifies itself. Seldom do I actually write in a manner that is correct, at least in that regard.
You see why? Because English is dynamic. But it isn't idiotic. Sorry to burst your little bubble, sparky.
Dacels Jewelers can't be trusted.
"""
Any system with samba installed will most definitely have it, or be essentially useless.
"""
Absolute nonsense.
YAW.
Your head of state is a corrupt weasel, I hope you're happy.
Two years into Microsoft's "security initiative" in which all their code was supposed to be tightened up and made more secure?
Reminds me of the Max Headroom line:
"Remember when we said there was no future? Well, this is it!"
Richard Steven Hack - This sig is TOO GODDAMN SHORT TO DO ANYTHING USEFUL WITH! MORONS!
You just have to laugh at this...
If you got all the Microsoft Security Bulletins check out how the PGP version used to sign each one changed.
Especially this one:
Microsoft Security Bulletin MS03-036: Buffer Overrun in WordPerfect Converter Could Allow Code Execution(827103)
If you didn't get it or can't be bothered reading it:
-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0.2 - not licensed for commercial use: www.pgp.com
Warning: you are logged into reality as root...
I can probably count the number of people I know that still use sendmail on one hand... and that exploit is not a root exploit.
One thing you forgot: there is a lot more variation between any given GNU/linux install and another than there is between Windows installs. This makes it much, much harder to write a virus/worm for GNU/Linux that can propagate quickly and become a widespread pest.
How about reading my sig and all the remote code exploits due to buffer overflows? Sorry to burst your bubble.
I'm not surprised my post was somehow modded as "Troll" just because Slashbots disagreed with it.
"Sufferin' succotash."
Hmmmm...well I think we can safely say that the parent poster is a bit of a zealous moron. Anyway MS actually does this with older versions of windows and I think they should have a bigger obligation than software that comes free!
:-) ;-) Take care...
That they should, that they should. But if Microsoft shared pair-a-noyd's outlook on the matter, they wouldn't have bothered providing patches for the DCOM vulnerability on Windows NT 4.x or Windows 2000, seeing that they are older systems. Now can one realistically expect either vendor to maintain platforms like Windows 3.1 or Linux kernel 2.0.x? Probably not. But relatively recent releases should be--and, for the most part, are--maintained.
Uhm this is a bit of a silly argument. The fact that you can compile a virus on a system doesn't make the system vurnerable to that virus.
That wasn't quite the point I was trying to make. Given a working exploit for either Windows/Linux, it doesn't take much ability to use it, regardless of the platform. pair-a-noyd for some reason thinks that Linux is somehow more difficult for a script monkey to root than a Windows system. I have a feeling he's going to find out otherwise one of these days.
Anyway, you werer right about the parent poster
I doubt he'd agree with us.
Slashdot = Doesn't want to hear about it anymore
Linux = Alternative that you should look into...
"I assumed blithely that there were no elves out there in the darkness"
The pam_smb module controls the NT authentication of Linux boxes, permitting them to connect to a windows network.
Um, yeah, whatever you say. It actually allows you to use windows machines for authentication rather than /etc/passwd, or ldap, or some other auth system.
The only time I've ever used it was when I wanted cross platform auth, so ran a samba server and had the linux boxes use that via pam_smb.
As for sendmail - well, vendors who ship wuftpd and sendmail are a major problem in the linux world - but a halfway competent admin can install a better tool and the problem goes away - not so easy for Microsoft RPC services.
MS's website lists the security updates for MS03-35/36 as applicable to everything from Word 97 to MS Office 2003. So the same bugs that were there in 97 are still there now. My question - "What has changed in MS Office 2003, from Word 97?" I'm not buying any more software for my lifetime, considering MS will only change the box and sell me the same thing for another 50 years!
Thank you for finally agreeing with my parent post.
My condolences to your wife/girlfriend.
"I can't give you a brain, so I'll give you a diploma" - The Great Oz (blatantly stolen sig)
I think they just know something. ;)
errr.. something that looks like really 50m37h!Ng
You sound just like my old high school teacher when 50% of his class failed the final exam because "those students are stupid" - not because most of the time he had hangovers from the night before. IMHO, if the mainstream of people fail to get it, then it is mostly because there's something wrong with the logic behind it. How many times have we heard about a critical flaw in MS products, and every time it got worse and worse. And do mainstream people get it that they need to update and patch their systems regularly? No. Now whose fault do you think it is? MS or those millions of users?
Luminescent weather balloons or autodestructing scorpions weren't enough?
Oh really. How, then, do you authenticate to a Windows domain? Or use samba with any windows later than NT?
Mother is the best bet and don't let Satan draw you too fast.
MinX is just outside the new office
The Singularity is closer than you think
Quant
Windows 2000 sp3 and Windows XP sp1 give Microsoft full access to your data. So for most bankers, doctors, insurance companies, and so on, if they run MS-Windows they get to choose from getting taken out by the worm of the week now or grabbing their ankles and waiting for the lawyers to read the license.
There is a third option, which is cheaper and more practical: upgrade to linux, using your existing hardware. Or, next time it's time for new hardware, re-examine lower TCO options.
Beta is broken and the link to classic doesn't work. Stop wasting our time or there won't be anybody left here.
Running windows NT is good enough for the largest-profit-making company in Europe. A company that also has its own internal linux distribution, which contains samba, but doesn't contain that particular pam.
So yes, really.
Of course, by 2005 NT will almost certainly have been phased out, but in 2003 it's still maintained. In particular with the downturn in the economy the replacement of OSes to more modern ones has been abated somewhat.
Either way, we're talking thousands of desks presently.
YAW.
Your head of state is a corrupt weasel, I hope you're happy.
YAR.
Mother is the best bet and don't let Satan draw you too fast.
Even Linux gets me frustrated as well. Certain tasks and apps are ready for prime time, while most others are still not mature products. Apache/PHP, MySQL, and a few other apps are where they should be. The rest are lacking in being fully developed. I have toyed with having Linux be everything from a Windoze Domain Controller to a Netware emulated server back in the day. I have a Sharp Zaurus SL-5500 that runs Samba, VNC, Apache/PHP, WLAN, WVoIP, MySQL, GCC, etc. and can see how superior the potential is. It definitely has limitless capabilities. But as of this point in time the majority of it is still unrealized. I know the attractiveness of an open source user community all pitching in and raising the bar too. I prefer this side of the fence to M$ for sure.
But all of that being said, most companies that have already laid out capital for software from Micro$loth would be hesitant to pitch it all and go with something else. IMHO it would take the equivalent of a straight week's worth of downtime due to unpatched exploits for most to abandon their product line. I don't agree with this mentality, but am taking the stance of typical PHBs.
Actually, linux has demonstrably more patches released more often and more rapidly than on MS systems, although it's easy to argue this as a benefit of linux.
:)
On windows, you don't know what the vulnerabilities are until they're being exploited, you don't know when MS will release a patch, when they do, you don't know if it'll break more than it fixes, etc.
On linux, you're welcome to audit the code, it's possible to know of all vulnerabilities, all vulnerabilities get found and fixed rapidly, you can trust that patches won't break anything, etc.
The network support comes in by default when you install Windows. MsOffice does not.
Most Windows users who run an Internet connection without an external firewall are home users. Most home users who "install Windows" do so by buying a computer with Windows installed. Microsoft Office, or at least the Microsoft Word component of the Works Suite, comes as part of many PC makers' bundles.
You said, "You can install MsWindows without MsOffice." You did not say, "You are financially encouraged not to install MsWindows without MsOffice." A while ago (Windows 3.x days), users were financially encouraged not to install networking support because the Trumpet Winsock was sold separately.
Whether it's bundled with the base install of the home edition of the operating system is not nearly as important as whether it installs itself as a core OS service and has security holes.
Will I retire or break 10K?
I have a heap of browsers I use for testing web pages, but tend to use Thunderbird at the moment. So Microsoft demanding that I use Internet Explorer to download their bug fixes is an annoyance rather than a major hassle.
My main peeve is that Microsoft are so lazy that they refuse to write standards compliant code. In the real world this would be the scenario, but I'm too much of a cynic and tend to think it's a forced coercion technique.
Of more interest is the helpful suggestion page you see when you dare to use another browser: you get an option to download their shiny IE browser. My question is, what do they plan to do when they move to their option of IE being an OS-only toy and no longer being freely available? Sounds a little like painting yourself into a corner.
and the werewolves came...
and they ate him...
and they drank his beer...
It seems like another security warning is posted every other day. Microsoft, for Longhorn, code it to be secure in the first place, and don't integrate IE into the operating system! It causes nothing but problems for Windows users because some hacker can traipse in and plant shit on their hard drive or open up pr0n windows while Junior is browsing some Barney site.
Of course, if you use Gator, don't even bother downloading the patches. Gator opens all your ports and lets a hacker do anything he wants. I've heard of PCs that got Gatored to death because their ports were opened.