Microsoft Issues Five New Security Warnings
smelroy writes "Microsoft on Wednesday issued security bulletins for five new software vulnerabilities, including a flaw in Visual Basic for Applications that the company rated as critical. The company has posted patches for each of the flaws on its Web site. Four of the problems affect Microsoft's Office desktop software.
You can read the story here and the security bulletins here."
You do know where the name "Apache" comes from, right? Supposedly (there's some dispute) from the fact that it started out as a patch for the NCSA web server, but got to the point where there simply was no need for anyone to use the NCSA part of the code: the patches replicated the entire functionality of the server.
Flaws in Visual BASIC are documented right here
Stick Men
*sigh* Why don't people get the plural of virus right? This is why babies cry.
I don't think it's fair to blame Office for that -- the old Mac OS didn't have real file system permissions, and that's why it was insecure. Locking the Finder down was the best they could do, but it just wasn't a realistic solution.
...Windows Update already automatically downloaded and installed the patches last night on all my machines.
And no, I didn't do a week of regression testing either.
Speaking as someone who has written full-blown applications in VBA, OOo and StarOffice use StarBasic, which isn't quite the same thing as VBA. VBA is a lot more at the system level and gives you more control over the machine.
My journal has hot
You fanboys blow this all out of proportion. It is 2 bugs, with one that happens to affect 4 products. The reason they list separate announcements for each product is that some people don't have them all installed but still need it for the one app they use.
Quick quiz, hot shot Troll: Here are the first 5 vulnerabilities from that list:
atari800, gallery, eroaster, mindi, phpwebsite,
Now, how many of those are "linux" (i.e. the linux kernel, shell and important utilities.) None.
How many are remotely exploitable? None.
Given the user base of those 5 obscure programs, how many would *you* rate as critical?
Guess you've never subscribed to Red Hat's errata updates, have you? I don't even want to bother reinstalling 9 because I know I'll get a HUGE list...
Debian has more than 10 updates listed just for August alone, almost all buffer-overflows.
Anyone want me to go on? Because I could. Remember the filesystem-corrupting kernel "turkey" release? Heck, 2.4.x was riddled with problems its entire run. But that doesn't matter when we've got hatred to burn on Microsoft, right? Sigh.
NEWS FLASH--Companies issue patches for their software. The more used the software is, the more possible holes will be found to be patched, and the more updated it will be. Why is it so surprising that something with 95%+ market share is going to be given patches? Wouldn't that be...I don't know...a good thing in people's eyes?
Here comes the ranting Linux fanboy to tell me I'm wrong, and that everything Microsoft does is wrong. Sigh.
"Sufferin' succotash."
Should have used "running Office application". I went WTF the first time I read it.
You might see more, but Microsoft still hasn't grasped the sandbox principle: any code that isn't explicitly trusted should not be allowed to access any data or functionality outside a strictly limited area. It can play all it wants inside that sandbox, but won't be allowed out to do harm. ActiveX and COM are two of the most dangerous Microsoft inventions from a security standpoint, since they don't place enough restrictions on what a remote programmer can do with your machine.
The higher the technology, the sharper that two-edged sword.
Bah. WS2K3 was affected by that silly DirectX/MIDI vulnerability.
Because, you know, servers need DirectX. Just like they need themes.
"...which definitely outnumbers five."
If you use 5 different distros, and some fairly unusual apps, then gee, I guess you're right.
You should change your handle to Overly Simplistic Guy.
Sounds like what you are looking for is SUS. This will allow you to push security updates to your clients centrally.
Takes an afternoon to get set up and running, but after that, it runs with minimal intervention. Test your security updates, then authorize them to be distributed by the SUS server, and it takes care of the rest.
Of course, this assumes that you are running Win2K or better on the client side. If not, you are stuck with logon scripting stuff for old machines. Not pretty. If you do have W2K or better, though, this is a huge timesaver. Works pretty well too. Those few that have already discovered it were able to stand on the sidelines, amused, as those who were trying to Windows Update machines one by one got eaten up by Blaster.
Course, in fairness, there is another product that protects you from these kinds of worms, too... and it's sexy as hell.
- Black hats knew about the vulnerability before Microsoft.
- Widespread attacks came some days after Microsoft finally got to know of it, but they didn't release any advice about the danger because they had no patch ready, so it took end users by surprise.
With Linux at least you could have the warning even before the patch (like one of the latest Apache vulnerabilities), so you can take measures before the patch is ready/tested/approved/signed/whatever.

Well, *mostly* that's true. However, it can call other processes which may or may not be privileged. Remember that the COM/DCOM stuff runs with admin privs.
Criticality of this is horribly underrated by Microsoft.
If the infected Word Perfect document is given a .DOC extension, Word will be invoked directly when the user double-clicks the attachment. Word will automatically recognize and convert the document, and run the hostile code with no further opportunity for the user to stop the virus.
This is critically important for all Windows MS Office users - "the user must open the attachment" is no protection because most users open attachments to see what they are.
The vulnerability could also be exploited through a web page, and the user would get no chance to say "No" if ActiveX is enabled.
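The post above makes a point worth acting on at the mail gateway: Word chooses its converter by sniffing the file content, not by the .DOC extension, so a renamed WordPerfect file still reaches the WordPerfect converter. The following is an added example, not code from the thread or from Microsoft, that flags attachments whose extension and leading bytes disagree. The magic numbers (OLE2 compound file `D0 CF 11 E0 A1 B1 1A E1` for Word 97-2003, `FF 57 50 43` for WordPerfect 5.x/6.x, `{\rtf` for RTF) are the real format signatures; the sample attachments are constructed headers, not real documents.

```python
"""Added example (not from the thread): flag attachments whose extension
claims one document format but whose content is another, the case the post
describes where a WordPerfect file renamed to .DOC still hits Word's
WordPerfect converter. Sample inputs are constructed headers only."""
import os

# Real format signatures (leading bytes).
MAGICS = (
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole2"),        # Word 97-2003 .doc
    (b"\xffWPC", "wordperfect"),                           # WordPerfect 5.x/6.x
    (b"{\\rtf", "rtf"),                                    # Rich Text Format
)

# Container formats a given extension is expected to carry.
# (Policy choice for this example: RTF inside .doc is treated as a mismatch
# so it gets looked at, even though Word opens it happily.)
EXPECTED = {".doc": {"ole2"}, ".rtf": {"rtf"}, ".wpd": {"wordperfect"}}


def sniff(data: bytes) -> str:
    """Return the container format implied by the leading bytes, or 'unknown'."""
    for magic, name in MAGICS:
        if data.startswith(magic):
            return name
    return "unknown"


def extension_mismatch(filename: str, data: bytes):
    """Return (extension, sniffed_format) when the content does not match the
    format the extension promises; None when it matches or the extension is
    not one we have a rule for."""
    ext = os.path.splitext(filename)[1].lower()
    expected = EXPECTED.get(ext)
    if expected is None:
        return None
    got = sniff(data)
    if got in expected:
        return None
    return ext, got


def scan_attachments(attachments):
    """attachments: iterable of (name, bytes). Return a list of
    (name, extension, sniffed_format) findings for mismatched files."""
    findings = []
    for name, data in attachments:
        m = extension_mismatch(name, data)
        if m is not None:
            findings.append((name, m[0], m[1]))
    return findings


# Constructed sample attachments: headers padded with zeros, not real files.
SAMPLES = [
    ("report.doc", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 64),
    ("invoice.doc", b"\xffWPC" + b"\x00" * 64),    # WordPerfect renamed to .DOC
    ("notes.doc", b"{\\rtf1\\ansi " + b"\x00" * 64),  # RTF renamed to .DOC
    ("memo.wpd", b"\xffWPC" + b"\x00" * 64),       # honest WordPerfect file
    ("readme.txt", b"hello"),                      # no rule for .txt, not judged
]

if __name__ == "__main__":
    for name, ext, got in scan_attachments(SAMPLES):
        print(f"{name}: extension {ext} but content looks like {got}")
```

The check is a triage signal, not a verdict: a quarantine rule built on it catches the renamed-WordPerfect trick the post describes, while files that match their extension still go through whatever converter Word picks, so it complements the patch rather than replacing it.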
People criticize Microsoft not because more vulnerabilities are reported on that platform but because of their approach to the entire issue. Even though Microsoft releases patches/fixes for the vulnerabilities, sysadmins can't install them with confidence, as they are notorious for breaking existing applications and software. Then comes the rebooting issue. For almost every patch, you need to reboot the machine, which is not the case with Linux (except kernel patches). All these make it extremely difficult to patch the MS systems REGULARLY AND FAST. People can't afford to have extensive test, install, reboot ...blah blah on server systems. This is the reason why even networks like that of BMW get infected by MS worms and exploits. On the other hand, in Linux, even though there are almost an equal number of vulnerabilities, the fast and easy management of the patch system makes it possible for everyone to keep updated and secure.
http://www.nasirudheen.blogspot/
A quick look at MS03-036 and MS03-035 shows that patches are readily downloadable for Office 2000 and newer. They say there is a fix for Office 97, but it looks like you need to contact MS support to get it.
Does MS realize how many of us are still using Office 97?
Anyone know of a place to download the Office 97 patches for these?
Just a note that in order to be fully covered for MS patches, you have to use BOTH Windows Update and Office Update.
The Windows Update service (automatic or manual) will not detect or install Office patches.
That's funny.. last time there were security vulns I read about them on 3 different news sites and I didn't have to do a thing because my system updated itself.
It is the distro's job to make sure you are protected when a new exploit is discovered just as it's Microsoft's job when the problem is in windows. Also, if you think anyone accepts accountability for the problem in windows land you may want to read through the EULA again because it sure isn't MS.
Linux distros get bashed just as much over this and some of us actually avoid the distros with overly bad security records.
You also need to keep in mind that there is less downtime involved when upgrading Linux systems. My Linux servers are all fully upgraded but have not been shutdown in months. Window? 4 patches 3 reboots.. yuck
SUS focuses primarily on Windows Updates and not patches involving Office or other Microsoft server and client applications (since it pulls the updates from the same repository as windowsupdates.microsoft.com).
Instead, for Office applications, you would just need to update the administrative install points (which I'm doing now) and use a client management system (SMS, LANDesk, Group Policies, what have you) to run a batch file that points to the administrative install point for the version of Office installed on the client, with the appropriate switches... it can be done completely silently or showing progress.
Of course, the time it takes to update all of the different editions and versions of Office is still quite a bit... unless you have a really, really fast machine with fast disk performance.
2. ALT+F11
3. Key in Shell "cmd.exe", vbNormalFocus
4. F5
This simple example runs a shell, but you can guess what happens when you can load a kernel debugger or alternative win32 shell and have system access.
So what? I can use the ! command in Emacs and other programs to accomplish the same thing on any Unix-based system.
Office runs at whatever privilege level you currently have on the machine. If you already have permissions to debug the kernel or do other administrative tasks, you can just as easily do so by going to Start -> Run. If you don't have these permissions, Office isn't going to magically give them to you.
Just some tenets of SUS:
Requires a standalone W2K Server. If you are properly licensed, that is at least $400-$600 just for the software alone.
Requires pretty beefy hardware, depending on your organization.
Is flaky. In many NT forums around the world people are reporting a few clients that WILL NOT PICK UP SOME UPDATES, and will pick up others.
Doesn't cover Office, for now. Office should be installed at an administrative point anyway, and you would only need to patch that point, and not other machines.
All-in-all, a good start for Microsoft, given their record, but still flawed enough not to depend on.
Have you tried using the office administration kit? It will allow you to make a scripted install that won't ask for CDs or any of that other annoying crap.
All of Microsoft's installers and patches these days are MSI packages, which you can use several available tools to make "transform" files that skip all the screens, EULAs, next presses, and CD check crap.
I believe the office administration kit is available for download from Microsoft's office website somewhere. I'll let a karma whore dig up the link...
Slashdot still doesn't support Unicode after it was added to the HTML standard in 1997.
The MSI installer used for Word is indeed terribly slow.
I took this opportunity to install Office 2K SP3 plus these two fixes, and it easily eats 10 minutes per PC, to install about 12MB of patches. That could be done in 10 seconds.
This argument is debunked constantly.
Apache has a very dominant role as a webserver, but IIS has far more vulnerabilities with far greater reach.
From my vantage point, Unix systems would be far more advantageous to compromise because they are more often used for mission-critical apps in large corporations. However, Windows servers are more often cracked, despite the larger volume of *nix servers out there.
Microsoft is a target because:
a) They write buggy code which is not thoroughly tested before release and patches often create additional problems.
b) Their OS is not as easy to update remotely or in batch as *nix boxes are.
c) They patch individual vulnerabilities, not the underlying causes.
d) They write code with these ideals (in order):
ease of coding, ease of use, ability to upsell, functionality, security
e) They have no interest in writing solid and safe software, only in selling software.
They have put their profits above the safety of their customers. Imagine if you bought a refrigerator that required an hour of maintenance a week; now imagine you are your grandmother and you own that refrigerator.
Someone asked if I had patched against MSBlast; I said yes, I installed Linux.
Window? 4 patches 3 reboots.. yuck
Erm - that would be four patches - one reboot.
No, many Windows updates require that you reboot before installing any other update.
Right now I'm looking at silently packaging things together for a mix of Windoze 98 SE clients running Orifice 2K/XP and Windoze 2K clients running Orifice XP. Every month I deliver at least a half dozen of their damn security patches and typically can comprehend the proper command line switches (usu. Microsoft's setup.exe or hotfix.exe format) to make these deployments *NOT* require a mandatory reboot and *NOT* require a lot of user input.
What drives me crazy about the VBA patches is that they require:
Upgrading to Windoze Installer 2.0.
Applying all subsequent Service Packs (SP1a and SP3 for Orifice 2K; SP1 and SP2 for Orifice XP).
Finally applying the VBA patches to either Orifice 2K or Orifice XP.
So all in all it will take at least a week to code, test, and deploy in the least intrusive manner possible. But the Windoze Installer keeps on requiring installation media (CD or file share). Not exactly automated. So I guess I'll dig through the MSI docs to determine how to disable this known flaw (Q268800).
For a one-man show I'm really looking forward to all of the lost productivity. Almost as bad as figuring out a way to silently install the DirectX 9.0b upgrade since Microsoft left out the command-line switches. That one took me two days to workaround.
When will people get fed up with all of this crap? I have worked with computers since 1981 and am practically ready to abandon them and go back to damn typewriters and daytimers!