Slashdot Mirror


Microsoft Issues Five New Security Warnings

smelroy writes "Microsoft on Wednesday issued security bulletins for five new software vulnerabilities, including a flaw in Visual Basic for Applications that the company rated as critical. The company has posted patches for each of the flaws on its Web site. Four of the problems affect Microsoft's Office desktop software. You can read the story here and the security bulletins here."


  1. Flaws in Visual Basic by turgid · · Score: 4, Informative

    Flaws in Visual BASIC are documented right here

  2. Re:office by astrashe · · Score: 3, Informative

    I don't think it's fair to blame Office for that -- the old Mac OS didn't have real file system permissions, and that's why it was insecure. Locking the Finder down was the best they could do, but it just wasn't a realistic solution.

  3. Re:critical VBA flaw by Surak · · Score: 4, Informative

    Speaking as someone who has written full-blown applications in VBA, OOo and StarOffice use StarBasic, which isn't quite the same thing as VBA. VBA is a lot more at the system level and gives you more control over the machine.

  4. Re:And yet, look at my sig for Linux vulnerabiliti by Anonymous Coward · · Score: 4, Informative

    Quick quiz, hot shot Troll: Here are the first 5 vulnerabilities from that list:

    atari800, gallery, eroaster, mindi, phpwebsite,

    Now, how many of those are "linux" (i.e. the linux kernel, shell and important utilities.) None.

    How many are remotely exploitable? None.

    Given the user base of those 5 obscure programs, how many would *you* rate as critical?

  5. Re:critical VBA flaw by ScrewMaster · · Score: 4, Informative

    You might see more, but Microsoft still hasn't grasped the sandbox principle: any code that isn't explicitly trusted should not be allowed to access any data or functionality outside a strictly limited area. It can play all it wants inside that sandbox, but won't be allowed out to do harm. ActiveX and COM are two of the most dangerous Microsoft inventions from a security standpoint, since they don't place enough restrictions on what a remote programmer can do with your machine.

    --
    The higher the technology, the sharper that two-edged sword.

  6. Re:Snapshot Viewer affected? by nick+this · · Score: 3, Informative

    Sounds like what you are looking for is SUS. This will allow you to push security updates to your clients centrally.

    Takes an afternoon to get set up and running, but after that, it runs with minimal intervention. Test your security updates, then authorize them to be distributed by the SUS server, and it takes care of the rest.

    Of course, this assumes that you are running Win2k or better on the client side. If not, you are stuck with logon scripting stuff for old machines. Not pretty. If you do have W2k or better, though, this is a huge timesaver. Works pretty well too. Those few that have already discovered it were able to stand on the sidelines, amused, as those who were trying to Windows Update machines one by one got eaten up by Blaster.

    Course, in fairness, there is another product that protects you from these kinds of worms, too... and it's sexy as hell.

  7. Re:And yet, look at my sig for Linux vulnerabiliti by gmuslera · · Score: 3, Informative

    Remember the last WebDAV vulnerability for Microsoft/IIS?

    • Black hats knew about the vulnerability before Microsoft.
    • Widespread attacks came some days after Microsoft finally got to know of it, but it didn't release any advisory about the danger because it had no patch ready, so it took end users by surprise.

    With Linux at least you could have the warning even before the patch (like one of the latest Apache vulnerabilities), so you can take measures before the patch is ready/tested/approved/signed/whatever.

  8. Criticality of this is horribly underrated by benploni · · Score: 4, Informative

    Criticality of this is horribly underrated by Microsoft.

    This is critically important for all Windows MS Office users - "the user must open the attachment" is no protection because most users open attachments to see what they are.

    If the infected WordPerfect document is given a .DOC extension, Word will be invoked directly when the user double-clicks the attachment. Word will automatically recognize and convert the document, and run the hostile code with no further opportunity for the user to stop the virus.

    The vulnerability could also be exploited through a web page, and the user would get no chance to say "No" if ActiveX is enabled.
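The point above, that Word picks the converter from the file's content rather than its extension, is why a mail gateway or endpoint filter cannot trust extensions either. The following is an added example (not from this thread or from Microsoft) of the defensive check a practitioner would want: classify an attachment by its leading magic bytes and flag it when the content type does not match what the extension claims. The sample attachments are constructed inline; the OLE compound-file and WordPerfect ("\xFFWPC") header signatures are well-known public file formats, and the `EXPECTED_TYPES` policy table is an assumption you would tune to your own environment.

```python
"""Flag attachments whose content does not match their file extension.

Added example: classifies by magic bytes so that a WordPerfect file renamed
to .DOC is caught before Word silently converts it.
"""
from dataclasses import dataclass

# Public, well-known file header signatures.
OLE_CFB_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"  # OLE2 compound file (binary Word .doc)
WPC_MAGIC = b"\xFFWPC"                                # WordPerfect document header
RTF_MAGIC = b"{\\rtf"                                 # Rich Text Format

# Policy: which detected types are legitimate for each extension.
# This table is an assumption for the example; adjust to local needs.
EXPECTED_TYPES = {
    "doc": {"ole-compound"},
    "dot": {"ole-compound"},
    "wpd": {"wordperfect"},
    "rtf": {"rtf"},
}


@dataclass
class Verdict:
    filename: str
    extension: str
    detected: str
    mismatch: bool
    reason: str


def identify(data: bytes) -> str:
    """Return a content type from the leading bytes, ignoring the filename."""
    if data.startswith(OLE_CFB_MAGIC):
        return "ole-compound"
    if data.startswith(WPC_MAGIC):
        return "wordperfect"
    if data.startswith(RTF_MAGIC):
        return "rtf"
    return "unknown"


def check_attachment(filename: str, data: bytes) -> Verdict:
    """Compare the extension's claim against the detected content type."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    detected = identify(data)
    allowed = EXPECTED_TYPES.get(ext)

    if allowed is None:
        # Extension not covered by policy: report, but do not call it a mismatch.
        return Verdict(filename, ext, detected, False, "extension not in policy")
    if detected == "unknown":
        # Unrecognised content behind a document extension deserves review.
        return Verdict(filename, ext, detected, True, "unrecognised content")
    if detected not in allowed:
        return Verdict(filename, ext, detected, True,
                       f"extension .{ext} claims {sorted(allowed)}, content is {detected}")
    return Verdict(filename, ext, detected, False, "content matches extension")


def scan(attachments):
    """Return only the attachments that need a human or sandbox to look at them."""
    return [v for v in (check_attachment(n, d) for n, d in attachments) if v.mismatch]


# Constructed sample attachments (not real malware, just headers plus padding).
SAMPLE_ATTACHMENTS = [
    ("memo.doc", OLE_CFB_MAGIC + b"\x00" * 64),     # genuine binary Word document
    ("report.doc", WPC_MAGIC + b"\x00" * 64),       # WordPerfect file renamed to .DOC
    ("notes.rtf", RTF_MAGIC + b"1\\ansi}"),          # genuine RTF
    ("budget.doc", b"PK\x03\x04" + b"\x00" * 64),   # unknown (ZIP-like) content as .DOC
]

if __name__ == "__main__":
    for verdict in scan(SAMPLE_ATTACHMENTS):
        print(f"FLAG {verdict.filename}: {verdict.reason}")
```

Running the block prints two flags: `report.doc` because its content is WordPerfect, and `budget.doc` because its content is unrecognised. The design point is that the decision is made on bytes, which is the same information Word itself uses when choosing a converter, so the check fails closed where the extension would have lied.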

  9. Re:Face it, Linux is popular enough. by gmack · · Score: 4, Informative

    That's funny.. last time there were security vulns I read about them on 3 different news sites and I didn't have to do a thing because my system updated itself.

    It is the distro's job to make sure you are protected when a new exploit is discovered just as it's Microsoft's job when the problem is in windows. Also, if you think anyone accepts accountability for the problem in windows land you may want to read through the EULA again because it sure isn't MS.

    Linux distros get bashed just as much over this and some of us actually avoid the distros with overly bad security records.

    You also need to keep in mind that there is less downtime involved when upgrading Linux systems. My Linux servers are all fully upgraded but have not been shut down in months. Windows? 4 patches, 3 reboots.. yuck

  10. Re:Snapshot Viewer affected? by questionlp · · Score: 3, Informative

    SUS focuses primarily on Windows Updates and not patches involving Office or other Microsoft server and client applications (since it pulls the updates from the same repository as windowsupdates.microsoft.com).

    Instead, for Office applications, you would just need to update the administrative install points (which I'm doing now) and use a client management system (SMS, LANDesk, Group Policies, what have you) to run a batch file that points to the administrative install point for the version of Office installed on the client with the appropriate switches... it can be done completely quietly or showing progress.

    Of course, the time it takes to update all of the different editions and versions of Office is still quite a bit... unless you have a really, really fast machine with fast disk performance.