Slashdot Mirror


Microsoft Issues Five New Security Warnings

smelroy writes "Microsoft on Wednesday issued security bulletins for five new software vulnerabilities, including a flaw in Visual Basic for Applications that the company rated as critical. The company has posted patches for each of the flaws on its Web site. Four of the problems affect Microsoft's Office desktop software. You can read the story here and the security bulletins here."

42 of 576 comments

  1. critical VBA flaw by b17bmbr · · Score: 5, Insightful

    wouldn't ANY vba flaw be critical. if i recall correctly, through vba, you can manipulate the entire file system. while it doesn't give you low level access, it has access to every COM object on your system. in fact, weren't the code red and i love you virii (and many others) written in VBA. VBA seems to be such a big reason that businesses can't move away from windows/office. to me, it seems like a reason TO move away from office.

    --
    My problem? I was perfectly gruntled, until some numbnuts came by and dissed me.
    1. Re:critical VBA flaw by mforbes · · Score: 5, Insightful

      OpenOffice and StarOffice also have built-in scripting languages. Perhaps the risks of buffer overruns aren't as common under those (I don't know, since I lack much experience with those scripting languages), but in all fairness to MS, if OpenOffice were the leading suite & de facto standard, it would also see many attacks. The problem in this case isn't that the flaw exists -- patches are easy enough to apply. It's that with the near-monopoly MS has over hundreds of millions of users, you can always guarantee some large subset of users won't have the patches installed, and thus will be vulnerable to attack.

      --

      Allegedly real newspaper headline from 1998:
      Man Struck by Lightning Faces Battery Charge

  2. Doesn't make any sense.. by euxneks · · Score: 3, Insightful

    It doesn't make any sense for a company to keep building something that requires a patch every few days. Are they actually making money off of these patches?

    It's just that I've never heard of anything so blatantly broken that is so successful.

    Maybe I'm just angry because some scumware got into my computer system.

    --
    in girum imus nocte et consumimur igni
    1. Re:Doesn't make any sense.. by EvilTwinSkippy · · Score: 2, Insightful
      > It's just that I've never heard of anything so blatantly broken that is so successful.

      You are obviously not remembering the "good old days" very well. Every computer system is crummy. Linux is crummy. It's just a matter of how much we are paying for suckness.

      At least Linux is honest about its suckworthiness. You don't see Linus making grand speeches about "Trustworthy" computing, or "Security through fill in the methodology". He and his cadre are out there coding for fun. They will tell you as much. Many just happen to be paid to do it for a living.

      I personally use Linux. And it has nothing to do with quality. I'm constantly tweaking, patching, or scripting. It's about utility.

      --
      "Learning is not compulsory... neither is survival."
      --Dr.W.Edwards Deming
  3. Finally! They're fixing the bugs by 192939495969798999 · · Score: 4, Insightful

    When we get more like 50 of these a week, then we'll know that they've really gotten serious. Large systems have a lot of holes in them -- especially when no one was plugging the holes for oh, 10 years or so.

    --
    stuff |
  4. Re:Snapshot Viewer affected? by nairnr · · Score: 4, Insightful
    Kinda makes you yearn for thin clients again... Make a few changes that affect all users. It seems to be something that would start making some sense again; with the number of times that systems are affected in a corporate environment, a more centralized server system does have its advantages. It would be interesting if this frequent patch cycle is affecting how people deploy large scale systems.

    Ah, X-servers :-)

  5. Re:deja vu by KDan · · Score: 2, Insightful

    If only they could actually wall all the Windows... maybe the worms wouldn't get in anymore.

    Daniel

    --
    Carpe Diem
  6. Re:what % of Windows is patches? by n3rd · · Score: 5, Insightful

    And how long until the entire operating system, and all the Microsoft applications, are all just patches?

    Interesting? Come on.

    Linux was released. Then patched. Then patched again. And again until it became what it is today.

    Apache web server anyone?

  7. Latest Debian gnu/Linux security warnings! by Anonymous Coward · · Score: 5, Insightful

    [29 Aug 2003] DSA-375 node - buffer overflow, format string
    [26 Aug 2003] DSA-374 libpam-smb - buffer overflow
    [26 Aug 2003] DSA-344 unzip - directory traversal (new revision)
    [18 Aug 2003] DSA-364 man-db - buffer overflows, arbitrary command execution (new revision)
    [16 Aug 2003] DSA-373 autorespond - buffer overflow
    [16 Aug 2003] DSA-372 netris - buffer overflow
    [13 Aug 2003] DSA-358 linux-kernel-2.4.18 - several vulnerabilities (new revision)
    [11 Aug 2003] DSA-371 perl - cross-site scripting
    [09 Aug 2003] DSA-361 kdelibs, kdelibs-crypto - several vulnerabilities (new revision)
    [08 Aug 2003] DSA-370 pam-pgsql - format string
    [08 Aug 2003] DSA-369 zblast - buffer overflow
    [08 Aug 2003] DSA-368 xpcd - buffer overflow
    [08 Aug 2003] DSA-367 xtokkaetama - buffer overflow

    Stop calling the kettle black! Fix your own problems. This stuff wouldn't happen if Debian didn't use out of date software, as most of the flaws mentioned were fixed in the new versions!

    1. Re:Latest Debian gnu/Linux security warnings! by akiaki007 · · Score: 4, Insightful

      The only one that *truly* affects Debian here is the kernel bugs. Everything else is software and shouldn't be considered that.

      The MS bugs pertain to the MS release software that directly affect the OS and the Office suite. And I would only really consider the VBA and the OS security bulletins here as being that important as that is what affects Windows. So that's 2.

      For debian we have 1. The rest are other software! If I wanted to talk about bugs with every piece of software being used in Windows, then let's do that. But clearly you're not.

      Stop comparing apples to oranges.

      --
      "Time is long and life is short, so begin to live while you still can." -EV
    2. Re:Latest Debian gnu/Linux security warnings! by blastedtokyo · · Score: 2, Insightful

      Ummm...Office is _application software_

  8. Slashdot just loves MS security bulletins by Anonymous Coward · · Score: 3, Insightful

    What's the big deal here? Microsoft finds a flaw, issues the patches, get coverage from slashdot.

    Things that happen all the time with unix/linux OS and apps.

    Don't be mistaken, I ain't pro-Microsoft. I just think that slashdot is often bashing MS products for no reason. Their ideology is bad. The world domination plan is bad. But I'm tired of "hardcore" unix/C fanatics who dismiss .NET without any knowledge of it.

    Whining and moaning every time they issue a security warning is just plain childish... oh wait, this is slashdot.

    1. Re:Slashdot just loves MS security bulletins by akiaki007 · · Score: 4, Insightful

      I use .Net. And I won't dismiss it. But all the bugs are really annoying. Some seem small. For instance, you can't use customized MenuItems in a ContextMenu in a NotifyIcon. That's quite useful if you think about it. If you want a simple application that runs a lot of other programs and processes in your company, it would make sense to use a NotifyIcon application. But every menu (no images allowed here) looks exactly the same. It would be very helpful to have icons and colours. but you can't. This is just one bug. There are quite a few, even within the compilers.

      I'm not dismissing it completely, but .Net released by MS is still very much a beta. Even at the 1.1 level.

      --
      "Time is long and life is short, so begin to live while you still can." -EV
  9. Every bit helps by Doesn't_Comment_Code · · Score: 4, Insightful

    I hope this wins some more business and government contracts for non-Windows based systems.

    Windows is ok for some applications. But this sort of thing (actually a whole month of bad security press) should jar a lot of decision makers to recognize that MS is not the ONLY REAL OS OUT THERE, as their marketing strategy has led all non-tech inclined business execs to believe.

    The Truth will set you free.

    --

    Slashdot Syndrome: the sudden, extreme urge to correct someone in order to validate one's self.
  10. It's funny to laugh at Microsoft... by Osrin · · Score: 4, Insightful

    ... but we should really be debating how we get this right on an OSS platform. If I put RedHat9 next to Windows Server 2003 I have significantly more updates to apply to my Linux box.

    This is a community of smart people, the race is on to figure out how to best solve this issue for our end users. Microsoft appears to be beating us by requiring far less updates to be applied than a randomly chosen Linux distro.

    We need to think about the process of distribution and application of these patches, if we can get that right then we get a larger percentage of the desktop.

    Today any undereducated end user who is judging security by the number of patches that jumps to a Linux distro because they've "heard" it is more secure will quickly be jumping back to Windows.

    1. Re:It's funny to laugh at Microsoft... by pmz · · Score: 3, Insightful

      > Microsoft appears to be beating us by requiring far less updates to be applied than a randomly chosen Linux distro.

      This is a fallacy, as Windows is closed source. Microsoft will fix only those bugs that are either publicly disclosed, mandated by some court case, or, sometimes, actually found internally by their undersized QA staff. So, of course, Microsoft will appear to have fewer patches. Also, have you considered that the maintainers of your randomly-chosen Linux distribution are actually honest and believe offering a patch is better policy than offering none to save face?

      Open Source (open, transparent, honest)
      Microsoft (closed, opaque, lying assholes)

      Gee, who do we choose? Well, I guess we choose Microsoft, because they have fewer patches!

    2. Re:It's funny to laugh at Microsoft... by bogie · · Score: 3, Insightful

      "This is a community of smart people, the race is on to figure out how to best solve this issue for our end users. Microsoft appears to be beating us by requiring far less updates to be applied than a randomly chosen Linux distro."

      A) Linux and its associated apps are opensource so you're going to find more security flaws due to the nature of opensource. This is a GOOD thing.
      B) The ratio of packages per "average" linux distro vs. say 2k server or 2k3 server is what? 15 to 1? So judging by that fact it's surprising that Microsoft continues to have as many problems as they do. When comparing correctly there is no comparison, MS loses hands down.

      "... but we should really be debating how we get this right on an OSS platform. If I put RedHat9 next to Windows Server 2003 I have significantly more updates to apply to my Linux box."

      Any admin who actually knows how to update and secure both linux and windows would say different. With Microsoft patches there is a decent chance that the patch will not only not work and require a second patch, but also might hose your system. All those admins who get nailed by worms aren't just lazy. Many of them have been burned by MS patches and choose just not to use them.

      Let's also not forget about huge mega patch service packs that you have to use which are somehow ignored in your "count". Forgot about those huh? How many patches do these monsters hold? Hundreds? At a minimum. And of course nobody's system EVER gets hosed by service packs....

      How about those great new restrictive licensing terms which get forced down your throat just because you want to secure your box?

      Lastly even though 2k3 is better about it, I'll also enjoy not having to reboot my system for a simple patch. Don't you think average downtime should be added into the equation?

      I'll take Red Hat's or any other linux vendors patching system any day of the week thanks.

      --
      If you wanna get rich, you know that payback is a bitch
  11. Rather than bashing MS... by astrashe · · Score: 1, Insightful

    We should probably be trying to explain to everyone that it's necessary to actually install this stuff... IT people who don't are incompetent, and they will bear some of the blame for the next worm.

  12. education and administration still the weak spot by *weasel · · Score: 3, Insightful

    your box is only as secure as the person administering it.

    and apparently, windows users, left to their own devices don't know, or don't care about keeping up to date on security patches.

    although, when enough of them are willing to just go ahead and double-click on any attachment from an unknown sender (msblast), these kinda exploits aren't really even necessary.

    all the tools for a secure windows box are already there.
    (though a security-patch-only windowsupdate flavor would be very helpful).

    --
    // "Can't clowns and pirates just -try- to get along?"
  13. Office Updates EXTREMELY Frustrating by syntap · · Score: 5, Insightful

    I'm in a mixed environment where we have some Dells that came with Small Business Edition (either SR1 or original), and other users who needed Access that we purchased Office 2000 Pro for. Because Microsoft requires the original CD, it really adds to the burden of updating because you have to figure out which friggin' disc to use on each individual station. If they would just let us run the damn patch without the CD verification it would be easier.

    Plus, their order of updates is fux0r3d. They have the spell checker update listed as more recent than SP2, but when I run it I get an error message that the update only runs on SP1.

    It's bad enough to need so many patches, but there are many basic things like the above that Microsoft could easily improve.

  14. Re:what % of Windows is patches? by kryptobiotic · · Score: 2, Insightful

    Isn't it funny that apache.org has 2 separate theories on the origin of the name and both are considered correct. One would think that the group that came up with the name should be able to keep track of the truth about where it came from. Must be that the person that wrote the timeline never read the FAQ.

    According to this, the server was named after the Apache indians and the " A patchy server" is just a cute coincidence.

  15. Who should I bill for this? by yiantsbro · · Score: 2, Insightful

    Alright, the OS patches are one thing--I can automatically have our machines update if I wish. The office updates, however, require access to the installation media. As we have a volume license agreement and our individual users do not have copies of the media, I will have to have a tech personally visit each of our 500 or so machines to put in the CD and load the patches--or ignore this "critical" fix and hope for the best. I wish I had the option of forcing a different office application solution but in an academic environment it is difficult at best. Something like this really lays the foundations for class-action.

  16. Re:And yet, look at my sig for Linux vulnerabiliti by hype7 · · Score: 2, Insightful
    Here comes the part where people's excuse is that it's a joint effort, unable to be pinpointed as a "Linux hole." What does that mean? Nobody gets blame because a lot of people contribute? A lot of people contribute to Microsoft as well. They're just behind the moniker of a company label.

    Rather than excuse Linux, I think the people hate these MS warnings most of all because MS-users, unlike most Linux users, don't patch their systems. What normally ensues within a couple of weeks of the vulnerabilities is some exploit wreaks absolute havoc with the internet.

    If MS gets the patch out the door, and everyone installs it before some script-kiddie can exploit it, then who really cares? It's a pain downloading all the patches, but that would be the extent of the problem.

    Instead, the horde of zombies kills the internet. We've only just recovered from the last attack.

    -- james
  17. Re:And yet, look at my sig for Linux vulnerabiliti by BurritoWarrior · · Score: 4, Insightful

    Good troll, but try coming back with an analysis of the actual severity of the holes.

    I better hurry to run off and patch a hole in some obscure OSS app I don't have installed as opposed to the constant REMOTE ROOT EXPLOITS in the core Microsoft OS.

  18. Wow, not ONE of them was for Linux by finkployd · · Score: 4, Insightful

    Perhaps comparing all the security vulnerabilities for all software that could possibly run on Windows to this list would be SLIGHTLY more fair.

    As it stands now you are comparing all open source applications to the Windows Operating System.

    So good job on attempting to call the Slashdot community on hypocrisy; unfortunately you seem to be very confused about what Linux is and unable to make a valid comparison.

    Finkployd

  19. Oh come on by Cat_Byte · · Score: 2, Insightful

    Why must we have a discussion on every single MS update? This is like posting a major news announcement at every virus that comes around. Set up critical updates to download & install when you are ready, set up anti-virus to auto-update, and move on with the important things that we as a community of intelligent computer users can benefit from. It's not news if MS already discovered it, researched it, wrote a patch, tested it, and released the patch.

    In other news: Elvis Presley is still dead and the teddy bear icon virus still runs rampant.

    If we must post security advisories do it for a *nix platform where critical updates aren't automatically applied and mission critical apps are in danger of being compromised.

    --
    Two roads diverged in a wood, and I - I took the one the bus load of girls just went down.
  20. Hmm. Does this affect OEMs? by gosand · · Score: 3, Insightful

    I just thought of something - what do companies like Dell do? They just sell the stock OS on their systems, right? Everyone always complains that people don't patch their systems, but what if you buy a new machine from Dell? I am sure people don't think "oh man, I have a new system, I need to go out and figure out which patches to install". They fire it up and go. Should OEMs be required to sell systems that are up to date on the OS patches?

    --

    My beliefs do not require that you agree with them.

  21. Re:Yes, there is a reason by gowen · · Score: 2, Insightful
    > yet ignore that Linux application vulnerabilities are announced almost every day. But, they say, this is MICROSOFT! It's somehow DIFFERENT!
    Yes, it is different. All those Microsoft flaws are in products written and tested by Microsoft themselves.

    MS does not patch flaws in "Photoshop for Windows", or "CorelDraw for Windows" or Quicken, or Win32 Mozilla, or any number of the millions of Windows shareware apps. Unless you start counting those vulnerabilities as "MS vulnerabilities" you're not comparing like with like.

    All those Linux application flaws are in products (usually obscure ones) written by companies other than Linux distribution vendors. They package them with their distros because they can, and they promulgate the patches (also written elsewhere) because it's good practice.

    Yes, I know. IHBT. IHL.
    --
    Athletic Scholarships to universities make as much sense as academic scholarships to sports teams.
  22. And Office Update process is broken. by Angostura · · Score: 5, Insightful
    A couple of points on this.

    While I've just about managed to educate friends and family about the need to run Windows Update, WU does not in itself warn of critical security issues - you have to remember to visit Office Update manually... and who is going to do that? No one, in my experience.

    But it gets better - the Office security updates require you to insert the original CD. This seems a mighty strange move, and not terribly useful for me since the CD is several thousand miles away locked up in a cupboard on the other side of the Atlantic.

    Can anyone explain the warped logic here? I could understand it if the new patches enabled new functionality, but these are security patches.

    1. Re:And Office Update process is broken. by Anonymous Coward · · Score: 1, Insightful

      > Can anyone explain the warped logic here?

      Yes, it's very simple: Microsoft is more concerned about piracy than they are about your security!

  23. Re:Honestly... by sharkey · · Score: 2, Insightful
    > I also thought Bush lost the election.

    Really? I thought America lost the election.

    --
    "Outlook not so good." That magic 8-ball knows everything! I'll ask about Exchange Server next.
  24. Re:education and administration still the weak spo by the_mad_poster · · Score: 2, Insightful
    > all the tools for a secure windows box are already there

    Oh, really? So, if I want to remove Internet Explorer because it's such a buggy, hole-ridden program tied right to the OS, Microsoft has a tool for me to do that? So, if I don't want to install the RPC service on my W2k box at home, I can do that during the installation? So, if I want to forgo Explorer because I don't need pretty point and click interfaces, I can do that?

    You've got it backwards. Unlike well-designed systems, Microsoft DOESN'T provide you with the tools to make the box secure. That's one of the biggest problems - you have to rely on their "one-a-day" pills to make the box secure, and even then, it's not secure, it's just you filling one of many holes in the dam.

    --
    Alito: A vote for Alito is a punch in the eye to put that bitch back in her place!
  25. Re:what % of Windows is patches? by MadChicken · · Score: 1, Insightful

    That's not how I remember it...

    Win95 ran on DOS, though they hid it. So, it was more of an incremental change to Win 3.1. They clearly rewrote quite a bit, but it was certainly not "starting over".

    NT 3.1 was the "completely starting over" part. And it wasn't too bad of a platform, really... Consider that 3.5,3.51,4,Win2k + 2 versions of XP are building on that foundation... And it is fairly stable. Since I got XP bundled with my machine, I haven't been desperate to reboot into Mandrake. It doesn't crash, it plays the games, and runs Mozilla and OOo very well...

    The big problem is still their QA, really. If they fixed that up, they'd have a strong product.

    --
    SYS 64738 NO CARRIER
  26. Re:And yet, look at my sig for Linux vulnerabiliti by frekio · · Score: 2, Insightful

    If you look a bit more closely at those "linux" security holes, then you notice that they are programs such as "eroaster" and "Atari800" that have the vulnerabilities. These are simply programs that can be installed on the systems that may be in the Gentoo portage for example, or FreeBSD ports system or a RedHat package.

    The only "Linux" software you can really blame, is the kernel, besides that if a distribution has a hole in a default install that is a big issue. Otherwise, if the user installs software that has a hole you can't really blame linux for it. Microsoft wrote and distributes all the softwares which had the holes listed in this story, so they can be held accountable (unlike Linux in your story).

    On that page at 9AM PDT there are ZERO bugs which fall into the category of serious issues that are Linux / *nix or Linux Distribution's fault. They are all stand alone software that have vulns.

    If they listed every software on the windows platform which had vulnerabilities the MS list would be massively enhanced also. They aren't audited as much as unix programs because a lot less of them are open source... so the bugs are just sitting there, unfixed.

    Another FUD bites the dust....

  27. Many hours will be lost patching Word. by Futurepower(R) · · Score: 3, Insightful

    To patch the security vulnerabilities in Microsoft Word, you have to 1) download the patch, 2) find the original Word CD and put it in the CD drive, 3) run the patch, 4) wait while a lot of processing is done with the CD, and 5) put the CD away again. It seems to me that, since this was a patch for a severe security vulnerability, Microsoft could have skipped the time-consuming 2, 4, and 5 steps. Think how many total hours will be lost throughout the world by users or computer professionals whose time is extremely valuable. The TCO just went up.

  28. Autoupdate does not cover Office! by gad_zuki! · · Score: 2, Insightful

    >I didn't have to do a thing because my system updated itself.

    Well, now you're out of luck. Joe Sixpack not only needs autoupdate on 24/7, he also needs to visit officeupdate to get the office patches: http://office.microsoft.com/ProductUpdates/default.aspx

    Can MS make this more confusing for the average user? KB824993 and KB826292 do not show on a fresh Windowsupdate.com scan or with the MSBL tool.

  29. Windows (Simplified) World by knghtrider · · Score: 2, Insightful

    > For one reason or another, things are different in the Windows world.

    Yes, things are different in the Windows (Simplified) World. In the Windows World, you buy PC XYZ from company ABC complete with Windows. You unbox it, turn it on, and let the 'magic' do its thing. There's no muss, no fuss and I've got a working PC. Oh, never mind that the OS isn't patched with the latest patches--the average home user doesn't know (or understand) that it needs to be--regardless of the media coverage of worm/virus Qbert. The average home user is NOT technically inclined. Therein lies the source of the problem--lack of sufficient instruction, which is the delegated responsibility of the OEM System Builder. Consequently, every little bug gets passed along, and we end up with MSBlaster type problems.

    In the Linux world; the average user is technical, or has had the system set up by someone technical. They take care of the system, understand how to patch the system and ensure that it has been patched. For this reason, problems are short lived.

    We live in a simplified world. From fast food, disposable diapers, razors, etc., to all-in-one super stores, everything is simplified for us. I don't have to know how to make Veal Scallopini; I can buy it pre-made at the grocery. We want everything easy, because we don't want to take the time to do otherwise.

    Granted, this is an oversimplified view. I didn't factor in regression testing of patches at the corporate level in order to ensure that the new patch doesn't break something else in use, due to the tight integration of code with the Microsoft OS (unlike Unix/Linux Applications). This takes time (stakeholders and their ilk tend to be testy when their application breaks) and may result in infection before testing is complete. The point is people have been brainwashed into believing that computers are simple, when in fact they require a lot of attention, like a toddler or a puppy.

    How did we do things without computers before? I know..paper and pencil. At least there we didn't have to worry about viruses--unless it's a cold. LOL... Maybe regression is a good thing this time?

    --
    In America today you can murder land for private profit. You can leave the corpse for all to see, and nobody calls the c
  30. Troll. Read the alerts/ Debian backports to stable by The+Revolutionary · · Score: 3, Insightful
    First, realize that these security alerts arise from a set of over 8710 packages. This is an incredibly large base of software, the great majority of which you will not have installed, and certainly not have installed in a production environment.

    Second, did you even bother to read those security alerts or investigate what the packages are? Briefly:

    node: "Amateur Packet Radio Node program"

    libpam-smb: arbitrary code, but no privilege escalation

    unzip: no privilege escalation, no arbitrary code, and who uses it?

    man-db: only if you go against install-time advice and make it setuid

    autorespond: "This vulnerability is currently not believed to be exploitable due to incidental limits on the length of the problematic input, but there may be situations in which these limits do not apply."

    netris: "A free, networked version of T*tris"

    linux-kernel-2.4.18: most are local only, "STP protocol", or an nfs3 DOS with no arbitrary code or remote root

    perl: yes, "execute arbitrary web script within the context of the generated page"

    kdelibs: konqueror only, client only

    pam-pgsql: arbitrary code, but no privilege escalation

    zblast: "shoot 'em up space game"

    xpcd: local only

    xtokkaetama: local only

    "This stuff wouldn't happen if Debian didn't use out of date software, as most of the flaws mentioned were fixed in the new versions!"

    And this is why I call troll.

    From Debian security FAQ:
    "The most important guideline when making a new package that fixes a security problem is to make as few changes as possible. Our users and developers are relying on the exact behaviour of a release once it is made, so any change we make can possibly break someone's system. This is especially true in case of libraries: make sure you never change the Application Program Interface (API) or Application Binary Interface (ABI), no matter how small the change is.

    This means that moving to a new upstream version is not a good solution, instead the relevant changes should be backported. Generally upstream maintainers are willing to help if needed, if not the Debian security team might be able to help.

    In some cases it is not possible to backport a security fix, for example when large amounts of source code need to be modified or rewritten. If that happens it might be necessary to move to a new upstream version, but this has to be coordinated with the security team beforehand."

  31. Re:And yet, look at my sig for Linux vulnerabiliti by Dot.Com.CEO · · Score: 2, Insightful

    pam_smb and sendmail "obscure"? And that's only in the past, what, five days...

    --
    Mother is the best bet and don't let Satan draw you too fast.
  32. Re:And yet, look at my sig for Linux vulnerabiliti by Wakko+Warner · · Score: 2, Insightful

    I'd say the first is awfully obscure, seeing as how I've used Linux now for nine years and have yet to find a system which actually uses it.

    And sendmail? Hardly a linux-specific application, wouldn't you say? Besides, most Linux distros no longer use it.

    - A.P.

    --
    "Remember when the U.S. had a drug problem, and then we declared a War On Drugs, and now you can't buy drugs anymore?"
  33. Re:Oh? by Ice_Balrog · · Score: 2, Insightful

    Almost every Windows vuln article I see this argument. And every time it gets refuted. Yes, the Windows troll just will not go away.

    Debian distributes how many thousands of different packages? I don't remember, but it was over 2,000.
    Now then, how many different packages does MS make? 200-250. 5 out of 250 MS packages. 10 out of more than 2,000 Debian packages. Now Debian doesn't sound so bad, does it?

    On top of that, most of the Debian security vulnerabilities are theoretical or require access to the machine to use the exploit. Hardly as big of a threat as MS vulnerabilities.

    --
    #include "sig.h"
  34. PGP version by The+Snailman · · Score: 2, Insightful

    You just have to laugh at this...
    If you got all the Microsoft Security Bulletins, check out how the PGP version used to sign each one changed.
    Especially this one:
    Microsoft Security Bulletin MS03-036: Buffer Overrun in WordPerfect Converter Could Allow Code Execution (827103)

    If you didn't get it or can't be bothered reading it:
    -----BEGIN PGP SIGNATURE-----
    Version: PGP 8.0.2 - not licensed for commercial use: www.pgp.com

    --
    Warning: you are logged into reality as root...