Microsoft Issues Five New Security Warnings
smelroy writes "Microsoft on Wednesday issued security bulletins for five new software vulnerabilities, including a flaw in Visual Basic for Applications that the company rated as critical. The company has posted patches for each of the flaws on its Web site. Four of the problems affect Microsoft's Office desktop software.
You can read the story here and the security bulletins here."
wouldn't ANY vba flaw be critical. if i recall correctly, through vba, you can manipulate the entire file system. while it doesn't give you low level access, it has access to every COM object on your system. in fact, weren't the code red and i love you virii (and many others) written in VBA. VBA seems to be such a big reason that businesses can't move away from windows/office. to me, it seems like a reason TO move away from office.
My problem? I was perfectly gruntled, until some numbnuts came by and dissed me.
And how long until the entire operating system, and all the Microsoft applications, are all just patches?
Interesting? Come on.
Linux was released. Then patched. Then patched again. And again until it became what it is today.
Apache web server anyone?
[29 Aug 2003] DSA-375 node - buffer overflow, format string
[26 Aug 2003] DSA-374 libpam-smb - buffer overflow
[26 Aug 2003] DSA-344 unzip - directory traversal (new revision)
[18 Aug 2003] DSA-364 man-db - buffer overflows, arbitrary command execution (new revision)
[16 Aug 2003] DSA-373 autorespond - buffer overflow
[16 Aug 2003] DSA-372 netris - buffer overflow
[13 Aug 2003] DSA-358 linux-kernel-2.4.18 - several vulnerabilities (new revision)
[11 Aug 2003] DSA-371 perl - cross-site scripting
[09 Aug 2003] DSA-361 kdelibs, kdelibs-crypto - several vulnerabilities (new revision)
[08 Aug 2003] DSA-370 pam-pgsql - format string
[08 Aug 2003] DSA-369 zblast - buffer overflow
[08 Aug 2003] DSA-368 xpcd - buffer overflow
[08 Aug 2003] DSA-367 xtokkaetama - buffer overflow
Stop calling the kettle black! Fix your own problems. This stuff wouldn't happen if Debian didn't use out of date software, as most of the flaws mentioned were fixed in the new versions!
I'm in a mixed environment where we have some Dells that came with Small Business Edition (either SR1 or original), and other users who needed Access that we purchased Office 2000 Pro for. Because Microsoft requires the original CD, it really adds to the burden of updating because you have to figure out which friggin' disc to use on each individual station. If they would just let us run the damn patch without the CD verification it would be easier.
.
Plus, their order of updates is fux0r3d. They have the spell checker update listed as more recent than SP2, but when I run it I get an error message that the update only runs on SP1
It's bad enough to need so many patches, but there are many basic things like the above that Microsoft could easily improve.
While I've just about managed to educate friends and familly about the need to run Windows Update, WU does not in itself warn of critical security issues - you have to remember to visit Office Update manually... and who is going to do that? No one, in my experience.
but it gets better - The Office Security updates require you to insert the original CD. This seems a mighty strange move, and not terribly useful for me since the CD is several thousand miles away locked up in a cupboard on the other side of the Atlantic.
Can anyone explain the warped logic here? I could understand it if the new patches enabled new functionality? but these are security patches.