Microsoft Issues Five New Security Warnings
smelroy writes "Microsoft on Wednesday issued security bulletins for five new software vulnerabilities, including a flaw in Visual Basic for Applications that the company rated as critical. The company has posted patches for each of the flaws on its Web site. Four of the problems affect Microsoft's Office desktop software.
You can read the story here and the security bulletins here."
There comes to a point where you just can't patch things anymore, and it's time to start over new. And, hopefully get it right this time!
Same old sh*t, different day. Other than alerting admins who really should know this is there a reason for having it on the front page?
Crap! That means I have to touch every machine in the enterprise--again! Just two weeks after "touching 'em all" (not in the baseball sense) from the last round of worm patches.
How I long for the old days of Novell... Ah...take me away!
Who did what now?
I remember in HS I could own any Mac in school that had Office installed on it. At that time Office had a find file program built in with the added "feature" that it could move files around once you found them. The security program on the Macs of course disabled Apple's Find File and locked certain folders so you couldn't delete programs. Office bypassed all that. All you had to do was find and move the security program's preference file to the trash and restart the computer. The password would be reset to the default password, which I happened to know (admin:admin is pretty easy). Voila, Office as a hacking tool. And it was a feature of Office!
My tinfoil cap has 2 pennies.
"Learning is not compulsory... neither is survival."
--Dr.W.Edwards Deming
Slashdot rarely, if ever, publishes security holes in non-MS software, so I have to read about them somewhere else.
What is Slashdot trying to hide?
I just got a new pc with XP on it after a mb failed on old one last week. Decided to run windows update this morning. 30 "critical" updates, 11 xp updates and 3 driver updates. And this is a pc packaged in July.
...is anyone surprised?
I'm not even sure this belongs on /. anymore. We know MS writes buggy and vulnerable software.
Of course, MS isn't the only company to write such buggy software. But before anyone says a word about MS being bashed too much, let's remember that 95% statistic. When a company's software runs on approximately 95% of the world's computers, they have the moral responsibility to ensure its stability before they release it.
We could always blame sysadmins for being too stupid to check for and install updates, but instead, why don't we just educate people on why they should run Windows Update every week (or sooner).
I'd think billions of dollars in damages to the economy would be enough to get executives cracking the whip at their IT staff. Then again, I also thought Bush lost the election.
From personal experience, patches for MS Office require the user to have the CD available.
In the corporate environment, this usually isn't a problem (except for the different flavors of Office we have floating around: MS Office Professional, MS Office Premium, MS Office Academic version, OEM non-retail version, etc. make it a pain).
However, home users may have MS Word and MS Excel pre-installed on their systems from the store. But they don't have the Office CD itself.
How can they apply the necessary MS Office patches and service packs?
We've only just recovered from the last attack.
I'm glad you can say that. Our network at work is still up and down regularly from all the traffic spewing out of Blaster infected game consoles....
"City hall" in German is "Rathaus" Kinda explains a few things......
Important to note that most holes are not found by Microsoft.
After trustworthy computing, one might expect to see an increase in the number of security patches, given the increase in developer time searching for them. Take a look at the credits for these patches. Not one attributed to MS internal security audit team.
I develop lots of VBA stuff for our office. But all of our installation disks are 75 miles away at the main office. I have an Office XP Upgrade disk that was used on older here, but my full-blown Dell-installed Office XP won't accept it. So how am I supposed to patch this *critical* bug *immediately*?
Vote for global prefs bug
I've been using .NET. It's neat, and has a lot of cool features over VB6, ASP, and MFC, and yes, even Java. But as interesting as the technology is, why would anyone want to deal with a company that acts the way Microsoft does?
Vote for global prefs bug
-- if OpenOffice were the leading suite & de facto standard, it would also see many attacks.
This has nothing to do with the popularity of Windows or Office.
If the apps were secure and the OS didn't have gaping flaws that allowed people to write things like Sobig and Code Red then there wouldn't be an issue.
A secure and popular OS would not generate this many issues...the problem is that MS is a popular and dramatically insecure OS.
1. Open Word
2. ALT+F11
3. Key in: Sub RunShell(): Shell "cmd.exe", vbNormalFocus: End Sub
4. F5
This simple example runs a shell, but you can guess what happens when you can load a kernel debugger or alternative win32 shell and have system access.
This isn't shocking and I've seen everyone try to remove the DOS subsystem, rename net.exe and disable and even remove cmd.exe/command.com by using filesystem tricks, depending on Windows applications' lame handling of these tricks.
Basically you can't secure a Windows machine in public use -- btw if you have access to the USB port and a jump drive you can get in without a keyboard and send viruses/spam/etc. from someone else's machine.
Windows' Office VBA system and IE are the ultimate root kit imho.
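The Shell call in the post above is exactly the parent/child process relationship a defender can alert on: an Office binary should not need a command interpreter or script host as a child. As an added example that is not from the original thread, the Python below runs that detection over a few constructed, simplified process-creation records (pipe-separated key=value fields, EventID 1 in the spirit of Sysmon). The log format, paths, and the Office/shell process lists are assumptions for the demonstration; explorer.exe spawning cmd.exe and non-process events are deliberately included so the filter has something to ignore.

```python
from dataclasses import dataclass
from typing import Dict, List

# Office binaries that should never need a command interpreter as a child.
# The list is an assumption for this example; extend it for your environment.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "msaccess.exe"}

# Interpreters and script hosts a macro typically reaches for after Shell().
SHELLS = {"cmd.exe", "command.com", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# Constructed sample log (not a real capture). Each line is a simplified,
# pipe-separated process-creation record; EventID=1 marks process creation.
SAMPLE_LOG = r"""
EventID=1|UtcTime=2003-09-03 18:02:11|Image=C:\WINDOWS\system32\cmd.exe|ParentImage=C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE|CommandLine=cmd.exe /c whoami
EventID=1|UtcTime=2003-09-03 18:02:15|Image=C:\WINDOWS\system32\notepad.exe|ParentImage=C:\WINDOWS\explorer.exe|CommandLine=notepad.exe
EventID=1|UtcTime=2003-09-03 18:03:40|Image=C:\WINDOWS\system32\wscript.exe|ParentImage=C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE|CommandLine=wscript.exe C:\DOCUME~1\user\LOCALS~1\Temp\x.vbs
EventID=1|UtcTime=2003-09-03 18:04:02|Image=C:\WINDOWS\system32\cmd.exe|ParentImage=C:\WINDOWS\explorer.exe|CommandLine=cmd.exe
EventID=3|UtcTime=2003-09-03 18:04:09|Image=C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE|DestinationIp=10.0.0.5
"""


@dataclass
class Alert:
    time: str
    parent: str
    child: str
    command_line: str


def parse_record(line: str) -> Dict[str, str]:
    """Split 'k=v|k=v|...' into a dict; a value keeps everything after its first '='."""
    fields: Dict[str, str] = {}
    for part in line.strip().split("|"):
        if "=" in part:
            key, value = part.split("=", 1)
            fields[key] = value
    return fields


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path (accepts either slash style)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_office_spawned_shells(log_text: str) -> List[Alert]:
    """Return one Alert per process-creation record whose parent is an Office
    application and whose child is a shell or script host."""
    alerts: List[Alert] = []
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec.get("EventID") != "1":  # only process-creation events matter here
            continue
        parent = basename(rec.get("ParentImage", ""))
        child = basename(rec.get("Image", ""))
        if parent in OFFICE_APPS and child in SHELLS:
            alerts.append(Alert(rec.get("UtcTime", ""), parent, child, rec.get("CommandLine", "")))
    return alerts


if __name__ == "__main__":
    for a in find_office_spawned_shells(SAMPLE_LOG):
        print(f"{a.time}  {a.parent} -> {a.child}  {a.command_line}")
```

Run against the constructed log this flags the WINWORD->cmd.exe and EXCEL->wscript.exe records and nothing else. In practice the parent/child match is the cheap first pass; the command line (here `cmd.exe /c whoami` and a script in a temp directory) is what an analyst reads next.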
While they show the date to be yesterday's date, the status is still red and active. Road Runner is choked up right now because of MS problems.
Email is just about non-flowing.
I talked to my son at college last night and the entire dorm is dead stopped because there are 150 PCs (excluding his Linux box) that are virused 6 ways to Sunday and have brought the school system to a halt. He can't use the internet because of the MS machines bringing it down.
Now THAT's sad. With 150 machines in his dorm it's turned into a virus P2P network. The viruses propagate so rapidly because they are protected by the university firewall from the outside world but there is no internal protection against *anything*....
The people that run networks, like schools and businesses, need to manage their systems better. This stuff is not funny anymore and it's already gone way past the prank stage.
It's time for some extremely severe prison terms. No more wrist slapping.
Status Red
9/2/2003 7:24 AM
9/3/2003 6:02 PM
ALL Areas.
Road Runner subscribers in all areas could experience slow browsing and/or packet loss when accessing Microsoft sites and services. This could include microsoft.com, windowsupdate.com, msn.com, msnbc.com, hotmail.com, vicinity.com, the Messenger service and any Microsoft websites and services at this time. Our Engineers are working to get these issues resolved as quickly as possible. Thank you for your patience.
you have to figure out which friggin' disc to use on each individual station
It's not just a difference between SBE and Pro. It turns out that all Pros are not created equal. The newer machines here were set up in two batches several months apart. All have Office XP Pro, but we discovered when trying to install the patch that the newer Office CDs are not the same as the older ones. Patches on the newer Office XP Pro require a file called PRORET.MSI on the CD, while the less new Office XP Pro needs a file named PRO.MSI on the CD.
We figured this out after a frustrating attempt to patch my computer. A CD was in there, but the Office Updater didn't like it. It worked fine when we dug out the exact same CD that was originally used to install Office XP Pro on this computer.
Your fantasies contain the seeds of important concepts.
I'm sure this will get modded down, or ignored by the moderators altogether, as off topic; but I feel it's a good comparison. I have two, relatively similar, workstations. One running Red Hat 9 and the other WinXP. I use RH Up2Date on the Linux bawx and Windows Update on the XP machine religiously. The observations that I have made are pretty amazing. Microsoft releases roughly 4 patches for every 1 that RH releases. The RH packages, other than kernel updates, do not require any reboots; whereas most of the MS ones do. I've not had a single occurrence of an adverse effect on my Linux machine from any patches, whereas I have had a myriad of issues with the XP/Office updates (insert CD, permissions issues, BSODs, etc). I'm not at all trying to scream the virtues of Linux and downplay MS, but there are real issues. Not to even mention never having adware, spyware, etc. installed on my RH machine without my knowledge. I'm extremely careful with all of my machines and I still managed to get some IE search bar added to my browser. I removed it quickly with Spybot Search and Destroy, but it still happened. I think MS needs to take a step back from the cash register and seriously evaluate their tactics and practices where desktops are concerned. That is, if they ever want their update service to be even close to as effective as RH's. But that's just my two cents and I'm sure there are a line of people out there to tell me I'm wrong and/or full of crap; but these are real-world observations from someone who is completely OS neutral. ..jab
"Reality is a crutch for people who can't handle drugs" - George Bernard Shaw (1856 - 1950)
Okay I see a lot of Microsoft apologists saying that "all software has bugs", "Linux has problems too", "dumb admins need to keep their machines up to date".. etc...
.. you gotta ask yourself .. is "similar to Linux" in terms of security problems the BEST they can do?
.. the problem today, right now, is Microsoft. The constant flood of pings to my machine are coming from microsoft machines. The viruses are coming from microsoft machines. When is it going to stop??
Let's see:
Linux written by volunteers and small companies.
Windows written by a company with tens of billions in the bank.
Linux used mostly on servers and installed by educated admins.
Windows used by everyone from grandma to the CEO.
Linux on a small percentage of servers.
Windows on 96% of machines (or whatever the figure is). Windows used in ATMs, in medical equipment, by the government, etc., etc. The Microsoft antitrust ruling was typed out on a Windows machine.
And given their resources, their cash, the number of frickin' PhD's on the payroll, and the fact that the entire world economy depends on Windows crap OS (yes even us folks who use Mac/BSD/Linux are still affected indirectly)
They have a huge responsibility, and they have chosen not to meet it. Why? Is it so that the government will pass software quality laws that will place a huge burden on Free software, thus weakening it or killing it off?
Or is it because people have their heads in the sand and refuse to acknowledge that Microsoft is not worth the time and money any more. That's probably it. People are sitting there constantly patching their Windows boxes and not realizing that, hey, maybe there are alternatives. Microsoft has you all by the nuts.
Why are you guys making excuses for Microsoft? Microsoft's products should be the most secure on the planet given their resources and abilities.
I used to think, hey, all computers have problems, but after using software like qmail and OpenBSD, I realized, Microsoft is doing about 1% of what they could do. Even just closing ports and making email attachments not be executable would solve a lot of problems. They need to make their software more secure.
Instead they come up with Palladium or whatever it's called now, a gigantic complex scheme to solve this problem (and a lot of other imaginary "problems" too). Can't they try some simple stuff first?
So don't apologize for Microsoft, don't say "well, if Linux was everywhere we'd have the same problems"
The point is that all the vulnerabilities in the list on the page you linked to (with the exception of sendmail) are fairly obscure "3rd party" apps.
If a vulnerability was found in some obscure windows ftp server that you got off tucows for example, you wouldn't list that as a windows vulnerability would you?
I lay awake last night wondering where the sun had gone, then it dawned on me.