Slashdot Mirror


Microsoft Issues Five New Security Warnings

smelroy writes "Microsoft on Wednesday issued security bulletins for five new software vulnerabilities, including a flaw in Visual Basic for Applications that the company rated as critical. The company has posted patches for each of the flaws on its Web site. Four of the problems affect Microsoft's Office desktop software. You can read the story here and the security bulletins here."


  1. deja vu by Anonymous Coward · · Score: 5, Funny

    i'm having this funny feeling of deja vu...

    1. Re:deja vu by Anonymous Coward · · Score: 4, Funny

      Could this be a glitch in the Matrix?

    2. Re:deja vu by Winterblink · · Score: 5, Funny

      *draws dual 9mms* It's a glitch in the Matrix. It happens when they patch something.

      --
      "I'm a leaf on the wind. Watch how I soar."
      -Hoban Washburn
    3. Re:deja vu by KDan · · Score: 2, Insightful

      If only they could actually wall all the Windows... maybe the worms wouldn't get in anymore.

      Daniel

      --
      Carpe Diem
    4. Re:deja vu by Anonymous Coward · · Score: 5, Funny

      Re:deja vu (Score:0)
      by Anonymous Coward on Thursday September 04, @10:11AM (#6868436)
      Could this be a glitch in the Matrix?

      Re:deja vu (Score:2)
      by Winterblink (575267) on Thursday September 04, @10:11AM (#6868444)
      *draws dual 9mms* It's a glitch in the Matrix. It happens when they patch something.

      Two identical posts at the exact same time. Now that *has* to be a glitch in the Matrix!

    5. Re:deja vu by mschoolbus · · Score: 3, Funny

      Deja Vu? Why do you get feelings of a strip club with this M$ security story?

    6. Re:deja vu by EvilTwinSkippy · · Score: 4, Funny

      Was it 2 patches, or the same patch twice?

      --
      "Learning is not compulsory... neither is survival."
      --Dr.W.Edwards Deming
    7. Re:deja vu by RLW · · Score: 5, Funny

      documentary style music.
      Voice over:
      It's the wheel of glitches.

      Location: M$aFT glitch preserve.

      M$aFT Tour Guide: The life cycle of the glitch is an often fast and furious one, many only living for a few short days up to a few months typically. Although on some low exposure less used systems they may obtain a Methuselahn life span of several years.
      slight pause
      Tour Guide Continues: Here at the M$aFT glitch preserve we try to breed and raise our glitches for survival in the wild.

      Interrupting Tour member: Why do you breed and raise glitches anyway? Aren't there enough bugs in the wild already? I mean ...

      Cutting off the Tour member Tour Guide: They are glitches, not bugs. As far as the number of glitches in the wild each glitch performs important ecological functions. There are some that encourage users to upgrade their Office packages, there are others that spark the need to upgrade development IDEs and there are others still that motivate upgrades to new versions of our glitch preserve, uh, I mean OS.

    8. Re:deja vu by MarkGriz · · Score: 5, Funny

      Linus, I need an exit... fast!

      --
      Beauty is in the eye of the beerholder.
    9. Re:deja vu by syle · · Score: 4, Funny

      Because like a strip club, Microsoft shows you a good time, but eventually leaves you to go home depressed, penniless, and unsatisfied.

      --

      /syle

    10. Re:deja vu by Aliencow · · Score: 2, Funny

      No, they are glitches in Windows, Office and IE!

    11. Re:deja vu by chocochip · · Score: 3, Funny

      You forgot...

      and very likely leaves you infected with a virus.

  2. Had me confused for a second by greechneb · · Score: 4, Funny
    The most serious of the flaws could let an attacker execute code from an open Office application.

    Confused me because I couldn't figure out why Microsoft was releasing bug reports for openoffice. (Aside from the obvious conspiracy theory that Microsoft would be trying to make the competition look bad)

    1. Re:Had me confused for a second by LrdHlmt · · Score: 2, Informative

      Should have used running Office application. I went WTF the first time I read it.

  3. what % of Windows is patches? by feed_those_kitties · · Score: 3, Interesting
    And how long until the entire operating system, and all the Microsoft applications, are all just patches?

    There comes to a point where you just can't patch things anymore, and it's time to start over new. And, hopefully get it right this time!

    1. Re:what % of Windows is patches? by tsetem · · Score: 2, Interesting

      Oh man, is this history repeating itself?

      Will the next version of Windows be called
      * MS Apache?
      * Apache OS?
      * WinApache?

      (For those of you who don't know, Apache Webserver was called that because originally it was A-Patchy Server)

    2. Re:what % of Windows is patches? by n3rd · · Score: 5, Insightful

      And how long until the entire operating system, and all the Microsoft applications, are all just patches?

      Interesting? Come on.

      Linux was released. Then patched. Then patched again. And again until it became what it is today.

      Apache web server anyone?

    3. Re:what % of Windows is patches? by Doesn't_Comment_Code · · Score: 4, Funny

      And how long until the entire operating system, and all the Microsoft applications, are all just patches?

      It should be a lot easier to pirate a copy of Windows when you can reconstruct the entire operating system by downloading patches directly from MS, and piecing them together like legos.

      --

      Slashdot Syndrome: the sudden, extreme urge to correct someone in order to validate one's self.
    4. Re:what % of Windows is patches? by Sun+Tzu · · Score: 4, Funny

      The difference between Linux and Windows that the original poster was obviously referring to is this:

      Linux consists of 99%+ functionality patches

      Windows consists of 182%+(*) security patches, many of which, unfortunately, have security issues

      (*) Totals exceed 100% due to previous patches getting patched for new security issues.
      --
      Send us your Linux programming articles

    5. Re:what % of Windows is patches? by kryptobiotic · · Score: 2, Insightful

      Isn't it funny that apache.org has 2 separate theories on the origin of the name and both are considered correct. One would think that the group that came up with the name should be able to keep track of the truth about where it came from. Must be that the person that wrote the timeline never read the FAQ.

      According to this, the server was named after the Apache indians and the " A patchy server" is just a cute coincidence.

    6. Re:what % of Windows is patches? by brkello · · Score: 4, Funny

      Oh come on, at least be fair. I can't believe you are modded insightful....I'd say funny. If you think linux patches are all functionality, then you don't work with Linux. The real difference between linux and windows is that you have a 99.9% better chance of getting modded up if you bash Microsoft patches than if you were to say something truly interesting.

      --
      Support a great indie game: http://www.abaddon360.com
    7. Re:what % of Windows is patches? by gmuslera · · Score: 4, Funny

      Maybe MummyOS, by this time you don't see any skin, is all patches and bandages.

    8. Re:what % of Windows is patches? by toddestan · · Score: 2, Funny

      Yeah, but where are you going to get old, unpatched and nonupdated, Windows 3.1 code that still lurks in the heart of Windows XP?

  4. Same old by L-s-L69 · · Score: 3, Interesting

    Same old sh*t, different day. Other than alerting admins who really should know this is there a reason for having it on the front page?

  5. critical VBA flaw by b17bmbr · · Score: 5, Insightful

    wouldn't ANY vba flaw be critical. if i recall correctly, through vba, you can manipulate the entire file system. while it doesn't give you low level access, it has access to every COM object on your system. in fact, weren't the code red and i love you virii (and many others) written in VBA. VBA seems to be such a big reason that businesses can't move away from windows/office. to me, it seems like a reason TO move away from office.

    --
    My problem? I was perfectly gruntled, until some numbnuts came by and dissed me.
    1. Re:critical VBA flaw by mforbes · · Score: 5, Insightful

      OpenOffice and StarOffice also have built-in scripting languages. Perhaps the risks of buffer overruns aren't as common under those (I don't know, since I lack much experience with those scripting languages), but in all fairness to MS, if OpenOffice were the leading suite & de facto standard, it would also see many attacks. The problem in this case isn't that the flaw exists-- patches are easy enough to apply. It's that with the near-monopoly MS has over hundreds of millions of users, you can always guarantee some large subset of users won't have the patches installed, and thus will be vulnerable to attack.

      --

      Allegedly real newspaper headline from 1998:
      Man Struck by Lightning Faces Battery Charge

    2. Re:critical VBA flaw by Surak · · Score: 4, Informative

      Speaking as someone who has written full-blown applications in VBA, OOo and StarOffice use StarBasic, which isn't quite the same thing as VBA. VBA is a lot more at the system level and gives you more control over the machine.

    3. Re:critical VBA flaw by ScrewMaster · · Score: 4, Informative

      You might see more, but Microsoft still hasn't grasped the sandbox principle: any code that isn't explicitly trusted should not be allowed to access any data or functionality outside a strictly limited area. It can play all it wants inside that sandbox, but won't be allowed out to do harm. ActiveX and COM are two of the most dangerous Microsoft inventions from a security standpoint, since they don't place enough restrictions on what a remote programmer can do with your machine.

      --
      The higher the technology, the sharper that two-edged sword.
    4. Re:critical VBA flaw by Surak · · Score: 2, Informative

      Well, *mostly* that's true. However, it can call other processes which may or may not be privileged. Remember that the COM/DCOM stuff runs with admin privs.

    5. Re:critical VBA flaw by pixelgeek · · Score: 2, Interesting

      -- if OpenOffice were the leading suite & de
      -- facto standard, it would also see many attacks.

      This has nothing to do with the popularity of Windows or Office.

      If the apps were secure and the OS didn't have gaping flaws that allowed people to write things like Sobig and Code Red then there wouldn't be an issue.

      A secure and popular OS would not generate this many issues...the problem is that MS is a popular and dramatically insecure OS.

    6. Re:critical VBA flaw by brlancer · · Score: 2, Informative
      The problem in this case isn't that the flaw exists-- patches are easy enough to apply. It's that with the near-monopoly MS has over hundreds of millions of users, you can always guarantee some large subset of users won't have the patches installed, and thus will be vulnerable to attack.

      This argument is debunked constantly.
      Apache has a very dominant role as a webserver, but IIS has far more vulnerabilities with far greater reach.

      From my vantage point, Unix systems would be far more advantageous to compromise because they are more often used for mission-critical apps in large corporations. However, Windows servers are more often cracked, despite the larger volume of *nix servers out there.

      Microsoft is a target because:
      a) They write buggy code which is not thoroughly tested before release and patches often create additional problems.
      b) Their OS is not as easy to update remotely or in batch as *nix boxes are.
      c) They patch individual vulnerabilities, not the underlying causes.
      d) They write code with these ideals (in order):
      ease of coding, ease of use, ability to upsell, functionality, security
      e) They have no interest in writing solid and safe software, only in selling software.

      They have put their profits above the safety of their customers. Imagine if you bought a refrigerator that required an hour of maintenance a week; now imagine you are your grandmother and you own that refrigerator.

      --
      Someone asked if I had patched against MSBlast; I said yes, I installed Linux.
  6. Sigh... it seems a day doesn't go by by winkydink · · Score: 5, Funny

    ...without either e-mail from RedHat about a bug or news from MS about one. Lucky me, today I have both.

    --

    "I'd rather be a lightning rod than a seismometer." -Ken Kesey

  7. Microsoft Issues Five New Security Warnings by Anonymous Coward · · Score: 5, Funny

    1. SuSE
    2. Red Hat
    3. Mandrake
    4. Debian
    5. Gentoo

  8. Snapshot Viewer affected? by Karl+Cocknozzle · · Score: 5, Interesting

    Crap! That means I have to touch every machine in the enterprise--again! Just two weeks after "touching 'em all" (not in the baseball sense) from the last round of worm patches.

    How I long for the old days of Novell... Ah...take me away!

    --
    Who did what now?
    1. Re:Snapshot Viewer affected? by nairnr · · Score: 4, Insightful
      Kinda makes you yearn for thin clients again... Make a few changes that affect all users. It seems to be something that would start making some sense again, with the number of times that systems are affected in a corporate environment, a more centralized server system does have its advantages. It would be interesting if this frequent patch cycle is affecting how people deploy large scale systems.

      Ah, X-servers :-)

    2. Re:Snapshot Viewer affected? by nick+this · · Score: 3, Informative

      Sounds like what you are looking for is SUS. This will allow you to push security updates to your clients centrally.

      Takes an afternoon to get set up and running, but after that, it runs with minimal intervention. Test your security updates, then authorize them to be distributed by the SUS server, and it takes care of the rest.

      Of course, this assumes that you are running win2k or better on the client side. If not, you are stuck with logon scripting stuff for old machines. Not pretty. If you do have w2k or better, though, this is a huge timesaver. Works pretty good too. Those few that have already discovered it were able to stand on the sidelines, amused, as those who were trying to windows update machines one by one got eaten up by blaster.

      Course, in fairness, there is another product that protects you from these kinds of worms, too... and it's sexy as hell.

    3. Re:Snapshot Viewer affected? by questionlp · · Score: 3, Informative

      SUS focuses primarily on Windows Updates and not patches involving Office or other Microsoft server and client applications (since it pulls the updates from the same repository as windowsupdates.microsoft.com).

      Instead, for Office applications, you would just need to update the administrative install points (which I'm doing now) and using a client management system (SMS, LANDesk, Group Policies, what have you) to run a batch file that points to the administrative install point for the version of Office installed on the client with the appropriate switches... it can be done completely quiet or showing progress.

      Of course, the time it takes to update all of the different editions and versions of Office is still quite a bit... unless if you have a really, really fast machine with fast disk performance.

    4. Re:Snapshot Viewer affected? by nick+this · · Score: 2

      Yeah, mostly yup to all of that.

      Definitely standalone, hardware has to be reasonable, but my thought is that if the machine sits slammed all day while clients download updates from it, so much the better... network throttling. :)

      Like all MS stuff, it's all balanced on a bigger and bigger pile of buggy stuff, so it's not surprising that some of it doesn't work. In any event, those machines that don't get updates are probably broken anyway. So I'll sacrifice a couple machines to the worms just so I don't have to one-by-one update.

      Office, as you mentioned, is a non-issue. That's an inplace patch of the admin install.

      So all in all, it's not bad. Not perfect. Not as good a solution as, say, not running windows, but not bad, either. If you are running more than a handful of Win2K or XP machines, you NEED TO HAVE SUS. Not having it is just dangerously suicidal.

  9. Flaw IN Visual Basic? by mahdi13 · · Score: 3, Funny

    I thought Visual Basic was a flaw!

    --
    "Some things have to be believed to be seen." - Ralph Hodgson
  10. office by cybercuzco · · Score: 3, Interesting

    I remember in HS I could own any mac in school that had office installed on it. At that time office had a find file program built in with the added "feature" that it could move files around once you found them. The security program on the macs of course disabled apples find file and locked certain folders so you couldn't delete programs. Office bypassed all that. All you had to do was find and move the security programs preference file to the trash and restart the computer. The password would be reset to the default password, which I happened to know (admin:admin is pretty easy) Voila, Office as a hacking tool. And it was a feature of office!

    --

    1. Re:office by astrashe · · Score: 3, Informative

      I don't think it's fair to blame office for that -- the old macos didn't have real file system permissions, and that's why it was insecure. Locking the finder down was the best they could do, but it just wasn't a realistic solution.

    2. Re:office by div_2n · · Score: 2

      A deadbolt on a door isn't a realistic solution to lock a house down but it does serve a good purpose.

      Office circumventing that security method is exactly like installing a doorbell only to find that the front door pops open regardless of whether it is locked or not when you press the doorbell button.

      How does a doorbell and front door relate to this? Neither is adequate security but both were easily circumvented by a third party device that SHOULDN'T interfere. Blame should not be waived just because the quality of the measure in place was good or bad.

  11. Re:Why Does Slashdot Care???!! by jpsst34 · · Score: 4, Funny

    "This looks like another story to laugh and mock MS. In reality, it is you zealots that look like mormons."

    That doesn't make any sense. A Linux zealot can't even get a date, let alone several wives!

    --
    How are you going to keep them down on the farm once they've seen Karl Hungus?
  12. Doesn't make any sense.. by euxneks · · Score: 3, Insightful

    It doesn't make any sense for a company to keep building something that requires a patch every few days. Are they actually making money off of these patches?

    It's just that I've never heard of anything so blatantly broken that is so successful.

    Maybe I'm just angry because some scumware got into my computer system.

    --
    in girum imus nocte et consumimur igni
    1. Re:Doesn't make any sense.. by EvilTwinSkippy · · Score: 2, Insightful
      It's just that I've never heard of anything so blatantly broken that is so successful.

      You are obviously not remembering the "good old days" very well. Every computer system is crummy. Linux is crummy. It's just a matter of how much we are paying for suckness.

      At least Linux is honest about its suckworthiness. You don't see Linus making grand speeches about "Trustworthy" computing, or "Security through fill in the methodology". He and his cadre are out there coding for fun. They will tell you as much. Many just happen to be paid to do it for a living.

      I personally use Linux. And it has nothing to do with quality. I'm constantly tweaking, patching, or scripting. It's about utility.

      --
      "Learning is not compulsory... neither is survival."
      --Dr.W.Edwards Deming
  13. Finally! They're fixing the bugs by 192939495969798999 · · Score: 4, Insightful

    When we get more like 50 of these a week, then we'll know that they've really gotten serious. Large systems have a lot of holes in them -- especially when no one was plugging the holes for oh, 10 years or so.

    --
    stuff |
  14. Trustworthy Computing by EvilTwinSkippy · · Score: 4, Interesting
    Trustworthy computing at work. Interesting how they have a critical flaw in Office at about the same time they are espousing new lock in features and DRM.

    My tinfoil cap has 2 pennies.

    --
    "Learning is not compulsory... neither is survival."
    --Dr.W.Edwards Deming
  15. Final patch by mcgroarty · · Score: 2, Funny

    I'm thinking MS could save a whole lot of time if they'd just get rid of the network and user input drivers!

  16. Flaws in Visual Basic by turgid · · Score: 4, Informative

    Flaws in Visual BASIC are documented right here

  17. Latest Debian gnu/Linux security warnings! by Anonymous Coward · · Score: 5, Insightful

    [29 Aug 2003] DSA-375 node - buffer overflow, format string
    [26 Aug 2003] DSA-374 libpam-smb - buffer overflow
    [26 Aug 2003] DSA-344 unzip - directory traversal (new revision)
    [18 Aug 2003] DSA-364 man-db - buffer overflows, arbitrary command execution (new revision)
    [16 Aug 2003] DSA-373 autorespond - buffer overflow
    [16 Aug 2003] DSA-372 netris - buffer overflow
    [13 Aug 2003] DSA-358 linux-kernel-2.4.18 - several vulnerabilities (new revision)
    [11 Aug 2003] DSA-371 perl - cross-site scripting
    [09 Aug 2003] DSA-361 kdelibs, kdelibs-crypto - several vulnerabilities (new revision)
    [08 Aug 2003] DSA-370 pam-pgsql - format string
    [08 Aug 2003] DSA-369 zblast - buffer overflow
    [08 Aug 2003] DSA-368 xpcd - buffer overflow
    [08 Aug 2003] DSA-367 xtokkaetama - buffer overflow

    Stop calling the kettle black! Fix your own problems. This stuff wouldn't happen if Debian didn't use out of date software, as most of the flaws mentioned were fixed in the new versions!

    1. Re:Latest Debian gnu/Linux security warnings! by akiaki007 · · Score: 4, Insightful

      The only one that *truly* affects Debian here is the kernel bugs. Everything else is software and shouldn't be considered that.

      The MS bugs pertain to the MS release software that directly affect the OS and the Office suite. And I would only really consider the VBA and the OS security bulletins here as being that important as that is what affects Windows. So that's 2.

      For debian we have 1. The rest are other software! If I wanted to talk about bugs with every piece of software being used in Windows, then let's do that. But clearly you're not.

      Stop comparing apples to oranges.

      --
      "Time is long and life is short, so begin to live while you still can." -EV
    2. Re:Latest Debian gnu/Linux security warnings! by blastedtokyo · · Score: 2, Insightful

      Ummm...Office is _application software_

  18. Slashdot just loves MS security bulletins by Anonymous Coward · · Score: 3, Insightful
    What's the big deal here? Microsoft finds a flaw, issues the patches, get coverage from slashdot.

    Things that happen all the time with unix/linux OS and apps.

    Don't be mistaken, i ain't pro-Microsoft. I just think that slashdot is often bashing MS products for no reason. Their ideology is bad. The world domination plan is bad. But i'm tired of "hardcore" unix/C fanatics that dismiss .NET without any knowledge of it.

    Whining and moaning every time they issue a security warning is just plain childish...oh wait this is slashdot

    1. Re:Slashdot just loves MS security bulletins by akiaki007 · · Score: 4, Insightful

      I use .Net. And I won't dismiss it. But all the bugs are really annoying. Some seem small. For instance, you can't use customized MenuItems in a ContextMenu in a NotifyIcon. That's quite useful if you think about it. If you want a simple application that runs a lot of other programs and processes in your company, it would make sense to use a NotifyIcon application. But every menu (no images allowed here) looks exactly the same. It would be very helpful to have icons and colours. but you can't. This is just one bug. There are quite a few, even within the compilers.

      I'm not dismissing it completely, but .Net released by MS is still very much a beta. Even at the 1.1 level.

      --
      "Time is long and life is short, so begin to live while you still can." -EV
    2. Re:Slashdot just loves MS security bulletins by Repugnant_Shit · · Score: 2, Interesting

      I've been using .NET. It's neat, and has a lot of cool features over VB6, ASP, and MFC, and yes, even Java. But as interesting as the technology is, why would anyone want to deal with a company that acts the way Microsoft does?

  19. paraphrasing.... by naph · · Score: 2, Funny
    "For example, an attacker could read files on your computer or run programs on it. By installing this update, you can help protect your computer." - MS03-037

    read... "do whatever the fuck they want"

    heh.

    --
    "if i'd known it was harmless, i'd have killed it myself"
  20. Every bit helps by Doesn't_Comment_Code · · Score: 4, Insightful
    I hope this wins some more business and government contracts for non-Windows based systems.

    Windows is ok for some applications. But this sort of thing (actually a whole month of bad security press) should jar a lot of decision makers to recognize that MS is not the ONLY REAL OS OUT THERE, as their marketing strategy has led all non-tech inclined business execs to believe.

    The Truth will set you free.

    --

    Slashdot Syndrome: the sudden, extreme urge to correct someone in order to validate one's self.
  21. NetBios Problem: Affected Platforms by burgburgburg · · Score: 4, Funny
    Affected platforms include Windows XP, Windows 2000, Windows NT 4.0 Server, and Windows Server 2003.

    Welcome to the family, WS2K3!

    1. Re:NetBios Problem: Affected Platforms by Accipiter · · Score: 2, Informative

      Bah. WS2K3 was affected by that silly DirectX/MIDI vulnerability.

      Because, you know, servers need DirectX. Just like they need themes.

      --

      -- Give him Head? Be a Beacon?
      (If you can't figure out how to E-Mail me, Don't. :P)

  22. It's funny to laugh at Microsoft... by Osrin · · Score: 4, Insightful

    ... but we should really be debating how we get this right on an OSS platform. If I put RedHat9 next to Windows Server 2003 I have significantly more updates to apply to my Linux box.

    This is a community of smart people, the race is on to figure out how to best solve this issue for our end users. Microsoft appears to be beating us by requiring far less updates to be applied than a randomly chosen Linux distro.

    We need to think about the process of distribution and application of these patches, if we can get that right then we get a larger percentage of the desktop.

    Today any undereducated end user who is judging security by the number of patches that jumps to a Linux distro because they've "heard" it is more secure will quickly be jumping back to Windows.

    1. Re:It's funny to laugh at Microsoft... by pmz · · Score: 3, Insightful

      Microsoft appears to be beating us by requiring far less updates to be applied than a randomly chosen Linux distro.

      This is a fallacy, as Windows is closed source. Microsoft will fix only those bugs that are either publicly disclosed, mandated by some court case, or, sometimes, actually found internally by their undersized QA staff. So, of course, Microsoft will appear to have fewer patches. Also, have you considered that the maintainers of your randomly-chosen Linux distribution are actually honest and believe offering a patch is better policy than offering none to save face?

      Open Source (open, transparent, honest)
      Microsoft (closed, opaque, lying assholes)

      Gee, who do we choose? Well, I guess we choose Microsoft, because they have fewer patches!

    2. Re:It's funny to laugh at Microsoft... by bogie · · Score: 3, Insightful

      "This is a community of smart people, the race is on to figure out how to best solve this issue for our end users. Microsoft appears to be beating us by requiring far less updates to be applied than a randomly chosen Linux distro."

      A) Linux and its associated apps are opensource so you're going to find more security flaws due to the nature of opensource. This is a GOOD thing.
      B) The ratio of packages per "average" linux distro vs. say 2k server or 2k3 server is what? 15 to 1? So judging by that fact it's surprising that Microsoft continues to have as many problems as they do. When comparing correctly there is no comparison, MS loses hands down.

      "... but we should really be debating how we get this right on an OSS platform. If I put RedHat9 next to Windows Server 2003 I have significantly more updates to apply to my Linux box."

      Any admin who actually knows how to use update and secure both linux and windows would say different. With Microsoft patches there is decent chance that the patch will not only not work and require a second patch, but also might hose your system. All those admins who get nailed by worms aren't just lazy. Many of them have been burned by MS patches and choose just not to use them.

      Let's also not forget about huge mega patch service packs that you have to use which are somehow ignored in your "count". Forgot about those huh? How many patches do these monsters hold? Hundreds? At a minimum. And of course nobody's system EVER gets hosed by service packs....

      How about those great new restrictive licensing terms which get forced down your throat just because you want to secure your box?

      Lastly even though 2k3 is better about it, I'll also enjoy not having to reboot my system for a simple patch. Don't you think average downtime should be added into the equation?

      I'll take Red Hat's or any other linux vendors patching system any day of the week thanks.

      --
      If you wanna get rich, you know that payback is a bitch
  23. On Principle by redtail1 · · Score: 2, Funny

    Maybe Microsoft has started offering their developers $20 for each security fix...

    1. Re:On Principle by Xenius · · Score: 2, Funny

      Heh, not even they have enough money to offer that. ;)

      --
      - Xenius
  24. education and administration still the weak spot by *weasel · · Score: 3, Insightful

    your box is only as secure as the person administering it.

    and apparently, windows users, left to their own devices don't know, or don't care about keeping up to date on security patches.

    although, when enough of them are willing to just go ahead and doubleclick on any attachment from an unknown sender (msblast), these kinda exploits aren't really even necessary.

    all the tools for a secure windows box are already there.
    (though a security-patch-only windowsupdate flavor would be very helpful).

    --
    // "Can't clowns and pirates just -try- to get along?"
  25. it's a good thing that microsoft by way2trivial · · Score: 3, Funny

    didn't make "our products will not kill customers and burn down buildings" one of it's "top priorities"

    think- where we would be then?

    --
    every day http://en.wikipedia.org/wiki/Special:Random
  26. Office Updates EXTREMELY Frustrating by syntap · · Score: 5, Insightful

    I'm in a mixed environment where we have some Dells that came with Small Business Edition (either SR1 or original), and other users who needed Access that we purchased Office 2000 Pro for. Because Microsoft requires the original CD, it really adds to the burden of updating because you have to figure out which friggin' disc to use on each individual station. If they would just let us run the damn patch without the CD verification it would be easier.

    Plus, their order of updates is fux0r3d. They have the spell checker update listed as more recent than SP2, but when I run it I get an error message that the update only runs on SP1.

    It's bad enough to need so many patches, but there are many basic things like the above that Microsoft could easily improve.

    1. Re:Office Updates EXTREMELY Frustrating by superflippy · · Score: 3, Interesting

      you have to figure out which friggin' disc to use on each individual station

      It's not just a difference between SBE and Pro. It turns out that all Pros are not created equal. The newer machines here were set up in two batches several months apart. All have Office XP Pro, but we discovered when trying to install the patch that the newer Office CDs are not the same as the older ones. Patches on the newer Office XP Pro require a file called PRORET.MSI on the CD, while the less new Office XP Pro needs a file named PRO.MSI on the CD.

      We figured this out after a frustrating attempt to patch my computer. A CD was in there, but the Office Updater didn't like it. It worked fine when we dug out the exact same CD that was originally used to install Office XP Pro on this computer.

      --
      Your fantasies contain the seeds of important concepts.
    2. Re:Office Updates EXTREMELY Frustrating by MachineShedFred · · Score: 2, Informative

      Have you tried using the office administration kit? It will allow you to make a scripted install that won't ask for CDs or any of that other annoying crap.

      All of Microsoft's installers and patches these days are MSI packages, which you can use several available tools to make "transform" files that skip all the screens, EULAs, next presses, and CD check crap.

      I believe the office administration kit is available for download from Microsoft's office website somewhere. I'll let a karma whore dig up the link...

      --
      Slashdot still doesn't support Unicode after it was added to the HTML standard in 1997.
  27. Re:Finally! They're fixing the bugs by Chainsaw+Messiah · · Score: 2, Interesting

    I just got a new pc with XP on it after a mb failed on old one last week. Decided to run windows update this morning. 30 "critical" updates, 11 xp updates and 3 driver updates. And this is a pc packaged in July.

  28. Honestly... by flamingnight · · Score: 3, Interesting

    ...is anyone surprised?
    I'm not even sure this belongs on /. anymore. We know MS writes buggy and vulnerable software.
    Of course, MS isn't the only company to write such buggy software. But before anyone says a word about MS being bashed too much, let's remember that 95% statistic. When a company's software runs on approximately 95% of the world's computers, they have the moral responsibility to ensure its stability before they release it.
    We could always blame sysadmins for being too stupid to check for and install updates, but instead, why don't we just educate people on why they should run Windows Update every week (or sooner).
    I'd think billions of dollars in damages to the economy would be enough to get executives cracking the whip at their IT staff. Then again, I also thought Bush lost the election.

    1. Re:Honestly... by sharkey · · Score: 2, Insightful
      I also thought Bush lost the election.

      Really? I thought America lost the election.

      --
      "Outlook not so good." That magic 8-ball knows everything! I'll ask about Exchange Server next.
  29. Re:I wonder how long before the new worm.. by b17bmbr · · Score: 2, Funny

    The bluster worm

    was that written by ballmer perchance.

    --
    My problem? I was perfectly gruntled, until some numbnuts came by and dissed me.
  30. Who should I bill for this? by yiantsbro · · Score: 2, Insightful

    Alright, the OS patches are one thing--I can automatically have our machines update if I wish. The office updates, however, require access to the installation media. As we have a volume license agreement and our individual users do not have copies of the media, I will have to have a tech personally visit each of our 500 or so machines to put in the CD and load the patches--or ignore this "critical" fix and hope for the best. I wish I had the option of forcing a different office application solution but in an academic environment it is difficult at best. Something like this really lays the foundations for class-action.

  31. Re:And yet, look at my sig for Linux vulnerabiliti by hype7 · · Score: 2, Insightful
    Here comes the part where people's excuse is that it's a joint effort, unable to be pinpointed as a "Linux hole." What does that mean? Nobody gets blame because a lot of people contribute? A lot of people contribute to Microsoft as well. They're just behind the moniker of a company label.


    Rather than excuse Linux, I think the people hate these MS warnings most of all because MS-users, unlike most Linux users, don't patch their systems. What normally ensues within a couple of weeks of the vulnerabilities is some exploit wreaks absolute havoc with the internet.

    If MS gets the patch out the door, and everyone installs it before some script-kiddie can exploit it, then who really cares? It's a pain downloading all the patches, but that would be the extent of the problem.

    Instead, the horde of zombies kills the internet. We've only just recovered from the last attack.

    -- james
  32. How Does This Affect Home Users Without the CD? by Mad+Man · · Score: 2, Interesting

    From personal experience, patches for MS Office require the user to have the CD available.

    In the corporate environment, this usually isn't a problem (except for the different flavors of Office we have floating around: MS Office Professional, MS Office Premium, MS Office Academic version, OEM non-retail version, etc. make it a pain).

    However, home users may have MS Word and MS Excel pre-installed on their systems from the store. But they don't have the Office CD itself.

    How can they apply the necessary MS Office patches and service packs?

  33. Re:And yet, look at my sig for Linux vulnerabiliti by BurritoWarrior · · Score: 4, Insightful

    Good troll, but try coming back with an analysis of the actual severity of the holes.

    I better hurry to run off and patch a hole in some obscure OSS app I don't have installed as opposed to the constant REMOTE ROOT EXPLOITS in the core Microsoft OS.

  34. 2 bugs not 5 by inteller · · Score: 2, Informative

    you fanboys blow this all out of proportion. It is 2 bugs with one that happens to affect 4 products. The reason they list separate announcements for each product is because some people don't have them all installed but still need it for the one app you use.

  35. Re:And yet, look at my sig for Linux vulnerabiliti by Anonymous Coward · · Score: 4, Informative

    Quick quiz, hot shot Troll: Here are the first 5 vulnerabilities from that list:

    atari800, gallery, eroaster, mindi, phpwebsite,

    Now, how many of those are "linux" (i.e. the linux kernel, shell and important utilities.) None.

    How many are remotely exploitable? None.

    Given the user base of those 5 obscure programs, how many would *you* rate as critical?

  36. Oh? by Overly+Critical+Guy · · Score: 2, Informative

    Guess you've never subscribed to Red Hat's errata updates, have you? I don't even want to bother reinstalling 9 because I know I'll get a HUGE list...

    Debian has more than 10 updates listed just for August alone, almost all buffer-overflows.

    Anyone want me to go on? Because I could. Remember the filesystem-corrupting kernel "turkey" release? Heck, 2.4.x was riddled with problems its entire run. But that doesn't matter when we've got hatred to burn on Microsoft, right? Sigh.

    NEWS FLASH--Companies issue patches for their software. The more used the software is, the more possible holes will be found to be patched. The more updated it will be. Why is it so surprising that something with 95%+ market share is going to be given patches? Wouldn't that be...I don't know...a good thing in people's eyes?

    Here comes the ranting Linux fanboy to tell me I'm wrong, and that everything Microsoft does is wrong. Sigh.

    --
    "Sufferin' succotash."
    1. Re:Oh? by Mentorix · · Score: 2, Informative

      This is getting really old really fast...

      For one thing I don't care how many patches my OS needs. Patches won't just go away, rather they seem to be an integral part of *any* OS there is. And the thing is, most Linux (or *bsd) users and admins are all perfectly aware of that fact.

      I just want to be sure the patch is on time, that it works, doesn't fuck something else up and doesn't introduce new vulnerabilities. Frankly, I don't think MS can really guarantee any of the above.

      Debian has more than 10 updates listed just for August alone, almost all buffer-overflows.
      And how many of these were in the kernel? Please understand that Debian releases much more code and software than Microsoft does with their OS and personally I'm not too worried about a buffer overflow in something obscure that I have never even thought about installing. And even then there's always the simple solution of running apt-get which fixes all your patch problems like magic...

      Anyone want me to go on? Because I could. Remember the filesystem-corrupting kernel "turkey" release? Heck, 2.4.x was riddled with problems its entire run. But that doesn't matter when we've got hatred to burn on Microsoft, right? Sigh.
      Ok, so 2.4.x wasn't the best, but to say it was all bad would be complete nonsense. Why do you seem to be trying very hard to over-generalize? Of course there are people posting anti-ms things but it's not like the whole story thread is littered with those posts... this is slashdot what do you expect?

      I got problems with MS, sure, but I fixed that problem by simply not using it and it has been working out pretty good for the last 5 years or so. You don't see me trolling slashdot about it...
      (wait, I just did?)



      --
      cat /dev/urandom | ..oh wait, nevermind.

    2. Re:Oh? by Ice_Balrog · · Score: 2, Insightful

      Almost every Windows vuln article I see this argument. And every time it gets refuted. Yes the Windows troll just will not go away.

      Debian distributes how many thousands of different packages? I don't remember, but it was over 2,000.
      Now then, how many different packages does MS make? 200-250. 5 out of 250 MS packages. 10 out of more than 2,000 Debian packages. Now Debian doesn't sound so bad, does it?


      On top of that, most of the Debian security vulnerabilities are theoretical or require access to the machine to use the exploit. Hardly as big of a threat as MS vulnerabilities.

      --
      #include "sig.h"
  37. Thank you MS by harvey_peterson · · Score: 2, Funny

    Thank you Microsoft, for keeping all of us Technical Support people employed. Without you, the other half of slashdot would be unemployed.

  38. Wow, not ONE of them was for Linux by finkployd · · Score: 4, Insightful

    Perhaps comparing all the security vulnerabilities for all software that could possibly run on Windows to this list would be SLIGHTLY more fair.

    As it stands now you are comparing all open source applications to the Windows Operating System.

    So good job on attempting to call the Slashdot community on hypocrisy, unfortunately you seem to be very confused about what Linux is and unable to make a valid comparison.

    Finkployd

  39. Oh come on by Cat_Byte · · Score: 2, Insightful

    Why must we have a discussion on every single MS update? This is like posting a major news announcement at every virus that comes around. Set up critical updates to download & install when you are ready, set up anti-virus to auto-update, and move on with the important things that we as a community of intelligent computer users can benefit from. It's not news if MS already discovered it, researched it, wrote a patch, tested it, and released the patch.

    In other news: Elvis Presley is still dead and the teddy bear icon virus still runs rampant.

    If we must post security advisories do it for a *nix platform where critical updates aren't automatically applied and mission critical apps are in danger of being compromised.

    --
    Two roads diverged in a wood, and I - I took the one the bus load of girls just went down.
  40. Hmm. Does this affect OEMs? by gosand · · Score: 3, Insightful

    I just thought of something - what do companies like Dell do? They just sell the stock OS on their systems, right? Everyone always complains that people don't patch their systems, but what if you buy a new machine from Dell? I am sure people don't think "oh man, I have a new system, I need to go out and figure out which patches to install". They fire it up and go. Should OEMs be required to sell systems that are up to date on the OS patches?

    --

    My beliefs do not require that you agree with them.

  41. This is the origin of the apache servers name... by evil_one666 · · Score: 5, Interesting
    http://www.apache.org/history/timeline.html

    Brian Behlendorf started collecting patches to be applied to the last version of NCSA. The initial versions of Apache are available primarily as a series of patches. Hence, initially, the name Apache, as it was "a patchy server". At least, so the legend goes.
  42. Re:And yet, look at my sig for Linux vulnerabiliti by Alien+Being · · Score: 2, Informative

    "...which definitely outnumbers five."

    If you use 5 different distros, and some fairly unusual apps, then gee, I guess you're right.

    You should change your handle to Overly Simplistic Guy.

  43. Requiring a CD = bad idea by Repugnant_Shit · · Score: 2, Interesting

    I develop lots of VBA stuff for our office. But all of our installation disks are 75 miles away at the main office. I have an Office XP Upgrade disk that was used on older here, but my full-blown Dell-installed Office XP won't accept it. So how am I supposed to patch this *critical* bug *immediately*?

  44. I hope their insertion operator for Add/Remove... by CatOne · · Score: 2, Funny

    Software is O(1).

    Because I have like 357 hotfixes in that list now.

    Damn, it's going to take me about 5 minutes to scroll down to uninstall any software that starts with a "Y" or "Z" :-P

  45. Re:Yes, there is a reason by gowen · · Score: 2, Insightful
    yet ignore that Linux application vulnerabilities are announced almost every day. But, they say, this is MICROSOFT! It's somehow DIFFERENT!
    Yes, it is different. All those Microsoft flaws are in products written and tested by Microsoft themselves.

    MS does not patch flaws in "Photoshop for Windows", or "CorelDraw for Windows" or Quicken, or Win32 Mozilla, or any number of the millions of Windows shareware apps. Unless you start counting those vulnerabilities as "MS vulnerabilities" you're not comparing like with like.

    All those Linux application flaws are in products (usually obscure ones) written by companies other than Linux distribution vendors. They package them with their distros because they can, and they promulgate the patches (also written elsewhere) because it's good practice.

    Yes, I know. IHBT. IHL.
    --
    Athletic Scholarships to universities make as much sense as academic scholarships to sports teams.
  46. And Office Update process is broken. by Angostura · · Score: 5, Insightful
    a couple of points on this.

    While I've just about managed to educate friends and family about the need to run Windows Update, WU does not in itself warn of critical security issues - you have to remember to visit Office Update manually... and who is going to do that? No one, in my experience.

    but it gets better - The Office Security updates require you to insert the original CD. This seems a mighty strange move, and not terribly useful for me since the CD is several thousand miles away locked up in a cupboard on the other side of the Atlantic.

    Can anyone explain the warped logic here? I could understand it if the new patches enabled new functionality? but these are security patches.

  47. Obligatory Dilbert quote... by quacking+duck · · Score: 2, Funny

    "Woo-hoo! I'm gonna write me a new minivan this afternoon!"

  48. Re:And yet, look at my sig for Linux vulnerabiliti by gmuslera · · Score: 3, Informative
    Remember the last webdav vulnerability for Microsoft/IIS?
    • Black hats knew about the vulnerability before Microsoft
    • Widespread attacks came some days after Microsoft finally got to know of it, but they didn't release any advisory about the danger because they had no patch ready, so it took end users by surprise.
    With linux at least you could have the warning even before the patch (like one of the latest apache vulnerabilities) so you can take measures before the patch is ready/tested/approved/signed/whatever.
  49. Re:education and administration still the weak spo by the_mad_poster · · Score: 2, Insightful
    all the tools for a secure windows box are already there

    Oh, really? So, if I want to remove Internet Explorer because it's such a buggy, hole-ridden program tied right to the OS, Microsoft has a tool for me to do that? So, if I don't want to install the RPC service on my W2k box at home, I can do that during the installation? So, if I want to forgo Explorer because I don't need pretty point and click interfaces, I can do that?

    You've got it backwards. Unlike well-designed systems, Microsoft DOESN'T provide you with the tools to make the box secure. That's one of the biggest problems - you have to rely on their "one-a-day" pills to make the box secure, and even then, it's not secure, it's just you filling one of many holes in the dam.

    --
    Alito: A vote for Alito is a punch in the eye to put that bitch back in her place!
  50. Criticality of this is horribly underrated by benploni · · Score: 4, Informative

    Criticality of this is horribly underrated by Microsoft.

    This is critically important for all Windows MS Office users - "the user must open the attachment" is no protection because most users open attachments to see what they are.

    If the infected Word Perfect document is given a .DOC extension, Word will be invoked directly when the user double-clicks the attachment. Word will automatically recognize and convert the document, and run the hostile code with no further opportunity for the user to stop the virus.

    The vulnerability could also be exploited through a web page, and the user would get no chance to say "No" if ActiveX is enabled.
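The renaming trick this comment describes (a WordPerfect file handed to Word under a .DOC extension so the converter runs) is exactly the kind of extension-versus-content mismatch a mail gateway or desktop agent can flag before the user ever double-clicks. The following Python is an added example and is not code from the original page, from Microsoft, or from the bulletin; the attachment names and bytes are constructed for the demonstration, while the three format signatures are the real leading bytes of OLE2 compound documents, WordPerfect documents and RTF files.

```python
"""Flag mail attachments whose bytes do not match their .doc extension.

Added example (constructed samples); checks the file signature so that a
WordPerfect document disguised as .doc is caught before Word's converter runs.
"""
from dataclasses import dataclass
from typing import List, Tuple

# Real leading bytes of the formats involved; the attachments below are constructed.
OLE2_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"   # native Word 97-2003 .doc container
WORDPERFECT_MAGIC = b"\xFFWPC"                       # WordPerfect document header
RTF_MAGIC = b"{\\rtf"                                # RTF, which Word opens natively

WORD_EXTENSIONS = {"doc", "dot"}


@dataclass
class Verdict:
    filename: str
    detected: str      # "ole2", "wordperfect", "rtf" or "unknown"
    suspicious: bool
    reason: str


def detect_format(data: bytes) -> str:
    """Classify content by its leading bytes, ignoring the filename entirely."""
    if data.startswith(OLE2_MAGIC):
        return "ole2"
    if data.startswith(WORDPERFECT_MAGIC):
        return "wordperfect"
    if data.startswith(RTF_MAGIC):
        return "rtf"
    return "unknown"


def check_attachment(filename: str, data: bytes) -> Verdict:
    """Compare the claimed extension with the detected container format."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    fmt = detect_format(data)
    if ext not in WORD_EXTENSIONS:
        return Verdict(filename, fmt, False, "not a Word extension; not checked here")
    if fmt == "wordperfect":
        # The case from the comment: Word auto-detects and converts WordPerfect
        # content regardless of the .doc name, so the converter code path runs.
        return Verdict(filename, fmt, True,
                       "WordPerfect content under a .doc name; converter would run")
    if fmt == "unknown":
        return Verdict(filename, fmt, True,
                       ".doc name but no recognised Word or RTF container")
    return Verdict(filename, fmt, False, f"extension matches {fmt} content")


def triage(attachments: List[Tuple[str, bytes]]) -> List[Verdict]:
    """Run the check over a batch, e.g. every attachment in one mail."""
    return [check_attachment(name, data) for name, data in attachments]


# Constructed sample attachments (padding bytes only; none is a real document).
SAMPLE_ATTACHMENTS: List[Tuple[str, bytes]] = [
    ("memo.doc", OLE2_MAGIC + bytes(24)),            # genuine Word container: fine
    ("report.doc", WORDPERFECT_MAGIC + bytes(24)),   # disguised WordPerfect: flagged
    ("notes.doc", RTF_MAGIC + b"1\\ansi " + bytes(8)),  # RTF under .doc: Word-native, fine
    ("invoice.doc", b"PK\x03\x04" + bytes(24)),      # unrelated container: flagged
    ("readme.txt", b"plain text body"),              # not a Word extension: skipped
]


if __name__ == "__main__":
    for verdict in triage(SAMPLE_ATTACHMENTS):
        flag = "SUSPICIOUS" if verdict.suspicious else "ok"
        print(f"{verdict.filename:12} {verdict.detected:12} {flag:10} {verdict.reason}")
```

The check is deliberately narrow: it does not parse the document, it only refuses to trust the extension. An RTF file under a .doc name is left alone because Word handles RTF itself; anything Word would hand to a format converter is what gets flagged.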

  51. Re:And yet, look at my sig for Linux vulnerabiliti by pirhana · · Score: 2, Informative

    People criticize Microsoft not because more vulnerabilities are reported on that platform but because of their approach to the entire issue. Even though Microsoft releases patches/fixes for the vulnerabilities, sysadmins can't install them with confidence as they are notorious for breaking existing applications and software. Then comes the rebooting issue. For almost every patch, you need to reboot the machine, which is not the case with Linux (except kernel patches). All these make it extremely difficult to patch the MS systems REGULARLY AND FAST. People can't afford to have extensive test, install, reboot ...blah blah on server systems. This is the reason why even networks like that of BMW get infected by MS worms and exploits. On the other hand in Linux, even though there are almost an equal number of vulnerabilities, the fast and easy management of the patch system makes it possible for everyone to keep updated and secured.

  52. This isn't news... Office is a root kit... by Mongoose · · Score: 2, Interesting


    1. Open Word
    2. ALT+F11
    3. Key in Shell "cmd.exe", vbNormalFocus
    4. F5

    This simple example runs a shell, but you can guess what happens when you can load a kernel debugger or alternative win32 shell and have system access.

    This isn't shocking and I've seen everyone try to remove the DOS subsystem, rename net.exe and disable and even remove cmd.exe/command.com by using filesystem tricks and depending on windows lame application's handling of these tricks.

    Basically you can't secure a Windows machine in public use -- btw if you have access to the usb port and a jump drive you can get in without a keyboard and send viruses/spam/etc from someone else's machine.

    Windows' Office VBA system and IE are the ultimate root kit imho.

    1. Re:This isn't news... Office is a root kit... by Kevinb · · Score: 2, Informative
      1. Open Word
      2. ALT+F11
      3. Key in Shell "cmd.exe", vbNormalFocus
      4. F5

      This simple example runs a shell, but you can guess what happens when you can load a kernel debugger or alternative win32 shell and have system access.

      So what? I can use the ! command in Emacs and other programs to accomplish the same thing on any Unix-based system.

      Office runs at whatever privilege level you currently have on the machine. If you already have permissions to debug the kernel or do other administrative tasks, you can just as easily do so by going to Start -> Run. If you don't have these permissions, Office isn't going to magically give them to you.

  53. Re:And yet, look at my sig for Linux vulnerabiliti by Bull999999 · · Score: 2, Funny

    I didn't know that Linus decided to integrate sendmail, php, LinuxNode, an Amateur Packet Radio Node program, perl, up2date (Red Hat), pam_smb, vmware, horde MTA, gdm, Mindi, eroaster, Gallery, and atari800 into the official Linux kernel. Is this the new Mega Supersized Linux Macrokernel?

    --
    1f u c4n r34d th1s u r34lly n33d t0 g37 l41d
  54. red alert on Road Runner for MS.. by pair-a-noyd · · Score: 2, Interesting

    While they show the date to be yesterday's date, the status is still red and active. Road Runner is choked up right now because of MS problems.
    Email is just about non-flowing.

    I talked to my son at college last night and the entire dorm is dead stopped because there are 150 pc's (excluding his Linux box) that are virused 6 ways to sunday and have brought the school system to a halt. He can't use the internet because of the MS machines bringing it down.

    Now THAT's sad. With 150 machines in his dorm it's turned into a virus P2P network. The viruses propagate so rapidly because they are protected by the university firewall from the outside world but there is no internal protection against *anything*....

    The people that run networks, like schools and businesses, need to manage their systems better. This stuff is not funny anymore and it's already gone way past the prank stage.

    It's time for some extremely severe prison terms. No more wrist slapping.

    Status Red
    9/2/2003 7:24 AM
    9/3/2003 6:02 PM
    ALL Areas.
    Road Runner subscribers in all areas could experience slow browsing and/or packet loss when accessing Microsoft sites and services. This could include microsoft.com, windowsupdate.com, msn.com, msnbc.com, hotmail.com, vicinity.com, the Messenger service and any Microsoft websites and services at this time. Our Engineers are working to get these issues resolved as quickly as possible. Thank you for your patience.

  55. Have to contact MS for Office 97 patches? by birk_man · · Score: 2, Informative

    A quick look at MS03-036 and MS03-035 shows that patches are readily downloadable for Office 2000 and newer. They say there is a fix for Office97 but it looks like you need to contact MS support to get it.
    Does MS realize how many of us are still using Office 97?
    Anyone know of a place to download the Office 97 patches for these?

  56. Re:And yet, look at my sig for Linux vulnerabiliti by frekio · · Score: 2, Insightful

    If you look a bit more closely at those "linux" security holes, then you notice that they are programs such as "eroaster" and "Atari800" that have the vulnerabilities. These are simply programs that can be installed on the systems that may be in the Gentoo portage for example, or FreeBSD ports system or a RedHat package.

    The only "Linux" software you can really blame is the kernel; besides that, if a distribution has a hole in a default install that is a big issue. Otherwise, if the user installs software that has a hole you can't really blame Linux for it. Microsoft wrote and distributes all the software which had the holes listed in this story, so they can be held accountable (unlike Linux in your story).

    On that page at 9AM PDT there are ZERO bugs which fall into the category of serious issues that are Linux / *nix or Linux Distribution's fault. They are all stand alone software that have vulns.

    If they listed every software on the windows platform which had vulnerabilities the MS list would be massively enhanced also. They aren't audited as much as unix programs because a lot less of them are open source... so the bugs are just sitting there, unfixed.

    Another FUD bites the dust....

  57. need to use BOTH update sites by rakerman · · Score: 2, Informative

    Just a note that in order to be fully covered for MS patches, you have to use BOTH Windows Update and Office Update.

    The Windows Update service (automatic or manual) will not detect or install Office patches.

  58. Re:Face it, Linux is popular enough. by gmack · · Score: 4, Informative

    That's funny.. last time there were security vulns I read about them on 3 different news sites and I didn't have to do a thing because my system updated itself.

    It is the distro's job to make sure you are protected when a new exploit is discovered just as it's Microsoft's job when the problem is in windows. Also, if you think anyone accepts accountability for the problem in windows land you may want to read through the EULA again because it sure isn't MS.

    Linux distros get bashed just as much over this and some of us actually avoid the distros with overly bad security records.

    You also need to keep in mind that there is less downtime involved when upgrading Linux systems. My Linux servers are all fully upgraded but have not been shutdown in months. Window? 4 patches 3 reboots.. yuck

  59. Comparing Red Hat updates to MS.. by saintjab · · Score: 5, Interesting

    I'm sure this will get modded down, or ignored by the moderators all together, as off topic; but I feel it's a good comparison. I have two, relatively similar, workstations. One running Red Hat 9 and the other WinXP. I use RH Up2Date on the Linux bawx and Windows Update on the XP machine religiously. The observations that I have made are pretty amazing. Microsoft releases roughly 4 patches for every 1 that RH releases. The RH packages, other than kernel updates, do not require any reboots; where most of the MS ones do. I've not had a single occurrence of an adverse effect on my Linux machine from any patches, where I have had a myriad of issues with the XP/Office updates (insert CD, permissions issues, BSODs, etc). I'm not at all trying to scream the virtues of Linux and downplay MS, but there are real issues. Not to even mention never having adware, spyware, etc. installed on my RH machine without my knowledge. I'm extremely careful with all of my machines and I still managed to get some IE search bar added to my browser. I removed it quickly with Spybot Search and Destroy, but it still happened. I think MS needs to take a step back from the cash register and seriously evaluate their tactics and practice where desktops are concerned. That is, if they ever want their update service to be even close to as effective as RH. But that's just my two cents and I'm sure there are a line of people out there to tell me I'm wrong and/or full of crap; but these are real world observations from someone who is completely OS neutral. ..jab

    --
    "Reality is a crutch for people who can't handle drugs" - George Bernard Shaw (1856 - 1950)
    1. Re:Comparing Red Hat updates to MS.. by sheldon · · Score: 2, Interesting

      Microsoft releases roughly 4 patches for every 1 that RH releases.

      I believe you mistyped because the facts say Redhat issues about 4 patches for every one that Microsoft releases.

      I first noticed this myself last year after having installed Redhat 8.0 and subscribed to the redhat network and witnessed the slew of emails I began receiving warning me to run up2date.

      But thats just my two cents and I'm sure there are a line of people out there to tell me I'm wrong and/or full of crap; but these are real world observations from someone who is completely OS neutral.

      I'm not interested in getting into any sort of philosophical debate or say you are wrong or anything. You have your perception, but the facts clearly don't support your anecdotal evidence.

      http://www.redhat.com/apps/support/errata/

      In fact if you look out at Redhat 9 you'll see there was an Apache vulnerability patched just today.

  60. blame microsoft! by Anonymous Coward · · Score: 3, Interesting

    Okay I see a lot of Microsoft apologists saying that "all software has bugs", "Linux has problems too", "dumb admins need to keep their machines up to date".. etc...

    Let's see:

    Linux written by volunteers and small companies.

    Windows written by a company with tens of billions in the bank.

    Linux used mostly on servers and installed by educated admins.

    Windows used by everyone from grandma to the CEO.

    Linux on a small percentage of servers.

    Windows on 96% of machines (or whatever the figure is). Windows used in ATMs, in medical equipment, by the government, etc., etc. The Microsoft antitrust ruling was typed out on a Windows machine.

    And given their resources, their cash, the number of frickin' PhD's on the payroll, and the fact that the entire world economy depends on Windows crap OS (yes even us folks who use Mac/BSD/Linux are still affected indirectly) .. you gotta ask yourself .. is "similar to Linux" in terms of security problems the BEST they can do?

    They have a huge responsibility, and they have chosen not to meet it. Why? Is it so that the government will pass software quality laws that will place a huge burden on Free software, thus weakening it or killing it off?

    Or is it because people have their heads in the sand and refuse to acknowledge that Microsoft is not worth the time and money any more. That's probably it. People are sitting there constantly patching their Windows boxes and not realizing that, hey, maybe there are alternatives. Microsoft has you all by the nuts.

    Why are you guys making excuses for Microsoft? Microsoft's products should be the most secure on the planet given their resources and abilities.

    I used to think, hey, all computers have problems, but after using software like qmail and OpenBSD, I realized, Microsoft is doing about 1% of what they could do. Even just closing ports and making email attachments not be executable would solve a lot of problems. They need to make their software more secure.

    Instead they come up with Palladium or whatever it's called now, a gigantic complex scheme to solve this problem (and a lot of other imaginary "problems" too). Can't they try some simple stuff first?

    So don't apologize for Microsoft, don't say "well, if Linux was everywhere we'd have the same problems" .. the problem today, right now, is Microsoft. The constant flood of pings to my machine are coming from microsoft machines. The viruses are coming from microsoft machines. When is it going to stop??

    1. Re:blame microsoft! by pair-a-noyd · · Score: 2, Funny

      Hey!
      Patching Windows is *GOOD* (as in doubleplus) for the economy!

      Just think of all the computer techs "steppin & fetchin" right now patching up all the M$ boxes around the world. Right now they are busier than Santa's elves on Christmas eve.

      All that overtime is boosting the economy man!
      And as they drive around, they spread the wealth, from spending those big, fat paychecks on upgrading to Windows XP! And as they drive around patching systems, they stop and spend a dollar or two at McD's, a bag of Cheetos, a soda, you name it.

      Yep, patching Windows definitely is a BIG BOOST to the economy and it's a good Homeland Defense exercise.

  61. Re:And yet, look at my sig for Linux vulnerabiliti by apdt · · Score: 2, Interesting

    The point is that all the vulnerabilities in the list on the page you linked to (with the exception of sendmail) are fairly obscure "3rd party" apps.

    If a vulnerability was found in some obscure windows ftp server that you got off tucows for example, you wouldn't list that as a windows vulnerability would you?

    --
    I lay awake last night wondering where the sun had gone, then it dawned on me.
  62. Sweet quote from Seattle News by w42w42 · · Score: 2, Funny

    A nice quote from KOMO, a station in Seattle (next door to Redmond for those that are unfamiliar with the area).

    SEATTLE - Those of you using Mac OS or Linux can relax this time, but those using MS Office on Windows, take note: Microsoft has issued some more security alerts.
  63. Many hours will be lost patching Word. by Futurepower(R) · · Score: 3, Insightful


    To patch the security vulnerabilities in Microsoft Word, you have to 1) download the patch, 2) find the original Word CD and put it in the CD drive, 3) run the patch, 4) wait while a lot of processing is done with the CD, and 5) put the CD away again. It seems to me that, since this was a patch for a severe security vulnerability, Microsoft could have skipped the time-consuming 2, 4, and 5 steps. Think how many total hours will be lost throughout the world by users or computer professionals whose time is extremely valuable. The TCO just went up.

    1. Re:Many hours will be lost patching Word. by pe1chl · · Score: 2, Informative

      The MSI installer used for Word is indeed terribly slow.
      I took this opportunity to install Office 2K SP3 plus these two fixes, and it easily eats 10 minutes per PC, to install about 12MB of patches. That could be done in 10 seconds.

  64. Re:Minneapolis references on /. by revividus · · Score: 3, Funny
    Oops, my bad.

    Is there some sort of ANSI standard-Strip-club-naming-convention that I'm not aware of?

  65. Autoupdate does not cover Office! by gad_zuki! · · Score: 2, Insightful

    >I didn't have to do a thing because my system updated itself.

    Well, now you're out of luck. Joe Sixpack not only needs autoupdate on 24/7 he also needs to visit officeupdate to get the office patches: http://office.microsoft.com/ProductUpdates/default.aspx

    Can MS make this more confusing for the average user? KB824993 and KB826292 do not show on a fresh Windowsupdate.com scan or with the MSBL tool.

  66. Windows (Simplified) World by knghtrider · · Score: 2, Insightful

    For one reason or another, things are different in the Windows world.

    Yes, things are different in the Windows (Simplified) World. In the Windows World; you buy PC XYZ from company ABC complete with Windows. You unbox it, turn it on, and let the 'magic' do its thing. There's no muss, no fuss and I've got a working PC. Oh, never mind that the OS isn't patched with the latest patches--the average home user doesn't know (or understand) that it needs to be--regardless of the media coverage of worm/virus Qbert. The average home user is NOT technically inclined. Therein lies the source of the problem--lack of sufficient instruction, which is the delegated responsibility of the OEM System Builder. Consequently, every little bug gets passed along, and we end up with MSBlaster type problems.

    In the Linux world; the average user is technical, or has had the system set up by someone technical. They take care of the system, understand how to patch the system and ensure that it has been patched. For this reason, problems are short lived.

    We live in a simplified world. From fast food; disposable diapers, razors, etc.; to all-in-one super stores; everything is simplified for us. I don't have to know how to make Veal Scallopini; I can buy it pre-made at the grocery. We want everything easy, because we don't want to take the time to do otherwise.

    Granted, this is an oversimplified view. I didn't factor in regression testing of patches at the corporate level in order to ensure that the new patch doesn't break something else in use, due to the tight integration of code with the Microsoft OS (unlike Unix/Linux Applications). This takes time (stakeholders and their ilk tend to be testy when their application breaks) and may result in infection before testing is complete. The point is people have been brainwashed into believing that computers are simple, when in fact they require a lot of attention, like a toddler or a puppy.

    How did we do things without computers before? I know..paper and pencil. At least there we didn't have to worry about viruses--unless it's a cold. LOL... Maybe regression is a good thing this time?

    --
    In America today you can murder land for private profit. You can leave the corpse for all to see, and nobody calls the c
  67. Troll. Read the alerts/ Debian backports to stable by The+Revolutionary · · Score: 3, Insightful
    First, realize that these security alerts arise from a set of over 8710 packages. This is an incredibly large base of software, the great majority of which you will not have installed, and certainly not have installed in a production environment.

    Second, did you even bother to read those security alerts or investigate what the packages are? Briefly:

    node: "Amateur Packet Radio Node program"

    libpam-smb: arbitrary code, but no privilege escalation

    unzip: no privilege escalation, no arbitrary code, and who uses it?

    man-db: only if you go against install-time advice and make it setuid

    autorespond: "This vulnerability is currently not believed to be exploitable due to incidental limits on the length of the problematic input, but there may be situations in which these limits do not apply."

    netris: "A free, networked version of T*tris"

    linux-kernel-2.4.18: most are local only, "STP protocol", or an nfs3 DOS with no arbitrary code or remote root

    perl: yes, "execute arbitrary web script within the context of the generated page"

    kdelibs: konqueror only, client only

    pam-pgsql: arbitrary code, but no privilege escalation

    zblast: "shoot 'em up space game"

    xpcd: local only

    xtokkaetama: local only

    "This stuff wouldn't happen if Debian didn't use out of date software, as most of the flaws mentioned were fixed in the new versions!"

    And this is why I call troll.

    From Debian security FAQ:
    "The most important guideline when making a new package that fixes a security problem is to make as few changes as possible. Our users and developers are relying on the exact behaviour of a release once it is made, so any change we make can possibly break someone's system. This is especially true in case of libraries: make sure you never change the Application Program Interface (API) or Application Binary Interface (ABI), no matter how small the change is.

    This means that moving to a new upstream version is not a good solution, instead the relevant changes should be backported. Generally upstream maintainers are willing to help if needed, if not the Debian security team might be able to help.

    In some cases it is not possible to backport a security fix, for example when large amounts of source code need to be modified or rewritten. If that happens it might be necessary to move to a new upstream version, but this has to be coordinated with the security team beforehand."
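The triage above rests on one question: which of the advisory packages are actually installed on the box you are responsible for? The following is an added example (not from the post, and not Debian's own tooling) that answers it by intersecting the advisory's package names with an installed-package list. The installed list here is a constructed sample; on a real Debian host, `dpkg-query -W -f='${Package}\n'` produces the equivalent input.

```shell
#!/bin/sh
# Added example: which packages from a set of security advisories are
# installed here? Only those deserve follow-up; the rest are noise.

# Constructed stand-in for `dpkg-query -W -f='${Package}\n'` output.
# Replace this function body with that command on a real Debian system.
installed_sample() {
    printf '%s\n' perl libpam-smb unzip bash coreutils sed
}

# Package names as listed in the Debian advisories quoted in the post.
advisory_packages() {
    printf '%s\n' node libpam-smb unzip man-db autorespond netris \
        perl kdelibs pam-pgsql zblast xpcd xtokkaetama
}

# Print, one per line, the advisory packages that are installed.
#   $1: command producing installed package names, one per line
#   $2: command producing advisory package names, one per line
# comm(1) needs sorted, de-duplicated input, hence the sort -u.
affected_installed() {
    inst=$(mktemp) || return 1
    adv=$(mktemp) || { rm -f "$inst"; return 1; }
    "$1" | sort -u > "$inst"
    "$2" | sort -u > "$adv"
    comm -12 "$inst" "$adv"
    rm -f "$inst" "$adv"
}

# Sample run against the constructed data: prints libpam-smb, perl, unzip.
affected_installed installed_sample advisory_packages
```

Against the constructed list the twelve advisories collapse to three packages worth reading in detail; the remaining nine (the games, the packet-radio node, the local-only X tools) can be skipped until they are installed.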

  68. Mitigating Factors by cmacb · · Score: 2, Funny
    The security threat posed by a particular bug in Windows is "Critical", but this is mitigated by the fact that: "The user must open a document sent to them by an attacker in order for this vulnerability to be exploited.", or "The Microsoft Access Snapshot Viewer is not installed with Microsoft Office by default. ", or "Any information disclosure would be completely random. "

    Well that last one is certainly good to know. If my information is going to be disclosed I'd certainly prefer that it be my random information rather than my much more valuable, um, organized information.

    I'm wondering if there are not a team of "Mitigation Specialists" at Microsoft charged with coming up with these things. I think this is something I could handle pretty well. I think I'll send them a resume.

    Here is a sample of my work:

    Mitigating Factors:

    * User must have not only installed Windows and Office, but actually be using these products for any harm to, or exposure of user data to occur.

    ~*~ Small pets, farm animals, or other domesticated wildlife will not be harmed by the use of these products, even if human user fails to exercise due caution.

    *# Extra-Terrestrial life-forms are completely safe even when in the same room as an operating Windows environment.

    ::=. Use of un-patched Outlook Express has been shown to have no effect on local precipitation nor earthquake activity. We will advise customers of any future change in this situation.

    I really think I could come up with a lot of these. How about you? Do you have a future as a Microsoft Mitigation Specialist?

  69. Re:And yet, look at my sig for Linux vulnerabiliti by Dot.Com.CEO · · Score: 2, Insightful

    pam_smb and sendmail "obscure"? And that's only in the past, what, five days...

    --
    Mother is the best bet and don't let Satan draw you too fast.
  70. Corporate Deployment by gregarican · · Score: 2, Informative
    These patches will absolutely suck to deploy on a larger-scale corporate network. Case in point...the VBA patch.

    Right now I'm looking at silently packaging things together for a mix of Windoze 98 SE clients running Orifice 2K/XP and Windoze 2K clients running Orifice XP. Every month I deliver at least a half dozen of their damn security patches and typically can comprehend the proper command line switches (usu. Microsoft's setup.exe or hotfix.exe format) to make these deployments *NOT* require a mandatory reboot and *NOT* require a lot of user input.

    What drives me crazy about the VBA patches is that they require:

    Upgrading to Windoze Installer 2.0.

    Applying all subsequent Service Packs (SP1a and SP3 for Orifice 2K; SP1 and SP2 for Orifice XP).

    Finally applying the VBA patches to either Orifice 2K or Orifice XP.

    So all in all it will take at least a week to code, test, and deploy in the least intrusive manner possible. But the Windoze Installer keeps on requiring installation media (CD or file share). Not exactly automated. So I guess I'll dig through the MSI docs to determine how to disable this known flaw (Q268800).

    For a one-man show I'm really looking forward to all of the lost productivity. Almost as bad as figuring out a way to silently install the DirectX 9.0b upgrade since Microsoft left out the command-line switches. That one took me two days to work around.

    When will people get fed up with all of this crap? I have worked with computers since 1981 and am practically ready to abandon them and go back to damn typewriters and daytimers!

  71. M$ Security logic by AbbyNormal · · Score: 3, Funny

    I loved the article over at NewScientist (here)

    A Microsoft spokeswoman told New Scientist the risk was lessened by the fact that exploiting any of the vulnerabilities would require a victim to open a document or carry out some other active task. She added: "We don't know of any worms being created."

    Uh...Open a document? You mean like an email with the attached virus/worm that says: "Here is the document you requested"?

    Sigh...Damage control must be getting lazy or something.

    --
    Sig it.
  72. Re:And yet, look at my sig for Linux vulnerabiliti by Wakko+Warner · · Score: 2, Insightful

    I'd say the first is awfully obscure, seeing as how I've used Linux now for nine years and have yet to find a system which actually uses it.

    And sendmail? Hardly a linux-specific application, wouldn't you say? Besides, most Linux distros no longer use it.

    - A.P.

    --
    "Remember when the U.S. had a drug problem, and then we declared a War On Drugs, and now you can't buy drugs anymore?"
  73. Word97 is out in the cold. by SLot · · Score: 3

    Lovely. They say that Word97 is affected, but that OfficeUpdate doesn't support Office97.

    Head on over to the manual download section for Office97. NOTHING TO BE FOUND RELATED TO THIS in the office section. Under Word alone, the latest update is from 2001.

    Gee, go figure. Yet another reason to spend money I don't have for a product I don't want.

    Oh, and for all you astroturfers & M$ Fanboys - at least when Linux does have a flaw, it doesn't require me to spend 400 bucks on an upgrade to a later, flawed version.

  74. Re:And yet, look at my sig for Linux vulnerabiliti by __past__ · · Score: 2, Funny

    He did so because he saw how successful Microsoft was after integrating VBA and the Office programs in the XP kernel.

  75. PGP version by The+Snailman · · Score: 2, Insightful

    You just have to laugh at this...
    If you got all the Microsoft Security Bulletins check out how the PGP version used to sign each one changed.
    Especially this one:
    Microsoft Security Bulletin MS03-036: Buffer Overrun in WordPerfect Converter Could Allow Code Execution(827103)

    If you didn't get it or can't be bothered reading it:
    -----BEGIN PGP SIGNATURE-----
    Version: PGP 8.0.2 - not licensed for commercial use: www.pgp.com

    --
    Warning: you are logged into reality as root...