Microsoft Issues Five New Security Warnings

smelroy writes "Microsoft on Wednesday issued security bulletins for five new software vulnerabilities, including a flaw in Visual Basic for Applications that the company rated as critical. The company has posted patches for each of the flaws on its Web site. Four of the problems affect Microsoft's Office desktop software. You can read the story here and the security bulletins here."

deja vu

i'm having this funny feeling of deja vu...

Re:deja vu

Could this be a glitch in the Matrix?

Re:deja vu

[Winterblink]

*draws dual 9mms* It's a glitch in the Matrix. It happens when they patch something.

Re:deja vu

Re:deja vu (Score:0)
by Anonymous Coward on Thursday September 04, @10:11AM (#6868436)
Could this be a glitch in the Matrix?

Re:deja vu (Score:2)
by Winterblink (575267) on Thursday September 04, @10:11AM (#6868444)
*draws dual 9mms* It's a glitch in the Matrix. It happens when they patch something.

Two identical posts at the exact same time. Now that *has* to be a glitch in the Matrix!

Re:deja vu

[EvilTwinSkippy]

Was it 2 patches, or the same patch twice?

Re:deja vu

[RLW]

documentary style music.
Voice over: It's the wheel of glitches.

Location: M$aFT glitch preserve.

M$aFT Tour Guide: The life cycle of the glitch is an often fast and furrious one, many only living for a few short days upto a few months typically. Although on some low exposure less used systems they may obtain a Methuselahn life span of a several years.
slight pause
Tour Guide Continues: Here at the M$aFT glitch preserve we try to breed and raise our glitches for survival in the wild.

Interupting Guide Tour member: Why do you breed and raise glitchtes anyway? Aren't there enough bugs in the wild already. I mean ...

Cutting off the Tour member Tour Guide: They are glitches, not bugs. As far as the number of glitches in the wild each glitch performs important ecological functions. There are some that encourage users to upgrade their Office packages, there are others that spark the need to upgrade development IDEs and there are others still that motivate upgrades to new versions of our glitch preserve, uh, I mean OS.

Re:deja vu

[MarkGriz]

Linus, I need an exit... fast!

Re:deja vu

[syle]

Because like a strip club, Microsoft shows you a good time, but eventually leaves you to go home depressed, penniless, and unsatisfied.

Had me confused for a second

[greechneb]

The most serious of the flaws could let an attacker execute code from an open Office application.

Confused me because I couldn't figure out why Microsoft was releasing bug reports for openoffice. (Aside from the obvious conspiracy theory that Microsoft would be trying to make the competition look bad)

critical VBA flaw

[b17bmbr]

wouldn't ANY vba flaw be critical. if i recall correctly, through vba, you can manipulate the entire file system. while it doesn't give you low level access, it has access to every COM object on your system. in fact, weren't the code red and i love you virii (and many others) written in VBA. VBA seems to be such a big reason that businesses can't move away from windows/office. to me, it seems like a reason TO move away from office.

Re:critical VBA flaw

[mforbes]

OpenOffice and StarOffice also having built-in scripting languages. Perhaps the risks of buffer overruns aren't as common under those (I don't know, since I lack much experience with those scripting languages), but in all fairness to MS, if OpenOffice were the leading suite & de facto standard, it would also see many attacks. The problem in this case isn't that the flaw exists-- patches are easy enough to apply. It's that with the near-monopoly MS has over hundreds of millions of users, you can always guarantee some large subset of users won't have the patches installed, and thus will be vulnerable to attack.

Re:critical VBA flaw

[Surak]

Speaking as someone who has written full-blown applications in VBA, OOo and StarOffice use StarBasic, which isn't quite the same thing as VBA. VBA is a lot more at the system level and gives you more control over the machine.

Re:critical VBA flaw

[ScrewMaster]

You might see more, but Microsoft still hasn't grasped the sandbox principle: any code that isn't explicitly trusted should not be allowed to access any data or functionality outside a strictly limited area. It can play all it wants inside that sandbox, but won't be allowed out to do harm. ActiveX and COM are two of the most dangerous Microsoft inventions from a security standpoint, since they don't place enough restrictions on what a remote programmer can do with your machine.

Sigh... it seems a day doesn't go by

[winkydink]

...without either e-mail from RedHat about a bug or news from MS about one. Lucky me, today I have both.

Microsoft Issues Five New Security Warnings

1.SuSE

2.Red Hat

3.Mandrake

4.Debian

5.Gentoo

Snapshot Viewer affected?

[Karl+Cocknozzle]

Crap! That means I have to touch every machine in the enterprise--again! Just two weeks after "touching 'em all" (not in the baseball sense) from the last round of worm patches.

How I long for the old days of Novell... Ah...take me away!

Re:Snapshot Viewer affected?

[nairnr]

Kinda makes you yearn for thin clients again... Make a few changes that affect all users. It seems to be something that would start making some sense again, with the number of times that systems are affected in a coporate environment, a more centralized server system does have its advantages. It would be interesting if this frequent patch cycle is affecting how people deploy large scale systems.

Ah, X-servers :-)

Re:Why Does Slashdot Care???!!

[jpsst34]

"This looks like another story to laugh and mock MS. In reality, it is you zealots that look like mormons."

That doesn't make any sense. A Linux zealot can't even get a date, let alone several wives!

Finally! They're fixing the bugs

[192939495969798999]

When we get more like 50 of these a week, then we'll know that they've really gotten serious. Large systems have a lot of holes in them -- especially when no one was plugging the holes for oh, 10 years or so.

Trustworthy Computing

[EvilTwinSkippy]

Trustworth computing at work. Interesting how they have a critical flaw in Office at about the same time they are espousing new lock in features and DRM.

My tinfoil cap has 2 pennies.

Flaws in Visual Basic

[turgid]

Flaws in Visual BASIC are documented right here

Re:what % of Windows is patches?

[n3rd]

And how long until the entire operating system, and all the Microsoft applications, are all just patches?

Interesting? Come on.

Linux was released. Then patched. Then patched again. And again until it became what it is today.

Apache web server anyone?

Latest Debian gnu/Linux seccurity warnings!

[29 Aug 2003] DSA-375 node - buffer overflow, format string
[26 Aug 2003] DSA-374 libpam-smb - buffer overflow
[26 Aug 2003] DSA-344 unzip - directory traversal (new revision)
[18 Aug 2003] DSA-364 man-db - buffer overflows, arbitrary command execution (new revision)
[16 Aug 2003] DSA-373 autorespond - buffer overflow
[16 Aug 2003] DSA-372 netris - buffer overflow
[13 Aug 2003] DSA-358 linux-kernel-2.4.18 - several vulnerabilities (new revision)
[11 Aug 2003] DSA-371 perl - cross-site scripting
[09 Aug 2003] DSA-361 kdelibs, kdelibs-crypto - several vulnerabilities (new revision)
[08 Aug 2003] DSA-370 pam-pgsql - format string
[08 Aug 2003] DSA-369 zblast - buffer overflow
[08 Aug 2003] DSA-368 xpcd - buffer overflow
[08 Aug 2003] DSA-367 xtokkaetama - buffer overflow

Stop calling the kettle black! Fix your own problems. This stuff wouldn't happen if Debian didn't use out of date software, as most of the flaws mentioned were fixed in the new versions!

Re:Latest Debian gnu/Linux seccurity warnings!

[akiaki007]

The only one that *truely* affects Debian here is the kernel bugs. Everything else is software and shouldn't be considered that.

The MS bugs pertain to the MS release software that directly affect the OS and the Office suite. And I would only really consider the VBA and the OS security bulletins here as being that important as that is what affects Windows. So that's 2.

For debian we have 1. The rest are other software! If I wanted to talk about bugs with every piece of software being used in Windows, then let's do that. But clearly you're not.

Stop comparing apples to oranges.

Every bit helps

[Doesn't_Comment_Code]

I hope this wins some more business and government contracts for non-Windows based systems.

Windows is ok for some applications. But this sort of thing (actually a whole month of bad security press) should jar a lot of decision makers to recognize that MS is not the ONLY REAL OS OUT THERE, as there marketing strategy has led all non-tech inclined business execs to beleive.

The Truth will set you free.

NetBios Problem: Affected Platforms

[burgburgburg]

Affected platforms include Windows XP, Windows 2000, Windows NT 4.0 Server, and Windows Server 2003.

Welcome to the family, WS2K3!

Re:what % of Windows is patches?

[Doesn't_Comment_Code]

And how long until the entire operating system, and all the Microsoft applications, are all just patches?

It should be a lot easier to pirate a copy of Windows when you can reconstruct the entire operating system by downloading patches directly from MS, and piecing them together like legos.

Re:what % of Windows is patches?

[Sun+Tzu]

The difference between Linux and Windows that the original poster was obviously referring to is this:

Linux consists of 99%+ functionality patches

Windows consists of 182%+(*) security patches, many of which, unfortunately, have security issues

(*) Totals exceed 100% due to previous patches getting patched for new security issues.
--
Send us your Linux programming articles

It's funny to laugh at Microsoft...

[Osrin]

... but we should really be debating how we get this right on an OSS platform. If I put RedHat9 next to Windows Server 2003 I have significantly more updates to apply to my Linux box.

This is a community of smart people, the race is on to figure out how to best solve this issue for our end users. Microsoft appears to be beating us by requiring far less updates to be applied than a randomly chosed Linux distro.

We need to think about the process of distribution and application of these patches, if we can get that right then we get a larger percentage of the desktop.

Today any undereducated end user who is judging security by the number of patches that jumps to a Linux distro because they've "heard" it is more secure will quickly be jumping back to Windows.

Office Updates EXTREMELY Frustrating

[syntap]

I'm in a mixed environment where we have some Dells that came with Small Business Edition (either SR1 or original), and other users who needed Access that we purchased Office 2000 Pro for. Because Microsoft requires the original CD, it really adds to the burden of updating because you have to figure out which friggin' disc to use on each individual station. If they would just let us run the damn patch without the CD verification it would be easier.

Plus, their order of updates is fux0r3d. They have the spell checker update listed as more recent than SP2, but when I run it I get an error message that the update only runs on SP1 .

It's bad enough to need so many patches, but there are many basic things like the above that Microsoft could easily improve.

Re:Slashdot just loves MS security bulletins

[akiaki007]

I use .Net. And I won't dismiss it. But all the bugs are really annoying. Some seem small. For instance, you can't use customized MenuItems in a ContextMenu in a NotifyIcon. That's quite useful if you think about it. If you want a simple application that runs a lot of other programs and processes in your company, it would make sense to use a NotifyIcon application. But every menu (no images allowed here) looks exactly the same. It would be very helpful to have icons and colours. but you can't. This is just one bug. There are quite a few, even within the compilers.

I'm not dismissing it completely, but .Net released by MS is still very much a beta. Even at the 1.1 level.

Re:And yet, look at my sig for Linux vulnerabiliti

[BurritoWarrior]

Good troll, but try coming back with an analysis of the actual severity of the holes.

I better hurry to run off and patch a hole in some obscure OSS app I don't have installed as opposed to the constant REMOTE ROOT EXPLOITS in the core Microsoft OS.

Re:And yet, look at my sig for Linux vulnerabiliti

Quick quiz, hot shot Troll: Here are the first 5 vulnerabilities from that list:

atari800, gallery, eroaster, mindi, phpwebsite,

Now, how many of those are "linux" (i.e. the linux kernel, shell and important utilities.) None.

How many are remotely exploitable? None.

Given the user base of those 5 obscure programs, how many would *you* rate as critical?

Wow, not ONE of them was for Linux

[finkployd]

Perhaps comparing all the security vulnerabilities for all software that could possibly run on Windows to this list would be SLIGHTLY more fair.

As it stands now you are comparing all open source applications to the Windows Oerating System.

So good job on attempting to call the Slashdot community on hyprocracy, unfortunatly you seem to be very confused about what Linux is and unable to make a valid comparison.

Finkployd

This is the origin of the apache servers name...

[evil_one666]

http://www.apache.org/history/timeline.html

Brian Behlendorf started collecting patches to be applied to the last version of NCSA. The initial versions of Apache are available primarily as a series of patches. Hence, initially, the name Apache, as it was "a patchy server". At least, so the legend goes.

And Office Update process is broken.

[Angostura]

a couple of points on this.

While I've just about managed to educate friends and familly about the need to run Windows Update, WU does not in itself warn of critical security issues - you have to remember to visit Office Update manually... and who is going to do that? No one, in my experience.

but it gets better - The Office Security updates require you to insert the original CD. This seems a mighty strange move, and not terribly useful for me since the CD is several thousand miles away locked up in a cupboard on the other side of the Atlantic.

Can anyone explain the warped logic here? I could understand it if the new patches enabled new functionality? but these are security patches.

Re:what % of Windows is patches?

[brkello]

Oh come on, at lease be fair. I can't believe you are modded insightful....I'd say funny. If you think linux patches are all functionality, then you don't work with Linux. The real difference between linux and windows is that you have a 99.9% better chance of getting modded up if you bash Microsoft patches than if you were to say something truly interesting.

Re:what % of Windows is patches?

[gmuslera]

Maybe MummyOS, by this time you don't see any skin, is all patches and bandages.

Criticality of this is horribly underrated

[benploni]

Criticality of this is horribly underrated by Microsoft.

This is critically important for all Windows MS Office users - "the user must open the attachment" is no protection because most users open attachments to see what they are.

If the infected Word Perfect document is given a .DOC extension, Word will be invoked directly when the user double-clicks the attachment. Word will automatically recognize and convert the document, and run the hostile code with no further opportunity for the user to stop the virus.

The vulnerability could also be exploited through a web page, and the user would get no chance to say "No" if ActiveX is enabled.

Re:Face it, Linux is popular enough.

[gmack]

That's funny.. last time there were security vulns I read about them on 3 different news sites and I didn't have to do a thing because my system updated itself.

It is the distro's job to make sure you are protected when a new exploit is discovered just as it's Microsoft's job when the problem is in windows. Also, if you think anyone accepts accountability for the problem in windows land you may want to read through the EULA again because it sure isn't MS.

Linux distros get bashed just as much over this and some of us actually avoid the distros with overly bad security records.

You also need to keep in mind that there is less downtime involved when upgrading Linux systems. My Linux servers are all fully upgraded but have not been shutdown in months. Window? 4 patches 3 reboots.. yuck

Comparing Red Hat updates to MS..

[saintjab]

I'm sure this will get modded down, or ignored by the moderators all together, as off topic; but I feel it's a good camparison. I have two, relatively similar, workstations. One running Red Hat 9 and the other WinXP. I use RH Up2Date on the Linux bawx and Windows Update on the XP machine religiously. The observation that I have made are pretty amazing. Microsoft releases roughly 4 patches for every 1 that RH releases. The RH packages, other than kernel updates, do not require any reboots; where most of the MS ones do. I've not had a single occurrance of an adverse effect on my Linux machine from any patches, where I have had a miriad of issues with the XP/Office updates (insert CD, permissions issues, BSODs, etc). I'm not at all trying to scream the virtues of Linux and downplay MS, but there are real issues. Not to even mention never having adware, spyware, etc. installed on my RH machine without my knowledge. I'm extremely carefull with all of my machines and I stilled managed to get some IE search bar added to my browser. I removed it quickly with Spybot search and destroy, but it still happened. I think MS needs to take a step back from the cash register and seriously evealuate their tactics and practice where desktops are conncered. That is, if they ever want their update service to be even close to as effective as RH. But thats just my two cents and I'm sure there are a line of people out there to tell me I'm wrong and/or full of crap; but these are real world observations from someone who is completely OS neutral. ..jab