Slashdot Mirror


Microsoft Announces Three More Critical Vulnerabilities

weekendwarrior1980 writes "Microsoft warned that three 'critical'-rated flaws in the Windows operating system and other programs could allow hackers to sneak into personal computers and snoop on sensitive data. The flaws could allow attackers to break into PCs running Windows in several ways and then use the system to run malicious programs and steal or delete key data. These latest security flaws affect the latest versions of Windows, including Windows NT 4.0, Windows 98, Windows 2000, Windows XP, as well as software for networked computers such as Windows NT Server and Windows Server 2003." Their bulletins are available for these vulnerabilities. Techweb has a pretty good summary.

486 comments

  1. Uh-oh by SpiffyMarc · · Score: 5, Funny

    Now that the word is out on these, Microsoft is going to have to post a big link to all the articles about that new Mac OS X trojan all over their homepage...

    1. Re:Uh-oh by Anonymous Coward · · Score: 5, Funny

      A lot of people joke about Mac vulnerabilities, but the simple fact is that something like that could really wreak havoc somewhere like an art school or large interior design firm.

    2. Re:Uh-oh by ringbarer · · Score: 4, Funny

      So nowhere important then.

      --
      "Why did they cancel my favorite Sci-Fi show? I downloaded ALL the episodes!"
    3. Re:Uh-oh by Sn_wC_t · · Score: 1

      got *nux?

    4. Re:Uh-oh by Anonymous Coward · · Score: 0

      Nope. I got *nix, though.

    5. Re:Uh-oh by SphericalCrusher · · Score: 1

      Ever since that Mac OS X incident, I've heard a lot of Windows users taunt and make fun of Apple. Then we wake up the next morning and continue on with the rest of our lives... which includes MORE holes in the Microsoft operating system. This is getting OUT OF HAND!

      Take this into question. Would you rather be shot one small time in the leg, or five big times in the chest? Compare Mac OS X to Windows in that way, where Mac = smaller shot and Windows = more holes. It's scary, but true.

      --
      "Instant gratification takes too long." - Carrie Fisher
    6. Re:Uh-oh by vensub · · Score: 0, Troll

      and the great (called free, stolen, but has a corporate version and still bug programmed by many ongoing) LINUX doesn't have any bugs. End of it. All slashdot.....s to go for a drink and they will never discuss anymore. EOM

      - Bill Gates

    7. Re:Uh-oh by Geek+of+Tech · · Score: 1
      Better that than something else like a nuclear power plant

      --
      Stop the Slashdot effect! Don't read the articles!
    8. Re:Uh-oh by Neo's+Nemesis · · Score: 0

      Haven't we already had enough this year? People will melt away if the d(vulnerabilities)/dt from t=0 to t=1yr equation for MS holds extremely large values. Please have some pity on security experts and virus hunters. STOP MAKING YOUR ****ING BUGGY CRAP

    9. Re:Uh-oh by tbone1 · · Score: 3, Funny
      something like that could really wreak havoc somewhere like an art school or large interior design firm.

      And this is bad because ... ?

      Yours sincerely,
      Dan Dierdorf
      Host of Straight Eye for the Queer Guy

      --

      The Independent: Reverend Spooner Arrested in Friar Tuck Incident - ISIHAC, Historical Headlines
    10. Re:Uh-oh by Douglas+Simmons · · Score: 1

      Now that was fucking funny and clever. Why are we so PC in our modding? This is why I have all troll-marked comments to come up as +5 on my account and I recommend you all do the same.

    11. Re:Uh-oh by Deraj+DeZine · · Score: 1

      I guess the majority of Mac users that have mod points on Slashdot just aren't ready to come out of the closet, yet.

      I also noticed it was modded overrated by someone. Hmmm, could that be someone who doesn't want to be metamoded for being a homo?

      --
      True story.
  2. In other news by Anonymous Coward · · Score: 0, Interesting

    Three "critical" vulnerabilities were released for the Linux operating system this week, but no one on this so-called pro-Linux site gives a crap.

    1. Re:In other news by BoldAC · · Score: 1

      "The RPC/DCOM Runtime vulnerability should be of special concern to all users," said Gullotto. "There's great potential for another worm that exploits this."

      Great... "Here comes the worms again..."

      Any idea if these exploits were discovered from the Microsoft's leaked code... or if they were discovered out in the wild?

      AC

    2. Re:In other news by ymgve · · Score: 1

      If some of these exploits were the ones listed on eEye's page (Google cache with the old info), and they seem to be since they're removed now, they got discovered long before the source code got leaked.

    3. Re:In other news by dustmite · · Score: 4, Funny

      That's 'cause most of us are secretly using Windows ;)

    4. Re:In other news by Anonymous Coward · · Score: 0

      Any idea if these exploits were discovered from the Microsoft's leaked code... or if they were discovered out in the wild?

      Does it really make any difference? In no way does it validate or invalidate "Microsoft's security through obscurity" stance. God knows the hackers were able to find plenty of vulnerabilities without access to the source and, in spite of Microsoft's new security initiative, plenty have been showing up that don't seem to be related to the source code leak.

      Microsoft's single biggest problem is not bugs, although there are certainly plenty of those. Their single biggest problem is stupid design decisions and (partially because of stupid design decisions) an overall lack of modular design that prevents isolating and limiting collateral damage by security breaches.

    5. Re:In other news by technos · · Score: 4, Informative

      Sorry, we already apt-get updated those bugs away while we were sipping our morning coffee and never noticed. Unlike Windows, I don't have to worry about a simple bugfix blowing up the box, or causing downtime, nor do I have to reboot the damn thing four times.

      Oh, and application bugs are not "Linux" bugs. Linux refers to the kernel and kernel alone. Unlike on a Microsoft product, where they make Outlook/IE the default for everything and unremovable, hence being part of the OS and countable as an OS exploit, the same is not true of Linux systems.

      --
      .sig: Now legally binding!
    6. Re:In other news by Anonymous Coward · · Score: 0

      Slashdot is not about Linux anymore. It is an idiot magnet. Those who use Linux one way or another want to feel like clever people. They all come here, say stupid things including Linux and Windows, and they all live happily. Slashdot owners are also happy since idiots spend more time browsing here and that's how they make money, through ads.

    7. Re:In other news by John+Courtland · · Score: 1

      Biting the troll...

      I quote, "you stupid." - Way to go! The first fucking sentence in your paragraph describing how someone is stupid is, ironically, stupid. I also notice your lack of participles. If you're going to try to rip on someone, make sure your grammar is correct; poor grammar really invalidates your credibility.

      Next, yes, Outlook Express is "packaged" with the OS, but it has been the vector for countless virii for simply that reason. Same with IE. For all intents and purposes, removing IE cripples the UI aspect of Windows. Since Windows doesn't have great command-line utilities, I don't think I need to go further. IE is very vulnerable and no firewall will stop it. Let's not forget to mention how Windows won't even work without its precious RPC service. I'd call that an Achilles heel if I ever saw one.

      To deal with the rest of your idiotic drivel, apt-get can be run as a cron job, just like Windows Automated Updates. No one has to touch it, just like Windows! Wow. What's even better is that the only rebooting necessary is for kernel updates. Windows is sadly dissimilar in this regard.

      I wonder what makes you so qualified to write an attack and start talking about CS majors like they are the all mighty computer wizards? Most CS majors I know don't know shit. Sure, they can write "Hello World," in various languages, but give them a problem and watch them fail. Just like you just did.

      --
      Slashdot is proof that Sturgeon's Law applies to mankind.
    8. Re:In other news by nvrrobx · · Score: 3, Insightful

      There is a very bad, glaringly false statement in your post.

      Even on Linux, it is possible for a simple bugfix to take down an entire system.

      XFree86 drivers can do this.
      Kernel updates can do this.
      Third party kernel driver updates can do this.

      Hell, a bug / exploit in kdm could make your machine remotely vulnerable, or a simple bug could cause your machine to stop allowing logins (and don't tell me that you can Ctrl-Alt-F1 and login. That doesn't apply to end users)

      I saw a problem on a friend's machine where his PAM config got trashed after an update. Guess what, his machine stopped asking for passwords on IMAPS, POP3S and ssh. If a simple misconfiguration can cause that, so can a code bug. That's no different than Windows.

      All software has bugs, and those bugs can either be harmless annoyances or critical problems. Linux can have them just as easily as Windows. Linux/UNIX software releases patches faster because they don't have complicated software development cycles (QA checks, usability, legal, etc.) that have to happen before the release.

    9. Re:In other news by rbmyers · · Score: 1

      Nothing secret about it. I use both, and I'm up at 4am to be able to get access to the #%@*& Microsoft update servers and they are slow as molasses. Gates and Ballmer are narcissistic, sociopathic boobs who are a threat to national security, and I want one of those other narcissistic, sociopathic boobs in Washington who are a threat to national security to do something about them.

  3. Oh, and... by Apostata · · Score: 1, Funny

    ...their lawyers are waiting in line to press charges in case you complain.

    --

    This wasn't just plain terrible, this was fancy terrible. This was terrible with raisins in it. - Dorothy Parker
    1. Re:Oh, and... by Anonymous Coward · · Score: 0

      Don't joke about that. Although Microsoft has admitted an error on their part (and rightfully so), any form of harassment as such could be punishable under the full penalty of the law.

      In fact, you could even be sued for libel if you parade about online forums spreading false information about Microsoft, like "their code is insecure" and so on and so forth.

      Just be careful what you say, and make sure what you're saying is correct.

  4. Safety First... by Anonymous Coward · · Score: 1, Funny

    Prepare the fire extinguishers

    1. Re:Safety First... by geekbruin · · Score: 1

      Ah, bless'd job security...

  5. I've noticed by markalot · · Score: 0, Insightful

    That a lot of vulnerabilities that concern Linux never get posted to slashdot. Usually I read about these on news.com.

    1. Re:I've noticed by Anonymous Coward · · Score: 0, Troll

      You also don't hear about how much John Kerry and the liberals suck on Al Franken's radio show, now do you?

    2. Re:I've noticed by Anonymous Coward · · Score: 5, Insightful

      no -- that's just not true.

      there are misinformed people who don't understand the issues with the bugs reported in linux who then fan the flames about "holes in linux" as if they are of the same level of problem as these weekly holes in windows.

      a theoretical overflow on a linux server running openssh is a lot different than a open hole that runs executable attachments

      as a windows user, you should spend your time patching windows, not reading news.com

    3. Re:I've noticed by cybermancer · · Score: 4, Insightful
      ...a lot of vulnerabilities that concern Linux never get posted to slashdot. Usually I read about these on news.com.

      news.com is a real news site, so they post real news. I am surprised anyone reports vulnerabilities in MS Windows as news. The only reason to report these is so people know to update again, and to poke fun at the joke that is Microsoft's quality control. Real news would be if they go for an extended period of time without a vulnerability!

      For Linux on the other hand it is an event when there is a vulnerability reported.

      --
      "Anything is possible with enough programmers, time and pizza." (Substitute caffeine for time as needed.)
    4. Re:I've noticed by pilgrim23 · · Score: 1

      It is a game you know: "He who crashes with the most vulnerabilities wins!" Bill hates to lose... -and to think that after 4 major iterations of OS X they can only muster one puny Trojan. Poor poor Apple...

      --
      - Minutus cantorum, minutus balorum, minutus carborata descendum pantorum.
    5. Re:I've noticed by Anonymous Coward · · Score: 0

      That's because seeing Linux in the news at all is still an "event". Something to think about next time you're moaning about how Microsoft has all the market share.

    6. Re:I've noticed by Anonymous Coward · · Score: 0

      Real news would be if they go for an extended period of time without a vulnerability!

      It wouldn't be news because it's so common. After all, we all know that Microsoft waits until there's at least 10 remote root vulns in the wild before they announce the patches ; )

    7. Re:I've noticed by Anonymous Coward · · Score: 0

      yeah... i second that motion

    8. Re:I've noticed by markalot · · Score: 1

      So then why do only anonymous cowards reply? Go ahead and tell me I'm wrong; exploits are exploits and all should be fixed. I'm rooting for both Windows and Linux, sorry if I'm not radical enough for ya.

    9. Re:I've noticed by beegle · · Score: 1

      A hint: those ssh exploits aren't theoretical. They're in active use.

      Have you run Tripwire (/AIDE/whatever) lately?

      --
      --
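Tripwire and AIDE answer the question above by comparing the current file tree against a hash baseline recorded when the box was known-good. The same check on a Windows host, as an added example in PowerShell that is not part of the original thread (the roots and the baseline location are assumptions; it needs Get-FileHash, i.e. Windows PowerShell 4 or later):

```powershell
# Added example, not from the original thread: a minimal Tripwire/AIDE-style
# file integrity check. -Baseline records the SHA-256 of every file under the
# given roots; a later run without it reports files that were added, removed
# or changed since. Roots and baseline location are assumptions.
param(
    [string[]]$Roots = @("$env:SystemRoot\System32", $env:ProgramFiles),
    [string]$BaselinePath = "$env:ProgramData\fim-baseline.json",
    [switch]$Baseline
)

function Get-TreeHashes {
    param([string[]]$Roots)
    $table = @{}
    foreach ($root in $Roots) {
        $files = Get-ChildItem -LiteralPath $root -File -Recurse -Force -ErrorAction SilentlyContinue
        foreach ($f in $files) {
            try {
                # Hash content only: size and mtime are trivial to forge, a hash is not.
                $table[$f.FullName] = (Get-FileHash -LiteralPath $f.FullName -Algorithm SHA256 -ErrorAction Stop).Hash
            } catch {
                # Locked or unreadable files (hives in use, pagefile) are reported, not silently dropped.
                Write-Warning "skip $($f.FullName): $($_.Exception.Message)"
            }
        }
    }
    return $table
}

function Compare-Hashes {
    param([hashtable]$Old, [hashtable]$New)
    $report = @{ Added = @(); Removed = @(); Changed = @() }
    foreach ($k in $New.Keys) {
        if (-not $Old.ContainsKey($k)) { $report.Added += $k }
        elseif ($Old[$k] -ne $New[$k]) { $report.Changed += $k }
    }
    foreach ($k in $Old.Keys) {
        if (-not $New.ContainsKey($k)) { $report.Removed += $k }
    }
    return $report
}

$current = Get-TreeHashes -Roots $Roots

if ($Baseline) {
    # The baseline is only as trustworthy as its storage: an attacker who owns the
    # box can rewrite it, so copy it off-host or to read-only media after this step.
    $current | ConvertTo-Json -Compress | Set-Content -LiteralPath $BaselinePath -Encoding UTF8
    Write-Host "baseline written: $($current.Count) files -> $BaselinePath"
    exit 0
}

if (-not (Test-Path -LiteralPath $BaselinePath)) {
    throw "no baseline at $BaselinePath; run once with -Baseline first"
}
$old = @{}
(Get-Content -LiteralPath $BaselinePath -Raw | ConvertFrom-Json).PSObject.Properties |
    ForEach-Object { $old[$_.Name] = $_.Value }

$diff = Compare-Hashes -Old $old -New $current
foreach ($kind in 'Added', 'Removed', 'Changed') {
    foreach ($path in $diff[$kind]) { Write-Output "$kind`t$path" }
}
# Non-zero exit when anything differs, so a scheduled task can alert on it.
exit ([int](($diff.Added.Count + $diff.Removed.Count + $diff.Changed.Count) -gt 0))
```

Run it once with -Baseline right after patching, then on a schedule without the switch. The script only tells you that something changed, not whether the change was legitimate; a patch day like the one in this story produces a long "Changed" list, so re-baseline after every trusted update and treat anything that shows up between patch cycles as suspect.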
    10. Re:I've noticed by Anonymous Coward · · Score: 0

      That's because news.com is a REAL news site whereas Slashdot is little more than a temple where the Linux zealots can pat each other on the back and stick their noses in the air secure in the knowledge that they are somehow a superior form of life than everyone else.

      Linux zealotry is the primary wall that will prevent Linux from ever making it to the big-time.... that and the fact that it's basically a piece of shit.

    11. Re:I've noticed by awkScooby · · Score: 1
      I have yet to see a single Microsoft patch for a theoretical security hole. It is routine with Open Source software to see a patch released to fix something that potentially could be a security risk. Often there's a suspicion by the developers that there is no actual way to exploit the issue, but they fix it just in case. Well written code is a matter of pride.

      Microsoft, on the other hand, learns about remotely exploitable vulnerabilities and then takes 6 or 7 months to figure out how to fix it. Security researchers have to hound Microsoft to fix these things, despite the obvious severity of the holes.

      Not all exploits are equal. If my box is only used by me, then local privilege elevation exploits are not an issue. Remotely exploitable holes in services I can't turn off are an issue. For many multi-user servers, local privilege elevation exploits are an issue. If your users are mostly trustworthy, then the remote execution holes are still worse.

    12. Re:I've noticed by Anonymous Coward · · Score: 0

      You probably never used Linux in your lifetime. Your flaming about Linux shows that you don't know what Linux vulnerability means. Linux is a less secure system than Windows, that's why people do not use it. Zero-day attacks are quite common and you're depending on volunteers whose names are not known even on slashdot. Everybody assumes that somebody is taking care of these issues, but we just don't know that. In fact, a number of people posting on slashdot are so stupid that, even after years of bitching about Microsoft, nothing much changed for Linux, except taking market share from Unix machines, whereas Microsoft also took market share from Unix. So overall it looks like Linux is not the choice for many Unix shops. Did you ask why? Because they don't give a damn about so many stupid slashdotters like you. They make an objective evaluation of Linux and they conclude that Linux sucks and is quite insecure. Nobody has any doubt about it. News.com is by no means a news site, it is a tabloid web site just like slashdot. In fact it is mostly referred to by mac idiots who just like news.com's design. It is quite stupid but that's a fact.

  6. Re:oh no! by Radish03 · · Score: 1

    No, not just one more patch. Three!

  7. More than three by untermensch · · Score: 5, Informative

    Actually, according to the article there aren't just three vulnerabilities. There are 20 separate vulnerabilities in Windows and Outlook Express, 8 of which are critical, and 16 of which are remotely exploitable. Microsoft has bundled the patches for these into 4 separate downloads - 3 for Windows and 1 for Outlook Express.

  8. Worm Writer's Delight by Dynamoo · · Score: 5, Interesting
    What's frightening is that there are *so* many remote code execution vulnerabilities in this one. At least they're all rolled up into one patch. But this gives so many potential backdoors for a Blaster style worm.

    Here we go again...

    --
    Never email donotemail@WeAreSpammers.com
    1. Re:Worm Writer's Delight by Joe+the+Lesser · · Score: 4, Funny

      "Sir Gates, we've analyzed their attack plan and there is a danger. Should we have your shuttle ready?"

      Evacuate? In our moment of triumph? You underestimate their chances.

      --
      "I only speak the truth"
      Karma: null(Mostly affected by an unassigned variable)
    2. Re:Worm Writer's Delight by zackeller · · Score: 5, Informative

      Overestimate.

    3. Re:Worm Writer's Delight by G-funk · · Score: 1

      Dude this is so not the place to misquote the holy trilogy ;-)

      --
      Send lawyers, guns, and money!
    4. Re:Worm Writer's Delight by Joe+the+Lesser · · Score: 4, Funny

      I shall accept full responsibility for my misquote, and apologize to /. personally.

      --
      "I only speak the truth"
      Karma: null(Mostly affected by an unassigned variable)
    5. Re:Worm Writer's Delight by Rallion · · Score: 1

      I think you just redeemed yourself.

    6. Re:Worm Writer's Delight by GileadGreene · · Score: 1

      That, sir, is a beautiful sig.

    7. Re:Worm Writer's Delight by Anonymous Coward · · Score: 0

      If we don't go again, do you admit that you are an idiot who is simply trying to spread FUD against Microsoft? If you admit that, do you also agree to the fact that since you are being dishonest with others, all of your points in this issue are invalidated? Linux has been more insecure than Windows, thus you should first learn how to be honest. Then maybe we can take you seriously; until then your words will be taken seriously only on slashdot.

  9. Yay! by Anonymous Coward · · Score: 1, Funny

    I love rebooting. There goes my uptime!

    1. Re:Yay! by pudding7 · · Score: 2, Insightful

      You're worried about your "uptime" but you have no problem making pointless posts on Slashdot?

      Idiot.

    2. Re:Yay! by sumdumass · · Score: 0, Offtopic

      That's because the computer does more work than he does. If your computer did more work than you do you would be worried about uptime too. Not all that surprising.

    3. Re:Yay! by Anonymous Coward · · Score: 0

      dood, you need to get laid. chill out codewarriorwannabe.

  10. Honesty is sometime stupid by Assoupis · · Score: 5, Funny

    Microsoft could just send its service pack and, as usual, during installation, print meaningless phrases such as: registering component, building registry, etc...

    1. Re:Honesty is sometime stupid by mistermund · · Score: 5, Funny

      registering component, building registry, etc... Reticulating splines....

    2. Re:Honesty is sometime stupid by Anonymous Coward · · Score: 0
    3. Re:Honesty is sometime stupid by Anonymous Coward · · Score: 0

      bogomips

  11. I was wondering about that by ObviousGuy · · Score: 5, Interesting

    I've got IE configured to present itself to websites as Netscape so I can't check the Windows Update webpage, I have to rely on automatic update to tell me of new patches. For the past couple months there has been nary a one patch, then today a whole handful of them.

    What a surprise. My bandwidth was halved by the invisible download.

    Whoops. Be right back. Install is finished, gotta reboot.

    --
    I have been pwned because my /. password was too easy to guess.
    1. Re:I was wondering about that by Numeric · · Score: 2, Insightful

      I've got IE configured to present itself to websites as Netscape so I can't check the Windows Update webpage

      Why don't you just download Netscape/Opera/FireFox and just use IE for windows update? You should be able to manually control what updates you are doing then.

      --
      -- ladies and gentlemen we are floating in space!
    2. Re:I was wondering about that by Anonymous Coward · · Score: 0

      For whatever reason, I can't get Flash configured correctly in Moz and FireFox.

      OG

    3. Re:I was wondering about that by Gates82 · · Score: 1

      Bandwidth is only cut in half? The one (and only) thing I like about MS is that they have really fast servers. Windows update will fill my 5 Mb/s line every time.

    4. Re:I was wondering about that by Anonymous Coward · · Score: 0

      22Mbps.

      OG

    5. Re:I was wondering about that by Anonymous Coward · · Score: 0

      Try Mandrake Linux. I know the 9.2 PowerPack comes with Flash, etc plugins that work fine fresh off the install, and 10.0 should have them too.

    6. Re:I was wondering about that by Anonymous Coward · · Score: 0

      Every time I'm really happy with a new browser, I pass it on to someone who, without even trying, comes up with something that is absolutely critical to their life, and completely fails to work under the new browser.

      Most recent example are Mozilla FireFoos with WebCT.

    7. Re:I was wondering about that by zaffir · · Score: 1

      Are you using an installer, or the registry patch? You need to do one of those so that the flash installer knows that Mozilla/firefox is installed. The same goes for Java and a few other plugins I think.

      --
      "Upon attaching the waterblock to my penis, I began to notice that I know nothing about computers." -- JRockway
    8. Re:I was wondering about that by Anonymous Coward · · Score: 0

      I used the installer as per the instructions on the FireFox (then Firebird) webpage. It was too much of a hassle, so I gave it up.

      Setting the IE UserAgent to Netscape fixes my problems, so I'm happy enough with that.

      OG

    9. Re:I was wondering about that by fpga_guy · · Score: 1
      For the past couple months there has been nary a one patch, then today a whole handful of them.

      I'm doing a manual update now - slow slow slow...

      Microsoft have initiated a DoS attack on their own server!

    10. Re:I was wondering about that by Rallion · · Score: 1

      Not right now...the page won't even load.

    11. Re:I was wondering about that by CodeSniper · · Score: 1

      The page took around 5 times longer than normal to load for me too.
      But the actual patches downloaded just as fast as they normally do.

    12. Re:I was wondering about that by TrentC · · Score: 1

      I've got IE configured to present itself to websites as Netscape so I can't check the Windows Update webpage

      Why don't you just download Netscape/Opera/FireFox and just use IE for windows update?

      Because he wants the stability of MSIE with the site compatibility of Mozilla, of course...

      Jay (=

    13. Re:I was wondering about that by toddestan · · Score: 2, Funny

      I've got IE configured to present itself to websites as Netscape ...

      Isn't that like putting the "VTEC" and "Type R" badges on a '87 Civic?

    14. Re:I was wondering about that by Anonymous Coward · · Score: 0

      Are you sure? I had zero problems using flash and java in Phoenix/Firebird/Firefox if the browser itself was installed via their executable installer which automatically adds the necessary registry keys for any plugin such as Shockwave Flash and Java to find FireFox and install itself correctly into its plugins folder.

    15. Re:I was wondering about that by Anonymous Coward · · Score: 0

      I've got IE configured to present itself to websites as Netscape so I can't check the Windows Update webpage, I have to rely on automatic update to tell me of new patches. For the past couple months there has been nary a one patch, then today a whole handful of them.

      Although I don't go through windowsupdate.microsoft.com, I use Software Update Services (which publishes the same patches I believe), and I didn't get any notification of these new ones until today, so don't feel left out. I also checked for patches just yesterday and there were none available.

    16. Re:I was wondering about that by Anonymous Coward · · Score: 0

      Positive. The plugin is started but it does not load the swf file.

      Go figure.

      OG

  12. I continue not caring... by forkazoo · · Score: 3, Insightful

    I hate to sound like a troll, but I really don't care about all the MS security vulnerabilities. I've cleaned up a bunch of systems in the last week that were all virus and spyware infested, because the user clicked on things they shouldn't have. If Microsoft required a prompt for the root password whenever a program tried to install itself, similar to what OS X and many Linux apps do, it would make all the actual security vulnerabilities matter much more.

    We need internet licenses. Nobody without a geek code should be granted an IP address. It's that simple.

    1. Re:I continue not caring... by Anonymous Coward · · Score: 0

      My concern is, are ye Olde operating systems (98/NT) going to get a security patch/working hotfix now that support has ended and these OS's are obsolete?

      Maybe now some of my stupid clients will replace their ancient NT servers! /greedy PC salesman

    2. Re:I continue not caring... by Doomrat · · Score: 0

      "Nobody without a geek code should be granted an IP address."

      You mean you want the Internet populated by people who think a limited category-based character description scheme makes for witty signature material and valid personal Web page content? Thankfully it's only people with very limited personalities who care about these very limited personality rankings.

    3. Re:I continue not caring... by Anonymous Coward · · Score: 0

      Of course, the types of people that don't patch are probably the same types that would enter their admin password whenever they are asked.

    4. Re:I continue not caring... by imemyself · · Score: 1

      Yeah, I'd kinda agree with the geek code thing. People should have to pass a test about computers and vulnerabilities before they are able to access the internet.

      --
      Every time you post an article on Slashdot, I kill a server. Think of the servers!
    5. Re:I continue not caring... by omicronish · · Score: 5, Insightful

      If Microsoft required a prompt for the root password whenever a program tried to install itself, similar to what OS X and many Linux apps do, it would make all the actual security vulnerabilities matter much more.

      The Windows defaults with regards to user privileges are crap, and you are right, these vulnerabilities don't matter when everyone has administrative privileges anyway.

      Requiring a password to install a program would be difficult in Windows, however, since the installation programs are provided by the software, not Windows (unless it's a Windows Installer package, in which case there's full support for requiring Administrator privileges to install applications). Windows really has no way of telling the difference between a normal application and an installer.

      However, what you can do is lock down file permissions. What I did on Windows XP was remove Users write access to the boot drive, Windows directory, Program Files directory, and Documents and Settings (except for the user's profile). Installation programs can still run, but they won't be able to install software to any important location. At worst, the user can install to their profile, but any malicious program becomes a problem only for that user. It's akin to untarring, compiling, and running a program from your home directory on Linux.

      I've heard of bad programs that require Administrator privileges or write access to their Program Files directory, in which case this setup will present problems. Still, it's a problem with the program itself, not a Windows problem, although lax or non-existent installation guidelines may have contributed. I personally think all these permissions should've been defaults years ago.
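The lockdown the post above describes by hand can be audited, and applied, from a script. What follows is an added example in PowerShell, not code from the original thread or from Microsoft: it lists the Allow ACEs that give ordinary users write-class rights on each directory and, with -Fix, replaces them with ReadAndExecute. The default paths are assumptions for a current Windows layout (the profile root that was "Documents and Settings" on XP is C:\Users today, and each profile under it is already per-user, so it is left out); the principals are matched by well-known SID so the check is not tied to English group names.

```powershell
# Added example, not from the original thread: audit (and with -Fix, remove)
# write-class NTFS rights granted to ordinary users on the directories the
# post above locks down. Run from an elevated PowerShell. Defaults are
# assumptions for a current Windows layout.
param(
    [string[]]$Paths = @("$env:SystemDrive\", $env:SystemRoot, $env:ProgramFiles),
    # Well-known SIDs, so the check works on non-English installs:
    # S-1-5-32-545 = BUILTIN\Users, S-1-5-11 = NT AUTHORITY\Authenticated Users
    [string[]]$PrincipalSids = @('S-1-5-32-545', 'S-1-5-11'),
    [switch]$Fix
)

# Any one of these rights lets a non-admin plant, replace or delete files.
# (Generic rights such as GENERIC_ALL are not mapped here and are not matched.)
$WriteClass = [System.Security.AccessControl.FileSystemRights] (
    'Write, Modify, FullControl, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership')

function Get-WeakAce {
    param([string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        if ($PrincipalSids -notcontains $sid) { continue }
        if (([int]$ace.FileSystemRights -band [int]$WriteClass) -eq 0) { continue }
        [pscustomobject]@{
            Path      = $Path
            Principal = $ace.IdentityReference.Value
            Sid       = $sid
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited
        }
    }
}

$anyWeak = $false
foreach ($p in $Paths) {
    $weak = @(Get-WeakAce -Path $p)
    if ($weak.Count -eq 0) { Write-Host "OK     $p"; continue }
    $anyWeak = $true
    $weak | Format-Table Principal, Rights, Inherited -AutoSize | Out-String | Write-Host
    if (-not $Fix) { continue }

    $acl = Get-Acl -LiteralPath $p
    foreach ($sid in ($weak | Where-Object { -not $_.Inherited } | Select-Object -ExpandProperty Sid -Unique)) {
        # Drop every explicit Allow ACE for that principal, then grant back only
        # what a non-admin legitimately needs: read, list, traverse, execute.
        $id = New-Object System.Security.Principal.SecurityIdentifier($sid)
        $acl.PurgeAccessRules($id)
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $id, 'ReadAndExecute', 'ContainerInherit, ObjectInherit', 'None', 'Allow')
        $acl.AddAccessRule($rule)
    }
    foreach ($w in ($weak | Where-Object { $_.Inherited })) {
        # Inherited ACEs come from the parent; rewriting them here would mean
        # breaking inheritance, so report them and fix the parent instead.
        Write-Warning "$p : $($w.Principal) inherits $($w.Rights); fix the parent"
    }
    Set-Acl -LiteralPath $p -AclObject $acl
    Write-Host "FIXED  $p"
}
# Non-zero exit if any listed directory was (or still is) user-writable.
exit ([int]$anyWeak)
```

Without -Fix the script only reports, which is the right first run: the directories are not processed recursively, and Set-Acl needs WRITE_DAC on the target, so directories owned by TrustedInstaller may refuse the change from a plain Administrator. Installs then happen from an admin context rather than a user one, which is what the later "Run As" suggestion in this thread amounts to; runas.exe is the command-line form of that right-click (for example, `runas /user:Administrator "msiexec /i setup.msi"`). Programs that insist on writing into their own Program Files directory will break under these permissions, exactly as the post warns.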

    6. Re:I continue not caring... by forkazoo · · Score: 1

      Well, if they manage to get to the geek code web page without having internet access, I suppose that makes them 1337 enough to deserve an IP, regardless of whether or not they agree with it. :)

    7. Re:I continue not caring... by forkazoo · · Score: 3, Insightful

      Most people who have spyware installed, have no farking idea how it got there. If the computer forced them to have some active participation, they might at least try to be aware of what's going on, rather than just clicking okay. A system level alert box that proudly declares "You Are Installing Software On Your Computer" wouldn't stop most people from installing it, but for god's sake, at least they'd *know* they were installing something!

    8. Re:I continue not caring... by Anonymous Coward · · Score: 0

      Then how, pray tell, can you install virtually any of Microsoft's software? Everything I installed from Microsoft in the past required about 1000 DLLs written to the Windows system directory. Now I stopped caring around about win2k, but has that changed significantly in XP?

    9. Re:I continue not caring... by Daltorak · · Score: 1

      How would that make a difference? A program doesn't need administrator access to destroy all your data, deliver thousands of spam emails a day, or participate in DDoS attacks against websites. In fact, all this stuff is trivially simple even as a Standard User.

    10. Re:I continue not caring... by omicronish · · Score: 1

      Then how, pray tell, can you install virtually any of Microsoft's software? Everything I installed from Microsoft in the past required about a 1000 dlls written to the Windows system directory. Now I stopped caring around about win2k, but has that changed significantly in XP?

      Well, you log on as Administrator to install software, just like how you have to be root on Linux to install software. The point of the file security restrictions is to prevent regular users from installing software.

    11. Re:I continue not caring... by Anonymous Coward · · Score: 0
      We need internet licenses. Nobody without a geek code should be granted an IP address. It's that simple.

      You know, that wouldn't be too hard to do. They (the users) would be all like, "Can I get the Internet?" and we'd just be like, "No."

    12. Re:I continue not caring... by Deraj+DeZine · · Score: 1

      At least then I could get a few FPs here...

      --
      True story.
    13. Re:I continue not caring... by GSloop · · Score: 1

      Problem is, about half the software around simply doesn't run right when run as non-admin.

      Sure, non-admin privs sound like a great thing until you try to use them. For many of my clients, it's simply not a workable thing.

      That's not MS's fault, per se, but given the lack of care about security in the past, everyone who develops apps for Windows has grown accustomed to no security, and apps simply don't work as they should.

      In short, the buck IMHO still comes back to rest at MS's doorstep. They are still doing far too little to fix the problem.

      Cheers,
      Greg

    14. Re:I continue not caring... by Gary+Destruction · · Score: 1

      It can't participate in DoS attacks unless the user has administrative privileges. Admin privileges are needed for raw socket access. And since you're probably on a DMZ, you have to assume the worst. Someone is going to break into your system and there's nothing you can do to stop it short of severing the physical layer. Either A) they'll have restricted access or B) they'll have full access.

    15. Re:I continue not caring... by soulhuntre · · Score: 1

      This is trivially easy to set up... especially on Windows XP.

      Not only is it easy to set up a dedicated admin account and make the user accounts non admin, but when one wants to install software you only have to right click and "Run As" to supply an admin password and install normally.

      Enjoy :)

      --
      --> Fight tyranny and repression.... read /. at -1!
    16. Re:I continue not caring... by Anonymous Coward · · Score: 0

      I've heard of bad programs that require Administrator privileges or write access to their Program Files directory, in which case this setup will present problems. Still, it's a problem with the program itself, not a Windows problem, although lax or non-existent installation guidelines may have contributed. I personally think all these permissions should've been defaults years ago.

      Such as a bunch of games, because they need Admin access to install that silly driver to make sure you have the original CD. As if people don't work around those anyway...

      I do agree though; it's just busted programs that need Admin access. For now, I'm very happy with runas - it's so nice to be able to sudo.

    17. Re:I continue not caring... by KshGoddess · · Score: 3, Informative
      We need internet licenses. Nobody without a geek code should be granted an IP address. It's that simple.

      Then implement training at your site. At least suggest it. Computers are tools. We don't require people to get socket-wrench certified, or expect (most of) them to take telephone answering lessons. Most people think of computers in the same way.

      Why should we expect users (consumers, customers, grandmas) to know everything about the complex tool that they've been given? Most people use their computer for email and surfing the web. They don't care about or want to know how it works. As long as it does.

      As a "sysadmin", it is your job to make sure that users are able to work. Within those bounds, you may encounter issues with users doing stupid things. Most of the time, they don't realize what they're doing is what's bogging down their computer. Usually, if you say "I found that the problem was that you have [kazaa | bearshare | napster] installed, and it's what's bogging your PC down, and oh by the way, these things aren't allowed," people listen. Sometimes they even learn something.

      Someone within your organization should have the authority to say "X is allowed, Y is not." and to have the authority to also say "You signed this piece of paper saying you wouldn't Y, and we have concrete evidence that you Y all the time. Your manager and HR have been notified."

      IT is a service organization. Being arrogant about what you know versus what your users know doesn't work very well, and ends up getting us all branded as Nick Burns, Computer Guy.

      As for the permissions bit, MS is both really good and really horrifyingly awful about user permissions. Yes, you can set it up so that the user has no power to install software, modify the registry, etc., but you'll end up with (a) a user who resents you or (b) several one-offs where the user has to have admin privileges to do their job or even (c) a user who finds their way around your rules and limitations.

      --
      It's a little wrong to say a tomato is a vegetable. It's a lot wrong to say it's a suspension bridge.
    18. Re:I continue not caring... by jonadab · · Score: 1

      > We need internet licenses. Nobody without a geek code should be granted an
      > IP address. It's that simple.

      No, I think we should give everyone an IP address, and just make them
      calculate their own subnet mask :-)

      --
      Cut that out, or I will ship you to Norilsk in a box.
    19. Re:I continue not caring... by Asic+Eng · · Score: 1

      You are right; however, I think *if* MS would make this sort of thing the default, then most software vendors would adjust. Similarly, MS could provide an "ask for root password before starting the install" mechanism. Once that's there and many users work as non-admin by default, software vendors would start to use it. Otherwise, if their software is difficult to install, they would lose sales.

    20. Re:I continue not caring... by jdunn14 · · Score: 1

      Once that's there and many users work as non-admin by default, software vendors would start to use it.

      Sorry, that'll probably never happen. Most boxes out there are single user (especially in the Windows world), so people do not see the point of running as a non-(root|administrator) user. A couple of guys I work with leave their Linux desktop boxes logged in as root all the time. I cringe every time I see the bright red X desktop. Still haven't gotten around to sending those threatening emails from their accounts yet....

      Unfortunately you'll never teach many home users about security. The computer has to intelligently take care of that itself through default automatic updates (I know, I know, security and stability hole) and forcing the users to behave in a somewhat safe manner. There should always be overrides for such annoying defaults, but as a whole most people treat the devices as appliances. "I don't have to patch my VCR all the time, why should I have to worry about my computer." **cringe**

    21. Re:I continue not caring... by eljasbo · · Score: 1

      but many programs will not run correctly unless installed as the user themselves. This is getting better with newer programs, but multiple users on a Windows box was clearly an added-on afterthought, unlike *nix where multiple users on one box was designed in from the beginning. A common program that clearly stands out is an older version of Palm Desktop. It simply would not work correctly unless you give admin privileges to the user, run the install as the user, and then take away the admin privileges.

      Even Microsoft programs have this problem. I have noticed on more than one occasion that I will run the installer for Office XP as myself, and then when the user goes to run it, it will ask for a disk, even though I did a full install. I have even had it run fine for a user opening the program and editing Word files and such, but when the user tried the 'Save As' command it asked for a disk, yet it would work fine when I ran Word. There is something clearly wrong with this, and Microsoft cannot even make their own products run correctly on a multiple-user machine. Windows XP is trying hard to become a multiple-user machine, but it still seems flaky more often than not. I use 'Run As' for a lot of programs, but some just won't work.

    22. Re:I continue not caring... by Asic+Eng · · Score: 1
      Well the last SuSE installation I used automatically created a user and a root account. Logging in with kdm, user root is not even visible. Given that, it wouldn't even occur to most newbies that they could start a desktop session as root. MS should use the same system.

      Similarly SuSE automatically checks for updates, and if it finds security updates it will display a red "!" in the taskbar.

      I tend to agree that users should not have to patch their computer all the time - unfortunately quality is still rather low in the software field. It should really be up to the software vendors to thoroughly test their products before shipping them. Patches *ought* to be a rare occurrence. :-)

      I think you are right - for the medium term auto-update as default is probably the only way to go.

  13. These have been known about for a LONG time... by tweakt · · Score: 4, Informative
    These were listed on eEye's page as undisclosed critical vulnerabilities affecting upwards of 300 million systems, along with original discovery date, and time since notification. They typically give 30 days, but last I checked it was 90 and 100+ days late. These are over 6 months old I think.

    Sorry, no link because the site seems to be down/slow... it must be linked to from another announcement posted elsewhere.

    1. Re:These have been known about for a LONG time... by Anonymous Coward · · Score: 0

      That's shown by someone else in this thread to be bullshit. Probably you are spreading the same lie over and over again. Why are you so dishonest to even your fellow Slashdot monkeys? I know they want to hear these lies, but then these people will be kicked out of their jobs if the boss finds out that they were lying to him. So, if you want to do something good for them, just tell the truth. Linux is a very insecure system; even Debian people couldn't manage it. Sooner or later your box will be hacked.

  14. There's a market for... by tyrani · · Score: 2, Interesting

    A good, easy to read, consumer grade local port sniffer / analyzer. How hard would it be to build a frontend that reported on "odd" behavior?

    --
    rejected (19) accepted (0)
    Is there a psychological term related to getting your stories rejected on slashdot?
    1. Re:There's a market for... by Carnildo · · Score: 1

      A good, easy to read, consumer grade local port sniffer / analyzer. How hard would it be to build a frontend that reported on "odd" behavior?

      There are any number of consumer "intrusion detection systems". They all suffer from the same problem: in order to convince the end-user that they're working, they report every single intrusion-like activity, making them useless for actual security work.

      --
      "They redundantly repeated themselves over and over again incessantly without end ad infinitum" -- ibid.
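    An added example, written for this page and not taken from the thread or any product, of the kind of "report on odd behavior" front end the parent post asks for, with the noise problem Carnildo describes handled by a baseline: whatever matches the expected set stays silent, and only deviations are reported. The netstat sample is constructed, and the allowlists are assumptions for a stand-alone home desktop of the period; adjust them to the machine being watched.

```python
"""Report 'odd' local network behaviour from netstat-style output.

Added illustration (not from the thread or any product). The sample
output below is constructed, and the allowlists are assumptions for a
stand-alone home desktop; adjust them to the machine being watched.
"""
import re
from collections import namedtuple

Conn = namedtuple("Conn", "proto local_ip local_port remote_ip remote_port state")

# Constructed sample in the layout of Windows `netstat -an` (not a real capture).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:31337          0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1044      192.168.1.1:80         ESTABLISHED
  TCP    192.168.1.10:1045      10.0.0.7:6667          ESTABLISHED
  TCP    192.168.1.10:1046      10.0.0.8:25            ESTABLISHED
  TCP    192.168.1.10:1047      10.0.0.9:8080          ESTABLISHED
  UDP    0.0.0.0:137            *:*
"""

# Assumed baseline: what a stock desktop of the period normally exposes and talks to.
EXPECTED_LISTENERS = {("TCP", 135), ("TCP", 445), ("UDP", 137), ("UDP", 138)}
EXPECTED_REMOTE_PORTS = {80, 443, 110, 995, 143, 993}
# Ports a desktop has little reason to initiate connections to; classic spam-relay/bot signs.
SUSPICIOUS_REMOTE_PORTS = {25: "SMTP (spam relay?)", 6667: "IRC (bot command channel?)"}

LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+|\*)\s+(\S+):(\d+|\*)\s*(\S+)?\s*$")


def _port(text):
    return None if text == "*" else int(text)


def parse_netstat(text):
    """Parse netstat -an style lines; header and blank lines are skipped."""
    conns = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            proto, lip, lport, rip, rport, state = m.groups()
            conns.append(Conn(proto, lip, _port(lport), rip, _port(rport), state or ""))
    return conns


def find_anomalies(conns):
    """Return (severity, description) pairs; silent for anything in the baseline."""
    findings = []
    for c in conns:
        listening = c.state == "LISTENING" or (c.proto == "UDP" and c.remote_port is None)
        if listening:
            if (c.proto, c.local_port) not in EXPECTED_LISTENERS:
                findings.append(("HIGH", f"unexpected listener {c.proto}/{c.local_port}"))
        elif c.state == "ESTABLISHED":
            if c.remote_port in SUSPICIOUS_REMOTE_PORTS:
                why = SUSPICIOUS_REMOTE_PORTS[c.remote_port]
                findings.append(("HIGH", f"outbound to {c.remote_ip}:{c.remote_port} - {why}"))
            elif c.remote_port not in EXPECTED_REMOTE_PORTS:
                findings.append(("LOW", f"outbound to {c.remote_ip}:{c.remote_port} not in baseline"))
    return findings


if __name__ == "__main__":
    for severity, what in find_anomalies(parse_netstat(SAMPLE_NETSTAT)):
        print(f"[{severity}] {what}")
```

    On the constructed sample this reports the listener on 31337 and the outbound IRC and SMTP connections as HIGH, the unknown 8080 connection as LOW, and says nothing about the RPC, SMB and NetBIOS listeners or the web connection, which is the whole point: a tool that only speaks when something leaves the baseline is one a home user will still read.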
  15. "Key" data by Anonymous Coward · · Score: 0

    I hope the key data they steal is not the Ctrl-Alt-Del data, that would be serious!

    A happy penguin!

  16. Excellent! by Trejkaz · · Score: 0, Troll

    Now that the vulnerabilities are known, let's all get to work writing the next Blaster variant!

    --
    Karma: It's all a bunch of tree-huggin' hippy crap!
  17. Service Pack 2 by -tji · · Score: 4, Interesting

    That site with their bulletins also has a link to the XP Service Pack 2 release candidate.. That thing has been in the works for so long. Hopefully it makes some useful improvements in their security.

    It looks like the firewall will basically be a built-in ZoneAlarm, with better inbound abilities, and outbound application controls.

    They also have some buffer overflow protections. Are they good enough to make a difference?

    1. Re:Service Pack 2 by Anonymous Coward · · Score: 0

      In my beta copy there was no possibility to configure rules based on different interfaces ... but perhaps I missed it ... tweak tweak

    2. Re:Service Pack 2 by linusthefish · · Score: 1

      Useful improvements? Such as, say, patching the security holes I can drive trucks through? Seriously, if I had an extra 10KB/s for each insecure line of code, I could be a backbone provider.

    3. Re:Service Pack 2 by JoeShmoe950 · · Score: 1

      Yes, it helps the firewall a lot. It also forces the user to choose or not choose auto-update (great idea), and it modifies IE. IE lets you know when something tries to install itself, and you need to right click and go through some steps. It's not just a simple yes/no dialog that the user always clicks yes on without reading. Helps keep people from getting spyware IMO.

    4. Re:Service Pack 2 by PingXao · · Score: 2, Informative

      Just last night I was rummaging around the MS Windows XP security newsgroup. The new SP2 ICF firewall will NOT challenge outgoing communications. The rules you can set up with it generally apply only to incoming connections. If an application tries to establish a listening port, ICF will challenge that, but outgoing connections aren't controlled.

    5. Re:Service Pack 2 by Anonymous Coward · · Score: 0

      Yeah, it's nice to have all the security patches in one big download.

      But, I think the interesting thing about SP2 is that it is actually supposed to change behavior in some apps & the OS. So, maybe WinXP won't be such a sieve in the future (that's doubtful.. but they can't do much worse than they have thus far).

  18. Yeeeees, *sneak* in by sparkie · · Score: 1

    Yea, the hackers are 'sneaking' in, like a green beret in vietnam, and your data is their buddies, behind enemy lines.

  19. Sorry, but by Anonymous Coward · · Score: 0

    This is no longer news. I'm just not interested anymore. Either auto-patch or move on with your life.

  20. OE exploit? by xpl_the_myst · · Score: 2, Interesting
    What I don't understand about the OE exploit is that it basically results from running HTML code in something called a Local Security Zone of IE. Isn't that a vulnerability in IE itself? That's what I can make out from the article itself:

    An attacker would have to entice users to read a maliciously-crafted HTML e-mail message or use IE to surf to a malicious Web site to grab control of the PC ...

    --
    This sig is empty.
    1. Re:OE exploit? by Anonymous Coward · · Score: 0

      Isn't that a vulnerability in IE itself?

      Not necessarily. IE is just the browser, but it does not dictate the context in all cases. Hard to say without knowing how IE works, but it appears that the OS, or the calling program, might set the context depending upon where things are located. IE is probably doing what MS programmed it to do, but OE is telling IE the site should have the wrong permissions. Truthfully this looks more like a bad design to me - IE should verify everything it tries to open (like, is this page really on the company intranet, etc.).

    2. Re:OE exploit? by jonadab · · Score: 1

      > What I don't understand about the OE exploit is that it basically results
      > from running HTML code in something called a Local Security Zone of IE.

      There's a lot of technical mumbo jumbo, but the long and short of it is, OE
      takes whatever data anybody sends you by email and mostly trusts it. Normal
      mail clients don't trust the data at *all*; they just store and display it.
      If you want to see an excellent example of a user-friendly mailreader that
      gets this right, try Pegasus Mail. It's freeware, it's pretty featureful,
      and if you want to use it to catch a virus, you have to jump through hoops.
      (Specifically, you have to click on Attachments, select the executable virus
      attachment, click the Save button; a dialog box pops up with the word VIRUS
      in the title and a big nasty exclamation point, warning that the attachment
      is executable and could be a virus. You have to click Okay (the default is
      Cancel), and then a normal Save As dialog comes up, so you can pick where to
      save it and (if desired) change the filename. Then you have to open the
      folder where you saved it and double click on the executable file that you
      saved.)

      You only have to jump through this type of hoops for executable stuff.
      Images and HTML are displayed inline (although you can turn these features
      off in the options if desired).

      --
      Cut that out, or I will ship you to Norilsk in a box.
  21. Windows Critical Vulnerabilities by rdsmith4 · · Score: 1
    Windows Critical Vulnerabilities come every few weeks...doubtless they'll get them all in time.

    By time they finish perfecting XP, Longhorn will be about ready for testing (i.e. release on an unsuspecting world of Joe Users, to be followed by a vast number of Critical Updates).

    1. Re:Windows Critical Vulnerabilities by WhiteWolf666 · · Score: 5, Funny

      Finish perfecting XP?

      Are you kidding??

      They need to finish perfecting 95 first, then start to get 98/SE/ME done, then get 2000 out of beta, then try and desperately lockdown XP.

      Seriously, MS operating systems never get finished. . . .

      They simply get discarded.

      --
      WhiteWolf666 an exBush supporter. All you new-school,compassionate,save the children Republicans can rot in hell
    2. Re:Windows Critical Vulnerabilities by betelgeuse-4 · · Score: 1

      " Seriously, MS operating systems never get finished. . . ." No non-trivial piece of software is ever finished. There are always bugs to fix, features to add or optimizations to be performed.

    3. Re:Windows Critical Vulnerabilities by deathazre · · Score: 1

      Here's where we're hitting a problem with two meanings for critical.
      Not all "critical updates" are ranked as critical. It so happens that six of the 14 (from what I've heard) are considered critical by Redmond, and that's the highest they have.

      --
      Karma: Negative (Mostly affected by dorm trolling)
    4. Re:Windows Critical Vulnerabilities by LochNess · · Score: 1

      By time they finish perfecting XP

      Some of the vulnerabilities are present in Windows NT 4.0, which has been out for almost 10 years, so I doubt they'll ever get close to "perfecting" XP.

    5. Re:Windows Critical Vulnerabilities by Anonymous Coward · · Score: 0

      There are always bugs to fix, features to add or optimizations to be performed.

      bugs to fix hahaha ROTFL! Notice that some of the 20 security patches just fixed have existed since NT 4.0! Yeah, they probably got 'em all this time (chuckle)

      The precise problem with features to add is that each new "feature" from Microsoft carries along a whole buncha new vulnerabilities! XP, as far as I am concerned, was a lot buggier than Win2k precisely because of all the new "features" (nothing I wanted or needed).

      As for optimizations to be performed, each new release of Windows requires more CPU, more memory and more hard disk. The only optimizations being performed are to Microsoft's bottom line.

      Unless and until Microsoft starts to treat QA as something more than a drain on the bottom line, this is going to be commonplace and MS operating systems will be a trivial piece of software; already finished in my book!

    6. Re:Windows Critical Vulnerabilities by Tantrum420 · · Score: 2, Insightful

      >Seriously, MS operating systems never get finished. . . .

      You prolly coulda left off the 'MS'. What (significant) operating system built in the last 15 years has been completely finished?

      T

    7. Re:Windows Critical Vulnerabilities by GAlain · · Score: 1
      You prolly coulda left off the 'MS'. What (significant) operating system built in the last 15 years has been completely finished?
      OpenVMS
  22. i believe i speak for us all when i say by LordMyren · · Score: 0, Flamebait

    who gives a rats ass?

    1. Re:i believe i speak for us all when i say by Welsh+Dwarf · · Score: 1

      And I'll answer: all the Slashdotters who run Windows....

      --
      Ask 8 slackers a question, get 10 answers (a citation, but I can't remember from who)
    2. Re:i believe i speak for us all when i say by Anonymous Coward · · Score: 0

      How about: all the people who support those who run Windows?

  23. 14 new Linux advisories Just this week !!! by Anonymous Coward · · Score: 0

    http://www.linux.com/article.pl?sid=04/04/09/1243253

    This week, advisories were released for the Linux kernel, interchange, fte, sysstat, oftpd, squid, heimdal, tcpdump, portage, kde, tcpdump, sysstat, ClamAV, Automake, and mplayer. The distributors include Debian, Gentoo, Mandrake, and Turbolinux.

    Recently, I stumbled across a relatively new tool called AFICK. It stands for Another File Integrity CHecker. It is similar to both Tripwire and AIDE. AFICK is GPLed and completely written in Perl. It is extremely flexible and has been tested on a wide range of Linux, Windows, and Unix systems. According to the AFICK project website, it has a decent performance advantage over AIDE. However, I have not independently verified this. If you're looking for a new toy to play with, I recommend giving it a try.

    Installing and using AFICK is a piece of cake. The core piece of code is command line based. A Perl-based GUI and a Webmin module are also available for easy administration. AFICK is available as an independent tar.gz, zip, RPM, and Debian package. It is a good idea to take a look at the afick.conf file before attempting to execute the script.

    AFICK can be used with only a few simple commands. To use AFICK, an OS configuration file must be specified and then your system initialized. This can be done with the following command:

    http://www.linux.com/article.pl?sid=04/04/09/1243253

    http://www.google.com/press/zeitgeist.html
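    The pasted article above breaks off before the AFICK initialisation command, and that gap is left as it is. As an added example of what any checker in this family (Tripwire, AIDE, AFICK) does under the hood, here is a small stand-alone integrity checker written for this page; it is not AFICK's code, and the `init`/`check` subcommands, the JSON baseline format and the sample tree that `demo()` builds are assumptions.

```python
"""Minimal file-integrity checker in the spirit of Tripwire, AIDE and AFICK.

Added illustration written for this page, not AFICK's code: the baseline
format, the init/check commands and the sample tree built by demo() are
all assumptions. Run `python fic.py init ROOT DB` once on a known-clean
system, store DB somewhere the box cannot overwrite (read-only media or
another host), then `python fic.py check ROOT DB` on a schedule.
"""
import hashlib
import json
import os
import stat
import sys


def _sha256(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """Record size, permission bits and SHA-256 of every regular file under root."""
    db = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):
                continue  # symlinks, sockets, devices: not hashed here
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            db[rel] = {"size": st.st_size,
                       "mode": oct(stat.S_IMODE(st.st_mode)),
                       "sha256": _sha256(full)}
    return db


def compare(baseline, current):
    """Report files that appeared, vanished, or whose size/mode/hash differ."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "changed": sorted(p for p in set(baseline) & set(current)
                          if baseline[p] != current[p]),
    }


def demo():
    """Constructed sample: baseline a tiny tree, tamper with it, return the diff."""
    import shutil
    import tempfile
    root = tempfile.mkdtemp(prefix="fic-demo-")
    try:
        def put(rel, data):
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as f:
                f.write(data)
        put("bin/ls", b"#!/bin/sh\necho ls\n")
        put("etc/passwd", b"root:x:0:0::/root:/bin/sh\n")
        put("etc/hosts", b"127.0.0.1 localhost\n")
        baseline = snapshot(root)
        # Tamper: same-size replacement of a binary (a size check alone would miss it),
        # a deleted config file, and a new hidden file.
        put("bin/ls", b"#!/bin/sh\necho xx\n")
        os.remove(os.path.join(root, "etc", "hosts"))
        put("tmp/.rootkit", b"\x7fELF")
        return compare(baseline, snapshot(root))
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    if len(sys.argv) == 4 and sys.argv[1] == "init":
        with open(sys.argv[3], "w") as f:
            json.dump(snapshot(sys.argv[2]), f, indent=1, sort_keys=True)
    elif len(sys.argv) == 4 and sys.argv[1] == "check":
        with open(sys.argv[3]) as f:
            result = compare(json.load(f), snapshot(sys.argv[2]))
        for kind, paths in result.items():
            for p in paths:
                print(f"{kind}: {p}")
        sys.exit(1 if any(result.values()) else 0)
    else:
        print(demo())
```

    The caveat that matters with every tool of this kind: if the baseline lives on the monitored box where root can write it, whoever has already compromised the box simply re-runs `init` and the next check is silent. Keep the database on read-only media or another host, and treat a check that finds a changed checker script or baseline as a compromise, not a false positive.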

    1. Re:14 new Linux advisories Just this week !!! by Anonymous Coward · · Score: 0

      Are most of those programs core to, and 'integrated' with, the Linux kernel, like IE, OE, etc.? Nope.

    2. Re:14 new Linux advisories Just this week !!! by Anonymous Coward · · Score: 0

      Most of these programs run as root or setuid root and are even more problematic than the Windows virii

      You are an asswipe... film at 11

    3. Re:14 new Linux advisories Just this week !!! by Anonymous Coward · · Score: 0

      Outlook Express isn't integrated with the kernel. There is even a Microsoft Knowledge Base article describing how to remove it.

      Granted it should be removable in Add/Remove Programs but isn't. But the point is that OE isn't integrated.

    4. Re:14 new Linux advisories Just this week !!! by shaitand · · Score: 1

      First of all, your on crack, most of those programs don't run as root out of the box, don't recommend running as root in the installation documentation, or at least are configured not to run as root by every distribution which is even vaguely popular.

      In addition, only one thing there has anything to do with a Linux vulnerability: the kernel. The rest are user application software even if they were running as root. If root executes vi then it's running with root privileges; that hardly makes it part of the OS aka kernel.

    5. Re:14 new Linux advisories Just this week !!! by Anonymous Coward · · Score: 0

      It's you're ... you stupid raghead.

    6. Re:14 new Linux advisories Just this week !!! by bot24 · · Score: 1

      First, I hate how everybody is listing Gentoo as having the flaws; the flaws are just discovered by Gentoo usually. They do have some patches, but they aren't known to introduce bugs. They are doing everybody a favor by reporting these, and then people make it look like it's a Gentoo-specific bug.

      Most of those vulnerabilities are already patched or were discovered in obsolete software (like KDE 3.1). Gentoo is actually more secure because you can quickly update all your software with two commands.

      Also, who cares if you can DoS yourself with iptools? That would be more user error than exploit (especially as I believe that you need root permissions to do so).

  24. Is Microsoft just stupid? by bigattichouse · · Score: 2, Interesting

    1) patch the OS, since no one can see it, with a bit of code to "simulate" a buffer overrun... in actuality it reports back to MS home office the IP address of the affected machine. Call it a "straw man" flaw
    2) release a patch for other problems and have this new item go with the patch
    3) release a "known flaw".. wait for the first few reports of the flaw
    4) show up at the butthead's house with a few large baseball bats
    5)??
    6) profit!

    --
    meh
    1. Re:Is Microsoft just stupid? by Anonymous Coward · · Score: 0

      stupid to waste bandwidth on all the downloads? yes, very stupid.

      and comments like that get modded up....

  25. Re:More than three by Proud+like+a+god · · Score: 5, Informative

    Are Windows 98, Windows 98 Second Edition, or Windows Millennium Edition critically affected by any of the vulnerabilities that are addressed in this security bulletin?
    No. None of these vulnerabilities are critical in severity on Windows 98, on Windows 98 Second Edition, or on Windows Millennium Edition.


    Another reason for home users and gamers to stick with 98SE. Obviously most businesses aren't so lucky. :-S

  26. They don't sound all that bad by Anonymous Coward · · Score: 0

    SQL queries and email links, bah. Who cares. No worms will exploit these ones; move along.

  27. good work practice by Anonymous Coward · · Score: 0

    letting off steam -> happier worker -> more productive

  28. Windows update server is running kind of slowly by Igottapoop · · Score: 5, Funny

    I think we /.ed microsoft!!

    1. Re:Windows update server is running kind of slowly by Sporkinum · · Score: 0, Redundant

      Yep.. looks like Windows Update is Slashdotted.

      --
      "He's lost in a 'floyd hole"
    2. Re:Windows update server is running kind of slowly by WuphonsReach · · Score: 1

      I think we /.ed microsoft!!

      Dream on... Windows Update was pretty much hosed over an hour ago. (Which was about 30 minutes after I got the e-mail from our hosting service about the latest update.)

      --
      Wolde you bothe eate your cake, and have your cake?
    3. Re:Windows update server is running kind of slowly by Anonymous Coward · · Score: 0

      Oh, that's what happened. I set Konqueror to identify itself as IE on Windows XP and went to the site (I really am that curious). I just figured nothing happened because MS realized it wasn't really IE.

    4. Re:Windows update server is running kind of slowly by Anonymous Coward · · Score: 0
      I think we /.ed microsoft!!

      Now might be a good time to grab that 23M .Net update and Media Player 9, weighing in at 10M.

  29. Won't announcing vulnerabilities cause exploits? by David+Hume · · Score: 5, Interesting
  30. Re:Linux is still less secure. by kinzillah · · Score: 1

    and this has happened when?

    --
    Douglas P. Price
  31. Maybe... by psi42 · · Score: 1

    Maybe if MS manages to generate enough panic with its exponentially growing number of remote security exploits, it can get some support for mad Palladium.

    I wouldn't be at all surprised.

    --
    Defenestrate Windows...
    1. Re:Maybe... by MonTemplar · · Score: 1

      Uh-huh. And I wouldn't be surprised if you were wearing an aluminium-foil hat while typing the above... :)

      -MT.

      --
      -MT.
    2. Re:Maybe... by psi42 · · Score: 1

      Come on. Everyone knows the hat's gotta be plated with lead and ceramite for it to be of any use... :)

      --
      Defenestrate Windows...
  32. Re:More than three by Proud+like+a+god · · Score: 2, Informative

    That is, wrt bulletins MS04-011, MS04-012 and MS04-014.

    Of course MS04-013 is about Outlook Express so you may still be vulnerable on these OSs.

  33. Meh. by amalcon · · Score: 1

    My windows box is behind a nice little NAT device, in addition to ZoneAlarm. No virii on the router because it's all firmware. No virii on the win box because no unrequested traffic ever gets to it. ZoneAlarm is just there so that if someone else is ever using it, and does the stupid, I can turn off the spyware/spam relay/ddos without having to hunt it down in 50 places.

    --
    -Amalcon
    1. Re:Meh. by Anonymous Coward · · Score: 0

      yes, just keep telling yourself you're safe

    2. Re:Meh. by cpghost · · Score: 1

      Are you sure that you're secure, just because your router uses firmware? Most firmware is stored in flash memory nowadays, and I've already seen exploits upload their own code to some of those nice NAT boxes. By doing a bit of research on bugtraq or other full-disclosure mailing lists, you'll quickly dig up a few announcements... Now, how often do you update your firmware?

      --
      cpghost at Cordula's Web.
    3. Re:Meh. by Anonymous Coward · · Score: 0

      My windows box is behind a nice little NAT device, in addition to ZoneAlarm. No virii on the router because it's all firmware. No virii on the win box because no unrequested traffic ever gets to it.

      Ok, great, no one can get in.

      If you have DirectX installed, guess what happens when you visit a web page using IE that contains embedded media. You can easily embed a virus in a midi file.

      Older and forgotten technologies make the best exploits. Don't be so confident about your network until you sniff it. You can still get attacked from the inside out.

      -Joe

    4. Re:Meh. by amalcon · · Score: 1

      Visit a web page using IE? Why would anyone ever do that?

      My system is secure as long as I'm not stupid...

      --
      -Amalcon
    5. Re:Meh. by MonTemplar · · Score: 3, Insightful

      Yeah, but if you applied the patches, most of the malware wouldn't even get as far as tripping up ZoneAlarm.

      Anyway, if the malware turns around and decides to trash your PC instead, what are you going to do then? Won't look so smug, that's for sure, especially if you've not backed your important stuff up recently.

      I've got a NAT/firewall attached to my broadband at home, but I still run Norton Antivirus, and practice safe hex. You need to keep your grey matter up to date as well, you know...

      -MT.

      --
      -MT.
  34. Why should we be surprised? by scooby111 · · Score: 1

    Not only is this not a surprise, it's a non-starter.

    So what? There were several new vulnerabilities that were identified by Microsoft before there were any exploits for them. Microsoft has also owned up to the fact that the exploits exist at all. Sounds to me like their new focus on security is working correctly.

    Yes, they are severe problems for a home user if they don't get patched, but most networks aren't really in jeopardy at all unless they aren't running some sort of network security. I can patch my servers at my leisure and reboot whenever I have time.

    My only complaint is that the windows update site has been running quite slowly today.

  35. New Rule by Monkelectric · · Score: 1
    I'm sick of seeing security articles for laymen talking about the CONSEQUENCES of vulnerabilities. There are really only a few kinds of bugs, and of those kinds, 90% are "Stack Overflow" and another 9% are "Privilege Escalation", and pretty much everything else fits into that 1%.

    So what I'm saying is, we don't need to sensationalize stack overflow bugs because they're as old as time, more or less.

    --

    Religion is a gateway psychosis. -- Dave Foley

    1. Re:New Rule by shaitand · · Score: 4, Informative

      I think your numbers are a bit screwed; I suppose if you're looking at computing in general you're probably exaggerating a bit, but the concept is right.

      However, when looking at Microsoft vulnerabilities it's a different story: they are extremely varied, generally because they are due to a lack of consideration when coding and extremely poor structure and design. For instance, ActiveX: it's a security flaw, and 90% of the sub-flaws reported in it are there because the flaw itself is poorly designed (hence why it's a flaw). Rather than fix the problem (a redesign or elimination of ActiveX), they create a patchwork changing this or that detail of how it functions.

  36. same old news by bwy · · Score: 0, Offtopic

    Slashdot posts these stories every couple of days. Does anybody really care? I never read the articles. Why bother? I've got better things to talk about at the water cooler or at lunch than the latest security hole in Windows. Maybe if I were a security expert, I'd find this kind of thing interesting. I don't. Do you?

    1. Re:same old news by geekoid · · Score: 1

      We know you don't read the articles, but they're just 'code' for stories that are actually talking about you.

      oopsy

      --
      The Kruger-Dunning effect explains most posts on /. http://en.wikipedia.org/wiki/Dunning%E2%80%93Kruger_effect
  37. Related to the MS Source leak by gavinjolly · · Score: 1

    Are any of these new Critical Fixes related to the recent MS source code release/leak?
    Were any known about in-house but not fixed?
    Now that they are less obscure, MS must do something about them.

    --

    The weather's here - Wish you were beautiful

  38. I don't even patch this crap anymore by Anonymous Coward · · Score: 0

    I've given up trying to keep a Windows box secure. I do it through other means.

    First, I adopt the concept that my Windows desktop is fundamentally insecure. This mindset in itself saves a lot of aggravation.

    Second, Eudora makes a great alternative to Outlook.

    Third, I firewall the thing off (even at home) using OpenBSD, which is damn near impenetrable.

    As for work clients ... well, I'm just glad I got out of desktop support a long time ago... Now I'm a security engineer, so I just have to focus on the big picture, and not all of the annoying users who clicked the one thing they've been told not to 87 times.

    When I patch my winblows systems it's usually for something major and of enough note to be worth the exercise. Otherwise, I simply have better things to do than keep up with Redmond's inability to get it right.

  39. Slashdotted by Milo+Fungus · · Score: 1

    Windows Update is getting a bit slow. Can someone set up a mirror? The link at this page doesn't seem to be working.

    1. Re:Slashdotted by nacturation · · Score: 3, Funny

      I found a mirror at http://www.w1ndowsupdate.ru/update.scr. I guess this must be Microsoft's Russian offices?

      --
      Want to improve your Karma? Instead of "Post Anonymously", try the "Post Humously" option.
    2. Re:Slashdotted by acgetchell · · Score: 1

      Sure ... I'd rather get my security patches from an unknown source ...

      --
      "Invincibility is in oneself, vulnerability in the opponent." --Sun Tzu
    3. Re:Slashdotted by MachineShedFred · · Score: 1

      Yup. Definitely a Microsoft website. It doesn't work in Safari.

      --
      Slashdot still doesn't support Unicode after it was added to the HTML standard in 1997.
  40. I hate all of you by RevDobbs · · Score: 5, Funny

    So, "We only use Linux" cries the slashdot crowd...

    Then why the hell is windowsupdate.microsoft.com slashdotted? You bastards.

    1. Re:I hate all of you by Anonymous Coward · · Score: 1, Funny

      "You must be running a Microsoft Windows operating system in order to use Windows Update."

      Damn. That always happens to me when I try to run Windows Update. I don't understand it. Someone help.

    2. Re:I hate all of you by Tantrum420 · · Score: 1

      >Then why the hell is windowsupdate.microsoft.com slashdotted? You bastards.

      W32.MS_SlashBlaster.Worm ?

      Just a thought...
      T

  41. Actually.. by theobscurest · · Score: 2, Informative

    ..Microsoft recently (last Fall I think) changed their critical update release schedule to coincide with the second Tuesday of each month to supposedly take some of the workload off of the sysadmins. Thus, today is the day.

    However, as a sysadmin I still have mixed feelings about this. If something is a critical vulnerability, I think a patch needs to be released as soon as it becomes available. At the same time, it's a real pain in the butt to have to go around to hundreds of computers to make sure auto update is actually doing its job. More specifically, the last time I checked machines to see if they were auto-updating, at least a third of them weren't even though they are always on and set up to do so. Not to mention the machines that fatally crash due to windows updates..

  42. You know, by warrax_666 · · Score: 5, Insightful

    there is a difference between REMOTE ROOT exploits and LOCAL PRIVILEGE-ESCALATION exploits. But then, you just wanted to appear clever, didn't you?

    --
    HAND.
    1. Re:You know, by bonch · · Score: 0, Flamebait

      Or, you could read farther than the past 15 vulnerabilities. :P I've seen plenty of remote root exploits.

      Besides, local privilege escalation exploits are up there as being just as bad in my book.

      Nothing's perfect--it's all in how it's reported. On Slashdot, it's spun so that Windows is portrayed as hole-ridden and Linux is pristine. That's simply not the case, and that's what I was pointing out--both the non-pristine and the spin that hides it.

    2. Re:You know, by finkployd · · Score: 4, Funny

      Besides, local privilege escalation exploits are up there as being just as bad in my book.

      I can't think of a nice way to say this...

      Your book sucks. :)

      Finkployd

    3. Re:You know, by gad_zuki! · · Score: 3, Insightful

      >Besides, local privilege escalation exploits are up there as being just as bad in my book.

      Exactly. A lot of good that firewall does when your coworkers click on an email attachment that sails right through the firewall.

    4. Re:You know, by Tantrum420 · · Score: 1

      >>Besides, local privilege escalation exploits are up there as being just as bad in my book.

      >I can't think of a nice way to say this...
      >
      >Your book sucks. :)
      >
      >Finkployd

      Why? Maybe you're just trolling here, but I don't see why you'd think that. Remote root exploits get you "everything" _now_. Privilege escalation exploits get you nearly the same result.

      This is particularly true in the Windows world. Setting up (functional) local user rights is a pain in the ass. It seems like the most that the majority of these exploits get used for are just Scriptk1ddies installing root kits to launch their Warez sites, IRC bots, or just some kind of bounce box to hide in. You don't need true root privileges for any of that.

      --Then again, what do I know?
      T

    5. Re:You know, by Anonymous Coward · · Score: 0

      Maybe he did, but you just couldn't resist exposing yourself as another slashdot monkey, didn't you? Saying 2*2=4 doesn't mean you want to appear clever, that's more about stating the obvious facts to those liars and idiots.

    6. Re:You know, by Deviate_X · · Score: 1

      Actually there are a couple of remote-type vulnerabilities listed... look closer.

    7. Re:You know, by halowolf · · Score: 1
      Unless of course your firewall disables the mail attachment as it goes through, as does mine.

      I'm not trying to be a troll, I'm just saying that some firewall products do more than just firewall. I have successfully used common sense and a firewall to protect myself from viruses and other threats that plague my family and friends. Oh, I also don't use Outlook or IE unless I damn well have to :)

      ZoneAlarm Pro does annoy me every now and then, but I have yet to find a replacement that doesn't annoy me more.

      Plus there are anti-virus products that won't let users run an infected attachment (and alert tech support if you try), so if there are users out there punishing you by clicking on every infected attachment in a mail then a product like that may just be for you...

    8. Re:You know, by finkployd · · Score: 3, Informative

      To do local privilege escalation you need to have a local user account no? Remote exploits let the whole world in.

      Finkployd

    9. Re:You know, by Chuck+Chunder · · Score: 4, Insightful
      You don't need true root privileges for any of that.
      Indeed, that's why remote exploits are more annoying in many cases than local ones. People in general don't have much of a motive to want root on a machine they have access to; they can usually pretty much do what they want already. In many environments privileges etc. aren't there for "hard" security reasons but merely to protect the system and users from unintentional harm from other users.

      For remote exploits, root or otherwise, it only takes one numbnut to code a self-propagating exploit and anyone and everyone is in the firing line.
      --
      Boffoonery - downloadable Comedy Benefit for Bletchley Park
    10. Re:You know, by cheezit · · Score: 0, Offtopic

      Love your sig..."if you want to age 20 years in a blink, think conservative!" Does it still apply to liberal 70-year olds?

      --
      Premature optimization is the root of all evil
    11. Re:You know, by jwkane · · Score: 1

      15 recent vulnerabilities posted in the last 6 days across all linux distros.

      Of the 15, really 14, since 2 are dupe reports of the same exploit in the Gentoo compile of Scorched Earth 3D. (Oh no, exploit exploit!)

      If you _could_ find out how many bugs were discovered in the same period of time that could in theory be exploitable in any Windows applications, I have little doubt it would be far greater than 14 due to the pure volume of Windows applications.

      The fundamental factor you aren't addressing is the ease with which a typical programmer can develop good bug-free non-exploitable code.

    12. Re:You know, by Tantrum420 · · Score: 1

      >To do local privilege escalation you need to have a local user account no? Remote exploits let the whole world in.

      Sure... but local user accounts are usually a dime a dozen.

      If you're targeting a particular system, a phone call can usually get you a password reset or some sort of guest account. If that doesn't work, it might take a little more effort to recon it for a user account but an account name at least is usually available.

      If you're out "shopping" for any old WinBoxen that will do, a simple SNMP query across an IP scope will turn up a good number of public IP'd machines that are more than happy to tell you all about their local users (and much, much more).

      Then, of course, there's good old fashioned guesswork... It's amazing how often people have the same password as their user name, or just use their last name, or the town they live in, or no password at all... Sure, administrators usually lock that stuff down but not very many cablemodem users with Windows Me have an administrator...

      C:\> net use f: \\XX.XX.XX.XX\c$
      The password is invalid for \\XX.XX.XX.XX\c$

      Enter the user name for 'XX.XX.XX.XX': XX.XX.XX.XX\Bill
      Enter the password for 10.10.5.101: ****
      The command completed successfully.

      or (my favorite)...
      Enter the user name for 'XX.XX.XX.XX': XX.XX.XX.XX\administrator
      Enter the password for 10.10.5.101:
      The command completed successfully.

      (note the lack of asterisks in the password prompt)

      Once you have some local user's account (admittedly, not always trivial but not usually difficult) it might as well be a remote root exploit, anyway.

      My $0.05 (keep the change),
      T

    13. Re:You know, by Ckwop · · Score: 3, Interesting

      Hmm, your threat model should include people who have a local user account?

      I mean, do the l33t|sts just give up trying to get a valid user account?

      What about the disgruntled employee who wants to waste some time by destroying his own PC?

      Simon.

    14. Re:You know, by Anonymous Coward · · Score: 0

      If your coworkers have to click something, it's not a privilege escalation exploit, your coworkers are giving the privileges. That's why I modded this as overrated.

    15. Re:You know, by finkployd · · Score: 1

      Yes, I know it is bad. My only point is that it is not as bad as remote root exploits.

      Finkployd

    16. Re:You know, by finkployd · · Score: 1

      Yes, I know it can be bad. My only point is that it is not as bad as remote root exploits.

      Finkployd

    17. Re:You know, by HiThere · · Score: 1

      I've often wondered about that...
      It seems to me that a local privilege escalation is sufficient in many cases to allow even a moderately subtle trojan to root the machine. Say one that disguised itself as a shell script to do something else... you'ld need to pack it into a tarball or some such, and have it unpack to replace a script run frequently, such as at logout?... a script run at logon would be too obvious, but I'm not aware of what scripts, if any, get run at logout.

      Still, perhaps it could modify a vanilla .bashrc file by appending to it. Most users wouldn't notice, as most don't modify the .bashrc. And that's a user writeable file that seems to not need special permissions. This would allow a local privilege escalation to be remotely exploitable, if only via social engineering.

      Therefore, a local privilege escalation is a very serious remotely exploitable danger. The benefit is that something like this could only spread slowly, since it depends on a file being downloaded and unpacked. It might even depend on the file being unpacked in the ~ directory (I've never tried building a tar with an unpack link to ~/xxx, so possibly it can't be done. Perhaps the only danger is when you are intentionally installing software.

      But I don't know, so I worry a bit.

      --

      I think we've pushed this "anyone can grow up to be president" thing too far.
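      The scenario HiThere wonders about above (an archive that unpacks somewhere it should not and lands on a dotfile such as ~/.bashrc) is something an extraction routine can vet up front. The Python below is an added example, not code from this thread: it builds a constructed sample tarball in memory and checks every member against a hypothetical extraction root (/srv/extract) for ".." traversal, absolute names, links that point outside the root, and writes that pass through a symlink the archive itself declared earlier.

```python
from __future__ import annotations

import io
import os
import tarfile

# Hypothetical extraction root used throughout this example.
EXTRACT_ROOT = "/srv/extract"


def _escape_reason(member: tarfile.TarInfo, root: str,
                   declared_links: set[str]) -> str | None:
    """Return why `member` is unsafe to extract under `root`, or None if fine.

    `root` must already be an absolute, realpath-normalised directory and
    `declared_links` the normalised names of symlinks seen earlier in the archive.
    """
    # 1. Where would this member land?  Absolute names and ".." components are
    #    both caught by comparing the resolved path against the root.
    target = os.path.realpath(os.path.join(root, member.name))
    if os.path.commonpath([root, target]) != root:
        return "path escapes the extraction root"

    # 2. A symlink created by an earlier member does not exist on disk yet, so
    #    realpath() cannot see it; reject anything written through one instead.
    parts = os.path.normpath(member.name).split(os.sep)
    if any(os.sep.join(parts[:i]) in declared_links for i in range(1, len(parts))):
        return "path passes through a symlink declared earlier in the archive"

    # 3. Links must also point inside the root.  A symlink target is relative to
    #    the link's own directory, a hardlink target to the archive root.
    if member.issym() or member.islnk():
        base = os.path.dirname(target) if member.issym() else root
        link_target = os.path.realpath(os.path.join(base, member.linkname))
        if os.path.commonpath([root, link_target]) != root:
            return "link target escapes the extraction root"

    # 4. Devices and FIFOs have no business coming out of an untrusted archive.
    if member.isdev():
        return "special file"
    return None


def check_archive(data: bytes, dest: str = EXTRACT_ROOT) -> dict[str, str]:
    """Vet every member of an in-memory tar archive before extracting anything.

    Returns {member name: reason} for members that must not be extracted;
    an empty dict means extractall(dest) would stay inside dest.
    """
    root = os.path.realpath(dest)
    declared_links: set[str] = set()
    unsafe: dict[str, str] = {}
    with tarfile.open(fileobj=io.BytesIO(data), mode="r") as tar:
        for member in tar.getmembers():
            reason = _escape_reason(member, root, declared_links)
            if reason:
                unsafe[member.name] = reason
            if member.issym():
                # Record it even when it was rejected: a later member could
                # still try to write through it, and that must be flagged too.
                declared_links.add(os.path.normpath(member.name))
    return unsafe


def build_sample_archive() -> bytes:
    """Constructed sample: one benign file plus four hostile members."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        def add_file(name: str, payload: bytes) -> None:
            info = tarfile.TarInfo(name)
            info.size = len(payload)
            tar.addfile(info, io.BytesIO(payload))

        add_file("pkg/README", b"harmless\n")
        # ".." traversal: would land on the dotfile one level above the root.
        add_file("../.bashrc", b"# appended by a hostile tarball\n")
        # Absolute path: ignores the extraction directory entirely.
        add_file("/etc/profile", b"# overwrites a system file\n")
        # Symlink escaping the root, followed by a write through that symlink.
        link = tarfile.TarInfo("pkg/home")
        link.type = tarfile.SYMTYPE
        link.linkname = "/home/victim"
        tar.addfile(link)
        add_file("pkg/home/.bashrc", b"# would land in /home/victim/.bashrc\n")
    return buf.getvalue()


if __name__ == "__main__":
    for name, why in check_archive(build_sample_archive()).items():
        print(f"REJECT {name!r}: {why}")
```

      Since Python 3.12 (and the patched 3.8+ point releases) the standard library's `extractall(path, filter="data")` applies checks of this kind itself; the function above is the same idea spelled out so the individual cases are visible.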
    18. Re:You know, by Dalcius · · Score: 1

      Local exploits allow in-company users to crack things. Here you get rootkits and the like as a result.

      But with remote exploits, anyone can get in. Here you get automated rootkit scripts, viruses/worms/trojans, etc.

      Which has done more damage in the past 3 years?

      Local exploits are very important... but to put them on the level with remote exploits is inane.

      Cheers

      --
      ~Dalcius
      Rome wasn't burnt in a day.
  43. Agenda at play by bonch · · Score: 0, Insightful

    It's funny how, despite security advisories constantly being announced for Linux distros at places like Linuxsecurity, and also break-ins to Savannah, Gentoo, Debian, Gnome, GNU...hell, I can't keep track of them all...Slashdot still falls over itself posting "Microsoft Critical Vulnerabilities" fast enough. One would be naive to pretend there isn't an implied agenda--which is to say "Look! Windows still isn't secure! In your face, Bill!" It's silly because Linux is no better--and according to that study Slashdot posted a couple of months back, Linux is the most-breached operating system anyway.

    Moral of the story--nothing is secure, every OS releases security patches (Linux has even had to update for outright kernel exploits), and sysadmins who keep systems up to date are the key. Stop the agenda BS. We know you editors don't like Windows.

    1. Re:Agenda at play by Anonymous Coward · · Score: 0

      even if everything you just said is true, what's wrong with that?

      no one's trying to hide the fact that slashdot is targeted to the open source community, of which microsoft is not a part and moreover is publicly fighting against.

      if you don't consider yourself part of that group or don't agree with its philosophies, then you simply shouldn't post/be here.

    2. Re:Agenda at play by jrockway · · Score: 1

      YOU have the choice to read slashdot. Don't like it? Don't let the door hit you on the way out!

      Yeah, we like reading about why M$ sucks. Sorry if you're not smart enough to see why M$ is a problem. Your loss.

      --
      My other car is first.
  44. The uptime game is not for Windows admins by Anonymous Coward · · Score: 0

    I do enjoy watching the huge uptimes on my Linux and FreeBSD servers, but I don't even bother trying for long uptimes with our Windows servers. In fact, if Microsoft actually goes more than a couple weeks without requiring me to patch something, I tend to go ahead and reboot them anyway just to be safe.

    Yeah, this statement will be considered inflammatory by some people, but I'm not joking. I highly recommend against trying for long uptimes on production Windows servers!

  45. Re:More than three by dj245 · · Score: 5, Funny
    The number of the vulnerabilities shall be 3. 3 shall be the number of the vulnerabilities, the number of the vulnerabilities shall be 3....

    Actually, according to the article there aren't just three vulnerabilities. There are 20 separate vulnerabilities in Windows and Outlook Express, 8 of which are critical, and 16 of which are remotely exploitable.

    HOLY #*&$*!!! /me patches like mad

    The people who previously expressed the number of vulnerabilities as 3 have been sacked. In a separate sacking, the person responsible for bundling downloads for Windows and Outlook Express separately, thus making even more confusion, has also been sacked.

    The person responsible for not defining all remotely exploitable vulnerabilities as critical has also been sacked.

    As this is a /. joke, and nobody at microsoft has actually been sacked, the writer of this post has also been sacked, having failed in actually sacking the previously aforementioned sacked.

    --
    Even those who arrange and design shrubberies are under considerable economic stress at this period in history.
  46. mod parent +funny! by harveyswik · · Score: 2, Funny

    please? :-)

  47. Windows Says: by AvantLegion · · Score: 4, Funny
    "Fuck you, Mac. You think you got exploits? You ain't got SHEEIT, son! Go play with your dollies, leave security holes to Daddy."

  48. Announcements = Security Risk? by Amon+CMB · · Score: 1

    Do these announcements of security patches not alert hackers and virus authors to capitalize on them? It's alerting criminals to the exact vulnerabilities.

    You can bet that it's likely the majority of Windows users have failed to install this patch (and many other patches).

    Look at Blaster. Even after the patch was announced and distributed, the worm was still able to infect millions of machines.

    --


    Men believe what they want. - Caesar
    1. Re:Announcements = Security Risk? by Pidder · · Score: 1
      Do these announcements of security patches not alert hackers and virus authors to capitalize on them? It's alerting criminals to the exact vulnerabilities.

      Well... at the time a patch is issued the vulnerability has probably been known in the security community for a long time.

      The fact that people don't download the patches isn't exactly Microsoft's fault. Some people are just stupid and/or ignorant. I'm beginning to think that Windows Update should be a service that you are unable to turn off. Sure, people would scream about their freedom, but I sure as hell wouldn't complain if it got rid of all the worms I'm attacked by daily.

    2. Re:Announcements = Security Risk? by Anonymous Coward · · Score: 0

      Look at Blaster. Even after the patch was announced and distributed, the worm was still able to infect millions of machines.

      I'm STILL getting copies of MyDoom in my inbox, and it got the most press of any virus I've ever seen.

  49. That rips it. by Anonymous Coward · · Score: 0

    It's back to a chisel and stone tablet for me.

  50. Go here for what you need by bonch · · Score: 4, Informative

    LinuxSecurity.com Advisories. It gives you the last 15 advisories (right now it's 15 in the past three days!), and you can click on each distro, including the BSDs, and get archived advisories for each one. Very useful, complete with links to the actual bulletins.

    Yes, you are right--these things never appear on Slashdot except when there are major kernel exploits. To be honest, I've noticed lately a dissident tide in Slashdot, where people are a little weary of the anti-Microsoft spin. Nothing wrong with posting about Windows vulnerabilities, of course, but you do have to view the context with which it's posted--an OSDN-owned website that posts pro-Linux articles and just so happens never to mention Linux security advisories. But a user-run executable will become front page news as a new "Microsoft Worm."

    I've just noticed more people annoyed by it lately, even the partyline pro-OSS guys. Simplistic agendas shouldn't be something to embrace on a site that is touted as the epicenter for geek tech news on the Internet. I guess my sig reflects that I've become one of those people as well who feels the need to balance out the spin going on... :P

    1. Re:Go here for what you need by RoLi · · Score: 4, Interesting
      I just looked at your site and for my distribution (SuSE) the only REMOTE vulnerability in the LAST YEAR was gaim which I don't even use (I use LICQ).

      All the others were denial of service vulnerabilities or elevation of privilege problems, which in the case of the kernel are of course a bad thing and which have been reported on Slashdot several times.

      So in the last year, I had exactly ZERO vulnerabilities that would represent an immediate danger to my Linux boxes (elevation of privileges is bad, but not an immediate danger for me because I don't run any mass-user hosts) and in the meantime the Windows world had MS-Slammer, MS-Blaster and many, many other problems.

      If you want to stick your head into the sand, do so, but please don't think that you are smart doing so or that anybody else has got a "party line".

    2. Re:Go here for what you need by Azi+Dahaka · · Score: 2, Informative

      Yes, but there truly is a difference. That page lists vulnerabilities for linux packages, not Linux or a specific linux distribution. For example, I see scorched 3d in there twice. You probably would not say an AIM security flaw is evidence of Windows insecurity.

      Next, a lot of these will not be running on all systems, especially considering several are vendor specific.

      Most are not remote, complete system takeover vulnerabilities either. They tend to either be DoS, run arbitrary functions as a daemon (www-data, nobody, gid games, etc), or local exploits.

      Plus, many aren't so much privilege escalation or DoS, but rather are a way to evade auditing or monitoring, for example the Squid vulnerability.

      Admittedly several of those are pretty bad (the pwlib and ipsec-tools ones for example), but this is a poor comparison. To really compare, compare vulnerabilities found in an out-of-box installation of a single distribution. And even then, only use it as evidence of that distribution's insecurity.

      And not that it matters much, but 12 April to 7 April is five days, and today is the 13th. There are only two items listed for the past three days.

      I seem to recall openssl, openssh, apache and linux kernel exploits making headlines at slashdot, but you can't expect every vulnerability for every package to be listed. This news of 20 vulnerabilities being fixed at once seems newsworthy.

    3. Re:Go here for what you need by eclectro · · Score: 2, Funny


      I agree that there is an too much of an anti-microsoft slant on Slashdot. Windows is a secure, reliable *##buffer overflow##* platform. It will only become more @@#-ha ha ha ha-#@@ secure as time passes, and trusted %$@-I 0wn3r j00-@$% computing will become a reality. I myself have run Windows %$%-I'm s0 133t-$%$ with little problems for years. I too think this is way overblo@@@@NO CARRIER

      --
      Take the cheese to sickbay, the doctor should see it as soon as possible - B'Elanna Torres, "Learning Curve"
    4. Re:Go here for what you need by Anonymous Coward · · Score: 0

      a site that is touted as the epicenter for geek tech news on the Internet

      you're the only one touting it as that. most people understand that slashdot's target audience is the open source community - period.

  51. Does anyone care? by mo0nsh1ne · · Score: 1

    Is /. running out of things to post as news? Like security problems in M$ software is what we are all worried about. If you run Windows you should know to go and run a Windows Update every 30 minutes or you're going to get some new lame virus. Start posting some useful information, not crap about Microsoft hacks.

    1. Re:Does anyone care? by MonTemplar · · Score: 1

      You forget, most Slashbots turn that stuff off, they don't want Bill sticking his software on their computer without their consent. So /. posting stories like this is probably the first most of them will have heard about the patches being available.

      Me, I turned on my home PC this morning, and was notified of the patches within a few minutes (yay for broadband!) and it was patched up by the time I'd finished breakfast.

      -MT.

      --
      -MT.
    2. Re:Does anyone care? by mo0nsh1ne · · Score: 1

      If you are running a windows machine do you still need to be reminded to do updates? Running updates should be a part of your every day computer use if you are running M$ products.

  52. put it on the list by t_allardyce · · Score: 2, Funny

    first post

    in soviet russia critical vulnerabilities announce Microsoft!

    1. Announce critical vulnerability
    2. ??
    3. Profit

    if people used linux/oss this wouldn't happen
    - oh sure, just because slashdot doesn't report linux vulnerabilities!

    natalie portman naked and vulnerable?

    can someone point me to a mirror the site is down?

    can someone point me to an open source version of this?

    this wouldnt happen if it was ogg based.

    --
    This comment does not represent the views or opinions of the user.
    1. Re:put it on the list by Anonymous Coward · · Score: 0

      Hey hey, at least do it right:

      I, for one, welcome our new critical-vulnerability-security bulletin-patcher-and-maker overlords!

    2. Re:put it on the list by Anonymous Coward · · Score: 0

      Imagine a beowulf cluster of vulnerabilities, oh wait...

      can you run linux on the vulnerability?

      the vulnerabilities are more/less userfriendly than a GUI.

      and so on.

    3. Re:put it on the list by Anonymous Coward · · Score: 0

      you forgot the goatse link, you insensitive clod!

    4. Re:put it on the list by sharkdba · · Score: 1

      Can /. culture be defined by these statements?

      Not sure if to be sad or happy, or just neutrally informed.

      --
      The purpose of life is to find the purpose of life.
    5. Re:put it on the list by DuncMan · · Score: 1

      In Soviet Russia, new critical-vulnerability-security bulletin-patcher-and-maker overlords welcome you.

  53. Re:More than three by Seven001 · · Score: 1

    Actually, there were 5 including the Internet Explorer one.

  54. Starting To Respect Microsoft by nathanh · · Score: 3, Insightful

    It's not good that they're having so many publicly visible flaws, but I'm really impressed that Microsoft is starting to be honest and forthcoming in their reporting. I remember a time when the bugs wouldn't get announced until the exploit was already wreaking havoc. Now it seems the bugs get reported and patched before there are any exploits. That's very professional; they can't be perfect but they can be responsible.

    I have a lot of respect for that.

    1. Re:Starting To Respect Microsoft by Anonymous Coward · · Score: 0

      I don't think it's up to them. Think about it. What if they didn't report necessary updates? No one would know to update, virii would run rampant, and Windows would be revealed for the security nightmare it is. Of *course* they're going to avoid that scenario by advertising how on-top-of-it they are in regards to security.

    2. Re:Starting To Respect Microsoft by Anonymous Coward · · Score: 1, Insightful

      As somebody else here has already pointed out, eEye took down a couple of security advisories that had been there a long time. They were reputed to have been exploited in the wild already (sorry, I didn't keep a copy of them, I no longer care). Some of them were NOT identified by Microsoft before there were any exploits for them; it took them a long time to fix and we all have no idea how much havoc was wreaked before the fixes were announced.

      I have NO respect for that!

    3. Re:Starting To Respect Microsoft by Anonymous Coward · · Score: 0

      That was a joke, right? You weren't really serious, right?

      Billy doesn't ever, Ever, EVER volunteer information about vulnerabilities with his crapware unless someone is holding a large gun to the most important part of his anatomy: his wallet.

      Most likely the vulnerabilities have already been seen in the wild, or some security firm is blackmailing him to make the announcement or they'll do it for him.

    4. Re:Starting To Respect Microsoft by Tough+Love · · Score: 4, Insightful

      "It's not good that they're having so many publicly visible flaws, but I'm really impressed that Microsoft is starting to be honest and forthcoming in their reporting."

      That's because you're gullible. A bunch of these vulnerabilities have been known for months and Microsoft hasn't announced them. Maybe so they can argue that Microsoft has the shortest time from vulnerability announcement to patch availability, like they tried to say last week.

      Starting to be honest, huh, looks like more of the same to me.

      --
      When all you have is a hammer, every problem starts to look like a thumb.
    5. Re:Starting To Respect Microsoft by WARM3CH · · Score: 1
      A bunch of these vulnerabilities have been known for months and Microsoft hasn't announced them.
      Would you please point us to some more information about such exploits? Known for months? Can you please direct us to where we can see the evidence for your claims? It's rather simple to say "yeah, yeah, we knew it for months" when everyone likes to bash MS, but I think it will be a little bit difficult if you'd need to back your claims...
    6. Re:Starting To Respect Microsoft by Anonymous Coward · · Score: 0

      Here you go:
      http://www.eeye.com/html/Research/Advisories/index.html

      Some of the "critical" fixes in today's patchset from Microsoft are reported on that page some 6 months ago. eEye also pulled some MS-related advisories some months ago that no one has heard anything about since, hmm... wonder why.

  55. Here ya go by Anonymous Coward · · Score: 0
    Just so y'all don't get into the "see how much teh windoze sux". No problem.

    Searching through past advisories is also fun. Make sure all your Linux "boxen" are properly patched. Who knows, maybe one day you'll actually be popular and we'll all laugh whenever another exploit is published.

  56. oh the irony! by BinaryJono · · Score: 5, Funny

    seeing the microsoft security ad (http://m2.doubleclick.net/viewad/930640/MRS03141_ityouwe_728x90_anima.gif) at the top of the page while reading this article was just too much...

  57. Free karma... by Turmio · · Score: 4, Informative
  58. Re:More than three by Anonymous Coward · · Score: 0

    Last I looked Outlook Express was not part of the Windows 98 OS. I use 98SE at home and never used Outlook, nor even installed it. In fact, the only Microsoft programs I run on my box are the OS and its support programs (accessories, system tools), everything else, including my browser and email reader, are 3rd party.

  59. Re:Meanwhile... by Ianoo · · Score: 1

    What you don't seem to realise is that most of these vulnerabilities would fall into the realm of "third party products" on a Microsoft-powered box. Linux may get more security advisories, but if you compare the number of packages a Linux security advisory site covers compared with what's included in an out of the box Windows install (certainly no professional quality Web Server with XP, for example), the number is still proportionally lower.

  60. That's actually true by bonch · · Score: 4, Insightful

    According to CmdrTaco, the majority of Slashdot visitors use IE. Kind of puts things into perspective as far as the "movement" goes.

    1. Re:That's actually true by Aneurysm9 · · Score: 1

      I could be using IE on Linux, if I were feeling sick and twisted.

      --
      There was Cowboy Neal at the wheel of a bus to never-ever land.
    2. Re:That's actually true by freeweed · · Score: 4, Interesting

      I'd say it's more likely the majority (or at least a goodly chunk) of Slashdot users use something like Opera or Mozilla*, which lets you spoof your browser ID to websites. I do it, or I'd be locked out of a good many moronic sites (one being my bank) that only think IE works.

      Although with the level of pro-MS posting and moderating on a dramatic increase over the past year, I wouldn't be surprised if we have a lot of IE users here now.

      (Quick! To get some instant karma, talk about some obscure SSH/apache/whatever exploit that wouldn't affect anyone using Linux as a *desktop* system and is only applicable to a service that isn't run by default on any major distro, and claim that Linux is as insecure as Windows! Then whine about Slashdot's "bias" towards Linux to make sure you keep getting modded up!)

      --
      Endless arguments over trivial contradictions in books written by ignorant savages to explain thunder in the dark.
    3. Re:That's actually true by interiot · · Score: 5, Insightful

      And the majority of visitors don't post, many don't read the comments. Just because they use Slashdot as a way to keep from missing important tech news doesn't mean they're necessarily sympathetic to OSS philosophy.

    4. Re:That's actually true by Anonymous Coward · · Score: 0

      ruby -rbase64 -e 'puts decode64( "RnVjayB5b3UuIEkgYW0gbm90IGEgcGlnLg==" )'

    5. Re:That's actually true by Avoid_F8 · · Score: 1

      I would guess that's because the majority of slashdot visitors every day are browsing from work, and most work environments seem to be using IE.

    6. Re:That's actually true by glitch23 · · Score: 1

      According to CmdrTaco, the majority of Slashdot visitors use IE. Kind of puts things into perspective as far as the "movement" goes.

      The movement is stronger in some areas than others. How many of those users that use IE are accessing the site from home, how many from work? Those numbers matter. You can't just lump them together.

      --
      this nation, under God, shall have a new birth of freedom. -- Lincoln, Gettysburg Address
    7. Re:That's actually true by vensub · · Score: 1

      YES they are going to use a new multi-vomitted linux like OS called sinux soon and will include a paid subscription for corp.

    8. Re:That's actually true by Anonymous Coward · · Score: 0

      You seem to be doing a good enough job of this yourself.

    9. Re:That's actually true by Anonymous Coward · · Score: 0

      ruby -rbase64 -e 'puts decode64( "SGUgZGlkbnQgc2F5IHlvdSB3ZXJl" )'

    10. Re:That's actually true by cbreaker · · Score: 2, Insightful

      Lots of people do Slashdot from work, where lots of us have no choice but to use IE.

      That can easily sway the numbers.

      --
      - It's not the Macs I hate. It's Digg users. -
    11. Re:That's actually true by rhuntley12 · · Score: 1

      I'd bet many of us are on IE just because we are at work. I'm at work on a windows machine and I'm not allowed to install mozilla. Funny that they have no problems having me install Divx codecs and players and watching movies, but installing Mozilla? Yeah right.

    12. Re:That's actually true by Anonymous Coward · · Score: 0

      True but I am running it under WINE

    13. Re:That's actually true by Anonymous Coward · · Score: 0

      ruby -rbase64 -e 'puts decode64( "c3RvcCwgdGhpcyBpcyBnZXR0aW5nIGFubm95aW5nbHkgbmVyZHk=" )'

    14. Re:That's actually true by johnkoer · · Score: 1

      IIRC, FireFox does not need to be installed on a machine, it can just be plopped in a directory and run. Heck you could run it from a USB thumb drive if you wanted. Now that doesn't guarantee that it will make it past your firewall, but if you are looking for alternatives it may be worth a shot.

    15. Re:That's actually true by Firehawke · · Score: 1

      Well, here's how I see it..

      You don't webbrowse from a server, and management typically mandates Windows for desktop machines in most places I've seen, so why SHOULDN'T Windows/IE show up so frequently? I mean, I use Windows AND Linux at home, but from work I'm always going to show up to Slashdot as a Mozilla/Windows user.

    16. Re:That's actually true by Anonymous Coward · · Score: 0

      That's my excuse... from home I'd be hitting with Safari.

    17. Re:That's actually true by winokungfu · · Score: 1

      That most of the "movement" should be getting back to work?

  61. LMFAO... by Zuka · · Score: 1

    Three vulnerabilities? Boy, that's a record. What's that up to for the year 2004? 78,962,322,505.5???? Pft. This is why I don't use Microcrap. I can't even believe people still use such an out-dated, inferior OS as Winblows. PEOPLE: IT'S CALLED LINUX! IT'S CALLED MAC! FOR THE LOVE OF GOD, MAKE THE SWITCH TO SOMETHING THAT WILL GRANT YOU FREEDOM AND HAPPINESS!

    1. Re:LMFAO... by Killswitch1968 · · Score: 1

      For the majority of people these vulnerabilities are never capitalized on and their computers remain unaffected. People will switch when Windows becomes so burdensome to use that they won't mind tearing their hair out trying to install a program with Linux.

      --

      Corporations: your universal scapegoat for all society's ills.
    2. Re:LMFAO... by bonch · · Score: 1

      Actually, there haven't been Critical Updates posted to Windows Update since the beginning of this year. On the contrary, LinuxSecurity.com posts more advisories every day.

      But, hey, you used the term "Microcrap," and who can argue with that?

    3. Re:LMFAO... by MonTemplar · · Score: 1

      Haven't you heard? All us Windows users are idjits who don't have a clue about keeping their PCs safe. At least, that's what I've read on Slashdot... :)

      -MT.

      --
      -MT.
    4. Re:LMFAO... by Walkiry · · Score: 1

      It's called a "Game".

      Your call.

      --
      ---- Take the Space Quiz!
    5. Re:LMFAO... by Bambi+Dee · · Score: 1

      Yeah, I understand my computer is supposed to simultaneously crash, display popups, spy on me, emit noxious fumes, enlarge my breasts and/or penis and chant "join us... join us..." right now, but, oddly enough, it isn't. Does that make me an MS shill/troll/apologist/zealot? Nah, I'm just using my computer. I'm actually trying to decide on my next Linux distro right now, after somehow managing to render the previous five unbootable. Sure, that could be my fault for being but a lowly illiterate Windummy crybaby, but that doesn't change the fact that it happened. Whelp, I'm sorry about the antagonistic tone, but this is what it was like for me. I always liked it as long as it lasted, it's different and less bureaucratic and demeaning than Windows, and each new distro worked better than the ones before it, but something always went awry and I'm just so tired of seeing Linux advertised as some sort of panacea that'll magically make me happy and productive and secure as though the OS had all that much to do with it. I'll "switch" in due time -- when the apps I need (or want) are there, when using Linux won't mean having to run Wine or CrossoverOffice or whatever else half the time because this or that doesn't have an "equivalent". Any other advantages using Linux would have for me are, at this point, either ideological or "recreational tinkering"-related. And I don't mind if you call it "Microcrap Winblows" or "out-dated, inferior". I call it worse things sometimes and haven't really felt the need to defend any computer since my Amiga days. I don't like MS either, I don't like Windows, but still, most of the time I hardly notice it. (I'm primarily typing right now, not enjoying my "Windows eXPerience", blech.)

  62. patches by Anonymous Coward · · Score: 0

    patches can be found at freebsd.org or kernel.org =)

  63. Uh by Anonymous Coward · · Score: 0

    Did you not read past that first page? I see plenty of remote exploits listed..surprised me for Gentoo in particular

    1. Re:Uh by Anonymous Coward · · Score: 0

      Gentoo consists of over 5000 packages/programs. Hopefully you don't have them all installed at once.

    2. Re:Uh by JET+666 · · Score: 2, Funny

      No, still waiting on the compile.

      --
      De sig boss de sig
  64. Just exactly how does this happen. by Talinom · · Score: 3, Interesting

    This isn't a troll. This is an honest question.

    How does a critical vulnerability happen? Seriously. Is there a URL someone can provide or a good description that shows what it takes to make an OS or application with a vulnerability? I read just about every week or so about "Application X" or "OS Y" having a security issue and a deeper understanding of what is going on is a good thing to help judge the threat of the warning. It will also help reduce the FUD factor a little bit. If an example (current or outdated) could be given showing HOW the security of a system is compromised that would also be beneficial.

    --
    "Giving money and power to governments is like giving whiskey and car keys to teenage boys." - P.J. O'Rourke
    1. Re:Just exactly how does this happen. by cpghost · · Score: 4, Informative

      Try "Smashing the Stack for Fun and Profit", Phrack 49, Art. 14. It's a nice introductory tutorial to the common class of buffer overruns.

      --
      cpghost at Cordula's Web.
    2. Re:Just exactly how does this happen. by hobuddy · · Score: 4, Informative

      How does a critical vulnerability happen? Seriously. Is there a URL someone can provide or a good description that shows what it takes to make an OS or application with a vulnerability?

      Of course there's an infinite number of ways to write a vulnerable program, but the most common is to run afoul of a buffer overflow. A buffer overflow is a relatively simple flaw, but it's an easy mistake to make in C and C++ because those languages give economy of computational resources precedence over every other consideration, including security and stability.

      There's an illustrated and fairly concise introduction to buffer overflows at LinuxJournal.

      --
      Erlang.org: wow
    3. Re:Just exactly how does this happen. by jliendo · · Score: 1

      Good question, and maybe a reference that may be of some use for you is the "Exploiting Software" book by Hoglund and McGraw (it was for me)...very good book describing why software errors occur...they basically state that because the "input space" of a program is so big, there can be no quality assurance process that can measure how the software will behave under all the different sets of possible inputs, so basically what we get is that all the software (it doesn't matter if it is commercial or open source) goes into production only partially tested...

      highly recommended book...

    4. Re:Just exactly how does this happen. by MJN222 · · Score: 1

      This is x86 specific since I'm talking about the stack frame and specific registers, etc. but can be "ported" to other architectures with similar ideas

      foo.c
      #include <string.h>

      int main(int argc, char *argv[])
      {
          char buf[5];           /* 5 bytes on the stack, right below saved ebp and the return address */
          strcpy(buf, argv[1]);  /* no bounds check: anything past 4 bytes + NUL is written over whatever follows buf */
          return 0;
      }

      > make foo && ./foo AAAAAAAAAAAAAAAAAAAAAAAAAA

      This is an example of a trivial buffer overflow. These types of attacks happen due to the nature of the stack. All local variables are stored on the stack - along with the saved ebp AND the return address. strcpy doesn't do any sort of bounds checking on the buffers it is copying between. In this case, buf is filled with the first 5 A's, but then the other n-5 A's must go somewhere else as well. What will happen is that eventually the saved value of ebp will be corrupted and become 0x65656565 ("AAAA") and the RETURN ADDRESS (this is the location that will be jumped to upon exiting the function) will be corrupted and become 0x65656565 ("AAAA"). If the malicious user is crafty enough in the creation of the exploit string he will specify an actual address somewhere relatively close to the current buffer and to jump to. Since that memory will have been copied by the call to strcpy, after completing this function, the program will jump to the attackers code and happily execute it. Thus allowing arbitrary code to be executed.

      For a more detailed explanation of how these things work check out "Smashing the Stack for Fun and Profit" in phrack #49. Actually, reading old phracks is a good way to get an idea about lots of different issues in security :)

      You can also check out these slides from an introductory systems course at Carnegie Mellon University. (OK, its a shameless plug of sorts since I'm TAing it, but they actually are pretty good slides. :-P)

      --
      ---- Yay! I have a sig!
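      As an added illustration (my own code, not MJN222's, hobuddy's, or Phrack's), here is the same copy from foo.c done with a length check, which is the fix for the class of bug both replies describe. The function names copy_bounded and copy_truncated are my own; BUF_LEN mirrors the buf[5] in foo.c.

```c
/* Added example, not from the Slashdot thread: bounded alternatives to the
 * unchecked strcpy() in foo.c. Both refuse to write past dst, so an overlong
 * argv[1] can no longer reach the saved ebp or the return address. */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define BUF_LEN 5 /* same size as buf[5] in foo.c (assumption: kept for comparison) */

/* Strict form: copy only when src fits including its terminator.
 * Returns 0 on success, -1 (and an empty dst) when src would overflow.
 * Rejecting is the right choice when a silently shortened value would
 * change meaning, e.g. a path or a username. */
int copy_bounded(char *dst, size_t dst_len, const char *src)
{
    if (dst == NULL || src == NULL || dst_len == 0)
        return -1;
    size_t n = strlen(src);
    if (n >= dst_len) {      /* no room for the NUL byte */
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, n + 1); /* n bytes plus the terminator */
    return 0;
}

/* Lenient form: copy what fits and always NUL-terminate.
 * Returns 0 if everything fit, 1 if src was truncated, -1 on bad arguments.
 * snprintf() reports how long the full string would have been, which is how
 * the caller learns that truncation happened instead of losing data silently. */
int copy_truncated(char *dst, size_t dst_len, const char *src)
{
    if (dst == NULL || src == NULL || dst_len == 0)
        return -1;
    int want = snprintf(dst, dst_len, "%s", src);
    if (want < 0)
        return -1;
    return ((size_t)want >= dst_len) ? 1 : 0;
}

/* foo.c rewritten: also handles the missing-argument case, where the
 * original would pass a NULL argv[1] straight into strcpy(). */
int main(int argc, char *argv[])
{
    char buf[BUF_LEN];
    if (argc < 2) {
        fprintf(stderr, "usage: %s <string>\n", argv[0]);
        return 2;
    }
    if (copy_bounded(buf, sizeof buf, argv[1]) != 0) {
        fprintf(stderr, "rejected: %zu bytes does not fit in %zu\n",
                strlen(argv[1]), sizeof buf);
        return 1;
    }
    printf("copied: %s\n", buf);
    return 0;
}
```

      Run with the same 26 A's as in the post and the program exits with status 1 instead of overwriting its own stack frame.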
    5. Re:Just exactly how does this happen. by Anonymous Coward · · Score: 0

      "A buffer overflow is a relatively simple flaw, but it's an easy mistake to make in C and C++ because those languages give economy of computational resources precedence over every other consideration, including security and stability."

      Never forget that the whole idea of "economy of computational resources" is totally obsolete for 99.99% of application programs, because of the cleverness of optimizing compilers and ever faster CPU hardware!

    6. Re:Just exactly how does this happen. by Anonymous Coward · · Score: 0

      I read just about every week or so about "Application X" or "OS Y" having
      ...or "Application Y" or "OS X"

  65. Sack you!!!!! by Anonymous Coward · · Score: 0

    ... and now the credits will proceed in a different style.

  66. Phew by Anonymous Coward · · Score: 0
    In fact, you could even be sued for libel if you parade about online forums spreading false information about Microsoft, like "their code is insecure"

    Thank goodness it's just "false information".

  67. This M$ game won't last for years... by Anonymous Coward · · Score: 0

    Wait several years, and Linux will grab Windows user one by one. 10 years from now, M$ won't have to release security patches anymore, they just won't have any Windows users anymore. Don't joke with security. You don't want your computer to become a zombie and to send thousands of child porn spams while you check your mail.

  68. Every few weeks? You're trolling by bonch · · Score: 1

    Windows Critical Vulnerabilities come every few weeks...doubtless they'll get them all in time.

    They haven't had a critical update patch on Windows Update since the beginning of this year.

  69. Like hell that's insightful by nathanh · · Score: 5, Informative
    That a lot of vulnerabilities that concern Linux never get posted to slashdot. Usually I read about these on news.com.

    Open source vulnerabilities and incidents get reported all the freaking time on Slashdot.

  70. Sorry to burst your bubble, guys by bonch · · Score: 3, Informative
    1. Re:Sorry to burst your bubble, guys by Zuka · · Score: 1

      wow..then you live in a VERY, VERY small world. Everyone I know hates Windows...even if they're forced to use it, they hate it. I wonder why? I won't go into it now, but the point is, all of these MS haters can't be wrong.

    2. Re:Sorry to burst your bubble, guys by Anonymous Coward · · Score: 1, Insightful
      [...] all of these MS haters can't be wrong.
      You have committed the appeal to popularity logical fallacy.
    3. Re:Sorry to burst your bubble, guys by Anonymous Coward · · Score: 0

      From that page, Ad Verecundiam is Latin for ``Appeal to Authority.'' What is the Latin for ``Appeal to One's Own Authority?''

    4. Re:Sorry to burst your bubble, guys by bonch · · Score: 1

      Everyone you know hates Windows. Can't argue with that kind of research.

    5. Re:Sorry to burst your bubble, guys by cpghost · · Score: 1

      In the Real World(tm), most people won't even bother updating their windows boxes (or their AV sigfiles); so we'll have to live with those spam sending zombies for a long time...

      --
      cpghost at Cordula's Web.
    6. Re:Sorry to burst your bubble, guys by Anonymous Coward · · Score: 0

      But the people pointing out the one-sided reporting on Slashdot are right.

      Says who?

      Look again at that list of announced vulnerabilities. It does include some common Linux programs, like kde and the kernel. But what the heck is "fte"? I assume that "oftpd" is an ftp daemon, but I've never heard of it. "portage" is vulnerable only on Gentoo, of course, because it's the only one which has it. And "ClamAV"? Great, now "Linux vulnerabilities" incude every commercial product which run on Linux.

      See the problem here? You're comparing a wide variety of Linux software to just core Windows vulnerabilities. Of course there will be lots of Linux vulnerabilities if you count every program out there. But realistically, most people don't care if "interchange" (whatever that is) has a remote information disclosure vulnerability.

      Which, by the way, is a second point: some vulnerabilities are too small to be front-page news. A bug which allows a DoS on some obscure FTP server just isn't news.

      Comparing apples and oranges is pointless enough, but some people only seem to be capable of _counting_ the number of apples and oranges, so that's what they compare. That is truly pointless.

    7. Re:Sorry to burst your bubble, guys by Anonymous Coward · · Score: 0

      wow..then you live in a VERY, VERY small world. Everyone I know hates Windows...even if they're forced to use it, they hate it. I wonder why? I won't go into it now, but the point is, all of these MS haters can't be wrong.

      Talk about the pot calling the kettle black. Hi, my name is Anonymous Coward. Nice to meet you, I don't hate Windows because it does what I need it to, without having to ever use a command line, and it supports all of my hardware, even USB peripherals, by just plugging them in, and using it. Just like that!

  71. Yearly updates by cove209 · · Score: 2, Interesting

    I wonder (and I am not slamming macs here since I own one) if Microsoft released a new version of Windows yearly like Apple does (for a fee most times) if it would address issues such as this one. Then again, if MS released Windows XP 2004 and charged $129, would most people install it?

    1. Re:Yearly updates by MonTemplar · · Score: 1

      Then again, if MS released Windows XP 2004 and charged $129, would most people install it?

      If they included the next version of IE, with the pop-up ad blocking? They wouldn't be able to keep up with the demand from retailers as the boxes fly off the shelves.

      (Yeah, I know, they could install Firefox or Opera, but that's a whole different topic, and certainly not something that will cross the mind of Joe Average End-User...)

      -MT.

      --
      -MT.
  72. Sp2 Beta by OneArmedMan · · Score: 3, Interesting

    I have Win XP sp2 on my work machine here ( don't ask )

    and i just did a windows update then .. and behold for there were no critical Windows updates to be found anywhere ..

    so either MS is broken ( heh ) or MS knew about these problems a looooooong time ago and already had the patches in SP2, cause I have been running this SP2 beta for at least 3 or 3 weeks now...

    1. Re:Sp2 Beta by aderusha · · Score: 4, Interesting

      or option c) SP2 beta isn't recognized by winupdate, so you're going to be exposed.

    2. Re:Sp2 Beta by Anonymous Coward · · Score: 0

      Isn't there a specific beta windows update site SP2 users are meant to go to? v4.windowsupdate.com won't work correctly AFAIK

    3. Re:Sp2 Beta by OneArmedMan · · Score: 1

      troll or not.

      i have used windows update before with Sp2 beta installed and have received updates without a problem .. several of them in the *critical* area as well ..

      shrug , my firewall should take care of most of that for me anyways .. but still makes you wonder what exactly MS is upto ... not that anyone is ever likely to know.

  73. wait wait wait... anyone else here suspect this? by ShadowRage · · Score: 2, Insightful

    that the fact microsoft is suddenly letting people know more about this, saying they'll up security, etc think it's a sham so when longhorn comes out on a palladium DRM locked system, and it's announced it's more secure than ever, people will flock to that, or at least, what they hope?

  74. Re:Value Added Bugs by iminplaya · · Score: 1

    It appears that the only thing you value is money. That attitude won't get you into heaven. :-)

    --
    What?
  75. Windows Update in Firefox by Faizdog · · Score: 4, Interesting

    Well,
    After the Nth spyware that infected IE, about 10 days ago I finally had enough of it and switched to Firefox. Haven't looked back since, Firefox rocks.

    So after I read this /. story, went to the Windows Update website, and lo and behold, it only works with IE. I can go to the Microsoft Download Center if I use another browser besides IE, but I actually like the way Windows update works, scanning my computer and giving me options for what I can install.

    Looked through the Firefox FAQs, couldn't find any mention of this. Anyone have another suggestion, or should I use IE for updates and Firefox for everything else?

    --
    -"Those who fought today will die tomorrow."-
    1. Re:Windows Update in Firefox by Dave2+Wickham · · Score: 2, Informative

      AFAIK Windows Update uses ActiveX, so you need to use IE anyway.

      Note: I don't often deal with Windows Update, being a Linux user myself, so I could well be wrong.

    2. Re:Windows Update in Firefox by elleomea · · Score: 2, Informative

      It's impossible to use Firefox for this task since the Windows Update system uses ActiveX controls to handle things.
      ActiveX is also one of the main reasons for many of the security issues and spyware installing programs, etc. in IE. This is due to the fact that, unlike Java, it doesn't run in a sandbox, allowing ActiveX programs complete access to the system.

    3. Re:Windows Update in Firefox by Anonymous Coward · · Score: 1, Informative

      If you're running XP,

      Right click my computer, go to properties, click on the automatic updates tab.

      Set it do notify you when they're available, but do not download and install them.

      Then, you get a nice Windows Update icon in your tray, double click it, and voila, a list of updates you can install without needing to use IE.

      By the way, if you really wanted to, you could get an ActiveX plugin for firefox, but I really suggest you don't. ActiveX is just one big security hole.

    4. Re:Windows Update in Firefox by steveha · · Score: 4, Interesting

      You need to use IE for Windows Update. Full stop.

      One of the things that makes Firefox more secure is that it is just an application, it cannot install software for you. One of the things that makes Windows Update work is that IE can install software for you.

      Windows Update is the main reason IE is still on my Win2K desktop computer.

      steveha

      --
      lf(1): it's like ls(1) but sorts filenames by extension, tersely
    5. Re:Windows Update in Firefox by Deviate_X · · Score: 5, Informative

      If you have disabled IE you can install and run the Security Baseline Advisor. It basically does the same thing as Windows update.

    6. Re:Windows Update in Firefox by _Sprocket_ · · Score: 1
      Then, you get a nice Windows Update icon in your tray, double click it, and voila, a list of updates you can install without needing to use IE.

      Are you sure? It would seem like Microsoft to just run some IE / ActiveX bit without making it look like it's IE. Not that it would make any difference, I guess.

    7. Re:Windows Update in Firefox by Anonymous Coward · · Score: 0

      You can be sure that it uses the same HTTP & XML backends as IE, but that's true of many windows programs.

    8. Re:Windows Update in Firefox by Kenneth+Parker · · Score: 1

      99% of spyware can't install unless you are running as root aka Administrator. Rule 1: Don't run as root. Rule 2: Remember rule 1. Rule 3: If you can't remember rule 1 and 2, don't admit you install spyware on slashdot.

    9. Re:Windows Update in Firefox by Anonymous Coward · · Score: 0
      I don't know how many times this has come up on Slashdot and don't want to start the thread again.

      Many windows programs require admin access to function. Stupid, we all agree, but it's true. I guess I should keep a pointer to those threads, so I can point you to it.

    10. Re:Windows Update in Firefox by Anonymous Coward · · Score: 0

      And, as is mentioned everytime that comes up, there is the runas functionality that allows you to do this.

    11. Re:Windows Update in Firefox by Anonymous Coward · · Score: 0

      Or you could just give the correct permissions to the folders (only those folders) that the program needs.

      Jeez but that would be too logical.

    12. Re:Windows Update in Firefox by Anonymous Coward · · Score: 0

      If you have a Windows server you can install Software Update Services.

      http://www.microsoft.com/windowsserversystem/sus/default.mspx

    13. Re:Windows Update in Firefox by ashayh · · Score: 1

      There are places where you can get most of the critical updates.
      Autopatcher is what I use. Notice how it installs ALL patches and utilities that it comes with in one go.
      I don't care about windows update scans and "suggestions".. all I want are the critical patches.

    14. Re:Windows Update in Firefox by Bambi+Dee · · Score: 1

      Is this really true? The only programs I need admin privileges for (besides admin tools, obviously) are two CD/DVD-related tools. The overwhelming majority of, uhm, non-conforming apps "merely" insist on having write access to their directories; it's annoying and you need to find workarounds if you need per-user settings, but it doesn't mean they need to be run as administrator. It's sort of funny how all the "originally Linux" apps I use are so well-behaved and so much Windows-only freeware isn't. Oh well. Sorry for bringing it up again.

    15. Re:Windows Update in Firefox by mr.capaneus · · Score: 1

      I wish to God this were true. Where I work, users are given the "power user" privilege. It is possible for them to install spyware crap from the web and it happens VERY often. It is one of the most frustrating parts of my job. Of course, we could restrict them from installing just about anything by restricting their access to the Software key in the registry but the PHB doesn't think that's a good idea so I get to spend my time removing spyware and doing trainings on not installing spyware.

  76. unannounced critical vulnerabilities by Anonymous Coward · · Score: 0

    Microsoft generally announces these critical security issues after they have patches for them. Who knows how many critical issues they haven't announced?

  77. bittorrent of the patches by Danathar · · Score: 1

    Damn....the MS update site is so overloaded....can anybody provide a bittorrent to the patch files?!

    REALLY!

    1. Re:bittorrent of the patches by JessLeah · · Score: 1

      That would almost CERTAINLY be a EULA and/or Copyright and/or "Trade Secrets" and/or DMCA violation...

  78. No reporting, major problems. by MacFury · · Score: 2, Funny
    If no one reports the exploits, M$ simply won't fix them. They have no incentive to unless there is a public backlash. Even still, they would just settle out of court. :-) I think we should coin a new phrase. Whenever someone is clearly in the wrong, and just settles out of court...we should call it M S'ing (em ess ing)

    Sort of like BSing.

  79. Re:That's actually true (obligatory spoofing ref) by YetAnotherDave · · Score: 2, Funny

    from my proxy config:

    user-agent "Mozilla/4.0 (compatible; MSIE 9.01; Windows NT Sucks)"

  80. Re:More than three by daishin · · Score: 3, Funny

    ARTHUR: How do you do, good lady. I am Arthur, King of the Microsoftons. Who's
    castle is that?
    WOMAN: King of the who?
    ARTHUR: The Microsoftons.
    WOMAN: Who are the Microsoftons?
    ARTHUR: Well, we all are. We are all Microsoftons, and I am your king.
    WOMAN: I didn't know we had a king. I thought we were an autonomous
    collective.
    DENNIS: You're fooling yourself. We're living in a dictatorship. A self-
    perpetuating autocracy in which the working classes--
    WOMAN: Oh, there you go, bringing class into it again.
    DENNIS: That's what it's all about. If only people would hear of--
    ARTHUR: Please, please good people. I am in haste. Who lives in that castle?
    WOMAN: No one live there.
    ARTHUR: Then who is your lord?
    WOMAN: We don't have a lord.
    ARTHUR: What?
    DENNIS: I told you. We're an anarcho-syndicalist commune. We take it in
    turns to act as a sort of executive officer for the week.
    ARTHUR: Yes.
    DENNIS: But all the decision of that officer have to be ratified at a special
    bi-weekly meeting--
    ARTHUR: Yes, I see.
    DENNIS: By a simple majority in the case of purely internal affairs,--
    ARTHUR: Be quiet!
    DENNIS: But by a two-thirds majority in the case of more major--
    ARTHUR: Be quiet! I order you to be quiet!

    --
    (\_/)
    (O.o) This is Bunny. Add Bunny to your signature
    (> <) to help him achieve world domination.
  81. Linux is not 100% secure by RoLi · · Score: 5, Insightful
    ... just like a Volvo is not 100% secure. But the Volvo is more secure than a 1960 Yugo.

    So, I'd rather choose the system that while not perfect is pretty good than a crappy system whose vendor chooses to put out press-releases about security instead of actually dealing with the problems.

    As usual, in theory, Windows is great:

    • In theory, everybody uses those super-fine-grained permissions in Windows. (In real life those permissions are so complicated that most ignore them)
    • According to MS-PR theory, Linux is very dangerous because "everybody" can put evil backdoors in. (In real life there has never been a case of an intentional backdoor in any OSS-project with more than 1 contributor while there have been numerous examples of such backdoors in CSS)
    • In theory and in all total cost of ownership studies, the cost of viruses, worms and security problems on Windows is zero. (In real life millions are paid for virus scanners and much more is lost in productivity)
    • In theory, viruses/trojans/worms are only written for the market-leader platform. (In real life, Apache leads the market and has not had a single worm comparable to Code Red or Nimda)
    • In theory, Microsoft's latest "security initiatives" are a big success. (In real life the biggest epidemics like MS Blaster happened after those initiatives started.)

    In theory, Windows is great. In real life it's a buggy, insecure piece of trash that should be avoided whenever possible.

    1. Re:Linux is not 100% secure by Anonymous Coward · · Score: 0

      Preach on, brotha.

    2. Re:Linux is not 100% secure by WinterpegCanuck · · Score: 1

      The biggest difference I see is that any kid with their new pc smelling wal-mart special can run the nice GUI based attacks against windoze systems while Linux attacks usually require a basic reading level. No system is totally secure, it's just a matter of making the hack las longer then the average attenti. . . . sweet. . . blinking lights and buzzers. I wonder if monster garage is on.

    3. Re:Linux is not 100% secure by hallaballa · · Score: 2, Insightful

      "so complicated"... 1) Complex, not complicated. 2) Nobody said that training was optional, regardless of OS. "evil backdoors" -- the comparison you make between oss/css has nothing to do with oss/css -- it's a difference in process. There's nothing inherent in either oss or css that promotes/prevents trojans. Then again, with all these remote exploits we see, isn't that just trojans+plausible deniability? "millions are paid" -- how on earth does anyone objectively measure that? "Apache has not had a single worm comparable..." -- true, but this is not because Apache has not had remotely exploitable holes. The reason is something else. Microsoft's security initiatives are not a big success -- well, these patches notwithstanding, as far as I can see the trend is that Windows actually is getting more secure. It's slow progress, but it _is_ progress. Only time will tell though..

    4. Re:Linux is not 100% secure by Anonymous Coward · · Score: 0

      Linux may be a little more secure than Windows, but it's really far from being secure.

      UGO sucks big time. Period. End of discussion. I agree that some sysadmin wannabes might think fine-grained permissions are too complicated, but it's because they are morons. I hope that SELinux becomes the norm.

      Your statement about backdoors in OSS projects is stupid. And there was a real example not so long ago.

      MS Blaster happened AFTER there was a patch. The main problem in security is users. You can be pretty sure that if Linux becomes popular one day, then a lot of people will use the root account to download that nice program that will display porn.

      Stop your FUD.

      Right now, Linux is no better than Windows. If we want Linux to succeed, we must make Linux a lot better than Windows in every aspect.

    5. Re:Linux is not 100% secure by smitty+werbenjuegerm · · Score: 1

      If I am not mistaken, didn't someone manage to sneak a backdoor to elevate privileges into the Linux 2.5.x kernel? (using a = instead of a == for a comparison or something like that?)

    6. Re:Linux is not 100% secure by aastanna · · Score: 4, Insightful

      The way I feel about windows and patches is you're never going to be secure enough to connect a windows box directly to the internet. Outlook and Outlook express aren't secure enough to be used to receive email. IE isn't secure enough to browse random web sites.

      So, if you can afford it, have two computers. Get your email and do your work on a Linux box or an OSX laptop, and save Windows for games, Windows development, and those gems of applications you've found that only run on Windows. Install Firefox and use that to browse if you must.

      Always keep your Windows box behind a hardware firewall, that tends to stop most of the remote "I just plugged in my computer and now it has a virus" sort of things. Keep any OSX or Linux boxes behind a firewall too if you can.

      Oh well...rant over...that's my "what people should know about computers before using them" speech. It really doesn't matter how many of these exploits are patched. These were from 2003, and I'm sure there's another dozen waiting in the wings. Just assume your box is insecure and act appropriately.

      Oh, one more thing. I miss the days when you could listen to your computer's hard drive and know what it was doing. If it started up at an odd time you'd know something wasn't right. These days on Windows the hard drive seems to randomly grind away for a second every once in a while...it's...disconcerting. My Mac doesn't seem to do that, can't remember if Linux does.

    7. Re:Linux is not 100% secure by Anonymous Coward · · Score: 2, Informative

      Someone tried, but it was discovered before reaching any official kernel.

      The attacker used a bug in the BitKeeper to CVS gateway to add the backdoor to the kernel in CVS, but since the official kernels come from the BitKeeper tree which was NOT affected, he needed someone to accidentally send his change to Linus. I.e. he needed a good amount of luck.

      It was discovered before that happened, because the CVS and BitKeeper versions were out of sync, which caused the BitKeeper people to examine the trees.

    8. Re:Linux is not 100% secure by RoLi · · Score: 1
      "millions are paid" -- how on earth does anyone objectively measure that?

      Just add up all revenue of all anti-virus companies.

      Of course that doesn't include the time to install all that stuff and the time needed to clean up in case a virus/worm hits.

    9. Re:Linux is not 100% secure by Anonymous Coward · · Score: 0

      Why do slashdot monkeys love these stupid car analogies? You go on and on about your stupid ideas without any substance and yet at the end you totally throw out what you said and come up with a stupid Microsoft-bashing sentence. If your point is that you are an idiot and will come up with the same stupid Microsoft-bashing sentence, why do you go ahead and try to convince us that you are not an idiot?

    10. Re:Linux is not 100% secure by Anonymous Coward · · Score: 0

      Use enters! Then I w/could actually read your post.

    11. Re:Linux is not 100% secure by randomblast · · Score: 1


      i think you'll find he posted as HTML, intending to post as plain-text.
      an easy mistake to make. what he was actually missing was
      's, newlines have the same effect as a space in HTML.

      --
      ...these aren't my real teeth.
    12. Re:Linux is not 100% secure by Polymath+Crowbane · · Score: 2, Informative
      "millions are paid" -- how on earth does anyone objectively measure that?
      It's fairly simple for companies to measure the cost of viruses, et al., by adding the direct cost of the staff required to clean machines and an estimate of the indirect cost of time lost by employees while computers and email are down. It can be significant: the multinational company with which I was associated during the Melissa attack lost email for two days. The direct costs alone (of people to clean up machines) were documented at over $1,000,000.

      Here is the real trap in proprietary standards: if a vendor's product cost a company over $1MM because of a flaw, you can bet that vendor would be gone in a heartbeat. However, because mission critical systems are tied to proprietary standards for which there is no practical substitute, companies are, for the most part, stuck.

      The sad reality is this: when a company is locked into your product, for any reason, your motivation for spending money on enhancements/customer service is greatly reduced. This is true for many companies, not just Microsoft. It's called human nature and greed.

    13. Re:Linux is not 100% secure by jonadab · · Score: 1

      > Oh, one more thing. I miss the days when you could listen to your computer's
      > hard drive and know what it was doing. If it started up and a odd time you'd
      > know something wasn't right. These days on windows the hard drive seems to
      > randomly grind a way for a second every once and a while...it's...
      > disconcerting. My mac doesn't seem to do that, can't remember if Linux does.

      Not generally (assuming you have a decent amount of RAM), but cron jobs can
      cause a similar effect, especially the ones that rotate logfiles and stuff.
      Of course, since you can control exactly what time of day these happen, they
      are technically not random, but still they can catch you by surprise.

      --
      Cut that out, or I will ship you to Norilsk in a box.
    14. Re:Linux is not 100% secure by KUHurdler · · Score: 1

      I have 1.25 GB of RAM and my hard drive was crunching all the time.

      I figured out that it will stop if you turn off indexing.

      It's supposed to help it search faster or something like that.

      --
      Fix Your Own TV - RiddledTV.com Avoid the Landfill
    15. Re:Linux is not 100% secure by Anonymous Coward · · Score: 0

      you said:

      I miss the days when you could listen to your computer's hard drive and know what it was doing. If it started up and a odd time you'd know something wasn't right. These days on windows the hard drive seems to randomly grind a way for a second every once and a while...it's...disconcerting.

      i said:

      that's probably the search thingy making indexes of everything when there are free cpu cycles to burn. you can turn it off by asking the dog not to anymore.

    16. Re:Linux is not 100% secure by HiThere · · Score: 1

      It's the MS version of updatedb...but when I used MSWind it seemed more intrusive than it does on Linux. Mind you, there was a version of Red Hat a few years ago that was worse about it than the version of MSWind95B.

      --

      I think we've pushed this "anyone can grow up to be president" thing too far.
    17. Re:Linux is not 100% secure by hallaballa · · Score: 1

      No, it is not that simple.

      First off, it's just an estimation -- and in cases like this, whoever has the highest estimation "wins", because that's what media will pick up on, that's what will be repeated by press and forums like this one.

      Second, this estimation includes costs that should not be directly attributed to the virus outbreak. E.g. the cost of cleaning machines and getting them up and running - in many cases this was just waiting to happen. The virus just happened to trigger it, but it could just as well have happened due to a hardware failure.

      Third, what you're presenting is not an objective way of measuring, as it depends on the companies reporting truthfully and accurately.

      I'm not claiming that virus outbreaks do not have a cost, but any reports of cost must be taken with a grain of salt. Or two.

    18. Re:Linux is not 100% secure by hallaballa · · Score: 1

      Right. And it includes money spent by those who bought protection and weren't hit by this particular outbreak. This shouldn't be counted. And it doesn't count those who didn't buy antivirus software and subsequently got hit. And it equates the anti-virus companies' profits with the cost of clean up.

      So, all things considered, your post is pretty irrelevant.

    19. Re:Linux is not 100% secure by RoLi · · Score: 1
      And it includes money spent by those who bought protection and weren't hit by this particular outbreak. This shouldn't be counted.

      Of course this should be counted because running anti-virus software is part of the total cost of ownership of running Windows.

    20. Re:Linux is not 100% secure by ClioCJS · · Score: 1
      I think you unix zealots are ALL paranoid.

      I'd rather be hacked once every 10 yrs than be crippled my whole life by an open-source culture that, while being morally superior, is functionally inferior.

      But I have high hopes for the future when unix actually will become better than Windows. It's not here yet, but it's inevitable.

      Good luck guys. You'll need it.

      --
      -Clio
      Karma: Bad (mostly from not giving a fuck)
      Blog: http://clintjcl.wordpress.com
    21. Re:Linux is not 100% secure by Anonymous Coward · · Score: 0

      (In real life there has never been a case of a intentinal backdoor in any OSS-project with more than 1 contributor while there have been numerous examples of such backdoors in CSS)

      What about that time recently when someone tried to insert a local root exploit into the kernel by having a "x = 0" instead of "x == 0", but Linus noticed it on his master copy? One thing supposedly learned from this was to always put "0 == x" with the constant on the left, so that the compiler will complain if you "accidentally" have an assignment instead of an equality test.
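
      The `x = 0` versus `x == 0` trap described in the comment above, as an added example that is not part of the original thread or of any kernel tooling: a small Python review check that flags a bare `=` inside an `if`/`while` condition in C source, plus a helper that rewrites `x == CONST` into the constant-on-the-left form the comment recommends (where a typo `CONST = x` fails to compile). The C snippet it runs over is constructed for the example. It is a heuristic (one condition per line, no `=` inside string literals); a compiler with warnings enabled catches the same pattern, this is only a quick pre-review pass.

```python
import re

# A single '=' that is not part of '==', '!=', '<=' or '>='.
ASSIGN_RE = re.compile(r"(?<![=!<>])=(?!=)")
# The condition of an if/while statement on one line (greedy: up to the last ')').
COND_RE = re.compile(r"\b(if|while)\s*\((.*)\)")
# 'name == CONST' where CONST is an integer literal or NULL; name may be a->b or a.b.
EQ_CONST_RE = re.compile(r"(\*?\w+(?:(?:->|\.)\w+)*)\s*==\s*(-?\d+|NULL)\b")

# Constructed sample C source (not from any real project).
SAMPLE_C = """\
int check_options(int options, int *uid)
{
    /* constructed sample: a normal equality test */
    if (options == 0)
        return 1;
    /* constructed sample: the trap, a single '=' with a side effect */
    if ((options == 3) && (*uid = 0))
        return 1;
    /* constant on the left: a typo here would not compile */
    while (0 == options)
        break;
    return 0;
}
"""


def find_assignment_in_condition(source: str):
    """Return [(line_number, stripped_line)] for every if/while whose
    condition contains a bare assignment. Heuristic, see lead-in."""
    hits = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        m = COND_RE.search(line)
        if m is None:
            continue
        if ASSIGN_RE.search(m.group(2)):
            hits.append((lineno, line.strip()))
    return hits


def yoda_form(expr: str) -> str:
    """Rewrite 'name == CONST' as 'CONST == name' so that dropping one '='
    becomes a compile error instead of a silent assignment."""
    return EQ_CONST_RE.sub(lambda m: f"{m.group(2)} == {m.group(1)}", expr)


if __name__ == "__main__":
    for lineno, text in find_assignment_in_condition(SAMPLE_C):
        print(f"line {lineno}: assignment in condition: {text}")
        print(f"  suggested: {yoda_form(text)}")
```

      Running it reports line 7 of the constructed snippet and nothing else; the `==` on line 4 and the already-flipped `0 == options` on line 10 are left alone.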

    22. Re:Linux is not 100% secure by jonadab · · Score: 1

      > indexing. It's supposed to help it search faster or something like that.

      Oh, that, yeah. I'm pretty sure that's not a Linux feature per se but an
      application that some distros have bundled. I think Mandrake includes it,
      but I never turned it on.

      MacOS 9 has something similar, except that instead of running in the background
      it ties up the whole system. Fortunately, there's a cancel button, but I have
      never figured out how to make it not happen at startup, so the user doesn't
      have to click cancel every morning. (It's probably easy, but my use of the
      Classic MacOS is pretty much limited to end-user stuff; I mostly avoid that
      platform when I can. So I'm not very familiar with the administrative type
      of details like this.)

      --
      Cut that out, or I will ship you to Norilsk in a box.
  82. Re:More than three by Proud+like+a+god · · Score: 1

    I know it isn't part of the OS, and I never used Outlook or OE when booting 98SE, so I separately mentioned that some 98ers might still be vulnerable but only if they run non-core apps like OE.

  83. has anyone tried updating windows without using IE by -O.ster_66 · · Score: 2, Interesting
    "Thank you for your interest in Windows Update. Windows Update is the online extension of Windows that helps you get the most out of your computer. You need to be running a version of Internet Explorer 5 or higher in order to use Windows Update. Download the latest version of Internet Explorer. Once Internet Explorer is installed, you can go to the Windows Update site by typing http://windowsupdate.microsoft.com into the address bar of Internet Explorer. If you prefer to use a different Web browser, updates to Windows may be downloaded from the Microsoft Download Center."

    --
    "You get all the fun of sitting still, being quiet, writing down numbers, paying attention...science has it all."
  84. Mirror by KalvinB · · Score: 5, Funny

    since Microsoft's Windows Update page is getting really bogged down you can download the patches from this Mirror.

    Ben

    1. Re:Mirror by Anonymous Coward · · Score: 0

      That would be a lot funnier without the tag after the link.

    2. Re:Mirror by M.C.+Hampster · · Score: 1

      Ha, ha, you so funny. Of course, I get more security related emails from Red Hat than I do Microsoft, so what's your point?

      --
      Forget the whales - save the babies.
    3. Re:Mirror by kayen_telva · · Score: 1

      not about the OS you don't

    4. Re:Mirror by M.C.+Hampster · · Score: 1

      That's a distinction with a difference. If they are programs that are installed with any of the three preset configurations, they are as much a part of the OS as Outlook Express is in Windows.

      --
      Forget the whales - save the babies.
  85. Two things... by KeeperS · · Score: 1

    This illustrates two important points:

    1) Windows is full of security holes. (as if everyone didn't already know that)

    2) Microsoft is trying to fix their security problems.

    I have to wonder, though, how many more unknown or unpatched security vulnerabilities Windows has and how hard Microsoft is working on security. I'd suspect that the answer to both questions is "a lot," but that's just pure speculation on my part.

    1. Re:Two things... by Anonymous Coward · · Score: 0

      You illustrate one unimportant point

      1) You are an idiot.

      Wake up man, slashdot is a joke. Slashdot monkeys are not even serious programmers. There are simply too many idiots, just look around you, including yourself. You are a pure idiot. You've got to grow up, and start learning something about computers. Linux is only serious on the server, not the desktop. Sooner or later Linux will lose on the server also. FUD against Microsoft will not work once people's machines are getting hacked. People who use Linux are only idiots who don't want to use Microsoft technology. Linux had 3 critical security holes just this week, but you are not even aware of it. Many more distributions still didn't release the security patches yet. Your boxes can be compromised at any time. I hope you have a firewall.

    2. Re:Two things... by Anonymous Coward · · Score: 0

      Steve Ballmer, didn't your mother tell you NOT to post as AC???

  86. Hmm, nothing specified for me by GarbanzoBean · · Score: 1

    Hmm, I just connected to the windowsupdate.microsoft.com and it said I don't need any updates (I don't have autoupdate turned on). I'm running Win98SE.

    1. Re:Hmm, nothing specified for me by huchida · · Score: 1

      Perhaps because they've abandoned support for your OS?

  87. Outlook Express complete removal? by Anonymous Coward · · Score: 0

    [Reads MS technical details and FAQ...]

    It's bad enough that there are vulnerabilities in Outlook Express, which MS happily informs us is "installed by default", but even if you don't use it, you are still vulnerable to remote exploits. How nice. The patches are not exactly helpful (I'm not even sure what version of Outlook Express is on my system). Rather than patching, does anybody know how to remove the stupid thing entirely? Will that inoculate the system? Unhelpfully, MS does not say if this would cure the problem, or even if it is possible to do.

  88. Re:Meanwhile... by spinkham · · Score: 4, Interesting

    Yeah, this is what burns me up with these security bug comparisons. In Linux, 99% of the software you run on your computer you get from your distribution, while very little of your software under Windows comes as a part of Windows. Of course there are more bugs in a complete computer setup with 10 different ftp servers to choose from, irc clients, a complete development suite (or 3), etc...

    --
    Blessed are the pessimists, for they have made backups.
  89. IMO by Kjella · · Score: 1

    ...they peaked around 2000. Or should I call it purely accidental, since NT was solid but not usable for common people. They've been turning it into this XP Premium crap since then, fortunately they did the basics first and needed to release something, so there was Win2k.

    By the time that one is EoL'd, I expect I'll be running Linux full-time. Windows seems to be going in completely the wrong direction as far as I'm concerned, whereas Linux is getting to the "poweruser but not interested in hacking config from terminal" level I'd like.

    Kjella

    --
    Live today, because you never know what tomorrow brings
  90. Maybe false alarm for Win98 by GarbanzoBean · · Score: 1

    The FAQ says that these vulnerabilities are not critical in Win98. Do they still exist? Not clear from the text.

    Still have to patch a dozen computers. Oh well, at least the server is running linux.

  91. Yay M$!!! by Anonymous Coward · · Score: 0

    :0)

  92. Re:This is why microsoft are insecure by The+Bungi · · Score: 5, Informative
    They've gone to scheduled patch releases on the second Tuesday of every month to make it easier for admins and users. That's today in case you missed it. AFAIK all the vulnerabilities had been published earlier by third parties.

    If and when there's an actual exploit in the wild for a given vulnerability then they'll release the patch immediately, just like they've done before.

    Whoever modded you "Insightful" should have used the "-1, Another Stupid Conspiracy Theory" mod instead.

  93. MOD PARENT UP +5 FUNNY! by Anonymous Coward · · Score: 0

    Mod parent up. :P

  94. Re:More than three by XorNand · · Score: 1

    Not to threadjack, but...

    One of my jobs is to plug holes like this when they pop up. I know that I can keep watch on SecurityFocus, NTBugTraq, etc., but does anyone know of a service that I can subscribe to that will proactively send me security alerts? I'd like to be able to pick the products/vendors that I support and get timely and relevant notices.

    --
    Entrepreneur : (noun), French for "unemployed"
  95. Mirror here by Anonymous Coward · · Score: 0


    Mirror for the patches.

    (Sorry couldn't resist)

  96. Now let me burst your bubble by Anonymous Coward · · Score: 0

    Uh "Linux and vulnerabilities" in the same sentence is a joke. You can't hack into Linux through the web browser, or by running a script in the background to do damage to your OS.

    1. Re:Now let me burst your bubble by ColdZero · · Score: 0

      vi hi2u.sh #!/bin/sh rm -rf / :wq sh hi2u.sh & Sorry...I had to do it.

  97. Check out www.eeye.com by khasim · · Score: 5, Informative

    http://www.eeye.com/html/Research/Advisories/index.html

    Looks like a whole bunch of those holes were reported to Microsoft by eeye and Microsoft FINALLY got around to patching them.

    Some of them had been reported over 6 months ago.

    1. Re:Check out www.eeye.com by Anonymous Coward · · Score: 0

      Yeah right, we believe you khasim. It is amazing how many idiots are out there to give points to anybody who is simply lying about facts. I guess slashdot monkeys have no sense of decency and dignity. That's why Linux will die in the end. If you lie to your users, sooner or later they will catch you.

  98. shit... by adamofgreyskull · · Score: 1

    ...I thought lower was better for uptime...

  99. What's new?! by Anonymous Coward · · Score: 0

    Everyone knows that Microsoft operating systems are nothing but junk. So, news of a new MS vulnerability shouldn't be a surprise - nor should it be news. People who stay with Microsoft operating systems deserve to be hacked. Maybe it'll teach them to throw MS software in the trash where it belongs - they obviously don't care about their own security or well-being.

    LONG LIVE LINUX!!!

    1. Re:What's new?! by JonnyRo88 · · Score: 1

      The problem really is that there are people that want to have their hands held in their computing experience. These are not generally the people that follow ESR's how-to-ask-a-question guidelines. They want to know the absolute least possible about their computer to get it to do what they want. Microsoft caters to this group. The question then becomes, do you want to take over that duty? I sure don't want to take care of people who have no will to learn anything on their own. This is why I still install winblowz on client computers when I cannot be around to support them. (Client desktops; I always install Linux servers for clients.)

      What really pisses me off is when M$ tries to make it hard for linux to move up in the other spaces, besides joe idiot user.

      Yes, such bitterness comes from being a former windows NT/2k admin for about 4 years before finding linux.

      --
      The Ro Factor - Jeep/Linux Weblog
  100. Re:has anyone tried updating windows without using by Lshmael · · Score: 3, Informative

    Windows Update uses ActiveX controls to check which updates are installed on your computer, so you actually do need Internet Explorer to use it.

  101. Re:More than three by wpmegee · · Score: 0, Offtopic

    Good luck trying to use more than 256MB of RAM on that Win98 box. Sure, Win98 supports it, but it can't effectively utilize more than that.

    Most games need at least 512MB to perform properly nowadays. Battlefield Vietnam still occasionally swaps to the hard drive on my XP Pro box with a gig of RAM, as does Planetside (MMOFPS), and Warcraft III also fills up 512MB regularly.

    And as for home users: WinXP is much nicer (newbie-friendly) for pictures, cd burning, and basic networking. Better hardware support too.

  102. Re:Windows Update in Firefox suggestion by Anonymous Coward · · Score: 0

    These are the steps you need to take:
    1. Backup all personal files,
    2. Format your hard drive,
    3. Install a Linux distribution,
    4. Have fun.

  103. Re:Won't announcing vulnerabilities cause exploits by Anonymous Coward · · Score: 0

    This *IS* the slow patch cycle :-)

  104. SP5? by TimTheFoolMan · · Score: 4, Interesting
    Hmmm... in the details for Security Bulletin MS04-011, they list the following registry key:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows 2000\SP5\KB835732\Filelist
    Looks like we've now seen the first light of SP5.

    Tim

    1. Re:SP5? by hallaballa · · Score: 1

      MS classifies anything post-spN as spN+1. So, on the off-chance that there'll be a SP5, this fix will be included in it.

    2. Re:SP5? by Anonymous Coward · · Score: 0

      If you are lucky -- W2000 SP1 de-applied a few of the "gold" SP0 patches. Same thing happened with NT4 several times.

  105. Re:Meanwhile... by rcamera · · Score: 1, Informative

    1) why would you need 10 different ftp servers? one would think that just installing the one you plan to use makes more sense... same goes for development suites. chances are that you'll be using one - not three

    2) ftp IS a bug. try ssh. there are many ssh servers available. but once again, one ssh server will probably suffice.

    --
    Wave upon wave of demented avengers March cheerfully out of obscurity into the dream
  106. Microsoft Announces Three More Critical Vulnerabil by Anonymous Coward · · Score: 2, Informative

    Nice to see /. falling into the MS FUD campaign. There are not 3 vulnerabilities, there are 20, and it is only 3 patches.

    Score a point to MS for making us think 20 = 3.

    Of course we also buy MS telling us the Linux mem-remap exploit was 5+ vulnerabilities (Debian, Mandrake, Redhat, Suse, et al.)

    As of this point, if someone from MS told me the grass was green, I would go outside and see for myself. You simply cannot believe a single word spewing forth from the Redmond Dragon.

  107. Re:Lies, opinions, and half-truths by Anonymous Coward · · Score: 0

    what the hell does this have to do with this post? why didn't you bodge this onto someone else's post nearer the top?

  108. Re:has anyone tried updating windows without using by ocelotbob · · Score: 2, Interesting

    Except that ActiveX is available for mozilla. So really, the only reason that MS requires IE is to lock you in, not any real technical reason.

    --

    Marxism is the opiate of dumbasses

  109. Not prepared? by SamMichaels · · Score: 1

    First time I ever saw this upon loading Windows Update:

    HTTP/1.1 Server Too Busy

  110. Updates that break things by hotspotbloc · · Score: 1

    It seems that one of updates broke TS on a 2k Server (and I'm too far away to get to the console tonight). Has anyone else heard of any other services or apps that break because of these updates?

    --
    "I hate to advocate drugs, alcohol, violence or insanity but they've always worked for me" - HST
    1. Re:Updates that break things by Anonymous Coward · · Score: 0

      Lots of stuff, mostly the OS it seems.

      See the thread in this slashdot topic titled:
      Kills Windows 2000

      Also do a google groups for 835732 and you will see some more issues.

  111. Related to the release of windows source? by deadlysloth · · Score: 1

    Hey, anyone else get the feeling that all these remote exploits could be related to the leak of Windows source some time back? Just a thought, but this is a lot of critical updates.

  112. In other news... by Anonymous Coward · · Score: 0

    Some people in the Middle East hate some other people in the Middle East.

  113. Numerous outbound connections detected on update? by aelfwyne · · Score: 1

    When I installed this, my firewall went crazy during the update with attempted connections all over the net by the update installer (after the download had finished)....

    Anybody know what's up with that? What exactly are they doing with this update that requires connecting to several different hosts during the install?

    --
    -- If it ain't broke - overclock it more.
  114. Your sig by Vainglorious+Coward · · Score: 4, Funny

    --

    The number of the modding shall be three, four shall the number of the modding not be, neither shall it be 2...

    5 is right out.

    --
    My next sig will be ready soon, but subscribers can beat the rush
  115. Your sig by Anonymous Coward · · Score: 0
    --
    rejected (19) accepted (0)
    Is there a psychological term related to getting your stories rejected on slashdot?

    No, but there is a term related to moaning about it in your sig. It's "nerd".

  116. Kind of like this? by melted · · Score: 0, Flamebait

    http://docs.info.apple.com/article.html?artnum=61798

    Apple never "fixes" security holes. They only "improve handling" or something like this. Yet everyone pees their pants about MacOS X.

    1. Re:Kind of like this? by nathanh · · Score: 1
      Apple never "fixes" security holes. They only "improve handling" or something like this. Yet everyone pees their pants about MacOS X.

      Yeah, kind of like how companies always call them "issues" and "incidents" rather than "bugs" and "major fuckup". It's marketing spin.

      Btw, I don't pee my pants over MacOS X. I think there's too much hype in that particular arena. It's FreeBSD/Mach and the NEXTSTEP GUI with some whizzy 3D effects. You'd think Apple had invented the Holy Grail the way some people rabbit on about it, though. I wonder where all these cheerleaders were when MacOS 6 had a good GUI on a crappy foundation. Probably using DOS and writing CONFIG.SYS files for their ISA sound card. Obviously the GUI and autoconfig weren't that important.

    2. Re:Kind of like this? by amRadioHed · · Score: 2, Informative
      Excuse me? Am I just imagining it, or does Apple use the word "fixes" in every update listed on that page you gave?
      * CUPS Printing: Fixes CAN-2004-0382 to improve the security of the printing system. This is a configuration file change that does not affect the underlying Printing system. Credit to aaron@vtty.com for reporting this issue.
      * libxml2: Fixes CAN-2004-0110 to improve the handling of uniform resource locators.
      * Mail: Fixes CAN-2004-0383 to improve the handling of HTML-formatted email. Credit to aaron@vtty.com for reporting this issue. ...
      ...
      ...
      --
      We hope your rules and wisdom choke you / Now we are one in everlasting peace
  117. My point by AntiMac · · Score: 1

    http://slashdot.org/comments.pl?sid=103769&cid=8844370

    Thanks for proving my point, weekendwarrior1980

    --
    ========== .sig
    Intelligence should not be rewarded; ignorance should be punished
    ==========
  118. explanation by Mr+44 · · Score: 1

    RTFA (Read the F'in Advisory).
    The bug is in the pluggable protocol handler for MHTML, which is implemented in outlook express.

    For better or worse, IE is nearly infinitely extensible, and it calls out to other components to parse extra protocols.

  119. Re:More than three by EvanTaylor · · Score: 1

    I'd rather thank you personally for that than mod your post funny. Again, thank you.

    --
    Sleep is for the weak.
  120. Re:Windows Says.... by WanderingFighter · · Score: 1

    Oh my god *falls out of chair laughing*

    --
    $>man woman
    $>Segmentation fault (core dumped)
  121. Hidden agenda by freeze128 · · Score: 1

    I just got back from the Microsoft Security Summit, and now it makes sense. They didn't want me to see this story.

  122. Wow. by boarder8925 · · Score: 1

    Finally up to, oh, crap I lost count after 57,683 exploits.

  123. Hrm by bonch · · Score: 1

    I guess I'm not one to ignore certain vulnerabilities and glorify others simply because one comes from Windows.

    Besides, Linux has had plenty--and has had many public break-ins in the past six months.

    1. Re:Hrm by finkployd · · Score: 2, Insightful

      I guess I'm not one to ignore certain vulnerabilities and glorify others simply because one comes from Windows.

      Nor do I (and frankly I am not sure HOW you got that weird point of view from my comment).

      I do however consider remote root vulnerabilities to be significantly more alarming than local privilege escalation.

      Besides, Linux has had plenty--and has had many public break-ins in the past six months.

      I would never imply otherwise.

      Finkployd

  124. Re:Won't announcing vulnerabilities cause exploits by Anonymous Coward · · Score: 0
    Clearly this joke went over everyone's head. Not one +1 funny and a clueless AC post t'boot.

    I laughed, best funny comment I've read today. My thanks to David Hume.

  125. Uh by bonch · · Score: 1

    Great, now "Linux vulnerabilities" include every commercial product which runs on Linux.

    Nope--they aren't Linux vulnerabilities, they're vulnerabilities in those Linux distributions. That is to say, the Gentoo Linux operating system has several security advisories announced every week. I don't see a difference between that and Windows.

    Nice try, though. :)

  126. Re:has anyone tried updating windows without using by Anonymous Coward · · Score: 0
    Except that ActiveX is available for mozilla. So really, the only reason that MS requires IE is to lock you in, not any real technical reason.

    What? You're going to install ActiveX into Mozilla? Get real. Either I except that you're stupid or the rest of your comment is mute. Either way, your conclusion is irrelevant.

    Sorry, that sounds like a flame, but I'm not sure how to word it better. Microsoft sucks, but your comment doesn't really say anything about that.

  127. Re:has anyone tried updating windows without using by ruiner13 · · Score: 2, Interesting

    Good thing they have self-contained downloads available. Yes, they don't make 'em easy to find, but you can burn say, Win2K SP4 in all its 135MB glory onto a cd to do offline updates. This is the only way you can practically update a 56K modem-bound 'puter.

    --

    today is spelling optional day.

  128. IE spoofing by Murf_E · · Score: 1

    What Mozilla extension do I need to spoof this, or where do I change the settings?

    --
    this sig intentionally left blank
    1. Re:IE spoofing by next1 · · Score: 2, Informative

      user agent switcher

      I have to switch user agent to access one of my bank sites too, but that's the only time I have to do it.

      I always switch it straight back as well - support Mozilla!!

  129. microsoft advertisements about security by Anonymous Coward · · Score: 0

    I read the Techweb page about the new vulnerabilities and I notice half the advertisements on this page are about Microsoft.

    The first one is a kind of "linux sucks, windows rulez".

    The second is "protect your data, communications... protect your infrastructures, use Microsoft products".

    Every day is the 1st of April for Microsoft. What a funny company!!

  130. *sigh* by shiftless · · Score: 1

    It's "frist post", you insensitive clod. Learn how to spell!

  131. Re:Meanwhile... by ImpTech · · Score: 1

    Well yeah, nobody needs 10... but try to explain that to the guys who want to throw vulnerabilities from all 10 into the general "Linux vulnerability" category.

  132. Re:This is why microsoft are insecure by Anonymous Coward · · Score: 0

    Microsoft *is*, not Microsoft are.

  133. I find two things particularly interesting here... by Malor · · Score: 2, Interesting

    First, this isn't three vulnerabilities, it is TWENTY, addressed with three patches to make it look less severe. (And I don't really think this once-per-month patch cycle is to make administrators' lives easier; I think it's to make Microsoft look better.)

    Second, Microsoft has also increased the load on their servers by, oh, thirty times. While they have enough money to provision themselves with thirty times the incoming bandwidth to handle the huge burst of patch traffic once per month, at this point they don't appear to have actually DONE THIS. I am just barely able to get the Windows Update page to display at all, much less actually do anything useful like, say, download patches.

    So, here I sit with a machine with twenty vulnerabilities, which they didn't tell me about all month to save face, and now that they HAVE told me, I can't patch because I can't reach their site.

  134. Anyone keeping track?! by bonez_net11 · · Score: 1

    Is anyone keeping track of exactly how many "critical" (and other categories?) bugs microsoft announces? If I could find a good source, I'd love to point it out in a meeting at work. We are mostly Mac but have been FORCED to buy some Windoze machines lately to access some Win2k+ and IE 5+ web tools (departmental timekeeping, purchasing, inventory, insurance, etc). Why people can't write simple web tools so they work on a "standard" web browser is beyond me, but anyways back to my question. If I had a good source maybe I could try and get my work to -not- buy a PC when someone asks for it, without a very good reason. Sure would save me a lot of time.. especially when people call for phone help.
    Speaking of phone help... Can anyone tell me why Windows has you click through so many options when connecting to a wireless access point? There is no reason for all those options to be there. Almost everything can be totally automatic, except for choosing -which- access point and entering the -password-. Ding ding, that's -TWO- options. Why are there like, 10+? WHY? Why are there so damn many settings? I know what they all mean, and they don't all need to be there. On my Powerbook, I just choose the AP's name from a menu and type the password. Easy as that.

  135. Notice "to improve" blahblahblah by melted · · Score: 1

    It's not like there was a security hole, we're just making our secure system even more secure.

    What a crock of bullshit.

    1. Re:Notice "to improve" blahblahblah by amRadioHed · · Score: 1

      Of course I see the "to improve" part, it's right after the word "Fixes" that I was only pointing out because you said they never used it.

      Apple has at times used corporate doublespeak for things that really pissed me off. This is not one of those times. This is nothing.

      --
      We hope your rules and wisdom choke you / Now we are one in everlasting peace
  136. Re:has anyone tried updating windows without using by Lshmael · · Score: 2, Informative

    Microsoft reasoning aside, the current ActiveX solutions for Mozilla (as described in this thread) either do not work in Windows Update or, like Neptune, use Internet Explorer's rendering engine and security model. This nullifies any possible benefit, and I assume that you would still need Internet Explorer.

  137. US-CERT Technical Cyber Security Alert TA04-104A by ElliotLee · · Score: 0

    Multiple Vulnerabilities in Microsoft Products
    Original release date: April 13, 2004
    Last revised: --
    Source: US-CERT

    Systems Affected
    * Microsoft Windows Operating Systems
    * Microsoft Windows Remote Procedure Call (RPC) and Distributed Component Object Model (DCOM) subsystems
    * Microsoft Windows MHTML Protocol Handler
    * Microsoft Jet Database Engine

    Overview
    Microsoft Corporation has released a series of security bulletins affecting most users of the Microsoft Windows operating system. Users of systems running Microsoft Windows are strongly encouraged to visit the "Windows Security Updates for April 2004" site at and take actions appropriate to their system configurations.

    I. Description
    Microsoft has released four security bulletins listing a number of vulnerabilities which affect a variety of Microsoft Windows software packages. The following section summarizes the issues identified in their bulletins.

    Summary of Microsoft Bulletins for April 2004

    Security Bulletin MS04-011: Security Update for Microsoft Windows (835732)
    This bulletin addresses 14 vulnerabilities affecting the systems listed below. There are several new vulnerabilities addressed by this bulletin, and several updates to previously reported vulnerabilities.
    Impact: Remote attackers could execute arbitrary code on vulnerable systems.
    Systems affected:
    * Windows NT Workstation 4.0
    * Windows NT Server 4.0
    * Windows NT Server 4.0, Terminal Server Edition
    * Windows 2000
    * Windows XP
    * Windows Server 2003

    Security Bulletin MS04-012: Cumulative Update for Microsoft RPC/DCOM (828741)
    This bulletin addresses several new vulnerabilities affecting the systems listed below. These vulnerabilities are in Microsoft Windows Remote Procedure Call (RPC) and Distributed Component Object Model (DCOM).
    Impact: Remote attackers could execute arbitrary code on vulnerable systems.
    Systems affected:
    * Windows NT Workstation 4.0
    * Windows NT Server 4.0
    * Windows NT Server 4.0, Terminal Server Edition
    * Windows 2000
    * Windows XP
    * Windows Server 2003

    Security Bulletin MS04-013: Cumulative Security Update for Outlook Express (837009)
    This bulletin addresses a vulnerability affecting the systems listed below. The vulnerability affects the Microsoft Windows MHTML Protocol handler and any applications that use it, including Microsoft Outlook and Internet Explorer. This vulnerability has been assigned VU#323070 and CAN-2004-0380.
    Note: MS04-013 includes patches remediating the vulnerability described in TA04-099A.
    Impact: Remote attackers could execute arbitrary code on vulnerable systems.
    Systems affected:
    * Windows NT Workstation 4.0
    * Windows NT Server 4.0
    * Windows NT Server 4.0, Terminal Server Edition
    * Windows 2000
    * Windows XP
    * Windows Server 2003
    * Windows 98
    * Windows 98 Second Edition (SE)
    * Windows Millennium Edition (Windows Me)
    Note: This issue affects systems with Outlook Express installed. Outlook Express is installed by default on most (if not all) current versions of Microsoft Windows.

    Security Bulletin MS04-014: Vulnerability in the Microsoft Jet Database Engine Could Allow Code Execution (837001)
    This bulletin addresses a vulnerability affecting the systems listed below. There is a buffer overflow vulnerability in Microsoft's Jet Database Engine (Jet). An attacker could take control of a vulnerable system, including installing programs; viewing, changing, or deleting data; or creating new accounts that have full privileges. This vulnerability has been assigned VU#740716 and CAN-2004-0197.
    Impact: Remote attackers could execute arbitrary code on vulnerable systems.
    Systems affected:
    * Windows NT Workstation 4.0
    * Windows NT Server 4.0
    * Windows NT Server 4.0, Terminal Server Edition
    * Windows 2000
    * Windows XP
    * Windows Server 2003

    Update to TA04-099A
    Microsoft has released a patch that addresses the cross-domain vulnerability discussed in TA04-099A: "Vulnerability in Internet Explorer ITS Protocol Handler". US-CERT is tracking this issue as VU

  138. Yaaaawwwnnnnn by cbdavis · · Score: 1

    Here we go again. Nothing new here. Everybody
    go to windows update, again.

  139. DRAT I need to...oh wait... by sadler121 · · Score: 1

    I was about to crap in my pants, but then I realized I was running Linux. :-P

  140. The joke is on YOU! by Tibor+the+Hun · · Score: 2, Funny

    We didn't make YUGOs in 1960s!
    Shoot, we were lucky if we had a Lada, or if you were really good to The Party, maybe a Citroen!

    --
    If you don't know what AltaVista is (was), get off my lawn.
  141. Re:Meanwhile... by imroy · · Score: 1

    Yes, Linux distros come "bundled" with tonnes of software whereas Windows is very bare out of the box. I'm not sure if this is what you're referring to, but let me rant for a moment about what really annoys me. It's when some MS shill "analyst" writes a "report" purporting to compare the relative security of each system by counting bug reports. What they will do every f**king time is 1. Count all the bundled software as being part of "Linux" and 2. Aggregate all the Linuxes together, thus counting most of the bugs multiple times. Surprise surprise, MS wins with a lower number of supposed bugs. Laura Didio[t] recently did one of these hack jobs (which resulted in the joint press release from Debian, Red Hat, Mandrake, and SuSE) but it wasn't the first. This is about the third or fourth of these reports that has come out in as many years.

  142. Re:Meanwhile... by spinkham · · Score: 1

    As to 1) That's part of my point. No one has all that software installed, and yet since it is available from whatever distro is being counted for bugs, all that software is included. They point at 99% of software available for Linux and quote the bugs in that against a much smaller population of software on Windows, though there is a decent amount of code in Windows proper these days.
    It's just not a fair comparison.
    As for 2), yes, I don't have a world-visible FTP server anymore, and very few places do except for anonymous FTP service. There is usually only one port open on my computer, and that is for SSH. I don't even allow ICMP through, cuz I am a bit over-paranoid. However, there is only one implementation of SSH available in most distros, so it didn't make a good example for my point ;-)

    --
    Blessed are the pessimists, for they have made backups.
  143. No need to wait by sadler121 · · Score: 1

    There's no need to wait several years, Linux is already ready for the desktop. If you don't believe me check out Mepis, Knoppix, or Xandros.

    I personally prefer Gentoo Linux because of the freedom you have in choosing what applications you want on your computer, though for a noob, it is a bit daunting.

  144. What is the point of this? by Ayanami+Rei · · Score: 1

    As of late any time someone wants to look "smart" or "insightful" they post a link to linuxsecurity.org in response to an inane comment about Windows security. You take a site which wants to be honest about security issues in free OSs and use it as some kind of childish comeback.

    Real good sleuthing there, Sherlock.

    The only thing you've done is start a pissing contest. Just don't reply to posts that don't need replying to. The parent wasn't making an argument, but a joke. You should know that we bash Microsoft here, whether they deserve it or not, AND EVERYBODY KNOWS THAT. It's not like they need to be actively defended.

    What's interesting about the 3 bugs, DIPSHIT, is that they were discovered by eEye (and others) some time back in late 2003 and they sat on their hands waiting for Microsoft to publicly acknowledge them and release patches.

    Meanwhile all of the listings on that front page are fresh and current, and advise you to disable services there aren't already patches for. So sit and spin, my friend.

    --
    THIS THING CAN TURN ON A DIME, MACROSSZERO STYLE ALSO FUCK BETA, ~NYORON
    1. Re:What is the point of this? by Anonymous Coward · · Score: 0

      YHBT.
      YHL.
      HAND.

    2. Re:What is the point of this? by Douglas+Simmons · · Score: 1

      Hey. Asshole. What was inane and childish was the original remark, and since everyone's bashing MS and Mac, why not parenthetically call attention to the 14+ bugs on Linux reported in one day? Try to step away from the /. mentality.. a quick breather.

  145. JESUS FUCKING CHRIST by Ayanami+Rei · · Score: 1


    Get a life.

    --
    THIS THING CAN TURN ON A DIME, MACROSSZERO STYLE ALSO FUCK BETA, ~NYORON
  146. It's Finally Been Proven!!! by zer0mass · · Score: 1

    HOLY SHIT! After many years of experimental proof, the WIG (window$ is gay) Theory has been proven once and for all!

    Now, time to prove the more general MIG (micro$oft is gay) theory. Damn, this one's gonna be a toughie, but together, I think we can pull it off!

  147. Mention linuxsecurity one more time... by Ayanami+Rei · · Score: 1

    and I'm going to feed a used tampon down your fucking throat.

    At first I got tired of the slashdot groupthink against MS. Now I'm tired of the slashdot anti-groupthink MS apologists.

    Would you please stop replying in these threads unless you can put the article into a useful context instead of slinging shit around.

    Also, catch SARS. Thanks.

    --
    THIS THING CAN TURN ON A DIME, MACROSSZERO STYLE ALSO FUCK BETA, ~NYORON
  148. Newer versions of AIM install spyware by Gary+Destruction · · Score: 1

    Newer versions of AOL Instant Messenger install spyware. It's called Wild Tangent. Considering the number of people that use AIM, a lot of people have spyware and don't even realize it.

  149. The Worm is already out there by TekGoNos · · Score: 2, Interesting

    Well, maybe.

    Anyway, today a worm completely took over my university's network.
    We are the CS department, we know what we're doing (well, we still don't use Linux, I'm trying to convince them but ...) and we keep our machines up-to-date.

    It spreads by a file called ascdl.exe through a remotely exploitable vulnerability. Nobody knows about this virus (neither Symantec, nor Google) and it spreads fast. When we delete the file, it is back a few minutes later. So I guess it may use one of these new exploits.

    BTW, the internet is slow today and I guess it is this baby. It will probably infect the better part of vulnerable machines before it even has a name. I just hope it doesn't do anything nasty.

    Hopefully by tomorrow AV vendors will have analysed it and issued an update, but I predict it to become REALLY BIG (potentially bigger than Blaster).

    Oh, and it changes the WINDOWS\system32\drivers\etc\hosts file, so that you can no longer contact sites of AV vendors, and Norton's LiveUpdate is blocked too. So once you catch it, you cannot get rid of it because you cannot download the new signature file. You have to remove it manually (or at least edit the hosts file, but who knows about it?). So the bigger part of the population will continue to have it and their computers will no longer update the definition list.

    Again, I don't know if it uses one of the new vulnerabilities, but by the speed this baby spreads and by blocking LiveUpdate this is gonna be HUGE.

    So if a process called ascdl.exe suddenly uses 50% of your CPU, KILL IT!

    --
    I have discovered a truly remarkable proof for my post which this sig is too small to contain.
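    The hosts-file tampering the post above describes (AV and update sites pinned to a dead address so signatures can never be fetched) is easy to check for. The script below is an added example, not code from the post or from any vendor; the watched hostnames and the sample hosts file are constructed placeholders.

```python
"""Flag hosts-file entries that override AV/update hostnames, the
tampering described in the comment above. Added example; the watched
hostnames and the sample file are constructed, not taken from the post."""
import ipaddress
from typing import Iterator, List, Tuple

# Hostnames whose resolution should never come from the hosts file.
# Constructed, illustrative list; substitute the vendors you actually rely on.
WATCHED_HOSTS = frozenset({
    "liveupdate.symantec.com",
    "update.symantec.com",
    "windowsupdate.microsoft.com",
})

# Address ranges that turn an entry into a sinkhole rather than a redirect.
SINKHOLE_NETWORKS = (
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("0.0.0.0/8"),
    ipaddress.ip_network("::1/128"),
)


def parse_hosts(text: str) -> Iterator[Tuple[str, List[str]]]:
    """Yield (address, [hostnames]) for each data line of a hosts file."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue  # malformed: an address with no hostnames after it
        yield fields[0], [name.lower() for name in fields[1:]]


def suspicious_entries(text: str, watched=WATCHED_HOSTS) -> List[Tuple[str, str, str]]:
    """Return (hostname, address, reason) for every watched host the file overrides.

    Any hosts-file entry for a watched name is reported: a loopback or
    0.0.0.0 mapping is a sinkhole, anything else is a redirect to a host
    that DNS would not have chosen.
    """
    findings = []
    for address, names in parse_hosts(text):
        try:
            ip = ipaddress.ip_address(address)
        except ValueError:
            continue  # first field is not an IP address; ignore the line
        sinkholed = any(ip in net for net in SINKHOLE_NETWORKS)
        for name in names:
            if name not in watched:
                continue
            reason = ("sinkholed to unroutable address" if sinkholed
                      else "redirected away from DNS")
            findings.append((name, address, reason))
    return findings


# Constructed sample of a tampered hosts file (not captured from a real system).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       liveupdate.symantec.com update.symantec.com
0.0.0.0         windowsupdate.microsoft.com   # vendor site blocked
192.168.1.10    intranet.example.local
not-an-address  garbage
"""

if __name__ == "__main__":
    for name, address, reason in suspicious_entries(SAMPLE_HOSTS):
        print(f"{name} -> {address}: {reason}")
```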
  150. Turn off Automatic Update by archveult · · Score: 1

    Stupid feature. That followed by 4 minutes watching the progress bar, praying that the 97% video encoding that had taken hours already would finish first. Of course it didn't.

    1. Re:Turn off Automatic Update by jpop32 · · Score: 1

      Stupid feature.

      Yup, there is definitely a certain amount of stupid going on. Now, is it the software, or the user who told it to automatically install the patches instead of asking for confirmation? I'm not sure...

  151. Am I the only one whose machine got disabled by Anonymous Coward · · Score: 0

    I applied the patches to my Win 2000 box and now services.exe is using 100% of the CPU, takes more than 20 minutes to boot.

  152. Ahh, SUS Delight.. by Anonymous Coward · · Score: 0

    It is days like this that I am glad I have Software Update Services installed for my Windows boxes. Nothing worse than having to apply 18 patches to 6 machines on your Home LAN. And to think I just checked for updates at Microsoft exactly 24 hours ago and there were none available.

  153. Re:slashdot == getting lame by Anonymous Coward · · Score: 0

    Amen.

  154. Uh, no. by Urine1diot · · Score: 1
    That is to say, the Gentoo Linux operating system has several security advisories announced every week. I don't see a difference between that and Windows.
    There's a huge difference, in that the vast majority of the GLSAs that Gentoo issues are for third-party packages--not kernel or critical toolchain packages. But of course, to you a vulnerability is a vulnerability, so I suppose if one was found in, say, Adobe Acrobat Reader (for Windows), then that would be Microsoft's fault? By your logic, it would. And don't get me started on the turnaround time it takes for an open source package to patch its vulnerabilities compared to how long it takes Microsoft.

    Nice try, though. :)
    --

    At the end of the day, you just have to face the fact that foo bar baz.
  155. Re:has anyone tried updating windows without using by Myen · · Score: 1

    I'm fairly sure it also uses VBScript. At least it does in the containing frame.
    I doubt anybody other than MS would support that anytime soon...

  156. Kills Windows 2000 by hisdad · · Score: 1

    One of either KB837001, KB828741 or KB835732
    kills Win2k Pro machines. These are normal business machines with the netware client installed.
    'System' uses near 100% CPU and the system is incredibly slow. A long time to boot into even Safe-Cmd Mode. It's done it to 2 machines now and I'm scratching as to how to recover.

    Any help?

    1. Re:Kills Windows 2000 by hisdad · · Score: 1

      I've determined that KB835732 is the culprit.
      Now to see if 'Uninstall' works..

    2. Re:Kills Windows 2000 by terrox · · Score: 1

      what does that one fix and did it remove itself?

    3. Re:Kills Windows 2000 by Anonymous Coward · · Score: 0

      It caused 100% CPU usage by system on my machine, rendered it completely unusable.

      Uninstalling 835732 worked and seemed to make the machine happy again.

      Bunch of stuff in this one:
      http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx

    4. Re:Kills Windows 2000 by cjellibebi · · Score: 1
      It doesn't kill mine.

      I just installed all the latest patches on two Windows 2000 Pro machines, and don't notice any slowdown. The installation history said that 'KB835732' was installed, and I even checked for additional critical updates after a reboot. I also checked the processes with Task Manager, and the system-idle process was at 99%.

      Perhaps the patches interfere with some other software that's installed on your machine.

    5. Re:Kills Windows 2000 by Anonymous Coward · · Score: 0

      Quite a number of people seem to be having problems with this update.

      Take a look at the recent posts in these newsgroups:
      microsoft.public.windowsupdate
      microsoft.public.win2000.windows_update

      Some people seem to be fine but others fail. Don't know what the common problem is.

      Mine that had the problem is:
      Sony Vaio
      PIII 500MHz laptop
      256MB RAM

      Lots of software including:
      ZoneAlarm (note I disabled this and tried a reboot, no improvement)
      Avast antivirus

    6. Re:Kills Windows 2000 by hisdad · · Score: 1

      Hi Folks,
      Thanks for your info.

      It's a generalised security update with about 20 fixes in it.

      It is possible to uninstall it, although it takes ages.
      Worse is that it is installed automatically if you install
      KB820888
      KB822831
      Q818043
      and likely others.
      The only thing to do is to hold off on any security updates until MS publish a fix.

  157. Re: Pot, meet kettle by Anonymous Coward · · Score: 0

    Either I except that you're stupid or the rest of your comment is mute.

    "except" should be "expect" or "accept", depending on what you mean.
    "mute" should be "moot".

  158. Re:That's actually true (obligatory spoofing ref) by tonyr60 · · Score: 1

    And here's mine...
    Mozilla/5.0 (Windows; MVS; OS390; en-NZ; rv:2.8.2) By allowing me access, you waive all rights and policies regarding my access.

  159. DivX Player by Anonymous Coward · · Score: 0

    hmm.. DivX Player isn't working anymore. Wonder if this "security update" had anything to do with it?

  160. 1960 Yugo by rduke15 · · Score: 1

    But the Volvo is more secure than a 1960 Yugo.

    No, the 1960 Yugo is much more secure! Because it didn't exist, and everyone knows pedestrians are safer...

    The cars made in Yugoslavia at the time were Fiats, patriotically called Zastava (which means flag).

    1. Re:1960 Yugo by tbone1 · · Score: 2, Funny
      everyone knows pedestrians are safer.

      Oh? When's the last time you got mugged by someone who was driving a car?

      --

      The Independent: Reverend Spooner Arrested in Friar Tuck Incident - ISIHAC, Historical Headlines
  161. Freedom of choice is important for security. by master_p · · Score: 2, Insightful

    If Internet Explorer was not part of the O/S distribution, it would be easier to uninstall it and install something better, like Opera or Mozilla Firefox (or make an option during O/S installation). The same goes for Outlook and Outlook Express.

    Now that IE and Outlook are bundled with Windows, most people don't care to install anything different, resulting in many compromised machines.

  162. three? just three? by MozillaFireBird · · Score: 1

    Microsoft warned that three 'critical'-rated flaws in the Windows operating system
    Just three? Heck, my granny can find 3 'critical' flaws. First one, "it sucks". Why can't they just admit that the OS is full of holes and is crappy?

    and other programs could allow hackers to sneak into personal computers and snoop on sensitive data.

    A note to whomever it may concern. IT'S CRACKERS, not hackers. Though `hackers' don't snoop on sensitive data by sneaking into computers. Eric Raymond Doo, where are you? We got some work to do here!!!

    --
    Happy Hacking!!!
  163. Re:Windows Update in Firefox suggestion by Bambi+Dee · · Score: 1

    Wanna come visit and help me with step 4? All the others I can handle just fine.

  164. No mention of Windows 95 by UrGeek · · Score: 1

    I have seen no mention of Windows 95. Of course, we all know that support has ended for that turkey, and seriously, I cannot blame Microsoft for that - it is sooo beyond hope. But I meet dweebs who STILL use it and have this attitude that "who cares, I have nothing important on my computer" and do not realize that they could be a spam engine or distributing kiddie porn or part of a terrorist network.

    Spread the word to the mundanes and ungeeked! Windows 95 must die and die NOW!

    1. Re:No mention of Windows 95 by surgeonsmate · · Score: 1
      According to Google Zeitgeist, Win95 has the same user base as Linux (all flavours).

      I rather suspect that after nine years, the users are pretty devoted to their OS.

    2. Re:No mention of Windows 95 by UrGeek · · Score: 1

      "Win95 has the same user base as Linux (all flavours)."

      That statement does not make sense. What are you talking about? All Linux users also use Win95? I think not.

  165. bad idea by Vvall · · Score: 1

    I'm not so sure that the mass patch release thing is a good idea...I've already spent over 40 minutes trying to download a 3 meg patch that should have completed in less than 2. One would think that it would be better to release the patches as they are developed to get the fix out more quickly, and to prevent this type of flooding of the update server. Just my 2 cents.

  166. Re:US-CERT Technical Cyber Security Alert TA04-104 by MonTemplar · · Score: 1

    -1, Shouldn't Post To /. With A Defective ENTER Key :-)

    --
    -MT.
  167. Bounds checking by ByteSlicer · · Score: 1

    With all these buffer overflows, I wonder why they don't use array bounds checking in critical program parts. It's a bit slower, but it would be worth it (running a worm or virus slows your computer down even more). C/C++ doesn't have bounds checking, but I'm sure I've heard of compiler extensions that do it. Or they could use a language like Pascal (yes, I know, not my favorite either, but still a useful and bounds-safe language) for security critical parts.

  168. Affects linux too! by FedeTXF · · Score: 1

    I run windows XP using bochs, so it affects linux, right?

  169. Money Talks... by 16K+Ram+Pack · · Score: 1
    Personally, I cease using their sites if they don't support Mozilla/Firefox. I was going to switch my electricity supplier, and the site wouldn't work with Firefox, so I went elsewhere.


    My only exception is Microsoft with Windows Update.

  170. Re:In Soviet Russia... by CrackedButter · · Score: 0, Troll

    ah well, karma be damned for trying.

  171. Re:That's actually true (obligatory spoofing ref) by terrox · · Score: 1

    nice. good answer to "by clicking enter you agree to these terms"

  172. Volvo vs. Yugo? by OhHellWithIt · · Score: 1
    ... just like a Volvo is not 100% secure. But the Volvo is more secure than a 1960 Yugo.

    I don't know about that. A broken-down motor vehicle in the yard is less likely to get into a collision than one that is operational.

    --
    "Who controls the past controls the future. Who controls the present controls the past." -- George Orwell
  173. 256mb by Fantastic+Lad · · Score: 1
    Good luck trying to use more than 256mb of ram on that Win98 box.


    Hm. I didn't know that! Though, since my current hardware doesn't even support more than 256mb, I guess I'll worry about it another time.

    Though, I'll tell you. . . When the world is crashing and burning all around me and my out-dated Win98 box is still chugging away on critical projects, (not games,) with no problems, I can only thank myself for deciding to jump off the MS Bandwagon of DOOM before the turn of the century.

    I'm switching to Linux soon anyway, now that they've solved the CMYK issue.


    -FL

  174. My Dad on Windows by Paulrothrock · · Score: 1

    "Yeah, it sucks, but I don't want to have to buy all new software."

    --
    I'm in the hole of the broadband donut.
  175. Re:Meanwhile... by jonadab · · Score: 1

    > 1) why would you need 10 different ftp servers?

    You probably don't even need one. But if you do need one, it's nice to be
    able to pick your favourite one, install it right off your distro CD, and
    have it configured and running in two minutes flat. Since not everyone has
    the same idea about which one they want (see, some people prefer wu-ftp, but
    those in the know use proftpd), the distro includes all the major ones, so
    you can pick whichever one you want.

    The other poster's point was that when a vulnerability is reported in a
    distro, in many cases it's in some optional package like that that most users
    aren't even using. Not in every case, of course. There were those openssh
    issues a while back, for example... those were pretty major, because there
    are alternatives to openssh but nobody seems to use them and most distros
    don't even include them. And a lot of distros turn on sshd by default. So
    a vulnerability in that impacts nearly everyone. But a lot of the "Linux
    vulnerabilities" you hear about are not like this at all, more like "Hey,
    all users of Bob's Fancy MP3 Jukebox, it has been discovered that the plugin
    for playing Windows Media format files directly off the internet is vulnerable
    to a cross-site cookie vulnerability that can allow a malicious site you
    play music from to track you; users are advised to update to version 0.1.18
    of the plugin and version 0.2.8 or higher of BFMJ."

    Even a lot of the security advisories that theoretically have to do with
    stuff everyone uses don't actually impact most people. For example, there
    was an Apache issue a while back that only hit you if you were using some
    fairly specific configuration; I don't recall the details, only that none
    of the five systems I look after that have Apache on them needed an update,
    since none of them were using whatever it was that was vulnerable.

    --
    Cut that out, or I will ship you to Norilsk in a box.
  176. Re:More than three by jonadab · · Score: 4, Insightful

    > There are 20 separate vulnerabilities in Windows and Outlook Express

    No. No, no, no. There is *one* vulnerability in Outlook and Outlook Express,
    one that has been public knowledge for about a decade now and Microsoft has
    thus far made no attempt to fix. The vulnerability is, Outlook and Outlook
    Express deliberately treat untrusted data in ways that untrusted data should
    NEVER be treated under ANY circumstances. Their whole approach to security
    is, instead of the correct this-data-is-untrusted approach, a dain brammaged
    fix-specific-problems approach, wherein the data that ought to be untrusted
    is stopped from doing certain specific things that have been known to cause
    problems in the past but still allowed to do basically anything else.

    There may be 20 separate specific ways this can be exploited, and more will
    be discovered next week, but it's fundamentally *one* issue.

    Executive summary: Outlook and Outlook Express don't *have* security holes;
    they *are* security holes, big fat wide-open ones.

    --
    Cut that out, or I will ship you to Norilsk in a box.
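The two approaches jonadab contrasts, shown side by side on untrusted HTML as an added example (not code from the thread): a deny-list filter that strips only tags known to have caused trouble before, next to an allow-list sanitizer that rebuilds the document from nothing but explicitly permitted tags, attributes and URL schemes. The tag lists and the sample messages are constructed for illustration.

```python
from html import escape
from html.parser import HTMLParser
import re

# "Fix specific problems": strip only the tags that have caused trouble before.
KNOWN_BAD_TAGS = {"script", "object", "embed"}  # constructed deny list

def blocklist_filter(html: str) -> str:
    """Remove known-bad tags and pass everything else through untouched."""
    pattern = re.compile(r"</?(?:%s)\b[^>]*>" % "|".join(KNOWN_BAD_TAGS), re.I)
    return pattern.sub("", html)

# "This data is untrusted": nothing survives unless it is explicitly allowed.
ALLOWED_TAGS = {"p", "b", "i", "br", "a"}          # constructed allow list
ALLOWED_ATTRS = {"a": {"href"}}                     # per-tag attribute allow list
SAFE_URL_SCHEMES = ("http://", "https://", "mailto:")

class AllowlistSanitizer(HTMLParser):
    """Rebuild the document from scratch, keeping only allow-listed pieces."""
    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.out: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return  # unknown tag is dropped; its text content is still kept below
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue  # any attribute not on the list is dropped, known-bad or not
            if name == "href" and not (value or "").lower().startswith(SAFE_URL_SCHEMES):
                continue  # links with an unexpected scheme are dropped
            kept.append(f' {name}="{escape(value or "")}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS and tag != "br":
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(escape(data))  # text is re-escaped, never passed through raw

def allowlist_sanitize(html: str) -> str:
    """Return only the allow-listed subset of an untrusted HTML fragment."""
    parser = AllowlistSanitizer()
    parser.feed(html)
    parser.close()
    return "".join(parser.out)
```

A message using a tag or attribute that is not on the deny list goes through the first filter unchanged, while the second keeps only the parts it was told about.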
  177. Re:More than three by Erik Fish · · Score: 1

    It was my understanding that the OS itself can't use more than 256, however applications can.

  178. Did you guys Slashdot MS? by red floyd · · Score: 1

    Windows Update is getting hammered! I've got a box I need to update (yeah, it's a work box...) and I've had to try 6 times so far, because WU is so fscking slow!

    --
    The only reason we have the rights we have is that people just like us died to gain those rights. -- Cheerio Boy
  179. -1 redundant by Douglas Simmons · · Score: 1

    Thanks for explaining the joke you asshole. Go back to fucking your mom.

  180. Debian! by Douglas Simmons · · Score: 1

    Not to mention that I don't see Debian on this list, which is not only a Linux distro, it is a popular and 31337 distro. I like the guy's post and hate how it was modded, but he should have noted that Debian is the b0mb.

  181. It'd be insightful the first time. by Ayanami Rei · · Score: 1

    But the parent managed to post essentially the exact same thing (a link to linuxsecurity and a snide comment) at least FIVE TIMES in that article's comments.

    And examining his posting history, he's done it a few other times too.

    And I've seen some other anti-slashbots (if that's what you call them) doing the exact same thing, with mostly the exact same advisories.

    HOW IS THAT ANY BETTER THAN ANY OTHER SLASHDOT BULLSHIT?

    Hur hur... I posted a link to a LUNIX advisory. Take that micheal HUR HUR! Oh wow, I just came all over myself. HUR HUR.

    --
    THIS THING CAN TURN ON A DIME, MACROSSZERO STYLE ALSO FUCK BETA, ~NYORON