Slashdot Mirror


Microsoft Announces Three More Critical Vulnerabilities

weekendwarrior1980 writes "Microsoft warned that three 'critical'-rated flaws in the Windows operating system and other programs could allow hackers to sneak into personal computers and snoop on sensitive data. The flaws could allow attackers to break into PCs running Windows in several ways and then use the system to run malicious programs and steal or delete key data. These latest security flaws affect the latest versions of Windows, including Windows NT 4.0, Windows 98, Windows 2000, Windows XP, as well as software for networked computers such as Windows NT Server and Windows Server 2003." Their bulletins are available for these vulnerabilities. Techweb has a pretty good summary.

32 of 486 comments

  1. More than three by untermensch · · Score: 5, Informative

    Actually, according to the article there aren't just three vulnerabilities. There are 20 separate vulnerabilities in Windows and Outlook Express, 8 of which are critical, and 16 of which are remotely exploitable. Microsoft has bundled the patches for these into 4 separate downloads - 3 for Windows and 1 for Outlook Express.

  2. These have been known about for a LONG time... by tweakt · · Score: 4, Informative
    These were listed on eEye's page as undisclosed critical vulnerabilities affecting upwards of 300 million systems, along with original discovery date, and time since notification. They typically give 30 days, but last I checked it was 90 and 100+ days late. These are over 6 months old I think.

    Sorry, no link because the site seems to be down/slow... it must be linked to from another announcement posted elsewhere.

  3. Re:More than three by Proud+like+a+god · · Score: 5, Informative

    Are Windows 98, Windows 98 Second Edition, or Windows Millennium Edition critically affected by any of the vulnerabilities that are addressed in this security bulletin?
    No. None of these vulnerabilities are critical in severity on Windows 98, on Windows 98 Second Edition, or on Windows Millennium Edition.


    Another reason for home users and gamers to stick with 98SE. Obviously most businesses aren't so lucky. :-S

  4. Re:More than three by Proud+like+a+god · · Score: 2, Informative

    That is, wrt bulletins MS04-011, MS04-012 and MS04-014.

    Of course MS04-013 is about Outlook Express so you may still be vulnerable on these OSs.

  5. Actually.. by theobscurest · · Score: 2, Informative

    ..Microsoft recently (last Fall I think) changed their critical update release schedule to coincide with the second Tuesday of each month to supposedly take some of the workload off of the sysadmins. Thus, today is the day.

    However, as a sysadmin I still have mixed feelings about this. If something is a critical vulnerability, I think a patch needs to be released as soon as it becomes available. At the same time, it's a real pain in the butt to have to go around to hundreds of computers to make sure auto update is actually doing its job. More specifically, the last time I checked machines to see if they were auto-updating, at least a third of them weren't even though they are always on and set up to do so. Not to mention the machines that fatally crash due to windows updates..

  6. Re:Worm Writer's Delight by zackeller · · Score: 5, Informative

    Overestimate.

  7. Go here for what you need by bonch · · Score: 4, Informative

    LinuxSecurity.com Advisories. It gives you the last 15 advisories (right now it's 15 in the past three days!), and you can click on each distro, including the BSDs, and get archived advisories for each one. Very useful, complete with links to the actual bulletins.

    Yes, you are right--these things never appear on Slashdot except when there are major kernel exploits. To be honest, I've noticed lately a dissident tide in Slashdot, where people are a little weary of the anti-Microsoft spin. Nothing wrong with posting about Windows vulnerabilities, of course, but you do have to view the context with which it's posted--an OSDN-owned website that posts pro-Linux articles and just so happens never to mention Linux security advisories. But a user-run executable will become front page news as a new "Microsoft Worm."

    I've just noticed more people annoyed by it lately, even the partyline pro-OSS guys. Simplistic agendas shouldn't be something to embrace on a site that is touted as the epicenter for geek tech news on the Internet. I guess my sig reflects that I've become one of those people as well who feels the need to balance out the spin going on... :P

    1. Re:Go here for what you need by Azi+Dahaka · · Score: 2, Informative

      Yes, but there truly is a difference. That page lists vulnerabilities for linux packages, not Linux or a specific linux distribution. For example, I see scorched 3d in there twice. You probably would not say an AIM security flaw is evidence of Windows insecurity.

      Next, a lot of these will not be running on all systems, especially considering several are vendor specific.

      Most are not remote, complete system takeover vulnerabilities either. They tend to either be DoS, run arbitrary functions as a daemon (www-data, nobody, gid games, etc), or local exploits.

      Plus, many aren't so much privilege escalation or DoS, but rather a way to evade auditing or monitoring, for example the Squid vulnerability.

      Admittedly several of those are pretty bad (the pwlib and ipsec-tools ones for example), but this is a poor comparison. To really compare, compare vulnerabilities found in an out-of-box installation of a single distribution. And even then, only use it as evidence of that distribution's insecurity.

      And not that it matters much, but 12 April to 7 April is five days, and today is the 13th. There are only two items listed for the past three days.

      I seem to recall an openssl, openssh, apache and linux kernel exploits making headlines at slashdot, but you can't expect every vulnerability for every package to be listed. This news of 20 vulnerabilities being fixed at once seems newsworthy.

  8. Free karma... by Turmio · · Score: 4, Informative
  9. Like hell that's insightful by nathanh · · Score: 5, Informative
    That a lot of vulnerabilities that concern Linux never get posted to slashdot. Usually I read about these on news.com.

    Open source vulnerabilities and incidents get reported all the freaking time on Slashdot.

  10. Sorry to burst your bubble, guys by bonch · · Score: 3, Informative
  11. Re:Service Pack 2 by PingXao · · Score: 2, Informative

    Just last night I was rummaging around the MS Windows XP security newsgroup. The new SP2 ICF firewall will NOT challenge outgoing communications. The rules you can set up with it generally apply only to incoming connections. If an application tries to establish a listening port ICF will challenge that, but outgoing connections aren't controlled.

  12. Re:In other news by technos · · Score: 4, Informative

    Sorry, we already apt-get updated those bugs away while we were sipping our morning coffee and never noticed. Unlike Windows, I don't have to worry about a simple bugfix blowing up the box, or causing downtime, nor do I have to reboot the damn thing four times.

    Oh, and application bugs are not "Linux" bugs. Linux refers to the kernel and kernel alone. Unlike on a Microsoft product, where they make Outlook/IE the default for everything and unremovable, hence being part of the OS and countable as an OS exploit, the same is not true of Linux systems.

    --
    .sig: Now legally binding!
  13. Re:Windows Update in Firefox by Dave2+Wickham · · Score: 2, Informative

    AFAIK Windows Update uses ActiveX, so you need to use IE anyway.

    Note: I don't often deal with Windows Update, being a Linux user myself, so I could well be wrong.

  14. Re:Just exactly how does this happen. by cpghost · · Score: 4, Informative

    Try "Smashing the Stack for Fun and Profit", Phrack 49, Art. 14. It's a nice introductory tutorial to the common class of buffer overruns.

    --
    cpghost at Cordula's Web.
  15. Re:New Rule by shaitand · · Score: 4, Informative

    I think your numbers are a bit screwed, I suppose if you're looking at computing in general you're probably a bit exaggerated but the concept is right.

    However when looking at microsoft vulnerabilities it's a different story, they are extremely varied generally because they are due to a lack of consideration when coding and extremely poor structure and design. For instance, Active X, it's a security flaw, 90% of the sub-flaws reported in it are there because the flaw itself, is poorly designed (hence why it's a flaw) rather than fix the problem (a redesign or elimination of activeX) they create a patchwork changing this or that detail of how it functions.

  16. Re:Windows Update in Firefox by elleomea · · Score: 2, Informative

    It's impossible to use Firefox for this task since the Windows Update system uses ActiveX controls to handle things.
    ActiveX is also one of the main reasons for many of the security issues and spyware installing programs, etc. in IE. This is due to the fact that, unlike Java, it doesn't run in a sandbox, allowing ActiveX programs complete access to the system.

  17. Re:This is why microsoft are insecure by The+Bungi · · Score: 5, Informative
    They've gone to scheduled patch releases on the second tuesday of every month to make it easier for admins and users. That's today in case you missed it. AFAIK all the vulnerabilities had been published earlier by third parties.

    If and when there's an actual exploit in the wild for a given vulnerability then they'll release the patch immediately, just like they've done before.

    Whoever modded you "Insightful" should have used the "-1, Another Stupid Conspiracy Theory" mod instead.

  18. Re:Windows Update in Firefox by Anonymous Coward · · Score: 1, Informative

    If you're running XP,

    Right click my computer, go to properties, click on the automatic updates tab.

    Set it to notify you when they're available, but do not download and install them.

    Then, you get a nice Windows Update icon in your tray, double click it, and voila, a list of updates you can install without needing to use IE.

    By the way, if you really wanted to, you could get an ActiveX plugin for firefox, but I really suggest you don't. ActiveX is just one big security hole.

  19. Check out www.eeye.com by khasim · · Score: 5, Informative

    http://www.eeye.com/html/Research/Advisories/index.html

    Looks like a whole bunch of those holes were reported to Microsoft by eeye and Microsoft FINALLY got around to patching them.

    Some of them had been reported over 6 months ago.

  20. Re:Just exactly how does this happen. by hobuddy · · Score: 4, Informative

    How does a critical vulnerability happen? Seriously. Is there a URL someone can provide or a good description that shows what it takes to make an OS or application with a vulnerability?

    Of course there's an infinite number of ways to write a vulnerable program, but the most common is to run afoul of a buffer overflow. A buffer overflow is a relatively simple flaw, but it's an easy mistake to make in C and C++ because those languages give economy of computational resources precedence over every other consideration, including security and stability.

    There's an illustrated and fairly concise introduction to buffer overflows at LinuxJournal.

    --
    Erlang.org: wow
  21. Re:has anyone tried updating windows without using by Lshmael · · Score: 3, Informative

    Windows Update uses ActiveX controls to check which updates are installed on your computer, so you actually do need Internet Explorer to use it.

  22. Re:Windows Update in Firefox by Deviate_X · · Score: 5, Informative

    If you have disabled IE you can install and run the Security Baseline Advisor. It basically does the same thing as Windows update.

  23. Re:Meanwhile... by rcamera · · Score: 1, Informative

    1) why would you need 10 different ftp servers? one would think that just installing the one you plan to use makes more sense... same goes for development suites. chances are that you'll be using one - not three

    2) ftp IS a bug. try ssh. there are many ssh servers available. but once again, one ssh server will probably suffice.

    --
    Wave upon wave of demented avengers March cheerfully out of obscurity into the dream
  24. Microsoft Announces Three More Critical Vulnerabil by Anonymous Coward · · Score: 2, Informative

    Nice to see /. falling into the MS fud campaign. There are not 3 vulnerabilities, there are 20, and it is only 3 patches.

    Score a point to MS for making us think 20 = 3.

    Of course we also buy MS telling us the linux mem-remap exploit was 5+ vulnerabilities (Debian, Mandrake, Redhat, Suse, et al.)

    As of this point, if someone from MS told me the grass was green, I would go outside and see for myself. You simply cannot believe a single word spewing forth from the Redmond Dragon.

  25. Re:You know, by finkployd · · Score: 3, Informative

    To do local privilege escalation you need to have a local user account no? Remote exploits let the whole world in.

    Finkployd

  26. Re:Kind of like this? by amRadioHed · · Score: 2, Informative
    Excuse me? Am I just imagining it, or does Apple use the word "fixes" in every update listed on that page you gave.
    * CUPS Printing: Fixes CAN-2004-0382 to improve the security of the printing system. This is a configuration file change that does not affect the underlying Printing system. Credit to aaron@vtty.com for reporting this issue.
    * libxml2: Fixes CAN-2004-0110 to improve the handling of uniform resource locators.
    * Mail: Fixes CAN-2004-0383 to improve the handling of HTML-formatted email. Credit to aaron@vtty.com for reporting this issue. ...
    ...
    ...
    --
    We hope your rules and wisdom choke you / Now we are one in everlasting peace
  27. Re:has anyone tried updating windows without using by Lshmael · · Score: 2, Informative

    Microsoft reasoning aside, the current ActiveX solutions for Mozilla (as described in this thread), either do not work in Windows Update, or, like Neptune, use Internet Explorer rendering engine and security model. This nullifies any possible benefit, and I assume that you would still need Internet Explorer.

  28. Re:IE spoofing by next1 · · Score: 2, Informative

    user agent switcher

    i have to switch user agent to access one of my bank sites too but that's the only time i have to do it.

    i always switch it straight back as well - support mozilla!!

  29. Re:Linux is not 100% secure by Anonymous Coward · · Score: 2, Informative

    Someone tried, but it was discovered before reaching any official kernel.

    The attacker used a bug in the BitKeeper to CVS gateway to add the backdoor to the kernel in CVS, but since the official kernels come from the BitKeeper tree which was NOT affected, he needed someone to accidentally send his change to Linus. I.e. he needed a good amount of luck.

    It was discovered before that happened, because the CVS and BitKeeper versions were out of sync, which caused the BitKeeper people to examine the trees.

  30. Re:Linux is not 100% secure by Polymath+Crowbane · · Score: 2, Informative
    "millios are paid" -- how on earth does anyone objectively measure that?
    It's fairly simple for companies to measure the cost of viruses, et al., by adding the direct cost of the staff required to clean machines and an estimate of the indirect cost of time lost by employees while computers and email are down. It can be significant: the multinational company with which I was associated during the Melissa attack lost email for two days. The direct costs alone (of people to clean up machines) were documented at over $1,000,000.

    Here is the real trap in proprietary standards: if a vendor's product cost a company over $1MM because of a flaw, you can bet that vendor would be gone in a heartbeat. However, because mission critical systems are tied to proprietary standards for which there is no practical substitute, companies are, for the most part, stuck.

    The sad reality is this: when a company is locked into your product, for any reason, your motivation for spending money on enhancements/customer service is greatly reduced. This is true for many companies, not just Microsoft. It's called human nature and greed.

  31. Re:I continue not caring... by KshGoddess · · Score: 3, Informative
    We need internet licenses. Nobody without a geek code should be granted an IP address. It's that simple.

    Then implement training at your site. At least suggest it. Computers are tools. We don't require people to get socket-wrench certified, or expect (most of) them to take telephone answering lessons. Most people think of computers in the same way.

    Why should we expect users (consumers, customers, grandmas) to know everything about the complex tool that they've been given? Most people use their computer for email and surfing the web. They don't care about or want to know how it works. As long as it does.

    As a "sysadmin", it is your job to make sure that users are able to work. Within those bounds, you may encounter issues with users doing stupid things. Most of the time, they don't realize what they're doing is what's bogging down their computer. Usually, if you say "I found that the problem was that you have [kazaa | bearshare | napster] installed, and it's what's bogging your PC down, and oh by the way, these things aren't allowed," people listen. Sometimes they even learn something.

    Someone within your organization should have the authority to say "X is allowed, Y is not." and to have the authority to also say "You signed this piece of paper saying you wouldn't Y, and we have concrete evidence that you Y all the time. Your manager and HR have been notified."

    IT is a service organization. Being arrogant about what you know versus what your users know doesn't work very well, and ends up getting us all branded as Nick Burns, Computer Guy.

    As for the permissions bit, MS is both really good and really horrifyingly awful about user permissions. Yes, you can set it up so that the user has no power to install software, modify the registry, etc., but you'll end up with (a) a user who resents you or (b) several one-offs where the user has to have admin privileges to do their job or even (c) a user who finds their way around your rules and limitations.

    --
    It's a little wrong to say a tomato is a vegetable. It's a lot wrong to say it's a suspension bridge.