Slashdot Mirror


Microsoft Announces Three More Critical Vulnerabilities

weekendwarrior1980 writes "Microsoft warned that three 'critical'-rated flaws in the Windows operating system and other programs could allow hackers to sneak into personal computers and snoop on sensitive data. The flaws could allow attackers to break into PCs running Windows in several ways and then use the system to run malicious programs and steal or delete key data. These latest security flaws affect the latest versions of Windows, including Windows NT 4.0, Windows 98, Windows 2000, Windows XP, as well as software for networked computers such as Windows NT Server and Windows Server 2003." Their bulletins are available for these vulnerabilities. Techweb has a pretty good summary.

29 of 486 comments

  1. I've noticed by markalot · · Score: 0, Insightful

    That a lot of vulnerabilities that concern Linux never get posted to slashdot. Usually I read about these on news.com.

    1. Re:I've noticed by Anonymous Coward · · Score: 5, Insightful

      no -- that's just not true.

      there are misinformed people who don't understand the issues with the bugs reported in linux who then fan the flames about "holes in linux" as if they are of the same level of problem as these weekly holes in windows.

      a theoretical overflow on a linux server running openssh is a lot different than an open hole that runs executable attachments

      as a windows user, you should spend your time patching windows, not reading news.com

    2. Re:I've noticed by cybermancer · · Score: 4, Insightful

      ...a lot of vulnerabilities that concern Linux never get posted to slashdot. Usually I read about these on news.com.

      news.com is a real news site, so they post real news. I am surprised anyone reports vulnerabilities in MS Windows as news. The only reason to report these is so people know to update again, and to poke fun at the joke that is Microsoft's quality control. Real news would be if they go for an extended period of time without a vulnerability!

      For Linux on the other hand it is an event when there is a vulnerability reported.

      --
      "Anything is possible with enough programmers, time and pizza." (Substitute caffeine for time as needed.)
  2. I continue not caring... by forkazoo · · Score: 3, Insightful

    I hate to sound like a troll, but I really don't care about all the MS security vulnerabilities. I've cleaned up a bunch of systems in the last week that were all virus and spyware infested, because the user clicked on things they shouldn't have. If Microsoft required a prompt for the root password whenever a program tried to install itself, similar to what OS X and many Linux apps do, it would make all the actual security vulnerabilities matter much more.

    We need internet licenses. Nobody without a geek code should be granted an IP address. It's that simple.

    1. Re:I continue not caring... by omicronish · · Score: 5, Insightful

      If Microsoft required a prompt for the root password whenever a program tried to install itself, similar to what OS X and many Linux apps do, it would make all the actual security vulnerabilities matter much more.

      The Windows defaults with regards to user privileges are crap, and you are right, these vulnerabilities don't matter when everyone has administrative privileges anyway.

      Requiring a password to install a program would be difficult in Windows, however, since the installation programs are provided by the software, not Windows (unless it's a Windows Installer package, in which case there's full support for requiring Administrator privileges to install applications). Windows really has no way of telling the difference between a normal application and an installer.

      However, what you can do is lock down file permissions. What I did on Windows XP was remove Users write access to the boot drive, Windows directory, Program Files directory, and Documents and Settings (except for the user's profile). Installation programs can still run, but they won't be able to install software to any important location. At worst, the user can install to their profile, but any malicious program becomes a problem only for that user. It's akin to untaring, compiling, and running a program from your home directory on Linux.

      I've heard of bad programs that require Administrator privileges or write access to their Program Files directory, in which case this setup will present problems. Still, it's a problem with the program itself, not a Windows problem, although lax or non-existent installation guidelines may have contributed. I personally think all these permissions should've been defaults years ago.
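
      The lockdown described in this post can be checked rather than taken on faith. The script below is an added example, not code from the post or from Microsoft: it is a read-only audit that lists every ACE still granting BUILTIN\Users (SID S-1-5-32-545) a write-type right on the four locations named above. It assumes a PowerShell with Get-Acl; the "Documents and Settings" path is the XP-era profile root and is an assumption to adjust on newer systems.

```powershell
# Added example (not the post's own code): audit the "no Users write access"
# lockdown. Reports ACEs, changes nothing.
$FSR = [System.Security.AccessControl.FileSystemRights]

# Specific rights that let a caller add, change, or remove content.
$writeBits = [int]($FSR::WriteData -bor $FSR::AppendData -bor $FSR::Delete -bor
                   $FSR::DeleteSubdirectoriesAndFiles -bor $FSR::ChangePermissions)
# GENERIC_ALL (0x10000000) and GENERIC_WRITE (0x40000000) appear as raw bits
# in some ACEs and also imply write access.
$genericWrite = 0x50000000

$paths = @(
    "$env:SystemDrive\",                        # boot drive root
    $env:SystemRoot,                            # Windows directory
    $env:ProgramFiles,                          # Program Files
    "$env:SystemDrive\Documents and Settings"   # XP profile root (assumption)
)

function Test-UsersWriteAccess {
    param([string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {            # includes inherited ACEs
        if ($ace.AccessControlType -ne 'Allow') { continue }
        try {
            $sid = $ace.IdentityReference.Translate(
                       [System.Security.Principal.SecurityIdentifier])
        } catch { continue }                   # orphaned/unresolvable SID: skip
        if ($sid.Value -ne 'S-1-5-32-545') { continue }   # BUILTIN\Users only
        $raw = [int]$ace.FileSystemRights
        if ((($raw -band $writeBits) -ne 0) -or (($raw -band $genericWrite) -ne 0)) {
            [pscustomobject]@{
                Path      = $Path
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
                AppliesTo = $ace.InheritanceFlags
            }
        }
    }
}

$findings = foreach ($p in $paths) {
    if (Test-Path -LiteralPath $p) { Test-UsersWriteAccess -Path $p }
    else { Write-Warning "Skipping missing path: $p" }
}

if ($findings) { $findings | Format-Table -AutoSize }
else { 'BUILTIN\Users has no write-type ACE on the audited locations.' }
```

      An empty result means the Users group can no longer drop files into system locations, which is the property the post relies on; a hit with Inherited = True usually points at a parent directory whose ACL still needs tightening.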

    2. Re:I continue not caring... by forkazoo · · Score: 3, Insightful

      Most people who have spyware installed, have no farking idea how it got there. If the computer forced them to have some active participation, they might at least try to be aware of what's going on, rather than just clicking okay. A system level alert box that proudly declares "You Are Installing Software On Your Computer" wouldn't stop most people from installing it, but for god's sake, at least they'd *know* they were installing something!

  3. Re:Yay! by pudding7 · · Score: 2, Insightful

    You're worried about your "uptime" but you have no problem making pointless posts on Slashdot?

    Idiot.

  4. Re:I was wondering about that by Numeric · · Score: 2, Insightful

    I've got IE configured to present itself to websites as Netscape so I can't check the Windows Update webpage

    Why don't you just download Netscape/Opera/FireFox and just use IE for windows update? You should manually be able to control what updates you are doing then.

    --
    -- ladies and gentlemen we are floating in space!
  5. You know, by warrax_666 · · Score: 5, Insightful

    there is a difference between REMOTE ROOT exploits and LOCAL PRIVILEGE-ESCALATION exploits. But then, you just wanted to appear clever, didn't you?

    --
    HAND.
    1. Re:You know, by gad_zuki! · · Score: 3, Insightful

      >Besides, local privilege escalation exploits are up there as being just as bad in my book.

      Exactly. A lot of good that firewall does when your coworkers click on an email attachment that sails right through the firewall.

    2. Re:You know, by Chuck+Chunder · · Score: 4, Insightful

      You don't need true root privileges for any of that.

      Indeed, that's why remote exploits are more annoying in many cases than local ones. People in general don't have much of a motive to want root on a machine they have access to, they can usually pretty much do what they want already. In many environments privileges etc aren't there for "hard" security reasons but merely to protect the system and users from unintentional harm from other users.

      For remote exploits, root or otherwise, it only takes one numbnut to code a self-propagating exploit and anyone and everyone is in the firing line.
      --
      Boffoonery - downloadable Comedy Benefit for Bletchley Park
  6. Agenda at play by bonch · · Score: 0, Insightful

    It's funny how, despite security advisories constantly being announced for Linux distros at places like Linuxsecurity, and also breakins to Savannah, Gentoo, Debian, Gnome, GNU...hell, I can't keep track of them all...Slashdot still falls over itself posting "Microsoft Critical Vulnerabilities" fast enough. One would be naive to pretend there isn't an implied agenda--which is to say "Look! Windows still isn't secure! In your face, Bill!" It's silly because Linux is no better--and according to that study Slashdot posted a couple of months back, Linux is the most-breached operating system anyway.

    Moral of the story--nothing is secure, every OS releases security patches (Linux has even had to update for outright kernel exploits), and sysadmins who keep systems up to date are the key. Stop the agenda BS. We know you editors don't like Windows.

  7. Starting To Respect Microsoft by nathanh · · Score: 3, Insightful

    It's not good that they're having so many publicly visible flaws, but I'm really impressed that Microsoft is starting to be honest and forthcoming in their reporting. I remember a time when the bugs wouldn't get announced until the exploit was already wreaking havoc. Now it seems the bugs get reported and patched before there are any exploits. That's very professional; they can't be perfect but they can be responsible.

    I have a lot of respect for that.

    1. Re:Starting To Respect Microsoft by Anonymous Coward · · Score: 1, Insightful

      As somebody else here has already pointed out eEye took down a couple of security advisories that have been there a long time. They were reputed to have been exploited in the wild already (sorry, I didn't keep a copy of them, I no longer care). Some of them were NOT identified by Microsoft before there were any exploits for them, it took them a long time to fix and we all have no idea how much havoc was wreaked before the fixes were announced.

      I have NO respect for that!

    2. Re:Starting To Respect Microsoft by Tough+Love · · Score: 4, Insightful

      "It's not good that they're having so many publicly visible flaws, but I'm really impressed that Microsoft is starting to be honest and forthcoming in their reporting."

      That's because you're gullible. A bunch of these vulnerabilities have been known for months and Microsoft hasn't announced them. Maybe so they can argue that Microsoft has the shortest time from vulnerability announcement to patch availability, like they tried to say last week.

      Starting to be honest, huh, looks like more of the same to me.

      --
      When all you have is a hammer, every problem starts to look like a thumb.
  8. That's actually true by bonch · · Score: 4, Insightful

    According to CmdrTaco, the majority of Slashdot visitors use IE. Kind of puts things into perspective as far as the "movement" goes.

    1. Re:That's actually true by interiot · · Score: 5, Insightful

      And the majority of visitors don't post, many don't read the comments. Just because they use Slashdot as a way to keep from missing important tech news doesn't mean they're necessarily sympathetic to OSS philosophy.

    2. Re:That's actually true by cbreaker · · Score: 2, Insightful

      Lots of people do Slashdot from work, where lots of us have no choice but to use IE.

      That can easily sway the numbers.

      --
      - It's not the Macs I hate. It's Digg users. -
  9. wait wait wait... anyone else here suspect this? by ShadowRage · · Score: 2, Insightful

    that the fact microsoft is suddenly letting people know more about this, saying they'll up security, etc think it's a sham so when longhorn comes out on a palladium DRM locked system, and it's announced it's more secure than ever, people will flock to that, or at least, what they hope?

  10. Re:Sorry to burst your bubble, guys by Anonymous Coward · · Score: 1, Insightful

    [...] all of these MS haters can't be wrong.

    You have committed the appeal to popularity logical fallacy.

  11. Linux is not 100% secure by RoLi · · Score: 5, Insightful

    ... just like a Volvo is not 100% secure. But the Volvo is more secure than a 1960 Yugo.

    So, I'd rather choose the system that while not perfect is pretty good than a crappy system whose vendor chooses to put out press-releases about security instead of actually dealing with the problems.

    As usual, in theory, Windows is great:

    • In theory, everybody uses those super-fine-grained permissions in Windows. (In real life those permissions are so complicated that most ignore them)
    • According to MS-PR theory, Linux is very dangerous because "everybody" can put evil backdoors in. (In real life there has never been a case of an intentional backdoor in any OSS-project with more than 1 contributor while there have been numerous examples of such backdoors in CSS)
    • In theory and in all total cost of ownership studies, the cost of viruses, worms and security problems on Windows is zero. (In real life millions are paid for virus scanners and much more is lost in productivity)
    • In theory, viruses/trojans/worms are only written for the market-leader platform. (In real life, Apache leads the market and has not had a single worm comparable to Code Red or Nimda)
    • In theory, Microsoft's latest "security initiatives" are a big success. (In real life the biggest epidemics like MS Blaster happened after those initiatives started.)

    In theory, Windows is great. In real life it's a buggy, insecure piece of trash that should be avoided whenever possible.

    1. Re:Linux is not 100% secure by hallaballa · · Score: 2, Insightful

      "so complicated"... 1) Complex, not complicated. 2) nobody said that training was optional, regardless of OS. "evil backdoors" -- the comparison you make between oss/css has nothing to do with oss/css -- it's a difference in process. There's nothing inherent in either oss or css that promotes/prevents trojans. Then again, with all these remote exploits we see, isn't that just trojans+plausible deniability? "millions are paid" -- how on earth does anyone objectively measure that? "Apache has not had a single worm comparable..." -- true, but this is not because Apache has not had remotely exploitable holes. The reason is something else. Microsoft's security initiatives are not big success -- well, these patches notwithstanding, far as I can see the trend is that Windows actually is getting more secure. It's slow progress, but it _is_ progress. Only time will tell though..

    2. Re:Linux is not 100% secure by aastanna · · Score: 4, Insightful

      The way I feel about windows and patches is you're never going to be secure enough to connect a windows box directly to the internet. Outlook and Outlook express aren't secure enough to be used to receive email. IE isn't secure enough to browse random web sites.

      So, if you can afford it, have two computers. Get your email and do your work on a Linux box or an OSX laptop, and save Windows for games, windows development, and those gems of applications you've found that only run on Windows. Install firefox and use that to browse if you must.

      Always keep your Windows box behind a hardware firewall, that tends to stop most of the remote "I just plugged in my computer and now it has a virus" sort of things. Keep any OSX or Linux boxes behind a firewall too if you can.

      Oh well...rant over...that's my "what people should know about computers before using them" speech. It really doesn't matter how many of these exploits are patched. These were from 2003, and I'm sure there's another dozen waiting in the wings. Just assume your box is insecure and act appropriately.

      Oh, one more thing. I miss the days when you could listen to your computer's hard drive and know what it was doing. If it started up at an odd time you'd know something wasn't right. These days on windows the hard drive seems to randomly grind away for a second every once in a while...it's...disconcerting. My mac doesn't seem to do that, can't remember if Linux does.

  12. Re:Windows Critical Vulnerabilities by Tantrum420 · · Score: 2, Insightful

    >Seriously, MS operating systems never get finished. . . .

    You prolly coulda left off the 'MS'. What (significant) operating system built in the last 15 years has been completely finished?

    T

  13. Re:In other news by nvrrobx · · Score: 3, Insightful

    There is a very bad, glaringly false statement in your post.

    Even on Linux, it is possible for a simple bugfix to take down an entire system.

    XFree86 drivers can do this.
    Kernel updates can do this.
    Third party kernel driver updates can do this.

    Hell, a bug / exploit in kdm could make your machine remotely vulnerable, or a simple bug could cause your machine to stop allowing logins (and don't tell me that you can Ctrl-Alt-F1 and login. That doesn't apply to end users)

    I saw a problem on a friend's machine where his PAM config got trashed after an update. Guess what, his machine stopped asking for passwords on IMAPS, POP3S and ssh. If a simple misconfiguration can cause that, so can a code bug. That's no different than Windows.

    All software has bugs, and those bugs can either be harmless annoyances, or critical problems. Linux can have them just as easily as Windows. Linux/UNIX software releases patches faster because they don't have complicated software development cycles (QA checks, usability, legal, etc) that have to happen before the release.

  14. Re:Hrm by finkployd · · Score: 2, Insightful

    I guess I'm not one to ignore certain vulnerabilities and glorify others simply because one comes from Windows.

    Nor do I (and frankly I am not sure HOW you got that weird point of view from my comment).

    I do however consider remote root vulnerabilities to be significantly more alarming than local privilege escalation.

    Besides, Linux has had plenty--and has had many public break-ins in the past six months.

    I would never imply otherwise.

    Finkployd

  15. Freedom of choice is important for security. by master_p · · Score: 2, Insightful

    If Internet Explorer was not part of the O/S distribution, it would be easier to uninstall it and install something better, like Opera or Mozilla Firefox (or make an option during O/S installation). The same goes for Outlook and Outlook Express.

    Now that IE and Outlook are bundled with Windows, most people don't care to install anything different, resulting in many compromised machines.

  16. Re:Meh. by MonTemplar · · Score: 3, Insightful

    Yeah, but if you applied the patches, most of the malware wouldn't even get as far as tripping up ZoneAlarm.

    Anyway, if the malware turns around and decides to trash your PC instead, what are you going to do then? Won't look so smug, that's for sure, especially if you've not backed your important stuff up recently.

    I've got a NAT/firewall attached to my broadband at home, but I still run Norton Antivirus, and practice safe hex. You need to keep your grey matter up to date as well, you know...

    -MT.

    --
    -MT.
  17. Re:More than three by jonadab · · Score: 4, Insightful

    > There are 20 separate vulnerabilities in Windows and Outlook Express

    No. No, no, no. There is *one* vulnerability in Outlook and Outlook Express, one that has been public knowledge for about a decade now and Microsoft has thus far made no attempt to fix. The vulnerability is, Outlook and Outlook Express deliberately treat untrusted data in ways that untrusted data should NEVER be treated under ANY circumstances. Their whole approach to security is, instead of the correct this-data-is-untrusted approach, a dain brammaged fix-specific-problems approach, wherein the data that ought to be untrusted is stopped from doing certain specific things that have been known to cause problems in the past but still allowed to do basically anything else.

    There may be 20 separate specific ways this can be exploited, and more will be discovered next week, but it's fundamentally *one* issue.

    Executive summary: Outlook and Outlook Express don't *have* security holes; they *are* security holes, big fat wide-open ones.

    --
    Cut that out, or I will ship you to Norilsk in a box.