Slashdot Mirror


Microsoft Announces Three More Critical Vulnerabilities

weekendwarrior1980 writes "Microsoft warned that three 'critical'-rated flaws in the Windows operating system and other programs could allow hackers to sneak into personal computers and snoop on sensitive data. The flaws could allow attackers to break into PCs running Windows in several ways and then use the system to run malicious programs and steal or delete key data. These latest security flaws affect the latest versions of Windows, including Windows NT 4.0, Windows 98, Windows 2000 , Windows XP, as well as software for networked computers such as Windows NT Server and Windows Server 2003." Their bulletins are available for these vulnerabilities. Techweb has a pretty good summary.

11 of 486 comments (clear)

  1. Re:I've noticed by Anonymous Coward · · Score: 5, Insightful

    no -- that's just not true.

    there are misinformed people who don't understand the issues with the bugs reported in linux who then fan the flames about "holes in linux" as if they are of the same level of problem as these weekly holes in windows.

    a theoretical overflow on a linux server running openssh is a lot different than a open hole that runs executable attachments

    as a windows user, you should spend your time patching windows, not reading news.com

  2. Re:I've noticed by cybermancer · · Score: 4, Insightful
    ...a lot of vulnerabilities that concern Linux never get posted to slashdot. Usually I read about these on news.com.

    news.com is a real news site, so they post real news. I am surprised anyone resports vulnerabilities in MS Windows as news. The only reason to report these is so people know to update again, and to poke fun at the joke that is Microsoft's quality control. Real news would be if they go for an extended period of time without a vulnerability!

    For Linux on the other hand it is an event when there is a vulnerability reported.

    --
    "Anything is possible with enough programmers, time and pizza." (Substitute caffeine for time as needed.)
  3. You know, by warrax_666 · · Score: 5, Insightful

    there is a difference between REMOTE ROOT exploits and LOCAL PRIVILEGE-ESCALATION exploits. But then, you just wanted to appear clever, didn't you?

    --
    HAND.
    1. Re:You know, by Chuck+Chunder · · Score: 4, Insightful
      You don't need true root privileges for any of that.
      Indeed, that's why remote exploits are more annoying in many cases than local ones. People in general don't have much of a motive to want root on a machine they have access to, they can usually pretty much do what they want already. In many environments priviledges etc aren't there for "hard" security reasons but merely to protect the system and users from unintentional harm from other users.

      For remote exploits, root or otherwise, it only takes one numbnut to code a self-propagating exploit and anyone and everyone is in the firing line.
      --
      Boffoonery - downloadable Comedy Benefit for Bletchley Park
  4. Re:I continue not caring... by omicronish · · Score: 5, Insightful

    If Microsoft required a prompt for the root password whenever a program tried to install itself, similar to what OS X and many Linux apps do, it would make all the actual security vulnerabilities matter much more.

    The Windows defaults with regards to user privileges are crap, and you are right, these vulnerabilities don't matter when everyone has administrative privileges anyway.

    Requiring a password to install a program would be difficult in Windows, however, since the installation programs are provided by the software, not Windows (unless it's a Windows Installer package, in which case there's full support for requiring Administrator privileges to install applications). Windows really has no way of telling the difference between a normal application and an installer.

    However, what you can do is lock down file permissions. What I did on Windows XP was remove Users write access to the boot drive, Windows directory, Program Files directory, and Documents and Settings (except for the user's profile). Installation programs can still run, but they won't be able to install software to any important location. At worst, the user can install to their profile, but any malicious program becomes a problem only for that user. It's akin to untaring, compiling, and running a program from your home directory on Linux.

    I've heard of bad programs that require Administrator privileges or write access to their Program Files directory, in which case this setup will present problems. Still, it's a problem with the program itself, not a Windows problem, although lax or non-existent installation guidelines may have contributed. I personally think all these permissions should've been defaults years ago.

  5. That's actually true by bonch · · Score: 4, Insightful

    According to CmdrTaco, the majority of Slashdot visitors use IE. Kind of puts things into perspective as far as the "movement" goes.

    1. Re:That's actually true by interiot · · Score: 5, Insightful

      And the majority of visitors don't post, many don't read the comments. Just because they use Slashdot as a way to keep from missing important tech news doens't mean they're necessarily sympathetic to OSS philosophy.

  6. Linux is not 100% secure by RoLi · · Score: 5, Insightful
    ... just like a Volvo is not 100% secure. But the Volvo is more secure than a 1960 Yugo.

    So, I'd rather choose the system that while not perfect is pretty good than a crappy system whose vendor chooses to put out press-releases about security instead of actually dealing with the problems.

    As usual, in theory, Windows is great:

    • In theory, everybody uses those super-fine-grained permissions in Windows. (In real life those permissions are so complicated that most ignore them)
    • According to MS-PR theory, Linux is very dangerous because "everybody" can put evil backdoors in. (In real life there has never been a case of a intentinal backdoor in any OSS-project with more than 1 contributor while there have been numerous examples of such backdoors in CSS)
    • In theory and in all total cost of ownership studies, the cost of viruses, worms and security problems on Windows is zero. (In real life millions are paid for virus scanners and much more is lost in productivity)
    • In theory, viruses/trojans/worms are only written for the market-leader platform. (In real life, Apache leads the market and has not had a single worm comparable to Code Red or Nimda)
    • In theory, Microsoft's latest "security initiatives" are a big success. (In real life the biggest epidemies like MS Blaster happened after those initiatives started.)

    In theory, Windows is great. In real life it's a buggy, insecure piece of trash that should be avoided whenever possible.

    1. Re:Linux is not 100% secure by aastanna · · Score: 4, Insightful

      The way I feel about windows and patches is you're never going to be secure enough to connect a windows box directly to the internet. Outlook and Outlook express aren't secure enough to be used to receive email. IE isn't secure enough to browse random web sites.

      So, if you can afford it, have two computers. Get your email and do your work on a Linux box or a OSX laptop, and save Windows for games, windows development, and those gems of applications you've found that only runs on Windows. Install firefox and use that to browse if you must.

      Always keep your Windows box behind a hardware firewall, that tends to stop most of the remote "I just plugged in my computer and now it has a virus" sort of things. Keep any OSX or Linux boxes behind a firewall too if you can.

      Oh well...rant over...that's my "what people should know about computers before using them" speech. It really doesn't matter how many of these exploits are patched. These were from 2003, and I'm sure there's another dozen waiting in the wings. Just assume your box is insecure and act appropriately.

      Oh, one more thing. I miss the days when you could listen to your computer's hard drive and know what it was doing. If it started up and a odd time you'd know something wasn't right. These days on windows the hard drive seems to randomly grind a way for a second every once and a while...it's...disconcerting. My mac doesn't seem to do that, can't remember if Linux does.

  7. Re:Starting To Respect Microsoft by Tough+Love · · Score: 4, Insightful

    "It's not good that they're having so many publicly visible flaws, but I'm really impressed that Microsoft is starting to be honest and forthcoming in their reporting."

    That's because you're gullible. A bunch of these vulnerabilities have been known for months and Microsoft hasn't announced them. Maybe so they can argue that Microsoft has the shortest time from vulnerability announcement to patch availablity, like they tried to say last week.

    Starting to be honest, huh, looks like more of the same to me.

    --
    When all you have is a hammer, every problem starts to look like a thumb.
  8. Re:More than three by jonadab · · Score: 4, Insightful

    > There are 20 separate vulnerabilities in Windows and Outlook Express

    No. No, no, no. There is *one* vulnerability in Outlook and Outlook Express,
    one that has been public knowledge for about a decade now and Microsoft has
    thus far made no attempt to fix. The vulnerability is, Outlook and Outlook
    Express deliberately treat untrusted data in ways that untrusted data should
    NEVER be treated under ANY circumstances. Their whole approach to security
    is, instead of the correct this-data-is-untrusted approach, a dain brammaged
    fix-specific-problems approach, wherein the data that ought to be untrusted
    is stopped from doing certain specific things that have been known to cause
    problems in the past but still allowed to do basically anything else.

    There may be 20 separate specific ways this can be exploited, and more will
    be discovered next week, but it's fundamentally *one* issue.

    Executive summary: Outlook and Outlook Express don't *have* security holes;
    they *are* security holes, big fat wide-open ones.

    --
    Cut that out, or I will ship you to Norilsk in a box.