Slashdot Mirror


Microsoft Announces Three More Critical Vulnerabilities

weekendwarrior1980 writes "Microsoft warned that three 'critical'-rated flaws in the Windows operating system and other programs could allow hackers to sneak into personal computers and snoop on sensitive data. The flaws could allow attackers to break into PCs running Windows in several ways and then use the system to run malicious programs and steal or delete key data. These latest security flaws affect the latest versions of Windows, including Windows NT 4.0, Windows 98, Windows 2000 , Windows XP, as well as software for networked computers such as Windows NT Server and Windows Server 2003." Their bulletins are available for these vulnerabilities. Techweb has a pretty good summary.

24 of 486 comments (clear)

  1. In other news by Anonymous Coward · · Score: 0, Interesting

    Three "critical" vulnerabilities were released for the Linux operating system this week, but no one on this so-called pro-Linux site gives a crap.

  2. Worm Writer's Delight by Dynamoo · · Score: 5, Interesting
    What's frightening is that there are *so* many remote code execution vulnerabilities in this one. At least they're all rolled up into one patch. But this gives so many potential backdoors for a Blaster style worm.

    Here we go again...

    --
    Never email donotemail@WeAreSpammers.com
  3. I was wondering about that by ObviousGuy · · Score: 5, Interesting

    I've got IE configured to present itself to websites as Netscape so I can't check the Windows Update webpage, I have to rely on automatic update to tell me of new patches. For the past couple months there has been nary a one patch, then today a whole handful of them.

    What a surprise. My bandwidth was halved by the invisible download.

    Whoops. Be right back. Install is finished, gotta reboot.

    --
    I have been pwned because my /. password was too easy to guess.
  4. There's a market for... by tyrani · · Score: 2, Interesting

    A good, easy to read, consumer grade local port sniffer / analyzer. How hard would it be to build a frontend that reported on "odd" behavior?

    --
    rejected (19) accepted (0)
    Is there a psychological term related to getting your stories rejected on slashdot?
  5. Service Pack 2 by -tji · · Score: 4, Interesting

    That site with their bulletins also has a link to the XP Service Pack 2 release candidate.. That thing has been in the works for so long. Hopefully it makes some useful improvements in their security.

    It looks like the firewall will basically be a built-in ZoneAlarm, with better inbound abilities, and outbound application controls.

    They also have some buffer overflow protections. Are they good enough to make a difference?

  6. OE exploit? by xpl_the_myst · · Score: 2, Interesting
    What I don't understand about the OE exploit is that it basically results from running HTML code in something called a Local Security Zone of IE. Isn't that a vulnerability in IE itsel? That's what I can make out from the article itself :

    An attacker would have to entice users to read a maliciously-crafted HTML e-mail message or use IE to surf to a malicious Web site to grab control of the PC ...

    --
    This sig is empty.
  7. Is Microsoft just stupid? by bigattichouse · · Score: 2, Interesting

    1) patch the OS, since no one can see it, with a bit of code to "simulate" a buffer overrun... in actuality it reports back to MS home office the IP address of the affected machine. Call it a "straw man" flaw
    2) release a patch for other problems and have this new item go with the patch
    3) release a "known flaw".. await for the first few reports of the flaw
    4) show up at the butthead's house with a few large baseball bats
    5)??
    6) profit!

    --
    meh
  8. Won't announcing vulnerabilities cause exploits? by David+Hume · · Score: 5, Interesting
  9. Just exactly how does this happen. by Talinom · · Score: 3, Interesting

    This isn't a troll. This is an honest question.

    How does a critical vulnerability happen? Seriously. Is there a URL someone can provide or a good description that shows what it takes to make an OS or application with a vulnerability? I read just about every week or so about "Application X" or "OS Y" having a security issue and a deeper understanding of what is going on is a good thing to help judge the threat of the warning. It will also help reduce the FUD factor a little bit. If an example (current or outdated) could be given showing HOW the security of a system is compromised that would also be beneficial.

    --
    "Giving money and power to governments is like giving whiskey and car keys to teenage boys." - P.J. O'Rourke
  10. Yearly updates by cove209 · · Score: 2, Interesting

    I wonder (and I am not slamming macs here since I own one) if Microsoft released a new version of Windows yearly like Apple does (for a fee most times) if it would address issues such as this one. The again, if MS released Windows XP 2004 and charged $129, would most people install it?

  11. Sp2 Beta by OneArmedMan · · Score: 3, Interesting

    I have Win XP sp2 on my work machine here ( dont ask )

    and i just did a windows update then .. and behold for there were no critical Windows updates to be found anywhere ..

    so either MS is broken ( heh ) or MS knew about these problems a looooooong time ago and already had the patches in SP2, cause i have been running this SP2 beta for at least 3 or 3 weeks now...

    1. Re:Sp2 Beta by aderusha · · Score: 4, Interesting

      or option c) SP2 beta isn't recognized by winupdate, so you're going to be exposed.

  12. Windows Update in Firefox by Faizdog · · Score: 4, Interesting

    Well,
    After the Nth spyware that infected IE, about 10 days ago I finally had enough of it and switched to Firefox. Haven't looked back since, Firefox rocks.

    So after I read this /. story, went to the Windows Update website, and lo and behold, it only works with IE. I can go to the Microsoft Download Center if I use another browser besides IE, but I actually like the way Windows update works, scanning my computer and giving me options for what I can install.

    Looked through the Firefox FAQs, couldn't find any mention of this. Anyone have another suggestion, or should I use IE for updates and Firefox for everything else?

    --
    -"Those who fought today will die tommorow."-
    1. Re:Windows Update in Firefox by steveha · · Score: 4, Interesting

      You need to use IE for Windows Update. Full stop.

      One of the things that makes Firefox more secure is that it is just an application, it cannot install software for you. One of the things that makes Windows Update work is that IE can install software for you.

      Windows Update is the main reason IE is still on my Win2K desktop computer.

      steveha

      --
      lf(1): it's like ls(1) but sorts filenames by extension, tersely
  13. Re:That's actually true by freeweed · · Score: 4, Interesting

    I'd say it's more likely the majority (or at least a goodly chunk) of Slashdot users use something like Opera or Mozilla*, which lets you spoof your browser ID to websites. I do it, or I'd be locked out of a good many moronic sites (one being my bank) that only think IE works.

    Although with the level of pro-MS posting and moderating on a dramatic increase over the past year, I wouldn't be surprised if we have a lot of IE users here now.

    (Quick! To get some instant karma, talk about some obscure SSH/apache/whatever exploit that wouldn't affect anyone using Linux as a *desktop* system and is only applicable to a service that isn't run by default on any major distro, and claim that Linux is as insecure as Windows! Then whine about Slashdot's "bias" towards Linux to make sure you keep getting modded up!)

    --
    Endless arguments over trivial contradictions in books written by ignorant savages to explain thunder in the dark.
  14. has anyone tried updating windows without using IE by -O.ster_66 · · Score: 2, Interesting
    "Thank you for your interest in Windows Update Windows Update is the online extension of Windows that helps you get the most out of your computer. You need to be running a version of Internet Explorer 5 or higher in order to use Windows Update. Download the latest version of Internet Explorer Once Internet Explorer is installed, you can go to the Windows Update site by typing http://windowsupdate.microsoft.com into the address bar of Internet Explorer. If you prefer to use a different Web browser, updates to Windows may be downloaded from the Microsoft Download Center."

    --
    "You get all the fun of sitting still, being quiet, writing down numbers, paying attention...science has it all."
  15. Re:Meanwhile... by spinkham · · Score: 4, Interesting

    Yeah, this is what burns me up with these security bug comparisons. In Linux, 99% of software you run on your computer you get from your distribution, while very little of your software under Windows comes as a part of Windows. Of course there are more bugs in a complete computer setup with 10 different ftp servers to choose from, irc clients, a complete development suite(or 3), etc...

    --
    Blessed are the pessimists, for they have made backups.
  16. Re:Go here for what you need by RoLi · · Score: 4, Interesting
    I just looked at your site and for my distribution (SuSE) the only REMOTE vulnerability in the LAST YEAR was gaim which I don't even use (I use LICQ).

    All the others where denial of service vulnerabilities or elevation of privileges problems, which in case of the kernel are of course a bad thing and which have been reported on Slashdot several times.

    So in the last year, I had exactly ZERO vulnerabilities that would represent an immedieate danger to my Linux boxes (elevation of privileges is bad, but not an immediate danger for me because I don't run any mass-user hosts) and in the meantime the Windows-world had MS-Slammer, MS-Blaster and many, many other problems.

    If you want to stick your head into the sand, do so, but please don't think that you are smart doing so or that anybody else has got a "party line".

  17. SP5? by TimTheFoolMan · · Score: 4, Interesting
    Hmmm... in the details for Security Bulletin MS04-011, they list the following registry key:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Update s\Windows 2000\ SP5\KB835732\Filelist
    Looks like we've now seen the first light of SP5.

    Tim

  18. Re:has anyone tried updating windows without using by ocelotbob · · Score: 2, Interesting

    Except that ActiveX is available for mozilla. So really, the only reason that MS requires IE is to lock you in, not any real technical reason.

    --

    Marxism is the opiate of dumbasses

  19. Re:has anyone tried updating windows without using by ruiner13 · · Score: 2, Interesting

    Good thing they have self-contained downloads available. Yes, they don't make 'em easy to find, but you can burn say, Win2K SP4 in all its 135MB glory onto a cd to do offline updates. This is the only way you can practically update a 56K modem-bound 'puter.

    --

    today is spelling optional day.

  20. I find two things particularly interesting here... by Malor · · Score: 2, Interesting

    First, this isn't three vulnerabilities, it is TWENTY, addressed with three patches to make it look less severe. (And I don't really think this once-per-month patch cycle is to make adminsitrators' lives easier; I think it's to make Microsoft look better.)

    Second, Microsoft has also increased the load on their servers by, oh, thirty times. While they have enough money to provision themselves with thirty times the incoming bandwidth to handle the huge burst of patch traffic once per month, at this point they don't appear to have actually DONE THIS. I am just barely able to get the Windows Update page to display at all, much less actually do anything useful like, say, download patches.

    So, here I sit with a machine with twenty vulnerabilities, which they didn't tell me about all month to save face, and now that they HAVE told me, I can't patch because I can't reach their site.

  21. The Worm is already out there by TekGoNos · · Score: 2, Interesting

    Well, maybe.

    Anyway, today a worm completly took over my universities network.
    We are the CS-Departement, we know what were doing (well, we still dont use Linux, I'm trying to convince them but ...) and we keep our machines up-to-date.

    It spreads by a file called ascdl.exe through a remotely exploitable vulnerability. Nobody knows about this Virus (neither Symmantec, nor Google) and it spreads fast. When we delete the file, it is back a few minutes later. So I guess it may use one of these new exploits.

    BTW, the internet is slow today and I guess it is this baby. It will probably infect the better part of vulnerable machines before it even has a name. I just hope it doesnt do anything nasty.

    Hopefully by tomorrow AV Vendors will have analysed it and issued an update, but I predict it to become REALLY BIG (potentially bigger than Blaster).

    Oh, and it changes the WINDOWS\system32\drivers\etc\hosts - file, so that you can no longer contact sites of AV Vendors and Nortons LiveUpdate is blocked too. So once you catch it, you cannot get rid of it because you cannot download the new signature file. You have to remove it manually (or it least edit the hosts-file, but who knows about it?). So the bigger part of the population will continue to have it and their computers will no longer update the definition list.

    Again, I dont know if it uses one of the new vulnerabilities, but by the speed this baby spreads and by blocking LiveUpdate this is gonna be HUGE.

    So if a process called ascdl.exe suddenly uses 50% of your CPU, KILL IT!

    --
    I have discovered a truly remarkable proof for my post which this sig is too small to contain.
  22. Re:You know, by Ckwop · · Score: 3, Interesting

    Hmm your threat model should include people who have a local user account?

    I mean, do the l33t|sts just give up trying to get a valid user account?

    What about the disgruntled employee who wants to waste some time by destroying his own PC?

    Simon.