Microsoft Announces Three More Critical Vulnerabilities
weekendwarrior1980 writes "Microsoft warned that three 'critical'-rated flaws in the Windows operating system and other programs could allow hackers to sneak into personal computers and snoop on sensitive data.
The flaws could allow attackers to break into PCs running Windows in several ways and then use the system to run malicious programs and steal or delete key data. These latest security flaws affect the latest versions of Windows, including Windows NT 4.0, Windows 98, Windows 2000 , Windows XP, as well as software for networked computers such as Windows NT Server and Windows Server 2003." Their bulletins are available for these vulnerabilities. Techweb has a pretty good summary.
Three "critical" vulnerabilities were released for the Linux operating system this week, but no one on this so-called pro-Linux site gives a crap.
Here we go again...
Never email donotemail@WeAreSpammers.com
I've got IE configured to present itself to websites as Netscape so I can't check the Windows Update webpage, I have to rely on automatic update to tell me of new patches. For the past couple months there has been nary a one patch, then today a whole handful of them.
What a surprise. My bandwidth was halved by the invisible download.
Whoops. Be right back. Install is finished, gotta reboot.
I have been pwned because my
A good, easy to read, consumer grade local port sniffer / analyzer. How hard would it be to build a frontend that reported on "odd" behavior?
rejected (19) accepted (0)
Is there a psychological term related to getting your stories rejected on slashdot?
That site with their bulletins also has a link to the XP Service Pack 2 release candidate.. That thing has been in the works for so long. Hopefully it makes some useful improvements in their security.
It looks like the firewall will basically be a built-in ZoneAlarm, with better inbound abilities, and outbound application controls.
They also have some buffer overflow protections. Are they good enough to make a difference?
An attacker would have to entice users to read a maliciously-crafted HTML e-mail message or use IE to surf to a malicious Web site to grab control of the PC ...
This sig is empty.
1) patch the OS, since no one can see it, with a bit of code to "simulate" a buffer overrun... in actuality it reports back to MS home office the IP address of the affected machine. Call it a "straw man" flaw
2) release a patch for other problems and have this new item go with the patch
3) release a "known flaw".. await for the first few reports of the flaw
4) show up at the butthead's house with a few large baseball bats
5)??
6) profit!
meh
Won't announcing the vulnerabilities cause them to be expoited??
Shouldn't Microsoft as a result slow down the security patch cycle?
Only Women Bleed (Sex, Sharia remix)
This isn't a troll. This is an honest question.
How does a critical vulnerability happen? Seriously. Is there a URL someone can provide or a good description that shows what it takes to make an OS or application with a vulnerability? I read just about every week or so about "Application X" or "OS Y" having a security issue and a deeper understanding of what is going on is a good thing to help judge the threat of the warning. It will also help reduce the FUD factor a little bit. If an example (current or outdated) could be given showing HOW the security of a system is compromised that would also be beneficial.
"Giving money and power to governments is like giving whiskey and car keys to teenage boys." - P.J. O'Rourke
I wonder (and I am not slamming macs here since I own one) if Microsoft released a new version of Windows yearly like Apple does (for a fee most times) if it would address issues such as this one. The again, if MS released Windows XP 2004 and charged $129, would most people install it?
I have Win XP sp2 on my work machine here ( dont ask )
.. and behold for there were no critical Windows updates to be found anywhere ..
and i just did a windows update then
so either MS is broken ( heh ) or MS knew about these problems a looooooong time ago and already had the patches in SP2, cause i have been running this SP2 beta for at least 3 or 3 weeks now...
Well,
/. story, went to the Windows Update website, and lo and behold, it only works with IE. I can go to the Microsoft Download Center if I use another browser besides IE, but I actually like the way Windows update works, scanning my computer and giving me options for what I can install.
After the Nth spyware that infected IE, about 10 days ago I finally had enough of it and switched to Firefox. Haven't looked back since, Firefox rocks.
So after I read this
Looked through the Firefox FAQs, couldn't find any mention of this. Anyone have another suggestion, or should I use IE for updates and Firefox for everything else?
-"Those who fought today will die tommorow."-
I'd say it's more likely the majority (or at least a goodly chunk) of Slashdot users use something like Opera or Mozilla*, which lets you spoof your browser ID to websites. I do it, or I'd be locked out of a good many moronic sites (one being my bank) that only think IE works.
Although with the level of pro-MS posting and moderating on a dramatic increase over the past year, I wouldn't be surprised if we have a lot of IE users here now.
(Quick! To get some instant karma, talk about some obscure SSH/apache/whatever exploit that wouldn't affect anyone using Linux as a *desktop* system and is only applicable to a service that isn't run by default on any major distro, and claim that Linux is as insecure as Windows! Then whine about Slashdot's "bias" towards Linux to make sure you keep getting modded up!)
Endless arguments over trivial contradictions in books written by ignorant savages to explain thunder in the dark.
"You get all the fun of sitting still, being quiet, writing down numbers, paying attention...science has it all."
Yeah, this is what burns me up with these security bug comparisons. In Linux, 99% of software you run on your computer you get from your distribution, while very little of your software under Windows comes as a part of Windows. Of course there are more bugs in a complete computer setup with 10 different ftp servers to choose from, irc clients, a complete development suite(or 3), etc...
Blessed are the pessimists, for they have made backups.
All the others where denial of service vulnerabilities or elevation of privileges problems, which in case of the kernel are of course a bad thing and which have been reported on Slashdot several times.
So in the last year, I had exactly ZERO vulnerabilities that would represent an immedieate danger to my Linux boxes (elevation of privileges is bad, but not an immediate danger for me because I don't run any mass-user hosts) and in the meantime the Windows-world had MS-Slammer, MS-Blaster and many, many other problems.
If you want to stick your head into the sand, do so, but please don't think that you are smart doing so or that anybody else has got a "party line".
Tim
Except that ActiveX is available for mozilla. So really, the only reason that MS requires IE is to lock you in, not any real technical reason.
Marxism is the opiate of dumbasses
Good thing they have self-contained downloads available. Yes, they don't make 'em easy to find, but you can burn say, Win2K SP4 in all its 135MB glory onto a cd to do offline updates. This is the only way you can practically update a 56K modem-bound 'puter.
today is spelling optional day.
First, this isn't three vulnerabilities, it is TWENTY, addressed with three patches to make it look less severe. (And I don't really think this once-per-month patch cycle is to make adminsitrators' lives easier; I think it's to make Microsoft look better.)
Second, Microsoft has also increased the load on their servers by, oh, thirty times. While they have enough money to provision themselves with thirty times the incoming bandwidth to handle the huge burst of patch traffic once per month, at this point they don't appear to have actually DONE THIS. I am just barely able to get the Windows Update page to display at all, much less actually do anything useful like, say, download patches.
So, here I sit with a machine with twenty vulnerabilities, which they didn't tell me about all month to save face, and now that they HAVE told me, I can't patch because I can't reach their site.
Well, maybe.
...) and we keep our machines up-to-date.
Anyway, today a worm completly took over my universities network.
We are the CS-Departement, we know what were doing (well, we still dont use Linux, I'm trying to convince them but
It spreads by a file called ascdl.exe through a remotely exploitable vulnerability. Nobody knows about this Virus (neither Symmantec, nor Google) and it spreads fast. When we delete the file, it is back a few minutes later. So I guess it may use one of these new exploits.
BTW, the internet is slow today and I guess it is this baby. It will probably infect the better part of vulnerable machines before it even has a name. I just hope it doesnt do anything nasty.
Hopefully by tomorrow AV Vendors will have analysed it and issued an update, but I predict it to become REALLY BIG (potentially bigger than Blaster).
Oh, and it changes the WINDOWS\system32\drivers\etc\hosts - file, so that you can no longer contact sites of AV Vendors and Nortons LiveUpdate is blocked too. So once you catch it, you cannot get rid of it because you cannot download the new signature file. You have to remove it manually (or it least edit the hosts-file, but who knows about it?). So the bigger part of the population will continue to have it and their computers will no longer update the definition list.
Again, I dont know if it uses one of the new vulnerabilities, but by the speed this baby spreads and by blocking LiveUpdate this is gonna be HUGE.
So if a process called ascdl.exe suddenly uses 50% of your CPU, KILL IT!
I have discovered a truly remarkable proof for my post which this sig is too small to contain.
Hmm your threat model should include people who have a local user account?
I mean, do the l33t|sts just give up trying to get a valid user account?
What about the disgruntled employee who wants to waste some time by destroying his own PC?
Simon.