Slashdot Mirror


Microsoft Announces Three More Critical Vulnerabilities

weekendwarrior1980 writes "Microsoft warned that three 'critical'-rated flaws in the Windows operating system and other programs could allow hackers to sneak into personal computers and snoop on sensitive data. The flaws could allow attackers to break into PCs running Windows in several ways and then use the system to run malicious programs and steal or delete key data. These latest security flaws affect the latest versions of Windows, including Windows NT 4.0, Windows 98, Windows 2000, Windows XP, as well as software for networked computers such as Windows NT Server and Windows Server 2003." Their bulletins are available for these vulnerabilities. Techweb has a pretty good summary.

14 of 486 comments

  1. Worm Writer's Delight by Dynamoo · · Score: 5, Interesting
    What's frightening is that there are *so* many remote code execution vulnerabilities in this one. At least they're all rolled up into one patch. But this gives so many potential backdoors for a Blaster style worm.

    Here we go again...

    --
    Never email donotemail@WeAreSpammers.com
  2. I was wondering about that by ObviousGuy · · Score: 5, Interesting

    I've got IE configured to present itself to websites as Netscape so I can't check the Windows Update webpage, I have to rely on automatic update to tell me of new patches. For the past couple months there has been nary a one patch, then today a whole handful of them.

    What a surprise. My bandwidth was halved by the invisible download.

    Whoops. Be right back. Install is finished, gotta reboot.

    --
    I have been pwned because my /. password was too easy to guess.
  3. Service Pack 2 by -tji · · Score: 4, Interesting

    That site with their bulletins also has a link to the XP Service Pack 2 release candidate. That thing has been in the works for so long. Hopefully it makes some useful improvements in their security.

    It looks like the firewall will basically be a built-in ZoneAlarm, with better inbound abilities, and outbound application controls.

    They also have some buffer overflow protections. Are they good enough to make a difference?

  4. Won't announcing vulnerabilities cause exploits? by David Hume · · Score: 5, Interesting
  5. Just exactly how does this happen. by Talinom · · Score: 3, Interesting

    This isn't a troll. This is an honest question.

    How does a critical vulnerability happen? Seriously. Is there a URL someone can provide or a good description that shows what it takes to make an OS or application with a vulnerability? I read just about every week or so about "Application X" or "OS Y" having a security issue and a deeper understanding of what is going on is a good thing to help judge the threat of the warning. It will also help reduce the FUD factor a little bit. If an example (current or outdated) could be given showing HOW the security of a system is compromised that would also be beneficial.

    --
    "Giving money and power to governments is like giving whiskey and car keys to teenage boys." - P.J. O'Rourke
  6. Sp2 Beta by OneArmedMan · · Score: 3, Interesting

    I have Win XP SP2 on my work machine here (don't ask)

    and I just did a Windows Update then .. and behold for there were no critical Windows updates to be found anywhere ..

    so either MS is broken ( heh ) or MS knew about these problems a looooooong time ago and already had the patches in SP2, cause I have been running this SP2 beta for at least 3 or 3 weeks now...

    1. Re:Sp2 Beta by aderusha · · Score: 4, Interesting

      or option c) SP2 beta isn't recognized by winupdate, so you're going to be exposed.

  7. Windows Update in Firefox by Faizdog · · Score: 4, Interesting

    Well,
    After the Nth spyware that infected IE, about 10 days ago I finally had enough of it and switched to Firefox. Haven't looked back since, Firefox rocks.

    So after I read this /. story, went to the Windows Update website, and lo and behold, it only works with IE. I can go to the Microsoft Download Center if I use another browser besides IE, but I actually like the way Windows update works, scanning my computer and giving me options for what I can install.

    Looked through the Firefox FAQs, couldn't find any mention of this. Anyone have another suggestion, or should I use IE for updates and Firefox for everything else?

    --
    -"Those who fought today will die tomorrow."-
    1. Re:Windows Update in Firefox by steveha · · Score: 4, Interesting

      You need to use IE for Windows Update. Full stop.

      One of the things that makes Firefox more secure is that it is just an application, it cannot install software for you. One of the things that makes Windows Update work is that IE can install software for you.

      Windows Update is the main reason IE is still on my Win2K desktop computer.

      steveha

      --
      lf(1): it's like ls(1) but sorts filenames by extension, tersely
  8. Re:That's actually true by freeweed · · Score: 4, Interesting

    I'd say it's more likely the majority (or at least a goodly chunk) of Slashdot users use something like Opera or Mozilla*, which lets you spoof your browser ID to websites. I do it, or I'd be locked out of a good many moronic sites (one being my bank) that only think IE works.

    Although with the level of pro-MS posting and moderating on a dramatic increase over the past year, I wouldn't be surprised if we have a lot of IE users here now.

    (Quick! To get some instant karma, talk about some obscure SSH/apache/whatever exploit that wouldn't affect anyone using Linux as a *desktop* system and is only applicable to a service that isn't run by default on any major distro, and claim that Linux is as insecure as Windows! Then whine about Slashdot's "bias" towards Linux to make sure you keep getting modded up!)

    --
    Endless arguments over trivial contradictions in books written by ignorant savages to explain thunder in the dark.
  9. Re:Meanwhile... by spinkham · · Score: 4, Interesting

    Yeah, this is what burns me up with these security bug comparisons. In Linux, 99% of software you run on your computer you get from your distribution, while very little of your software under Windows comes as a part of Windows. Of course there are more bugs in a complete computer setup with 10 different ftp servers to choose from, irc clients, a complete development suite (or 3), etc...

    --
    Blessed are the pessimists, for they have made backups.
  10. Re:Go here for what you need by RoLi · · Score: 4, Interesting
    I just looked at your site and for my distribution (SuSE) the only REMOTE vulnerability in the LAST YEAR was gaim which I don't even use (I use LICQ).

    All the others were denial of service vulnerabilities or elevation of privileges problems, which in case of the kernel are of course a bad thing and which have been reported on Slashdot several times.

    So in the last year, I had exactly ZERO vulnerabilities that would represent an immediate danger to my Linux boxes (elevation of privileges is bad, but not an immediate danger for me because I don't run any mass-user hosts) and in the meantime the Windows-world had MS-Slammer, MS-Blaster and many, many other problems.

    If you want to stick your head into the sand, do so, but please don't think that you are smart doing so or that anybody else has got a "party line".

  11. SP5? by TimTheFoolMan · · Score: 4, Interesting
    Hmmm... in the details for Security Bulletin MS04-011, they list the following registry key:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows 2000\SP5\KB835732\Filelist
    Looks like we've now seen the first light of SP5.

    Tim

  12. Re:You know, by Ckwop · · Score: 3, Interesting

    Hmm your threat model should include people who have a local user account?

    I mean, do the l33t|sts just give up trying to get a valid user account?

    What about the disgruntled employee who wants to waste some time by destroying his own PC?

    Simon.