Microsoft Announces Three More Critical Vulnerabilities
weekendwarrior1980 writes "Microsoft warned that three 'critical'-rated flaws in the Windows operating system and other programs could allow hackers to sneak into personal computers and snoop on sensitive data.
The flaws could allow attackers to break into PCs running Windows in several ways and then use the system to run malicious programs and steal or delete key data. These latest security flaws affect the latest versions of Windows, including Windows NT 4.0, Windows 98, Windows 2000 , Windows XP, as well as software for networked computers such as Windows NT Server and Windows Server 2003." Their bulletins are available for these vulnerabilities. Techweb has a pretty good summary.
Now that the word is out on these, Microsoft is going to have to post a big link to all the articles about that new Mac OS X trojan all over their homepage...
...their lawyers are waiting in line to press charges in case you complain.
This wasn't just plain terrible, this was fancy terrible. This was terrible with raisins in it. - Dorothy Parker
Prepare the fire extinguishers
No, not just one more patch. Three!
Actually, according to the article there aren't just three vulnerablilies. There are 20 separate vulnerabilities in Windows and Outlook Express, 8 of which are critical, and 16 of which are remotely exploitable. Microsoft has bundled the patches for these into 4 separate downloads - 3 for Windows and 1 for Outlook Express.
Here we go again...
Never email donotemail@WeAreSpammers.com
I love rebooting. There goes my uptime!
Microsoft could just send is service pack, and as usual, during installation, printing meanless phrases such as: registering component, building registry, etc...
I've got IE configured to present itself to websites as Netscape so I can't check the Windows Update webpage, I have to rely on automatic update to tell me of new patches. For the past couple months there has been nary a one patch, then today a whole handful of them.
What a surprise. My bandwidth was halved by the invisible download.
Whoops. Be right back. Install is finished, gotta reboot.
I have been pwned because my
I hate to sound like a troll, but I really don't care about all the MS security vulnerabilities. I've cleaned up a bunch of systems in the last week that were all virus and spyware infested, because the user clicked on things they shouldn't have. If Microsoft required a prompt for the root password whenever a program tried to install itself, similar to what OS X and many Linux apps do, it would make all the actual security vulnerabilities matter much more.
We need internet licenses. Nobody without a geek code should be granted an IP address. It's that simple.
Sorry, no link because the site seems to be down/slow... it must be linked to from another announcement posted elsewhere.
"The RPC/DCOM Runtime vulnerability should be of special concern to all users," said Gullotto. "There's great potential for another worm that exploits this."
Great... "Here comes the worms again..."
Any idea if these exploits were discovered from the Microsoft's leaked code... or if they were discovered out in the wild?
AC
A good, easy to read, consumer grade local port sniffer / analyzer. How hard would it be to build a frontend that reported on "odd" behavior?
rejected (19) accepted (0)
Is there a psychological term related to getting your stories rejected on slashdot?
That site with their bulletins also has a link to the XP Service Pack 2 release candidate.. That thing has been in the works for so long. Hopefully it makes some useful improvements in their security.
It looks like the firewall will basically be a built-in ZoneAlarm, with better inbound abilities, and outbound application controls.
They also have some buffer overflow protections. Are they good enough to make a difference?
Yea, the hackers are 'sneaking' in, like a green beret in vietnam, and your data is their buddies, behind enemy lines.
An attacker would have to entice users to read a maliciously-crafted HTML e-mail message or use IE to surf to a malicious Web site to grab control of the PC ...
This sig is empty.
no -- that's just not true.
there are misinformed people who don't understand the issues with the bugs reported in linux who then fan the flames about "holes in linux" as if they are of the same level of problem as these weekly holes in windows.
a theoretical overflow on a linux server running openssh is a lot different than a open hole that runs executable attachments
as a windows user, you should spend your time patching windows, not reading news.com
By time they finish perfecting XP, Longhorn will be about ready for testing (i.e. release on an unsuspecting world of Joe Users, to be followed by a vast number of Critical Updates).
1) patch the OS, since no one can see it, with a bit of code to "simulate" a buffer overrun... in actuality it reports back to MS home office the IP address of the affected machine. Call it a "straw man" flaw
2) release a patch for other problems and have this new item go with the patch
3) release a "known flaw".. await for the first few reports of the flaw
4) show up at the butthead's house with a few large baseball bats
5)??
6) profit!
meh
Are Windows 98, Windows 98 Second Edition, or Windows Millennium Edition critically affected by any of the vulnerabilities that are addressed in this security bulletin?
:-S
No. None of these vulnerabilities are critical in severity on Windows 98, on Windows 98 Second Edition, or on Windows Millennium Edition.
Another reason for home users and gamers to stick with 98SE. Obviously most businesses aren't so lucky.
I think we /.ed microsoft!!
Won't announcing the vulnerabilities cause them to be expoited??
Shouldn't Microsoft as a result slow down the security patch cycle?
Only Women Bleed (Sex, Sharia remix)
and this has happened when?
Douglas P. Price
Maybe if MS manages to generate enough panic with its exponentially growing number of remote security exploits, it can get some support for mad Palladium.
I wouldn't be at all suprised.
Defenestrate Windows...
news.com is a real news site, so they post real news. I am surprised anyone resports vulnerabilities in MS Windows as news. The only reason to report these is so people know to update again, and to poke fun at the joke that is Microsoft's quality control. Real news would be if they go for an extended period of time without a vulnerability!
For Linux on the other hand it is an event when there is a vulnerability reported.
"Anything is possible with enough programmers, time and pizza." (Substitute caffeine for time as needed.)
That is, wrt bulletins MS04-011, MS04-012 and MS04-014.
Of course MS04-013 is about Outlook Express so you may still be vulnerable on these OSs.
My windows box is behind a nice little NAT device, in addition to ZoneAlarm. No virii on the router because it's all firmware. No virii on the win box because no unrequested traffic ever gets to it. ZoneAlarm is just there so that if someone else is ever using it, and does the stupid, I can turn off the spyware/spam relay/ddos without having to hunt it down in 50 places.
-Amalcon
Not only is this not a surprise, it's a non-starter.
So what? There were several new vulnerabilities that were identified by Microsoft before there were any exploits for them. Microsoft has also owned up to the fact that the exploits exist at all. Sounds to me like their new focus on security is working correctly.
Yes, they are severe problems for a home user if they don't get patched, but most networks aren't really in jeopardy at all unless they aren't running some sort of network security. I can patch my servers at my leisure and reboot whenever I have time.
My only complaint is that the windows update site has been running quite slowly today.
So what im saying is, we dont need to sensationalize stack overflow bugs because, they're as old as time more or less.
Religion is a gateway psychosis. -- Dave Foley
And I'll awnser: all the slashdotters who run Windows....
Ask 8 slackers a question, get 10 awnsers (a citation, but I can't remember from who)
Are any of these new Critical Fixes related to the recent MS source code release/leak.
Were any known about in house but not fixed?
Now they are less obscure MS must do something about them.
The weathers here - Wish you were beautiful
If some of these exploits were the ones listed on eEye's page (Google cache with the old info), and they seem to be since they're removed now, they got discovered long before the source code got leaked.
Windows Update is getting a bit slow. Can someone set up a mirror? The link at this page doesn't seem to be working.
That's 'cause most of us are secretly using Windows ;)
So, "We only use Linux" cries the slashdot crowd...
Then why the hell is windowsupdate.microsoft.com slashdoted? You bastards.
..Microsoft recently (last Fall I think) changed their critical update release schedule to coincide with the second Tuesday of each month to supposedly take some of the workload off of the sysadmins. Thus, today is the day.
However, as a sysadmin I still have mixed feelings about this. If something is a critical vulnerability, I think a patch needs to be released as soon as it becomes available. At the same time, it's a real pain in the butt to have to go around to hundreds of computers to make sure auto update is actually doing its job. More specifically, the last time I checked machines to see if they were auto-updating, at least a third of them weren't even though they are always on and set up to do so. Not to mention the machines that fatally crash due to windows updates..
there is a difference between REMOTE ROOT exploits and LOCAL PRIVILEGE-ESCALATION exploits. But then, you just wanted to appear clever, didn't you?
HAND.
Actually, according to the article there aren't just three vulnerablilies. There are 20 separate vulnerabilities in Windows and Outlook Express, 8 of which are critical, and 16 of which are remotely exploitable.
HOLY #*&$*!!! /me patches like mad
The people who previously expressed the number of vulnerablilies as 3 have been sacked. In a separate sacking, the person responsible for bundling downloads for Windows and Outlook Express separately, thus making even more confusion, has also been sacked.
The person responsible for not defining all remotely exploitable vulnerablilies as critical has also been sacked.
As this is a /. joke, and nobody at microsoft has actually been sacked, the writer of this post has also been sacked, having failed in actually sacking the previously aforementioned sacked.
Even those who arrange and design shrubberies are under considerable economic stress at this period in history.
please? :-)
Do these announcements of security patches not alert hackers and virus authors to capitalize on them? It's alerting criminals to the exact vulnerabilities.
You can bet that it's likely the majority of Windows users have failed to install this patch (and many other patches)
Look at Blaster. Even after the patch was announced and distributed, the worm was still able to infect millions of machines.
Men believe what they want. - Caesar
LinuxSecurity.com Advisories. It gives you the last 15 advisories (right now it's 15 in the past three days!), and you can click on each distro, including the BSDs, and get archived advisories for each one. Very useful, complete with links to the actual bulletins.
:P
Yes, you are right--these things never appear on Slashdot except when there are major kernel exploits. To be honest, I've noticed lately a dissident tide in Slashdot, where people are a little weary of the anti-Microsoft spin. Nothing wrong with posting about Windows vulnerabilities, of course, but you do have to view the context with which it's posted--an OSDN-owned website that posts pro-Linux articles and just so happens never to mention Linux security advisories. But a user-run executable will become front page news as a new "Microsoft Worm."
I've just noticed more people annoyed by it lately, even the partyline pro-OSS guys. Simplistic agendas shouldn't be something to embrace on a site that is touted as the epicenter for geek tech news on the Internet. I guess my sig reflects that I've become one of those people as well who feels the need to balance out the spin going on...
Is /. running out of things to post as news? Like security problems in M$ software is what we are all worried about. If you run windows you should know to go and run a windows update every 30 minutes or your going to get some new lame virus. Start posting some useful information, not crap about Microsoft hacks.
first post
in soviet russia critical vulnerabilities announce Microsoft!
1. Announce critical vulnerability
2. ??
3. Profit
if people used linux/oss this wouldnt happen
- oh sure, just because slashdot doesnt report linux vulnerabilities!
natalie portman naked and vulnerable?
can someone point me to a mirror the site is down?
can someone point me to an open source version of this?
this wouldnt happen if it was ogg based.
This comment does not represent the views or opinions of the user.
Actually, there were 5 including the Internet Explorer one.
It's not good that they're having so many publicly visible flaws, but I'm really impressed that Microsoft is starting to be honest and forthcoming in their reporting. I remember a time when the bugs wouldn't get announced until the exploit was already wreaking havoc. Now it seems the bugs get reported and patched before there are any exploits. That's very professional; they can't be perfect but they can be responsible.
I have a lot of respect for that.
seeing the microsoft security ad (http://m2.doubleclick.net/viewad/930640/MRS03141_ ityouwe_728x90_anima.gif) at the top of the page while reading this article was just too much...
It was fast for me :)
What you don't seem to realise is that most of these vulnerabilities would fall into the realm of "third party products" on a Microsoft-powered box. Linux may get more security advisories, but if you compare the number of packages a Linux security advisory site covers compared with what's included in an out of the box Windows install (certainly no professional quality Web Server with XP, for example), the number is still proportionally lower.
According to CmdrTaco, the majority of Slashdot visitors use IE. Kind of puts things into perspective as far as the "movement" goes.
Three vulnerabilities? Boy, that's a record. What's that up to for the year 2004? 78,962,322,505.5???? Pft. This is why I don't use Microcrap. I can't even believe people still use such an out-dated, inferior OS as Winblows. PEOPLE: IT'S CALLED LINUX! IT'S CALLED MAC! FOR THE LOVE OF GOD, MAKE THE SWITCH TO SOMETHING THAT WILL GRANT YOU FREEDOM AND HAPPINESS!
This isn't a troll. This is an honest question.
How does a critical vulnerability happen? Seriously. Is there a URL someone can provide or a good description that shows what it takes to make an OS or application with a vulnerability? I read just about every week or so about "Application X" or "OS Y" having a security issue and a deeper understanding of what is going on is a good thing to help judge the threat of the warning. It will also help reduce the FUD factor a little bit. If an example (current or outdated) could be given showing HOW the security of a system is compromised that would also be beneficial.
"Giving money and power to governments is like giving whiskey and car keys to teenage boys." - P.J. O'Rourke
Windows Critical Vulnerabilities come every few weeks...doubtless they'll get them all in time.
They haven't had a critical update patch on Windows Update since the beginning of this year.
Open source vulnerabilities and incidents get reported all the freaking time on Slashdot.
It is a game you know: "He who crashes with the most vulnerabilities wins!" Bill hates to loose... -and to think that after 4 major iterations of OS X they can only muster one puny Trojan. Poor poor Apple...
- Minutus cantorum, minutus balorum, minutus carborata descendum pantorum.
But the people pointing out the one-sided reporting on Slashdot are right.
I wonder (and I am not slamming macs here since I own one) if Microsoft released a new version of Windows yearly like Apple does (for a fee most times) if it would address issues such as this one. The again, if MS released Windows XP 2004 and charged $129, would most people install it?
I have Win XP sp2 on my work machine here ( dont ask )
.. and behold for there were no critical Windows updates to be found anywhere ..
and i just did a windows update then
so either MS is broken ( heh ) or MS knew about these problems a looooooong time ago and already had the patches in SP2, cause i have been running this SP2 beta for at least 3 or 3 weeks now...
that the fact microsoft is suddnely letting people know more about this, saying they'll up security, etc think it's a sham so when longhorn comes out on a palladium DRM locked system, and it's announced it's more secure than ever, people will flock to that, or at least, what they hope?
It appears that the only thing you value is money. That attitude won't get you into heaven. :-)
What?
Well,
/. story, went to the Windows Update website, and lo and behold, it only works with IE. I can go to the Microsoft Download Center if I use another browser besides IE, but I actually like the way Windows update works, scanning my computer and giving me options for what I can install.
After the Nth spyware that infected IE, about 10 days ago I finally had enough of it and switched to Firefox. Haven't looked back since, Firefox rocks.
So after I read this
Looked through the Firefox FAQs, couldn't find any mention of this. Anyone have another suggestion, or should I use IE for updates and Firefox for everything else?
-"Those who fought today will die tommorow."-
Damn....the MS update site is so overloaded....can anybody provide a bittorrent to the patch files?!
REALLY!
Sort of like BSing.
from my proxy config:
user-agent "Mozilla/4.0 (compatible; MSIE 9.01; Windows NT Sucks)"
ARTHUR: How do you do, good lady. I am Arthur, King of the Microsoftons. Who's
castle is that?
WOMAN: King of the who?
ARTHUR: The Microsoftons.
WOMAN: Who are the Microsoftons?
ARTHUR: Well, we all are. We are all Microsoftons, and I am your king.
WOMAN: I didn't know we had a king. I thought we were an autonomous
collective.
DENNIS: You're fooling yourself. We're living in a dictatorship. A self-
perpetuating autocracy in which the working classes--
WOMAN: Oh, there you go, bringing class into it again.
DENNIS: That's what it's all about. If only people would hear of--
ARTHUR: Please, please good people. I am in haste. Who lives in that castle?
WOMAN: No one live there.
ARTHUR: Then who is your lord?
WOMAN: We don't have a lord.
ARTHUR: What?
DENNIS: I told you. We're an anarcho-syndicalist commune. We take it in
turns to act as a sort of executive officer for the week.
ARTHUR: Yes.
DENNIS: But all the decision of that officer have to be ratified at a special
bi-weekly meeting--
ARTHUR: Yes, I see.
DENNIS: By a simple majority in the case of purely internal affairs,--
ARTHUR: Be quiet!
DENNIS: But by a two-thirds majority in the case of more major--
ARTHUR: Be quiet! I order you to be quiet!
(\_/)
(O.o) This is Bunny. Add Bunny to your signature
(> <) to help him achieve world domination.
So, I'd rather choose the system that while not perfect is pretty good than a crappy system whose vendor chooses to put out press-releases about security instead of actually dealing with the problems.
As usual, in theory, Windows is great:
In theory, Windows is great. In real life it's a buggy, insecure piece of trash that should be avoided whenever possible.
Sorry, we already apt-get updated those bugs away while we were sipping our morning coffee and never noticed. Unlike Windows, I don't have to worry about a simple bugfix blowing up the box, or causing downtime, nor do I have to reboot the damn thing four times.
Oh, and application bugs are not "Linux" bugs. Linux refers to the kernel and kernel alone. Unlike on a Microsoft product, where they make Outlook/IE the default for everything and unremovable, hence being part of the OS and countable as an OS exploit, the same is not true of Linux systems.
.sig: Now legally binding!
I know it isnt part of the OS, and I never used Outlook or OE when booting 98SE, so I seperately mentioned that some 98ers might still be vulnerable but only if they run non-core apps like OE.
"You get all the fun of sitting still, being quiet, writing down numbers, paying attention...science has it all."
since Microsoft's Windows Update page is getting really bogged down you can download the patches from this Mirror.
Ben
Work Safe Porn
This illustrates two important points:
1) Windows is full of security holes. (as if everyone didn't already know that)
2) Microsoft is trying to fix their security problems.
I have to wonder, though, how many more unknown or unpatched security vunerabilities Windows has and how hard Microsoft is working on security. I'd suspect that the answer to both questions is "a lot," but that's just pure speculation on my part.
Hmm, I just connected to the windowsupdate.microsoft.com and it said I don't need any updates (I don't have autoupdate turned on). I'm running Win98SE.
Yeah, this is what burns me up with these security bug comparisons. In Linux, 99% of software you run on your computer you get from your distribution, while very little of your software under Windows comes as a part of Windows. Of course there are more bugs in a complete computer setup with 10 different ftp servers to choose from, irc clients, a complete development suite(or 3), etc...
Blessed are the pessimists, for they have made backups.
...they peaked around 2000. Or should I call it purely accidental, since NT was solid but not usable for common people. They've been turning it into this XP Premium crap since then, fortunately they did the basics first and needed to release something, so there was Win2k.
By the time that one is EoL'd, I expect I'll be running Linux full-time. Windows seem to be going in completely the wrong direction as far as I'm concerned, whereas Linux is getting to the "poweruser but not interested in hacking config from terminal" level I'd like.
Kjella
Live today, because you never know what tomorrow brings
The faq says that these vulnerabilities are not critical in Win98. Do they still exist? not clear from the text.
Still have to patch a dozen computers. Oh well, at least the server is running linux.
First of all, your on crack, most of those programs don't run as root as root out of the box, don't recommend running as root in the installation documentation, or at least are configured not to run as root by every distribution which is even vaguely popular.
In addition only one thing there has anything to do with a linux vulnerability, the kernel. The rest are user application software even if they were running as root. If root executes vi then it's running with root privilages, that hardly makes it part of the OS aka kernel.
If and when there's an actual exploit in the wild for a given vulnerability then they'll release the patch immediately, just like they've done before.
Whoever modded you "Insightful" should have used the "-1, Another Stupid Conspiracy Theory" mod instead.
Not to threadjack, but...
One of my jobs is to plug holes like this when they pop up. I know that I can keep watch on SecurityFocus, NTBugTraq, etc., but does anyone know of a service that I can subscribe to that will proactively send me security alerts? I'd like to be able to pick the products/vendors that I support and get timely and relavant notices.
Entrepreneur : (noun), French for "unemployed"
http://www.eeye.com/html/Research/Advisories/index .html
Looks like a whole bunch of those holes were reported to Microsoft by eeye and Microsoft FINALLY got around to patching them.
Some of them had been reported over 6 months ago.
...I thought lower was better for uptime...
Windows Update uses ActiveX controls to check which updates are installed on your computer, so you actually do need Internet Explorer to use it.
So then why do only anonomous cowards reply? Go ahead and tell me I'm wrong, exploits are exploits and all should be fixed. I'm rooting for both Windows and Linux, sorry if I'm not radical enough for ya.
Tim
1) why would you need 10 different ftp servers? one would think that just installing the one you plan to use makes more sense... same goes for developement suites. chances are that you'll be using one - not three
2) ftp IS a bug. try ssh. there are many ssh servers available. but once again, one ssh server will probably suffice.
Wave upon wave of demented avengers March cheerfully out of obscurity into the dream
Nice to see /. falling into the MS fud campaign. There are not 3 vulnerabilities, there are 20, and it is only 3 patches.
Score a point to MS for making us think 20 = 3.
Of cource we also buy MS telling us the linux mem-remap exploit was 5+ vulnerabilites (Debian, Mandrake, Redhat, Suse, et. al.)
As of this point, if someone from MS told me the grass was green, I would go outside and see for myself. You simply cannot believe a single word spewing forth from the Redmond Dragon.
Except that ActiveX is available for mozilla. So really, the only reason that MS requires IE is to lock you in, not any real technical reason.
Marxism is the opiate of dumbasses
First time I ever saw this upon loading Windows Update:
HTTP/1.1 Server Too Busy
A hint: those ssh exploits aren't theoretical. They're in active use.
Have you run Tripwire (/AIDE/whatever) lately?
--
It seems that one of updates broke TS on a 2k Server (and I'm too far away to get to the console tonight). Has anyone else heard of any other services or apps that break because of these updates?
"I hate to advocate drugs, alcohol, violence or insanity but they've always worked for me" - HST
Hey, any one else get the feeling that all these remote exploits could be related to the leak of windows source some time back? Just a thought, but this is a lot of critical updates.
Biting the troll...
I quote, "you stupid." - Way to go! The first fucking sentence in your paragraph describing how someone is stupid, is, ironically, stupid. I also notice your lack of participles. If you're going to try to rip on someone, make sure your grammar is correct, poor grammar really invalidates your credibility.
Next, yes Outlook Express is "packaged" with the OS, but it has been the vector for countless virii for simply that reason. Same with IE. For all intents and purposes, removing IE cripples the UI aspect of Windows. Since Windows doesn't have great command-line utilities, I don't think I need to go further. IE is very vulnerable and no firewall will stop it. Let's not forget to mention how Windows won't even work without its precious RPC service. I'd call that an achilles heel if I ever saw one.
To deal with the rest of your idiotic drivel, apt-get can be run as a cron job, just like Windows Automated Updates. No one has to touch it, just like Windows! Wow. What's even better is that the only rebooting necessary is for kernel updates. Windows is sadly dissimilar in this regard.
I wonder what makes you so qualified to write an attack and start talking about CS majors like they are the all mighty computer wizards? Most CS majors I know don't know shit. Sure, they can write "Hello World," in various languages, but give them a problem and watch them fail. Just like you just did.
Slashdot is proof that Sturgeon's Law applies to mankind.
When I installed this, my firewall went crazy during the update with attempted connections all over the net by the update installer (after the download had finished)....
Anybody know what's up with that? What exactly are they doing with this update that requires connecting to several different hosts during the install?
-- If it ain't broke - overclock it more.
--
The number of the modding shall be three, four shall the number of the modding not be, neither shall it be 2...
5 is right out.
My next sig will be ready soon, but subscribers can beat the rush
There is a very bad, glaringly false statement in your post.
Even on Linux, it is possible for a simple bugfix to take down an entire system.
XFree86 drivers can do this.
Kernel updates can do this.
Third party kernel driver updates can do this.
Hell, a bug / exploit in kdm could make your machine remotely vulnerable, or a simple bug could cause your machine to stop allowing logins (and don't tell me that you can Ctrl-Alt-F1 and login. That doesn't apply to end users)
I saw a problem on a friend's machine where his PAM config got trashed after an update. Guess what, his machine stopped asking for passwords on IMAPS, POP3S and ssh. If a simple misconfiguration can cause that, so can a code bug. That's no different then Windows.
All software has bugs, and those bugs can either be harmless annoyances, or critical problems. Linux can have them just as easily as Windows. Linux/UNIX software releases patches faster because they don't have complicated software development cycles (QA checks, usability, legal, etc) that has to happen before the release.
http://slashdot.org/comments.pl?sid=103769&cid=884 4370
Thanks for proving my point, weekendwarrior1980
==========
Intelligence should not be rewarded; ignorance should be punished
==========
Yeah, kind of like how companies always call them "issues" and "incidents" rather than "bugs" and "major fuckup". It's marketting spin.
Btw, I don't pee my pants over MacOS X. I think there's too much hype in that particular arena. It's FreeBSD/Mach and the NEXTSTEP GUI with some whizzy 3D effects. You'd think Apple had invented the Holy Grail the way some people rabbit on about it, though. I wonder where all these cheerleaders were when MacOS 6 had a good GUI on a crappy foundation. Probably using DOS and writing CONFIG.SYS files for their ISA sound card. Obviously the GUI and autoconfig wasn't that important.
RTFA (Read the F'in Advisory).
The bug is in the pluggable protocol handler for MHTML, which is implemented in outlook express.
For better or worse, IE is nearly infinitely extensible, and it calls out to other components to parse extra protocols.
Rather thank you personally for that than mod your post funny. Again, Thankyou.
Sleep is for the weak.
Oh my god *falls out of chair laughing*
$>man woman
$>Segmentation fault (core dumped)
I just got back from the Microsoft Security Summit, and now it makes sense. They didn't want me to see this story.
Finally up to, oh, crap I lost count after 57,683 exploits.
Keep your eyes to the sky.
I guess I'm not one to ignore certain vulnerabilities and glorify others simply because one comes from Windows.
Besides, Linux has had plenty--and has had many public break-ins in the past six months.
Great, now "Linux vulnerabilities" incude every commercial product which run on Linux.
:)
Nope--they aren't Linux vulnerabilities, they're vulnerabilities in those Linux distributions. That is to say, the Gentoo Linux operating system has several security advisories announced every week. I don't see a difference between that and Windows.
Nice try, though.
The problem really is that there are people that want to have their hands held in their computing experience. These are not generally the people that follow ESR's how to ask a question guidelines. They want to know the absolute least possible about their computer to get it to do what they want. Microsoft caters to this group. The question then becomes, do you want to take over that duty? I sure dont want to take care of people who have no will to learn anything on their own. This is why I still install winblowz on client computers when I cannot be around to support them. (client desktops, i always install linux servers for clients).
What really pisses me off is when M$ tries to make it hard for linux to move up in the other spaces, besides joe idiot user.
Yes, such bitterness comes from being a former windows NT/2k admin for about 4 years before finding linux.
The Ro Factor - Jeep/Linux Weblog
Good thing they have self-contained downloads available. Yes, they don't make 'em easy to find, but you can burn say, Win2K SP4 in all its 135MB glory onto a cd to do offline updates. This is the only way you can practically update a 56K modem-bound 'puter.
today is spelling optional day.
what mozilla extention do I need to spoof this or where to change the settings?
this sig intentionally left blank
First, I hate how everybody is listing Gentoo as having the flaws, the flaws are just discovered by Gentoo usually. They do have some patches, but they aren't know to intruduce bugs. They are doing everybody a favor by reporting these, and then people make it look like it's a Gentoo specific bug.
Most of those vulnerabilities are already patched or discovered in obsoleate software(like KDE 3.1). Gentoo is actually more secure because you can quickly update all your software with two commands.
Also, who cares if you can DOS your self with iptools? That would be more user-error than exploit(especialy as I believe that you need root permisions to do so).
It's "frist post", you insensitive clod. Learn how to spell!
Well yeah, nobody needs 10... but try to explain that to the guys who want to throw vulnerabilities from all 10 into the general "Linux vulnerability" category.
First, this isn't three vulnerabilities, it is TWENTY, addressed with three patches to make it look less severe. (And I don't really think this once-per-month patch cycle is to make adminsitrators' lives easier; I think it's to make Microsoft look better.)
Second, Microsoft has also increased the load on their servers by, oh, thirty times. While they have enough money to provision themselves with thirty times the incoming bandwidth to handle the huge burst of patch traffic once per month, at this point they don't appear to have actually DONE THIS. I am just barely able to get the Windows Update page to display at all, much less actually do anything useful like, say, download patches.
So, here I sit with a machine with twenty vulnerabilities, which they didn't tell me about all month to save face, and now that they HAVE told me, I can't patch because I can't reach their site.
We hope your rules and wisdom choke you / Now we are one in everlasting peace
we know you don't read the articles, but there just 'code' for stories that actually a talking about you.
oopsy
The Kruger Dunning explains most post on
Is anyone keeping track of exactly how many "critical" (and other categories?) bugs microsoft announces? If I could find a good source, I'd love to point it out in a meeting at work. We are mostly Mac but have been FORCED to buy some Windoze machines lately to access some Win2k+ and IE 5+ web tools (departmental timekeeping, purchasing, inventory, insurance, etc). Why people can't write simple web tools so they work on a "standard" web browser is beyond me, but anyways back to my question. If I had a good source maybe I could try and get my work to -not- buy a PC when someone asks for it, without a very good reason. Sure would save me a lot of time.. especially when people call for phone help.
Speaking of phone help... Can anyone tell me why Windows has you click through so many options when connecting to a wireless access point? There is no reason for all those options to be there. Almost everything can be totally automatic, except for choosing -which- access point and entering the -password-. Ding ding, that's -TWO- options. Why are there like, 10+? WHY? Why are there so damn many settings? I know what they all mean, and they don't all need to be there. On my Powerbook, I just choose the AP's name from a menu and type the password. Easy as that.
It's not like there was a security hole, we're just making our secure system even more secure.
What a crock of bullshit.
Microsoft reasoning aside, the current ActiveX solutions for Mozilla (as described in this thread), either do not work in Windows Update, or, like Neptune, use Internet Explorer rendering engine and security model. This nullifies any possible benefit, and I assume that you would still need Internet Explorer.
Here we go again. Nothing new here. Everybody
go to windows update, again.
I was about to crap in my pants, but then i relized I was running Linux. :-P
We didn't make YUGOs in 1960s!
Shoot, we were lucky if we had a Lada, or if you were really good to The Party, maybe a Citroen!
If you don't know what AltaVista is (was), get off my lawn.
YOU have the choice to read slashdot. Don't like it? Don't let the door hit you on the way out!
Yeah, we like reading about why M$ sucks. Sorry if you're not smart enough to see why M$ is a problem. Your loss.
My other car is first.
Yes, Linux distros come "bundled" with tonnes of software whereas Windows is very bare out of the box. I'm not sure if this is what you're referring to, but let me rant for a moment about what really annoys me. It's when some MS shill "analyst" writes a "report" puporting to compare the relative security of each system by counting bug reports. What they will do every f**king time is 1. Count all the bundled software as being part of "Linux" and 2. Aggregrate all the Linux's together thus counting most of the bugs multiple times. Surprise surprise, MS wins with a lower number of supposed bugs. Laura Didio[t] recently did one of these hack jobs (which resulted in the joint press-release from Debian, Red Hat, Mandrake, and SuSe) but it wasn't the first. This is about the third or fourth of these reports that has come out in as many years.
as to 1) That's part of my point. No one has all that software installed, and yet since it is availible from whatever distro is being counted for bugs, all that software is included. They points at 99% of software available for linux and quote the bugs in that against a much smaller population of software on Windows, though there is a decent amount of code in Windows proper these days. ;-)
It's just not a fair comparison.
As for 2), yes, I don't have a world visable ftp server anymore, and very few places do except for anonymous FTP service. There is usually only one port open on my computer, and that is for SSH. I don't even allow ICMP through, cuz I am a bit over-paranoid. However, there is only one implementation of SSH available in most distro's, so it didn't make a good example for my point
Blessed are the pessimists, for they have made backups.
There's no need to wait several years, Linux is already ready for the desktop. If you don't believe me check out Mephis, Knoppix, or Xandros.
I presonally prefer Gentoo Linux becouse of the freedom you have in choosing what applications you want on your computer, though for a noob, it is a bit daunting.
As of late any time someone wants to look "smart" or "insightful" they post a link to linuxsecurity.org in response to a inane comment about Windows security. You take a site which wants to be honest about security issues in free OSs and use it as some kind of childish comeback.
Real good sleuthing there, Sherlock.
The only thing you've done is start a pissing contest. Just don't reply to posts that don't need replying to. The parent wasn't making an argument, but a joke. You should know that we bash Microsoft here, whether they deserve it or not, AND EVERYBODY KNOWS THAT. It's not like they need to be actively defended.
What's interesting about the 3 bugs, DIPSHIT, is that they were discovered by eEye (and others) some time back in late 2003 and they sat on their hands waiting for Microsoft to publically acknowledge them and release patches.
Meanwhile all of the listings on that front page are fresh and current, and advise you to disable services there aren't already patches for. So sit and spin, my friend.
THIS THING CAN TURN ON A DIME, MACROSSZERO STYLE ALSO FUCK BETA, ~NYORON
Get a life.
THIS THING CAN TURN ON A DIME, MACROSSZERO STYLE ALSO FUCK BETA, ~NYORON
HOLY SHIT! After many years of experimental proof, the WIG (window$ is gay) Theory has been proven once and for all!
Now, time to prove the more general MIG (micro$oft is gay) theory. Damn, this one's gonna be a toughie, but together, I think we can pull it off!
and I'm going to feed a used tampon down your fucking throat.
At first I got tired of the slashdot groupthink against MS. Now I'm tired of the slashdot anti-groupthink MS apologists.
Would you please stop replying in these threads unless you can put the article into a useful context instead of slinging shit around.
Also, catch SARS. Thanks.
THIS THING CAN TURN ON A DIME, MACROSSZERO STYLE ALSO FUCK BETA, ~NYORON
Newer version of AOL Instant Messenger install spyware. It's called Wild Tangent. Considering the number of people that use AIM, alot of people have spyware and don't even realize it.
Well, maybe.
...) and we keep our machines up-to-date.
Anyway, today a worm completly took over my universities network.
We are the CS-Departement, we know what were doing (well, we still dont use Linux, I'm trying to convince them but
It spreads by a file called ascdl.exe through a remotely exploitable vulnerability. Nobody knows about this Virus (neither Symmantec, nor Google) and it spreads fast. When we delete the file, it is back a few minutes later. So I guess it may use one of these new exploits.
BTW, the internet is slow today and I guess it is this baby. It will probably infect the better part of vulnerable machines before it even has a name. I just hope it doesnt do anything nasty.
Hopefully by tomorrow AV Vendors will have analysed it and issued an update, but I predict it to become REALLY BIG (potentially bigger than Blaster).
Oh, and it changes the WINDOWS\system32\drivers\etc\hosts - file, so that you can no longer contact sites of AV Vendors and Nortons LiveUpdate is blocked too. So once you catch it, you cannot get rid of it because you cannot download the new signature file. You have to remove it manually (or it least edit the hosts-file, but who knows about it?). So the bigger part of the population will continue to have it and their computers will no longer update the definition list.
Again, I dont know if it uses one of the new vulnerabilities, but by the speed this baby spreads and by blocking LiveUpdate this is gonna be HUGE.
So if a process called ascdl.exe suddenly uses 50% of your CPU, KILL IT!
I have discovered a truly remarkable proof for my post which this sig is too small to contain.
Stupid feature. That followed by 4 minutes watching the progress bar, praying that the 97% video encoding that had taken hours already would finish first. Of course it didn't.
Nice try, though.
At the end of the day, you just have to face the fact that foo bar baz.
I'm fairly sure it also uses VBScript. At least it does in the containing frame.
I doubt anybody other than MS would support that anytime soon...
One of either KB837001, KB828741 or KB835732
kills Win2k Pro machines. These are normal business machines with the netware client installed.
'System' uses near 100% CPU and the system is incredibly slow. A long time to boot into even Safe-Cmd Mode. Its done it to 2 machines now and I'm scratching as to how to recover.
Any help?
Microsoft, on the other hand, learns about remotely exploitable vulnerabilities and then takes 6 or 7 months to figure out how to fix it. Security researchers have to hound Microsoft to fix these things, despite the obvious severity of the holes.
Not all exploits are equal. If my box is only used by me, then local privilege elevation exploits are not an issue. Remotely exploitable holes in services I can't turn off are an issue.For many multi-user servers, local privilege elevation exploits are an issue. If your users are mostly trustworthy, then the remote execution holes are still worse.
And here's mine...
Mozilla/5.0 (Windows; MVS; OS390; en-NZ; rv:2.8.2) By allowing me access, you waive all rights and policies regarding my access.
But the Volvo is more secure than a 1960 Yugo.
No, the 1960 Yugo is much more secure! Because it didn't exist, and everyone knows pedestrians are safer...
The cars made in Yugoslavia at the time were Fiats, patriotically called Zastava (which means flag).
If Internet Explorer was not part of the O/S distribution, it would be easier to uninstall it and install something better, like Opera or Mozilla Firefox (or make an option during O/S installation). The same goes for Outlook and Outlook Express.
Now that IE and Outlook is bundled with Windows, most people don't care to install anything different, resulting in many compromized machines.
Microsoft warned that three 'critical'-rated flaws in the Windows operating system
Just three? Heck, my granny can find 3 'critical' flaws. First one, "it sucks". Why can't they just admit that the OS is full of holes and is crappy?
and other programs could allow hackers to sneak into personal computers and snoop on sensitive data.
A note the whom ever it may concern. IT'S CRACKERS, not hackers. Thought `hackers' don't snoop on sensitive data by sneaking into computers. Eric Raymond Doo, where are you? We got some work to do here!!!
Happy Hacking!!!
Nothing secret about it. I use both, and I'm up at 4am to be able to get access to the #%@*& Microsoft update servers and they are slow as molasses. Gates and Ballmer are narcissistic, sociopathic boobs who are a threat to national security, and I want one of those other narcissistic, sociopathic boobs in Washington who are a threat to national security to do something about them.
Wanna come visit and help me with step 4? All the others I can handle just fine.
I have seen not mention of Windows 95. Of course, we all know that support has ended for that turkey, and seriously, I cannot blame Microsoft for that - it is sooo beyond hope. But I met dweeps who STILL use it and have this attitude that "who cares, I have nothing important on my computer" and do not realize that they could be a spam engine or distributing kiddie porn or part of a terrorist network.
Spread the word to the mundunes and ungeeked! Windows 95 must die and die NOW!
I'm not so sure that the mass patch release thing is a good idea...I've already spent over 40 minutes trying to download a 3 meg patch that should have completed in less than 2. One would think that it would be better to release the patches as they are developed to get the fix out more quickly, and to prevent this type of flooding of the update server. Just my 2 cents.
-1, Shouldn't Post To /. With A Defective ENTER Key :-)
-MT.
No, still wating on the compile.
De sig boss de sig
With all these buffer overflows, I wonder why they don't use array bounds checking in critical program parts. It's a bit slower, but it would be worth it (running a worm or virus slows your computer down even more). C/C++ doesn't have bounds checking, but I'm sure i've heard of compiler extensions that do it. Or they could use a language like Pascal (yes, I know, not my favorite either, but still a useful and bounds safe language) for security critical parts.
I run windows XP using bochs, so it affects linux, right?
My only exception is Microsoft with Windows Update.
nice. good answer to "by clicking enter you agree to these terms"
I don't know about that. A broken-down motor vehicle in the yard is less likely to get into a collsion than one that is operational.
"Who controls the past controls the future. Who controls the present controls the past." -- George Orwell
Hm. I didn't know that! Though, since my current hardware doesn't even support more than 256mb, I guess I'll worry about it another time.
Though, I'll tell you. . . When the world is crashing and burning all around me and my out-dated Win98 box is still chugging away on critical projects, (not games,) with no problems, I can only thank myself for deciding to jump off the MS Bandwagon of DOOM before the turn of the century.
I'm switching to Linux soon anyway, now that they've solved the CMYK issue.
-FL
"Yeah, it sucks, but I don't want to have to buy all new software."
I'm in the hole of the broadband donut.
> 1) why would you need 10 different ftp servers?
You probably don't even need one. But if you do need one, it's nice to be
able to pick your favourite one, install it right off your distro CD, and
have it configured and running in two minutes flat. Since not everyone has
the same idea about which one they want (see, some people prefer wu-ftp, but
those in the know use proftpd), the distro includes all the major ones, so
you can pick whichever one you want.
The other poster's point was that when a vulnerability is reported in a
distro, in many cases it's in some optional package like that that most users
aren't even using. Not in every case, of course. There were those openssh
issues a while back, for example... those were pretty major, because there
are alternatives to openssh but nobody seems to use them and most distros
don't even include them. And a lot of distros turn on sshd by default. So
a vulnerability in that impacts nearly everyone. But a lot of the "Linux
vulnerabilities" you hear about are not like this at all, more like "Hey,
all users of Bob's Fancy MP3 Jukebox, it has been discovered that the plugin
for playing Windows Media format files directly off the internet is vulnerable
to a cross-site cookie vulnerability that can allow a malicious site you
play music from to track you; users are advised to update to version 0.1.18
of the plugin and version 0.2.8 or higher of BFMJ."
Even a lot of the security advisories that theoretically have to do with
stuff everyone uses don't actually impact most people. For example, there
was an Apache issue a while back that only hit you if you were using some
fairly specific configuration; I don't recall the details, only that none
of the five systems I look after that have Apache on them needed an update,
since none of them were using whatever it was that was vulnerable.
Cut that out, or I will ship you to Norilsk in a box.
> There are 20 separate vulnerabilities in Windows and Outlook Express
No. No, no, no. There is *one* vulnerability in Outlook and Outlook Express,
one that has been public knowledge for about a decade now and Microsoft has
thus far made no attempt to fix. The vulnerability is, Outlook and Outlook
Express deliberately treat untrusted data in ways that untrusted data should
NEVER be treated under ANY circumstances. Their whole approach to security
is, instead of the correct this-data-is-untrusted approach, a dain brammaged
fix-specific-problems approach, wherein the data that ought to be untrusted
is stopped from doing certain specific things that have been known to cause
problems in the past but still allowed to do basically anything else.
There may be 20 separate specific ways this can be exploited, and more will
be discovered next week, but it's fundamentally *one* issue.
Executive summary: Outlook and Outlook Express don't *have* security holes;
they *are* security holes, big fat wide-open ones.
Cut that out, or I will ship you to Norilsk in a box.
It was my understanding that the OS itself can't use more than 256, however applications can.
Windows Update is getting hammered! I've got a box I need to update (yeah, it's a work box...) and I've had to try 6 times so far, because WU is so fscking slow!
The only reason we have the rights we have is that people just like us died to gain those rights. -- Cheerio Boy
Thanks for explaining the joke you asshole. Go back to fucking your mom.
Not to mention that I don't see Debian on this list, which is not only a linux distro, it is a popular and 31337 distro. I like the guy's post and hate how it was modded, but he should have noted that Debian is the b0mb.
But the parent managed to post essentially the exact same thing (a link to linuxsecurity and a snide comment) at least FIVE TIMES in that article's comments.
And examining his posting history, he's done it a few other times too.
And I've seen some other anti-slashbots (if that's what you call them) doing the exact same thing, with mostly the exact same advisories.
HOW IS THAT ANY BETTER THAN ANY OTHER SLASHDOT BULLSHIT?
Hur hur... I posted a link to a LUNIX advistory. Take that micheal HUR HUR! Oh wow, I just came all over myself. HUR HUR.
THIS THING CAN TURN ON A DIME, MACROSSZERO STYLE ALSO FUCK BETA, ~NYORON