Slashdot Mirror


Microsoft Announces Three More Critical Vulnerabilities

weekendwarrior1980 writes "Microsoft warned that three 'critical'-rated flaws in the Windows operating system and other programs could allow hackers to sneak into personal computers and snoop on sensitive data. The flaws could allow attackers to break into PCs running Windows in several ways and then use the system to run malicious programs and steal or delete key data. These latest security flaws affect the latest versions of Windows, including Windows NT 4.0, Windows 98, Windows 2000, Windows XP, as well as software for networked computers such as Windows NT Server and Windows Server 2003." Their bulletins are available for these vulnerabilities. Techweb has a pretty good summary.

107 of 486 comments

  1. Uh-oh by SpiffyMarc · · Score: 5, Funny

    Now that the word is out on these, Microsoft is going to have to post a big link to all the articles about that new Mac OS X trojan all over their homepage...

    1. Re:Uh-oh by Anonymous Coward · · Score: 5, Funny

      A lot of people joke about Mac vulnerabilities, but the simple fact is that something like that could really wreak havoc somewhere like an art school or large interior design firm.

    2. Re:Uh-oh by ringbarer · · Score: 4, Funny

      So nowhere important then.

      --
      "Why did they cancel my favorite Sci-Fi show? I downloaded ALL the episodes!"
    3. Re:Uh-oh by tbone1 · · Score: 3, Funny
      something like that could really wreak havoc somewhere like an art school or large interior design firm.

      And this is bad because ... ?

      Yours sincerely,
      Dan Dierdorf
      Host of Straight Eye for the Queer Guy

      --

      The Independent: Reverend Spooner Arrested in Friar Tuck Incident - ISIHAC, Historical Headlines
  2. More than three by untermensch · · Score: 5, Informative

    Actually, according to the article there aren't just three vulnerabilities. There are 20 separate vulnerabilities in Windows and Outlook Express, 8 of which are critical, and 16 of which are remotely exploitable. Microsoft has bundled the patches for these into 4 separate downloads - 3 for Windows and 1 for Outlook Express.

  3. Worm Writer's Delight by Dynamoo · · Score: 5, Interesting
    What's frightening is that there are *so* many remote code execution vulnerabilities in this one. At least they're all rolled up into one patch. But this gives so many potential backdoors for a Blaster style worm.

    Here we go again...

    --
    Never email donotemail@WeAreSpammers.com
    1. Re:Worm Writer's Delight by Joe the Lesser · · Score: 4, Funny

      "Sir Gates, we've analyzed their attack plan and there is a danger. Should we have your shuttle ready?"

      Evacuate? In our moment of triumph? You underestimate their chances.

      --
      "I only speak the truth"
      Karma: null(Mostly affected by an unassigned variable)
    2. Re:Worm Writer's Delight by zackeller · · Score: 5, Informative

      Overestimate.

    3. Re:Worm Writer's Delight by Joe the Lesser · · Score: 4, Funny

      I shall accept full responsibility for my misquote, and apologize to /. personally.

      --
      "I only speak the truth"
      Karma: null(Mostly affected by an unassigned variable)
  4. Honesty is sometime stupid by Assoupis · · Score: 5, Funny

    Microsoft could just send its service pack, and as usual, during installation, print meaningless phrases such as: registering component, building registry, etc...

    1. Re:Honesty is sometime stupid by mistermund · · Score: 5, Funny

      registering component, building registry, etc...

      Reticulating splines....

  5. I was wondering about that by ObviousGuy · · Score: 5, Interesting

    I've got IE configured to present itself to websites as Netscape so I can't check the Windows Update webpage, I have to rely on automatic update to tell me of new patches. For the past couple months there has been nary a one patch, then today a whole handful of them.

    What a surprise. My bandwidth was halved by the invisible download.

    Whoops. Be right back. Install is finished, gotta reboot.

    --
    I have been pwned because my /. password was too easy to guess.
    1. Re:I was wondering about that by Numeric · · Score: 2, Insightful

      I've got IE configured to present itself to websites as Netscape so I can't check the Windows Update webpage

      Why don't you just download Netscape/Opera/FireFox and just use IE for windows update? You should manually be able to control what updates you are doing then.

      --
      -- ladies and gentlemen we are floating in space!
    2. Re:I was wondering about that by toddestan · · Score: 2, Funny

      I've got IE configured to present itself to websites as Netscape ...

      Isn't that like putting the "VTEC" and "Type R" badges on a '87 Civic?

  6. I continue not caring... by forkazoo · · Score: 3, Insightful

    I hate to sound like a troll, but I really don't care about all the MS security vulnerabilities. I've cleaned up a bunch of systems in the last week that were all virus and spyware infested, because the user clicked on things they shouldn't have. If Microsoft required a prompt for the root password whenever a program tried to install itself, similar to what OS X and many Linux apps do, it would make all the actual security vulnerabilities matter much more.

    We need internet licenses. Nobody without a geek code should be granted an IP address. It's that simple.

    1. Re:I continue not caring... by omicronish · · Score: 5, Insightful

      If Microsoft required a prompt for the root password whenever a program tried to install itself, similar to what OS X and many Linux apps do, it would make all the actual security vulnerabilities matter much more.

      The Windows defaults with regards to user privileges are crap, and you are right, these vulnerabilities don't matter when everyone has administrative privileges anyway.

      Requiring a password to install a program would be difficult in Windows, however, since the installation programs are provided by the software, not Windows (unless it's a Windows Installer package, in which case there's full support for requiring Administrator privileges to install applications). Windows really has no way of telling the difference between a normal application and an installer.

      However, what you can do is lock down file permissions. What I did on Windows XP was remove Users write access to the boot drive, Windows directory, Program Files directory, and Documents and Settings (except for the user's profile). Installation programs can still run, but they won't be able to install software to any important location. At worst, the user can install to their profile, but any malicious program becomes a problem only for that user. It's akin to untarring, compiling, and running a program from your home directory on Linux.

      I've heard of bad programs that require Administrator privileges or write access to their Program Files directory, in which case this setup will present problems. Still, it's a problem with the program itself, not a Windows problem, although lax or non-existent installation guidelines may have contributed. I personally think all these permissions should've been defaults years ago.

    2. Re:I continue not caring... by forkazoo · · Score: 3, Insightful

      Most people who have spyware installed, have no farking idea how it got there. If the computer forced them to have some active participation, they might at least try to be aware of what's going on, rather than just clicking okay. A system level alert box that proudly declares "You Are Installing Software On Your Computer" wouldn't stop most people from installing it, but for god's sake, at least they'd *know* they were installing something!

    3. Re:I continue not caring... by KshGoddess · · Score: 3, Informative
      We need internet licenses. Nobody without a geek code should be granted an IP address. It's that simple.

      Then implement training at your site. At least suggest it. Computers are tools. We don't require people to get socket-wrench certified, or expect (most of) them to take telephone answering lessons. Most people think of computers in the same way.

      Why should we expect users (consumers, customers, grandmas) to know everything about the complex tool that they've been given? Most people use their computer for email and surfing the web. They don't care about or want to know how it works. As long as it does.

      As a "sysadmin", it is your job to make sure that users are able to work. Within those bounds, you may encounter issues with users doing stupid things. Most of the time, they don't realize what they're doing is what's bogging down their computer. Usually, if you say "I found that the problem was that you have [kazaa | bearshare | napster] installed, and it's what's bogging your PC down, and oh by the way, these things aren't allowed," people listen. Sometimes they even learn something.

      Someone within your organization should have the authority to say "X is allowed, Y is not." and to have the authority to also say "You signed this piece of paper saying you wouldn't Y, and we have concrete evidence that you Y all the time. Your manager and HR have been notified."

      IT is a service organization. Being arrogant about what you know versus what your users know doesn't work very well, and ends up getting us all branded as Nick Burns, Computer Guy.

      As for the permissions bit, MS is both really good and really horrifyingly awful about user permissions. Yes, you can set it up so that the user has no power to install software, modify the registry, etc., but you'll end up with (a) a user who resents you or (b) several one-offs where the user has to have admin privileges to do their job or even (c) a user who finds their way around your rules and limitations.

      --
      It's a little wrong to say a tomato is a vegetable. It's a lot wrong to say it's a suspension bridge.
  7. These has been known about for a LONG time... by tweakt · · Score: 4, Informative
    These were listed on eEye's page as undisclosed critical vulnerabilities affecting upwards of 300 million systems, along with original discovery date, and time since notification. They typically give 30 days, but last I checked it was 90 and 100+ days late. These are over 6 months old I think.

    Sorry, no link because the site seems to be down/slow... it must be linked to from another announcement posted elsewhere.

  8. There's a market for... by tyrani · · Score: 2, Interesting

    A good, easy to read, consumer grade local port sniffer / analyzer. How hard would it be to build a frontend that reported on "odd" behavior?

    --
    rejected (19) accepted (0)
    Is there a psychological term related to getting your stories rejected on slashdot?
  9. Re:Yay! by pudding7 · · Score: 2, Insightful

    You're worried about your "uptime" but you have no problem making pointless posts on Slashdot?

    Idiot.

  10. Service Pack 2 by -tji · · Score: 4, Interesting

    That site with their bulletins also has a link to the XP Service Pack 2 release candidate.. That thing has been in the works for so long. Hopefully it makes some useful improvements in their security.

    It looks like the firewall will basically be a built-in ZoneAlarm, with better inbound abilities, and outbound application controls.

    They also have some buffer overflow protections. Are they good enough to make a difference?

    1. Re:Service Pack 2 by PingXao · · Score: 2, Informative

      Just last night I was rummaging around the MS Windows XP security newsgroup. The new SP2 ICF firewall will NOT challenge outgoing communications. The rules you can set up with it generally apply only to incoming connections. If an application tries to establish a listening port ICF will challenge that, but outgoing connections aren't controlled.

  11. OE exploit? by xpl_the_myst · · Score: 2, Interesting
    What I don't understand about the OE exploit is that it basically results from running HTML code in something called a Local Security Zone of IE. Isn't that a vulnerability in IE itself? That's what I can make out from the article itself:

    An attacker would have to entice users to read a maliciously-crafted HTML e-mail message or use IE to surf to a malicious Web site to grab control of the PC ...

    --
    This sig is empty.
  12. Re:I've noticed by Anonymous Coward · · Score: 5, Insightful

    no -- that's just not true.

    there are misinformed people who don't understand the issues with the bugs reported in linux who then fan the flames about "holes in linux" as if they are of the same level of problem as these weekly holes in windows.

    a theoretical overflow on a linux server running openssh is a lot different than a open hole that runs executable attachments

    as a windows user, you should spend your time patching windows, not reading news.com

  13. Is Microsoft just stupid? by bigattichouse · · Score: 2, Interesting

    1) patch the OS, since no one can see it, with a bit of code to "simulate" a buffer overrun... in actuality it reports back to MS home office the IP address of the affected machine. Call it a "straw man" flaw
    2) release a patch for other problems and have this new item go with the patch
    3) release a "known flaw".. await for the first few reports of the flaw
    4) show up at the butthead's house with a few large baseball bats
    5)??
    6) profit!

    --
    meh
  14. Re:More than three by Proud like a god · · Score: 5, Informative

    Are Windows 98, Windows 98 Second Edition, or Windows Millennium Edition critically affected by any of the vulnerabilities that are addressed in this security bulletin?
    No. None of these vulnerabilities are critical in severity on Windows 98, on Windows 98 Second Edition, or on Windows Millennium Edition.


    Another reason for home users and gamers to stick with 98SE. Obviously most businesses aren't so lucky. :-S

  15. Windows update server is running kind of slowly by Igottapoop · · Score: 5, Funny

    I think we /.ed microsoft!!

  16. Won't announcing vulnerabilities cause exploits? by David Hume · · Score: 5, Interesting
  17. Re:Windows Critical Vulnerabilities by WhiteWolf666 · · Score: 5, Funny

    Finish perfecting XP?

    Are you kidding??

    They need to finish perfecting 95 first, then start to get 98/SE/ME done, then get 2000 out of beta, then try and desperately lockdown XP.

    Seriously, MS operating systems never get finished. . . .

    They simply get discarded.

    --
    WhiteWolf666 an exBush supporter. All you new-school,compassionate,save the children Republicans can rot in hell
  18. Re:I've noticed by cybermancer · · Score: 4, Insightful
    ...a lot of vulnerabilities that concern Linux never get posted to slashdot. Usually I read about these on news.com.

    news.com is a real news site, so they post real news. I am surprised anyone reports vulnerabilities in MS Windows as news. The only reason to report these is so people know to update again, and to poke fun at the joke that is Microsoft's quality control. Real news would be if they go for an extended period of time without a vulnerability!

    For Linux on the other hand it is an event when there is a vulnerability reported.

    --
    "Anything is possible with enough programmers, time and pizza." (Substitute caffeine for time as needed.)
  19. Re:More than three by Proud like a god · · Score: 2, Informative

    That is, wrt bulletins MS04-011, MS04-012 and MS04-014.

    Of course MS04-013 is about Outlook Express so you may still be vulnerable on these OSs.

  20. Re:In other news by dustmite · · Score: 4, Funny

    That's 'cause most of us are secretly using Windows ;)

  21. I hate all of you by RevDobbs · · Score: 5, Funny

    So, "We only use Linux" cries the slashdot crowd...

    Then why the hell is windowsupdate.microsoft.com slashdoted? You bastards.

  22. Actually.. by theobscurest · · Score: 2, Informative

    ..Microsoft recently (last Fall I think) changed their critical update release schedule to coincide with the second Tuesday of each month to supposedly take some of the workload off of the sysadmins. Thus, today is the day.

    However, as a sysadmin I still have mixed feelings about this. If something is a critical vulnerability, I think a patch needs to be released as soon as it becomes available. At the same time, it's a real pain in the butt to have to go around to hundreds of computers to make sure auto update is actually doing its job. More specifically, the last time I checked machines to see if they were auto-updating, at least a third of them weren't even though they are always on and set up to do so. Not to mention the machines that fatally crash due to windows updates..

  23. You know, by warrax_666 · · Score: 5, Insightful

    there is a difference between REMOTE ROOT exploits and LOCAL PRIVILEGE-ESCALATION exploits. But then, you just wanted to appear clever, didn't you?

    --
    HAND.
    1. Re:You know, by finkployd · · Score: 4, Funny

      Besides, local privilege escalation exploits are up there as being just as bad in my book.

      I can't think of a nice way to say this...

      Your book sucks. :)

      Finkployd

    2. Re:You know, by gad_zuki! · · Score: 3, Insightful

      >Besides, local privilege escalation exploits are up there as being just as bad in my book.

      Exactly. A lot of good that firewall does when your coworkers click on an email attachment that sails right through the firewall.

    3. Re:You know, by finkployd · · Score: 3, Informative

      To do local privilege escalation you need to have a local user account no? Remote exploits let the whole world in.

      Finkployd

    4. Re:You know, by Chuck Chunder · · Score: 4, Insightful
      You don't need true root privileges for any of that.
      Indeed, that's why remote exploits are more annoying in many cases than local ones. People in general don't have much of a motive to want root on a machine they have access to, they can usually pretty much do what they want already. In many environments privileges etc aren't there for "hard" security reasons but merely to protect the system and users from unintentional harm from other users.

      For remote exploits, root or otherwise, it only takes one numbnut to code a self-propagating exploit and anyone and everyone is in the firing line.
      --
      Boffoonery - downloadable Comedy Benefit for Bletchley Park
    5. Re:You know, by Ckwop · · Score: 3, Interesting

      Hmm your threat model should include people who have a local user account?

      I mean, do the l33t|sts just give up trying to get a valid user account?

      What about the disgruntled employee who wants to waste some time by destroying his own PC?

      Simon.

  24. Re:More than three by dj245 · · Score: 5, Funny
    The number of the vulnerabilities shall be 3. 3 shall be the number of the vulnerabilities, the number of the vulnerabilities shall be 3....

    Actually, according to the article there aren't just three vulnerabilities. There are 20 separate vulnerabilities in Windows and Outlook Express, 8 of which are critical, and 16 of which are remotely exploitable.

    HOLY #*&$*!!! /me patches like mad

    The people who previously expressed the number of vulnerabilities as 3 have been sacked. In a separate sacking, the person responsible for bundling downloads for Windows and Outlook Express separately, thus making even more confusion, has also been sacked.

    The person responsible for not defining all remotely exploitable vulnerabilities as critical has also been sacked.

    As this is a /. joke, and nobody at microsoft has actually been sacked, the writer of this post has also been sacked, having failed in actually sacking the previously aforementioned sacked.

    --
    Even those who arrange and design shrubberies are under considerable economic stress at this period in history.
  25. mod parent +funny! by harveyswik · · Score: 2, Funny

    please? :-)

  26. Windows Says: by AvantLegion · · Score: 4, Funny
    "Fuck you, Mac. You think you got exploits? You ain't got SHEEIT, son! Go play with your dollies, leave security holes to Daddy."

  27. Go here for what you need by bonch · · Score: 4, Informative

    LinuxSecurity.com Advisories. It gives you the last 15 advisories (right now it's 15 in the past three days!), and you can click on each distro, including the BSDs, and get archived advisories for each one. Very useful, complete with links to the actual bulletins.

    Yes, you are right--these things never appear on Slashdot except when there are major kernel exploits. To be honest, I've noticed lately a dissident tide in Slashdot, where people are a little weary of the anti-Microsoft spin. Nothing wrong with posting about Windows vulnerabilities, of course, but you do have to view the context with which it's posted--an OSDN-owned website that posts pro-Linux articles and just so happens never to mention Linux security advisories. But a user-run executable will become front page news as a new "Microsoft Worm."

    I've just noticed more people annoyed by it lately, even the partyline pro-OSS guys. Simplistic agendas shouldn't be something to embrace on a site that is touted as the epicenter for geek tech news on the Internet. I guess my sig reflects that I've become one of those people as well who feels the need to balance out the spin going on... :P

    1. Re:Go here for what you need by RoLi · · Score: 4, Interesting
      I just looked at your site and for my distribution (SuSE) the only REMOTE vulnerability in the LAST YEAR was gaim which I don't even use (I use LICQ).

      All the others were denial of service vulnerabilities or elevation of privileges problems, which in case of the kernel are of course a bad thing and which have been reported on Slashdot several times.

      So in the last year, I had exactly ZERO vulnerabilities that would represent an immediate danger to my Linux boxes (elevation of privileges is bad, but not an immediate danger for me because I don't run any mass-user hosts) and in the meantime the Windows-world had MS-Slammer, MS-Blaster and many, many other problems.

      If you want to stick your head into the sand, do so, but please don't think that you are smart doing so or that anybody else has got a "party line".

    2. Re:Go here for what you need by Azi Dahaka · · Score: 2, Informative

      Yes, but there truly is a difference. That page lists vulnerabilities for linux packages, not Linux or a specific linux distribution. For example, I see scorched 3d in there twice. You probably would not say an AIM security flaw is evidence of Windows insecurity.

      Next, a lot of these will not be running on all systems, especially considering several are vendor specific.

      Most are not remote, complete system takeover vulnerabilities either. They tend to either be DoS, run arbitrary functions as a daemon (www-data, nobody, gid games, etc), or local exploits.

      Plus, many aren't so much privilege escalation or DoS, but rather are a way to evade auditing or monitoring, for example the Squid vulnerability.

      Admittedly several of those are pretty bad (the pwlib and ipsec-tools ones for example), but this is a poor comparison. To really compare, compare vulnerabilities found in an out-of-box installation of a single distribution. And even then, only use it as evidence of that distribution's insecurity.

      And not that it matters much, but 12 April to 7 April is five days, and today is the 13th. There are only two items listed for the past three days.

      I seem to recall an openssl, openssh, apache and linux kernel exploits making headlines at slashdot, but you can't expect every vulnerability for every package to be listed. This news of 20 vulnerabilities being fixed at once seems newsworthy.

    3. Re:Go here for what you need by eclectro · · Score: 2, Funny


      I agree that there is too much of an anti-microsoft slant on Slashdot. Windows is a secure, reliable *##buffer overflow##* platform. It will only become more @@#-ha ha ha ha-#@@ secure as time passes, and trusted %$@-I 0wn3r j00-@$% computing will become a reality. I myself have run Windows %$%-I'm s0 133t-$%$ with little problems for years. I too think this is way overblo@@@@NO CARRIER

      --
      Take the cheese to sickbay, the doctor should see it as soon as possible - B'Elanna Torres, "Learning Curve"
  28. put it on the list by t_allardyce · · Score: 2, Funny

    first post

    in soviet russia critical vulnerabilities announce Microsoft!

    1. Announce critical vulnerability
    2. ??
    3. Profit

    if people used linux/oss this wouldnt happen
    - oh sure, just because slashdot doesnt report linux vulnerabilities!

    natalie portman naked and vulnerable?

    can someone point me to a mirror the site is down?

    can someone point me to an open source version of this?

    this wouldnt happen if it was ogg based.

    --
    This comment does not represent the views or opinions of the user.
  29. Starting To Respect Microsoft by nathanh · · Score: 3, Insightful

    It's not good that they're having so many publicly visible flaws, but I'm really impressed that Microsoft is starting to be honest and forthcoming in their reporting. I remember a time when the bugs wouldn't get announced until the exploit was already wreaking havoc. Now it seems the bugs get reported and patched before there are any exploits. That's very professional; they can't be perfect but they can be responsible.

    I have a lot of respect for that.

    1. Re:Starting To Respect Microsoft by Tough Love · · Score: 4, Insightful

      "It's not good that they're having so many publicly visible flaws, but I'm really impressed that Microsoft is starting to be honest and forthcoming in their reporting."

      That's because you're gullible. A bunch of these vulnerabilities have been known for months and Microsoft hasn't announced them. Maybe so they can argue that Microsoft has the shortest time from vulnerability announcement to patch availability, like they tried to say last week.

      Starting to be honest, huh, looks like more of the same to me.

      --
      When all you have is a hammer, every problem starts to look like a thumb.
  30. oh the irony! by BinaryJono · · Score: 5, Funny

    seeing the microsoft security ad (http://m2.doubleclick.net/viewad/930640/MRS03141_ ityouwe_728x90_anima.gif) at the top of the page while reading this article was just too much...

  31. Free karma... by Turmio · · Score: 4, Informative
  32. That's actually true by bonch · · Score: 4, Insightful

    According to CmdrTaco, the majority of Slashdot visitors use IE. Kind of puts things into perspective as far as the "movement" goes.

    1. Re:That's actually true by freeweed · · Score: 4, Interesting

      I'd say it's more likely the majority (or at least a goodly chunk) of Slashdot users use something like Opera or Mozilla*, which lets you spoof your browser ID to websites. I do it, or I'd be locked out of a good many moronic sites (one being my bank) that only think IE works.

      Although with the level of pro-MS posting and moderating on a dramatic increase over the past year, I wouldn't be surprised if we have a lot of IE users here now.

      (Quick! To get some instant karma, talk about some obscure SSH/apache/whatever exploit that wouldn't affect anyone using Linux as a *desktop* system and is only applicable to a service that isn't run by default on any major distro, and claim that Linux is as insecure as Windows! Then whine about Slashdot's "bias" towards Linux to make sure you keep getting modded up!)

      --
      Endless arguments over trivial contradictions in books written by ignorant savages to explain thunder in the dark.
    2. Re:That's actually true by interiot · · Score: 5, Insightful

      And the majority of visitors don't post, many don't read the comments. Just because they use Slashdot as a way to keep from missing important tech news doesn't mean they're necessarily sympathetic to OSS philosophy.

    3. Re:That's actually true by cbreaker · · Score: 2, Insightful

      Lots of people do Slashdot from work, where lots of us have no choice but to use IE.

      That can easily sway the numbers.

      --
      - It's not the Macs I hate. It's Digg users. -
  33. Just exactly how does this happen. by Talinom · · Score: 3, Interesting

    This isn't a troll. This is an honest question.

    How does a critical vulnerability happen? Seriously. Is there a URL someone can provide or a good description that shows what it takes to make an OS or application with a vulnerability? I read just about every week or so about "Application X" or "OS Y" having a security issue and a deeper understanding of what is going on is a good thing to help judge the threat of the warning. It will also help reduce the FUD factor a little bit. If an example (current or outdated) could be given showing HOW the security of a system is compromised that would also be beneficial.

    --
    "Giving money and power to governments is like giving whiskey and car keys to teenage boys." - P.J. O'Rourke
    1. Re:Just exactly how does this happen. by cpghost · · Score: 4, Informative

      Try "Smashing the Stack for Fun and Profit", Phrack 49, Art. 14. It's a nice introductory tutorial to the common class of buffer overruns.

      --
      cpghost at Cordula's Web.
    2. Re:Just exactly how does this happen. by hobuddy · · Score: 4, Informative

      How does a critical vulnerability happen? Seriously. Is there a URL someone can provide or a good description that shows what it takes to make an OS or application with a vulnerability?

      Of course there's an infinite number of ways to write a vulnerable program, but the most common is to run afoul of a buffer overflow. A buffer overflow is a relatively simple flaw, but it's an easy mistake to make in C and C++ because those languages give economy of computational resources precedence over every other consideration, including security and stability.

      There's an illustrated and fairly concise introduction to buffer overflows at LinuxJournal.

      --
      Erlang.org: wow
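An added illustration of the buffer overflow class described in the two replies above; it is not code from any poster or from the articles they mention. The `account` record, the function names and the inputs are constructed for the example, and the unchecked copy is modelled as a byte copy over the record so its effect on the neighbouring field is deterministic.

```c
/* Added example: constructed record, names and inputs; not from the thread. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* A fixed-size buffer sitting directly in front of security-relevant state. */
struct account {
    char name[8];
    int  is_admin;
};

/*
 * Unchecked copy: the length comes from the input, not from the destination.
 * It is modelled as a byte copy over the record's object representation and
 * capped at sizeof(struct account), so the spill into is_admin is
 * deterministic instead of undefined behaviour.
 */
static void set_name_unchecked(struct account *a, const char *src)
{
    unsigned char *dst = (unsigned char *)a;
    size_t n = strlen(src) + 1;          /* the input decides how much is written */

    if (n > sizeof *a)
        n = sizeof *a;                   /* keep the demonstration inside the record */
    for (size_t i = 0; i < n; i++)
        dst[i] = (unsigned char)src[i];
}

/* Checked copy: reject anything that does not fit, terminator included. */
static int set_name_checked(struct account *a, const char *src)
{
    size_t n = strlen(src);

    if (n >= sizeof a->name)
        return -1;                       /* refuse rather than silently truncate */
    memcpy(a->name, src, n + 1);
    return 0;
}

/* Returns the value of is_admin after an unchecked write of `input`. */
int flag_after_unchecked(const char *input)
{
    struct account a = { "", 0 };

    set_name_unchecked(&a, input);
    return a.is_admin;
}

/* Returns the value of is_admin after a checked write; *rc gets the result code. */
int flag_after_checked(const char *input, int *rc)
{
    struct account a = { "", 0 };

    *rc = set_name_checked(&a, input);
    return a.is_admin;
}

int main(void)
{
    /* Constructed inputs: one that fits, one longer than name[8]. */
    const char *inputs[] = { "bob", "AAAAAAAAAAAA" };

    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        int rc;
        int unchecked = flag_after_unchecked(inputs[i]);
        int checked = flag_after_checked(inputs[i], &rc);

        printf("%-14s unchecked is_admin=%#x  checked is_admin=%d (rc=%d)\n",
               inputs[i], (unsigned)unchecked, checked, rc);
    }
    return 0;
}
```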
  34. Like hell that's insightful by nathanh · · Score: 5, Informative
    That a lot of vulnerabilities that concern Linux never get posted to slashdot. Usually I read about these on news.com.

    Open source vulnerabilities and incidents get reported all the freaking time on Slashdot.

  35. Sorry to burst your bubble, guys by bonch · · Score: 3, Informative
  36. Yearly updates by cove209 · · Score: 2, Interesting

    I wonder (and I am not slamming macs here since I own one) if Microsoft released a new version of Windows yearly like Apple does (for a fee most times) if it would address issues such as this one. Then again, if MS released Windows XP 2004 and charged $129, would most people install it?

  37. Sp2 Beta by OneArmedMan · · Score: 3, Interesting

    I have Win XP sp2 on my work machine here ( dont ask )

    and i just did a windows update then .. and behold for there were no critical Windows updates to be found anywhere ..

    so either MS is broken ( heh ) or MS knew about these problems a looooooong time ago and already had the patches in SP2, cause i have been running this SP2 beta for at least 3 or 3 weeks now...

    1. Re:Sp2 Beta by aderusha · · Score: 4, Interesting

      or option c) SP2 beta isn't recognized by winupdate, so you're going to be exposed.

  38. wait wait wait... anyone else here suspect this? by ShadowRage · · Score: 2, Insightful

    that the fact microsoft is suddenly letting people know more about this, saying they'll up security, etc think it's a sham so when longhorn comes out on a palladium DRM locked system, and it's announced it's more secure than ever, people will flock to that, or at least, what they hope?

  39. Windows Update in Firefox by Faizdog · · Score: 4, Interesting

    Well,
    After the Nth spyware that infected IE, about 10 days ago I finally had enough of it and switched to Firefox. Haven't looked back since, Firefox rocks.

    So after I read this /. story, went to the Windows Update website, and lo and behold, it only works with IE. I can go to the Microsoft Download Center if I use another browser besides IE, but I actually like the way Windows update works, scanning my computer and giving me options for what I can install.

    Looked through the Firefox FAQs, couldn't find any mention of this. Anyone have another suggestion, or should I use IE for updates and Firefox for everything else?

    --
    -"Those who fought today will die tomorrow."-
    1. Re:Windows Update in Firefox by Dave2+Wickham · · Score: 2, Informative

      AFAIK Windows Update uses ActiveX, so you need to use IE anyway.

      Note: I don't often deal with Windows Update, being a Linux user myself, so I could well be wrong.

    2. Re:Windows Update in Firefox by elleomea · · Score: 2, Informative

      It's impossible to use Firefox for this task since the Windows Update system uses ActiveX controls to handle things.
      ActiveX is also one of the main reasons for many of the security issues and spyware installing programs, etc. in IE. This is due to the fact that, unlike Java, it doesn't run in a sandbox, allowing ActiveX programs complete access to the system.

    3. Re:Windows Update in Firefox by steveha · · Score: 4, Interesting

      You need to use IE for Windows Update. Full stop.

      One of the things that makes Firefox more secure is that it is just an application, it cannot install software for you. One of the things that makes Windows Update work is that IE can install software for you.

      Windows Update is the main reason IE is still on my Win2K desktop computer.

      steveha

      --
      lf(1): it's like ls(1) but sorts filenames by extension, tersely
    4. Re:Windows Update in Firefox by Deviate_X · · Score: 5, Informative

      If you have disabled IE you can install and run the Security Baseline Advisor. It basically does the same thing as Windows update.

  40. Re:Slashdotted by nacturation · · Score: 3, Funny

    I found a mirror at http://www.w1ndowsupdate.ru/update.scr. I guess this must be Microsoft's Russian offices?

    --
    Want to improve your Karma? Instead of "Post Anonymously", try the "Post Humously" option.
  41. No reporting, major problems. by MacFury · · Score: 2, Funny
    If no one reports the exploits, M$ simply won't fix them. They have no incentive to unless there is a public backlash. Even still, they would just settle out of court. :-) I think we should coin a new phrase. Whenever someone is clearly in the wrong, and just settles out of court...we should call it M S'ing (em ess ing)

    Sort of like BSing.

  42. Re:That's actually true (obligatory spoofing ref) by YetAnotherDave · · Score: 2, Funny

    from my proxy config:

    user-agent "Mozilla/4.0 (compatible; MSIE 9.01; Windows NT Sucks)"

  43. Re:More than three by daishin · · Score: 3, Funny

    ARTHUR: How do you do, good lady. I am Arthur, King of the Microsoftons. Whose
    castle is that?
    WOMAN: King of the who?
    ARTHUR: The Microsoftons.
    WOMAN: Who are the Microsoftons?
    ARTHUR: Well, we all are. We are all Microsoftons, and I am your king.
    WOMAN: I didn't know we had a king. I thought we were an autonomous
    collective.
    DENNIS: You're fooling yourself. We're living in a dictatorship. A self-
    perpetuating autocracy in which the working classes--
    WOMAN: Oh, there you go, bringing class into it again.
    DENNIS: That's what it's all about. If only people would hear of--
    ARTHUR: Please, please good people. I am in haste. Who lives in that castle?
    WOMAN: No one lives there.
    ARTHUR: Then who is your lord?
    WOMAN: We don't have a lord.
    ARTHUR: What?
    DENNIS: I told you. We're an anarcho-syndicalist commune. We take it in
    turns to act as a sort of executive officer for the week.
    ARTHUR: Yes.
    DENNIS: But all the decisions of that officer have to be ratified at a special
    bi-weekly meeting--
    ARTHUR: Yes, I see.
    DENNIS: By a simple majority in the case of purely internal affairs,--
    ARTHUR: Be quiet!
    DENNIS: But by a two-thirds majority in the case of more major--
    ARTHUR: Be quiet! I order you to be quiet!

    --
    (\_/)
    (O.o) This is Bunny. Add Bunny to your signature
    (> <) to help him achieve world domination.
  44. Linux is not 100% secure by RoLi · · Score: 5, Insightful
    ... just like a Volvo is not 100% secure. But the Volvo is more secure than a 1960 Yugo.

    So, I'd rather choose the system that while not perfect is pretty good than a crappy system whose vendor chooses to put out press-releases about security instead of actually dealing with the problems.

    As usual, in theory, Windows is great:

    • In theory, everybody uses those super-fine-grained permissions in Windows. (In real life those permissions are so complicated that most ignore them)
    • According to MS-PR theory, Linux is very dangerous because "everybody" can put evil backdoors in. (In real life there has never been a case of an intentional backdoor in any OSS-project with more than 1 contributor while there have been numerous examples of such backdoors in CSS)
    • In theory and in all total cost of ownership studies, the cost of viruses, worms and security problems on Windows is zero. (In real life millions are paid for virus scanners and much more is lost in productivity)
    • In theory, viruses/trojans/worms are only written for the market-leader platform. (In real life, Apache leads the market and has not had a single worm comparable to Code Red or Nimda)
    • In theory, Microsoft's latest "security initiatives" are a big success. (In real life the biggest epidemics like MS Blaster happened after those initiatives started.)

    In theory, Windows is great. In real life it's a buggy, insecure piece of trash that should be avoided whenever possible.

    1. Re:Linux is not 100% secure by hallaballa · · Score: 2, Insightful

      "so complicated"... 1) Complex, not complicated. 2) nobody said that training was optional, regardless of OS. "evil backdoors" -- the comparison you make between oss/css has nothing to do with oss/css -- it's a difference in process. There's nothing inherent in either oss or css that promotes/prevents trojans. Then again, with all these remote exploits we see, isn't that just trojans+plausible deniability? "millions are paid" -- how on earth does anyone objectively measure that? "Apache has not had a single worm comparable..." -- true, but this is not because Apache has not had remotely exploitable holes. The reason is something else. Microsoft's security initiatives are not a big success -- well, these patches notwithstanding, far as I can see the trend is that Windows actually is getting more secure. It's slow progress, but it _is_ progress. Only time will tell though..

    2. Re:Linux is not 100% secure by aastanna · · Score: 4, Insightful

      The way I feel about windows and patches is you're never going to be secure enough to connect a windows box directly to the internet. Outlook and Outlook express aren't secure enough to be used to receive email. IE isn't secure enough to browse random web sites.

      So, if you can afford it, have two computers. Get your email and do your work on a Linux box or an OSX laptop, and save Windows for games, windows development, and those gems of applications you've found that only run on Windows. Install firefox and use that to browse if you must.

      Always keep your Windows box behind a hardware firewall, that tends to stop most of the remote "I just plugged in my computer and now it has a virus" sort of things. Keep any OSX or Linux boxes behind a firewall too if you can.

      Oh well...rant over...that's my "what people should know about computers before using them" speech. It really doesn't matter how many of these exploits are patched. These were from 2003, and I'm sure there's another dozen waiting in the wings. Just assume your box is insecure and act appropriately.

      Oh, one more thing. I miss the days when you could listen to your computer's hard drive and know what it was doing. If it started up at an odd time you'd know something wasn't right. These days on windows the hard drive seems to randomly grind away for a second every once in a while...it's...disconcerting. My mac doesn't seem to do that, can't remember if Linux does.

    3. Re:Linux is not 100% secure by Anonymous Coward · · Score: 2, Informative

      Someone tried, but it was discovered before reaching any official kernel.

      The attacker used a bug in the BitKeeper to CVS gateway to add the backdoor to the kernel in CVS, but since the official kernels come from the BitKeeper tree which was NOT affected, he needed someone to accidentally send his change to Linus. I.e. he needed a good amount of luck.

      It was discovered before that happened, because the CVS and BitKeeper versions were out of sync, which caused the BitKeeper people to examine the trees.

    4. Re:Linux is not 100% secure by Polymath+Crowbane · · Score: 2, Informative
      "millions are paid" -- how on earth does anyone objectively measure that?
      It's fairly simple for companies to measure the cost of viruses, et al., by adding the direct cost of the staff required to clean machines and an estimate of the indirect cost of time lost by employees while computers and email are down. It can be significant: the multinational company with which I was associated during the Melissa attack lost email for two days. The direct costs alone (of people to clean up machines) were documented at over $1,000,000.

      Here is the real trap in proprietary standards: if a vendor's product cost a company over $1MM because of a flaw, you can bet that vendor would be gone in a heartbeat. However, because mission critical systems are tied to proprietary standards for which there is no practical substitute, companies are, for the most part, stuck.

      The sad reality is this: when a company is locked into your product, for any reason, your motivation for spending money on enhancements/customer service is greatly reduced. This is true for many companies, not just Microsoft. It's called human nature and greed.

  45. Re:In other news by technos · · Score: 4, Informative

    Sorry, we already apt-get updated those bugs away while we were sipping our morning coffee and never noticed. Unlike Windows, I don't have to worry about a simple bugfix blowing up the box, or causing downtime, nor do I have to reboot the damn thing four times.

    Oh, and application bugs are not "Linux" bugs. Linux refers to the kernel and kernel alone. Unlike on a Microsoft product, where they make Outlook/IE the default for everything and unremovable, hence being part of the OS and countable as an OS exploit, the same is not true of Linux systems.

    --
    .sig: Now legally binding!
  46. has anyone tried updating windows without using IE by -O.ster_66 · · Score: 2, Interesting
    "Thank you for your interest in Windows Update. Windows Update is the online extension of Windows that helps you get the most out of your computer. You need to be running a version of Internet Explorer 5 or higher in order to use Windows Update. Download the latest version of Internet Explorer. Once Internet Explorer is installed, you can go to the Windows Update site by typing http://windowsupdate.microsoft.com into the address bar of Internet Explorer. If you prefer to use a different Web browser, updates to Windows may be downloaded from the Microsoft Download Center."

    --
    "You get all the fun of sitting still, being quiet, writing down numbers, paying attention...science has it all."
  47. Mirror by KalvinB · · Score: 5, Funny

    since Microsoft's Windows Update page is getting really bogged down you can download the patches from this Mirror.

    Ben

  48. Re:Meanwhile... by spinkham · · Score: 4, Interesting

    Yeah, this is what burns me up with these security bug comparisons. In Linux, 99% of software you run on your computer you get from your distribution, while very little of your software under Windows comes as a part of Windows. Of course there are more bugs in a complete computer setup with 10 different ftp servers to choose from, irc clients, a complete development suite(or 3), etc...

    --
    Blessed are the pessimists, for they have made backups.
  49. Re:New Rule by shaitand · · Score: 4, Informative

    I think your numbers are a bit screwed, I suppose if you're looking at computing in general you're probably a bit exaggerated but the concept is right.

    However when looking at microsoft vulnerabilities it's a different story, they are extremely varied generally because they are due to a lack of consideration when coding and extremely poor structure and design. For instance, Active X, it's a security flaw, 90% of the sub-flaws reported in it are there because the flaw itself, is poorly designed (hence why it's a flaw) rather than fix the problem (a redesign or elimination of activeX) they create a patchwork changing this or that detail of how it functions.

  50. Re:This is why microsoft are insecure by The+Bungi · · Score: 5, Informative
    They've gone to scheduled patch releases on the second tuesday of every month to make it easier for admins and users. That's today in case you missed it. AFAIK all the vulnerabilities had been published earlier by third parties.

    If and when there's an actual exploit in the wild for a given vulnerability then they'll release the patch immediately, just like they've done before.

    Whoever modded you "Insightful" should have used the "-1, Another Stupid Conspiracy Theory" mod instead.

  51. Re:Windows Critical Vulnerabilities by Tantrum420 · · Score: 2, Insightful

    >Seriously, MS operating systems never get finished. . . .

    You prolly coulda left off the 'MS'. What (significant) operating system built in the last 15 years has been completely finished?

    T

  52. Check out www.eeye.com by khasim · · Score: 5, Informative

    http://www.eeye.com/html/Research/Advisories/index.html

    Looks like a whole bunch of those holes were reported to Microsoft by eeye and Microsoft FINALLY got around to patching them.

    Some of them had been reported over 6 months ago.

  53. Re:has anyone tried updating windows without using by Lshmael · · Score: 3, Informative

    Windows Update uses ActiveX controls to check which updates are installed on your computer, so you actually do need Internet Explorer to use it.

  54. SP5? by TimTheFoolMan · · Score: 4, Interesting
    Hmmm... in the details for Security Bulletin MS04-011, they list the following registry key:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows 2000\SP5\KB835732\Filelist
    Looks like we've now seen the first light of SP5.

    Tim

  55. Microsoft Announces Three More Critical Vulnerabil by Anonymous Coward · · Score: 2, Informative

    Nice to see /. falling into the MS fud campaign. There are not 3 vulnerabilities, there are 20, and it is only 3 patches.

    Score a point to MS for making us think 20 = 3.

    Of course we also buy MS telling us the linux mem-remap exploit was 5+ vulnerabilities (Debian, Mandrake, Redhat, Suse, et al.)

    As of this point, if someone from MS told me the grass was green, I would go outside and see for myself. You simply cannot believe a single word spewing forth from the Redmond Dragon.

  56. Re:has anyone tried updating windows without using by ocelotbob · · Score: 2, Interesting

    Except that ActiveX is available for mozilla. So really, the only reason that MS requires IE is to lock you in, not any real technical reason.

    --

    Marxism is the opiate of dumbasses

  57. Your sig by Vainglorious+Coward · · Score: 4, Funny

    --

    The number of the modding shall be three, four shall the number of the modding not be, neither shall it be 2...

    5 is right out.

    --
    My next sig will be ready soon, but subscribers can beat the rush
  58. Re:In other news by nvrrobx · · Score: 3, Insightful

    There is a very bad, glaringly false statement in your post.

    Even on Linux, it is possible for a simple bugfix to take down an entire system.

    XFree86 drivers can do this.
    Kernel updates can do this.
    Third party kernel driver updates can do this.

    Hell, a bug / exploit in kdm could make your machine remotely vulnerable, or a simple bug could cause your machine to stop allowing logins (and don't tell me that you can Ctrl-Alt-F1 and login. That doesn't apply to end users)

    I saw a problem on a friend's machine where his PAM config got trashed after an update. Guess what, his machine stopped asking for passwords on IMAPS, POP3S and ssh. If a simple misconfiguration can cause that, so can a code bug. That's no different than Windows.

    All software has bugs, and those bugs can either be harmless annoyances, or critical problems. Linux can have them just as easily as Windows. Linux/UNIX software releases patches faster because they don't have complicated software development cycles (QA checks, usability, legal, etc) that have to happen before the release.

  59. Re:Hrm by finkployd · · Score: 2, Insightful

    I guess I'm not one to ignore certain vulnerabilities and glorify others simply because one comes from Windows.

    Nor do I (and frankly I am not sure HOW you got that weird point of view from my comment).

    I do however consider remote root vulnerabilities to be significantly more alarming than local privilege escalation.

    Besides, Linux has had plenty--and has had many public break-ins in the past six months.

    I would never imply otherwise.

    Finkployd

  60. Re:has anyone tried updating windows without using by ruiner13 · · Score: 2, Interesting

    Good thing they have self-contained downloads available. Yes, they don't make 'em easy to find, but you can burn say, Win2K SP4 in all its 135MB glory onto a cd to do offline updates. This is the only way you can practically update a 56K modem-bound 'puter.

    --

    today is spelling optional day.

  61. I find two things particularly interesting here... by Malor · · Score: 2, Interesting

    First, this isn't three vulnerabilities, it is TWENTY, addressed with three patches to make it look less severe. (And I don't really think this once-per-month patch cycle is to make administrators' lives easier; I think it's to make Microsoft look better.)

    Second, Microsoft has also increased the load on their servers by, oh, thirty times. While they have enough money to provision themselves with thirty times the incoming bandwidth to handle the huge burst of patch traffic once per month, at this point they don't appear to have actually DONE THIS. I am just barely able to get the Windows Update page to display at all, much less actually do anything useful like, say, download patches.

    So, here I sit with a machine with twenty vulnerabilities, which they didn't tell me about all month to save face, and now that they HAVE told me, I can't patch because I can't reach their site.

  62. Re:Kind of like this? by amRadioHed · · Score: 2, Informative
    Excuse me? Am I just imagining it, or does Apple use the word "fixes" in every update listed on that page you gave.
    * CUPS Printing: Fixes CAN-2004-0382 to improve the security of the printing system. This is a configuration file change that does not affect the underlying Printing system. Credit to aaron@vtty.com for reporting this issue.
    * libxml2: Fixes CAN-2004-0110 to improve the handling of uniform resource locators.
    * Mail: Fixes CAN-2004-0383 to improve the handling of HTML-formatted email. Credit to aaron@vtty.com for reporting this issue. ...
    ...
    ...
    --
    We hope your rules and wisdom choke you / Now we are one in everlasting peace
  63. Re:has anyone tried updating windows without using by Lshmael · · Score: 2, Informative

    Microsoft reasoning aside, the current ActiveX solutions for Mozilla (as described in this thread), either do not work in Windows Update, or, like Neptune, use Internet Explorer rendering engine and security model. This nullifies any possible benefit, and I assume that you would still need Internet Explorer.

  64. The joke is on YOU! by Tibor+the+Hun · · Score: 2, Funny

    We didn't make YUGOs in 1960s!
    Shoot, we were lucky if we had a Lada, or if you were really good to The Party, maybe a Citroen!

    --
    If you don't know what AltaVista is (was), get off my lawn.
  65. The Worm is already out there by TekGoNos · · Score: 2, Interesting

    Well, maybe.

    Anyway, today a worm completely took over my university's network.
    We are the CS-Department, we know what we're doing (well, we still don't use Linux, I'm trying to convince them but ...) and we keep our machines up-to-date.

    It spreads by a file called ascdl.exe through a remotely exploitable vulnerability. Nobody knows about this Virus (neither Symantec, nor Google) and it spreads fast. When we delete the file, it is back a few minutes later. So I guess it may use one of these new exploits.

    BTW, the internet is slow today and I guess it is this baby. It will probably infect the better part of vulnerable machines before it even has a name. I just hope it doesn't do anything nasty.

    Hopefully by tomorrow AV Vendors will have analysed it and issued an update, but I predict it to become REALLY BIG (potentially bigger than Blaster).

    Oh, and it changes the WINDOWS\system32\drivers\etc\hosts - file, so that you can no longer contact sites of AV Vendors and Norton's LiveUpdate is blocked too. So once you catch it, you cannot get rid of it because you cannot download the new signature file. You have to remove it manually (or at least edit the hosts-file, but who knows about it?). So the bigger part of the population will continue to have it and their computers will no longer update the definition list.

    Again, I don't know if it uses one of the new vulnerabilities, but by the speed this baby spreads and by blocking LiveUpdate this is gonna be HUGE.

    So if a process called ascdl.exe suddenly uses 50% of your CPU, KILL IT!

    --
    I have discovered a truly remarkable proof for my post which this sig is too small to contain.
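
The hosts-file tampering described in the comment above can be checked for mechanically. This is an added example, not part of the original thread: a Python audit that flags hosts entries overriding security-vendor or update hostnames. The watchlist, the sample file contents and all function names are constructed for illustration.

```python
import ipaddress
from typing import NamedTuple

# Assumption: an illustrative watchlist of domains that should never be
# overridden locally. A real deployment would list its own AV/update hosts.
WATCHED_SUFFIXES = ("symantec.com", "windowsupdate.microsoft.com")

# Constructed sample of a tampered hosts file (not taken from a real machine).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1\twww.symantec.com  liveupdate.symantec.com   # appended entry
0.0.0.0 WindowsUpdate.Microsoft.com.
203.0.113.7 securityresponse.symantec.com
127.0.0.1 notsymantec.com
not-an-ip www.symantec.com
"""


class Finding(NamedTuple):
    lineno: int
    address: str
    hostname: str
    verdict: str  # "sinkholed" (loopback/unspecified) or "redirected"


def parse_hosts(text):
    """Yield (lineno, address, [hostnames]) for every well-formed entry."""
    for lineno, raw in enumerate(text.lstrip("\ufeff").splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()      # drop trailing comments
        fields = line.split()
        if len(fields) < 2:
            continue                              # blank or address-only line
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                              # resolver ignores bad lines
        # Hostnames are case-insensitive; a trailing dot is the same name.
        yield lineno, addr, [f.lower().rstrip(".") for f in fields[1:]]


def is_watched(name, suffixes=WATCHED_SUFFIXES):
    """Match the domain itself or any subdomain, not mere string suffixes."""
    return any(name == s or name.endswith("." + s) for s in suffixes)


def audit_hosts(text, suffixes=WATCHED_SUFFIXES):
    """Return a Finding for each watched hostname pinned by the hosts file."""
    findings = []
    for lineno, addr, names in parse_hosts(text):
        sinkhole = addr.is_loopback or addr.is_unspecified
        verdict = "sinkholed" if sinkhole else "redirected"
        for name in names:
            if is_watched(name, suffixes):
                findings.append(Finding(lineno, str(addr), name, verdict))
    return findings


if __name__ == "__main__":
    # To audit a live system, read the hosts file named in the comment
    # (WINDOWS\system32\drivers\etc\hosts) and pass its text instead.
    for f in audit_hosts(SAMPLE_HOSTS):
        print(f"line {f.lineno}: {f.hostname} -> {f.address} ({f.verdict})")
```

Any hit is worth investigating, since a hosts entry takes precedence over DNS and a clean machine has no reason to pin these names.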
  66. Re:IE spoofing by next1 · · Score: 2, Informative

    user agent switcher

    i have to switch user agent to access one of my bank sites too but that's the only time i have to do it.

    i always switch it straight back as well - support mozilla!!

  67. Freedom of choice is important for security. by master_p · · Score: 2, Insightful

    If Internet Explorer was not part of the O/S distribution, it would be easier to uninstall it and install something better, like Opera or Mozilla Firefox (or make an option during O/S installation). The same goes for Outlook and Outlook Express.

    Now that IE and Outlook are bundled with Windows, most people don't care to install anything different, resulting in many compromised machines.

  68. Re:Meh. by MonTemplar · · Score: 3, Insightful

    Yeah, but if you applied the patches, most of the malware wouldn't even get as far as tripping up ZoneAlarm.

    Anyway, if the malware turns around and decides to trash your PC instead, what are you going to do then? Won't look so smug, that's for sure, especially if you've not backed your important stuff up recently.

    I've got a NAT/firewall attached to my broadband at home, but I still run Norton Antivirus, and practice safe hex. You need to keep your grey matter up to date as well, you know...

    -MT.

    --
    -MT.
  69. Re:Uh by JET+666 · · Score: 2, Funny

    No, still waiting on the compile.

    --
    De sig boss de sig
  70. Re:1960 Yugo by tbone1 · · Score: 2, Funny
    everyone knows pedestrians are safer.

    Oh? When's the last time you got mugged by someone who was driving a car?

    --

    The Independent: Reverend Spooner Arrested in Friar Tuck Incident - ISIHAC, Historical Headlines
  71. Re:More than three by jonadab · · Score: 4, Insightful

    > There are 20 separate vulnerabilities in Windows and Outlook Express

    No. No, no, no. There is *one* vulnerability in Outlook and Outlook Express,
    one that has been public knowledge for about a decade now and Microsoft has
    thus far made no attempt to fix. The vulnerability is, Outlook and Outlook
    Express deliberately treat untrusted data in ways that untrusted data should
    NEVER be treated under ANY circumstances. Their whole approach to security
    is, instead of the correct this-data-is-untrusted approach, a dain brammaged
    fix-specific-problems approach, wherein the data that ought to be untrusted
    is stopped from doing certain specific things that have been known to cause
    problems in the past but still allowed to do basically anything else.

    There may be 20 separate specific ways this can be exploited, and more will
    be discovered next week, but it's fundamentally *one* issue.

    Executive summary: Outlook and Outlook Express don't *have* security holes;
    they *are* security holes, big fat wide-open ones.

    --
    Cut that out, or I will ship you to Norilsk in a box.