Microsoft Announces Three More Critical Vulnerabilities
weekendwarrior1980 writes "Microsoft warned that three 'critical'-rated flaws in the Windows operating system and other programs could allow hackers to sneak into personal computers and snoop on sensitive data.
The flaws could allow attackers to break into PCs running Windows in several ways and then use the system to run malicious programs and steal or delete key data. These latest security flaws affect the latest versions of Windows, including Windows NT 4.0, Windows 98, Windows 2000, Windows XP, as well as software for networked computers such as Windows NT Server and Windows Server 2003." Their bulletins are available for these vulnerabilities. Techweb has a pretty good summary.
Now that the word is out on these, Microsoft is going to have to post a big link to all the articles about that new Mac OS X trojan all over their homepage...
Actually, according to the article there aren't just three vulnerabilities. There are 20 separate vulnerabilities in Windows and Outlook Express, 8 of which are critical, and 16 of which are remotely exploitable. Microsoft has bundled the patches for these into 4 separate downloads - 3 for Windows and 1 for Outlook Express.
Here we go again...
Never email donotemail@WeAreSpammers.com
Microsoft could just send its service pack, and as usual, during installation, print meaningless phrases such as: registering component, building registry, etc...
I've got IE configured to present itself to websites as Netscape so I can't check the Windows Update webpage, I have to rely on automatic update to tell me of new patches. For the past couple months there has been nary a one patch, then today a whole handful of them.
What a surprise. My bandwidth was halved by the invisible download.
Whoops. Be right back. Install is finished, gotta reboot.
I have been pwned because my
Sorry, no link because the site seems to be down/slow... it must be linked to from another announcement posted elsewhere.
That site with their bulletins also has a link to the XP Service Pack 2 release candidate. That thing has been in the works for so long. Hopefully it makes some useful improvements in their security.
It looks like the firewall will basically be a built-in ZoneAlarm, with better inbound abilities, and outbound application controls.
They also have some buffer overflow protections. Are they good enough to make a difference?
no -- that's just not true.
there are misinformed people who don't understand the issues with the bugs reported in linux who then fan the flames about "holes in linux" as if they are of the same level of problem as these weekly holes in windows.
a theoretical overflow on a linux server running openssh is a lot different than a open hole that runs executable attachments
as a windows user, you should spend your time patching windows, not reading news.com
Are Windows 98, Windows 98 Second Edition, or Windows Millennium Edition critically affected by any of the vulnerabilities that are addressed in this security bulletin?
:-S
No. None of these vulnerabilities are critical in severity on Windows 98, on Windows 98 Second Edition, or on Windows Millennium Edition.
Another reason for home users and gamers to stick with 98SE. Obviously most businesses aren't so lucky.
I think we /.ed microsoft!!
Won't announcing the vulnerabilities cause them to be exploited??
Shouldn't Microsoft as a result slow down the security patch cycle?
Only Women Bleed (Sex, Sharia remix)
Finish perfecting XP?
.
Are you kidding??
They need to finish perfecting 95 first, then start to get 98/SE/ME done, then get 2000 out of beta, then try and desperately lockdown XP.
Seriously, MS operating systems never get finished. . .
They simply get discarded.
WhiteWolf666 an exBush supporter. All you new-school,compassionate,save the children Republicans can rot in hell
news.com is a real news site, so they post real news. I am surprised anyone reports vulnerabilities in MS Windows as news. The only reason to report these is so people know to update again, and to poke fun at the joke that is Microsoft's quality control. Real news would be if they go for an extended period of time without a vulnerability!
For Linux on the other hand it is an event when there is a vulnerability reported.
"Anything is possible with enough programmers, time and pizza." (Substitute caffeine for time as needed.)
That's 'cause most of us are secretly using Windows ;)
So, "We only use Linux" cries the slashdot crowd...
Then why the hell is windowsupdate.microsoft.com slashdotted? You bastards.
there is a difference between REMOTE ROOT exploits and LOCAL PRIVILEGE-ESCALATION exploits. But then, you just wanted to appear clever, didn't you?
HAND.
Actually, according to the article there aren't just three vulnerabilities. There are 20 separate vulnerabilities in Windows and Outlook Express, 8 of which are critical, and 16 of which are remotely exploitable.
HOLY #*&$*!!! /me patches like mad
The people who previously expressed the number of vulnerabilities as 3 have been sacked. In a separate sacking, the person responsible for bundling downloads for Windows and Outlook Express separately, thus making even more confusion, has also been sacked.
The person responsible for not defining all remotely exploitable vulnerabilities as critical has also been sacked.
As this is a /. joke, and nobody at microsoft has actually been sacked, the writer of this post has also been sacked, having failed in actually sacking the previously aforementioned sacked.
Even those who arrange and design shrubberies are under considerable economic stress at this period in history.
LinuxSecurity.com Advisories. It gives you the last 15 advisories (right now it's 15 in the past three days!), and you can click on each distro, including the BSDs, and get archived advisories for each one. Very useful, complete with links to the actual bulletins.
:P
Yes, you are right--these things never appear on Slashdot except when there are major kernel exploits. To be honest, I've noticed lately a dissident tide in Slashdot, where people are a little weary of the anti-Microsoft spin. Nothing wrong with posting about Windows vulnerabilities, of course, but you do have to view the context with which it's posted--an OSDN-owned website that posts pro-Linux articles and just so happens never to mention Linux security advisories. But a user-run executable will become front page news as a new "Microsoft Worm."
I've just noticed more people annoyed by it lately, even the partyline pro-OSS guys. Simplistic agendas shouldn't be something to embrace on a site that is touted as the epicenter for geek tech news on the Internet. I guess my sig reflects that I've become one of those people as well who feels the need to balance out the spin going on...
seeing the microsoft security ad (http://m2.doubleclick.net/viewad/930640/MRS03141_ityouwe_728x90_anima.gif) at the top of the page while reading this article was just too much...
It was fast for me :)
If Microsoft required a prompt for the root password whenever a program tried to install itself, similar to what OS X and many Linux apps do, it would make all the actual security vulnerabilities matter much more.
The Windows defaults with regards to user privileges are crap, and you are right, these vulnerabilities don't matter when everyone has administrative privileges anyway.
Requiring a password to install a program would be difficult in Windows, however, since the installation programs are provided by the software, not Windows (unless it's a Windows Installer package, in which case there's full support for requiring Administrator privileges to install applications). Windows really has no way of telling the difference between a normal application and an installer.
However, what you can do is lock down file permissions. What I did on Windows XP was remove Users write access to the boot drive, Windows directory, Program Files directory, and Documents and Settings (except for the user's profile). Installation programs can still run, but they won't be able to install software to any important location. At worst, the user can install to their profile, but any malicious program becomes a problem only for that user. It's akin to untarring, compiling, and running a program from your home directory on Linux.
I've heard of bad programs that require Administrator privileges or write access to their Program Files directory, in which case this setup will present problems. Still, it's a problem with the program itself, not a Windows problem, although lax or non-existent installation guidelines may have contributed. I personally think all these permissions should've been defaults years ago.
According to CmdrTaco, the majority of Slashdot visitors use IE. Kind of puts things into perspective as far as the "movement" goes.
Open source vulnerabilities and incidents get reported all the freaking time on Slashdot.
Well, after the Nth spyware that infected IE, about 10 days ago I finally had enough of it and switched to Firefox. Haven't looked back since, Firefox rocks.
So after I read this /. story, went to the Windows Update website, and lo and behold, it only works with IE. I can go to the Microsoft Download Center if I use another browser besides IE, but I actually like the way Windows update works, scanning my computer and giving me options for what I can install.
Looked through the Firefox FAQs, couldn't find any mention of this. Anyone have another suggestion, or should I use IE for updates and Firefox for everything else?
-"Those who fought today will die tomorrow."-
So, I'd rather choose the system that while not perfect is pretty good than a crappy system whose vendor chooses to put out press-releases about security instead of actually dealing with the problems.
As usual, in theory, Windows is great:
In theory, Windows is great. In real life it's a buggy, insecure piece of trash that should be avoided whenever possible.
Sorry, we already apt-get updated those bugs away while we were sipping our morning coffee and never noticed. Unlike Windows, I don't have to worry about a simple bugfix blowing up the box, or causing downtime, nor do I have to reboot the damn thing four times.
Oh, and application bugs are not "Linux" bugs. Linux refers to the kernel and kernel alone. Unlike on a Microsoft product, where they make Outlook/IE the default for everything and unremovable, hence being part of the OS and countable as an OS exploit, the same is not true of Linux systems.
.sig: Now legally binding!
or option c) SP2 beta isn't recognized by winupdate, so you're going to be exposed.
since Microsoft's Windows Update page is getting really bogged down you can download the patches from this Mirror.
Ben
Work Safe Porn
Try "Smashing the Stack for Fun and Profit", Phrack 49, Art. 14. It's a nice introductory tutorial to the common class of buffer overruns.
cpghost at Cordula's Web.
Yeah, this is what burns me up with these security bug comparisons. In Linux, 99% of software you run on your computer you get from your distribution, while very little of your software under Windows comes as a part of Windows. Of course there are more bugs in a complete computer setup with 10 different ftp servers to choose from, irc clients, a complete development suite(or 3), etc...
Blessed are the pessimists, for they have made backups.
I think your numbers are a bit screwed, I suppose if you're looking at computing in general you're probably a bit exaggerated but the concept is right.
However when looking at microsoft vulnerabilities it's a different story, they are extremely varied generally because they are due to a lack of consideration when coding and extremely poor structure and design. For instance, Active X, it's a security flaw, 90% of the sub-flaws reported in it are there because the flaw itself, is poorly designed (hence why it's a flaw) rather than fix the problem (a redesign or elimination of activeX) they create a patchwork changing this or that detail of how it functions.
If and when there's an actual exploit in the wild for a given vulnerability then they'll release the patch immediately, just like they've done before.
Whoever modded you "Insightful" should have used the "-1, Another Stupid Conspiracy Theory" mod instead.
http://www.eeye.com/html/Research/Advisories/index.html
Looks like a whole bunch of those holes were reported to Microsoft by eeye and Microsoft FINALLY got around to patching them.
Some of them had been reported over 6 months ago.
How does a critical vulnerability happen? Seriously. Is there a URL someone can provide or a good description that shows what it takes to make an OS or application with a vulnerability?
Of course there's an infinite number of ways to write a vulnerable program, but the most common is to run afoul of a buffer overflow. A buffer overflow is a relatively simple flaw, but it's an easy mistake to make in C and C++ because those languages give economy of computational resources precedence over every other consideration, including security and stability.
There's an illustrated and fairly concise introduction to buffer overflows at LinuxJournal.
Erlang.org: wow
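The buffer overflow described in the answer above, as an added example that is not part of the original thread: an unchecked copy into a fixed-size buffer next to a version that measures the input first and rejects what does not fit. The struct, field names and buffer size are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

#define NAME_BUF 16            /* constructed buffer size for this example */

struct session {
    char name[NAME_BUF];
    int  is_admin;             /* lives right after the buffer in memory */
};

/* Vulnerable pattern: strcpy() copies until the NUL in `input`, however
 * long that is. Input of NAME_BUF bytes or more writes past name[] and
 * into whatever follows it. Shown for comparison only; never called. */
void set_name_unchecked(struct session *s, const char *input)
{
    strcpy(s->name, input);
}

/* Hardened: look for the terminating NUL within the first NAME_BUF bytes.
 * If it is not there, the string cannot fit, so refuse it outright rather
 * than truncate. Returns 0 on success, -1 on NULL or over-long input. */
int set_name_checked(struct session *s, const char *input)
{
    const char *end;

    if (s == NULL || input == NULL)
        return -1;
    end = memchr(input, '\0', NAME_BUF);
    if (end == NULL)
        return -1;             /* no NUL in range: too long, s untouched */
    memcpy(s->name, input, (size_t)(end - input) + 1);
    return 0;
}

int main(void)
{
    struct session s = { "", 0 };
    const char *too_long = "AAAAAAAAAAAAAAAAAAAAAAAA"; /* constructed, 24 bytes */

    printf("short input:  %d\n", set_name_checked(&s, "alice"));
    printf("long input:   %d\n", set_name_checked(&s, too_long));
    printf("name=%s is_admin=%d\n", s.name, s.is_admin);
    return 0;
}
```

The language does neither the length check nor the rejection for you; the unchecked version compiles without complaint, which is why the mistake is so easy to make.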
Tim
--
The number of the modding shall be three, four shall the number of the modding not be, neither shall it be 2...
5 is right out.
My next sig will be ready soon, but subscribers can beat the rush
"It's not good that they're having so many publicly visible flaws, but I'm really impressed that Microsoft is starting to be honest and forthcoming in their reporting."
That's because you're gullible. A bunch of these vulnerabilities have been known for months and Microsoft hasn't announced them. Maybe so they can argue that Microsoft has the shortest time from vulnerability announcement to patch availability, like they tried to say last week.
Starting to be honest, huh, looks like more of the same to me.
When all you have is a hammer, every problem starts to look like a thumb.
> There are 20 separate vulnerabilities in Windows and Outlook Express
No. No, no, no. There is *one* vulnerability in Outlook and Outlook Express,
one that has been public knowledge for about a decade now and Microsoft has
thus far made no attempt to fix. The vulnerability is, Outlook and Outlook
Express deliberately treat untrusted data in ways that untrusted data should
NEVER be treated under ANY circumstances. Their whole approach to security
is, instead of the correct this-data-is-untrusted approach, a dain brammaged
fix-specific-problems approach, wherein the data that ought to be untrusted
is stopped from doing certain specific things that have been known to cause
problems in the past but still allowed to do basically anything else.
There may be 20 separate specific ways this can be exploited, and more will
be discovered next week, but it's fundamentally *one* issue.
Executive summary: Outlook and Outlook Express don't *have* security holes;
they *are* security holes, big fat wide-open ones.
Cut that out, or I will ship you to Norilsk in a box.