Slashdot Mirror


Microsoft Announces Three More Critical Vulnerabilities

weekendwarrior1980 writes "Microsoft warned that three 'critical'-rated flaws in the Windows operating system and other programs could allow hackers to sneak into personal computers and snoop on sensitive data. The flaws could allow attackers to break into PCs running Windows in several ways and then use the system to run malicious programs and steal or delete key data. These latest security flaws affect the latest versions of Windows, including Windows NT 4.0, Windows 98, Windows 2000, Windows XP, as well as software for networked computers such as Windows NT Server and Windows Server 2003." Their bulletins are available for these vulnerabilities. Techweb has a pretty good summary.

25 of 486 comments

  1. Uh-oh by SpiffyMarc · · Score: 5, Funny

    Now that the word is out on these, Microsoft is going to have to post a big link to all the articles about that new Mac OS X trojan all over their homepage...

    1. Re:Uh-oh by Anonymous Coward · · Score: 5, Funny

      A lot of people joke about Mac vulnerabilities, but the simple fact is that something like that could really wreak havoc somewhere like an art school or large interior design firm.

  2. More than three by untermensch · · Score: 5, Informative

    Actually, according to the article there aren't just three vulnerabilities. There are 20 separate vulnerabilities in Windows and Outlook Express, 8 of which are critical, and 16 of which are remotely exploitable. Microsoft has bundled the patches for these into 4 separate downloads - 3 for Windows and 1 for Outlook Express.

  3. Worm Writer's Delight by Dynamoo · · Score: 5, Interesting

    What's frightening is that there are *so* many remote code execution vulnerabilities in this one. At least they're all rolled up into one patch. But this gives so many potential backdoors for a Blaster style worm.

    Here we go again...

    --
    Never email donotemail@WeAreSpammers.com

    1. Re:Worm Writer's Delight by zackeller · · Score: 5, Informative

      Overestimate.

  4. Honesty is sometime stupid by Assoupis · · Score: 5, Funny

    Microsoft could just send its service pack, and as usual, during installation, printing meaningless phrases such as: registering component, building registry, etc...

    1. Re:Honesty is sometime stupid by mistermund · · Score: 5, Funny

      registering component, building registry, etc... Reticulating splines....

  5. I was wondering about that by ObviousGuy · · Score: 5, Interesting

    I've got IE configured to present itself to websites as Netscape so I can't check the Windows Update webpage, I have to rely on automatic update to tell me of new patches. For the past couple months there has been nary a one patch, then today a whole handful of them.

    What a surprise. My bandwidth was halved by the invisible download.

    Whoops. Be right back. Install is finished, gotta reboot.

    --
    I have been pwned because my /. password was too easy to guess.

  6. Re:I've noticed by Anonymous Coward · · Score: 5, Insightful

    no -- that's just not true.

    there are misinformed people who don't understand the issues with the bugs reported in linux who then fan the flames about "holes in linux" as if they are of the same level of problem as these weekly holes in windows.

    a theoretical overflow on a linux server running openssh is a lot different than an open hole that runs executable attachments

    as a windows user, you should spend your time patching windows, not reading news.com

  7. Re:More than three by Proud+like+a+god · · Score: 5, Informative

    Are Windows 98, Windows 98 Second Edition, or Windows Millennium Edition critically affected by any of the vulnerabilities that are addressed in this security bulletin?
    No. None of these vulnerabilities are critical in severity on Windows 98, on Windows 98 Second Edition, or on Windows Millennium Edition.


    Another reason for home users and gamers to stick with 98SE. Obviously most businesses aren't so lucky. :-S

  8. Windows update server is running kind of slowly by Igottapoop · · Score: 5, Funny

    I think we /.ed microsoft!!

  9. Won't announcing vulnerabilities cause exploits? by David+Hume · · Score: 5, Interesting

  10. Re:Windows Critical Vulnerabilities by WhiteWolf666 · · Score: 5, Funny

    Finish perfecting XP?

    Are you kidding??

    They need to finish perfecting 95 first, then start to get 98/SE/ME done, then get 2000 out of beta, then try and desperately lockdown XP.

    Seriously, MS operating systems never get finished. . . .

    They simply get discarded.

    --
    WhiteWolf666 an exBush supporter. All you new-school,compassionate,save the children Republicans can rot in hell

  11. I hate all of you by RevDobbs · · Score: 5, Funny

    So, "We only use Linux" cries the slashdot crowd...

    Then why the hell is windowsupdate.microsoft.com slashdotted? You bastards.

  12. You know, by warrax_666 · · Score: 5, Insightful

    there is a difference between REMOTE ROOT exploits and LOCAL PRIVILEGE-ESCALATION exploits. But then, you just wanted to appear clever, didn't you?

    --
    HAND.

  13. Re:More than three by dj245 · · Score: 5, Funny

    The number of the vulnerabilities shall be 3. 3 shall be the number of the vulnerabilities, the number of the vulnerabilities shall be 3....

    Actually, according to the article there aren't just three vulnerabilities. There are 20 separate vulnerabilities in Windows and Outlook Express, 8 of which are critical, and 16 of which are remotely exploitable.

    HOLY #*&$*!!! /me patches like mad

    The people who previously expressed the number of vulnerabilities as 3 have been sacked. In a separate sacking, the person responsible for bundling downloads for Windows and Outlook Express separately, thus making even more confusion, has also been sacked.

    The person responsible for not defining all remotely exploitable vulnerabilities as critical has also been sacked.

    As this is a /. joke, and nobody at microsoft has actually been sacked, the writer of this post has also been sacked, having failed in actually sacking the previously aforementioned sacked.

    --
    Even those who arrange and design shrubberies are under considerable economic stress at this period in history.

  14. oh the irony! by BinaryJono · · Score: 5, Funny

    seeing the microsoft security ad (http://m2.doubleclick.net/viewad/930640/MRS03141_ityouwe_728x90_anima.gif) at the top of the page while reading this article was just too much...

  15. Re:I continue not caring... by omicronish · · Score: 5, Insightful

    If Microsoft required a prompt for the root password whenever a program tried to install itself, similar to what OS X and many Linux apps do, it would make all the actual security vulnerabilities matter much more.

    The Windows defaults with regards to user privileges are crap, and you are right, these vulnerabilities don't matter when everyone has administrative privileges anyway.

    Requiring a password to install a program would be difficult in Windows, however, since the installation programs are provided by the software, not Windows (unless it's a Windows Installer package, in which case there's full support for requiring Administrator privileges to install applications). Windows really has no way of telling the difference between a normal application and an installer.

    However, what you can do is lock down file permissions. What I did on Windows XP was remove Users write access to the boot drive, Windows directory, Program Files directory, and Documents and Settings (except for the user's profile). Installation programs can still run, but they won't be able to install software to any important location. At worst, the user can install to their profile, but any malicious program becomes a problem only for that user. It's akin to untarring, compiling, and running a program from your home directory on Linux.

    I've heard of bad programs that require Administrator privileges or write access to their Program Files directory, in which case this setup will present problems. Still, it's a problem with the program itself, not a Windows problem, although lax or non-existent installation guidelines may have contributed. I personally think all these permissions should've been defaults years ago.
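
The lockdown described in the comment above can be checked without changing anything. As an added example (not part of the original thread, and not the commenter's own commands), this PowerShell script lists Allow entries that give Everyone, Authenticated Users or Users write-type rights on those four locations; it assumes PowerShell 3.0 or later, and the variable names and the choice of SIDs and rights are this example's own.

```powershell
# Added example: read-only audit, it changes no permissions.
# Well-known SIDs are used so the check does not depend on the display language.
$lowPrivSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
}

# The four locations named in the comment, resolved from the environment.
$paths = @(
    "$env:SystemDrive\"
    $env:SystemRoot
    $env:ProgramFiles
    (Split-Path -Parent $env:USERPROFILE)   # "Documents and Settings" on XP
)

# Rights that let the holder create, change or delete content, plus the
# GENERIC_WRITE (0x40000000) and GENERIC_ALL (0x10000000) bits that some
# inherit-only ACEs carry instead of file-specific rights.
$writeBits = [int][System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$writeBits = $writeBits -bor 0x40000000 -bor 0x10000000

$findings = foreach ($path in $paths) {
    $acl   = Get-Acl -LiteralPath $path
    # Ask for SIDs rather than account names; include explicit and inherited ACEs.
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($rule in $rules) {
        $sid = $rule.IdentityReference.Value
        if ($rule.AccessControlType -ne 'Allow') { continue }
        if (-not $lowPrivSids.ContainsKey($sid)) { continue }
        if (([int]$rule.FileSystemRights -band $writeBits) -eq 0) { continue }
        [pscustomobject]@{
            Path      = $path
            Principal = $lowPrivSids[$sid]
            Rights    = $rule.FileSystemRights
            Inherited = $rule.IsInherited
            AppliesTo = $rule.InheritanceFlags
        }
    }
}

if ($findings) { $findings | Format-Table -AutoSize -Wrap }
else { 'No write access for Everyone, Authenticated Users or Users on the audited paths.' }
```

A row for the parent of the profile directory is expected only if the ACE applies to the folder itself; per-user profile folders below it are not examined by this script.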

  16. Like hell that's insightful by nathanh · · Score: 5, Informative

    That a lot of vulnerabilities that concern Linux never get posted to slashdot. Usually I read about these on news.com.

    Open source vulnerabilities and incidents get reported all the freaking time on Slashdot.

  17. Re:That's actually true by interiot · · Score: 5, Insightful

    And the majority of visitors don't post, many don't read the comments. Just because they use Slashdot as a way to keep from missing important tech news doesn't mean they're necessarily sympathetic to OSS philosophy.

  18. Linux is not 100% secure by RoLi · · Score: 5, Insightful

    ... just like a Volvo is not 100% secure. But the Volvo is more secure than a 1960 Yugo.

    So, I'd rather choose the system that while not perfect is pretty good than a crappy system whose vendor chooses to put out press-releases about security instead of actually dealing with the problems.

    As usual, in theory, Windows is great:

    • In theory, everybody uses those super-fine-grained permissions in Windows. (In real life those permissions are so complicated that most ignore them)
    • According to MS-PR theory, Linux is very dangerous because "everybody" can put evil backdoors in. (In real life there has never been a case of an intentional backdoor in any OSS-project with more than 1 contributor while there have been numerous examples of such backdoors in CSS)
    • In theory and in all total cost of ownership studies, the cost of viruses, worms and security problems on Windows is zero. (In real life millions are paid for virus scanners and much more is lost in productivity)
    • In theory, viruses/trojans/worms are only written for the market-leader platform. (In real life, Apache leads the market and has not had a single worm comparable to Code Red or Nimda)
    • In theory, Microsoft's latest "security initiatives" are a big success. (In real life the biggest epidemics like MS Blaster happened after those initiatives started.)

    In theory, Windows is great. In real life it's a buggy, insecure piece of trash that should be avoided whenever possible.

  19. Mirror by KalvinB · · Score: 5, Funny

    since Microsoft's Windows Update page is getting really bogged down you can download the patches from this Mirror.

    Ben

  20. Re:This is why microsoft are insecure by The+Bungi · · Score: 5, Informative

    They've gone to scheduled patch releases on the second Tuesday of every month to make it easier for admins and users. That's today in case you missed it. AFAIK all the vulnerabilities had been published earlier by third parties.

    If and when there's an actual exploit in the wild for a given vulnerability then they'll release the patch immediately, just like they've done before.

    Whoever modded you "Insightful" should have used the "-1, Another Stupid Conspiracy Theory" mod instead.

  21. Check out www.eeye.com by khasim · · Score: 5, Informative

    http://www.eeye.com/html/Research/Advisories/index.html

    Looks like a whole bunch of those holes were reported to Microsoft by eeye and Microsoft FINALLY got around to patching them.

    Some of them had been reported over 6 months ago.

  22. Re:Windows Update in Firefox by Deviate_X · · Score: 5, Informative

    If you have disabled IE you can install and run the Security Baseline Advisor. It basically does the same thing as Windows update.