Slashdot Mirror


Latest SP2 News

Xformer writes "It seems that SP2 for Windows XP isn't as secure as Microsoft touts it to be. Heise Security has uncovered two flaws in SP2's bolstered security measures, both of which may be used to get around the new trusted/untrusted executable origin checks. Of course, who would be surprised by this?" Reader EtherNetFreak writes "Well it appears that at least one hotfix is already available to fix yet another bug in Windows XP, post SP2 application." Reader Finalnight writes "'Microsoft Corp. yesterday delayed yet again its oft-delayed Windows XP Service Pack 2, this time postponing the patch's distribution through the company's Automatic Update service.'"

30 of 483 comments

  1. Re:Where is SP2... by Hungry+Student · · Score: 4, Informative

    SP2 isn't available through Windows Update, only through Automatic Update. There is a difference. Automatic Update runs in the background, checking your patch status against MS and downloading as required; it's set up from Control Panel > Automatic Updates. Windows Update is the on-demand website visit. SP2 won't be available through Windows Update until the 25th August.

  2. Re:is it serious enough? by tpgp · · Score: 5, Informative
    RTFA.

    No.

    The attack vectors described are:

    Exploiting this issue requires the ability to overwrite existing files which have a trusted or non-existent ZoneID. Right now there is no known way to achieve this in an attack mounted from the Internet.

    and (in an email)
    attached you find the copy of your access data you
    requested. For security reasons, the file is scrambled
    and can only be viewed with cmd. To view it, save the
    attached file, execute "cmd" from the start menu,
    drag&drop the file into the new window and hit
    return. cmd will descramble the file for you.

    Neither seem likely to be able to self-replicate without user intervention. So no worm then.
    --
    My pics.
  3. Re:is it serious enough? by BenjyD · · Score: 2, Informative

    Except that they are pretty silly mistakes.

    If they are prepared to sacrifice security for the sake of start-up performance by caching the ZoneID and not checking the file-modified date, which I guess is why the second flaw is present, it doesn't bode well for the future security of SP2.

  4. Re:Where is SP2... by nacturation · · Score: 4, Informative

    Until then you need to get it via automatic update or an external installer. However these external installers are somewhat harder to come by than previously, as Microsoft has shut many of them down - which is a shame since they were very fast torrents. Oh well.

    Yes, those external installers are very hard to come by indeed! But hopefully downloading directly from Microsoft's gigabit backbone qualifies as being fast enough for ya.

    --
    Want to improve your Karma? Instead of "Post Anonymously", try the "Post Humously" option.
  5. Re:Where is SP2... by Tim+C · · Score: 3, Informative

    They're probably trying to spread the load, and avoid having their servers bogged down by lots of people all trying to download it at once. I read somewhere that they're going to do a geographically targeted rollout via automatic updates, eg one country will get it, then a couple of days later another, and so on.

    Also, for modem users, getting it via automatic updates is a much better idea, as that can (I believe) handle resuming downloads, which using windows update probably can't do.

  6. Re:Where is SP2... by Rufus211 · · Score: 5, Informative

    actually it's not available through Windows Update OR Automatic Update (yet). It's only available as a direct download from here

  7. Re:Where is SP2... by Stauf · · Score: 2, Informative

    You can also get it from Microsoft as a 266 meg download if you're impatient.

  8. Re:Where is SP2... by Hungry+Student · · Score: 3, Informative

    It should be out today:

    - August 18: Release to Automatic Updates for users running XP Home only
    - August 25: Release to Automatic Updates for all XP users, including those running XP Pro, and to Windows Update for interactive user installations

  9. Re:Currect track record by Jedi+Alec · · Score: 2, Informative

    XP SP2 ... disappointing (may as well be WinXPSE much like Win98SE was)

    XP SP2. Websites go out of their way to find security flaws and come up with this in a feeble attempt to keep the anti-MS flow going...sorry, but if this is the worst exploit they can manage to dig up from SP2 perhaps they need to point their arrows elsewhere...

    --

    People replying to my sig annoy me. That's why I change it all the time.
  10. Re:'Flaws' Not that big of a deal by BarryNorton · · Score: 2, Informative
    Telling people to open a command line and run a command with several arguments
    Sorry, who's telling people to do that? The point made was, rather, that compromised machines can still be made to bypass this mechanism since it's not been built into the command line interface.
  11. Re:Vapourware? by davmoo · · Score: 2, Informative

    The problem with that suggestion is that SP2 has been out for at least a week. The only thing that has been delayed is its appearance on the Windows Update site for Joe Average User. You can in fact get the full service pack at this Microsoft link.

    --
    I want a new quote. One that won't spill. One that don't cost too much. Or come in a pill.
  12. Re:'Flaws' Not that big of a deal by EpsCylonB · · Score: 2, Informative

    Bzzt! Wrong, bucko.

    "Curiously, a poll on Slashdot suggests that approximately half of all Slashdot visitors actually use a Microsoft Windows operating system with only a third using some form of Linux".

    There is also a quote by CmdrTaco that I can't find at the moment.


    I don't want to get all pedantic but did you read what I said? I already knew that the majority of slashdotters run windows.

    I said that the slashdot readership makes up a minority of all windows users.

    You said that the slashdot readership makes up the majority of all windows users.

    Think about what you are trying to say.

  13. Re:Mod article down by Anonymous Coward · · Score: 5, Informative

    The Sendmail issue you speak of was related to MS^T^TSCO's version of sendmail...

    By SearchSecurity.com staff
    02 Aug 2004 | SearchSecurity.com

    SCO fixes two critical flaws in Sendmail
    The SCO Group of Lindon, Utah has issued a fix for two old vulnerabilities in Sendmail that malicious people could use to launch a denial-of-service attack or compromise a vulnerable system. IT security firm Secunia of Copenhagen, Denmark calls the flaws "extremely critical." The first problem can be exploited to cause a denial-of-service attack and could allow a remote attacker to execute arbitrary code with the privileges of the Sendmail daemon, typically root, according to SCO's advisory. The second problem is in the prescan function in Sendmail 8.12.9, which allows remote attackers to execute arbitrary code via buffer overflow attacks. The vulnerabilities affect OpenServer 5.0.6 and 5.0.7. The SCO recommends users install the latest packages.

  14. Re:Mod article down by Ceriel+Nosforit · · Score: 2, Informative

    No, that's not the one. This was on bugtraq. Maybe a bit older than two weeks.

    --
    All rites reversed 2010
  15. Re:Where is SP2... by ElderKorean · · Score: 2, Informative

    Well then I don't know what my computer has been running since yesterday then.

    SP2 for me has already been downloaded and installed as part of Automatic Updates. It took a while amongst the other downloads though.

    August 17 in Australia.
    XP Pro.

  16. Re:Mod article down by BarryNorton · · Score: 4, Informative

    No, that's SCO's belated response to an 'old' (as you quoted!) advisory CA-2003-25 (http://www.cert.org/advisories/CA-2003-25.html)

  17. Re:NX protection off by default in SP2 by Dogers · · Score: 2, Informative

    "off by default for usermode apps"

    the only computers that can currently use this right now are those with Athlon64's or Opteron servers.

    What's so scary, exactly?

    --
    I am a viral sig. Please copy me and help me spread. Thank you.
  18. Making it small is the trick by Oestergaard · · Score: 5, Informative

    What you do when you want a large system to be secure:

    You implement a very small "core" or "security kernel" or "call it what you like". It is called a "reference monitor" in TCSEC. It is a piece of code that will be asked "can subject X do operation Y on object Z", whenever a user or program attempts any operation on any object (like a file or a network connection). This piece of code is so small and simple that you can inspect it and possibly even formally *prove* it to be correct.

    The operating system kernel will then guarantee that the reference monitor is consulted on all such operations. This is, after all, what operating system kernels do, among other things.

    Now; you can write a simple security policy for each subsystem in your operating system. One policy for your browser, one for your word processor, one for your regular secretaries, one for your accountants, etc. (a real OS with these features will of course have the majority of all policies set up and ready by default).

    The system will now enforce the security policies on everything that goes on in the system. Because the OS is enforcing these policies, and because the subsystems cannot magically change the security policies set up for them, this is called "Mandatory Access Controls", or MAC for short.

    MAC ensures that a bug in, say, your browser, cannot be exploited to, say, go thru your documents and harvest e-mail addresses. Simply because the system policy does not allow a browser with internet access to access local documents. Just an example.

    This is how secure systems are built. This is what SELinux is trying to do, and this is what Trusted Solaris has done for a while. This is what is required if you want a TCSEC certification in the B (or A) class, not the kindergarten-security of the C class.

    Or, under the common criteria, this is what you need to get certification against the LSPP (as Trusted Solaris has), instead of the kindergarten-security CAPP (as Win2000 can have in certain restricted setups), or even the home-grown "security targets" (which SuSE got).

    This is old and well known technology. Too bad big businesses and governments never put pressure on the vendors to actually have real security built in.

    Good to see SELinux coming along nicely, and Sun moving Trusted Solaris features into Solaris 10.

    All is not lost - but trust me, they will be selling snow-cones in hell before you see MAC in Windows.
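
The reference monitor and per-subsystem policies described in the comment above, as an added example (not part of the original comment and not code from SELinux or Trusted Solaris). The domain names, labels, paths and policy entries are constructed for illustration.

```python
from types import MappingProxyType

# Constructed labels: object name prefix -> security label. A real system
# labels the objects themselves (inodes, sockets), not path strings.
LABELS = (
    ("/home/alice/Documents/", "user_doc"),
    ("/home/alice/.browser/", "browser_cache"),
    ("/etc/security/policy", "policy"),
    ("net:", "internet"),
)

# Constructed policy: (subject domain, object label) -> allowed operations.
# Read-only mapping: no subsystem can change its own policy at run time.
POLICY = MappingProxyType({
    ("browser", "internet"): frozenset({"connect", "read", "write"}),
    ("browser", "browser_cache"): frozenset({"read", "write"}),
    ("word_processor", "user_doc"): frozenset({"read", "write"}),
})

def label_of(obj):
    return next((lab for pre, lab in LABELS if obj.startswith(pre)), "unlabeled")

def reference_monitor(domain, operation, obj):
    """Can subject X do operation Y on object Z? Anything not listed is denied."""
    return operation in POLICY.get((domain, label_of(obj)), frozenset())

class Kernel:
    """Every operation goes through syscall(), so the monitor is always consulted."""
    def __init__(self):
        self.audit = []

    def syscall(self, domain, operation, obj):
        allowed = reference_monitor(domain, operation, obj)
        self.audit.append((domain, operation, obj, allowed))
        if not allowed:
            raise PermissionError(f"{domain}: {operation} on {obj} denied")
        return f"{operation} {obj}"

def demo():
    kernel = Kernel()
    attempts = [
        ("browser", "connect", "net:example.org:443"),
        ("browser", "read", "/home/alice/Documents/contacts.txt"),  # harvesting
        ("browser", "write", "/etc/security/policy"),  # policy tampering
        ("word_processor", "read", "/home/alice/Documents/contacts.txt"),
        ("word_processor", "connect", "net:example.org:443"),
    ]
    for attempt in attempts:
        try:
            kernel.syscall(*attempt)
        except PermissionError:
            pass  # denied operations are still recorded in the audit trail
    return [allowed for *_, allowed in kernel.audit]

if __name__ == "__main__":
    print(demo())
```

The browser domain keeps its network access but is refused both the document read and the policy write, regardless of which user account it runs under.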

  19. Re:News for Nerds. Stuff that matters. by Anonymous Coward · · Score: 1, Informative

    So, you're saying that there's nothing wrong with SP2?

    Numen didn't say anything relating specifically to SP2 other than the fact that Slashdot editors try to find any small piece of information regarding Microsoft, and put their little slant into it just to bash Microsoft. It's easy to tell, just look at all the anti-SP2 articles that Slashdot has been posting in the past few weeks. First they complain about security problems in Windows (and how MS uses backward-compatibility as an excuse to not fix them), then they complain about Microsoft delaying SP2 (holy shit, you mean they test this stuff?), and then they complain about some old stuff not working after SP2 is installed (because of backward compatibility issues), and they complain about the firewall features. It just goes on and on.

    Not hard to see unless you are completely biased. But hey, what am I saying, this is Slashdot right?

    Or are you saying that everyone, including those that do know better, should carry on giving MS a free pass on their shit products for another 20 years?

    If you know better, you will use the product that helps you complete your task - use the best tool for the job. Linux is great for certain tasks, but on the desktop it does not compare to Windows on many fronts. If you want to call Microsoft products shit, at least at the desktop level, then I would hate to see how Linux products are compared.

  20. Re:Where is SP2... by mr_z_beeblebrox · · Score: 2, Informative

    actually it's not available through Windows Update OR Automatic Update (yet). It's only available as a direct download from here

    Actually it is available both ways. The auto update method is kind of neat because it does not show up as an available download but downloads as a background download. Eventually the computer advertises updates to install and SP2 is one of them. I do not know if there is a special way to cause this behavior or not. I administer about 70 PCs and of those SP2 has appeared on around 20 of them?

  21. Re:'Flaws' Not that big of a deal by vk2 · · Score: 2, Informative
    What part of the poll disclaimer don't you understand?

    This whole thing is wildly inaccurate. Rounding errors, ballot stuffers, dynamic IPs, firewalls. If you're using these numbers to do anything important, you're insane.

    --
    No Sig for you.!
  22. Re:Where is SP2... by ManxStef · · Score: 4, Informative

    XP SP2 was definitely made available on the 16th (Monday) for Software Update Services (SUS - soon to be called WUS), 'cause it shows up in my list of downloaded updates (and there was a big spike of incoming traffic in my MRTG logs on Monday morning) - not that I'll be approving it just yet ;) Whether they've pulled it from this distribution channel I'm not sure, but given that most SUS installs update daily it's probably too late to bother.

    BTW, for any small NT network admins I'd highly recommend SUS. It's basically the same as Automatic Updates but centralized to one (or more) of your servers, saving you bandwidth and allowing control of which patches are approved for internal distribution (so can hold back until you've done your testing), amongst other things. For more info see the link above; it's remarkably easy to set up and roll out.
  23. Depends on the condition of the PC at the time. by Vandil+X · · Score: 4, Informative

    My wife and I both own 3G iPods (connected via Firewire) and using the latest firmware.

    No problems under Service Pack 2 whatsoever, though Windows Firewall did fuss about iTunes wanting to connect to the Internet.

    From my experience, many of the times when an OS/feature breaks from a service pack installation, it's because the user's PC was already damaged by corrupt files, registry entries, or "tweaks". The Service Pack simply exposed them.

    --
    Up, Up, Down, Down, Left, Right, Left, Right, B, A, START
  24. Re:Isn't that the ideal of OpenBSD by skiman1979 · · Score: 2, Informative
    deleting various system files such as explorer.exe

    That may be a bit misleading. Explorer.exe is set (on my system at least) so users in the Everyone group and the Power Users group can only read and execute this file. Members of the Administrators group and the SYSTEM account have full control. I'm sure other key files on the system are set this way as well.

    The problem with Windows XP (and 2000?) isn't really that it allows users to delete key files, but that the default installation (at least in XP) makes the user a local administrator. Since the user is a local admin, he or she can delete these files. Most average Windows users are not aware of this, so they don't know that they can (or should) switch it. Running a Windows system as a normal user would cut down a bit on these problems and others.

    Any installation manual on linux I've seen informs the user that he or she should create a regular user account. Even the graphical installers (e.g., Mandrake) have a screen to create a normal user account. This way, linux users do not run the entire system as root (unless they purposely do not create a user account or choose not to log in with it).

    --
    Having a smoking section in a public restaurant is like having a peeing section in a public swimming pool.
  25. Re:Oh? I can't run linux as root? by LurkerXXX · · Score: 4, Informative
    You are out of date. In 2000 and XP, as a normal user, if you want to run a program as admin (or any other user), just shift-right-click on the program, an option menu pops up with one of the choices being "run-as". You can type in the account you want the program to run under, and bam, you're done.

    Like most things with computers, it's a matter of user-education. (Including users of other OS's which bash it because they don't know how to properly run it)

  26. The runas command by EXrider · · Score: 2, Informative

    Actually there is something kind of like sudo that's been in windows since 2000 called runas. It doesn't always work as expected, but for the most part it is useful. Open a command line and type runas /? to see how it works. I just wish it was more consistent across the system. Sometimes you can right-click on an executable or shortcut and you get the runas context menu item, then sometimes you don't! In those cases you have to execute it from the command line. I've actually even seen some installers prompt you for login info if you're trying to install it under a normal user account.

    I use it to control services that like to crap out all the time on users' machines, like the print spooler service; said user has their printer shared, and like 50 different applications open, and of course they've gone on break without saving anything, and everyone's too lazy to use the printer in the print room, so I right-click on the services icon in the control panel and login as myself to run the services control panel under the user's account (whew! longest sentence evar!).

    Sometimes I launch iexplore.exe using runas to do various tasks like changing file permissions and stuff. Just don't try to launch explorer.exe using runas!

    --
    grep -iw skynet /etc/services
  27. Re:'Flaws' Not that big of a deal by Spy+Hunter · · Score: 2, Informative

    Heise is! Didn't you even notice the "sample email worm" given by heise? How did this get modified informative? Stupid crack-smoking mods. Aren't you familiar with the oh-so-popular "email with executable attached that the user must manually run to start the virus"? Once the machine is compromised, the game is already over, because the virus can run whatever code it wants regardless of WinXP's new security features.

    --
    main(c,r){for(r=32;r;) printf(++c>31?c=!r--,"\n":c<r?" ":~c&r?" `":" #");}
  28. Re:Execute.me by bushidocoder · · Score: 4, Informative

    There was actually a lot of chat about where this protection should be placed prior to SP2 RC1 and the general consensus among developers (both in and out of MS) was that it should be placed in explorer. The problem with making it kernel level is that applications which use web auto-update methods to retrieve new binary versions of executables or dlls would block on an exec or CreateProcessEx and prompt the user. This would be such a pain in the ass and confusing in user space that it appeared most developers would rather invent their own auto-update strategies than take advantage of the strategies MS is beginning to push on the market. In the end, it's more beneficial to end users to have a uniform update model - a uniform update model means that in the next generation of Windows Update Services, enterprises will be able to deploy updates and patches to all types of software regardless of vendors from a centralized repository. Also, it helps consumers in future versions of Windows Update when MS begins to allow third party signed binaries to be hosted on Windows Update itself.

  29. Re:'Flaws' Not that big of a deal by sqlrob · · Score: 2, Informative

    chmod a+x readme.txt

  30. Re:Where is SP2... by Anonymous Coward · · Score: 1, Informative

    I work for MS thus the AC (so you can choose to believe me or not, whatever). I know the guys managing the project (the distribution, not the actual SP2 development, don't know those guys), they planned for 2 million a day via auto update and for the first few days were doing that. I haven't spoken to them this week so not sure if they have stuck to that or not, but that was definitely the plan.