Latest SP2 News
Xformer writes "It seems that SP2 for Windows XP isn't as secure as Microsoft touts it to be. Heise Security has uncovered two flaws in SP2's bolstered security measures, both of which may be used to get around the new trusted/untrusted executable origin checks. Of course, who would be surprised by this?" Reader EtherNetFreak writes "Well it appears that at least one hotfix is already available to fix yet another bug in Windows XP, post SP2 application." Reader Finalnight writes "'Microsoft Corp. yesterday delayed yet again its oft-delayed Windows XP Service Pack 2, this time postponing the patch's distribution through the company's Automatic Update service.'"
SP2 isn't available through Windows Update, only through Automatic Update. There is a difference. Automatic Update runs in the background, checking your patch status against MS and downloading as required; it's set up from Control Panel > Automatic Updates. Windows Update is the on-demand website visit. SP2 won't be available through Windows Update until the 25th August.
No.
The attack vectors described are:
and (in an email)
Neither seems likely to be able to self-replicate without user intervention. So no worm then.
My pics.
Until then you need to get it via automatic update or an external installer. However these external installers are somewhat harder to come by than previously, as Microsoft has shut many of them down - which is a shame since they were very fast torrents. Oh well.
Yes, those external installers are very hard to come by indeed! But hopefully downloading directly from Microsoft's gigabit backbone qualifies as being fast enough for ya.
Want to improve your Karma? Instead of "Post Anonymously", try the "Post Humously" option.
They're probably trying to spread the load, and avoid having their servers bogged down by lots of people all trying to download it at once. I read somewhere that they're going to do a geographically-targeted rollout via automatic updates, e.g. one country will get it, then a couple of days later another, and so on.
Also, for modem users, getting it via automatic updates is a much better idea, as that can (I believe) handle resuming downloads, which using windows update probably can't do.
It's official. Most of you are morons.
Actually it's not available through Windows Update OR Automatic Update (yet). It's only available as a direct download from here
It should be out today:
- August 18: Release to Automatic Updates for users running XP Home only
- August 25: Release to Automatic Updates for all XP users, including those running XP Pro, and to Windows Update for interactive user installations
The Sendmail issue you speak of was related to MS^T^TSCO's version of sendmail...
By SearchSecurity.com staff
02 Aug 2004 | SearchSecurity.com
SCO fixes two critical flaws in Sendmail
The SCO Group of Lindon, Utah has issued a fix for two old vulnerabilities in Sendmail that malicious people could use to launch a denial-of-service attack or compromise a vulnerable system. IT security firm Secunia of Copenhagen, Denmark calls the flaws "extremely critical." The first problem can be exploited to cause a denial-of-service attack and could allow a remote attacker to execute arbitrary code with the privileges of the Sendmail daemon, typically root, according to SCO's advisory. The second problem is in the prescan function in Sendmail 8.12.9, which allows remote attackers to execute arbitrary code via buffer overflow attacks. The vulnerabilities affect OpenServer 5.0.6 and 5.0.7. The SCO recommends users install the latest packages.
No, that's SCO's belated response to an 'old' (as you quoted!) advisory CA-2003-25 (http://www.cert.org/advisories/CA-2003-25.html)
What you do when you want a large system to be secure:
You implement a very small "core" or "security kernel" or "call it what you like". It is called a "reference monitor" in TCSEC. It is a piece of code that will be asked "can subject X do operation Y on object Z", whenever a user or program attempts any operation on any object (like a file or a network connection). This piece of code is so small and simple that you can inspect it and possibly even formally *prove* it to be correct.
The operating system kernel will then guarantee that the reference monitor is consulted on all such operations. This is, after all, what operating system kernels do, among other things.
Now; you can write a simple security policy for each subsystem in your operating system. One policy for your browser, one for your word processor, one for your regular secretaries, one for your accountants, etc. (a real OS with these features will of course have the majority of all policies set up and ready by default).
The system will now enforce the security policies on everything that goes on in the system. Because the OS is enforcing these policies, and because the subsystems cannot magically change the security policies set up for them, this is called "Mandatory Access Controls", or MAC for short.
MAC ensures that a bug in, say, your browser, cannot be exploited to, say, go through your documents and harvest e-mail addresses. Simply because the system policy does not allow a browser with internet access to access local documents. Just an example.
This is how secure systems are built. This is what SELinux is trying to do, and this is what Trusted Solaris has done for a while. This is what is required if you want a TCSEC certification in the B (or A) class, not the kindergarten-security of the C class.
Or, under the common criteria, this is what you need to get certification against the LSPP (as Trusted Solaris has), instead of the kindergarten-security CAPP (as Win2000 can have in certain restricted setups), or even the home-grown "security targets" (which SuSE got).
This is old and well known technology. Too bad big businesses and governments never put pressure on the vendors to actually have real security built in.
Good to see SELinux coming along nicely, and Sun moving Trusted Solaris features into Solaris 10.
All is not lost - but trust me, they will be selling snow-cones in hell before you see MAC in Windows.
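The reference-monitor idea in the post above, as an added illustration (not code from the thread, nor from SELinux or Trusted Solaris): every access request goes through one small check function, the policy is default-deny, and changing the policy is itself a mediated operation, so a compromised browser domain cannot grant itself access to local documents. All labels, domains, paths and rules are constructed.

```python
"""Toy reference monitor with mandatory, per-domain policies (constructed example)."""

# Constructed labels: every object the system knows about carries a type label.
LABELS = {
    "/home/alice/contacts.doc": "user_doc_t",
    "/home/alice/.cache/page.html": "cache_t",
    "tcp:203.0.113.10:80": "net_t",
    "/etc/security/policy": "policy_t",
}

# Constructed default-deny allow set: (subject_domain, object_type, operation).
ALLOW = {
    ("browser_t", "net_t", "connect"),
    ("browser_t", "cache_t", "read"),
    ("browser_t", "cache_t", "write"),
    ("wordproc_t", "user_doc_t", "read"),
    ("wordproc_t", "user_doc_t", "write"),
    ("secadm_t", "policy_t", "write"),   # only the admin domain may edit policy
}


class ReferenceMonitor:
    def __init__(self, labels, allow):
        self._labels = dict(labels)
        self._allow = set(allow)
        self.audit = []  # denied requests, kept for detection and review

    def check(self, subject, op, obj):
        """Answer 'can subject do op on obj'. Unlabeled objects are denied."""
        obj_type = self._labels.get(obj)
        ok = obj_type is not None and (subject, obj_type, op) in self._allow
        if not ok:
            self.audit.append((subject, op, obj))
        return ok

    def add_rule(self, subject, rule):
        """Policy edits are mediated too: the subject must be allowed to write policy_t."""
        if not self.check(subject, "write", "/etc/security/policy"):
            return False
        self._allow.add(tuple(rule))
        return True


def demo():
    """Exercise the monitor; returns (decisions, audit log of denials)."""
    rm = ReferenceMonitor(LABELS, ALLOW)
    doc = "/home/alice/contacts.doc"
    results = {
        "browser_net": rm.check("browser_t", "connect", "tcp:203.0.113.10:80"),
        "browser_doc": rm.check("browser_t", "read", doc),          # harvesting attempt
        "wordproc_doc": rm.check("wordproc_t", "read", doc),
        "browser_grant": rm.add_rule("browser_t", ("browser_t", "user_doc_t", "read")),
        "browser_doc_after": rm.check("browser_t", "read", doc),    # still denied
        "admin_grant": rm.add_rule("secadm_t", ("backup_t", "user_doc_t", "read")),
    }
    return results, rm.audit
```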
XP SP2 was definitely made available on the 16th (Monday) for Software Update Services (SUS - soon to be called WUS), 'cause it shows up in my list of downloaded updates (and there was a big spike of incoming traffic in my MRTG logs on Monday morning) - not that I'll be approving it just yet ;) Whether they've pulled it from this distribution channel I'm not sure, but given that most SUS installs update daily it's probably too late to bother.
BTW, for any small NT network admins I'd highly recommend SUS. It's basically the same as Automatic Updates but centralized to one (or more) of your servers, saving you bandwidth and allowing control of which patches are approved for internal distribution (so you can hold back until you've done your testing), amongst other things. For more info see the link above; it's remarkably easy to set up and roll out.
My wife and I both own 3G iPods (connected via Firewire) and using the latest firmware.
No problems under Service Pack 2 whatsoever, though Windows Firewall did fuss about iTunes wanting to connect to the Internet.
From my experience, many of the times when an OS/feature breaks from a service pack installation, it's because the user's PC was already damaged by corrupt files, registry entries, or "tweaks". The Service Pack simply exposed them.
Up, Up, Down, Down, Left, Right, Left, Right, B, A, START
Like most things with computers, it's a matter of user-education. (Including users of other OS's which bash it because they don't know how to properly run it)
There was actually a lot of chat about where this protection should be placed prior to SP2 RC1, and the general consensus among developers (both in and out of MS) was that it should be placed in explorer. The problem with making it kernel level is that applications which use web auto-update methods to retrieve new binary versions of executables or dlls would block on an exec or CreateProcessEx and prompt the user. This would be such a pain in the ass and confusing in user space that it appeared most developers would rather invent their own auto-update strategies than take advantage of the strategies MS is beginning to push on the market. In the end, it's more beneficial to end users to have a uniform update model - a uniform update model means that in the next generation of Windows Update Services, enterprises will be able to deploy updates and patches to all types of software regardless of vendors from a centralized repository. Also, it helps consumers in future versions of Windows Update when MS begins to allow third party signed binaries to be hosted on Windows Update itself.