Slashdot Mirror
Ten Security Bulletins From Microsoft
wschalle writes "Microsoft has released 10 "new" security bulletins, including one pertaining to a vulnerability in the Windows Shell, apparently exploitable via the web. The shell vulnerability only allows code execution as the user viewing the malicious web site. Aren't you glad your shell is web-enabled? The recent GDI+ vulnerability is re-released here as well as a vulnerability in zip compression handling."
It's nice to know that they have made security such a high priority. Hopefully their next high priority will be 'doing something about it'.
This is my sig. There are many like it but this one is mine.
well, technically Links and Lynx are not parts of the shell.
Links or Lynx are both programs that can be called from a Linux Shell. (Command Line Interface)
Bad Troll, no Internet Cookies for you!
Just in case anyone is wondering, SP2 is not affected by any of these vulnerabilities, except for MS04-038. That's the fix for the "drag-and-drop" vulnerability that everyone's been crowing about.
Its interesting to note that the most critical patches - those for remote code execution - do not affect Windows XP with Service Pack 2 installed. When Microsoft built SP2, they did a lot of things right. IE has better security, for one. At my corporation, I have pushed out the updates with SUS already, but I am not too worried about this. I have already implemented SP2 across the corporation, and I am much more secure now than I was without SP2. Yeah, I know that security is a process, not a product, but SP2 helps that process a lot.
There are a number of user-friendly configuration tools for iptables. FireStarter is the first one that comes to mind, though there are others.
I must wonder...does this have to do with another story?
The newest version of XP is the safest and most secure version yet. Try counting how many of those bulletins have to do with SP2.
knoppix
me fail english? thats unpossible
hmmm. for comparison, Fedora has released 10 security patches since ...
2004-09-15
SLASHDOT: news for people who can't concentrate on work or have no life at all and got tired of yelling back at the TV.
or you could just use any frontend, like:
http://www.e3.com.au/firewall/index.php
People like myself that use LiteStep for a shell under Win32 don't have to deal with the memory overhead of a web-enabled shell, or these web-based exploits.
It's pretty cool and it's open source and stable (unlike Windows sometimes) and has a decent-size user base, eventhough most of the themes are pretty worthless. (Then again, for any themable program, aren't the bulk of the themes crap?)
Anyhow, people that are stuck using Windows like I am (Lycoris' Tablet PC version of Linux is next to featureless) should give it a try, if nothing else but as a preventative measure against future bugs like this.
Actually, you don't even need Links or Lynx to have a web-enabled *nix shell. Bash can read from and write to any UDP or TCP port. For example:
orCmd.exe is the command line shell. The Windows shell is explorer.exe (which now has IE built in, or something like, as of Windows 98 you can surf the web from the "My Computer" Icon). Explorer has been the Windows shell since Windows 95. Before Windows 95 it used to be progman.exe (the Program Manager).
http://www.cert.org/advisories/CA-2002-07.html
You're welcome.
Why not? GCC has had it since 2001.
Karma: Segmentation fault (tried to dereference a null post)
Are you saying this doesn't happen with Linux? You do realize where the term "rootkit" originated, yes?
not plane, nor bird, nor even frog...
It doesn't eliminate all cases, of course, but the /GS compiler flag for Visual C++ does eliminate many of them. In essence, it checks if the return address has been trashed, and throws an exception if it has. Your app still crashes, but that's probably better than being 0wn3d.
Yes, it is possible to circumvent, and there are of course other kinds of attacks/bugs which this doesn't help with. Nor is it a substitute for actually fixing those buffer overflow problems. However, all that said, it's still a good extra level of defense that does improve the security of the system and apps by substantially mitigating a large class of potential bugs.
Actually CNET News.com is reporting 22 not 10. That's quite the grouping.
none of these vulnerabilities are known to be exploited.
1 31 4200&tid=172&tid=128&tid=1
That will change.
On the other hand, I wonder why things like these for soem reason never get posted.
Actually that did get posted.
http://it.slashdot.org/article.pl?sid=04/09/04/
Well, that's a tautology: if they're vulnerable, they're vulnerable. The point is that vulnerabilities are more likely, and more likely to be serious, in a web enabled shell than a plain web browser.
You see, "web enabled shell" means that the same piece of software is both your web browser and your application launcher. That makes it much easier for a flaw to cross over between the two uses, i.e. a flaw on the browsing side causing a (malicious) application to be launched.
Web enabled shells are a bad a idea because they combine two things that don't need to be combined in a way that creates a lot of risk. Browsers and shells work just fine when they're separate, for example Lynx and Bash.
As far as I know, no such thing exists. If it did, it would get a lot of sarcastic comments, and for a similar reason: PHP is run on the server side because that's where it belongs. As a result, it's very unlikely that even a serious PHP vulnerability will affect data that is stored on your desktop. Putting PHP in the browser would be risky, which is probably why it hasn't been done (as far as I know).
It's more like, "Aren't you glad your lawn mower is toilet enabled?" You should have them both, but not as an integrated unit.
-- . . ramblin' . . .
This batch of patches includes one for Office XP. After installing I now find that all Office XP applications pop up a window requiring me to accept an obnoxious EULA; if you decline the application closes. So far I can't find a way to uninstall, I may have to roll back the whole machine to get Office functioning again without accepting this. Be warned.
>>> It would actually mean that Microsoft built the SP2 updates with a new compiler that basically eliminates any possibility of buffer overflows.
While the new compiler additions detect some buffer overruns/underruns, note that there is no way to get 100% buffer overrun detection with commercial C++ compilers. Usually, these overruns are detected by a variety of methods, like putting canary "values" at the beginning and/or at the end of each of the protected data buffers. These canary values are checked at certain moments of time, usually at the end of the buffer data lieftime - for example for stack-allocated blocks they are checked on routine exit; for heap allocated blocks when the blocks are freed.
The problem with canaries is that they won't detect memory writes that write directly in other "valid" data buffers. For example thread 1 writing overwriting the contents of some local variables in another stack, manipulated by thread 2.
There are other techniques, for example checksums for the user-mode data structures (like stack frames, C++ VTABLEs, heap data structures, constant data, etc). But these techniques have limited use too.
In addition, a malicious piece of code can always workaround the canary/checksum detection. The moment this malicious code has a chance to run in yoru process, all bets are off. It can eventually change the exception trap handlers, etc.
The only way to get 100% protection from buffer overruns would be to run Java/C#/VB.NET code (with certain restictions of course, for example avoiding unsafe code in C#). That said, you can also avoid buffer overruns to a certain degree in C++ too if you use proper class libraries like STL that perform things like automatic array bound checks, etc.
Don't try to use the force. Do or do not, there is no try.
How many times do I have to tell the computer that Firefox is my default browser?
Once, if Firefox is registered as the default browser correctly. My machine gets it right, why doesn't yours?
With SP2, XP has been annoyingly telling me I may not be protected (I run without anti-virus but am locked down regardless and still scan regularly- with no virus or reinstall in 2 years).
Two options:
1) Update your AV software to a version that tells the security center when it is up to date.
2) Select the "I will manage my AV software myself" option, and the security center won't bug you about any AV related details.
In today's update, it keeps nagging me to reboot.
Your computer is still vulnerable until you reboot the machine. What's the point of applying the patch if the updated files don't get loaded?
And why do I have to sign yet another goddamned EULA to install critical patches?
For the same reason every company requires you to sign a EULA before installing/updating software. If you want a detailed reason, ask the lawyers.
As I don't know how to copy paste in elinks...
Regarding your mention of running certain apps using RunAs, PsExec, etc... it doesn't exactly work well. I've said it before and have begun sounding like a busted CD. Multi-user in Windows doesn't really work very well. Include the fact that most developers never take the multi-user environment into consideration.
Here's my example. I will not state a specific app since RunAs works for some, but not most apps out there. Run an app with RunAs. It loads with Administrator priviledges. It will then try to load settings stored in Documents and Settings. There's your problem. Most apps attempt to load stuff off of the current user account, not the account you RunAs'ed. So the app loads with Admin priviledges. But it loads data from the current logged-in account. To Joe Public, these makes the Windows look even more broken... which, as a true multi-user platform, it is.
1. Security in depth. Multilayered security = A Good Thing. ...and they're not on port 80...!
2. True, there shouldn't be ports we don't know about on user's PC's, but how about when they pop one open without knowing? They can't download or receive numerous file types & their peripherals are disabled, but users will be users. I've seen programs installed that install telnet or tftp servers. A decent personal firewall setup will alert the user *and* log that alert to a central console.
3. Mistakes happen. A nameless colleague quit-out halfway through creating a firewall rule. The default action is to create the rule regardless, so for 20 minutes a bunch of workstations were waaaay more accessible than they should be. Worms were spotted.
4. It's disastrous to think "We've got a firewall, ergo we're secure" (see above). Common example: User sits in internet cafe with laptop, some floppies, usb devices & cd rom. Effectively spreads legs & asks the world to infect him. Next day, brings laptop back & jacks into the LAN. My sturdy firewall is now worth jack. Personal firewalls all round, please.
5. And yes, I do filter ICMP. I'm sorry that you have to wait 60 seconds for your pings or whatever to fail, but I have to ask why were you scanning my LAN? You want me to turn on file&printer sharing too, so you can see what else is going on? It's my LAN, & within it I'll do whatever I can to keep it secure. Guess what - I run some web services....
As far I'm concerned there are valid reasons to run personal firewalls on the desktop.
Hand-in-hand with user education, security policies, patch management and effective anti-virus solutions they provide a robust & proven security benefit.
You're damn right I don't trust my computer. And I won't do until I control all access in and out, and it tells me when something tries to except those rules. Oh, wait! It does. It's my personal firewall.
> So run only those programs as admin.
On my kids' computer, this includes "Reader Rabbit Baby and Toddler". (Must write directly into video memory or something.) I thought that was pretty neat.
I will look into RunAs, PsExec, SUD, etc. Thanks for the tip.
No, they don't, unfortunately. XP SP2 only adds NX functionality on AMD64 and Itanium, their marketing material just omits to mention this in order to make it sound more secure ;)