Slashdot Mirror


Ten Security Bulletins From Microsoft

wschalle writes "Microsoft has released 10 "new" security bulletins, including one pertaining to a vulnerability in the Windows Shell, apparently exploitable via the web. The shell vulnerability only allows code execution as the user viewing the malicious web site. Aren't you glad your shell is web-enabled? The recent GDI+ vulnerability is re-released here as well as a vulnerability in zip compression handling."

30 of 392 comments

  1. another reason to learn linux by pawnIII · · Score: 3, Insightful

    Man, I seriously need to learn Linux asap. If not cause of all the super holes found lately, as for the fact Microsoft doesn't seem to care too much about the user base.

    1. Re:another reason to learn linux by murderlegendre · · Score: 1, Insightful

      You should learn Linux anyway, if you are curious about it. If you enjoy computers, you will really appreciate what you can learn from Linux.

      In terms of security, a well patched Linux system is almost certainly better than an unpatched Windows system. Microsoft provides the occasionally useful security patch, but if you stay aware, you will do better with Linux.. for now.

      --
      There's a Starman, waiting in the sky / He'd like to come and meet us, but he hasn't got the time.
    2. Re:another reason to learn linux by sploo22 · · Score: 4, Insightful

      Yeah, for about 10 times more applications.

      --
      Karma: Segmentation fault (tried to dereference a null post)
  2. Re:Shell enabled depends. by xsecrets · · Score: 5, Insightful

    links or lynx are programs; they are not integrated into the shell. I don't think you understand what a shell is.

  3. Re:Insane by jerw134 · · Score: 3, Insightful

    Don't forget to thank the fine people at Mozilla as well. Their software recently allowed exploits in bitmap files.

  4. Re:Shell exploit runs as user by Anonymous Coward · · Score: 3, Insightful


    So if your user has admin rights (as all at my site do b/c our toolset requires it) then you're screwed if they go to a mal-site.

    Your 'toolset' requirements are kinda setting you up for the inevitable don't ya think?

  5. Re:My by ADRA · · Score: 4, Insightful

    Wouldn't that imply that they knew about this problem way before Service Pack 2, and they're just now getting around to rolling those patches into previous releases?

    --
    Bye!
  6. Re:My by pbranes · · Score: 4, Insightful

    Not really. It implies that Microsoft changed the security in IE so that it would be much less likely to be vulnerable to certain types of situations. An analogous example is adding the No Execute (NX) code to hardware and software. It doesn't prevent coding mistakes, but it does prevent many ways of exploiting coding mistakes.

  7. Comment removed by account_deleted · · Score: 2, Insightful

    Comment removed based on user account deletion

  8. This better not be the end by jack's+wasted+liver · · Score: 2, Insightful

    Seriously, I hope that Microsoft gets their act together before too long.

    I'm a little worried about the possibility of a "final" windows exploit that quickly and without warning kills every MS box it touches.
    All these vulnerabilities are a bit disheartening.

    Either Microsoft is really combing over their programs for errors or they are in trouble.
    Kind of makes me happy that I only rely on free/open source programs.

  9. "only" by Anonymous Coward · · Score: 5, Insightful

    The shell vulnerability only allows code execution as the user viewing the malicious web site.

    On most XP installations, the only user is "Administrator".

  10. Comment removed by account_deleted · · Score: 1, Insightful

    Comment removed based on user account deletion

  11. Only one affects SP2...and more surprises by diegocgteleline.es · · Score: 2, Insightful

    Only one vulnerability affects SP2. In fact, the XP SP2 (desktop OS, you know) had fewer vulnerabilities than win 2k3/XPSP1, which shows the huge progress made in the SP2. I don't know how to take this..."good" because SP2 is good, or "bad" because the server OS is more insecure than the desktop OS. In any case, they're porting the work they did in SP2 to win 2003, so we'll see. They've raised the bar with the SP2, IMHO.

  12. Market share?? by Anonymous Coward · · Score: 5, Insightful

    Why are there more big announcements about MS patches?

    Because MS is the dominant OS, and many Slashdot readers need to know about these things.

    There have been Slashdot articles on Linux bugs, but fewer. Why? Maybe because there are fewer critical bugs. Why? Market share.

    Not everything is anti-MS. Some of it is just reality.

    desiv

  13. Re:Love this from the remote shell exploit faq by vijaya_chandra · · Score: 4, Insightful

    You must be new here not to realise the thinking behind that

    a) Faq says the patch's not critical
    b) Joe doesn't include this in the critical patches he's downloaded on to his system
    c) boom! the system goes down the next week because of the msplaster virus targeting this vulnerability
    d) Joe's not sure about the reason for the crash and re-installs the OS
    e) (c) again after a week
    f) Joe gets frustrated and contacts MS support ppl, who inform him that the brand new Microsoft Windows XP Professional with Service Pack 2, has everything to avoid such crashes
    g) Joe buys what they say

    windows_xp_sales++

    easy!

  14. Remote Vuls by wastedimage · · Score: 3, Insightful

    Has anyone else noticed how everything is now classified as remote? For the zip one you have to download the file and then attempt to unzip it. THAT'S NOT REMOTE. You downloaded it and then got exploited. It's running local context! It's local! Remote for example would be the NNTP. Where a remote user directly exploits you without any user interaction.

    I extend this classification to the GDI vuls. They are downloaded and then rendered by windows. Why should it matter that it's not an executable file. From a 3rd party perspective it looks the exact same as someone downloading and running a trojan. It shouldn't matter how clever they are in hiding the execution or downloading of the file, if it runs in local context it's LOCAL.

    Fuck I'm so tired of seeing remote vul tacked on to everything.

  15. Re:News For Nerds?? by Foofoobar · · Score: 2, Insightful

    For a presumably pro-Windows post, I wonder why you choose to be an Anonymous Coward especially when your product is so loved by everyone. :)

    --
    This is my sig. There are many like it but this one is mine.
  16. Re:My by j0217995 · · Score: 3, Insightful

    Ah, the beauty of Software Update Services... Sync'd w/ windowsupdate.microsoft.com. Test systems checked in first and had no problems. The joy of coming in and seeing the patches installed when people turn on their computers in the morning. Yawn, another MS patch done, that was like what 15 minutes of work?

  17. Re:Aren't you glad you need admin privileges ... by Anonymous Coward · · Score: 1, Insightful

    Aren't you glad you need admin privileges for day-to-day operations on too many windows boxes?

    What day-to-day operations are these? If your user is configured appropriately, you shouldn't have difficulty doing "day-to-day" stuff. Now, are you talking about applications that are coded to assume you have admin privs? We rail and rail against MS because they "force" us to run as admins - when it's really the fault of application developers. Unless you can give some specific examples.

    Aren't you glad that even if you can get by without admin privileges, you can still completely hose your own files just by visiting the wrong website?

    Is this an attack on MS Windows, or on computers in general? What platform is this *not* the case on? Remember the Firefox vulnerability that would permit files in your download directory to be deleted?

  18. Yeah, only 999 systems to go. by Anonymous Coward · · Score: 0, Insightful

    I can tell you aren't an admin with 1,000 PC's to deal with. Say, how many months would it take you to do the other 999? And how much money would that cost your employer? And how much would that add to the prices that your employer's customers have to pay to cover it?

    1. Re:Yeah, only 999 systems to go. by j0217995 · · Score: 2, Insightful

      Currently none of those windows boxes, all 100 in my organization are connected directly through the firewall. With anti-virus, intrusion detection and intrusion prevention, and a desktop intrusion prevention device there is no big panic in a new patch. All 100 of those PCs will check into the SUS server, grab and install the updates. If I had 1,000 PCs, I'd set up a more powerful software management system; off the top of my head, Altiris would do a great job.

  19. Unfortunately... by jd · · Score: 1, Insightful

    ...As the compiler isn't a "core component", it presumably wasn't compiled this way, and therefore may produce incorrect code, which implies that the buffer overruns may still be there.

    A complex web of inter-depending systems is never going to be more trustable than the least trustable system in the web.

    --
    It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
  20. Re:At least with windows by NotoriousQ · · Score: 4, Insightful

    Why run a firewall at all?

    If you are directly connected to the net, then this is a standalone machine, and does not need to have any sockets open, except that which is supposed to be used on the net. Turn off unnecessary services, or switch them to local mode only. AFAIK, there are no vulnerabilities for closed ports.

    If you have a LAN, then there is something that separates the LAN from the internet. This should not be your desktop machine.

    If you have two machines separately on the net, then you should use ssh tunnels between them. That is more secure than firewalls anyway.

    Outgoing connections? May I ask why are you running spyware?

    Filtering ICMP? Why would you want to break network standards again. It is because of you the net is a pain to use. I like getting messages that my connection failed instead of waiting for 60 seconds.

    People firewall for a simple reason: to have open services inside the network, and not outside. At this point you should be capable enough to either do it yourself, or have a complete solution (although NAT is not a firewall, it behaves as one)

    As far as I am concerned there should be no need to run any firewalls on the desktop. In fact it is a sign of poor management, or a patch to a bigger problem (not trusting your own computer).

    Is there something I am missing?

    --
    badness 10000
  21. Re:How is this different by jd · · Score: 5, Insightful

    Three of the holes were for "server" editions of Windows. This means that what the user does is largely irrelevant. If the server gets compromised (and, yes, NNTP and SMTP are listed amongst the systems with holes) then you could very easily end up with hostile code on your machine, no matter how updated it may be.

    As far as Linux is concerned, a properly configured Linux box is relatively secure, even if the applications have holes. This is because you can run most servers under restricted user IDs and/or in chroot-ed environments. This means that someone breaking into a server application can't really go anywhere.

    Linux' main "weakness" (diversity of implementations) is also its great strength on this. A Linux virus won't necessarily work on all Linux machines, because it is going to make assumptions about the nature of that machine which may not hold true. Applications can be configured on installation by the admin, but viruses don't usually get that benefit.

    Finally, Linux has some extensions which make it bullet-proof against many types of attack. Mandatory Access Controls and filesystem ACLs mean that you can have an extremely fine-grained level of control over who can do what. This means that if some server software has a user ID of N, but N only has read permissions on N's files, then compromising the server can't even allow an attacker to modify the files they supposedly own.

    All this means that Linux applications don't need to be that secure. The security is provided. It is helpful if they ARE secure, but it's not essential. With Windows, this isn't the case. The level of security isn't that great, and as more and more is integrated into the kernel, the vulnerabilities within any given application become ever-more dangerous to other parts of the OS.

    --
    It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
  22. Re:Love this from the remote shell exploit faq by AKnightCowboy · · Score: 3, Insightful

    If you're still running Windows 98 or Windows ME then you really deserve to get burned. Windows XP has been out for years and is patched against this vulnerability. I mean for crying out loud. Red Hat 9 isn't patched against many recent vulnerabilities and that's less than 2 years old, so cut Microsoft some slack for not supporting a 6 year old operating system version. That'd be like expecting Red Hat to still support 6.0.

  23. Why firewall? Because the world isn't perfect by KWTm · · Score: 4, Insightful

    If I could summarize, you are saying that the desktop machine should be configured well and securely so that a firewall is not needed.

    To answer your question, a firewall is for damage control when you don't know (or realize too late) that your machine is not perfectly configured. Some program has some vulnerability, or a trojan, or something. You are right --it SHOULD not be this way; but when it just IS, and the trojan starts spamming people or transmitting your private PGP keys onto IRC, the firewall is there to say, "Hey, waitaminnit, something weird is going on here."

    A firewall is like a fireman. You hope that it doesn't have to do anything but sit there.

    --
    404555974007725459910684486621289147856453481154 in hex is "You sank my Battleship?"
    [GPG key in journal]
  24. MS benefits from repeated security holes! by ryanwarren · · Score: 2, Insightful

    This is my first post, hello all. /. is great! I think that some users actually enjoy downloading the updates. Sure, MS has new vulnerabilities every week it seems, but that's become a standard now, and I think that MS could use it to their advantage. You think the scene with MS could be worse? Hell yes... MS could have all their customers' lives constantly put on halt, except on Fridays when MS releases an update that will only last for 1 day before another hole is found... Here is the way it actually is... If you get the majority of MS users to download a patch for some security hole, that never affected them in the first place, then they feel cared for and protected. The rate at which MS releases patches, vs the rate at which people's lives grind to a halt because of the holes, is in favour of releasing. And just food for thought, some marketing strategies done during heavy war times, are products that 'enhance' your life, make it more 'efficient', and protect you. So maybe while you consume updates you 'battle ready your PC'! Post your thoughts!

  25. Re:Aren't you glad you need admin privileges ... by Foolhardy · · Score: 5, Insightful

    Many applications and games require admin privileges to install. Windows Update requires admin privileges. etc etc.

    So run only those programs as admin. Windows NT is (and always has been) multi-user. See RunAs, PsExec, SUD, etc. It would be a pretty lame excuse if I said that I had to run as root on Linux all the time because upgrading the kernel requires root access. You'd tell me to use su; do the same thing on Windows.

    Compare that to the Millions of Windows machines completely infected with spyware right now because Microsoft has no clue how to secure a web browser.

    That's funny, I've used IE without getting any malware.

    Here's a better reason that so many computers are plugged: ignorant users that are gullible, believe everything they see on the Internet, and press yes or OK on every dialog box just to get them to go away (without reading them or caring about the content). This is just as possible with Firefox or KDE or any other complex system that people use: you can make resistance to stupidity, but stupidity will always win some battles.

    Could Microsoft make the resistance higher? I guess. But then they would have to contend with cries of incompatibility and non-ease of use. It's a precarious balance.

    You'd like more security, but you aren't a shareholder of Microsoft; I'm sure the company has done much research that says that invasive security makes users mad and reduces sales.

    But combine users running by default as Admin [...]

    Yes, the admin default sucks for security. It is also only a default and so completely avoidable; the fact that users don't avoid it speaks of their ignorance.

    If Windows XP automatically logged you on as a non-admin user, most people would be lost; they would have no idea why they can't install their new software. All they see is an ugly dialog box they don't understand and it isn't working. This news would get out, XP would be branded as impossible to use because some dumb columnist couldn't install Quicken 200X, and nobody would buy it. They would still be using 98 or ME with zero local security. Because it's easier than dealing with security hassles. These are the same people who have no idea what the consequences of installing Gator or whatever are, and if you try to tell them about it, they glaze over and continue to do what they always have done.

  26. Re:How is this different by Foolhardy · · Score: 1, Insightful

    If the server gets compromised (and, yes, NNTP and SMTP are listed amongst the systems with holes) then you could very easily end up with hostile code on your machine, no matter how updated it may be.

    So you download programs and give them privileged access on your computer based solely on the server they came from? That kind of trust should require you to trust that the server admins keep their computers up to date and would be aware of external control. You ought to have spoofing protection (mutual authentication) or it could all be for naught; you might not even be talking to your trusted server. This is not unique to Windows; it should apply to all secure networked environments.

    As far as Linux is concerned, a properly configured Linux box is relatively secure, even if the applications have holes. This is because you can run most servers under restricted user IDs and/or in chroot-ed environments. This means that someone breaking into a server application can't really go anywhere.

    The same is true on Windows. Services can be run under the security context of any user account with the SE_SERVICE_LOGON_NAME privilege. A service running under a normal user would be unable to compromise the system without first exploiting a local kernel vulnerability. Can you name any current NT kernel vulns?

    Finally, Linux has some extensions which make it bullet-proof against many types of attack. Mandatory Access Controls and filesystem ACLs mean that you can have an extremely fine-grained level of control over who can do what. This means that if some server software has a user ID of N, but N only has read permissions on N's files, then compromising the server can't even allow an attacker to modify the files they supposedly own.

    NTFS has always had file ACLs. You can easily do everything you describe with them.

    All this means that Linux applications don't need to be that secure. The security is provided. It is helpful if they ARE secure, but it's not essential. With Windows, this isn't the case.

    How's this? Windows NT has all the local security that a standard unix does. Use it.

    The level of security isn't that great, and as more and more is integrated into the kernel, the vulnerabilities within any given application become ever-more dangerous to other parts of the OS.

    What, specifically, are you talking about 'integrated into the kernel'? First, are you referring to things running in kernel mode or things that are actually part of the kernel itself? Can you provide an example of something integrated in the kernel that shouldn't be there, or better yet: something that is causing a security vulnerability?

  27. What? by Barlo_Mung_42 · · Score: 2, Insightful

    The compiler isn't a component in the end user system at all. It is the software used to build the system. A buffer overrun almost always causes the app to crash so it is safe to assume that the build system at MS does not have an overrun.
    So I have no idea what you are talking about and suspect that neither do you.