Ten Security Bulletins From Microsoft
wschalle writes "Microsoft has released 10 "new" security bulletins, including one pertaining to a vulnerability in the Windows Shell, apparently exploitable via the web. The shell vulnerability only allows code execution as the user viewing the malicious web site. Aren't you glad your shell is web-enabled? The recent GDI+ vulnerability is re-released here as well as a vulnerability in zip compression handling."
links or lynx are programs; they are not integrated into the shell. I don't think you understand what a shell is.
Wouldn't that imply that they knew about this problem way before Service Pack 2, and they're just now getting around to rolling those patches into previous releases?
Bye!
Not really. It implies that Microsoft changed the security in IE so that it would be much less likely to be vulnerable to certain types of situations. An analogous example is adding the No Execute (NX) code to hardware and software. It doesn't prevent coding mistakes, but it does prevent many ways of exploiting coding mistakes.
The shell vulnerability only allows code execution as the user viewing the malicious web site.
On most XP installations, the only user is "Administrator".
Why are there more big announcements about MS patches?
Because MS is the dominant OS, and many Slashdot readers need to know about these things.
There have been Slashdot articles on Linux bugs, but fewer. Why? Maybe because there are fewer critical bugs. Why? Market share.
Not everything is anti-MS. Some of it is just reality.
desiv
You must be new here not to realise the thinking behind that
a) FAQ says the patch's not critical
b) Joe doesn't include this in the critical patches he's downloaded onto his system
c) boom! the system goes down the next week because of the msplaster virus targeting this vulnerability
d) Joe's not sure about the reason for the crash and re-installs the OS
e) (c) again after a week
f) Joe gets frustrated and contacts MS support ppl, who inform him that the brand new Microsoft Windows XP Professional with Service Pack 2 has everything to avoid such crashes
g) Joe buys what they say
windows_xp_sales++
easy!
Yeah, for about 10 times more applications.
Karma: Segmentation fault (tried to dereference a null post)
Why run a firewall at all?
If you are directly connected to the net, then this is a standalone machine, and does not need to have any sockets open, except that which is supposed to be used on the net. Turn off unnecessary services, or switch them to local mode only. AFAIK, there are no vulnerabilities for closed ports.
If you have a LAN, then there is something that separates the LAN from the internet. This should not be your desktop machine.
If you have two machines separately on the net, then you should use ssh tunnels between them. That is more secure than firewalls anyway.
Outgoing connections? May I ask why are you running spyware?
Filtering ICMP? Why would you want to break network standards again? It is because of you the net is a pain to use. I like getting messages that my connection failed instead of waiting for 60 seconds.
People firewall for a simple reason: to have open services inside the network, and not outside. At this point you should be capable enough to either do it yourself, or have a complete solution (although NAT is not a firewall, it behaves as one).
As far as I am concerned there should be no need to run any firewalls on the desktop. In fact it is a sign of poor management, or a patch to a bigger problem (not trusting your own computer).
Is there something I am missing?
badness 10000
As far as Linux is concerned, a properly configured Linux box is relatively secure, even if the applications have holes. This is because you can run most servers under restricted user IDs and/or in chroot-ed environments. This means that someone breaking into a server application can't really go anywhere.
Linux' main "weakness" (diversity of implementations) is also its great strength on this. A Linux virus won't necessarily work on all Linux machines, because it is going to make assumptions about the nature of that machine which may not hold true. Applications can be configured on installation by the admin, but viruses don't usually get that benefit.
Finally, Linux has some extensions which make it bullet-proof against many types of attack. Mandatory Access Controls and filesystem ACLs mean that you can have an extremely fine-grained level of control over who can do what. This means that if some server software has a user ID of N, but N only has read permissions on N's files, then compromising the server can't even allow an attacker to modify the files they supposedly own.
All this means that Linux applications don't need to be that secure. The security is provided. It is helpful if they ARE secure, but it's not essential. With Windows, this isn't the case. The level of security isn't that great, and as more and more is integrated into the kernel, the vulnerabilities within any given application become ever-more dangerous to other parts of the OS.
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
If I could summarize, you are saying that the desktop machine should be configured well and securely so that a firewall is not needed.
To answer your question, a firewall is for damage control when you don't know (or realize too late) that your machine is not perfectly configured. Some program has some vulnerability, or a trojan, or something. You are right -- it SHOULD not be this way; but when it just IS, and the trojan starts spamming people or transmitting your private PGP keys onto IRC, the firewall is there to say, "Hey, waitaminnit, something weird is going on here."
A firewall is like a fireman. You hope that it doesn't have to do anything but sit there.
404555974007725459910684486621289147856453481154 in hex is "You sank my Battleship?"
[GPG key in journal]
Here's a better reason that so many computers are plugged: ignorant users that are gullible, believe everything they see on the Internet, and press yes or OK on every dialog box just to get them to go away (without reading them or caring about the content). This is just as possible with Firefox or KDE or any other complex system that people use: you can make resistance to stupidity, but stupidity will always win some battles.
Could Microsoft make the resistance higher? I guess. But then they would have to contend with cries of incompatibility and non-ease of use. It's a precarious balance.
You'd like more security, but you aren't a shareholder of Microsoft; I'm sure the company has done much research that says that invasive security makes users mad and reduces sales. Yes, the admin default sucks for security. It is also only a default and so completely avoidable; the fact that users don't avoid it speaks of their ignorance.
If Windows XP automatically logged you on as a non-admin user, most people would be lost; they would have no idea why they can't install their new software. All they see is an ugly dialog box they don't understand and it isn't working. This news would get out, XP would be branded as impossible to use because some dumb columnist couldn't install Quicken 200X, and nobody would buy it. They would still be using 98 or ME with zero local security. Because it's easier than dealing with security hassles. These are the same people who have no idea what the consequences of installing Gator or whatever are, and if you try to tell them about it, they glaze over and continue to do what they always have done.