Slashdot Mirror

← Back to Stories (view on slashdot.org)

Ten Security Bulletins From Microsoft

Posted by michael on from the making-america-safer dept.

wschalle writes "Microsoft has released 10 "new" security bulletins, including one pertaining to a vulnerability in the Windows Shell, apparently exploitable via the web. The shell vulnerability only allows code execution as the user viewing the malicious web site. Aren't you glad your shell is web-enabled? The recent GDI+ vulnerability is re-released here as well as a vulnerability in zip compression handling."

5 of 392 comments (clear)

  1. Re:Shell enabled depends. by xsecrets · · Score: 5, Insightful

    links or lynx are programs they are not intigrated into the shell. I don't think you understand what a shell is.

  2. "only" by Anonymous Coward · · Score: 5, Insightful

    The shell vulnerability only allows code execution as the user viewing the malicious web site.

    On most XP installations, the only user is "Administrator".

  3. Market share?? by Anonymous Coward · · Score: 5, Insightful

    Why are there more big announcements about MS patches?

    Because MS is the dominant OS, and many Slashdot readers need to know about these things.

    There have been Slashdot articles on Linux bugs, but fewer. Why? Maybe because there are fewer critical bugs. Why? Market share.

    Not everything is anti-MS. Some of it is just reality.

    desiv

  4. Re:How is this different by jd · · Score: 5, Insightful
    Three of the holes were for "server" editions of Windows. This means that what the user does is largely irrelevent. If the server gets compromised (and, yes, NNTP and SMTP are listed amongst the systems with holes) then you could very easily end up with hostile code on your machine, no matter how updated it may be.


    As far as Linux is concerned, a properly configured Linux box is relatively secure, even if the applications have holes. This is because you can run most servers under restricted user IDs and/or in chroot-ed environments. This means that someone breaking into a server application can't really go anywhere.


    Linux' main "weakness" (diversity of implementations) is also its great strength on this. A Linux virus won't necessarily work on all Linux machines, because it is going to make assumptions about the nature of that machine which may not hold true. Applications can be configured on installation by the admin, but viruses don't usually get that benefit.


    Finally, Linux has some extensions which make it bullet-proof against many types of attack. Mandatory Access Controls and filesystem ACLs mean that you can have an extremely fine-grained level of control over who can do what. This means that if some server software has a user ID of N, but N only has read permissions on N's files, then compromising the server can't even allow an attacker to modify the files they supposedly own.


    All this means that Linux applications don't need to be that secure. The security is provided. It is helpful if they ARE secure, but it's not essential. With Windows, this isn't the case. The level of security isn't that great, and as more and more is integrated into the kernel, the vulnerabilties within any given application become ever-more dangerous to other parts of the OS.

    --
    It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
  5. Re:Aren't you glad you need admin privileges ... by Foolhardy · · Score: 5, Insightful
    Many applications and games require admin privileges to install. Windows Update requires admin privileges. etc etc.
    So run only those programs as admin. Windows NT is (and always has been) multi-user. See RunAs, PsExec, SUD, etc. It would be a pretty lame excuse if I said that I had to run as root on Linux all the time because upgrading the kernel requires root access. You'd tell me to use su; do the same thing on Windows.
    Compare that to the Millions of Windows machines completely infected with spyware right now because Microsoft has no clue how to secure a web browser.
    That's funny, I've used IE without getting any malware.
    Here's a better reason that so many computers are plugged: ignorant users that are gullible, believe everything they see on the Internet, and press yes or OK on every dialog box just to get them to go away (without reading them or caring about the content). This is just as possible with Firefox or KDE or any other complex system that people use: you can make resistence to stupidity, but stupidity will always win some battles.
    Could Microsoft make the resistance higher? I guess. But then they would have to contend with cries of incompatibility and non-ease of use. It's a precarious balance.
    You'd like more security, but you aren't a shareholder of Microsoft; I'm sure the company has done much research that says that invasive security makes users mad and reduces sales
    But combine users running by default as Admin [...]
    Yes, the admin default sucks for security. It is also only a default and so completely avoidable; the fact that users don't avoid it speaks of their ignorance.
    If Windows XP automatically logged you on as a non-admin user, most people would be lost; they would have no idea why they can't install their new software. All they see is an ugly dialog box they don't understand and it isn't working. This news would get out, XP would be branded as impossible to use because some dumb columnist couldn't install Quicken 200X, and nobody would buy it. They would still be using 98 or ME with zero local security. Because it's easier than dealing with security hassles. These are the same people who have no idea what the consequences of installing Gator or whatever are, and if you try to tell them about it, they glaze over and continue to do what they always have done.