Slashdot Mirror
Ten Security Bulletins From Microsoft
wschalle writes "Microsoft has released 10 "new" security bulletins, including one pertaining to a vulnerability in the Windows Shell, apparently exploitable via the web. The shell vulnerability only allows code execution as the user viewing the malicious web site. Aren't you glad your shell is web-enabled? The recent GDI+ vulnerability is re-released here as well as a vulnerability in zip compression handling."
So if your user has admin rights (as all at my site do b/c our toolset requires it) then you're screwed if they goto a mal-site. . . . Great.
-nB
whois gawk date unzip strip find touch finger mount join nice man top fsck grep eject more yes exit umount sleep dump
Thank you microsoft for vulnerabilities that can take advantage of the so-far-assumed-to-be-safe data files like jpgs and zip files
txt file vulnerability anyone!?!
That is enough for me and my small company. I am using Open Office and Mozilla full time now. Adios Bill.
With linux, well...tried to configure IPtables lately? I have, and that made me switch back to windows!"
Hmmm
Is that a gap in the market I spot? Is there a need for an Iptables for dummies guide ;-?
Alternatively one could just get the following book : http://www.amazon.com/exec/obidos/tg/detail/-/0596 005695/qid=1097623820/sr=8-1/ref=pd_ka_1/103-30759 69-1611012?v=glance&s=books&n=507846
It would actually mean that Microsoft built the SP2 updates with a new compiler that basically eliminates any possibility of buffer overflows.
Aren't you glad you need admin privileges for day-to-day operations on too many windows boxes?
Aren't you glad that even if you can get by without admin privileges, you can still completely hose your own files just be visiting the wrong website? Aren't you glad the only files that you can infect are the only files that you really care about?
You bet I'm glad my shell is web-enabled! After all, this Windows box belongs to my employer ... its his time that will be wasted.
See what I've been reading.
With the exception of a proof of concept GDI+ exploit posted to USENET, none of these vulnerabilities are known to be exploited.
The shell and compressed folder vulns require user interaction, just like 99% of all other "worms". As long as your mail application is patched you can't get hooked via email and if you visit "malicious websites" with anything other than Lynx you probably should be shot anyway. Ditto for a decent firewall.
On the other hand, I wonder why things like these for soem reason never get posted.
I find Firehol much more intuitive.
Protection, yes. It sure doesn't "eliminate any possibility of buffer overflows" as you claim.
/GS compiler flag's record isn't the cleanest. In Visual C++ 2002's compiler an out parameter that was modified by a buffer overflow to point to the security cookie variable would allow an attacker to get a predictable cookie value. You can use this to prevent the security trigger from firing and terminating the program. This isn't going to be fixed until Whidbey.
And the
Interesting that Microsoft is just now getting around to adding this in their Operating System. Linux has had exec-shield since kernel 2.4.21 (May 2003, I believe).
sigs, as if you care.
That does it. I'm switching to Linux- Ubuntu, *noppix- or even *BSD, anything but Windows.
Installing today's updates, it asked me if I wanted more information about a vulnerability- and proceeded to open a page with Internet Explorer. How many times do I have to tell the computer that Firefox is my default browser? Whose machine is this, anyway?
With SP2, XP has been annoyingly telling me I may not be protected (I run without anti-virus but am locked down regardless and still scan regularly- with no virus or reinstall in 2 years). In today's update, it keeps nagging me to reboot.
And why do I have to sign yet another goddamned EULA to install critical patches?
There isn't any windows only software I need anymore. OO.org, Firefox, Thunderbird... and now GAIM (which I've gotten used to at work, working on FC1). I'll miss some of the usability features of XP, but I just can't handle it anymore. So long, Windows!
Information: "I want to be anthropomorphized"
any person with half a brain realises that making a workstation a firewall is just stupid.
A real firewall is a seperate box. Even a crappy one suffices.
Go get www.smoothwall.org and install that and you won't ever have to worry about IPSec rules etc again.
Bye Bye Windows take 2.
It is amusing that the much maligned WinME nowadays work better and doesn't suffer from half the problems in XP - "The Most Secure Windows Ever".
Oh well, what the hell...
Another Tuesday Patch roulette over with....
I've been trying to convince some people to switch to something secure. I said watch the Windows bugs. It's at least one new one found per week.
Wow 10 this week. I think I convinced them.
Now if I can get a few must have apps ported...
The truth shall set you free!
Am I the only one seeing more and more issues with firefox with every new MS patch...
Wait a second...
The great grandparent of this post writes something that either has got to be meant as a joke, or is just plain Stupid:
"It would actually mean that Microsoft built the SP2 updates with a new compiler that basically eliminates any possibility of buffer overflows."
He gets 5: Interesting (which means that at least three people have been sitting in front of their monitor, thinking, "Duuude! Uh, yeah, maybe M$ has some secret supercompiler that removes all bugs. DUUDE!").
The parent writes something that's actually a quote straight from MS changelog for SP2:
""core Windows components have been recompiled with the most recent version of our compiler technology, which provides added protection against buffer overruns."
And get modded 5: Funny!? I mean, all right, not everybody on here is a developer but please, a reality check might be in order!
:wq!
There're some services (like the RPC server) which can't be switched off if you wnat to run windows