Ten Security Bulletins From Microsoft

wschalle writes "Microsoft has released 10 "new" security bulletins, including one pertaining to a vulnerability in the Windows Shell, apparently exploitable via the web. The shell vulnerability only allows code execution as the user viewing the malicious web site. Aren't you glad your shell is web-enabled? The recent GDI+ vulnerability is re-released here as well as a vulnerability in zip compression handling."

My

[Rick+Zeman]

....Win2k patched fine. Another Tuesday Patch roulette over with....

Re:My

[pbranes]

Its interesting to note that the most critical patches - those for remote code execution - do not affect Windows XP with Service Pack 2 installed. When Microsoft built SP2, they did a lot of things right. IE has better security, for one. At my corporation, I have pushed out the updates with SUS already, but I am not too worried about this. I have already implemented SP2 across the corporation, and I am much more secure now than I was without SP2. Yeah, I know that security is a process, not a product, but SP2 helps that process a lot.

Re:My

[ADRA]

Wouldn't that imply that they knew about this problem way before Service Pack 2, and their just now getting around to rolling those patches into previous releases?

Re:My

[pbranes]

Not really. It implies that Microsoft changed the security in IE so that it would be much less likely to be vulnerable to certain types of situations. An analagous example is adding the No Execute (NX) code to hardware and software. It doesn't prevent coding mistakes, but it does prevent many ways of exploiting coding mistakes.

Re:My

[jerw134]

It would actually mean that Microsoft built the SP2 updates with a new compiler that basically eliminates any possibility of buffer overflows.

Re:My

[ADRA]

They we-wrote the OS in .NET CLR??

"new compiler that basically eliminates any possibility of buffer overflows"

You're obviously not a programmer if you believe this.

Re:My

[jerw134]

Directly from Microsoft: "core Windows components have been recompiled with the most recent version of our compiler technology, which provides added protection against buffer overruns."

Source

Re:My

[ADRA]

Wouldn't your system require you to have the NX bit on your CPU? If your CPU doesn't implement NX, does that mean your vulnerable? I admit NX does help security, but assuming that the bug is magically fixed by a NX, a harware based solution on new hardware, I don't think even Microsoft's brazen enough to ignore computers that don't have NX.

Re:My

[the+unbeliever]

They also support it in software as well, apparently, to some degree. Or so Windows XP tells me.

Re:My

[NotoriousQ]

Replace any pointer dereference with a code that checks it first.

Pay some penalty in speed, but complete overflow protection. Maybe that is why windows has slowed down so much....

Re:My

[sploo22]

Why not? GCC has had it since 2001.

Re:My

[j0217995]

Ah, the beauty of Software Update Services... Sync'd w/ windowsupdate.microsoft.com. Test systems checked in first and had no problems. The joy of coming in and seeing the patchs installed when people turn on thier computers in the morning. Yawn, another MS patch done, that was like what 15 minutes of work?

Re:My

[adric]

It would actually mean that Microsoft built the SP2 updates with a new compiler that basically eliminates any possibility of buffer overflows.

Directly from Microsoft: "core Windows components have been recompiled with the most recent version of our compiler technology, which provides added protection against buffer overruns."

Uh, there's quite a bit of difference between the two statements.

Re:My

Protection, yes. It sure doesn't "eliminate any possibility of buffer overflows" as you claim.

And the /GS compiler flag's record isn't the cleanest. In Visual C++ 2002's compiler an out parameter that was modified by a buffer overflow to point to the security cookie variable would allow an attacker to get a predictable cookie value. You can use this to prevent the security trigger from firing and terminating the program. This isn't going to be fixed until Whidbey.

Interesting that Microsoft is just now getting around to adding this in their Operating System. Linux has had exec-shield since kernel 2.4.21 (May 2003, I believe).

Re:My

[Aeiri]

Exactly, I can't even TRY to make an app that is vulnerable to buffer overflows... when I go to exploit it, it doesn't work (chops off extra data).

Re:My

[Aeiri]

I bet it makes you feel all good inside that installed those Windows Updates! That college degree really paid off, you are such a pro!

Re:My

[tc]

It doesn't eliminate all cases, of course, but the /GS compiler flag for Visual C++ does eliminate many of them. In essence, it checks if the return address has been trashed, and throws an exception if it has. Your app still crashes, but that's probably better than being 0wn3d.

Yes, it is possible to circumvent, and there are of course other kinds of attacks/bugs which this doesn't help with. Nor is it a substitute for actually fixing those buffer overflow problems. However, all that said, it's still a good extra level of defense that does improve the security of the system and apps by substantially mitigating a large class of potential bugs.

Re:My

Looking at the CAN numbers, it appears Microsoft has known about a lot of these for 6-9 months.

Re:My

[Technician]

Another Tuesday Patch roulette over with....


I've been trying to convince some people to switch to something secure. I said watch the Windows bugs. It's at least one new one found per week.

Wow 10 this week. I think I convinced them.

Now if I can get a few must have apps ported...

Re:My

psst, I think you got schooled

Re:My

[Scorillo47]

>>> It would actually mean that Microsoft built the SP2 updates with a new compiler that basically eliminates any possibility of buffer overflows.

While the new compiler additions detect some buffer overruns/underruns, note that there is no way to get 100% buffer overrun detection with commercial C++ compilers. Usually, these overruns are detected by a variety of methods, like putting canary "values" at the beginning and/or at the end of each of the protected data buffers. These canary values are checked at certain moments of time, usually at the end of the buffer data lieftime - for example for stack-allocated blocks they are checked on routine exit; for heap allocated blocks when the blocks are freed.

The problem with canaries is that they won't detect memory writes that write directly in other "valid" data buffers. For example thread 1 writing overwriting the contents of some local variables in another stack, manipulated by thread 2.

There are other techniques, for example checksums for the user-mode data structures (like stack frames, C++ VTABLEs, heap data structures, constant data, etc). But these techniques have limited use too.

In addition, a malicious piece of code can always workaround the canary/checksum detection. The moment this malicious code has a chance to run in yoru process, all bets are off. It can eventually change the exception trap handlers, etc.

The only way to get 100% protection from buffer overruns would be to run Java/C#/VB.NET code (with certain restictions of course, for example avoiding unsafe code in C#). That said, you can also avoid buffer overruns to a certain degree in C++ too if you use proper class libraries like STL that perform things like automatic array bound checks, etc.

Re:My

The difference being that in the first statement, he's saying that unless a program is explicitly written to read code from memory, it won't.

The second is saying that programs are prevented from reading code from memory accidentally, thanks to the NX command.

Both are saying the same way, with the same meaning, just one was trying to sell it harder.

Re:My

[rvw]

....Win2k patched fine. Another Tuesday Patch roulette over with....

Well for me this roulette didn't turn out that well, although I should say it didn't turn out at all on most of our servers. :-( I just got red lines saying I should try again. I knew I should have betted on black... ;-)

Re:My

[antic]

I feel sad that you've contributed this epic and informative (I assume it's informative; I don't know anything about what you're discussing) post without anyone showing any recognition and moderating it positively. I was going to do that for you to brighten your day, but of course, now I've gone and written this reply and eliminated the opportunity of doing that.

Sorry!

Re:My

yor "corporation" must have exactly 3 people in it.
our company has over 30 thousand desktops over 6 different sites.. a major drug manufacturer.. i cant wait for the patch squad to hit our building

Re:My

[Torne]

No, they don't, unfortunately. XP SP2 only adds NX functionality on AMD64 and Itanium, their marketing material just omits to mention this in order to make it sound more secure ;)

Re:My

[the+unbeliever]

"Your computer's processor does not support hardware-based DEP. However, Windows can use DEP software to help prevent some types of attacks."

This is from Control Panel->System->Advanced->Performance Settings

Granted, I don't believe it, but Windows is still telling me that ;p

Re:My

[ledow]

Reading the related article on www.theregister.co.uk, it seems that Microsoft DID know about these before and the fix was already incorporated into SP2.

Re:My

We linux users bitch and complain all the time about M$ , We should stop and think though .
M$ are one of the biggest contributers to the security of the Linux operating systems
M$'s total refusal to release linux software is a god send ;)

Re:My

[Torne]

Without hardware support it will do stack smash protection for the recompiled system binaries, and it might also make a nonexecutable stack segment using the same trick Solar Designer's Linux implementation does..

Nothing to see here

[roman_mir]

please move along.

I think this is very reflective of the content of this report.

Ready...

[Seabass55]

Unleash the Microsoft bashing!!!

At least with windows

you don't have to have a CS degree to configure it safely. Using any number of freely available firewalls is a simple point-and-click matter.

With linux, well...tried to configure IPtables lately? I have, and that made me switch back to windows!

Re:At least with windows

[Metasquares]

There are a number of user-friendly configuration tools for iptables. FireStarter is the first one that comes to mind, though there are others.

Re:At least with windows

[vijaya_chandra]

I don't know about the status of these apps now.
But the last I remember, RH8 had a point and click config applet that's a front-end for iptables.
you want flexibility+power?!? spend an hour reading some good doc about iptables and save days that you might be wasting pointing and clicking else where.

On my system, all new incoming connections (except for ssh from a few servers) are blocked and all outgoing connections are allowed. Am damn sure google can get you tons of simple scripts for a minimal config. You definitely can't feel good with the same configuration in windows as you wouldn't know what god-awful-thing would be trying to call back home.

Ok! You set your point n click firewall to ask you as to what to do with an outgoing connection and you can keep getting irritated all through the day by those 'Do you want to accept the outgoing connection to A.B.C.D by the application XYZ?' dialogs

Not that you can't have spy/malware in linux and everything is safe, but the situation hasn't got to such a stage yet and hopefully would never get to

Re:At least with windows

[Faluzeer]

"you don't have to have a CS degree to configure it safely. Using any number of freely available firewalls is a simple point-and-click matter.

With linux, well...tried to configure IPtables lately? I have, and that made me switch back to windows!"

Hmmm

Is that a gap in the market I spot? Is there a need for an Iptables for dummies guide ;-?

Alternatively one could just get the following book : http://www.amazon.com/exec/obidos/tg/detail/-/0596 005695/qid=1097623820/sr=8-1/ref=pd_ka_1/103-30759 69-1611012?v=glance&s=books&n=507846

Re:At least with windows

What can I say, except that you shouldn't be allowed on slashdot, as you're clearly not a true geek.

Re:At least with windows

[LnxAddct]

What distro did you try? Almost every major distro preconfigures it for you. And not only that, has an easy to use configuration thingy for services to get through. If you want an easier way to configure iptables try out webmin or I think there is a gui program called guarddog or something like that. Anyway, don't play with big boy toys unless your willing to learn a little bit. Honestly, if you can't handle iptables with the easy to use methods that major distros have in place, then the many other capabilities that linux has to offer would probably also go over your head(not because your stupid, simply because your lazy because you apparently didn't give it much effort or looking at). You should not have gone back to Windows though. Go to MacOSX or maybe even Linspire. Don't just expect to sit down in front of another OS after you've been using Windows for 7 years or so. You forget that when you once first sat in front of windows, you also had no idea how to do many things, only after getting familiar with it you did anything productive. You now take that knowledge for granted. I'd try out linux again if I were you.
Steve

Re:At least with windows

or you could just use any frontend, like:
http://www.e3.com.au/firewall/index.php

Re:At least with windows

I find Firehol much more intuitive.

Re:At least with windows

[NotoriousQ]

Why run a firewall at all?

If you are directly connected to the net, then this is a standalone machine, and does not need to have any sockets open, except that which is supposed to be used on the net. Turn off unnecessary services, or switch them to local mode only. AFAIK, there are no vulnerabilities for closed ports.

If you have a LAN, then there is something that separates the LAN from the internet. This should not be your desktop machine.

If you have two machines separately on the net, then you should use ssh tunnels between them. That is more secure than firewalls anyway.

Outgoing connections? May I ask why are you running spyware?

Filtering ICMP? Why would you want to break network standards again. It is because of you the net is a pain to use. I like getting messages that my connection failed instead of waiting for 60 seconds.

People firewall for a simple reason: to have open services inside the network, and not outside. At this point you should be capable enough to either do it yourself, or have a complete solution (although NAT is not a firewall, it behaves as one)

As far as I am concerned there should be no need to run any firewalls on the desktop. In fact it is a sign of poor management, or a patch to a bigger problem (not trusting your own computer).

Is there something I am missing?

Re:At least with windows

> On my system, all new incoming connections (except for ssh from a few servers) are blocked and all outgoing connections are allowed. Am damn sure google can get you tons of simple scripts for a minimal config. You definitely can't feel good with the same configuration in windows as you wouldn't know what god-awful-thing would be trying to call back home.

How is "all outgoing connections are allowed" better than "you wouldn't know what god-awful-thing would be trying to call back home"? If you don't have IPtables logging enabled, you're in exactly the same position.

Re:At least with windows

any person with half a brain realises that making a workstation a firewall is just stupid.

A real firewall is a seperate box. Even a crappy one suffices.

Go get www.smoothwall.org and install that and you won't ever have to worry about IPSec rules etc again.

Bye Bye Windows take 2.

Re:At least with windows

[HermanAB]

You got to be a wee little bit more specific than 'Linux'.

Obviously you haven't tried the latest Mandrake Linux Multi-Network Firewall. The point and click firewall that even MSCEs can install.

Re:At least with windows

[LnxAddct]

Because when you run linux you know exactly what services are running, when they run, why they run, and if they need to connect to the internet. None of that "We'll block all of these ports except these 5 because windows services need them, and keep this one open too for good measure." Most linux systems on a fresh install have nothing that tries to connect outside, anything that might connect (say httpd ) is decided by the user at install time. In windows, you can't even boot up to a fresh install without having to connect to the internet or contact Microsoft and let them know what you've been doing with you computer.
Regards,
Steve

Re:At least with windows

With linux, well...tried to configure IPtables lately? I have, and that made me switch back to windows!

Try OpenBSD (or FreeBSD) with pf. It's not point and click, but it's nearly english.

Last time I configured a firewall on linux was in the days of ipchains. Consider yourself lucky.

Re:At least with windows

[inode_buddha]

actually, yes I have done iptables, from the commandline (acually put it into a script) and successfully. Nowdays yeah there's GUIs for it, most distros have one; I just used a bunch of RTFM and figured it out.

Re:At least with windows

[isorox]

Some vulnerability/user allows a virus/program to install a VNC-style thing without you knowing. If you're firewalled, no matter. If you're not, then anyone can control your computer

Re:At least with windows

[_Sprocket_]

I like fwbuilder. It provides a fairly advanced interface but also has some nice wizards to get a basic firewall / NAT platform going. And you can migrate your general firewall configuration between platforms (want to migrate from a Linux box to an OpenBSD firewall? Recompile your ruleset and install on the new box). Though... I have to admit... most of what I like about it would likely be lost on a neophyte.

Re:At least with windows

[welshwaterloo]

There are several reasons we're rolling out Symantec's personal firewall to desktop PC's.

1. Security in depth. Multilayered security = A Good Thing.
2. True, there shouldn't be ports we don't know about on user's PC's, but how about when they pop one open without knowing? They can't download or receive numerous file types & their peripherals are disabled, but users will be users. I've seen programs installed that install telnet or tftp servers. A decent personal firewall setup will alert the user *and* log that alert to a central console.
3. Mistakes happen. A nameless colleague quit-out halfway through creating a firewall rule. The default action is to create the rule regardless, so for 20 minutes a bunch of workstations were waaaay more accessible than they should be. Worms were spotted.
4. It's disastrous to think "We've got a firewall, ergo we're secure" (see above). Common example: User sits in internet cafe with laptop, some floppies, usb devices & cd rom. Effectively spreads legs & asks the world to infect him. Next day, brings laptop back & jacks into the LAN. My sturdy firewall is now worth jack. Personal firewalls all round, please.
5. And yes, I do filter ICMP. I'm sorry that you have to wait 60 seconds for your pings or whatever to fail, but I have to ask why were you scanning my LAN? You want me to turn on file&printer sharing too, so you can see what else is going on? It's my LAN, & within it I'll do whatever I can to keep it secure. Guess what - I run some web services.... ...and they're not on port 80...!

As far I'm concerned there are valid reasons to run personal firewalls on the desktop.
Hand-in-hand with user education, security policies, patch management and effective anti-virus solutions they provide a robust & proven security benefit.

You're damn right I don't trust my computer. And I won't do until I control all access in and out, and it tells me when something tries to except those rules. Oh, wait! It does. It's my personal firewall.

Re:At least with windows

[diegocgteleline.es]

There're some services (like the RPC server) which can't be switched off if you wnat to run windows

Re:At least with windows

Yes they can. These freeware tools can help:
- WWDC - http://www.firewallleaktester.com/wwdc.htm
- StopListening - http://www.nonebar.com/sl.html

Re:At least with windows

I don't run X on my servers. Can't anyone build a curses interface anymore.

Re:At least with windows

Yup, FWBuilder is good; Shorewall's spiffy too, though not as portable.

Re:At least with windows

[necro2607]

in reponse to point #5 of yours:

Pings are sent when any connection attempt is made.. trying to load a web page, connecting to an FTP server, joining a Quake server, logging onto an instant messaging service, etc. etc. etc...

The first thing the program will do is send out a ping to see if the machine it's trying to contact is up and running..

Point is, no one is "scanning your LAN"... if you're running a server of any kind, ignoring ICMP packets will very often make it impossible for people to connect to the server. Alternatively, they'll be able to get connected but later get dropped due to receiving no response to "keepalive" pings (depending on how well the software is written)....

Re:At least with windows

[welshwaterloo]

Ah. Fair enough.

I should've stated that webservers et al have all the necessary stuff & ting open to allow connections. It's workstations that haven't been Nat'd yet that we'd rather not reply to echo requests.

Thx

I give up

[darth_MALL]

I was just about to write a pro MS defence post to stave off the oncoming attack. I just re-read the article. I quit.

Re:I give up

[RealAlaskan]

I was just about to write a pro MS defence post ...

It's not enough to write de fencepost, ya gotta drive it through de heart of da monster. An' I t'ink it gotta be a wooden fencepost.

Re:I give up

[Hatta]

I'm a little confused. Windows has a shell?

Re:I give up

[electrofreak]

um.....yeah. Its not much of one but it does have it:

Start|Run "cmd"

Re:I give up

what, are you retarded? explorer.exe and cmd.exe [2k and up]

Re:I give up

[Aeiri]

To be compatible with Windows 3.1 and up, you should have said explorer.exe and command.com.

Re:I give up

[iminplaya]

It's progman.exe for me.

Re:I give up

Keeping their customers in the dark (again).
Who knows what they are still holding back, to stage manage (newer) bad news.
Sloppy support for older stuff (upgrade or suffer)
Not keeping up with the Jones's. This similar zip vuln was in *nix yonks ago. Can't they keep up with linux?
Modularity.
Corporate sites are shit scared of users getting to shell level, and even if the IE bit is fixed, all the (semi documented) hooks are just a .net call away, if you know what you are doing.
>>> Doze EAL Certification
With hindsight, becoming as useless and as respected as an arts degree.
Totally failed to pick up the biggies. Due dilligance?
Pick something else, or start bailing out, if security is an issue.

Re:I give up

[magefile]

Is that a Discworld quote? 'Cuz it reminds me of something Detritus (sp?) would say.

Re:I give up

[Keeper]

How many times do I have to tell the computer that Firefox is my default browser?

Once, if Firefox is registered as the default browser correctly. My machine gets it right, why doesn't yours?

With SP2, XP has been annoyingly telling me I may not be protected (I run without anti-virus but am locked down regardless and still scan regularly- with no virus or reinstall in 2 years).

Two options:
1) Update your AV software to a version that tells the security center when it is up to date.
2) Select the "I will manage my AV software myself" option, and the security center won't bug you about any AV related details.

In today's update, it keeps nagging me to reboot.

Your computer is still vulnerable until you reboot the machine. What's the point of applying the patch if the updated files don't get loaded?

And why do I have to sign yet another goddamned EULA to install critical patches?

For the same reason every company requires you to sign a EULA before installing/updating software. If you want a detailed reason, ask the lawyers.

Re:I give up

[jb.hl.com]

Actually, yes.

Yesterday I installed Windows Services For Unix and compiled Bash on there, and now I have a full shell on my Windows 2000 install. Kicks ass, it does.

Re:I give up

why would you want win2k ruining a perfectly good unix shell?

Re:I give up

[Vint+Cerf]

You must have misread -- he said he installed BASH.

Re:I give up

[Dr.Opveter]

Why is this modded 5, Interesting? If you are unable to keep your XP machine running fine and there's no software you need to keep you on XP then don't use it if it's such a big problem to you. I keep my systems' virusscanners up to date, apply security patches and generally know what i'm doing and i haven't had security or virus problems for years. Especially with XP it's become much easier to keep things safe. I'm no genius, if i can do it so can you. People, don't mod someone up because they are incapable of maintaining their machine and they 'just can't handle it anymore'..

Re:I give up

[R.Caley]

I'm a little confused. Windows has a shell?

Windows is a shell.

Dangerous, with a brittle, thin outside, and a tendency to explode.

Re:I give up

[Erasmus+Darwin]

"Your computer is still vulnerable until you reboot the machine. What's the point of applying the patch if the updated files don't get loaded?"

In my case, the point is that rebooting would be inconvenient at the current time and I'm willing to take the calculated risk of being exposed until I turn my machine off for the night. If I'm playing UT2k4 instead of browsing the web, it doesn't matter how many unpatched IE vulnerabilities I have.

So does anyone have a way to keep Windows from pestering me with "[Reboot now] [Reboot later]" every 10 minutes? I tried killing the corresponding process, but something starts it back up almost immediately. I suppose I could just put off installing windows updates until bedtime, but that'd run the risk that I'd forget. So in a fit of wrong-headed irony, this new feature might actually cause my system to stay vulnerable longer.

Re:I give up

[SpooForBrains]

I'll miss some of the usability features of XP
What usability features? This is an entirely serious question, I personally can't think of anything XP's UI does that KDE doesn't do equally well or better. I'm sure the Gnome guys will say the same thing.

Re:I give up

[bergwitz]

Disable Automatic Updates stops Windows from pestering you the rest of the day. Enable it again when you restart the machine though. Though the whole security center thing is pure annoyance. It doesn't do anything! Except pestering me with messages and warnings that my computer is vulnerable since I set Automatic Updates to ask me before it download something.

Re:I give up

How many times do I have to tell the computer that Firefox is my default browser?

Once, if Firefox is registered as the default browser correctly. My machine gets it right, why doesn't yours?

Uhm... yeah, it IS the default browser, and everything else opens web pages with it, EXCEPT Windows update.

Select the "I will manage my AV software myself"

My bad. I should have clicked on the alert instead of closing it- I didn't remember that.

Your computer is still vulnerable until you reboot the machine.

Well, if I was surfing pr0n sites and downloading screen savers, it could be. And since it's sometimes inconvenient to reboot, I choose to wait an hour or two. It's my computer and I know how to use it, so the bottom line is it just shouldn't be nagging me- I should be in control, not some piece of software that's just there to allow me to run other software.

Re:I give up

Uhm, I never said I couldn't keep my machine running properly. This is not about security: I've been going 2 years without a reinstall or an A/V, and without a virus (I check regularly with Housecall or Norton, I just don't want them slowing down my machine)- so I think I have a clue what is required to stay safe.

What's annoying me is that the OS is trying to force me to do things a certain way or at a certain time when I think I know better. It uses IE when I told it to use only Firefox. WTF?

Re:I give up

[illtud]

How many times do I have to tell the computer that Firefox is my default browser?

Once, if Firefox is registered as the default browser correctly. My machine gets it right, why doesn't yours?

Did you read what he said? : Installing today's updates, it asked me if I wanted more information about a vulnerability- and proceeded to open a page with Internet Explorer.

He did set Firefox to be the windows default browser. Many windows applications (especially MS's own) bypass the proper API call to open using the default browser and call IE directly. Now unless you've tried installing the same update, clicked on the link and had it open in Firefox, I suggest you STFU.

Re:I give up

How many times do I have to tell the computer that Firefox is my default browser?

Once, if Firefox is registered as the default browser correctly. My machine gets it right, why doesn't yours?

There is a well-known issue with Firefox incorrectly setting itself as the default browser. I don't know when it was fixed, but my suspicion based on the number of recent reports is that it still affects 1.0PR (or perhaps it gets carried over when updating from 0.9).

Re:I give up

[Erasmus+Darwin]

"Disable Automatic Updates stops Windows from pestering you the rest of the day."

Cool, I'll try that. Thanks.

Re:I give up

It does open with Firefox you nitwit.

Re:I give up

[gbjbaanb]

the whole security center thing is pure annoyance

don't knock it - its purpose is simple and very clear: It says to users 'get some protection' and won't allow itself to go away until you do. (or turn the notifications off, but the kind of people who need the protection are the ones who won't know how to turn the notifications off!)

Shell enabled depends.

[rebeka+thomas]

> Aren't you glad your shell is web-enabled?

Does it matter? Is this meant to be an attack on Microsoft just for its own sake? It's becoming as inane as spelling "Micro$oft" or "Windoze".

Web enabled shells? Show me an in-use unix shell that doesn't have Links or Lynx already installed.

Re:Shell enabled depends.

well, technically Links and Lynx are not parts of the shell.

Re:Shell enabled depends.

[xsecrets]

links or lynx are programs they are not intigrated into the shell. I don't think you understand what a shell is.

Re:Shell enabled depends.

do you have any fucking idea what a shell is?!

Re:Shell enabled depends.

[evn]

How About Mac OS X?

Finder doesn't play with the WWW at all unless you count it's WebDAV support, and it doesn't ship with Lynx or Links either (much to my dismay)

. I might as well point out that BASH, ZSH, TCSH, are the shell: Lynx is a browser that you launch from the shell.

Re:Shell enabled depends.

do you have any fucking idea what a shell is?!

To put it in your fucking language, it makes no fucking difference when it comes to a fucking vulnerability. This is the OP's fucking point.

Re:Shell enabled depends.

Pay no attention to this troll. She doesn't know the difference between a shell and a web browsing program. The closest you'll get to having a web-enabled shell on *nix is to chsh -s /usr/bin/lynx (assuming that's a valid shell on your box).

Oddly enough, looking at her previous posts (regarding Bush being wonderful), it's no surprise that she'd make such an immature and thoughtless comment. Word of advice: stick to watching Fox News and driving your SUV.

Re:Shell enabled depends.

omg i know everyone knows its micro$haft winBLOWS!!!

hahaha

Re:Shell enabled depends.

Show me an in-use unix shell that doesn't have Links or Lynx already installed.

Actually, you don't even need Links or Lynx to have a web-enabled *nix shell. Bash can read from and write to any UDP or TCP port. For example:

$ (nc -lp http > bash_ls_output &) # fork netcat on port 80, may need root permission
$ ls > /dev/tcp/127.0.0.1/http
$ cat bash_ls_output

or

$ less < /dev/tcp/ftp.kernel.org/ftp

Re:Shell enabled depends.

> links or lynx are programs they are not intigrated into the shell. I
> don't think you understand what a shell is.

Which in the end doesn't make a lick of difference. If Links or Lynxs are vulnerable, it's not like their lack of integration in a shell of choice means they're going to be prevented from that vulnerability.

The sarcastic statement in the story was pointless. it's a "so what" statement. May as well say in response to a linux PHP vulnerability for example, "Aren't you glad your web browser is php enabled". It's a nothing statement.

Re:Shell enabled depends.

[burns210]

Fink(and fink commander) very nicely and graphically install lynx and irssi on my machine without prolems and without mistake.

Makes me feel warm inside when I can have text irc going around a lickable gui... *mmm*

Re:Shell enabled depends.

[meme_police]

Do you have any idea what a shell is? UNIX shells most definitely do not have browsers included.

Re:Shell enabled depends.

[lee7guy]

I might as well point out that BASH, ZSH, TCSH, are the shell: Lynx is a browser that you launch from the shell.

No.

Links is a browser that you launch from the shell.

Lynx is a browser that you launch from hell.

Re:Shell enabled depends.

[peachpuff]

"If Links or Lynxs are vulnerable, it's not like their lack of integration in a shell of choice means they're going to be prevented from that vulnerability."

Well, that's a tautology: if they're vulnerable, they're vulnerable. The point is that vulnerabilities are more likely, and more likely to be serious, in a web enabled shell than a plain web browser.

You see, "web enabled shell" means that the same piece of software is both your web browser and your application launcher. That makes it much easier for a flaw to cross over between the two uses, i.e. a flaw on the browsing side causing a (malicious) application to be launched.

Web enabled shells are a bad a idea because they combine two things that don't need to be combined in a way that creates a lot of risk. Browsers and shells work just fine when they're separate, for example Lynx and Bash.

"The sarcastic statement in the story was pointless. it's a 'so what' statement. May as well say in response to a linux PHP vulnerability for example, 'Aren't you glad your web browser is php enabled'. It's a nothing statement."

As far as I know, no such thing exists. If it did, it would get a lot of sarcastic comments, and for a similar reason: PHP is run on the server side because that's where it belongs. As a result, it's very unlikely that even a serious PHP vulnerability will affect data that is stored on your desktop. Putting PHP in the browser would be risky, which is probably why it hasn't been done (as far as I know).

It's more like, "Aren't you glad your lawn mower is toilet enabled?" You should have them both, but not as an integrated unit.

Re:Shell enabled depends.

[HermanAB]

My gawd, I tried that and it worked. This old dog never ceases to be amazed by the power of being Borneagain...

Re:Shell enabled depends.

[_Sprocket_]

If Links or Lynxs are vulnerable, it's not like their lack of integration in a shell of choice means they're going to be prevented from that vulnerability.

No - but I can uninstall or disable Links or Lynxs. Can you cleanly remove or disable the "web enabled" part of Windows' shell?

News For Nerds??

For a presumably Linux-centric site, we sure do get lots of Microsoft news, especially when it comes to security or bug issues.

I wonder why we don't get many Linux stories like this, seeing has how they have had some serious issues lately too.

Hmm....

Re:News For Nerds??

[ADRA]

We basically get notice of every major Firefox, kernel and OpenSSL exploit that gets released. Outside of that, We'd be posting hundreds of potentially relevent security articles that are better off in bugtraq anyways. If ANYONE here really cares about security their on Bugtraq anyways. This is like a 'look guys it really bad!' type of news. Since all Microsoft bugs seem to fall into that category, their listed a lot.

Re:News For Nerds??

Crawl back into your M$ cube you minimum wage AC dweeb.

Re:News For Nerds??

Dont worry the MS trolls, troll here enforce.

Re:News For Nerds??

This wasn't Microsoft "news". It's yet another security warning.

Those Linux slackers just haven't tried hard enough to ensure they get the same sort of coverage that Windows does. Maybe in the next release ;-)

Re:News For Nerds??

[mOoZik]

Why? Because this site is full of myopic nerds who don't respect anyone who charges money for their product, who feed on absolutely anything that is in any way opposite to Microsoft, and who believe that Linux will take over the desktop market in less than a decade.

Re:News For Nerds??

liberal bios?

Re:News For Nerds??

...as if MS bugs are news, even!

Re:News For Nerds??

[0x0d0a]

We actually do generally get notification of serious Linux kernel/Apache/OpenSSL problems.

They're just presented in a much, much more positive light.

Re:News For Nerds??

[Stevyn]

I used to think that. However I've gotten the feeling that a lot of people are using windows. Some use it at work because they have to. Some use it at home because they prefer it. Hey, I used to use it too. Windows XP if patched a lot, anti virus, firewall, using firefox, and ad-aware once a week will be relatively secure.

My friends (other engineering student geeks mind you) make fun of me for being such a linux geek. Using gentoo makes it even worse.

However, I see it as I have less work to do to maintain a healthy system. It took a little while to set up properly, but I feel it was worth the effort. I can keep my system packages and other software I use up to date very easily with portage.

My point to all that was windows can be a fine operating system if you maintain it a lot. That is why people here still use it, and these stories help them maintain it. That is why these stories are relevant to many people here.

Re:News For Nerds??

[naelurec]

I think these items should be posted as well as major security issues for FOSS/Linux (which they are). Given that I'd guess 99.9% of us know of people or use Windows ourselves, it is important to keep on top of these new vulnerabilities to protect the networks we admin, notify others who are not frequenting tech sites and of course, use as ammo for getting more FOSS in the workplace. :)

Re:News For Nerds??

[ad0gg]

Whats worse is that 9/10 of the bug fixes were patched in earlier bug fixes. So if you were already fully patched, only 1 could affect you. I don't understand how this is news. If you were running unpatched, you were already vunerable.

Re:News For Nerds??

[Foofoobar]

For a presumably pro-Windows post, I wonder why you choose to be an Anonymous Coward especialy when your product is so loved by everyone. :)

Re:News For Nerds??

[gl4ss]

most of us have to use windows and or support it for others.

***I wonder why we don't get many Linux stories like this, seeing has how they have had some serious issues lately too.*** and are you fucking blind? WE DO GET THEM.

Re:News For Nerds??

Anyone who charges money for their product should do a better job of creating it.

Re:News For Nerds??

[robochan]

If ANYONE here really cares about security their on Bugtraq anyways.

Except that these days, bugtraq is usually a day behind and seems to think that security news ceases to exist on weekends. Ahh, the beauty of a corporate buy-out.
The Full-Disclosure list is much more timely.

Re:News For Nerds??

[nmoog]

Hmm, maybe thats why this story got rejected: Microsoft scores well on security analysis..

Though I should probably attribute the rejection to my poor writing skills...

Re:News For Nerds??

[skinfitz]

Because they get covered up - just like the OSX holes.

For example (please try to be objective here people - I am merely posting facts) if you recall the recent OSX / Safari serious vulnerabilities that basically meant clicking a link could run code of attackers choice (pretty damn serious if you ask me) never made the front page and were only viewable from apple.slashdot.org.

Bit weird that don't you think? Especially for an OS that allegedly has less problems with vulnerabilities? Surely that would be of interest to everyone? Kind of like if OpenBSD had another out of the box vuln - that would be news of interest to everyone.

Re:News For Nerds??

[Stevyn]

Yeah that's a good point because it doesn't differentiate between installing a program that you want and spyware crap. I'm going to compile openoffice 1.1.3 tonight. I had to su into root, update portage, and emerge openoffice. It's become so easy at this point I don't think about it. But at the very least, it required the root password.

Re:News For Nerds??

[Xaoswolf]

Linux-centric

Since when is this linux centric?

Hell, back when I cared, 91% of the links going to my website from slashdot were on windows machines...

And let's also not forget that most of the machines out there are windows machines...

Re:News For Nerds??

For a presumably Linux-centric site, we sure do get lots of Microsoft news, especially when it comes to security or bug issues. I wonder why we don't get many Linux stories like this, seeing has how they have had some serious issues lately too.

Hi, welcome to Slashdot! You must be new here. Let me tell you how it works.

We don't like Micro$oft, so we do as much bashing as possible. This includes posting a story about every M$ bug. We intentionally ignore security bugs on platforms we like, and for programs we like. This includes Linux and OSX, as well as user applications like Firefox.

Now, don't get me wrong - we try to suggest some level of objectivity by posting about the occasional vulnerability in software not written by M$... (for example, the feature in Firefox where files in your download directory can be deleted, and how a website could make itself appear to be a secure (SSL) site when it really isn't.) But that's really just a gesture.

Anyway, I hope that clears things up. Enjoy your stay!

Re:News For Nerds??

[alw53]

We should all be nice to Microsoft because they would never bug their competitors' hotel rooms, perjure themselves in court, open their source code to China while claiming in court that opening it would damage national security, sabotage their competitors' applications by changing their API's, or promise delivery dates that they know they cannot meet in order to starve their competition. Everyone knows Linus does that kind of stuff all the time.

Re:News For Nerds??

[chris+mazuc]

I would attribute the rejection to the fact that the article is crap. Microsoft is more secure because they issue fewer security advisories? Ok, how many security advisories did Diebold issue this year?

Re:News For Nerds??

[HermanAB]

Yup, MS Windows is an excellent OS, if your time is worth nothing.

Re:News For Nerds??

[Stevyn]

Well, yeah. That's the point I was trying to make. If you want a secure windows system, you better be prepared to patch go through a slew of other things. If you want a secure Linux system, you're maintainance will be less. Linux and the packages you use will always have problems, but the problems are a lot easier to manage than in windows.

Re:News For Nerds??

> We should all be nice to Microsoft because they would never bug their competitors' hotel rooms, ...

The other ones I'll give you, but Google didn't have a reference to this one; where'd you hear about it?

Re:News For Nerds??

OMFG WTF p455 t3h tinf0il!!!11!!22@1

Re:News For Nerds??

[alw53]

Page 29 of the Microsoft File, by Wendy Goldman Rohm.

Sell exploit runs as user

[networkBoy]

So if your user has admin rights (as all at my site do b/c our toolset requires it) then you're screwed if they goto a mal-site. . . . Great.
-nB

Re:Sell exploit runs as user

So if your user has admin rights (as all at my site do b/c our toolset requires it) then you're screwed if they goto a mal-site.

Your 'toolset' requirements are kinda setting you up for the inevitable don't ya think?

Re:Sell exploit runs as user

[myowntrueself]

Under those conditions you should be evaluating exactly what sites your users need access to and arrange it so that those are the only sites which your proxy or firewall will allow access to.

We have a client who does this, and they run Linux desktops as well!

Squid does a remarkably good job of facilitating this sort of strapping down.

Re:Sell exploit runs as user

[networkBoy]

Precicely the proxy we use!
But for some reason the PHBs always overturn my DENY ALL by default proxy rule after it goes into effect (They always say do it when presented on paper/email/powerpoint/etc.); thus I am always trying to play keepup with what sites to blacklist etc.

I've actually given up personally and switched to a job as the SW dev and IT sec. guy for one of our smaller labs. In this environment I am god (little 'g' on purpose) and the firewall / proxy setup is so strict people actually assume we have no connectivity to the outside world (including the rest of the company intranet) until they see the list of favorites in IE (alas I can't use Firefox due to corp. specific toolsets again).
Can't win them all I guess.
-nB

Re:Sell exploit runs as user

[drsmithy]

So if your user has admin rights (as all at my site do b/c our toolset requires it) then you're screwed if they goto a mal-site. . . . Great.

I doubt you _really_ need to have them running as Admin all the time. Most likely you just need to give them write access to a few directories and/or registry keys. Worst case is you need to use "runas /savecred" to give SUID-ish capabilities to a few applications.

That a few apps here and there need to run as Administrator is _not_ justification for having users running as Administrator full time.

Re:Sell exploit runs as user

[Kaboom13]

Congratulations, Im sure your tight security will make up for the fact that noone can actually use the internet in any useful manner, and thus hates you and your arrogance. The admin's job is to help the users, not lord his power over them. Tight security is good, but unless you are the CIA, the users have to come first at some point, or they will being to do things to thwart your overly strict controls (for example, Bob brings his laptop in from home to use his desk phone and dial-up modem, so he can actually use the internet.)

Re:Sell exploit runs as user

[networkBoy]

In the lab I "Lord over" they do not need access to the internet. That's what their notebooks and 802.11x are for. (yes we have corp. wireless). All the lab machines contain company top security info and so should not see the internet as it is. I help my users more than they could immagine. Predominately by keeping our stock value up by preventing IP from leaking to competitors.
-nB

Insane

[vijaya_chandra]

Thank you microsoft for vulnerabilities that can take advantage of the so-far-assumed-to-be-safe data files like jpgs and zip files

txt file vulnerability anyone!?!

Re:Insane

[RLiegh]

txt file vulnerability anyone!?!

There's nothing funny about buffer overflow attacks. ;-)

Re:Insane

[jerw134]

Don't forget to thank the fine people at Mozilla as well. Their software recently allowed exploits in bitmap files.

Re:Insane

Crawl back into your cube you Redmond dweeb. BTW did you design the skin for it.slashdot? Fits: wear IT.

Re:Insane

Hi,
I'm the trash your hardware virus!
please fowrard this email to all your firends and after thats complete pick up your computer and drop it from a height of 1meter onto the floor

Re:Insane

What the hell are you talking about?

Re:Insane

[jrockway]

Libpng had the ability to run arbitrary code a few versions ago. Make a nice png signature on those sites that let you and you could root everyone that read your posts!

Re:Insane

[museumpeace]

text file vulnerabilty...see my comment about the ten holes not being a complete list. MSWord can crash and IE's habit of opening anything it finds out there as long as its claims a MS format means you can crash your browser by clicking on a suitably booby trapped DOC file.

Re:Insane

Mozilla is also an operating system?

Wow, thanks for the tip!

Re:Insane

[The+Bungi]

http://www.us-cert.gov/cas/techalerts/TA04-217A.ht ml
http://www.cert.org/advisories/CA-2002-07.html

You're welcome.

Re:Insane

Don't forget to thank the fine people at Mozilla as well. Their software recently allowed exploits in bitmap files.

Well if you want to get into recently, then MS has no ground to stand on at all -- especially when you take into account how quick they were(n't) to go from bugged to patched.

Re:Insane

[jerw134]

No, Mozilla is not an operating system. But, since the bug affected Internet Explorer, which is a web browser just like Mozilla, the comparison is valid.

Re:Insane

Fortunately for us Mozilla users, our web browser isn't tied directly into our operating system. For us, there _is_ a difference between a browser bug and and OS bug. Windows + IE users have no such luck.

Re:Insane

[irc.goatse.cx+troll]

Whats the difference? Theyre both application bugs in rendering engines running in userspace. Both lead to code execution.

Re:Insane

[LiquidCoooled]

Would posting the EICAR virus as a sig prevent access to this site for certain users ?

Re:Insane

[chris+mazuc]

I thought the browser was the shell in windows. If that's the case, wouldn't it be possible to be infected by just browsing to a directory containing an infected image with thumbnails enabled?

Re:Insane

[jerw134]

There is no difference. That's the point.

Re:Insane

[Zen+Punk]

I did it and I got a free iPod!

Re:Insane

[HermanAB]

Here you go, an executable text file: X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIR US-TEST-FILE!$H+H*

Re:Insane

Yeah! but in order to get a buffer overflow you need:

^D^D^D^D^D^D^D^D^^D^D^D^D^D^D^D^D^DX5O!P%@AP[4\P ZX 54(P^)7CC)7}$EICAR-STANDARD-ANTIVIR US-TEST-FILE!$H+H*

Web enabled Shell

[12357bd]

Ok, Now is a really web enabled experience! :)

Re:Web enabled Shell

[burns210]

bummer, I wish bash had this feature... all i've got is lynx, and it doesn't even support ActiveX!

C&C

[schnits0r]

The recent GDI+ vulnerability

Good thing I choose to join NOD.


/rimshot

Re:C&C

awesome C&C reference! q:o)

Security is Job 1

[Foofoobar]

It's nice to know that they have made security such a high priority. Hopefully their next high priority will be 'doing something about it'.

Re:Security is Job 1

They did. Note that SP2 is not effected for most of the updates. They are most likely backporting fixes in SP2 to older versions of windows.

Re:Security is Job 1

[Foofoobar]

Yeah, SP2 was such a great answer. It only crashes 1 in 4 machines causing the user to have to reinstall. By Microsoft standards, that's a raging success! :)

Re:Security is Job 1

[Jedi+Alec]

at times it's a royal PITA though. I actually had to go into services and manually disable the firewall/internet sharing service in order to install my own router/firewall software. oh well, guess that means there's no way Joe Schmoe will be able to open up all the ports once again, which makes the net just a little safer for the rest of us.

Windows Shell?

What in the world is the Windows Shell?

Re:Windows Shell?

cmd.exe

Re:Windows Shell?

[Deorus]

Cmd.exe is the command line shell. The Windows shell is explorer.exe (which now has IE built in, or something like, as of Windows 98 you can surf the web from the "My Computer" Icon). Explorer has been the Windows shell since Windows 95. Before Windows 95 it used to be progman.exe (the Program Manager).

from the making-america-safer dept.

Yes, and I plan to do just that by voting for President Bush in 3 weeks.

Kerry is the choice of terrorists everywhere.

another reason to learn linux

[pawnIII]

Man, I seriously need to learn Linux asap. If not cause of all the super holes found lately, as for the fact Microsoft doesn't seem to care too much about the user base.

Re:another reason to learn linux

[user317]

knoppix

Re:another reason to learn linux

[noselasd]

hmmm. for comparison, Fedora has released 10 security patches since
2004-09-15 ...

Re:another reason to learn linux

[murderlegendre]

You should learn Linux anyway, if you are curious about it. If you enjoy computers, you will really appreciate what you can learn from Linux.

In terms of security, a well patched Linux system is almost certainly better than an unpatched Windows system. Microsoft provides the occasionally useful security patch, but if you stay aware, you will do better with Linux.. for now.

Re:another reason to learn linux

[red+floyd]

free editions generally do not include urpmi, yum, etc update utilities that will do it for you for free

Obviously you've never used Mandrake.

Re:another reason to learn linux

[sploo22]

Yeah, for about 10 times more applications.

Re:another reason to learn linux

[rsax]

In terms of security, a well patched Linux system is almost certainly better than an unpatched Windows system.

What kind of comparison is that? "In terms of protection, a well armoured personnel carrier is almost certainly better than an unarmoured personnel carrier".

Re:another reason to learn linux

[losinggeneration]

(A monkey could do it)
Are you calling me a monkey?

Re:another reason to learn linux

[John+Pliskin]

Yes.

DEVELOPERS!

$

Re:another reason to learn linux

[ZorbaTHut]

Not if it's running Windows - then it'll be full of holes! /rimshot

Re:another reason to learn linux

[Tim+C]

If they're in the default install, does it really matter? Either way, your average non-admin type user is going to get hosed.

Also, it could be argued that as the distribution is providing those apps, they are effectively certifying them as safe to the best of their ability to do so. Hey, we see many comments here railing against the "no warranty" clauses in EULAs, ignoring that the same clause is in the GPL; if MS should be responsible for their OS, why not RedHat, etc? Because it's free? Because they don't write all the code? True, but they choose it all, and have access to the source.

Perhaps it's time one distribution or another started to rationalise the software they ship (and no, I'm not volunteering, merely suggesting it as an idea to improve Linux). No-one needs a dozen text editors or four MTAs.

Re:another reason to learn linux

[KidHash]

emerge -uD world

Another reason to use gentoo linux

Re:another reason to learn linux

[_Sprocket_]

You may find Linux is a little harder to keep updated though when you do need to update something (free editions generally do not include urpmi, yum, etc update utilities that will do it for you for free).

It's interesthing that you suggest SuSE Personal Edition... then go on to suggest that it may be difficult to upgrade "free editions". My SuSE Personal Edition install gets no-cost updates fine. A previous install of Fedora had no-cost update sources. And, of course, distros like Debian are all about free (in more ways than one). And all of these provide the normal weatlth of tools to include the clicky-clicky kind.

Either you're thinking of something different, or your data is out of date.

Re:another reason to learn linux

[VanessaDannenberg]

Obligatory butchered "One, Two, Three" quote...

"We have emergency meeting with Redmond trade delegation. They sent us twenty carloads of Windows... Totally unacceptible. Full of holes!"

(Apologies to Billy Wilder and I.A.L. Diamond)

Re:another reason to learn linux

[kalidasa]

The only folks I've seen talking about "no warranty" clauses are SCO and Microsoft.

Nothing new here...

I think the first link on the page referenced above says it all:

Want Less Technical Detail?

A more accurate bulletin here

[Magickcat]

I can think of a more comprehensive bulletin:

1. Internet Explorer (All versions)
2. Microsoft Office (All versions)
3. Microsoft Windows OS (All versions)

Re:A more accurate bulletin here

Yes. I am just sure Mac IE and Office 2004 are affected.

Links or Lynx is NOT the same as....

...the Windows Shell (GUI) being web-enabled.

Links or Lynx are both programs that can be called from a Linux Shell. (Command Line Interface)

Bad Troll, no Internet Cookies for you!

SP2 Isn't Affected

[jerw134]

Just in case anyone is wondering, SP2 is not affected by any of these vulnerabilities, except for MS04-038. That's the fix for the "drag-and-drop" vulnerability that everyone's been crowing about.

Re:SP2 Isn't Affected

[93+Escort+Wagon]

Just in case anyone is wondering, SP2 is not affected by any of these vulnerabilities, except for MS04-038. That's the fix for the "drag-and-drop" vulnerability that everyone's been crowing about.

Actually I am just now running Windows Update on our XP SP2 box - the details of the "cumulative update" show a total of eight vulnerabilities being patched.

http://go.microsoft.com/fwlink/?LinkId=31851

Re:SP2 Isn't Affected

[jerw134]

Ah, but of those eight vulnerabilities, only one (drag-and-drop) affects SP2. Click on "Executive Summary" on that page to show exactly what's being patched, and what's affected.

Maybe YOUR Windows Shell is web enabled....

[aetherspoon]

OS: Windows XP Professional
Shell: Litestep ... but mine isn't. :P

Thread-o-matic

[JoeLinux]

Please select your argument here:
[ ] MS has these security exploits because it is the biggest OS
[ ] MS is a steaming pile when it comes to security
[ ] MS is working on fixing these things, and is doing the responsible thing.
[ ] 1337! I can't wait to #4x0r!

Re:Thread-o-matic

You forgot one:

[] CowboyNeil

Re:Thread-o-matic

[] All of the above ...
[] Profit!

Just because

MS Tech: Wait... you want to add web support to the shell? What the f**k for?

IT Manager: For kicks, for security, for some stupid reason the execs told me, I dunno. Why should I care? My job is the 3rd worst in the US after all...

Love this from the remote shell exploit faq

[codepunk]

Wow now these are guys I can trust!

Are Windows 98, Windows 98 Second Edition, or Windows Millennium Edition critically affected by any of the vulnerabilities that are addressed in this security bulletin?

No. None of these vulnerabilities are critical in severity on Windows 98, on Windows 98 Second Edition, or on Windows Millennium Edition. For more information about severity ratings, visit the following Web site.

Don't sweat it, a remotely exploitable shell is
not critical!

Re:Love this from the remote shell exploit faq

[vijaya_chandra]

You must be new here not to realise the thinking behind that

a) Faq says the patch's not critical
b) Joe doesn't include this in the critical patches he's downloaded on to his system
c) boom! the system goes down the next week because of the msplaster virus targetting this vulnerability
d) Joe's not sure about the reason for the crash and re-installs the OS
e) (c) again after a week
f) Joe gets frustrated and contacts MS support ppl, who inform him that the brand new Microsoft Windows XP Professional with Service Pack 2, has everything to avoid such crashes
g) Joe buys what they say

windows_xp_sales++

easy!

Re:Love this from the remote shell exploit faq

[AKnightCowboy]

If you're still running Windows 98 or Windows ME then you really deserve to get burned. Windows XP has been out for years and is patched against this vulnerability. I mean for crying out loud. Red Hat 9 isn't patched against many recent vulnerabilities and that's less than 2 years old, so cut Microsoft some slack for not supporting a 6 year old operating system version. That'd be like expecting Red Hat to still support 6.0.

Re:Love this from the remote shell exploit faq

[HermanAB]

Actually, WinME is my favourite Windoze version.

Provided that you run PCLite and install the latest version of IE, Firefox and Thunderbird and keep it safe behind a Linux firewall and Samba server...

Re:Love this from the remote shell exploit faq

If your using IE on WinME your just asking for trouble.

Re:Love this from the remote shell exploit faq

YOU must be new here. You forgot the ??? part. :>

Re:Love this from the remote shell exploit faq

[ledow]

Maybe it comes from the fact that those operating systems probably have a completely different way of working and as such aren't affected (e.g. it might just crash instead of giving up privileges?) None of the above are multi user so maybe it just hangs the machines. And to be honest, a 98 machine hanging is not exactly critical and none of the above are EVER used on servers, just desktops, so it's even less critical if it happens to crash.

Re:Love this from the remote shell exploit faq

[skiman1979]

Some people can't afford to install the latest version. I run Win98SE at home and I haven't had much problem. I am on a dialup connection too, so I'm not always connected, which helps I guess.

Re:Love this from the remote shell exploit faq

If you're still running Windows 98 or Windows ME then you really deserve to get burned. Windows XP has been out for years and is patched against this vulnerability.

I work at a University, and when I started this past summer I was given a computer -- with Windows 98. My university (Case Western) is an all-Microsoft shop, so I can get XP for free for this PC, no problem. But can my computer handle XP? Not really.

They recently were looking to upgrade *one* computer in the department. As a faculty member, I had first dibs, but the grad student that needed to upgrade needed to run Mathematica. The chair asked, "Can this PC run XP and Mathematica?" The answer from the help desk was: it can run XP, or it can run Mathematica, but it can't run both.

After a few weeks, I was told that I was in charge of administering my machine. I'm running linux (and Mathematica, btw) happily now.

I mean for crying out loud.

Some of us don't have a lot of choice. I'd love a new PC, but I don't really need a new PC. And I sure don't need any Windows headaches...

Re:Love this from the remote shell exploit faq

[CreatureComfort]

You forgot the obligatory

h) Profit!!!

Re:Love this from the remote shell exploit faq

[Jason+Ford]

Deserve to get burned?

Suppose I bought a computer back in 1998, and that I use it for occasional web browsing. It's not the fastest computer, but it suits that particular need well.

Now, suppose I want to make sure this computer is as secure as possible. It has Windows 98 SE on it. Will I be able to install Windows XP on the computer? Will I be able to install it for free, and legally, too?

This is one of the reasons I use Debian GNU\Linux unstable. I can make sure that my system is up-to-date, for free, and it will likely perform even better than it did before I updated it. And since my data is stored on a separate /home partition, I can upgrade all of the programs on it with a single command without any downtime.

In any case, I don't think anybody deserves to get burned, unless maybe they post their IP address on the Web and invite some 1337 kiddies to have a go at it.

Re:Love this from the remote shell exploit faq

I mean for crying out loud. Red Hat 9 isn't patched against many recent vulnerabilities

The Fedora Legacy project maintains up-to-date security patches for Red Hat 9 and some other Red Hat based distros. So, yes it is patched against many recent vulnerabilities.

But how can this be?

[Tibor+the+Hun]

I thought XP is the safest and most secure version yet! That's what all the commercials and the blue installation screens say.
Does this mean that my potential (and therefore their passion) is full of security holes?

Re:But how can this be?

[jerw134]

The newest version of XP is the safest and most secure version yet. Try counting how many of those bulletins have to do with SP2.

Re:But how can this be?

[evn]

I thought XP is the safest and most secure version yet!

It is the most secure version yet, but that's a relative term. Past versions of Windows set the bar so low that just about anything would be the most secure Windows to date. Notice how they didn't say "Most secure OS" or even "Most secure Microsoft OS": the devil is in the details!

My last poop* is the least smelly one to date. It stinks an order of magnitude less than the shit from New Years 1997--that one was bad enough to make a janitor gag--but I wouldn't want to find it in my server close all the same.

* poop is an underrated word.

Re:But how can this be?

[AvantLegion]

Semantics. An OS that gets 100 fixes in a Service Pack is no different from an OS that gets 100 fixes from individual patches.

Re:But how can this be?

[burns210]

now count how many have to do with 98se.... aww... a mildly(spybot, avg, software firewall, patches, good reliable hardware drives, firefox, stupid settings turned OFF, etc) locked down 98se is arguably more secure than a mildly locked down 2k/xp, as 99% of new vulnerabilties are not applicaable.

Now a strongly(relatively) locked down(hardware firewall, etc) 98 or xp is a whole nother story entirely.

Re:But how can this be?

[leifb]

In related news, there are fewer bald three-year-olds than forty year olds. From this, we can conclude that baldness has been cured.

That is enough for me

[trolman]

That is enough for me and my small company. I am using Open Office and Mozilla full time now. Adios Bill.

Re:That is enough for me

Oh NOOO what ever will they do with ALL THE LOST SALES OF IE!?

10 Bulletins?

[nuclear305]

I must wonder...does this have to do with another story?

Re:10 Bulletins?

[ktakki]

MS10-01: Vulnerability in Internet Explorer may cause user to worship other gods.
MS10-02: Buffer overrun in Graven Image processing.
MS10-03: Vulnerability in RPC Service may cause the name of the Lord to be taken in vain.
MS10-04: Vulnerability in Task Scheduler may prevent computer from resting on the Sabbath Day.
MS10-05: Vulnerability in Windows Shell may allow child process to kill parent process.
MS10-06: Buffer overrun in DCE Locator Service may cause abnormal program termination.
MS10-07: Vulnerability in Outlook/Outlook Express may lead to adultery.
MS10-08: Vulnerability in MSKerberos may allow remote user to steal.
MS10-09: Vulnerability in Excel may allow workbooks or spreadsheets to bear false witness.
MS10-10: Vulnerability in Internet Explorer may cause user to covet neighbor's ass.

k.

Re:10 Bulletins?

[darkstream]

What? I don't get it. You mean Microsoft rushed to announce these bulletins because they were concerned about a 14-year-old girl that cut her finger on a Star-Kist tuna can? ;)

great marketing

[LiquidMind]

and (on my page) a microsoft windows server 2003 advertisement right below this article.

beautiful. fucking beautiful.

Re:great marketing

what advertisement?
________________________

Proud user of the Fox of Fire and Adblock.

Good use of a spell checker

Page title:

Microsoft Security Bulletin MS04-037: Vulnerability in Windows Shell Could Allow Remote Code Executione (841356)

Comment removed

[account_deleted]

Comment removed based on user account deletion

This better not be the end

[jack's+wasted+liver]

Seriously, I hope that Microsoft gets their act together before too long.

I'm a little worried about the possibility of a "final" windows exploit that quickly and without warning kills every MS box it touches.
All these vulnerabilities are a bit disheartening.

Either Microsoft is really combing over their programs for errors or they are in trouble
Kind of makes me happy that I only rely on free/open source programs

Re:This better not be the end

[jerw134]

They have gotten their act together. Did you happen to notice how many of those bulletins are for SP2?

Re:This better not be the end

[bot24]

That is highly unlikely. Most people who break in will try to install stuff onto the box to control it instead.

Re:This better not be the end

[quelrods]

That's just not possible. Worms need hosts to spread to. As you kill off hosts, the spread lessons. Plus people may have had their computers off a few days. You'd need to create some sort of worm to take over all hosts...then be able to send a kill command. In which case your just talking about a worm propogating a trojan. Though, maybe I can dream about such a thing existing tonight :)

Re:This better not be the end

[jack's+wasted+liver]

This sci-fi essay is what I was referring to. The worm only kills the host after compromising a set number of other hosts. It would be great to see but it would ultimately give incredible ammunition to TCPA supporters.

Lameness

Every other day there's another round of stupid problems that need yet more patches. Why doesn't anyone ever get tired of this security flaw shit from Windows?

mozilla/firefox

[mconeone]

Does the shell exploit still occur if you use mozilla/firefox?

Re:mozilla/firefox

it wouldn't be a shell exploit, it would be a browser exploit. can you see c://windows in mozilla?

NO! local file browsing is "not a registred protocol"

Re:mozilla/firefox

can you see c://windows in mozilla?

Actually, you can. Mozilla supports the file protocol, so you could type file:///C:/WINDOWS to see the directory. The good thing about it is that it's read-only access, so for the time being Mozilla's safe.

Reminds me of something

[Deorus]

"The best thing about Microsoft bugs is that there are so many to chose from..."

"only"

The shell vulnerability only allows code execution as the user viewing the malicious web site.

On most XP installations, the only user is "Administrator".

Re:"only"

[craXORjack]

On most XP installations, the only user is "Administrator".

Ain't that the truth. At work, we would love to lock down users to just user privledges but when we tried that so many people screamed bloody murder to their department heads that it became a political impossibility (even though we had already gotten a grudging buy in from them). Therefore we still have to track down about every new virus and worm that comes out and fix hundreds of screwed windows machines that the users have happily mucked up.

Ten holes huh? This list may not be complete

[museumpeace]

Microsoft is having a bad code day. Shocking! I'm shocked I tell you! Heres one the /. editors passed on back on the 7th. MS seems to have passed on it too.

About noon EDT, InfoWorld got report via Secunia, of a MSWord vulnerability that can crash a MSIE browser or any Office app that tries to load a properly poisoned word doc file . It is categorized as a potential DOS attack though it seems more a nuisance than a nightmare. My employer, a large and very security conscious federally funded laboratory used to discourage the use of MSIE and promote Mozilla. Today I find they have completely disabled all older or unpatched MSIE versons for browsing outside the lab firewalls.

Aren't you glad you need admin privileges ...

[RealAlaskan]

The shell vulnerability only allows code execution as the user viewing the malicious web site. Aren't you glad your shell is web-enabled?

Aren't you glad you need admin privileges for day-to-day operations on too many windows boxes?

Aren't you glad that even if you can get by without admin privileges, you can still completely hose your own files just be visiting the wrong website? Aren't you glad the only files that you can infect are the only files that you really care about?

You bet I'm glad my shell is web-enabled! After all, this Windows box belongs to my employer ... its his time that will be wasted.

Re:Aren't you glad you need admin privileges ...

Aren't you glad you need admin privileges for day-to-day operations on too many windows boxes?

What day-to-day operations are these? If your user is configured appropriately, you shouldn't have difficulty doing "day-to-day" stuff. Now, are you talking about applications that are coded to assume you have admin privs? We rail and rail against MS because they "force" us to run as admins - when it's really the fault of application developers. Unless you can give some specific examples.

Aren't you glad that even if you can get by without admin privileges, you can still completely hose your own files just be visiting the wrong website?

Is an attack on MS Windows, or on computers in general? What platform is this *not* the case on? Remember the Firefox vulnerability that would permit files in your download directory to be deleted?

Re:Aren't you glad you need admin privileges ...

[drsmithy]

Aren't you glad you need admin privileges for day-to-day operations on too many windows boxes?

For example ?

Aren't you glad that even if you can get by without admin privileges, you can still completely hose your own files just be visiting the wrong website?

Like that last Firefox bug that wiped out files and data just by trying to download something ?

Aren't you glad the only files that you can infect are the only files that you really care about?

Well, it's kinda hard to be able to do anything to your files if you can't access them.

Re:Aren't you glad you need admin privileges ...

[Aeiri]

"Like that last Firefox bug that wiped out files and data just by trying to download something ?"

That only wiped out files in the Download directory, IF you install an extension that exploited it.

Considering the Mozilla.org Firefox Extension page is the only page allowed to install extensions on with a default install, and the fact that when it DOES install an extension, it has a minimum 3 second wait time, you MIGHT be able to be tricked by an attacker if you try hard enough.

Re:Aren't you glad you need admin privileges ...

[bogie]

""Aren't you glad you need admin privileges for day-to-day operations on too many windows boxes?""

"For example ? "

Many applications and games require admin privileges to install. Windows Update requires admin privileges. etc etc.

""Aren't you glad that even if you can get by without admin privileges, you can still completely hose your own files just be visiting the wrong website?""

"Like that last Firefox bug that wiped out files and data just by trying to download something ? "

Wow one bug...which wasn't even widely exploited. Compare that to the Millions of Windows machines completely infected with spyware right now because Microsoft has no clue how to secure a web browser.

I've said a billions times that being closed or open source doesn't guarantee anything, security or quality-wise. But combine users running by default as Admin and the pathetic security of IE and you hava a receipe for diaster. Comparisons to Firefox just make your argument look more than a little lame.

Re:Aren't you glad you need admin privileges ...

[Foolhardy]

Many applications and games require admin privileges to install. Windows Update requires admin privileges. etc etc.

So run only those programs as admin. Windows NT is (and always has been) multi-user. See RunAs, PsExec, SUD, etc. It would be a pretty lame excuse if I said that I had to run as root on Linux all the time because upgrading the kernel requires root access. You'd tell me to use su; do the same thing on Windows.

Compare that to the Millions of Windows machines completely infected with spyware right now because Microsoft has no clue how to secure a web browser.

That's funny, I've used IE without getting any malware.
Here's a better reason that so many computers are plugged: ignorant users that are gullible, believe everything they see on the Internet, and press yes or OK on every dialog box just to get them to go away (without reading them or caring about the content). This is just as possible with Firefox or KDE or any other complex system that people use: you can make resistence to stupidity, but stupidity will always win some battles.
Could Microsoft make the resistance higher? I guess. But then they would have to contend with cries of incompatibility and non-ease of use. It's a precarious balance.
You'd like more security, but you aren't a shareholder of Microsoft; I'm sure the company has done much research that says that invasive security makes users mad and reduces sales

But combine users running by default as Admin [...]

Yes, the admin default sucks for security. It is also only a default and so completely avoidable; the fact that users don't avoid it speaks of their ignorance.
If Windows XP automatically logged you on as a non-admin user, most people would be lost; they would have no idea why they can't install their new software. All they see is an ugly dialog box they don't understand and it isn't working. This news would get out, XP would be branded as impossible to use because some dumb columnist couldn't install Quicken 200X, and nobody would buy it. They would still be using 98 or ME with zero local security. Because it's easier than dealing with security hassles. These are the same people who have no idea what the consequences of installing Gator or whatever are, and if you try to tell them about it, they glaze over and continue to do what they always have done.

Re:Aren't you glad you need admin privileges ...

[drsmithy]

Many applications and games require admin privileges to install. Windows Update requires admin privileges. etc etc.

So use Run As. Do you log in as root all the time because installing software and applying patches under Linux requires root privileges ?

Wow one bug...which wasn't even widely exploited.

And this IE bug hasn't been exploited at all and is now fixed. The point is it was just as easy to oblitirate important data under Firefox as under IE.

Compare that to the Millions of Windows machines completely infected with spyware right now because Microsoft has no clue how to secure a web browser.

You mean because millions of people browse dodgy websites and install anything they ask them to.

What makes you think Firefox would be any different ? It's just as capable of prompting the user to install malware and then doing so.

But combine users running by default as Admin and the pathetic security of IE and you hava a receipe for diaster.

So don't run as Admin and don't use IE.

Comparisons to Firefox just make your argument look more than a little lame.

At least I'm not so dumb as to think spyware for Firefox doesn't/won't exist and that stupid people don't/won't install it.

Re:Aren't you glad you need admin privileges ...

[csk_1975]

That's funny, I've used IE without getting any malware.

That's funny earlier this year I got malware all over one of my machines because I was using IE. The exploit the malware used was not patched at the time and standard (and up to date) personal firewall and antivirus software didn't help. You are kidding yourself if you think that a lack of ignorance is reasonable protection against flaws in any software. Especially when that software has proven itself to be riddled with holes, has complete access to all the resources on your machine and is constantly used to download untrusted content from untrusted sites on an untrusted network.

Re:Aren't you glad you need admin privileges ...

[thepoch]

As I don't know how to copy paste in elinks...

Regarding your mention of running certain apps using RunAs, PsExec, etc... it doesn't exactly work well. I've said it before and have begun sounding like a busted CD. Multi-user in Windows doesn't really work very well. Include the fact that most developers never take the multi-user environment into consideration.

Here's my example. I will not state a specific app since RunAs works for some, but not most apps out there. Run an app with RunAs. It loads with Administrator priviledges. It will then try to load settings stored in Documents and Settings. There's your problem. Most apps attempt to load stuff off of the current user account, not the account you RunAs'ed. So the app loads with Admin priviledges. But it loads data from the current logged-in account. To Joe Public, these makes the Windows look even more broken... which, as a true multi-user platform, it is.

Re:Aren't you glad you need admin privileges ...

[martinde]

> So run only those programs as admin.

On my kids' computer, this includes "Reader Rabbit Baby and Toddler". (Must write directly into video memory or something.) I thought that was pretty neat.

I will look into RunAs, PsExec, SUD, etc. Thanks for the tip.

Re:Aren't you glad you need admin privileges ...

[jackbird]

What day-to-day operations are these?

Running AutoCAD or Quickbooks, for two. So at a typical architecture firm, every box with business-critical data runs as Admin.

Re:Aren't you glad you need admin privileges ...

[Sublimed]

It is not my itent to attack the poster here.

As a network admin for about 90+ windows boxes in which we have taken AWAY administrative priv's i can tell you that is IT IS difficult to run on a day to day basis without them.

RunAs does not solve all your problems, trust me on this.

Re:Aren't you glad you need admin privileges ...

[skiman1979]

Well, it's kinda hard to be able to do anything to your files if you can't access them.

Couldn't the browser be designed to run as a separate "browser" user? The actual user that wants to browse the web could be part of the "web" group or something similar. The "browser" user account wouldn't have full access to the real user's files because "browser" is a different user. Just like with other programs like, say, MySQL. the MySQL daemon runs as mysql on my system. My username is part of the mysql group, and the mysql daemon does not have access to my files. Sure, that example is on linux, but Windows should be able to operate in a similar fashion.

Re:Aren't you glad you need admin privileges ...

[skiman1979]

See RunAs

I've tried to use RunAs to execute different things as an admin user from my normal account on XP Pro. Some things just don't seem to work right. For example, the Control Panel. Most programs you should be able to just right click, RunAs... but I haven't figured out how to do that for the control panel for things like adding/removing hardware/software, changing services, etc. I've even tried it at the console "runas /user: administrator control.exe" or something like that. RunAs doesn't always work in my experience. Unlike su in linux, works every time for me.

Re:Aren't you glad you need admin privileges ...

"If Windows XP automatically logged you on as a non-admin user, most people would be lost; they would have no idea why they can't install their new software."

Software installations are always tested on a default configuration of any supported OS. If the default for XP will be non-admin then anyone writing an installation will do something about it. Detecting that user does not having privileges and pop a dialog box describing what should be done will work.

Re:Aren't you glad you need admin privileges ...

Two points here:

1. I don't think XP Home even has "Run As...". As far as I can tell it has only 2 types of users, and the less privilaged one can't even run Word (or at least it's not working for me for some reason).

2. You said:

Here's a better reason that so many computers are plugged: ignorant users that are gullible, believe everything they see on the Internet, and press yes or OK on every dialog box just to get them to go away (without reading them or caring about the content). This is just as possible with Firefox...

To do this in Firefox would require several additional steps. You'd have to either manually download (right-click, save-as) and open the installer, or you'd have to add the site to your extensions whitelist then try again. You also can't be prompted to install anything just by visiting a page. You have to actually click the link.

In short, Firefox takes reasonable measures to prevent accidental or click-through software installations, and it began doing this within weeks of the first reports of malware targetting the XPInstall system. IE has had this issue for years, and as far as I know MS has done little if anything to fix it. Maybe they did some work on it for SP2, but I wouldn't know since I abandoned IE about a year and a half ago.

Re:Aren't you glad you need admin privileges ...

i did a google search on this program. it's designed for windows 95.
in XP:
you can right-click the short-cut link and choose
for it to run in win95 compatibility mode. it's right-click the program icon, then chose
properties, then Compatibility then:
"Run this program in compatibilty mode for ..."
i had to choose that (win95) for Halflife or it
wouldn't start, but after checking the
compatibilty thingy it worked ... good luck.

Re:Aren't you glad you need admin privileges ...

[Kagami001]

The easiest way to use RunAs is to use it to execute IE as a different user -- this gives you an explorer shell with the rights of that user.

On my system, I wound up setting the IE start page for my main admin account to a local folder containing shortcuts for my commonly used admin tasks, such as control panel applets.

MS, of course, makes no mention anywhere of the usefulness of this and has yet to provide a more elegant method of logging into an explorer shell with different credentials than those of the current desktop. It's a far cry from the automatic request for the root password that MacOS X and modern Linux distros use when you try to change something you need root privileges for.

Re:Aren't you glad you need admin privileges ...

[skiman1979]

Thanks for the tip. I'll keep that in mind. I'm glad modern linux distros automatically prompt for the root password when needed. As far as I'm concerned (on the windows side), having to open the entire shell (explorer) as admin in order to run a certain program (e.g., control panel) seems like bad design. But at least that option is there. I would at least like to see the commandline version of runas work as well as su does in linux.

Re:Aren't you glad you need admin privileges ...

[Foolhardy]

That's funny earlier this year I got malware all over one of my machines because I was using IE.

Name the malware package. Where can I find it? I want to try getting infected by it. I have VMs I can use safely for this. I'm not saying it's impossible, but I would appreciate a specific example.

... has complete access to all the resources on your machine ...

This would only be true if you were running the browser as admin. Don't do that.

You are kidding yourself if you think that a lack of ignorance is reasonable protection against flaws in any software.

It is reasonable protection if those flaws can be worked around. I submit that Windows's flaws are avoidable.

Re:Aren't you glad you need admin privileges ...

[Foolhardy]

Include the fact that most developers never take the multi-user environment into consideration.

This IS a serious problem. It really is the fault of the developers, though. Usually there are case-by-case workarounds available. It isn't pretty but it can work.

Here's my example. I will not state a specific app since RunAs works for some, but not most apps out there. Run an app with RunAs. It loads with Administrator priviledges. It will then try to load settings stored in Documents and Settings. There's your problem. Most apps attempt to load stuff off of the current user account, not the account you RunAs'ed. So the app loads with Admin priviledges. But it loads data from the current logged-in account. To Joe Public, these makes the Windows look even more broken... which, as a true multi-user platform, it is.

From the Runas docs:

/profile : Loads the user's profile. /profile is the default.

/no profile : Specifies that the user's profile is not to be loaded. This allows the application to load more quickly, but it can also cause a malfunction in some applications.

This implies that loading the specified user's profile is default.
In any case, the behavior can be controlled by a command line parameter.
For PsExec, use the -e flag to force the profile to be loaded.
SUD always tries to load the specified user's profile for the new process.

I would think that Joe User would want the same profile loaded regardless of priveledge level to work around broken apps: he wants to run app XYZ but XYZ requries admin acccess. Joe User doesn't care that this app requires admin; he just wants it to work. Joe doesn't want to keep seperate document directories because of this silly detail (silly to Joe). It would be more intutiave if all the apps, admin or not, used the same profile since the same real user is using both.

Re:Aren't you glad you need admin privileges ...

[Foolhardy]

Yeah, Runas does suck for scripting. Try SUD; it is great for this. You can create 'cfg' files that only run a specific program under a specific user without divulging the account's password. It's kinda like setuid. From the docs:

First create a SU configuration file using the following syntax :

1. su -u administrator -p - -c c:\temp\setup.exe -C c:\temp\su.cfg -S

and enter administrator's password ; this yields the creation of a crypted SU configuration file c:\temp\su.cfg.

Now, any user who has right to run su.exe and read c:\temp\su.cfg can enter the following command

1. su -C c:\temp\su.cfg

This command starts c:\temp\setup.exe in the security context of your local administrator, but the user ignores the password !

Re:Aren't you glad you need admin privileges ...

[Foolhardy]

I'm glad modern linux distros automatically prompt for the root password when needed.

This is a nice feature; I wish that Windows did the same.

As far as I'm concerned (on the windows side), having to open the entire shell (explorer) as admin in order to run a certain program (e.g., control panel) seems like bad design.

You can thank shell integration for this. Everything in the shell (including the control panel) likes to use the same libraries and run in the same process. Control.exe just signals the explorer process to open the control panel and exit. It goes back to the days of Win95 when extra processes cost precious memory; 95 had to run comfortably in FOUR megabytes. Unfortunately, this design choice was never reversed.

I would at least like to see the commandline version of runas work as well as su does in linux.

Take a look at SU/SUD. I think it works as good as su does on Linux. Yeah, it's third party, but it works.

Re:Aren't you glad you need admin privileges ...

[csk_1975]

The malware was hosted on a compromised parked server in the US at a company called Netfirms.com. I complained to them and they re-imaged the server. The exploit was patched in mid April so that particular malware is not going to work any more even if I had an active link to it. It installed various junk as well as a SDbot variant which Nortons recognised several months after I got it (I kept a copy and Nortons found it in my "samples of crappy spyware" folder after a definition update).

The only reason I got this malware was because I was looking for it - some of my user's machines had been infected with junk and I was interested in how this had happened. I checked the squid logs and tested the same URLs and hey presto my machine was suddenly in dire need of a re-image.

After this I tightened up squid to actively deny access to lots of bogus sites and to scan all content for viruses and malware using current patterns - this helps but it is not an ideal solution.

If you really want to test out malware I would suggest that you use google and also look in the various spyware chat boards. The other place is full disclosure and other mailing lists which discuss exploits as many people helpfully post links to POC code for new exploits.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Only one affects to SP2...and more surprises

[diegocgteleline.es]

Only one vulnerability affects to SP2. In fact, the XP SP2 (desktop OS, you know) had less vulnerabilities than win 2k3/XPSP1, which shows the huge progress made in the SP2. I don't know how to take this..."good" because SP2 is good, or "bad" because the server OS is more insecure than the desktop OS. In any case, they're porting the work they did in SP2 to win 2003, so we'll see. They've raised the bar with the SP2, IMHO.

Re:Only one affects to SP2...and more surprises

Or did they include fixes in SP2 that are now released separately for the other versions?

Market share??

Why are there more big announcements about MS patches?

Because MS is the dominant OS, and many Slashdot readers need to know about these things.

There have been Slashdot articles on Linux bugs, but fewer. Why? Maybe because there are fewer critical bugs. Why? Market share.

Not everything is anti-MS. Some of it is just reality.

desiv

Re:Market share??

Why are there more big announcements about MS patches?

Because Microsoft keeps blowing its own trumpet; louder and harder than anyone else. "Trusted computing", "increased security" and the like. And yet every day they have to eat humble pie.

There have been Slashdot articles on Linux bugs, but fewer. Why?

Because, by its very nature it is more secure. Different users are used to run different processes. Processes that are considered more insecure than others can be run in a "chroot jail" if need be. Thusly, when a problem is found the severity of it is not "critical".

An increased market share will not suddenly destabalise the fundamentals of an inherently more secure operating system.

Not everything is anti-MS. Some of it is just reality.

Indeed. Shit happens.

Re:Market share??

[http]

Ahem. Just to amplify what the other A/C said,

Jack Clarke, European product manager at McAfee, said, "So we will be seeing more Linux viruses as the OS becomes more common and popular."
Mr. Clarke is wrong.

-- Scott Granneman

Re:Market share??

[Tim+C]

From the article:

a Linux user would have to read the email, save the attachment, give the attachment executable permissions, and then run the executable

Yeah, and I've received a couple of viruses for Windows as zipped attachments to emails. I'd have had to save (or open) the zip file, extract the contents, then run the executable.

I still received it, so someone did that.

You may be too young to remember computers before the Internet came along*, but I'm not. I remember viruses back when there were half a dozen or more different home computer systems, and the only way to spread was via infected floppy. People still got them.

If and when Linux gains significant market share, people will target it with viruses and other malware. They may not be able to spread from machine to machine automatically, but they will exist, and they will cause damage. People using Linux are going to get used to typing in the root password when they need to install stuff, so they're going to do it for that little KDE applet that puts the weather forecast in their KDE taskbar, or whatever. That applet is going to install spyware, or have been infected with a virus, or whatever, and it's all going to be installed with root privileges.

It is extremely difficult to protect a machine from a clueless/inexperienced user with the administrative password. I know of no evidence that says that Linux is any different in that respect.

[* Man, do I feel old saying that - but I've been using computers for about 22 years now]

Re:Market share??

[http]

touche. I sit corrected.
I forgot my own maxim (though I don't think I'm the first to say it), "Consider the intelligence of the average user. Try not to wince. Then remember that by definition, half of all users are _not_ that intelligent."

Re:Market share??

if((badTaste(p) && mod.troll)||(illFormedOpinion(p)) && mod.flamebait)) {
markUnfair(mod);
}
else if ((idiot(p) && (wantsTo == "LookSmart") && (with == "code in sig intended to be humors")
{
mod.down(unmercifully)
}

Re:Market share??

[http]

fuck are you ever dumb. it wasn't intended to be funny nor look it.

Lets see

[codepunk]

Nasty hacker crafts email that appears to be from
microsoft talking about this great new software that can be downloaded from their site. Of course mindless MCSE network admin does not realize it is a phishing attack and clicks to see the greatest new stuff from the redmond lords. Now nasty hacker owns your entire network......priceless

Re:Lets see

[bot24]

It would be easier to make any E-Mail that the admin would open, and include an iframe in it.

just buy a mac :-)

just buy a mac :-)

'nuff said.

LiteStep

[PacoCheezdom]

People like myself that use LiteStep for a shell under Win32 don't have to deal with the memory overhead of a web-enabled shell, or these web-based exploits.

It's pretty cool and it's open source and stable (unlike Windows sometimes) and has a decent-size user base, eventhough most of the themes are pretty worthless. (Then again, for any themable program, aren't the bulk of the themes crap?)

Anyhow, people that are stuck using Windows like I am (Lycoris' Tablet PC version of Linux is next to featureless) should give it a try, if nothing else but as a preventative measure against future bugs like this.

Re:LiteStep

[sw155kn1f3]

How come you are not vulnerable? Windows shell code is still there, you just have to use IE to be exploited, be your default shell explorer.exe or litestep.
Well, if you're using firefox, you're safe anyway.

Re:LiteStep

[PacoCheezdom]

Who doesn't use firefox, though? :)

Compiler of GOD

Holy crap! Where can I find this compiler?

Re:Compiler of GOD

[Jim_Maryland]

I think it's a CD included on the back cover of the Bible. The EULA is a bit strict though. Make sure to get the most recent version (the one with the New Testament). Other GOD compiler's exist (although the licensing agreement for the predominant one may restrict you to only use it's version) for various operating systems so make sure to get the appropriate religious text.

Back to the topic and only being a novice programmer myself, I'd think that any feedback from the compiler on known exploit flaws could be useful. I wouldn't necessarily want to release software just relying on the compiler flags over good programming practices.

How is this different

[The+Bungi]

From everything in here again?

With the exception of a proof of concept GDI+ exploit posted to USENET, none of these vulnerabilities are known to be exploited.

The shell and compressed folder vulns require user interaction, just like 99% of all other "worms". As long as your mail application is patched you can't get hooked via email and if you visit "malicious websites" with anything other than Lynx you probably should be shot anyway. Ditto for a decent firewall.

On the other hand, I wonder why things like these for soem reason never get posted.

Re:How is this different

http://www.linuxsecurity.com/advisories/redhat.htm l

holy shit, and that's just for RH!!

Re:How is this different

[Carnildo]

Recently, someone broke into a number of ad servers, and uploaded malicious content to them. As a result, any web site showing banner ads from the companies could be considered a "malicious website".

Re:How is this different

[jd]

Three of the holes were for "server" editions of Windows. This means that what the user does is largely irrelevent. If the server gets compromised (and, yes, NNTP and SMTP are listed amongst the systems with holes) then you could very easily end up with hostile code on your machine, no matter how updated it may be.

As far as Linux is concerned, a properly configured Linux box is relatively secure, even if the applications have holes. This is because you can run most servers under restricted user IDs and/or in chroot-ed environments. This means that someone breaking into a server application can't really go anywhere.

Linux' main "weakness" (diversity of implementations) is also its great strength on this. A Linux virus won't necessarily work on all Linux machines, because it is going to make assumptions about the nature of that machine which may not hold true. Applications can be configured on installation by the admin, but viruses don't usually get that benefit.

Finally, Linux has some extensions which make it bullet-proof against many types of attack. Mandatory Access Controls and filesystem ACLs mean that you can have an extremely fine-grained level of control over who can do what. This means that if some server software has a user ID of N, but N only has read permissions on N's files, then compromising the server can't even allow an attacker to modify the files they supposedly own.

All this means that Linux applications don't need to be that secure. The security is provided. It is helpful if they ARE secure, but it's not essential. With Windows, this isn't the case. The level of security isn't that great, and as more and more is integrated into the kernel, the vulnerabilties within any given application become ever-more dangerous to other parts of the OS.

Re:How is this different

That wasn't a proof of concept exploit posted to Usenet, it was a real exploit. The proof of conecept was a jpg which only caused a heap overflow.

Re:How is this different

[the+eric+conspiracy]

none of these vulnerabilities are known to be exploited.

That will change.

On the other hand, I wonder why things like these for soem reason never get posted.

Actually that did get posted.

http://it.slashdot.org/article.pl?sid=04/09/04/1 31 4200&tid=172&tid=128&tid=1

Re:How is this different

[Foolhardy]

If the server gets compromised (and, yes, NNTP and SMTP are listed amongst the systems with holes) then you could very easily end up with hostile code on your machine, no matter how updated it may be.

So you download programs and give them privledged access on your computer based solely on the server they came from? That kind of trust should require you to trust that the server admins keep their computers up to date and would be aware of external control. You ought to have spoofing protection (mutual authentication) or it could all be for naught; you might not even be talking to your trusted server. This is not unique to Windows; it should apply to all secure networked environments.

As far as Linux is concerned, a properly configured Linux box is relatively secure, even if the applications have holes. This is because you can run most servers under restricted user IDs and/or in chroot-ed environments. This means that someone breaking into a server application can't really go anywhere.

The same is true on Windows. Services can be run under the security context of any user account with the SE_SERVICE_LOGON_NAME privilege. A service running under a normal user would be unable to comprimise the system without first exploiting a local kernel vulnerability. Can you name any current NT kernel vulns?

Finally, Linux has some extensions which make it bullet-proof against many types of attack. Mandatory Access Controls and filesystem ACLs mean that you can have an extremely fine-grained level of control over who can do what. This means that if some server software has a user ID of N, but N only has read permissions on N's files, then compromising the server can't even allow an attacker to modify the files they supposedly own.

NTFS has always had file ACLs. You can easily do everything you describe with them.

All this means that Linux applications don't need to be that secure. The security is provided. It is helpful if they ARE secure, but it's not essential. With Windows, this isn't the case.

How's this? Windows NT has all the local security that a standard unix does. Use it.

The level of security isn't that great, and as more and more is integrated into the kernel, the vulnerabilties within any given application become ever-more dangerous to other parts of the OS.

What, specifically, are you talking about 'integrated into the kernel'? First, are you referring to things running in kernel mode or things that are actually part of the kernel itself? Can you provide an example of something integrated in the kernel that shouldn't be there, or better yet: something that is causing a security vulnerability?

Re:How is this different

It's true that people are disproportionately critical of MS software, compared to how forgiving they are of many open source programs. I won't dispute that. But there are a number of ways in which the MS security issues tend to be worse (time to patch, the fact that people generally have to run as Administrator, etc.).

Also, your statement about existing exploits is incorrect. The drag-and-drop vulnerability was exploited by a web site that was advertised is spam messages as the opt-out page. My understanding is that an actual (though not very effective) virus using the GDI+ JPEG vulnerability was posted to USENET. Both of these were reported here on Slashdot.

Re:How is this different

[The+Bungi]

Couldn't have said it better.

does not matter.

[twitter]

Aren't you glad you need admin privileges for day-to-day operations on too many windows boxes?

Pity that, but so what? All the attacker has to do is upload a root kit via browser help object, cookie or similar then execute the kit. Who executes the kit should not matter if the kit is made right.

The thought of the day is, "just another hole in a screen door." Why are people still running Microsoft junk?

Re:does not matter.

[The+Bungi]

Are you saying this doesn't happen with Linux? You do realize where the term "rootkit" originated, yes?

Re:does not matter.

[bloo9298]

WTF? You really have no idea what a rootkit is, do you?

Remote Vuls

[wastedimage]

Has anyone else noticed how everything is now classified as remote? For the zip one you have to download the file and then attempt to unzip it. THATS NOT REMOTE. You downloaded it and then got exploited. Its running local context! Its local! Remote for example would be the NNTP. Where a remote user directly exploits you without any user interaction.

I extend this classification to the GDI vuls. They are downloaded and then rendered by windows. Why should it matter that its not an executable file. From an 3rd party perspective it looks the exect same as someone downloading and running a trojan. It shouldn't matter how clever they are in hiding the execution or downloading of the file, if it runs in local context its LOCAL.

Fuck i'm so tired of seeing remote vul tacked on to everything.

Re:Remote Vuls

Has anyone else noticed how everything is now classified as remote? For the zip one you have to download the file and then attempt to unzip it. THATS NOT REMOTE.

Did you even bother to read the report? It says:

An attacker could exploit the vulnerability by constructing a malicious compressed file that could potentially allow remote code execution if a user visited a malicious Web site.

Re:Remote Vuls

[wastedimage]

Yes damn you. Don't you know how that works. For fucks sake. YOU DOWNLOAD IT THEN IT RUNS. Get a virus scanner. ITS NOT A REMOTE VUL.

Ahem. RTFM{1000}

Re:Remote Vuls

Look. The issue is compressed folders. The Windows shell automatically uncompresses them when changing into such a folder. You can be rooted by simply changing into a web folder on a malicious host.

What you say is only true to the extent of there is data passing from server to client. But if you count that as "downloading", then pretty much any remote vulnerability isn't by your standards.

Microsoft calls it a remote vulnerability. The description indicates plenty of ways in which a remote system can compromise a local system. What the fuck is your problem?

Re:Remote Vuls

[wastedimage]

Yes, I consider data being passed from server to client DOWNLOADING when it is saved to a temporary file. It kinda FITS THE DEFINITION EXECTLY.

A remote vulnerability requires that is it COMPLETLY exploitable remotely. None of the new "remote vulnerabilities are" they all require some kind of social engineering to get the user to visit some www site download a file and run it. Thats a fucking joke. Thats not a remote vul. A romote vul is REMOTE and requires no user interaction. Thats my fucking problem.

Re:Remote Vuls

A romote vul is REMOTE and requires no user interaction.

No, a remote vulnerability is remote. You are the only one asserting that it requires no user interaction. If you arbitrarily decide to redefine words so that "remote" actually means "remote+awholebunchofotherstuff", then fine, just don't go around criticising people who say "remote" when they actually mean "remote".

Twitter: Life and times of a petulant cock-gobbler

Twitter, you're a petulant cock-gobbling sycophant to Linux Torvaldyos! Quit taking DP from ESR and RMS's feculent cocks and why don't you try to stop sucking quite so much? Get out of your parents' basement and see the real world - maybe then you'll see how pathetic you sound, with your neverending stream of bullshit about how Microsoft is stalking you. Wasn't it you who said that Microsoft believes your insane ranting is actually a threat to them, so they PAY PEOPLE to reply to you on Slashdot? No sir, I don't get any money. I do it for the love. Someone has to go up against your paranoid whining. So get back in your cage and shut the fuck up already.

I would but...

[emidln]

Someone h4x0r3d my box before I could get to it.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Gotta love Windows...

[cortana]

Updates were unable to be successfully installed

The following updates were not installed:
Microsoft .NET Framework 1.1 Service Pack 1
Cumulative Security Update for Internet Explorer for Windows XP Service Pack 2 (KB834707)

[Configure automatic updates] [Tough shit]

Thanks, Microsoft! What the hell am I supposed to do now! Oh well, this particular machine hasn't been installed for almost 1 year, it's about time I reset the cruft factor...

Re:Gotta love Windows...

I don't know if this is your problem but it was a problem I had recently that caused the updates to fail so you may want to check it.

They recently changed some services to be required as automatic in order to use the update page, I will list any dependent services that have been set to Manual or Disabled and you will have to change them to Automatic then reboot and try again.

It's easy to miss but look for the listing of missing services on the page.

You can do that by going to Control Panel/Administrative Tools/Services.

HOLY JESUS FUCK!

That pretty much sums it up.

Over to you, Dave.

thank god my shell isn't web enabled!

[curtlewis]

curl http://www.hackersite.com/deletefiles

DOH!

Curse you RedBaron!

This might be good news for some

[BigDave81]

For me in some sense this is good news
The more vulnerabilities and bugs that appear in MS software the greater my unix/linux skills will come into play in the private sector.
Am I the only one that doesnt want masses of people (lusers) to start attempting to use linux?
Just makes for less job security for me in 5-10 years.

Shat

[AvantLegion]

>> * poop is an underrated word.

So is "shat". Sometimes people use "shit" or even "shitted" as a past-tense verb instead of "shat", and they're missing out.

DAMN!

[AvantLegion]

Damn! I had 9 in the pool.

That's what I get for having faith in you, Microsoft!

Re:DAMN!

If you were in the pool for 9 vulnerabilities which didn't affect XP SP2, count yourself a winner.

Perhaps the problem is you didn't have ENOUGH faith, then?

Re:DAMN!

[AvantLegion]

>> If you were in the pool for 9 vulnerabilities which didn't affect XP SP2...

Same as, "If you were in a pool for 9 vulnerabilities which didn't affect a fully patched system..."

SP2's not a new OS. It's a big fat stack of patches. Don't pretend like it's a clean slate.

Yeah, only 999 systems to go.

I can tell you aren't an admin with 1,000 PC's to deal with. Say, how many months would it take you to do the other 999? And how much money would that cost your employer? And how much would that add to the prices that your employer's customers have to pay to cover it?

Re:Yeah, only 999 systems to go.

[j0217995]

Currently none of those windows boxes, all 100 in my organization are connected directly through the firewall. With anti-virus, intrusion dectection and intrusion prevention, and a desktop intrusion prevention device there is no big panic in a new patch. All 100 of those PCs will check into the SUS server, grab and install the updates. If I had 1,000 PCs setup a more powerful software management system, off the top of my head Altiris would do a great job.

Re:Yeah, only 999 systems to go.

[Vint+Cerf]

That's what you're paid for, janitor.

Re:Yeah, only 999 systems to go.

[mvpll]

connected directly through the firewall

Hmm, I can't parse that. Nevermind, I just wanted to ask what a 100 seat license costs for anti-virus and intrusion detection/prevention software? As well as a 100 desktop intrusion prevention devices, whatever they are.

Re:Yeah, only 999 systems to go.

[j0217995]

I can't parse that either :)

Well it depends on what you are using for anti-virus protection software. We use Trend Micro, the Office Scan product. As I didn't pay for it, I can't tell you that.
We are working on deploying Cisco's Security Agent and I think 100 of them are $3,000 don't remember off the top of my head right now, but that should be close to retail. The CSA works as a host based intrusion prevention system that reports to a centralized server. Had good sucess w/ that so far.
Intrusion Prevention and Detection are done at the entrance to the network from the internet and w/ CSA installed on the hosts we have it on the network as well.

Comment removed

[account_deleted]

Comment removed based on user account deletion

you can get patches...

[xutopia]

here, here and here

Cumulative bug reporting conspiracy

[RealProgrammer]

Microsoft saves these up so that

1. Users only need to patch their boxes once.
2. Sysadmins only need to frantically patch all of their boxes once.
3. It looks better if there is one bunch of ten patches on one day than if there are ten announcements of one patch each on ten different days. A lot of these bugs were announced earlier, but the releases are all announced now.
4. Saves ink on /.

Re:Cumulative bug reporting conspiracy

[_Sprocket_]

5. Provides "value added" to "preferred customer" support contracts who get alerts and full details in advance.

Re:Cumulative bug reporting conspiracy

[skiman1979]

Users only need to patch their boxes once.

per week

Sysadmins only need to frantically patch all of their boxes once.

per week

Saves ink on /.

Save ink?

[sarcasm]Don't tell me you're one of those users who writes on the monitor.[/sarcasm]

Re:Cumulative bug reporting conspiracy

[RealProgrammer]

>Saves ink?

metaphor: n., a figure of speech in which an expression is used to refer to something that it does not literally denote in order to suggest a similarity

Unfortunately...

[jd]

...As the compiler isn't a "core component", it presumably wasn't compiled this way, and therefore may produce incorrect code, which implies that the buffer overruns may still be there.

A complex web of inter-depending systems is never going to be more trustable than the least trustable system in the web.

marketing strategy...

[pizza_milkshake]

why release the patches one-by-one when they can release an extra-value ten pack?

Re:Ten holes huh? This list may not be complete

[jd]

No, ten bulletins. Twenty two holes, most of which (according to ZDNet) are critical and the remainder are "important" (read: critical but Microsoft won't say so).

I give up

[danharan]

That does it. I'm switching to Linux- Ubuntu, *noppix- or even *BSD, anything but Windows.

Installing today's updates, it asked me if I wanted more information about a vulnerability- and proceeded to open a page with Internet Explorer. How many times do I have to tell the computer that Firefox is my default browser? Whose machine is this, anyway?

With SP2, XP has been annoyingly telling me I may not be protected (I run without anti-virus but am locked down regardless and still scan regularly- with no virus or reinstall in 2 years). In today's update, it keeps nagging me to reboot.

And why do I have to sign yet another goddamned EULA to install critical patches?

There isn't any windows only software I need anymore. OO.org, Firefox, Thunderbird... and now GAIM (which I've gotten used to at work, working on FC1). I'll miss some of the usability features of XP, but I just can't handle it anymore. So long, Windows!

mod parent up!

[xutopia]

actually, parent is my brother(that sentence sounds weird); I just want to make sure his comment is public so he has to carry through with it ;)

Re:mod parent up!

actually, parent is my brother

That's what you get for mucking around with time machines.

Readable version of this article

http://shit.slashdot.org/comments.pl?sid=125410

Correct reponse to Microsoft security holes

[crazyphilman]

When confronted with a new Microsoft security hole, which seems to one to have existed for a while, possibly leaving his entire organization at risk, one should never react with surprise or horror.

One must make a FRIEND of the horror.

Then, one can hear about the security issue, nod sagely with a wan smile, and whisper to the junior IT staff, "But of COURSE there is a hole. This is to be expected, young one. Run and patch, then we'll go to lunch."

Bonus points for leaning back in one's chair, folding one's hands across one's belly, and sighing loudly before addressing the novice.

Ahhh!

[Anonymous+Squonk]

Another blissfully ignorant day using OS/2 Warp!

i mostly agree...

[ecalkin]

but, there is poorly written software out there that 'requires' admin membership. so even if what you need are rights to a section of registry or file system, the program either checks for membership or tech support won't help unless it's set up their way.

these people should be boiled in oil.

eric

Re:i mostly agree...

[York+the+Mysterious]

That's what the whole compatibility security policy was for. It was kinda like making a normal user and power user / admin, but without all that admin horrribleness. You can build a custom policy and tweak registry access as well.

22 not 10 New Security Warnings

[allgood2]

Actually CNET News.com is reporting 22 not 10. That's quite the grouping.

Re:22 not 10 New Security Warnings

[allgood2]

Ughh...my bad 22 security flaws, only 10 security bulletins.

my /bin/sh is web-enabled too...

thanks to surfraw ;-)
http://freshmeat.net/projects/surfraw/

nope, not that way.

[twitter]

Are you saying this doesn't happen with Linux? You do realize where the term "rootkit" originated, yes?

Sorry, Bungi man, Linux browsers don't auto download and install as root browser help objects. They also don't give websites shell level access. Rootkits take more effort than that on Unix and Linux systems.

Re:nope, not that way.

[Foolhardy]

Linux browsers don't auto download and install as root browser help objects.

A Windows user can only install something as a root equivalent if the current user is already admin. The browser is not special. What is this 'auto download' that you speak of? How automatic is it; does the user have to agree to its installation via a dialog box?

They also don't give websites shell level access.

Konqueror is a web browser. It is integrated into a shell environment, KDE. I this case, the web browser is part of the shell, so it already gives websites access to parts of the shell.
Konqueror->KDE is the same relationship as Internet Explorer->Windows shell.

Rootkits take more effort than that on Unix and Linux systems.

Wait, you're saying that it's just as possible on unicies but it's harder? Just what makes it harder? Windows NT has at least all the local security features that a standard unix has: protected memory, a protected syscall interface, object security (like for files, processes, mutexes...), user logons, multiuser...

Re:nope, not that way.

[Tim+C]

What is this 'auto download' that you speak of?

Well, I believe that you can configure IE to always accept downloads from websites; that's not the default though, so you have to change it yourself to be so insecure. On the other hand, there have been a couple of exploits that have enabled sites to silently(?) install stuff without the user's knowledge. Of course, they've been patched, but this is /., where we harp on about things long after they've ceased to be the case.

Re:nope, not that way.

[The+Bungi]

Linux browsers don't auto download and install as root browser help objects.

Neither does IE - as long as you know what you're doing.

It's fairly obvious you have no idea what "root" or "browser help objects" are to begin with.

Windows Shell vulnerability

[MntlChaos]

Didn't Mozilla patch this a month ago? I remember reading something about the shell: protocol and URLs

Computer security is not protection

[gelfling]

Computer security is not protection it's the fear of penetration.

I think the original blurb goes...

"The nice thing about standards is that there are so many to choose from"

Stack/Buffer overflows

[jtshaw]

I'd really like to know how Windows handles process control blocks and such. Linux, as a last resort, has the stack grow into the PCB of the process. So if you do somehow cause a stack overflow you will blow away your own PCB and likely cause the process to get killed before anything truely nasty happens.

And water is wet

[OneFootIn]

Microsoft has released 10 "new" security bulletins, including one.... ZZZZZZZZZZZZZZzzzzzzzzzzzzzzzZZZZZZzzzz...

Thank Gawd for WinME

[HermanAB]

Most of these exploits don't apply to WindozeME.

It is amusing that the much maligned WinME nowadays work better and doesn't suffer from half the problems in XP - "The Most Secure Windows Ever".

Re:Thank Gawd for WinME

[DMNT]

Most of these exploits don't apply to WindozeME.

It is amusing that the much maligned WinME nowadays work better and doesn't suffer from half the problems in XP - "The Most Secure Windows Ever".

I think you meant to say "they don't publish exploits for Windows ME". Microsoft doesn't have will to search for the holes, the holes will come up anyway. ME isn't that widely used anymore, so black hat hackers don't write exploits to that and effectively MS never fixes bugs for ME alone.

I believe that worms for Linux don't exist for that reason too. Unpatched Linuxes are so rare compared to unpatched windows boxes and mr. B. H. Hacker wants as many compromised systems as possible.

Re:Thank Gawd for WinME

[MikeBabcock]

I actually prefer Windows 98 Second Edition myself, if I have to pick a version at all.

I run Linux exclusively at home.

scrapped

Windows should be scrapped and actually engineered next time. I'm really embarrassed for Bill Gates.

What about Win2k SP2?

[Windcatcher]

I wonder...I'm still running Win2k SP2 and none of the issues come up...MS's site says they only affect SP3 and SP4. Does it mean that they're assuming everyone has SP3/4 or that SP2 is safe from all this?

Re:What about Win2k SP2?

[Atrax]

W2k SP2 support has expired. that could have some bearing.

Not quite all versions...

What, you mean my Windows for Workgroups 3.11 is affected? Great. Now I have to upgrade to Windows 95 sooner than I had planned.

Ten Security Tips From Microsoft

[x] use Linux
[x] get a mac
[x] install firebird
[x] install thunderbird
[x] delete IE
[x] delete Outlook Express
[x] install Open Office
[x] install Zone Alarm
[x] install AVG Anti Virus
[x] unplug from internet when not actively online

PS - Have you ever noticed that the default selected option on the MS shutdown list is ...
[x] restart computer

Same if you upgrade from ME to Windows 3.1

Interesting, isn't it?

Why firewall? Because the world isn't perfect

[KWTm]

If I could summarize, you are saying that the desktop machine should be configured well and securely so that a firewall is not needed.

To answer your question, a firewall is for damage control when you don't know (or realize too late) that your machine is not perfectly configured. Some program has some vulnerability, or a trojan, or something. You are right --it SHOULD not be this way; but when it just IS, and the trojan starts spamming people or transmitting your private PGP keys onto IRC, the firewall is there to say, "Hey, waitaminnit, something weird is going on here."

A firewall is like a fireman. You hope that it doesn't have to do anything but sit there.

Re:Then patch it

So find the check in the software and NOP it out. After all, if people are expected to use regmon/filemon to determine the correct permissions (a common statement on /.) then why not patching software that has dumb checks for administrator? Microsoft offers windbg as a free download, so there is no excuse not to fix it.

Re:Insane: Mozilla As well

[losinggeneration]

I wonder if that bug was inherited from the old netscape codebase. Anyone know?

whats inside what?

[earthstar]

Is it bugs inside OS

OR

OS inside bugs?

I think the next windows version should be called
BUGHORN - Windows Inside.

NO CHARGE for BuG Update.CHARGE only for Win Update.

MS benefits from repeated security holes!

[ryanwarren]

this is my first post, hello all. /. is great! I think that some users actually enjoy downloading the updates. Sure , MS has new vunerabilities every week it seems, but thats become a standard now, and I think that MS could use it to their advantage. You think the scene with MS could be worse? Hell yes... MS could have all their customers lives constantly put on halt, except on fridays when MS releases an update that will only last for 1 day before another hole is found... Here is the way it actually is... If you get the majority of MS users to download a patch for some security hole, that never affected them in the first place, then they feel cared for and protected. The rate at which MS releases patches, vs the rate at which people's lives grind to a halt because of the holes, is in favour of releasing. And just food for thought, some marketing strategies done during heavy war times, are products that 'enhance' your life, make it more 'efficient', and protect you. So maybe while you consume updates you 'battle ready your PC'! Post your thoughts!

.NET faster than

Copied this from the eula... Hope i'm not violating the eula by doing that...

* You may not disclose the results of any benchmark test of the .NET Framework component of the OS Components to any third party without Microsoft's prior written approval.

Does this change to the eula fix some vulnerability?

XP Roulette lost: Office XP requires a new EULA

This batch of patches includes one for Office XP. After installing I now find that all Office XP applications pop up a window requiring me to accept an obnoxious EULA; if you decline the application closes. So far I can't find a way to uninstall, I may have to roll back the whole machine to get Office functioning again without accepting this. Be warned.

Re:XP Roulette lost: Office XP requires a new EULA

[suckmysav]

What exactly is so obnoxious about this particular EULA? What makes it more obnoxious than any other Microsoft EULA? They all pretty much suck, so what's so different about this one?

Some of them are known since March

[kmike]

If you look at the dates of CVE advisories, you'll see this:
Assigned (20040311)
Assigned (20040615)
Assigned (20040908)
Assigned (20040722)
...
Here you go, 7 months to fix shell vulnerability. They certainly took their time!

Another bug in an update?

[thisid]

As some of you may or may not know (not that it matters) I work support for a major OEM that ships systems with... you guessed it, Windows. It looks like one of these updates just might have a problem. We've seen a few XP users call tonight with an issue stemming from "Update 1 of 3." This is the last update that installs before the system reboots and starts coming back up to a screen that says the system needs to reboot. Anybody else having issues with this? I managed to fix one with Last Known Good Config but I'd still like to know which one caused it.

Re:Another bug in an update?

[langles]

From personal experience, the continuous reboot problem also affects Windows 2000, that is, my gaming machine.

Microsoft better have a good fix for this!

Re:Another bug in an update?

[mohearn]

I'm having a problem with update 840987 causing some of my desktops to bluescreen with a Kernel exception 0000007f (00000008,00000000,00000000,00000000) Consistent on three desktops (Dell Optiplex 150), but no problems on my servers, some other desktops.

As Nelson would say...

[GrahamCox]

Ha ha!

(Nelson uses a Mac).

Re:Then patch it

It's also a common statement of the Open Source (tn) community that anyone should go into the source code and fix whatever probems or add waht ever featrues yourself instead of complaining. Thanks for the double standard, zealots!

Sorry abuut my spealing and/or grammer: engrish is' me first langauge.

Not as bad as i sounds

[Lazy+T]

If you are running Windows XP SP2 there are only one patch you need to install. And in that patch there are only two security cavets that affect XP SP2.
Drag and Drop Vulnerability - CAN-2004-0839 Which is very hard to exploit.
Plug-in Navigation Address Bar Spoofing Vulnerability - CAN-2004-0843 Which is the most critical one but still hard to exploit in a useful way.

Now if you are running Windows 2000 you need to get your ass over to Windows Update right now.. :)

MS PR Tactic?

[Jackie_Chan_Fan]

This could be a great pr tactic. Release 10 new security problems that effect all windows/ie except the new spiffy XP SP2 :)

Tricky marketing? or just real evidence that MS has done something right?

who knows.

But i'm sure someone at MS will spin this.

on the down

[Exter-C]

On the down side this will just make more windows users with modem connections unable to download and fix thier systems due to the enormous time taken to complete the downloads. For example Downloading from windows update on a 33.6 from south africa is like walking across broken glass with bare feat and it raining vinegar.

On the plus side at least microsoft are now patching thier operating systems and the push forward in security is obviously occuring.

Does microsoft release thier updates on CD free? that would be a plus.

But seriously

Anybody got anything to say about the effectiveness and side-effects of running the patches? All i see is a bunch of whining, defending, gloating and cracking of jokes...

Twitter: Life and times of a petulant cock-gobbler

Twitter, you're a petulant cock-gobbling sycophant to Linux Torvaldyos! Quit taking DP from ESR's and RMS's feculent cocks and why don't you try to stop sucking quite so much? Get out of your parents' basement and see the real world - maybe then you'll see how pathetic you sound, with your neverending stream of bullshit about how Microsoft is stalking you. Wasn't it you who said that Microsoft believes your insane ranting is actually a threat to them, so they PAY PEOPLE to reply to you on Slashdot? No sir, I don't get any money. I do it for the love. Someone has to go up against your paranoid whining. So get back in your cage and shut the fuck up already.

a zip vulnerability !?!?

[mennucc1]

the funniest part is that most brands of the antivirus sw that is installed in mail server would consider .zip attachment to be safe, and would mail me in disdain when I send .exe attachments, asking for it to be encapsulated in a zip; next time I will reply them with a .zip that exploits WInXP to its a**

Browser wars 2 ed?

Am I the only one seeing more and more issues with firefox with every new MS patch...

Re:Browser wars 2 ed?

[Firehawke]

What kind of problems?

Re:Browser wars 2 ed?

[ryanwarren]

interesting... someone should keep track of how many bugs are in Firefox on non-updated win machines vs updated ones.

Comment removed

[account_deleted]

Comment removed based on user account deletion

All bugs have shells.....

[hughk]

they are called exoskeletons.

NT4?

[hughk]

I am a consulting gig at a bank. We have some hardware provided for office work that is pretty old so we keep running NT 4 on it. Not XP, not even 2000. Heck, our version of office is Office 97.

Not everyone can always afford to deploy the latest software and hardware on every system. However, if I installed say Fedora Core 2, which I run myself , I can easily tune it down to run on older systems.

Re:Then patch it

[conteXXt]

Actually, I think parent DIDN'T say go to the SOURCE.

He said do the difficult and modify the COMPILED BINARY to skip the check.

Source would be much easier (and we would do it for you to boot).

Hmmmm not like the DirectTV thingy?

[ZX81]

Doesn't this bear just a slight resemblence to the DirectTV mods that came down. Do you reckon they're going to make all the pirated Windows versions die? :-)

Why not

[olderchurch]

use OpenBSD?

From their main page:
Only one remote hole in the default install, in more than 8 years!

.Net security nightmare

.Net and windoze just sucks with holes and bugs.

Moderators!?!?

[shaka]

Wait a second...

The great grandparent of this post writes something that either has got to be meant as a joke, or is just plain Stupid:

"It would actually mean that Microsoft built the SP2 updates with a new compiler that basically eliminates any possibility of buffer overflows."

He gets 5: Interesting (which means that at least three people have been sitting in front of their monitor, thinking, "Duuude! Uh, yeah, maybe M$ has some secret supercompiler that removes all bugs. DUUDE!").

The parent writes something that's actually a quote straight from MS changelog for SP2:

""core Windows components have been recompiled with the most recent version of our compiler technology, which provides added protection against buffer overruns."

And get modded 5: Funny!? I mean, all right, not everybody on here is a developer but please, a reality check might be in order!

a sig-only post!

[Perdition]

To think, for once, my sig IS my comment!

Install windoze/.Not security fix here

http://www.mandrakelinux.com/en/ftp.php3

Download ISO make cds

Format harddrive and install linux

Download JDK from java.sun.com
install eclipse from eclipse.org

Re:Ten holes huh? This list may not be complete

[N3Z]

passed on back on the 7th. MS seems to have passed on it too.

If it had been October 7th 2003, MS would have included it.

NOTE TO MODERATORS:

[balster+neb]

Do not mod a post as +1 Informative automatically if it links to a news site or wikipedia. Try actually clicking the link. The above post was meant to be funny.

You don't say!

[goldspider]

"...a well patched Linux system is almost certainly better than an unpatched Windows system."

You win today's "No Shit!" award.

But what about a patched Windows system vs. and unpatched Linux system?

Another day....

[jonathanduty]

Another day another windows vulnerability. Looks like there are now 4 constants in life:

1) sun will rise in the East and set in the West
2) You will have to pay your taxes, one way or another
3) One day you will die.
4) there will always be another windows vulnerability

Hate to break it to you...

But your brother's a chump.

Still, I'm sure you're aware of this by now :)

It is not the users fault

[codepunk]

It is not the users fault his machine is infected with this stuff. Hell I watched a admin with a sp2 machine hit a web site yesterday with IE and the web site tried uploading some malicious code. It infected his machine and crashed it. Now tell me how on earth that it is his fault that IE allowed this to happen. Oh I know you are going to tell me he is visiting the wrong web sites right?

Re:It is not the users fault

[Foolhardy]

Which site was this? Post it. I have a hard time believing that the operating system crashed. IE is just another user mode program; it can't do anything special to crash the system.

Oh I know you are going to tell me he is visiting the wrong web sites right?

I won't tell you that. If you are right, then you have an excelent example of IE sucking. You should be able to view any websites without this happening.

What?

[Barlo_Mung_42]

The compiler isn't a component in the end user system at all. It is the software used to build the system. A buffer overrun almost always causes the app to crash so it is safe to assume that the build system at MS does not have an overrun.
So I have no idea what you are talking about and suspect that neither do you.

How exactly is this news?

[gillbates]

We need another category on /.: YAME - Yet Another Microsoft Exploit.

Posting stories about security holes in Microsoft products is about as exciting as watching paint dry, or as newsworthy as articles proclaiming, "Water is wet!", or "Ice is cold"...

It's not news for nerds - most of us stopped using these obsolete systems years ago. And yes, I understand Windows users do need to be concerned about these things, but it's still not news. This is business as usual for Microsoft.

Windows and Security holes are like Linux and vi: Yes, you can find systems without them, but they're the exception, rather than the rule.

And yet, I'm almost driven to tears when I hear people naively tell me that their Windows system is secure because they've downloaded the latest patches. Was it that this most recent exploit didn't exist a year ago? Or - could it be - that only crackers knew about it until now? Does patching today protect you from the exploit discovered tomorrow? Didn't it ever occur to people that undiscovered exploits might exist in the Microsoft patches? And if the company didn't do it right the first time, what makes you think they'll do it right this time?

I've seen six generations of Microsoft Windows, and not one of them delivered on the promises Microsoft made. Having watched Microsoft since the release of Windows 95, I've learned that constant security problems are a staple of the Windows experience. If you've been using computers for more than a year and haven't gotten a virus, seen your system crash, or had your machine zombied, then you aren't running Windows. It's that simple folks. Problems are an endemic part of the Windows experience.

A professor once said to me, "We use operating systems for what they're good at, not for what they're bad at..." He was referring to the decision to use Linux as a file and print server while maintaining Windows NT servers for other tasks.

• If you run Linux, don't bemoan the difficulty of setup, difficulty of use, or lack of multimedia support. Linux was designed to be secure and reliable, not glitzy. Don't complain that your favorite game doesn't run on it.
• If you run Windows, don't bemoan crashes and viruses and security exploits. Windows was designed for multimedia, not security or reliability. Don't complain when you get rooted; that's the price you pay for being able to run the latest games.

sp5 for w2k please!!!!!!

[ManyLostPackets]

This makes about 50 post sp4 patches. Takes about 75 megs of space.

Formula Solved!!!

[stryc9]

1.) Create service pack with bundled fixes for vulnerabilities you already know about
2.) Release fixes for those know vulns for lower service packs afterwords. Make sure to mention new service pack is not affected.
3.) SP2 r0x0rz!!! MS Rul3z!! Trusted Computing fo life!!

Whats Good About Windows

[lifespan]

Out of the box as a desktop OS :

• thumbnail view within image folders surprising how much I miss this one
• listings of music folders with properties from the id3 tages displayed in columns
• cd burning integrated into explorer (no 3rd party tool needed)
• clean and easily readable fonts
• consistent GUI's with meaningful icons
• very few dependency problems when installing software
• excellent hardware support built in and from manufacturers websites
• can run Mailwasher i miss u mailwasher
• can play MP3 without downloading codecs
• security holes big enough to drive a truck through
• meals required during installation process
• worms, viruses, macros, exploits.....
• lightens your wallett considerably
• constant nagging and micromanagement of my surfing habits and hardware setup

Windows has enough "features" to make it quite handy for the beginner to intermediate user. I agree that without the advantage of familiarity, a newuser learning Windows will find it just as hard as learning GUI Linux use. This is exactly what I found when teaching my Mum. Plus her friends aren't confident to go poking around in Linux, meddling-related breakdowns reduced massively..... now that is a REAL advantage!

Bad PGP signatures on MS Bulletins

Some of the recent MS Security Bulletins have been PGP signed, but the signatures do not verify. This is pathetic.

-merv.