Ten Security Bulletins From Microsoft
wschalle writes "Microsoft has released 10 "new" security bulletins, including one pertaining to a vulnerability in the Windows Shell, apparently exploitable via the web. The shell vulnerability only allows code execution as the user viewing the malicious web site. Aren't you glad your shell is web-enabled? The recent GDI+ vulnerability is re-released here as well as a vulnerability in zip compression handling."
....Win2k patched fine. Another Tuesday Patch roulette over with....
I was just about to write a pro MS defence post to stave off the oncoming attack. I just re-read the article. I quit.
So if your user has admin rights (as all at my site do b/c our toolset requires it) then you're screwed if they go to a mal-site. . . . Great.
-nB
Thank you microsoft for vulnerabilities that can take advantage of the so-far-assumed-to-be-safe data files like jpgs and zip files
txt file vulnerability anyone!?!
Ok, Now is a really web enabled experience! :)
The recent GDI+ vulnerability
Good thing I chose to join NOD.
/rimshot
It's nice to know that they have made security such a high priority. Hopefully their next high priority will be 'doing something about it'.
Man, I seriously need to learn Linux asap. If not because of all the super holes found lately, then for the fact that Microsoft doesn't seem to care too much about the user base.
I can think of a more comprehensive bulletin:
1. Internet Explorer (All versions)
2. Microsoft Office (All versions)
3. Microsoft Windows OS (All versions)
Links or Lynx are both programs that can be called from a Linux Shell. (Command Line Interface)
Bad Troll, no Internet Cookies for you!
links or lynx are programs; they are not integrated into the shell. I don't think you understand what a shell is.
Just in case anyone is wondering, SP2 is not affected by any of these vulnerabilities, except for MS04-038. That's the fix for the "drag-and-drop" vulnerability that everyone's been crowing about.
Please select your argument here:
[ ] MS has these security exploits because it is the biggest OS
[ ] MS is a steaming pile when it comes to security
[ ] MS is working on fixing these things, and is doing the responsible thing.
[ ] 1337! I can't wait to #4x0r!
There are a number of user-friendly configuration tools for iptables. FireStarter is the first one that comes to mind, though there are others.
Wow now these are guys I can trust!
Are Windows 98, Windows 98 Second Edition, or Windows Millennium Edition critically affected by any of the vulnerabilities that are addressed in this security bulletin?
No. None of these vulnerabilities are critical in severity on Windows 98, on Windows 98 Second Edition, or on Windows Millennium Edition. For more information about severity ratings, visit the following Web site.
Don't sweat it, a remotely exploitable shell is not critical!
Got Code?
That is enough for me and my small company. I am using Open Office and Mozilla full time now. Adios Bill.
I must wonder...does this have to do with another story?
The newest version of XP is the safest and most secure version yet. Try counting how many of those bulletins have to do with SP2.
and (on my page) a microsoft windows server 2003 advertisement right below this article.
beautiful. fucking beautiful.
I don't know about the status of these apps now.
But the last I remember, RH8 had a point and click config applet that's a front-end for iptables.
you want flexibility+power?!? spend an hour reading some good doc about iptables and save days that you might be wasting pointing and clicking else where.
On my system, all new incoming connections (except for ssh from a few servers) are blocked and all outgoing connections are allowed. Am damn sure google can get you tons of simple scripts for a minimal config. You definitely can't feel good with the same configuration in windows as you wouldn't know what god-awful-thing would be trying to call back home.
Ok! You set your point n click firewall to ask you as to what to do with an outgoing connection and you can keep getting irritated all through the day by those 'Do you want to accept the outgoing connection to A.B.C.D by the application XYZ?' dialogs
Not that you can't have spy/malware in linux and everything is safe, but the situation hasn't got to such a stage yet and hopefully would never get to
"With linux, well...tried to configure IPtables lately? I have, and that made me switch back to windows!"
Hmmm
Is that a gap in the market I spot? Is there a need for an Iptables for dummies guide ;-?
Alternatively one could just get the following book: http://www.amazon.com/exec/obidos/tg/detail/-/0596005695/qid=1097623820/sr=8-1/ref=pd_ka_1/103-3075969-1611012?v=glance&s=books&n=507846
Seriously, I hope that Microsoft gets their act together before too long.
I'm a little worried about the possibility of a "final" windows exploit that quickly and without warning kills every MS box it touches.
All these vulnerabilities are a bit disheartening.
Either Microsoft is really combing over their programs for errors or they are in trouble
Kind of makes me happy that I only rely on free/open source programs
"The best thing about Microsoft bugs is that there are so many to chose from..."
The shell vulnerability only allows code execution as the user viewing the malicious web site.
On most XP installations, the only user is "Administrator".
Aren't you glad you need admin privileges for day-to-day operations on too many windows boxes?
Aren't you glad that even if you can get by without admin privileges, you can still completely hose your own files just be visiting the wrong website? Aren't you glad the only files that you can infect are the only files that you really care about?
You bet I'm glad my shell is web-enabled! After all, this Windows box belongs to my employer ... its his time that will be wasted.
or you could just use any frontend, like:
http://www.e3.com.au/firewall/index.php
Only one vulnerability affects SP2. In fact, XP SP2 (desktop OS, you know) had fewer vulnerabilities than Win2k3/XP SP1, which shows the huge progress made in SP2. I don't know how to take this..."good" because SP2 is good, or "bad" because the server OS is more insecure than the desktop OS. In any case, they're porting the work they did in SP2 to Win 2003, so we'll see. They've raised the bar with SP2, IMHO.
Why are there more big announcements about MS patches?
Because MS is the dominant OS, and many Slashdot readers need to know about these things.
There have been Slashdot articles on Linux bugs, but fewer. Why? Maybe because there are fewer critical bugs. Why? Market share.
Not everything is anti-MS. Some of it is just reality.
desiv
People like myself that use LiteStep for a shell under Win32 don't have to deal with the memory overhead of a web-enabled shell, or these web-based exploits.
It's pretty cool and it's open source and stable (unlike Windows sometimes) and has a decent-size user base, even though most of the themes are pretty worthless. (Then again, for any themable program, aren't the bulk of the themes crap?)
Anyhow, people that are stuck using Windows like I am (Lycoris' Tablet PC version of Linux is next to featureless) should give it a try, if nothing else but as a preventative measure against future bugs like this.
With the exception of a proof of concept GDI+ exploit posted to USENET, none of these vulnerabilities are known to be exploited.
The shell and compressed folder vulns require user interaction, just like 99% of all other "worms". As long as your mail application is patched you can't get hooked via email and if you visit "malicious websites" with anything other than Lynx you probably should be shot anyway. Ditto for a decent firewall.
On the other hand, I wonder why things like these for some reason never get posted.
Has anyone else noticed how everything is now classified as remote? For the zip one you have to download the file and then attempt to unzip it. THAT'S NOT REMOTE. You downloaded it and then got exploited. It's running in local context! It's local! Remote, for example, would be the NNTP one, where a remote user directly exploits you without any user interaction.
I extend this classification to the GDI vulns. They are downloaded and then rendered by Windows. Why should it matter that it's not an executable file? From a third-party perspective it looks the exact same as someone downloading and running a trojan. It shouldn't matter how clever they are in hiding the execution or downloading of the file; if it runs in local context it's LOCAL.
Fuck i'm so tired of seeing remote vul tacked on to everything.
Cmd.exe is the command line shell. The Windows shell is explorer.exe (which now has IE built in, or something like, as of Windows 98 you can surf the web from the "My Computer" Icon). Explorer has been the Windows shell since Windows 95. Before Windows 95 it used to be progman.exe (the Program Manager).
For a presumably pro-Windows post, I wonder why you choose to be an Anonymous Coward, especially when your product is so loved by everyone. :)
Updates were unable to be successfully installed
.NET Framework 1.1 Service Pack 1
The following updates were not installed:
Microsoft
Cumulative Security Update for Internet Explorer for Windows XP Service Pack 2 (KB834707)
[Configure automatic updates] [Tough shit]
Thanks, Microsoft! What the hell am I supposed to do now! Oh well, this particular machine hasn't been installed for almost 1 year, it's about time I reset the cruft factor...
Are you saying this doesn't happen with Linux? You do realize where the term "rootkit" originated, yes?
That's what I get for having faith in you, Microsoft!
We should all be nice to Microsoft because they would never bug their competitors' hotel rooms, perjure themselves in court, open their source code to China while claiming in court that opening it would damage national security, sabotage their competitors' applications by changing their API's, or promise delivery dates that they know they cannot meet in order to starve their competition. Everyone knows Linus does that kind of stuff all the time.
That does it. I'm switching to Linux- Ubuntu, *noppix- or even *BSD, anything but Windows.
Installing today's updates, it asked me if I wanted more information about a vulnerability- and proceeded to open a page with Internet Explorer. How many times do I have to tell the computer that Firefox is my default browser? Whose machine is this, anyway?
With SP2, XP has been annoyingly telling me I may not be protected (I run without anti-virus but am locked down regardless and still scan regularly- with no virus or reinstall in 2 years). In today's update, it keeps nagging me to reboot.
And why do I have to sign yet another goddamned EULA to install critical patches?
There isn't any windows only software I need anymore. OO.org, Firefox, Thunderbird... and now GAIM (which I've gotten used to at work, working on FC1). I'll miss some of the usability features of XP, but I just can't handle it anymore. So long, Windows!
actually, parent is my brother(that sentence sounds weird); I just want to make sure his comment is public so he has to carry through with it ;)
Why run a firewall at all?
If you are directly connected to the net, then this is a standalone machine, and does not need to have any sockets open, except that which is supposed to be used on the net. Turn off unnecessary services, or switch them to local mode only. AFAIK, there are no vulnerabilities for closed ports.
If you have a LAN, then there is something that separates the LAN from the internet. This should not be your desktop machine.
If you have two machines separately on the net, then you should use ssh tunnels between them. That is more secure than firewalls anyway.
Outgoing connections? May I ask why are you running spyware?
Filtering ICMP? Why would you want to break network standards again. It is because of you the net is a pain to use. I like getting messages that my connection failed instead of waiting for 60 seconds.
People firewall for a simple reason: to have open services inside the network, and not outside. At this point you should be capable enough to either do it yourself, or have a complete solution (although NAT is not a firewall, it behaves as one)
As far as I am concerned there should be no need to run any firewalls on the desktop. In fact it is a sign of poor management, or a patch to a bigger problem (not trusting your own computer).
Is there something I am missing?
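Added example, not from this thread or any of its posters: the post above says a standalone box needs no firewall as long as nothing unnecessary is listening. The check a practitioner wants before trusting that is a list of what actually is listening, taken from the kernel's own /proc/net/tcp table rather than from netstat/ss (either of which a rootkit can replace). Each row of that table carries a hex, little-endian local address:port and a hex state field, where 0A is LISTEN. The sample table in the script is constructed for the demo; /proc/net/tcp6 has the same layout with 32-hex-digit addresses and is left out here.

```shell
# Added example (not the thread's code). POSIX sh; needs only cut, tail, mktemp.

# Convert the 8-hex-digit little-endian address the kernel prints ("0100007F")
# to a dotted quad ("127.0.0.1"): bytes are stored least-significant first.
hex_to_ip() {
  h=$1
  printf '%d.%d.%d.%d' \
    "0x$(printf '%s' "$h" | cut -c7-8)" \
    "0x$(printf '%s' "$h" | cut -c5-6)" \
    "0x$(printf '%s' "$h" | cut -c3-4)" \
    "0x$(printf '%s' "$h" | cut -c1-2)"
}

# Print "ip port" for every IPv4 TCP socket in LISTEN state found in the given
# table file (default: the live /proc/net/tcp). Fields after the header are:
#   sl local_address rem_address st ...
listening_tcp4() {
  tail -n +2 "${1:-/proc/net/tcp}" | while read -r _sl local _rem st _rest; do
    [ "$st" = "0A" ] || continue
    addr=${local%%:*}
    port=$(printf '%d' "0x${local##*:}")
    printf '%s %d\n' "$(hex_to_ip "$addr")" "$port"
  done
}

# Constructed sample table: CUPS bound to loopback (0x0277 = 631), sshd on all
# interfaces (0x0016 = 22), and one ESTABLISHED (st 01) outbound HTTPS
# connection that must not be reported as listening.
sample_tcp_table() {
  cat <<'EOF'
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12346 1 0000000000000000 100 0 0 10 0
   2: 0A00020F:A3C4 5DB8D822:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 12347 1 0000000000000000 20 4 30 10 -1
EOF
}

# Run the audit over the constructed sample; call listening_tcp4 with no
# argument to audit the machine you are on.
audit_sample() {
  tmp=$(mktemp)
  sample_tcp_table > "$tmp"
  listening_tcp4 "$tmp"
  rm -f "$tmp"
}

audit_sample
```

Anything the audit reports on 0.0.0.0 (or a non-loopback address) is reachable from the network and is exactly the surface the "no firewall needed" argument depends on being empty; a service bound only to 127.0.0.1 is the "local mode only" case the post mentions.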
When confronted with a new Microsoft security hole, which seems to one to have existed for a while, possibly leaving his entire organization at risk, one should never react with surprise or horror.
One must make a FRIEND of the horror.
Then, one can hear about the security issue, nod sagely with a wan smile, and whisper to the junior IT staff, "But of COURSE there is a hole. This is to be expected, young one. Run and patch, then we'll go to lunch."
Bonus points for leaning back in one's chair, folding one's hands across one's belly, and sighing loudly before addressing the novice.
Farewell! It's been a fine buncha years!
Actually CNET News.com is reporting 22 not 10. That's quite the grouping.
It is amusing that the much maligned WinME nowadays works better and doesn't suffer from half the problems in XP - "The Most Secure Windows Ever".
Oh well, what the hell...
Well, that's a tautology: if they're vulnerable, they're vulnerable. The point is that vulnerabilities are more likely, and more likely to be serious, in a web enabled shell than a plain web browser.
You see, "web enabled shell" means that the same piece of software is both your web browser and your application launcher. That makes it much easier for a flaw to cross over between the two uses, i.e. a flaw on the browsing side causing a (malicious) application to be launched.
Web enabled shells are a bad a idea because they combine two things that don't need to be combined in a way that creates a lot of risk. Browsers and shells work just fine when they're separate, for example Lynx and Bash.
As far as I know, no such thing exists. If it did, it would get a lot of sarcastic comments, and for a similar reason: PHP is run on the server side because that's where it belongs. As a result, it's very unlikely that even a serious PHP vulnerability will affect data that is stored on your desktop. Putting PHP in the browser would be risky, which is probably why it hasn't been done (as far as I know).
It's more like, "Aren't you glad your lawn mower is toilet enabled?" You should have them both, but not as an integrated unit.
Currently none of those Windows boxes, all 100 in my organization, are connected directly through the firewall. With anti-virus, intrusion detection and intrusion prevention, and a desktop intrusion prevention device there is no big panic in a new patch. All 100 of those PCs will check into the SUS server, grab and install the updates. If I had 1,000 PCs I'd set up a more powerful software management system; off the top of my head Altiris would do a great job.
If I could summarize, you are saying that the desktop machine should be configured well and securely so that a firewall is not needed.
To answer your question, a firewall is for damage control when you don't know (or realize too late) that your machine is not perfectly configured. Some program has some vulnerability, or a trojan, or something. You are right --it SHOULD not be this way; but when it just IS, and the trojan starts spamming people or transmitting your private PGP keys onto IRC, the firewall is there to say, "Hey, waitaminnit, something weird is going on here."
A firewall is like a fireman. You hope that it doesn't have to do anything but sit there.
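Added example, not from this thread or any of its posters. Two posts above describe the same host firewall from two angles: the earlier iptables post ("all new incoming connections, except for ssh from a few servers, are blocked and all outgoing connections are allowed") and this reply's point that the firewall's real job is damage control, noticing when something unexpected calls out. The script below writes that policy in iptables-restore format so it can be inspected and tested before it is loaded, and adds rate-limited LOG rules for both dropped inbound traffic and new outbound connections. The admin host addresses are constructed (TEST-NET-1); the conntrack match is the current spelling of the older "-m state --state".

```shell
# Added example (not the thread's code). POSIX sh; "sh fw.sh" prints the ruleset,
# "sh fw.sh apply" loads it with iptables-restore (root required).
SSH_ADMIN_HOSTS="192.0.2.10 192.0.2.11"   # constructed example hosts

build_rules() {
  printf '%s\n' '*filter'
  # Default policies: inbound and forwarded traffic is dropped unless a rule
  # below accepts it; outbound is allowed, as in the thread's configuration.
  printf '%s\n' ':INPUT DROP [0:0]'
  printf '%s\n' ':FORWARD DROP [0:0]'
  printf '%s\n' ':OUTPUT ACCEPT [0:0]'
  printf '%s\n' '-A INPUT -i lo -j ACCEPT'
  printf '%s\n' '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
  # Keep the ICMP errors the stack relies on, so failed connections fail fast
  # instead of timing out; rate-limit echo requests rather than dropping them.
  printf '%s\n' '-A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT'
  printf '%s\n' '-A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT'
  printf '%s\n' '-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/second -j ACCEPT'
  # New SSH connections only from the listed admin hosts.
  for h in $SSH_ADMIN_HOSTS; do
    printf '%s\n' "-A INPUT -p tcp -s $h --dport 22 -m conntrack --ctstate NEW -j ACCEPT"
  done
  # Damage control: log (rate-limited) what the INPUT policy is about to drop,
  # and log every NEW outbound connection so an unexpected call-home shows up
  # in syslog even though it is allowed through.
  printf '%s\n' '-A INPUT -m limit --limit 10/minute -j LOG --log-prefix "fw-drop-in: "'
  printf '%s\n' '-A OUTPUT -m conntrack --ctstate NEW -m limit --limit 20/minute -j LOG --log-prefix "fw-new-out: "'
  printf '%s\n' 'COMMIT'
}

# Number of SSH allow rules generated; must equal the number of admin hosts.
count_ssh_rules() { build_rules | grep -c -- '--dport 22'; }

# Load the whole table atomically; nothing changes if the file fails to parse.
apply_rules() { build_rules | iptables-restore; }

case "${1:-print}" in
  apply) apply_rules ;;
  *) build_rules ;;
esac
```

Generating the table and loading it with iptables-restore, rather than running iptables commands one at a time, is what protects against the "quit halfway through creating a rule" mistake described later in the thread: either the complete ruleset is installed or the old one stays in place.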
this is my first post, hello all. /. is great!
I think that some users actually enjoy downloading the updates. Sure, MS has new vulnerabilities every week it seems, but that's become a standard now, and I think that MS could use it to their advantage.
You think the scene with MS could be worse? Hell yes... MS could have all their customers lives constantly put on halt, except on fridays when MS releases an update that will only last for 1 day before another hole is found...
Here is the way it actually is...
If you get the majority of MS users to download a patch for some security hole, that never affected them in the first place, then they feel cared for and protected.
The rate at which MS releases patches, vs the rate at which people's lives grind to a halt because of the holes, is in favour of releasing.
And just food for thought, some marketing strategies done during heavy war times, are products that 'enhance' your life, make it more 'efficient', and protect you. So maybe while you consume updates you 'battle ready your PC'!
Post your thoughts!
This could be a great PR tactic. Release 10 new security problems that affect all Windows/IE except the new spiffy XP SP2 :)
Tricky marketing? or just real evidence that MS has done something right?
who knows.
But i'm sure someone at MS will spin this.
they are called exoskeletons.
1. Security in depth. Multilayered security = A Good Thing. ...and they're not on port 80...!
2. True, there shouldn't be ports we don't know about on user's PC's, but how about when they pop one open without knowing? They can't download or receive numerous file types & their peripherals are disabled, but users will be users. I've seen programs installed that install telnet or tftp servers. A decent personal firewall setup will alert the user *and* log that alert to a central console.
3. Mistakes happen. A nameless colleague quit-out halfway through creating a firewall rule. The default action is to create the rule regardless, so for 20 minutes a bunch of workstations were waaaay more accessible than they should be. Worms were spotted.
4. It's disastrous to think "We've got a firewall, ergo we're secure" (see above). Common example: User sits in internet cafe with laptop, some floppies, usb devices & cd rom. Effectively spreads legs & asks the world to infect him. Next day, brings laptop back & jacks into the LAN. My sturdy firewall is now worth jack. Personal firewalls all round, please.
5. And yes, I do filter ICMP. I'm sorry that you have to wait 60 seconds for your pings or whatever to fail, but I have to ask why were you scanning my LAN? You want me to turn on file&printer sharing too, so you can see what else is going on? It's my LAN, & within it I'll do whatever I can to keep it secure. Guess what - I run some web services....
As far I'm concerned there are valid reasons to run personal firewalls on the desktop.
Hand-in-hand with user education, security policies, patch management and effective anti-virus solutions they provide a robust & proven security benefit.
You're damn right I don't trust my computer. And I won't do until I control all access in and out, and it tells me when something tries to except those rules. Oh, wait! It does. It's my personal firewall.
There're some services (like the RPC server) which can't be switched off if you want to run Windows
The compiler isn't a component in the end user system at all. It is the software used to build the system. A buffer overrun almost always causes the app to crash so it is safe to assume that the build system at MS does not have an overrun.
So I have no idea what you are talking about and suspect that neither do you.