Slashdot Mirror

← Back to Stories (view on slashdot.org)

Ten Security Bulletins From Microsoft

Posted by michael on from the making-america-safer dept.

wschalle writes "Microsoft has released 10 "new" security bulletins, including one pertaining to a vulnerability in the Windows Shell, apparently exploitable via the web. The shell vulnerability only allows code execution as the user viewing the malicious web site. Aren't you glad your shell is web-enabled? The recent GDI+ vulnerability is re-released here as well as a vulnerability in zip compression handling."

43 of 392 comments (clear)

  1. My by Rick+Zeman · · Score: 5, Funny

    ....Win2k patched fine. Another Tuesday Patch roulette over with....

    1. Re:My by ADRA · · Score: 4, Insightful

      Wouldn't that imply that they knew about this problem way before Service Pack 2, and their just now getting around to rolling those patches into previous releases?

      --
      Bye!
    2. Re:My by pbranes · · Score: 4, Insightful

      Not really. It implies that Microsoft changed the security in IE so that it would be much less likely to be vulnerable to certain types of situations. An analagous example is adding the No Execute (NX) code to hardware and software. It doesn't prevent coding mistakes, but it does prevent many ways of exploiting coding mistakes.

    3. Re:My by jerw134 · · Score: 5, Interesting

      It would actually mean that Microsoft built the SP2 updates with a new compiler that basically eliminates any possibility of buffer overflows.

    4. Re:My by jerw134 · · Score: 5, Funny

      Directly from Microsoft: "core Windows components have been recompiled with the most recent version of our compiler technology, which provides added protection against buffer overruns."

      Source

    5. Re:My by sploo22 · · Score: 4, Informative

      Why not? GCC has had it since 2001.

      --
      Karma: Segmentation fault (tried to dereference a null post)
    6. Re:My by tc · · Score: 4, Informative

      It doesn't eliminate all cases, of course, but the /GS compiler flag for Visual C++ does eliminate many of them. In essence, it checks if the return address has been trashed, and throws an exception if it has. Your app still crashes, but that's probably better than being 0wn3d.

      Yes, it is possible to circumvent, and there are of course other kinds of attacks/bugs which this doesn't help with. Nor is it a substitute for actually fixing those buffer overflow problems. However, all that said, it's still a good extra level of defense that does improve the security of the system and apps by substantially mitigating a large class of potential bugs.

  2. I give up by darth_MALL · · Score: 5, Funny

    I was just about to write a pro MS defence post to stave off the oncoming attack. I just re-read the article. I quit.

    1. Re:I give up by Hatta · · Score: 4, Funny

      I'm a little confused. Windows has a shell?

      --
      Give me Classic Slashdot or give me death!
    2. Re:I give up by Keeper · · Score: 4, Informative

      How many times do I have to tell the computer that Firefox is my default browser?

      Once, if Firefox is registered as the default browser correctly. My machine gets it right, why doesn't yours?

      With SP2, XP has been annoyingly telling me I may not be protected (I run without anti-virus but am locked down regardless and still scan regularly- with no virus or reinstall in 2 years).

      Two options:
      1) Update your AV software to a version that tells the security center when it is up to date.
      2) Select the "I will manage my AV software myself" option, and the security center won't bug you about any AV related details.

      In today's update, it keeps nagging me to reboot.

      Your computer is still vulnerable until you reboot the machine. What's the point of applying the patch if the updated files don't get loaded?

      And why do I have to sign yet another goddamned EULA to install critical patches?

      For the same reason every company requires you to sign a EULA before installing/updating software. If you want a detailed reason, ask the lawyers.

  3. Web enabled Shell by 12357bd · · Score: 5, Funny

    Ok, Now is a really web enabled experience! :)

    --
    What's in a sig?
  4. C&C by schnits0r · · Score: 5, Funny

    The recent GDI+ vulnerability

    Good thing I choose to join NOD.


    /rimshot

    --


    -------
    Support Indy Music. Buy
  5. Security is Job 1 by Foofoobar · · Score: 4, Informative

    It's nice to know that they have made security such a high priority. Hopefully their next high priority will be 'doing something about it'.

    --
    This is my sig. There are many like it but this one is mine.
  6. A more accurate bulletin here by Magickcat · · Score: 5, Funny

    I can think of a more comprehensive bulletin:

    1. Internet Explorer (All versions)
    2. Microsoft Office (All versions)
    3. Microsoft Windows OS (All versions)

    --

    Si tacuisses philosophus mansisses. If you had kept quiet, you would have remained a philosopher.

  7. Re:Shell enabled depends. by xsecrets · · Score: 5, Insightful

    links or lynx are programs they are not intigrated into the shell. I don't think you understand what a shell is.

  8. SP2 Isn't Affected by jerw134 · · Score: 5, Informative

    Just in case anyone is wondering, SP2 is not affected by any of these vulnerabilities, except for MS04-038. That's the fix for the "drag-and-drop" vulnerability that everyone's been crowing about.

  9. Thread-o-matic by JoeLinux · · Score: 5, Funny

    Please select your argument here:
    [ ] MS has these security exploits because it is the biggest OS
    [ ] MS is a steaming pile when it comes to security
    [ ] MS is working on fixing these things, and is doing the responsible thing.
    [ ] 1337! I can't wait to #4x0r!

  10. Re:At least with windows by Metasquares · · Score: 5, Informative

    There are a number of user-friendly configuration tools for iptables. FireStarter is the first one that comes to mind, though there are others.

  11. Love this from the remote shell exploit faq by codepunk · · Score: 4, Funny

    Wow now these are guys I can trust!

    Are Windows 98, Windows 98 Second Edition, or Windows Millennium Edition critically affected by any of the vulnerabilities that are addressed in this security bulletin?

    No. None of these vulnerabilities are critical in severity on Windows 98, on Windows 98 Second Edition, or on Windows Millennium Edition. For more information about severity ratings, visit the following Web site.

    Don't sweat it, a remotely exploitable shell is
    not critical!

    --


    Got Code?
    1. Re:Love this from the remote shell exploit faq by vijaya_chandra · · Score: 4, Insightful

      You must be new here not to realise the thinking behind that

      a) Faq says the patch's not critical
      b) Joe doesn't include this in the critical patches he's downloaded on to his system
      c) boom! the system goes down the next week because of the msplaster virus targetting this vulnerability
      d) Joe's not sure about the reason for the crash and re-installs the OS
      e) (c) again after a week
      f) Joe gets frustrated and contacts MS support ppl, who inform him that the brand new Microsoft Windows XP Professional with Service Pack 2, has everything to avoid such crashes
      g) Joe buys what they say

      windows_xp_sales++

      easy!

  12. Re:But how can this be? by jerw134 · · Score: 4, Informative

    The newest version of XP is the safest and most secure version yet. Try counting how many of those bulletins have to do with SP2.

  13. great marketing by LiquidMind · · Score: 5, Funny

    and (on my page) a microsoft windows server 2003 advertisement right below this article.

    beautiful. fucking beautiful.

    --
    This sig contains repetition and redundancy.
  14. Reminds me of something by Deorus · · Score: 5, Funny

    "The best thing about Microsoft bugs is that there are so many to chose from..."

  15. "only" by Anonymous Coward · · Score: 5, Insightful

    The shell vulnerability only allows code execution as the user viewing the malicious web site.

    On most XP installations, the only user is "Administrator".

  16. Aren't you glad you need admin privileges ... by RealAlaskan · · Score: 4, Interesting
    The shell vulnerability only allows code execution as the user viewing the malicious web site. Aren't you glad your shell is web-enabled?

    Aren't you glad you need admin privileges for day-to-day operations on too many windows boxes?

    Aren't you glad that even if you can get by without admin privileges, you can still completely hose your own files just be visiting the wrong website? Aren't you glad the only files that you can infect are the only files that you really care about?

    You bet I'm glad my shell is web-enabled! After all, this Windows box belongs to my employer ... its his time that will be wasted.

    --
    See what I've been reading.
    1. Re:Aren't you glad you need admin privileges ... by Foolhardy · · Score: 5, Insightful
      Many applications and games require admin privileges to install. Windows Update requires admin privileges. etc etc.
      So run only those programs as admin. Windows NT is (and always has been) multi-user. See RunAs, PsExec, SUD, etc. It would be a pretty lame excuse if I said that I had to run as root on Linux all the time because upgrading the kernel requires root access. You'd tell me to use su; do the same thing on Windows.
      Compare that to the Millions of Windows machines completely infected with spyware right now because Microsoft has no clue how to secure a web browser.
      That's funny, I've used IE without getting any malware.
      Here's a better reason that so many computers are plugged: ignorant users that are gullible, believe everything they see on the Internet, and press yes or OK on every dialog box just to get them to go away (without reading them or caring about the content). This is just as possible with Firefox or KDE or any other complex system that people use: you can make resistence to stupidity, but stupidity will always win some battles.
      Could Microsoft make the resistance higher? I guess. But then they would have to contend with cries of incompatibility and non-ease of use. It's a precarious balance.
      You'd like more security, but you aren't a shareholder of Microsoft; I'm sure the company has done much research that says that invasive security makes users mad and reduces sales
      But combine users running by default as Admin [...]
      Yes, the admin default sucks for security. It is also only a default and so completely avoidable; the fact that users don't avoid it speaks of their ignorance.
      If Windows XP automatically logged you on as a non-admin user, most people would be lost; they would have no idea why they can't install their new software. All they see is an ugly dialog box they don't understand and it isn't working. This news would get out, XP would be branded as impossible to use because some dumb columnist couldn't install Quicken 200X, and nobody would buy it. They would still be using 98 or ME with zero local security. Because it's easier than dealing with security hassles. These are the same people who have no idea what the consequences of installing Gator or whatever are, and if you try to tell them about it, they glaze over and continue to do what they always have done.
  17. Market share?? by Anonymous Coward · · Score: 5, Insightful

    Why are there more big announcements about MS patches?

    Because MS is the dominant OS, and many Slashdot readers need to know about these things.

    There have been Slashdot articles on Linux bugs, but fewer. Why? Maybe because there are fewer critical bugs. Why? Market share.

    Not everything is anti-MS. Some of it is just reality.

    desiv

  18. LiteStep by PacoCheezdom · · Score: 4, Informative

    People like myself that use LiteStep for a shell under Win32 don't have to deal with the memory overhead of a web-enabled shell, or these web-based exploits.

    It's pretty cool and it's open source and stable (unlike Windows sometimes) and has a decent-size user base, eventhough most of the themes are pretty worthless. (Then again, for any themable program, aren't the bulk of the themes crap?)

    Anyhow, people that are stuck using Windows like I am (Lycoris' Tablet PC version of Linux is next to featureless) should give it a try, if nothing else but as a preventative measure against future bugs like this.

  19. How is this different by The+Bungi · · Score: 5, Interesting
    From everything in here again?

    With the exception of a proof of concept GDI+ exploit posted to USENET, none of these vulnerabilities are known to be exploited.

    The shell and compressed folder vulns require user interaction, just like 99% of all other "worms". As long as your mail application is patched you can't get hooked via email and if you visit "malicious websites" with anything other than Lynx you probably should be shot anyway. Ditto for a decent firewall.

    On the other hand, I wonder why things like these for soem reason never get posted.

    1. Re:How is this different by jd · · Score: 5, Insightful
      Three of the holes were for "server" editions of Windows. This means that what the user does is largely irrelevent. If the server gets compromised (and, yes, NNTP and SMTP are listed amongst the systems with holes) then you could very easily end up with hostile code on your machine, no matter how updated it may be.


      As far as Linux is concerned, a properly configured Linux box is relatively secure, even if the applications have holes. This is because you can run most servers under restricted user IDs and/or in chroot-ed environments. This means that someone breaking into a server application can't really go anywhere.


      Linux' main "weakness" (diversity of implementations) is also its great strength on this. A Linux virus won't necessarily work on all Linux machines, because it is going to make assumptions about the nature of that machine which may not hold true. Applications can be configured on installation by the admin, but viruses don't usually get that benefit.


      Finally, Linux has some extensions which make it bullet-proof against many types of attack. Mandatory Access Controls and filesystem ACLs mean that you can have an extremely fine-grained level of control over who can do what. This means that if some server software has a user ID of N, but N only has read permissions on N's files, then compromising the server can't even allow an attacker to modify the files they supposedly own.


      All this means that Linux applications don't need to be that secure. The security is provided. It is helpful if they ARE secure, but it's not essential. With Windows, this isn't the case. The level of security isn't that great, and as more and more is integrated into the kernel, the vulnerabilties within any given application become ever-more dangerous to other parts of the OS.

      --
      It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
  20. Re:Windows Shell? by Deorus · · Score: 4, Informative

    Cmd.exe is the command line shell. The Windows shell is explorer.exe (which now has IE built in, or something like, as of Windows 98 you can surf the web from the "My Computer" Icon). Explorer has been the Windows shell since Windows 95. Before Windows 95 it used to be progman.exe (the Program Manager).

  21. DAMN! by AvantLegion · · Score: 4, Funny
    Damn! I had 9 in the pool.

    That's what I get for having faith in you, Microsoft!

  22. Re:another reason to learn linux by sploo22 · · Score: 4, Insightful

    Yeah, for about 10 times more applications.

    --
    Karma: Segmentation fault (tried to dereference a null post)
  23. Cumulative bug reporting conspiracy by RealProgrammer · · Score: 4, Interesting
    Microsoft saves these up so that
    1. Users only need to patch their boxes once.
    2. Sysadmins only need to frantically patch all of their boxes once.
    3. It looks better if there is one bunch of ten patches on one day than if there are ten announcements of one patch each on ten different days. A lot of these bugs were announced earlier, but the releases are all announced now.
    4. Saves ink on /.
    --
    sigs, as if you care.
  24. Re:News For Nerds?? by alw53 · · Score: 5, Funny

    We should all be nice to Microsoft because they would never bug their competitors' hotel rooms, perjure themselves in court, open their source code to China while claiming in court that opening it would damage national security, sabotage their competitors' applications by changing their API's, or promise delivery dates that they know they cannot meet in order to starve their competition. Everyone knows Linus does that kind of stuff all the time.

  25. I give up by danharan · · Score: 5, Interesting

    That does it. I'm switching to Linux- Ubuntu, *noppix- or even *BSD, anything but Windows.

    Installing today's updates, it asked me if I wanted more information about a vulnerability- and proceeded to open a page with Internet Explorer. How many times do I have to tell the computer that Firefox is my default browser? Whose machine is this, anyway?

    With SP2, XP has been annoyingly telling me I may not be protected (I run without anti-virus but am locked down regardless and still scan regularly- with no virus or reinstall in 2 years). In today's update, it keeps nagging me to reboot.

    And why do I have to sign yet another goddamned EULA to install critical patches?

    There isn't any windows only software I need anymore. OO.org, Firefox, Thunderbird... and now GAIM (which I've gotten used to at work, working on FC1). I'll miss some of the usability features of XP, but I just can't handle it anymore. So long, Windows!

    --
    Information: "I want to be anthropomorphized"
  26. mod parent up! by xutopia · · Score: 4, Funny

    actually, parent is my brother(that sentence sounds weird); I just want to make sure his comment is public so he has to carry through with it ;)

  27. Re:At least with windows by NotoriousQ · · Score: 4, Insightful

    Why run a firewall at all?

    If you are directly connected to the net, then this is a standalone machine, and does not need to have any sockets open, except that which is supposed to be used on the net. Turn off unnecessary services, or switch them to local mode only. AFAIK, there are no vulnerabilities for closed ports.

    If you have a LAN, then there is something that separates the LAN from the internet. This should not be your desktop machine.

    If you have two machines separately on the net, then you should use ssh tunnels between them. That is more secure than firewalls anyway.

    Outgoing connections? May I ask why are you running spyware?

    Filtering ICMP? Why would you want to break network standards again. It is because of you the net is a pain to use. I like getting messages that my connection failed instead of waiting for 60 seconds.

    People firewall for a simple reason: to have open services inside the network, and not outside. At this point you should be capable enough to either do it yourself, or have a complete solution (although NAT is not a firewall, it behaves as one)

    As far as I am concerned there should be no need to run any firewalls on the desktop. In fact it is a sign of poor management, or a patch to a bigger problem (not trusting your own computer).

    Is there something I am missing?

    --
    badness 10000
  28. Correct reponse to Microsoft security holes by crazyphilman · · Score: 4, Funny

    When confronted with a new Microsoft security hole, which seems to one to have existed for a while, possibly leaving his entire organization at risk, one should never react with surprise or horror.

    One must make a FRIEND of the horror.

    Then, one can hear about the security issue, nod sagely with a wan smile, and whisper to the junior IT staff, "But of COURSE there is a hole. This is to be expected, young one. Run and patch, then we'll go to lunch."

    Bonus points for leaning back in one's chair, folding one's hands across one's belly, and sighing loudly before addressing the novice.

    --
    Farewell! It's been a fine buncha years!
  29. Re:10 Bulletins? by ktakki · · Score: 5, Funny

    MS10-01: Vulnerability in Internet Explorer may cause user to worship other gods.
    MS10-02: Buffer overrun in Graven Image processing.
    MS10-03: Vulnerability in RPC Service may cause the name of the Lord to be taken in vain.
    MS10-04: Vulnerability in Task Scheduler may prevent computer from resting on the Sabbath Day.
    MS10-05: Vulnerability in Windows Shell may allow child process to kill parent process.
    MS10-06: Buffer overrun in DCE Locator Service may cause abnormal program termination.
    MS10-07: Vulnerability in Outlook/Outlook Express may lead to adultery.
    MS10-08: Vulnerability in MSKerberos may allow remote user to steal.
    MS10-09: Vulnerability in Excel may allow workbooks or spreadsheets to bear false witness.
    MS10-10: Vulnerability in Internet Explorer may cause user to covet neighbor's ass.

    k.

    --
    "In spite of everything, I still believe that people are really good at heart." - Anne Frank
  30. Why firewall? Because the world isn't perfect by KWTm · · Score: 4, Insightful

    If I could summarize, you are saying that the desktop machine should be configured well and securely so that a firewall is not needed.

    To answer your question, a firewall is for damage control when you don't know (or realize too late) that your machine is not perfectly configured. Some program has some vulnerability, or a trojan, or something. You are right --it SHOULD not be this way; but when it just IS, and the trojan starts spamming people or transmitting your private PGP keys onto IRC, the firewall is there to say, "Hey, waitaminnit, something weird is going on here."

    A firewall is like a fireman. You hope that it doesn't have to do anything but sit there.

    --
    404555974007725459910684486621289147856453481154 in hex is "You sank my Battleship?"
    [GPG key in journal]
  31. All bugs have shells..... by hughk · · Score: 4, Funny

    they are called exoskeletons.

    --
    See my journal, I write things there
  32. Re:At least with windows by welshwaterloo · · Score: 4, Informative
    There are several reasons we're rolling out Symantec's personal firewall to desktop PC's.

    1. Security in depth. Multilayered security = A Good Thing.
    2. True, there shouldn't be ports we don't know about on user's PC's, but how about when they pop one open without knowing? They can't download or receive numerous file types & their peripherals are disabled, but users will be users. I've seen programs installed that install telnet or tftp servers. A decent personal firewall setup will alert the user *and* log that alert to a central console.
    3. Mistakes happen. A nameless colleague quit-out halfway through creating a firewall rule. The default action is to create the rule regardless, so for 20 minutes a bunch of workstations were waaaay more accessible than they should be. Worms were spotted.
    4. It's disastrous to think "We've got a firewall, ergo we're secure" (see above). Common example: User sits in internet cafe with laptop, some floppies, usb devices & cd rom. Effectively spreads legs & asks the world to infect him. Next day, brings laptop back & jacks into the LAN. My sturdy firewall is now worth jack. Personal firewalls all round, please.
    5. And yes, I do filter ICMP. I'm sorry that you have to wait 60 seconds for your pings or whatever to fail, but I have to ask why were you scanning my LAN? You want me to turn on file&printer sharing too, so you can see what else is going on? It's my LAN, & within it I'll do whatever I can to keep it secure. Guess what - I run some web services.... ...and they're not on port 80...!

    As far I'm concerned there are valid reasons to run personal firewalls on the desktop.
    Hand-in-hand with user education, security policies, patch management and effective anti-virus solutions they provide a robust & proven security benefit.

    You're damn right I don't trust my computer. And I won't do until I control all access in and out, and it tells me when something tries to except those rules. Oh, wait! It does. It's my personal firewall.