Ten Security Bulletins From Microsoft
wschalle writes "Microsoft has released 10 "new" security bulletins, including one pertaining to a vulnerability in the Windows Shell, apparently exploitable via the web. The shell vulnerability only allows code execution as the user viewing the malicious web site. Aren't you glad your shell is web-enabled? The recent GDI+ vulnerability is re-released here as well as a vulnerability in zip compression handling."
....Win2k patched fine. Another Tuesday Patch roulette over with....
I was just about to write a pro MS defence post to stave off the oncoming attack. I just re-read the article. I quit.
Ok, Now is a really web enabled experience! :)
What's in a sig?
The recent GDI+ vulnerability
Good thing I choose to join NOD.
/rimshot
-------
Support Indy Music. Buy
I can think of a more comprehensive bulletin:
1. Internet Explorer (All versions)
2. Microsoft Office (All versions)
3. Microsoft Windows OS (All versions)
Si tacuisses philosophus mansisses. If you had kept quiet, you would have remained a philosopher.
links or lynx are programs; they are not integrated into the shell. I don't think you understand what a shell is.
Just in case anyone is wondering, SP2 is not affected by any of these vulnerabilities, except for MS04-038. That's the fix for the "drag-and-drop" vulnerability that everyone's been crowing about.
Please select your argument here:
[ ] MS has these security exploits because it is the biggest OS
[ ] MS is a steaming pile when it comes to security
[ ] MS is working on fixing these things, and is doing the responsible thing.
[ ] 1337! I can't wait to #4x0r!
There are a number of user-friendly configuration tools for iptables. FireStarter is the first one that comes to mind, though there are others.
and (on my page) a microsoft windows server 2003 advertisement right below this article.
beautiful. fucking beautiful.
This sig contains repetition and redundancy.
"The best thing about Microsoft bugs is that there are so many to choose from..."
The shell vulnerability only allows code execution as the user viewing the malicious web site.
On most XP installations, the only user is "Administrator".
Why are there more big announcements about MS patches?
Because MS is the dominant OS, and many Slashdot readers need to know about these things.
There have been Slashdot articles on Linux bugs, but fewer. Why? Maybe because there are fewer critical bugs. Why? Market share.
Not everything is anti-MS. Some of it is just reality.
desiv
With the exception of a proof of concept GDI+ exploit posted to USENET, none of these vulnerabilities are known to be exploited.
The shell and compressed folder vulns require user interaction, just like 99% of all other "worms". As long as your mail application is patched you can't get hooked via email and if you visit "malicious websites" with anything other than Lynx you probably should be shot anyway. Ditto for a decent firewall.
On the other hand, I wonder why things like these for some reason never get posted.
We should all be nice to Microsoft because they would never bug their competitors' hotel rooms, perjure themselves in court, open their source code to China while claiming in court that opening it would damage national security, sabotage their competitors' applications by changing their API's, or promise delivery dates that they know they cannot meet in order to starve their competition. Everyone knows Linus does that kind of stuff all the time.
That does it. I'm switching to Linux- Ubuntu, *noppix- or even *BSD, anything but Windows.
Installing today's updates, it asked me if I wanted more information about a vulnerability- and proceeded to open a page with Internet Explorer. How many times do I have to tell the computer that Firefox is my default browser? Whose machine is this, anyway?
With SP2, XP has been annoyingly telling me I may not be protected (I run without anti-virus but am locked down regardless and still scan regularly- with no virus or reinstall in 2 years). In today's update, it keeps nagging me to reboot.
And why do I have to sign yet another goddamned EULA to install critical patches?
There isn't any windows only software I need anymore. OO.org, Firefox, Thunderbird... and now GAIM (which I've gotten used to at work, working on FC1). I'll miss some of the usability features of XP, but I just can't handle it anymore. So long, Windows!
Information: "I want to be anthropomorphized"
MS10-01: Vulnerability in Internet Explorer may cause user to worship other gods.
MS10-02: Buffer overrun in Graven Image processing.
MS10-03: Vulnerability in RPC Service may cause the name of the Lord to be taken in vain.
MS10-04: Vulnerability in Task Scheduler may prevent computer from resting on the Sabbath Day.
MS10-05: Vulnerability in Windows Shell may allow child process to kill parent process.
MS10-06: Buffer overrun in DCE Locator Service may cause abnormal program termination.
MS10-07: Vulnerability in Outlook/Outlook Express may lead to adultery.
MS10-08: Vulnerability in MSKerberos may allow remote user to steal.
MS10-09: Vulnerability in Excel may allow workbooks or spreadsheets to bear false witness.
MS10-10: Vulnerability in Internet Explorer may cause user to covet neighbor's ass.
k.
"In spite of everything, I still believe that people are really good at heart." - Anne Frank
Here's a better reason that so many computers are plugged: ignorant users that are gullible, believe everything they see on the Internet, and press yes or OK on every dialog box just to get them to go away (without reading them or caring about the content). This is just as possible with Firefox or KDE or any other complex system that people use: you can make resistance to stupidity, but stupidity will always win some battles.
Could Microsoft make the resistance higher? I guess. But then they would have to contend with cries of incompatibility and non-ease of use. It's a precarious balance.
You'd like more security, but you aren't a shareholder of Microsoft; I'm sure the company has done much research that says that invasive security makes users mad and reduces sales. Yes, the admin default sucks for security. It is also only a default and so completely avoidable; the fact that users don't avoid it speaks of their ignorance.
If Windows XP automatically logged you on as a non-admin user, most people would be lost; they would have no idea why they can't install their new software. All they see is an ugly dialog box they don't understand and it isn't working. This news would get out, XP would be branded as impossible to use because some dumb columnist couldn't install Quicken 200X, and nobody would buy it. They would still be using 98 or ME with zero local security. Because it's easier than dealing with security hassles. These are the same people who have no idea what the consequences of installing Gator or whatever are, and if you try to tell them about it, they glaze over and continue to do what they always have done.