3 New Windows Security Problems Found
DotNM writes "USA Today is running a story that outlines three security issues in Microsoft Corporation's popular Windows desktop operating system product. It describes the issues and urges users not to download .hlp files from email attachments. Apparently there are issues, even for a Windows XP system patched with Service Pack Two."
Merry X-Mas from your friends in Redmond! Geez do they even search for flaws on their own?
Millions of grains of sand found!
Smoke me a kipper, I'll be back for breakfast.
"Microsoft Corporation's popular Windows desktop operating system product." /. headline?
What? Is there a minimum number of characters for a
Ha.
The requested URL (it/04/12/25/1433236.shtml?tid=172&tid=128&tid=201 &tid=1) was not found.
upon clicking the "comments" link...
According to a report on eWeek.com, one of the three vulnerabilities involves image handling, which has posed problems for Windows and Unix systems in the past. The other two vulnerabilities involve Windows' Help system and its .hlp files, and Windows' ANI (Automatic Number Identification) authentication capabilities.
That's what ANI is in the context of telephone networks. In the context of a Windows system, it's an animated mouse cursor.
Besides, these vulnerabilities were announced yesterday morning on Slashdot!
I claim first use of "Error No. 0B" - or "No. 0B error." It'll be the new ID 10T!
and somehow they dupe the story..
i mean camman, just read back 10 posts and you'll see the exact same story...!
MABASPLOOM!
"A Chinese security group reports..."
.hlp files attached and strongly encouraged to read e-mail in plain-text format to keep malicious images from utilizing LoadImage."
Why does this not inspire confidence?
"Users are urged to block e-mail attachments arriving with
This is new advice? Jeez, now my whole mail paradigm is hosed.
Ignorance is curable, stupid is forever.
Can someone show me the way to an OS with no security issues, please?
Do FORMAT C: /S /Y then reboot. Voilà! No more virus or worm.
"A door is what a dog is perpetually on the wrong side of" - Ogden Nash
...two turtle doves and a partridge in a pear tree!
> Apparently there are issues...
What has become of the word "problem"? "Issue" is marketdroid-speak.
Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
dupe.
Good Tidings to all, and HO! HO! HO!
Human 1.0 has no known security issues. Isn't always too stable, however. And, like always, it can depend on the administrator.
Apparently there are issues, even for a Windows XP system patched with Service Pack Two.
...
*Gasp* Oh my god! Not SERVICE PACK 2, the horror
Sign up to receive our free Tech e-newsletter and get the latest tech news, Hot Sites & more in your inbox.
E-mail:
Select one: HTML [x] Text [ ]
err....?
Every time new vulnerabilities are announced, they say, "don't do this, don't download that, don't use this or that program/feature/bug". Enough of this has gone on that every program that was of any use in Windows is now unusable for fear of remaining undiscovered holes/patches that didn't take.
;-)
Let's now compile a list of these to give to people in order to convince them to switch to Linux. Meanwhile, so much functionality has been rendered unusable that when the next hole is found, they'll have to tell people not to use Windows at all
Hey, I can dream, can't I?
The difference between spam and poop is that you don't have to dig through septic tanks looking for real food. -- Me
Hey, let me give you all a tip.....even if the future service packs for XP reach version 10, it will always be insecure and full of critical issues that are discovered by people other than Microsoft.
At least with Linux, the community usually discovers them first and before the problem is made public there is already a patch available. Now, these poor saps with Windows machines will probably have to wait weeks for a patch. Meanwhile, their machines are being zombified as I type and turned into spam gateways.
It's called, a GNU/Linux distribution.
Biggest laugh today
Dupe or not, the emphasized part still brings out the giggles in me.
Not Buzzword 2.0 compliant. Please speak English.
Human 1.0 is a buggy piece of crap. Apparently there's a hard coded uptime limit of somewhere around 16-48 hours, and rebooting takes up to 12 hours, but usually 8.
There are hundreds of DDoS attacks, including something as trivial as a potassium injection attack.
All in all, I can't recommend Human 1.0 for production use yet.
I've had enough abrasive sigs. Kittens are cute and fuzzy.
...urges users not to download .hlp files from email attachments.
Yet people will continue opening strange attachments.
I hardly blame Microsoft for this with people uneducated enough to open a .hlp file attachment, or any random attachment that reaches their inbox.
Merry Christmas, learn how to use the technology you spend your cash on, etc. Love Wilson.
- Wilson
Actually, models of the human 1.0 that received the "Y" chromosome are vulnerable because they will readily accept forbidden fruit packets without verifying the original sender's identity. Transmitting such packets via a model of the Human 1.0 bearing only "X" chromosomes ensures 100% deliverability of any packets. This flaw exists because the "Y" model of the Human 1.0 only uses waist-level firmware when interacting with the "X-only" model.
I told you! I told you not to eat that sauerkraut, but you wouldn't listen.
Even with the daily list of vulnerabilities, viruses, BSOD's, lock-ups, Windows Protection Errors, Ooga-Booga dances to keep the machine running, Windows XP is still the best OS out there! Linux may be stable, virus-free, more secure by design, have tons of free software available, frequent updates, and no restrictions on how many times you install it or where, but it is definitely not ready for the desktop. I mean, it may have more features than Windows, easily connect to just about any type of network service, but really, who can say that it's ready for people to use? So what if it takes under 20 minutes to install a full system with more software than I would ever want to use. Five hours of installation, patching, inserting software cds, installing and updating virus protection, installing effective firewall software, finding device drivers, entering license numbers for an equivalent system in Windows is a small thing compared to what you get with Windows, whatever that means... So what if there are Linux desktops that have not needed rebooting in nearly 2 years, and the only work performed on them was to type "apt-get upgrade dist"? That's just too boring and predictable! What fun is there in that? So what if you can install or upgrade all currently installed software over the internet with one command or by selecting it and clicking install? I'm sorry, but Linux is not ready for the primetime, not "Enterprise" ready. I'm not sure what that means, and frankly I'm not sure anyone else who says that does either, but they are absolutely correct! I can vouch for it.
--dingletec--
Unless, of course, the system files you copied to the hard drive weren't infected...
Try MS-DOS. No remote root exploits in over 23 years. No new viruses in a decade. No malware. No worms.
Of course, you have other options. You have the classic Mac OS, CP/M, Apple DOS, etc.
My point? Every OS that provides services to the Internet isn't 100% secure. Sure, Linux and *BSD may be more secure than Windows, but Linux and *BSD aren't perfect.
Not to be picky, but automobiles pay road taxes in the form of taxes applied to gasoline purchased and therefore they go further in supporting the cost of roadways. Bicycles do not. Bicycles belong on designated biking paths not riding on sidewalks, between cars, etc.
This is old news. If we're going to have articles about security issues with Windows, we might as well just have a static link to Microsoft.com on Slashdot's front page.
Here's one of the permanent security bulletins to put on that static link description: Do NOT open any attachments in Outlook, at all. I mean, this is becoming one of the basic rules like, "Don't touch the stove, little Jimmy.. HOT! Very hot."
Happy Christmas, Harry! Happy Christmas, Ron.
good laugh mpu
I got a 3G Motorola C975 on the 3 network for Christmas and it's just completely locked up while connected. It's running Micro$oft :(
Dupe it good!
SP2 adds NX "protection." While this adds protection against buffer overflows on the stack, it does nothing for overflows on the heap, which can be just as bad. Also, if the return address is simply changed to an address on the heap, code in the heap can be executed. The heap has the executable bit, because of dynamic libraries loaded into the heap.
I mod down pyramid schemes in sigs.
> I hardly blame Microsoft for this with people uneducated enough to open a .hlp file attachment, or any random attachment that reaches their inbox.
Why can you not blame Microsoft for distributing an MUA that executes attachments when they are "clicked" on?
Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
... for the color scheme here at least:
1 433236&threshold=-1&tid=172&tid=128&tid=201&tid=1
http://shit.slashdot.org/article.pl?sid=04/12/25/
... in 10 Oracle exploits posted on Bugtraq earlier. It's holiday time anyway, those DBs can wait.[/sarcasm]
of shit pack 2 was what? I guess to just add more ineffective bloat ware to everyone's computer.
On one customer's laptop (auto update allowed) SP2 changed the language to Bosnian. Format re-install, disable auto screw up.
SP2 and Norton Internet Security 2003, or 2004 will almost always cause enough conflicts to require a R&R.
Professional Politicians are not the solution, they ARE the problem.
learn how to use the technology you spend your cash on
Or, spend a little more cash on the technology at time of purchase, and reap the benefits down the line-- i.e. buy a Mac, you cheap fucks, and spend more time using your computer instead of making sure some scumbag spammer can't use it.
Even before this, I've been wondering if there is an alternative to the MS Help viewer (hh.exe) for CHM files, like xCHM in Linux?
I did get xCHM running under Cygwin but for some reason the images don't show up...
This is a sig. Deal with it.
Have you ever tried to educate such a user?
AnamanFan - Trying to find the Truth, one post at a time.
We've seen this one before.
But last time, the submitter at least got the comments right.
Accurate, but not accurate enough for my taste.
The post should actually read:
-kgj
But there's a patch for the uptime limit. It usually comes in the form of 8oz. cans.
But you can fight off the attacker who uses the potassium.
Ain't nothing better than Human 1.0. Perfect? No.
SP2 is not vulnerable to the ANI or LoadImage exploits that the article describes. It is however vulnerable to a variation of the hlp heap overflow exploit.
There is no longer anything that can be done with computers that is nontrivial and clearly legal. -- Paul Phillips
Let me know when MS does something right. That will be news.
You know how on that show Cops, you'll occasionally see some redneck guy being stuffed into a police car? Then, in the background, you can hear his bloodied and bruised other half screaming (usually in a southern accent) 'I love him, don't you take him away!'
This runs through my mind each time another friend of mine replaces his dead Windows box with another. I believe Windows users like to be hit.
There is no way to compare flaws in Windows and Linux, and every attempt to do so is misguided. The reason is that the politics behind disclosure for Microsoft is entirely different than for Linux, so there is no way to link them statistically.
From the classic "there is one error for every thousand lines of code in a mature program" logic, a person could estimate how many bugs are present in both code bases and look at the number of published bugs to see who is covering their butts more. I'd guess Microsoft has more to lose from bad PR, so odds are they have internalized most knowledge about bugs.
-- "Makes Little Debbie look like a pile of puke!" - Moe Szyslak
Yeah! Tell me about it. Nice present from Redmond guys. But let me tell you a happy story! Open Source world gave me the nicest Christmas present I could ever imagine! (well.. I had to download some software and compile a few libraries to make it work, but..)
Linux audio community gave me Yamaha DX-7 synthesizer! This is my dream come true, I can now play some great tunes that made this synthesizer one of the most well known synthesizers. This synthesizer was used on U2's Unforgettable Fire and The Joshua Tree albums. This synthesizer was used by these artists: the Crystal Method, Kraftwerk, Underworld, Orbital, BT, Talking Heads, Brian Eno, Tony Banks, Mike Lindup of Level 42, Jan Hammer, Roger Hodgson, Teddy Riley, Brian Eno, T Lavitz of the Dregs, Sir George Martin, Supertramp, Phil Collins, Stevie Wonder, Daryl Hall, Steve Winwood, Scritti Politti, Babyface, Peter-John Vettese, Depeche Mode, D:Ream, Front 242, U2, A-Ha, Enya, The Cure, Astral Projection, Fluke, Kitaro, Vangelis, Elton John, James Horner, Toto, Donald Fagen, Michael McDonald, Chick Corea, Level 42, Queen, Yes, Michael Boddicker, Julian Lennon, Jean-Michel Jarre, Sneaker Pimps, Greg Phillanganes, Stabbing Westward and Herbie Hancock to name a few.
Can you imagine that? And all this for FREE! Thanks to you guys who made that software synthesizer for Linux!
Wanna have it? Here's where to start.
You see, sometimes the best Christmas presents can be free! Happy Christmas and thank you very much, Open Source world!
...a person could estimate how many bugs are present in both code bases and look at the number of published bugs to see who is covering their butts more.
Just to reinforce my point: the above research still could not be used for any serious arguments. There are just too many unknowns.
-- "Makes Little Debbie look like a pile of puke!" - Moe Szyslak
hlp files (or rather the engine which handles them) are part of windows. Microsoft has said as much in statements in court under oath. Subversion has never been installed on my (linux) computer, so you can't count it as part of linux. If a program is installed by default on most of the "big seven" distros, or just the majority of linux installs (but how would you ever check?) I suppose you could count it as part of linux, but that's probably rather unfair since those distros are far more functional by default than windows is. Finally, slashdot does tend to post flaws in major OSS. Whenever I've had to do a security upgrade, I've always found the story on /..
I am trolling
Wrong! Most states classify bikes as a vehicle, and therefore they can go on roads and obey rules just like any other vehicle. They have to use turn signs, even obey lanes. (driving between cars is not considered OK in the US). The only restrictions on bikes are that they have to obey minimum speed limits when posted, and do not drive on self-propelled restricted roads (most roads with on-off ramps).
So, yes, if I want to be an ass, I can occupy a whole lane (just like a slow moving tractor can), and the cars will be either forced to wait, or have to pass. Most of the time I use as little of the road as possible, just to be nice.
Owners do not pay taxes because they are considered to not be a substantial burden on the road, and the cost is simply taken from the general tax (usually property/land), or taxes for cars.
As far as riding on sidewalks -- that is prohibited in most states. However, in areas where sidewalks are not everywhere, and pedestrians are a complete rarity, one can try to claim that a sidewalk is actually a bike path if stopped by a cop.
Just make sure you are wearing a helmet to give police less chance to stop you. Many times they will not, as they can not even issue you a ticket, as you do not have to have identification. In that case they probably have to arrest you or trust you, and they really do not want to do that.
BTW, what does this have to do with XP vulnerabilities?
badness 10000
A help file should be "safe". Like a text file. Like a html file. People should not *run programs* from strange people over the internet, and I blame no one but the users for all the "run this security patch" type viruses, but people should be able to *view documents* from strange people over the internet. After all, that's the main idea behind the web.
I am trolling
There are hundreds of DDoS attacks, including something as trivial as a potassium injection attack.
I prefer the DDoS: hot female co-workers wearing low-cut V-neck sweaters.
-- "Makes Little Debbie look like a pile of puke!" - Moe Szyslak
Three security issues in a short space of time is quite worrying. Compare it to OpenBSD. I would say it's news if something which happens to every os occasionally happens 3 times in quick succession to a particular one, just like it's news if someone has three car crashes in one week.
I am trolling
It's possible to be 100%. Qmail has had a bounty on any security hole for iirc 3 years which has not been claimed, meaning it looks to me like it's 100% secure - you assume that there are 5 times as many bugs as you find on any given bug hunt, but 5 times 0 is still 0. OpenBSD may be the same. It's possible to provide services to the Internet and be 100% secure.
I am trolling
granted that the world's weasels are lining up six wide to get the next windoze crack out there and on the SANS list. granted that a cardboard sign being held by the highway reading "hit me, take my money, run and have fun" confers greater security than windows. there are still things that need running, according to corporate characters, that require the MS OS to run them.
Now, the real question. is the sandbox secure in virtual PC / XP running on MacOS X, by any chance? I either have to upgrade a machine with XP-SP2 for the fiancee or get her a Mac with VPC on it, due to some work possibilities.
if the sandbox is secure, life will be cool.
anybody know for sure?
if this is supposed to be a new economy, how come they still want my old fashioned money?
Yeah, sure Windows can have many holes and design errors, but no human is perfect therefore no os is perfect nor its security. How about the Linux kernel vulnerabilities? There have been as many vulnerabilities in the linux kernel this month as windows kernel ones this whole year, but that makes no news.
I just wanted to point out that somebody at usatoday.com has a sense of humor:
2004-12-24-we-three-winholes_x.htm
Three Windows exploits,
Man, I'm getting tired of that song!
One line blog. I hear that they're called Twitters now.
Install Linux and Java
With so many MUAs existing, I am surprised, for the sake of security, that you wouldn't pick one with native security measurements in it! (Such as simply not showing images by default, in this case.)
Oh, did I forget to mention that Thunderbird does that?
Take off every 'ZIG' !!
...Linux and *BSD may be more secure than Windows...
The operative word here is may. Sure, my Linux box is secure, but that is because I have spent hours, no, days, no, months learning about the strengths and weaknesses of the Linux variant I run. So far, I have been fortunate to not have been caught by the holes and exploits that are there that I may not know about or haven't been made public yet. But you know what? I have spent an equal amount of time learning the strengths and weaknesses on my XP Pro box as well, and I have had the same amount of security issues on that machine as well - namely zero. I feel it is worth noting here that both machines have a constant 'net connection and are rarely taken off line.
Any OS that is installed right out of the box will have gaping holes that you could drive a bus through, and let's face it, that's what 90% of the boxes out there are. Sure, the Win boxes will get hit faster because they are the big target right now, but go out and get a store-installed *nix box, plug it in and see how fast it gets rooted.
Bottom line, if you don't know the workings of the system you are running quite well, you will be taken out. And even that is no guarantee.
Give me but one firm spot on which to stand, and I will move the earth.
- Archimedes
How could this be? It must have been a grievous mistake and they're lamenting how such a flaw could have gotten past their impeccable testing & security systems! It probably ruined their Christmas, their reputation is on the line here!
Wait - Microsoft..oh never mind...
Using /S means you just copied system files to your partition, which in effect means you are now running MS-DOS. DOS probably had one of the worst virus records of any platform. Including the Amiga!
I really hate to rain on Timothy's parade, but not only is this story a dupe, it's looking more and more like a hoax. Secunia, no fan of Microsoft, has not even been able to repro any of these on a fully patched SP1 system, much less on an SP2 system. In addition, I tried to repro the last of these on an SP2 system, and could not do so.
Well if you are ready for a good laugh... Check out this story about Google Bombing. The Motley Fool lives up to his name again.
I'm not sure where this information comes from, but some reports think he pulled those numbers out of his ass.
The one vulnerability that does affect SP2 cannot be remotely exploited. So clicking on a link to a .hlp file on a web page or email does nothing much. You have to explicitly save the file and then execute it. Check it out yourself here -
...
Not everyone knows or has tools to make .HLP files. So yes that one exploit is worrisome but not much. Just block .HLP files on the mail server for the dumb users who will shoot themselves in the foot no matter what. Also it's not like there are tons of sites out there having .HLP files linked in web pages. And even if they are, the user needs to make significant interaction to get exploited. So end result, you are pretty okay on SP2 with sensible users.
http://www.xfocus.net/flashsky/icoExp/ (Do it at your own risk)
That's so much user interaction that it's a low risk issue. If you can convince the user to do that then you might as well send him an exe file and tell him to save and execute that. How about sending a gun with instructions - "point at foot and press trigger"
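The mail-server block on .hlp attachments suggested in the comment above, sketched as an added example (not part of the original thread): a gateway-side check that walks every MIME part, including forwarded messages, and flags any attachment whose effective Windows extension is .hlp. The function names, addresses and sample messages are constructed for illustration.

```python
import email
from email import policy
from email.message import EmailMessage

# Extensions the gateway refuses; the thread's advice covers .hlp only.
BLOCKED_EXTENSIONS = {".hlp"}


def normalized_extension(filename):
    """Return the extension Windows would act on, lower-cased.

    Win32 path handling drops trailing dots and spaces, so a name such as
    "notes.hlp. " still opens as a .hlp file and must be treated as one.
    """
    name = filename.strip().rstrip(". ").lower()
    dot = name.rfind(".")
    return name[dot:] if dot != -1 else ""


def blocked_attachments(raw_bytes):
    """Return the filenames of all parts that carry a blocked extension."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    hits = []
    # walk() also descends into message/rfc822 parts (forwarded mail).
    for part in msg.walk():
        # get_filename() checks Content-Disposition "filename" first, then
        # the Content-Type "name" parameter, and decodes RFC 2231 values.
        filename = part.get_filename()
        if filename and normalized_extension(filename) in BLOCKED_EXTENSIONS:
            hits.append(filename)
    return hits


def build_sample(filename):
    """Constructed sample message with one attachment of the given name."""
    msg = EmailMessage()
    msg["From"] = "sender@example.test"
    msg["To"] = "user@example.test"
    msg["Subject"] = "constructed sample"
    msg.set_content("See attached.")
    msg.add_attachment(b"constructed placeholder bytes",
                       maintype="application", subtype="octet-stream",
                       filename=filename)
    return msg


def build_forwarded_sample(filename):
    """Constructed sample: the attachment sits inside a forwarded message."""
    outer = EmailMessage()
    outer["From"] = "relay@example.test"
    outer["To"] = "user@example.test"
    outer["Subject"] = "Fwd: constructed sample"
    outer.set_content("Forwarding this to you.")
    outer.add_attachment(build_sample(filename))  # becomes message/rfc822
    return outer


# Constructed raw message: no Content-Disposition, only a Content-Type
# "name" parameter, with trailing dot and space padding after the extension.
RAW_NAME_ONLY = (
    b"From: a@example.test\r\n"
    b"To: b@example.test\r\n"
    b"Subject: constructed sample\r\n"
    b"MIME-Version: 1.0\r\n"
    b'Content-Type: multipart/mixed; boundary="b1"\r\n'
    b"\r\n"
    b"--b1\r\n"
    b"Content-Type: text/plain\r\n\r\nhello\r\n"
    b"--b1\r\n"
    b'Content-Type: application/octet-stream; name="notes.hlp. "\r\n'
    b"Content-Transfer-Encoding: base64\r\n\r\n"
    b"AAAA\r\n"
    b"--b1--\r\n"
)

if __name__ == "__main__":
    for label, raw in [
        ("direct", bytes(build_sample("readme.HLP"))),
        ("forwarded", bytes(build_forwarded_sample("readme.HLP"))),
        ("name-only", RAW_NAME_ONLY),
        ("benign", bytes(build_sample("report.pdf"))),
    ]:
        print(label, blocked_attachments(raw))
```

A name-based block like this only covers the delivery path the thread discusses; it does not inspect file contents, so a renamed file passes it.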
In enterprise settings, where it's actually possible to track such things, that's easier to believe. All the Windows machines are behind the corporate firewall, while the Linux machines are exposed to the world because Linux servers easily outnumber Windows servers, at least for world-visible things.
This has nothing to do with home computers, where incompetent Windows users are pitted against equally incompetent Linux users in competition for the title of "most breached OS".
Given that the market value of a zombie Windows box is about 5 cents, I think we know who's ahead there.
Not that I'm a big fan of Linux security (My Linux box stays behind my OpenBSD firewall.), but comparing it to Windows is pretty funny.
I rarely criticize things I don't care about.
Mod parent up!
I'm glad that no one dared answer - that makes me believe my question was valid.
I am glad the original was moderated down, nothing validates a point better than a worried moderator on slashdot.
The real answer is: if it's linux it's good, if it's anti-linux it's bad.
Did anyone even read what these bugs are? I mean it was like "exploit X allows a vicious web site to change the color of a pixel after the user does 22 dumb things in a row" - yep, that's big news for slashdot alright! I really wish someone would come out with a linux bashing site.
OMG!!!!
You mean that SP2 doesn't fix everything?
And here I thought it was supposed to fix all the security flaws in windows.....
someone pinch me, I must be dreaming, this could never happen.
wrong, I'm afraid - how do you know I don't have your qmail vulnerability, that I use daily to sneak into machines? I could care less about a bounty because it lets me get where I want to go, on machines run by people with your "I can't be compromised!" attitude? The same goes for OpenBSD, which of course is always lauded as "the ultimate in security" by linux fanboys. Fascinating stuff. There is NO way to ensure you are 100% secure, and there never will be.
oops - that wasn't your comment I was referring to - forgive me.
I haven't had a virus or worm in AmigaOS or MorphOS yet... Supposedly they exist, but still never had them.
Now it's just like "Meh".
http://www.macinhack.com
To understand Microsoft's abusiveness, compare the Mozilla browser and any Microsoft product, such as Windows XP.
Mozilla is not perfect. Under some conditions it has huge memory leaks. (Yes, I have reported this to Bugzilla.) Under other conditions it will use 70% of CPU power when no new pages are loaded. It doesn't handle big bookmark files well. But a study of Mozilla shows that in many areas it is excellent. Overall, Mozilla is an honest attempt to build the best browser possible. The shortcomings are easily understood as areas that have not yet received sufficient attention.
Microsoft products are different. Windows 2000 was released while Microsoft's own database showed more than 63,000 areas that Microsoft employees said needed attention. When it was released, Windows XP reportedly had more than 100,000 areas that Microsoft employees said needed attention. There seems to be little idealism in the way Microsoft managers lead the development of products. Microsoft programmers are apparently not allowed to finish their work. Much, much more could be said about this, but, basically, I find stupid unnecessary shortcomings everywhere I look in Microsoft products. In Mozilla, there are large areas of continued excellence.
The
Now's the time to come up with grandpa's words: Never buy from a rich salesman.
I'm not sure when it comes to qmail, but the fact that so many audits have been done and none has found any vulnerabilities suggests strongly that there are no vulnerabilities. Anyway, there is a way to ensure you are 100% secure - mathematical proof. It's a lot of work so it's not done that often, but software just does logic and it's possible to prove that it will only do what it's supposed to do, hence no security holes.
I am trolling
Don't go thinking text is safe, there is *no* difference, it's all data.
Data doesn't own boxes, processing it does.
There are places where the networks are not touching, and there are places where they are - Boeing's Lori Gunter
Well, wtf is the program doing processing a document then? Text should be safe, as there is no need for a text document to do things like deleting hard drives or emailing itself to people. Executables and scripts are inherently unsafe, and someone "processing" a script or executable from the internet deserves all they get. But you should be able to "process" a text file without any risk to your computer.
I am trolling
They *should* be able to process *any* data.
Your distinction between text and other forms of data is based on a false premise : that text is safe
if you doubt it see this from a few years ago, where Outlook exposed a buffer overflow problem from INETCOMM.DLL when processing PLAIN TEXT emails (as *all* emails are when transmitted).
I think your response demonstrates a lack of understanding on your part. With a buffer overflow the application used doesn't need to provide the high level actions such as file deleting, that payload is delivered as part of the overflow. The overflow overwrites the return address that the subroutine is using, you change this to point to the data you have provided. Thus the machine "returns" its execution point into the overflowed data. This data can contain any machine code required to perform the actions you would like.
There are places where the networks are not touching, and there are places where they are - Boeing's Lori Gunter
That is an excellent way to cause a stack overflow, or peak the CPU to 100%.
Feed the need: Digitaladdiction.net
Buffer overflows are one thing. But the fact that it's possible to have viruses as word documents when word is behaving according to specification is something completely different.
I am trolling
is something completely different
so why even mention it ?
There are places where the networks are not touching, and there are places where they are - Boeing's Lori Gunter