3 New Windows Security Problems Found

DotNM writes "USA Today is running a story that outlines three security issues in Microsoft Corporation's popular Windows desktop operating system product. It describes the issues and urges users not to download .hlp files from email attachments. Apparently there are issues, even for a Windows XP system patched with Service Pack Two."

"Issues"?

[John+Hasler]

> Apparently there are issues...

What has become of the word "problem"? "Issue" is marketdroid-speak.

News flash

[SQLz]

....even for a Windows XP system patched with Service Pack Two.

Hey, let me give you all a tip.....even if the future service packs for XP reaches version 10, it will alway be insecure and full of critical issues that are discovered by people other than Microsoft.

At least with Linux, the community usually discovers them first and before the problem is made public there is already a patch available. Now, these poor saps with Windows machines will probably have to wait weeks for a patch. Meanwhile, thier machines are being zombified as I type and turned into spam gateways.

Re:News flash

[skinfitz]

ANYONE can make OSS, release it, and have 10k+ security holes in it.

...and therein lies a weakness. Sure if you take a major project like Apache or MySQL then they will be scrutinised very carefully, however one could also argue that this increases risk as a skilled hax0r could spot a potential exploit in a way they couldn't with closed source (which, I will wager is what happened with Santy). There are (obviously) arguments for and against closed / open source, however if I may remind you of your own comment:

At least with Linux, the community usually discovers them first and before the problem is made public there is already a patch available.

And we compare this to the Santy situation, sure - there was a patch and workaround issued quickly, however 670,000+ sites still got compromised; it doesn't matter how quickly a patch is issued - once a fast spreading worm is in the wild the only thing that is a working defence is good basic security principles, such as you already mentioned, setting correct file permissions. If a worm can cover the planet in 15 minutes you ain't going to be hearing about the exploit and patching your box in that time. We humans are simply too slow. There is no substitute for a skilled admin. As you say, the code is only as good as the coders, and if that code isn't being checked by anyone who is skilled enough to spot these problems and it's just so damn useful (i.e. phpBB) that it becomes popular and therefore gets installed by lots of people who don't apply basic security principles then we have all of the ingredients for a potentially serious problem.

I'm not having a go at you here, I'm merely pointing out that it is unwise to be lulled into a false sense of security just because one uses OSS.

Re:News flash

[SQLz]

The same can be said?? What I said was vulnerabilies are not being found by Microsoft but by crackers or security groups. The vuln with exploit code is then released into the wild, then MS patches days, weeks, even months after the exploit code is out. Name an open source project that waits even a week to patch a critical hole?

With open source, the vuln is usually found by the ones developing the project or a group that has forked the code. The patch and new version is released before the exploit code. So, when an exploit comes out, you have a place to go to get a patch.

These vulnerabilies are STILL not fixed. Its been like 4 or 5 days.

People could still use internet safety education

[VanillaDeath]

...urges users not to download .hlp files from email attachments.

Yet people will continue opening strange attachments.
I hardly blame Microsoft for this with people uneducated enough to open a .hlp file attachment, or any random attachment that reaches their inbox.
Merry Christmas, learn how to use the technology you spend your cash on, etc. Love Wilson.

Re:OMG, an OS with security issues...

[linguae]

Can someone show me the way to an OS with no security issues, please?

Try MS-DOS. No remote root exploits in over 23 years. No new viruses in a decade. No malware. No worms.

Of course, you have other options. You have the classic Mac OS, CP/M, Apple DOS, etc.

My point? Every OS that provides services to the Internet isn't 100% secure. Sure, Linux and *BSD may be more secure than Windows, but Linux and *BSD aren't perfect.

Re:ANI...

[Stile+65]

If you look at the actual vulnerability, the problem is when a frame number in an animated cursor file is set to zero. Therefore, the article is still wrong.

Re:Linux Flaws

[upsidedown_duck]

There is no way to compare flaws in Windows and Linux, and every attempt to do so is misguided. The reason is that the politics behind disclosure for Microsoft is entirely different than for Linux, so there is no way to link them statistically.

From the classic "there is one error for every thousand lines of code in a mature program" logic, a person could estimate how many bugs are present in both code bases and look at the number of published bugs to see who is covering their butts more. I'd guess Microsoft has more to lose from bad PR, so odds are they have internalized most knowledge about bugs.

Re:Surprise, Surprise...

[IdleTime]

You seems to be a bit out of touch with reality....

The averege user have no clue that they should not open attachements. The average user don't read media that warns about not opening attachments. The watch Desparate Housewifes and Biker Build-off and Cops and Americas Funniest Videos.

Don't for one second think that the average user has any clue about what to do or not do in Windows oe any other OS for that matter.

Re:In other Words

[flatface]

Why would anyone -want- a home invasion or rape? If you want it, then it's not invasion or rape.