Slashdot Mirror
3 New Windows Security Problems Found
DotNM writes "USA Today is running a story that outlines three security issues in Microsoft Corporation's popular Windows desktop operating system product. It describes the issues and urges users not to download .hlp files from email attachments. Apparently there are issues, even for a Windows XP system patched with Service Pack Two."
Merry X-Mas from your friends in Redmond! Geez do they even search for flaws on their own?
Millions of grains of sand found!
Smoke me a kipper, I'll be back for breakfast.
"Microsoft Corporation's popular Windows desktop operating system product." /. headline?
What? Is there a minimum number of characters for a
Ha.
According to a report on eWeek.com, one of the three vulnerabilities involves image handling, which has posed problems for Windows and Unix systems in the past. The other two vulnerabilities involve Windows' Help system and its .hlp files, and Windows' ANI (Automatic Number Identification) authentication capabilities.
That's what ANI is in the context of telephone networks. In the context of a Windows system, it's an animated mouse cursor.
Besides, these vulnerabilities were announced yesterday morning on Slashdot!
I claim first use of "Error No. 0B" - or "No. 0B error." It'll be the new ID 10T!
and somehow they dupe the story..
i mean camman, just read back 10 posts and you'll see the exact same story...!
MABASPLOOM!
"A Chinese security group reports..."
.hlp files attached and strongly encouraged to read e-mail in plain-text format to keep malicious images from utilizing LoadImage."
Why does this not inspire confidence?
"Users are urged to block e-mail attachments arriving with
This is new advice? Jeez, now my whole mail paradigm is hosed.
Ignorance is curable, stupid is forever.
Can someone show me the way to an OS with no security issues, please?
/S /Y then reboot. Voilà! No more virus or worm.
Do FORMAT C:
"A door is what a dog is perpetually on the wrong side of" - Ogden Nash
...two turtle doves and a partridge in a pear tree!
> Apparently there are issues...
What has become of the word "problem"? "Issue" is marketdroid-speak.
Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
dupe.
Good Tidings to all, and HO! HO! HO!
Human 1.0 has no known security issues. Isn't always too stable, however. And, like always, it can depend on the administrator.
Apparently there are issues, even for a Windows XP system patched with Service Pack Two.
...
*Gasp* Oh my god! Not SERVICE PACK 2, the horror
Sign up to receive our free Tech e-newsletter and get the latest tech news, Hot Sites & more in your inbox.
E-mail:
Select one: HTML [x] Text [ ]
err....?
Every time new vulnerabilities are announced, they say, "don't do this, don't download that, don't use this or that program/feature/bug". Enough of this has gone on that every program that was of any use in Windows is now unusable for fear of remaining undiscovered holes/patches that didn't take.
;-)
Let's now compile a list of these to give to people in order to convince them to switch to Linux. Meanwhile, so much functionality has been rendered unusable that when the next hole is found, they'll have to tell people not to use Windows at all
Hey, I can dream, can't I?
The difference between spam and poop is that you don't have to dig through septic tanks looking for real food. -- Me
Hey, let me give you all a tip.....even if the future service packs for XP reaches version 10, it will alway be insecure and full of critical issues that are discovered by people other than Microsoft.
At least with Linux, the community usually discovers them first and before the problem is made public there is already a patch available. Now, these poor saps with Windows machines will probably have to wait weeks for a patch. Meanwhile, thier machines are being zombified as I type and turned into spam gateways.
Dupe or not, the emphesized part still brings out the giggles in me.
Not Buzzword 2.0 compliant. Please speak english.
Human 1.0 is a buggy piece of crap. Apparently there's a hard coded uptime limit of somewhere around 16-48 hours, and rebooting takes up to 12 hours, but usually 8.
There are hundreds of DDoS attacks, including something as trivial as a potassium injection attack.
All in all, I can't recommend Human 1.0 for production use yet.
I've had enough abrasive sigs. Kittens are cute and fuzzy.
...urges users not to download .hlp files from email attachments.
.hlp file attachment, or any random attachment that reaches their inbox.
Yet people will continue opening strange attachments.
I hardly blame Microsoft for this with people uneducated enough to open a
Merry Christmas, learn how to use the technology you spend your cash on, etc. Love Wilson.
- Wilson
Actually, models of the human 1.0 that recieved the "Y" chromosome are vulnerable because they will readily accept forbidden fruit packets without verifying the original senders identity. Transmitting such packets via a model of the Human 1.0 bearing only "X" chromosomes ensures 100% deliverability of any packets. This flaw exists because the "Y" model of the Human 1.0 only uses waist-level firmware when interactiong with the "X-only" model.
Even with the daily list of vulnerabilities, viruses, BSOD's, lock-ups, Windows Protection Errors, Ooga-Booga dances to keep the machine running, Windows XP is still the best OS out there! Linux may be stable, virus-free, more secure by design, have tons of free software available, frequent updates, and no restrictions on how many times you install it or where, but it is definitely not ready for the desktop. I mean, it may have more features than Windows, easily connect to just about any type of network service, but really, who can say that it's ready for people to use? So what if it takes under 20 minutes to install a full system with more software than I would ever want to use. Five hours of installation, patching, inserting software cds, installing and updating virus protection, installing effective firewall software, finding device drivers, entering license numbers for an equivalent system in Windows is a small thing compared to what you get with Windows, whatever that means... So what if there are Linux desktops that have not needed rebooting in nearly 2 years, and the only work performed on them was to type "apt-get upgrade dist"? That's just too boring and predictable! What fun is there in that? So what if you can install or upgrade all currently installed software over the internet with one command or by selecting it and clicking install? I'm sorry, but Linux is not ready for the primetime, not "Enterprise" ready. I'm not sure what that means, and frankly I'm not sure anyone else who says that does either, but they are absolutely correct! I can vouch for it.
--dingletec--
Try MS-DOS. No remote root exploits in over 23 years. No new viruses in a decade. No malware. No worms.
Of course, you have other options. You have the classic Mac OS, CP/M, Apple DOS, etc.
My point? Every OS that provides services to the Internet isn't 100% secure. Sure, Linux and *BSD may be more secure than Windows, but Linux and *BSD aren't perfect.
This is old news. If we're going to have articles about security issues with Windows, we might as well just have a static link to Microsoft.com on Slashdot's front page.
Here's one of the permanent security bulletins to put on that static link description: Do NOT open any attachments in Outlook, at all. I mean, this is becoming one of the basic rules like, "Don't touch the stove, little Jimmy.. HOT! Very hot."
Happy Christmas, Harry! Happy Christmas, Ron.
good laugh mpu
SP2 adds NX "protection." While this adds protection against buffer overflows on the stack, it does nothing for overflows on the heap, which can be just as bad. Also, if the return address is simply changed to an address on the heap, code in the heap can be executed. The heap has the executable bit, because of dynamic libraries loaded into the heap.
I mod down pyramid schemes in sigs.
> I hardly blame Microsoft for this with people .hlp file attachment,
> uneducated enough to open a
> or any random attachment that reaches their
> inbox.
Why can you not blame Microsoft for distributing an MUA that executes attachments when they are "clicked" on?
Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
... in 10 Oracle exploits posted on Bugtraq earlier. It's holiday time anyway, those DBs can wait.[/sarcasm]
of shit pack 2 was what? I guess to just add more ineffective bloat ware to everyones computer.
On one customers laptop (auto update allowed) SP2 changed the language to Boznian. Format re-install, dis-able auto screw up.
SP2 and Norton Internet Security 2003, or 2004 will almost always cause enough conflicts to require a R&R.
Professional Politicians are not the solution, they ARE the problem.
Even before this, I've been wondering if there is an alternative to the MS Help viewer (hh.exe) for CHM files, like xCHM in Linux?
I did get xCHM running under Cygwin but for some reason the images don't show up...
This is a sig. Deal with it.
Have you ever tired to educate such a user?
AnamanFan - Trying to find the Truth, one post at a time.
Accurate, but not accurate enough for my taste.
The post should actually read: -kgj
-kgj
But there's a patch for the uptime limit. It usually comes in the form of 8oz. cans.
But you can fight off the attacker who uses the patassium.
Ain't nothing better than Human 1.0. Perfect? No.
SP2 is not vulnerable to the ANI or LoadImage exploits that the article describes. It is however vulnerable to a variation of the hlp heap overflow exploit.
There is no longer anything that can be done with computers that is nontrivial and clearly legal. -- Paul Phillips
You know how on that show Cops, you'll occasionally see some redneck guy being stuffed into a police car? Then, in the background, you can hear his bloodied and bruised other half screaming (usually in a southern accent) 'I love him, don't you take him away!'
This runs through my mind each time another friend of mine replaces his dead Windows box with another. I believe Windows users like to be hit.
There is no way to compare flaws in Windows and Linux, and every attempt to do so is misguided. The reason is that the politics behind disclosure for Microsoft is entirely different than for Linux, so there is no way to link them statistically.
From the classic "there is one error for every thousand lines of code in a mature program" logic, a person could estimate how many bugs are present in both code bases and look at the number of published bugs to see who is covering their butts more. I'd guess Microsoft has more to lose from bad PR, so odds are they have internalized most knowledge about bugs.
-- "Makes Little Debbie look like a pile of puke!" - Moe Szyslak
Yeah! Tell me about it. Nice present from Redmond guys. But let me tell you a happy story! Open Source world gave me the nicest Christmas present I could ever imagine! (well.. I had to download some software and compile a few libraries to make it work, but..)
Linux audio community gave me Yamaha DX-7 synthesizer! This is my dream come true, I can now play some great tunes that made this synthesizer one of the most well known synthesizers. This synthesizer was used on U2's Unforgettable Fire and The Joshua Tree albums. This synthesizer was used by these artists: the Crystal Method, Kraftwerk, Underworld, Orbital, BT, Talking Heads, Brian Eno, Tony Banks, Mike Lindup of Level 42, Jan Hammer, Roger Hodgson, Teddy Riley, Brian Eno, T Lavitz of the Dregs, Sir George Martin, Supertramp, Phil Collins, Stevie Wonder, Daryl Hall, Steve Winwood, Scritti Politti, Babyface, Peter-John Vettese, Depeche Mode, D:Ream, Front 242, U2, A-Ha, Enya, The Cure, Astral Projection, Fluke, Kitaro, Vangelis, Elton John, James Horner, Toto, Donald Fagen, Michael McDonald, Chick Corea, Level 42, Queen, Yes, Michael Boddicker, Julian Lennon, Jean-Michel Jarre, Sneaker Pimps, Greg Phillanganes, Stabbing Westward and Herbie Hancock to name a few.
Can you imagine that? And all this for FREE! Thanks to you guys who made that software synthesizer for Linux!
Wanna have it? Here's where to start.
You see, sometimes the best Christmas presents can be free! Happy Christmas and thank you very much, Open Source world!
...a person could estimate how many bugs are present in both code bases and look at the number of published bugs to see who is covering their butts more.
Just to reinforce my point: the above research still could not be used for any serious arguments. There are just too many unknowns.
-- "Makes Little Debbie look like a pile of puke!" - Moe Szyslak
hlp files (or rather the engine which handles them) are part of windows. Microsoft has said as much in statements in court under oath. Subversion has never been installed on my (linux) computer, so you can't count it as part of linux. If a program is installed by default on most of the "big seven" distros, or just the majority of linux installs (but how would you ever check?) I suppose you could count it as part of linux, but that's probably rather unfair since those distros are far more functional by default than windows is. Finally, slashdot does tend to post flaws in major OSS. Whenever I've had to do a security upgrade, I've always found the story on /..
I am trolling
A help file should be "safe". Like a text file. Like a html file. People should not *run programs* from strange people over the internet, and I blame no one but the users for all the "run this security patch" type viruses, but people should be able to *view documents* from strange people over the internet. After all, that's the main idea behind the web.
I am trolling
There are hundreds of DDoS attacks, including something as trivial as a potassium injection attack.
I prefer the DDoS: hot female co-workers wearing low-cut V-neck sweaters.
-- "Makes Little Debbie look like a pile of puke!" - Moe Szyslak
Three security issues in a short space of time is quite worrying. Compare it to OpenBSD. I would say it's news if something which happens to every os occasionally happens 3 times in quick succession to a particular one, just like it's news if someone has three car crashes in one week.
I am trolling
granted that the world's weasels are lining up six wide to get the next windoze crack out there and on the SANS list. granted that a cardboard sign being held by the highway reading "hit me, take my money, run and have fun" confers greater security than windows. there are still things that need running, according to corporate characters, that require the MS OS to run them.
Now, the real question. is the sandbox secure in virtual PC / XP running on MacOS X, by any chance? I either have to upgrade a machine with XP-SP2 for the fiancee or get her a Mac with VPC on it, due to some work possibilities.
if the sandbox is secure, life will be cool.
anybody know for sure?
if this is supposed to be a new economy, how come they still want my old fashioned money?
I just wanted to point out that somebody at usatoday.com has a sense of humor:
2004-12-24-we-three-winholes_x.htm
Must be doing something right when Bill Gates is the richest man in the world and Microsoft can pay a $600,000 EU fine out of the small change in Steve Ballmers pocket.
You don't get over 90% desktop OS penetration and file formats everyone else is forced to be compatible with unless you're doing something right from a business P.O.V which is, after all what they are - a business.
Conor "You're not married,you haven't got a girlfriend and you've never seen Star Trek? Good Lord!" - Patrick Stewart
Three Windows exploits,
Man, I'm getting tired of that song!
One line blog. I hear that they're called Twitters now.
With so many MUAs existing, I am surprised, for the sake of security, that you wouldn't pick one with native security measurements in it! (Such as simply not showing images by default, in this case.)
Oh, did I forget to mention that Thunderbird does that?
Take off every 'ZIG' !!
I really hate to rain on Timothy's parade, but not only is this story a dupe, it's looking more and more like a hoax. Secunia, no fan of Microsoft, has not even been able to repro any of these on a fully patched SP1 system, much less on an SP2 system. In addition, I tried to repro the last of these on an SP2 system, and could not do so.
Well if you are ready for a good laugh... Check out this story about Google Bombing. The Motley Fool lives up to his name again.
I'm not sure where this information comes from, but some reports think he pulled those numbers out of his ass.
The one vulnerability that does affect SP2 cannot be remotely exploited. So clicking on a link to a .hlp file on web page or email does nothing much. You have to explicitly save the file and then execute it. Check it out yourself here -
...
Not everyone knows or has tools to make .HLP files. So yes that one exploit is worrysome but not much. Just block .HLP files on the mail server for the dumb users who will shoot themselves in the foot no matter what. Also its not like there are tons of sites out there having .HLP files linked in web pages. And even if they are, the user needs to make significant interaction to get exploited. So end result, you are pretty okay on SP2 with sensible users.
http://www.xfocus.net/flashsky/icoExp/ (Do it at your own risk)
That's so much user interaction that its a low risk issue. If you can convince the user to do that then you might as well send him an exe file and tell him to save and execute that. How about sending a gun with instructions - "point at foot and press trigger"
In enterprise settings, where it's actually possible to track such things, that's easier to believe. All the Windows machines are behind the corporate firewall, while the Linux machines are exposed to the world because Linux server easily outnumber Windows servers, at least for world-visible things.
This has nothing to do with home computers, where incompetent Windows users are pitted against equally incompetent Linux users in competition for the title of "most breached OS".
Given that the market value zombie Windows box is about 5 cents, I think we know who's ahead there.
Not that I'm a big fan of Linux security (My Linux box stays behind my OpenBSD firewall.), but comparing it to Windows is pretty funny.
I rarely criticize things I don't care about.
I don't equate amassing wealth is neither a virtue nor a vice.
....
However, the means of attaining it
oops - that wasn't your comment I was referring to - forgive me.
I haven't had a virus or worm in AmigaOS or MorphOS yet... Supposedly they exist, but still never had them.
Now it's just like "Meh".
http://www.macinhack.com
To understand Microsoft's abusiveness, compare the Mozilla browser and any Microsoft product, such as Windows XP.
Mozilla is not perfect. Under some conditions it has huge memory leaks. (Yes, I have reported this to Bugzilla.) Under other conditions it will use 70% of CPU power when no new pages are loaded. It doesn't handle big bookmark files well. But a study of Mozilla shows that in many areas it is excellent. Overall, Mozilla is an honest attempt to build the best browser possible. The shortcomings are easily understood as areas that have not yet received sufficient attention.
Microsoft products are different. Windows 2000 was released while Microsoft's own database showed more than 63,000 areas that Microsoft employees said needed attention. When it was released, Windows XP reportedly had more than 100,000 areas that Microsoft employees said needed attention. There seems to be little idealism in the way Microsoft managers lead the development of products. Microsoft programmers are apparently not allowed to finish their work. Much, much more could be said about this, but, basically, I find stupid unnecessary shortcomings everywhere I look in Microsoft products. In Mozilla, there are large areas of continued excellence.
I'm not sure when it comes to qmail, but the fact that so many audits have been done and none has found any vulnerabilities suggests strongly that there are no vulnerabilities. Anyway, there is a way to ensure you are 100% secure - mathematical proof. It's a lot of work so it's not done that often, but software just does logic and it's possible to prove that it will only do what it's supposed to do, hence no security holes.
I am trolling
Don't go thinking text is safe, there is *no* difference, it's all data.
Data doesn't own boxes, processing it does.
There are places where the networks are not touching,and there are places where they are-Boeing's Lori Gunter
Friends don't buy friends WindowsCE for Christmas.
Or WindowsMobile or whatever the darn thing's called.
There are places where the networks are not touching,and there are places where they are-Boeing's Lori Gunter
Well, wtf is the program doing processing a document then? Text should be safe, as there is no need for a text document to do things like deleting hard drives or emailing itself to people. Executables and scripts are inherently unsafe, and someone "processing" a script or executable from the internet deserves all they get. But you should be able to "process" a text file without any risk to your computer.
I am trolling
They *should* be able to prcess *any* data.
Your distinction between text and other forms of data is based on a false premise : that text is safe
if you doubt it see this from a few years ago, where Outlook exposed a buffer overflow problem from INETCOMM.DLL when processing PLAIN TEXT emails (as *all* emails are when transmitted).
I think your repsonse demonstrates a lack of understanding on your part. With a buffer overflow the apoplication used doesn't need to provide the high level actions such as file deleting, that payload is delivered as part of the overflow. The overflow overwrites the return address that the subroutine is using, you change this to point to the data you have provided. Thus the machine "returns" its executuon point into the overflowed data. This data can contain any machine code required to perform the actions you would like.
There are places where the networks are not touching,and there are places where they are-Boeing's Lori Gunter
That is an excellent way to cause a stack overflow, or peak the CPU to 100%.
Feed the need: Digitaladdiction.net
Buffer overflows are one thing. But the fact that it's possible to have viruses as word documents when word is behaving according to specification is something completely different.
I am trolling
is something completely different
so why even mention it ?
There are places where the networks are not touching,and there are places where they are-Boeing's Lori Gunter