Slashdot Mirror

← Back to Stories (view on slashdot.org)

Three New Microsoft Bulletins

Posted by michael on from the security-is-priority-one dept.

Jimmy M writes "Microsoft has released three security bulletins for January, which correct vulnerabilities in the handling of Icon and Cursor files, Indexing Services, and HTML Help. Bulletin MS05-001 (HTML Help) is the Extremely Critical vulnerability (Demonstration) that Secunia warned about last week - nice to see a quick move from MS. All updates are available from Windows Update."

12 of 224 comments (clear)

  1. Quick? by Anonymous Coward · · Score: 5, Insightful

    The extremely critical exploit was listed on 2004-10-20! It took nearly three months to fix.

    1. Re:Quick? by bonch · · Score: 3, Insightful

      I love when Michael posts every little bulletin from Microsoft to make it appear that it's ridden with security holes. A lot of people here seem to only get their security news from Slashdot. What if Windows allowed arbitrary code execution just from viewing a PDF file? Slashdot would be all over it. And yet, it's one of today's Gentoo vulnerability announcements--Xpdf has a fatal flaw. But such stories get rejected by the editors in favor of more Microsoft.

      LinuxSecurity keeps a running list of daily vulnerability announcements from all the distros. Just click on a distro and be amazed at all the buffer overruns, root exploits, code execution, and more that never get reported on this site.

      "Three New Microsoft Bulletins?" Try 13 new Debian bulletins in the past week. Gentoo has announced 12 since last Sunday alone.

      Why aren't these things announced like Microsoft bulletins are? Because Microsoft articles generate more page hits...which is great for the banner ads. They're using you guys.

      This attitude of the flawless Linux is really, really dangerous, because Linux distros are just as ridden with software holes as Windows systems are accused of being, but you'd never know it if all you did was visit Slashdot...and we all know what a false sense of security leads to...

      Of course, Slashdot shouldn't stop posting about Microsoft vulnerabilities. But snide comments like "security-is-number-one dept." make this place seem like a site of nothing but flamebait for Linux fanboys. There's more to security than just hating Microsoft and ignoring Linux security flaws.

      I know I risk karma for this post, but I'm really shocked at the illogic and immaturity displayed on Slashdot, compared to when it began in the 90s. Laughing about Microsoft bulletins in some weird schadenfreude doesn't make the Linux kernel any less imperfect (see yesterday's article) or its distros (see LinuxSecurity any given day for pages of bulletins all collected together).

    2. Re:Quick? by MarkByers · · Score: 2, Insightful

      You are referring to errors in non-optional non-admin applications in Linux. Gentoo has 7000 packages, but very few of them are required. This fix is for a required, unremovable application which is embedded into the OS and allows a root of a machine simply by visiting a webpage (since like it or not, most Windows users run with admin priveleges). Imagine if a popular website was defaced with an exploit. This is what makes it newsworthy.

      --
      I'll probably be modded down for this...
  2. Nice to know... by bonch · · Score: 2, Insightful

    Nice to know that all software is flawed, because it is made by flawed humans. Nothing is inherently better than the other, Linux or Windows. Don't forget yesterday's Linux security article. Just a friendly reminder before the regularly scheduled Microsoft-bashing...now have at it. :)

  3. Three months is quick? by MarkByers · · Score: 2, Insightful

    Yes nice and quick. Only took nearly three months!

    Release Date: 2004-10-20

    http://secunia.com/advisories/12889/

    --
    I'll probably be modded down for this...
  4. Microsoft's Quick Move by Mr.Ned · · Score: 2, Insightful

    "Bulletin MS05-001 (HTML Help) is the Extremely Critical vulnerability (Demonstration) that Secunia warned about last week - nice to see a quick move from MS."

    Michael, are you kidding me? Read the advisory and the discussion from last week. Microsoft was notified at the beginning of October and has only now gotten around to fixing it.

    1. Re:Microsoft's Quick Move by turnage · · Score: 2, Insightful

      Read the advisory and the discussion from last week. Microsoft was notified at the beginning of October and has only now gotten around to fixing it.

      No, Microsoft was notified at the beginning of October and has only now gotten around to being so sure of their fixes that they're comfortable releasing the patches to tens of millions of computers. There's a big difference.

  5. Icons and cursors, oh my! by FirstTimeCaller · · Score: 4, Insightful

    I don't normally stoop to Microsoft Bashing, but security vulnerabilities in icons and cursors?!?!?

    --
    Wanted: witty unique signature. Must be willing to relocate.
  6. Re:XP SP2 by bonch · · Score: 3, Insightful

    Isn't it funny how Linux kernel versions affected are explicity mentioned in Slashdot's articles on the subject? You'd think the fact SP2 fixed the other two vulnerabilities already would have been an important point to state. It's not like SP2 just came out or anything; what is it, over half a year now?

  7. Re:IE: Zones are a broken concept by Anonymous Coward · · Score: 2, Insightful

    Zones are actually a good idea; it's just that Microsoft did them wrong.

    A reasonable analogy for surfing the Internet is sticking your hand into a trough of water. The section of the trough that represents the Internet is murky, full of parasites and fecal material, and has piranhas in it. You can still stick your hand in there, but you put on your shoulder-length rubber glove first, and put on a chainmail glove & sleeve on top of that. Other parts of the trough have clear water suitable for drinking or enema purposes. You can just dunk your face into that water, eyes open and everything. Other parts vary between those two extremes.

    There are two absolutes that fall out of that model. The first is that the regular Internet is, as a whole, the worst part of the trough. It's not just warez.ru that you have to worry about; you have to worry about cnn.com or bbc.co.uk as well. They are equally dangerous. For one example, suppose someone hacked bbc.co.uk and added a malicious script to it? It's somebody else's computer, and so you cannot trust it. The second absolute is that whatever security measures are in place must partition the trough into discrete zones, with no bleeding across boundaries. If someone on a trusted site has a frame to an untrusted site, and the browser doesn't pick up on that, then the security model is busted.

    Microsoft's zone model doesn't work for a number of reasons. They went about it in their usual ``security last'' way, and assumed that every website in the world would fit nicely into only four zones, and that those should come prenamed with deceptive names. If there's a site on my Local Intranet that I don't trust, then Microsoft's zone scheme works against me. Also, even if they're divided into zones, you're still using Microsoft's braindead security options. IE doesn't have a setting to turn off ``Javascript'' by name. It has several radio buttons for ``scripting,'' but I know what Internet technologies exist as well as the Microsoft guys do. Not listing Javascript by name is deceptive. Also, cookies are a large part of Internet security. I've not used IE since version 4, and it doesn't have a dialog to mark which cookies I want to accept and which I don't. I believe that it does have that now, but I don't know if it's considered a part of the security zones. In short, because it's Microsoft's idea of security, you have to double check to make sure that you force it to line up with real world security.

    IE's approach is more akin to how people browse, though. When I'm configuring my browser, I don't start by saying, "I want all of these sites to store cookies, but none others," then say, "I want all of these sites to use Javascript, but none others." You typically arrange things by site, and those typically fall into several good categories (or zones). At the most extreme, you could need a zone for every site you visit, _plus_ a way to extend that zone to cover IP addresses, for some companies who have unnamed servers doing their eCommerce sites.

  8. Re:Application vs. OS by prisoner-of-enigma · · Score: 2, Insightful

    It is also a problem of monolithic vs. modular programming. Having IE, your window to the internet, being so deeply imbedded into your OS is only asking for problems.

    So, by your logic, if I run Firefox and don't use Outlook, Windows is a great OS to have, eh? You wouldn't know it by the scorn everyone heaps on Windows, but then again this is /., where no good deed of MS goes unignored and no flaw of Linux goes unburied.

    Nobody says you must use the stuff Microsoft gives you. IE can be bypassed without much difficulty, and Outlook is far from the only mail client available for Windows.

    --
    In the end they will lay their freedom at our feet and say to us, Make us your slaves, but feed us. - Fyodor Dostoyevsky
  9. Re:Application vs. OS by Daengbo · · Score: 2, Insightful

    But the point is that you can't bypass it. It's hooked into so many services and programs that a flaw in the IE renderer affects the entire OS. That's dangerous. Firefox doesn't hook to anything. If it did, you'd be in similar danger.

    If I move X into the kernel to gain speed, then move most of the rendering for the screen to xpdf, the xpdf vulnerability becomes a scary thing indeed. I hope that Linux stays as modular as it always has, and I'll sacrifice a little speed for safety. Please don't tell me that I deserve neither!

    --
    Put identity in the browser.