Slashdot Mirror

← Back to Stories (view on slashdot.org)

Three New Microsoft Bulletins

Posted by michael on from the security-is-priority-one dept.

Jimmy M writes "Microsoft has released three security bulletins for January, which correct vulnerabilities in the handling of Icon and Cursor files, Indexing Services, and HTML Help. Bulletin MS05-001 (HTML Help) is the Extremely Critical vulnerability (Demonstration) that Secunia warned about last week - nice to see a quick move from MS. All updates are available from Windows Update."

7 of 224 comments (clear)

  1. Also: Malicious Software Removal Tool by Rolan · · Score: 2, Interesting
    They also released the "Malicious Software Removal Tool":
    This tool checks your computer for infection by specific, prevalent malicious software (including Blaster, Sasser, and Mydoom) and helps remove any variants found. You should also use an antivirus product to remove other malicious software that may be present. This tool helps maintain your computer, and its appearance does not indicate that your machine is infected with malicious software. After you run this item, you may have to restart your computer.

    Looks like they're finally getting tired of the most common viruses running rampant.
    --
    - AMW
  2. Spite by FortKnox · · Score: 1, Interesting

    nice to see a quick move from MS

    MS does something good. How many people will still insult this statement just outta spite for MS? How many will reply to me saying I'm out of my mind?

    I'm already a comment wading in the anti-MS sludge. Will people see MS is trying to do the right thing?

    --
    Good quote, too many chars. Seriously, the slashdot 120 char limit sucks!
  3. IE: Zones are a broken concept by Tackhead · · Score: 5, Interesting
    Good policy: Deny all, permit selectively.

    Bad policy: Accept all, but let people turn things off.

    Worse policy: Accept all, but let people turn fewer things off depending on four arbitrary "zones" something falls into.

    Worst policy: Make sure the "zones" in question have nothing to do with TCP/IP, netmasks, DNS, or any other networking concept, but make sure they're supported by a proprietary application you've embedded deeply into the OS to facilitate an embrace/extend/extinguish business model.

    Then act all surprised when everyone ends up running at least one of these "zones" (namely the "local" one, which ought to be the most trustworthy) with their proverbial pants down, thereby creating a guaranteed 100% available target for Worm/Spyware/Virus authors.

    Can someone please find the creature responsible for "Internet Zones" and beat him to death with a large wooden mallet?

    1. Re:IE: Zones are a broken concept by adamruck · · Score: 2, Interesting

      ah but you forget the most important point... useability.

      The goal for whoever came up with zones was probably something along the lines of, "lets make security as easy as humanly possible". Adding options in IE that actually relate to real networking would be out of the question then. Then users would start thinking to themselves, "what does this all do, I dont understand this, im fustrated, I dont like this". Something which microsoft would never permit.

      --
      Selling software wont make you money, selling a service will.
  4. MS05-003 on Win2K by chiagoo · · Score: 3, Interesting

    I find this part of the security bulletin especially interesting:

    "Windows 2000 is not affected by this vulnerability. However the additional security-related change does affect Windows 2000 and we recommend customers install this update."

    The old adage usually goes "if it ain't broke, don't fix it". Why would they ask people to patch something that isn't broken? Does this indicate that they expect to find a similar flaw in the indexing service on Win2K?

  5. Re:Nice to know... by Attitude+Adjuster · · Score: 2, Interesting
    Nothing is inherently better than the other, Linux or Windows. Don't forget yesterday's Linux security article.

    Insightful my ass! This relativist "all views are equally valid" philosophy you've fallen into (along with the main stream media) is complete BS.

    Nothing is perfect, and you should use the right tool for the right job (games == XP, work == Linux for me), for sure, but in terms of security Microsoft's operating systems are fundamentally worse than anything else out there. That doesn't mean that Linux or OSX is perfectly secure, but they're much better than any MS product. Whether you measure it by dollar cost to companies, or number of actual (not theoretical) exploits, MS products are more insecure than any *nix. Don't you even remember the millions of USD damage viruses and worms caused last year on MS systems alone?

    The truth of the matter is that Linux is by default, even without hardening, vastly more secure than XP. And the security gap is increasing, not decreasing.

    If you mean the grsecurity nonsense on ./ yesterday, the only story there is about some big-mouth egotist sounding off and the desperate MS apologists eagerly believing what they want to believe. See this and this .

    In case you were also thinking about the uselib ./ nonsense of Jan 07th (here), Fedora core 2 had the patched kernel available on Jan 03. The public announcement of the problem was after it was fixed and had made it way into distribution updates (unless I'm totally misreading the changelogs). Wasn't the advisory this MS update fixes was released months ago. Bit of a difference perhaps?

  6. Application vs. OS by obsid1an · · Score: 4, Interesting
    You need to make the distinction of application vs OS. With MS, IE is part of the OS. Something that exploits IE also exploits the OS. Now look at the Xpdf flaw you presented:

    An attacker could entice a user to open a specially-crafted PDF file, potentially resulting in the execution of arbitrary code with the rights of the user running the affected utility.

    That is not a linux problem. That is an Xpdf problem. Xpdf is letting the maker of a PDF file gain the rights that the Xpdf program normally has. Now, if this exploit allowed the user to gain root access (assuming the current user is not root) there would be a tad more going on as Xpdf should never have root access.

    Now this isn't to say linux is perfect, but saying that every linux application security bug is the fault of linux isn't true either. However, this really comes down to the design differences between linux and windows. Running linux as root all the time can be just as dangerous as windows.

    It is also a problem of monolithic vs. modular programming. Having IE, your window to the internet, being so deeply imbedded into your OS is only asking for problems.