Slashdot Mirror


Three New Microsoft Bulletins

Jimmy M writes "Microsoft has released three security bulletins for January, which correct vulnerabilities in the handling of Icon and Cursor files, Indexing Services, and HTML Help. Bulletin MS05-001 (HTML Help) is the Extremely Critical vulnerability (Demonstration) that Secunia warned about last week - nice to see a quick move from MS. All updates are available from Windows Update."

37 of 224 comments

  1. Quick? by Anonymous Coward · · Score: 5, Insightful

    The extremely critical exploit was listed on 2004-10-20! It took nearly three months to fix.

    1. Re:Quick? by Jugalator · · Score: 2, Informative

      On the other hand, Microsoft posted a workaround for the problem 6 days after Secunia discovered the flaw.

      --
      Beware: In C++, your friends can see your privates!
    2. Re:Quick? by lucabrasi999 · · Score: 4, Funny
      Microsoft posted a workaround for the problem 6 days after Secunia discovered the flaw.

      For those of you that haven't seen the workaround, here is a link.

      Yeah, I know, I know. But it was TOO easy, I couldn't resist....

    3. Re:Quick? by bonch · · Score: 3, Insightful

      I love when Michael posts every little bulletin from Microsoft to make it appear that it's ridden with security holes. A lot of people here seem to only get their security news from Slashdot. What if Windows allowed arbitrary code execution just from viewing a PDF file? Slashdot would be all over it. And yet, it's one of today's Gentoo vulnerability announcements--Xpdf has a fatal flaw. But such stories get rejected by the editors in favor of more Microsoft.

      LinuxSecurity keeps a running list of daily vulnerability announcements from all the distros. Just click on a distro and be amazed at all the buffer overruns, root exploits, code execution, and more that never get reported on this site.

      "Three New Microsoft Bulletins?" Try 13 new Debian bulletins in the past week. Gentoo has announced 12 since last Sunday alone.

      Why aren't these things announced like Microsoft bulletins are? Because Microsoft articles generate more page hits...which is great for the banner ads. They're using you guys.

      This attitude of the flawless Linux is really, really dangerous, because Linux distros are just as ridden with software holes as Windows systems are accused of being, but you'd never know it if all you did was visit Slashdot...and we all know what a false sense of security leads to...

      Of course, Slashdot shouldn't stop posting about Microsoft vulnerabilities. But snide comments like "security-is-number-one dept." make this place seem like a site of nothing but flamebait for Linux fanboys. There's more to security than just hating Microsoft and ignoring Linux security flaws.

      I know I risk karma for this post, but I'm really shocked at the illogic and immaturity displayed on Slashdot, compared to when it began in the 90s. Laughing about Microsoft bulletins in some weird schadenfreude doesn't make the Linux kernel any less imperfect (see yesterday's article) or its distros (see LinuxSecurity any given day for pages of bulletins all collected together).

    4. Re:Quick? by MarkByers · · Score: 2, Insightful

      You are referring to errors in non-optional non-admin applications in Linux. Gentoo has 7000 packages, but very few of them are required. This fix is for a required, unremovable application which is embedded into the OS and allows a root of a machine simply by visiting a webpage (since like it or not, most Windows users run with admin privileges). Imagine if a popular website was defaced with an exploit. This is what makes it newsworthy.

      --
      I'll probably be modded down for this...
  2. XP SP2 by Rolan · · Score: 4, Informative

    It should be noted that those with XP SP2 are only affected by MS05-001.

    --
    - AMW
    1. Re:XP SP2 by bonch · · Score: 3, Insightful

      Isn't it funny how Linux kernel versions affected are explicitly mentioned in Slashdot's articles on the subject? You'd think the fact SP2 fixed the other two vulnerabilities already would have been an important point to state. It's not like SP2 just came out or anything; what is it, over half a year now?

  3. RCE via Active-X, again by Lindsay+Lohan · · Score: 2, Informative

    Microsoft Security Bulletin MS05-001 addresses the cross-domain vulnerability with their HTML Help Active-X control. Microsoft mentions that it's "newly" discovered, but see the proof-of-concept at Security Focus--posted into BugTraq almost a month ago.

    Incidentally, if you're one of those rare Windows users running IE in restricted (ESC) mode, your vulnerability is mitigated... surprise, surprise.

  4. What I find more interesting.. by MrP-(at+work) · · Score: 5, Informative

    It would also seem microsoft released "Malicious Software Removal Tool" on WindowsUpdate

    It finds and fixes some common worms.. They plan on releasing a new version every second Tuesday of each month, and each new version will continue to clean worms from the previous versions.

    Wonder what the antivirus companies think about this

    1. Re:What I find more interesting.. by dewke · · Score: 4, Informative

      I think this sums it up nicely.

      --
      Oderint dum metuant
  5. Nice to know... by bonch · · Score: 2, Insightful

    Nice to know that all software is flawed, because it is made by flawed humans. Nothing is inherently better than the other, Linux or Windows. Don't forget yesterday's Linux security article. Just a friendly reminder before the regularly scheduled Microsoft-bashing...now have at it. :)

    1. Re:Nice to know... by Attitude+Adjuster · · Score: 2, Interesting
      Nothing is inherently better than the other, Linux or Windows. Don't forget yesterday's Linux security article.

      Insightful my ass! This relativist "all views are equally valid" philosophy you've fallen into (along with the main stream media) is complete BS.

      Nothing is perfect, and you should use the right tool for the right job (games == XP, work == Linux for me), for sure, but in terms of security Microsoft's operating systems are fundamentally worse than anything else out there. That doesn't mean that Linux or OSX is perfectly secure, but they're much better than any MS product. Whether you measure it by dollar cost to companies, or number of actual (not theoretical) exploits, MS products are more insecure than any *nix. Don't you even remember the millions of USD damage viruses and worms caused last year on MS systems alone?

      The truth of the matter is that Linux is by default, even without hardening, vastly more secure than XP. And the security gap is increasing, not decreasing.

      If you mean the grsecurity nonsense on ./ yesterday, the only story there is about some big-mouth egotist sounding off and the desperate MS apologists eagerly believing what they want to believe. See this and this .

      In case you were also thinking about the uselib ./ nonsense of Jan 07th (here), Fedora core 2 had the patched kernel available on Jan 03. The public announcement of the problem was after it was fixed and had made its way into distribution updates (unless I'm totally misreading the changelogs). Wasn't the advisory this MS update fixes released months ago? Bit of a difference perhaps?

  6. Three months is quick? by MarkByers · · Score: 2, Insightful

    Yes nice and quick. Only took nearly three months!

    Release Date: 2004-10-20

    http://secunia.com/advisories/12889/

    --
    I'll probably be modded down for this...
  7. Microsoft's Quick Move by Mr.Ned · · Score: 2, Insightful

    "Bulletin MS05-001 (HTML Help) is the Extremely Critical vulnerability (Demonstration) that Secunia warned about last week - nice to see a quick move from MS."

    Michael, are you kidding me? Read the advisory and the discussion from last week. Microsoft was notified at the beginning of October and has only now gotten around to fixing it.

    1. Re:Microsoft's Quick Move by turnage · · Score: 2, Insightful

      Read the advisory and the discussion from last week. Microsoft was notified at the beginning of October and has only now gotten around to fixing it.

      No, Microsoft was notified at the beginning of October and has only now gotten around to being so sure of their fixes that they're comfortable releasing the patches to tens of millions of computers. There's a big difference.

  8. More information... by MrP-(at+work) · · Score: 4, Informative

    This page has more technical information about the tool.

  9. Also: Malicious Software Removal Tool by Rolan · · Score: 2, Interesting
    They also released the "Malicious Software Removal Tool":
    This tool checks your computer for infection by specific, prevalent malicious software (including Blaster, Sasser, and Mydoom) and helps remove any variants found. You should also use an antivirus product to remove other malicious software that may be present. This tool helps maintain your computer, and its appearance does not indicate that your machine is infected with malicious software. After you run this item, you may have to restart your computer.

    Looks like they're finally getting tired of the most common viruses running rampant.
    --
    - AMW
  10. IE: Zones are a broken concept by Tackhead · · Score: 5, Interesting
    Good policy: Deny all, permit selectively.

    Bad policy: Accept all, but let people turn things off.

    Worse policy: Accept all, but let people turn fewer things off depending on four arbitrary "zones" something falls into.

    Worst policy: Make sure the "zones" in question have nothing to do with TCP/IP, netmasks, DNS, or any other networking concept, but make sure they're supported by a proprietary application you've embedded deeply into the OS to facilitate an embrace/extend/extinguish business model.

    Then act all surprised when everyone ends up running at least one of these "zones" (namely the "local" one, which ought to be the most trustworthy) with their proverbial pants down, thereby creating a guaranteed 100% available target for Worm/Spyware/Virus authors.

    Can someone please find the creature responsible for "Internet Zones" and beat him to death with a large wooden mallet?

    1. Re:IE: Zones are a broken concept by adamruck · · Score: 2, Interesting

      ah but you forget the most important point... usability.

      The goal for whoever came up with zones was probably something along the lines of, "let's make security as easy as humanly possible". Adding options in IE that actually relate to real networking would be out of the question then. Then users would start thinking to themselves, "what does this all do, I don't understand this, I'm frustrated, I don't like this". Something which Microsoft would never permit.

      --
      Selling software won't make you money, selling a service will.
    2. Re:IE: Zones are a broken concept by RobertB-DC · · Score: 2, Funny

      Can someone please find the creature responsible for "Internet Zones" and beat him to death with a large wooden mallet?

      I heard the last person to implement such a mind-bogglingly dumb Windows "feature" had to marry Bill Gates.

      Maybe Bill would take on the developer of the Internet Zones "feature" as a mistress?

      --
      Stressed? Me? Of course not. Stress is what a rubber band feels before it breaks, silly.
    3. Re:IE: Zones are a broken concept by Anonymous Coward · · Score: 2, Insightful

      Zones are actually a good idea; it's just that Microsoft did them wrong.

      A reasonable analogy for surfing the Internet is sticking your hand into a trough of water. The section of the trough that represents the Internet is murky, full of parasites and fecal material, and has piranhas in it. You can still stick your hand in there, but you put on your shoulder-length rubber glove first, and put on a chainmail glove & sleeve on top of that. Other parts of the trough have clear water suitable for drinking or enema purposes. You can just dunk your face into that water, eyes open and everything. Other parts vary between those two extremes.

      There are two absolutes that fall out of that model. The first is that the regular Internet is, as a whole, the worst part of the trough. It's not just warez.ru that you have to worry about; you have to worry about cnn.com or bbc.co.uk as well. They are equally dangerous. For one example, suppose someone hacked bbc.co.uk and added a malicious script to it? It's somebody else's computer, and so you cannot trust it. The second absolute is that whatever security measures are in place must partition the trough into discrete zones, with no bleeding across boundaries. If someone on a trusted site has a frame to an untrusted site, and the browser doesn't pick up on that, then the security model is busted.

      Microsoft's zone model doesn't work for a number of reasons. They went about it in their usual ``security last'' way, and assumed that every website in the world would fit nicely into only four zones, and that those should come prenamed with deceptive names. If there's a site on my Local Intranet that I don't trust, then Microsoft's zone scheme works against me. Also, even if they're divided into zones, you're still using Microsoft's braindead security options. IE doesn't have a setting to turn off ``Javascript'' by name. It has several radio buttons for ``scripting,'' but I know what Internet technologies exist as well as the Microsoft guys do. Not listing Javascript by name is deceptive. Also, cookies are a large part of Internet security. I've not used IE since version 4, and it doesn't have a dialog to mark which cookies I want to accept and which I don't. I believe that it does have that now, but I don't know if it's considered a part of the security zones. In short, because it's Microsoft's idea of security, you have to double check to make sure that you force it to line up with real world security.

      IE's approach is more akin to how people browse, though. When I'm configuring my browser, I don't start by saying, "I want all of these sites to store cookies, but none others," then say, "I want all of these sites to use Javascript, but none others." You typically arrange things by site, and those typically fall into several good categories (or zones). At the most extreme, you could need a zone for every site you visit, _plus_ a way to extend that zone to cover IP addresses, for some companies who have unnamed servers doing their eCommerce sites.

    4. Re:IE: Zones are a broken concept by SunFan · · Score: 2, Funny
      If they started to make security easier, then why didn't they finish the job? That's like putting seat belts in a car but forgetting to bolt the seats to the floor.

      --
      -- Microsoft is the most expensive commodity operating system and office suite vendor in the marketplace.
  11. Icons and cursors, oh my! by FirstTimeCaller · · Score: 4, Insightful

    I don't normally stoop to Microsoft Bashing, but security vulnerabilities in icons and cursors?!?!?

    --
    Wanted: witty unique signature. Must be willing to relocate.
    1. Re:Icons and cursors, oh my! by evilmousse · · Score: 2, Funny
      hey, don't knock it--security holes in mere font files made xboxen nice and soft-moddable. ^_-

  12. Re:Spite by RAMMS+EIN · · Score: 4, Informative

    ``How many will reply to me saying I'm out of my mind?''

    At least one. The vulnerability was updated on 2004-10-21. That means it existed at least about 3 months before the fix. I don't know about you, but I don't call that quick.

    --
    Please correct me if I got my facts wrong.
  13. It should read ... by ph4rmb0y · · Score: 3, Funny

    Fixes available via Windows Media Player ...

  14. MS05-003 on Win2K by chiagoo · · Score: 3, Interesting

    I find this part of the security bulletin especially interesting:

    "Windows 2000 is not affected by this vulnerability. However the additional security-related change does affect Windows 2000 and we recommend customers install this update."

    The old adage usually goes "if it ain't broke, don't fix it". Why would they ask people to patch something that isn't broken? Does this indicate that they expect to find a similar flaw in the indexing service on Win2K?

  15. Some clarifications and important notes by Jugalator · · Score: 5, Informative

    First, Secunia released the advisory for Windows security update 890175 (MS05-001) on 2004-10-20. Secunia linked to a workaround for the flaw 8 days after this, that was posted by Microsoft. Secunia increased the severity rating on 2005-01-07, and 4 days later, Microsoft has now posted an actual fix.

    Now, the story, unfortunately for Windows users, and fortunately for e.g. open source evangelists: it seems like there are some things to be aware of if you need to uninstall the fix, for example due to possible problems caused by this fix, which are mentioned here, under the "Known Issues" heading.

    In other words, we're talking about one issue that may appear as a direct consequence of installing this (my first link) and another one if you then decide to uninstall this fix (my second link).

    Of course, if you aren't subject to the first problem, you don't need to do a thing and you are indeed living in the environment Microsoft was crossing their fingers for that you would be in.

    --
    Beware: In C++, your friends can see your privates!
  16. At least by bonch · · Score: 2, Informative

    At least it's not in the kernel...

    I've seen plenty of weird things in Linux distros, like privilege escalation in MPlayer. MPlayer, a video player! People really need to start paying attention to LinuxSecurity and witness all the monthly vulnerabilities for their distros. They rarely get mentioned on Slashdot (for whatever reason).

    Random sampling from Gentoo's advisory list:

    Gentoo: HylaFAX hfaxd unauthorized login vulnerability
    Date: Tuesday, 11 January 2005
    HylaFAX is subject to a vulnerability in its username matching code, potentially allowing remote users to bypass access control lists.

    Gentoo: o3read Buffer overflow during file conversion
    Date: Tuesday, 11 January 2005
    A buffer overflow in o3read allows an attacker to execute arbitrary code by way of a specially crafted XML file.

    Gentoo: imlib2 Buffer overflows in image decoding
    Date: Tuesday, 11 January 2005
    Multiple overflows have been found in the imlib2 library image decoding routines, potentially allowing the execution of arbitrary code.

    Gentoo: Kpdf, Koffice More vulnerabilities in included Xpdf

    Date: Tuesday, 11 January 2005
    KPdf and KOffice both include vulnerable Xpdf code to handle PDF files, making them vulnerable to the execution of arbitrary code if a user is enticed to view a malicious PDF file.

    ...and these were announced on one day! Notice Slashdot is silent.

  17. Sure, why not? by Anonymous+Brave+Guy · · Score: 3, Informative
    Seriously now. How the hell did they work that one in? Security flaws in Icon files.

    Perhaps the same way as the widely-used and open source libpng library had a number of vulnerabilities last year? (ref 1, ref 2)

    Or the same sort of way the Mozilla XBM vulnerability arose? (ref)

    This isn't a new thing, and it's not unique to Microsoft, either.

    --
    If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
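As an added illustration of how a file format as mundane as an icon can carry a vulnerability (this block was written for this page; it is not code from the original thread, from any poster, or from Microsoft), here is a bounds-checked parser for the ICONDIR/ICONDIRENTRY directory that opens every .ico and .cur file. The field layout follows the documented format; ICO_MAX_ENTRIES, the ico_demo helper and the 62-byte sample file are constructed for this example and are assumptions, not part of any real decoder. Every directory field is attacker-controlled: idCount sizes a loop and an allocation, and dwBytesInRes and dwImageOffset are 32-bit values whose sum can wrap, so each is checked against the real buffer length on its own.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define ICO_HDR_LEN     6   /* ICONDIR: idReserved, idType, idCount (little-endian WORDs) */
#define ICO_ENTRY_LEN   16  /* one ICONDIRENTRY */
#define ICO_MAX_ENTRIES 64  /* assumed policy cap for this example, not a format limit */

typedef struct {
    unsigned width, height;    /* bWidth/bHeight; 0 in the file means 256 */
    uint32_t bytes_in_res;     /* dwBytesInRes: size of the image payload */
    uint32_t image_offset;     /* dwImageOffset: payload position from file start */
} ico_entry_t;

enum {
    ICO_E_TRUNCATED = -1,   /* shorter than the fixed header */
    ICO_E_RESERVED  = -2,   /* idReserved != 0 */
    ICO_E_TYPE      = -3,   /* idType is neither 1 (icon) nor 2 (cursor) */
    ICO_E_COUNT     = -4,   /* zero entries, over the cap, or directory larger than file */
    ICO_E_RANGE     = -5    /* payload empty, overlapping the directory, or outside the file */
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i)); }

/* Parses the directory of an .ico/.cur image held in buf[0..len).
 * Returns the entry count (> 0) and fills out[0..count) on success, or a
 * negative ICO_E_* code (out[] is then unspecified). */
int ico_parse_dir(const uint8_t *buf, size_t len, ico_entry_t *out, size_t max_out)
{
    if (len < ICO_HDR_LEN) return ICO_E_TRUNCATED;
    if (rd16(buf) != 0) return ICO_E_RESERVED;
    uint16_t type = rd16(buf + 2);
    if (type != 1 && type != 2) return ICO_E_TYPE;

    /* idCount drives both a loop and the caller's allocation; validate it
       against what the file can actually hold before trusting it. */
    uint16_t count = rd16(buf + 4);
    if (count == 0 || count > max_out) return ICO_E_COUNT;
    if ((size_t)count * ICO_ENTRY_LEN > len - ICO_HDR_LEN) return ICO_E_COUNT;
    size_t dir_end = ICO_HDR_LEN + (size_t)count * ICO_ENTRY_LEN;

    for (size_t i = 0; i < count; i++) {
        const uint8_t *e = buf + ICO_HDR_LEN + i * ICO_ENTRY_LEN;
        uint32_t size = rd32(e + 8);
        uint32_t off  = rd32(e + 12);
        /* off + size can wrap in 32 bits, so never test "off + size <= len";
           compare each operand against len on its own. */
        if (size == 0 || off < dir_end) return ICO_E_RANGE;
        if (off > len || size > len - off) return ICO_E_RANGE;
        out[i].width  = e[0] ? e[0] : 256;
        out[i].height = e[1] ? e[1] : 256;
        out[i].bytes_in_res = size;
        out[i].image_offset = off;
    }
    return (int)count;
}

/* Constructed 62-byte sample: a one-entry 16x16 icon whose payload is only a
   BITMAPINFOHEADER stub (no pixel data), enough to exercise the directory
   checks. count/size/off are caller-chosen so hostile variants can be built. */
static size_t build_sample(uint8_t dst[64], uint16_t count, uint32_t size, uint32_t off)
{
    static const uint8_t bih[40] = { 40, 0, 0, 0,  16, 0, 0, 0,  32, 0, 0, 0,  1, 0, 32, 0 };
    memset(dst, 0, 64);
    wr16(dst, 0); wr16(dst + 2, 1); wr16(dst + 4, count);
    dst[6] = 16; dst[7] = 16;                 /* bWidth, bHeight */
    wr16(dst + 10, 1); wr16(dst + 12, 32);    /* wPlanes, wBitCount */
    wr32(dst + 14, size); wr32(dst + 18, off);/* dwBytesInRes, dwImageOffset */
    memcpy(dst + 22, bih, sizeof bih);
    return 22 + sizeof bih;
}

/* Builds a sample with the given directory fields and returns the parser's verdict. */
int ico_demo(uint16_t count, uint32_t size, uint32_t off)
{
    uint8_t file[64];
    ico_entry_t entries[ICO_MAX_ENTRIES];
    size_t len = build_sample(file, count, size, off);
    return ico_parse_dir(file, len, entries, ICO_MAX_ENTRIES);
}

int main(void)
{
    printf("benign           : %d\n", ico_demo(1, 40, 22));          /* 1 entry */
    printf("huge dwBytesInRes: %d\n", ico_demo(1, 0xFFFFFFF0u, 22)); /* ICO_E_RANGE */
    printf("offset wraps     : %d\n", ico_demo(1, 40, 0xFFFFFFF0u)); /* ICO_E_RANGE */
    printf("offset in dir    : %d\n", ico_demo(1, 40, 4));           /* ICO_E_RANGE */
    printf("idCount 65535    : %d\n", ico_demo(0xFFFF, 40, 22));     /* ICO_E_COUNT */
    return 0;
}
```

Build with `cc -std=c99 -Wall ico_dir.c`. The five cases in main are a benign file and four hostile directories; a decoder that trusted any one of those fields (looping on idCount, or adding offset and size in 32 bits before comparing with the file length) is exactly the shape of bug that turns an icon into a code-execution vector, whether the parser lives in Windows, libpng or a browser.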
  18. Re:Nothing is inherently better than the other by lucabrasi999 · · Score: 3, Funny
    uhhhm you missed his point

    Totally OT, but you missed the replier's point. When you disagree with someone, you have at least two options. You could:

    1) Submit a post that provides an argument, preferably backed up with some data.
    2) You could call the original poster a "chump" (or some other disparaging remark) and use a meaningless comparison as your discussion point.

    Guess which of these two options is better?

  19. word grouping? by martyb · · Score: 2, Funny

    Hmmm, word grouping makes a difference!

    Given reports that the Malicious Software Removal Tool has identified benign programs (e.g. VNC) as infected, maybe BOTH of the following groupings apply!

    Is this a:

    • a Tool that performs the Removal of Malicious Software?
      i.e. (Malicious Software) (Removal Tool)

      OR

    • a Tool that looks around and Maliciously performs the Removal of Software?
      i.e. (Malicious) (Software Removal Tool)

    Freudian slip?

  20. Application vs. OS by obsid1an · · Score: 4, Interesting
    You need to make the distinction of application vs OS. With MS, IE is part of the OS. Something that exploits IE also exploits the OS. Now look at the Xpdf flaw you presented:

    An attacker could entice a user to open a specially-crafted PDF file, potentially resulting in the execution of arbitrary code with the rights of the user running the affected utility.

    That is not a linux problem. That is an Xpdf problem. Xpdf is letting the maker of a PDF file gain the rights that the Xpdf program normally has. Now, if this exploit allowed the user to gain root access (assuming the current user is not root) there would be a tad more going on as Xpdf should never have root access.

    Now this isn't to say linux is perfect, but saying that every linux application security bug is the fault of linux isn't true either. However, this really comes down to the design differences between linux and windows. Running linux as root all the time can be just as dangerous as windows.

    It is also a problem of monolithic vs. modular programming. Having IE, your window to the internet, being so deeply embedded into your OS is only asking for problems.

    1. Re:Application vs. OS by prisoner-of-enigma · · Score: 2, Insightful

      It is also a problem of monolithic vs. modular programming. Having IE, your window to the internet, being so deeply embedded into your OS is only asking for problems.

      So, by your logic, if I run Firefox and don't use Outlook, Windows is a great OS to have, eh? You wouldn't know it by the scorn everyone heaps on Windows, but then again this is /., where no good deed of MS goes unignored and no flaw of Linux goes unburied.

      Nobody says you must use the stuff Microsoft gives you. IE can be bypassed without much difficulty, and Outlook is far from the only mail client available for Windows.

      --
      In the end they will lay their freedom at our feet and say to us, Make us your slaves, but feed us. - Fyodor Dostoyevsky
    2. Re:Application vs. OS by Daengbo · · Score: 2, Insightful

      But the point is that you can't bypass it. It's hooked into so many services and programs that a flaw in the IE renderer affects the entire OS. That's dangerous. Firefox doesn't hook to anything. If it did, you'd be in similar danger.

      If I move X into the kernel to gain speed, then move most of the rendering for the screen to xpdf, the xpdf vulnerability becomes a scary thing indeed. I hope that Linux stays as modular as it always has, and I'll sacrifice a little speed for safety. Please don't tell me that I deserve neither!

  21. Re:Beware of favicons... by zerblat · · Score: 2, Informative
    neither has a way to block the display of these icons.
    Actually, in Firefox, set browser.chrome.favicons and browser.chrome.site_icons to false, and you shouldn't see any favicons.
    --
    Please alter my pants as fashion dictates.
  22. Re:Good, now they can start work on the one from 2 by psyon1 · · Score: 2, Informative

    This plugin is part of Visual Studio version 6. However, since the plugin is digitally signed by Microsoft, it may be silently installed through Internet Explorer by any website. The user doesn't have to have Visual Studio installed, they only have to visit a page using the control. And like it states, the control is digitally signed, so it's supposed to be safe, right? "Always allow content from Microsoft.com" is one of the funniest things I've ever seen on computers.