Slashdot Mirror

← Back to Stories (view on slashdot.org)

Three New Microsoft Bulletins

Posted by michael on from the security-is-priority-one dept.

Jimmy M writes "Microsoft has released three security bulletins for January, which correct vulnerabilities in the handling of Icon and Cursor files, Indexing Services, and HTML Help. Bulletin MS05-001 (HTML Help) is the Extremely Critical vulnerability (Demonstration) that Secunia warned about last week - nice to see a quick move from MS. All updates are available from Windows Update."

17 of 224 comments (clear)

  1. Quick? by Anonymous Coward · · Score: 5, Insightful

    The extremely critical exploit was listed on 2004-10-20! It took nearly three months to fix.

    1. Re:Quick? by lucabrasi999 · · Score: 4, Funny
      Microsoft posted a workaround for the problem 6 days after Secunia discovered the flaw.

      For those of you that haven't seen the workaround, here is a link.

      Yeah, I know, I know. But it was TOO easy, I couldn't resist....

    2. Re:Quick? by bonch · · Score: 3, Insightful

      I love when Michael posts every little bulletin from Microsoft to make it appear that it's ridden with security holes. A lot of people here seem to only get their security news from Slashdot. What if Windows allowed arbitrary code execution just from viewing a PDF file? Slashdot would be all over it. And yet, it's one of today's Gentoo vulnerability announcements--Xpdf has a fatal flaw. But such stories get rejected by the editors in favor of more Microsoft.

      LinuxSecurity keeps a running list of daily vulnerability announcements from all the distros. Just click on a distro and be amazed at all the buffer overruns, root exploits, code execution, and more that never get reported on this site.

      "Three New Microsoft Bulletins?" Try 13 new Debian bulletins in the past week. Gentoo has announced 12 since last Sunday alone.

      Why aren't these things announced like Microsoft bulletins are? Because Microsoft articles generate more page hits...which is great for the banner ads. They're using you guys.

      This attitude of the flawless Linux is really, really dangerous, because Linux distros are just as ridden with software holes as Windows systems are accused of being, but you'd never know it if all you did was visit Slashdot...and we all know what a false sense of security leads to...

      Of course, Slashdot shouldn't stop posting about Microsoft vulnerabilities. But snide comments like "security-is-number-one dept." make this place seem like a site of nothing but flamebait for Linux fanboys. There's more to security than just hating Microsoft and ignoring Linux security flaws.

      I know I risk karma for this post, but I'm really shocked at the illogic and immaturity displayed on Slashdot, compared to when it began in the 90s. Laughing about Microsoft bulletins in some weird schadenfreude doesn't make the Linux kernel any less imperfect (see yesterday's article) or its distros (see LinuxSecurity any given day for pages of bulletins all collected together).

  2. XP SP2 by Rolan · · Score: 4, Informative

    It should be noted that those with XP SP2 are only affected by MS005-01.

    --
    - AMW
    1. Re:XP SP2 by bonch · · Score: 3, Insightful

      Isn't it funny how Linux kernel versions affected are explicity mentioned in Slashdot's articles on the subject? You'd think the fact SP2 fixed the other two vulnerabilities already would have been an important point to state. It's not like SP2 just came out or anything; what is it, over half a year now?

  3. What I find more interesting.. by MrP-(at+work) · · Score: 5, Informative

    It would also seem microsoft released "Malicious Software Removal Tool" on WindowsUpdate

    It finds and fixes some common worms.. They plan on releasing a new version every second Tuesday of each month, and each new version will continue to clean worms from the previous versions.

    Wonder what the antivirus companies think about this

    --
    [an error occurred while processing this directive]
    1. Re:What I find more interesting.. by dewke · · Score: 4, Informative

      I think this sums it up nicely.

      --
      Oderint dum metuant
  4. More information... by MrP-(at+work) · · Score: 4, Informative

    This page has more technical information about the tool.

    --
    [an error occurred while processing this directive]
  5. IE: Zones are a broken concept by Tackhead · · Score: 5, Interesting
    Good policy: Deny all, permit selectively.

    Bad policy: Accept all, but let people turn things off.

    Worse policy: Accept all, but let people turn fewer things off depending on four arbitrary "zones" something falls into.

    Worst policy: Make sure the "zones" in question have nothing to do with TCP/IP, netmasks, DNS, or any other networking concept, but make sure they're supported by a proprietary application you've embedded deeply into the OS to facilitate an embrace/extend/extinguish business model.

    Then act all surprised when everyone ends up running at least one of these "zones" (namely the "local" one, which ought to be the most trustworthy) with their proverbial pants down, thereby creating a guaranteed 100% available target for Worm/Spyware/Virus authors.

    Can someone please find the creature responsible for "Internet Zones" and beat him to death with a large wooden mallet?

  6. Icons and cursors, oh my! by FirstTimeCaller · · Score: 4, Insightful

    I don't normally stoop to Microsoft Bashing, but security vulnerabilities in icons and cursors?!?!?

    --
    Wanted: witty unique signature. Must be willing to relocate.
  7. Re:Spite by RAMMS+EIN · · Score: 4, Informative

    ``How many will reply to me saying I'm out of my mind?''

    At least one. The vulnerability was updated on 2004-10-21. That means it existed at least about 3 months before the fix. I don't know about you, but I don't call that quick.

    --
    Please correct me if I got my facts wrong.
  8. It should read ... by ph4rmb0y · · Score: 3, Funny

    Fixes available via Windows Media Player ...

  9. MS05-003 on Win2K by chiagoo · · Score: 3, Interesting

    I find this part of the security bulletin especially interesting:

    "Windows 2000 is not affected by this vulnerability. However the additional security-related change does affect Windows 2000 and we recommend customers install this update."

    The old adage usually goes "if it ain't broke, don't fix it". Why would they ask people to patch something that isn't broken? Does this indicate that they expect to find a similar flaw in the indexing service on Win2K?

  10. Some clarifications and important notes by Jugalator · · Score: 5, Informative

    First, Secunia released the advisory for Windows security update 890175 (MS05-001) back in 2004-10-20. Secunia linked to a workaround for the flaw 8 days after this, that was posted by Microsoft. Secunia increased the severity rating in 2005-01-07, and 4 days later, Microsoft has now posted an actual fix.

    Now, the story, unfortunately for Windows users, and fortunately for e.g. open source evangelists, it seems like there is some things to be aware of if needing to uninstall the fix, for example due to possible problems caused by this fix, which are mentioned here, under the "Known Issues" heading.

    In other words, we're talking about one issue that may appear as a direct consequence of installing this (my first link) and another one if you then decide to uninstall this fix (my second link).

    Of course, if you aren't subject to the first problem, you don't need to do a thing and you are indeed living in the environment Microsoft was crossing their fingers for that you would be in.

    --
    Beware: In C++, your friends can see your privates!
  11. Sure, why not? by Anonymous+Brave+Guy · · Score: 3, Informative
    Seriously now. How the hell did they work that one in? Security flaws in Icon files.

    Perhaps the same way as the widely-used and open source libpng library had a number of vulnerabilities last year? (ref 1, ref 2)

    Or the same sort or way the Mozilla XBM vulnerability arose? (ref)

    This isn't a new thing, and it's not unique to Microsoft, either.

    --
    If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
  12. Re:Nothing is inherently better than the other by lucabrasi999 · · Score: 3, Funny
    uhhhm you missed his point

    Totally OT, but you missed the repliers point. When you disagree with someone, you have at least two options. You could:

    1) Submit a post that provides an argument, preferably backed up with some data.
    2) You could call the original poster a "chump" (or some other disparaging remark) and use a meaningless comparison as your discussion point.

    Guess which of these two options is better?

  13. Application vs. OS by obsid1an · · Score: 4, Interesting
    You need to make the distinction of application vs OS. With MS, IE is part of the OS. Something that exploits IE also exploits the OS. Now look at the Xpdf flaw you presented:

    An attacker could entice a user to open a specially-crafted PDF file, potentially resulting in the execution of arbitrary code with the rights of the user running the affected utility.

    That is not a linux problem. That is an Xpdf problem. Xpdf is letting the maker of a PDF file gain the rights that the Xpdf program normally has. Now, if this exploit allowed the user to gain root access (assuming the current user is not root) there would be a tad more going on as Xpdf should never have root access.

    Now this isn't to say linux is perfect, but saying that every linux application security bug is the fault of linux isn't true either. However, this really comes down to the design differences between linux and windows. Running linux as root all the time can be just as dangerous as windows.

    It is also a problem of monolithic vs. modular programming. Having IE, your window to the internet, being so deeply imbedded into your OS is only asking for problems.