Slashdot Mirror

← Back to Stories (view on slashdot.org)

13 New Windows Security Vunerabilities

Posted by CowboyNeal on from the focused-on-security dept.

Petree writes "Microsoft has given advance notice that on February 8th, they will be releasing patches for 13 vunerabilities. Happily a day later they'll have a nice little webcast so answer questions about the vunerabilities. Windows users, don't forget to run WindowsUpdate first thing Monday morning."

9 of 410 comments (clear)

  1. Booooring... by Majorachre · · Score: 4, Insightful

    Another day another vulnerability. This is getting old. What's the point in continually reporting this drivel? We all know MS has their issues - but frankly I'm getting tired of all the wasted space on /.
    You're preaching to the choir!!

    1. Re:Booooring... by Malc · · Score: 3, Insightful

      Another day, another anti-Microsoft zealot on /.

      Here are some recent security announcements from one of Linux's more reliable and secure distros:

      04/02/2005
      [DSA 667-1] New PostgreSQL packages fix arbitrary library loading
      *[DSA 667-1] New squid packages fix several vulnerabilities
      *[DSA 666-1] New Python2.2 packages fix unauthorised XML-RPC internals access

      02/02/2005
      [DSA 664-1] New cpio packages fix insecure file permissions

      01/02/2005
      *[DSA 663-1] New prozilla packages fix arbitrary code execution
      *[DSA 662-1] New squirrelmail package fixes several vulnerabilities

      27/01/2005
      [DSA 661-1] New f2c packages fix insecure temporary files

      26/01/2005
      [DSA 660-1] New kdebase packages fix authentication bypass
      *[DSA 659-1] New libpam-radius-auth packages fix several vulnerabilities

      25/01/2005
      [DSA 658-1] New libdbi-perl packages fix insecure temporary file
      (*)[DSA 657-1] New xine-lib packages fix arbitrary code execution
      *[DSA 656-1] New vdr packages fix insecure file access
      [DSA 655-1] New zhcon packages fix unauthorised file access

      Do I need to go on? That's an average of more than 1 a day.

      * = remote exploit
      (*) = can be turned in to a remote exploit

      One of those is potential remote exploit just watching DVDs! If you want to pick an OS or vendor apart, it's easy to do it to any of them. I'm not defending Microsoft, but they're far from unique. Of course, with the examples I've cited, I'm sure there will be many people who would like to quibble and try and make it seem less of an issue... if they'd been Microsoft exploits quite the opposite would occur. It's so dull and childish.

    2. Re:Booooring... by Espectr0 · · Score: 4, Insightful

      Here are some recent security announcements from one of Linux's more reliable and secure distros:

      How many of those vulnerabilities are actually tied to the OS?

      Zero.

      How many of the windows vulnerabilities are tied to the OS?

      Mostly all of them.

      So do you want to count for example bsplayer's bugs so we can have a fair comparison against xine bugs?

      --
      Open Source Java Web Forum with LDAP authentication
    3. Re:Booooring... by damiam · · Score: 4, Insightful
      Any end users of Linux have to face the security flaws whether or not they're part of the OS.

      No, they don't. 99% of Linux end users don't run postgresql, zhcon, vdr, libdbi-perl, or most of the other packages the grandparent listed. It's fair to compare flaws in GNOME/KDE, Firefox, X, and the kernel to flaws in Windows. If you want, you can compare OO.o to Office and perl/python/Mono to .NET. But you can't compare the entire Debian archive (which takes 7 CDs to hold just the stable version) to the base release of MS Windows.

      --
      It's hard to be religious when certain people are never incinerated by bolts of lightning.
  2. Is this sort of thing still interesting to /. by Chess_the_cat · · Score: 4, Insightful

    I mean this is how the process works for any OS. Name the OS or system that doesn't require patches? I just don't see the point of this submission except to imply a Nelson-esque "Ha-Ha" where one isn't required. I run a dual-boot system and surprise, surprise, Linux likes to download fixes as well. In short: Who cares? Next stories: You may have a new e-mail in your inbox: Better check. Or how about: Make sure your version of Quicktime is current.

    --
    Support the First Amendment. Read at -1
  3. PC Benchwarming by bigskank · · Score: 4, Insightful

    "Windows users, don't forget to run WindowsUpdate first thing Monday morning."

    Not just to rag on MS, but I will NOT be running my PC monday morning. Given microsoft's less-than-stellar history of patch releases (Service Pack 2 still gives me night terrors), I'll wait at least a week or so to see what problems these patches create.

    It's unfortunate that many PC users (including myself) would rather risk having their PCs zombified or their data erased for a while longer instead of installing the latest MS patch. For me, past experience has shown me it's less of a risk to just sit it out for a while and see what new holes these patches open.

  4. Re:Lots of vulnerabilities? by diegocgteleline.es · · Score: 3, Insightful

    debian woody has like 8000 packages.

    Windows XP is a OS, graphical environment, msn messenger, wordpad, a few crappy games, some services...let's be good and say they've 1000 packages of software(they don't)

    13/1000= 0.13 vulnerabilities per package

    47/8000=0.005

    "So you zealous fucker, which platform is more secure?"

  5. Safe Surfering by Mybrid · · Score: 3, Insightful
    It is trivial to run Microsoft without anit-virus software or anti-adware software safely.

    Let's call this safe surfing.

    The answer is to surf the web as user "Guest".

    There are a lot of things to be said about this but the most important is that Microsoft doesn't care about security because they don't educate this or default to this.

    As a computer consultant every day I get asked about safe computing. My answer on windows is this:

    1. Don't use Microsoft Express or Outlook at home. Instead use web email clients like Yahoo.
    2. Don't click on email links. Instead, cut-copy-paste the text of the displayed link into a new browser window.
    3. Log out as your account and log in as Guest whenever you 1.) use Windows Media Player or 2.) or 2.) surf unfamiliar web sites.

    People squawk about having to log out and log in as a different user. I tell them safe computing is no different than safe sex. You need to take responsibility. You need to decide how important being safe is to you.

    By enabling the Guest account and suring the web as guest, virus and adware can't install software, touch the registry, or write to anywhere on the disk other than the account folder for Guest. If the Guest account ever gets corrupted just delete it and create a new one.

    However, unlike with Unix, Windows is a hostile environment for mixing users.

    On Unix its easy. Just enable "sudo". Your default security mode is one of no access, user mode. You have to make a conscience choice to run with sudo.

    It is very unsatisying to run as "Guest" in Windows and then "Run As" a secure user and hardly anyone does it. It's almost futile to install software as an user on Windows other than someone with admin privileges. Almost every major software vendor's install willl fail unless admin privileges are used. By contrast, no such barrier exists in Unix. The "--prefix" option to most software will allow you to run from your home directory. And it's not always just the big things, but little things too. Unix uses the "~/username" shortcut to easily afford copying files between accounts.

    It is possible even in today's Microsoft environment to guarantee yourself the impact of a virus or adware can be contained to a sandbox, Guest user account.

    The fact that Microsoft doesn't make "RunAs Guest" the default security model as does Unix is something that Microsoft should be held accountable for.

    But the reality is Microsoft just doesn't care about security. The only care enough to give it lip service.

  6. Re:"Run WindowsUpdate first thing Monday morning" by macosxaddict · · Score: 3, Insightful

    Any operating system where updating the web browser is a "major update" is fundamentally flawed.