Slashdot Mirror
13 New Windows Security Vunerabilities
Petree writes "Microsoft has given advance notice that on February 8th, they will be releasing patches for 13 vunerabilities. Happily a day later they'll have a nice little webcast so answer questions about the vunerabilities. Windows users, don't forget to run WindowsUpdate first thing Monday morning."
And then again on Tuesday when the actual updates come out.
Another day another vulnerability. This is getting old. What's the point in continually reporting this drivel? We all know MS has their issues - but frankly I'm getting tired of all the wasted space on /.
You're preaching to the choir!!
Can't they roll them into one cumulative security update?
And I just got done updating three or four ZEN images. I can't wait for the hundred times I'll be asked next week "can I click OK on the update thing or is that spyware?".
The summary is wrong, and this is pointing out that fact. Running Windows Update on Monday won't get you anything since the updates come out on TUESDAY, aka the 8TH.
13... the unlucky number. They must be BAD security risks for a change ;)
http://www.sandstorming.com
Come on Slashdot, at least they are actively fixing their shit. You all bad mouth them for not fixing stuff fast enough, and then when they announce they are releasing a patch you try to find some way to bad mouth them for that?
We're all bored of hearing how much people hate MS here...we KNOW you don't like them. Just leave it at that, and instead of reading and posting 600 replies here about how they suck, have some sort of intelligent conversation instead.
I mean this is how the process works for any OS. Name the OS or system that doesn't require patches? I just don't see the point of this submission except to imply a Nelson-esque "Ha-Ha" where one isn't required. I run a dual-boot system and surprise, surprise, Linux likes to download fixes as well. In short: Who cares? Next stories: You may have a new e-mail in your inbox: Better check. Or how about: Make sure your version of Quicktime is current.
Support the First Amendment. Read at -1
Some of us actually use Automatic Update Agent, that downloads and installs the patches. No need for manual updates anymore.
Running Windows Update on Monday will not help, someone please -1 the original article.
Windows users, don't forget to run WindowsUpdate first thing Monday morning.
These days, Windows users don't need to "run" Windows Update to grab security updates; the Windows service do that job, so they don't have to remember to do anything special on Tuesday. However, you need to actively visit windowsupdate.microsoft.com if you need other stuff than security updates.
Beware: In C++, your friends can see your privates!
For those who are more knowledgeable...are we in the regime of Microsoft's Trusted Computing? I know Microsoft will continue to spew out info emphasizing a renewed effort in secure computer environments.
Is this relevant if you have SP2 installed?
There's more included than OS fixes, so probably.
Beware: In C++, your friends can see your privates!
Microsoft releases updates for Windows XP every second Tuesday of the month, Windows users should be aware of that, as there always is something fixed.
I shot the sheriff
May be he is refering to Feb' 8th 2010.
"Windows users, don't forget to run WindowsUpdate first thing Monday morning."
Not just to rag on MS, but I will NOT be running my PC monday morning. Given microsoft's less-than-stellar history of patch releases (Service Pack 2 still gives me night terrors), I'll wait at least a week or so to see what problems these patches create.
It's unfortunate that many PC users (including myself) would rather risk having their PCs zombified or their data erased for a while longer instead of installing the latest MS patch. For me, past experience has shown me it's less of a risk to just sit it out for a while and see what new holes these patches open.
10 Print New Awesome Mac Product 20 Print New Windows Security Problem 30 Goto 10
Crushing my karma one post at a time.
I'm not that much into windows, but this windows-update thingy seems like a great idea. My only question is - why don't they just release the patches once they're done? I mean - setting a specific date is like a release plan; we don't release just yet, but we estimate that we're ready on monday with it all.
Especially security patches should be released immediately when they're done. Distributing the releases would probably also take some load of the servers. Or am I missing something about windows update?
e-mail, browsers, and half a dozen minesweeper imitations all exist on platforms other than Windows.
And yes, they are equally simple to use. It's just that you've never ventured out at all. (but then I guess you did post as a coward...)
Cheers.
Now accepting PayPal donations!
1) It's Tuesday not Monday; afternoon rather than morning as they seem to release about noon time PST.
2) This is a repeat.
scott
If you haven't done it already, go to microsoft.com and search for antispyware. Install Microsoft AntiSpyware (beta). You'd be surprised how many trojans and spyware it will find on your "secure" Windows boxen.
Microsoft didn't write it. It's GIANT AntiSpyware with a new label. It may think some of your legitimate apps are spyware, like VNC, but it usually marks them as ignore by default anyway. It's great if you forgot they were there or someone else installed them without your knowledge.
A programmer is a machine for converting coffee into code.
1. We are tired of all of the waits for the patches. The hackers know MS releases on a specific day of the month and time their releases for max effect.
2. These patch only the holes that we are told about. how many others are there that we don't know about until MS lets the world know?
3. I admin a home network (6 machines) and the Linux boxes are the easiest to admin. The MS machines tend to break S/ware (A/V & firewalls) on these upgrades and it takes me a while to fix them.
Panic now, beat the rush!
If only there was an operating system without thousands of undiscovered security holes...
Of course! AmigaOS!
... and I didn't see much Microsoft bashing in the original article.
Okay, who's not releasing patches for all the undiscovered Linux vulnerabilities? Oooooh, vast, incompetent menace! Switch to something else, quick.
One word describes a system, nearly ANY system more recent than an Atari ST or C-64, that isn't regularly patched: "0wn3d"
Bash bash bash. You guys are boring.
Any sufficiently advanced technology is insufficiently documented.
To have a "trusted computing" environment as they want it, we need hardware to ensure that software is what it says it is.
Usually it involves having key (as in RSA) locked down in a temper-proof hardware chip, and the computer use that key to assert that the software it is about to run is indeed signed by and for that key. For example, a Linux kernel could be signed by such a key, and at boot time the system would validate it and if it passes, we can assume that it is not compromised by a virus or something. The kernel would then have the job to verify the rest of the programs it wants to run.
Of course the safety of such systems relies on the chips containing the keys. Any attempts to get them out of there would trigger them to self-destruct.
There is a project around working on an IBM card like that to provide a virtual currency, but i can't find the link right now. It basically runs an open source package, and the card can verify that it not modified. (I would like the link if anyone knows) It allows anyone to check the source code and see for themselves that it contains no backdoor.
Like any powerful technology, it can be used to do very good things(tm), and very bad things(tm).
While you're patching your lovely Windows box and doing the reboot parade, why not switch over to your Mac Mini and catch up on some Ruby tutorials? =)
Some Windows users (like myself) shut off the "Automatic update" service (along with many others) in order to have less system resources used (and less vulnerabilities) while doing what really matters...surfing for porn! Although I can understand the disgust with constantly hearing about patches, there are some people who might not hear about them any other way.
So I'm stupid because you don't agree with what Microsoft do?
Jeez, don't shoot the messenger, I'm just telling you how it works.
Auto-update is dangerous to stability!
So, did I say it was always good for stability anywhere? Calm down.
Beware: In C++, your friends can see your privates!
When using Windows you should always be behind a firewall
When shouldn't you be behind a firewall? With the exception of say, a WebTV, ALL operating systems should be behind a firewall.
Mac included.
Given that there are a couple of known vulnerabilities in XP even with SP2 installed (with DEP and IE), we can only hope that it is relevant if you have SP2 installed. However, given that the DEP vulnerability is quite recent I suspect that Microsoft might bump that patch until next month at least to allow for more testing. Just hope that a real cracker doesn't give the script kiddies a new toy to play with in the meantime...
UNIX? They're not even circumcised! Savages!
Clearly, you have keen insight and abilities that are unappreciated by your current employer. Perhaps you should look for a job where there are systems more in tune with your unique view of the IT universe.
# Windows XP Media Center Edition may unexpectedly crash while being shown before large audiences.
# User may 'hijack' Internet Explorer settings, this update will reset your Internet Explorer start page and search settings to the new and improved MSN Search.
# Fixes vulnerability that allows users to view old Teen-Beat photographs that may contain images that could shock your system!
What disadvantage do the corporate users have if Microsoft releases the patches today. The corporate folks can still install the patches on Monday --- or any day they choose. Assuming the patches are ready, I see no reason not to make them available on the web for anyone eager to patch their systems.
-- john
There's various methods for updating office, some that appear to require the user to have admin privs, keeping a local copy of office install source on the computer at all times, etc, etc...
It's all a mess if you have various versions of office out there... :-(
Just out of curiosity why should I put my Mac behind a firewall?
Yeah, my network of 5 windows machines never has any troubles. Of course that's because everyone here is smart enough not to download spyware infested crap from the internet. We have AVG running on every machine and that keeps us virus free. And yes, I have a router as firewall, and SP2 on every box.
If your Windows machines are broken, it's not Windows fault IMHO, it's mostly user issues. I do agree that Windows makes it easy to install bad software, but Linux can also be totally runined by installing bad software (at least when you know as little as I do). So if you want to have a solid Windows box, learn how to manage it. Don't let your 9-year old install stuff and you should be ok.
2) It's not 13 patchs for windows. As the article could not state any clearer it's:
3) Read before you submit.
- AMW
IE always seems to be the weak point, or the HTML subsystem... Even if it isn't, I've got instructions on removing several subsystems from Windows that will make it more secure.
Check out my page on Windows patches, I think it's a convincing argument to rip all of this stuff out of Windows. Just download the files, drag-drop-replace, burn, and install.
XP subsystem removal software here.
My main question is, can I install these security patches without haveing SP2 installed? I still refuse to install SP2 due to some of the things MSFT implemented into the patch.
Of course, the editor doesnt actually mean it, its just a taunt. This stupid "my patches vs your patches" game is ridiculous and further cements slashdot as a "teen hangout" than anything resembling a tech site.
Not to mention running an update on most linux distros demands a serious amount of patching.
If slashdot would stop taunting for two minutes, they would realize that MS has a policy of patching on the first tuesday of each month and once auto-updates are enabled this becomes a non-issue.
Its getting old, really. If MS patches or doesnt patch, its going to be a slashdot item with the typical trolls coming out from under their bridges.
According to secunia the web browser I'm using has 5 non-patched critical security holes. Guess what, I'm not using IE. Has this been a slashdot item yet? If not why? Where are mozilla's tuesday patches? Oh right, we have a double standard for them and just wait for release 1.1 without saying a word.
Linux vulnerablities reports appear at about the same frequency as Windows ones.
But where Linux vulnerablities are reported one per report, with Windows you get a 3-15 bundles with Windows... Maybe this kind of tactic, you hear about Linux problems at least as often as about Windows, so it leaves you with impression they are the same level...
When was the last time Linux developers shipped 13 different vulnerablity patches at once?
45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B2
Nah, the poster's just on the other side of the Date Line. Monday's the 8th over there.
I turn all automatic updates off since that disaster. This patched user32.dll and after application, my 2003 box does a continous reboot. Removing the patch fails to restore functionality.I had to retore from a drive image to get back running. I'm running 2003 as a desktop, so I don't fit the average testing profile, but it is unacceptable to have a patch completely depants my workstation.
The people that actually keep up with these updates are the same people that use McCaffee and that enable encryption on their WIFI routers; they are the slightly-savvy citizens of the Microsoft community, and are a minority--and are probably already protected from these exploits beforehand, by some third-party software somewhere. While everyone else, that doesn't have the time or know-how to protect their PCs are the ones getting hurt the worst by these vulnerabilities. I think updates should be forced by this Operating System, kind of like how AOL back in the 90's wouldn't let you sign off a session and release your modem till you had downloaded their damn updates (which I am--even till today-- convinced were ad-packs).
Because people think that their experiences with Windows apply universally to all OSes.
Mod down posts with a "Free Mac Mini/iPod" sig, they're spam!
I run one of my Linux boxes directly on the 'net, and have never had any trouble. It only exposes SSH to the world and I can't run IE on it, so (wonder of wonders) it has never been compromised.
.... it was compromised in under 30 seconds.
The last time I put an XP box on the 'net without firewall protection (my firewall was malfunctioning and I needed to get some information off the web)
So I agree that Windows users should never have their computer connected to the 'net without being protected by a firewall. Everyone else is optional but recommended for extra protection.
Micro$oft? Get a life fucker.
Set it to auto update so you don't have to worry about it.
Come on guys, how hard could spelling "Vulnerabilities" correctly be?
a.) the last time I checked, 9+1+1+1+1 = ...wait for it... 13
b.) these are only for machines running Windows.
Therefore, 13 new Windows security vulnerabilities.
"Empathise with stupidity, and you're halfway to thinking like an idiot." - Iain M. Banks
Cute. Except that when you install Debian, you're installing over 500 additional apps. 51 bug fixes for 500+ apps isn't that bad to be honest. 13 bug fixes for Windows, Internet explorer, Media Player and Office is atrocious. Especially when you consider that Microsoft take on average 1-2 months to fix a single bug.
Sunday you're Thinking Different, Monday you're a huge tool, paying too much and waiting to think like everyone else.
The real problem with windows is that every 2-3 years they come out with a new version and have to go through all this crap all over again. Just when they've fixed most of the bugs, they come out with a new version, get everyone to upgrade, and we're back to the beginning. Windows 98 runs just about everything. And at this point most of the bugs have been patched. I knew guys that were still using windows 95 osr2 in 2000 because it was one of the most stable and streamlined systems available.
Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
Yeah rigt... wonderful...
Last time I tried that some of our mission critical applications went dead...
Since M$ system is so "well integrated" any update to allmost any component could sabotage something else... and some of those bloody security updates can't be uninstalled...
Yes, shocking.
:)
Maybe this is a sign.
Pretty Pictures!
How is this different/more important or whatever than redhat over 100 errata updates in 1 month. It is very hard to justify using redhat to management when you constantly have to apply patches. I will admit windows is no better and they probably should have several hundred a month but how can one say redhat is any better???
You can suppress what I'm saying, but not the reality of what I said.
That's a key difference.
Amen, preach it!
The early bird may get the worm, but the second mouse gets the cheese!
Unless this gets hammered on repeatedly, people will forget, and/or you will fail to educate newer users. Yes, this is /., but even this community suffers from human foibles. Count me amongst those who are satisfied with the status quo, here.
in one swift stroke and get on enjoying your life instead of reading boring documents about fixing problems someone else created.
debian woody has like 8000 packages.
Windows XP is a OS, graphical environment, msn messenger, wordpad, a few crappy games, some services...let's be good and say they've 1000 packages of software(they don't)
13/1000= 0.13 vulnerabilities per package
47/8000=0.005
"So you zealous fucker, which platform is more secure?"
Let's call this safe surfing.
The answer is to surf the web as user "Guest".
There are a lot of things to be said about this but the most important is that Microsoft doesn't care about security because they don't educate this or default to this.
As a computer consultant every day I get asked about safe computing. My answer on windows is this:
People squawk about having to log out and log in as a different user. I tell them safe computing is no different than safe sex. You need to take responsibility. You need to decide how important being safe is to you.
By enabling the Guest account and suring the web as guest, virus and adware can't install software, touch the registry, or write to anywhere on the disk other than the account folder for Guest. If the Guest account ever gets corrupted just delete it and create a new one.
However, unlike with Unix, Windows is a hostile environment for mixing users.
On Unix its easy. Just enable "sudo". Your default security mode is one of no access, user mode. You have to make a conscience choice to run with sudo.
It is very unsatisying to run as "Guest" in Windows and then "Run As" a secure user and hardly anyone does it. It's almost futile to install software as an user on Windows other than someone with admin privileges. Almost every major software vendor's install willl fail unless admin privileges are used. By contrast, no such barrier exists in Unix. The "--prefix" option to most software will allow you to run from your home directory. And it's not always just the big things, but little things too. Unix uses the "~/username" shortcut to easily afford copying files between accounts.
It is possible even in today's Microsoft environment to guarantee yourself the impact of a virus or adware can be contained to a sandbox, Guest user account.
The fact that Microsoft doesn't make "RunAs Guest" the default security model as does Unix is something that Microsoft should be held accountable for.
But the reality is Microsoft just doesn't care about security. The only care enough to give it lip service.
And get all the patches prior to next week's on first. That way, you'll be adding 13 instead of 45 patches next week.
They say the mind is the first thing to
Sometimes people tends to be addictive to things they hate. At least I am one of them. There are some ads that I hate so much that whenever they are aired on TV, I will rush to watch them, and then curse about their stupidity. I feel some slashdotters also have this phobia, which, after cursing MS for whatever they do, makes them feel good about themselves.
It were the original words from the anonymous coward ;)
...Is the one patching the Windows Calendar, making Feb. 8 2005 a Monday, so this article will be correct starting on Tuesday.
Saskboy's blog is good. 9 out of 10 dentists agree.
"Windows users, don't forget to run WindowsUpdate first thing Monday morning."
I think he meant to say:
Install Linux first thing Monday morning...
I say: Why wait? Use the weekend wisely...
Richard Steven Hack - This sig is TOO GODDAMN SHORT TO DO ANYTHING USEFUL WITH! MORONS!
Who said I wasn't biased against Microsoft? However, what I said was true. And I didn't slander.
...and how many of these have been used for an successfull attack ?
Noone is saying that bugs dosen't exist in Linux (or any other OS)... we are just saying that they are usually fixed before they are exploited... where M$ often denies a bug's existence until it has been exploited...
Excuse moi... but my KCalc sez 13/1000=0.013 and 47/1000=0.047
...and NO I'm NOT a M$ fanatic...
Therefore, 13 new Windows security vulnerabilities.
.Net framework installed, so that makes 10 updates only for me.
Nope. I don't have SharePoint, MSOffice or the
BG and SB of MSFT will then tell the DHS, WSJ and FOX: "It was a DDOS by the UNL33T H4X04Z and smelly OS / FOSS / GNU hippies^Hterrorists."
The only ones who will believe it are Maureen O'Gara, The Yankee Group, and Gartner.
Everyone else will go back to playing FreeCell.
When I used to do individual windows updates, I would just install them all, and leave the "You must reboot" dialogs sitting behind the other windows, piling up until I'm done... then I'd hit reboot on one of them and the machine would reboot.
This saved several craploads of time. }:)
-Z
There is a warning posted on the Windows Update site that future XP updates may require SP1 or higher.
It is great to see MS providing updates for various software. Now, my concern is that they will not break anything. :)
Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
i feel pretty safe with ipfw
This ought to be interesting if SP2 is affected.
While I agree it is a great tool, it needs a few tweaks to be great... Unfortunately, MS doesn't want this to be too good because SMS still costs a lot of money to buy... This is why it doesn't apply Office patches, (the one exception being the critical update for Office XP users running XP sp2) or even anything besides critical and security patches.
An install log might be a nice option too... Of course, once it has been up and running through a couple patch cycles you find it to be pretty much a cake-walk... setup would have been simpler with a log I can enable/disable when I needed to, though.
Who did what now?
Instead you could be rebooting until Easter. Such convenience. (-:
Got time? Spend some of it coding or testing
Microsoft persist in asserting that MSIE is part of the OS, so I see nothing wrong with counting its vulnerabilities as part of the OS's. What's sauce for the goose is sauce for the gander, after all. And their dotNYET implementation is even more tightly bound to the OS than their "I-do-colour-management-on-images-with-no-ICC*" browser.
For a more realistic comparison, pick one browser, one email client, one database, one MTA, one webserver, one nameserver, one office suite, one media player, one proxy for Linux and compare just those.
I usually use Konqueror, KMail, PostgreSQL, PostFix, Apache2, BIND, OpenOffice, MPlayer and Squid. In Linux land, the web-server and name-server in particular are not noted for their security, yet I can run both of them chrooted (BIND is set to do this by default), which is not possible with IIS or MS-Proxy.
Filter your terrible Linux stats through those, and you'll get something like a reasonable comparison of a fully loaded MS machine (server and workstation in one) versus a typical Linux machine (ditto).
The machine I'm facing saw four vulnerabilities in the time-slice touted by the GPP, two of them remote or remoteable, and that's unusually bad. Harking back to the distribution running on this machine I count 9 vulnerabilities in that package set (plus CUPS and X11, which are kinda-sorta built in to Windoze in a limited way) since last year, an average of one every four days. Most of those 9 are extremely difficult to exploit and several of them are "dupes" in that they're several packages recompiled to close a vulnerability in a common library, so three for four reports might really be one vulnerability. December was also very heavy with 14 fixes; November is more typical and saw 5, of which 3 were one (libXpm) vulnerability and one was a DoS rather than an intrusion.
Got time? Spend some of it coding or testing
Who recently fixed one remote root vulnerability which was over a year old. Sorry, their security reporting system is so opaque I'm having trouble re-finding the link for you.
Got time? Spend some of it coding or testing
Microsoft Security Vulnerabilities is prime for its own dedicated section at slashdot. The number of stories certainly warrants it.
-- Microsoft is the most expensive commodity operating system and office suite vendor in the marketplace.
So if Windows users dont use SharePoint Services, Microsoft Office ( open office instead ) , Dont use Windows Media Player ( Use Media Player Classic) , and MSN Messenger ( Use Gaim or Miranda opensource programs instead )
...
Then would it really be Critical update ???
My guess , probly not
Swap to open source today and feel the difference !
Dont ask , Just Google IT : http://www.google.com
There's nothing wrong with running Windows Update every 2 months. Hell, I run apt-get a lot more than that. That's just part of running ANY Internet connected OS. The only problem is that Windows STILL isn't secure enough, even if you run Update regularly.
Slow down, cowboy! It has been 4 hours since you last posted. You must wait another few hours.
How is it that all 13 patches are magically ready on the same day? Are they not withholding them when they could have released the patches earlier, as they were developed?
Karma: It's all a bunch of tree-huggin' hippy crap!
At least they report these things open and loud, and the fixes are soon availabe. It's actually kind a funny that Linux community pay so much attention to Windows vulnerabilities, so people kind a know about them more and are using Windows Update more often :D
Why doesnt Linux vulnerabilities get so much attention althought they exists and there are many of, even home users whos pc's get 0wn3d while online?
(patching FC2 at the moment.. again.. )
...doesn't mean it actually is easier.
Got time? Spend some of it coding or testing
Nahh. They're actually going to cut Windows Update access to any known pirated copies of Windows, then in the webcast later they'll tell everyone exactly how to use these exploits. Bastards.