Slashdot Mirror


Microsoft Releases Eight Security Updates

Juha-Matti Laurio writes "After a very uncommon break in March, Microsoft has just published 8 new security updates. Almost all updates that are a part of the monthly release cycle are rated as 'Critical.' The new Windows Shell vulnerability, named MS05-016, is only 'Important,' but Windows XP Service Pack 2 is affected too. This is not the first time there was something to fix in Shell32.dll. Vulnerabilities in TCP/IP that could allow remote code execution and denial of service, in cumulative bulletin MS05-019, affect SP2 too. Windows Kernel, Exchange, MSN Messenger, Word (Office) and Internet Explorer get their updates as well."

26 of 344 comments

  1. WS2K3 SP1 by koh · · Score: 4, Informative

    Windows Server 2003 SP1 is also available. Apparently it's a kind of XP SP2 but for Server 2003. With the firewall, security center, IE "enhanced security", spyware removal tool that doesn't run, etc.

    I just hope it doesn't break as many apps...

    --
    Karma cannot be described by words alone.
    1. Re:WS2K3 SP1 by LurkerXXX · · Score: 2, Informative

      Read up on Bugtraq. Apparently Dell OpenManage software has bad issues with it (fixed in version 4.4 that they *just* released, if I recall).

    2. Re:WS2K3 SP1 by Kimos · · Score: 5, Informative

      I've been applying 2k3 SP1 to servers at my office all week. MS did a good job of designing the patch so that it adds lots of security lockdowns without limiting applications. They add the firewall but it defaults to off for upgrades. The only part that seems scary is the stronger authentication for DCOM. It's secure, but has potential to break some apps. Details on SP1 here.

      Five servers so far, and all of them have worked after the update. I'm far from a MS fan, but I have no problem admitting when they've done a good job...

    3. Re:WS2K3 SP1 by koh · · Score: 4, Informative

      After 1 day of use:

      IIS (HTTP, FTP) works (after tweaking the firewall of course), at least for the minimal use I have of it.

      Exceed works too after registering it with the firewall.

      IE's "enhanced security" makes it _really_ paranoid, but I use it only for updates so I couldn't care less (had to add Office Update to the trusted sites though).

      IMHO the real thing here is to check how in-house developed server components will behave under SP1... since we don't have that many customers using it, bug reports won't come for a few weeks, I hope.

      --
      Karma cannot be described by words alone.
    4. Re:WS2K3 SP1 by koh · · Score: 4, Informative

      (Incidentally, I'm in favor of really paranoid IE settings, but since by using it you're implicitly trusting MS, the Office update site could probably have been automatically added to that list. I think that's why the gp noted it.)

      Indeed.

      Amusingly, I tried the Acid2 Test on IE with "enhanced security" turned on and it warned me the page may not render correctly because it "required an ActiveX control" that "was being blocked".

      An ActiveX control? On the Acid test page? Turns out the page contains 3 <object> tags used to check cascaded content... Of course we all know an <object> tag always is an ActiveX control, do we?

      That's what I meant by "paranoid" :)

      --
      Karma cannot be described by words alone.
  2. Unscientific Results So Far... by ScentCone · · Score: 4, Informative

    I've applied these to about 15 servers this morning - boxes running IIS, SQL, Exchange, and so far nothing has blown up. What really gets me is the bandwidth they must be putting into the distribution. The 8 or so MB that the servers are downloading is coming across much more quickly than I've seen it in the past. Could just be an aberration, but usually the feeding frenzy is pretty intense.

    --
    Don't disappoint your bird dog. Go to the range.
  3. Patches by johndou1 · · Score: 5, Informative

    Auto update applied the patches and then I could not boot.

    Had to run chkdsk, then it came back to life.

    1. Re:Patches by saddino · · Score: 4, Informative

      Same here. On restart I went into some funky graphics mode (looked like a crash on an old C64) alternating between a light blue screen, a light green screen and some multicolored vertical lines. This is a brand new machine with XP Pro and basically only Visual Studio installed.

      I almost had a heart attack because I didn't back up code I wrote last night (dumb to apply updates without backing up, yes I know).

      A hard reboot fixed it for me, but I'm still a little nervous.

  4. The Big Three by Rhaythe · · Score: 4, Informative

    The most worrisome are (from least to most)
    MS05-019 Vulnerabilities in TCP/IP Could Allow Remote Code Execution and Denial of Service.
    Remotely Exploitable. Good potential for the next superworm.
    IP Validation Vulnerability (CAN-2005-0048) - "Incomplete validation of IP Network Packets" is how Microsoft describes this vulnerability.

    MS05-021 - Vulnerability in Exchange Server Could Allow Remote Code Execution.
    Remotely Exploitable Buffer Overflow
    Exchange Server Vulnerability (CAN-2005-0560) - The service fails to handle SMTP extended verb requests. On Exchange 2000, if an attacker connects to an SMTP port (unauthenticated users will work) and issues a specially crafted extended verb request, this would allow an attacker to run the code of their choice as the SMTP service runs as Local System.

    MS05-020: Cumulative Security Update for Internet Explorer (890923)
    Remotely exploitable.

    All three problems fixed would require a user to browse a malicious website or click on a link... but then there is a HIGH probability that THAT will happen. Again proof of concept exploit code has been released for this flaw.

  5. Re:Critical Updates Plus Bonus Junk by Neopoleon · · Score: 5, Informative

    An update to BITS is critical because it's part of the mechanism that should be keeping your average user's Windows machine clean by downloading updates in the background without disturbing their usual browsing activities (it uses opportune moments to grab chunks of updates - once all the pieces are down, it lets you know).

    One of the reasons we have so many problems with security vulnerabilities is that users don't make use of Automatic Updates, and they wind up running unpatched systems for days... weeks... months... ...years.

    Sometimes there's a good reason for this, but I suspect that, more often than not, it's a lack of understanding about *why* Automatic Windows Updates is important.

    So, in that context, although I can see why you might not think it's an important update, BITS is actually something you want updated with everything else unless you're *really* on top of patching your system manually.

    --
    - Rory [Microsoft Employee] | Free dirt: neopoleon.com
  6. Re:One wonders... by Nevo · · Score: 4, Informative

    Read the bulletins. Each security bulletin has a section in which Microsoft says whether or not the vulnerability was publicly reported, and whether or not Microsoft was aware of public exploits at the time the bulletin was published. My understanding is that none of this month's vulnerabilities were publicly known. Granted, you won't know how long Microsoft knew of the hole (which is useless information), but you'll know if it was a zero-day exploit (which is marginally more useful information).

  7. Re:Critical Updates Plus Bonus Junk by MSFanBoi · · Score: 2, Informative

    Because Microsoft is changing the distribution method for WindowsUpdate very shortly. Microsoft Update. Google it.

  8. Re:Thank you MS! by xocp · · Score: 5, Informative

    Not to mention, I appreciated that Microsoft thanks those that reported the vulnerabilities:

    Mark Dowd and Ben Layer of ISS X-Force for reporting the Exchange Server Vulnerability (CAN-2005-0560).

    Alex Li for reporting the Word vulnerability (CAN-2005-0558).

    Hongzhen Zhou for reporting the MSN Messenger Vulnerability (CAN-2005-0562).

    Song Liu, Hongzhen Zhou, and Neel Mehta of ISS X-Force for reporting the IP Validation Vulnerability (CAN-2005-0048).

    Fernando Gont of Argentina's Universidad Tecnologica Nacional/Facultad Regional Haedo, for working with us responsibly on the ICMP Connection Reset Vulnerability (CAN-2004-0790) and the ICMP Path MTU Vulnerability (CAN-2004-1060).

    Qualys for reporting the ICMP Path MTU Vulnerability (CAN-2004-1060).

    Berend-Jan Wever working with iDEFENSE for reporting the DHTML Object Memory Corruption Vulnerability (CAN-2005-0553).

    3APA3A and axle@bytefall working with iDEFENSE for reporting the URL Parsing Memory Corruption Vulnerability (CAN-2005-0554).

    Andres Tarasco of SIA Group for reporting the Content Advisor Memory Corruption Vulnerability (CAN-2005-0555).

    iDEFENSE for reporting the Windows Shell Vulnerability (CAN-2005-0063).

    Kostya Kortchinsky with CERT RENATER for reporting the Message Queuing Vulnerability (CAN-2005-0059).

    John Heasman with Next Generation Security Software Ltd. for reporting the Font Vulnerability (CAN-2005-0060).

    Sanjeev Radhakrishnan, Amit Joshi, and Ananta Iyengar with GreenBorder Technologies for reporting the Windows Kernel Vulnerability (CAN-2005-0061).

    David Fritz working with iDEFENSE for reporting the CSRSS Vulnerability (CAN-2005-0551).

  9. Worse than you think... by tweakt · · Score: 3, Informative

    All three problems fixed would require a user to browse a malicious website or click on a link... but then there is a HIGH probability that THAT will happen. Again proof of concept exploit code has been released for this flaw.

    Wrong. Based on those summaries, I'd say the first two are exploitable by the attacking system connecting TO the target. No action is required by the victim. Only the third I would guess involves web-related malware.
  10. Re:And of course.... by Anonymous Coward · · Score: 1, Informative

    As far as I know, Windows Update requires ActiveX support in the browser, so IE is the only browser that will work.

    --
    Jonathan the Nerd (user 98459)
    (Posted anonymously because I'm using an unencrypted wireless network, and I'm not going to transmit my password in the clear.)

  11. Re:maybe it's me ... by tehshen · · Score: 2, Informative

    If you want the red flashing ! thing on the panel to go away, right click -> Configuration -> remove from panel. Then you can do yum updates when you want without being distracted.

    I've found that with the update manager you always have to say yes to wanted updates, not no to unwanted ones. The ignore list seems to not do anything, though.

    --
    Guy asked me for a quarter for a cup of coffee. So I bit him.
  12. Re:One wonders... by Malc · · Score: 2, Informative

    You are aware that normally Windows' exploits only occur after the security hole has been announced, right?

  13. Re:maybe it's me ... by LnxAddct · · Score: 5, Informative

    Keep in mind that the Fedora update utility is updating up to 10,000 applications, not just core system software like MS's update utility, so expect some increased complexity (although once you set up your ignore list, it's usually just as easy as clicking "select all", click next, click next, all done and updated). Using the ignore functionality works great for me under FC3 so I'm not too sure what you are referring to as far as problems go. Maybe if you supply more information someone can help you, or go to #fedora on irc.freenode.net and someone there is always willing to help. On a side note, if you are a noob you most likely don't want to be disabling any updates. Fedora by default puts new kernels on your ignore list but other than that, updating is usually a good thing (If you used something like debian testing or unstable prior to fedora I can see the basis for your paranoia as I still have one server left running debian testing and updating breaks it monthly at a minimum, but the situation is completely different in fedora and I have yet to see anything similar happen).
    Regards,
    Steve

  14. MS update KB891711 Rerelease for Windows 98 & by antdude · · Score: 2, Informative

    Read Broadband Reports security forum thread about this. It appears the rerelease patch fixed the blue screen problems, proxy, etc.

    --
    Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
  15. Re:So... by rpozz · · Score: 3, Informative

    There have definitely been articles relating to OpenSSH et al., and getting exactly the same amount of criticism.

    Note that "Vulnerabilities in TCP/IP Could Allow Remote Code Execution and Denial of Service (893066)" is pretty damn serious though.

  16. MS05-019 breaks raw socket sends (again!) by Eyeball97 · · Score: 5, Informative

    It seems MS are determined to have XP users disabled from using raw sockets - in itself not such a bad idea for 99.9% of XP users but those of you who avoided SP2 (or disabled firewall/ICS after installing it to get round this problem) please note - it's back! and there's no known way to disable it (yet).

  17. Re:There goes my day... by limabone · · Score: 2, Informative

    I am installing patches on 250+ systems right now while I read slashdot. Try using SUS server or GFI Languard (which is what I am using). This thing pays for itself easily in the first month if you are doing 300+ systems by hand like your message says.

  18. Exploits by Anonymous Coward · · Score: 2, Informative

    As part of my job I've been tracking exploits for these as they pop up on the usual lists and public exploit archives. So far there's an instant root shell using a single HTML file opened in IE; ditto for "windows shell remote code execution"; and a couple for Access (tho' I don't believe those were actually part of the Patch Tuesday frenzy.) Fun times! Who's running the book on whether someone will wormify one of these? My betting is NOT; I think MS have managed to do just enough to get back ahead of the skiddies (well, worm-author skiddies anyway) for the next few months at least. XPSP2 is taking all the fun out of incident response ;)

  19. Not quite. by SatanicPuppy · · Score: 3, Informative

    Explorer is part of the operating system, remember? So explorer exploits count as OS exploits, especially because a lot of the explorer exploits are arbitrary code execution exploits, which are beyond critical.

    --
    ad logicam Claiming a proposition is false because it was presented as the conclusion of a fallacious argument.
  20. Re:Not that big of a deal for desktop users by kybred · · Score: 2, Informative

    If you have XP Service Pack 2, and are behind a router, the ICMP vulnerability is a non-issue. Your router responds to pings, not your computer.

    You do know that ICMP is more than just pings, right?

    http://www.ietf.org/internet-drafts/draft-gont-tcpm-icmp-attacks-03.txt

    kybred

  21. Install SP2 by km790816 · · Score: 2, Informative

    Take a look at Microsoft Security Bulletin MS05-019.

    If you are running SP2, none of the flaws is considered worse than "moderate".

    1) The criticality of a fix depends on the OS. A critical bug in Win2k may be only moderate in XPSP2, but it's always advertised as just "critical".

    2) This is good proof that (at least by Microsoft's analysis of criticality) XPSP2 does improve security dramatically, even in the face of defects.