Slashdot Mirror
Microsoft Releases Eight Security Updates
Juha-Matti Laurio writes "After a very uncommon break in March Microsoft has just published 8 new security updates. Almost all updates that are a part of the monthly release cycle are rated as 'Critical.' New Windows Shell vulnerability, named as MS05-016 is only 'Important,' but Windows XP Service Pack 2 is affected too, however. This is not the first time when there was something to fix at Shell32.dll.
Vulnerabilities in TCP/IP that could allow remote code execution and denial of service at cumulative bulletin MS05-019 are affecting SP2 too.
Windows Kernel, Exchange, MSN Messenger, Word (Office) and Internet Explorer get their updates as well."
Auto update applied the patched and then I could not boot.
Had to run chkdsk, then it came back to life.
An update to BITS is critical because it's part of the mechanism that should be keeping your average user's Windows machine clean by downloading updates in the background without disturbing their usual browsing activities (it uses opportune moments to grab chunks of updates - once all the pieces are down, it lets you know).
...years.
One of the reasons we have so many problems with security vulnerabilities is that users don't make use of Automatic Updates, and they wind up running unpatched systems for days... weeks... months...
Sometimes there's a good reason for this, but I suspect that, more often than not, it's a lack of understanding about *why* Automatic Windows Updates is important.
So, in that context, although I can see why you might not think it's an important update, BITS is actually something you want updated with everything else unless you're *really* on top of patching your system manually.
- Rory [Microsoft Employee] | Free dirt: neopoleon.com
I've been applying 2k3 SP1 to servers at my office all week. MS did a good job of designing the patch so that it adds lots of security lockdowns without limiting applications. They add the firewall but it defaults to off for upgrades. The only part that seems scary is the stronger authentication for DCOM. It's secure, but has potential to break some apps. Details on SP1 here.
Five servers so far, and all of them have worked after the update. I'm far from a MS fan, but I have no problem admitting when they've done a good job...
Not to mention, I appreciated that Microsoft thanks those that reported the vulnerabilities:
Mark Dowd and Ben Layer of ISS X-Force for reporting the Exchange Server Vulnerability (CAN-2005-0560).
Alex Li for reporting the Word vulnerability (CAN-2005-0558).
Hongzhen Zhou for reporting the MSN Messenger Vulnerability (CAN-2005-0562).
Song Liu, Hongzhen Zhou, and Neel Mehta of ISS X-Force for reporting the IP Validation Vulnerability (CAN-2005-0048).
Fernando Gont of Argentina's Universidad Tecnologica Nacional/Facultad Regional Haedo, for working with us responsibly on the ICMP Connection Reset Vulnerability (CAN-2004-0790) and the ICMP Path MTU Vulnerability (CAN-2004-1060).
Qualys for reporting the ICMP Path MTU Vulnerability (CAN-2004-1060).
Berend-Jan Wever working with iDEFENSE for reporting the DHTML Object Memory Corruption Vulnerability (CAN-2005-0553).
3APA3A and axle@bytefall working with iDEFENSE for reporting the URL Parsing Memory Corruption Vulnerability (CAN-2005-0554).
Andres Tarasco of SIA Group for reporting the Content Advisor Memory Corruption Vulnerability (CAN-2005-0555).
iDEFENSE for reporting the Windows Shell Vulnerability (CAN-2005-0063).
Kostya Kortchinsky with CERT RENATER for reporting the Message Queuing Vulnerability (CAN-2005-0059).
John Heasman with Next Generation Security Software Ltd. for reporting the Font Vulnerability (CAN-2005-0060).
Sanjeev Radhakrishnan, Amit Joshi, and Ananta Iyengar with GreenBorder Technologies for reporting the Windows Kernel Vulnerability (CAN-2005-0061).
David Fritz working with iDEFENSE for reporting the CSRSS Vulnerability (CAN-2005-0551).
Keep in mind that the Fedora update utility is updating up to 10,000 applications, not just core system software like MS's update utility, so expect some increased complexity (although once you set up your ignore list, its usually just as easy as clicking "select all", click next, click next, all done and updated). Using the ignore funtionality works great for me under FC3 so I'm not too sure what you are referring to as far as problems go. Maybe if you supply more information someone can help you, or go to #fedora on irc.freenode.net and someone there is always willing to help. On a side note, if you are a noob you most likely dont want to be disabling any updates. Fedora by default puts new kernels on your ignore list but other then that, updating is usually a good thing (If you used something like debian testing or unstable prior to fedora I can see the basis for your paranoia as I still have one server left running debian testing and updating breaks it monthly at a minimum, but the situation is completely different in fedora and I have yet to see anything similar happen).
Regards,
Steve
It seems MS are determined to have XP users disabled from using raw sockets - in itself not such a bad idea for 99.9% of XP users but those of you who avoided SP2 (or disabled firewall/ICS atfer installing it to get round this problem) please note - it's back! and there's no known way do disable it (yet).