Microsoft Releases Eight Security Updates
Juha-Matti Laurio writes "After a very uncommon break in March, Microsoft has just published 8 new security updates. Almost all updates that are a part of the monthly release cycle are rated as 'Critical.' The new Windows Shell vulnerability, named MS05-016, is only 'Important,' but Windows XP Service Pack 2 is affected too. This is not the first time there was something to fix in Shell32.dll.
Vulnerabilities in TCP/IP that could allow remote code execution and denial of service in cumulative bulletin MS05-019 affect SP2 too.
Windows Kernel, Exchange, MSN Messenger, Word (Office) and Internet Explorer get their updates as well."
This is not the first time there was something to fix in Shell32.dll
yep, and like every operating system - it won't be the last...
And yet they are less vague than the ones which have recently come out of OpenBSD. That's scary.
...just how long have these security holes existed? It's a nifty trick to publish security holes only after patching them. Makes you look good, except in the eyes of those whose PC has already been "pwned" because of said holes...
Right.
Every OS releases security patches. MS might need more than others, but they ALL need them.
Security is a process, not an endpoint.
I don't know if I'm feeling safer or less safe after seeing these patches.
Scenario 1)
Yay!!! There are now fewer security holes.
Scenario 2)
Oh noo!!! If they still are finding problems of this type then there must be many many more.
Are you a scenario type 1 or type 2 guy?
The Internet is full. Go Away!!!
pirated/illegal copy (whatever THAT means
What do you mean? Are you seriously saying you don't know the difference between legit software you are entitled to use, and software that you downloaded and/or cracked from various backchannel methods?
Are you for real?
Can we expect a news article every month blasting Microsoft for releasing security updates? Christ, where are the news articles when updates come out for other OS's? Or is it only a bad thing when Microsoft does it?
I never understood why Microsoft released "critical updates" only every month. If they're critical, you're supposed to release a patch as soon as you hear about them. 48 hours is already too much, and a month represents a century in the IT universe...
It's not called "March Madness" for nothing! :)
I would be interested to compare how many operating systems updates were released for Solaris, AIX, HP-UX, and Linux over the past two months... without getting into an argument over impact/criticality, I'm willing to bet there's been more than 8 fixes for each of those OSes in that timeframe.
John Maynard Keynes: "When the facts change, I change my mind. What do you do?"
or else you are SOL
That should read, "or else you are too cheap to buy your operating system, or too dumb to use one that you're allowed to license for free."
You're not SOL when your stolen thing can't be upgraded, you're exactly where you deserve to be.
Don't disappoint your bird dog. Go to the range.
People don't want to be updating every five minutes. Every patch goes through a complete testing cycle at some businesses, which is very expensive. This lowers the time and expense by restricting it to once a month. Furthermore, if the security hole hasn't been publicly announced, there isn't normally something exploiting it. I think this is a matter of risk management - maybe they will get burnt by this one day, but experience has shown that this approach is acceptable.
I don't think a real comparison will even come though...
There is *one* OS exploit here.
The other exploits target Exchange and Internet Explorer
It becomes so much harder when you try to look at Linux, GNU utils, and then the FOSS services and applications.
(and then you've got distribution specific exploits)
The closest realistic comparison I can get is to ask those not-so-desirable acquaintances which ones are faster and easier to exploit. Everybody else has agendas or ties to one party or another, as it affects their income.
"We know what happens to people who stay in the middle of the road. They get run over." - Aneurin Bevan
Maybe it wasn't such a bad idea after all... or maybe users are learning how to be halfway competent?
-Rob
Marriage doesn't have to suck!
No (or at least not to the same scale).
The firewall added by SP2 significantly reduces the threat profile, especially for those people connected to the net bare. Even if a lot of local services are vulnerable, it's less of a threat if external probes can't reach them.
I don't know where or how I got it stuck in my head that WindowsXP SP2 was supposed to have fundamentally changed something about the way code ran... maybe it was just a dream. But I thought some of those critical components of the OS had gone through intensive scrutiny and all that when they were compiling updates to build SP2. But, again, I must have been dreaming since these new ones have managed to stick around.
I applied these yesterday and my fax software suddenly lost DLLs that were required for it to function. I haven't been able to determine 100% if there is a connection, but in my mind, that was the only major change to the system preceding the discovery of the problem.
Weird weird weird...
You misunderstood. /. wants everything. Especially because different people want different things...
They quite literally want to build an automatic cake making machine so they can have lots of cake while they're eating their cake : )
They want a blindingly fast machine with a 90 inch display that fits on their keychain and uses no power. They want this machine to be completely secure while allowing random applications to do whatever is necessary to squeeze their hardware. They want it to use an OS that is unpopular enough to instill geek pride but is somehow the primary development platform of all cool games.
Oh, and it should be Free as in speech, Free as in beer, and produced by a trusted public company that somehow makes money off this without doing anything that would make them unloved.
And they want cute little penguins to somehow get them laid by actual women, generally without them having to go anywhere they might actually meet women.
I'm not saying any of these individual goals are bad ideas, I'm just saying you can't always have everything you want.
(Incidentally, I'm in favor of really paranoid IE settings, but since by using it you're implicitly trusting MS, the Office update site could probably have been automatically added to that list. I think that's why the gp noted it.)
Looking for freelance Actionscript (Flash/Flex) or ColdFusion work and/or freelance developers. Email me, put Slashdot
Why wait a month? Because their patching system blows. They didn't learn lessons learned decades ago about how to patch core components and kernel services, and now we live with this every day (or month, as the case may be).
Patching a single Windows machine is difficult, especially if you are a novice (many still don't understand why computers "just don't work"). Patching many Windows machines is hard. Patching a live server is hard. Considering how hard the patching is on some machines, you might even want to consider waiting a few more days until the weekend to apply these patches, especially since one of the patches fixes exploits that are mitigated by using firewalls. Regardless, Windows is so hard to patch that you can't have the "on the fly" patching feature other platforms have.
It is really the lesser of two evils. You can either spend almost all of your time patching or you can lump the difficult time into one large shot. If MS dropped patches whenever they felt they were complete (which is good for security!), by the time you finished updating the entire enterprise (this might take weeks if not a month with serious stuff like SP2) you'd have to start over and do it again for a brand new one. So on and so forth.
The real problem is "patching Windows is hard". The "fix" right now to this is pushing patches once a month. As long as Windows is hard to patch then there is no other real solution to this horrible situation MS sold us on.
First, you have to carefully define exactly which software is part of the operating system. Windows includes almost no software out of the box, so security problems in widely-used Windows programs aren't considered to be OS vulnerabilities. On the other hand, Linux distributions tend to install lots and lots of extra software in addition to the base OS, and a vulnerability in any one of these extra packages is reported as a vulnerability in the distribution. For example, Debian had 11 security advisories for March 2005 (see http://www.debian.org/security/2005/), but none of them (with the possible exception of netkit-telnet and netkit-telnet-ssl) can really be considered problems with the OS. So you can't just compare the number of reported security problems in each OS, because the two numbers have vastly different scope.
- If you have XP Service Pack 2, and are behind a router, the ICMP vulnerability is a non-issue. Your router responds to pings, not your computer.
- If you use Mozilla Firefox, the IE vulnerability is a non-issue as well.
- The Exchange vulnerability is a non-issue for desktop users.
- If you use MSN Messenger, update. I don't.
- If you open other people's Word documents, update. I use Abiword, or let Google translate them to HTML.
-Dan
People don't want to be updating every five minutes.
Microsoft don't force these updates on people. If they release the patches when they are ready, you can still only update once a month if you want to.
Furthermore, if the security hole hasn't been publicly announced, there isn't normally something exploiting it.
I think you mean "if the security hole hasn't been publicly announced, people have no clue whether there are things exploiting it or not."
Or do you think that black hats make formal announcements when they discover vulnerabilities?
I think this is a matter of risk management
Indeed it is. By releasing patches on a regular basis rather than when the patches are finished, Microsoft force their customers to go from a known, quantifiable risk (the cost of testing and patching) to a completely unknown risk (the possibility of being compromised, unknown severity).
So yes, it's a matter of risk management - Microsoft are taking away your ability to manage your risks effectively.
Patches for Fedora are regular bug fixes for the 10,000+ Linux packages available. These Windows critical updates are fixes for vulnerabilities in the operating system itself, which could be compromised by 'hackers' out there. Totally different from those updates you are installing with Fedora. This is crazy b/c huge holes in Windows are found on a monthly basis. This is not true for any other OS.
First, you have to carefully define exactly which software is part of the operating system. Windows includes almost no software out of the box, so security problems in widely-used Windows programs aren't considered to be OS vulnerabilities.
Well, even the Slashdot blurb clearly lists many applications as included in this MS fixlist, even if you debate the browser status (Word, Exchange, MSN Messenger (separate download app, != Windows Messenger)). Of the critical ones, actually only one is OS (TCP/IP), two if you count IE.
We all know that they have had their issues with security in the past. But over the last three years they have taken some great strides to improve it.
I applaud them for doing their own proactive penetration testing on their software, as well as enlisting the help of third-party companies to do the same. This is far better than the "we'll see what happens" approach of years past. This proactive approach cuts down on zero-day exploits (granted, there still will be a few), teaches them to learn from their mistakes, as well as providing education to the software dev community on those mistakes.
So, instead of ranting and complaining about these patches, I think people should take a moment to reflect and see the bigger picture of what's being accomplished here.
"It's not rocket science, Smithers! It's only brain surgery!" --Mr. Burns