Microsoft Releases Eight Security Updates
Juha-Matti Laurio writes "After a very uncommon break in March Microsoft has just published 8 new security updates. Almost all updates that are a part of the monthly release cycle are rated as 'Critical.' New Windows Shell vulnerability, named as MS05-016 is only 'Important,' but Windows XP Service Pack 2 is affected too, however. This is not the first time when there was something to fix at Shell32.dll.
Vulnerabilities in TCP/IP that could allow remote code execution and denial of service at cumulative bulletin MS05-019 are affecting SP2 too.
Windows Kernel, Exchange, MSN Messenger, Word (Office) and Internet Explorer get their updates as well."
Phew and here I was thinking hell had frozen over in March and Microsoft wouldn't have any new security updates. Thanks for reassuring me Microsoft. You had me nervous.
-Teiresias
This is not the first time when there was something to fix at Shell32.dll
yep, and like every operating system - it won't be the last...
Thanks, Bill.
Mens et Manus
And yet they are less vague than the ones which have recently come out of OpenBSD. That's scary.
Windows Server 2003 SP1 is also available. Apparently it's a kind of XP SP2 but for Server 2003. With the firewall, security center, IE "enhanced security", spyware removal tool that doesn't run, etc.
I just hope it doesn't break as many apps...
Karma cannot be described by words alone.
Huh? These are patches, not new features being added.
:(
Technically, they are features being removed. Microsoft should pay us to install them.
I've applied these to about 15 servers this morning - boxes running IIS, SQL, Exchange, and so far nothing has blown up. What really gets me is the bandwidth they must be putting into the distribution. The 8 or so MB that the servers are downloading is coming across much more quickly than I've seen it in the past. Could just be an aberration, but usually the feeding frenzy is pretty intense.
Don't disappoint your bird dog. Go to the range.
... but after using the "windows update" utility in XP and 2000/2003 server for some time, and being a newbie to fedora (new servers in my home lab), i find the MS utilities muuuuuch easier to use than the fedora update manager. once i say no to an update, that choice stays "no" ... i have to always say no to unwanted updates in fedora (even tho they're on my ignore list). am i a feeble n00b, or could the linux distros learn a thing or two from MSFT?
nothing worth possessing isn't possessed. or something.
Glad I don't do "Auto Install"...hidden way at the bottom of the list of things Windows wanted to update was...
Update for Background Intelligent Transfer Service (BITS) 2.0 and WinHTTP 5.1 (KB842773)
Download size: 694 KB, 1 minute
This software updates the Background Intelligent Transfer Service (BITS) to v2.0 and updates WinHTTP. These updates help ensure an optimal download experience with new versions of Automatic Updates, Windows Update, and other programs that rely on BITS to transfer files using idle network bandwidth.
How is this critical?
..just how long these security holes have existed? It's a nifty trick to publish security holes only after patching them. Makes you look good, except in the eyes of those whose PC has already been "pwned" because of said holes...
Auto update applied the patches and then I could not boot.
Had to run chkdsk, then it came back to life.
The most worrisome are (from least to most)
MS05-019 Vulnerabilities in TCP/IP Could Allow Remote Code Execution and Denial of Service.
Remotely Exploitable. Good potential for the next superworm.
IP Validation Vulnerability (CAN-2005-0048) - "Incomplete validation of IP Network Packets" is how Microsoft describes this vulnerability.
MS05-021 - Vulnerability in Exchange Server Could Allow Remote Code Execution.
Remotely Exploitable Buffer Overflow
Exchange Server Vulnerability (CAN-2005-0560) - The service fails to handle SMTP extended verb requests. On Exchange 2000, if an attacker connects to an SMTP port (unauthenticated users will work) and issues a specially crafted extended verb request, this would allow an attacker to run the code of their choice as the SMTP service runs as Local System.
MS05-020: Cumulative Security Update for Internet Explorer (890923)
Remotely exploitable.
All three problems fixed would require a user to browse a malicious website or click on a link... but then there is a HIGH probability that THAT will happen. Again proof of concept exploit code has been released for this flaw.
I would like to thank MS for being so diligent in protecting the everyday computer user from malicious attacks from evil-doers. Keep the patches coming!
One man's Funny is another man's Offtopic.
I don't know if I'm feeling safer or less safe after seeing these patches.
Scenario 1)
Yay!!! There are now fewer security holes.
Scenario 2)
Oh noo!!! If they still are finding problems of this type then there must be many many more.
Are you a scenario type 1 or type 2 guy?
The Internet is full. Go Away!!!
pirated/illegal copy (whatever THAT means
What do you mean? Are you seriously saying you don't know the difference between legit software you are entitled to use, and software that you downloaded and/or cracked from various backchannel methods?
Are you for real?
That way I can be the first to break something. It's no fun having a solution already up on Google.
Can we expect a news article every month blasting Microsoft for releasing security updates? Christ, where are the news articles when updates come out for other OS's? Or is it only a bad thing when Microsoft does it?
At least they're not calling MSN Messenger an important update anymore :)
It's all fun & games until someone loses the game.
I never understood why Microsoft released "critical updates" only every month. If they're critical, you're supposed to release a patch as soon as you hear about them. 48 hours is already too much, and a month represents a century in the IT universe...
I just went to update Win2003 SP1 and all they offered was the Windows Malicious Software Removal Tool - April 2005. I'm disappointed at missing my patch fix for this month :-(
or else you are SOL
That should read, "or else you are too cheap to buy your operating system, or too dumb to use one that you're allowed to license for free."
You're not SOL when your stolen thing can't be upgraded, you're exactly where you deserve to be.
Don't disappoint your bird dog. Go to the range.
last night, i got a popup message saying "updates were applied to your system and it will be rebooted in 5 minutes" - i tried to kill that process but it kept respawning. is that related to these patches? weird, i thought i had autoupdate disabled..
--
http://unk1911.blogspot.com
People don't want to be updating every five minutes. Every patch goes through a complete testing cycle at some businesses, which is very expensive. This lowers the time and expense by restricting it to once a month. Furthermore, if the security hole hasn't been publicly announced, there isn't normally something exploiting it. I think this is a matter of risk management - maybe they will get burnt by this one day, but experience has shown that this approach is acceptable.
Read Broadband Reports security forum thread about this. It appears the rerelease patch fixed the blue screen problems, proxy, etc.
Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
Hmm, Microsoft security updates. Must be the 2nd Tuesday of the month.
I don't even use MS products and I know about their update schedule, yet every 2nd Tuesday of the month
Maybe it wasn't such a bad idea after all... or maybe users are learning how to be halfway competent?
-Rob
Marriage doesn't have to suck!
No (or at least not to the same scale).
The firewall added by SP2 significantly reduces the threat profile, especially for those people connected to the net bare. Even if a lot of local services are vulnerable, it's less of a threat if external probes can't reach them.
I don't know where or how I got it stuck in my head that WindowsXP SP2 was supposed to have fundamentally changed something about the way code ran... maybe it was just a dream. But I thought some of those critical components of the OS had gone through intensive scrutiny and all that when they were compiling updates to build SP2. But, again, I must have been dreaming since these new ones have managed to stick around.
I applied these yesterday and my fax software suddenly lost DLLs that were required for it to function. I haven't been able to determine 100% if there is a connection, but in my mind, that was the only major change to the system preceding the discovery of the problem.
Weird weird weird...
Why wait a month? Because their patching system blows. They didn't learn lessons learned decades ago about how to patch core components and kernel services and now we live with this every day (or month as the case may be).
Patching a single Windows machine is difficult especially if you are a novice (many still don't understand why computers "just don't work"). Patching many Windows machines is hard. Patching a live server is hard. Considering how hard some of the patching is on some machines you might even want to consider waiting a few more days to the weekend to apply this patch to patch them especially since one of the patches fixes exploits that are mitigated by using firewalls. Regardless, Windows is so hard to patch you can't have the "on the fly" patching other platforms feature.
It is really lesser of two evils. You can either spend almost all of your time patching or you can lump the difficult time in one large shot. If MS dropped patches whenever they felt it was complete (which is good for security!) you finished updating the entire enterprise (this might take weeks if not a month with serious stuff like SP 2) you'd have to start over and do it again for a brand new one. So on and so forth.
The real problem is "patching Windows is hard". The "fix" right now to this is pushing patches once a month. As long as Windows is hard to patch then there is no other real solution to this horrible situation MS sold us on.
It seems MS are determined to have XP users disabled from using raw sockets - in itself not such a bad idea for 99.9% of XP users but those of you who avoided SP2 (or disabled firewall/ICS after installing it to get round this problem) please note - it's back! and there's no known way to disable it (yet).
Why is this news at all ?
Patches up
I have mod points and I am not afraid to use them
I am installing patches on 250+ systems right now while I read slashdot. Try using SUS server or GFI Languard (which is what I am using). This thing pays for itself easily in the first month if you are doing 300+ systems by hand like your message says.
- If you have XP Service Pack 2, and are behind a router, the ICMP vulnerability is a non-issue. Your router responds to pings, not your computer.
- If you use Mozilla Firefox, the IE vulnerability is a non-issue as well.
- The Exchange vulnerability is a non-issue for desktop users.
- If you use MSN Messenger, update. I don't.
- If you open other people's Word documents, update. I use Abiword, or let google translate them to html.
-Dan
People don't want to be updating every five minutes.
Microsoft don't force these updates on people. If they release the patches when they are ready, you can still only update once a month if you want to.
Furthermore, if the security hole hasn't been publicly announced, there isn't normally something exploiting it.
I think you mean "if the security hole hasn't been publicly announced, people have no clue whether there are things exploiting it or not."
Or do you think that black hats make formal announcements when they discover vulnerabilities?
I think this is a matter of risk management
Indeed it is. By releasing patches on a regular basis rather than when the patches are finished, Microsoft force their customers to go from a known, quantifiable risk (the cost of testing and patching) to a completely unknown risk (the possibility of being compromised, unknown severity).
So yes, it's a matter of risk management - Microsoft are taking away your ability to manage your risks effectively.
Then don't patch it. Nobody's forcing you to, since you can just not go to the Windows Update site, and can turn off Automatic Updates. :).
Just don't be surprised if things break later
Patching systems is a fact of life, under any operating system under the sun.
As part of my job I've been tracking exploits for these as they pop up on the usual lists and public exploit archives. So far there's an instant root shell using a single HTML file opened in IE; ditto for "windows shell remote code execution"; and a couple for Access (tho' I don't believe those were actually part of the Patch Tuesday frenzy.) Fun times! Who's running the book on whether someone will wormify one of these? My betting is NOT; I think MS have managed to do just enough to get back ahead of the skiddies (well, worm-author skiddies anyway) for the next few months at least. XPSP2 is taking all the fun out of incident response ;)
"Microsoft Releases Eight Security Updates" - And twenty-four new ones! Yay!
In the Soviet Union, signatures writes you!
Explorer is part of the operating system, remember? So explorer exploits count as OS exploits, especially because a lot of the explorer exploits are arbitrary code execution exploits, which are beyond critical.
ad logicam Claiming a proposition is false because it was presented as the conclusion of a fallacious argument.
Take a look at Microsoft Security Bulletin MS05-019.
If you are running SP2, none of the flaws is considered worse than "moderate".
1) The criticality of a fix depends on the OS. A critical bug in Win2k may be only moderate in XPSP2, but it's always advertised as just "critical".
2) This is good proof that (at least by Microsoft's analysis of criticality) XPSP2 does improve security dramatically, even in the face of defects.
A speech...