Slashdot Mirror

← Back to Stories (view on slashdot.org)

Microsoft Releases Eight Security Updates

Posted by CowboyNeal on from the locking-down dept.

Juha-Matti Laurio writes "After a very uncommon break in March Microsoft has just published 8 new security updates. Almost all updates that are a part of the monthly release cycle are rated as 'Critical.' New Windows Shell vulnerability, named as MS05-016 is only 'Important,' but Windows XP Service Pack 2 is affected too, however. This is not the first time when there was something to fix at Shell32.dll. Vulnerabilities in TCP/IP that could allow remote code execution and denial of service at cumulative bulletin MS05-019 are affecting SP2 too. Windows Kernel, Exchange, MSN Messenger, Word (Office) and Internet Explorer get their updates as well."

40 of 344 comments (clear)

  1. Phew! by teiresias · · Score: 4, Funny

    Phew and here I was thinking hell had frozen over in March and Microsoft wouldn't have any new security updates. Thanks for reassuring me Microsoft. You had me nervous.

    --
    -Teiresias
    1. Re:Phew! by Anonymous Coward · · Score: 4, Insightful
      I would be interested to compare how many operating systems updates were released for Solaris, AIX, HP-UX, and Linux over the past two months...

      First, you have to carefully define exactly which software is part of the operating system. Windows includes almost no software out of the box, so security problems in widely-used Windows programs aren't considered to be OS vulnerabilities. On the other hand, Linux distributions tend to install lots and lots of extra software in addition to the base OS, and a vulnerability in any one of these extra packages is reported as a vulnerability in the distribution. For example, Debian had 11 security advisories for March 2005 (see http://www.debian.org/security/2005/), but none of them (with the possible exception of netkit-telnet and netkit-telnet-ssl) can really be considered problems with the OS. So you can't just compare the number of reported security problems in each OS, because the two numbers have vastly different scope.

    2. Re:Phew! by Laura_DilDio · · Score: 5, Funny

      No, this just evidence that Microsoft takes security seriously -- more seriously, in fact, than that pinko-commie-bastard operating system you all feel so drawn towards.

      Also, I'll have you pigs know that I'm leaving my duties at the Yankee Group. I've accepted a position serving Lord William at Microsoft. I'm to be his new Groom of the Stool

      Love,
      Laura

  2. yep - move on by nighty5 · · Score: 4, Insightful

    This is not the first time when there was something to fix at Shell32.dll

    yep, and like every operating system - it won't be the last...

  3. Woohoo! by djinn2020 · · Score: 4, Funny
    Yay, Microsoft Windows XP is now completely invulnerable

    Thanks, Bill.

    --
    Mens et Manus
    1. Re:Woohoo! by LurkerXXX · · Score: 4, Insightful
      Are you trying to say whatever OS you use is?

      Right.

      Every OS releases security patches. MS might need more than others, but the ALL need them.

      Security is a process, not an endpoint.

    2. Re:Woohoo! by 0x461FAB0BD7D2 · · Score: 5, Funny

      Contrarily, a punchline is an endpoint, and not a process.

  4. More updates by nenolod · · Score: 5, Insightful

    And yet they are less vague than the ones which have recently come out of OpenBSD. That's scary.

  5. WS2K3 SP1 by koh · · Score: 4, Informative

    Windows Server 2003 SP1 is also available. Apparently it's a kind of XP SP2 but for Server 2003. With the firewall, security center, IE "enhanced security", spyware removal tool that doesn't run, etc.

    I just hope it doesn't break as many apps...

    --
    Karma cannot be described by words alone.
    1. Re:WS2K3 SP1 by Kimos · · Score: 5, Informative

      I've been applying 2k3 SP1 to servers at my office all week. MS did a good job of designing the patch so that it adds lots of security lockdowns without limiting applications. They add the firewall but it defaults to off for upgrades. The only part that seems scary is the stronger authentication for DCOM. It's secure, but has potential to break some apps. Details on SP1 here.

      Five servers so far, and all of them have worked after the update. I'm far from a MS fan, but I have no problem admitting when they've done a good job...

    2. Re:WS2K3 SP1 by koh · · Score: 4, Informative

      After 1 day of use :

      IIS (HTTP, FTP) works (after tweaking the firewall of course), at least for the minimal use I have of it.

      Exceed works too after registering it with the firewall.

      IE's "enhanced security" makes it _really_ paranoid, but I use it only for updates so I couldn't care less (had to add Office Update to the trusted sites though).

      IMHO the real thing here is to check how in-house developped server components will behave under SP1... since we don't have that many customers using it, bug reports won't come until a few weeks I hope.

      --
      Karma cannot be described by words alone.
    3. Re:WS2K3 SP1 by ookaze · · Score: 4, Interesting

      Five servers so far, and all of them have worked after the update. I'm far from a MS fan, but I have no problem admitting when they've done a good job.

      The scary thing is that this fact is worthy of a post, and is informative.
      Patches that do not break anything should be the rule, not the exception.

    4. Re:WS2K3 SP1 by arete · · Score: 5, Insightful

      You misunderstood. /. wants everything. Especially because different people want different things...)

      They quite literally want to build a automatic cake making machine so they can have lots of cake while they're eating their cake : )

      They want a blindingly fast machine with a 90 inch display that fits on their keychain and uses no power. They want this machine to be completely secure while allowing random applications to do whatever necessary to squeeze their hardware. They want it to use an OS that is unpopular enough instill geek pride but is somehow the primary development platform of all cool games.

      Oh, and it should be Free as in speech, Free as in beer, and produced by a trusted public company that somehow makes money off this without doing anything that would make them unloved.

      And they want cute little penguins to somehow get them laid by actual women, generally without them having to go anywhere they might actually meet women.

      I'm not saying any of these individual goals are bad ideas, I'm just saying you can't always have everything you want.

      (Incidentally, I'm in favor of really paranoid IE settings, but since by using it you're implicitly trusting MS, the Office update site could probably have been automatically added to that list. I think that's why the gp noted it.)

      --
      Looking for freelance Actionscript (Flash/Flex) or ColdFusion work and/or freelance developers. Email me, put Slashdot
    5. Re:WS2K3 SP1 by arete · · Score: 4, Funny

      (to the parent - not the gp, who is me : )

      if it were up to me, I'd mod up your post before mine - that was witty AND concise.

      Naturally, I try to write something funny, and I get insightful. The only time I can remember getting a funny mod was when I complained about only getting insightful mods - like this - which is a pretty perfect example of something that shouldn't be modded funny, so it was one of my least deserving moments.

      *sigh*

      What's worse is I was proud of it anyway ; )

      --
      Looking for freelance Actionscript (Flash/Flex) or ColdFusion work and/or freelance developers. Email me, put Slashdot
    6. Re:WS2K3 SP1 by mopslik · · Score: 5, Funny

      They want a blindingly fast machine with a 90 inch display that fits on their keychain and uses no power.

      Now that's not true at all. I want my machine to generate power, which I can then use to run the cake machine.

    7. Re:WS2K3 SP1 by koh · · Score: 4, Informative

      (Incidentally, I'm in favor of really paranoid IE settings, but since by using it you're implicitly trusting MS, the Office update site could probably have been automatically added to that list. I think that's why the gp noted it.)

      Indeed.

      Amusingly, I tried the Acid2 Test on IE with "enhanced security" turned on and it warned me the page may not render correctly because it "required an ActiveX control" that "was being blocked".

      An ActiveX control ? On the Acid test page ? Turns out the page contains 3 <object> tags used to check cascaded content... Of course we all know an <object> tag always is an ActiveX control, do we ?

      That's what I meant by "paranoid" :)

      --
      Karma cannot be described by words alone.
  6. Re:I wonder . . . by Anonymous Coward · · Score: 5, Funny

    Huh? These are patches, not new features being added.

    Technically, they are feautures being removed. Microsoft should pay us to install them. :(

  7. Unscientific Results So Far... by ScentCone · · Score: 4, Informative

    I've applied these to about 15 servers this morning - boxes running IIS, SQL, Exchange, and so far nothing has blown up. What really gets me is the bandwidth they must be putting into the distribution. The 8 or so MB that the servers are downloading is coming across much more quickly than I've seen it in the past. Could just be an abberation, but usually the feeding frenzy is pretty intense.

    --
    Don't disappoint your bird dog. Go to the range.
  8. maybe it's me ... by icebrrrg · · Score: 5, Interesting

    ... but after using the "windows update" utility in XP and 2000/2003 server for some time, and being a newbie to fedora (new servers in my home lab), i find the MS utilities muuuuuch easier to use than the fedora update manager. once i say no to an update, that choice stays "no" ... i have to always say no to unwanted updates in fedora (even tho they're on my ignore list). am i a feeble n00b, or could the linux distros learn a thing or two from MSFT?

    --
    nothing worth possessing isn't possessed. or something.
    1. Re:maybe it's me ... by LnxAddct · · Score: 5, Informative

      Keep in mind that the Fedora update utility is updating up to 10,000 applications, not just core system software like MS's update utility, so expect some increased complexity (although once you set up your ignore list, its usually just as easy as clicking "select all", click next, click next, all done and updated). Using the ignore funtionality works great for me under FC3 so I'm not too sure what you are referring to as far as problems go. Maybe if you supply more information someone can help you, or go to #fedora on irc.freenode.net and someone there is always willing to help. On a side note, if you are a noob you most likely dont want to be disabling any updates. Fedora by default puts new kernels on your ignore list but other then that, updating is usually a good thing (If you used something like debian testing or unstable prior to fedora I can see the basis for your paranoia as I still have one server left running debian testing and updating breaks it monthly at a minimum, but the situation is completely different in fedora and I have yet to see anything similar happen).
      Regards,
      Steve

  9. Critical Updates Plus Bonus Junk by pycnanthemum · · Score: 5, Interesting

    Glad I don't do "Auto Install"...hidden way at the bottom of the list of things Windows wanted to update was...

    Update for Background Intelligent Transfer Service (BITS) 2.0 and WinHTTP 5.1 (KB842773)
    Download size: 694 KB, 1 minute
    This software updates the Background Intelligent Transfer Service (BITS) to v2.0 and updates WinHTTP. These updates help ensure an optimal download experience with new versions of Automatic Updates, Windows Update, and other programs that rely on BITS to transfer files using idle network bandwidth.

    How is this critical?

    1. Re:Critical Updates Plus Bonus Junk by Neopoleon · · Score: 5, Informative

      An update to BITS is critical because it's part of the mechanism that should be keeping your average user's Windows machine clean by downloading updates in the background without disturbing their usual browsing activities (it uses opportune moments to grab chunks of updates - once all the pieces are down, it lets you know).

      One of the reasons we have so many problems with security vulnerabilities is that users don't make use of Automatic Updates, and they wind up running unpatched systems for days... weeks... months... ...years.

      Sometimes there's a good reason for this, but I suspect that, more often than not, it's a lack of understanding about *why* Automatic Windows Updates is important.

      So, in that context, although I can see why you might not think it's an important update, BITS is actually something you want updated with everything else unless you're *really* on top of patching your system manually.

      --
      - Rory [Microsoft Employee] | Free dirt: neopoleon.com
    2. Re:Critical Updates Plus Bonus Junk by stinerman · · Score: 4, Interesting

      If I'm not mistaken, it allows the auto-update feature to only use idle bandwidth when downloading new updates.

      This is good for Joe User who is trying to surf on a 56k modem while downloading 10MB of updates. ISPs probably got calls of "the internet being slow", likely due to auto-update running while they were trying to surf.

      Is it critical? No. Helpful? Probably.

  10. One wonders... by Moggie68 · · Score: 4, Insightful

    ..just how long these security holes have existed? It's a nifty trick to publish security holes only after patching them. Makes you look good, except in the eyes of those whose PC has already been "pwned" because of said holes...

    1. Re:One wonders... by Nevo · · Score: 4, Informative

      Read the bulletins. Each security bulletin has a section in which Microsoft says whether or not the vulnerability was publicly reported, and whether or not Microsoft was aware of public exploits at the time the bulletin was published. My understanding is that none of this month's vulnerabilities were publicly known. Granted, you won't know how long Microsoft knew of the hole (which is useless information), but you'll know if it was a zero-day exploit (which is marginally more useful information).

    2. Re:One wonders... by Neopoleon · · Score: 5, Insightful

      You have to keep things in perspective - Windows isn't open source, so publishing the vulnerabilities ahead of time, in many cases, wouldn't actually do much good.

      As you know, with OSS, announcing a vulnerability is like a call to arms, getting devs out of bed and coding fixes. With a closed source product, it's like saying "Cooooooooooooome 'n get it!"

      If users could plug these holes with their fingers, then telling them would help. As things are, though, this is probably the safer way to do it for our product.

      --
      - Rory [Microsoft Employee] | Free dirt: neopoleon.com
  11. Patches by johndou1 · · Score: 5, Informative

    Auto update applied the patched and then I could not boot.

    Had to run chkdsk, then it came back to life.

    1. Re:Patches by saddino · · Score: 4, Informative

      Same here. On restart I went into some funky graphics mode (looked like a crash on an old C64) alternating between a light blue screen, a light green screen and some multicolored vertical lines. This is a brand new machines with XP Pro and basically only Visual Studio installed.

      I almost had a heart attack because I didn't back up code I wrote last night (dumb to apply updates without backing up, yes I know).

      A hard reboot fixed it for me, but I'm still a little nervous.

  12. The Big Three by Rhaythe · · Score: 4, Informative

    The most worrisome are (from least to most)
    MS05-019 Vulnerabilities in TCP/IP Could Allow Remote Code Execution and Denial of Service.
    Remotely Exploitable. Good potential for the next superworm.
    IP Validation Vulnerability (CAN-2005-0048 ) - "Incomplete validation of IP Network Packets" is how Microsoft describes this vulnerability.

    MS05-021 - Vulnerability in Exchange Server Could Allow Remote Code Execution.
    Remotely Exploitable Buffer Overflow
    Exchange Server Vulnerability (CAN-2005-0560) - The service fails to handle SMTP extended verb requests. On Exchange 2000, if an attacker connects to an SMTP port (unauthenticated users will work) and issues a specially crafted extended verb request, this would allow an attacker to run the code of their choice as the SMTP service runs as Local System.

    MS05-020: Cumulative Security Update for Internet Explorer (890923)
    Remotely exploitable.

    All three problems fixed would require a user to browse a malicious website or click on a link... but then there is a HIGH probability that THAT will happen. Again proof of concept exploit code has been released for this flaw.

  13. Feel safer now? by 3770 · · Score: 4, Insightful

    I don't know if I'm feeling safer or less safe after seeing these patches.

    Scenario 1)
    Yay!!! There are now fewer security holes.

    Scenario 2)
    Oh noo!!! If they still are finding problems of this type then there must be many many more.

    Are you a scenario type 1 or type 2 guy?

    --
    The Internet is full. Go Away!!!
  14. Re:Thank you MS! by xocp · · Score: 5, Informative

    Not to mention, I appreciated that Microsoft thanks those that reported the vulnerabilities:

    Mark Dowd and Ben Layer of ISS X-Force for reporting the Exchange Server Vulnerability (CAN-2005-0560).

    Alex Li for reporting the Word vulnerability (CAN-2005-0558).

    Hongzhen Zhou for reporting the MSN Messenger Vulnerability (CAN-2005-0562).

    Song Liu, Hongzhen Zhou, and Neel Mehta of ISS X-Force for reporting the IP Validation Vulnerability (CAN-2005-0048).

    Fernando Gont of Argentina's Universidad Tecnologica Nacional/Facultad Regional Haedo, for working with us responsibly on the ICMP Connection Reset Vulnerability (CAN-2004-0790) and the ICMP Path MTU Vulnerability (CAN-2004-1060).

    Qualys for reporting the ICMP Path MTU Vulnerability (CAN-2004-1060).

    Berend-Jan Wever working with iDEFENSE for reporting the DHTML Object Memory Corruption Vulnerability (CAN-2005-0553).

    3APA3A and axle@bytefall working with iDEFENSE for reporting the URL Parsing Memory Corruption Vulnerability (CAN-2005-0554).

    Andres Tarasco of SIA Group for reporting the Content Advisor Memory Corruption Vulnerability (CAN-2005-0555).

    iDEFENSE for reporting the Windows Shell Vulnerability (CAN-2005-0063).

    Kostya Kortchinsky with CERT RENATER for reporting the Message Queuing Vulnerability (CAN-2005-0059).

    John Heasman with Next Generation Security Software Ltd. for reporting the Font Vulnerability (CAN-2005-0060).

    Sanjeev Radhakrishnan, Amit Joshi, and Ananta Iyengar with GreenBorder Technologies for reporting the Windows Kernel Vulnerability (CAN-2005-0061).

    David Fritz working with iDEFENSE for reporting the CSRSS Vulnerability (CAN-2005-0551).

  15. I always download updates ASAP by Anonymous Coward · · Score: 4, Funny

    That way I can be the first to break something. It's no fun having a solution already up on Google.

  16. So... by bl4nk · · Score: 5, Insightful

    Can we expect a news article every month blasting Microsoft for releasing security updates? Christ, where are the news articles when updates come out for other OS's? Or is it only a bad thing when Microsoft does it?

  17. "Critical" patches every month. Sure, we can wait! by TheStick · · Score: 5, Insightful

    I never understood why Microsoft released "critical updates" only every month. If they're critical, you're supposed to release a patch as soon as you hear about them. 48 hours is already too much, and a month represents a century in the IT universe...

  18. silent install by unk1911 · · Score: 4, Interesting

    last night, i got a popup message saying "updates were applied to your system and it will be rebooted in 5 minutes" - i tried to kill that process but it kept respawning. is that related to these patches? weird, i thought i had autoupdate disabled..

    --
    http://unk1911.blogspot.com

    1. Re:silent install by mr_z_beeblebrox · · Score: 4, Funny

      is that related to these patches? weird, i thought i had autoupdate disabled.

      Nope. That was me, sorry.

  19. Re:Will there be another spate of worms? by lpangelrob2 · · Score: 4, Insightful
    No... in fact, after all the flak that was thrown in the uproar over when MS starting saying, "We're not announcing security leaks until we've patched them," I don't recall hearing anything about self-propogating, bandwidth-sucking worms anymore. Heck, not even anything like Melissa or "I love you" lately. No zero-day exploits. Nothing.

    Maybe it wasn't such a bad idea after all... or maybe users are learning how to be halfway competent?

    --
    -Rob
    Marriage doesn't have to suck!
  20. Because MS "Painted Themselves Into A Corner" by EXTomar · · Score: 5, Insightful

    Why wait a month? Because their patching system blows. They didn't learn lessons learned decades ago about how to patch core components and kernel services and now we live with this every day (or month as the case maybe).

    Patching a single Windows machine is difficult especially if you are a novice (many still don't understand why computers "just don't work"). Patching many Windows machines is hard. Patching a live server is hard. Considering how hard some of the patching is on some machines you might even want to consider waiting a few more days to the weekend to apply this patch to patch them especially since one of the patches fixes exploits that are mitigated by using firewalls. Reguardless Windows is so hard to patch you can't have the "on the fly" patching other platforms feature.

    It is really lesser of two evils. You can either spend almost all of your time patching or you can lump the difficult time in one large shot. If MS dropped patches when ever they felt it was complete (which is good for security!) you finished updating the entire enterprise (this might take a weeks if not a month with serious stuff like SP 2) you'd have to start over and do it again for a brand new one. So on and so forth.

    The real problem is "patching Windows is hard". The "fix" right now to this is pushing patches once a month. As long as Windows is hard to patch then there is no other real solution to this horrible situation MS sold us on.

  21. MS05-019 breaks raw socket sends (again!) by Eyeball97 · · Score: 5, Informative

    It seems MS are determined to have XP users disabled from using raw sockets - in itself not such a bad idea for 99.9% of XP users but those of you who avoided SP2 (or disabled firewall/ICS atfer installing it to get round this problem) please note - it's back! and there's no known way do disable it (yet).

  22. Re:So, My Fedora Core 3 Install just got 30+ by bach37 · · Score: 4, Insightful

    Patches for Fedora are regular bug fixes for the 10,000+ Linux packages available. These Windows critial updates are fixes for vunerablilities in the operating system itself, which could be compromised by 'hackers' out there. Totally different from those updates you are installing with Fedora. This is crazy b/c huge holes in Windows are found on a monthly basis. This is not true for any other OS.