Slashdot Mirror


Microsoft Releases Eight Security Updates

Juha-Matti Laurio writes "After a very uncommon break in March, Microsoft has just published 8 new security updates. Almost all updates that are a part of the monthly release cycle are rated as 'Critical.' The new Windows Shell vulnerability, named MS05-016, is only 'Important,' but Windows XP Service Pack 2 is affected too. This is not the first time there was something to fix in Shell32.dll. Vulnerabilities in TCP/IP that could allow remote code execution and denial of service, in cumulative bulletin MS05-019, affect SP2 too. Windows Kernel, Exchange, MSN Messenger, Word (Office) and Internet Explorer get their updates as well."

18 of 344 comments

  1. More updates by nenolod · · Score: 5, Insightful

    And yet they are less vague than the ones which have recently come out of OpenBSD. That's scary.

  2. Re:I wonder . . . by Anonymous Coward · · Score: 5, Funny

    Huh? These are patches, not new features being added.

    Technically, they are features being removed. Microsoft should pay us to install them. :(

  3. maybe it's me ... by icebrrrg · · Score: 5, Interesting

    ... but after using the "windows update" utility in XP and 2000/2003 server for some time, and being a newbie to fedora (new servers in my home lab), i find the MS utilities muuuuuch easier to use than the fedora update manager. once i say no to an update, that choice stays "no" ... i have to always say no to unwanted updates in fedora (even tho they're on my ignore list). am i a feeble n00b, or could the linux distros learn a thing or two from MSFT?

    --
    nothing worth possessing isn't possessed. or something.
    1. Re:maybe it's me ... by LnxAddct · · Score: 5, Informative

      Keep in mind that the Fedora update utility is updating up to 10,000 applications, not just core system software like MS's update utility, so expect some increased complexity (although once you set up your ignore list, it's usually just as easy as clicking "select all", click next, click next, all done and updated). Using the ignore functionality works great for me under FC3 so I'm not too sure what you are referring to as far as problems go. Maybe if you supply more information someone can help you, or go to #fedora on irc.freenode.net and someone there is always willing to help. On a side note, if you are a noob you most likely don't want to be disabling any updates. Fedora by default puts new kernels on your ignore list but other than that, updating is usually a good thing (If you used something like debian testing or unstable prior to fedora I can see the basis for your paranoia as I still have one server left running debian testing and updating breaks it monthly at a minimum, but the situation is completely different in fedora and I have yet to see anything similar happen).
      Regards,
      Steve

  4. Critical Updates Plus Bonus Junk by pycnanthemum · · Score: 5, Interesting

    Glad I don't do "Auto Install"...hidden way at the bottom of the list of things Windows wanted to update was...

    Update for Background Intelligent Transfer Service (BITS) 2.0 and WinHTTP 5.1 (KB842773)
    Download size: 694 KB, 1 minute
    This software updates the Background Intelligent Transfer Service (BITS) to v2.0 and updates WinHTTP. These updates help ensure an optimal download experience with new versions of Automatic Updates, Windows Update, and other programs that rely on BITS to transfer files using idle network bandwidth.

    How is this critical?

    1. Re:Critical Updates Plus Bonus Junk by Neopoleon · · Score: 5, Informative

      An update to BITS is critical because it's part of the mechanism that should be keeping your average user's Windows machine clean by downloading updates in the background without disturbing their usual browsing activities (it uses opportune moments to grab chunks of updates - once all the pieces are down, it lets you know).

      One of the reasons we have so many problems with security vulnerabilities is that users don't make use of Automatic Updates, and they wind up running unpatched systems for days... weeks... months... ...years.

      Sometimes there's a good reason for this, but I suspect that, more often than not, it's a lack of understanding about *why* Automatic Windows Updates is important.

      So, in that context, although I can see why you might not think it's an important update, BITS is actually something you want updated with everything else unless you're *really* on top of patching your system manually.

      --
      - Rory [Microsoft Employee] | Free dirt: neopoleon.com
  5. Patches by johndou1 · · Score: 5, Informative

    Auto update applied the patches and then I could not boot.

    Had to run chkdsk, then it came back to life.

  6. Re:Woohoo! by 0x461FAB0BD7D2 · · Score: 5, Funny

    Contrarily, a punchline is an endpoint, and not a process.

  7. Re:WS2K3 SP1 by Kimos · · Score: 5, Informative

    I've been applying 2k3 SP1 to servers at my office all week. MS did a good job of designing the patch so that it adds lots of security lockdowns without limiting applications. They add the firewall but it defaults to off for upgrades. The only part that seems scary is the stronger authentication for DCOM. It's secure, but has potential to break some apps. Details on SP1 here.

    Five servers so far, and all of them have worked after the update. I'm far from a MS fan, but I have no problem admitting when they've done a good job...

  8. Re:Thank you MS! by xocp · · Score: 5, Informative

    Not to mention, I appreciated that Microsoft thanks those that reported the vulnerabilities:

    Mark Dowd and Ben Layer of ISS X-Force for reporting the Exchange Server Vulnerability (CAN-2005-0560).

    Alex Li for reporting the Word vulnerability (CAN-2005-0558).

    Hongzhen Zhou for reporting the MSN Messenger Vulnerability (CAN-2005-0562).

    Song Liu, Hongzhen Zhou, and Neel Mehta of ISS X-Force for reporting the IP Validation Vulnerability (CAN-2005-0048).

    Fernando Gont of Argentina's Universidad Tecnologica Nacional/Facultad Regional Haedo, for working with us responsibly on the ICMP Connection Reset Vulnerability (CAN-2004-0790) and the ICMP Path MTU Vulnerability (CAN-2004-1060).

    Qualys for reporting the ICMP Path MTU Vulnerability (CAN-2004-1060).

    Berend-Jan Wever working with iDEFENSE for reporting the DHTML Object Memory Corruption Vulnerability (CAN-2005-0553).

    3APA3A and axle@bytefall working with iDEFENSE for reporting the URL Parsing Memory Corruption Vulnerability (CAN-2005-0554).

    Andres Tarasco of SIA Group for reporting the Content Advisor Memory Corruption Vulnerability (CAN-2005-0555).

    iDEFENSE for reporting the Windows Shell Vulnerability (CAN-2005-0063).

    Kostya Kortchinsky with CERT RENATER for reporting the Message Queuing Vulnerability (CAN-2005-0059).

    John Heasman with Next Generation Security Software Ltd. for reporting the Font Vulnerability (CAN-2005-0060).

    Sanjeev Radhakrishnan, Amit Joshi, and Ananta Iyengar with GreenBorder Technologies for reporting the Windows Kernel Vulnerability (CAN-2005-0061).

    David Fritz working with iDEFENSE for reporting the CSRSS Vulnerability (CAN-2005-0551).

  9. So... by bl4nk · · Score: 5, Insightful

    Can we expect a news article every month blasting Microsoft for releasing security updates? Christ, where are the news articles when updates come out for other OS's? Or is it only a bad thing when Microsoft does it?

  10. Re:One wonders... by Neopoleon · · Score: 5, Insightful

    You have to keep things in perspective - Windows isn't open source, so publishing the vulnerabilities ahead of time, in many cases, wouldn't actually do much good.

    As you know, with OSS, announcing a vulnerability is like a call to arms, getting devs out of bed and coding fixes. With a closed source product, it's like saying "Cooooooooooooome 'n get it!"

    If users could plug these holes with their fingers, then telling them would help. As things are, though, this is probably the safer way to do it for our product.

    --
    - Rory [Microsoft Employee] | Free dirt: neopoleon.com
  11. "Critical" patches every month. Sure, we can wait! by TheStick · · Score: 5, Insightful

    I never understood why Microsoft released "critical updates" only every month. If they're critical, you're supposed to release a patch as soon as you hear about them. 48 hours is already too much, and a month represents a century in the IT universe...

  12. Re:WS2K3 SP1 by arete · · Score: 5, Insightful

    You misunderstood. /. wants everything. (Especially because different people want different things...)

    They quite literally want to build an automatic cake making machine so they can have lots of cake while they're eating their cake : )

    They want a blindingly fast machine with a 90 inch display that fits on their keychain and uses no power. They want this machine to be completely secure while allowing random applications to do whatever necessary to squeeze their hardware. They want it to use an OS that is unpopular enough to instill geek pride but is somehow the primary development platform of all cool games.

    Oh, and it should be Free as in speech, Free as in beer, and produced by a trusted public company that somehow makes money off this without doing anything that would make them unloved.

    And they want cute little penguins to somehow get them laid by actual women, generally without them having to go anywhere they might actually meet women.

    I'm not saying any of these individual goals are bad ideas, I'm just saying you can't always have everything you want.

    (Incidentally, I'm in favor of really paranoid IE settings, but since by using it you're implicitly trusting MS, the Office update site could probably have been automatically added to that list. I think that's why the gp noted it.)

    --
    Looking for freelance Actionscript (Flash/Flex) or ColdFusion work and/or freelance developers. Email me, put Slashdot
  13. Because MS "Painted Themselves Into A Corner" by EXTomar · · Score: 5, Insightful

    Why wait a month? Because their patching system blows. They didn't learn lessons learned decades ago about how to patch core components and kernel services and now we live with this every day (or month as the case may be).

    Patching a single Windows machine is difficult especially if you are a novice (many still don't understand why computers "just don't work"). Patching many Windows machines is hard. Patching a live server is hard. Considering how hard some of the patching is on some machines you might even want to consider waiting a few more days to the weekend to apply this patch to patch them especially since one of the patches fixes exploits that are mitigated by using firewalls. Regardless, Windows is so hard to patch you can't have the "on the fly" patching other platforms feature.

    It is really lesser of two evils. You can either spend almost all of your time patching or you can lump the difficult time in one large shot. If MS dropped patches whenever they felt it was complete (which is good for security!) you finished updating the entire enterprise (this might take weeks if not a month with serious stuff like SP 2) you'd have to start over and do it again for a brand new one. So on and so forth.

    The real problem is "patching Windows is hard". The "fix" right now to this is pushing patches once a month. As long as Windows is hard to patch then there is no other real solution to this horrible situation MS sold us on.

  14. MS05-019 breaks raw socket sends (again!) by Eyeball97 · · Score: 5, Informative

    It seems MS are determined to have XP users disabled from using raw sockets - in itself not such a bad idea for 99.9% of XP users but those of you who avoided SP2 (or disabled firewall/ICS after installing it to get round this problem) please note - it's back! and there's no known way to disable it (yet).

  15. Re:WS2K3 SP1 by mopslik · · Score: 5, Funny

    They want a blindingly fast machine with a 90 inch display that fits on their keychain and uses no power.

    Now that's not true at all. I want my machine to generate power, which I can then use to run the cake machine.

  16. Re:Phew! by Laura_DilDio · · Score: 5, Funny

    No, this is just evidence that Microsoft takes security seriously -- more seriously, in fact, than that pinko-commie-bastard operating system you all feel so drawn towards.

    Also, I'll have you pigs know that I'm leaving my duties at the Yankee Group. I've accepted a position serving Lord William at Microsoft. I'm to be his new Groom of the Stool

    Love,
    Laura