MS Patch Train Leaves the Station
per1176 writes "Microsoft has released 10 advisories to cover a dozen security vulnerabilities, including a "critical" cumulative update for the Internet Explorer browser. The IE fix corrects a remote code-execution vulnerability that exists due to the way the browser handles PNG (Portable Network Graphics) files."
http://www.us-cert.gov/cas/techalerts/TA05-136A.html
Best Buy can have you arrested
For those admins who tend to a small MS shop and don't have the need for an expensive patch management solution, WSUS was released last week to replace the lame SUS (Software Update Services). I had to disable SUS due to some GPO issues, so I'm looking forward to checking out WSUS. And with this round of patches, it seems like the ideal time to test.
Entrepreneur : (noun), French for "unemployed"
http://blogs.msdn.com/dmassy/archive/2004/08/05/2
Believe me, I would rather just use a different browser (one has security holes of its own). As much as the creators of Firefox would like to believe they have the perfect browser, any major piece of software is going to have bugs.
The smart developers call these bugs... features :)
The truth is though, most people don't know about anything other than IE. Why else would it show up with more than 80% of the hits on the websites we run? People don't like change. They like IE because it works out of the box with Windows. No extra installing, no "scary" configurations, no extra work on their part. If you want to convince people not to use IE, don't post messages on /. discussing the various security holes involved with PNG images. Go out and convince MS to stop packaging it with their OS. Make people have to do a little work to get on the internet. Maybe then they'll start to think a little about what they are doing.
There are 10 types of people in the world. Those that understand this sig, and those that beat up people who do.
As a matter of fact, these and other forthcoming issues with various OSes' graphic parsing and rendering libraries result from a sustained attempt to break them with fuzzing techniques by researchers at the Finish University of Uola (or Oula, I forget). This is the same group that ripped apart many vendors' implementations of SNMP a few years ago, and ASN.1 a year or two after that. Big thanks to them for proactive efforts to improve security...
"None are more hopelessly enslaved than those who falsely believe they are free." -- Goethe
You'd better go here and install the Fedora updates (three in the last month)!
I'm not sure if I understand your use of the word "barely". IE supports PNG as per the W3C recommendation, including binary transparency. IE doesn't support optional alpha channel transparency:
http://www.w3.org/Graphics/PNG/
From the first paragraph:
"Indexed-color, grayscale, and truecolor images are supported, plus an optional alpha channel for transparency."
While it would be nice if they supported the optional features, it's actually the developers who continue to use alpha channel transparency PNG that are deviating from the W3C recommendation.
...the Finish University of Uola...
You probably meant the Finnish university of Oulu.
It's not for large image size; it's a problem with libpng's processing eTRNS structures, used to handle transparency.
The folks at libpng fixed the problem months (a year?) ago; I rolled the fix into our application's PNG handling with nary a hiccup.
Oh, and to save anyone else dealing with PNGs the weight gain and hair loss I experienced, there is NO support for pre-multiplied alpha channels in the library. Sigh.
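The tRNS handling discussed in the post above, as an added example that is not from the thread or from libpng: a defensive PNG chunk walker in Python that bounds-checks every declared chunk length against the buffer before reading, verifies each chunk CRC, and rejects a tRNS chunk whose size is not allowed for the image's colour type. The chunk builder and the sample images it produces are constructed here for the demonstration.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
# tRNS payload size by colour type (PNG spec): greyscale (0) is 2 bytes, truecolour (2)
# is 6 bytes, indexed (3) at most one byte per PLTE entry; types 4 and 6 carry alpha already.
TRNS_FIXED_LEN = {0: 2, 2: 6}


def _chunk(ctype, payload):
    """Serialise one chunk: 4-byte length, type, data, CRC over type+data."""
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)


def make_png(color_type, trns_len, palette_entries=0):
    """Constructed sample: 1x1 IHDR, optional PLTE, and a tRNS of the given size."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, color_type, 0, 0, 0)
    body = _chunk(b"IHDR", ihdr)
    if palette_entries:
        body += _chunk(b"PLTE", b"\x00" * (3 * palette_entries))
    body += _chunk(b"tRNS", b"\x00" * trns_len) + _chunk(b"IEND", b"")
    return PNG_SIG + body


def check_png(data):
    """Walk the chunk list and return a list of problems; [] means it is sane."""
    if data[:8] != PNG_SIG:
        return ["bad PNG signature"]
    problems, pos, color_type, palette_entries = [], 8, None, 0
    while pos + 12 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        name = ctype.decode("latin-1")
        # A declared length that runs past the buffer is rejected before any read.
        if length > 0x7FFFFFFF or pos + 12 + length > len(data):
            problems.append("%s length %d exceeds file" % (name, length))
            break
        payload = data[pos + 8:pos + 8 + length]
        crc, = struct.unpack(">I", data[pos + 8 + length:pos + 12 + length])
        if crc != zlib.crc32(ctype + payload) & 0xFFFFFFFF:
            problems.append("%s CRC mismatch" % name)
        if ctype == b"IHDR" and length == 13:
            color_type = payload[9]
        elif ctype == b"PLTE":
            palette_entries = length // 3
        elif ctype == b"tRNS":
            if color_type in TRNS_FIXED_LEN:
                ok = length == TRNS_FIXED_LEN[color_type]
            else:
                ok = color_type == 3 and length <= palette_entries
            if not ok:
                problems.append("tRNS length %d invalid for colour type %s" % (length, color_type))
        pos += 12 + length
    return problems
```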
I just installed the latest update for Windows 2000 on my wife's computer and it hosed the installation. I assume it included these latest patches. Has anybody had a similar experience? I am getting a "SYSTEMced corrupt or missing" error which Google tells me has to do with registry problems.
I'm surprised no one has yet mentioned the problem one of these "critical updates" is causing on Dell Optiplex GX280 computers. I had two systems on my LAN mistakenly configured with "automatic updates" that had serious problems after one of these updates was installed. The user complained that they would turn on the computer and after about 10 seconds (before they could even finish logging on) their monitor would turn off. I first thought it was a monitor problem, but changing monitors didn't resolve the issue, so I called Dell Corporate/Gov't. Tech Support. Before I even got through the menus to a live body, there was a message on the line suggesting that if you were having video problems on Optiplex systems after installing the Critical Update, you should re-boot the system in VGA mode and change the default resolution to 800 X 600. Apparently, one of these updates re-sets default resolution to a range that cannot be supported with the built-in video hardware on the Optiplex.
Once you re-boot in a low resolution, you can then re-set the default resolution to something more acceptable (say, 1024 X 768 or something similar) and you're golden, but I have seen nothing in the press about this bug (that took me well over an hour to puzzle out on both affected computers).
My other systems are configured for SMS control, so patches aren't rolled out before testing, but these were set up to Auto Update (which Microsoft recommends for everyone, despite problems such as this). Otherwise, this could have been a major headache yesterday.
The key thing, as others have said, is to enable the software firewall and make sure that file and print sharing is disabled. A second CD with SP2 and a decent firewall like ZoneAlarm is usually enough too.
Never email donotemail@WeAreSpammers.com
To be fair, C++ provides some very nice facilities for automatic memory management like the standard containers (vector, in particular) and strings.
SH
...exists due to the way the browser does not handle PNG files. The web would be a beautiful place if content creators could depend on complete PNG support. This problem has been around for over 8 years! IE blows.
Dell Support Page
Yes, the rest of the world slipstreams service pack 2, installs without a network connection, enables XP firewall before hopping on the Internet, then downloads whatever other patches are available.
scott
To the best of my knowledge this is not the case. 24-bit color seems to be supported, but if an alpha channel is present it is blended with either the PNG's background color (an optional property of PNG images, which is normally not used at all) or, if no background color is present, with a light blue (almost white) color.
This page contains a PNG transparency test that comes in handy for figuring out exactly how IE handles different PNG types. It's theoretically useful for other browsers as well, of course, however I believe that all other modern graphical browsers now have full PNG support.