Slashdot Mirror


MS Patch Train Leaves the Station

per1176 writes "Microsoft has released 10 advisories to cover a dozen security vulnerabilities, including a "critical" cumulative update for the Internet Explorer browser. The IE fix corrects a remote code-execution vulnerability that exists due to the way the browser handles PNG (Portable Network Graphics) files."

11 of 361 comments

  1. IE PNGs by Enigma_Man · · Score: 4, Insightful

    That's hilarious, because IE barely supports PNGs at all, but they apparently are vulnerable to them nonetheless. If you don't know of the png problem, they just don't display the colors right and/or won't do transparencies right at all.

    -Jesse

    --
    Nothing says "unprofessional job" like wrinkles in your duct tape.
    1. Re:IE PNGs by Anonymous Coward · · Score: 5, Insightful

      The alpha channel is optional in the PNG file format, _not_ in the PNG recommendation itself. The browser still has to be able to handle PNGs with alpha channels to be fully compliant with PNG pictures, even though users might choose not to supply an alpha channel with their picture.

  2. Reminds me of the JPG buffer overflow by Nos. · · Score: 5, Insightful

    After the jpg incident, wouldn't you tend to look at the code handling other image formats for similar problems? Guess not.

    1. Re:Reminds me of the JPG buffer overflow by Michalson · · Score: 3, Insightful

      After the jpg incident, wouldn't you tend to look at the code handling other image formats for similar problems? Guess not.

      Would you apply the same logic/I'm cool because I bash Microsoft stupidity to Mozilla/Firefox?

      For example, in 2002 an arbitrary code execution vulnerability was found in Mozilla's PNG code (155222). That obviously set off people searching for other image vulnerabilities, which resulted in them finding Mozilla's GIF decoder was also flawed, allowing for arbitrary code execution (157989). By your logic once that initial alarm goes out the code should be checked and all bugs will be found; if bugs are still present in that module (or in Microsoft's case, in a completely separate but similar one) then it represents a huge failure by the organization. Now since open source projects have tens of thousands of eyes to check source code once a flaw has been found, I'd assume it applies equally to Mozilla. Let's test that theory.

      Fast forward to 2004, and the PNG library still has arbitrary code vulnerabilities (251381). Given that people knew as early as 2002 that there had been PNG vulnerabilities, WHY did they not find this one until 2 years later?

      Fast forward to 2005, and this time it's the GIF code. Now we already knew the GIF library had problems 3 years ago, yet somehow an arbitrary code execution flaw, which existed from the very beginning of the Mozilla project (1998), is found (mfsa2005-30). This dangerous exploit has been sitting in open source code for 7 years. 3 years ago attention was brought to that very module for the very same kind of exploit. And yet it wasn't found until just a few months ago. By the logic of Nos, the Mozilla Foundation, and everyone who has checked the code, are morons. Or perhaps Nos has some doublethink to get himself out of the Microsoft bashing to make himself cool hole he dug himself.

  3. Re:Forgive my ignorance by Tarcastil · · Score: 4, Insightful

    You do realize the Linux kernel is heavily dependent upon patches.

  4. Re:PNG??? by LO0G · · Score: 3, Insightful

    The same way that a remote execution overflow was in libXPM.

    Google integer overflow vulnerability for more information.
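
An added illustration of the integer-overflow class the comment above points to; it is not code from the original thread and does not reproduce the IE or libXPM flaws. It contrasts a 32-bit size calculation that wraps on header-supplied dimensions with a bounds-checked one. The function names, the 256 MiB cap and the sample header bytes are assumptions constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Read a big-endian 32-bit field, as PNG stores width and height. */
static uint32_t be32(const unsigned char *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Unchecked: the product is truncated to 32 bits, so large dimensions wrap. */
uint32_t naive_size(uint32_t w, uint32_t h, uint32_t bytes_per_pixel) {
    return w * h * bytes_per_pixel;
}

/* Checked: returns 0 and stores the size, or -1 if it would exceed max_bytes. */
int checked_size(uint32_t w, uint32_t h, uint32_t bytes_per_pixel,
                 size_t max_bytes, size_t *out) {
    if (w == 0 || h == 0 || bytes_per_pixel == 0) return -1;
    if (w > max_bytes / bytes_per_pixel) return -1;   /* one row is too large */
    size_t row = (size_t)w * bytes_per_pixel;
    if (h > max_bytes / row) return -1;               /* whole image too large */
    *out = row * h;
    return 0;
}

/* Pull width/height from an IHDR chunk; returns -1 if not a PNG header. */
int ihdr_dims(const unsigned char *buf, size_t len, uint32_t *w, uint32_t *h) {
    static const unsigned char sig[8] = {0x89,'P','N','G','\r','\n',0x1a,'\n'};
    if (len < 24 || memcmp(buf, sig, 8) != 0) return -1;
    if (be32(buf + 8) != 13 || memcmp(buf + 12, "IHDR", 4) != 0) return -1;
    *w = be32(buf + 16); *h = be32(buf + 20);
    return 0;
}

/* Constructed sample: PNG signature + start of IHDR claiming 65536 x 65536. */
const unsigned char SAMPLE[24] = {
    0x89,'P','N','G','\r','\n',0x1a,'\n', 0,0,0,13, 'I','H','D','R',
    0,1,0,0, 0,1,0,0 };

int main(void) {
    uint32_t w, h; size_t n;
    if (ihdr_dims(SAMPLE, sizeof SAMPLE, &w, &h) != 0) return 1;
    printf("naive: %u bytes\n", (unsigned)naive_size(w, h, 4));
    int rc = checked_size(w, h, 4, (size_t)1 << 28, &n);
    printf("checked: %s\n", rc ? "rejected" : "ok");
    return 0;
}
```

A decoder that allocates from the unchecked result and then writes rows according to the header's dimensions ends up with a buffer far smaller than the data it copies; the checked version rejects the header before any allocation.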

  5. Venture to guess? by AyeRoxor! · · Score: 3, Insightful

    exists due to the way the browser handles PNG (Portable Network Graphics) files."

    Hmm... Buffer overflow maybe?

    Buffer overflow is an amateur mistake. Check your god damn code.

    /frustrated by lazy programmers

  6. Re:Sure glad I don't have to do this crap by ssj_195 · · Score: 3, Insightful

    What an appalling display of "toeing the slashdot party line", and putrid arrogance and condescension, as well. Whoever modded this transparent tripe up should be ashamed of themselves.

    The amount of "CPU time" "Windows users" spend patching holes is a few minutes every month. And get off your high horse, here: while Linux distros provide updates for a more comprehensive range of apps, it's also the case that you have to download far more (in terms of raw megabytes) far more often. I'm willing to bet right now that, timing from the release of FC3, FC3 has required more and bigger updates than Windows.

    I'll never forget the time, earlier this year in fact, when Mandrake provided a security "update" for the kernel (you may remember the much-publicized privilege escalation vulnerability around the end of last year). This "patch" consisted of the whole kernel source (maybe 40MBs of it) which you would have to manually compile and install (no nice binary rpm, here). With this one single update, Mandrake users have exceeded the "CPU time" required for a few months of Windows updates. And let's not forget the hefty kdelibs security updates, which basically amount to downloading the whole of kdelibs again, since none of the distros seem to provide diff-style patching. The same with Firefox (8MB on Linux...?).

    Also, while we are free from worms and viruses here, note that there is nothing innate to Linux that precludes phishing and spoofing attacks.

    Maybe as an engineer who uses computers to actually accomplish something I just have a different point of view.
    Ugh.

  7. Re:To bad by HiredMan · · Score: 4, Insightful

    Yeah he's an idiot. How dare he criticize a program that's buggy. It's frozen from development and its replacement will ship in 2 years or so, Stupid. So what if they never, ever fixed the PNG display pipeline since IE 6 shipped. Why should graphics display correctly - it's not like the web is a graphics medium, right?

    Vendors should never, ever roll back changes into older versions of their software they force you to use. Tabbed browsing, correct graphics display, CSS support will all be available someday so shut yer piehole! All you'll have to do is upgrade your entire system to get these features. And it's not like anyone else has managed to get that stuff working on the same platform, right? Right? Well, maybe someone has but they must have more programming resources than MS, no doubt...

    =tkk

  8. the problem isn't what it appears to be by cahiha · · Score: 3, Insightful

    If you look at Macintosh, BSD, and Linux distributions, they also have regular security updates, with many similar vulnerabilities.

    There are really two problems here, one true of all major OSes right now, and the other one true of proprietary systems.

    The first problem is the pervasive use of C and C++, which makes systems unnecessarily prone to buffer overflows and related problems. C and C++ programmers keep saying that they can handle it, but it is obvious that they can't.

    The second problem is that Microsoft and Apple only update their own applications; users are saddled with downloading updates for other software by hand. If all these bugs exist in IE, you can bet similar bugs exist in Photoshop, Office, and many other apps that aren't automatically updated.

  9. Re:Patches don't solve the problem on new installs by wiggys · · Score: 4, Insightful

    Yes.

    1) Switch on the built-in firewall before you connect to the internet. It's very basic but it does the job, I've been running an unpatched XP system with nothing more than the built-in firewall for months now with no problems.

    2) Buy a router. £25/$40 buys you a piece of hardware which acts like a firewall and blocks all incoming ports, other than ones you solicit, natch.

    3) Slipstream SP2 into your XP install. Personally I'm staying away from SP2 but use it if you must.

    4) Put a copy of Zone Alarm on your "XP Install Disc 2", along with the many useful bits of freeware available at www.grc.com

    5) Download, burn and learn how to use Knoppix.

    6) ????

    7) Profit!

    --

    Sorry, but my karma just ran over your dogma.