MS Patch Train Leaves the Station

per1176 writes "Microsoft has released 10 advisories to cover a dozen security vulnerabilities, including a "critical" cumulative update for the Internet Explorer browser. The IE fix corrects a remote code-execution vulnerability that exists due to the way the browser handles PNG (Portable Network Graphics) files."

Large size crash

Does this fix the crash with large streched images?
ie width=9999999 height=999999 in an

Re:Large size crash

[leaping_laughter]

It's not for large image size; it's a problem with libpng's processing eTRNS structures, used to handle transparency.

The folks at libpng fixed the problem months (a year?) ago; I rolled the fix into our application's PNG handling with nary a hiccup.

Oh, and to save anyone else dealing with PNGs the weight gain and hair loss I experienced, there is NO support for pre-multiplied alpha channels in the library. Sigh.

Re:Large size crash

[someone1234]

Hopefully the large size vulnerability will be treated in this century too.

Re:Large size crash

[Rufus88]

Does this fix the crash with large streched images?
ie width=9999999 height=999999 in an

Apparently, even talking about the problem crashes this guy's browser.

IE PNGs

[Enigma_Man]

That's hilarious, because IE barely supports PNGs at all, but they apparently are vulnerable to them nonetheless. If you don't know of the png problem, they just don't display the colors right and/or won't do transparencies right at all.

-Jesse

Re:IE PNGs

[RaffiRai]

Transparencies appear grey in IE.

Re:IE PNGs

[swilde23]

That's mostly true... but you can mangle your way around it...

http://blogs.msdn.com/dmassy/archive/2004/08/05/20 9428.aspx

Believe me, I would rather just use a different browser (one has security holes of its own. As much as the creators of firefox would like to believe they have the perfect browser, any major piece of software is going to have bugs.

The smart developers call these bugs... features :)

The truth is though, most people don't know about anything other then ie. Why else would it show up with more then 80% of the hits on the websites we run. People don't like change. They like ie because it works out of the box with Windows. No extra installing, no "scary" configurations, no extra work on their part. If you want to convince people not to use ie, don't post messages on /. discussing the various security holes involved with png images. Go out and convince MS to stop packaging it with their os. Make people have to do a little work to get on the internet. Maybe then they'll start to think a little about what they are doing.

Re:IE PNGs

Go out and convince MS to stop packaging it with their os. Make people have to do a little work to get on the internet.

Yeah, that's good thinking! It's hard to believe Steve Ballmer is in charge of Microsoft, and not you!

Re:IE PNGs

[Frank+T.+Lofaro+Jr.]

How are you going to download a browser if you don't already have a browser?

Don't say FTP.

Re:IE PNGs

[packetl0ss]

ISP's regularly ship Internet Explorer on their "Setup" CDs, so why can't they also ship alternative web browsers such as Firefox or Opera on those same CDs?

Re:IE PNGs

[smittyoneeach]

1. Install one of the various scripting languages with an HTTP library, write download script.
2. ????
3. Profit.

It's a /. tradition, don't you know?

Re:IE PNGs

[theborg1of4]

I'm not sure if I understand your use of the word "barely". IE supports PNG as per the W3C recommendation, including binary transparency. IE doesn't support optional alpha channel transparency:

http://www.w3.org/Graphics/PNG/

From the first paragraph:

"Indexed-color, grayscale, and truecolor images are supported, plus an optional alpha channel for transparency."

While it would be nice if they supported the optional features, it's actually the developers who continue to use alpha channel transparency PNG that are deviating from the W3C recommendation.

Re:IE PNGs

[Frank+T.+Lofaro+Jr.]

I thought Bill Gates was in charge ultimately.

Re:IE PNGs

The alpha channel is optinal in the PNG file format, _not_ in the PNG recommendation itself. The browser still has to be able to handle PNGs with alpha channels to be fully compliant with PNG pictures, even though users might choose not to supply an alpha channel with their picture.

Re:IE PNGs

[Mad+Merlin]

Because everyone knows that your TCP/IP stack is useless without a browser.

Re:IE PNGs

[mbbac]

I think you're reading that wrong. The alpha channel is an optional part of any PNG image. I'm pretty sure they're not saying that browsers should only support alpha transparency if they feel like it.

Re:IE PNGs

[say]

wget, then.

Re:IE PNGs

[Enigma_Man]

I believe they also only support 256 (or some other low value) different colors in PNGs. I know that PNGs look totally low-resolution in IE, but not in FF, last time I checked (a while ago, admittedly, but when was the last time IE was updated?).

-Jesse

Re:IE PNGs

[LurkerXXX]

What's the incentive? It's one more thing for their tech support people to have to support.

Re:IE PNGs

[N3Roaster]

You can't seriously rely on ISPs for this sort of thing. Back when it took some work to use the Internet (client software did not come with most home computers, neither did modems) my first ISP wanted to email the settings I should use to connect. They wanted to send that email to the account they were setting up.

Re:IE PNGs

[springbox]

IE blends the pixels with alpha full opacity onto the saved background color, which seems that a lot of editors save to that boring grey. The GIMP can set it to whatever, though.

Re:IE PNGs

[theAtomicFireball]

wget http://download.mozilla.org/?product=firefox-1.0.4 &os=win&lang=en-US

Oh... wait. Windows doesn't have wget, does it. How about

curl http://download.mozilla.org/?product=firefox-1.0.4 &os=win&lang=en-US > firefox.exe

Hmmm, that won't work, either, will it? Guess you should have chosen a different OS.

Re:IE PNGs

[packetl0ss]

I guess I was with a rare ISP that actually did offer Netscape on their setup CDs (although one has to browse the CD to find it) and assumed other ISPs could easily do the same.

Re:IE PNGs

To the best of my knowledge this is not the case. 24-bit color seems to be supported, but if an alpha channel is present it is blended with either the PNG's background color (an optional property of PNG images, which is normally not used at all) or, if no background color is present, with a light blue (almost white) color.

This page contains a PNG transparency test that comes in handy for figuring out exactly how IE handles different PNG types. It's theoretically useful for other browsers as well, of course, however I believe that all other modern graphical browsers now have full PNG support.

Re:IE PNGs

[N3Roaster]

Other ISPs can easily do the same, but these days there's really no excuse for an ISP to need a setup CD so unless the ISP is big enough that it can sell advertising on those setup CDs (oh, yes, you really do need to use this disc. It will fill your browser bookmarks with links to great sites, set up your home page to a site that can sell you lots of things, and add 15 new desktop items! Who wouldn't want that?), there's no real incentive to provide a Useful Software disc. Some might even reasonably fear that doing such a thing would increase service calls. (I'm trying to use this program you gave me called Gopher, but I can't seem to figure it out.) Of course, my story was from before you could count on computers having a CD-ROM drive (some did, lots didn't) so a Useful Software disc would have been something like a floppy with Mosaic on it and maybe an FTP client and an email program. I think it was safe to assume that anybody who was interested in Internet access would be purchasing a book that would come with such a disk.

To finish my story from before, they did eventually fax the software settings to me.

Re:IE PNGs

[saleenS281]

thank you for reminding us of all that is wrong with the linux community.

Re:IE PNGs

[SolusSD]

people may not like change, but people WILL change under certain circumstance. How do you think microsoft went from having virtually none of the browser market to almost all of it in just a coupole of years? Exposure. If you show someone something new, and they like it better than what they're used to, they will switch. Worked on my very computer unsavvy family. ;)

Re:IE PNGs

[GloomE]

Actually, I regularly find cases where 256 colour PNG is smaller than GIF.
Given that the resulting images are identical I think it pays check both formats and use whatever ends up smaller.

Re:IE PNGs

[pipingguy]

Go out and convince MS to stop packaging it with their os

That reminds me...why don't we see Redmond-based slashdotter activists dressed-up as bugs, viruses and wearing unlocked door-type costumes protesting near the MS headquarters? Surely that would make the TV news.

Well, OK, maybe not. But it sure would be funny.

Re:IE PNGs

[scdeimos]

While it would be nice if they supported the optional features, it's actually the developers who continue to use alpha channel transparency PNG that are deviating from the W3C recommendation.

By "Developers" I'm assuming you mean "Web Developers." "Software Developers" (implementors) of the PNG stream format are generating non-compliant crud if they can't read/write the "optional" alpha channel.

It seems that you have incorrectly interpreted the Abstract of the specification. I might direct you to the actual specification itself where in 15.2.3 Conformance of PNG Decoders it says:

e. All types of PNG images (indexed-colour, truecolour, greyscale, truecolour with alpha, and greyscale with alpha) are processed. For example, decoders which are part of viewers running on indexed-colour display hardware shall reduce truecolour images to indexed format for viewing.

So yes, it is optional for an alpha channel to appear in a PNG data stream (a graphic artist may not want to use an alpha channel on his latest piece of "art") but if there is one present in the stream then it *must* be handled by the software reading it. It's optional as to whether that software actually does anything meaningful with it (a given display device may not support it), but a best-effort is expected.

Forgive my ignorance

[J+Barnes]

but is there an obvious point where software become more patch then content?

Lately I envision all Microsoft products as lumbering stay-puff marshmallow men, ambulating labored steps inside a comical suit of band-aids.

Re:Forgive my ignorance

[Tarcastil]

You do realize the Linux kernel is heavily dependent upon patches.

Re:Forgive my ignorance

[MountainMan101]

Yes. Perhaps the GP poster meant binary patches. The patches to the Linux kernel are just the way the kernel evolves. The MS patches are fixes applied after it has been built.

Re:Forgive my ignorance

[xtracto]

What is the difference?

Microsoft has the source code, they just make the improvements, rebuild the files and perform DIFFs.

Personally I think its better to apply a binary patch than to have to recompile a kernel just to upgrade it from x.x.11 to x.x.12

Anyway, patches are not wrong, God! if MS software has an unpatched bug it is his fault and it is bad, then if he releases a patch it is also bad because his software is patched.

This is not a patch as the normal dictionary word define it, software patches are used to modify the behaviour of the software. It is like when you changed the breaks from your bycicle from the pedal brake to the hands brake.

Re:Forgive my ignorance

[ajs318]

Personally I think its better to apply a binary patch than to have to recompile a kernel just to upgrade it from x.x.11 to x.x.12

Then you might want to check out this really cool game I wrote. I've compiled it for you already, so you won't have to muck about compiling it yourself or anything .....

Re:Forgive my ignorance

[PakProtector]

You know what? Most of us don't mind paying real money for things that have real worth. I payed fifty dollars for Neverwinter Nights when it came out, while my roommate had a 'free' copy the same day.

I will gladly pay money for something I like to make sure that the people who make it will make more. That's how the market economy works. If something has real value, it's only logical to compensate the persons who made it.

Which is entirely why I have never paid for Windows.

Re:Forgive my ignorance

[AtariAmarok]

"Lately I envision all Microsoft products as lumbering stay-puff marshmallow men"

That explains why Bill Gates just stepped on my church.

Re:Forgive my ignorance

[MartinG]

In software the term "patch" really means something closer to "change" It typically removes something and replaces it with something else. (but sometimes only removes and sometimes only adds)

It is not like a patch you apply to your trousers when they have a hole in them.

When you buy a new lamp for your home or throw away a worn out rug, think of it as patching your house.

Re:Forgive my ignorance

[bokmann]

These two comments make it sound as if 'patches' applied to software are somewhat analogous to those things your mother would iron on your clothes when your knee would bust through. They are nothing of the sort.

When a 'patch' is applied to software, it simply replaces what was there before and integrates seamlessly - think more 'weave' than patch... Imagine if you were writing a term paper with a group of people, and someone said 'hey... replace the 4th paragraph on page 5 with this new paragraph I'm sending you'. If you replaced the paragraphs, someone reading the paper later would have no idea the removed paragraph even existed, let alone that your paper had been 'patched'.

Re:Forgive my ignorance

[RoadkillBunny]

Patched don't have to be in the sence that you rip your pants and use ductape to patch it up. They can be just nice updates. For example, someone hacks the linux kernel so it works 20% faster and the code 30% cleaner and sends a patch to the mailing list. It is still a patch even though it makes the code nicer and not look like a overpuffed mushmellow man.

Re:Forgive my ignorance

[Neil+Watson]

What you say is true. However, I can download the latest Linux kernel with all its patches and installed it with only one reboot and no addtional vulnerable Internet time.

Windows comes with an older kernel that requires mutliple reboots and Internet downloads while still in a vulnerable state. While it true that I could probaly download all the patches prior it is still far more tedious than a single trip to ftp.kernel.org.

Re:Forgive my ignorance

[punkass]

And you didn't get pissed? I mean, nobody steps on a church in MY town.

Re:Forgive my ignorance

[LiquidCoooled]

This is not a patch as the normal dictionary word define it, software patches are used to modify the behaviour of the software. It is like when you changed the breaks from your bycicle from the pedal brake to the hands brake.

errrrrrrr no.

From http://dictionary.reference.com/search?q=patch :

Computer Science. A piece of code added to software in order to fix a bug, especially as a temporary correction between two releases.

Thats one of the many things it says, but I patch my jeans up if they get ripped, or I apply a patch to my sons inner tube on his bike, I use a small piece of something to repair another.
A patch is used to repair broken functionality.

It most certainly doesn't imply adding new functionality.

Re:Forgive my ignorance

[Psiren]

If something has real value, it's only logical to compensate the persons who made it.

Which is entirely why I have never paid for Windows.


Ah, so Windows has no real value. Can I assume you're running your copy of Neverwinter Nights on something other than Windows then?

Re:Forgive my ignorance

[mph]

but is there an obvious point where software become more patch then content?

Maybe when you change the name of the software to indicate that's the case?

Re:Forgive my ignorance

[Lucractius]

While This is true its not entirely true since MS now ship XP with SP2 integrated by default on new CDs and Pre installs. So While yes there is a fair amount of "vunerable time" while getting the patches up to date. They HAVE made the Major modifications to the system (SP1 and now SP2) part of the "New" System installs in the same way a "new" version of whatever linux distro you use will have the latest Patches applied to its programs. Microsoft arent ingnoring this. They just cant do it as fast or as easily as Linux and BSD and other open oses can. the User base is to large and often not savy enough to deal with the process so it takes a great deal of effort to make the system "idiot proof" even if its not perfect.

Re:Forgive my ignorance

[vettemph]

>I payed fifty dollars for Neverwinter Nights when it came out, while my roommate had a 'free' copy the same day.

So is it his turn to pay next time? :)

Re:Forgive my ignorance

[I'm+Don+Giovanni]

You misunderstood the parent's point. Which is that patches are used to *replace* bad code rather than add new code on top of bad code. So if the original size of an app is M and over time 1000 "patches" of size cumulative size N are applied, the size of the app is not (necessarily and nor even likely) M+N. This was to answer the original "point" regarding when an app becomes more "patch" than "content". It's a nonsensical question because the "patch" replaces bad "content" with new "content" rather than adding new code on top of bad "content" in such a way that the bad content remains in place.

Re:Forgive my ignorance

[agraupe]

Linux or FreeBSD, which both can run NWN without WineX. I'm guessing, anyway.

Re:Forgive my ignorance

[clrscr]

Who ever marked this post as "funny" needs to change it to "ignorant" or maybe "blinded by bias caused by hype and a need to fit in with other nerds" I mean seriously, how can you be this stupid? If Windows had no value then you wouldn't need it at all. And because we live in a "market economy" as you so pointed out the price of windows is dictated by the demand from the consumer. If Windows had no value no one would buy it and if no one bought it Microsoft would go out of business. Who is the richest man in the US again? Remind me. You are the same as those fools who try to convince them selves that downloading pirated music should be legal.

Re:Forgive my ignorance

[TCM]

May I suggest that you get a freaking clue about programming, patches and.. uh.. the general things about those weird computer boxes?

The second and last paragraph are complete bullshit.

I can only assume you are, in a weird way, trying to troll or something.

Re:Forgive my ignorance

[FictionPimp]

I run my copy of neverwinter on linux. Works great :-) One of these days more game makers are going to take a que from bioware, epic, and id and make more native linux games.

Re:Forgive my ignorance

[kokoloko]

I don't buy the logic that if I like something, I'm obliged to support the person who made it. For example, should I send the NY Times money becasue I like to read their paper on-line?I beleive that the onus is on the person trying to make a profit from a service, not on the consumer, to make sure that it is in fact profitable.

Nevertheless, if you're going to ascribe to that logic, at least please be consistent. If Windows is good enough for use, and what I want to use must be supported by me, therefore it must be good enough to pay for. Right? Isn't Windows just as necessary to running Neverwinter Nights as the Neverwinter Nights discs themselves?

Re:Forgive my ignorance

[bornyesterday]

The metaphysics of software design: 1) you have a piece of software 2) every month you replace one section of code with another piece of code to repair it; a different section each time 3) when you've replaced every piece of code, is it still the same piece of software?

Re:Forgive my ignorance

[91degrees]

Apparently the name was suggested without realising the pun. Those that saw the pun liked it, so the name stuck.

Re:Forgive my ignorance

[PakProtector]

What makes you think I'm the person who owns the computer the copy of Windows is on?

And their is no hipocracy in reading the New York Times On-line for free. They are giving it away online for free. If they value it (in electronic form) as worthless, then I should not have to exchange anything of worth to view it.

Re:Forgive my ignorance

[mixmasterjake]

A software patch is not the same as, say, a patch for your jeans where you add a completely new piece of material to cover up a hole.

A software patch just means that some part of the code was updated & they are providing you with only the minimum amount of files that need to be updated on your computer instead of the full application. It doesn't mean that new code was added "on top" of previous code. The update would hopefully be an improvement to the code, but it could also be a crappy work-around as you suggest. Since the source is closed, we really have no idea what the code change actually entails.

Re:Forgive my ignorance

[scottv67]

Maybe when you change the name of the software to indicate that's the case?

Or maybe the old boat anchor Patchworks, err I mean, Pathworks on VMS:

http://h71000.www7.hp.com/pathworks/

Back in the day, patches for Pathworks came out as quickly as you could install them. I took great pleasure in pronouncing the software's name as "Patchworks", especially when talking to people who worked for Digital.

Re:Forgive my ignorance

[RetroGeek]

When a 'patch' is applied to software, it simply replaces what was there before and integrates seamlessly

The original use came from punched paper tape. To fix a piece of bad code, you would cut the paper tape, then insert the fixed code using sticky tape. A patch.

Then a few years later, you would start the program, then directly manipulate RAM to insert fixed code. A patch.

Now we entirely replace a file, and call it a patch.

Re:Forgive my ignorance

[J+Barnes]

ahh, finally someone gets what my blundering mind was attempting to express.

Thanks bornyesterday. I'd mod you up if I could.

Re:Forgive my ignorance

[caluml]

Linux kernel patches are not mainly for security updates. They are to add extra functionality, and features, and develop the software more, not merely trying to keep the existing software working. (Obviously, some patches are for security.)

Re:Forgive my ignorance

[Delphiki]

There wasn't when it came out, which is when this guy apparently bought it..

M$ still pwnz Linuts

Why not just release a patch that uninstalls IE?

Re:M$ still pwnz Linuts

[rocket97]

OMGWTFBBQ!1!!1111!! lol lol lol rofl rofl lol lol lol j00 4r3 73h 1337!!11!!oneoneone!!!11!


Dude get a clue and come up with something original... that was old the first time I read it on here.

Re:M$ still pwnz Linuts

[Spy+der+Mann]

Why not just release a patch that uninstalls IE?

Actually, the malware removal software from Microsoft did remove IE. But they "fixed" that "problem" a day later :(

Re:M$ still pwnz Linuts

[dhakbar]

And I present to you "Jorkapp," Exhibit A - definitive proof that Slashdotters' brains do not possess the capacity for humor.

Re:M$ still pwnz Linuts

[PsychoSid]

That's so funny. I guess they must have found a cure for death Mr. B Hicks.

Reminds me of the JPG buffer overflow

[Nos.]

After the jpg incident, wouldn't you tend to look at the code handling other image formats for similar problems? Guess not.

Re:Reminds me of the JPG buffer overflow

[Junior+J.+Junior+III]

Dude, if they hadn't checked, how else would they have realized there was a vulnerability for PNG and then developed a fix for it?

Re:Reminds me of the JPG buffer overflow

[Cally]

Dude, if they hadn't checked, how else would they have realized there was a vulnerability for PNG and then developed a fix for it?

As a matter of fact, these and other forthcoming issues with various OSes graphic parsing and rendering libraries result from a sustained attempt to break them with fuzzing techniques by researchers at the Finish University of Uola (or Oula. I forget). This is the same group that ripped apart many vendors' implementations of SNMP a few years ago, and ASN.1 a year or two after that. Big thanks to them for proactive efforts to improve security...

Re:Reminds me of the JPG buffer overflow

[swv3752]

I figured like how they discover all thier other flaws. Someone else tells them about it. I mean really, some "security reseacher" develops a "proof of concept" and sends it to MS. then they blackmail MS to release a patch in x amount time as they will release the "proof of concept" to the wild.

Re:Reminds me of the JPG buffer overflow

[CABAN]

SANS.ORG [http://isc.sans.org/diary.php?date=2005-06-14] is reporting that these patches might restore program access defaults.

Re:Reminds me of the JPG buffer overflow

...the Finish University of Uola...

You probably meant the Finnish university of Oulu.

Re:Reminds me of the JPG buffer overflow

[Michalson]

After the jpg incident, wouldn't you tend to look at the code handling other image formats for similar problems? Guess not. Would you apply the same logic/I'm cool because I bash Microsoft stupidity to Mozilla/Firefox?

For example in 2002 an arbitrary code execution vulerability was found in Mozilla's PNG code (155222). That obviously set off people searching for other image vulnerabilities, which resulted in them finding Mozilla's GIF decoder was also a flawed, allowing for arbitrary code execution (157989). By your logic once that initial alarm goes out the code should be checked and all bugs will be found; if bugs are still present in that module (or in Microsoft's case, in a completely seperate but similar one) then it represents a huge failure by the organization. Now since open source projects have tens of thousands of eyes to check source code once a flaw has been found, I'd assume it applies equally to Mozilla. Lets test that theory.

Fast forward to 2004, and the PNG library still has arbitrary code vulnerabilities (251381). Given that people knew as earlier as 2002 that there had been PNG vulnerabilities, WHY did they not find this one until 2 years later.

Fast forward to 2005, and this time it's the GIF code. Now we already knew the GIF library had problems 3 years ago, yet somehow an arbitrary code execution flaw, which existed from the very beginning of the Mozilla project (1998), is found (mfsa2005-30). This dangerous exploit has been sitting in open source code for 7 years. 3 years ago attention was brought to that very module for the very same kind of exploit. And yet it wasn't found until just a few months ago. By the logic of Nos, the Mozilla Foundation, and everyone who has checked the code, are morons. Or perhaps Nos has some doublethink to get himself out of the Microsoft bashing to make himself cool hole he dug himself.

Re:Reminds me of the JPG buffer overflow

[Nos.]

Hmmm, I never once mentioned Microsoft. Never once called anyone a moron. Lets look at what I was saying. I said if you found a vulnerability in a specific library, would you not tend to check similar libraries for similar flaws?

I have written a lot of PHP/MySQL applications. Someone pointed out a flaw in one of my earlier ones with an unchecked bit of user input that could have resulted in an SQL injection type attack. At the time, I didn't have a standard class for handling DB interactivty, so I fixed the flaw in the application where it was found, and proceeded to go through all my other apps and look for the same or similar flaws.

To me, that is the logical thing to do. Apparently for some its either not a logical next step, or is not a priority.

Re:Reminds me of the JPG buffer overflow

[Keeper]

You just implied moronity, and given that the article is about MS the reference to MS is implicit.

You've also proceeded to miss the entire point, being that you CAN check for similar problems in the code, but not catch them. If the many eyes theory of open source development doesn't catch it, manual examination of code isn't an effective tool to combat all problems of this nature.

Re:Reminds me of the JPG buffer overflow

[I'm+Don+Giovanni]

LOL
I don't know what's funnier, the degree to which you were thoroughly owned or your sad attempt to spin your way out if it. LOL

Re:Reminds me of the JPG buffer overflow

[SeaFox]

After the jpg incident, wouldn't you tend to look at the code handling other image formats for similar problems?

Nah, that sounds like some sort of proactive security initative.

Re:Reminds me of the JPG buffer overflow

[TheOtherChimeraTwin]

No, he had it right the first time. Uola is a famous finishing school.

Re:Reminds me of the JPG buffer overflow

[Perren]

After a certain number of vowels, does it even matter anymore?

You can't possibly pronounce it anyways.

Re:Reminds me of the JPG buffer overflow

[fred+fleenblat]

>> After the jpg incident, wouldn't you tend to
>> look at the code handling other image formats
>> for similar problems? Guess not.

I remember when it used to be common practice to not just fix a bug, but to fix the entire class of bugs to which it belonged.

Something weird happened with project management and bug-tracking software somewhere down the line that removed the incentive to fix more than one bug at a time. I suspect that this is the root of a lot of software quality problems.

Re:Reminds me of the JPG buffer overflow

[Cally]

That's the very one. Thanks!

PNG???

Okay, I'm not familiar with IE's internals. But I still cannot understand how you'd introduce a remote execution vulnerability into "get PNG bits, arrange bits for display system" unless you were *trying* for that. Yeah, I know you have to allocate memory for the PNG, and I understand the problem probably comes from an overflow of that, but still, it makes me wonder just how badly written this stuff must be.

Re:PNG???

[LO0G]

The same way that a remote execution overflow was in libXPM.

Google integer overflow vulnerability for more information.

New Microsoft Security Update

[PyWiz]

Microsoft has released a free security update to Windows users today: Service Pack Linux. Service Pack Linux includes a fix for all IE vulnerabilities, as well as flaws in Outlook and Office. IIS users will be happy to know that Service Pack Linux will fix many problems with Microsoft's premier web server package as well. Service Pack Linux is considered the most comprehensive security fix in Windows history. Users should get it now at http://distrowatch.org/

Re:New Microsoft Security Update

[Carl_Cne]

http://www.mslinux.org/

Re:New Microsoft Security Update

[walgurf]

When Linux offers the same support for and number of games as Windoze, I'll switch. I guarantee if not for DirectX, Win would have half the non-corporate users that it has.

Re:New Microsoft Security Update

[James_Aguilar]

You mean so they can experience the joy of having to edit text configuration files in order to get even their onboard NIC to work? Hmmm . . . no thanks . . . good thing we can turn Windows update off. Viruses are a risk of lossiness, Linux is a reality of the same.

Re:New Microsoft Security Update

[RoadkillBunny]

Someone should make a scam email that says Microsoft has that updateand send it to all people. I wonder how many would click it...

Re:New Microsoft Security Update

[sud_crow]

Actually, they will have the joy of choosing to edit the config files by hand (text files editing) or use one of the several GUI tools most distros now include (Mandriva Control Center, SUSE YaST, RedHats one --dont know the name-- or even KDE and Gnome control panels). Good thing we can turn GUIs off.

Before you gloat too much

[callipygian-showsyst]

...Slashdot seemed to have missed this doozy from less than a month ago.

http://www.us-cert.gov/cas/techalerts/TA05-136A.ht ml

Re:Before you gloat too much

[RaffiRai]

For those who don't want to read, that's 10 vulnerabilities, 1 privledge escalation, 6 remote executions including buffer overflows, and one bluetooth attack.

Probably should have covered this on Slashdot.. patched or not, which I don't know, as it doesn't affect ones about Microsoft.

Re:Before you gloat too much

[callipygian-showsyst]

For those who don't want to read, that's 10 vulnerabilities, 1 privledge escalation, 6 remote executions including buffer overflows, and one bluetooth attack.

Thanks for the summary. And that's my point! The Apple "true believers" have been led to think that there's some *radically different* in the design of their beloved operating system that makes it immune to these things. There isn't! It's the same crap!

Re:Before you gloat too much

[Timesprout]

I think you have confused the word 'missed' with 'conveniently ignored'.

Re:Before you gloat too much

[MynockGuano]

My friend Mark said that he saw a zealot totally format C: some kid just because the kid opened up Windows.

Re:Before you gloat too much

[Frank+T.+Lofaro+Jr.]

Bizarre, that page talking about Apple vulnerabilities having a Department of Homeland Security logo on it.

Like anything important to homeland security would be on a Mac.

Heck, I wouldn't even trust HOME security to a Mac.

To bad

[MemoryDragon]

I thought they might have fixed the png transparency bug, which was reported to them eight years ago... but no... just a buffer overflow.

Re:To bad

[MemoryDragon]

I know about that, but this problem was reported 8 years ago! Another thing is the half broken CSS1 and the totally broken CSS2

Re:To bad

[HiredMan]

Yeah he's an idiot. How dare he criticize a program that's buggy. It's frozen from development and it's replacement will ship in 2 years or so, Stupid. So what if they never, ever fixed the PNG display pipeline since IE 6 shipped. Why should graphics display correctly - it's not like the web is a graphics medium, right?

Vendors should never, ever roll back changes into older versions of their software they force you to use. Tabbed browsing, correct graphics display, CSS support will all be available someday so shut yer piehole! All you'll have to do is upgrade your entire system to get these features. And it's not like anyone else has managed to get that stuff working on the same platform, right? Right? Well, maybe some one has but they must have more programming resources than MS, no doubt...

=tkk

Re:To bad

[Spy+der+Mann]

which was reported to them eight years ago... but no... just a buffer overflow.

I imagine the microsoft engineers wearing anti-infection outfits (with masks and everything) and large instruments.
---
"Ok there's the creature..." (imagine some sort of alien spider, but with more guts and everything)
"Be careful guys, we don't want to break it, just remove the insecure splinter from it"
"Man, this is disgusting. I wouldn't touch that with a 20 foot pole"
"OK, splinter removed! Close the cage, quickly!"

TSHHHHHHHHHHHH

(Guys remove their masks)
"Man, that was the scariest moment in my life! Why do we keep handling code like this?"
"Shut up, the boss' coming right there!"
(Bill Gates approaches)
"Hey guys, what's up! Did you fix that vulnerability?"
"Yes, sir!" (everybody puts up a blatant smile)
'I'm switching to Firefox', thinks one of them.
---

WSUS

[XorNand]

For those admins who tend to a small MS shop and don't have the need for an expensive patch management solution, WSUS was released last week to replace the lame SUS (Software Update Services). I had to disable SUS due to some GPO issues, so I'm looking forward to checking out WSUS. And with this round of patches, it seems like the ideal time to test.

Re:WSUS

[CoffeeJedi]

yeah, i just got the WSUS migration notice on the SUS control panel, i'll probably do that next week

SUS does its job, but i'm hoping for alot more control over patch management, its a very inelegant solution.

Re:WSUS

[RaboKrabekian]

We've started using WSUS in a ~1000 workstation environment and it's fantastic. There are a few quirks you have to iron out, especially if you've been using non sysprep'd ghost images on all your workstations. It's all manageable, though, and once set up it's a really powerful (and free) tool.

Re:WSUS

[fdiskne1]

I've been testing WSUS and I'm rather impressed. If you have a Windows environment with up to a couple of thousand workstations, I'd have no problem with recommending this. This is what SUS should have been in the first place. SUS allowed you to point machines at the SUS server to download patches and schedule them for install by way of GPO. That was the limit to patch management for SUS. With WSUS, you can assign the machines to groups and assign patches to those groups. This allows you to install only the patches you want on only the machines you want to install them on. Depending on the number of groups you need to create, this could be a bear to initially set up, but once that part is done, you can roll out a new patch to a test group, then if no problems occur, roll them out to the rest of the organzation according to the schedule you decide on. It also provides reporting. Imagine if a new virus came out that takes advantage of one particular vulnerability (not social engineering). You can bring up that patch and look at all machines and whether it is installed or not or even if its not needed. Or you can look at them machine by machine and see their patch status.

I know. It's still not as secure as an all Linux environment. But, I'm curious. Does Linux have anything comparable? I honestly don't know and I'd appreciate it if anyone could let me know.

Re:WSUS

[lucidvein]

Maybe ZenWorks, offers more than patch management...
http://linux.slashdot.org/article.pl?sid=05/03/13/ 1233251&tid=223&tid=163&tid=164&tid=106

Re:WSUS

[rikkards]

Out of curiousity, why would you not sysprep your ghost images? THe only reason I could see is if you are making separate images for each workstation and you want to keep the same name etc.

Re:WSUS

[arkhan_jg]

I have to admit, I've been running the wsus beta for a month or so, and it's a lot better than SUS.

Basically, you point the workstations at the server with a GPO or registry patch as before, but the server setup is much improved.

Machines are listed by name, and you can assign them to manually assigned groups on the server, or flag the group they should use on the machine itself.

You can approve individual patches by group, or individually if you wish, and can list the known applied patches and due patches by machine, as well as pull out other basic info like motherboard id, mac address, and windows version.

The nicest bits for me are:
- That you can see at a glance how long since machines last reported their status, which can help identify an unreported dead or problematic machine in a large lab, and very out of date ones are flagged
- reports listing what machines still need updates, or indeed what patches are still to be rolled out
- whether there's unapproved updates that need attention; you can auto-approve different grades of patch if you so wish.
- properly handles superceded patches
- you can spot when a machine clone hasn't been reassigned it's correct name as the old one stops checking for updates, and you get a new machine with the 'wrong' random name.

As a school, we don't have a large budget for patch/machine management so WSUS adds some much needed patch management to our hand-rolled pxe clone system (based on pxe linux boot + partimage)

The only really annoying things are the windows 2000 server, ms-sql server or sqlde minimum requirements, and of course IE for management. I tend to just vnc into the server and run IE from there, as it's simpler than wine on my gentoo workstation.

Re:WSUS

[arkhan_jg]

I know. It's still not as secure as an all Linux environment. But, I'm curious. Does Linux have anything comparable? I honestly don't know and I'd appreciate it if anyone could let me know.

There's zenworks from novell/suse, and redhat network used to work somewhat similar for their enterprise distro - not used redhat for years though.

Still, with windows on the desktop, WSUS is definitely a big step forward, and a real improvement from SUS or just auto-update.

Re:WSUS

[jakupovic]

Redhat network aka RHN does exactly what you describe. You can assign machines to groups which can then be updated individually. It seems to work well enough. And then if you're a big company something > 50 servers you can have your own RHN, just like SUS/WSUS.

The NSA

Never needed MSFT to put in a "backdoor" for them, specifically. Christ, they just needed the source-code so they could use all the ones there were already there.

Re:The NSA

[Deviant+Q]

Why would they need the source code? If they're far enough ahead of us in cryptography, I'm sure they're light years ahead in finding Microsoft vulnerabilities.

I can see it now...

"Agent Jones, those people over at CERT found another one on our list... looks like it was #314159... well, check it off; nobody's figured out #271828 yet, so we'll just keep using that..."

Re:Sure glad I don't have to do this crap

[Foolomon]

Your problem is that you listen to Kim Commando in the first place. :P

Patch Patch

[sheepoo]

Any new on latest FireFox vulnerabilites? Have they been patched?

Re:Patch Patch

[NinjaFarmer]

Blasphemy! FireFox has no vulnerabilities and will never need to be patched! It has perfect security and all the features a user will ever need! It is perfect! The M$ FUD machine spreads evil rumors about "vulnerabilities" and "patches" in FireFox! We must not believe them!

What's a linux?

[J+Barnes]

Sorry, I don't use linux and I openly profess my general ignorance.

That obviously makes me a minority around here. Twice over, in fact.

Re:Sure glad I don't have to do this crap

[callipygian-showsyst]

Uh uh! You're in big trouble!

You'd better go here and install the Fedora updates (three in the last month)!

Re:Microsoft... again

[LegendOfLink]

You know, you DON'T HAVE TO UPDATE. I haven't updated my XP box for almost a year now. I'm still running SP1 and no anti-virus (I know how to use the TASKLIST command). Guess what, I have no problems, save for the occasional crash due to Photoshop being a bitch. The difference between my unpatched Windows not getting spyware/viruses is that I'm not a dumbass and try to download Buddy Handjob Bar or whatever it's called. That, and I use FireFox, which has NEVER failed me.

Venture to guess?

[AyeRoxor!]

exists due to the way the browser handles PNG (Portable Network Graphics) files."

Hmm... Buffer overflow maybe?

Buffer overflow is an amateur mistake. Check your god damn code.

/frustrated by lazy programmers

Re:Venture to guess?

[Joe+Decker]

Check your god damn code

Using an interjection when you mean a adjectival phrase is an amateur mistake. Check your God-damned grammar.

Re:Venture to guess?

[a_greer2005]

I remember my C++ classes in High School, if our code had a buffer overrun, it was a letter grade (or more) off for sloppiness and error potential, we would also be told that it was unprofessional. Needless to say I made the buffer overflow mistake ONCE, not again.

mod the parent as high as possible because he is dead on!

Re:Venture to guess?

[bheer]

Given that everything from the Linux kernel to SSH to Apache to Firefox has had buffer overruns, I'd be wary of describing their authors as 'unprofessional'.

Rather, buffer overflows are trivial to avoid in class assignments (and indeed, small projects). It's when the project grows larger, gets split into multiple program units and gets multiple authors that you really start scratching the surface of industrial strength development (something the armchair developers on /. have never really experienced).

To top it all, code that is 'safe' can often be made 'unsafe' by running it under circumstances the authors never intended: there's a whole class of overflow attacks that use code/data injection to crack even supposedly secure programs (and no, not even Java/C# is safe from this).

Re:Venture to guess?

[Joe+Decker]

Well played, AC. :)

My point stands, though. In very large projects, it's easy for mistakes to slip through. Arbitrarily large projects will suffer some fraction of errors. The solution to this is not assuming that all software developers are lazy and ignorant (although some certainly are), instead, the solution is in better proecesses, testing, and tools.

Re:Venture to guess?

[Knightfall]

Funniest.

Grammar-Nazi Post.

EVER.

Re:Venture to guess?

[Just+Some+Guy]

a adjectival

You were so close - so very, very close...

Re:Venture to guess?

[poot_rootbeer]

Buffer overflow is an amateur mistake. Check your god damn code.

But they used the "Check god damn code" menu option in MS Visual C Studio, and it didn't return any critical errors!

(Mere "warnings" don't count)

Re:Venture to guess?

[Krenath]

I think it inadvertently proves yet another point as well:

If people who've in most cases been using a language since shortly after birth still can't get all the details right when using it,

1. How do you expect them to get all the details right in a language that
   1. ...they've only been speaking for a relatively small percentage of their lives, and
   2. ...wasn't even created for humans to communicate natively in.
   3. ...they haven't been formally trained in for at least a half-dozen years
2. How do you expect them to respond to criticism of their use of a programming language when they've proven that their typical response to criticism of their native language consists of things like:
   1. "Shut up, grammar/spelling/punctuation nazi!"
   2. "You can still understand me! Who cares!?"
   3. "I meant to do it that way because I'm a 1337 h4xx0r!"
   4. "STFU, n00b"

So, in conclusion, <sarcasm><irony>"STFU, buffer overrun nazis!"</irony></sarcasm>

I do feel that attention to detail in one is reflected in the other and that overall quality will improve in neither until people start to care and it becomes less socially acceptable to make the mistake in the first place than to be the one to point the mistake out, in code or otherwise.

Re:Venture to guess?

[Joe+Decker]

I do feel that attention to detail in one is reflected in the other and that overall quality will improve in neither until people start to care and it becomes less socially acceptable to make the mistake in the first place than to be the one to point the mistake out, in code or otherwise.

In my experience, you've got it backwards. Before I became a photographer I did embedded software for 20 years, shipping over 100M units and often having the final signature to begin fabricating my code into masked ROM. What I found was that overemphasis on "blame" instead of "results" was counterproductive. I seem to recall a discussion by Knuth on the point, but lack a citation.

Where you and I agree is on the idea that caring about the quality of ones code matters. It matters enormously, I've had the opportunity to primarily work with engineers who really do want to ship good, quality product. In the environments I've worked in, the occasional snarking at a bug has been counterproductive. It makes programmers defensive about their code, rather than being open to review and criticism, and thereby reduces the quality of the final product. Your experience may vary.

Re:Venture to guess?

[value_added]

Using an interjection when you mean a adjectival phrase is an amateur mistake.

I am impressed. More correctly, however, it's a participial phrase

Re:Venture to guess?

[darkmeridian]

a adjectival

Hey, look! The Emperor is wearing no pants!

Re:Venture to guess?

[Joe+Decker]

Yep. :)

Re:Venture to guess?

[That's+Unpossible!]

Using an interjection when you mean a adjectival phrase is an amateur mistake. Check your God-damned grammar.

Oh, the pain, the pain of it all.

Re:Venture to guess?

[bheer]

> All programming is small projects

In an ideal world. In the real world people leave, new people join, managers still want stuff done yesterday. Now, this happens in the auto industry too, but there they have the laws of physics giving them a reality check everyday. In the software business, any combination of new hardware, new configurations and new business environments may invalidate your older assumptions. Now how will you ensure that imperfect humans pass on their knowledge _exactly_ in the face of such change?

> as long as software can ignore all the product liability laws

Well, the software for the space shuttle is built to some pretty exacting standards (and still has bugs, but that's beside the point) but most customers are not ready to either pay for that kind of quality or wait for that kind of time.

Re:Venture to guess?

[Joe+Decker]

I know, I know. :)

Re:Venture to guess?

[GSloop]

This is the "because we can" outcome.

If you can get away with crap, you will.

Clearly, the ramifications from writing bad/buggy software are not enough to prevent it. If the risks were high enough - that you'd lose your job, your company would be sued into the ground - etc - then we'd see software that was really high quality.

For those that would rebut me, read Mark Minasi's "Software conspiriacy" - he's right on the money.

When users value and demand high quality software, then we'll get it. (And have a legal system that allows the buyer to hold the seller responsible.) Until then we'll get empty promises, ridden hard and put away wet.

Cheers,
Greg

Re:Venture to guess?

[Joe+Decker]

Read the rest of my thread, I appreciate deeply your colorful demonstration of my actual point.

Re:Venture to guess?

[Joe+Decker]

Yup, I did. :/

Re:Venture to guess?

[eraserewind]

If you need to check your code for buffer overflows you are using the wrong language.

Re:Venture to guess?

[Decker-Mage]

It's the multiple author part that gets most projects into trouble. When I'm working solo, bugs are not a problem. I practice software engineering not software development. After thirty years, no one has ever found a bug in my software and I do not write trivial applications. Heck, I don't even trust the OS to give me the correct date/time, I always do a sanity check. My code runs slower, sure, but it runs in defensive mode in every module and every function. Every input and output is checked. Similarly, I make extensive use of state machines to prevent misuse/abuse, intentional or not. No injection attacks here, thank ye.

In electrical/electronic engineering I do the same thing with fuses, capacitors, impedance matching circuits, etc. When will we in the software community wrap our head around the notion of coupling, limiters, and protection? Ditto my other fields of engineering. Can you say nuclear? I thought you could. Meltdowns are soooo messy.

Now bring some other people into the mix and it begins to become fun as I'm having to teach them proper engineering techniques, mathematical proofs, and all the other tools that are in my arsenal. Fortunately I love to teach, but it does get old after a while. Real old.

I'll probably never give up writing software, or teaching, and have three projects on the burner right now. But you'll never see me working on enterprise apps with a team until they put the science back into the computer science and take the hacking out. And yes, I can hack with the best of them too, and have for thirty five years, but not on production code.

Re:Sure glad I don't have to do this crap

[ChrisF79]

The Kim Commando show? Seriously, that show sounds like they put a phone in a mental institution and let the patients phone in. Please don't use that as your proxy.

Patches don't solve the problem on new installs

[Whafro]

It's happened to me twice now...

I'll install a vanilla copy of XP Pro onto a system, and within minutes of hooking the machine up to the network, it has become infected with a virus, basically requiring a reinstallation immediately.

My normal mode of installation is:

- Install XP
- Two IE windows open:
- One downloads Firefox
- The other goes to Windows Update and starts downloading patches.
- Download everything else using firefox, including drivers, etc.

But apparently Windows Update isn't a fast enough method to get the machine patched, and the machine is compromised before the appropriate patches are finished being applied.

I've made a "XP Install Disc 2" for myself, which has the full SP2 installer file, Firefox, Avast, Spybot, and Adaware on it, that I then install while the box is still offline. It seems that SP2 does well enough at plugging exploits that the system then has enough time to download the other patches normally without becoming compromised.

Does anyone have a better solution?

Re:Patches don't solve the problem on new installs

[Eric_Cartman_South_P]

Try getting a hold of $40 and buy yourself a Linksys firewall. That would give you a TON of time to upgrade a naked box. (hehe, I just said naked box).

Re:Patches don't solve the problem on new installs

[almostmanda]

You could slipstream SP2 onto your install CD (search google for directions), so you don't have to race against time trying to get it installed before your machine is pwned. It'll just install with XP. Upon installing, if you're really paranoid, you could put a second firewall on your machine, like Kerio or Zone Alarm. After that, get updates and install antivirus and antispyware.

Re:Patches don't solve the problem on new installs

[pstreck]

use a better firewall. i run devil linux on a dedicated machine and use it as a router/firewall and never have a problem. on the other hand as soon as my younger brother takes his computer back to the dorm it gets infected... it's all whats on your network. cable users seem to be worse off due to the lan you are on with your infected neighbors.

Re:Patches don't solve the problem on new installs

[wiggys]

Yes.

1) Switch on the built-in firewall before you connect to the internet. It's very basic but it does the job, I've been running an unpatched XP system with nothing more than the built-in firewall for months now with no problems.

2) Buy a router. £25/$40 buys you a piece of hardware which acts like a firewall and blocks all incoming ports, other than ones you solicit, natch.

3) Slipstream SP2 into your XP install. Personally I'm staying away from SP2 but use it if you must.

4) Put a copy of Zone Alarm on your "XP Install Disc 2", along with the the many useful bits of freeware available at www.grc.com

5) Download, burn and learn how to use Knoppix.

6) ????

7) Profit!

Re:Patches don't solve the problem on new installs

[SomeGuyFromCA]

> 2) Buy a router. £25/$40 buys you a piece of hardware which acts like a firewall and blocks all incoming ports, other than ones you solicit, natch.

and remember to turn off upnp. otherwise, the following happens:

<spiritual descendant of back orifice> hey router, this is a upnp request: forward 31337 to this computer, please!
<router> will do, and you have a good day!
<sdobo> oh, i will...

Re:Patches don't solve the problem on new installs

[varmittang]

After the patch is download though Windows Update, and it starts the install, disconnect the wire from the back of the computer so it can't be attacked will its updating. Then reboot, and wait for it to be in the booting up before plugging it back in. I say unplug because when just disabling the network card in windows and you end up rebooting before enabling it, I have had some problems with some computer just not wanting to fully reboot because the disabled nic card.

Re:Patches don't solve the problem on new installs

[raptorjb007]

Everytime I hear of poeple who cannot handle SP2, or are still running windows98, just confirm more and more to me that you dislike windows not because of its quality, but because you just don't know how to operate it. I think some of you jumped on the anti-microsoft bandwagon so long that you avoided microsoft to the point where you lost touch with the operating system. Sort of like us anti-apple poeple who think OSX is the stinko because, well, we just don't use it enough to understand its finite details. My suggestion is to stop complaining about MS windows problems and start trying to find solutions rather than blaming microsoft. You would be surprised at how much you can do with windows, I promise.

Re:Patches don't solve the problem on new installs

[Dynamoo]

Yup: Windows XP: Surviving the First Day from the SANS institute covers this problem.

The key thing, as others have said, is to enable the software firewall and make sure that file and print sharing is disabled. A second CD with SP2 and a decent firewall like ZoneAlarm is usually enough too.

Re:Patches don't solve the problem on new installs

[wiggys]

Err, I don't like SP2 because I've personally witnessed it fuck up 2 PCs to the extent that they wouldn't even boot.

We had to use System Restore to go back. I don't have the time to find out what it is about the computers SP2 doesn't like. The service pack should just work. If there's something it doesnt like then we should have had a warning saying "Cannot install SP2 until you remove foo/bar"

Secondly, on the many machines I admin which do run SP2 okay, performance is definitely slower with SP2 installed.

As for your other moronic comments:

OSX is a far better OS than Windows (stability, security, ease of use, performance and general overall cleverness). And I don't own, nor have I ever owned, an Apple computer.

Windows 98 is faster and more secure than Windows XP. It's also has fewer features and is more unstable. Oh, and it doesn't look as pretty, if that's your bag. Maybe people are still running 98 because their computers are not fast enough to run XP? Or maybe they just use it because they have it, it works, and they can't afford £250 to buy Windows XP Professional for no good reason.

According to PC World Business here in the UK, a copy of XP Pro will set you back £210+VAT, whereas you can buy a brand new NEC PC, 256mb RAM, 40gig h/d, LAN, keyboard but no monitor WITH a copy of XP Home for £199+VAT.

Does that make any sense to you?

While I'm at it, go and look how much a full retail copy of MS Office costs these days. How does £350 sound?

The latest version of Knoppix runs from CD, and if you burn it to a CDRW you can even save your settings onto CD as you use it. It includes an OS, Open Office 2 Beta (excellent IMO), not to mention shitloads of free apps.

I like Windows and I tolerate MS Office but I do not think they justify the insanely high prices MS charges for them.

Re:Patches don't solve the problem on new installs

[Spy+der+Mann]

I've made a "XP Install Disc 2" for myself, which has the full SP2 installer file, Firefox, Avast, Spybot, and Adaware on it, that I then install while the box is still offline...

Does anyone have a better solution?

Are you kidding me? I install all SP2's from CD.

Re:Patches don't solve the problem on new installs

[essdodson]

Yes, the rest of the world slipstreams service pack 2, installs without a network connection, enables XP firewall before hopping on the Internet, then downloads whatever other patches are available.

Re:Patches don't solve the problem on new installs

[dhazard]

Just unplug the box from the internet, just make sure you have the SP2 CD and I always have handy my so called 'start up CD' it has everything from GFX drivers, spyware tools, virus removers and browsers. Just install SP2, firefox, AV App, Firewall App (Zone Alarm is good for both) and some simple spyware tools and your pretty much in the green, hook up to the Cat5 patch cable in your RJ45 link and bam... Start downloading what comes aftr SP2.

Re:Patches don't solve the problem on new installs

[pinchhazard]

I like the cheerful naivete of the router.

<router> hey, xp box at 192.168.0.101. special delivery guys!
<windows> excellent. bring it into the labyrinth.

Re:Patches don't solve the problem on new installs

[Blakey+Rat]

Zone Alarm sucks. Compatibility issues, GUI from hell...

Use Sygate Personal Firewall. Equally free. Much fewer compatibility problems. Much better GUI.

Re:Patches don't solve the problem on new installs

[SocietyoftheFist]

Yeah, do it behind a nat'd network with a firewall. I've never been infected during setup and patching.

Re:Patches don't solve the problem on new installs

[crabpeople]

" Err, I don't like SP2 because I've personally witnessed it fuck up 2 PCs to the extent that they wouldn't even boot."

if you properly clean the PC this isnt an issue. you cant just hold back peoples security updates because you dont know how to go into safe mode and disinfect a PC.

Maybe its because you have safe mode on. The first thing i do before i do any sort of virus spyware removal is turn off safe mode!! i have never seen safe mode do anything useful ever. if you know enough that you can go back and restore points, you know enough not to have your PC infected in the first place. for the rest of the world it just eats up gobs of diskspace and cultures spyware.

for what its worth i wont touch XP at all on my own system. 2k all the way. that is, if you want some semblance of stability/reliability.

Re:Patches don't solve the problem on new installs

[Xibby]

Out of the ~200 Windows XP machines I manage, I've only seen SP2 "uck up a PC to the extent that it wouldn't even boot." once, and that was because the user power cycled the machine durring the installation because the machine was unresponsive.

From what I've gathered, Service Pack 2 is prone to really messing up a windows installation where there is lots of spyware/adware/whatever installed.

Re:Patches don't solve the problem on new installs

[Tim+C]

I like Windows and I tolerate MS Office but I do not think they justify the insanely high prices MS charges for them.

You don't even know what expensive means when it comes to software. I routinely (as in, every day) use software costing in excess of £1.5k, and have personally installed, configured and developed against software costing in excess of £100k. That's not bespoke software either, that's off the shelf stuff. Hell, I have about £10k worth of software sat in my desk drawer at work.

Re:Patches don't solve the problem on new installs

[Mattsson]

SP2 is a *huge* patch, so if youve got lots of software already installed problems are bound to show up. I had to reinstall my computer after SP2 due to really strange bugs.
But as for slipstreaming it onto an installation cd or installing it right after installing xp, that has never produced any problems for me.
And regarding slower performance. What would you rather have? A more secure computer or a slightly faster computer?

Security Update for Windows XP (KB666)

[circletimessquare]

A humor security issue has been identified that could allow a Slashbot to remotely compromise your sense of humor about Windows patches and bore you to death. You can help protect your sense of humor by installing this update from Microsoft. After you install this item, slashdot.org will resolve to 127.0.0.1 .

How to Uninstall

Read all comments rated as funny under a story about Windows Update on slashdot.org and your sense of humor will be successfully uninstalled.

Help and support

http://omgmstehsux0rs.slashdot.org/

Re:Security Update for Windows XP (KB666)

[bobcave]

Tiger, tiger burning bright. In the forest of the night.

Re:Witty Headlines

[ehaggis]

MS releases a patch and it's news?

Re:Sure glad I don't have to do this crap

[ssj_195]

What an appalling display of "toeing the slashdot party line", and putrid arrogance and condescension, as well. Whoever modded this transparent tripe up should be ashamed of themselves.

The amount of "CPU time" "Windows users" spend patching holes is a few minutes every month. And get off your high horse, here: while Linux distros provide updates for a more comprehensive range of apps, it's also the case they you have to download far more (in terms of raw megabytes) far more often. I'm willing to bet right now that, timing from the release of FC3, FC3 has required more and bigger updates than Windows.

I'll never forget the time, earlier this year in fact, when Mandrake provided a security "update" for the kernel (you may remember the much-publicized priviledge escalation vulnerability around the end of last year). This "patch" consisted of the whole kernel source (maybe 40MBs of it) which you would have to manually compile and install (no nice binary rpm, here). With this one single update, Mandrake users have exceeded the "CPU time" required for a few months of Windows updates. And let's not forget the hefty kdelibs security updates, which basically amounts to downloading the whole of kdelibs again, since none of the distros seem to provide diff-style patching. The same with Firefox (8MB on Linux...?).

Also, while we are free from worms and viruses here, note that there is nothing innate to Linux that precludes phishing and spoofing attacks.

Maybe as an engineer who uses computers to actually accomplish something I just have a different point of view.

Ugh.

Re:Sure glad I don't have to do this crap

[a_greer2005]

Kim Kommando is not a person that I would trust or even listen to because she recomends the worst products, misses the obvious, free fixes for common problems in favor of the pricey ones. and she calles herself the "digital goddes"?? She is a bratty know it all

Want good tech radio? listen to Leo Lapporte on KFI on the weekends

this is one

[suezz]

train I don't ride anymore - thank goodness.
goodbye billy and steve - have fun with your os. glad you are thinking about security.

Re:Sure glad I don't have to do this crap

[cortana]

> And, do I need to remind you about stability issues with Debian Sarge?

Yes. No problems here...

Few Points

[ilyanep]

1. Why is it news when MS releases a patch? It happens every week.

2. First a JPG problem, then a PNG problem, so what's next? A GIF and a BMP problem? Or are we moving onto video formats next?

Re:Few Points

[MynockGuano]

In future news, Microsoft has released a patch to correct a remote code-execution vulnerability that exists due to the way the browser handles ASCII art.

Re:Few Points

[ettlz]

Why is it news when MS releases a patch?

How else would I know when I have to boot Windows again?

Re:Few Points

[pe1chl]

It happens every week.

Those were the days.... now it happens once a month.

Re:Few Points

[prshaw]

>> How else would I know when I have to boot Windows again?

And I remember the days when people said you had to reboot multiple times a day.

Now we need reminders to reboot.

Re:Few Points

[ettlz]

Now hang on, who said anything about rebooting?

the problem isn't what it appears to be

[cahiha]

If you look at Macintosh, BSD, and Linux distributions, they also have regular security updates, with many similar vulnerabilities.

There are really two problems here, one true of all major OSes right now, and the other one true of proprietary systems.

The first problem is the pervasive use of C and C++, which makes systems unnecessarily prone to buffer overflows and related problems. C and C++ programmers keep saying that they can handle it, but it is obvious that they can't.

The second problem is that Microsoft and Apple only update their own applications; users are saddled with downloading updates for other software by hand. If all these bugs exist in IE, you can be similar bugs exist in Photoshop, Office, and many other apps that aren't automatically updated.

Re:the problem isn't what it appears to be

To be fair, C++ provides some very nice facilities for automatic memory management like the standard containers (vector, in particular) and strings.

SH

Re:the problem isn't what it appears to be

[mabu]

The first problem is the pervasive use of C and C++, which makes systems unnecessarily prone to buffer overflows and related problems. C and C++ programmers keep saying that they can handle it, but it is obvious that they can't.

Bad programming is bad programming. You can write vulnerable code in ANY language.

Take some responsibility for things instead of blaming everything on the environment.

Windows is badly designed and badly implemented. These same people, designing the same type of system in a different language would likely create the same problems.

Re:the problem isn't what it appears to be

[cahiha]

Bad programming is bad programming. You can write vulnerable code in ANY language.

There are people who know about safety and security. They know that it's all about risk and probabilities.

And then there are people like you, people who believe erroneously that safety and security is a black-and-white issue.

Windows is badly designed and badly implemented.

Yes, and do you know what kind of people create those bad designs and implementations? It's people like you: people who simply do not understand safety and security.

Thanks for illustrating the problem.

All aboard!

[AtariAmarok]

"MS Patch Train Leaves the Station"

Otherwise known as the Bugwarts Express. To find the boarding platform, run your luggage cart full tilt into that blue screen.

Completely untrue

[Azureflare]

WTF? Compile from source??

I use mandrake, I have since 9.0. I have _never_ had to compile the kernel from source. You urpmi the source from the command line. The mcc interface will NOT install the kernel automatically. You have to do it manually.

In older distributions, you would simply type urpmi kernel (or whichever of the other kernel's you're using, like enterprise, etc.). In the recent mandriva releases, you have to type urpmi kernel-2.6

Obviously you haven't been using linux often... Where did you get the impression that you "had" to compile it from the source package?

Re:Completely untrue

[ssj_195]

This was my experience; I searched through with the GUI tools for an actual binary, but couldn't find it anywhere...? Perhaps it was named oddly, but I couldn't find anything but the kernel source itself. If I'm wrong on this, I apologise. It seemed odd at the time (as I knew that e.g. Ubuntu gave kernel binaries), but I was buggered if I could find the damn thing!

Re:Completely untrue

[Azureflare]

Yeah, sorry if I came across as being rash, I really wish I could edit slashdot posts... My title could have been changed. I actually do agree with a lot of what your post said. Windows management isn't as bad as people on slashdot make it out to be.

Anyway, I'm not saying the kernel issue on mandrake/mandriva is easily apparent to ordinary users. At first I was confused too.

I haven't actually done it recently, but AFAIK you can't upgrade the kernel using the GUI tools. I think you might be able to type in the specific package name and get the listing, but that's a PITA.

If you haven't already, install bash-completion from the gui. You'll have to restart your sessions but it makes using urpmi from the commandline a WHOLE lot easier.

Then fire up your favorite terminal (Eterm or konsole or something), and su to root and then type urpmi kernel- and then hit Tab. It'll show you a bunch of potential names (there are a lot). Fill out the one you want (i.e. if just the stock 2.6 kernel, type urpmi kernel-2.6 and hit tab).

I'd also recommend firing up xchat and heading to #lfd or #mandriva on irc.freenode.net... if you have any problems there are friendly people there to help you :)

HTH, and again I'm sorry if I came across as being mean. I'm at work so I'm moving quickly :D

Re:Completely untrue

[ssj_195]

HTH, and again I'm sorry if I came across as being mean. I'm at work so I'm moving quickly :D

It's all good, dude :)

I haven't actually done it recently, but AFAIK you can't upgrade the kernel using the GUI tools

Ah, that would explain a lot.

Oddly enough, this one stumbling block is the thing that put me off Mandrake (onto Gentoo of all things! But I'll wipe that soon and replace it with Kubuntu, like I have with my laptop). Other aspects were the fact that downloading the updates to repository listings sucked up a *huge* amount of bandwidth - one of them (main? updates? I forget which) was a 20MB download, whenever something changed (which was admittedly rare). Kubuntu is much more sane - it must do diff-style repository listing updates, so it looks like I can update all my repositories very quickly and with very little bandwidth - which is a good thing as I intend to replace my mum's Mandrake install with Kubuntu at some point, and she is on 56k.

Anyway, on the whole I did like Mandrake a lot (it was my first distro) but niggles like this put me off, and I'll probably stick with Kubuntu, from now on :)

Re:Completely untrue

[Azureflare]

Yeah, Kubuntu is really promising (based off of debian). Also regarding the size of the updates, you can make it really small by using synthesis.hdlist.cz rather than the hdlist.cz. The one you're downloading (hdlist.cz) has all the descriptions for the packages, which does take a long time to download. The synthesis.hdlist.cz is much more sane, and is rarely over a megabyte in size. I only use synthesis.hdlist.cz, since I don't really need descriptions for packages.

Re:Sure glad I don't have to do this crap

[X_Bones]

Maybe as an engineer who uses computers to actually accomplish something I just have a different point of view.

Or maybe you're just a pretentious holier-than-thou asshole who doesn't realize that some of us use Windows because that's what our products are delivered on, or we need a piece of legacy software to do our work, or our kids have Windows-only games, or we've never heard of Linux so we don't know there's alternatives to Microsoft, or our bank requires IE, or any of the other thousand and one reasons some people use it.

There's no need to assume we're all idiots, you know.

PS. phishing and spoofing are platform-agnostic. Without the right knowledge, your grandma would get owned by PayPal scammers no matter if she ran Windows or Warty (or anything else, for that matter).

How are we going to do transparency now?!?

[dJOEK]

We can't go back to gif, can we? ;-)

Re:Sure glad I don't have to do this crap

[ch-chuck]

Currently getting FC4 to install, but, actually I mainly practice safe networking with a Linksys router/firewall at work and an OpenBSD gateway at home. The point is I like to use a computer for computing and getting work done. When I was a Windows admin several years ago it was a daily/weekly event for employees to come running in worried about the latest vuln. attack they heard on the news - I can completely do without all that static and distraction, it just seems to come with the "Windows culture", which came from their long standing practice of releasing not ready for prime-time software and then patching it later in the field, because it's legal to do so and they could get away with it.

Re:Microsoft... again

Also, when you have sex, you DON'T HAVE TO USE CONDOMS. I haven't used condoms of my box for almost a year now. I'm still running high and no aids-virus. Guess what, I have no problems, save for the occasional clash due to girlfriend being a bitch. The difference between my unprotected sex not getting aids/viruses is that I'm not a dumbass and try to have sex with everybody in Bars or whatever it's called. That, and I use a fidel girlfriend, which has NEVER cheated me.

Paaaaatch Train!

[Thanatopsis]

It's the Paaaaaaaaaatch Train! The longest running update progam in computer history. Now with your host Steve Ballmer!

Re:Paaaaatch Train!

[ral315]

And now let's hear that great 1977 Barry White hit:

Developers, Developers, DEVELOPERS!

Re:Microsoft... again

[henrywood]

The sad thing is that you probably don't know whether your PC is infected or not (and it most probably is). It's dumasses like you that make life so difficult for sysadmins who have to battle the attacks from zombie PCs.

MS cant win

If MS doesnot patch you all say "MS wont patch their crappy stuff"

if they do patch, you all say "Wow, it must suck really bad to have to patch it"

As if Linux doesn't require constant patching either, hypocrites

Re:MS cant win

[vettemph]

But we always say MS sucks. What is hypocritical about that?

Re:Microsoft... again

[MSTCrow5429]

I'm still running SP1 and no anti-virus...

...my unpatched Windows not getting spyware/viruses...

Without actually using AV software, you'd verify this how? Don't pretend that the tasklist command from the CLI (just a text version of the Task Manager) is going to save your ass. Most viri don't tend to show up in such a perfunctory fashion. I'd be willing to bet your box is in alot worse shape than you think it is. Don't be like those guys who have sex with random people wihtout protection because they have a false sense of immunity from what affects everyone else. Your Windows isn't special.

Re:Microsoft... again

[Slashcrap]

I'm still running SP1 and no anti-virus (I know how to use the TASKLIST command).

I suggest you Google for "Rootkit".

You may also wish to Google for "Over confident" or "has it coming".

Hope this helps.

Re:Sure glad I don't have to do this crap

[roystgnr]

I mainly practice safe networking with a Linksys router/firewall at work and an OpenBSD gateway at home.

Does your firewall block outgoing HTTP connections and incoming email? If not, then it's not going to help against attacks like this PNG bug which are propagated through user-pulled data rather than attacker-pushed port connections. Such attacks exist for Linux, too. There is no such thing as "safe networking", and the only way to come close is to keep every connected computer up to date. I think Fedora still comes with up2date searching for updates in the background and displaying the results on a panel icon. Unless you use something else for security updates you ought to be clicking on that every time it finds something new.

Need people be reminded?

[suitepotato]

This is all partly as a result of the way the PC platform itself works, it's merely that Windows has got so much compound crap in its code that these things are bound to happen. As Linux distros continue to grow and mutate and people ignore the old idea of the smallest kernel possible, we're going to see more buffer overflow errors on Linux. If BSD had the same kind of useage rates as Linux, we'd see a similar trend there. Mac OSX is taking off, we're going to see evolutionary crap in its genetic structure as it were.

Tearing Windows present design platform down to the smallest parts and scrubbing and rebuilding would probably put back the release of XP's successor to 2016. Let's hope some people are listening on the Linux and OSX sides and get it in their heads to keep their code lean and healthy and well tested.

Re:Need people be reminded?

[jonadab]

> Tearing Windows present design platform down to the smallest parts and
> scrubbing and rebuilding would probably put back the release of XP's
> successor to 2016.

And this is different from the current situation *how*, exactly? ;-)

Comment removed

[account_deleted]

Comment removed based on user account deletion

Possible problem with this update

[trtmrt]

I just installed the latest update for windows 2000 on my wife's computer and it hosed the installation. I assume it included these latest patches. Has anybody had a similar experience? I am getting a "SYSTEMced corrupt or missing" error which google tells me has to do with registry problems.

Re:Possible problem with this update

[neil.pearce]

The "ced" part of the error message is chaff from some previously display text that has been overwritten.

You will probably have to reduce the size of the system hive, using regedt32.

Could Not Start Because the Following File Is Missing or Corrupt: \Winnt\System32\Config\Systemced

Re:Witty Headlines

[Cat_Byte]

apparently so. Maybe the moderators should realize that we get a little icon that pops up telling us it is there hours before the story even gets posted. Just imagine if we had a slashdot story for every *nix patch as well. We would be nothing but patchdot.org. I'm sick of these and the stories about how something is 1 yr older.

Re:Microsoft... again

[henrywood]

Your naivity would be amusing if it wasn't such a pain to those of us who have a job to do. Are you sure you're old enough to be using a computer?

Re:Sure glad I don't have to do this crap

[ch-chuck]

That's right, there is no absolutely, guarenteed, bullet-proof 'safe networking' - but there is SAFER and RISKIER, and I feel much more comfortable with the level of risk in this box than exists with any M$ft product. Are there vulnerabilities on this box? Most certainly. Have there been any incidents? No, zero, none, nada. Am I going to chew my fingernails off and live in a perpetual state of paranoid anxiety worrying about potential exploitz? Nope.

Video Problems caused by the Critical Update

I'm surprised no one has yet mentioned the problem one of these "critical updates" is causing on Dell Optiplex GX280 computers. I had two systems on my LAN mistakenly configured with "automatic updates" that had serious problems after one of these updates was installed. The user complained that they would turn on the computer and after about 10 seconds (before they could even finish logging on) their monitor would turn off. I first thought it was a monitor problem, but changing monitors didn't resolve the issue, so I called Dell Corporate/Gov't. Tech Support. Before I even got through the menus to a live body, there was a message on the line suggesting that if you were having video problems on Optiplex systems after installing the Critical Update, you should re-boot the system in VGA mode and change the default resolution to 800 X 600. Apparently, one of these updates re-sets default resolution to a range that cannot be supported with the built-in video hardware on the Optiplex.

Once you re-boot in a low resolution, you can then re-set the default resolution to something more acceptable (say, 1024 X 768 or something similar) and you're golden, but I have seen nothing in the press about this bug (that took me well over an hour to puzzle out on both affected computers).

My other systems are configured for SMS control, so patches aren't rolled out before testing, but these were set up to Auto Update (which Microsoft recommends for everyone, despite problems such as this). Otherwise, this could have been a major headache yesterday.

Re:Video Problems caused by the Critical Update

[Nevo]

This sounds like a problem not caused by an OS update,but by a driver update. OEMs can publish driver updates through Windows Update.

That's far more likely than one of the OS updates causing the problem.

Re:Video Problems caused by the Critical Update

[pe1chl]

NEVER install the MS-distributed driver updates on a Dell PC!
Get them from the Dell site.
I had similar problems with a GX-270 a while ago.

Re:Microsoft... again

[joebagodonuts]

He forgot to say that it's not on a network :)

Re:Sure glad I don't have to do this crap

[erikkemperman]

Maybe as an engineer who uses computers to actually accomplish something I just have a different point of view.

Ugh.

I would agree this is an awkward way of putting it -- but stressing the different usage-patterns of your typical engineer vs your typical joe 6p is in itself a valid point, I would say. There is a point where insisting things being in some respect "equal" is self-defeating.

Recognizing a difference does not necessarily invalidate one or the other "variant," in fact it often allows the best to emerge in each.

I guess what I mean is that, though perhaps poorly worded, my GP actually just pointed out the different usage patterns, but perhaps was not actually saying that computing the "joe 6p way" is inferior somehow. Just different, is all.

Re:Microsoft... again

[freeweed]

Well, seeing as there's no 100% foolproof method of determining this anyway (your AV could be out of date, or just behind like some vendors seem to be, or you could have a new virus no one else has seen yet)...

It's pretty easy to not get a virus in Windows. How? Well, there are 3 basic ways you get infected:

1. Listening network ports with compromisable services. Solution: install a NAT'ing router with firewall. Paranoid solution: install Zonealarm or one of the dozen other competing offerings as well. Have fun remotely exploiting my machine when you can't connect to it.

2. Opening infected executables. Solution: only install software from trusted sources. Paranoid solution: only use what the standard install comes with. Believe it or not, not everyone installs 50 pieces of extraneous software. On my last remaining Windows box, I think Winamp and a Citrix client for work is about it. These installers have long since been checked for viruses and are installed from known, good, read-only media. Good luck infecting me there.

3. IE, Outlook, or other network-aware application exploits. Solution: turn off activeX, javascript. Paranoid solution: don't use these apps at all. Find small, niche apps that have never been exploited - yes, these do exist.

This growing attitude of "if you don't run AV software, you're probably infected" is disturbing. Viruses and worms don't just magically appear out of nowhere, they come in through known, predictable routes. Close those routes, and you prevent infection. Well, until virus writers become so sophisticated that they can fake out a TCP/IP stack entirely - in which case they can probably fool your AV software as well.

Re:Sure glad I don't have to do this crap

[ssj_195]

Possibly - God knows I'm always putting my foot in my mouth whenever I go off on one of my rants :) One of the perils of a communication medium where all of the usual verbal cues and body language are removed, I guess...

Re:Sure glad I don't have to do this crap

[Crudely_Indecent]

"...putrid arrogance and condescension..."

Sad little man. The previous poster wasn't calling you a sheep, but I will. Sure, you can run Windows because it 'Just sucks...err....works out of the box' and be constantly on your guard against the mentioned spyware, malware, trojans, viruses, etc. The plain fact is that OSS bugs and security flaws are generally less damaging, less frequent and resolved faster than the flaws in MS products.

You completely failed to mention Gentoo when trying to rip Linux. My updates can be several hundred MB in size, but I don't mind. It is the price I gladly pay for software that 'just works, and works the same every time.' For 20+ Linux systems and servers, I download a new source package once. Centralized NFS distfiles directory prevents me from wasting valuable time downloading the same update on every machine. Do I need to mention how Windows handles this situation? There are obvious advantages to using Linux (as well as other FOSS) that many MS evangalists REFUSE to see.

"I beg you to come unto me, brothers and sisters. I have seen the light and I can lead you to your salvation or possibly your doom...."

Weren't we talking about PNG on IE before? Someone mentioned the transparency issue in a different thread, which can be resolved with this code:
<img src="blank.gif" style="width: 100px; height: 100px; filter:
progid:DXImageTransform.Microsoft.AlphaIm ageLoader (src='image.png', sizingMethod='scale')" />

You may want to implement browser specific insertion of that code...it totally doesn't work in anything but IE

Word!

Re:Can't do it...

[MemoryDragon]

That is not the point, the pont is, that Microsoft never rolled out a workable PNG solution although the bug has been reported first, around 8 years ago. Even worse, the IE5 on the MAC does PNGs properly!

Re:Sure glad I don't have to do this crap

[Some+Bitch]

none of the distros seem to provide diff-style patching.

Suse 9.3 does, as I'm on dialup it's a godsend.

As it's now GPL I wish other distro makers would look closer at YAST, it's by far the best config etc tool I've seen.

Re:Sure glad I don't have to do this crap

[ettlz]

We have our own here in the UK, only we call it a "Carol Vorderman".

IE PNG Support

[gnurob]

...exists due to the way the browser does not handle PNG files. The web would be a beautiful place if content creators could depend on complete PNG support. This problem has been around for over 8 years! IE blows.

Re:Sure glad I don't have to do this crap

[ssj_195]

That's cool - does anyone else? I'm surprised it's not much more prevalent in non-source based distros, as I know that in at least Debian, every .deb contains a manifest of all files that will be installed by the .deb, and I think a md5 of each one, too. It strikes me that it should be easy to create a "dummy" deb that verifies that the old version has not been tweaked and, if not, simply replaces just the necessary files with fresh copies.

Dell support - MS Critical Update video issue

[markdowling]

Dell Support Page

Re:Witty Headlines

[niteskunk]

Just because you used Firefox doesn't mean you shouldn't update your IE... It's not like the update will harm anything on your PC, so why leave the vulnerabilities open in the first place?

So nice

[Leroy_Brown242]

I have to say it was really nice to wake up this morning and have my system ready to reboot after it installed the patches.

Hands off security.

Yummy.

eweek already slashdotted

[jan.blaha]

www.eweek.com is not responding, I can't even read the article...

Is there a mirror somewhere?

IE7

[DigitlDud]

I'm using IE7 which has full PNG support amoung other things I'm not talking about.

^Bump^

[TubeSteak]

Viruses and worms don't just magically appear out of nowhere, they come in through known, predictable routes.

Thank You

Our home network is NATed and WinXP SP2 isn't mandatory.
The biggest problem is the occasional spyware infestation. And even that doesn't happen very often anymore. Decent ad-blocking software filters out most of the crud.

I run a virus scan every now and then just to be sure the various programs I've downloaded are clean, but I haven't checked in weeks and honestly I'm not worried.

I'm moving the household over to FireFox (love adblock and greasemonkey) but even with that, I'm the only one who visits shady warez sites.

Viruses are reaching a level of sophistication where most people won't even know they're installed (even if you've got a fancy scanner) because they hook in at the kernel level or use some sneaky pete masking techniques.

Don't believe the hype

YES

[spongman]

Does anyone have a better solution?

Turn on the firewall you fool!

Re:Sure glad I don't have to do this crap

Whoever modded this transparent tripe up should be ashamed of themselves.

Obviously not using IE though, it doesn't support transparent tripe.

Re:Can't do it...

[HiredMan]

but they can't just go and change the way their browser treats content any time they feel like it.

So your basic argument is that because flaws in IE6 have stunted web development to this point fixing it would cause chaos and should be avoided. Continuity of error over correct implementation of standards simply for order's sake.

I can't think of a better argument for ending IE domination or the web or an illustration of the ill effects of monopoly.

=tkk

what seems to be everyones problem??

[Cutting_Crew]

i have WIn XP Pro at home and never have i had a virus, malware, etc etc, no spur of the moment reboots, no bluescreens. i have cable internet so the computer is on 24/7. i maybe have to reboot once a month for new windows updates but thats about it.

Re:Wow. You'd think they'd get all these

[I'm+Don+Giovanni]

"It's crap like this that makes me wonder at the possibility of Apple eating Microsoft's lunch on the OS front."

That's interesting considering that Mac OSX also has security updates released regularly.

http://www.us-cert.gov/cas/techalerts/TA05-136A.ht ml
US-CERT, 2005-05-16: "Apple Mac OS X is affected by multiple vulnerabilities" describes the ten vulnerabilities addressed in Apple's most recent security update for Panther (Apple Security Update 2005-005, released last month http://docs.info.apple.com/article.html?artnum=301 528). The flaws include a healthy number of buffer overflows and integer overflows.

IE Patch

[logic+hack]

I believe a third party patch is available for that.

Safari & widgets

[Luthair]

http://macuser.pcpro.co.uk/news/72440/tiger-widget -vulnerability-highlighted.html

Meanwhile, at Bugwarts

[AtariAmarok]

Meanwhile at Bugwarts, it looks like Steve Ballmer needs to shave. See him here. He has an inordinate fondness for worms, trojans, virii and other perilous beasties, and this has gotten him in trouble from those few on the staff concerned about security.

"Screwts! Screwts! Screwts!"

SMB vulnerability

[Glamdrlng]

I'm expecting this to be exploited by a Blaster/Sasser type worm. Time to go on Terry Tate mode looking for users with laptops...

Re:Sure glad I don't have to do this crap

[vjsd1]

+1
I agree. Patching windows is far more comfortable than patching linux.

The linux zealots are absurd regarding the PNG issue: buffer overflow in linux libpng was discovered a little while ago - exact same problem. Linux is just as vulnerable to buffer overflows as windows (until all distros use add execshield by default).

The linux zealots need only enter the following in google:
site:http://www.cert.org/advisories/ linux
And they'll get quite a few results.

I use suse, and patching is much easier than with other distros, but still nowhere as comfortable as windows.

Why wait for patches

[MECC]

Would it kill MS to release patches when the vulnerability is fixed, rather than waiting for some magic 'patch release day'?

Re:Why wait for patches

[pe1chl]

The "critical" fix for IE was compiled on April, 28.
Go figure...

Re:Why wait for patches

[dwlovell]

They used to do exactly that and they got pummeled by companies complaining that they couldn't regularly test and release patches to their machines on a days notice, so they specifically asked for a monthly patch release schedule unless an exploit was already in the wild.

You might say that they could just release the patch and let the company deal with their own schedule, but the crackers out there reverse engineer the patches to create exploits as soon as they are released.

This is just another example of how Microsoft is screwed either way. If they release on a schedule, people like you complain that they wait to release patches, if they release right away, the paying corporate customers complain they can't keep up implementing the patches.

So its either you, or the corporations paying maintenance contracts, who do you think wins the lose-lose decision for Microsoft?

-David

Re:Why wait for patches

[jonadab]

They used to do that, but too many whiney corporate PHBs (who on average understand security just about well enough to think using their mothers' maiden names as passwords is clever and secure) complained about how inconvenient it was to have those updates coming out whenever they were ready and how much their corporations needed a predictable schedule for software security updates, in order to allow patch integration to be scheduled in advance around meetings and vacations and thereby promote holistic synergy in their workflow-equilibrium organizational strata and integration team dynamics.

Re:Microsoft... again

[Avohir]

The illusion of security... I bet you dont use a firewall either. Part of my job is cleaning malware off of computers, and about 75% of them say "but I'm so careful! I never download anything I dont trust completely, and I use firefox!" Unfortunately, if you dont have an AV, you're playing with fire. Tell me you use a sandboxing setup and have a clear understanding of your registry, and use a top of the line firewall, and I might believe you've got a clean system

Same holes reported in earlier article?

[ArielMT]

Does Tuesday's patchfest include the Several Critical MSIE Flaws Uncovered on May 15? Or has Microsoft finally fixed IE bugs faster than Mozilla fixes Firefox bugs contrary to what I argued last month?

Re:Microsoft... again

[soliptic]

Well said.

I'm also running XP w/o service packs: I did install the RPC patch because at that time I was on dial up, so didn't have a router to help out. But other than that, Windows update is switched off and I've given SP2 a wide berth... Yet staying virus/crapware free has been very simple: don't be a retard. Don't use networked software which is widely renowned for being swiss cheese (Outlook (Express), IE), and don't run britney_nude.exe. If you're not a total dunce, it's incredibly easy to stay clean in Windows.

If you are a total dunce, you can bet you'd be able to hose a linux system as well. And don't give me that utter, utter bullshite about how "linux is properly multi-user so only your home directory could be affected". WTF? Do you think I care about OS files, which I can reinstall easily anyway? Or do you think I care about MY data, MY music, MY writing, MY photographs, MY code, which (if you lack up-to-date backups) are simply irreplacable?

Don't get me wrong, I fully accept that MS's security track record is dismal, and they make it far easier than it should be to install crapware. That doesn't really change the fact that it's perfectly possible to stay clean in XP with nothing more than a $50 router and a lick of common sense, nor the fact that it's perfectly possible to screw up a *nix / OSX / whatever box just as badly as XP given an equivalent level of naivety and stupidity from the user.

Monthly update

[beerman2k]

Are we going to do this every month?

Re:Witty Headlines

[Bedouin+X]

It's not like the update will harm anything on your PC

*gasping for air*

Man, I needed that laugh. Thanks!

ObMonkees

[sharkey]

Take the Patch Train to Crashville
And I'll meet you at the station.

Virus Down, Malware Up

[EXTomar]

I don't see C/C++ as being the problem. It is more that the security hurdles in Windows makes it impossible to run efficiently in anything but a privilaged account. This allows malware of all sorts to take advantage of vectors not found on other Operating Systems. Opening an email could infect your system if done in a privilaged account. Reading a web page could infect your system if done in a privilaged account. Browsing the local network resources can infect your system... So on and so on.

You'd have to be a zelot fanboy to recognize that any Operating System is a complex software system. Complex software systems are prone to bugs and as pointed out every one of them receive regular updates to patch problems. The problem with Windows is not the bugs but the way they handle them which makes the entire process of correcting flaws painful. Today I've been chasing people to reboot after installing the patches (thankfully I can force the patch install remotely) their system because I know 90% of them won't reboot their machines. I tried once before to reboot in the early mornings but I got an earful from multiple people who didn't save and left things open.

Windows is not only hard to patch in the enterprise, its hard enough to work with that people won't close applicatons! Talk about a double whammy.

Re:Virus Down, Malware Up

[cahiha]

True, Windows has additional problems above and beyond its extensive use of C/C++. But every buffer overflow or related exploit in it is directly attributable to the use of C/C++.

Re:Virus Down, Malware Up

[jonadab]

> Windows is not only hard to patch in the enterprise, its hard enough to
> work with that people won't close applicatons! Talk about a double whammy.

Umm, not wanting to close applications isn't a Windows problem. It has to do with not wanting to lose your place. Leaving things open is like bookmarking your page when you're reading a book: it makes it easy to pick up where you left off. If WinXP users are leaving windows open overnight, this is a sign mostly that XP is, unlike Win9x, stable enough that it is practical to leave it running for more than a day without reboot. This is not a flaw.

I haven't minimized, much less closed, this web browser window in *months*, and I'm not on a Windows system. (I'm on Mandrake, with the Gnome UI, as it happens. This is neither here nor there.)

Windows has enough troubles of its own; there's no need to blame it for things that first of all aren't (or shouldn't be) problems and second aren't its fault even if they were.

The real problem that you're running up against is that Windows needs to be rebooted to get certain kinds of updates (err, most of them) applied. That, and a thirty-year-old class of bug called "buffer overruns" that are mostly a symptom of doing virtually all development in an unsafe, bit-fiddly programming language with unchecked bounds on data types that don't autopromote, don't have intelligent container structure, aren't garbage collected, ...

The other poster is absolutely correct: C and C++ and their ilk don't have sane semantics for application development. It's one thing using them for inherently low-level stuff, such as kernels and device drivers and boot loaders, but writing whole application suites in them, with the level of complexity of current software, is nuts. There's a new buffer overrun on CERT every single week, usually several of them, and while Windows seems to get more than its fair share, there are *entirely* too many of them on other platforms as well.

As far as the "privileged account" thing, you're assuming that a privileged account is necessary in order to do dammage. It's not. Sure, a privileged account is needed in order to do the kind of dammage that necessitates an OS reinstall, but frankly, that's not the really bad kind of dammage anyway. A privileged account is *not* needed (on any platform) for any of the following actions:

* Wipe out the entire contents of the user's home directory. This is MUCH worse than rendering the OS unbootable, because you can't recover the user's data from the OS install CD.
* Arrange to run whenever the user logs in. (This is theoretically not the same as arranging to run whenever the computer is turned on, but in practice, on virtually all desktop-grade systems, it is the same.)
* Look through the user's address book, documents, browser cache, and other data for privacy-sensitive information and send it back, over the internet, to the attacker.

On some platforms it's also possible to log the user's keystrokes without a privileged account. (Not sure if that's possible on WinXP, but then again, on WinXP, it's possible to *get* privileges you don't naturally have, up to and including LocalSystem, due to certain design flaws in the Win32 API. Google "shatter attack". That's just a privilege-escalation attack, but it's a privilege-escalation attack that can't be fixed without breaking backward compatibility for all apps, so it's going to be around for a while.)

In short, an unprivileged account, while it's not a bad idea, does not really afford any reasonable level of protection. If you're relying on that to prevent Bad Things from happening, you could run into trouble.

Now, running untrusted stuff in a *different* unprivileged account from the one where you keep your data, that's another thing, especially if your home directory isn't world-readable. Just for example, anything that listens for connections from the internet should be run in its own dedicated account that doesn't

Re:Microsoft... again

[toddestan]

The sad thing is that you probably don't know whether your PC is infected or not (and it most probably is). It's dumasses like you that make life so difficult for sysadmins who have to battle the attacks from zombie PCs.

And how do you know that your computer is not infected?

Re:Wow. You'd think they'd get all these

[jayloden]

I was thinking at first that I agree with you, but then, how many holes have been found in sendmail since its inception. You'd think with armies of open source programmers and decades of time, they'd get this thing nailed down. Evidently not that easy, or maybe the fundamental design is just flawed and the only real solution is a ground-up recode (enter postfix or exim or qmail type stuff?)

I don't presume to know it all, and I'm not pointing any fingers, it just seems to me like Microsoft is a victim of it's own legacy code and bad design. They designed windows as a single user, trusted system and then tacked on multi-user ability and unsurprisingly, have had problem after problem with untrusted code and exploits, etc. In much the same way, Linux and Unix apps even as old as sendmail can be a victim of a bad design decision (setuid binaries, too many weak points in the chain, etc)

I'm not exactly defending Microsoft, but it's not a problem unique to them, either.

-Jay

Re:Microsoft... again

[LegendOfLink]

I know I'm NOT INFECTED because I'm a system admin, you asswad.

Run->CMD->tasklist

I know each and every legit process and those that aren't.

Re:Microsoft... again

[LegendOfLink]

You're an idiot. Why don't you stick to being an "MS-only-AOL-user" and leave the computing to the real programmers, mmkay?

Re:Microsoft... again

[henrywood]

If real programmers think it's OK to run Windows without patching or a virus checker I think that I'll stick to being a sysadmin.

Re:Microsoft... again

[henrywood]

I agree that it's difficult to know for sure. So I run behind a NATed router, run anti-virus software, keep scrupulously up-to-date with security patches, and use a firewall to block all incoming ports and all outgoing ports that I don't use.

You're right that I can't be absolutely sure but it's a lot safer bet than the idiot whose running without patching or anti-virus.

The disturbing trend

[Gary+W.+Longsine]

This growing attitude of "if you don't run AV software, you're probably infected" is disturbing. Viruses and worms don't just magically appear out of nowhere, they come in through known, predictable routes. Close those routes, and you prevent infection.

You're right, as far as you go.

The problem is that's pretty hard to defend against those things. Home users don't know how. Corporate network administrators have hundreds of interlocking "business requirements" that prevent them from shutting the door to "critical services" like SMB file sharing between PC systems.

Worms get into corporate networks through a variety of means, borrowing techniques from viruses and mass emailer viruses, as well as adware and spyware. Some of those holes are impossible to block on a typical corporate network. Take the Internet Explorer holes in corporations that have spent the last several years deploying "internet based applications" that only function correctly with Internet Explorer, for example. Can't block 'em. Might take months to patch 'em if you have tens of thousands of PC systems.

Once a worm gets into a network by exploiting a single system through a mundane virus or adware-only hole like this, it's likely to find a wormable exploit on many other systems. Once a worm is inside, the soft candy center of the corporate network is difficult to defend from a worm with conventional techniques, which are typically perimeter defense in nature.

Even worse, some of my clients have reported that they have, out of tens of thousands of users, at least several who seem to get their PC infected over and over and over. They suspect that this is a "coffee break effect". The users learned that if they double-click on the occasional malicious attachment that leaks through the antivirus email filter at the gateway, and the one on their PC, they get the afternoon off because their PC is taken offline by the network admin staff.

So AntiVirus really is part of the layered defense required for "closing those routes" in the modern age for most companies and home users.

By the way, the observed incidents supporting the "coffee break effect" are the worms and viruses that successfully exploit the patch gap or the definition gap. Most of the time that users double-click to unzip, type in the password and then double-click to execute a malicious attachment, they are thwarted by the AntiVirus system.

Re:Witty Headlines

[niteskunk]

Maybe I've been lucky, but none of the critical updates I've applied have screwed up my system, heh. Neither did this one. ...It's still funny how IE craps the bed when it tries to render a transparent PNG, though (post-update).

Watch out for this one

[temple]

This set of patches destroyed the registry for me on a XP SP1 machine. End result was a blue screen just before the login screen appeared. YMMV, but I spent a good part of this evening fixing said machine.

Re:Watch out for this one

[pe1chl]

The nice thing is that this can happen with any program that you install. Maybe an OS fix is riskier than average, but you need to be prepared in any case.

Re:Watch out for this one

[chawly]

But did you read the instructions ? Apart the usual "get Linux, it just works hype, and you get this right out of the box, and you heard it here first" You did read the instructions, you did, didn't you ?