Slashdot Mirror


MS Patch Train Leaves the Station

per1176 writes "Microsoft has released 10 advisories to cover a dozen security vulnerabilities, including a "critical" cumulative update for the Internet Explorer browser. The IE fix corrects a remote code-execution vulnerability that exists due to the way the browser handles PNG (Portable Network Graphics) files."

60 of 361 comments

  1. Large size crash by Anonymous Coward · · Score: 5, Interesting

    Does this fix the crash with large stretched images?
    ie width=9999999 height=999999 in an

    1. Re:Large size crash by leaping_laughter · · Score: 2, Informative

      It's not for large image size; it's a problem with libpng's processing eTRNS structures, used to handle transparency.

      The folks at libpng fixed the problem months (a year?) ago; I rolled the fix into our application's PNG handling with nary a hiccup.

      Oh, and to save anyone else dealing with PNGs the weight gain and hair loss I experienced, there is NO support for pre-multiplied alpha channels in the library. Sigh.

  2. IE PNGs by Enigma_Man · · Score: 4, Insightful

    That's hilarious, because IE barely supports PNGs at all, but they apparently are vulnerable to them nonetheless. If you don't know of the png problem, they just don't display the colors right and/or won't do transparencies right at all.

    -Jesse

    --
    Nothing says "unprofessional job" like wrinkles in your duct tape.
    1. Re:IE PNGs by RaffiRai · · Score: 2, Insightful

      Transparencies appear grey in IE.

    2. Re:IE PNGs by swilde23 · · Score: 5, Informative
      That's mostly true... but you can mangle your way around it...

      http://blogs.msdn.com/dmassy/archive/2004/08/05/209428.aspx

      Believe me, I would rather just use a different browser (one has security holes of its own. As much as the creators of firefox would like to believe they have the perfect browser, any major piece of software is going to have bugs.

      The smart developers call these bugs... features :)

      The truth is though, most people don't know about anything other than ie. Why else would it show up with more than 80% of the hits on the websites we run. People don't like change. They like ie because it works out of the box with Windows. No extra installing, no "scary" configurations, no extra work on their part. If you want to convince people not to use ie, don't post messages on /. discussing the various security holes involved with png images. Go out and convince MS to stop packaging it with their os. Make people have to do a little work to get on the internet. Maybe then they'll start to think a little about what they are doing.

      --
      There are 10 types of people in the world. Those that understand this sig, and those that beat up people who do.
    3. Re:IE PNGs by theborg1of4 · · Score: 5, Informative

      I'm not sure if I understand your use of the word "barely". IE supports PNG as per the W3C recommendation, including binary transparency. IE doesn't support optional alpha channel transparency:

      http://www.w3.org/Graphics/PNG/

      From the first paragraph:

      "Indexed-color, grayscale, and truecolor images are supported, plus an optional alpha channel for transparency."

      While it would be nice if they supported the optional features, it's actually the developers who continue to use alpha channel transparency PNG that are deviating from the W3C recommendation.

    4. Re:IE PNGs by Anonymous Coward · · Score: 5, Insightful

      The alpha channel is optional in the PNG file format, _not_ in the PNG recommendation itself. The browser still has to be able to handle PNGs with alpha channels to be fully compliant with PNG pictures, even though users might choose not to supply an alpha channel with their picture.

    5. Re:IE PNGs by LurkerXXX · · Score: 2, Insightful

      What's the incentive? It's one more thing for their tech support people to have to support.

    6. Re:IE PNGs by Anonymous Coward · · Score: 2, Informative

      To the best of my knowledge this is not the case. 24-bit color seems to be supported, but if an alpha channel is present it is blended with either the PNG's background color (an optional property of PNG images, which is normally not used at all) or, if no background color is present, with a light blue (almost white) color.

      This page contains a PNG transparency test that comes in handy for figuring out exactly how IE handles different PNG types. It's theoretically useful for other browsers as well, of course, however I believe that all other modern graphical browsers now have full PNG support.

  3. Forgive my ignorance by J+Barnes · · Score: 4, Funny

    but is there an obvious point where software becomes more patch than content?

    Lately I envision all Microsoft products as lumbering stay-puff marshmallow men, ambulating labored steps inside a comical suit of band-aids.

    1. Re:Forgive my ignorance by Tarcastil · · Score: 4, Insightful

      You do realize the Linux kernel is heavily dependent upon patches.

    2. Re:Forgive my ignorance by PakProtector · · Score: 2, Funny

      You know what? Most of us don't mind paying real money for things that have real worth. I paid fifty dollars for Neverwinter Nights when it came out, while my roommate had a 'free' copy the same day.

      I will gladly pay money for something I like to make sure that the people who make it will make more. That's how the market economy works. If something has real value, it's only logical to compensate the persons who made it.

      Which is entirely why I have never paid for Windows.

      --

      Edward@Tomato - /home/Edward/ man woman
      man: no entry for woman in the manual.
      "Qua!?"

    3. Re:Forgive my ignorance by mph · · Score: 3, Funny
      but is there an obvious point where software becomes more patch than content?
      Maybe when you change the name of the software to indicate that's the case?
    4. Re:Forgive my ignorance by vettemph · · Score: 2, Funny

      >I paid fifty dollars for Neverwinter Nights when it came out, while my roommate had a 'free' copy the same day.

      So is it his turn to pay next time? :)

      --
      The government which is strong enough to protect you from everything is strong enough to take everything from you.
  4. M$ still pwnz Linuts by Anonymous Coward · · Score: 3, Funny

    Why not just release a patch that uninstalls IE?

  5. Reminds me of the JPG buffer overflow by Nos. · · Score: 5, Insightful

    After the jpg incident, wouldn't you tend to look at the code handling other image formats for similar problems? Guess not.

    1. Re:Reminds me of the JPG buffer overflow by Cally · · Score: 4, Informative
      Dude, if they hadn't checked, how else would they have realized there was a vulnerability for PNG and then developed a fix for it?

      As a matter of fact, these and other forthcoming issues with various OSes graphic parsing and rendering libraries result from a sustained attempt to break them with fuzzing techniques by researchers at the Finish University of Uola (or Oula. I forget). This is the same group that ripped apart many vendors' implementations of SNMP a few years ago, and ASN.1 a year or two after that. Big thanks to them for proactive efforts to improve security...

      --
      "None are more hopelessly enslaved than those who falsely believe they are free." -- Goethe
    2. Re:Reminds me of the JPG buffer overflow by Anonymous Coward · · Score: 5, Informative

      ...the Finish University of Uola...

      You probably meant the Finnish university of Oulu.

    3. Re:Reminds me of the JPG buffer overflow by Michalson · · Score: 3, Insightful

      After the jpg incident, wouldn't you tend to look at the code handling other image formats for similar problems? Guess not.

      Would you apply the same logic/I'm cool because I bash Microsoft stupidity to Mozilla/Firefox?

      For example in 2002 an arbitrary code execution vulnerability was found in Mozilla's PNG code (155222). That obviously set off people searching for other image vulnerabilities, which resulted in them finding Mozilla's GIF decoder was also flawed, allowing for arbitrary code execution (157989). By your logic once that initial alarm goes out the code should be checked and all bugs will be found; if bugs are still present in that module (or in Microsoft's case, in a completely separate but similar one) then it represents a huge failure by the organization. Now since open source projects have tens of thousands of eyes to check source code once a flaw has been found, I'd assume it applies equally to Mozilla. Let's test that theory.

      Fast forward to 2004, and the PNG library still has arbitrary code vulnerabilities (251381). Given that people knew as early as 2002 that there had been PNG vulnerabilities, WHY did they not find this one until 2 years later?

      Fast forward to 2005, and this time it's the GIF code. Now we already knew the GIF library had problems 3 years ago, yet somehow an arbitrary code execution flaw, which existed from the very beginning of the Mozilla project (1998), is found (mfsa2005-30). This dangerous exploit has been sitting in open source code for 7 years. 3 years ago attention was brought to that very module for the very same kind of exploit. And yet it wasn't found until just a few months ago. By the logic of Nos, the Mozilla Foundation, and everyone who has checked the code, are morons. Or perhaps Nos has some doublethink to get himself out of the Microsoft bashing to make himself cool hole he dug himself.

    4. Re:Reminds me of the JPG buffer overflow by SeaFox · · Score: 2, Funny

      After the jpg incident, wouldn't you tend to look at the code handling other image formats for similar problems?

      Nah, that sounds like some sort of proactive security initiative.

  6. New Microsoft Security Update by PyWiz · · Score: 3, Funny

    Microsoft has released a free security update to Windows users today: Service Pack Linux. Service Pack Linux includes a fix for all IE vulnerabilities, as well as flaws in Outlook and Office. IIS users will be happy to know that Service Pack Linux will fix many problems with Microsoft's premier web server package as well. Service Pack Linux is considered the most comprehensive security fix in Windows history. Users should get it now at http://distrowatch.org/

    --
    -py
  7. To bad by MemoryDragon · · Score: 2, Insightful

    I thought they might have fixed the png transparency bug, which was reported to them eight years ago... but no... just a buffer overflow.

    1. Re:To bad by HiredMan · · Score: 4, Insightful

      Yeah he's an idiot. How dare he criticize a program that's buggy. It's frozen from development and its replacement will ship in 2 years or so, Stupid. So what if they never, ever fixed the PNG display pipeline since IE 6 shipped. Why should graphics display correctly - it's not like the web is a graphics medium, right?

      Vendors should never, ever roll back changes into older versions of their software they force you to use. Tabbed browsing, correct graphics display, CSS support will all be available someday so shut yer piehole! All you'll have to do is upgrade your entire system to get these features. And it's not like anyone else has managed to get that stuff working on the same platform, right? Right? Well, maybe some one has but they must have more programming resources than MS, no doubt...

      =tkk

    2. Re:To bad by Spy+der+Mann · · Score: 2, Funny

      which was reported to them eight years ago... but no... just a buffer overflow.

      I imagine the microsoft engineers wearing anti-infection outfits (with masks and everything) and large instruments.
      ---
      "Ok there's the creature..." (imagine some sort of alien spider, but with more guts and everything)
      "Be careful guys, we don't want to break it, just remove the insecure splinter from it"
      "Man, this is disgusting. I wouldn't touch that with a 20 foot pole"
      "OK, splinter removed! Close the cage, quickly!"

      TSHHHHHHHHHHHH

      (Guys remove their masks)
      "Man, that was the scariest moment in my life! Why do we keep handling code like this?"
      "Shut up, the boss' coming right there!"
      (Bill Gates approaches)
      "Hey guys, what's up! Did you fix that vulnerability?"
      "Yes, sir!" (everybody puts up a blatant smile)
      'I'm switching to Firefox', thinks one of them.
      ---

  8. Re:PNG??? by LO0G · · Score: 3, Insightful

    The same way that a remote execution overflow was in libXPM.

    Google integer overflow vulnerability for more information.

  9. WSUS by XorNand · · Score: 2, Informative

    For those admins who tend to a small MS shop and don't have the need for an expensive patch management solution, WSUS was released last week to replace the lame SUS (Software Update Services). I had to disable SUS due to some GPO issues, so I'm looking forward to checking out WSUS. And with this round of patches, it seems like the ideal time to test.

    --
    Entrepreneur : (noun), French for "unemployed"
  10. The NSA by Anonymous Coward · · Score: 4, Funny

    Never needed MSFT to put in a "backdoor" for them, specifically. Christ, they just needed the source-code so they could use all the ones that were already there.

  11. Venture to guess? by AyeRoxor! · · Score: 3, Insightful

    exists due to the way the browser handles PNG (Portable Network Graphics) files."

    Hmm... Buffer overflow maybe?

    Buffer overflow is an amateur mistake. Check your god damn code.

    /frustrated by lazy programmers

    1. Re:Venture to guess? by Joe+Decker · · Score: 5, Funny
      Check your god damn code

      Using an interjection when you mean an adjectival phrase is an amateur mistake. Check your God-damned grammar.

    2. Re:Venture to guess? by bheer · · Score: 2, Insightful

      Given that everything from the Linux kernel to SSH to Apache to Firefox has had buffer overruns, I'd be wary of describing their authors as 'unprofessional'.

      Rather, buffer overflows are trivial to avoid in class assignments (and indeed, small projects). It's when the project grows larger, gets split into multiple program units and gets multiple authors that you really start scratching the surface of industrial strength development (something the armchair developers on /. have never really experienced).

      To top it all, code that is 'safe' can often be made 'unsafe' by running it under circumstances the authors never intended: there's a whole class of overflow attacks that use code/data injection to crack even supposedly secure programs (and no, not even Java/C# is safe from this).

    3. Re:Venture to guess? by Knightfall · · Score: 3, Funny

      Funniest.

      Grammar-Nazi Post.

      EVER.

      --


      Knightfall
    4. Re:Venture to guess? by Krenath · · Score: 2, Insightful

      I think it inadvertently proves yet another point as well:

      If people who've in most cases been using a language since shortly after birth still can't get all the details right when using it,

      1. How do you expect them to get all the details right in a language that
        1. ...they've only been speaking for a relatively small percentage of their lives, and
        2. ...wasn't even created for humans to communicate natively in.
        3. ...they haven't been formally trained in for at least a half-dozen years
      2. How do you expect them to respond to criticism of their use of a programming language when they've proven that their typical response to criticism of their native language consists of things like:
        1. "Shut up, grammar/spelling/punctuation nazi!"
        2. "You can still understand me! Who cares!?"
        3. "I meant to do it that way because I'm a 1337 h4xx0r!"
        4. "STFU, n00b"

      So, in conclusion, <sarcasm><irony>"STFU, buffer overrun nazis!"</irony></sarcasm>

      I do feel that attention to detail in one is reflected in the other and that overall quality will improve in neither until people start to care and it becomes less socially acceptable to make the mistake in the first place than to be the one to point the mistake out, in code or otherwise.

    5. Re:Venture to guess? by Joe+Decker · · Score: 2, Insightful
      I do feel that attention to detail in one is reflected in the other and that overall quality will improve in neither until people start to care and it becomes less socially acceptable to make the mistake in the first place than to be the one to point the mistake out, in code or otherwise.

      In my experience, you've got it backwards. Before I became a photographer I did embedded software for 20 years, shipping over 100M units and often having the final signature to begin fabricating my code into masked ROM. What I found was that overemphasis on "blame" instead of "results" was counterproductive. I seem to recall a discussion by Knuth on the point, but lack a citation.

      Where you and I agree is on the idea that caring about the quality of one's code matters. It matters enormously, I've had the opportunity to primarily work with engineers who really do want to ship good, quality product. In the environments I've worked in, the occasional snarking at a bug has been counterproductive. It makes programmers defensive about their code, rather than being open to review and criticism, and thereby reduces the quality of the final product. Your experience may vary.

  12. Patches don't solve the problem on new installs by Whafro · · Score: 2, Interesting

    It's happened to me twice now...

    I'll install a vanilla copy of XP Pro onto a system, and within minutes of hooking the machine up to the network, it has become infected with a virus, basically requiring a reinstallation immediately.

    My normal mode of installation is:

    - Install XP
    - Two IE windows open:
    - One downloads Firefox
    - The other goes to Windows Update and starts downloading patches.
    - Download everything else using firefox, including drivers, etc.

    But apparently Windows Update isn't a fast enough method to get the machine patched, and the machine is compromised before the appropriate patches are finished being applied.

    I've made a "XP Install Disc 2" for myself, which has the full SP2 installer file, Firefox, Avast, Spybot, and Adaware on it, that I then install while the box is still offline. It seems that SP2 does well enough at plugging exploits that the system then has enough time to download the other patches normally without becoming compromised.

    Does anyone have a better solution?

    1. Re:Patches don't solve the problem on new installs by wiggys · · Score: 4, Insightful

      Yes.

      1) Switch on the built-in firewall before you connect to the internet. It's very basic but it does the job, I've been running an unpatched XP system with nothing more than the built-in firewall for months now with no problems.

      2) Buy a router. £25/$40 buys you a piece of hardware which acts like a firewall and blocks all incoming ports, other than ones you solicit, natch.

      3) Slipstream SP2 into your XP install. Personally I'm staying away from SP2 but use it if you must.

      4) Put a copy of Zone Alarm on your "XP Install Disc 2", along with the many useful bits of freeware available at www.grc.com

      5) Download, burn and learn how to use Knoppix.

      6) ????

      7) Profit!

      --

      Sorry, but my karma just ran over your dogma.

    2. Re:Patches don't solve the problem on new installs by SomeGuyFromCA · · Score: 3, Funny

      > 2) Buy a router. £25/$40 buys you a piece of hardware which acts like a firewall and blocks all incoming ports, other than ones you solicit, natch.

      and remember to turn off upnp. otherwise, the following happens:

      <spiritual descendant of back orifice> hey router, this is a upnp request: forward 31337 to this computer, please!
      <router> will do, and you have a good day!
      <sdobo> oh, i will...

      --
      if the answer isn't violence, neither is your silence / freedom of expression doesn't make it alright
    3. Re:Patches don't solve the problem on new installs by Dynamoo · · Score: 3, Informative
      Yup: Windows XP: Surviving the First Day from the SANS institute covers this problem.

      The key thing, as others have said, is to enable the software firewall and make sure that file and print sharing is disabled. A second CD with SP2 and a decent firewall like ZoneAlarm is usually enough too.

      --
      Never email donotemail@WeAreSpammers.com
    4. Re:Patches don't solve the problem on new installs by wiggys · · Score: 2, Interesting

      Err, I don't like SP2 because I've personally witnessed it fuck up 2 PCs to the extent that they wouldn't even boot.

      We had to use System Restore to go back. I don't have the time to find out what it is about the computers SP2 doesn't like. The service pack should just work. If there's something it doesn't like then we should have had a warning saying "Cannot install SP2 until you remove foo/bar"

      Secondly, on the many machines I admin which do run SP2 okay, performance is definitely slower with SP2 installed.

      As for your other moronic comments:

      OSX is a far better OS than Windows (stability, security, ease of use, performance and general overall cleverness). And I don't own, nor have I ever owned, an Apple computer.

      Windows 98 is faster and more secure than Windows XP. It also has fewer features and is more unstable. Oh, and it doesn't look as pretty, if that's your bag. Maybe people are still running 98 because their computers are not fast enough to run XP? Or maybe they just use it because they have it, it works, and they can't afford £250 to buy Windows XP Professional for no good reason.

      According to PC World Business here in the UK, a copy of XP Pro will set you back £210+VAT, whereas you can buy a brand new NEC PC, 256mb RAM, 40gig h/d, LAN, keyboard but no monitor WITH a copy of XP Home for £199+VAT.

      Does that make any sense to you?

      While I'm at it, go and look how much a full retail copy of MS Office costs these days. How does £350 sound?

      The latest version of Knoppix runs from CD, and if you burn it to a CDRW you can even save your settings onto CD as you use it. It includes an OS, Open Office 2 Beta (excellent IMO), not to mention shitloads of free apps.

      I like Windows and I tolerate MS Office but I do not think they justify the insanely high prices MS charges for them.

      --

      Sorry, but my karma just ran over your dogma.

    5. Re:Patches don't solve the problem on new installs by essdodson · · Score: 2, Informative

      Yes, the rest of the world slipstreams service pack 2, installs without a network connection, enables XP firewall before hopping on the Internet, then downloads whatever other patches are available.

      --
      scott
  13. Security Update for Windows XP (KB666) by circletimessquare · · Score: 2, Funny

    A humor security issue has been identified that could allow a Slashbot to remotely compromise your sense of humor about Windows patches and bore you to death. You can help protect your sense of humor by installing this update from Microsoft. After you install this item, slashdot.org will resolve to 127.0.0.1 .

    How to Uninstall

    Read all comments rated as funny under a story about Windows Update on slashdot.org and your sense of humor will be successfully uninstalled.

    Help and support

    http://omgmstehsux0rs.slashdot.org/

    --
    intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
  14. Re:Sure glad I don't have to do this crap by ssj_195 · · Score: 3, Insightful
    What an appalling display of "toeing the slashdot party line", and putrid arrogance and condescension, as well. Whoever modded this transparent tripe up should be ashamed of themselves.

    The amount of "CPU time" "Windows users" spend patching holes is a few minutes every month. And get off your high horse, here: while Linux distros provide updates for a more comprehensive range of apps, it's also the case that you have to download far more (in terms of raw megabytes) far more often. I'm willing to bet right now that, timing from the release of FC3, FC3 has required more and bigger updates than Windows.

    I'll never forget the time, earlier this year in fact, when Mandrake provided a security "update" for the kernel (you may remember the much-publicized privilege escalation vulnerability around the end of last year). This "patch" consisted of the whole kernel source (maybe 40MBs of it) which you would have to manually compile and install (no nice binary rpm, here). With this one single update, Mandrake users have exceeded the "CPU time" required for a few months of Windows updates. And let's not forget the hefty kdelibs security updates, which basically amounts to downloading the whole of kdelibs again, since none of the distros seem to provide diff-style patching. The same with Firefox (8MB on Linux...?).

    Also, while we are free from worms and viruses here, note that there is nothing innate to Linux that precludes phishing and spoofing attacks.

    Maybe as an engineer who uses computers to actually accomplish something I just have a different point of view.
    Ugh.
  15. the problem isn't what it appears to be by cahiha · · Score: 3, Insightful

    If you look at Macintosh, BSD, and Linux distributions, they also have regular security updates, with many similar vulnerabilities.

    There are really two problems here, one true of all major OSes right now, and the other one true of proprietary systems.

    The first problem is the pervasive use of C and C++, which makes systems unnecessarily prone to buffer overflows and related problems. C and C++ programmers keep saying that they can handle it, but it is obvious that they can't.

    The second problem is that Microsoft and Apple only update their own applications; users are saddled with downloading updates for other software by hand. If all these bugs exist in IE, you can bet similar bugs exist in Photoshop, Office, and many other apps that aren't automatically updated.

  16. All aboard! by AtariAmarok · · Score: 5, Funny
    "MS Patch Train Leaves the Station"

    Otherwise known as the Bugwarts Express. To find the boarding platform, run your luggage cart full tilt into that blue screen.

    --
    Don't blame Durga. I voted for Centauri.
  17. Re:Sure glad I don't have to do this crap by ch-chuck · · Score: 2

    Currently getting FC4 to install, but, actually I mainly practice safe networking with a Linksys router/firewall at work and an OpenBSD gateway at home. The point is I like to use a computer for computing and getting work done. When I was a Windows admin several years ago it was a daily/weekly event for employees to come running in worried about the latest vuln. attack they heard on the news - I can completely do without all that static and distraction, it just seems to come with the "Windows culture", which came from their long standing practice of releasing not ready for prime-time software and then patching it later in the field, because it's legal to do so and they could get away with it.

    --
    try { do() || do_not(); } catch (JediException err) { yoda(err); }
  18. Re:Microsoft... again by Anonymous Coward · · Score: 2, Funny

    Also, when you have sex, you DON'T HAVE TO USE CONDOMS. I haven't used condoms of my box for almost a year now. I'm still running high and no aids-virus. Guess what, I have no problems, save for the occasional clash due to girlfriend being a bitch. The difference between my unprotected sex not getting aids/viruses is that I'm not a dumbass and try to have sex with everybody in Bars or whatever it's called. That, and I use a fidel girlfriend, which has NEVER cheated me.

  19. MS cant win by Anonymous Coward · · Score: 2, Insightful

    If MS does not patch you all say "MS wont patch their crappy stuff"

    if they do patch, you all say "Wow, it must suck really bad to have to patch it"

    As if Linux doesn't require constant patching either, hypocrites

  20. Re:Microsoft... again by MSTCrow5429 · · Score: 2, Insightful
    I'm still running SP1 and no anti-virus...

    ...my unpatched Windows not getting spyware/viruses...

    Without actually using AV software, you'd verify this how? Don't pretend that the tasklist command from the CLI (just a text version of the Task Manager) is going to save your ass. Most viri don't tend to show up in such a perfunctory fashion. I'd be willing to bet your box is in a lot worse shape than you think it is. Don't be like those guys who have sex with random people without protection because they have a false sense of immunity from what affects everyone else. Your Windows isn't special.

    --
    Slashdot: Playing Favorites Since 1997
  21. Re:Sure glad I don't have to do this crap by roystgnr · · Score: 2, Insightful

    I mainly practice safe networking with a Linksys router/firewall at work and an OpenBSD gateway at home.

    Does your firewall block outgoing HTTP connections and incoming email? If not, then it's not going to help against attacks like this PNG bug which are propagated through user-pulled data rather than attacker-pushed port connections. Such attacks exist for Linux, too. There is no such thing as "safe networking", and the only way to come close is to keep every connected computer up to date. I think Fedora still comes with up2date searching for updates in the background and displaying the results on a panel icon. Unless you use something else for security updates you ought to be clicking on that every time it finds something new.

  22. Need people be reminded? by suitepotato · · Score: 4, Interesting

    This is all partly as a result of the way the PC platform itself works, it's merely that Windows has got so much compound crap in its code that these things are bound to happen. As Linux distros continue to grow and mutate and people ignore the old idea of the smallest kernel possible, we're going to see more buffer overflow errors on Linux. If BSD had the same kind of usage rates as Linux, we'd see a similar trend there. Mac OSX is taking off, we're going to see evolutionary crap in its genetic structure as it were.

    Tearing Windows present design platform down to the smallest parts and scrubbing and rebuilding would probably put back the release of XP's successor to 2016. Let's hope some people are listening on the Linux and OSX sides and get it in their heads to keep their code lean and healthy and well tested.

    --
    If my grammar and spelling are off, I am [distracted/tired/careless] (take your pick)
  23. Possible problem with this update by trtmrt · · Score: 2, Informative

    I just installed the latest update for windows 2000 on my wife's computer and it hosed the installation. I assume it included these latest patches. Has anybody had a similar experience? I am getting a "SYSTEMced corrupt or missing" error which google tells me has to do with registry problems.

    1. Re:Possible problem with this update by neil.pearce · · Score: 2, Informative

      The "ced" part of the error message is chaff from some previously displayed text that has been overwritten.

      You will probably have to reduce the size of the system hive, using regedt32.

      Could Not Start Because the Following File Is Missing or Corrupt: \Winnt\System32\Config\Systemced

  24. Video Problems caused by the Critical Update by Anonymous Coward · · Score: 2, Informative

    I'm surprised no one has yet mentioned the problem one of these "critical updates" is causing on Dell Optiplex GX280 computers. I had two systems on my LAN mistakenly configured with "automatic updates" that had serious problems after one of these updates was installed. The user complained that they would turn on the computer and after about 10 seconds (before they could even finish logging on) their monitor would turn off. I first thought it was a monitor problem, but changing monitors didn't resolve the issue, so I called Dell Corporate/Gov't. Tech Support. Before I even got through the menus to a live body, there was a message on the line suggesting that if you were having video problems on Optiplex systems after installing the Critical Update, you should re-boot the system in VGA mode and change the default resolution to 800 X 600. Apparently, one of these updates re-sets default resolution to a range that cannot be supported with the built-in video hardware on the Optiplex.

    Once you re-boot in a low resolution, you can then re-set the default resolution to something more acceptable (say, 1024 X 768 or something similar) and you're golden, but I have seen nothing in the press about this bug (that took me well over an hour to puzzle out on both affected computers).

    My other systems are configured for SMS control, so patches aren't rolled out before testing, but these were set up to Auto Update (which Microsoft recommends for everyone, despite problems such as this). Otherwise, this could have been a major headache yesterday.

  25. Re:Microsoft... again by freeweed · · Score: 2, Insightful

    Well, seeing as there's no 100% foolproof method of determining this anyway (your AV could be out of date, or just behind like some vendors seem to be, or you could have a new virus no one else has seen yet)...

    It's pretty easy to not get a virus in Windows. How? Well, there are 3 basic ways you get infected:

    1. Listening network ports with compromisable services. Solution: install a NAT'ing router with firewall. Paranoid solution: install ZoneAlarm or one of the dozen other competing offerings as well. Have fun remotely exploiting my machine when you can't connect to it.

    2. Opening infected executables. Solution: only install software from trusted sources. Paranoid solution: only use what the standard install comes with. Believe it or not, not everyone installs 50 pieces of extraneous software. On my last remaining Windows box, I think Winamp and a Citrix client for work is about it. These installers have long since been checked for viruses and are installed from known, good, read-only media. Good luck infecting me there.

    3. IE, Outlook, or other network-aware application exploits. Solution: turn off ActiveX, JavaScript. Paranoid solution: don't use these apps at all. Find small, niche apps that have never been exploited - yes, these do exist.

    This growing attitude of "if you don't run AV software, you're probably infected" is disturbing. Viruses and worms don't just magically appear out of nowhere, they come in through known, predictable routes. Close those routes, and you prevent infection. Well, until virus writers become so sophisticated that they can fake out a TCP/IP stack entirely - in which case they can probably fool your AV software as well.

    --
    Endless arguments over trivial contradictions in books written by ignorant savages to explain thunder in the dark.
  26. IE PNG Support by gnurob · · Score: 2, Informative

    ...exists due to the way the browser does not handle PNG files. The web would be a beautiful place if content creators could depend on complete PNG support. This problem has been around for over 8 years! IE blows.

  27. Dell support - MS Critical Update video issue by markdowling · · Score: 2, Informative
  28. Re:Sure glad I don't have to do this crap by Anonymous Coward · · Score: 2, Funny

    Whoever modded this transparent tripe up should be ashamed of themselves.

    Obviously not using IE though, it doesn't support transparent tripe.

  29. Virus Down, Malware Up by EXTomar · · Score: 2, Interesting

    I don't see C/C++ as being the problem. It is more that the security hurdles in Windows make it impossible to run efficiently in anything but a privileged account. This allows malware of all sorts to take advantage of vectors not found on other Operating Systems. Opening an email could infect your system if done in a privileged account. Reading a web page could infect your system if done in a privileged account. Browsing the local network resources can infect your system... So on and so on.

    You'd have to be a zealot fanboy to recognize that any Operating System is a complex software system. Complex software systems are prone to bugs and as pointed out every one of them receives regular updates to patch problems. The problem with Windows is not the bugs but the way they handle them which makes the entire process of correcting flaws painful. Today I've been chasing people to reboot their systems after installing the patches (thankfully I can force the patch install remotely) because I know 90% of them won't reboot their machines. I tried once before to reboot in the early mornings but I got an earful from multiple people who didn't save and left things open.

    Windows is not only hard to patch in the enterprise, it's hard enough to work with that people won't close applications! Talk about a double whammy.

  30. Re:Wow. You'd think they'd get all these by jayloden · · Score: 2, Insightful

    I was thinking at first that I agree with you, but then, how many holes have been found in sendmail since its inception? You'd think with armies of open source programmers and decades of time, they'd get this thing nailed down. Evidently not that easy, or maybe the fundamental design is just flawed and the only real solution is a ground-up recode (enter postfix or exim or qmail type stuff?)

    I don't presume to know it all, and I'm not pointing any fingers, it just seems to me like Microsoft is a victim of its own legacy code and bad design. They designed Windows as a single user, trusted system and then tacked on multi-user ability and unsurprisingly, have had problem after problem with untrusted code and exploits, etc. In much the same way, Linux and Unix apps even as old as sendmail can be a victim of a bad design decision (setuid binaries, too many weak points in the chain, etc)

    I'm not exactly defending Microsoft, but it's not a problem unique to them, either.

    -Jay

  31. The disturbing trend by Gary W. Longsine · · Score: 2, Insightful

    "This growing attitude of "if you don't run AV software, you're probably infected" is disturbing. Viruses and worms don't just magically appear out of nowhere, they come in through known, predictable routes. Close those routes, and you prevent infection."

    You're right, as far as you go.

    The problem is that it's pretty hard to defend against those things. Home users don't know how. Corporate network administrators have hundreds of interlocking "business requirements" that prevent them from shutting the door to "critical services" like SMB file sharing between PC systems.

    Worms get into corporate networks through a variety of means, borrowing techniques from viruses and mass emailer viruses, as well as adware and spyware. Some of those holes are impossible to block on a typical corporate network. Take the Internet Explorer holes in corporations that have spent the last several years deploying "internet based applications" that only function correctly with Internet Explorer, for example. Can't block 'em. Might take months to patch 'em if you have tens of thousands of PC systems.

    Once a worm gets into a network by exploiting a single system through a mundane virus or adware-only hole like this, it's likely to find a wormable exploit on many other systems. Once a worm is inside, the soft candy center of the corporate network is difficult to defend from a worm with conventional techniques, which are typically perimeter defense in nature.

    Even worse, some of my clients have reported that they have, out of tens of thousands of users, at least several who seem to get their PC infected over and over and over. They suspect that this is a "coffee break effect". The users learned that if they double-click on the occasional malicious attachment that leaks through the antivirus email filter at the gateway, and the one on their PC, they get the afternoon off because their PC is taken offline by the network admin staff.

    So AntiVirus really is part of the layered defense required for "closing those routes" in the modern age for most companies and home users.

    By the way, the observed incidents supporting the "coffee break effect" are the worms and viruses that successfully exploit the patch gap or the definition gap. Most of the time that users double-click to unzip, type in the password and then double-click to execute a malicious attachment, they are thwarted by the AntiVirus system.
    --
    If you mod me down, I shall become more powerful than you could possibly imagine.