Slashdot Mirror

← Back to Stories (view on slashdot.org)

MS Patch Train Leaves the Station

Posted by CmdrTaco on from the a-whole-lotta-security-going-on dept.

per1176 writes "Microsoft has released 10 advisories to cover a dozen security vulnerabilities, including a "critical" cumulative update for the Internet Explorer browser. The IE fix corrects a remote code-execution vulnerability that exists due to the way the browser handles PNG (Portable Network Graphics) files."

28 of 361 comments (clear)

  1. Large size crash by Anonymous Coward · · Score: 5, Interesting

    Does this fix the crash with large streched images?
    ie width=9999999 height=999999 in an

  2. IE PNGs by Enigma_Man · · Score: 4, Insightful

    That's hilarious, because IE barely supports PNGs at all, but they apparently are vulnerable to them nonetheless. If you don't know of the png problem, they just don't display the colors right and/or won't do transparencies right at all.

    -Jesse

    --
    Nothing says "unprofessional job" like wrinkles in your duct tape.
    1. Re:IE PNGs by swilde23 · · Score: 5, Informative
      That's mostly true... but you can mangle your way around it...

      http://blogs.msdn.com/dmassy/archive/2004/08/05/20 9428.aspx

      Believe me, I would rather just use a different browser (one has security holes of its own. As much as the creators of firefox would like to believe they have the perfect browser, any major piece of software is going to have bugs.

      The smart developers call these bugs... features :)

      The truth is though, most people don't know about anything other then ie. Why else would it show up with more then 80% of the hits on the websites we run. People don't like change. They like ie because it works out of the box with Windows. No extra installing, no "scary" configurations, no extra work on their part. If you want to convince people not to use ie, don't post messages on /. discussing the various security holes involved with png images. Go out and convince MS to stop packaging it with their os. Make people have to do a little work to get on the internet. Maybe then they'll start to think a little about what they are doing.

      --
      There are 10 types of people in the world. Those that understand this sig, and those that beat up people who do.
    2. Re:IE PNGs by theborg1of4 · · Score: 5, Informative

      I'm not sure if I understand your use of the word "barely". IE supports PNG as per the W3C recommendation, including binary transparency. IE doesn't support optional alpha channel transparency:

      http://www.w3.org/Graphics/PNG/

      From the first paragraph:

      "Indexed-color, grayscale, and truecolor images are supported, plus an optional alpha channel for transparency."

      While it would be nice if they supported the optional features, it's actually the developers who continue to use alpha channel transparency PNG that are deviating from the W3C recommendation.

    3. Re:IE PNGs by Anonymous Coward · · Score: 5, Insightful

      The alpha channel is optinal in the PNG file format, _not_ in the PNG recommendation itself. The browser still has to be able to handle PNGs with alpha channels to be fully compliant with PNG pictures, even though users might choose not to supply an alpha channel with their picture.

  3. Forgive my ignorance by J+Barnes · · Score: 4, Funny

    but is there an obvious point where software become more patch then content?

    Lately I envision all Microsoft products as lumbering stay-puff marshmallow men, ambulating labored steps inside a comical suit of band-aids.

    --
    :::: the insomniac's digest
    1. Re:Forgive my ignorance by Tarcastil · · Score: 4, Insightful

      You do realize the Linux kernel is heavily dependent upon patches.

    2. Re:Forgive my ignorance by mph · · Score: 3, Funny
      but is there an obvious point where software become more patch then content?
      Maybe when you change the name of the software to indicate that's the case?
  4. M$ still pwnz Linuts by Anonymous Coward · · Score: 3, Funny

    Why not just release a patch that uninstalls IE?

  5. Reminds me of the JPG buffer overflow by Nos. · · Score: 5, Insightful

    After the jpg incident, wouldn't you tend to look at the code handling other image formats for similar problems? Guess not.

    1. Re:Reminds me of the JPG buffer overflow by Cally · · Score: 4, Informative
      Dude, if they hadn't checked, how else would they have realized there was a vulnerability for PNG and then developed a fix for it?

      As a matter of fact, these and other forthcoming issues with various OSes graphic parsing and rendering libraries result from a sustained attempt to break them with fuzzing techniques by researchers at the Finish University of Uola (or Oula. I forget). This is the same group that ripped apart many vendors' implementations of SNMP a few years ago, and ASN.1 a year or two after that. Big thanks to them for proactive efforts to improve security...

      --
      "None are more hopelessly enslaved than those who falsely believe they are free." -- Goethe
    2. Re:Reminds me of the JPG buffer overflow by Anonymous Coward · · Score: 5, Informative

      ...the Finish University of Uola...

      You probably meant the Finnish university of Oulu.

    3. Re:Reminds me of the JPG buffer overflow by Michalson · · Score: 3, Insightful

      After the jpg incident, wouldn't you tend to look at the code handling other image formats for similar problems? Guess not. Would you apply the same logic/I'm cool because I bash Microsoft stupidity to Mozilla/Firefox?

      For example in 2002 an arbitrary code execution vulerability was found in Mozilla's PNG code (155222). That obviously set off people searching for other image vulnerabilities, which resulted in them finding Mozilla's GIF decoder was also a flawed, allowing for arbitrary code execution (157989). By your logic once that initial alarm goes out the code should be checked and all bugs will be found; if bugs are still present in that module (or in Microsoft's case, in a completely seperate but similar one) then it represents a huge failure by the organization. Now since open source projects have tens of thousands of eyes to check source code once a flaw has been found, I'd assume it applies equally to Mozilla. Lets test that theory.

      Fast forward to 2004, and the PNG library still has arbitrary code vulnerabilities (251381). Given that people knew as earlier as 2002 that there had been PNG vulnerabilities, WHY did they not find this one until 2 years later.

      Fast forward to 2005, and this time it's the GIF code. Now we already knew the GIF library had problems 3 years ago, yet somehow an arbitrary code execution flaw, which existed from the very beginning of the Mozilla project (1998), is found (mfsa2005-30). This dangerous exploit has been sitting in open source code for 7 years. 3 years ago attention was brought to that very module for the very same kind of exploit. And yet it wasn't found until just a few months ago. By the logic of Nos, the Mozilla Foundation, and everyone who has checked the code, are morons. Or perhaps Nos has some doublethink to get himself out of the Microsoft bashing to make himself cool hole he dug himself.

  6. New Microsoft Security Update by PyWiz · · Score: 3, Funny

    Microsoft has released a free security update to Windows users today: Service Pack Linux. Service Pack Linux includes a fix for all IE vulnerabilities, as well as flaws in Outlook and Office. IIS users will be happy to know that Service Pack Linux will fix many problems with Microsoft's premier web server package as well. Service Pack Linux is considered the most comprehensive security fix in Windows history. Users should get it now at http://distrowatch.org/

    --
    -py
  7. Before you gloat too much by callipygian-showsyst · · Score: 4, Informative
    ...Slashdot seemed to have missed this doozy from less than a month ago.

    http://www.us-cert.gov/cas/techalerts/TA05-136A.ht ml

    --
    Best Buy can have you arrested
  8. Re:PNG??? by LO0G · · Score: 3, Insightful

    The same way that a remote execution overflow was in libXPM.

    Google integer overflow vulnerability for more information.

  9. The NSA by Anonymous Coward · · Score: 4, Funny

    Never needed MSFT to put in a "backdoor" for them, specifically. Christ, they just needed the source-code so they could use all the ones there were already there.

  10. Venture to guess? by AyeRoxor! · · Score: 3, Insightful

    exists due to the way the browser handles PNG (Portable Network Graphics) files."

    Hmm... Buffer overflow maybe?

    Buffer overflow is an amateur mistake. Check your god damn code.

    /frustrated by lazy programmers

    1. Re:Venture to guess? by Joe+Decker · · Score: 5, Funny
      Check your god damn code

      Using an interjection when you mean a adjectival phrase is an amateur mistake. Check your God-damned grammar.

      --
      I'm a nature photographer.
    2. Re:Venture to guess? by Knightfall · · Score: 3, Funny

      Funniest.

      Grammar-Nazi Post.

      EVER.

      --


      Knightfall
  11. Re:Sure glad I don't have to do this crap by ssj_195 · · Score: 3, Insightful
    What an appalling display of "toeing the slashdot party line", and putrid arrogance and condescension, as well. Whoever modded this transparent tripe up should be ashamed of themselves.

    The amount of "CPU time" "Windows users" spend patching holes is a few minutes every month. And get off your high horse, here: while Linux distros provide updates for a more comprehensive range of apps, it's also the case they you have to download far more (in terms of raw megabytes) far more often. I'm willing to bet right now that, timing from the release of FC3, FC3 has required more and bigger updates than Windows.

    I'll never forget the time, earlier this year in fact, when Mandrake provided a security "update" for the kernel (you may remember the much-publicized priviledge escalation vulnerability around the end of last year). This "patch" consisted of the whole kernel source (maybe 40MBs of it) which you would have to manually compile and install (no nice binary rpm, here). With this one single update, Mandrake users have exceeded the "CPU time" required for a few months of Windows updates. And let's not forget the hefty kdelibs security updates, which basically amounts to downloading the whole of kdelibs again, since none of the distros seem to provide diff-style patching. The same with Firefox (8MB on Linux...?).

    Also, while we are free from worms and viruses here, note that there is nothing innate to Linux that precludes phishing and spoofing attacks.

    Maybe as an engineer who uses computers to actually accomplish something I just have a different point of view.
    Ugh.
  12. Re:To bad by HiredMan · · Score: 4, Insightful

    Yeah he's an idiot. How dare he criticize a program that's buggy. It's frozen from development and it's replacement will ship in 2 years or so, Stupid. So what if they never, ever fixed the PNG display pipeline since IE 6 shipped. Why should graphics display correctly - it's not like the web is a graphics medium, right?

    Vendors should never, ever roll back changes into older versions of their software they force you to use. Tabbed browsing, correct graphics display, CSS support will all be available someday so shut yer piehole! All you'll have to do is upgrade your entire system to get these features. And it's not like anyone else has managed to get that stuff working on the same platform, right? Right? Well, maybe some one has but they must have more programming resources than MS, no doubt...

    =tkk

    --
    Bill Gates - Creationist?!?
  13. the problem isn't what it appears to be by cahiha · · Score: 3, Insightful

    If you look at Macintosh, BSD, and Linux distributions, they also have regular security updates, with many similar vulnerabilities.

    There are really two problems here, one true of all major OSes right now, and the other one true of proprietary systems.

    The first problem is the pervasive use of C and C++, which makes systems unnecessarily prone to buffer overflows and related problems. C and C++ programmers keep saying that they can handle it, but it is obvious that they can't.

    The second problem is that Microsoft and Apple only update their own applications; users are saddled with downloading updates for other software by hand. If all these bugs exist in IE, you can be similar bugs exist in Photoshop, Office, and many other apps that aren't automatically updated.

  14. All aboard! by AtariAmarok · · Score: 5, Funny
    "MS Patch Train Leaves the Station"

    Otherwise known as the Bugwarts Express. To find the boarding platform, run your luggage cart full tilt into that blue screen.

    --
    Don't blame Durga. I voted for Centauri.
  15. Re:Patches don't solve the problem on new installs by wiggys · · Score: 4, Insightful

    Yes.

    1) Switch on the built-in firewall before you connect to the internet. It's very basic but it does the job, I've been running an unpatched XP system with nothing more than the built-in firewall for months now with no problems.

    2) Buy a router. £25/$40 buys you a piece of hardware which acts like a firewall and blocks all incoming ports, other than ones you solicit, natch.

    3) Slipstream SP2 into your XP install. Personally I'm staying away from SP2 but use it if you must.

    4) Put a copy of Zone Alarm on your "XP Install Disc 2", along with the the many useful bits of freeware available at www.grc.com

    5) Download, burn and learn how to use Knoppix.

    6) ????

    7) Profit!

    --

    Sorry, but my karma just ran over your dogma.

  16. Re:Patches don't solve the problem on new installs by SomeGuyFromCA · · Score: 3, Funny

    > 2) Buy a router. £25/$40 buys you a piece of hardware which acts like a firewall and blocks all incoming ports, other than ones you solicit, natch.

    and remember to turn off upnp. otherwise, the following happens:

    <spiritual descendant of back orifice> hey router, this is a upnp request: forward 31337 to this computer, please!
    <router> will do, and you have a good day!
    <sdobo> oh, i will...

    --
    if the answer isn't violence, neither is your silence / freedom of expression doesn't make it alright
  17. Need people be reminded? by suitepotato · · Score: 4, Interesting

    This is all partly as a result of the way the PC platform itself works, it's merely that Windows has got so much compound crap in its code that these things are bound to happen. As Linux distros continue to grow and mutate and people ignore the old idea of the smallest kernel possible, we're going to see more buffer overflow errors on Linux. If BSD had the same kind of useage rates as Linux, we'd see a similar trend there. Mac OSX is taking off, we're going to see evolutionary crap in its genetic structure as it were.

    Tearing Windows present design platform down to the smallest parts and scrubbing and rebuilding would probably put back the release of XP's successor to 2016. Let's hope some people are listening on the Linux and OSX sides and get it in their heads to keep their code lean and healthy and well tested.

    --
    If my grammar and spelling are off, I am [distracted/tired/careless] (take your pick)
  18. Re:Patches don't solve the problem on new installs by Dynamoo · · Score: 3, Informative
    Yup: Windows XP: Surviving the First Day from the SANS institute covers this problem.

    The key thing, as others have said, is to enable the software firewall and make sure that file and print sharing is disabled. A second CD with SP2 and a decent firewall like ZoneAlarm is usually enough too.

    --
    Never email donotemail@WeAreSpammers.com