Flurry of Security Patches

yggy writes "It's been a hectic day on the security patching front. Microsoft's bulletins for July include patches for three critical vulnerabilities on the same day that Mozilla releases new security updates for Firefox and Thunderbird. Not to be left behind, Apple fixed two Tiger flaws while Oracle issued a critical database server update." (See these separate stories on today's release of Firefox 1.0.5 and the 10.4.2 update from Apple, too.)

Open source

[sanmarcos]

Has proven to be excellent in releasing security updates. For those who criticize it, heres proof.

Re:Open source

[Tanmi-Daiow]

apple is hardly 'open source'.

Re:Open source

Perhaps you should read the page you linked to. They've been patched for a while already. Look under "Immune Systems:"...

Re:Open source

[pintomp3]

when microsoft releases security updates, it's cuz the software is crap. when others do it, it's cuz the software rocks. no double standards here. maybe it's like when girls get naked. if she's good looking, makes it better. if your she's bad looking, much worse. microsoft may be bloated, but needs love just like everyone else.

Re:Open source

[fimbulvetr]

Thank you.

Let the "osx==freebsd" posts begin!

Re:Open source

[Rosco+P.+Coltrane]

It's called doublethink. That's because Microsoft is Big Brother you see...

Re:Open source

Uhm, no. It's actually called double standards. However, you can link to Wikipedia as much as you like trying to prove that wrong, but in the end, you're just going to look like a clown.

Re:Open source

[techno-vampire]

Microsoft releases security updates on a regular schedule, rather than as soon as they're created. For all we know, these new patches may have been sitting on the servers at Redmond for over a month before being announced. Not so with Open Source. When a patch is needed, it's developed, tested and released. No waiting for the next scheduled patch release like Microsoft does.

Re:Open source

[NoGuffCheck]

I dont like defending M$, but at least they have "updates" rather than creating a whole new version like Firefox 1.05. Its about time this was fixed, dont you think?

Re:Open source

[pintomp3]

the release schedule was something they moved to because of demand. they were releasing them frequently and randomly. now IT admins can plan for the patches. i believe they still release outside of the schedule if it's something that can't wait. so bash them for releasing them right away, or bash them for responding to demand and using a schedule. damned by /. if u do, damned by /. if u don't. well, at least if your m$. didn't oracle move to something like this too?

Re:Open source

[StonedRat]

I believe this will be the case from firefox 1.1

Re:Open source

[MadMidnightBomber]

I'd just like to point out that the Firefox patch is evidence that the Open Source process quickly clears up vulnerabilities.

The Microsoft patches however, are evidence that the closed source business model produces insecure software.

Just wanted to clear that up.

Re:Open source

[greenhybrid]

Barely matters on Mac OS X :) You really just replace one directory (that looks like a single file for all practical purposes) and that's it. Gotta love the switch!

Re:Open source

[ars+matica]

you didnt clear up anything except the fact that you are blinded by your prejudices. insecure software is insecure software, regardless of the business model. this slashdot story is proof.

Re:Open source

[bigman2003]

Most of the exploits are written AFTER the patches come out. Most exploit writers just look at the patch, see what it fixes, and then figure out the vulnerability. So the patches don't really need to be released immediately. (This is the practical reality, of course there are others who find this plan to be horrible, but it works for me.)

I really like this once a month patch cycle. I get an idea that maybe they plan the patches a little better, and test them more.

Maybe EA should have done that with Battlefield 2, instead of trying to rush a patch out.

Re:Open source

[gordgekko]

I'll believe it when my open source web browser tells me I have security updates. I just used Firefox's check for updates feature and tells me there are none.

Re:Open source

[man_of_mr_e]

You think so? Check out the patch list for FF 1.05

http://www.mozilla.org/projects/security/known-vul nerabilities.html#Firefox

12 vulnerabilities in this patch, the oldest was created in APRIL! And it's marked as high severity.

The newest we don't know, because Mozilla is keeping it hidden until July 20th, but if you take the Bugzilla report number, and add one to it you can get the bug that was created directly after it, and that was created in MAY!

So yes, Mozilla DOES sit on critical bugs for months.

Re:Open source

[man_of_mr_e]

Out of curisity, what do you consider "quickly"?

http://www.mozilla.org/projects/security/known-vul nerabilities.html#Firefox

Let's look at the most recent vulnerability there, MFSA-2005-56. Unfortunately, the details are being hidden until July 20th. However, we can see the Bugzilla report numbers. The first, 294795, won't let me view it. But if we view 294796, the bug created right after we see it was created on May 19th. Nearly 2 months ago.

Is 2 months "quickly"?

You seem to be blindly making assumptions without bothering to check the facts.

This is NOT evidence that Open Source fixes bugs quickly. If anything, it proves that just like Closed source, they can keep the bugs quiet and sit on them as long as they like.

Re:Open source

[koreaman]

/me throws a copy of 1984 at the AC

Re:Open source

[aussie_a]

/me throws a copy of 1984 at the AC

Hello. 1948 called. It wants it's book back.

Re:Open source

[koreaman]

WTF does the openness of the code have to do with when patches are released?

Re:Open source

[dicepackage]

O yeah, I have a link that will prove you wrong.

Re:Open source

[techno-vampire]

WTF does the openness of the code have to do with when patches are released?

I never said there had to be a relationship. However, most open source developers tend to release important patches as soon as they're tested, to keep their project safe.

Re:Open source

[InsideTheAsylum]

I think it's more of giving a grace period to allow people to update -- in fact, I'm still using 1.0.2.. Ouch.

Re:Open source

[Charles+W+Griswold]

So yes, Mozilla DOES sit on critical bugs for months.

Good grief, you're kidding? What a bunch of lazy bastards. When they get a bug report, they should verify it, find the code responsible, fix the code, verify the fix, keep tweaking the code until it passes all of the tests, rebuild the entire code base, and release the fixed version of Mozilla THE DAY AFTER THEY GET THE BUG REPORT!!!

</sarcasm>

In case you hadn't guessed, these things take a bit of time.

Re:Open source

[koreaman]

Why wouldn't closed-source developers want to do the same thing?

Re:Open source

To Apple, "open source" is a one-way street. They can take other people's work, but beyond that is where they draw the line.

Of course some moronic organization can claim to be able to "certify" any bone-headed corporate license as "open source." This is why I prefer the term "free." Not because I'm a huge Stallman fanatic, but because the OSI people are just a bunch of stupid sell-outs.

Re:Open source

The grammar Nazis called. They want that apostrophe back.

http://www.stormloader.com/garyes/its.html

Re:Open source

OSS needs love. MS needs money, not love.
MS is a bitch, you pay them, and you have the right to pretend something.

Re:Open source

[I+confirm+I'm+not+a]

I'll believe it when my open source web browser tells me I have security updates. I just used Firefox's check for updates feature and tells me there are none.

Aye, I just got that as well. I'm thinking in my case it's my locale: en-gb - there isn't a "British English" version yet. Could it be a locale issue with you, too?

(For the curious, I'm holding off on the upgrade, partly because I want to support localisation efforts, and partly because I'm a big feartie ;-)

Re:Open source

[MullerMn]

What's the air conditioner ever done to you?

Re:Open source

2 months? Generally accepted practice for responsive fixes to coordinated secret ("responsible", as MS and others style it) disclosure varies from 1-60 days, so 2 months could be "quickly" by some definitions.

The Mozilla team do need a more responsive security framework. It's a big project and it's a lot to handle. But they are trying; and, I might add, on a small budget, on an often volunteer or ex-developer-basis. Opera have their fair share of vulns, particularly after the damn-near rewrite of Presto (v7), but they respond and fix very quickly and I have to congratulate them on that.

MS, on the other hand... Firefox's 2 months is better than IE's 2 years!

Have a look at eEye's upcoming some time, and talk to Mark about this. MS are emphatically NOT trying, unless it threatens to become a PR issue for them.

Windows Update v6 and Microsoft Update actually fail to flag open vulnerabilities on some computers - a very serious regression, but it was pushed out the door anyway.

MS don't care at all about local exploits unless they're actively exploited and showcased by big names in the VX scene either before or after public disclosure (#VDM).

Currently, the oldest security-related bug that MS knows about remains unfixed after 4 years. It's a remotely-exploitable integer overflow in mshtml's parsing, and a similar bug is in shdocvw as well, and that's all I'll reveal publically in the hope that one of these days those idiots actually decide to take notice. If it hits 5 years and it's still unfixed, F-D and Bugtraq will hear about it.

They don't even reply to email except with form letters. They don't keep the researcher in the loop about what's going on. It sometimes takes phone calls, and digging out personal email addresses of team members, to get something done.

MS have a *long* rep of simply burying or ignoring security vulnerabilities if they think they can get away with it. They started to care when it became a PR issue, but that's why they have been paying lip service to it, not actually because they care about timely fixes. It's ridiculous to expect MS to take longer than 7 days to turnaround a fix to any security vulnerability. They have the resources, and if they really treated these things seriously, the patchsets would be once a week, and they would be willing to divert attention from all teams to pitch in with testing of particularly intractable patches. It really should be a company priority for them, and it's disappointingly not.

But hey, I'm just a security researcher, not a businessman - what would I know?

Re:Open source

So you're saying Microsoft is a fat chick?

Re:Open source

> Has proven to be excellent in releasing security updates. For those who criticize it, heres proof.

Really? So where is the corresponding update to Mozilla?

Re:Open source

[techno-vampire]

Why wouldn't closed-source developers want to do the same thing?

That's a good question. Some do, some don't. However, most of the people we hear about doing it are Open Source. Maybe that's because there are more people out there with the code helping to get the patches written.

Re:Open source

[gordgekko]

No I use the U.S. English version. And since I originally posted here, I have yet to see the "Updates Available" pop-up. Very impressive.

Meanwhile, Windows XP was patched not long after the patches were released.

Re:Open source

[typical]

Is 2 months "quickly"?

For testing a patch to an extremely widely-used consumer app? Sure, that's not an unreasonable amount of time.

Frankly, if for every security vulnerability reported to Microsoft, there was a prompt response followed by a well-tested patch in eight weeks (and we'll be generous and use the oldest bug, as you did), most of us would be *estatic*.

We'd all like more speed, but if a given hole is not actively being exploited or only being exploited on a small scale, releasing a bad patch can cause more damage than it's worth. If this was...well, I guess there aren't really any worms that target Firefox, but if there were, a sort of Code Red for Firefox, where a massive outbreak is spreading, I'd predict that it's a pretty safe statement to say that the Firefox team wouldn't hold onto the patch to bundle into the next bugfix release -- there'd be a patch out as soon as they could finish it.

Tomorrow

[mfloy]

So today we have a bunch of new patches, which means tomorrow we will have all the exploits being developed and released. The major problem with patches is they often are not installed by end users, and that is the bread and butter of zombie botnets.

Re:Tomorrow

[Parham]

Luckily Windows has tried to stop this from happening as much as possible by downloading the patches in the background, and then asking you to install, and bugging you to install until you do. What I'm actually waiting for is, seeing what NEW security problems these new security fixes make. This recent article in the games section comes to mind amongst other things.

Re:Tomorrow

Would you preffer to let your users hide in an alley, bent over w/ their pants down and yet have no idea they're being screwed?

Re:Tomorrow

[fimbulvetr]

There were probably exploits for most of these well before the patches were written.

Re:Tomorrow

[mfloy]

What i've always worried about is a well planned attack that sends fake patches that actually cause more security nightmares or currupt the OS.

Re:Tomorrow

[JoeMerchant]

Microsoft's point exactly - please turn on automatic updates so your computer doesn't become somebody else's zombie...

Re:Tomorrow

[Charles+W+Griswold]

Wow. That brought an interesting mental image to mind. :-.

I was going to say "I don't know. Are the users good looking?" but (in the name of good taste) decided not to.

Re:Tomorrow

[Tim+C]

More than that, Windows gently reminds you at appropriate times that you really ought to have patches download and install themselves automatically. ("At appropriate times" means on the Windows Update site, and in the Security Centre)

Now, you may argue that that's a bad idea, you should always know what's being installed on your machine and what it might break, etc, and I'd agree. The flip side of that though is that anything that increases the likelihood of home users installing security updates has got to be a Good Thing.

[It's been 4 minutes since you last successfully posted a comment

Editors, can we *please* get this fixed?]

Re:Tomorrow

[Ugly+American]

According to this, people are already exploiting the JView profiler bug and have been playing around with ways to exploit the color management module bug.

Re:Tomorrow

Yeah, it bugs you to install the updates, but as a tech at my university, I saw at least 50% of people (students/staff/faculty) that ignored the pestering of the automatic update service and had a couple dozen security updates not installed if I clicked on the "install updates" tag.

Re:Tomorrow

[rocca]

Now, you may argue that that's a bad idea, you should always know what's being installed on your machine and what it might break, etc, and I'd agree.

I used to agree, but computers have become an appliance for most people. My mother needs to understand OS updates about as much as learning how the circuit boards in her freezer work.

What we need is for people to start using underpriviledged accounts on their OS's for their day-to-day activities. Maybe root and administrator accounts should prompt a series of skill-testing questions before allowing access. :-)

And don't forget...

[Afecks]

...the zlib bug

Re:And don't forget...

[slummy]

Seems kind of fishy to me that Microsoft released a "Color Module" security update right after the zlib vulnerability is released. Hey, at least they're not THAT obvious about "borrowing code".

This is a new one...

You managed to dupe two stories at the same time!

Re:This is a new one...

[Foolomon]

Slashdot is affected by the newly released Win32.DupBot trojan that was installed through a backdoor created by Ken Thompson.

KRB5 vulnerability too

[ikewillis]

http://www.frsirt.com/english/advisories/2005/1066

FrSIRT Advisory : FrSIRT/ADV-2005-1066
CVE Reference : CAN-2005-1174 - CAN-2005-1175 - CAN-2005-1689
Rated as : Critical
Remotely Exploitable : Yes
Locally Exploitable : Yes
Release Date : 2005-07-12

* Technical Description *

Multiple vulnerabilities were identified in MIT Kerberos, which could be exploited by remote attackers to execute arbitrary commands or cause a denial of service.

The first issue occurs in the MIT krb5 Key Distribution Center (KDC) implementation when processing specially crafted TCP/UDP requests, which could be exploited by an unauthenticated attacker to cause a denial of service or execute arbitrary code on the KDC host.

The second vulnerability is due to a double-free error in the "krb5_recvauth()" function, which could be exploited by an unauthenticated remote attacker to execute arbitrary code in the context of a program calling the vulnerable function (this includes the kpropd program which typically runs on slave Key Distribution Center hosts).

* Affected Products *

MIT Kerberos 5 version 1.4.1 (krb5-1.4.1) and prior

* Solution *

Upgrade to krb5-1.4.2 release :
http://web.mit.edu/kerberos/dist/index.html

Or apply patches :
http://web.mit.edu/kerberos/advisories/2005-002-pa tch_1.4.1.txt
http://web.mit.edu/kerberos/advisories/2005-003-pa tch_1.4.1.txt

* References *

http://www.frsirt.com/english/advisories/2005/1066
http://web.mit.edu/kerberos/advisories/MITKRB5-SA- 2005-002-kdc.txt
http://web.mit.edu/kerberos/advisories/MITKRB5-SA- 2005-003-recvauth.txt

* Credits *

Vulnerabilities reported by Daniel Wachdorf and Magnus Hagander

Non-security fixes in Firefox 1.0.5

[Adam9]

Here's some good info that colfer from this MozillaZine thread dug up:

1.0.5 is mainly a security fix, but I have seen a bunch of non-security fixes creep in also, such as removing the default checkbox "yes" for "make firefox my home page." This looks like a big cleanup for the 1.0.x branch, before 1.1 takes over.

I don't know about the security fixes, besides the medium-risk frame/window spoofing thing (with 1.0.4, you should not open untrusted sites at the same time as sensitive sites...). Here are the non-security fixes (non-security as it seems to me) checked in since 1.0.4:

https://bugzilla.mozilla.org/show_bug.cgi?id=28373 0
"Save As" dialog tries to overwrite link/shortcut (.lnk) file instead of opening the directory/folder

https://bugzilla.mozilla.org/show_bug.cgi?id=29521 0
Tab title different from window title on initial load at gmail

https://bugzilla.mozilla.org/show_bug.cgi?id=28377 7
Right arrow key after selecting autocomplete result no longer uses selected item

https://bugzilla.mozilla.org/show_bug.cgi?id=29123 2
update installer packages should offer unchecked check box for setting start page

https://bugzilla.mozilla.org/show_bug.cgi?id=29106 4
Helper app dialog incomplete for non-nsStandardURL types

https://bugzilla.mozilla.org/show_bug.cgi?id=26553 6
(64-bit only issue)

https://bugzilla.mozilla.org/show_bug.cgi?id=24563 1
Crash loading (particular) .ico file

https://bugzilla.mozilla.org/show_bug.cgi?id=14181 8
Table with large rowspans and colspans hangs the browser

https://bugzilla.mozilla.org/show_bug.cgi?id=28800 6
Drag image across browser windows --> crash

https://bugzilla.mozilla.org/show_bug.cgi?id=29505 2
Obscure Javascript crash

https://bugzilla.mozilla.org/show_bug.cgi?id=29627 0
Default user agent problem (AIX platform only)

https://bugzilla.mozilla.org/show_bug.cgi?id=28081 3
Crash on OS/2 platform

https://bugzilla.mozilla.org/show_bug.cgi?id=29377 8
bookmarks toolbar missing in 2nd opened window, links in second window possibly cause crash

Re:Non-security fixes in Firefox 1.0.5

[CyricZ]

Links to the Mozilla Project's Bugzilla installation from Slashdot are disabled, you know.

Re:Non-security fixes in Firefox 1.0.5

[Adam9]

Slashdot linkified them for me; I just copy and pasted the info.

Re:Non-security fixes in Firefox 1.0.5

[CyricZ]

Well, then. You are innocent of all charges.

Re:Non-security fixes in Firefox 1.0.5

[Jeff+DeMaagd]

One issue that bugged me is that Firefox for OS X hasn't supported the feature where middle clicking a link opens that link in a new tab. It is still not fixed in 1.0.5, whereas it has been in the nightly builds since February. The nightlies have done OK, but has had some occasional issues.

Re:Non-security fixes in Firefox 1.0.5

[mab]

Right Click "open link in new window" works:)

Re:Non-security fixes in Firefox 1.0.5

[WarmNoodles]

Hey, (Observation)
Notice how neither the description nor the linked pages in the list you attached used the descriptors "Crash", or "hang" nor no negative security connotation at all.
If these are security updates why are the details missing why is it dumbed down? Why don't they say the truth?

Like, "An unchecked buffer in feature XYZ, allows remote unauthenticated access as root resulting in the un audited compromise of the system".

This would be closer to the weak yet more accurate Microsoft descriptions.

I don't believe the average Linux user is any more a security professional or security literate than the average Microsoft user.

Re:Non-security fixes in Firefox 1.0.5

[OneTwoThreeFourFive]

That doesn't work for me. Right-clicking any of the bugzilla links and opening in a new tab or a new window gets the error, "Sorry, links to Bugzilla from Slashdot are disabled." While copying the same URL and pasting it into a new window or a new tab doesn't get that error.

Re:Non-security fixes in Firefox 1.0.5

[Adam9]

Take note of the post subject, "Non-security fixes in Firefox 1.0.5."

Re:Non-security fixes in Firefox 1.0.5

[WarmNoodles]

Clarity re-established. Thanks Adam!

Re:Non-security fixes in Firefox 1.0.5

[zoney_ie]

Annoying that they don't have the latest updates available for the regional versions at the same time. And British English (as used by much of the world outside the US/Canada) is a whopping huge regional version.

On the flipside, it's nice that there are so many regional versions now. I now have Firefox in Irish (Gaelic) at home, along with Microsoft's/Irish Govt's recent project of Windows XP Irish LIP.

Re:Non-security fixes in Firefox 1.0.5

I think most of us on OSX have just accepted the fact that firefox sucks on a Mac. I could go on and on about the bugs, but there seems to be little to no effort to fix the problems... because they continue to persist!

Firefox STILL cannot focus on any form field that does not allow for text input.

Re:Non-security fixes in Firefox 1.0.5

[Fredden]

Webdeveloper: Ctrl+Shift+T -> Disable -> Disable Referrer Logging

Re:New patch strategy for MS?

[Kimos]

Actually, it's the other day around. This is Microsoft Tuesday, patch day for them every month. It's the F/OSS world that is releasing patches at the same time as MS.

But wait...

But wait, Firefox has security holes? And OS X too? But from the comments on slashdot, I was under the impression only Microsoft had security flaws...

Oh, I think I understand now. Only windows sucks when it has security holes and Open Source programs don't suck when they have security holes because they're better than closed source and the patch came out fast... or something. Gotcha.

Microsoft sucks because they release software that needs security patches. Linux rulez!

Re:But wait...

When Microsoft releases patches, it proves that their software is a buggy pile trash that has all kinds of problems that NEVER should've been included in the first place.

When the OSS projects release patches, it proves that their coders take security very seriously, and are dedicated to making the best software possible.

It's very simple - you must be new here.

Re:But wait...

Wow, a windows fanboy that can't accept that his operating system is total crap...

Big suprise

Re:But wait...

[gnarlin]

Dear microsoft employee, please stop trolling slashdot when you should be working on those security patches.
Thanks.

Re:But wait...

I've got an experiment for you, slashbot. Place two computer side by side, one running windows (you may have to head over to torrentspy for this one, cheapskate), one running Linux (or some other communist operating system). Attach identical peripherals to each of them. You can use anything: sound card, modem, tv-tuner. Observe what happens.

Microsoft: installs drivers, possibly contacting windows update to download the most current drivers
Linux: Laughs in your pasty fucking face. Emasculates you by turning your hard earned hardware in to a mere decoration.

Re:But wait...

[aussersterne]

No, Microsoft sucks because their products are simplistic, underpowered and unsophisticated compared to Unix, and thus your productivity is 80% lower when using Windows, and you continually see things that you could do in two commands in Unix that will require either 40,000 clicks or asking IT to purchase entire additional software site licenses in your office's Windows environemnt, yet YOUR BOSS MAKES YOU USE WINDOWS ANYWAY.

Linux is cool because of -(all of the above), and because my home computer runs it and I'm cool. :-p

Re:But wait...

[Caledai]

Nah - its not that Microsoft sucks because the release patches.

Neither does OS suck because they release patches.

Its because microsoft takes so long to release patches for certain vulnerabilities that have been documents - even up to half a year before..

And that the continue to promote products that have been proven to be seriously flawed, and release new versions without those flaws fixed.

There is a difference between releasing a product, and then patching it - and releasing a product knowing it needs patches before its released.

I gotta admit - look how much testing the do on the patches they do release. Service Pack 2 anyone?

Re:But wait...

I gotta admit - look how much testing the do on the patches they do release. Service Pack 2 anyone?

I thought that was funny too, they usually test their patches waaaaaaaaaay after they release them.

Re:But wait...

[Dr.PO'd]

Meanwhile in the real world:

Microsoft: Go to nVidia website to get the latest Forceware drivers for Video Card. Download driver for Windows XP. Install Driver by double clicking icon. Restart computer. Total time, 5 minutes

Linux: Go to nVidia website to get the latest Forceware drivers for Video Card. Download Driver for Linux. Now, install time.

Forced to install a driver program on my own I have been reduced to a weeping wreak. How, I curse, could I possibly figure out how to type:

"sh NVIDIA-Linux-x86-1.0-7667-pkg1.run -q"

and then type:

"sax2 -m 0=nvidia"

In that little box thingy with the flashing cursor type thing.

Or I guess I could just use SuSE's YaST automatic update feature to do it for me I was lazy. Total time, 5 minutes.

Re:But wait...

You're not reading the same Slashdot as the rest of us, there are plenty of Linux/Firefox critics here. You also make the fatal mistake of confusing the Linux OS with the applications that run on it, which proves you're a shill.

thank goodness....

....that msft waited until the end of day to release the patches. Every time they release during the day it boggs down the network, to the point of really hindering productivity, its especially crappy when they release in the morning, because then its usually bad all day.

Re:thank goodness....

[IANAAC]

Are you talking about desktops or servers?

If you're talking about desktops, #1) Do you allow unattended updates? (Shame on you if you do!) #2) If not, how is tomorrow morning going to be any different that any other morning release? Wait, that wouldn't be a problem, since you only test patches on limited machines first.

Re:thank goodness....

[EvilStein]

If you have enough machines, roll out Microsoft SUS. Eliminates that whole problem right there. Just push the updates across the LAN. :-)

Waiting until the END of the day can be a bad thing because people that come in early and leave early are going to miss the updates, and they'll end up installing them tomorrow morning anyway.

I'm going to assume that you don't plan out/inform users of updates. ;)

Re:thank goodness....

I'm talking about the network in belly of the beast itself... meaning on redmond campus... when they push 'em out in the morning [Pacific time] your productivity is screwed... this last batch of patch tuesday they waited until EOD which helps a lot

Re:New patch strategy for MS?

[ScrewMaster]

No, it's probably a strategy. Well, even if it is a coincidence this time, it will likely become "strategy" the next time around. And it will be all your fault for mentioning it and given them even more bad ideas (as if they needed any.)

Hmm.....time to go to Windows Update.....

[compmanio36]

......and see all the non-existant updates I have to download. Seriously, people talk about all the updates to download, but I never can find them. Although I do have to say Firefox updates wonderfully.

However, despite not updating my Windows install for months, I still have yet to be infected with one virus, spyware/adware program, or have my machine hacked. Maybe it has more to do with the fact that I browse the Internet with care, rather than update with every stupid patch M$ puts out, that creates more problems to be patched later on. If people would just learn some basic browsing habits, there would be less zombie-boxes and "Win32:Netsky" emails in my inbox.

Re:Hmm.....time to go to Windows Update.....

[Kimos]

However, despite not updating my Windows install for months, I still have yet to be infected with one virus, spyware/adware program, or have my machine hacked. Maybe it has more to do with the fact that I browse the Internet with care, rather than update with every stupid patch M$ puts out ...

I don't think it's fair to say that you're too smart to get viruses/malware like everything else, it's probably a few other factors that you take for granted. Using Firefox is one of them. You have the major Windows patches so that protects you from most of it right there. Think of the MSBLAST traffic that's still out there, meaning that each of those machines is still pre-SP2. Also, being behind a router/NAT/firewall helps (again, I'm assuming). A good number of zombie machines are the direct to DSL or cable modem kind of one computer households.

Re:Hmm.....time to go to Windows Update.....

[compmanio36]

Don't get me wrong, I didn't mean to say that I was too smart to ever get a virus. And I am connected directly to my cable modem, although I am running Zone Alarm. Again, this goes back to browsing habits, because making sure you are protected while on the web is a part of that. Unless you want to be a cyber-equivalent of a hermit, and only go to Yahoo, or your ISP's home page (neither of these are guaranteed to be 100% safe either), you will, sooner or later, run into a nasty script, or a bad ActiveX (for those that insist on running IE). The question is, are you prepared to deal with that when it happens? I can't tell you how many times I have sat and watched someone click "Yes" on anything that popped on the screen to get it to go away. People aren't realizing that their actions are allowing these nasty things into their PCs. And the fact that either: 1)They don't have a antivirus, firewall, antispyware, etc or 2)it has been broken somehow, and they just don't care, cause they can still get to their warez sites and their porn hubs. If people read 2% of what they click on and made sure they were a little protected before wandering out into the big scary internet, the internet wouldn't BE so big and scary.

Re:Hmm.....time to go to Windows Update.....

[Versatile+Dinosaur]

Amen!

Re:Hmm.....time to go to Windows Update.....

Yeah right..

You might have automatic updates turned on if you dont find any updates.
If not then you really should check your computer for virii..

Re:Hmm.....time to go to Windows Update.....

A lot of DSL modems now have NAT by default, meaning you're given a 192.168.x.x IP address even if you connect directly to the DSL modem. You can turn this off from the modem's configuration, but turning it on by default was probably the smartest thing these DSL providers have done, especially when one considers the growth in semi-affordable broadband (usually in the form of DSL).

Re:Hmm.....time to go to Windows Update.....

[RAMMS+EIN]

Look, the point is not that someone with good computer skills can run Windows without problems. The point is that running Windows requires that you have an understanding of computer security, but most of its users don't have that. People use computers to get work done, they don't want to and shouldn't have to think at every step they take "is this a good idea or will my system be compromised now."

The fact to the matter is that Microsoft products are so insecure that you need to learn a whole set of rules about what to do and what not to do to use them securely, while at the same time they are being viewed as easier to use than competing products, especially for people who are not computer experts. The truth is that it's much easier for a non-expert to use a Linux or OS X system securely - getting the work done is about just as easy, but keeping secure doesn't require nearly as much effort or knowledge as on Windows.

Having said that, simply putting a Windows box behind a firewall will go a long way to cure problems, and a competent sysadmin should be able to keep the software and virus definitions up to date. Alas, many companies seem not to have competent sysadmins, and home PCs are still a problem - even the current PC generation often only knows how to use the system, but doesn't know or care about keeping it secure.

I commend Microsoft for forcing Windows Update down unsuspecting users' throats. That's an important step forward. Now if they would also fix all the security holes in a timely manner, Microsoft software might actually become the easyest to use. However, as it stands, almost any alternative is easier to use.

Re:Hmm.....time to go to Windows Update.....

[j0217995]

Ok so you are saying that someone without computer skills can run any form of *nix or *bsd? I doubt that.

I would rather bet money on someone w/o a lot technical skills keeping their Windows box up and connected to the internet then having the same person connect a *nix box to the internet and make sure everything was working.

Good luck getting grandma to connect w/o help from you to "AOL" which is also known to her as the Internet.

Re:Hmm.....time to go to Windows Update.....

[holiggan]

"Hey, I only take my car out to go to the mall, so I don't know what's this fuss about trafic accidents" Altough you are right about the right/safe browsing habits, Microsoft must patch their systems, so reduce the risk to the people that don't have those habits... Like an airbag. I don't need an airbag to drive to the mall (if I go slowly) but I might need one if, if something unexpected (or deliberate) happens.

Re:Hmm.....time to go to Windows Update.....

[RAMMS+EIN]

``Ok so you are saying that someone without computer skills can run any form of *nix or *bsd? I doubt that.''

Maybe not any setup you can think of, but the ones I've seen most people use are every bit as easy or difficult to run as Windows or OS X.

``I would rather bet money on someone w/o a lot technical skills keeping their Windows box up and connected to the internet then having the same person connect a *nix box to the internet and make sure everything was working.''

Now you're comparing apples and oranges. You're talking about keeping a working Windows setup working, and getting a *nix setup working from scratch. Most people can keep their Windows boxen in a state they think is ok...it could have viruses and spyware, crash once in a while and be horribly slow, but it will work. This requires no maintenance.

A *nix box, once set up, will behave better if it receives no maintenance. I'm sure you have heard people say that they installed whatever *nix on their box, and after that they never looked at it and it kept working. This is what I meant.

Even if you take into account what it takes to get the machine connected in the first place, *nix is not more difficult. Often, all that is required is running a DHCP client, which is done automatically at boot time by most *nixen and modern Windows versions. In other cases (e.g. PPP, PPPoE), some configuration is required, and the steps are mostly the same on *nix and Windows. Sure, the icon might be in a different place, and the form may be a bit different, but the same is true between Windows versions, OS X, and classic Mac OS. Most people who are not computer-savvy wouldn't do this themselves on either Windows or *nix; they would let someone else do it for them.

As far as the initial installation is concerned, Windows and OS X have the edge here, as they come pre-installed. But if you look at how easy systems are to install themselves, there again isn't much difference between current systems. Of course, you can always find a Linux distro that is arcanely difficult to install, but there are also those that are easier to install than Windows, or even OS X.

While I'm at it, I might as well comment that software installation works a whole lot better on good Linux distros than it works on Windows or OS X. Windows, to the best of my knowledge, is still plagued by programs that install things in wrong places, or have faulty uninstall options. OS X doesn't have a unified installer system. Some programs use the Installer, others are application folders that you drag to your hard drive, yet others come with fink or somesuch. In all cases, you have to search the web to find software, and dependencies are typically not handled (usually this means you end up having them shipped with every application). In Debian systems, things can be as simple as opening up Synaptic, finding the package you want, and installing it. Dependencies are automatically added as needed. Removing software is just as easy, as is updating. Everything runs through a unified interface, and nearly everything is available there. And that's where the real advantage is: updates, not just for the OS, but for all the software, all come through one standard place. And if you are too lazy to install them yourself, you can automate it. No more manual maintenance required.

Re:Hmm.....time to go to Windows Update.....

[bach37]

What's your ip?

Re:Hmm.....time to go to Windows Update.....

Taking this a step further...

How could users be trained to find virus's, trojans, worms, evil scripts without a virus scanner? Who will teach them what process's should run? What files are SUPPOSED to be on a drive?

Lately every box that I have seen was infected by something I physically found in the registry, in a dll file or multiple files in multiple directories. All easilly deletable if you know what files windows is supposed to have. And what it isn't. This gets highly complex when you add programs.

I find myself asking people, do you use X?
no? I'm removing it then. AOL is especially bullshit when deleting unknown files. I just cleaned an AOL box. It bitched cause I deleted the fucking shareware install directory for winamp and other cruft. (The box has a fully regged winamp)

Too much automatic shit. Auto update, TSR this TSR that. wtf... it's bullshit. I hate these programs that do that. Five minutes to mount my "tools" DVD/CD to clean a box. 1.6GHz that's just stupid. Automount CD turned on.

I see why for old grandma. But fuckin come on.
Are people this retarded? Get fucking rid of AOL and put grandma on a box behind a firewall. What the fuck are they teaching kids in schools about computers? How to type and that's it?! They ought to be forced to install their fucking system.

The fancy virus scanners drag even a high end 3.2GHz machine to a crawl at critical times. Like a video render can get a digital glitch. It's bullshit.

I don't run one because of the real time protection is just too much. When I do run em, and forget I have it installed, I find I spend about 5 minutes killing process's right durring the time I need to publish that webpage, or send that email or find that concert date.

In fact ctr-alt-del process killing is one of the best fucking things a zombie could learn. Take the time and LEARN what process's should be running. Make a fucking list if you can't memorize it.

Even without a scanner, you can be virus free!!!!!!!!!!!!!!

If I do run one, I get a free one, and after ALL files (including archives) are scanned I uninstall it. Encrypted PE files can be a pain in the ass but so can rm -rf /fucked/file.exe knock even that crap out. So what If you screw up that god damn crappy freeware app. Stay out of your /Sony /Adobe/Plugins and your set. Better yet uninstall that shit. You don't need it. You only need a few tools anyway. Back up that fucking directory that has 31 days worth of installing on it.

The only tools I ever use to find and remove bad stuff is mc (midnight commander - free) and regedit, procview, apm.

I get virus's all the time. I collect them.

Seems unlike back in the bbs days when destroying a box was the goal, now they just want porn dialers, email spammers, and zombie boxes for general mayhem. So they're not killing your data, they're stealing it. In that respect virus's have become less destructive.

On the other hand any virus on a slow machine is destructive to my time. I can't stand how slow those machines are. I have 350Mhz that are faster than those fucking COW (you know the company) 1.6Ghz boxes. How do people live like that?

I have a fucking 75Mhz box, a 386 16Mhz box running DOS and they're faster!

They're all fucking harmless when archived/zipped up. You too can collect them.

After seeing microsoft get their DNS hacked.
remmeber "hacked by chineese" ??

I don't use windows update.
I use technet.

I only patch what I have one at a time.
I wait until 24 hours after the day of release looking for publically posted problems.

I also firewall off ALL WINDOWS machines with linux and fbsd.

There's that FUCKING MICROSOFT RESTORE BUTTON. . .

hahaha dude way to bring all the viri back!

That was quick!

My fucking family is stupid. I hate it. I bet yours is too.

Re:Hmm.....time to go to Windows Update.....

127.0.0.1

Go ahead, you know you want to......

Re:Tomorrow -- NOT

[RedLeg]

Look at the calendar.

Blackhat / DEFCON is at the end of the month in Vegas. This is the scheduled patch release day (at least for MS) before the event.

The vendors have more than likely been notified by the "researchers" who discovered the issues, and are releasing their fixes on a coordinated schedule.

WindowsUpdate freezes PC

[solprovider]

The last set of patches from WindowsUpdate:
- Security Update for Windows 98 (KB891711)
- Security Update for Windows 98 (KB888113)
- Security Update for Windows 98 (KB896358)
- Cumulative Security Update for Internet Explorer 6 Service Pack 1 (KB883939)
freeze MS Windows 98SE when older versions of ZoneAlarm start. Uninstalling the old version and installing the lastest ZoneAlarm works.

The problem is most people have ZoneAlarm set to start at boot, and do not know how to bypass ZoneAlarm to get the computer booted so they can fix it.

My guess is since Microsoft is selling its own personal firewall, they will take every opportunity to hurt ZoneAlarm. Or they just wanted to generate PC sales from all those people whose computers are now "broken". Hey, they should have paid for newer versions of Windows many times since Windows98SE was released.

I can't wait to install today's patches!

Re:WindowsUpdate freezes PC

[superpulpsicle]

I think M$ are best buddies with Norton firewall. Speaking of which, always detect Slashdot as an intruder everytime I post something here?! WTF is Slashdot really hacking my computer?

Re:WindowsUpdate freezes PC

[compmanio36]

No, I have Zone Alarm and had Black ICE, neither one beeped at me whenever I have come to /.

Microsoft and Norton just don't like all of us bashing them all the time ;)

Re:WindowsUpdate freezes PC

[kayak334]

Shouldn't that read, "ZoneAlarm on Win98 freezes PC?"

Re:WindowsUpdate freezes PC

[jpkunst]

WTF is Slashdot really hacking my computer?

I noticed that every time after I post something on /. I get a line like this in my web server log:

slashdot.org - - [23/Jun/2005:21:58:59 +0200] "GET http://ask.slashdot.org/ok.txt HTTP/1.0" 404 200 "-" "libwww-perl/5.803"

No idea what it is supposed to accomplish, but I assume that that is what your firewall is complaining about.

(Note: slashcode converted the URL above into a link, obviously the logfile entry is just a plaintext URL.)

JP

Re:WindowsUpdate freezes PC

[Ponzicar]

Most of the people still running windows 98 are not computer literate enough to be using a firewall anyway, I'd imagine.

Re:WindowsUpdate freezes PC

This is utter crap.

I recently worked an issue at Microsoft where we found ONE instance of an update causing problems with older versions of ZoneAlarm.

And that user didn't even call Microsoft for help. We found a public forum post from the user, and WE contacted HIM to offer assistance in determining the cause of the problem. (By then he'd already upgraded Zone Alarm.)

If you really think that Microsoft goes out of its way to cause incompatiblities with older versions of thrid-party software, your conspiracy theory lobe is working overtime.

It's hard enough to patch an OS and not break things. Suggesting that Microsoft deliberately introduces incompatibilities with 3rd party software for the sole purpose of encouraging customers to switch to Microsoft software is just ridiculous.

Now, I do recognize that sometimes updates do break appcompat. However, the VAST majority of the time, it's due to the software vendor writing code that takes advantage of undocumented features that the updates have changed. (Do you know why those features are undocumented? It's because the OS team knows they might change in the future. And to head of the accusations that are sure to follow, in the consent decree Microsoft has agreed that only the Windows team is allowed to use undocumented Windows API's, so that Microsoft apps can't enjoy an unfair advantage. Microsoft takes that seriously and I've seen products die in development because they relied on API's they weren't allowed to use.) In most cases where the update causes appcompat and it's not the vendor's fault, MS fixes the problem.

Re:WindowsUpdate freezes PC

[holiggan]

Microsoft doesn't sell any firewall. There is a firewall in XP, but that's it. At least for now.

Re:WindowsUpdate freezes PC

[br0ck]

This was discussed and answered a few days ago by 'afidel', "I asked rob and he said they check for DDoS's whenever someone try's to post anonymously from an address...".

Re:WindowsUpdate freezes PC

[solprovider]

Thanks for confirming someone else had the same issue. (I was not the person contacted.)

I do not think Microsoft goes out of its way to cause incompatiblities with older versions of third-party software. I am not even surprised that an OS security patch caused problems for a security add-on product. It was the severity of the result (a non-booting PC) that caused me to post about it.

Re:WindowsUpdate freezes PC

[superpulpsicle]

WTF I don't even post anonymously.

Re:WindowsUpdate freezes PC

Checking for open proxy.

Re:WindowsUpdate freezes PC

[afidel]

Yep, it's broken, but Rob doesn't care. Since the system reduces the amount of bot crap coming from compromised hosts he thinks it's acceptable to portscan you every time you post a comment. Personally I find it annoying and offensive, but not enough so to stop posting to slashdot.

Re:Firefox

[audacity242]

Before you go using the (rather bad) logic that OSS is bad because of the issuance of a high risk patch, you might want to look at how many high risk patches Microsoft has released compared to the Firefox people.

-Jenn

Well bugger, my bug isn't fixed...

[ChrisKnight]

After taking to Apple tech support about my X11 problem, and having them refuse to help, I guess I'll just have to follow the MS support path and re-install the OS.

The sysadmin mantra lives on: All operating systems suck, they just suck differently.

-Chris

Re:Well bugger, my bug isn't fixed...

Blasphemer! Steve Jobs will slash your tires and take back his Bondi Blue iMac! YOU ARE NOT WORTHY!!!!

Re:Well bugger, my bug isn't fixed...

[ChrisKnight]

So I have been told. I was almost hung from the roof of the building when I walked into work the other day with my shiny new 17" PowerBook G4 that I had just purchased and on which I had already painted a big red BOFH logo. :)

-Chris

Re:Well bugger, my bug isn't fixed...

[the+way,+what're+you]

I can select text in this xterm window, go to Edit/Copy and when I go back to Edit the Paste option is greyed out. Nothing made it to the buffer when I did my Copy.

It's not intuitive, but when you selected the text in the xterm window, it was automatically copied to the X11 clipboard -- no need to do Edit->Copy. So, to paste it into another X11 app, you can use a middle click (cmd-click in my XDarwin prefs), or shift-insert (this is a trick, I have Enter mapped to Insert via xmodmap :).

It starts to get hairier when you mix copy/pastes between OS X and XDarwin.

Re:Well bugger, my bug isn't fixed...

[cortana]

Not quite. There are actually two clipboards (I think "selections" is the correct term). The one accessed by selecting an object (the "primary selection") is independent of the one that is accessed by choosing Cut/Copy from a menu (the "clipboard selection").

Once one internalises this information, it becomes clear that many clipboard related problems that people have with X11 are caused by poorly written apps that fail to follow the conventions on the use of the Primary and Clipboard selections.

http://freedesktop.org/wiki/Standards_2fclipboards _2dspec has a more detailed explanation.

Re:New patch strategy for MS?

[Keeper]

Given that Microsoft always releases its patches on the 2nd Tuesday of the month (nicknamed "patch Tuesday"), I'd say it isn't a new stratedgy. Or at the very least, it isn't a new Microsoft stratedgy ... :p

Mac OS X 10.4.2

[MyDixieWrecked]

best feature update for OSX:

With this update, you can use Safari to log in to MyAccount on cingular.com.

now I don't have to fire up firefox just to pay my cell phone bill.

w00t!

Better solution:

[Some+Random+Username]

Upgrade to Heimdal.

Re:Better solution:

[Cajal]

Why on earth would you want to use Heimdal?

Re:Better solution:

[Some+Random+Username]

Compare their security records, its pretty obvious why I'd want to use the one that doesn't have constant exploits from sloppy and careless programming.

Wait...?

[mister_llah]

"freeze MS Windows 98SE when older versions of ZoneAlarm start. Uninstalling the old version and installing the lastest ZoneAlarm works."

--- this is with older versions of Zone Alarm, if reinstalling Zone Alarm fixes the problem... why would this be some ploy of Microsoft to hurt Zone Alarm?

Windows 98 isn't exactly new, either, I really doubt they would (if they chose an 'attack' of this sort) ... to do it with Win98... (since most people who would care would already be running something else)

===

Perhaps I am missing something, feel free to tell me what I am missing if I am, I like to have a clue sometimes ;)

Re:That'll teach you to trust Apple.

[ChrisKnight]

Ah yes, the wisdom of the AC...

If I was 'in my right mind' I'd be living in Fiji taking tourists on scuba tours of the soft corals. Since I'm not, I stay in SF and buy shiny toys; and I maintian the right to bitch about them if they don't work as expected. And I've got the balls to do it with a real login account.

-Chris

Re:New patch strategy for MS?

you have to be the biggest dumb shit in this entire earth.

Microsoft has been releasing patches on Microsoft Tuesday for a LONG time... It would be the other way around... before you bash a company, pull your head out of your ass and get the facts

Re:Firefox

[drclaw007]

Of course it would have nothing to do with the fact that one of these pieces of software is a (comparitively simple) web browser, while the other is an OS which users expect to run on some dodgy p3 which has been gathering dust in a corner for the last 6 years or so and has millions of lines of code to debug :)

I hope...

[Bad+to+the+Ben]

they continue making progress with the bug fixes. For me, FF is feature packed enough. I'd prefer to see some more work on the update facilities and performance when running on Linux (fix the RAM usage and crashes please). I like FF because it's light, I don't want more bloatware. The FF team need to remember that we can switch back to IE, or to Opera or something else, just as easily as we switched to FF. Many FF users aren't in it to snub MS (they're both free browsers, it's not like they lose money), they're using it cause it's a safer, more stable product. The second that changes, I and many like me go elsewhere.

Re:I hope...

[emandres]

they're both free browsers, it's not like they lose money

IE is free, as long as you don't consider your soul to be of much worth...

Re:I hope...

[darkmeridian]

I am running the 1.1+ nightlies and I have to say that it is not bloatware. I do not know why, but it does run faster--in terms of load time and rendering. I do not remember any features that they've added in 1.1 that isn't cosmetic, such as rejiggering the control panel. So wait for 1.1 final to be released. You will be quite glad with that product.

Re:I hope...

[Bad+to+the+Ben]

Thanks for the tip, sounds like something to look forward to. I might give the nightlies a go and do a bit of beta testing.

I guess if I want stability I should give them some feedback.

Re:I hope...

[texroot]

You said it. The crashes are really annoying.

One other thing that I've also noticed: I love tabbed browsing but hate opening a new tab and having every page that I've tabbed be frozen until the page that is opening finishes.

Better threading would really be nice.

Re:Firefox

[Slashcrunch]

Anyone that claims open source is entirely free of bugs is dreaming and/or misinformed.

The beautiful part is the speed at which critical bugs in OSS are corrected after being discovered.

Re:Firefox

Most important, how many already widely known high risk issues Microsoft has yet to patch.

Change to Windows Update

[fontkick]

One of the things I noticed last week was that Windows Update... had been updated. It's now a new stylized webpage and it works a little differently - in that, it doesn't. My Windows 2000 Pro machine refuses to install anything that's been downloaded with the "new" Windows update. They refer you to the help section if installation fails, and after trying all of the help suggestions I just gave up, nothing worked.

The only thing that does work (for me anyway)is the old URL: http://v4.windowsupdate.microsoft.com/catalog/en/d efault.asp

No telling how long we have until Microsoft disables it and forces everyone over to a new system that doesn't work. I've always liked, or at least tolerated Windows and I've never understood why everyone here *hates* Microsoft. Now I get it. Hopefully someone will find the above url useful if they have problems.

Re:Change to Windows Update

[drsmithy]

No telling how long we have until Microsoft disables it and forces everyone over to a new system that doesn't work.

Have you bothered to tell them it doesn't work for you ?

Re:Change to Windows Update

[unity]

He'd probably want to have a legit copy of windows to do that...

Re:Change to Windows Update

[sconeu]

Interesting. That link shows Win2K Pro SP5 as a supported OS.

Does anyone measure patch time

[WarmNoodles]

I would be curious all things being equal, how long todays patches will take to completely saturate the base of patchable machines.

Including all of thousands of machines based on odd ball linux distros and all windows machines.
Not the time to make the patch, but the time it takes for the vulnerability to be reasonably remediated.

Any one know?

Safari now FAILS "Acid test"

[Hao+Wu]

It used to pass, but no longer. Try it:

The Second Acid Test

Re:Safari now FAILS "Acid test"

That crashes my browser, you insensitive clod!

Re:Safari now FAILS "Acid test"

[Kyro]

It only passes if you use a nightly. A shipped release has never passed the acid 2 test.

Re:Safari now FAILS "Acid test"

[mr_tap]

It only passes if you use a nightly. For those that aren't aware, you can build your own or download Safari on Acid

Re:New patch strategy for MS?

[datafr0g]

Strategy???

Dude! It's just that time of the month!
Computers are just like chicks... well, they are for us Mac owners anyway.... prrrrrrrr - sexy.

:)

This just proves, once again...

[xigxag]

that the Amiga is the most secure platform out there.

Re:This just proves, once again...

[BiggerIsBetter]

I dunno. My ZX81 never got pwn3d either...

Re:This just proves, once again...

[learn+fast]

there is no security through obscurity!

Re:This just proves, once again...

[I+confirm+I'm+not+a]

This just proves, once again... that the Amiga is the most secure platform out there.

Hah! Only until Contiki gets h4><0r3d!

;-)

/slinks off to h4><0r an 8-bit browser...

Re:This just proves, once again...

[m50d]

Nah, OS/2's got you beat. When did you last see a patch for OS/2? People said it was massively over-designed, but it's paying off.

Oooooh! Button!

[jd]

If you can afford to live in the SF area, can you buy the rest of us some shiny toys? The computer I'm using is painfully slow, and if SGI goes under, there may well be Altix bricks on eBay for a decent price...

Re:Oooooh! Button!

[Thumpnugget]

If you can afford to live in the SF area, can you buy the rest of us some shiny toys?

Methinks you are underestimating the amount of money it takes to actually live in the SF area and have anything left over for buying shiny toys.

Yuck :-(

[iamdrscience]

Security patches do not taste as good in my Flurry as oreos and peanut butter cup pieces do.

HE WAS BEING SARCASTIC

just wanted to clear that up for you.

Fx 1.0.5 fixes and NoScript

Among the other fixes, Firefox 1.0.5 contains a patch to CAPS (Configurable Access Policies) that finally eliminates crashes reported by users of the NoScript extension. This should make Firefox users even more safe: its "whitelist based pre-emptive script blocking approach prevents exploitation of security vulnerabilities (known and even not known yet!) with no loss of functionality"...

Excellent, it works!

[Futurepower(R)]

Thank you very much. The new Windows Update doesn't work with one of my computers. The link you posted works fine, and I would rather put all the patches on a hard disk, anyway.

Microsoft Internet Explorer is one of the most buggy software packages I've ever seen. Windows Update isn't as buggy, but it's trying.

Security is definitely not one of Microsoft's priorities, unless the priority is to have the most vulnerabilities.

WRONG ITS DOS!

MY DOS System has NEVER been exploited!

So why doesn't

my firefox (so 2 speak) show that there are critical updates available?

Re:So why doesn't

[julesh]

Dunno. Mine has a little green icon in the top right corner, and if I mouseover it, it says "Update(s) available". I'll admit it would be nice if it informed me they were critical...

Re:So why doesn't

[ppz003]

If it's a critical update, the update arrow in FF will be red.

Re:So why doesn't

[whitehatlurker]

Not only is the throbber button grey on the FF I've got, I can't even get FF 1.04 to acknowledge that there is an update during an explicit check. Quote:
No updates found
Firefox was not able to find any available updates

Back to manual updates ...

Mod Parent Troll

[Frankie70]

It says something bad about Open Source. That's
just not acceptable here.

Opera is being left in the dust!

Microsoft releases patches for IE, Mozilla foundation releases patches for Firefox, why isn't Opera patching their browser?!

Oh yeah, 0 unpatched vulnerabilities.

Re:Opera is being left in the dust!

[morgajel]

seems like any time anyone mentioned FF, safari or IE some AC feels the need to mention Opera.

for cripes sakes, NO ONE CARES. Please, can't you just go one conversation without being the snobby nerd? it just isn't needed and you really turn people off to that option because they don't want to be associated with you.

Opera is a great browser, sure. I'll give them that. they've been really innovative- ok, I'm cool with that. but PLEASE shut up and quit mentioning it whenever you can, and stop being a snob about it. it's sad and the infighting in the alternative brower crowd makes you look really ameteur.

(former Opera user)

((apologies to the mods for an offtopic rant))

Re:Opera is being left in the dust!

Shut up, asshat. I'm trying to read real content here.

Re:Opera is being left in the dust!

[Nintendork]

Because nobody bothers wasting their time finding vulnerabilities for a browser with such a miniscule market share. Where's the fame and fortune in that?

-Lucas

Re:Opera is being left in the dust!

Or maybe because Opera actually fixes any found vulnerabilities quickly instead of talking about the cathedral and the bazaar and claiming to be secure.

Don't Forget MS Office!

[MrNonchalant]

There was also a high priority update for Microsoft Office in addition to the 3 OS patches. Nothing critical, just updated spam definitions.

Quote:
Update for Outlook 2003 Junk Email Filter (KB895658)
This update provides the Junk E-mail Filter in Microsoft Office Outlook 2003 with a more current definition of which e-mail messages should be considered junk e-mail. This update was released in July 2005.

I'm using the new Microsoft Update (as opposed to Windows and Office separately) and so should you. And yes, according to their FAQ it adds Office to Windows automatic update.

Link: http://update.microsoft.com/

Re:Don't Forget MS Office!

[initialE]

For me it always took me to the windows update site until I went to http://update.microsoft.com/microsoftupdate once.

Ah, choices.

[Lost+Found]

Today, I sigh in pleasure as I type this message in KDE Konqueror. Glad my browser isn't vulerable to a kitchen full of exotic security holes; taste of the week style.

Oracle Unbreakable

[Donny+Smith]

Oracle Unbearable, perhaps.

They probably have the worst security track record among major databases and yet they get no /. trashing whatsoever. Interesting.

It isn't a bug, you just don't get X

Which isn't surprising, X is a mess.

It is done with the selecting and middle clicking that others mention. Other X11 apps do it differently. Why do all apps do it differently? Because the mantra for X is "possibility, not policy". And some apps really take that to heart.

The Copy and Paste items in the Mac menus aren't really useful in X11, because the functions that would implement those are not implemented in all apps, and even those are are in do the functionality with different key sequences.

updated Windows Malicious Software Removal tool

[pe1chl]

The company also updated its Windows Malicious Software Removal tool to add detections for variants of Wootbot, Optix, Optixpro, Hacty (also known as YYTHAC), and Prustiu (also known as Delf.FN). ... and to reflect its intent to buy Claria, distributor of malicious software like Dashbar and Gator, by removing the detections for their products.

Thanks timothy!

Thanks timothy for posting a summary of the last two articles posted. Both of which were posted by you even.

Microsoft sucks because it sucks...

[OwlWhacker]

I can't ever remember anybody saying that "only Microsoft had security flaws". If you were under this impression, this is more likely to be down to a misunderstanding, or some angry pro-Microsoft type trying to give Linux users a bad name.

The point is that Microsoft has vulnerabilities which are usually exploited swiftly. They're usually quite nasty. They're usually in the most popular (bloated) Microsoft software packages. Finally, there's a good chance that patches could cause just as much damage as an exploit. This is what makes people shake their heads about Microsoft security.

Added to this, Microsoft has been working extremely hard - or so we're led to believe, even to the detriment of it's beloved Longhorn - and has spent millions on security. Maybe there have been improvements, but it's still coming out with plenty of nasties after years of this.

And after saying that Windows has better security than Linux, Microsoft is now copying Unix/Linux administration rights. This seems to suggest that Microsoft doesn't see an end to the plague, and that perhaps Linux holds an upper hand in security after all. Not only that, but this is going to make it easier for people to switch to a Linux desktop, after getting used to having to log in as root on Windows for particular reasons.

software patches

[chrisranjana.com]

It is good that software gets patched often enough to keep it stable enough.

Re:New patch strategy for MS?

[shadowlost]

BTVS lives on... The only windows box in my house is named Dawn. Works well with my naming convention. I also still get to say: "It's tuesday, Dawn must be in trouble again."

Thoughtful Analysis!

[Infonaut]

Quit drinking the koolaid, dipshit.
Hey, how'd you know I was drinking Kool-Aid?! Damn, you're a jeenyus!

No sysadmin in his right mind runs OSX.
Brilliant! Can't wait for more! I can tell this is gonna be a fact-filled, detailed primer on what to do right. Give me the straight dope, dude. I'm waiting for it.

Unless he doesn't want *real* support.
Ah, yes. I get it. What you mean is that if you buy Apple products, you won't get *real* support. I don't know what that means or who does provide *real* support, but I guess that's because I'm a dipshit. Damn! I hate when that happens!

Or performance.
I thought Apple hardware was sexy, but I guess it doesn't really "put out" the way other hardware does. I don't need factual comparisons. You're teaching me a lot here. I can't wait to read the next kernel of wisdom.

Or security.
Yeah, OS X is a fucking sieve! If it's not trojan horses it's Mail.app viruses and malware. Every zombie machine out there is running OS X. It's a plague on us all. Fucking Apple!

Or configurability.
I never thought about that, but you're so right. That one configuration fits all XServe sucks major goat ass.

Or standards.
You said it, buddy! I wish Apple would get with the program. I mean, I can run WebStar on OS 8, but why don't they wake up and smell the coffee? It's 1996, and the world is changing. If Apple doesn't wake up, this World Wide Web thing is going to really catch them off guard.

Or a real journaling file system.
That's like *real* support, right? You must mean that HFS+ isn't *real*. I think I'm starting to understand, but you're so brilliant you may have to slow down so I can catch up.

Or real hardware.
Ah, I'm on to you now, you clever sysad, you! This is another one of those "it's not *real*" things. It looks like the hardware is there, doing its job, but it's actually not.

Thanks for clearing this all up, AC. I really learned a lot, and am looking forward to more comments from you. It's going to be tough to read them all though, because you sure are prolific!

Is it me....

[DeathByDuke]

or are Tuesdays becoming a International patching day? World of Warcraft also patched up Tuesday too...

Patch Patch Patch Patch Bake Beans and Patch

[pklong]

Patch Patch Patch Patch. Lovely Patch! Wonderful Patch!

Answers

[solprovider]

I should have been more specific. By "old version of ZoneAlarm", I meant the latest download on Nov 20, 2004: version 5.5.062. The current version downloaded on July 10 is 5.5.094.

I do not know if ZoneLabs fixed something to beat MS, or whether the uninstall/reinstall fixed whatever WindowsUpdate ruined. It won't matter to anyone who's computer is broken by WindowsUpdate.

Win98SE is the best OS produced by MS. Add ZoneAlarm, Mozilla, OpenOffice, and some smarts in the user, and you have a rather secure computer. I do not like MS's later versions. WinME was an abortion. Win2K could not run older programs or use older drivers. WinXP cannot be made secure; MS has been patching at least monthly since it released, and every month they find several new flaws. Win98SE does not like more than 512MB RAM; WinXP does not like less than 2GB RAM. I have no metrics, but after replacing WinXP with Win98SE on may computers, every user has said their computer runs between 4 and 10 times faster. The only programs that I am aware run on WinXP, but not Win98, are SpiderSolitaire and a database server; I am almost certain they would work if they did not check the OS during launch.

IMO, people who care, but must have a MS OS, use Win98SE. Older is not necessarily worse. How many servers were still running RH6 when the main trunk was renamed Fedora. I worked on a RH7.2 production server last week; some of the software is not certified on later versions, and the company will not take a chance upgrading.

=== Answering the other responses:
ZoneAlarm beats Norton in every security groups tests. Search for some reviews from your favorite secuirty website.

Most of the people still running windows 98 are not computer literate enough to be using a firewall
Most of the people still running Win98 are doing so deliberately. The ignorant are running the WinXP that came with their new computer, along with spyware and other malware they picked up from close contact with the zillion other computers on the Internet.

Shouldn't that read, "ZoneAlarm on Win98 freezes PC?"
ZoneAlarm worked great for years. It was WindowsUpdate that broke my PC. If a mechanic installs a new starter and the engine won't start, you don't blame the spark plugs, even if installing new plugs makes it work.

Re:Answers

[squidguy]

I hope you aren't serious, except that Win98 (aka Wintendo) was good for games and the home user before broadband...it has no place in the Corporate environment. Features like NTFS and kerberos (neither of which are natively supported on Win9x) do help security. Most of us realize that in the home environment you aren't likely to find kerberos, but by and large, the W2K & XP kernels are NOT based on WinX and are more secure. So neither platform is immune to a dedicated haxor coming across an unfirewalled and unpatched home setup on a broadband connection... and don't start on *Nix because the average remaining Wintendo user probably uses AOL and is scared to death of Linux (if they even understand what it is). Ok, so they could go by a Macintosh, but...

Re: Answers

[solprovider]

Win98 (aka Wintendo) was good for games and the home user before broadband...it has no place in the Corporate environment.
Agreed, but I feel the same about WinXP.

Features like NTFS and kerberos (neither of which are natively supported on Win9x) do help security.
If you are stuck with MSWindows on laptops, NTFS is required for hard drive security in case of theft. I was talking about desktops, but you have a good point.

(I try to forget laptops exist unless a project includes them. I must have a full-size keyboard and a large monitor to be productive. HP's zd series are the only laptops I like, and there weren't drivers for any *nix for them when I last checked.)

the W2K & XP kernels are NOT based on WinX and are more secure.
MS said WinXP is more secure than Win9x, but it seems like WinXP was their gift to malmare writers. I read metrics that WinXP had tied Win9x for number of computers around 2003, but even as Win9x lost its crown and XP SP2 was old news, WinXP was responsible for most of the virus news.

There are no Windows98 patches in this week's batch. My WindowsUpdate history lists 10 patches for Win98SE since this PC was installed in 2003. None of them were a "cumulative" patch like SP2, although "Second Edition" might be comparable, so start there. How many patches have there been for WindowsXP SP2? (I do not know and am interested. Would someone using WinXP SP2 check their WindowsUpdate history and report back?)

Re: Answers

[squidguy]

There are no Windows98 patches in this week's batch. My WindowsUpdate history lists 10 patches for Win98SE since this PC was installed in 2003. There are no Win98 patches this week because Microsoft has desupported it. Clearly this is one area where OSS is advantageous but how many devs are actively engaged in patching FC1, for example? This is merely a guess but I imaging most have moved on to supporting FC4. At least it is relatively "free" to upgrade.

Mod Parent Informative

[WillerZ]

Useful rules for all new users should be highlighted...

Re:That'll teach you to trust Apple.

HAHAHAHAAAAAAAAAAAAA!

No, seriously...you have balls because you signed in? On Slashdot?

Faggot.

A response straight from the book!

You've done what many other Microsoft zealots do.

It is written:

Typical Microsoft Zealot behavior - #83:

"Whilst communicating to the Microsoft Zealot concerning the lacking security within Microsoft software, such an individual may offer a whining response, noting the complexity of installing software packages in Linux.

This is an unwilling admittance that Microsoft software is severely lacking where security is concerned. Although software installation presents no risk, it is widely understood that installing software on Linux presents a problem, and rhetorting along this line is usually the only response such an individual can conceive."

Re:New patch strategy for MS?

[OrangeSpyderMan]

This is Microsoft Tuesday

Perhaps they should make that Microsoft Tuesday (TM) like Microsoft Windows (TM), Microsoft Office (TM) etc :-)

Eh, end of the day?

[Henk+Poley]

How do you define 'end of the day' on a planet?

Re:Eh, end of the day?

[nizo]

I always go by 5PM GMT as the end of the day. That would be 11am local time, which is probably why my boss looks at me funny when I am saying I am going home for the day.

Is taunting the Apple fanboys legal?

Hilarious responses, I'll have to keep a lookout for more posts, they beat the +Funnys into a cocked hat.

All corporate support sucks rocks, yes, even $15,000 per year Sun or Oracle platinum support. But sorry, not Apple, you must not criticize Apple about anything, didn't you know that? :-)))

Re:Firefox

[MyLongNickName]

Yup. But here's the problem: Firefox has built its reputation on "We are secure. Microsoft is not" The more incidents like this one, the less differentiation between Firefox and Microsoft.

But ofcourse, the mods "flamebait" the granparent which had a very valid point.

As gp pointed out, people become zealots so easily.

Reboot - then it works

[GAATTC]

I had the same problem, and rather than waste a bunch of time figuring it out I rebooted my machine. Suprise suprise - it update started working. Kind of old school, but not suprising.

MS Office

[ccharles]

MS also released a security update for Office.

A response straight from the manual!

I was referring to specifically to hardware.

I know from first hand experience that Opera (like alot but not all Linux software) is as easy to install on Linux as it is on Windows.

What does the typical Linux zealot do when confronted with unpleasent facts on slashdot?

Typical Linux Zealot behavior - #0.1.12

"Whilst replying to an unflatering post about Linux, which frequently refer to a lack of user friendlyness for obvious reasons, the zealot will often completely misrepresent the contents of the post he is replying to.

In other words, he will build a straw man, paint its face pasty white, and feel great about being able to outsmart his new strawman friend. Rhetorting along this line is usually the only response such an individual can conceive."

Think again

[sykjoke]

I ran a BBC b connected to prestel for years without getting a single worm, virus or trojan.

Got what they asked for?

[RhettLivingston]

Sysadmins pressed MS into the strategy of releasing bug fixes on a scheduled monthly basis so that they wouldn't have to be dealing with them continuously through the month. It only makes sense for everyone else to use the same day for the same reason.

Maybe this will increase the rate of application of other patches. People will essentially be reminded of the day when the MS patches automatically arrive and come to know that that is the day that they should check for patches on all of their other products that don't use such a clean patching system.

Thunderbird update is on Wednesday

According to the ComputerWorld article, the Thunderbird update (version 1.0.5) will not be released until Wednesday.

I check Windows Update and see this ..

[Udderdude]

"A security issue has been identified in the Color Management Module that could allow an attacker to compromise your Microsoft Windows-based system and gain control over it. "

Leave it to Microsoft to leave a vunerability in something to do with color management. Jesus.

Interesting...

[BlueCollarCamel]

Yesterday I waited for FireFox to do it's automatic update thing to no avail.

I decide to go to Options->Advanced and do a manual Check for Update, which returned nothing.

Why has Mozilla abandoned me??!?

And no, I am not currently running 1.0.5

Re:Interesting...

No auto-update for Firefox? Same thing has happened to me, and I've tried it on three different machines. (I'm running v1.0.4.)

Re:Interesting...

At the risk of posting a `me too' post -- me too.

(Slashdot requires me to wait longer between clicking `reply' and clicking `submit'. Sorry if this time-critical information does not reach you promptly.)

auto updating w/o download?

[bach37]

Anyone know when the auto-updating of Firefox is due to come? Rather than having to go to a mirror and download a new release?

Re:Firefox

[audacity242]

Sure, the Microsoft updates are quite often OS-updates. But of the three I downloaded and installed this morning, at least one was specifically for IE (didn't check the other two). I see way more critical/high risk updates coming from Microsoft for IE than I do for Firefox.

-Jenn