Flurry of Security Patches

yggy writes "It's been a hectic day on the security patching front. Microsoft's bulletins for July include patches for three critical vulnerabilities on the same day that Mozilla releases new security updates for Firefox and Thunderbird. Not to be left behind, Apple fixed two Tiger flaws while Oracle issued a critical database server update." (See these separate stories on today's release of Firefox 1.0.5 and the 10.4.2 update from Apple, too.)

Tomorrow

[mfloy]

So today we have a bunch of new patches, which means tomorrow we will have all the exploits being developed and released. The major problem with patches is they often are not installed by end users, and that is the bread and butter of zombie botnets.

Re:Tomorrow

[Parham]

Luckily Windows has tried to stop this from happening as much as possible by downloading the patches in the background, and then asking you to install, and bugging you to install until you do. What I'm actually waiting for is, seeing what NEW security problems these new security fixes make. This recent article in the games section comes to mind amongst other things.

Re:Tomorrow

[mfloy]

What i've always worried about is a well planned attack that sends fake patches that actually cause more security nightmares or currupt the OS.

Re:Tomorrow

[Charles+W+Griswold]

Wow. That brought an interesting mental image to mind. :-.

I was going to say "I don't know. Are the users good looking?" but (in the name of good taste) decided not to.

Re:Tomorrow

[Tim+C]

More than that, Windows gently reminds you at appropriate times that you really ought to have patches download and install themselves automatically. ("At appropriate times" means on the Windows Update site, and in the Security Centre)

Now, you may argue that that's a bad idea, you should always know what's being installed on your machine and what it might break, etc, and I'd agree. The flip side of that though is that anything that increases the likelihood of home users installing security updates has got to be a Good Thing.

[It's been 4 minutes since you last successfully posted a comment

Editors, can we *please* get this fixed?]

And don't forget...

[Afecks]

...the zlib bug

KRB5 vulnerability too

[ikewillis]

http://www.frsirt.com/english/advisories/2005/1066

FrSIRT Advisory : FrSIRT/ADV-2005-1066
CVE Reference : CAN-2005-1174 - CAN-2005-1175 - CAN-2005-1689
Rated as : Critical
Remotely Exploitable : Yes
Locally Exploitable : Yes
Release Date : 2005-07-12

* Technical Description *

Multiple vulnerabilities were identified in MIT Kerberos, which could be exploited by remote attackers to execute arbitrary commands or cause a denial of service.

The first issue occurs in the MIT krb5 Key Distribution Center (KDC) implementation when processing specially crafted TCP/UDP requests, which could be exploited by an unauthenticated attacker to cause a denial of service or execute arbitrary code on the KDC host.

The second vulnerability is due to a double-free error in the "krb5_recvauth()" function, which could be exploited by an unauthenticated remote attacker to execute arbitrary code in the context of a program calling the vulnerable function (this includes the kpropd program which typically runs on slave Key Distribution Center hosts).

* Affected Products *

MIT Kerberos 5 version 1.4.1 (krb5-1.4.1) and prior

* Solution *

Upgrade to krb5-1.4.2 release :
http://web.mit.edu/kerberos/dist/index.html

Or apply patches :
http://web.mit.edu/kerberos/advisories/2005-002-pa tch_1.4.1.txt
http://web.mit.edu/kerberos/advisories/2005-003-pa tch_1.4.1.txt

* References *

http://www.frsirt.com/english/advisories/2005/1066
http://web.mit.edu/kerberos/advisories/MITKRB5-SA- 2005-002-kdc.txt
http://web.mit.edu/kerberos/advisories/MITKRB5-SA- 2005-003-recvauth.txt

* Credits *

Vulnerabilities reported by Daniel Wachdorf and Magnus Hagander

Non-security fixes in Firefox 1.0.5

[Adam9]

Here's some good info that colfer from this MozillaZine thread dug up:

1.0.5 is mainly a security fix, but I have seen a bunch of non-security fixes creep in also, such as removing the default checkbox "yes" for "make firefox my home page." This looks like a big cleanup for the 1.0.x branch, before 1.1 takes over.

I don't know about the security fixes, besides the medium-risk frame/window spoofing thing (with 1.0.4, you should not open untrusted sites at the same time as sensitive sites...). Here are the non-security fixes (non-security as it seems to me) checked in since 1.0.4:

https://bugzilla.mozilla.org/show_bug.cgi?id=28373 0
"Save As" dialog tries to overwrite link/shortcut (.lnk) file instead of opening the directory/folder

https://bugzilla.mozilla.org/show_bug.cgi?id=29521 0
Tab title different from window title on initial load at gmail

https://bugzilla.mozilla.org/show_bug.cgi?id=28377 7
Right arrow key after selecting autocomplete result no longer uses selected item

https://bugzilla.mozilla.org/show_bug.cgi?id=29123 2
update installer packages should offer unchecked check box for setting start page

https://bugzilla.mozilla.org/show_bug.cgi?id=29106 4
Helper app dialog incomplete for non-nsStandardURL types

https://bugzilla.mozilla.org/show_bug.cgi?id=26553 6
(64-bit only issue)

https://bugzilla.mozilla.org/show_bug.cgi?id=24563 1
Crash loading (particular) .ico file

https://bugzilla.mozilla.org/show_bug.cgi?id=14181 8
Table with large rowspans and colspans hangs the browser

https://bugzilla.mozilla.org/show_bug.cgi?id=28800 6
Drag image across browser windows --> crash

https://bugzilla.mozilla.org/show_bug.cgi?id=29505 2
Obscure Javascript crash

https://bugzilla.mozilla.org/show_bug.cgi?id=29627 0
Default user agent problem (AIX platform only)

https://bugzilla.mozilla.org/show_bug.cgi?id=28081 3
Crash on OS/2 platform

https://bugzilla.mozilla.org/show_bug.cgi?id=29377 8
bookmarks toolbar missing in 2nd opened window, links in second window possibly cause crash

Re:Non-security fixes in Firefox 1.0.5

[CyricZ]

Links to the Mozilla Project's Bugzilla installation from Slashdot are disabled, you know.

Re:Non-security fixes in Firefox 1.0.5

[Adam9]

Slashdot linkified them for me; I just copy and pasted the info.

Re:Non-security fixes in Firefox 1.0.5

[CyricZ]

Well, then. You are innocent of all charges.

Re:Non-security fixes in Firefox 1.0.5

[mab]

Right Click "open link in new window" works:)

Re:New patch strategy for MS?

[Kimos]

Actually, it's the other day around. This is Microsoft Tuesday, patch day for them every month. It's the F/OSS world that is releasing patches at the same time as MS.

But wait...

But wait, Firefox has security holes? And OS X too? But from the comments on slashdot, I was under the impression only Microsoft had security flaws...

Oh, I think I understand now. Only windows sucks when it has security holes and Open Source programs don't suck when they have security holes because they're better than closed source and the patch came out fast... or something. Gotcha.

Microsoft sucks because they release software that needs security patches. Linux rulez!

Re:But wait...

[Caledai]

Nah - its not that Microsoft sucks because the release patches.

Neither does OS suck because they release patches.

Its because microsoft takes so long to release patches for certain vulnerabilities that have been documents - even up to half a year before..

And that the continue to promote products that have been proven to be seriously flawed, and release new versions without those flaws fixed.

There is a difference between releasing a product, and then patching it - and releasing a product knowing it needs patches before its released.

I gotta admit - look how much testing the do on the patches they do release. Service Pack 2 anyone?

thank goodness....

....that msft waited until the end of day to release the patches. Every time they release during the day it boggs down the network, to the point of really hindering productivity, its especially crappy when they release in the morning, because then its usually bad all day.

Hmm.....time to go to Windows Update.....

[compmanio36]

......and see all the non-existant updates I have to download. Seriously, people talk about all the updates to download, but I never can find them. Although I do have to say Firefox updates wonderfully.

However, despite not updating my Windows install for months, I still have yet to be infected with one virus, spyware/adware program, or have my machine hacked. Maybe it has more to do with the fact that I browse the Internet with care, rather than update with every stupid patch M$ puts out, that creates more problems to be patched later on. If people would just learn some basic browsing habits, there would be less zombie-boxes and "Win32:Netsky" emails in my inbox.

Re:Hmm.....time to go to Windows Update.....

[Kimos]

However, despite not updating my Windows install for months, I still have yet to be infected with one virus, spyware/adware program, or have my machine hacked. Maybe it has more to do with the fact that I browse the Internet with care, rather than update with every stupid patch M$ puts out ...

I don't think it's fair to say that you're too smart to get viruses/malware like everything else, it's probably a few other factors that you take for granted. Using Firefox is one of them. You have the major Windows patches so that protects you from most of it right there. Think of the MSBLAST traffic that's still out there, meaning that each of those machines is still pre-SP2. Also, being behind a router/NAT/firewall helps (again, I'm assuming). A good number of zombie machines are the direct to DSL or cable modem kind of one computer households.

Re:Hmm.....time to go to Windows Update.....

[RAMMS+EIN]

Look, the point is not that someone with good computer skills can run Windows without problems. The point is that running Windows requires that you have an understanding of computer security, but most of its users don't have that. People use computers to get work done, they don't want to and shouldn't have to think at every step they take "is this a good idea or will my system be compromised now."

The fact to the matter is that Microsoft products are so insecure that you need to learn a whole set of rules about what to do and what not to do to use them securely, while at the same time they are being viewed as easier to use than competing products, especially for people who are not computer experts. The truth is that it's much easier for a non-expert to use a Linux or OS X system securely - getting the work done is about just as easy, but keeping secure doesn't require nearly as much effort or knowledge as on Windows.

Having said that, simply putting a Windows box behind a firewall will go a long way to cure problems, and a competent sysadmin should be able to keep the software and virus definitions up to date. Alas, many companies seem not to have competent sysadmins, and home PCs are still a problem - even the current PC generation often only knows how to use the system, but doesn't know or care about keeping it secure.

I commend Microsoft for forcing Windows Update down unsuspecting users' throats. That's an important step forward. Now if they would also fix all the security holes in a timely manner, Microsoft software might actually become the easyest to use. However, as it stands, almost any alternative is easier to use.

Re:Hmm.....time to go to Windows Update.....

[j0217995]

Ok so you are saying that someone without computer skills can run any form of *nix or *bsd? I doubt that.

I would rather bet money on someone w/o a lot technical skills keeping their Windows box up and connected to the internet then having the same person connect a *nix box to the internet and make sure everything was working.

Good luck getting grandma to connect w/o help from you to "AOL" which is also known to her as the Internet.

Re:Open source

[Tanmi-Daiow]

apple is hardly 'open source'.

Re:Tomorrow -- NOT

[RedLeg]

Look at the calendar.

Blackhat / DEFCON is at the end of the month in Vegas. This is the scheduled patch release day (at least for MS) before the event.

The vendors have more than likely been notified by the "researchers" who discovered the issues, and are releasing their fixes on a coordinated schedule.

WindowsUpdate freezes PC

[solprovider]

The last set of patches from WindowsUpdate:
- Security Update for Windows 98 (KB891711)
- Security Update for Windows 98 (KB888113)
- Security Update for Windows 98 (KB896358)
- Cumulative Security Update for Internet Explorer 6 Service Pack 1 (KB883939)
freeze MS Windows 98SE when older versions of ZoneAlarm start. Uninstalling the old version and installing the lastest ZoneAlarm works.

The problem is most people have ZoneAlarm set to start at boot, and do not know how to bypass ZoneAlarm to get the computer booted so they can fix it.

My guess is since Microsoft is selling its own personal firewall, they will take every opportunity to hurt ZoneAlarm. Or they just wanted to generate PC sales from all those people whose computers are now "broken". Hey, they should have paid for newer versions of Windows many times since Windows98SE was released.

I can't wait to install today's patches!

Re:WindowsUpdate freezes PC

[kayak334]

Shouldn't that read, "ZoneAlarm on Win98 freezes PC?"

Re:WindowsUpdate freezes PC

[jpkunst]

WTF is Slashdot really hacking my computer?

I noticed that every time after I post something on /. I get a line like this in my web server log:

slashdot.org - - [23/Jun/2005:21:58:59 +0200] "GET http://ask.slashdot.org/ok.txt HTTP/1.0" 404 200 "-" "libwww-perl/5.803"

No idea what it is supposed to accomplish, but I assume that that is what your firewall is complaining about.

(Note: slashcode converted the URL above into a link, obviously the logfile entry is just a plaintext URL.)

JP

Re:Open source

[pintomp3]

when microsoft releases security updates, it's cuz the software is crap. when others do it, it's cuz the software rocks. no double standards here. maybe it's like when girls get naked. if she's good looking, makes it better. if your she's bad looking, much worse. microsoft may be bloated, but needs love just like everyone else.

Well bugger, my bug isn't fixed...

[ChrisKnight]

After taking to Apple tech support about my X11 problem, and having them refuse to help, I guess I'll just have to follow the MS support path and re-install the OS.

The sysadmin mantra lives on: All operating systems suck, they just suck differently.

-Chris

Re:Well bugger, my bug isn't fixed...

Blasphemer! Steve Jobs will slash your tires and take back his Bondi Blue iMac! YOU ARE NOT WORTHY!!!!

Re:Open source

[Rosco+P.+Coltrane]

It's called doublethink. That's because Microsoft is Big Brother you see...

Re:That'll teach you to trust Apple.

[ChrisKnight]

Ah yes, the wisdom of the AC...

If I was 'in my right mind' I'd be living in Fiji taking tourists on scuba tours of the soft corals. Since I'm not, I stay in SF and buy shiny toys; and I maintian the right to bitch about them if they don't work as expected. And I've got the balls to do it with a real login account.

-Chris

Re:Firefox

[drclaw007]

Of course it would have nothing to do with the fact that one of these pieces of software is a (comparitively simple) web browser, while the other is an OS which users expect to run on some dodgy p3 which has been gathering dust in a corner for the last 6 years or so and has millions of lines of code to debug :)

I hope...

[Bad+to+the+Ben]

they continue making progress with the bug fixes. For me, FF is feature packed enough. I'd prefer to see some more work on the update facilities and performance when running on Linux (fix the RAM usage and crashes please). I like FF because it's light, I don't want more bloatware. The FF team need to remember that we can switch back to IE, or to Opera or something else, just as easily as we switched to FF. Many FF users aren't in it to snub MS (they're both free browsers, it's not like they lose money), they're using it cause it's a safer, more stable product. The second that changes, I and many like me go elsewhere.

Re:Open source

[techno-vampire]

Microsoft releases security updates on a regular schedule, rather than as soon as they're created. For all we know, these new patches may have been sitting on the servers at Redmond for over a month before being announced. Not so with Open Source. When a patch is needed, it's developed, tested and released. No waiting for the next scheduled patch release like Microsoft does.

Re:Firefox

[Slashcrunch]

Anyone that claims open source is entirely free of bugs is dreaming and/or misinformed.

The beautiful part is the speed at which critical bugs in OSS are corrected after being discovered.

Change to Windows Update

[fontkick]

One of the things I noticed last week was that Windows Update... had been updated. It's now a new stylized webpage and it works a little differently - in that, it doesn't. My Windows 2000 Pro machine refuses to install anything that's been downloaded with the "new" Windows update. They refer you to the help section if installation fails, and after trying all of the help suggestions I just gave up, nothing worked.

The only thing that does work (for me anyway)is the old URL: http://v4.windowsupdate.microsoft.com/catalog/en/d efault.asp

No telling how long we have until Microsoft disables it and forces everyone over to a new system that doesn't work. I've always liked, or at least tolerated Windows and I've never understood why everyone here *hates* Microsoft. Now I get it. Hopefully someone will find the above url useful if they have problems.

Re:Open source

[NoGuffCheck]

I dont like defending M$, but at least they have "updates" rather than creating a whole new version like Firefox 1.05. Its about time this was fixed, dont you think?

Re:Open source

[StonedRat]

I believe this will be the case from firefox 1.1

This just proves, once again...

[xigxag]

that the Amiga is the most secure platform out there.

Re:This just proves, once again...

[learn+fast]

there is no security through obscurity!

Re:Open source

[bigman2003]

Most of the exploits are written AFTER the patches come out. Most exploit writers just look at the patch, see what it fixes, and then figure out the vulnerability. So the patches don't really need to be released immediately. (This is the practical reality, of course there are others who find this plan to be horrible, but it works for me.)

I really like this once a month patch cycle. I get an idea that maybe they plan the patches a little better, and test them more.

Maybe EA should have done that with Battlefield 2, instead of trying to rush a patch out.

Re:Open source

[gordgekko]

I'll believe it when my open source web browser tells me I have security updates. I just used Firefox's check for updates feature and tells me there are none.

Re:Open source

[man_of_mr_e]

You think so? Check out the patch list for FF 1.05

http://www.mozilla.org/projects/security/known-vul nerabilities.html#Firefox

12 vulnerabilities in this patch, the oldest was created in APRIL! And it's marked as high severity.

The newest we don't know, because Mozilla is keeping it hidden until July 20th, but if you take the Bugzilla report number, and add one to it you can get the bug that was created directly after it, and that was created in MAY!

So yes, Mozilla DOES sit on critical bugs for months.

Re:Open source

[man_of_mr_e]

Out of curisity, what do you consider "quickly"?

http://www.mozilla.org/projects/security/known-vul nerabilities.html#Firefox

Let's look at the most recent vulnerability there, MFSA-2005-56. Unfortunately, the details are being hidden until July 20th. However, we can see the Bugzilla report numbers. The first, 294795, won't let me view it. But if we view 294796, the bug created right after we see it was created on May 19th. Nearly 2 months ago.

Is 2 months "quickly"?

You seem to be blindly making assumptions without bothering to check the facts.

This is NOT evidence that Open Source fixes bugs quickly. If anything, it proves that just like Closed source, they can keep the bugs quiet and sit on them as long as they like.

Fx 1.0.5 fixes and NoScript

Among the other fixes, Firefox 1.0.5 contains a patch to CAPS (Configurable Access Policies) that finally eliminates crashes reported by users of the NoScript extension. This should make Firefox users even more safe: its "whitelist based pre-emptive script blocking approach prevents exploitation of security vulnerabilities (known and even not known yet!) with no loss of functionality"...

Re:Open source

[aussie_a]

/me throws a copy of 1984 at the AC

Hello. 1948 called. It wants it's book back.

Re:Safari now FAILS "Acid test"

[Kyro]

It only passes if you use a nightly. A shipped release has never passed the acid 2 test.

Don't Forget MS Office!

[MrNonchalant]

There was also a high priority update for Microsoft Office in addition to the 3 OS patches. Nothing critical, just updated spam definitions.

Quote:
Update for Outlook 2003 Junk Email Filter (KB895658)
This update provides the Junk E-mail Filter in Microsoft Office Outlook 2003 with a more current definition of which e-mail messages should be considered junk e-mail. This update was released in July 2005.

I'm using the new Microsoft Update (as opposed to Windows and Office separately) and so should you. And yes, according to their FAQ it adds Office to Windows automatic update.

Link: http://update.microsoft.com/

Re:Open source

[Charles+W+Griswold]

So yes, Mozilla DOES sit on critical bugs for months.

Good grief, you're kidding? What a bunch of lazy bastards. When they get a bug report, they should verify it, find the code responsible, fix the code, verify the fix, keep tweaking the code until it passes all of the tests, rebuild the entire code base, and release the fixed version of Mozilla THE DAY AFTER THEY GET THE BUG REPORT!!!

</sarcasm>

In case you hadn't guessed, these things take a bit of time.

Ah, choices.

[Lost+Found]

Today, I sigh in pleasure as I type this message in KDE Konqueror. Glad my browser isn't vulerable to a kitchen full of exotic security holes; taste of the week style.

Oracle Unbreakable

[Donny+Smith]

Oracle Unbearable, perhaps.

They probably have the worst security track record among major databases and yet they get no /. trashing whatsoever. Interesting.

Microsoft sucks because it sucks...

[OwlWhacker]

I can't ever remember anybody saying that "only Microsoft had security flaws". If you were under this impression, this is more likely to be down to a misunderstanding, or some angry pro-Microsoft type trying to give Linux users a bad name.

The point is that Microsoft has vulnerabilities which are usually exploited swiftly. They're usually quite nasty. They're usually in the most popular (bloated) Microsoft software packages. Finally, there's a good chance that patches could cause just as much damage as an exploit. This is what makes people shake their heads about Microsoft security.

Added to this, Microsoft has been working extremely hard - or so we're led to believe, even to the detriment of it's beloved Longhorn - and has spent millions on security. Maybe there have been improvements, but it's still coming out with plenty of nasties after years of this.

And after saying that Windows has better security than Linux, Microsoft is now copying Unix/Linux administration rights. This seems to suggest that Microsoft doesn't see an end to the plague, and that perhaps Linux holds an upper hand in security after all. Not only that, but this is going to make it easier for people to switch to a Linux desktop, after getting used to having to log in as root on Windows for particular reasons.

Thoughtful Analysis!

[Infonaut]

Quit drinking the koolaid, dipshit.
Hey, how'd you know I was drinking Kool-Aid?! Damn, you're a jeenyus!

No sysadmin in his right mind runs OSX.
Brilliant! Can't wait for more! I can tell this is gonna be a fact-filled, detailed primer on what to do right. Give me the straight dope, dude. I'm waiting for it.

Unless he doesn't want *real* support.
Ah, yes. I get it. What you mean is that if you buy Apple products, you won't get *real* support. I don't know what that means or who does provide *real* support, but I guess that's because I'm a dipshit. Damn! I hate when that happens!

Or performance.
I thought Apple hardware was sexy, but I guess it doesn't really "put out" the way other hardware does. I don't need factual comparisons. You're teaching me a lot here. I can't wait to read the next kernel of wisdom.

Or security.
Yeah, OS X is a fucking sieve! If it's not trojan horses it's Mail.app viruses and malware. Every zombie machine out there is running OS X. It's a plague on us all. Fucking Apple!

Or configurability.
I never thought about that, but you're so right. That one configuration fits all XServe sucks major goat ass.

Or standards.
You said it, buddy! I wish Apple would get with the program. I mean, I can run WebStar on OS 8, but why don't they wake up and smell the coffee? It's 1996, and the world is changing. If Apple doesn't wake up, this World Wide Web thing is going to really catch them off guard.

Or a real journaling file system.
That's like *real* support, right? You must mean that HFS+ isn't *real*. I think I'm starting to understand, but you're so brilliant you may have to slow down so I can catch up.

Or real hardware.
Ah, I'm on to you now, you clever sysad, you! This is another one of those "it's not *real*" things. It looks like the hardware is there, doing its job, but it's actually not.

Thanks for clearing this all up, AC. I really learned a lot, and am looking forward to more comments from you. It's going to be tough to read them all though, because you sure are prolific!