Microsoft Patches 19 Flaws, 6 in Vista
Cheesy Balogna writes "Microsoft has just released seven advisories — all rated critical — with patches for at least 19 vulnerabilities affecting the Windows operating system, the widely deployed Office productivity suite and the dominant Internet Explorer browser. Six of the 19 vulnerabilities affect Windows Vista. 'There are patches for 7 different vulnerabilities that could lead to code execution attacks against Word, Excel and Office. Users of Microsoft Exchange are also urged to pay attention to one of the critical bulletins, which covers 4 different flaws. A cumulative IE update addresses six potentially dangerous bugs. There are the six that apply to IE 7 on Windows Vista. The last bulletin in this month's batch applies to CAPICOM (Cryptographic API Component Object Model) and could also put users at risk of complete system hijack attacks.'"
Hm...I guess they leveraged the active synergies to stop the probes but the active hardening failed on the SuperHyperVista3000 edition.
Oh wait, you did expect real security instead of buzzwords?
It takes a man to suffer ignorance and smile
Be yourself no matter what they say
When are we going to start seeing regular Slashdot postings outlining Linux or other free software security patch releases in the same accusatory tone that the monthly Microsoft security bulletin releases bring? No, I'm not trolling, but I'm getting sick of the clear bias Slashdot editors (and most readers) have when it comes to matters of Microsoft.
(I can feel my karma slipping away, but I couldn't take it anymore).
So now Vista is perfect! Great, thanks for the good news.
Jobs must have hacked CAPICON
I used Microsoft Update to download and install the new patches last night. Lo and behold, upon reboot, Mozilla Firefox was no longer my default browser. It appears one of the new patches resets Internet Explorer as the default browser. Easy enough to fix, but why would a patch change a system's default browser in the first place?
If there were almost 20 critical vulnerabilities patched for Linux in one month, I think that would be pretty significant news too. The fact that it has never happened is more to do with either the lack of market share of Linux, or else the bias of the programmers putting more errors into Windows than Linux. Either way, not Slashdot's fault.
:)
Nice +5 troll post though! I will probably save that one so I can use it when I feel like trolling. Hope you don't mind.
I'll probably be modded down for this...
I just did a yum remove Vista ... I'm going to Disney!
Infiltrated dot Net
What's up with the cumulative IE 7 update being 34,70 MB?
It is bigger than the x64 bit version!
09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
Uh...
Did they even QA this thing? The size is huge and now it also stole the default browser setting.
So, who's had their boxen killed by this round?
Hi! I make Firefox Plug-ins. Check 'em out @ https://addons.mozilla.org/en-US/firefox/addon/youtube-mp3-podcaster/
MS throws out a bunch of patches every month, and have been at it for years. It must be a regular event by now, right?
Is that some sort of dig?
When Microsoft releases "critical" patches like this, one of the primary motivations for users, home and business alike, to apply the patches is fear of loss of data if their computer falls victim to one of the new exploits. To "help" users keep their systems up to date, Microsoft has provided the Automatic Update tool. Formerly this tool would insistently prompt the user to reboot once updates had been installed. Recently, however, the tool has taken to rebooting computers of its own volition if it is unable to elicit a user response to its prompting within 5 minutes. What's the big deal? Well, let's say you have just typed up a nice email but want to add a couple more points to it before sending it off, but you have to walk away from the computer for a while. (coffee break, etc.) And when you come back 6 minutes later you find that Windows has terminated all your open programs, lost your email, rebooted, and is now happily chiding away to itself in a little speech bubble about some new updates having been installed. Well, that's fine - install your damn updates, but either do it without destroying my work or wait until I give you permission!
(yes, I lost an email I was writing last night because of this and I'm still a bit sore...)
GET
You'd think sending these GETS to every single web site visited would be unnecessary (since IE can tell if it's connected to IIS, and only IIS is going to have cltreq.asp installed).
I'm guessing they didn't fix that one?
Here, this is probably the article you had in mind:
"Microsoft has just released seven dominance advisories -- all rated critical -- with dominance enhancements for at least 19 dominance threats affecting the world's premier and most popular Windows(R) operating system, the widely deployed superior Office productivity suite and the most dominant Internet Explorer browser. Six of the 19 dominance threats affect Microsoft's latest and most exciting offering, the Windows Vista Operating System. 'There are dominance enhancements for 7 different domination points that could otherwise lead to unplanned code execution in the most popular word processor of all times Word, the most powerful spreadsheet application Excel and of course spectacular Office. Users of Microsoft Exchange the kick-ass central hub of Information Technology are also urged to pay attention to all of the critical bulletins, which cover 4 different dominance features. A cumulative IE dominance update addresses six potentially cool features. There are the six that apply to the dominant IE 7 on the hugely popular Windows Vista Operating System. The last bulletin in this month's batch apples to the widely acclaimed CAPICOM (Cryptographic API Component Object Model) and could also put users at risk of complete system dominance violations.'"
What I want to know is why they keep changing my default browser with updates. That really irks me and doesn't seem right. My computer had downloaded, installed, and rebooted updates last night for me to find an update message when I logged in. I open up firefox to do my morning necessities, and sure enough .. "is not your default browser, would you like to ..".
Argh!
Ok, here's what's bugging me: 6 out of 19 holes are still present in Vista. That means that, in developing Vista, they removed at least 13 holes. My question: was that an accident? If those 13 holes were identified as critical vulnerabilities during Vista development and fixed, then they should have been patched in XP too. If they were accidentally fixed by more broad changes in Vista, then I guess you can see that as good, but it still calls into question MS's ability to audit code.
On the other hand, if the rewritten portions of Vista removed 70% of the critical holes, that's pretty good. They might have been working on the right modules.
You have just been raped by our new improved IE7. Look out for more exciting features with IE 8
>Switching to Firefox
Wait...hang on..I may have something in the back
Windows Incrediblizer patch for IE7.
>Whatever...wait..Firefox is no longer default
You have just been raped by our new improved and patched IE7. Look out for more exciting features with IE 8
>Remove IE7
Wait...wait...Deleting Firefox. Installing back orifice..
>Aghhhhhhhhhhhhhh!
Actually, the summary was incorrect regarding Vista: at least one of the vulnerabilities in question ("Uninitialized Memory Corruption Vulnerability CVE-2007-0944") is not present in Vista, and contrary to the summary's implication, only two out of the Vista vulnerabilities (CVE-2007-0945 and CVE-2007-2221) are rated critical.
Not, of course, that this excuses MS in any way (two is still two too many), but the summary was still rather misleading.
What's purple and commutes? An Abelian grape.
So yesterday the little popup comes up and tells me there are updates to my (PHB's) Operating System available. I let it download & install them, and the final dialog box comes up: "You have successfully Updated Your (PHB's) Computer (YAAY!)"
Now it won't go away. The popup comes back up after about 30 seconds to tell me there are updates available for my (PHB's) computer, I've run through the installation about a dozen times, now, and still, there's the little popup, telling me there's an update available for Internet Exploiter 6. (Which I _won't_ use, anyway. Of course I use Firefox.)
So bye bye, automatic updates, since you're now borken enough to nag me to do something which I've already completed.
M$hit#$^&*]!*^%R$^&*@
Why does the author describe them as 'flaws' rather than bugs, or vulnerabilities if they concern security.
I think your current score (+4, Insightful) dispels the myth once and for all of some magic "Slashdot bias" that people continually complain about (and get modded up for). If anything, I'd say there's a clear bias on Slashdot IN FAVOUR OF Microsoft.
Endless arguments over trivial contradictions in books written by ignorant savages to explain thunder in the dark.
You're not really making a point about bias. Everything you said can be true and you could still be biased against the company. All you're really stating is the reason you are biased against Microsoft. A more honest answer would be; we think our bias is justified, instead of; they suck, what bias??? In all likelihood you know you're biased but you think making a good point against MS will convince biased readers that any other point you make is true. There's not necessarily anything wrong with being biased against MS. But it is silly for people to pretend they aren't when it's so obvious. Now let me tell the dumbest MS joke I can think of so I can get kudos.
Indeed, none of the flaws were in Vista itself. If I'm reading the bulletin correctly, all of the flaws were in IE7, which was developed quite independently of Vista.
One of our developers installed these patches and I am currently rebuilding his box, everything from scratch. His system went on a chkdsk after the updates and eventually, BSOD. p!$$3d
"Six of the 19 vulnerabilities affect Windows Vista"
So ??? How is this relevant to anyone ? Nobody uses Vista !
Slashdot is kind of like Playboy; we aren't here to read the articles.
Hi. Over on Groklaw, the article http://www.groklaw.net/article.php?story=20070422083715451
describes a possible attempt to lock in users when using the inbuilt Vista burning software. It appears that the inbuilt default is to use a version of the UDF file system rather than mastering software, and the author cited claims that it is yet another lock-in attempt by Microsoft.
In the Wikipedia article "Criticism of Windows Vista" http://en.wikipedia.org/wiki/Criticism_of_Windows_Vista, there is an attempt by Microsoft fans to rubbish this fact.
Does anyone know if the 6 Vista vulnerabilities are stopped by protected mode (UAC)? I'm curious if protected mode is working as designed, and the KB article doesn't make a note of this.
So you work for the New AT&T then?
Help stamp out iliturcy.
Only 1 of the 6 bugs that affected Vista was rated "critical". (Critical is typically reserved for bugs that could allow somebody to remotely take over the machine.)
In the case of the one bug that was rated critical, the rating was dependent on several mitigating factors, including that the user running as full admin with UAC turned off. (Obviously not the default configuration.)
Only in that scenario could the machine be compromised, and even then the successful execution of exploit code was unlikely thanks to ASLR and various other security measures. It was far more likely to simply cause a browser crash.
Considering Vista has been out since November of last year, its security record so far has been extremely impressive.
I don't mean to troll and I'm not necessarily disagreeing with you about a bias, but I tend to think of Microsoft vulnerabilities and patches to be more important than the Linux counterpart.
It's not my intention to imply Linux has fewer security bugs/holes/etc, because I haven't done any research in that regard.
What I am saying is that Microsoft dominates the market; so therefore a Microsoft vulnerability and patch are more newsworthy than one in a more obscure piece of software, in my book. I'm not talking about "quality" of a vulnerability in terms of criticality, I'm talking about the quantity of systems around the globe that will be affected by the article's 19 "flaws".
Once again, no research here, I realize there are probably many more *nix systems out there than I realize, but if I walk down my street and ask every neighbor what they're running, I can almost assure the majority are running Windows.
With this kind of bait their browser will eventually find the kind of fish it's trolling for: sharks.
...The number of Windows/Office/Exchange/Outlook/IE/whatever vulnerabilities/patches over time?
That seems the only way to prove or disprove the "this is the most secure version ever" claims that always accompany an upgrade.
And you base that assessment on what, exactly? Can't be historic trends AFAIK.
There is principally no evidence either way.
= Ch =
Insert
that claimed Vista had no bugs rated Critical?
Tell me again how Microsoft security has improved...
Suckers.
Richard Steven Hack - This sig is TOO GODDAMN SHORT TO DO ANYTHING USEFUL WITH! MORONS!
It's clearly calling the world's body of Street Fighter fans a batch of fruits.
See, when one spells CAPCOM that way, they're obviously looking for trouble.
You can hold down the "B" button for continuous firing.
You have listed my fondest dream: To be part of an abusive monopoly that replaced the abusive monopoly that I hated when I was a young college student....*sigh*
You could still get in on the ground floor -- I hear Google is hiring.
"Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
This is silly. Things can have hard dependencies on each other without being the same thing. IE7 can run on Windows XP as well as Windows Vista, hence IE7 and Vista are not the same thing. IE7 may be required for various parts of the Vista shell to work, but that doesn't mean that they aren't separate code bases built by separate teams. My server product may require SQL Server, but that doesn't mean that a bug in SQL Server is a bug in my product.
I've had it up to here with Microsoft's automatic restart after a system update. Last night somebody was sending me a 1 GB file via Skype. It was halfway done when I went to bed. In the morning, my computer had restarted. All the transferred data was lost. As soon as I get my wireless card working in Ubuntu, I'm gonna wean off Windows forever.
Even for Slashdot this is getting pretty annoying. Wow, a security hole in a multimedia oriented OS with millions of lines of code that is target #1 for virus makers and hackers. No way!
You could serve the .dll easily enough... somebody will be serving up BackOrifice in an identically named .dll sometime soon, I'd imagine...
.dll objects on the fly.
As for duplicating the functions, you might be able to do it with Apache::ASP or something similar, but you'd have to do some reverse engineering and hope it didn't do any inherently evil ActiveX tricks. Might be more effort than it's worth, given that there are already plenty of discussion board systems that don't require downloading
The patch for IE 6 SP1 fails, but it does so quietly: keeps reappearing in the update list even after it's allegedly been installed. My only recourse was to finally disable and ignore that update to keep it from reappearing. This is the second time this has happened with an IE 6 SP1 update.
Bravo!! This shows how dedicated they are to their customers by finding and patching security exploits on a monthly basis, wait, did you say Microsoft? I meant to say, this shows how inept they are, how little they care for their customers, etc.
The article submitter needs a reality check. Today IE7 (which is lucky to get 7 critical patches on Vista) is not by any stretch of mind the dominant browser. IE7's use, today, is dwarfed by both IE6 and Firefox.
'Cuz that's all the Windows I got!8-))
Lars T.
To the guy who modded me down from perfect to terrible Karma - Apple haters still suck
This wouldn't happen if you were using a good email program. If you're writing an important long email you need at least a local and a network backup... GMail, for example, automagically saves a copy of the email you're writing in the "drafts" folder every 30 seconds or so.
GMail also handles gracefully the 2GB+ of emails I've got... Something I couldn't manage to have Outlook do reliably.
For that matter of course you may as well decide to use an OS on which you decide when it reboots.
The vista patches are all just to disable the one-click activation hacks that are circulating.
I am government man, come from the government. The government has sent me. -- G.I.R.
Last I checked, entering (5+1=) into (only) the Vista calculator was enough to crash it. Not exactly critical, but I wonder whether they've fixed it by now. I did report it.
I worked with a guy whose .plan file was a symlink to /dev/zero. I guess he didn't want to be finger-ed by anybody.
OS X has an actual update application. It checks for updates as scheduled. If it finds them, it stays open, and tells you that there's updates available without stealing the focus. It's obvious, not hidden in the system tray that, on Windows, defaults to auto-hiding icons after a while.
Not to be particularly argumentative, but I have had a few problems with Software Update maintaining the schedule I have set it to; I checked my update settings just after reading this post, and found that the system hadn't checked for necessary software updates in nine days, despite the setting being clearly set to weekly; usually, my system uses a dial-up connection, as it does now, but two days ago, at the week mark in question, the system was connected to a broadband connection and should have been able to initialize the update, but didn't. Despite this, however, I will say that Software Update is very good, though it is imperfect.
That said, I would also like to state that I agree with your opinion that OS X's update process is far superior to Windows' Automatic Update. With the Windows update, I am never sure exactly what I'm updating as the descriptions are never particularly clear (they tell you a lot, but you have to know exactly what the issue is about to understand the descriptions), whereas with the Mac OS, the descriptions are short and to the point, requiring no prior knowledge of the issues involved. Secondly, the update process in Windows is almost completely hidden, whereas on the Mac, I can monitor the entire process as needed. The Mac OS's options are also more flexible and reasonable than those in Windows -- my options allow me to always check manually, check automatically but don't download anything, and check automatically and download whatever is necessary, but the system will never automatically install anything until I order it to do so. I agree with a number of posts which have stated that it is absolutely inexcusable for Windows to automatically install anything without first receiving explicit permission from the user, or to reboot without first asking the user's permission.
The only thing gayer than Linux is Linus Torvaldi or whatever his gay name is. Linus... rofl.
I maintain a mixed Linux and Windows network. The Linux boxes run Debian. There are quite often updates to install from the Debian security repository, and there are quite often patches from Windows Update. However, when I update the Debian boxes, I've only ever once needed to reboot the system and that was due to a kernel upgrade. I sometimes need to restart individual services, but this is much faster than a full system reboot.
Microsoft makes matters worse by lumping several fixes together into one patch. When I'm installing Debian updates, I can see what's being patched and thus what I need to restart to load the new version of the code. With Windows, all I see is "After you install this update, you may need to restart your computer." May need to restart?
The practical effect of this is that the updates to the Windows systems are more disruptive than the updates to the Debian systems. With the Debian systems, I can tell what the impact will be before I commit myself to installing the updates, and usually only a small part of the overall service of the system is disrupted. With Windows, invariably a full system restart is needed so I must always run them outside of office hours, which eats into my spare time and costs my company money. Most Debian updates are done without the users even noticing, because I can tell before I run them that none of the services they depend on will be impacted.
It is the fact that Windows updates are far more disruptive and annoying than GNU/Linux updates that causes Windows' updates to get a lot more press.
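The comment above says that on Debian you can tell before installing an update which services will need a restart. An added example (not from the original comment, and not the debian-goodies checkrestart tool, though it uses the same idea): after a security update replaces a shared library, the kernel marks the old, unlinked copy "(deleted)" in the maps of every process that still has it mapped, so scanning /proc/*/maps shows exactly which running daemons are still executing the old code. The sample maps content is constructed, not a real capture, and the `--scan` flag is this script's own convention.

```shell
#!/bin/sh
# Added example: find processes that still map a shared object whose file on
# disk has been replaced by an update, so only those services are restarted
# instead of rebooting the whole box. Assumes a Linux /proc filesystem.

# stale_libs: read /proc/<pid>/maps on stdin and print each distinct shared
# object that is mapped but whose backing file has been unlinked (the kernel
# appends "(deleted)" to the path in that case).
stale_libs() {
    awk '$6 ~ /\.so(\.[0-9]+)*$/ && $7 == "(deleted)" { print $6 }' | sort -u
}

# stale_pids: print "PID COMMAND" for every running process that maps at
# least one deleted shared object. Run as root to see all processes; maps
# of processes you may not read are silently skipped.
stale_pids() {
    for maps in /proc/[0-9]*/maps; do
        pid=${maps#/proc/}
        pid=${pid%/maps}
        if [ -n "$(stale_libs < "$maps" 2>/dev/null)" ]; then
            printf '%s %s\n' "$pid" "$(cat "/proc/$pid/comm" 2>/dev/null)"
        fi
    done
}

# Constructed sample (not a real capture) of what /proc/<pid>/maps looks like
# for a daemon started before libssl was upgraded: libc is still the on-disk
# file, the two libssl segments point at the unlinked old copy.
sample_maps() {
    cat <<'EOF'
00400000-0047f000 r-xp 00000000 08:01 131074   /usr/sbin/sshd
7f3a10000000-7f3a101a0000 r-xp 00000000 08:01 263812   /lib/libc-2.3.6.so
7f3a10400000-7f3a10580000 r-xp 00000000 08:01 263900   /usr/lib/libssl.so.0.9.8 (deleted)
7f3a10580000-7f3a10780000 ---p 00180000 08:01 263900   /usr/lib/libssl.so.0.9.8 (deleted)
7f3a10900000-7f3a10901000 rw-p 00000000 00:00 0        [heap]
EOF
}

# Stand-alone use: "--scan" checks the live system; otherwise show the sample.
if [ "${1:-}" = "--scan" ]; then
    stale_pids
else
    echo "Sample daemon still executes the old copy of:"
    sample_maps | stale_libs
fi
```

On a real system, `sh thisscript.sh --scan` run as root after `apt-get upgrade` lists the daemons to restart; anything not listed can be left running. A process whose main binary (not a library) was replaced shows up the same way if you drop the `.so` test in the awk filter.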
Come on guys, is it really news every time Microsoft patches a new security flaw in Windows? When are we going to see the weekly Slashdot articles about the Linux security patches?
https://rhn.redhat.com/errata/RHSA-2007-0338.html
http://support.novell.com/linux/psdb/bydate.html
http://www.debian.org/security/
http://www.slackware.com/security/list.php?l=slackware-security&y=2007
"Thanks for providing the information on the updates you installed before experiencing the Firefox default browser prompt. We did a thorough investigation and have tracked down the cause of the issue. Before I explain the actual cause, I do want to let you know that we also determined that at no time did Firefox ever stop being the default browser on the machine. It mistakenly thought it was no longer the default and prompted users, but every entry point that triggered the default browser would still launch Firefox.
This issue is actually the result of a change in Firefox (added in Firefox v 2.0.0.2) and how it responds to Office changing a Windows registry key during the updating process. Whenever Office updates, it also verifies that many supporting registry keys are set to expected values (this is the same action that occurs when you use the Detect and Repair functionality in Office). The modification of registry keys during updating has happened throughout the lifecycle of Office 2003, and the Outlook Junk Email Filter delivered via Microsoft Update this month triggered this issue simply because it was the first update of Office since Firefox 2.0.0.2 became available, not because this specific update did anything differently.
On the basis of your report, the Office team has worked with Mozilla and believe they've arrived at an answer that will address the issue. The Mozilla folks have told us that the change will be in an upcoming version of Firefox, and it is tracked in this bug report on the Mozilla site. Thanks again for bringing this to our attention. Your blog was the trigger of the investigation and we're all glad we were able to find the solution so quickly."
Gary Schare
Director, Internet Explorer Product Management at Microsoft