Microsoft to Release 6 Security Updates Next Week
An anonymous reader wrote in with an article that leads: "Microsoft will release six groups of security patches next week, including three critical updates for Windows and Excel users. The critical updates will fix bugs in many different versions of Microsoft's products including the latest versions of Excel, Windows XP, Vista and Windows Server 2003, Microsoft said."
... at least now we will be safe!
Man bites dog is news. This is not exactly news.
Anyway, now we have an *entire* week to speculate about how this amazing event will turn out, a la iPhone.
This shows the importance of a good NAT firewall. However, it'd be interesting to know whether the user must click Allow on a lot of UAC warnings first to be compromised, or whether it comes through clean, since this is supposed to be one of the main benefits of Vista. UAC works reasonably well for me; it's just annoying when stupid companies like ASUS ship "Vista Ready" CDs in the box that have unsigned code that generates a lot of warnings.
"Online criminals have used flaws in Excel and other MSFT Office products in limited attacks"
2nd best line "Typically the attacker will e-mail the victim a maliciously encoded Office attachment."
So - the entire thrust of security boils down to DON'T OPEN ATTACHMENTS YOU ARE NOT EXPECTING, EVEN FROM 'TRUSTED' SOURCES.
Microsoft Patch Release Announcement
(Slashdot Standard Form #97)
Microsoft will release [$COUNT] security patches
[ ] Today
[ ] Tomorrow
[ ] Next Week
[ ] When they goddam say so
Including [$NUMCRITICAL] critical updates for
[ ] Windows
[ ] XP
[ ] 2000
[ ] Server 2000
[ ] Server 2003
[ ] Vista
[ ] Linux (..sorry, just kidding!)
[ ] Word
[ ] Excel
[ ] Access
[ ] PowerPoint
[ ] Bob
[ ] Internet Explorer
[ ] Outlook
[ ] Outlook Express
[ ] Exchange
[ ] DOS 6.22
[ ] All of the above
A spokesperson said "We take a very serious view of our responsibilities to ensure that the Microsoft computing experience is safe and secure for all our valued customers - and these updates show our commitment to that goal."
When what they really meant to say was...
[ ] Fsck, we just found some more stuff we missed during beta testing.
[ ] We never thought someone would try THAT
[ ] Yeah, we were kinda hoping we could keep that one quiet but then some geeky, long-haired nerd had to go and post about it on teh Internets.
AT&ROFLMAO
only if the dog dies.
Does everyone here secretly run Windows systems, or is this another MS-bashing opportunity? Can we have security fixes released for the Linux kernel published too, please? I think that might be more relevant for the practical purposes for which this article was no doubt published...
I mean, Christ, it's almost like everyone here hates Microsoft or something!
Wait a minute....
throw new NoSignatureException();
(Slashdot Standard Reply #42)
This doesn't affect me because I run
[ ] OSX
[ ] Linux
[ ] Multics
[ ] CP/M
init 11 - for when you need that edge.
why is there an article about patches anymore? Everything gets patched... Windows / Linux / OS X / a few hundred thousand applications that run on them.
Slashdot all the news about iPhone and patches that you have ever dreamed of....
I am with Linus on this one.
We'll see the hacks on auction next week!
Profit!!!!
When I start Windows Update it informs me that it needs updating. Attempting to do so leads to a carped update with some error code. In short: Without the "improved" version of the software no more Windows update for me and since getting the "improved" version fails to install in the first place...
This seems to be a known problem for which there doesn't seem to be a fix yet. And no! Re-installing the OS is not an option since this toasts my Ubuntu partition.
Microsoft is a company that pisses me off more and more on a daily basis. Thank you for listening.
I am the musician
with calculator in hand
Kraftwerk
One of the joys of working for a big company is the splendid way in which a large patch distribution nails network bandwidth and pulls down every machine in the office while it is installed. I'm not sure who's at fault here but they sure ain't the sharpest tool in the box.
Could be because a large portion of Slashdot's readers are sysadmins and chances are that many of them are administrating Windows machines at work?
[ Slashdot Standard Comment #69 ]
See? That's why I run:
[ ] Linux
[ ] Mac OS X
[ ] OpenBSD
[ ] FreeBSD
[ ] NetBSD
[ ] Darwin
[ ] Herd (not yet implemented)
[ ] Windows, but without administrator privileges
Of course, this wouldn't be a problem if stupid users wouldn't:
[ ] Open attachments
[ ] Click on every popup offering malware
[ ] Install P2P software for Windows
[ ] Surf untrusted sites
[ ] Download 'porn viewers'
[ ] Always click 'Ok' or 'Allow'
[ ] All of the above
This is why people need to run:
[ ] A good NAT hardware firewall
[ ] A good software firewall
[ ] A good antivirus tool
[ ] A good antimalware tool
[ ] Switch to [$FAVORITE_LINUX_DISTRO]
[ ] All of the above
My blog
This just in...
The sun will be rising in the east today and setting in the west. We will continue to cover this breaking news as more details come to light.
is the solution. That way, you can concurrently run Windows in a window on Ubuntu and you can recover the wasted Windows disk partition too, using ntfs-3g. Actually, when using an emulator, Win98se works even better than Expee and since you won't be using any of the internet 'features' of Windows anymore, the vulnerabilities won't affect you, while making backups of Windows becomes a breeze using tar. With Windoze on Qemu, you don't need to bother updating it anymore either - it just keeps on working.
Excuse me, but please get off my Pennisetum Clandestinum, eh!
> ... including ... Vista ...
That's what I thought you said. At least now we know that moving from XP to Vista is not a security upgrade. So much for the oh so secure new OS, I'm sure it's worth every penny I saved not getting it.
I'm thinking about migrating to DOS 6.6. I have no idea how secure it is, but I'm pretty damn sure nobody's trying to exploit it.
"I may be synthetic, but I'm not stupid." -- Bishop 341-B
C'mon, post up your standard replies about how we're bashing poor Micro$oft, how every system has gaping holes just like Micro$oft, how if Linux or Mac was king of the hill they would all be as bad off as Micro$oft, and don't forget the 'it's getting better all the time' mantra.
Security is not an issue; I'm not running a virus or spyware scanner here because it steals away precious resources from my music software. Learning Linux is not even an issue; you'd have to convince the corporations making the gear I use to switch.
Or, alternatively, don't use MS Office? o_0 But don't open attachments you are not expecting works too.
which is totally what she said
Whether you need them or not.
There will *always* be security updates. Unfortunately, bugs in programs are inherent to how we write programs. Sure, there is plenty people could do: a functional programming approach, better coding practices, et cetera. But a few more bug fixes just isn't news. Hell, Linux and Mac OS X have bug fixes all the time too, but they rarely hit Slashdot's front page.
There, fixed that for ya'.
Also, if you have DOS 6.22 you ought to have Win9Xs, too. At least (ugh) WinME.
And UNIX proper.
I run on beans.
Nerd rage is the funniest rage.
How did this troll ever get insightful?
So why don't we hear about all the Linux security patches?
Yes, Linux is more secure than Windows. We know that.
That doesn't mean that we can rest easy on Linux Security. We must never for a moment think that even with Linux we are ever completely safe. As long as any computer has power to it, it has a security risk, but I'd like to present an alternative way of thinking about it.
Linux must not only be better in security, but better in capability.
I know that, design-wise, OpenLDAP/Kerberos/Samba/FreeRadius/AFS will produce a far more secure network infrastructure than Active Directory will. But that combination will not produce as capable an infrastructure as the real ADS. The worst security vulnerability Linux could have is the security vulnerability produced when an organization chooses Active Directory on Windows over Open Directory on Linux.
If you want to change this, contribute to OpenLDAP, to Samba, to FreeRadius, and to Kerberos. Let's make Open Directory not only more secure than Active Directory, but outright superior.
Aside from the Windows machines I have to administer at work, I care because I'm a gamer. Like it or not, Linux does not have terrific support for modern gaming. Yes, I know - WINE and Cedega - I've tried them and they just don't do a good enough job. I run Linux at home as my primary machine, but I also have several gaming PCs running Windows.
"Work is the curse of the drinking classes." -Oscar Wilde
This being news is like saying "today is Friday" is news. In other news, today is also the 6th of July, not to mention grocery day. More at 11.
The real point is why is this considered news that needs to be released to /. ?
They have released this quantity of patches before...
Often...
This is like walking outside and exclaiming in surprise, "Look everybody! There's still air out here!!!"
Imagine all your PCs have their own IP address (a scenario more likely if you have IPv6). You can put a firewall where your NAT used to be and have all the advantages of NAT and none of the disadvantages. NAT is an ugly hack which, by pure coincidence, turns out to have some firewall-ish features.
10 ?"Hello World" life was simple then
> So why don't we hear about all the Linux security patches?
Because companies never use Linux for anything important, so the Linux servers don't really have to be patched.
That's right, the mascara snake. Ah, Trout Mask Replica, that was a great album.
"Excel, XP, Vista, Server 2003..."
I know, this shouldn't affect me, but it still boggles my mind (a little) that we need security updates for a SPREADSHEET APPLICATION. An OS? Server software? Sure. But Excel? It's a sad commentary on Microsoft's software that such a thing is necessary.
$nice = $webHosting + $domainNames + $sslCerts
Microsoft update contains a buffer overflow that could allow an attacker to run code of their choice on a user's system. Temporarily fixed by moving to an unsigned long long int addressing space, now supporting up to 1.8e19 updates (note to self, revisit this in three months).
Hmm, so this means we have a free week to use these exploits.
I am no windows programmer, but I always wondered, if you were going to make some malware program, couldn't you map the OK button to cancel and the cancel button to OK? That way if the user tries to press cancel they end up running whatever code you wanted them to. I am probably missing something here because if that was possible it would probably be done already.
This kind of crap will never be news. People who find this information important will without a doubt find it handy, but to the folks here at /. and like sites, it's just feeding a needless fire. Yes, we collectively hate Microsoft. I don't particularly care for them either - but at the same time, -every- OS releases patches, frequently. Some of them may break things. Some of them may fix things. No OS is spared from the same kind of crap that happens to any other OS, so why does everyone have to put MS on the dart board every time they want to patch the OS tons of people use? I'm not sticking up for them by any means - it's tiring to hear, though. I would probably get replies of "then you should leave!" or something witty in retort, but maybe I'm not the only one that feels this way about MS news in general. It's truly no different than when a patch comes out for our beloved Linux kernel or some far-fetched news about an OS X patch is released - it will just become an ass-kissing fest instead of a crucifixion ceremony.
space is pretty cool.
Change is certain; progress is not obligatory.
I just a massive shit this morning.
Really, why is this news? Microsoft software having security vulnerabilities? A patch is going to be released on Patch Tuesday? Wow, what a shock.
Why not just go ahead and say what Ballmer had for lunch.
[] AmigaOS!
And any self-respecting Windows sysadmin will know that next Tuesday is Patch Tuesday and that PT (2nd Tues of every month) is when security updates are always released (except for emergency updates released out of cycle, but those are very rare).
So if you're a sysadmin, this is not news--well, at least, this should not be news.
Second, if you're a sysadmin who administers many Windows machines and knowing the number of updates is somewhat important, then you should already know that Microsoft posts announcements about upcoming PT patches a week in advance and you should already know exactly where to see such announcements. You most certainly do not need /. to tell you 24 hours after the fact.
Finally, only 2 of the 6 updates apply to WinXP. Others apply to Vista, Office, Publisher, and other products.
... The only Vista bug that I can see in this bulletin is "Moderate", not "Critical". That's because there are multiple levels of protection, kinda like those in OpenBSD and SELinux. Remember, NSA had a say in Vista's design. There is Mandatory Integrity Control (something not widely known; I believe it's separate from UAC and is mostly under-the-hood stuff), Address Space Randomization, buffer guards, low integrity for IE, reduced privileges for services, nothing can escalate without an in-your-face irritating UAC (Union Aerospace Corporation, anyone?) prompt, and of course lots of pixie dust I can't talk about. So in case there's a buffer overflow (take the ANI bug for instance), there are a few layers of mitigation that seem almost unbreakable *AT THIS TIME*. I have yet to read news about a pwned Vista box. I'm sure it's possible that some clever guy somewhere will write an exploit that dodges all that stuff, but it obviously is taking much, much longer than with any other OS, except, of course, for OpenBSD (kudos there) :) . Of course there will be bugs in legacy code that are still there. But layered security and systematic elimination of bugs work.
Microsoft *did* hire some of the best security experts available lately. And I can say it shows. At least now I feel not very scared to use IE when I have to.
Then of course, everyone loves "Free Games!!!11eleven", mushy-mushy desktop pets, free trial CDs, free money from your late uncle from central Boozemania or whatever. If your user account gets pwned, and your user has access inside the network of your company, you're toast no matter what OS you run.
> "Yes, Linux is more secure than Windows. We know that." - by Zombie Ryushu (803103) on Friday July 06, @09:25AM (#19766327)
... & it does NOT account for things like firewalls of ANY kind, or antivirus, but it is STILL a damn good test!
Hmmm, I know OTHERWISE!
You see, I have challenged *NIX users here @ SlashDot repeatedly in this multiplatform test, downloadable in a minute's time & installable in a minute's time as well, & to run the test takes at most, 1 minute as well!
(I would like to see Linux &/or BSD takers on this test, & MOST hopefully, I would like to see SELinux kernel hook addons for MAC (mandatory access control), which is a feature taken after Windows no less in its security, on ACL (access control lists))...
Still, 12 times now? Nobody here, or on other Linux sites has surpassed my score on CIS Tool 1.x, which is downloadable here:
Fact is, I made this challenge 12 times now on slashdot... no takers - plenty of evaders though.
E.G./To Wit:
I have achieved a CIS Tool (The Center for Internet Security) 1.x score of 84.735 of 100, here:
http://img.techpowerup.org/070618/APK14SecurityPointsCISToolResult84735.jpg
& THIS IS THE ROADMAP TO ACHIEVE IT (a "how-to" guide for Windows users, since everyone ought to know this stuff today imo, especially today/nowadays):
http://forums.techpowerup.com/showthread.php?s=c8c5745a8042c4b2d9c2f29c47ed57bd&p=375355#post375355
(CIS Tool 1.x is from the CENTER FOR INTERNET SECURITY & the tool IS multiplatform, & runs on various *NIX derivatives (Linux/SELinux kernel hook addons for MAC (Windows-like ACL), Solaris, BSD variants (sorry, no MacOS X version yet, but that's just a clearcut case of MacOS X having less software really than Windows does))...
So, bottom-line:
All I can say is, for all the *NIX user's 'bluster' of "Windows is less secure or less securable than (insert *NIX variant here)", it's all F.U.D. & Hooey... pure b.s!
Show me otherwise!
Take your *NIX variants, & beat that score... put your monies where your MOUTHS are!
(... Yes, you can TRY to "undermine/lessen the value" of my using a std.'ized test such as this one, but if you don't beat my score on it? Well... The Linux PENGUIN imo, ought to be a chicken... & the "BSD DEVIL" runs when the Win32 Angel comes around... prove me wrong!)
If you somehow do? Great...!
I mean that, because I would like to discuss your scores + how you achieved them on your *NIX variant, & the test only takes a minute to download/install/run!
I want photo proofs thereof though (I won't accept less than photo proof as I provide, sorry)!
We can ALL grow/gain here, especially HOME USERS of both types of OS (SELinux & OpenBSD/FreeBSD are ones I'd like to see here the most though, because they are touted as the "MOST SECURE" of the *NIX genre, even from Linux folks I challenged, but did not get beaten by in terms of this test's ratings system)...
HOWEVER, like any software? I have spotted "minor errors" the test makes, & I can prove this (from a Windows stdpoint no less, based on registry data &/or use of secpol.msc where it downscores myself, perhaps you NIX nuts can find the same)
Thus, because I KNOW there are tiny errors (3-4 in this program)? I know my actual security rating's higher than my photo (84.735) too, based on that fact...
APK
P.S.=> The point is to compare & discuss this here... care to take a challenge, NIX nuts? apk
Lately, it's been plain old buffer overflows. Something has to read the *.doc file. Reading files is not hard, unless you need to avoid crashing on corrupted documents. (crashing means exploitable)
Microsoft does not have a monopoly on plain old buffer overflows.
Something has to read the *.doc file. Reading files is not hard, unless you need to avoid crashing on corrupted documents. (crashing means exploitable)
Open up an OpenOffice file as a zip file. Look at the XML. Scramble it a bit. Zip it all up again. Watch OpenOffice crash. Write an exploit.
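The point above (a reader that trusts length fields from a corrupted document crashes, and a crash is a candidate for exploitation) in working code. This is an added example, not code from the thread or from OpenOffice/Microsoft: the record layout is constructed here, and the function names are hypothetical.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed record layout for this example (not a real .doc/.odt structure):
 * a 2-byte little-endian text length, then that many bytes of text.
 * A naive reader would memcpy `len` bytes straight from that field and
 * overflow its destination on a scrambled length; the reader below does not. */
enum { REC_OK = 0, REC_TRUNCATED = -1, REC_TOO_LONG = -2, REC_SHORT_HEADER = -3 };

/* Hardened reader: the length taken from the file is checked against what the
 * buffer actually holds and against the caller's output capacity before any
 * copy happens. `out` is always NUL-terminated on return. */
int read_text_record(const uint8_t *buf, size_t buflen, char *out, size_t outlen)
{
    if (outlen == 0) return REC_TOO_LONG;
    out[0] = '\0';
    if (buflen < 2) return REC_SHORT_HEADER;          /* header itself is missing */
    size_t len = (size_t)buf[0] | ((size_t)buf[1] << 8);
    if (len > buflen - 2) return REC_TRUNCATED;       /* file claims more than it holds */
    if (len >= outlen) return REC_TOO_LONG;            /* would overflow the destination */
    memcpy(out, buf + 2, len);
    out[len] = '\0';
    return REC_OK;
}

/* Three constructed inputs: a well-formed record, one whose length field was
 * "scrambled" to 0xFFFF, and one that is legal but bigger than the caller's buffer. */
static const uint8_t good_rec[]  = { 0x05, 0x00, 'H', 'e', 'l', 'l', 'o' };
static const uint8_t scrambled[] = { 0xFF, 0xFF, 'H', 'e', 'l', 'l', 'o' };
static const uint8_t big_rec[]   = { 0x08, 0x00, 'a', 'b', 'c', 'd', 'e', 'f', 'g', 'h' };

int check_good(char *out, size_t n)      { return read_text_record(good_rec, sizeof good_rec, out, n); }
int check_scrambled(char *out, size_t n) { return read_text_record(scrambled, sizeof scrambled, out, n); }
int check_big(char *out, size_t n)       { return read_text_record(big_rec, sizeof big_rec, out, n); }

int main(void)
{
    char out[8];
    printf("good: %d text=%s\n", check_good(out, sizeof out), out);
    printf("scrambled length: %d\n", check_scrambled(out, sizeof out));
    printf("too big for buffer: %d\n", check_big(out, sizeof out));
    return 0;
}
```

The same two checks (declared length versus bytes present, and declared length versus destination size) apply to every length, count or offset read from an untrusted file, whether the container is OLE or a zipped XML bundle.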
Re-installation is not an option because the restore DVD is totally binary. You can flatten the whole thing or not, and I'm not inclined to obtain a dodgy pirate copy of software I paid for. I downloaded Windizupdate and gave it a shot. I should see after Tuesday.
Anyway, there's really not a lot that Linux can't do for me at this point in time. So I may flatten it in the end, maybe not quite in a way which Microsoft deems desirable.
Anyway, thanks everybody. People stepping in and trying to be helpful is sure one of the powerful things of /. even if you're so frustrated and agonized by the procedure that you're beyond seeking help :)
try this
http://windowsupdate.62nds.com/