Slashdot Mirror

← Back to Stories (view on slashdot.org)

New Critical Bug In All Current Windows Versions

Posted by timothy on from the innocent-whistling-sound dept.

Trailrunner7 writes "Microsoft is warning its users about a dangerous flaw in the way that Windows handles certain MHTML operations, which could allow an attacker to run code on vulnerable machines. The bug affects all of the current versions of Windows, from XP up through Windows 7 and Windows Server 2008. Microsoft issued an advisory about the MHTML vulnerability, which has been discussed among security researchers in recent days. There is some exploit code available for the bug, as well. In addition to the advisory, Microsoft has released a FixIt tool, which helps mitigate attacks against the vulnerability in Windows."

37 of 156 comments (clear)

  1. Knowledge Base containing Fixit Link by Nuisance · · Score: 5, Informative

    Would be nice to have seen these in the article...

    http://support.microsoft.com/kb/2501696

    1. Re:Knowledge Base containing Fixit Link by icebike · · Score: 5, Interesting

      Perhaps also useful would be a hint that simply avoiding Internet Explorer would provide all the protection from this bug that is needed.

      --
      Sig Battery depleted. Reverting to safe mode.
    2. Re:Knowledge Base containing Fixit Link by CastrTroy · · Score: 2, Funny

      I can't think of any serious browser that uses the IE rendering engine. Firefox, Opera, Chrome, and Safari all use their own rendering engines. That covers 99.999% of all browsers in use.

      --

      Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
    3. Re:Knowledge Base containing Fixit Link by parlancex · · Score: 2

      Many applications that display embedded HTML would be at risk. Those applications include Steam, MSN Messenger and others, etc.

    4. Re:Knowledge Base containing Fixit Link by EvilIdler · · Score: 2

      Steam uses WebKit now, so no problem there. MS products are of course always at risk while there are vulnerabilities in the IE engine.

    5. Re:Knowledge Base containing Fixit Link by TheLink · · Score: 3, Insightful

      Uh that's all the data most of their users need. Most of their users want a simple "FixIt" (that's how they often get into trouble in the first place, but that's not MS's fault). Most of these users aren't going to even know about this problem though. They'll only get a fix if MS ever releases it in a Windows Update and they have Windows Updates enabled.

      As for the rest of the users who actually care to know more: https://www.microsoft.com/technet/security/advisory/2501696.mspx
      The very few who are that interested can find out even more details themselves.

      So it's inaccurate to say MS doesn't give a shit about this problem.

      --
  2. Investing by cosm · · Score: 4, Funny

    Can I just say that now is probably a good time to invest in the tech industry. Since /. has redesigned the site, I believe productivity levels in the industry will be on the rise due to the number of commenters leaving in droves.

    --
    'We are trying to prove ourselves wrong as quickly as possible, because only in that way can we find progress.' RPF
    1. Re:Investing by Anonymous Coward · · Score: 5, Funny

      I'd mod you up but moderation is broken on opera

    2. Re:Investing by lowlymarine · · Score: 3, Funny

      Clearly it's just your horribly dated hardware. Everything's fine on my i7-2600k, time to get with the times grandpa!

    3. Re:Investing by artor3 · · Score: 5, Insightful

      And I'd mod you down, but doing so would make my post (and all other child posts) invisible as well. Heck, since you posted as AC, odds are no one will ever know this post was here.

    4. Re:Investing by Culture20 · · Score: 3, Informative

      Assuming you're using the javascripty version of Discussion2
      Take a look at your process list. Your browser is eating at least one of your cores. open a few more /. windows. Feel the burn. My single core machine was dying with just one window open. I had to go back to Discussion1 and flag /. with noscript. http://slashdot.org/users.pl?op=editcomm

    5. Re:Investing by dave562 · · Score: 2

      I would reply to this, but if you were to reply back to me, I would have to drill down through a whole slew of posts to find what you wrote. Where as previously I could just go to http://slashdot.org/~dave562/comments and then click on the comment you replied to. It would bring up a nice, EXPANDED tree view of the discussion thread.

      One step forward, two steps back? Ah hell, who am I kidding. We all know that three steps were taken, but they were all in the same direction.

    6. Re:Investing by Cthefuture · · Score: 2

      Is it just me or does the front page not show the number of comments any more? I really liked that and now it feels weird.

      Any way to turn it back on?

      --
      The ratio of people to cake is too big
    7. Re:Investing by seifried · · Score: 4, Insightful

      I think they've "pulled a Digg"

    8. Re:Investing by WrongSizeGlass · · Score: 2

      Now inline commenting and moderation is fucked up, All they want to do is create a site for "people that use Safari browser".

      I see they finally got my letters! Yay Slashdot!

    9. Re:Investing by icebraining · · Score: 3, Insightful

      Classic version ftw. It doesn't use more than 6-7% of one core (AMD AthlonII X4 620).

      --
      Dilbert RSS feed
    10. Re:Investing by DAldredge · · Score: 4, Funny

      I would mod you up but /. hasn't given me mod points for 3 or 4 years.

    11. Re:Investing by rudy_wayne · · Score: 2

      Why mod me down for Using Opera? It was the ONLY browser in which /. could render properly before the redesign fuck up.

      Now inline commenting and moderation is fucked up, All they want to do is create a site for "people that use Safari browser".

      Slashdot is death, suck it

      Every since the "new design" displaying posts has been fucked up. In Firefox, my normal browser, a small bit of the far left of each post is cut off. Ironically, I decided to try Internet Explorer (v8) and I am writing this reply in IE which displays the "new" Slashdot better than Firefox.

      How interesting.

    12. Re:Investing by Mr.+DOS · · Score: 5, Informative

      Sorry, but the 10 mod points is because you've been singled out (check the question “Why do I have 10 moderator points instead of the usual 5?” under Comments and Moderation), not because of the new design.

    13. Re:Investing by dbIII · · Score: 2

      For one thing I intensely hate how the sidebar on the left obscures a few columns of article and comment text until about 4/5 of the way down the screen on firefox FFS. If they can't get it right for the current firefox on linux (and I'm assuming other platforms) then where does it work? Is this an iPad only site at the moment?

    14. Re:Investing by ikkonoishi · · Score: 4, Funny

      I must be a moderating god because I get mine in chunks of 15. O_o

      Yes. The power! Its going to my head. I am the mod god! Its me!

    15. Re:Investing by uvajed_ekil · · Score: 3, Interesting

      You're right, I'm not seeing the number of comments, either. I liked having it - I knew instantly if there was a big buzz about something, or if taking time to throw in my two cents might matter for a stalled thread.

      --
      This is a hacked account, for which the owner can not be held responsible.
    16. Re:Investing by nmb3000 · · Score: 2

      It's so frustrating how correct you are. I used to enjoy reading comments to a story, but now it's essentially impossible because of how BROKEN the scrolling is (at least in Firefox and IE). Scrolling using the mousewheel is slow as hell and when using the keyboard it's very unresponsive. That and the new style is hard to read and has too much whitespace. I feel like I'm staring at a lightbulb trying to read gray text.

      For me this redesign has just demonstrated why I hate web 2.0. You are held hostage at the whims of moron marketing people and crappy devs like those behind the driving force of this redesign. It serves absolutely no meaningful purpose, is worse than the previous design, and everyone hates it. As you noted, fewer people are commenting, and if it doesn't improve people won't come back.

      Taco - Why can't you wait until you have something that's actually better than the previous version before releasing this crap on us? Or do you not have a dev/staging system in place and this is your way of testing it? Waiting for people to come up with Stylish hacks to fix your useless and broken CSS? Just wondering.

      --
      "What do you despise? By this are you truly known." --Princess Irulan, Manual of Muad'Dib
      /)
    17. Re:Investing by Sponge+Bath · · Score: 2, Insightful

      ./ needs an online FPS called Mod Arena where people with mod points can wager them in virtual combat. The winners can then sculpt discussions in their own Mod God self image. For instance you could mod up all posts about Lord of the Rings as "+1 Super Cheetos Cool" and mod down all Star Wars posts as "-1 Decaying Franchise".

      Oh, yeah. To stay on topic: Windows has security problems.

  3. Re:Which versions by postmortem · · Score: 2

    WTF is a current version of Windows? 3, 95, 98, Me, 2000, XP??

    Versions that are still supported actively, which are Windows XP SP3 and newer.

  4. Re:Which versions by PatPending · · Score: 5, Informative


    Windows XP Service Pack 3
    Windows XP Professional x64 Edition Service Pack 2
    Windows Server 2003 Service Pack 2
    Windows Server 2003 x64 Edition Service Pack 2
    Windows Server 2003 with SP2 for Itanium-based Systems
    Windows Vista Service Pack 1 and Windows Vista Service Pack 2
    Windows Vista x64 Edition Service Pack 1 and Windows Vista x64 Edition Service Pack 2
    Windows Server 2008 for 32-bit Systems and Windows Server 2008 for 32-bit Systems Service Pack 2**
    Windows Server 2008 for x64-based Systems and Windows Server 2008 for x64-based Systems Service Pack 2**
    Windows Server 2008 for Itanium-based Systems and Windows Server 2008 for Itanium-based Systems Service Pack 2
    Windows 7 for 32-bit Systems
    Windows 7 for x64-based Systems
    Windows Server 2008 R2 for x64-based Systems**
    Windows Server 2008 R2 for Itanium-based Systems
    Source: http://www.microsoft.com/technet/security/advisory/2501696.mspx
    Appears to apply only to Internet Explorer

    --
    What one fool can do, another can. (Ancient Simian Proverb)
  5. Re:Is it Windows or Internet Explorer? by JSG · · Score: 2

    Try using a search engine with the term MHTML and getting something like this: http://en.wikipedia.org/wiki/MHTML

    On FF you'll need a plugin to "see" MHTML, whatever it is. It seems to be an unholy mix of HTML and MIME and sounds unpleasant and probably a bit unnecessary.

    Cheers
    Jon

  6. Re:uhh by hairyfeet · · Score: 5, Informative

    Hi MR AC! If you would have read TFA or even TFS (I know I know, but I got bored) you would see they provide a link to The MSFT "fix it for me" page for this problem. Just click on "fix it for me" run the fix it, and that's it. Don't even need a reboot.

    I'm sending the link to my customers and family now, and since it makes a restore point before applying it is easy to undo if you need to, although with previous "fix it for me" tweaks that I've run the MSFT patch released later took care of the fix it tweak before applying the patch.

    So I don't really see why you or anyone would complain about this one. They have a quick fix that is so simple your grandma can run it, and released the fix quickly to tide people over until they have worked up a patch. I don't see how they could have done any better on this, as a full patch will take time to test and rightfully so as you wouldn't want MSFT releasing patches that break apps and/or drivers and cause more pain than the bug would you? This is easy, simple to apply, and painless to deploy. I don't see how you can get better and the guy that came up with the "fix it for me" program really deserves a raise and company car, as it really has made these fast released workarounds painless for home users..

    --
    ACs don't waste your time replying, your posts are never seen by me.
  7. Re:Which versions by stoborrobots · · Score: 2

    Appears to apply only to Internet Explorer

    And anything else which uses the MHTML component, which includes many, many applications, including anything which uses the "Windows Help" system...

    --
    "Go to CNN [for a] spell-checked, fact-checked summary" -- CmdrTaco
  8. Re:Incorrect Article Title (Headline) by JSG · · Score: 2

    Well Mr six dig, RanDomCapS 'n' punctuationeer extraordinare - who can say?

    Apparently someone called Timothy left their name on the article for all to see.

    This: https://www.microsoft.com/technet/security/advisory/2501696.mspx

    was posted 28 Jan 2011.

    When did you notice the bug? - We'd all love to hear your insights on it.

    Cheers
    Jon

  9. Re:Which versions by Korin43 · · Score: 2

    Ha! And they said I should stop using Windows 98!

  10. Re:uhh by hairyfeet · · Score: 5, Insightful

    What EXACTLY is wrong with system restore? I've found especially with my click happy love to install software customers and relatives having a "quick undo" button comes in damned handy! Now of course system restore is in no way shape or form a substitute for backups, which is why I have them set up with weekly differentials and full backups monthly on USB HDDs, but you can't expect them to run a differential every time they want to try something new.

    And who cares about "gigabytes" of anything anymore? Hell the lowest machines I sell have 500GB HDDs and even the kids P4 hand me downs have 400Gb drives, so why would anybody care? It isn't like huge drives are expensive.

    So I really don't see what the problem is with system restore. For a quick undo button it works just fine, with huge drives worrying about 20-50Gb being reserved for system restore is frankly pointless when everyone has more space than they know what to do with, and when used with a combination of good AV, weekly backups, and a lower risk browser like Firefox or Chrome with ABP it does just what it should do, which is provide a quick way to roll back changes if something goes wrong. So what EXACTLY is so bad about it, because frankly I haven't seen a problem with system restore since XP SP2 came out.

    --
    ACs don't waste your time replying, your posts are never seen by me.
  11. Re:uhh by LordLimecat · · Score: 2, Interesting

    Because its reliability is spotty at best, its a haven for viruses (super-duper-hidden System Volume Information ftw!), and you never know what it will and will not break.

  12. Re:Incorrect Article Title (Headline) by seifried · · Score: 2

    The bug was noticed about 2 weeks ago: http://www.80vul.com/mhtml/Hacking%20with%20mhtml%20protocol%20handler.txt

  13. Someone call teh ROFLCOPTER by Crypto+Gnome · · Score: 3

    MSIE just shot itself in the foot.

    MHTML is a microsoft-ism

    If you do not use the worlds-most-villified-browser, and if you have also not explicitly installed a plugin (or otherwise) to enable MHTML support in our *much less sucky* browser, then you are golden.

    --
    Visit CryptoGnome in his home.
  14. Why don't you link to the Microsoft adisory? by Otis_INF · · Score: 2

    Now you link to some blogpost/article on some random site, which only rehashes what Microsoft's own article at teched has to say as well..

    Link to direct advisory:
    https://www.microsoft.com/technet/security/advisory/2501696.mspx

    --
    Never underestimate the relief of true separation of Religion and State.
  15. Re:uhh by hairyfeet · · Score: 2

    Citation please? Because both Comodo (which I prefer for the click happy) and MSE (which I prefer for the "just check their email" types) routinely scan system restore points and will delete them if a bug is detected. And as for system restore breaking anything? I honestly haven't seen any behavior of the sort, both in customers or family, since XP SP2 came out. As a SOP before having them restore from a backup I have them attempt a system restore rollback and frankly as long as there is a point before the error I haven't seen it fail yet, hell with Win 7 you can even run system restore using the DVD if for one reason or another the machine won't boot.

    So unless you've got current citations of some widespread problem I haven't heard about I'm gonna have to say you're going on old info, right up there with "Windows suffers from lots of BSODs" (not unless you have seriously flaky drivers or hardware, and in Win 7 not even then) "ATI drivers suck in Windows" (IME not since AMD bought them, everything after that runs as well as Nvidia) or the classic "All AMDs run too hot" (not since the old Athlon XPs, most of their chips are 95w or below now).

    I'll be the first to admit the first gen system restore sucked and suffered from what you describe, but then again it was on WinME which was a mistake all around. Once XP became the mainstream with SP2 all the AV companies simply added scanning to sysvol which took care of the "restoring a bug" bit, and if you are running a good AV (like those mentioned above) frankly you shouldn't be able to get a bug in the first place without PEBKAC intervention. And also since SP2 the tech around system restore has matured to the point it "just works" and as I said I have clients and family as well as myself on both XP and Windows 7 use it and I've yet to see a problem caused by using system restores.

    Hard drives are big and cheap, it doesn't use CPU unless it is making a restore point which with triples and quads so cheap most of the people I deal with have plenty of cycles to spare and even the kids hand me downs are Pentium duals, and it is certainly quicker and easier to use a system restore than have to restore from a full or differential backup, so what's the problem?

    --
    ACs don't waste your time replying, your posts are never seen by me.