Slashdot Mirror


New Critical Bug In All Current Windows Versions

Trailrunner7 writes "Microsoft is warning its users about a dangerous flaw in the way that Windows handles certain MHTML operations, which could allow an attacker to run code on vulnerable machines. The bug affects all of the current versions of Windows, from XP up through Windows 7 and Windows Server 2008. Microsoft issued an advisory about the MHTML vulnerability, which has been discussed among security researchers in recent days. There is some exploit code available for the bug, as well. In addition to the advisory, Microsoft has released a FixIt tool, which helps mitigate attacks against the vulnerability in Windows."

8 of 156 comments

  1. Knowledge Base containing Fixit Link by Nuisance · · Score: 5, Informative

    Would be nice to have seen these in the article...

    http://support.microsoft.com/kb/2501696

    1. Re:Knowledge Base containing Fixit Link by icebike · · Score: 5, Interesting

      Perhaps also useful would be a hint that simply avoiding Internet Explorer would provide all the protection from this bug that is needed.

      --
      Sig Battery depleted. Reverting to safe mode.
  2. Re:Investing by Anonymous Coward · · Score: 5, Funny

    I'd mod you up but moderation is broken on Opera

  3. Re:Which versions by PatPending · · Score: 5, Informative


    Windows XP Service Pack 3
    Windows XP Professional x64 Edition Service Pack 2
    Windows Server 2003 Service Pack 2
    Windows Server 2003 x64 Edition Service Pack 2
    Windows Server 2003 with SP2 for Itanium-based Systems
    Windows Vista Service Pack 1 and Windows Vista Service Pack 2
    Windows Vista x64 Edition Service Pack 1 and Windows Vista x64 Edition Service Pack 2
    Windows Server 2008 for 32-bit Systems and Windows Server 2008 for 32-bit Systems Service Pack 2**
    Windows Server 2008 for x64-based Systems and Windows Server 2008 for x64-based Systems Service Pack 2**
    Windows Server 2008 for Itanium-based Systems and Windows Server 2008 for Itanium-based Systems Service Pack 2
    Windows 7 for 32-bit Systems
    Windows 7 for x64-based Systems
    Windows Server 2008 R2 for x64-based Systems**
    Windows Server 2008 R2 for Itanium-based Systems
    Source: http://www.microsoft.com/technet/security/advisory/2501696.mspx
    Appears to apply only to Internet Explorer

    --
    What one fool can do, another can. (Ancient Simian Proverb)
  4. Re:Investing by artor3 · · Score: 5, Insightful

    And I'd mod you down, but doing so would make my post (and all other child posts) invisible as well. Heck, since you posted as AC, odds are no one will ever know this post was here.

  5. Re:uhh by hairyfeet · · Score: 5, Informative

    Hi MR AC! If you would have read TFA or even TFS (I know I know, but I got bored) you would see they provide a link to the MSFT "fix it for me" page for this problem. Just click on "fix it for me", run the fix it, and that's it. Don't even need a reboot.

    I'm sending the link to my customers and family now, and since it makes a restore point before applying it is easy to undo if you need to, although with previous "fix it for me" tweaks that I've run the MSFT patch released later took care of the fix it tweak before applying the patch.

    So I don't really see why you or anyone would complain about this one. They have a quick fix that is so simple your grandma can run it, and released the fix quickly to tide people over until they have worked up a patch. I don't see how they could have done any better on this, as a full patch will take time to test and rightfully so as you wouldn't want MSFT releasing patches that break apps and/or drivers and cause more pain than the bug, would you? This is easy, simple to apply, and painless to deploy. I don't see how you can get better and the guy that came up with the "fix it for me" program really deserves a raise and company car, as it really has made these fast released workarounds painless for home users.

    --
    ACs don't waste your time replying, your posts are never seen by me.
  6. Re:Investing by Mr.+DOS · · Score: 5, Informative

    Sorry, but the 10 mod points is because you've been singled out (check the question “Why do I have 10 moderator points instead of the usual 5?” under Comments and Moderation), not because of the new design.

  7. Re:uhh by hairyfeet · · Score: 5, Insightful

    What EXACTLY is wrong with system restore? I've found especially with my click happy love to install software customers and relatives having a "quick undo" button comes in damned handy! Now of course system restore is in no way shape or form a substitute for backups, which is why I have them set up with weekly differentials and full backups monthly on USB HDDs, but you can't expect them to run a differential every time they want to try something new.

    And who cares about "gigabytes" of anything anymore? Hell the lowest machines I sell have 500GB HDDs and even the kids' P4 hand-me-downs have 400Gb drives, so why would anybody care? It isn't like huge drives are expensive.

    So I really don't see what the problem is with system restore. For a quick undo button it works just fine, with huge drives worrying about 20-50Gb being reserved for system restore is frankly pointless when everyone has more space than they know what to do with, and when used with a combination of good AV, weekly backups, and a lower risk browser like Firefox or Chrome with ABP it does just what it should do, which is provide a quick way to roll back changes if something goes wrong. So what EXACTLY is so bad about it, because frankly I haven't seen a problem with system restore since XP SP2 came out.

    --
    ACs don't waste your time replying, your posts are never seen by me.