13 New Windows Security Vulnerabilities
Petree writes "Microsoft has given advance notice that on February 8th, they will be releasing patches for 13 vulnerabilities. Happily, a day later they'll have a nice little webcast to answer questions about the vulnerabilities. Windows users, don't forget to run WindowsUpdate first thing Monday morning."
"Run WindowsUpdate first thing Monday morning" (Score:5, Informative)
Redundant? (Score:5, Informative)
Re:Redundant? (Score:2, Funny)
Better yet (Score:2)
Re:"Run WindowsUpdate first thing Monday morning" (Score:3, Funny)
FTFA
By the time you've rebooted (up to 13 times pe
Re:"Run WindowsUpdate first thing Monday morning" (Score:5, Informative)
Re:"Run WindowsUpdate first thing Monday morning" (Score:3, Insightful)
Re:"Run WindowsUpdate first thing Monday morning" (Score:3, Informative)
As the grandparent said, you are either clueless or a troll.
SUS good, not perfect (Score:3, Insightful)
While I agree it is a great tool, it needs a few tweaks to be great... Unfortunately, MS doesn't want this to be too good because SMS still costs a lot of money to buy... This is why it doesn't apply Office patches, (the one exception being the critical update for Office XP users running XP sp2) or even anything besides critical and security patches.
An install log might be a nice option too... Of course, on
Re:"Run WindowsUpdate first thing Monday morning" (Score:3, Insightful)
You know, I've got to agree with the "Run WindowsUpdate first thing Monday morning" - before the new patches are out on Tuesday - because these patches are not just minor. If you had bothered to read Microsoft's announcement, you'd see that Microsoft is devoting twice the webcast time they usually do just to explain them.
If Microsoft is worried, maybe you should be too.
Booooring... (Score:4, Insightful)
You're preaching to the choir!!
Re:Booooring... (Score:2)
Re:Booooring... (Score:3, Funny)
Re:Booooring... (Score:2)
Then again, even repetitive "good news" like this probably makes the day of many a MS-basher...
Re:Booooring... (Score:2)
Re:Booooring... (Score:2)
Re:Booooring... (Score:2)
The part that's newsworthy isn't "another Windows exploit discovered". The part that's newsworthy is that the way Microsoft is handling the issue is a complete about-face from the usual way that they handle it.
Usually, a security hole is discovered by someone who then spends a considerable amount of time advising Microsoft about the vulnerability. Microsoft will then acknowledge receipt and mention something about fixing it some day. In the worst case, Microsoft completely ignores the reporter. One day
Re:Booooring... (Score:3, Interesting)
Are the holes real?
(I mean, I know there are so many holes in windows the swiss cheese manufacturing association is suing)
Since the great unwashed masses are going to buy windows. (They are, trust me) and Microsoft, knowing this, wants to boost sales.
They announce, in this order:
A) We don't support Windows 2000, 98, ME for new vulnerabilities; you need XP SP2.
B) We are not going to provide windows updates to non-legal installations of the software.
C) There are now lots and
Re:Booooring... (Score:2)
Re:Booooring... (Score:3, Insightful)
Here are some recent security announcements from one of Linux's more reliable and secure distros:
04/02/2005
[DSA 667-1] New PostgreSQL packages fix arbitrary library loading
*[DSA 667-1] New squid packages fix several vulnerabilities
*[DSA 666-1] New Python2.2 packages fix unauthorised XML-RPC internals access
02/02/2005
[DSA 664-1] New cpio packages fix insecure file permissions
01/02/2005
*[DSA 663-1] New prozilla packages fix arbitrary code execution
*[DSA 662-
Re:Booooring... (Score:5, Insightful)
How many of those vulnerabilities are actually tied to the OS?
Zero.
How many of the windows vulnerabilities are tied to the OS?
Mostly all of them.
So do you want to count for example bsplayer's bugs so we can have a fair comparison against xine bugs?
Re:Booooring... (Score:5, Insightful)
No, they don't. 99% of Linux end users don't run postgresql, zhcon, vdr, libdbi-perl, or most of the other packages the grandparent listed. It's fair to compare flaws in GNOME/KDE, Firefox, X, and the kernel to flaws in Windows. If you want, you can compare OO.o to Office and perl/python/Mono to .NET. But you can't compare the entire Debian archive (which takes 7 CDs to hold just the stable version) to the base release of MS Windows.
Re:Booooring... (Score:4, Interesting)
[DSA 664-1] New cpio packages fix insecure file permissions
Annoying, but hardly "critical"
*[DSA 659-1] New libpam-radius-auth packages fix several vulnerabilities
This is actually a mixed bag. Rather embarrassing, but Deb-specific. More general, indeed.
and even (assuming a KDE desktop):
[DSA 660-1] New kdebase packages fix authentication bypass
The rest are additional packages installed on a per-need basis. You don't argue MSSQL vulnerabilities are Windows vulnerabilities, do you? Or those of the compiler? (f2c indeed - that must be highly critical for home users)
Contrast this with the Windows announcement, where the 10 vulns affecting the OS are rated Critical.
Why? (Score:5, Interesting)
Re:Why? (Score:5, Funny)
Re:Why? (Score:2, Interesting)
1. There are too many (known and unknown) vulnerabilities.
2. Even the known ones are too much to be fixed for various reasons.
Re:Why? (Score:4, Informative)
Re:Why? (Score:3, Interesting)
Unfortunately, most of those I visit don't have broadband, so downloading 200 megs from WU doesn't work.
On the other side of the fence, MacOSX updates always have a Combo version containing ALL previous updates,
Re:Why? (Score:2)
Re:Why? (Score:2)
It would be nice if they released another one this year.
Damnit (Score:2, Funny)
Re:Damnit (Score:2)
*Sorry for bringing that word into it, I just couldn't think of anything more descriptive.
At least they are actively patching... (Score:5, Interesting)
Come on Slashdot, at least they are actively fixing their shit. You all bad mouth them for not fixing stuff fast enough, and then when they announce they are releasing a patch you try to find some way to bad mouth them for that?
We're all bored of hearing how much people hate MS here...we KNOW you don't like them. Just leave it at that, and instead of reading and posting 600 replies here about how they suck, have some sort of intelligent conversation instead.
Re:At least they are actively patching... (Score:3, Insightful)
But as others have said already, do we really need to hear about it every time?
Re:At least they are actively patching... (Score:2)
Perhaps they need to make that idea they had of spending a month just squa
Re:At least they are actively patching... (Score:2)
Re:At least they are actively patching... (Score:2)
If you're telling me there is a bug free version of OS X or Linux anywhere out there, I'd like to see it. Every OS patches, and every OS has bugs. There is no point where fixing errors is going to stop. We WANT them to fix the errors, in fact most people only complain that they don't fix them faster.
For all of those out there saying they have to "go get updates every N months" why not turn on Auto Update? You know how often I go get updates? Never. And yet I am always 100% up-to-date...man that is to
Re:At least they are actively patching... (Score:2)
I hope people will at least be taken aback when we get security fixes for longhorn that we've already had for XP (that is, fixing the problems already patched in XP which weren't fixed or even noticed in the longhorn release). Also if there's a single new (i
Re:At least they are actively patching... (Score:2)
Which does remind me: how do various commercial Linux distributions (Mandrake, SuSE, Linspire, etc.) provide patches for known code vulnerabilities? Do they use a system somewhat akin to Windows Update?
Re:At least they are actively patching... (Score:2)
The thing I find interesting is that during my time in the past as a Linux user the amount of security and bug updates being downloaded was very high compared to the amount of stories listed on Slashdot showing these updates.
Hmm, wonder why that would be.
Re:At least they are actively patching... (Score:3, Informative)
Re:At least they are actively patching... (Score:2, Insightful)
If the burglar broke into my house through a flaw in the design of the lock - a flaw known by the manufacturer - a flaw the manufacturer found more profitable to ignore than fix - a flaw the manufacturer decided not to tell me about and trust me to make my own decisions
Re:At least they are actively patching... (Score:3, Interesting)
Well, Microsoft could take the stance of creating the "bullet proof" OS which allows you to run only the software that comes preinstalled, and only stuff that they have tested and debugged...that's about the only way they could "guarantee" their product to be bug free. (of course even linux users would never claim to be totally bug free)
But you know what? That wouldn't be a very useful machine to anyone. The beauty of an OS is that it can run programs that you install (or even write) after the fact. Yo
Re:At least they are actively patching... (Score:2)
I believe the lock situation is exactly as you described.
Chances are that it is possible for a skilled locksmith to pick the lock on your front door. I'
Re:At least they are actively patching... (Score:4, Interesting)
Now, if I buy a lock that is known to be defective, I don't have a case - I should have known better.
But I can still be annoyed that the lock manufacturer makes garbage locks.
Or I can just use another company's locks. That's the problem with Microsoft, they have so much of the market that many people are stuck using their locks, even when they know they're garbage. Me, I'll stick with Macintosh and Linux.
Re:Mod parent up. (Score:3)
Yeah, my network of 5 windows machines never has any troubles. Of course that's because everyone here is smart enough not to download spyware infested crap from the internet. We have AVG running on every machine and that keeps us virus free. And yes, I have a router as firewall, and SP2 on every box.
If your Windows machines are broken, it's not Windows' fault IMHO, it's mostly user issues. I do agree that Windows makes it easy to install bad software, but Linux can also be totally ruined by installing
Is this sort of thing still interesting to /. (Score:5, Insightful)
Re:Is this sort of thing still interesting to /. (Score:3, Insightful)
Tomorrow's Slashdot headline:
Um, as you can see the same thing happens to any OS. The difference is that Gentoo does this: 1. write a patch to fix current version so users are safe, then 2. put
They don't need to (Score:5, Informative)
These days, Windows users don't need to "run" Windows Update to grab security updates; the Windows service does that job, so they don't have to remember to do anything special on Tuesday. However, you need to actively visit windowsupdate.microsoft.com if you need stuff other than security updates.
Re:They don't need to (Score:2, Informative)
Re:They don't need to (Score:2)
patch wars (Score:2)
Not to mention running an update on most linux distros demands a serious amount of patching.
If slashdot would stop taunting for two minutes, they would realize that MS has a policy of patching on the first tuesday of each month and once auto-updates are enabled this becomes a non-issue.
It's getting
Re:Please mod parent -1, Stupid (Score:2)
Jeez, don't shoot the messenger, I'm just telling you how it works.
Auto-update is dangerous to stability!
So, did I say it was always good for stability anywhere? Calm down.
Trusted Computing: - (Score:2)
Re:Trusted Computing: - (Score:3, Insightful)
Hm, trusted computing was their initiative with DRM in e.g. Office and WMP, the whole thing about the "Fritz" circuit, Palladium, etc. AFAIK, no WMA or Word Document DRM etc has been exploited, so I can't really see what that has to do with these news.
Trusted computing requires hardware (Score:2)
Usually it involves having a key (as in RSA) locked down in a tamper-proof hardware chip, and the computer uses that key to assert that the software it is about to run is indeed signed by and for that key. For example, a Linux kernel could be signed by such a key, and at boot time the system would validate it and if it passes, we can assume that it is not compromised by a virus or somethin
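The boot-time check the comment above describes, as an added example that is not code from the original post or from any vendor's firmware: a chip holding only the vendor's public key verifies the signature over the kernel's digest before handing control to it. The type and function names are assumptions, the key is derived from a constructed fixed seed, and Ed25519 stands in for the RSA the comment mentions.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"fmt"
)

// RootOfTrust models the tamper-resistant chip: it holds only the public
// half of the vendor key, fixed at manufacture, so it can verify but never forge.
type RootOfTrust struct {
	Pub ed25519.PublicKey
}

// BootImage is a kernel plus the vendor's signature over its SHA-256 digest.
type BootImage struct {
	Name   string
	Kernel []byte
	Sig    []byte
}

func kernelDigest(kernel []byte) []byte {
	d := sha256.Sum256(kernel)
	return d[:]
}

// SignKernel is the vendor's offline step; the private key never reaches the device.
func SignKernel(priv ed25519.PrivateKey, name string, kernel []byte) BootImage {
	return BootImage{Name: name, Kernel: kernel, Sig: ed25519.Sign(priv, kernelDigest(kernel))}
}

// VerifyBoot is the firmware check: run the kernel only if the signature
// matches this chip's key and the image is byte-for-byte intact.
func (r RootOfTrust) VerifyBoot(img BootImage) bool {
	if len(img.Sig) != ed25519.SignatureSize {
		return false
	}
	return ed25519.Verify(r.Pub, kernelDigest(img.Kernel), img.Sig)
}

// NewDemoRoot derives a key pair from a constructed, fixed seed so the run is
// reproducible; a real chip is provisioned with a randomly generated vendor key.
func NewDemoRoot(seed byte) (ed25519.PrivateKey, RootOfTrust) {
	priv := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{seed}, ed25519.SeedSize))
	return priv, RootOfTrust{Pub: priv.Public().(ed25519.PublicKey)}
}

// Tamper returns a copy of the image with one kernel byte flipped, the way a
// boot-sector virus or a corrupted update would leave it; the signature is unchanged.
func Tamper(img BootImage) BootImage {
	k := append([]byte(nil), img.Kernel...)
	k[len(k)/2] ^= 0xff
	return BootImage{Name: img.Name, Kernel: k, Sig: img.Sig}
}

func main() {
	priv, chip := NewDemoRoot(0x42)
	good := SignKernel(priv, "vmlinuz-2.6", []byte("constructed kernel image bytes"))
	fmt.Println("vendor-signed kernel boots:", chip.VerifyBoot(good))         // true
	fmt.Println("modified kernel boots:", chip.VerifyBoot(Tamper(good)))      // false

	// A kernel signed for a different chip's key is refused as well.
	otherPriv, _ := NewDemoRoot(0x99)
	foreign := SignKernel(otherPriv, "vmlinuz-2.6", good.Kernel)
	fmt.Println("foreign-signed kernel boots:", chip.VerifyBoot(foreign))     // false
}
```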
Every second Tuesday (Score:2, Informative)
PC Benchwarming (Score:4, Insightful)
Not just to rag on MS, but I will NOT be running my PC monday morning. Given microsoft's less-than-stellar history of patch releases (Service Pack 2 still gives me night terrors), I'll wait at least a week or so to see what problems these patches create.
It's unfortunate that many PC users (including myself) would rather risk having their PCs zombified or their data erased for a while longer instead of installing the latest MS patch. For me, past experience has shown me it's less of a risk to just sit it out for a while and see what new holes these patches open.
Re:PC Benchwarming (Score:3)
Re:PC Benchwarming (Score:2)
But for hotfixes, patches, and lesser updates, I've never had a problem personally or with the hundreds of CPUs that come in to the desk [emerson.edu].
Now, I find OS X updates as a whole better to deal with as Apple will milestone their updates. Something I wish Redmond would do more often. But to be honest, I've had some quick OS X updates fail on me more than Windows updates.
Re:PC Benchwarming (Score:2)
Re:PC Benchwarming (Score:2, Interesting)
Not to mention that SP2 works great unless you happen to be running an in-house application that was coded in BASIC back in 1942. Then you will have some problems. I have it running on about 10 workstations and I have had no problems except for once when I rolled back the install and corrupted a file. The only reason we haven't deployed it to all 5000 of o
New Slashdot format (Score:5, Funny)
Re:New Slashdot format (Score:2)
Explain this to a non-windows guy (Score:2)
Especially security patches should be released immediately when they're done. Distributing the releases would probably also take some load of the servers. Or am I missing something about windows update?
Re:Explain this to a non-windows guy (Score:3, Informative)
Re:Allow me to rephrase the question. (Score:2)
Re:Allow me to rephrase the question. (Score:2)
Re:Explain this to a non-windows guy (Score:2)
Re:Explain this to a non-windows guy (Score:4, Informative)
Idiots (Score:3, Informative)
2) This is a repeat.
AntiSpyware (Score:3, Informative)
Microsoft didn't write it. It's GIANT AntiSpyware with a new label. It may think some of your legitimate apps are spyware, like VNC, but it usually marks them as ignore by default anyway. It's great if you forgot they were there or someone else installed them without your knowledge.
Just switch over to your Mac Mini while you reboot (Score:2)
A different perspective (Score:2, Informative)
A couple of the updates (Score:3, Funny)
# User may 'hijack' Internet Explorer settings, this update will reset your Internet Explorer start page and search settings to the new and improved MSN Search.
# Fixes vulnerability that allows users to view old Teen-Beat photographs that may contain images that could shock your system!
Remote update of office (Score:2)
There's various methods for updating office, some that appear to require the user to have admin privs, keeping a local copy of office install source on the computer at all times, etc, etc...
It's all a mess if you have various versions of office out there... :-(
Did You RTFA? (Score:5, Informative)
2) It's not 13 patches for Windows. As the article could not state any clearer, it's:
3) Read before you submit.
9+1+1+1+1=? (Score:2)
a.) the last time I checked, 9+1+1+1+1 = ...wait for it... 13
b.) these are only for machines running Windows.
Therefore, 13 new Windows security vulnerabilities.
Re:9+1+1+1+1=? (Score:2)
Making a more secure Windows (Score:3, Informative)
IE always seems to be the weak point, or the HTML subsystem... Even if it isn't, I've got instructions on removing several subsystems [vorck.com] from Windows that will make it more secure.
Check out my page on Windows patches [vorck.com], I think it's a convincing argument to rip all of this stuff out of Windows. Just download the files, drag-drop-replace, burn, and install.
XP subsystem removal software [msfn.org] here.
Curious thing... (Score:2)
But where Linux vulnerabilities are reported one per report, with Windows you get bundles of 3-15... Maybe with this kind of tactic, you hear about Linux problems at least as often as about Windows, so it leaves you with the impression they are at the same level...
When was the last time Linux developers shipped 13 different vulnerability patches at once?
The sad reality of this is: (Score:2, Interesting)
Virus writers... (Score:2, Funny)
aspell, anyone? (Score:4, Informative)
The problem with windows is (Score:3, Insightful)
Re:The problem with windows is (Score:5, Interesting)
Everyone is surprised that I run 98 but, especially now, I know the problems that it has and I have systems in place to stop them. I know it crashes a lot but I also know how to fix it. I've never lost a Windows 95/98/ME installation yet. However, the XP and 2K machines that I support will lock into all sorts of reboot loops and cryptic stop messages that I can do nothing about but restore from backup.
The schools I work for were stung big-time by things like Sasser, they were taken completely off-guard and all reached a critical state within a few days when not one of their PC's would stay up for more than a few minutes.
Because of my setup and because of the way that viruses are now only targeting the new vulnerabilities, I'm pretty safe. I've NEVER, repeat NEVER, had a virus on any computer that I own and for many years didn't even bother with an antivirus.
Nowadays, the only reason I have antivirus is so that I can scan emails from people who forward me crap and ask "is this a virus/trojan etc?". Most of the time, it's a yes before I even bother to scan it.
Virus writers are not targeting me; they'd have a very hard time if they did, because I'm not stupid.
My IE is up-to-date and never used, because I realised many years ago what a mistake it is to use it. IE is installed purely for Windows Update.
I have people who I support who are still happily running 98, even 95, some of whom are years behind on updates and they don't have a problem because they are educated, firewalled, know what not to do and have established measures in place, have had for years.
Only the 2000/XP computers that I support have problems with such junk because, like Sasser, there was little a user could do to prevent it as it came out of the blue. That's what 98 was like many years ago but we've since established a routine that prevents that.
There is NOTHING WRONG with running an older Windows OS, even an out-of-date, not-updated OS. Sure, I wouldn't use it as a server, but then I wouldn't use Windows as a server given half a choice, precisely because of its many problems.
Windows "automatic update" has screwed up many a machine that I support, and given all sorts of weird problems because of it installing crap and hogging internet connections.
Windows 98 works for me, does everything I need it to, is blindingly fast (but you don't notice that until you use it after using XP), behind a suitable set of protective measures is as safe as a Windows 2000/XP machine behind the same measures, is easy to recover and suffers fewer problems overall.
Experiment for the adventurous: Get a Windows 3.1 box, install TCP/IP and put it on the net. Wait for it to be compromised. Perform similar action on XP/2K, even with latest updates.
One of my firewalls is still running a Linux 2.0 kernel because it's simple, safe, and works. Old, decrepit. Old = tried and tested.
Ask NASA why they won't put an Intel with XP controlling the space shuttle. Now ask them why they would use a Z80 with something like CP/M or Unix.
Safe Surfering (Score:3, Insightful)
Let's call this safe surfing.
The answer is to surf the web as user "Guest".
There are a lot of things to be said about this but the most important is that Microsoft doesn't care about security because they don't educate this or default to this.
As a computer consultant every day I get asked about safe computing. My answer on windows is this:
People squawk about having to log out and log in as a different user. I tell them safe computing is no different than safe sex. You need to take responsibility. You need to decide how important being safe is to you.
By enabling the Guest account and surfing the web as Guest, viruses and adware can't install software, touch the registry, or write to anywhere on the disk other than the account folder for Guest. If the Guest account ever gets corrupted, just delete it and create a new one.
However, unlike with Unix, Windows is a hostile environment for mixing users.
On Unix it's easy. Just enable "sudo". Your default security mode is one of no access, user mode. You have to make a conscious choice to run with sudo.
It is very unsatisfying to run as "Guest" in Windows and then "Run As" a secure user, and hardly anyone does it. It's almost futile to install software as a user on Windows other than someone with admin privileges. Almost every major software vendor's install will fail unless admin privileges are used. By contrast, no such barrier exists in Unix. The "--prefix" option to most software will allow you to run from your home directory. And it's not always just the big things, but little things too. Unix uses the "~/username" shortcut to easily afford copying files between accounts.
It is possible even in today's Microsoft environment to guarantee yourself that the impact of a virus or adware can be contained to a sandboxed Guest user account.
The fact that Microsoft doesn't make "RunAs Guest" the default security model, as Unix does, is something that Microsoft should be held accountable for.
But the reality is Microsoft just doesn't care about security. They only care enough to give it lip service.
Instead of the Following... (Score:5, Funny)
I think he meant to say:
Install Linux first thing Monday morning...
I say: Why wait? Use the weekend wisely...
Re:The obvious XP question (Score:2)
There's more included than OS fixes, so probably.
Re:The obvious XP question (Score:2)
Re:Monday? (Score:2, Funny)
Re:What they are not telling you (Score:2, Insightful)
One word describes a system, nearly ANY system more recent than an Atari ST or C-64, that isn't regularly patched: "0wn3d"
Bash bash bash. You guys are boring.
WOW, Censorship is alive and well here (Score:3, Interesting)
You can suppress what I'm saying, but not the reality of what I said.
Re:You should be behind a firewall anyway. (Score:3, Informative)
When shouldn't you be behind a firewall? With the exception of say, a WebTV, ALL operating systems should be behind a firewall.
Mac included.
Re:You should be behind a firewall anyway. (Score:2)
Re:You should be behind a firewall anyway. (Score:2)
Re:hmmm (Score:2)
Re:Lots of vulnerabilities? (Score:2)
Re:Lots of vulnerabilities? (Score:4, Insightful)
debian woody has like 8000 packages.
Windows XP is an OS, graphical environment, MSN Messenger, WordPad, a few crappy games, some services... let's be good and say they have 1000 packages of software (they don't).
13/1000= 0.13 vulnerabilities per package
47/8000=0.005
"So you zealous fucker, which platform is more secure?"
been done before, but i can't resist (Score:2)