Forgot your password?
typodupeerror
Security

Another Critical Microsoft Hole 601

Posted by michael
from the your-daily-dose dept.
gmuslera writes "Not was enough that recent vulnerability in IE that can run any program in an unpatched windows system. Now there is another related to an ActiveX control that can make IE and IIS to run any code in the system. The Microsoft solution? kill the related ActiveX control and replace it with a safe one. The Microsoft problem? As this control is Microsoft signed, any site can require it, upload it and replace the "good" one with the vulnerable one. The final recomendation from Microsoft? Don't trust/run ActiveX controls signed by Microsoft." Gimble points to the appropriate locations on Microsoft's website: "Another buffer overrun (that allows arbitrary code to be run) has been admitted to by MS, and it affects IIS and IE on clients (but not on XP), and they have a patch available here Security Hotfix for Q329414. The kicker is that a patched system can be rendered vulnerable again by a hostile web site or HTML email. The 'solution' from MS in Microsoft Security Bulletin MS02-065 recommends that you remove MS from the list of Trusted Publishers."
This discussion has been archived. No new comments can be posted.

Another Critical Microsoft Hole

Comments Filter:
  • Aaahhhh! (Score:4, Funny)

    by SledgeHBK (148480) <sledgehbk@@@yahoo...com> on Thursday November 21, 2002 @10:48AM (#4722570)
    "can make IE and IIS to run any code in the system"

    Noooooo!

    Minesweeper WON'T stop coming up!

    --This girl at the library the other day
  • by Rebel Patriot (540101) on Thursday November 21, 2002 @10:49AM (#4722574) Journal
    Why doesn't Microsoft wake up and just apply the "mozilla patch"? :^)
    • by leuk_he (194174) on Thursday November 21, 2002 @11:03AM (#4722703) Homepage Journal
      According to the MSTECH bulletin:
      Why isn't it feasible to set the Kill Bit in this case?

      The ActiveX control involved in these vulnerabilities is used in many applications and web pages to access data. Many applications, including third-party applications, contain hard-coded references to it; if the patch set the Kill Bit, the web pages would no longer function at all - even with the new, corrected version. As a result, the patch updates the control to remove the vulnerabilities, but does not provide a brand-new control and set the Kill Bit on the old one.


      Conclusion:
      -Microsoft refuses to kill itself.

      how does this relate to: the story Microsoft on Security: We'll Break Your Apps [slashdot.org]

      Hey... linus refused to change the behaviour of kill -9 -1 also
  • by stevens (84346) on Thursday November 21, 2002 @10:49AM (#4722578) Homepage
    ``Don't trust Microsoft'' is just a good security principle in general. Finally they realize it. :-)
    • by nougatmachine (445974) <johndagen@@@netscape...net> on Thursday November 21, 2002 @10:54AM (#4722620) Homepage
      I removed Microsoft from my "trusted publishers" list a long time ago ; )
    • Re:Sound Advice (Score:3, Interesting)

      by ichimunki (194887)
      Let's hope the US Government gets it. There is cause for concern [salon.com] (article titled "Microsoft seeks government partnership").
    • by RyoSaeba (627522) on Thursday November 21, 2002 @11:10AM (#4722781) Journal
      Well yes, but now you run in the horrible paradoxal loop !!
      Suppose MS say that they shouldn't be trusted. Assume you think it's right, so you don't trust'em, so you believe THAT sentence is false ! Therefore MS should be trusted. So of course you must trust'em, and believe they shouldn't trusted... And so on & on !
      Finally their claim is just another way to make your system / brain crash due to stack overflow...
      • Re:Sound Advice (Score:3, Insightful)

        by Violet Null (452694)
        "shouldn't be trusted" != "lies all the time"
      • by DarrylM (170047) on Thursday November 21, 2002 @12:12PM (#4723315) Homepage
        Ahh, It's all coming clear... Microsoft is using A.L.I.C.E. [slashdot.org] now!

        Microsoft1: All things you need to trust are from Microsoft.
        Microsoft2: But all things are not always me need to trust are from Microsoft.
        Microsoft1: Umm. But all things are not always are not always you need to trust are from Microsoft.
        Microsoft2: Interesting. But all things are not always are not always are not always me need to trust are from Microsoft.
        Microsoft1: Interesting. But all things are not always are not always are not always are not always you need to trust are from Microsoft.
        Microsoft2: Huh. But all things are not always are not always are not always are not always are not always me need to trust are from Microsoft.
        Microsoft1: Huh. But all things are not always are not always are not always are not always are not always are not always you need to trust are from Microsoft.
        Microsoft2: Umm. But all things are not always are not always are not always are not always are not always are not always are not always me need to trust are from Microsoft.
        Microsoft1: And. But all things are not always are not always are not always are not always are not always are not always are not always are not always you need to trust are from Microsoft.

        etc.

        :-)
    • by Cpt_Corelli (307594) on Thursday November 21, 2002 @11:43AM (#4723054)
      Aberdeen Research Group has this to say about open source and Linux security:

      Open Source and Linux: 2002 Poster Children for Security Problems

      November 12, 2002
      Open source software is now the major source of elevated security vulnerabilities for IT buyers. Security advisories from Cert for the first 10 months of 2002 show that open source and Linux software accounted for more than half of all advisories. The poster child for security glitches is no longer Microsoft; this label now belongs to open source and Linux software suppliers.

      Read more here [aberdeen.com]
      • by derF024 (36585) on Thursday November 21, 2002 @02:00PM (#4724329) Homepage Journal
        Kind of a silly statement, since they're comparing every piece of software that runs on a linux platform to only microsoft applications. what would happen if you compared the "Linux security flaws" to flaws in every single piece of software that ever ran on Windows..

        in addition, i think you'll find that since applications and libraries can be used by 3rd party applications more easily on open source systems, you have more code re-use. thus, 1 vulnerability, such as the one in OpenSSL, turns into 10 when you count in all the packages that use OpenSSL's SSL libraries. since MS closes the ssl libraries that they use with IIS, you'll find that there are probably 10 different ssl implementations on any one MS based system.

        a third point is that this study counts advisories from each vendor regarding the same application as seprate advisories. so you have the following situation:

        1 bug in OpenSSL affects 10 applications that use the OpenSSL libraries. advisories for those 10 applications are reported by 10 different Linux vendors. therefore, 1 bug in a piece of linux software generates 100 vulnerability reports. according to this logic, there are still roughly 100X more bugs in microsoft software alone then there are in every piece of software that is capable of running on Linux based OS's. that number is somewhat inflated, however my points are still valid, this study is turning 1 bug into many and comparing apples to oranges.
  • by og_sh0x (520297) on Thursday November 21, 2002 @10:49AM (#4722580) Homepage
    Hey, good thing that little bird told me to never check the box that says "Always trust content by Microsoft Corporation"
  • This bodes well (Score:5, Insightful)

    by evilpenguin (18720) on Thursday November 21, 2002 @10:50AM (#4722584)
    Doesn't this just make you excited for the prospect of Palladium and a world where all code is digitally signed? I'm tingling all over.

    I'm all for code signing for authenticity, but not for code signing as execution control. Code signing should be purely an audit mechanism.
  • by T1girl (213375) on Thursday November 21, 2002 @10:50AM (#4722587) Homepage
    Not was enough that recent vulnerability in IE that can run any program in an unpatched windows system.

    Difficult to read this post is, hmmm?
  • by ctid (449118) on Thursday November 21, 2002 @10:51AM (#4722594) Homepage
    This must be the most utterly humiliating admission I have ever read. The fact that it comes in the context of a security problem beggars belief.

  • by henben (578800) on Thursday November 21, 2002 @10:52AM (#4722598)
    Interestingly, that page doesn't render properly in Opera 7 Beta unless you identify as MSIE - when it works fine.
  • More Bias (Score:5, Insightful)

    by OpCode42 (253084) on Thursday November 21, 2002 @10:53AM (#4722604) Homepage
    Can we please stop all this MS bashing? Every piece of software has security alerts and patches issued. Why, in a week where we have alerts for Samba, php, kde (libs and network) and apache, do we have to hear about IE yet again? Yes, we know thats its not a secure bit of software. It just makes us look like insecure teenagers if we keep bashing it like this.

    *flame retardent jacket on*

    That is all.
    • Re:More Bias (Score:5, Insightful)

      by Seahawk (70898) <tts@im[ ].dk ['age' in gap]> on Thursday November 21, 2002 @10:57AM (#4722651)
      Well - I see your point, an I am oppesed to needless MS bashing as well! The difference between the OSS vulnaribilities and this IE is that the OSS vulnaribilities is fixed rather easy, and Microsofts solution to the problem(Dont trust MS activex controls) just wont help the average user as he has no idea how to not trust Microsoft

      As you say - there are bugs in ALL software - but there are great differences in how quickly those bugs are fixed!
    • by warrior_on_the_edge_ (605123) on Thursday November 21, 2002 @11:00AM (#4722671)
      It just makes us look like insecure teenagers

      Maybe we should apply the SECURE teenager patch I thought I saw somewhere....
    • Re:More Bias (Score:3, Insightful)

      by keyne9 (567528)
      Well, in my household, I will generally only update the secondary computers every month, give or take. More critical patches, I'll update immediately. I do not really consider these updates as bashing, per se, but rather a boon for me.

      I seem to remember a poll that indicated that a significant portion of the /. crowd used or otherwise had installed Windows on at least one machine. I can't see how this woudl be totally irrelevant.

      I can, however, see that the updates are quite one-sided. Is it, perhaps, that less people submit the linux related bugs? or that the editors choose to publish more Microsoft-related ones? I think only they know for sure. Either way, people benefit.
    • Re:More Bias (Score:5, Insightful)

      by platypus (18156) on Thursday November 21, 2002 @11:19AM (#4722855) Homepage
      Why, in a week where we have alerts for Samba, php, kde (libs and network) and apache, do we have to hear about IE yet again?

      Because samba et.al. use a completely different security philosophy. This shows and proves something that many people have said before, namely that MS' security philosophy based on "trust us, we know better what to do" is flawed. In the light of this news you can only laugh about popups like "Always trust content from microsoft corp.".

      This is also not very encouraging for MS' auto-update feature in XP, and their whole fucking ideas of stuff in their OS's downloading components from the net without asking the user.

      Note that the above is also true for other software publishers, but MS takes the spotlight for various reasons, like their omnipresence and their bullheadedness concerning these problems.
    • Re:More Bias (Score:4, Interesting)

      by SirSlud (67381) on Thursday November 21, 2002 @11:32AM (#4722959) Homepage
      The day my bug-ridden OSS software starts silently self-installing across the web because my box was automagically set up to 'trust' the 1s and 0s, I'll stop making fun of MS.

      Until that day, I'll get my kicks from MS bashing. You've read and heard the things Baller & co have said about Linux (I particularly liked the "Linux is unamerican" comment, hehe) .. you can't honestly think that the Linux crowd is the only group of users that enjoy crass, glib jabs at the competition now, can you?

      So cease thy whining and either bash or don't. No need to pass judgement unless your prepared to accept that the whole world is guilty of the behaviour you are so desperate to eschew.
    • More design flaws (Score:5, Insightful)

      by SgtChaireBourne (457691) on Thursday November 21, 2002 @11:33AM (#4722972) Homepage
      Actually, the bias seems to be pro-Microsoft. If any other project had the same severity and quantity of compromises as MSIE, it would be history.

      What we have here is a clear case of people letting their ideology interfere with their business sense. Ideology / religion seems to be the only reason anyone would not go right over to better products like Opera or Mozilla. The only value MSIE can add, beside keeping the AV and security consultants in gravy, is vendor lock in.

      Microsoft is falling further behind in technology every month. Rather than trying to catch up, they've been trying to hold everyone else back. It's time for them to get out of the way and stop hindering economic growth in the IT sector.

    • Re:More Bias (Score:5, Insightful)

      by Blkdeath (530393) on Thursday November 21, 2002 @11:44AM (#4723056) Homepage
      Can we please stop all this MS bashing? Every piece of software has security alerts and patches issued. Why, in a week where we have alerts for Samba, php, kde (libs and network) and apache, do we have to hear about IE yet again?
      Yes, Slashdot announced a recent KDE vulnerability [slashdot.org], and security holes affecting a popular open-source RAW TCP stream library [slashdot.org] as well as recent BIND 4 and 8 security vulnerabilities [slashdot.org], and the trojan'ing of a Sendmail distribution [slashdot.org], not to mention the privacy leak in the poster-boy browser for OSS - Mozilla [slashdot.org], and how could we forget the Linux Worm [slashdot.org] that created an "attack network" [slashdot.org]?

      Slashdot reports security vulnerabilities that affect large portions of the userbase. All of the above affect large portions of the OSS world, and IE vulnerabilities affect the vast majority of the workstation userbase (globally!). The difference between OSS and Microsoft security bulletins, however, tends to be that the OSS bulletins are generally followed-up shortly after release with "... and get the patch here, here, and here, and download [updated|backported] versions from your vendor here, here, and here". Only too often do we see updates to Microsoft bulletins that read along the lines of "... and Microsoft is stonewalling [me|us] ... " or "... Microsoft has officially denounced this as invalid ... " or "... Microsoft has accepted the bug report and is working on a solution ... " (which doesn't arrive for six weeks, and does so very silently with little more than yet-another-MS-bulletin and another item in the Windows Update listing).

      The reason Slashdotters 'bash' Microsoft, especially in the face of "yet another IE/IIS critical security vulnerability" is that they're so recurring. The fact that this one happens to be digitally signed by Microsoft themselves, and that the only way to get around the vulnerability is to literally stop trusting Microsoft [microsoft.com] makes it more than hilarious; it's downright embarassing for them. When something embarasses one of the Open Source world's largest nemeses, and the very giant who has its sights set on Linux (primarily) and phasers set to kill, it gives us a warm tingly feeling, and human nature dictates that when this feeling is present, "I Told You So!" is a response that gives us imense amounts of pleasure.

      Speaking of "I Told You So", I have to remember to show this one to our co-op student when he's next in. It'll make for a good practical demonstration of why I told him not to check "Always trust from ... " checkboxes within IE.

  • Question (Score:5, Insightful)

    by zero-one (79216) <<moc.liamg> <ta> <enyapwnoj>> on Thursday November 21, 2002 @10:54AM (#4722615) Homepage
    Why can't IE run in a process with reduced privaliges? Why does IE need the privalages of the current user on NT/2000 when all it does is browse the web?
    • Re:Question (Score:4, Insightful)

      by pVoid (607584) on Thursday November 21, 2002 @11:00AM (#4722673)
      The current user is a perfectly safe security context - unless, you are doing the same stupid thing 98% of bad users out there do: run as admin.

      IIS needs to run as system for a couple of reasons that aren't worth detailing. The issue was the there was no distinction between Local-System, and Network-System as there is now in XP.

    • Re:Question (Score:5, Informative)

      by gmoschin (579009) <giuliano@moschini.org> on Thursday November 21, 2002 @11:48AM (#4723111) Homepage
      Actually, you can.. at least, on Windows XP.. I haven't tried earlier versions.

      Create a shortcut to Internet Explorer.

      Right-click the shortcut, choose "Run As.."

      The option "Current User" and "Protect my computer and data from unauthorized program activity" should be checked.

      Click OK to run Internet Explorer in "secure mode".

      Caveats to running in this mode:
      Your bookmarks or links won't appear, but they'll still be there if you run it in normal mode.
      Other web-based programs may not run correctly.

      You can test to see if it's working by going to Windows Update - if it's secure, you'll see something about having to run Windows Update as an administrator.
  • This is big (Score:5, Insightful)

    by ceswiedler (165311) <chris@swiedler.org> on Thursday November 21, 2002 @10:54AM (#4722616)
    Wow. Some heads must be rolling at Microsoft over this. Recommending that Microsoft be removed from the list of trusted signees? They're certainly not pulling punches on this one. It looks to me like they're placing a higher priority (with the treatment of this bug) on user security than company image. That's a first...

    The reason they're in this mess is the whole "trusted computing" paradigm which they started with this signed-ActiveX stuff and are continuing with Palladium. Perhaps this will make them reconsider. Quis custodiet ipsos custodes: Who watches the watchers?
  • by Anarchofascist (4820) on Thursday November 21, 2002 @10:54AM (#4722622) Homepage Journal
    All you linux freaks should pay attention - here is Microsoft issuing some very timely and correct advice.

    "Don't trust us"
  • by terradyn (242947) on Thursday November 21, 2002 @10:55AM (#4722629) Homepage
    Reproduced for your enjoyment:

    What steps could I follow to prevent the control from being silently re-introduced onto my system?

    The simplest way is to make sure you have no trusted publishers, including Microsoft. If you do that, any attempt by either a web page or an HTML mail to download an ActiveX control will generate a warning message. Here's how to empty the Trusted Publishers list:

    1. In Internet Explorer, choose Tools, then Internet Options.
    2. Select the Content tab. In the Certificates section of the page, click on Publishers.
    3. In the Certificates dialog, click on the Trusted Publishers tab.
    4. For each certificate in the list, click on the certificate and then select Remove. Confirm that you want to remove the entry.
    5. When you've removed all entries from the list, select Close to close the Certificates dialog, then click on OK to close the Internet Options dialog.
  • by MosesJones (55544) on Thursday November 21, 2002 @10:56AM (#4722642) Homepage

    Today the DOJ announced that they would no longer trust Microsoft and had removed Microsoft from the list of companies it would allow to police themselves. This was done on Microsoft's advice as they felt they could not be trusted not to screw around like they had before.

    "Lets face it" said Bill Gates "asking us to police ourselves is like asking Dan Quayle to front a literacy program, its just not a good idea"
  • Incredible... (Score:3, Interesting)

    by Pellelelle (133444) on Thursday November 21, 2002 @11:03AM (#4722701) Homepage Journal
    I didn't beleve this was true at first but this is actually what it says in the Security Bulletin:
    --
    What steps could I follow to prevent the control from being silently re-introduced onto my system?
    The simplest way is to make sure you have no trusted publishers, including Microsoft.
    --
  • by oconnorcjo (242077) on Thursday November 21, 2002 @11:03AM (#4722705) Journal
    but I think Microsoft is doing the right thing here. They are in a pickle and they have given a good solution (and one that is embarrasing to them). Of course what they should really do is redesign IE to not run in "root" mode but that is another story. I wish the slashdot editors did not relish so much the foibles of Microsoft in their editorial comments.
    • Ummm, IE doesn't run in root mode. IE runs as whoever you are logged in as. If that's an administrator, well then it has near root powers (root would actually be more analogus to the Local System account) including things like formatting the harddrive. However if you user does not have permissions to do things like htat, neither does IE.

      Most people just use their Windows systems as administrators, doesn't mean it has to be that way. You need administrator privledges to do things like install drivers and some software, but not to run what's already on there.
      • by Waffle Iron (339739) on Thursday November 21, 2002 @11:46AM (#4723090)
        Most people just use their Windows systems as administrators, doesn't mean it has to be that way. You need administrator privledges to do things like install drivers and some software, but not to run what's already on there.

        At least as of Win2K, so many things break when you try to run as non-administrator, it's just not worth it for most people.

  • by analog_line (465182) on Thursday November 21, 2002 @11:03AM (#4722708)
    ...that the only safe place to run a Microsoft browser is on an Apple Computer operating system.
  • WTF ? (Score:5, Insightful)

    by FauxPasIII (75900) on Thursday November 21, 2002 @11:04AM (#4722712)
    How is it that they implemented a cryptographic signature system and don't provide for revocation? Surely somebody's missed something here...
    • Re:WTF ? (Score:3, Interesting)

      by kcurtis (311610)
      Sure they did. I think you did not read the notice, and are the one missing something here...

      From bulletin:
      ===
      Why not revoke the certificate that was used to sign the control?

      The certificate that was used to sign the control is still valid - the problem lies in the control, not the certificate. In addition, a number of controls have been signed using the same certificate, and revoking the certificate would cause all of them to become invalid.
      ===

      Additionally, there is this tidbit, about killing the control w/o revoking the certificate:
      ===
      Will Microsoft eventually set the Kill Bit on this control?

      Yes. Microsoft is developing a new technology that will enable it to set the Kill Bit on the vulnerable version of the control without forcing users to re-author web pages containing references to these controls. When the new technology is available, we will ensure that this fix uses it.
      ===

      Bottom line: they *could* revoke the certificate, but it would screw up other controls that use it.
    • Re:WTF ? (Score:5, Insightful)

      by dbarclay10 (70443) on Thursday November 21, 2002 @11:53AM (#4723162)
      They did. The reason why they refuse to revoke this control is that many sites hard-code the object ID, thus they would stop working.

      While I commend them for suggesting a fairly complete solution (including not trusting Microsoft-signed controls any more), I piss on them for not being willing to revoke the old control simply because some sites would not work.

      Were they to do this, there's no doubt that administrators and programmers everywhere would TRULY understand the issue, and fix their code to not use the hardcoded value. Instead, Microsoft is coddling them, and now we have another hundred thousand zombied machines in DDoS attack-networks.
  • by Mr_Silver (213637) on Thursday November 21, 2002 @11:04AM (#4722713)
    See this comment [slashdot.org] followed by my response [slashdot.org].

    People don't move to something because, firstly it's something different and many people are happy to stick with something comfortable. Secondly many people don't see the point in downloading something that they already have installed ("it works for me, why do I need anything else?" mentality) and finally, for many people they never experience the nasty possible ill-effects of these security alerts.

    Sure, plenty of people were hit by Code Red but it never really affected them. Sure it affected their computer, but as far as their documents were concerned - there was no change.

    Until we see a security alert that does cause damage to personal files and does roam rampant in the wild, the average Joe Blow user doesn't give a toss whether or not there 6 or 6000 security alerts.

  • by Kanagawa (191142) on Thursday November 21, 2002 @11:04AM (#4722723) Homepage
    I'm no M$ fan, but I deal with it at work so I make a point at figuring out how to deal with the problems. Frankly, this isn't a suprise. The most well secured enterprises I've seen allow only internal ActiveX publishers -- ActiveX is just too hard to make safe.

    Looking forward, I recently picked up .NET Framework Security [amazon.com] -- anyway, it seems like Microsoft is at least attempting to solve this particular problem. And, their approach isn't completely idiotic. Really.

    Mobile code that runs in the .NET common language runtime (read: M$ JVM) is controlled by a fairly sophisticated access control system. The default policy in XPsp1 from M$ allows no code from the Internet to execute, at all. Not exactly what I want as a user, but its what I want as an admin...

    Frustratingly, you can't run .NET mobile code without also enabling ActiveX controls. Not sure what the issue there is, but I suspect the CLR loader is some sort of ActiveX control. Anyone know about that?

    Anyway... here's some additional links to M$ references on mobile code:

    Security in .NET: Enforce Code Access Rights... [microsoft.com]
    Security in the .NET Framework [microsoft.com]

    • allow only internal ActiveX publishers

      Does anyone have any reason to allow ActiveX at all? It seems to pretty consistently be a low-benefit recipe for trouble...
    • by goombah99 (560566) on Thursday November 21, 2002 @12:29PM (#4723486)
      From what I have read .NET has a similar design flaw. Where java uses rigorous theorem proving approach to making sure that code cannot exceed its authority, .NET once again trusts code that has been signed rather than attempting to check it. The reason for this apporach I believe is 1) the potential for speed by distirbuting compiled binary rather then VM code 2) the ability to take quick shortcuts, call undumented APIS and the litiny of other very handy but bad programming ideas that make MS what it is.

      So this is news because it blows the doors off the signed executable philosphy and makes the sandbox philosohy of the java VM look like the only viable approach. Notice that the JAVA approach would have avoided both problems. first it would have avoided the buffer overrun problem in the first place since that would be caught by the VM when it examined the code, and second there would be no signed app trustworthyness issue.

  • by peculiarmethod (301094) on Thursday November 21, 2002 @11:06AM (#4722740) Journal
    Doesn't anyone consider this a mysterly convenient way to incourage the masses of windows users who won't drop them to move over to XP? All the news sources highlight that XP isn't vunerable.. yeah.. not with THIS flaw. I wondered how long it would be before they started admitting the really bad flaws in all the other versions to move everyone towards their .net mordern os. hmph

    or maybe I'm just nervous 'cause my coffee just accidently cross bred with a poison-ivy staph-infection vaccine GE plant and was recalled after I drank it

    pm
  • Install MDAC 2.7 (Score:4, Informative)

    by Brazzo (22202) on Thursday November 21, 2002 @11:07AM (#4722749) Homepage
    Yes, there are still bugs with MDAC 2.6; install MDAC 2.7. You'll note at the bottom of the security update that MDAC 2.7 is not affected by this issue.

    Here's a URL for you, even...

    MDAC 2.7 Refresh [microsoft.com]

    Keeping Windows secure is hard, but it's easier if you install the recent components...

    • Re:Install MDAC 2.7 (Score:3, Informative)

      by stefanb (21140)
      Yes, you need to install the patch.

      However, the issue is that even after you've installed the patch, you're still vulnerable, because the vulnerable version will be downloaded and executed as soon as you hit a Web page requesting that version, since it's signed by Microsoft, and most installs trust stuff signed by Microsoft.

      Sheesh, now /.er don't even read the blurb anymore?

  • by virtcert (512973) on Thursday November 21, 2002 @11:07AM (#4722751) Homepage
    According to the MS release, the reason that they can't simply revoke the certificate for the control is that they signed other controls with the same certificate.

    Wouldn't it make sense for them to just sign every control with a DIFFERENT certificate, so when one is found to be flawed they can revoke the cert and only the new version will install easily?

    It's not like MS can't afford the cost of the individual certs, if they aren't a CA themselves already...
  • by leoboiko (462141) <`moc.liamg' `ta' `okioboel'> on Thursday November 21, 2002 @11:09AM (#4722772) Homepage
    So Microsoft says to not trust them. Ok, I will not trust. But then I don't believe in this request. So I should trust MS. Ok, I'll trust'em. But then the request is true, and I should not trust...
  • by Futurepower(R) (558542) <MJennings.USA@NOT_any_of_THISgmail.com> on Thursday November 21, 2002 @11:10AM (#4722777) Homepage

    While researching the article linked below, I developed the impression that Microsoft has for years allowed its programmers to submit sloppy code. Now bugs are not easily found or fixed because everything is a mess.

    Windows XP Shows the Direction Microsoft is Going [hevanet.com].
  • by bfrog (586355) on Thursday November 21, 2002 @11:11AM (#4722784)
    Here's a theory I've long held regarding the excessive number of buffer overrun security holes in MS software:

    The lack of an snprintf method in the DevStudio standard C lib causes MS developers to use the unbounded sprintf instead, potentially resulting in buffer overruns.

    What do you think?
  • by smitty_one_each (243267) on Thursday November 21, 2002 @11:12AM (#4722790) Homepage Journal
    I'm interested in seeing any other browser that can provide robust, arbitrary plug-in support without a security compromise.
    Security and utility are two contestants in a zero-sum game.
    Which is not to say that <insert browser here> isn't a technically superior product...
  • by KjetilK (186133) <kjetilNO@SPAMkjernsmo.net> on Thursday November 21, 2002 @11:12AM (#4722791) Homepage Journal
    Oh well....

    From MS02-065 [microsoft.com]:

    After emptying the Trusted Publishers list, if I do see a warning saying that a web site or an HTML mail wants to download a control, how can I decide whether to let it proceed?

    The best criterion to use is whether you trust the web site or the sender of the HTML mail. If you don't trust the web site offering the control, cancel the download.

    So, who want to bet that the e-mails we will soon see circulating will have something like:

    From: billg@microsoft.com
    Subject: You can safely trust me

    <html><body> Please read this e-mail carefully and make sure you download the provided control.

    Asking people to decide whether or not they trust somebody based on, uh, well, whatever, that's asking for disaster. People will do that based on what they see in the From-field, most likely...

    Well, admittedly, I haven't touched a windows machine in a long time, so I might be totally off here... :-)

  • by Theodore Logan (139352) on Thursday November 21, 2002 @11:18AM (#4722850)
    Perhaps it's the same exploits mentioned in the linked Slashdot article, and in that case pardon my ignorance. If not, I haven't seen these nine security holes [greymagic.com] talked about at too many places. Why I don't know. They are certainly vicious.

    However, I am getting a little tired at all the MS bashing on Slashdot. It has been said before, but do we really need to have a story posted each time an Outlook/Explorer security breach, no matter how insignificant, is made public?
  • XP is OK! (Score:5, Insightful)

    by kir (583) on Thursday November 21, 2002 @11:19AM (#4722852) Homepage
    You know? Wasn't XP not affected by the last round of IE "your ass is hanging out" vulnerablities? Hmmmm.... interesting?!?!?!
  • by awptic (211411) <`infinite' `at' `complex.com'> on Thursday November 21, 2002 @11:19AM (#4722856)
    If this doesn't affect XP, why can't Microsoft just issue a patch that installs the Windows XP components which aren't vulnerable? And also... why the hell isn't XP vulnerable? maybe they knew about this for a long time...
  • by oktaya (267014) on Thursday November 21, 2002 @11:20AM (#4722863) Homepage
    "The simplest way is to make sure you have no trusted publishers, including Microsoft."

    So OK. If this signed certificates thing was a good idea to begin with, why are they suggesting people remove ALL trusted publishers?

    It's only Microsoft's own certificate that can reintroduce the problem. Why would they advise removing all certificates?

    Is it because they think their users are too stupid to remove Microsoft only? Are they trying to look less bad by making it look like the problem effects all publishers? Or are they simply admitting that this signed certificate thing isn't working?

    Oh, if we can't run anything we want on your system, nobody else should either. pfft.

    oktay
  • by autopr0n (534291) on Thursday November 21, 2002 @11:43AM (#4723051) Homepage Journal
    Why all the focus on microsoft products, I submitted an exploit for opera a month or so ago, and it was rejected.
  • by CodeShark (17400) <ellsworthpc@[ ]oo.com ['yah' in gap]> on Thursday November 21, 2002 @11:53AM (#4723167) Homepage
    'xcuse me -- thought I'd pulled a Rip Van Winkle and woke up just in time for a Malda & Co. April Fools Joke.....Microsoft admitting that that content from Microsoft can't be trusted?

    --note to self--

    Consider buying stock in proposed Hades Ski and Ice Skating resort... it must be getting real cold down there about now, somewhere between slushy and completely frozen over.

  • by geoff lane (93738) on Thursday November 21, 2002 @11:56AM (#4723188)
    For those of us still running Win95 on hardware that cannot support '98 or XP there is no fix for the recent critical IE security problems.

    So, to fix this particular little problem needs a hardware replacement "upgrade" :-(

  • by pixelated77 (472348) on Thursday November 21, 2002 @11:56AM (#4723194)
    Microsoft has warned about a security hole in Notepad. While Microsoft prepares a fix, it advises that we all use EDLIN in the mean time.
  • by insac (623145) on Thursday November 21, 2002 @12:04PM (#4723264)
    (...)
    "The simplest way is to make sure you have no
    trusted publishers, including Microsoft. If you do
    that, any attempt by either a web page or an HTML
    mail to download an ActiveX control will generate a warning message."
    (...)

    We could use this idea also with SPAM. Why use Bayesian filters (that aren't still 100% safe)? We could open every single message and decide if it is SPAM or not. If it is SPAM we can then delete it... it's easy!!

    This message doesn't need a signature
  • by Anonymous Custard (587661) on Thursday November 21, 2002 @12:08PM (#4723291) Homepage Journal
    From the MS Technet article [microsoft.com]:

    Q: Why would an attacker be able to silently re-introduce the old version of the control? Shouldn't there be a warning message?

    A: A warning message is generated anytime there's an error associated with a digital signature (e.g., a bad signature or expired certificate) or the signer isn't trusted. But in this case, the digital signature on the old version of the control is still valid, and the signer is Microsoft - which is a trusted publisher in many cases. Because of this, most users would not see a warning message of any kind if the old control was re-introduced.


    Ha! Microsoft is now providing very well written ammunition to the Anti-DRM movement; this makes me very happy.
  • CNN (Score:4, Interesting)

    by theonetruekeebler (60888) on Thursday November 21, 2002 @01:21PM (#4723971) Homepage Journal
    CNN's headline for the story [cnn.com] is: Microsoft: Yet another security flaw. The story describes it at the 65th alert MS has issued this year and notes that MS has dumbed down its security alerts to the point that the people affected by them (e.g. darned near everybody) can read them.

    I really like that the mainstream press is using "yet another" here. Think about your neighborhood: if somebody down the street gets burglarized, it's a terrible thing, but it's an isolated incident, and in a couple of days, you'll unload the shotgun and soundly again. But when two houses a week get broken into, well, you're gonna start acting like there's a pattern here.

    What will happen when people start treating Microsoft's security lapses like the epidemic they are?

"From there to here, from here to there, funny things are everywhere." -- Dr. Seuss

Working...