Forgot your password?
typodupeerror
Security

Weekly Microsoft Critical Security Issue 518

Posted by CmdrTaco
from the yet-another-choice-hole dept.
An anonymous reader sent in linkage to a zd story discussing the latest Windows Security Patches including an especially nice hole letting Java apps gain total control of your machine and assist you in reclaiming disk space by, say, reformating your drive.
This discussion has been archived. No new comments can be posted.

Weekly Microsoft Critical Security Issue

Comments Filter:
  • by slide-rule (153968) on Thursday April 10, 2003 @02:02PM (#5703571)
    ... that my Java skills can be used for evil, rather than good. ;-)
  • jvm (Score:5, Interesting)

    by AbdullahHaydar (147260) on Thursday April 10, 2003 @02:02PM (#5703575) Homepage
    which virtual machine is it that caused this? The one before or after Microsoft added their own extensions? (which caused the whole MS-Sun lawsuit)
    • Re:jvm (Score:4, Informative)

      by jhouserizer (616566) on Thursday April 10, 2003 @02:04PM (#5703599) Homepage

      It's MICROSOFT'S JAVA IMPLEMENTATION.

      The problem is NOT Java.

      The problem is (and always has been) Micro$oft's purposely broken version of Java.

      • Re:jvm (Score:5, Insightful)

        by fervent_raptus (664099) on Thursday April 10, 2003 @02:17PM (#5703723)
        I doubt Microsoft would intentionally break their over version of Java. Of course they want to make Java look bad, but creating holes in their own version would simply cause people to switch to Sun's version.
        • Excacly how many Windows users (that aren't Java developers) have switched to Sun's version, rather than just turning off all Java support?

          I'd guess the number is very near ZERO.

          • Re:jvm (Score:3, Insightful)

            by Andrewkov (140579)
            My company has an e-commerce site that our customers use to place orders, check stock, pick up invoices, etc. The app has many Java applets, and requires the Sun Java-Runtime, so we install it on all their PC's, so some people are using it!
        • by Ryosen (234440) on Thursday April 10, 2003 @03:54PM (#5704673)
          Microsoft intentionally extended the core API by introducing additional instructions to access the underlying Win32 operating system. Had they done this by providing a separate API, there would not have been any problems.

          Unfortunately, Microsoft chose to take a different approach and introduced new operators into the core byte-code interpreted by the Virtual Machine. As these additional instructions were only valid within Microsoft's version, users were effectively left with no choice but to use the exact VM for which the code was compiled. This decision by Microsoft to modify the base instruction set of the Java language made it impossible to port code from one platform to another, thereby ensuring that users would have to remain on the Windows platform. In fact, Java programs compiled for MS's VM would not even work on the same OS if another vendor's VM was used to run it. This is why some applets wouldn't work with the JVM shipped with Netscape (which was Sun's JVM).

          The instruction set supported by a Java VM is determined and maintained by Sun. In order to implement your own VM, you must agree to a license with Sun stating that you will not modify the core instruction set. In adding direct support for OS access (such as formatting a hard drive), Microsoft violated this license agreement. Microsoft also added their own keywords to the core language (delegate and multicast [sun.com]) which further ensured incompatibility.

          The Java byte code is a single byte in size and, as a result, the Java VM spec supports up to 256 op codes. Not all of them are used, however. Out of those potential 256 opcodes, only 200 valid operators are specified. Opcode 186 is not used, opcode 201 is used for debugging, and codes 254 and 255 are used for trapping and tracing. The remaining opcodes are reserved for future use. Clearly, if a compiler introduces new opcodes, the other compilers won't know about them and won't be able to run programs built with those opcodes. This is in direct violation of the VM specification and is exactly what Microsoft did. This was the basis for the Sun v. Microsoft lawsuit, for which Microsoft was found in willful violation.

          So, it would seem as if Microsoft did intentionally break their own version of Java.

          If you still do not understand how Microsoft did this on purpose, I suggest that you take a look at the Java Virtual Machine Specification [sun.com], as well as a nice book on general compiler theory [amazon.com].
    • RTFA (Score:5, Informative)

      by Dr. Bent (533421) <ben@nOSpAM.int.com> on Thursday April 10, 2003 @02:05PM (#5703613) Homepage
      In the second paragraph:

      The three warnings, all issued on Wednesday, involve the Microsoft Virtual Machine for running Java applets on Windows

      So it's Microsoft's VM implementation...
  • But quickly fixed... (Score:5, Informative)

    by pro-mpd (412123) on Thursday April 10, 2003 @02:02PM (#5703581) Homepage
    OK, so I hate MS for building unsafe software. But this time, I have to give them credit. I woke up this morning to my computer telling me that there was a critial update waiting to be installed, and it was this one. I read about the vulnerability on the web *after* installing the patch, so I am kinda glad that MS shoves updates down my throat.
    • by ManUMan (571203) on Thursday April 10, 2003 @02:08PM (#5703651)

      One can be excited when they patch things this quickly. My real concern is to whether we will see tons of patches for forthcoming software. That is, will all of the talk of more 'secure' computing be just talk.

      I certainly agree that Win 2k, XP, etc. all seem to have more security bugs than you can shake a stick at. Given the problem, the question is can MS make any sort of headway? Can they actually offer a product that will really be stable and secure? My theory is that we will know a lot more about the answer to these questions in six months. If Win 2003 server has 18Mb of patches in the first 6 months then we will know the answer. Personally, I am hoping the start doing better.

      • I certainly agree that Win 2k, XP, etc. all seem to have more security bugs than you can shake a stick at

        Try subscribing to Redhat's automatic update feature. See how many security updates you get then! :-)

        To be fair though, these updates are nearly always for applications, not for the operating system.
        • To be fair though, these updates are nearly always for applications, not for the operating system.
          Do you mean Redhat's updates, or Microsoft's? Because, to be really fair, you have to note that most of the MS security updates aren't part of the OS either.
          • I was talking about Redhat. Other than one MS SQL bug, and a handful of IIS ones, all the Microsoft security problems I've heard of are entirely part of their operating system (this includes the Explorer ones, since MS say its a tightly integrated part of the operating system). If KDE had lots of security vulnerabilities, I'd dump it and use Gnome instead - it's just an application (or a suite of applications). I know there are a lot of Apache, Sendmail, etc, security alerts too, but these products have nev
    • If I woke up this morning and found out that my computer had been speaking with Microsoft in the middle of the night, I'd format the damned thing. That kind of stuff shouldn't be tolerated.

    • by bittmann (118697) on Thursday April 10, 2003 @03:35PM (#5704491) Journal
      Yes, maybe, but...

      Thanks to a long list of overlapping issues, this is going to cause my employer (and a vendor that shall remain nameless to protect the guilty) a bit of a headache--and I doubt that we're alone in the world on this one.

      We are running a Digital Imaging (digital radiology) sytstem that has a web-based server for allowing physicians to review images and interp from "any PC". The viewer itself is Java based...no client required (ahem...vendor speak. Client is downloaded automatically, perhaps? Anyway...) The elimination of the need to manage/install/maintain a client on thousands of different machines was one of the biggest reasons that management chose this particular system/particular vendor.

      Background:

      Here's how the IT assessment of the product went...

      Yay...Java! This will run on any PC! Well, not Mac or Linux, but since we aren't a Mac or Linux shop, this is acceptable (this should have been our first clue).

      Well--make that "any PC running Internet Explorer". Perhaps it's something with a particular DOM. We can live with that. We're running IE on all of our machines, anyway.

      OK--make that "any Windows PC running Internet Explorer, using Microsoft's Virtual Machine. Sun's won't work". WTF? I thought this was JAVA. Let me guess...this was written using MS Visual J++, right?? Anyway, according to our management (who is undoubtedly quoting straight from the vendor), "it's a lot faster this way."

      Ummm--make that "any Windows PC running Internet Explorer, using one of a few versions of Microsoft's Virtual Machine...the most recent ones will *break* the app". Now, where did *that* come from? But sure enough, if an employee gets overly "helpful" and tries to update their system (we still have some 9x systems on the network, and the boss won't let me firewall the Windows Update site), the application breaks. So whatever the vendor did isn't entirely "legal"...the latest VMs "fix" an undocumented feature that they are depending on...

      Final analysis: "This sucks. Either plan on installing their Honest-to-Pete MS-VC++ client on 1,000 PCs or pick another vendor."

      So, yes, management went ahead and bought the package - warts, J++ and all - from the vendor for a goodly sum, over the objections of the IS review committee. Yes, we've fought with said vendor for the last few months, to no avail (yet). No, the vendor (until now) claims that there is no reason to update their code to be fully Java-as-in-Sun compliant (or even Java-as-in-current-Microsoft compliant, for that matter), and that we should basically stop whining and get over it. But perhaps, just perhaps, we can now point to this and say "Look. Your cusomers *are* at risk. We *must* upgrade our JVM...we have no choice. If your software won't run on the resulting platform then it's not performing as indicated, which frees us from the contract and any pending payments coming due. Hint Hint."

      Well, I'm not holding my breath on the vendor updating their code. I am holding my breath about this cycle of Windows Update problems, however. I imagine that the trouble tickets are already starting to come in to our PC support area. "The Radiology viewer doesn't work," they say. "I can't do my job...fix it now!" they demand. Much work to uninstall the new VM. Much work to re-install an older version so they can "do their job". And much sweating while we hope to dodge the bullet of a malicious Java applet through a combination of virus detection software and dumb luck.

      Sometimes, a blind patch via Windows Update isn't the best thing to do, unfortunately.

      Am I blaming Microsoft for building unsafe Operating System software? Well, yes, but I'm also a realist--you can't expect perfection. But what I'm really blaming Microsoft for is their knowing and purposeful design and dissimenation of a Java VM and Java development environment that was built to be incompatible with Sun's Java. I'm also blaming the vendor for helping support Microsof
  • by s20451 (410424) on Thursday April 10, 2003 @02:03PM (#5703583) Journal
    That'll work out great. I just downloaded the RH9 ISOs.
    • A great java bug would cause the infected computer to download the Mandrake iso's and perform the install after the disk format..
      if a virus of this sort were possible, and bandwidth bigger it would be interesting to see a rampant virus of Penguins.

      • if a virus of this sort were possible, and bandwidth bigger it would be interesting to see a rampant virus of Penguins.

        You mean, like in xbill [xbill.org]?

  • It hasn't been too nice for Open Source recently though has it?

    Couple of remote roots in Samba, a local ptrace in the kernel and a few OpenSSL probs to get you on the system initially.

    • And apache DOS, Sendmail holes...Point well taken

      Rus
      • Yeah but you expect holes in Sendmail. And Bind. Announcement of such holes is how I know the open source security auditing is working correctly. If a hole doesn't get announced in one of those two packages within a certain period of time (We're just about up for another Bind one I think) I start getting nervous. It's like all those thousands of people reading over the code all got up and went on vacation.
    • by the_pooh_experience (596177) on Thursday April 10, 2003 @02:51PM (#5704060)
      It hasn't been too nice for Open Source recently though has it?

      It is interesting you say this, and I think this is to blame for a good amount of FUD on both sides.

      First off, anyone thinking there will make an uncrackable system is both naïve and asking for someone to break into their system. No one will make an unbreakable system (and plugged in), it is just that harder systems will take longer to break.

      In this same vein, the nature of a piece of software's security can not be measured only in security updates or patches. You are right, OSS has had cracks recently, but the fact that you know about them and that (most) of them are fixed is reassuring. I would venture to say that something that didn't have patches or updates was simply not worth hacking, or not maintained (i.e. MS has not sent out patches/security updates for Win3.1, but does that mean there are no more problems with it?)

      On the other hand, This believe must be mitigated by the understanding that more vulnerabilites announced are also not necessarily a good thing, and may reflect in shoddy programming.

      This is the double edged sword that we must cut ourselves with. The real "tell" (I believe) is the level of sophistication in (most of) the vulnerabilities. Unfortunately, I know almost nothing, so I leave it up to others to tell me how bad they are. I guess it is a good thing I am not a sysadmin.

  • by Anonymous Coward
    They don't run sendmail! Can you imagine having to keep up with patching Windows AND sendmail?!
  • Hmm... (Score:4, Interesting)

    by Anonymous Coward on Thursday April 10, 2003 @02:03PM (#5703592)
    Doesn't it seem just a little strange that the Java VM, which MS removed from XP until it was forced to reinclude it by court order (still under appeal, I believe), has a critical security hole found?

    The timing seems a little too good to be true...
  • JDK (Score:5, Funny)

    by WPIDalamar (122110) on Thursday April 10, 2003 @02:04PM (#5703598) Homepage

    Good thing Microsoft JRE is so broken, that all exploits ended up not working!

    Write once, debug everwhere.

    • Write once, debug everwhere.

      That's copyrighted by Symantec -- it was the ad tagline for the debugging component of Visual Cafe.
      I don't think they knew how funny it was, but I had it on my cube wall for a time (1998-1999 era)

      --
  • Ok (Score:2, Insightful)

    Ok well Linux users have been hammering on the "Windows is insecure" thing for what -- 6 years now? And Windows' market share is as good as it ever was, perhaps even a bit better. Time to try a new strategy? This one is getting boring!
  • So? Does this mean that they have found Java applets on the web that actually are not intended to be malicious?
  • by pair-a-noyd (594371)
    More *bad* flaws in winblows!!
    Mo money for me! Everytime this happens I go out and patch up my customers. Cha-ching, cha-ching!

    And I always offer and *suggest* that they go with Linux but they are *afraid* of change.
    They would rather live in fear and subserviance than live in security freedom...

    Go figure..
    • ...security freedom...
      Not that I love M$, but it seems that your bashing Micro$haft unjustly. Linux seems to be pumping out even more fixes and patches than old Billy boy's crappy product.

      It seems like for the last month or so I have received at least 2 RedHat erratas a day, and the majority of them are for security reasons.

      For my RedHat email server, there have been 98 updates put out by RedHat and the Linux community. Of those 98, 16 were bug fixes, 4 were enhancements, and 78 were for security c
      • How many have been for the acutal operating system? Like say the kernel or glibc?

        And how many patches were included in the service patches?
      • Linux has millions of people looking through its source code. More than Microsoft could feasibly have. And yet, your post seems to indicate that Windows has about the same amount of fixes (service packs containing multiple fixes) as Linux in the equivalent amount of time. I wonder how many more flaws there are that haven't been discovered yet?

        Microsoft did well in this instance, and perhaps this is the start of their focus on security.

        You'd think though, that with a software company that's as big as Micro
  • Not quite true... (Score:4, Insightful)

    by presroi (657709) <neubau@presroi.de> on Thursday April 10, 2003 @02:05PM (#5703617) Homepage
    I don't agree with the intention of the message. While it is true that this bug allows the execution of commands, it does this only with the rights of the owner of the user account. In Unixian, this is not a remote root exploit.

    Nevertheless, my last sentence becomes quite irrelevant, as Windows user tend to work as $root.

    • In that case you can't fully blame m$, as you wouldn't blame a unix manufacturer if a unix admin was always running root, and a small bug could prove to be disasterous.
  • by purduephotog (218304) <hirschNO@SPAMinorbit.com> on Thursday April 10, 2003 @02:06PM (#5703625) Homepage Journal
    ... I've received about 30 RHN "Security Updates" via email in the last 2 weeks... and their servers are slammed so that I can't download a single one of them.
    Would this be considered Microsoft bashing? Nahhhhh....
    But of course I won't mention that windows Update is free and it worked immediately after I got notice of the patch.
    • RHN "Security Updates"... and their servers are slammed so that I can't download a single one of them.

      Really? I've had no problem whatsoever. up2date seemes to grab them fine for me. Then I can ship them to whichever machine I want to.

      Must be your network...

    • OTOH, you paid for Windows (didn't you? ;)) which includes Windows Update access. If you paid for an RHN subscription, you wouldn't be locked out of RHN via up2date when load is high. You can still log in to your personal RHN page and select/download/install the updates manually, even with the free service.
    • Similar to the other poster: You still can grab all the updates for your affected system directly via the provided links in the RHN Alert mail and load them via rpm -U or whatever you like.
    • Are you so sure that ALL of them are security updates? I see ones that are bugfixes go buy occasionally.
    • And those updates are for what?

      Sure there are _lots_ of vulnerabilities in the Linux distros but look at what they include. A typical Linux distro contains everything a typical desktop and/or server user could want. Most distros contain at least 3 mail servers. How many mail servers ship with Windows? How many serious apps are considered part of Windows? Yet in this case you are comparing one application to an entire distribution! I guarantee that if you plug as many apps into the Windows Update serv
    • Make the next version of Windows available for free download from their servers and let's see how well they hold up.

  • Finally! (Score:2, Funny)

    by Anonymous Coward
    /* sarcasm */

    Finally someone wrote something to get rid of all that spyware thats installed itself on my system! Thank you MS!

  • Help me out here (Score:3, Insightful)

    by The Bungi (221687) <thebungi@gmail.com> on Thursday April 10, 2003 @02:07PM (#5703642) Homepage
    Every time I head on over to SecurityFocus or even some of the Linux sites that aggregate feeds from security sites I see a bunch of Linux and BSD - and all manner of open source software - holes, exploits and vulnerabilities. They apparently get reported and patched with the same speed as the Microsoft (and other platform) security problems. So why isn't there a "Weekly Linux Critical Security Issue" as well?

    Just curious. I mean, if the intent is to inform.

    • From my experience Slashdot is pretty good about posting about any remote root exploit. Not their fault that most windows exploits tend to be of a severe type. [despite the fact that there are far fewer]
    • Yeah, taking a piss at MS in this manner just reduces slashdot's (already dubious) credibility. I've worked with both windows and linux machines in a production online environment and I can say that I've had to scramble to fix security holes for both of them in the last year. The apache chunk vulnerability and one of the recent ssh vulnerabilities really sucked, but that might be just because I've trusted apache+ssh more than I've trusted the windows machine.

      However, despite having to scramble for bugs o
      • With Windows, it's run their patch application and hope it doesn't screw anything up

        You certainly have a point there. I've become very selective in what type of update I apply to my boxes, because of the potential I see for something going belly up when 15 "cumulative patches" are applied at the same time. IMO, Microsoft's solution to this problem is closer to being a problem itself. The "OK, we'll disclose all the bugs and here are all the patches for them" approach doesn't really work. For me, at least.

    • As a matter of fact:

      KDE 3.0.5b and KDE 3.1.1a [kde.org] were announced today to address a Ghostscript-related vulnerability.

    • There's a huge difference between a flaw like this in the VM that microsoft ships that can be used to format your HD by viewing a web site and some bug in a library that can impact maybe a handful of people.

      You have to compare the SEVERITY and NATURE of the bugs. Sure, there are bugs with whatever OS, but as to this level of Severity and of this Nature, you're just wrong, there are not that many with Linux, Apple or Solaris or whatever. Windows takes the cake.

      If you think this is all overblown hogwash,
  • by Anonvmous Coward (589068) on Thursday April 10, 2003 @02:08PM (#5703646)
    Geez guys, why can't you go a day without publishing anti-MS crap! Don't you think that if this were really a problem that people'd be aff.... K(R*AB(*D [NO CARRIER]
    • Not really, anti-MS-crap. This is relevant to you if you are a regular /. reader, because potentially someone could do these.
      1)Write a bit of "malicious code"
      2)Post it on a webpage
      3)Make it as his homepage on /. or add it to his .sig and say "click here for naked chicks"
      4)Wait
      5)Profit???
      Slashdot is widely read (how mnay millions was that) and is largely visited using IE (70% ?). Even if a small percentage is unpatched that is a lot.
  • One of the vulnerabilities in the VM if exploited could allow your hard disk to be formatted. Well, that takes care of that problem.
  • Dilemma. (Score:5, Funny)

    by Anonymous Coward on Thursday April 10, 2003 @02:08PM (#5703654)
    So I now have two options.

    * Let baddies in at their will.
    * Run Windows Update, expose my machine to Msoft, sign away my soul through the patch EULA.

    Help!
    • If you don't want to run Windows Update, or don't want to use Internet Explorer 5+ in order to use Windows Update, here is a list [microsoft.com] of recent security related patches that you can download individually.

      Of course, you should realize that you have already signed your soul over to Microsoft by having Windows on your machine. You might as well close your eyes and agree to the EULA for Windows Update.

  • by Znonymous Coward (615009) on Thursday April 10, 2003 @02:10PM (#5703668) Journal
    From the office of Iraqi Information Minister Mohammed Saeed al-Sahhaf (aka Baghdad Bob):

    "Lies all Lies! The infidel Linux computers are not secure. The coilation will fall in the wake of the mighty secure Microsoft operating system!"

    More at 11.
    • Iraqi Information Minister Mohammed Saeed al-Sahhaf (aka Baghdad Bob)

      I love that guy! He reminds me of a skin-and-bones girl with anorexia asking "....Am I fat...?"

  • by dtolton (162216) on Thursday April 10, 2003 @02:11PM (#5703674) Homepage
    As the main post points out this is pretty much a weekly news release from Microsoft. It's interesting because in some ways I get suprised by the severity of the bugs such as allowing a huge hole in the Java VM, that would allow someone to format your hard drive or a bug in Proxy Server that would allow a single mal-formed packed to max the CPU at 100%. On the other hand I'm suprised Microsoft doesn't have more of these bugs.

    I think this is where the philosophical differences of Open Source Software really make a big difference. Even though OSS still has bugs, the live testing cycle is un-paralleled. However I think the biggest difference boils down to this: there is no one saying we have to have this product out the door by XX date. Rather it becomes stable when it's ready, but you can use the development version if you need or want.

    As the lines of code in software grows and the complexity increases, I think we will see a greater number of more sever bugs in closed source systems. Ultimately I believe this will be one of the critical factors leading to OSS's long term success.
  • Applets, not apps. (Score:4, Informative)

    by vidnet (580068) on Thursday April 10, 2003 @02:11PM (#5703681) Homepage
    Big difference. Apps have total control by default, while applets are supposed to be harmless.
  • by NetCurl (54699) on Thursday April 10, 2003 @02:12PM (#5703688)
    I can honestly say that it baffles me as to why Microsoft continues to hold such a huge stake in most of the computing world. I don't understand why people continue to digest what is carelessly tossed out of Redmond, WA.

    I can understand the need for an array of software unavailable on any other platform (though, what percentage of that software is actually GOOD software?), and the platform standardization issues, maybe even "ease" of use, but honestly, the security and ridiculousness of the MS platform, ideology, and disregard of standards make me sick.

    What is the continuing allure? Do you really not mind running machines that are completely insecure? And how can they not fix their own NT 4.0 code? That's absurd. They pitch this solution for years, and bail when the cost to fix their crap gets too high.

    I'm not trolling, I'm baffled. Someone tell me why this continues?

    • i think people just don't know about computers when it comes down to it. If people buy a home computer, chances are it will come with windows. Then they go to work, and all of the work computers run windows. People don't think there is anything else in existence to run a computer, unless they get a mac. When I go to the grocery store, I have a choice of maxwell house or folgers or eight o'clock, etc. Only recently have people gotten the ability to choose which OS they would like to run.
    • by RobinH (124750)
      I can honestly say that it baffles me as to why Microsoft continues to hold such a huge stake in most of the computing world. I don't understand why people continue to digest what is carelessly tossed out of Redmond, WA.

      Well, let me explain my situation:

      1) I have to use MS Windows at work. We use programs that only have windows versions, such as PLC programming applications. Plus, our customers and suppliers all have MS Word and MS Excel, and say as much as you want about OpenOffice.org being compatibl
    • I thought about this a lot too over the last year or so, and based on my experience, it's simply that despite all of the security risks, most companies aren't losing that much money on lack of security.

      I work for a company that has a good bit of Microsoft, some Sun and some linux deployed. Now, without getting into any religious wars over who's more secure, I'll simply say that the Microsoft servers have been compromised on more than one occassion. The Microsoft servers also got hit very hard by Code Red
  • by jpsst34 (582349) on Thursday April 10, 2003 @02:13PM (#5703701) Journal
    "...and assist you in reclaiming disk space by, say, reformating your drive."

    Well, that takes care of the wicked-long step 1 in uninstalling windows and installing linux! [linuxworld.com]

    That is, of course, if this vulnerability affects the version I'm running - Windows Herpes Edition.

  • Let me save many of us some time:

    "Well here we go again. A gaping security hole in Microsoft [ Operating System ]. This never would have happened if Bill Gates weren't just trying to make more money so he could buy more [ plural noun ] to fill up his mansion in [ place ]

    This is just one more reason why [ circuit court ] should [ verb ] that [ expletive ] company once and for all.

    [ Unix-based operating system ] only had this problem [ number ] in it's entire history, and there was a patch posted in under [ number ] minutes!

    [ Text-based word processor ] rulez! Micr- [ Insulting variation on 'soft' ] is the [ Traditional evil diety ]!"

    -----

  • i'm okay (Score:5, Funny)

    by misterhaan (613272) on Thursday April 10, 2003 @02:14PM (#5703708) Homepage Journal
    see, this is why i print out all of the data on my hard drives in binary every weekend.
  • One more of those bugs which can crash your computer because you viewed a webpage.The irony is that the update link tries to do an update through a webpage.ie you connect to MS website and it checks your computer through IE and does an update.(it does give me a warning though)
    When will microsoft(and others) understand that browsers are http clients and not meant to be used as means of running arbitrary code on a client machine, however secure it might be . The least you can do is to tell the client that co
  • Yes but ... (Score:3, Insightful)

    by Mr_Silver (213637) on Thursday April 10, 2003 @02:19PM (#5703747)
    and assist you in reclaiming disk space by, say, reformating your drive.

    <reality check>

    Until someone actually writes a massivily spreading virus/worm that jumps from Windows PC to Windows PC doing precisely that (formatting hard drives) - people are just going to patch it and not even think about changing OS.

    Hell, most people probably won't even patch it. What doesn't affect them, they don't care about.

    </reality check>

  • by wowbagger (69688) on Thursday April 10, 2003 @02:21PM (#5703764) Homepage Journal
    Well, it is now officially Thursday. Aa I've said before, I think there should be an
    Official
    So
    Happy
    It's
    Thursday for announcing MS holes.

  • "...assist you in reclaiming disk space by, say, reformating your drive." I've been looking for a good disk partitioning tool, and along comes Microsoft to help me out. Anyone know if a Linux port is in the works?
  • My Red Exclamation Mark has been lighting up much more frequently in the past couple months than my Automatic Update Icon.

    Just an observation.
  • ...at least they're down to one a week now.
  • This clearly is a bug of 'Mass Destruction', the only thing a responsible democracy can do is invade Redmond, and pull down Bill Gates statue, Is the 10th infanty div still busy? MM
  • The offending applet would have to set the evil bit in its packets anyway... ;-)
  • on windows boxen. come on, your hard drive can be reformatted by surfing to a web page! is it any wonder that people are so afraid of their machines???? and with the plethora of bugs and twiching that spouts out of Redmond, only a third of the poor L-Users will get a fix.

    is it just me, or does surfing the web on a win box feel like living in some bad neighborhood just trying to avoid the next drive by shooting???

  • The sun implementation in my personal opinion has been much better. Less vulnerabilities discovered/exploited, better performance, better compatibility.

    Why use this MS crap anyway?

    If you have to deal with Windows, at least get a good java implementation.
  • I've had no less than 4 seperate email warnings come from RedHat in the past week about programs that desperately needed to be patched. I guess that big major story slipped through the cracks, huh?
    • Could you go back and check the SEVERITY and NATURE of those bugs? Do any of them let a HD be wiped out just by surfing to a web page?

      You're delluding yourself and you're not employing a correct analysis and comparison of the problems.
  • Not a bug. (Score:2, Funny)

    by motox (312416)
    This is not a bug :

    From CNN, October 25, 2001:

    http://www.cnn.com/2001/TECH/ptech/10/25/xp.lond on .launch/index.html

    "The system promises fewer computer crashes and will allow users to delete data from their hard drive. "

  • Weekly Microsoft Critical Security Issue


    At least Microsoft is on a schedule. I never know when to expect a critical security patch for [favourite Linux distro name here]!
  • I've read this one after reading the one about the Concorde.

    Let me tell you something so that you feel safer: rest assured that the safety-critical systems of airplanes don't run Microsoft Windows (neither do they run Linux).

    Wasn't there a model of US warship that stalled because of Windows problems?
  • by Call Me Black Cloud (616282) on Thursday April 10, 2003 @03:18PM (#5704346)
    Anyone who needs Java, for applets, webstart, applications, should install Java directly from Sun. You'll get the latest and greatest implementation (for Windows anyway) and it will integrate seamlessy with IE so you'll never notice any difference (other than the time to download the damn thing).
  • devil known (Score:3, Funny)

    by spoonyfork (23307) <[moc.liamg] [ta] [krofynoops]> on Thursday April 10, 2003 @04:09PM (#5704809) Journal

    The Virtual Machine (VM) flaw is the most serious, meriting a "critical" rating from Microsoft.

    This jumped off the page at me. Could someone explain the value of Microsoft's merits of their own flaws?

"Mach was the greatest intellectual fraud in the last ten years." "What about X?" "I said `intellectual'." ;login, 9/1990

Working...