New Windows Vulnerability in Help System
wesleyt writes "CERT announced today a significant Microsoft Windows vulnerability related to IE and its handling of the Windows help subsystem. There are currently no patches available and no virus definitions for the major scanners. As well, exploits have been reported in the wild. Because the vulnerability is in the help subsystem, even users who avoid Outlook and IE are vulnerable, since IE is the default handler for help files. It seems that this is going to be an ugly one."
Not that big of deal (Score:3, Insightful)
Privilege level (Score:5, Insightful)
start the stopwatch... (Score:5, Insightful)
MS will fix it I guess (Score:1, Insightful)
Well, CERT says to disable ActiveX stuff, well, should be easy to fix I guess.
Hope they fix this one soon.
Re:Privilege level (Score:5, Insightful)
Not saying that your comment is wrong, just that for most people, convenience is more important than security.
Re:start the stopwatch... (Score:2, Insightful)
Re:Privilege level (Score:5, Insightful)
So basically, then, that makes it so that if the user gets infected by something, all it can do is destroy that user's personal files, and propagate over the network, as opposed to doing all that AND making the user have to reinstall Windows by mucking with system stuff?
That's nice for administrators--they can clean the machine just by wiping that user, but for the user that is not going to make much difference.
Re:Privilege level (Score:5, Insightful)
That's nice for administrators--they can clean the machine just by wiping that user, but for the user that is not going to make much difference.
Let's see, 1 hour of downtime while we reimage and reconfigure your machine vs. 1 minute to clear out your profile and let me work on pulling your data from a good known back up.
Re:Privilege level (Score:5, Insightful)
Re:Privilege level (Score:2, Insightful)
Re:Privilege level (Score:5, Insightful)
The problem is, not every Windows program out there is written to be aware of the fine-grained security model of Windows NT. In a 'perfect world' every Windows developer would code properly, with security in mind. As it stands, the complex NT security model is just ignored by a lot of people. It might work great in a locked-down corporate environment with a limited set of software, i.e. where the user isn't allowed to install anything, and the software installed is a narrow well-tested set. It won't ever work in looser environments. Given the lax 'security culture' of Microsoft and its user base, it's unworkable.
Re:Privilege level (Score:4, Insightful)
Typical stupid techie answer.
Restricted users have write or modify permission on the critical business files and databases. Which are 8 thousand times more important to the business than your average winnt directory.
Get out of your mom's basement.
Re:Privilege level (Score:5, Insightful)
Sure there is some truth in that, but as more and more people don't respect other people's property, keylocks have become a necessity and have to be lived with, no matter the discomfort.
The same is now happening with software security.
This is point in fact... (Score:5, Insightful)
Re:Today? (Score:3, Insightful)
I'd imagine lots of the IT bods that are still working will have had major work scheduled for this weekend for weeks. Just as well there isn't a patch to be deployed!
Re:I know, I know.. (Score:5, Insightful)
Errors in server-side applications are rapidly fixed by serious system administrators and at the worst they provide attackers a way into unprotected systems. How many computers around the world are currently infected or zombied thanks to holes in any of the programs you cited? Almost zero.
Security holes in client-side applications (MSIE, Outlook, primarily) are a totally different story. These programs are mainly used by people who don't have the capacity to protect their systems. And the results are clear: millions of PCs infected by everything from viruses to worms and spyware, used as platforms to launch DDoS attacks, to send spam, to steal information...
There is a real security problem on the Internet, one that is making a joke of the "information highway", and it's almost entirely caused by vulnerabilities like the one reported here.
Until the market leader realizes that its users need serious protection from the malicious forces who roam the Internet, no amount of criticism is too much. And, if you really want to support and defend Microsoft, you should be adding your voice, because it is this issue - its failure to provide its users with a safe platform - which will be its downfall.
"Microsoft = insecure" is an association that should be sending shivers down the backs of those marketing managers trying to bomb the web with billions of Microsoft adverts.
if you use linux (Score:2, Insightful)
and being afraid is a GOOD thing
it makes you vigilant
there is no system out there that is 100% virus proof
so don't make excuses to lull yourself into a false sense of security
always be vigilant, and you will minimize your risk of being infected
it will never be 0, no matter what os you use, no matter what you do
Re:Privilege level (Score:1, Insightful)
Re:Privilege level (Score:5, Insightful)
Even a user without admin privileges can turn the box into a spam relay (or a DDoS agent), so reducing privileges is only a very partial solution.
Re:Actually, mac users haven't had a virus yet (Score:5, Insightful)
http://www.sophos.com/virusinfo/analyses/index_
Description: Macintosh file virus
666, see Mac/Sevendust-A
ANTI-A, see Mac/ANTI-A
CDEF, see Mac/CDEF
CODE-1, see Mac/CODE-1
CODE-252, see Mac/CODE-252
CODE-9811, see Mac/CODE-9811
ERIC, see Mac/Scores
Garfield, see Mac/MDEF-A
Graphics Accelerator, see Mac/SevenD-Fam
INIT-1984, see Mac/INIT-1984
INIT-29, see Mac/INIT-29
INIT-9403, see Mac/INIT-9403
INIT-M, see Mac/INIT-M
Mac/ANTI-A
Mac/CDEF
Mac/CODE-1
Mac
Mac/CODE-9811
Mac/INIT-1984
Mac/INIT-
Mac/INIT-9403
Mac/INIT-M
Mac/MBDF-A
Mac/MBD
Mac/MDEF-A
Mac/nVIR-A
Mac/nVIR-B
Mac/nVIR-
Mac/Scores
Mac/SevenD-C
Mac/SevenD-D
Mac/S
Mac/Sevendust-A
Mac/Sevendust-B
Mac/S
Mac/T4
Mac/WDEF
Mac/ZUC-A
MBDF-A, see Mac/MBDF-A
MBDF-B, see Mac/MBDF-B
MDEF 666, see Mac/Sevendust-A
MDEF 9806, see Mac/Sevendust-A
MDEF-A, see Mac/MDEF-A
NASA VULT, see Mac/Scores
nVIR-A, see Mac/nVIR-A
nVIR-B, see Mac/nVIR-B
nVIR-Fam, see Mac/nVIR-Fam
San Jose Flu, see Mac/Scores
Scores, see Mac/Scores
SevenD-C, see Mac/SevenD-C
SevenD-D, see Mac/SevenD-D
SevenD-Fam, see Mac/SevenD-Fam
Sevendust-A, see Mac/Sevendust-A
Sevendust-B, see Mac/Sevendust-B
Sevendust-J, see Mac/Sevendust-J
SysX, see Mac/INIT-9403
T4, see Mac/T4
WDEF, see Mac/WDEF
ZUC-A, see Mac/ZUC-A
Re:Administrators: quick fix (Score:2, Insightful)
Re:ie rants (Score:5, Insightful)
Sounds like the lynx browser (or links, w3m, etc) is right up your alley. Lots of other people who share your distaste for browser bloat do. Microsoft doesn't really care too much about those people who say "Ugh, Microsoft IE sucks! Oh, yeah, I still use it though". It's only until people say "IE sucks, that's why I use [whatever] instead" that they'll pay attention.
Funnel your enthusiasm into trying some different browsers that fit your needs. Donate some time or money, maybe, to an open source browser you do like.
At this point, though, a "IE is lame" post doesn't really contribute much to the discussion. Or have I been trolled?
Re:Actually, mac users haven't had a virus yet (Score:5, Insightful)
I remember wiping some of these off of floppies... back when I even owned floppies.
Comment removed (Score:5, Insightful)
Dear Microsoft.. (Score:5, Insightful)
As to browser/plug-in vulnerabilities, it may never be possible to eliminate them all, there are just too many niches for a virus to gain foothold.
MS Fanboys.... (Score:3, Insightful)
Thanks to MS's decision to embed IE into everything in Windows, Windows is a breeding ground for vulnerabilities.
Re:Use the RUNAS service (Score:2, Insightful)
Joe Sixpack won't use a PC with "Access Denied" (Score:3, Insightful)
The simple Control Panel even hides the management interface to make granular security possible.
The truth is, in order for NT to work in consumer homes, it had to behave just like DOS versions of Windows did.
Joe Sixpack may be computer illiterate, but his dollar is what ultimately fills Microsoft's coffers.
Workaround...? (Score:5, Insightful)
Re:Not the point (Score:5, Insightful)
As for MS statements about exploits, well... everyone knows that's just plain silly. Right now there is an Exchange vulnerability listed on CERT that contains no patch and several known exploits, has been that way since November.
This is yet another occasion to teach everyone how to run as a user in Windows and not as Administrator. Almost everything is negated or at least mitigated when they are just normal users. Sure it could wipe out their own documents, but it couldn't affect any others and certainly couldn't harm the operating system. I see this problem a lot on every platform, generally I think people like to feel in control all the time.
Re:MS (Score:2, Insightful)
NOTE: Using an alternate web browser may not mitigate this vulnerability. It may be possible for a web browser other than IE on a Windows system to invoke IE to handle ITS protocol URLs.
Another instance where unbundling and removing IE from a system would be beneficial...
Re:Actually, mac users haven't had a virus yet (Score:5, Insightful)
How many Mac owners have AV software that is up to date?
Spams are using this (Score:3, Insightful)
The other day my boss called me over to check out a suspicious looking email that had made its way past SpamAssassin. It rendered blank, but looking at the raw message code revealed it was using just this kind of exploit (with a <FORM> to obfuscate what was really happening).
My boss' account has Restricted User privileges, with Eudora as the MUA and Mozilla as the browser, so no panic, but the fact that spammers are already using this is scary.
Re:Actually, mac users haven't had a virus yet (Score:5, Insightful)
How many Mac owners have AV software that is up to date?
Almost none - reason being that all those viruses (virii) mentioned at Sophos (Sophie) are from the 80's (80uses). This is the first 'exploit' on OS X, and it was just mentioned yesterday. What would Anti-Virus for the Mac have mentioned in their definitions last week?
"Virus definitions:
"
Additionally, since all ports are closed by default, and it takes an Administrator password to open any, and it takes an Administrator password to install any applications, and users are not root, there's a limited amount that a virus could do.
-T
Re:Windows has problemss... (Score:3, Insightful)
How do you get [whatever] to work on Windows.
Step 1: Insert the cd and let autorun take over and do everything for you.
If that does not work or you run into problems during game play, follow this 20 step procedure (if one is even available) and hope you eventually get it to work, if you can not get it to work, too fucking bad.
As an owner of a few EA Games, I've been down that road many times.
Re:Dear Microsoft.. (Score:2, Insightful)
(MS Outlook 2003 disables HTML content quite well.)
Re:MS (Score:5, Insightful)
On a side note, KDE does the same thing. I can open a "ms-its://" url to view
Re:In Linux-land... (Score:5, Insightful)
Hello? Oh, hi mom. Yeah, I can help you install a program on your computer. What do you want to install? Oh, cool. Have you downloaded it?
Okay, hang on for a moment.
$ ssh moms.computer.net
It'll be done in just a sec, Mom!
Re:MS (Score:5, Insightful)
If they unbundled IE, why the hell wouldn't the help files simply use the designated default browser??
Re:disabling Help And Support service? (Score:4, Insightful)
Yet the parent's post clearly shows that if you actually have to change anything fundamental, such as Services or Registry cleanups, it's a total fucking nightmare.
No wonder Windows admins get nervous, and sometimes run away screaming from changing Exchange configs, secure file sharing across networks, and nearly daily virus updates.
Am I forgetting anything?
Re:MS (Score:2, Insightful)
Konqueror is part of KDE, not part of GNU/Linux. But IE is part of Windows.
Re:Windows has problemss... (Score:1, Insightful)
Zealot: "Oh God, I had to install Quake 3 in Windoze for some lamer friend of mine! God, what a fucking mess! I put in the CD and it took about 3 minutes to copy everything, and then I had to reboot the fucking computer! Jesus Christ! What a retarded operating system!"
I have always wondered about this particular Windows feature: the rebooting.
Why do I need to reboot after installing some silly game?? Clearly there are some kind of "ties" in the window manager that would need to be updated, but a full reboot?? Is that really necessary or are they just too lazy to clean it up?
Can someone explain this paradox to me?
Re:MS (Score:3, Insightful)
If they "unbundled" IE, they would still ship it with every boxed copy of Windows, and if you wanted Help out of the box, you'd need to install IE. The only way you'd be able to get a completely IE-free system would be from an OEM or a customized install disc.