Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 


Forgot your password?
Close
typodupeerror
×
Bug Microsoft

Microsoft Announces Three More Critical Vulnerabilities 486

Posted by michael from the patch-and-wait dept.
weekendwarrior1980 writes "Microsoft warned that three 'critical'-rated flaws in the Windows operating system and other programs could allow hackers to sneak into personal computers and snoop on sensitive data. The flaws could allow attackers to break into PCs running Windows in several ways and then use the system to run malicious programs and steal or delete key data. These latest security flaws affect the latest versions of Windows, including Windows NT 4.0, Windows 98, Windows 2000 , Windows XP, as well as software for networked computers such as Windows NT Server and Windows Server 2003." Their bulletins are available for these vulnerabilities. Techweb has a pretty good summary.
This discussion has been archived. No new comments can be posted.

Microsoft Announces Three More Critical Vulnerabilities More

Microsoft Announces Three More Critical Vulnerabilities

Comments Filter:

  • Uh-oh (Score:5, Funny)

    by SpiffyMarc ( 590301 ) on Tuesday April 13, 2004 @07:06PM (#8854451)
    Now that the word is out on these, Microsoft is going to have to post a big link to all the articles about that new Mac OS X trojan all over their homepage...

    • Re:Uh-oh (Score:5, Funny)

      by Anonymous Coward on Tuesday April 13, 2004 @07:09PM (#8854501)
      A lot of people joke about Mac vulnerabilties, but the simple fact is that something like that could really wreak havoc somewhere like an art school or large interior design firm.

    • Windows Says: (Score:5, Funny)

      by AvantLegion ( 595806 ) on Tuesday April 13, 2004 @07:31PM (#8854746) Journal
      "Fuck you, Mac. You think you got exploits? You ain't got SHEEIT, son! Go play with your dollies, leave security holes to Daddy."

    • Linux is not 100% secure (Score:5, Insightful)

      by RoLi ( 141856 ) on Tuesday April 13, 2004 @08:00PM (#8855057)
      ... just like a Volvo is not 100% secure. But the Volvo is more secure than a 1960 Yugo.

      So, I'd rather choose the system that while not perfect is pretty good than a crappy system whose vendor chooses to put out press-releases about security instead of actually dealing with the problems.

      As usual, in theory, Windows is great:

      • In theory, everybody uses those super-fine-grained permissions in Windows. (In real life those permissions are so complicated that most ignore them)
      • According to MS-PR theory, Linux is very dangerous because "everybody" can put evil backdoors in. (In real life there has never been a case of a intentinal backdoor in any OSS-project with more than 1 contributor while there have been numerous examples of such backdoors in CSS)
      • In theory and in all total cost of ownership studies, the cost of viruses, worms and security problems on Windows is zero. (In real life millions are paid for virus scanners and much more is lost in productivity)
      • In theory, viruses/trojans/worms are only written for the market-leader platform. (In real life, Apache leads the market and has not had a single worm comparable to Code Red or Nimda)
      • In theory, Microsoft's latest "security initiatives" are a big success. (In real life the biggest epidemies like MS Blaster happened after those initiatives started.)

      In theory, Windows is great. In real life it's a buggy, insecure piece of trash that should be avoided whenever possible.

      • Re:Linux is not 100% secure (Score:5, Insightful)

        by aastanna ( 689180 ) on Wednesday April 14, 2004 @02:01AM (#8857530)
        The way I feel about windows and patches is you're never going to be secure enough to connect a windows box directly to the internet. Outlook and Outlook express aren't secure enough to be used to receive email. IE isn't secure enough to browse random web sites.

        So, if you can afford it, have two computers. Get your email and do your work on a Linux box or a OSX laptop, and save Windows for games, windows development, and those gems of applications you've found that only runs on Windows. Install firefox and use that to browse if you must.

        Always keep your Windows box behind a hardware firewall, that tends to stop most of the remote "I just plugged in my computer and now it has a virus" sort of things. Keep any OSX or Linux boxes behind a firewall too if you can.

        Oh well...rant over...that's my "what people should know about computers before using them" speech. It really doesn't matter how many of these exploits are patched. These were from 2003, and I'm sure there's another dozen waiting in the wings. Just assume your box is insecure and act appropriately.

        Oh, one more thing. I miss the days when you could listen to your computer's hard drive and know what it was doing. If it started up and a odd time you'd know something wasn't right. These days on windows the hard drive seems to randomly grind a way for a second every once and a while...it's...disconcerting. My mac doesn't seem to do that, can't remember if Linux does.

  • More than three (Score:5, Informative)

    by untermensch ( 227534 ) * on Tuesday April 13, 2004 @07:08PM (#8854491)
    Actually, according to the article there aren't just three vulnerablilies. There are 20 separate vulnerabilities in Windows and Outlook Express, 8 of which are critical, and 16 of which are remotely exploitable. Microsoft has bundled the patches for these into 4 separate downloads - 3 for Windows and 1 for Outlook Express.

    • Re:More than three (Score:5, Informative)

      by Proud like a god ( 656928 ) on Tuesday April 13, 2004 @07:16PM (#8854583) Homepage
      Are Windows 98, Windows 98 Second Edition, or Windows Millennium Edition critically affected by any of the vulnerabilities that are addressed in this security bulletin?
      No. None of these vulnerabilities are critical in severity on Windows 98, on Windows 98 Second Edition, or on Windows Millennium Edition.

      Another reason for home users and gamers to stick with 98SE. Obviously most businesses aren't so lucky. :-S

    • Re:More than three (Score:5, Funny)

      by dj245 ( 732906 ) on Tuesday April 13, 2004 @07:30PM (#8854733) Homepage
      The number of the vulnerablilies shall be 3. 3 shall be the number of the vulnerabilities, the number of the vulnerabilities shall be 3....

      Actually, according to the article there aren't just three vulnerablilies. There are 20 separate vulnerabilities in Windows and Outlook Express, 8 of which are critical, and 16 of which are remotely exploitable.

      HOLY #*&$*!!! /me patches like mad

      The people who previously expressed the number of vulnerablilies as 3 have been sacked. In a separate sacking, the person responsible for bundling downloads for Windows and Outlook Express separately, thus making even more confusion, has also been sacked.

      The person responsible for not defining all remotely exploitable vulnerablilies as critical has also been sacked.

      As this is a /. joke, and nobody at microsoft has actually been sacked, the writer of this post has also been sacked, having failed in actually sacking the previously aforementioned sacked.

      • ARTHUR: How do you do, good lady. I am Arthur, King of the Microsoftons. Who's
        castle is that?
        WOMAN: King of the who?
        ARTHUR: The Microsoftons.
        WOMAN: Who are the Microsoftons?
        ARTHUR: Well, we all are. We are all Microsoftons, and I am your king.
        WOMAN: I didn't know we had a king. I thought we were an autonomous
        collective.
        DENNIS: You're fooling yourself. We're living in a dictatorship. A self-
        perpetuating autocracy in which the working classes--
        WOMAN: Oh, there you go, bringing cla

      • Your sig (Score:4, Funny)

        by Vainglorious Coward ( 267452 ) on Tuesday April 13, 2004 @09:34PM (#8855839) Journal

        --

        The number of the modding shall be three, four shall the number of the modding not be, neither shall it be 2...

        5 is right out.

    • Check out www.eeye.com (Score:5, Informative)

      by khasim ( 1285 ) <brandioch.conner@gmail.com> on Tuesday April 13, 2004 @08:45PM (#8855457)
      http://www.eeye.com/html/Research/Advisories/index .html

      Looks like a whole bunch of those holes were reported to Microsoft by eeye and Microsoft FINALLY got around to patching them.

      Some of them had been reported over 6 months ago.

    • Re:More than three (Score:4, Insightful)

      by jonadab ( 583620 ) on Wednesday April 14, 2004 @09:27AM (#8859011) Homepage Journal
      > There are 20 separate vulnerabilities in Windows and Outlook Express

      No. No, no, no. There is *one* vulnerability in Outlook and Outlook Express,
      one that has been public knowledge for about a decade now and Microsoft has
      thus far made no attempt to fix. The vulnerability is, Outlook and Outlook
      Express deliberately treat untrusted data in ways that untrusted data should
      NEVER be treated under ANY circumstances. Their whole approach to security
      is, instead of the correct this-data-is-untrusted approach, a dain brammaged
      fix-specific-problems approach, wherein the data that ought to be untrusted
      is stopped from doing certain specific things that have been known to cause
      problems in the past but still allowed to do basically anything else.

      There may be 20 separate specific ways this can be exploited, and more will
      be discovered next week, but it's fundamentally *one* issue.

      Executive summary: Outlook and Outlook Express don't *have* security holes;
      they *are* security holes, big fat wide-open ones.

  • Worm Writer's Delight (Score:5, Interesting)

    by Dynamoo ( 527749 ) on Tuesday April 13, 2004 @07:08PM (#8854494) Homepage
    What's frightening is that there are *so* many remote code execution vulnerabilities in this one. At least they're all rolled up into one patch. But this gives so many potential backdoors for a Blaster style worm.

    Here we go again...

  • Honesty is sometime stupid (Score:5, Funny)

    by Assoupis ( 758320 ) on Tuesday April 13, 2004 @07:09PM (#8854511) Homepage
    Microsoft could just send is service pack, and as usual, during installation, printing meanless phrases such as: registering component, building registry, etc...

  • I was wondering about that (Score:5, Interesting)

    by ObviousGuy ( 578567 ) <ObviousGuy@hotmail.com> on Tuesday April 13, 2004 @07:10PM (#8854514) Homepage Journal
    I've got IE configured to present itself to websites as Netscape so I can't check the Windows Update webpage, I have to rely on automatic update to tell me of new patches. For the past couple months there has been nary a one patch, then today a whole handful of them.

    What a surprise. My bandwidth was halved by the invisible download.

    Whoops. Be right back. Install is finished, gotta reboot.
    • I've got IE configured to present itself to websites as Netscape so I can't check the Windows Update webpage

      Why don't you just download Netscape/Opera/FireFox and just use IE for windows update? You should manually be able to control what updates you are doing then.
    • I've got IE configured to present itself to websites as Netscape ...

      Isn't that like putting the "VTEC" and "Type R" badges on a '87 Civic?

  • I continue not caring... (Score:3, Insightful)

    by forkazoo ( 138186 ) <wrosecrans@@@gmail...com> on Tuesday April 13, 2004 @07:10PM (#8854515) Homepage
    I hate to sound like a troll, but I really don't care about all the MS security vulnerabilities. I've cleaned up a bunch of systems in the last week that were all virus and spyware infested, because the user clicked on things they shouldn't have. If Microsoft required a prompt for the root password whenever a program tried to install itself, similar to what OS X and many Linux apps do, it would make all the actual security vulnerabilities matter much more.

    We need internet licenses. Nobody without a geek code should be granted an IP address. It's that simple.

    • Re:I continue not caring... (Score:5, Insightful)

      by omicronish ( 750174 ) on Tuesday April 13, 2004 @07:38PM (#8854831)

      If Microsoft required a prompt for the root password whenever a program tried to install itself, similar to what OS X and many Linux apps do, it would make all the actual security vulnerabilities matter much more.

      The Windows defaults with regards to user privileges are crap, and you are right, these vulnerabilities don't matter when everyone has administrative privileges anyway.

      Requiring a password to install a program would be difficult in Windows, however, since the installation programs are provided by the software, not Windows (unless it's a Windows Installer package, in which case there's full support for requiring Administrator privileges to install applications). Windows really has no way of telling the difference between a normal application and an installer.

      However, what you can do is lock down file permissions. What I did on Windows XP was remove Users write access to the boot drive, Windows directory, Program Files directory, and Documents and Settings (except for the user's profile). Installation programs can still run, but they won't be able to install software to any important location. At worst, the user can install to their profile, but any malicious program becomes a problem only for that user. It's akin to untaring, compiling, and running a program from your home directory on Linux.

      I've heard of bad programs that require Administrator privileges or write access to their Program Files directory, in which case this setup will present problems. Still, it's a problem with the program itself, not a Windows problem, although lax or non-existent installation guidelines may have contributed. I personally think all these permissions should've been defaults years ago.

    • We need internet licenses. Nobody without a geek code should be granted an IP address. It's that simple.

      Then implement training at your site. At least suggest it. Computers are tools. We don't require people to get socket-wrench certified, or expect (most of) them to take telephone answering lessons. Most people think of computers in the same way.

      Why should we expect users (consumers, customers, grandmas) to know everything about the complex tool that they've been given? Most people use their computer f

  • These has been known about for a LONG time... (Score:5, Informative)

    by tweakt ( 325224 ) * on Tuesday April 13, 2004 @07:10PM (#8854517) Homepage
    These were listed on eEye's page as undisclosed critical vulnerabilities affecting upwards of 300 million systems, along with original discovery date, and time since notification. They typically give 30 days, but last I checked it was 90 and 100+ days late. These are over 6 months old I think.

    Sorry, no link because the site seems to be down/slow... it must be linked to from another announcement posted elsewhere.

  • There's a market for... (Score:3, Interesting)

    by tyrani ( 166937 ) on Tuesday April 13, 2004 @07:11PM (#8854522)
    A good, easy to read, consumer grade local port sniffer / analyzer. How hard would it be to build a frontend that reported on "odd" behavior?
    • A good, easy to read, consumer grade local port sniffer / analyzer. How hard would it be to build a frontend that reported on "odd" behavior?

      There are any number of consumer "intrusion detection systems". They all suffer from the same problem: in order to convince the end-user that they're working, they report every single intrusion-like activity, making them useless for actual security work.

  • Service Pack 2 (Score:5, Interesting)

    by -tji ( 139690 ) on Tuesday April 13, 2004 @07:12PM (#8854539) Journal
    That site with their bulletins also has a link to the XP Service Pack 2 release candidate.. That thing has been in the works for so long. Hopefully it makes some useful improvements in their security.

    It looks like the firewall will basically be a built-in ZoneAlarm, with better inbound abilities, and outbound application controls.

    They also have some buffer overflow protections. Are they good enough to make a difference?

    • Re:Service Pack 2 (Score:3, Informative)

      by PingXao ( 153057 )
      Just last night I was rummaging around the MS Windows XP security newsgoup. The new SP2 ICF firewall will NOT challenge outgoing communications. The rules you can set up with it generally apply only to incoming connections. If an application tries to establish a listening port ICF will challenge that, but outgoing connections aren't controlled.

  • OE exploit? (Score:2, Interesting)

    by xpl_the_myst ( 612106 )
    What I don't understand about the OE exploit is that it basically results from running HTML code in something called a Local Security Zone of IE. Isn't that a vulnerability in IE itsel? That's what I can make out from the article itself :

    An attacker would have to entice users to read a maliciously-crafted HTML e-mail message or use IE to surf to a malicious Web site to grab control of the PC ...

  • Is Microsoft just stupid? (Score:3, Interesting)

    by bigattichouse ( 527527 ) on Tuesday April 13, 2004 @07:16PM (#8854578) Homepage
    1) patch the OS, since no one can see it, with a bit of code to "simulate" a buffer overrun... in actuality it reports back to MS home office the IP address of the affected machine. Call it a "straw man" flaw
    2) release a patch for other problems and have this new item go with the patch
    3) release a "known flaw".. await for the first few reports of the flaw
    4) show up at the butthead's house with a few large baseball bats
    5)??
    6) profit!

  • Windows update server is running kind of slowly (Score:5, Funny)

    by Igottapoop ( 762294 ) on Tuesday April 13, 2004 @07:18PM (#8854597)
    I think we /.ed microsoft!!

  • Won't announcing vulnerabilities cause exploits? (Score:5, Interesting)

    by David Hume ( 200499 ) on Tuesday April 13, 2004 @07:18PM (#8854600) Homepage


    Won't announcing the vulnerabilities cause them to be expoited? [computerworld.com]?

    Shouldn't Microsoft as a result slow down the security patch cycle [slashdot.org]?

  • I'm sick of seeing security articles for laymen talking about the CONSEQUENCES of vulnerabilities. There are really only a few kinds of bugs, and of those kinds, 90% are "Stack Overflow" and another 9% are "Privilege Escalation", and pretty much everything else fits into that 1%.

    So what im saying is, we dont need to sensationalize stack overflow bugs because, they're as old as time more or less.

    • Re:New Rule (Score:5, Informative)

      by shaitand ( 626655 ) * on Tuesday April 13, 2004 @08:15PM (#8855196) Journal
      I think your numbers are a bit screwed, I suppose if your looking at computing in general your probably a bit exaggerated but the concept is right.

      However when looking at microsoft vulnerabilities it's a different story, they are extremely varied generally because they are due to a lack of consideration when coding and extremely poor structure and design. For instance, Active X, it's a security flaw, 90% of the sub-flaws reported in it are there because the flaw itself, is poorly designed (hence why it's a flaw) rather than fix the problem (a redesign or elimination of activeX) they create a patchwork changing this or that detail of how it functions.

  • Windows Update is getting a bit slow. Can someone set up a mirror? The link at this page [thenetw0rk.com] doesn't seem to be working.

  • Do these announcements of security patches not alert hackers and virus authors to capitalize on them? It's alerting criminals to the exact vulnerabilities.

    You can bet that it's likely the majority of Windows users have failed to install this patch (and many other patches)

    Look at Blaster. Even after the patch was announced and distributed, the worm was still able to infect millions of machines.
    • If no one reports the exploits, M$ simply won't fix them. They have no incentive to unless there is a public backlash. Even still, they would just settle out of court. :-) I think we should coin a new phrase. Whenever someone is clearly in the wrong, and just settles out of court...we should call it M S'ing (em ess ing)

      Sort of like BSing.

  • first post

    in soviet russia critical vulnerabilities announce Microsoft!

    1. Announce critical vulnerability
    2. ??
    3. Profit

    if people used linux/oss this wouldnt happen
    - oh sure, just because slashdot doesnt report linux vulnerabilities!

    natalie portman naked and vulnerable?

    can someone point me to a mirror the site is down?

    can someone point me to an open source version of this?

    this wouldnt happen if it was ogg based.

  • Starting To Respect Microsoft (Score:3, Insightful)

    by nathanh ( 1214 ) on Tuesday April 13, 2004 @07:34PM (#8854786) Homepage

    It's not good that they're having so many publicly visible flaws, but I'm really impressed that Microsoft is starting to be honest and forthcoming in their reporting. I remember a time when the bugs wouldn't get announced until the exploit was already wreaking havoc. Now it seems the bugs get reported and patched before there are any exploits. That's very professional; they can't be perfect but they can be responsible.

    I have a lot of respect for that.

    • Re:Starting To Respect Microsoft (Score:5, Insightful)

      by Tough Love ( 215404 ) on Tuesday April 13, 2004 @11:02PM (#8856509)
      "It's not good that they're having so many publicly visible flaws, but I'm really impressed that Microsoft is starting to be honest and forthcoming in their reporting."

      That's because you're gullible. A bunch of these vulnerabilities have been known for months and Microsoft hasn't announced them. Maybe so they can argue that Microsoft has the shortest time from vulnerability announcement to patch availablity, like they tried to say last week.

      Starting to be honest, huh, looks like more of the same to me.

  • oh the irony! (Score:5, Funny)

    by BinaryJono ( 546830 ) on Tuesday April 13, 2004 @07:36PM (#8854812)
    seeing the microsoft security ad (http://m2.doubleclick.net/viewad/930640/MRS03141_ ityouwe_728x90_anima.gif) at the top of the page while reading this article was just too much...

  • Just exactly how does this happen. (Score:4, Interesting)

    by Talinom ( 243100 ) on Tuesday April 13, 2004 @07:45PM (#8854897) Homepage Journal
    This isn't a troll. This is an honest question.

    How does a critical vulnerability happen? Seriously. Is there a URL someone can provide or a good description that shows what it takes to make an OS or application with a vulnerability? I read just about every week or so about "Application X" or "OS Y" having a security issue and a deeper understanding of what is going on is a good thing to help judge the threat of the warning. It will also help reduce the FUD factor a little bit. If an example (current or outdated) could be given showing HOW the security of a system is compromised that would also be beneficial.

    • Re:Just exactly how does this happen. (Score:5, Informative)

      by cpghost ( 719344 ) on Tuesday April 13, 2004 @08:10PM (#8855157) Homepage

      Try "Smashing the Stack for Fun and Profit", Phrack [phrack.org] 49, Art. 14. It's a nice introductory tutorial to the common class of buffer overruns.

    • Re:Just exactly how does this happen. (Score:5, Informative)

      by hobuddy ( 253368 ) on Tuesday April 13, 2004 @08:49PM (#8855493)

      How does a critical vulnerability happen? Seriously. Is there a URL someone can provide or a good description that shows what it takes to make an OS or application with a vulnerability?

      Of course there's an infinite number of ways to write a vulnerable program, but the most common is to run afoul of a buffer overflow. A buffer overflow is a relatively simple flaw, but it's an easy mistake to make in C and C++ because those languages give economy of computational resources precedence over every other consideration, including security and stability.

      There's an illustrated and fairly concise introduction to buffer overflows at LinuxJournal [linuxjournal.com].

  • Sp2 Beta (Score:3, Interesting)

    by OneArmedMan ( 606657 ) on Tuesday April 13, 2004 @07:51PM (#8854957)
    I have Win XP sp2 on my work machine here ( dont ask )

    and i just did a windows update then .. and behold for there were no critical Windows updates to be found anywhere ..

    so either MS is broken ( heh ) or MS knew about these problems a looooooong time ago and already had the patches in SP2, cause i have been running this SP2 beta for at least 3 or 3 weeks now...

  • wait wait wait... anyone else here suspect this? (Score:3, Insightful)

    by ShadowRage ( 678728 ) on Tuesday April 13, 2004 @07:51PM (#8854965) Homepage Journal
    that the fact microsoft is suddnely letting people know more about this, saying they'll up security, etc think it's a sham so when longhorn comes out on a palladium DRM locked system, and it's announced it's more secure than ever, people will flock to that, or at least, what they hope?

  • Windows Update in Firefox (Score:5, Interesting)

    by Faizdog ( 243703 ) on Tuesday April 13, 2004 @07:53PM (#8854979)
    Well,
    After the Nth spyware that infected IE, about 10 days ago I finally had enough of it and switched to Firefox. Haven't looked back since, Firefox rocks.

    So after I read this /. story, went to the Windows Update website, and lo and behold, it only works with IE. I can go to the Microsoft Download Center if I use another browser besides IE, but I actually like the way Windows update works, scanning my computer and giving me options for what I can install.

    Looked through the Firefox FAQs, couldn't find any mention of this. Anyone have another suggestion, or should I use IE for updates and Firefox for everything else?

  • Mirror (Score:5, Funny)

    by KalvinB ( 205500 ) on Tuesday April 13, 2004 @08:09PM (#8855145) Homepage
    since Microsoft's Windows Update page is getting really bogged down you can download the patches from this Mirror [redhat.com].

    Ben

  • SP5? (Score:5, Interesting)

    by TimTheFoolMan ( 656432 ) on Tuesday April 13, 2004 @09:04PM (#8855611) Homepage Journal
    Hmmm... in the details for Security Bulletin MS04-011, they list the following registry key:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Update s\Windows 2000\
    SP5\KB835732\Filelist
    Looks like we've now seen the first light of SP5.

    Tim

  • Freedom of choice is important for security. (Score:3, Insightful)

    by master_p ( 608214 ) on Wednesday April 14, 2004 @04:43AM (#8858007)
    If Internet Explorer was not part of the O/S distribution, it would be easier to uninstall it and install something better, like Opera or Mozilla Firefox (or make an option during O/S installation). The same goes for Outlook and Outlook Express.

    Now that IE and Outlook is bundled with Windows, most people don't care to install anything different, resulting in many compromized machines.

Slashdot Top Deals

Real Programmers don't eat quiche. They eat Twinkies and Szechwan food.

Close