Forgot your password?
typodupeerror
Security Microsoft IT

Microsoft Releases Eight Security Updates 344

Posted by CowboyNeal
from the locking-down dept.
Juha-Matti Laurio writes "After a very uncommon break in March Microsoft has just published 8 new security updates. Almost all updates that are a part of the monthly release cycle are rated as 'Critical.' New Windows Shell vulnerability, named as MS05-016 is only 'Important,' but Windows XP Service Pack 2 is affected too, however. This is not the first time when there was something to fix at Shell32.dll. Vulnerabilities in TCP/IP that could allow remote code execution and denial of service at cumulative bulletin MS05-019 are affecting SP2 too. Windows Kernel, Exchange, MSN Messenger, Word (Office) and Internet Explorer get their updates as well."
This discussion has been archived. No new comments can be posted.

Microsoft Releases Eight Security Updates

Comments Filter:
  • Phew! (Score:4, Funny)

    by teiresias (101481) on Wednesday April 13, 2005 @10:19AM (#12222905)
    Phew and here I was thinking hell had frozen over in March and Microsoft wouldn't have any new security updates. Thanks for reassuring me Microsoft. You had me nervous.
    • Re:Phew! (Score:3, Insightful)

      by Ubergrendle (531719)
      Its not called "March Madness" for nothing! :)

      I would be interested to compare how many operating systems updates were released for Solaris, AIX, HP-UX, and Linux over the past two months... without getting into an argument over impact/criticality, I'm willing to bet there's been more than 8 fixes for each of those OSes in that timeframe.
      • Re:Phew! (Score:2, Insightful)

        by fostware (551290)
        I don't think a real comparison will even come though...

        There is *one* OS exploit here.
        The others exploits target Exchange and Internet Explorer
        It becomes so much harder when you try to look at Linux, GNU utils, and then the FOSS services and applications.
        (and then you've got distribution specific exploits)

        The closest realistic comparison I can get, is to ask those not-so-desirable aquaintences, which one's are faster and easier to exploit. Everybody else has agendas or ties to one party or another, as i
      • Re:Phew! (Score:4, Insightful)

        by Anonymous Coward on Wednesday April 13, 2005 @11:10AM (#12223357)
        I would be interested to compare how many operating systems updates were released for Solaris, AIX, HP-UX, and Linux over the past two months...

        First, you have to carefully define exactly which software is part of the operating system. Windows includes almost no software out of the box, so security problems in widely-used Windows programs aren't considered to be OS vulnerabilities. On the other hand, Linux distributions tend to install lots and lots of extra software in addition to the base OS, and a vulnerability in any one of these extra packages is reported as a vulnerability in the distribution. For example, Debian had 11 security advisories for March 2005 (see http://www.debian.org/security/2005/ [debian.org]), but none of them (with the possible exception of netkit-telnet and netkit-telnet-ssl) can really be considered problems with the OS. So you can't just compare the number of reported security problems in each OS, because the two numbers have vastly different scope.

    • Re:Phew! (Score:5, Funny)

      by Laura_DilDio (874259) on Wednesday April 13, 2005 @12:10PM (#12224030)
      No, this just evidence that Microsoft takes security seriously -- more seriously, in fact, than that pinko-commie-bastard operating system you all feel so drawn towards.

      Also, I'll have you pigs know that I'm leaving my duties at the Yankee Group. I've accepted a position serving Lord William at Microsoft. I'm to be his new Groom of the Stool [channel4.com]

      Love,
      Laura
    • Re:Phew! (Score:3, Insightful)

      by BrainSurgeon (875819)
      We all know that they have had their issues with security in the past. But over the last three years they have taken some great strides to improve it.

      I applaud them for doing their own proactive penetration testing on their software, as well as enlisting the help third-party companies to do the same. This is far better than the "we'll see what happens" approach of years past. By doing this proactive approach it cuts down on zero-day exploits (granted their still will be a few), teaches them to learn fro
  • yep - move on (Score:4, Insightful)

    by nighty5 (615965) on Wednesday April 13, 2005 @10:20AM (#12222908)
    This is not the first time when there was something to fix at Shell32.dll

    yep, and like every operating system - it won't be the last...
  • Woohoo! (Score:4, Funny)

    by djinn2020 (874365) on Wednesday April 13, 2005 @10:20AM (#12222917) Journal
    Yay, Microsoft Windows XP is now completely invulnerable

    Thanks, Bill.

  • More updates (Score:5, Insightful)

    by nenolod (546272) <nenolod&gmail,com> on Wednesday April 13, 2005 @10:21AM (#12222922) Homepage
    And yet they are less vague than the ones which have recently come out of OpenBSD [openbsd.org]. That's scary.
  • WS2K3 SP1 (Score:5, Informative)

    by koh (124962) on Wednesday April 13, 2005 @10:21AM (#12222925) Journal
    Windows Server 2003 SP1 is also available. Apparently it's a kind of XP SP2 but for Server 2003. With the firewall, security center, IE "enhanced security", spyware removal tool that doesn't run, etc.

    I just hope it doesn't break as many apps...

    • I just hope it doesn't break as many apps...

      I hear that...I'n in the unenviable position of testing this SP to see if it works or not...has anyone had any negative experiences with this Service Pack? Any feedback would be greatly appreciated.

      Thanks,
      • Re:WS2K3 SP1 (Score:3, Informative)

        by LurkerXXX (667952)
        Read up on bugtrack. Apparently Dell OpenManage software has bad issues with it (fixed in version 4.4 that they *just* released, if I recall)
      • Re:WS2K3 SP1 (Score:5, Informative)

        by koh (124962) on Wednesday April 13, 2005 @10:36AM (#12223050) Journal
        After 1 day of use :

        IIS (HTTP, FTP) works (after tweaking the firewall of course), at least for the minimal use I have of it.

        Exceed works too after registering it with the firewall.

        IE's "enhanced security" makes it _really_ paranoid, but I use it only for updates so I couldn't care less (had to add Office Update to the trusted sites though).

        IMHO the real thing here is to check how in-house developped server components will behave under SP1... since we don't have that many customers using it, bug reports won't come until a few weeks I hope.

        • IE's "enhanced security" makes it _really_ paranoid, but I use it only for updates so I couldn't care less (had to add Office Update to the trusted sites though).

          Isn't this what the Slashdot crowd wanted?

          • Re:WS2K3 SP1 (Score:5, Insightful)

            by arete (170676) <areteslashdot2 AT xig DOT net> on Wednesday April 13, 2005 @11:06AM (#12223307) Homepage
            You misunderstood. /. wants everything. Especially because different people want different things...)

            They quite literally want to build a automatic cake making machine so they can have lots of cake while they're eating their cake : )

            They want a blindingly fast machine with a 90 inch display that fits on their keychain and uses no power. They want this machine to be completely secure while allowing random applications to do whatever necessary to squeeze their hardware. They want it to use an OS that is unpopular enough instill geek pride but is somehow the primary development platform of all cool games.

            Oh, and it should be Free as in speech, Free as in beer, and produced by a trusted public company that somehow makes money off this without doing anything that would make them unloved.

            And they want cute little penguins to somehow get them laid by actual women, generally without them having to go anywhere they might actually meet women.

            I'm not saying any of these individual goals are bad ideas, I'm just saying you can't always have everything you want.

            (Incidentally, I'm in favor of really paranoid IE settings, but since by using it you're implicitly trusting MS, the Office update site could probably have been automatically added to that list. I think that's why the gp noted it.)

            • by mopslik (688435) on Wednesday April 13, 2005 @11:28AM (#12223553)

              They want a blindingly fast machine with a 90 inch display that fits on their keychain and uses no power.

              Now that's not true at all. I want my machine to generate power, which I can then use to run the cake machine.

            • Re:WS2K3 SP1 (Score:5, Informative)

              by koh (124962) on Wednesday April 13, 2005 @11:33AM (#12223606) Journal
              (Incidentally, I'm in favor of really paranoid IE settings, but since by using it you're implicitly trusting MS, the Office update site could probably have been automatically added to that list. I think that's why the gp noted it.)

              Indeed.

              Amusingly, I tried the Acid2 Test [webstandards.org] on IE with "enhanced security" turned on and it warned me the page may not render correctly because it "required an ActiveX control" that "was being blocked".

              An ActiveX control ? On the Acid test page ? Turns out the page contains 3 <object> tags used to check cascaded content... Of course we all know an <object> tag always is an ActiveX control, do we ?

              That's what I meant by "paranoid" :)
    • Re:WS2K3 SP1 (Score:5, Informative)

      by Kimos (859729) <kimos,slashdot&gmail,com> on Wednesday April 13, 2005 @10:33AM (#12223017) Homepage
      I've been applying 2k3 SP1 to servers at my office all week. MS did a good job of designing the patch so that it adds lots of security lockdowns without limiting applications. They add the firewall but it defaults to off for upgrades. The only part that seems scary is the stronger authentication for DCOM. It's secure, but has potential to break some apps. Details on SP1 here [microsoft.com].

      Five servers so far, and all of them have worked after the update. I'm far from a MS fan, but I have no problem admitting when they've done a good job...
      • Re:WS2K3 SP1 (Score:5, Interesting)

        by ookaze (227977) <ookaze AT mail DOT ookaze DOT fr> on Wednesday April 13, 2005 @10:55AM (#12223211) Homepage
        Five servers so far, and all of them have worked after the update. I'm far from a MS fan, but I have no problem admitting when they've done a good job.

        The scary thing is that this fact is worthy of a post, and is informative.
        Patches that do not break anything should be the rule, not the exception.

        • The scary thing is that this fact is worthy of a post, and is informative. Patches that do not break anything should be the rule, not the exception.

          You'd think. You'd hope. But it's not to be.

          Realistically, there are too many nonlinear interactions between the universe of Windows applications and the OS for even Microsoft, with all its resources, to test exhaustively. [I know, clean interface design would cure or substantially reduce those side effects, but there's too much water under the bridge now.]

  • by ScentCone (795499) on Wednesday April 13, 2005 @10:23AM (#12222938)
    I've applied these to about 15 servers this morning - boxes running IIS, SQL, Exchange, and so far nothing has blown up. What really gets me is the bandwidth they must be putting into the distribution. The 8 or so MB that the servers are downloading is coming across much more quickly than I've seen it in the past. Could just be an abberation, but usually the feeding frenzy is pretty intense.
  • maybe it's me ... (Score:5, Interesting)

    by icebrrrg (123867) on Wednesday April 13, 2005 @10:24AM (#12222944) Homepage
    ... but after using the "windows update" utility in XP and 2000/2003 server for some time, and being a newbie to fedora (new servers in my home lab), i find the MS utilities muuuuuch easier to use than the fedora update manager. once i say no to an update, that choice stays "no" ... i have to always say no to unwanted updates in fedora (even tho they're on my ignore list). am i a feeble n00b, or could the linux distros learn a thing or two from MSFT?
    • Only problem I have with updates in windows is that if you choose to "Restart later" after installing the updates, it will pop up every 15 mins or so asking if you want to restart now (as well as having a yellow shield in the task bar). Not much of a big deal, just irritating when you know you'll restart the machine later anyway so theres no point in restarting it now.
      • Well it does have a point - if the updates you've just installed don't work or break your system in some way, it's best to find that out sooner rather than later when you've no time to fix them.

        The Red Hat update manager mentions this, but doesn't enforce it: "Hey, you just installed a new kernel! Please try it out to see if it works!".
        • Oh yeah it definatly has a point, but it kind of loses it's point after the fifth or sixth time it's came up, especially when it's a patch for WMP (why does it need to restart anyway? It should just be an isolated application). Anyway on the bright side my XP SP2 machine hasn't asked me to restart yet!
      • There have been some patches were if you do not reboot immediately, the box will start behaving erratically at best. This can occur because some files are immediately replaced, and others queued for later replacement as they are locked open.

        ostiguy
      • I've never seen that before.
      • More annoying than that is that if you just leave it (say, overnight), it'll helpfully reboot for you anyway! Isn't that a nice thing that they do? No idea how it deals with unsaved documents or whatnot, but I know it plays havoc on servers when this happens on w2k3 if you're not expecting it (more from the admin side than the actual server, generally admins don't expect their servers to randomly reboot without being explicitly told to, and no, I wasn't the admin :)
    • Re:maybe it's me ... (Score:3, Informative)

      by tehshen (794722)
      If you want the red flashing ! thing on the panel to go away, right click -> Configuration -> remove from panel. Then you can do yum updates when you want without being distracted.

      I've found that with the update manager you always have to say yes to wanted updates, not no to unwanted ones. The ignore list seems to not do anything, though.
    • Re:maybe it's me ... (Score:5, Informative)

      by LnxAddct (679316) <sgk25@drexel.edu> on Wednesday April 13, 2005 @10:46AM (#12223131)
      Keep in mind that the Fedora update utility is updating up to 10,000 applications, not just core system software like MS's update utility, so expect some increased complexity (although once you set up your ignore list, its usually just as easy as clicking "select all", click next, click next, all done and updated). Using the ignore funtionality works great for me under FC3 so I'm not too sure what you are referring to as far as problems go. Maybe if you supply more information someone can help you, or go to #fedora on irc.freenode.net and someone there is always willing to help. On a side note, if you are a noob you most likely dont want to be disabling any updates. Fedora by default puts new kernels on your ignore list but other then that, updating is usually a good thing (If you used something like debian testing or unstable prior to fedora I can see the basis for your paranoia as I still have one server left running debian testing and updating breaks it monthly at a minimum, but the situation is completely different in fedora and I have yet to see anything similar happen).
      Regards,
      Steve
      • Yeah, I install the new kernels when they come out...just got 2.6.11-1.14_FC3, and now I have to reinstall NTFS support :(
        • Kernel modules and kernel bundling and updates are one thing that I don't like in fedora. Also I think the grand-parent meant that if you add a package to ignore list in the applet, this action does not appear in the system-wide ignore list fo updates.
    • To do an "nightly update" on a Fedora machine you do this:

      % yum -y update

      Works great, scales well (throttled by network bandwidth). I don't even have to be there to do it. A regular user can continue to use the machine happily. If it requires a reboot then that can be done much later unless flakiness arrises. The point is it doesn't interrupt my work nor the user's work.

      To do a "nightly update" on Windows you have to:

      - Go physically find the machine if you have no deployment tools or remote desktop.
  • by pycnanthemum (175351) on Wednesday April 13, 2005 @10:24AM (#12222947) Homepage Journal
    Glad I don't do "Auto Install"...hidden way at the bottom of the list of things Windows wanted to update was...

    Update for Background Intelligent Transfer Service (BITS) 2.0 and WinHTTP 5.1 (KB842773)
    Download size: 694 KB, 1 minute
    This software updates the Background Intelligent Transfer Service (BITS) to v2.0 and updates WinHTTP. These updates help ensure an optimal download experience with new versions of Automatic Updates, Windows Update, and other programs that rely on BITS to transfer files using idle network bandwidth.

    How is this critical?
    • by Neopoleon (874543) on Wednesday April 13, 2005 @10:32AM (#12223007) Homepage
      An update to BITS is critical because it's part of the mechanism that should be keeping your average user's Windows machine clean by downloading updates in the background without disturbing their usual browsing activities (it uses opportune moments to grab chunks of updates - once all the pieces are down, it lets you know).

      One of the reasons we have so many problems with security vulnerabilities is that users don't make use of Automatic Updates, and they wind up running unpatched systems for days... weeks... months... ...years.

      Sometimes there's a good reason for this, but I suspect that, more often than not, it's a lack of understanding about *why* Automatic Windows Updates is important.

      So, in that context, although I can see why you might not think it's an important update, BITS is actually something you want updated with everything else unless you're *really* on top of patching your system manually.
    • Because Microsoft is changing the distribution method for WindowsUpdate very shortly. Microsoft Update. Google it.
    • If I'm not mistaken, it allows the auto-update feature to only use idle bandwidth when downloading new updates.

      This is good for Joe User who is trying to surf on a 56k modem while downloading 10MB of updates. ISPs probably got calls of "the internet being slow", likely due to auto-update running while they were trying to surf.

      Is it critical? No. Helpful? Probably.
      • If I'm not mistaken, it allows the auto-update feature to only use idle bandwidth when downloading new updates.

        This is good for Joe User who is trying to surf on a 56k modem while downloading 10MB of updates. ISPs probably got calls of "the internet being slow", likely due to auto-update running while they were trying to surf.

        Is it critical? No. Helpful? Probably.

        So, theoretically, while attempting to attack Joe User's new machine, you could simultaneously DoS him so that his machine doesn't have any

    • BITS is the download component of windows update...

      It's also used for software deployment in corporate offices.

      It's also Needed for SP2... Judging by the fact you said no to this, I only have 1 question: What is your IP? :)
  • One wonders... (Score:4, Insightful)

    by Moggie68 (614870) on Wednesday April 13, 2005 @10:26AM (#12222958)
    ..just how long these security holes have existed? It's a nifty trick to publish security holes only after patching them. Makes you look good, except in the eyes of those whose PC has already been "pwned" because of said holes...
    • Re:One wonders... (Score:5, Informative)

      by Nevo (690791) on Wednesday April 13, 2005 @10:33AM (#12223013)
      Read the bulletins. Each security bulletin has a section in which Microsoft says whether or not the vulnerability was publicly reported, and whether or not Microsoft was aware of public exploits at the time the bulletin was published. My understanding is that none of this month's vulnerabilities were publicly known. Granted, you won't know how long Microsoft knew of the hole (which is useless information), but you'll know if it was a zero-day exploit (which is marginally more useful information).
    • Re:One wonders... (Score:5, Insightful)

      by Neopoleon (874543) on Wednesday April 13, 2005 @10:37AM (#12223051) Homepage
      You have to keep things in perspective - Windows isn't open source, so publishing the vulnerabilities ahead of time, in many cases, wouldn't actually do much good.

      As you know, with OSS, announcing a vulnerability is like a call to arms, getting devs out of bed and coding fixes. With a closed source product, it's like saying "Cooooooooooooome 'n get it!"

      If users could plug these holes with their fingers, then telling them would help. As things are, though, this is probably the safer way to do it for our product.
      • Re:One wonders... (Score:2, Insightful)

        by freshman_a (136603)
        While I see your point...

        I'd rather MS publish vulnerabilities ahead of time. 2 of the servers I maintain run Windows Server. If they are vulnerable, I'd like to know about it, even if MS hasn't released a fix. At least if I know about it, I can monitor traffic more closely on those servers or do something to at least help those servers from being "pwned". I'd rather spend my time playing defense instead of wondering whether or not my servers are vulnerable and if so, why?

        I think if MS kept people mor
        • Re:One wonders... (Score:3, Insightful)

          by LurkerXXX (667952)
          I understand your reasoning, but I disagree with your point.

          Posting an expolit with no patch is a dream come true for the script-kiddies, spammers, zombie-makers of the world. They will jump on it in a heartbeat.

          While you may diligently monitor your severs for the new potential exploint (even though there may be nothing you can do to avoid it except switch the service to a non-MS box temporarily), most wouldn't.

          There are a LOT of windows servers out there admin'd by folks who think they know what the

    • Re:One wonders... (Score:3, Informative)

      by Malc (1751)
      You are aware that normally Windows' exploits only occur after the security hole has been announced, right?
    • Re:One wonders... (Score:2, Interesting)

      by curufinwe741 (854270)
      Keep in mind the fact that Windows XP consists of roughly 45 million lines of code. Considering this, I think it puts into perspective what a gargantuan task testing and patching truly is, and gives me a little more understanding of holes in the OS.
  • Patches (Score:5, Informative)

    by johndou1 (471942) * on Wednesday April 13, 2005 @10:26AM (#12222963) Homepage
    Auto update applied the patched and then I could not boot.

    Had to run chkdsk, then it came back to life.

    • Re:Patches (Score:5, Informative)

      by saddino (183491) on Wednesday April 13, 2005 @10:31AM (#12223003)
      Same here. On restart I went into some funky graphics mode (looked like a crash on an old C64) alternating between a light blue screen, a light green screen and some multicolored vertical lines. This is a brand new machines with XP Pro and basically only Visual Studio installed.

      I almost had a heart attack because I didn't back up code I wrote last night (dumb to apply updates without backing up, yes I know).

      A hard reboot fixed it for me, but I'm still a little nervous.
    • I had that too on one of the 3 XP boxes I updated.

      Though everything seemed fine after chkdsk did its thing.
  • The Big Three (Score:4, Informative)

    by Rhaythe (868600) on Wednesday April 13, 2005 @10:26AM (#12222966) Journal
    The most worrisome are (from least to most)
    MS05-019 Vulnerabilities in TCP/IP Could Allow Remote Code Execution and Denial of Service.
    Remotely Exploitable. Good potential for the next superworm.
    IP Validation Vulnerability (CAN-2005-0048 ) - "Incomplete validation of IP Network Packets" is how Microsoft describes this vulnerability.

    MS05-021 - Vulnerability in Exchange Server Could Allow Remote Code Execution.
    Remotely Exploitable Buffer Overflow
    Exchange Server Vulnerability (CAN-2005-0560) - The service fails to handle SMTP extended verb requests. On Exchange 2000, if an attacker connects to an SMTP port (unauthenticated users will work) and issues a specially crafted extended verb request, this would allow an attacker to run the code of their choice as the SMTP service runs as Local System.

    MS05-020: Cumulative Security Update for Internet Explorer (890923)
    Remotely exploitable.

    All three problems fixed would require a user to browse a malicious website or click on a link... but then there is a HIGH probability that THAT will happen. Again proof of concept exploit code has been released for this flaw.
    • by tweakt (325224) * on Wednesday April 13, 2005 @10:40AM (#12223082) Homepage
      All three problems fixed would require a user to browse a malicious website or click on a link... but then there is a HIGH probability that THAT will happen. Again proof of concept exploit code has been released for this flaw.
      Wrong. Based on those summaries, I'd say the first two are exploitable by the attacking system connecting TO the target. No action is required by the victim. Only the third I would guess involves web-related malware.
  • by Reignking (832642) on Wednesday April 13, 2005 @10:28AM (#12222976) Journal
    I would like to thank MS for being so diligent in protecting the everyday computer user from malicious attacks from evil-doers. Keep the patches coming!
    • Re:Thank you MS! (Score:5, Informative)

      by xocp (575023) on Wednesday April 13, 2005 @10:34AM (#12223030)
      Not to mention, I appreciated that Microsoft thanks those that reported the vulnerabilities:

      Mark Dowd and Ben Layer of ISS X-Force for reporting the Exchange Server Vulnerability (CAN-2005-0560).

      Alex Li for reporting the Word vulnerability (CAN-2005-0558).

      Hongzhen Zhou for reporting the MSN Messenger Vulnerability (CAN-2005-0562).

      Song Liu, Hongzhen Zhou, and Neel Mehta of ISS X-Force for reporting the IP Validation Vulnerability (CAN-2005-0048).

      Fernando Gont of Argentina's Universidad Tecnologica Nacional/Facultad Regional Haedo, for working with us responsibly on the ICMP Connection Reset Vulnerability (CAN-2004-0790) and the ICMP Path MTU Vulnerability (CAN-2004-1060).

      Qualys for reporting the ICMP Path MTU Vulnerability (CAN-2004-1060).

      Berend-Jan Wever working with iDEFENSE for reporting the DHTML Object Memory Corruption Vulnerability (CAN-2005-0553).

      3APA3A and axle@bytefall working with iDEFENSE for reporting the URL Parsing Memory Corruption Vulnerability (CAN-2005-0554).

      Andres Tarasco of SIA Group for reporting the Content Advisor Memory Corruption Vulnerability (CAN-2005-0555).

      iDEFENSE for reporting the Windows Shell Vulnerability (CAN-2005-0063).

      Kostya Kortchinsky with CERT RENATER for reporting the Message Queuing Vulnerability (CAN-2005-0059).

      John Heasman with Next Generation Security Software Ltd. for reporting the Font Vulnerability (CAN-2005-0060).

      Sanjeev Radhakrishnan, Amit Joshi, and Ananta Iyengar with GreenBorder Technologies for reporting the Windows Kernel Vulnerability (CAN-2005-0061).

      David Fritz working with iDEFENSE for reporting the CSRSS Vulnerability (CAN-2005-0551).
  • Feel safer now? (Score:5, Insightful)

    by 3770 (560838) on Wednesday April 13, 2005 @10:33AM (#12223021) Homepage
    I don't know if I'm feeling safer or less safe after seeing these patches.

    Scenario 1)
    Yay!!! There are now fewer security holes.

    Scenario 2)
    Oh noo!!! If they still are finding problems of this type then there must be many many more.

    Are you a scenario type 1 or type 2 guy?

    • Re:Feel safer now? (Score:3, Insightful)

      by mccalli (323026)
      Are you a scenario type 1 or type 2 guy?

      Yes. The two scenarios aren't mutually exclusive.

      Cheers,
      Ian
      (who is actually a scenario 3 type of guy - when will the first patches for Tiger come out...?)

    • Normally these are phrased as:

      Scenario 1)
      Yay!!! Finding these holes in [open-source project] shows that with enough eyes, all bugs are shallow!

      Scenario 2)
      These vulnerabilities in [proprietary product] are proof of the superiority of open-source.

      There's also a rarer Scenario 3 where the Microsoft hole is the result of their use of an open-source codebase or library. At that point, all bets are off.
  • by Anonymous Coward on Wednesday April 13, 2005 @10:34AM (#12223031)
    That way I can be the first to break something. It's no fun having a solution already up on Google.
  • So... (Score:5, Insightful)

    by bl4nk (607569) on Wednesday April 13, 2005 @10:35AM (#12223037)
    Can we expect a news article every month blasting Microsoft for releasing security updates? Christ, where are the news articles when updates come out for other OS's? Or is it only a bad thing when Microsoft does it?
    • Re:So... (Score:2, Interesting)

      by sagekoala06 (786349)
      I always seem to have at least one windows box at home ... and quite frankly I'm glad slashdot gives me the heads up for updates. Its because of this that i was able to completly avoid the whole sasser etc aound of worms on my machine. I see the heads up, and in a few weeks i see the havoc that they unleashed on the net. then i have to go to my girlfriends place and fix her machine because she doesn't read slashdot and god only knows she isn't going to listen to me!
    • Re:So... (Score:3, Insightful)

      by Rudeboy777 (214749)
      I recall a few examples of front page attention for Firefox releases that address security problems. Same for the occasional security issue in Sendmail or MySQL or Samba or the kernel, or ...
    • Re:So... (Score:2, Insightful)

      by Anonymous Coward
      I think you're exactly right. Others OSs have problems and get updated all the time. Whenever a vulnerability comes out that Microsoft hasn't issued a patch for, people bitch because they're neglecting their customers. Whenever Microsoft releases a patch, people bash them for security problems. However, when a vulnerability in the linux kernel comes around, then people still bash Microsoft. I don't know why people care so much, but it's getting to be childish.
    • Re:So... (Score:4, Informative)

      by rpozz (249652) on Wednesday April 13, 2005 @11:09AM (#12223347)
      There have definitely been articles relating to OpenSSH et all, and getting exactly the same amount of critism.

      Note that "Vulnerabilities in TCP/IP Could Allow Remote Code Execution and Denial of Service (893066)" is pretty damn serious though.
    • Can we expect a news article every month blasting Microsoft for releasing security updates? Christ, where are the news articles when updates come out for other OS's? Or is it only a bad thing when Microsoft does it?

      You must be new here ....

  • by TheStick (847894) on Wednesday April 13, 2005 @10:37AM (#12223057)
    I never understood why Microsoft released "critical updates" only every month. If they're critical, you're supposed to release a patch as soon as you hear about them. 48 hours is already too much, and a month represents a century in the IT universe...
    • by Malc (1751) on Wednesday April 13, 2005 @10:49AM (#12223169)
      People don't want to be updating every five minutes. Every patch goes through a complete testing cycling at some businesses, which is very expensive. This lowers the time and expense by restricting it to once a month. Furthermore, if the security hole hasn't been publicly announced, there isn't normally something exploiting it. I think this is a matter of risk management - maybe they will get burnt by this one day, but experience has shown that this approach is acceptable.
    • by EXTomar (78739) on Wednesday April 13, 2005 @11:07AM (#12223320)
      Why wait a month? Because their patching system blows. They didn't learn lessons learned decades ago about how to patch core components and kernel services and now we live with this every day (or month as the case maybe).

      Patching a single Windows machine is difficult especially if you are a novice (many still don't understand why computers "just don't work"). Patching many Windows machines is hard. Patching a live server is hard. Considering how hard some of the patching is on some machines you might even want to consider waiting a few more days to the weekend to apply this patch to patch them especially since one of the patches fixes exploits that are mitigated by using firewalls. Reguardless Windows is so hard to patch you can't have the "on the fly" patching other platforms feature.

      It is really lesser of two evils. You can either spend almost all of your time patching or you can lump the difficult time in one large shot. If MS dropped patches when ever they felt it was complete (which is good for security!) you finished updating the entire enterprise (this might take a weeks if not a month with serious stuff like SP 2) you'd have to start over and do it again for a brand new one. So on and so forth.

      The real problem is "patching Windows is hard". The "fix" right now to this is pushing patches once a month. As long as Windows is hard to patch then there is no other real solution to this horrible situation MS sold us on.
  • by BladeMelbourne (518866) on Wednesday April 13, 2005 @10:40AM (#12223081)
    I just went to update Win2003 SP1 and all they offered was the Windows Malicious Software Removal Tool - April 2005. I'm disappointed at missing my patch fix for this month :-(
  • silent install (Score:4, Interesting)

    by unk1911 (250141) on Wednesday April 13, 2005 @10:41AM (#12223096) Homepage
    last night, i got a popup message saying "updates were applied to your system and it will be rebooted in 5 minutes" - i tried to kill that process but it kept respawning. is that related to these patches? weird, i thought i had autoupdate disabled..

    --
    http://unk1911.blogspot.com [blogspot.com]
  • by antdude (79039) on Wednesday April 13, 2005 @10:53AM (#12223196) Homepage Journal
    Read Broadband Reports security forum thread [broadbandreports.com] about this. It appears the rerelease patch fixed the blue screen problems, proxy, etc.
  • by hackstraw (262471) * on Wednesday April 13, 2005 @10:55AM (#12223210)

    Hmm, Microsoft security updates. Must be the 2nd Tuesday of the month.

    I don't even use MS products and I know about their update schedule, yet every 2nd Tuesday of the month /. puts up and article about it.
  • I spent several hours yesterday cleaning viruses and spyware off of my mom's laptop, then installing patches, SP2, and AVG Antivirus. Now I have to go patch it some more?
  • by erroneus (253617) on Wednesday April 13, 2005 @11:05AM (#12223303) Homepage
    I don't know where or how I got it stuck in my head that WindowsXP SP2 was supposed to have fundamentally changed something about the way code ran... maybe it was just a dream. But I thought some of those critical components of the OS had gone through intensive scrutiny and all that when they were compiling updates to build SP2. But, again, I must have been dreaming since these new ones have managed to stick around.

    I applied these yesterday and my fax software suddenly lost DLLs that were required for it to function. I haven't been able to determine %100 if there is a connection, but in my mind, that was the only major change to the system preceding the discovery of the problem.

    Weird weird weird...
  • by Eyeball97 (816684) on Wednesday April 13, 2005 @11:13AM (#12223395)
    It seems MS are determined to have XP users disabled from using raw sockets - in itself not such a bad idea for 99.9% of XP users but those of you who avoided SP2 (or disabled firewall/ICS atfer installing it to get round this problem) please note - it's back! and there's no known way do disable it (yet).
  • by MerlynEmrys67 (583469) on Wednesday April 13, 2005 @11:20AM (#12223467)
    Why is this news at all ?
    Patches up
    • by bach37 (602070) on Wednesday April 13, 2005 @12:43PM (#12224349)
      Patches for Fedora are regular bug fixes for the 10,000+ Linux packages available. These Windows critial updates are fixes for vunerablilities in the operating system itself, which could be compromised by 'hackers' out there. Totally different from those updates you are installing with Fedora. This is crazy b/c huge holes in Windows are found on a monthly basis. This is not true for any other OS.
  • Install SP2 (Score:3, Informative)

    by km790816 (78280) <wqhq3gx02&sneakemail,com> on Wednesday April 13, 2005 @02:11PM (#12225425)
    Take a look at Microsoft Security Bulletin MS05-019.

    If you are running SP2, none of the flaws is considered worse that "moderate".

    1) The criticality of a fix depends on the OS. A critical bug is Win2k may be only moderate in XPSP2, but it's always advertised as just "critical".

    2) This is good proof that (at least my Microsoft's analysis of criticality) XPSP2 does improve security dramatically, even in the face of defects.

I've never been canoeing before, but I imagine there must be just a few simple heuristics you have to remember... Yes, don't fall out, and don't hit rocks.

Working...