
Microsoft Releases Eight Security Updates

Juha-Matti Laurio writes "After a very uncommon break in March, Microsoft has just published 8 new security updates. Almost all updates that are part of the monthly release cycle are rated 'Critical.' The new Windows Shell vulnerability, MS05-016, is only 'Important,' but Windows XP Service Pack 2 is affected too. This is not the first time there has been something to fix in Shell32.dll. The vulnerabilities in TCP/IP that could allow remote code execution and denial of service, covered by cumulative bulletin MS05-019, affect SP2 too. Windows Kernel, Exchange, MSN Messenger, Word (Office) and Internet Explorer get their updates as well."
  • yep - move on (Score:4, Insightful)

    by nighty5 ( 615965 ) on Wednesday April 13, 2005 @10:20AM (#12222908)
    This is not the first time when there was something to fix at Shell32.dll

    yep, and like every operating system - it won't be the last...
  • More updates (Score:5, Insightful)

    by nenolod ( 546272 ) <nenolod@g m a i l .com> on Wednesday April 13, 2005 @10:21AM (#12222922) Homepage
    And yet they are less vague than the ones which have recently come out of OpenBSD [openbsd.org]. That's scary.
  • One wonders... (Score:4, Insightful)

    by Moggie68 ( 614870 ) on Wednesday April 13, 2005 @10:26AM (#12222958)
    ..just how long these security holes have existed? It's a nifty trick to publish security holes only after patching them. Makes you look good, except in the eyes of those whose PC has already been "pwned" because of said holes...
  • Re:Woohoo! (Score:5, Insightful)

    by LurkerXXX ( 667952 ) on Wednesday April 13, 2005 @10:29AM (#12222988)
    Are you trying to say whatever OS you use is?

    Right.

    Every OS releases security patches. MS might need more than others, but they ALL need them.

    Security is a process, not an endpoint.

  • Feel safer now? (Score:5, Insightful)

    by 3770 ( 560838 ) on Wednesday April 13, 2005 @10:33AM (#12223021) Homepage
    I don't know if I'm feeling safer or less safe after seeing these patches.

    Scenario 1)
    Yay!!! There are now fewer security holes.

    Scenario 2)
    Oh noo!!! If they still are finding problems of this type then there must be many many more.

    Are you a scenario type 1 or type 2 guy?

  • Comment removed (Score:4, Insightful)

    by account_deleted ( 4530225 ) on Wednesday April 13, 2005 @10:34AM (#12223029)
    Comment removed based on user account deletion
  • So... (Score:5, Insightful)

    by bl4nk ( 607569 ) on Wednesday April 13, 2005 @10:35AM (#12223037)
    Can we expect a news article every month blasting Microsoft for releasing security updates? Christ, where are the news articles when updates come out for other OSes? Or is it only a bad thing when Microsoft does it?
  • Re:One wonders... (Score:5, Insightful)

    by Neopoleon ( 874543 ) on Wednesday April 13, 2005 @10:37AM (#12223051) Homepage
    You have to keep things in perspective - Windows isn't open source, so publishing the vulnerabilities ahead of time, in many cases, wouldn't actually do much good.

    As you know, with OSS, announcing a vulnerability is like a call to arms, getting devs out of bed and coding fixes. With a closed source product, it's like saying "Cooooooooooooome 'n get it!"

    If users could plug these holes with their fingers, then telling them would help. As things are, though, this is probably the safer way to do it for our product.
  • by TheStick ( 847894 ) on Wednesday April 13, 2005 @10:37AM (#12223057)
    I never understood why Microsoft released "critical updates" only every month. If they're critical, you're supposed to release a patch as soon as you hear about them. 48 hours is already too much, and a month represents a century in the IT universe...
  • Re:Phew! (Score:3, Insightful)

    by Ubergrendle ( 531719 ) on Wednesday April 13, 2005 @10:38AM (#12223064) Journal
    It's not called "March Madness" for nothing! :)

    I would be interested to compare how many operating systems updates were released for Solaris, AIX, HP-UX, and Linux over the past two months... without getting into an argument over impact/criticality, I'm willing to bet there's been more than 8 fixes for each of those OSes in that timeframe.
  • by ScentCone ( 795499 ) on Wednesday April 13, 2005 @10:41AM (#12223092)
    or else you are SOL

    That should read, "or else you are too cheap to buy your operating system, or too dumb to use one that you're allowed to license for free."

    You're not SOL when your stolen thing can't be upgraded, you're exactly where you deserve to be.
  • Re:Feel safer now? (Score:3, Insightful)

    by mccalli ( 323026 ) on Wednesday April 13, 2005 @10:49AM (#12223160) Homepage
    Are you a scenario type 1 or type 2 guy?

    Yes. The two scenarios aren't mutually exclusive.

    Cheers,
    Ian
    (who is actually a scenario 3 type of guy - when will the first patches for Tiger come out...?)

  • by Malc ( 1751 ) on Wednesday April 13, 2005 @10:49AM (#12223169)
    People don't want to be updating every five minutes. Every patch goes through a complete testing cycle at some businesses, which is very expensive. This lowers the time and expense by restricting it to once a month. Furthermore, if the security hole hasn't been publicly announced, there isn't normally something exploiting it. I think this is a matter of risk management - maybe they will get burnt by this one day, but experience has shown that this approach is acceptable.
  • Re:So... (Score:3, Insightful)

    by Rudeboy777 ( 214749 ) on Wednesday April 13, 2005 @10:54AM (#12223204)
    I recall a few examples of front page attention for Firefox releases that address security problems. Same for the occasional security issue in Sendmail or MySQL or Samba or the kernel, or ...
  • Re:So... (Score:2, Insightful)

    by Anonymous Coward on Wednesday April 13, 2005 @10:58AM (#12223248)
    I think you're exactly right. Other OSes have problems and get updated all the time. Whenever a vulnerability comes out that Microsoft hasn't issued a patch for, people bitch because they're neglecting their customers. Whenever Microsoft releases a patch, people bash them for security problems. However, when a vulnerability in the Linux kernel comes around, then people still bash Microsoft. I don't know why people care so much, but it's getting to be childish.
  • Re:Phew! (Score:2, Insightful)

    by fostware ( 551290 ) on Wednesday April 13, 2005 @10:59AM (#12223257) Homepage
    I don't think a real comparison will ever come through...

    There is *one* OS exploit here.
    The other exploits target Exchange and Internet Explorer.
    It becomes so much harder when you try to look at Linux, GNU utils, and then the FOSS services and applications.
    (and then you've got distribution specific exploits)

    The closest realistic comparison I can get is to ask those not-so-desirable acquaintances which ones are faster and easier to exploit. Everybody else has agendas or ties to one party or another, as it affects their income.
  • by lpangelrob2 ( 721920 ) on Wednesday April 13, 2005 @11:00AM (#12223269) Journal
    No... in fact, after all the flak that was thrown in the uproar when MS started saying, "We're not announcing security leaks until we've patched them," I don't recall hearing anything about self-propagating, bandwidth-sucking worms anymore. Heck, not even anything like Melissa or "I love you" lately. No zero-day exploits. Nothing.

    Maybe it wasn't such a bad idea after all... or maybe users are learning how to be halfway competent?

  • by ergo98 ( 9391 ) on Wednesday April 13, 2005 @11:01AM (#12223272) Homepage Journal
    No (or at least not to the same scale).

    The firewall added by SP2 significantly reduces the threat profile, especially for those people connected to the net bare. Even if a lot of local services are vulnerable, it's less of a threat if external probes can't reach them.
  • by erroneus ( 253617 ) on Wednesday April 13, 2005 @11:05AM (#12223303) Homepage
    I don't know where or how I got it stuck in my head that Windows XP SP2 was supposed to have fundamentally changed something about the way code ran... maybe it was just a dream. But I thought some of those critical components of the OS had gone through intensive scrutiny and all that when they were compiling updates to build SP2. But, again, I must have been dreaming since these new ones have managed to stick around.

    I applied these yesterday and my fax software suddenly lost DLLs that were required for it to function. I haven't been able to determine 100% if there is a connection, but in my mind, that was the only major change to the system preceding the discovery of the problem.

    Weird weird weird...
  • Re:WS2K3 SP1 (Score:5, Insightful)

    by arete ( 170676 ) <xigarete+slashdot@nosPam.gmail.com> on Wednesday April 13, 2005 @11:06AM (#12223307) Homepage
    You misunderstood. /. wants everything. Especially because different people want different things...)

    They quite literally want to build an automatic cake making machine so they can have lots of cake while they're eating their cake : )

    They want a blindingly fast machine with a 90 inch display that fits on their keychain and uses no power. They want this machine to be completely secure while allowing random applications to do whatever necessary to squeeze their hardware. They want it to use an OS that is unpopular enough to instill geek pride but is somehow the primary development platform of all cool games.

    Oh, and it should be Free as in speech, Free as in beer, and produced by a trusted public company that somehow makes money off this without doing anything that would make them unloved.

    And they want cute little penguins to somehow get them laid by actual women, generally without them having to go anywhere they might actually meet women.

    I'm not saying any of these individual goals are bad ideas, I'm just saying you can't always have everything you want.

    (Incidentally, I'm in favor of really paranoid IE settings, but since by using it you're implicitly trusting MS, the Office update site could probably have been automatically added to that list. I think that's why the gp noted it.)

  • by EXTomar ( 78739 ) on Wednesday April 13, 2005 @11:07AM (#12223320)
    Why wait a month? Because their patching system blows. They didn't learn lessons learned decades ago about how to patch core components and kernel services and now we live with this every day (or month as the case may be).

    Patching a single Windows machine is difficult especially if you are a novice (many still don't understand why computers "just don't work"). Patching many Windows machines is hard. Patching a live server is hard. Considering how hard some of the patching is on some machines you might even want to consider waiting a few more days to the weekend to apply these patches, especially since one of the patches fixes exploits that are mitigated by using firewalls. Regardless, Windows is so hard to patch you can't have the "on the fly" patching that other platforms feature.

    It is really the lesser of two evils. You can either spend almost all of your time patching or you can lump the difficult time in one large shot. If MS dropped patches whenever they felt one was complete (which is good for security!), once you finished updating the entire enterprise (this might take weeks if not a month with serious stuff like SP2) you'd have to start over and do it again for a brand new one. So on and so forth.

    The real problem is "patching Windows is hard". The "fix" right now to this is pushing patches once a month. As long as Windows is hard to patch there is no other real solution to this horrible situation MS sold us on.
  • Re:Phew! (Score:4, Insightful)

    by Anonymous Coward on Wednesday April 13, 2005 @11:10AM (#12223357)
    I would be interested to compare how many operating systems updates were released for Solaris, AIX, HP-UX, and Linux over the past two months...

    First, you have to carefully define exactly which software is part of the operating system. Windows includes almost no software out of the box, so security problems in widely-used Windows programs aren't considered to be OS vulnerabilities. On the other hand, Linux distributions tend to install lots and lots of extra software in addition to the base OS, and a vulnerability in any one of these extra packages is reported as a vulnerability in the distribution. For example, Debian had 11 security advisories for March 2005 (see http://www.debian.org/security/2005/ [debian.org]), but none of them (with the possible exception of netkit-telnet and netkit-telnet-ssl) can really be considered problems with the OS. So you can't just compare the number of reported security problems in each OS, because the two numbers have vastly different scope.

  • Re:One wonders... (Score:2, Insightful)

    by freshman_a ( 136603 ) on Wednesday April 13, 2005 @11:13AM (#12223387) Homepage Journal
    While I see your point...

    I'd rather MS publish vulnerabilities ahead of time. 2 of the servers I maintain run Windows Server. If they are vulnerable, I'd like to know about it, even if MS hasn't released a fix. At least if I know about it, I can monitor traffic more closely on those servers or do something to at least help keep those servers from being "pwned". I'd rather spend my time playing defense instead of wondering whether or not my servers are vulnerable and if so, why?

    I think if MS kept people more informed of vulnerabilities and released fixes when the vulnerabilities were found, as opposed to not announcing them and hoping no one discovers them until the next monthly security update, it would greatly help their image in terms of security.

    But that's just my 2 cents...
  • by owdi ( 639681 ) on Wednesday April 13, 2005 @11:43AM (#12223686)
    I'm going to pass on this patch, these vulnerabilities are hardly what I would call 'critical' for an xp sp2 home desktop user.
    • If you have XP Service Pack 2, and are behind a router, the ICMP vulnerability is a non-issue. Your router responds to pings, not your computer.
    • If you use Mozilla Firefox, the IE vulnerability is a non-issue as well.
    • The Exchange vulnerability is a non-issue for desktop users.
    • If you use MSN Messenger, update. I don't.
    • If you open other peoples word documents, update. I use Abiword, or let google translate them to html.
    -Dan
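Two comments above approach the same question from opposite ends: ergo98 notes that the SP2 firewall matters because a vulnerable local service is less of a threat when probes can't reach it, and owdi treats sitting behind a router as making the TCP/IP bulletin irrelevant for a home desktop. The script below is an added example, not code from the original page or from Microsoft. It parses the output of Windows `netstat -ano` (the sample embedded here is constructed, not captured from any machine discussed in the thread) and separates sockets that only listen on loopback, which no remote host can reach, from sockets bound to 0.0.0.0 or a LAN address, which anything on the same network segment can reach. The caveat it encodes is that a NAT router only drops unsolicited traffic arriving from the Internet side; a neighbour on the LAN, or any network the machine is later carried to, sees every non-loopback listener, so those are the ports the host firewall still has to cover.

```python
"""Added example: which local services could a network probe actually reach?

Parses `netstat -ano` output as printed by Windows XP and classifies each
listening socket by where it can be reached from. The sample output below is
constructed for this example.
"""
from __future__ import annotations

from dataclasses import dataclass
import ipaddress

# Constructed sample in the column layout of `netstat -ano` on Windows XP.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       948
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING       1104
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING       4
  TCP    192.168.1.10:3389      203.0.113.5:51234      ESTABLISHED     812
  UDP    0.0.0.0:445            *:*                                    4
  UDP    127.0.0.1:1900         *:*                                    1240
"""


@dataclass(frozen=True)
class Listener:
    proto: str
    address: str
    port: int
    pid: int


def parse_netstat(text: str) -> list[Listener]:
    """Return TCP sockets in LISTENING state and every bound UDP socket."""
    listeners = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue  # banner, header, or blank line
        proto, local = parts[0], parts[1]
        # TCP rows carry a State column; only LISTENING rows accept new
        # connections. UDP rows have no state, so every bound socket counts.
        if proto == "TCP" and (len(parts) < 5 or parts[3] != "LISTENING"):
            continue
        addr, _, port = local.rpartition(":")  # handles [::]:port as well
        listeners.append(Listener(proto, addr, int(port), int(parts[-1])))
    return listeners


def exposure(listener: Listener) -> str:
    """Classify a listener as loopback only, a specific interface, or all interfaces."""
    addr = listener.address.strip("[]")  # netstat brackets IPv6 addresses
    if addr in ("0.0.0.0", "::"):
        return "all interfaces"
    if ipaddress.ip_address(addr).is_loopback:
        return "loopback only"
    return "specific interface"


def network_reachable(listeners: list[Listener]) -> list[tuple[str, int]]:
    """(proto, port) pairs that a peer on the same network segment could probe.

    A NAT router drops unsolicited Internet traffic to these ports, but does
    nothing for a host on the LAN side or for a laptop later plugged into
    another network, so the host firewall has to cover them.
    """
    return sorted(
        {(l.proto, l.port) for l in listeners if exposure(l) != "loopback only"}
    )


def report(text: str) -> dict[str, list[str]]:
    """Group listeners by exposure class, e.g. {'all interfaces': ['TCP/135', ...]}."""
    grouped: dict[str, list[str]] = {}
    for l in parse_netstat(text):
        grouped.setdefault(exposure(l), []).append(f"{l.proto}/{l.port}")
    return {cls: sorted(ports) for cls, ports in grouped.items()}


if __name__ == "__main__":
    for cls, ports in report(SAMPLE_NETSTAT).items():
        print(f"{cls:20s} {', '.join(ports)}")
```

Run it against real output with `netstat -ano > netstat.txt` and `report(open("netstat.txt").read())`; anything in the "all interfaces" or "specific interface" buckets is what an inbound firewall rule, or the absence of one, decides about.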
  • Re:One wonders... (Score:3, Insightful)

    by LurkerXXX ( 667952 ) on Wednesday April 13, 2005 @11:47AM (#12223720)
    I understand your reasoning, but I disagree with your point.

    Posting an exploit with no patch is a dream come true for the script-kiddies, spammers, zombie-makers of the world. They will jump on it in a heartbeat.

    While you may diligently monitor your servers for the new potential exploit (even though there may be nothing you can do to avoid it except switch the service to a non-MS box temporarily), most wouldn't.

    There are a LOT of windows servers out there admin'd by folks who think they know what they are doing, but are really not that good, and there are a LOT of other windows servers out there that were set up once, the admin/consulting-company/whatever left with instructions for the local folks to run windows update regularly or set to download and install updates automatically.

    Those boxes will be owned in no time. Bad for them, and bad for all the internet traffic they will generate. And we are talking about servers here, not all the random desktop/workstation machines that also will get hit by exploits. that would be much much worse.

    MS knows the customer base. Most of it is fairly clueless. Although the well monitored machines (the vast minority) might be ok, the vast majority of their customers would probably take it in the shorts. Very very bad for MS's security image. Hence they don't report the holes till they have a patch ready to roll out. A much better thing for the internet overall.

  • by Anonymous Coward on Wednesday April 13, 2005 @11:49AM (#12223741)

    People don't want to be updating every five minutes.

    Microsoft don't force these updates on people. If they release the patches when they are ready, you can still only update once a month if you want to.

    Furthermore, if the security hole hasn't been publicly announced, there isn't normally something exploiting it.

    I think you mean "if the security hole hasn't been publicly announced, people have no clue whether there are things exploiting it or not."

    Or do you think that black hats make formal announcements when they discover vulnerabilities?

    I think this is a matter of risk management

    Indeed it is. By releasing patches on a regular basis rather than when the patches are finished, Microsoft force their customers to go from a known, quantifiable risk (the cost of testing and patching) to a completely unknown risk (the possibility of being compromised, unknown severity).

    So yes, it's a matter of risk management - Microsoft are taking away your ability to manage your risks effectively.

  • by bach37 ( 602070 ) on Wednesday April 13, 2005 @12:43PM (#12224349)
    Patches for Fedora are regular bug fixes for the 10,000+ Linux packages available. These Windows critical updates are fixes for vulnerabilities in the operating system itself, which could be compromised by 'hackers' out there. Totally different from those updates you are installing with Fedora. This is crazy b/c huge holes in Windows are found on a monthly basis. This is not true for any other OS.
  • Re:Phew! (Score:1, Insightful)

    by Anonymous Coward on Wednesday April 13, 2005 @02:46PM (#12225810)
    First, you have to carefully define exactly which software is part of the operating system. Windows includes almost no software out of the box, so security problems in widely-used Windows programs aren't considered to be OS vulnerabilities.

    well, even the Slashdot blurb clearly lists many applications as included in this MS fixlist even if you debate the browser status (Word, Exchange, MSN Messenger (separate download app, != Windows Messenger)). Of the critical ones actually only one is OS (TCP/IP), two if you count IE.
  • Re:Phew! (Score:3, Insightful)

    by BrainSurgeon ( 875819 ) on Wednesday April 13, 2005 @02:56PM (#12225929)
    We all know that they have had their issues with security in the past. But over the last three years they have taken some great strides to improve it.

    I applaud them for doing their own proactive penetration testing on their software, as well as enlisting the help of third-party companies to do the same. This is far better than the "we'll see what happens" approach of years past. This proactive approach cuts down on zero-day exploits (granted there still will be a few), teaches them to learn from their mistakes, as well as provides education to the software dev community on those mistakes.

    So, instead of ranting and complaining about these patches, I think people should take a moment to reflect and see the bigger picture of what's being accomplished here.
