Microsoft Patches 19 Flaws, 6 in Vista 307
Cheesy Balogna writes "Microsoft has just released seven advisories — all rated critical — with patches for at least 19 vulnerabilities affecting the Windows operating system, the widely deployed Office productivity suite and the dominant Internet Explorer browser. Six of the 19 vulnerabilities affect Windows Vista. 'There are patches for 7 different vulnerabilities that could lead to code execution attacks against Word, Excel and Office. Users of Microsoft Exchange are also urged to pay attention to one of the critical bulletins, which cover 4 different flaws. A cumulative IE update addresses six potentially dangerous bugs. There are the six that apply to IE 7 on Windows Vista. The last bulletin in this month's batch apples to CAPICOM (Cryptographic API Component Object Model) and could also put users at risk of complete system hijack attacks.'"
Re:Linux patches? (Score:3, Interesting)
Changes Default Browser (Score:5, Interesting)
20 critical Linux vulnaribilities in one month? (Score:2, Interesting)
Nice +5 troll post though! I will probably save that one so I can use it when I feel like trolling. Hope you don't mind.
Cumulative IE 7 update 34,70 MB?? (Score:5, Interesting)
It is bigger than the x64 bit version!
Re:Linux patches? (Score:2, Interesting)
Update also makes IE 7 the default browser (Score:4, Interesting)
Did they even QA this thing? The size is huge and now it also stole the default browser setting.
Re:Linux patches? (Score:3, Interesting)
Although I do believe that MS made some good improvements to security in Vista it would seem that it's actual performance falls short of their claims. My bias comes from a real desire for security. As an IT guy who administers Windows and Linux boxes I'm interested in stories concerning both. But I think it's fair to state that MS's track record on security warrants a lot more security then Linux.
Cure the disease and lose the patient (Score:5, Interesting)
(yes, I lost an email I was writing last night because of this and I'm still a bit sore...)
Did they fix the cltreq.asp query nonsense? (Score:5, Interesting)
GET
You'd think sending these GETS to every single web site visited would be unnecessary (since IE can tell if it's connected to IIS, and only IIS is going to have cltreq.asp installed).
I'm guessing they didn't fix that one?
Re:Linux patches? (Score:2, Interesting)
So no, we don't see 100 preemptive individual patch stories for various linux builds on here every day.
Re:Linux patches? (Score:1, Interesting)
- The first line of that is misleading. It should read "19 vulnerabilities affecting either the Windows operating system, the widely deployed Office productivity suite or the dominant Internet Explorer browser". What's been written is probably grammatically acceptable but it leads the reader to believe that the 19 vulnerabilities affect all of those programs. They do not.
- The unnecessary use of "widely deployed [...] productivity suite" and "the dominant [..] browser"? Why add that in there if it's not to try and make a statement? They don't add anything of relevance or meaning so why have it? The article is about security advisories and is posted on ZDNet/Slashdot, does the article writer/submitter think that anyone reading this won't know what MS Office and Internet Explorer are?
- "A cumulative IE update addresses six potentially dangerous bugs. There are the six that apply to IE 7 on Windows Vista.
Well that doesn't read very well at all, but it could be taken as talking about 6 or 12 bugs. There are 6.
- "The last bulletin in this month's batch apples to CAPICOM (Cryptographic API Component Object Model) and could also put users at risk of complete system hijack attacks."
"Complete system hijack attacks"? I'm sorry did I walk into a Hollywood movie? It's a remote code execution flaw. Serious for sure, but this isn't being submitted to The Sun. Slashdot and ZDNet are technical sites, stick to the terminology and leave the dramatisations out of it.
Maybe I've read too much into it. Maybe the article writer just didn't write it very well (the summary is lifted straight from the article). Perhaps if I hadn't read the article I would've been less likely to question the submitter/authors intent. Once you've read the article I think it seems a lot clearer though, but again perhaps that's just me being over-sensitive after reading the last bunch of anti-MS zealots in the "IE dev criticises bank site security" article. Whatever the case of this particular article, I think you'd be hard pressed to deny that most
Re:Why didn't they find these holes earlier? (Score:2, Interesting)
Re:Did they fix the cltreq.asp query nonsense? (Score:4, Interesting)
Which is more of a threat? (Score:2, Interesting)
I don't mean to troll and I'm not necessarily disagreeing with you about a bias, but I tend to think of Microsoft vulnerabilities and patches to be more important than the Linux counterpart.
It's not my intention to imply Linux has fewer security bugs/holes/etc, because I haven't done any research in that regard.
What I am saying is that Microsoft dominates the market; so therefore a Microsoft vulnerability and patch are more newsworthy in than a more obscure piece of software, in my book. I'm not talking about "quality" of a vulnerability in terms of criticality, I'm talking about the quantity of systems around the globe that will be affected by articles said 19 "flaws".
Once again, no research here, I realize there are probably many more *nix systems out there than I realize, but if I walk down my street and ask every neighbor what they're running, I can almost assure the majority are running Windows.
Re:Linux patches? (Score:5, Interesting)
Take a well known game, say, a first person shooter based in WW-II. Fairly good game, kinda fun. Let's say it's released witha BIG following, and several expansions are released for it. Now imagine, that since it's initial release, it has had a vulnerability just hiding, waiting to be discovered. It is discovered, by a couple of gamers just having fun. Say there's a voting system (for kicks, map change, etc.). Let's say people use this voting system all the time to talk to people who are still alive, because it displays the vote in yellow text to everyone. Some ingenious players discover that if your vote is for a map change, and you manually enter the command and name via console something like:
callvote change_map "Shotgunner camping in the vent!!"
It's been a while so forgive the syntax if it's wrong. In any case, these intrepid gamer friends are having fun, and annoying each other with vote requests that mean nothing, and just fill the screen with yellow text (repeating gibberish to flood the screen so the player can't see). Let's say during this, both game clients crash. Hmm, well that sucks. So you go back to having fun, the server is running on an actual server in the garage so it's no biggy. Same thing happens again. The clients just crash immediately after a vote is called that is an absurd length. Hmmmm.. You get another friend involved, they join, they also crash. Interesting. Then you crash 2 clients, and have the 3rd join immediately after to see people running in place, stuck in doors, etc. Server is still running just fine. Clients however, have crashed. Now intensely curious, you start digging, and find the exact point at which is goes from "Annoying Spam Vote" to Buffer Overflow.
Now through various methods you discover that this vulnerability is definitely client specific. The server is totally unaffected. The server simply hands everything off to the clienhts, which don't know what to make of it, stuff is outside the buffer, client craps all over itself. Now someone malicious enough could take that, and create something that would quite literally be capable of hijacking any machine the game client was running on, and the only thing the user would notice MIGHT be a game crash (hell if you do it right you might be able to do it without the game itself crashing), which happens occasionally anyway, so it's ignored. Now let's say you notify the producer of this Entertainingly Amazing game, and exchange a few emails with them. 4 patches later it still isn't fixed. Several expansions later it still is not fixed.
Unacceptable. Absolutely unacceptable. And this happens throughout the industry. THAT is why security problems, are as much of a thorn in our side as they are.
*flips two coins onto the table, returns the soapbox to it's upright and locked position, and returns to her regularly scheduled nonsense*
Re:Linux patches? (Score:2, Interesting)
Unfortunately, when you're a college student among fellow geeks, word gets around that you not only USE Vista, but paid for and ENJOY it. This semester, I've had a couple of Linux fanboys (I hate using that word) railing me on what a bad OS Vista is.
Invariably, they bring up how annoying UAC is...and they don't seem to make the connection that it's just. like. sudo. On the off chance that they DO, in comes the snipe about how MS stole the idea from Linux (and stole the idea of a pretty desktop from OSX).
Maybe it's because we all said *random OS* was better than Windows because of those things? If you were in charge of the 800-pound gorilla, and the chimps next to him were getting too smart, wouldn't you teach him some new tricks?
I'm probably rambling by this point, but regarding the story's bias...you've got to admit, "flaw" is significantly more loaded (and less accurate) than "vulnerability".
System restart (Score:3, Interesting)
Re:Linux patches? (Score:3, Interesting)
When are we going to start seeing regular Slashdot postings outlining Linux or other free software security patch releases in the same accusatory tone that the monthly Microsoft security bulletin releases bring? No, I'm not trolling, but I'm getting sick of the clear bias Slashdot editors (and most readers) have when it comes to matters of Microsoft.
No one's going to see this, and if they do it'll get modded down. But I'll feel better when I'm done.
You, sir, are a liar.
You complain about an accusatory tone, and when pressed to provide evidence, you admit that this advisory is actually perfectly neutral in its tone.
It makes me sick to see this kind of perverse logic through which one's critical faculties can be so twisted that even to make observations of fact and to draw logical, rational conclusions from them (e.g. Microsoft's security sucks) is somehow morally wrong.
Well I for one reserve the right to shit on whoever damn well deserves it. When Ubuntu releases a kernel patch that breaks an entire class of processor, or breaks X for a large number of their clients, I call them stupid. When Netscape broke the HTML standards and went cowboying around the Web with their 'Best Viewed With Netscape' logos, I shat on them as well. When WordPerfect made a perfect clusterfuck out of what was once the best piece of office software in the business, I castigated them for it, too.
But no company in the history of computing has ever been so deserving of our derision as Microsoft. Their business practices have caused me headaches and lost hours beyond count. In 2003-4 I did a rough estimate of the amount of time I lost to virus/trojan/spyware infested desktops. It was between 30 and 40% of my time. I moved all my clients to non-Microsoft applications for anything that touched the Internet, and my support time devoted to malware dropped to between 5 and 10%.
So when Microsoft releases 19 critical patches, do I consider it news? Damn straight. Am I inclined to be skeptical about these patches, to wonder what they're not telling me, what 'hidden treasures' might be included? Yes, and when I find that they disable my supported settings and re-enable that clusterfuck of a web browser IE for no good reason, do I get pissed off? Yes, I do.
And now you want me to cut MS some slack, because of bias? Let me tell you something, sonny Jim: Microsoft has earned this bias the hard way. I worked professionally on MS OSes for 9 long years before I finally gave up on them. If you can't see the purpose of critical appraisal and rational reaction, if you simply want to sit around the IT campfire singing Kumbaya and be nice even when somebody shits in your food, go ahead. But you and your astroturfing colleagues can leave me the hell out of it.
Working in IT is all about having a critical eye, and knowing when someone is trying to sell you code that more resembles a flaming bag of shit than anything else. It's obvious to me that you haven't yet mastered that art. So with all due respect, kindly sit down, shut up and learn to reason before you start shooting your mouth off again.
HTH HAND.