Microsoft Announces Three More Critical Vulnerabilities 486
weekendwarrior1980 writes "Microsoft warned that three 'critical'-rated flaws in the Windows operating system and other programs could allow hackers to sneak into personal computers and snoop on sensitive data.
The flaws could allow attackers to break into PCs running Windows in several ways and then use the system to run malicious programs and steal or delete key data. These latest security flaws affect the latest versions of Windows, including Windows NT 4.0, Windows 98, Windows 2000 , Windows XP, as well as software for networked computers such as Windows NT Server and Windows Server 2003." Their bulletins are available for these vulnerabilities. Techweb has a pretty good summary.
Uh-oh (Score:5, Funny)
Re:Uh-oh (Score:5, Funny)
Re:Uh-oh (Score:4, Funny)
Re:Uh-oh (Score:4, Funny)
And this is bad because ... ?
Yours sincerely,
Dan Dierdorf
Host of Straight Eye for the Queer Guy
Windows Says: (Score:5, Funny)
Linux is not 100% secure (Score:5, Insightful)
So, I'd rather choose the system that while not perfect is pretty good than a crappy system whose vendor chooses to put out press-releases about security instead of actually dealing with the problems.
As usual, in theory, Windows is great:
In theory, Windows is great. In real life it's a buggy, insecure piece of trash that should be avoided whenever possible.
Re:Linux is not 100% secure (Score:5, Insightful)
So, if you can afford it, have two computers. Get your email and do your work on a Linux box or a OSX laptop, and save Windows for games, windows development, and those gems of applications you've found that only runs on Windows. Install firefox and use that to browse if you must.
Always keep your Windows box behind a hardware firewall, that tends to stop most of the remote "I just plugged in my computer and now it has a virus" sort of things. Keep any OSX or Linux boxes behind a firewall too if you can.
Oh well...rant over...that's my "what people should know about computers before using them" speech. It really doesn't matter how many of these exploits are patched. These were from 2003, and I'm sure there's another dozen waiting in the wings. Just assume your box is insecure and act appropriately.
Oh, one more thing. I miss the days when you could listen to your computer's hard drive and know what it was doing. If it started up and a odd time you'd know something wasn't right. These days on windows the hard drive seems to randomly grind a way for a second every once and a while...it's...disconcerting. My mac doesn't seem to do that, can't remember if Linux does.
Re:1960 Yugo (Score:3, Funny)
Oh? When's the last time you got mugged by someone who was driving a car?
You know, (Score:5, Insightful)
Comment removed (Score:5, Funny)
Comment removed (Score:4, Informative)
Re:You know, (Score:4, Interesting)
I mean, do the l33t|sts just give up trying to get a valid user account?
What about the disgruntled employee who wants to waste some time by destroying his own PC?
Simon.
Re:You know, (Score:5, Insightful)
For remote exploits, root or otherwise, it only takes one numbnut to code a self-propagating exploit and anyone and everyone is in the firing line.
Re: (Score:3, Insightful)
Re:You know, (Score:4, Insightful)
Exactly. A lot of good that firewall does when your coworkers click on an email attachment that sails right through the firewall.
Re:Meanwhile... (Score:5, Interesting)
Re:has anyone tried updating windows without using (Score:4, Informative)
Re:has anyone tried updating windows without using (Score:3, Interesting)
More than three (Score:5, Informative)
Re:More than three (Score:5, Informative)
No. None of these vulnerabilities are critical in severity on Windows 98, on Windows 98 Second Edition, or on Windows Millennium Edition.
Another reason for home users and gamers to stick with 98SE. Obviously most businesses aren't so lucky.
Re:More than three (Score:2, Informative)
Of course MS04-013 [microsoft.com] is about Outlook Express so you may still be vulnerable on these OSs.
Re:More than three (Score:5, Funny)
Actually, according to the article there aren't just three vulnerablilies. There are 20 separate vulnerabilities in Windows and Outlook Express, 8 of which are critical, and 16 of which are remotely exploitable.
HOLY #*&$*!!! /me patches like mad
The people who previously expressed the number of vulnerablilies as 3 have been sacked. In a separate sacking, the person responsible for bundling downloads for Windows and Outlook Express separately, thus making even more confusion, has also been sacked.
The person responsible for not defining all remotely exploitable vulnerablilies as critical has also been sacked.
As this is a /. joke, and nobody at microsoft has actually been sacked, the writer of this post has also been sacked, having failed in actually sacking the previously aforementioned sacked.
Re:More than three (Score:3, Funny)
castle is that?
WOMAN: King of the who?
ARTHUR: The Microsoftons.
WOMAN: Who are the Microsoftons?
ARTHUR: Well, we all are. We are all Microsoftons, and I am your king.
WOMAN: I didn't know we had a king. I thought we were an autonomous
collective.
DENNIS: You're fooling yourself. We're living in a dictatorship. A self-
perpetuating autocracy in which the working classes--
WOMAN: Oh, there you go, bringing cla
Your sig (Score:4, Funny)
--
The number of the modding shall be three, four shall the number of the modding not be, neither shall it be 2...
5 is right out.
Check out www.eeye.com (Score:5, Informative)
Looks like a whole bunch of those holes were reported to Microsoft by eeye and Microsoft FINALLY got around to patching them.
Some of them had been reported over 6 months ago.
Re:More than three (Score:4, Insightful)
No. No, no, no. There is *one* vulnerability in Outlook and Outlook Express,
one that has been public knowledge for about a decade now and Microsoft has
thus far made no attempt to fix. The vulnerability is, Outlook and Outlook
Express deliberately treat untrusted data in ways that untrusted data should
NEVER be treated under ANY circumstances. Their whole approach to security
is, instead of the correct this-data-is-untrusted approach, a dain brammaged
fix-specific-problems approach, wherein the data that ought to be untrusted
is stopped from doing certain specific things that have been known to cause
problems in the past but still allowed to do basically anything else.
There may be 20 separate specific ways this can be exploited, and more will
be discovered next week, but it's fundamentally *one* issue.
Executive summary: Outlook and Outlook Express don't *have* security holes;
they *are* security holes, big fat wide-open ones.
Worm Writer's Delight (Score:5, Interesting)
Here we go again...
Re:Worm Writer's Delight (Score:5, Funny)
Evacuate? In our moment of triumph? You underestimate their chances.
Re:Worm Writer's Delight (Score:5, Informative)
Re:Worm Writer's Delight (Score:5, Funny)
The Worm is already out there (Score:3, Interesting)
Anyway, today a worm completly took over my universities network.
We are the CS-Departement, we know what were doing (well, we still dont use Linux, I'm trying to convince them but
It spreads by a file called ascdl.exe through a remotely exploitable vulnerability. Nobody knows about this Virus (neither Symmantec, nor Google) and it spreads fast. When we delete the file, it is back a few minutes later. So I guess it may use one of these new exploits.
BTW,
Honesty is sometime stupid (Score:5, Funny)
Re:Honesty is sometime stupid (Score:5, Funny)
I was wondering about that (Score:5, Interesting)
What a surprise. My bandwidth was halved by the invisible download.
Whoops. Be right back. Install is finished, gotta reboot.
Re:I was wondering about that (Score:2, Insightful)
Why don't you just download Netscape/Opera/FireFox and just use IE for windows update? You should manually be able to control what updates you are doing then.
Re:I was wondering about that (Score:3, Funny)
Isn't that like putting the "VTEC" and "Type R" badges on a '87 Civic?
I continue not caring... (Score:3, Insightful)
We need internet licenses. Nobody without a geek code should be granted an IP address. It's that simple.
Re:I continue not caring... (Score:5, Insightful)
If Microsoft required a prompt for the root password whenever a program tried to install itself, similar to what OS X and many Linux apps do, it would make all the actual security vulnerabilities matter much more.
The Windows defaults with regards to user privileges are crap, and you are right, these vulnerabilities don't matter when everyone has administrative privileges anyway.
Requiring a password to install a program would be difficult in Windows, however, since the installation programs are provided by the software, not Windows (unless it's a Windows Installer package, in which case there's full support for requiring Administrator privileges to install applications). Windows really has no way of telling the difference between a normal application and an installer.
However, what you can do is lock down file permissions. What I did on Windows XP was remove Users write access to the boot drive, Windows directory, Program Files directory, and Documents and Settings (except for the user's profile). Installation programs can still run, but they won't be able to install software to any important location. At worst, the user can install to their profile, but any malicious program becomes a problem only for that user. It's akin to untaring, compiling, and running a program from your home directory on Linux.
I've heard of bad programs that require Administrator privileges or write access to their Program Files directory, in which case this setup will present problems. Still, it's a problem with the program itself, not a Windows problem, although lax or non-existent installation guidelines may have contributed. I personally think all these permissions should've been defaults years ago.
Re:I continue not caring... (Score:3, Informative)
Then implement training at your site. At least suggest it. Computers are tools. We don't require people to get socket-wrench certified, or expect (most of) them to take telephone answering lessons. Most people think of computers in the same way.
Why should we expect users (consumers, customers, grandmas) to know everything about the complex tool that they've been given? Most people use their computer f
Re:I continue not caring... (Score:4, Insightful)
These has been known about for a LONG time... (Score:5, Informative)
Sorry, no link because the site seems to be down/slow... it must be linked to from another announcement posted elsewhere.
Free karma... (Score:5, Informative)
There's a market for... (Score:3, Interesting)
Re:There's a market for... (Score:2)
There are any number of consumer "intrusion detection systems". They all suffer from the same problem: in order to convince the end-user that they're working, they report every single intrusion-like activity, making them useless for actual security work.
Service Pack 2 (Score:5, Interesting)
It looks like the firewall will basically be a built-in ZoneAlarm, with better inbound abilities, and outbound application controls.
They also have some buffer overflow protections. Are they good enough to make a difference?
Re:Service Pack 2 (Score:3, Informative)
OE exploit? (Score:2, Interesting)
An attacker would have to entice users to read a maliciously-crafted HTML e-mail message or use IE to surf to a malicious Web site to grab control of the PC ...
Is Microsoft just stupid? (Score:3, Interesting)
2) release a patch for other problems and have this new item go with the patch
3) release a "known flaw".. await for the first few reports of the flaw
4) show up at the butthead's house with a few large baseball bats
5)??
6) profit!
Windows update server is running kind of slowly (Score:5, Funny)
Re:Windows update server is running kind of slowly (Score:2)
Dream on... Windows Update was pretty much hosed over an hour ago. (Which was about 30 minutes after I got the e-mail from our hosting service about the latest update.)
Won't announcing vulnerabilities cause exploits? (Score:5, Interesting)
Won't announcing the vulnerabilities cause them to be expoited? [computerworld.com]?
Shouldn't Microsoft as a result slow down the security patch cycle [slashdot.org]?
New Rule (Score:2)
So what im saying is, we dont need to sensationalize stack overflow bugs because, they're as old as time more or less.
Re:New Rule (Score:5, Informative)
However when looking at microsoft vulnerabilities it's a different story, they are extremely varied generally because they are due to a lack of consideration when coding and extremely poor structure and design. For instance, Active X, it's a security flaw, 90% of the sub-flaws reported in it are there because the flaw itself, is poorly designed (hence why it's a flaw) rather than fix the problem (a redesign or elimination of activeX) they create a patchwork changing this or that detail of how it functions.
Slashdotted (Score:2)
Windows Update is getting a bit slow. Can someone set up a mirror? The link at this page [thenetw0rk.com] doesn't seem to be working.
Re:Slashdotted (Score:4, Funny)
Announcements = Security Risk? (Score:2)
You can bet that it's likely the majority of Windows users have failed to install this patch (and many other patches)
Look at Blaster. Even after the patch was announced and distributed, the worm was still able to infect millions of machines.
No reporting, major problems. (Score:3, Funny)
Sort of like BSing.
put it on the list (Score:2, Funny)
in soviet russia critical vulnerabilities announce Microsoft!
1. Announce critical vulnerability
2. ??
3. Profit
if people used linux/oss this wouldnt happen
- oh sure, just because slashdot doesnt report linux vulnerabilities!
natalie portman naked and vulnerable?
can someone point me to a mirror the site is down?
can someone point me to an open source version of this?
this wouldnt happen if it was ogg based.
Starting To Respect Microsoft (Score:3, Insightful)
It's not good that they're having so many publicly visible flaws, but I'm really impressed that Microsoft is starting to be honest and forthcoming in their reporting. I remember a time when the bugs wouldn't get announced until the exploit was already wreaking havoc. Now it seems the bugs get reported and patched before there are any exploits. That's very professional; they can't be perfect but they can be responsible.
I have a lot of respect for that.
Re:Starting To Respect Microsoft (Score:5, Insightful)
That's because you're gullible. A bunch of these vulnerabilities have been known for months and Microsoft hasn't announced them. Maybe so they can argue that Microsoft has the shortest time from vulnerability announcement to patch availablity, like they tried to say last week.
Starting to be honest, huh, looks like more of the same to me.
Re:Kind of like this? (Score:3, Informative)
oh the irony! (Score:5, Funny)
Just exactly how does this happen. (Score:4, Interesting)
How does a critical vulnerability happen? Seriously. Is there a URL someone can provide or a good description that shows what it takes to make an OS or application with a vulnerability? I read just about every week or so about "Application X" or "OS Y" having a security issue and a deeper understanding of what is going on is a good thing to help judge the threat of the warning. It will also help reduce the FUD factor a little bit. If an example (current or outdated) could be given showing HOW the security of a system is compromised that would also be beneficial.
Re:Just exactly how does this happen. (Score:5, Informative)
Try "Smashing the Stack for Fun and Profit", Phrack [phrack.org] 49, Art. 14. It's a nice introductory tutorial to the common class of buffer overruns.
Re:Just exactly how does this happen. (Score:5, Informative)
How does a critical vulnerability happen? Seriously. Is there a URL someone can provide or a good description that shows what it takes to make an OS or application with a vulnerability?
Of course there's an infinite number of ways to write a vulnerable program, but the most common is to run afoul of a buffer overflow. A buffer overflow is a relatively simple flaw, but it's an easy mistake to make in C and C++ because those languages give economy of computational resources precedence over every other consideration, including security and stability.
There's an illustrated and fairly concise introduction to buffer overflows at LinuxJournal [linuxjournal.com].
Sp2 Beta (Score:3, Interesting)
and i just did a windows update then
so either MS is broken ( heh ) or MS knew about these problems a looooooong time ago and already had the patches in SP2, cause i have been running this SP2 beta for at least 3 or 3 weeks now...
Re:Sp2 Beta (Score:5, Interesting)
wait wait wait... anyone else here suspect this? (Score:3, Insightful)
Windows Update in Firefox (Score:5, Interesting)
After the Nth spyware that infected IE, about 10 days ago I finally had enough of it and switched to Firefox. Haven't looked back since, Firefox rocks.
So after I read this
Looked through the Firefox FAQs, couldn't find any mention of this. Anyone have another suggestion, or should I use IE for updates and Firefox for everything else?
Re:Windows Update in Firefox (Score:5, Interesting)
One of the things that makes Firefox more secure is that it is just an application, it cannot install software for you. One of the things that makes Windows Update work is that IE can install software for you.
Windows Update is the main reason IE is still on my Win2K desktop computer.
steveha
Re:Windows Update in Firefox (Score:5, Informative)
Mirror (Score:5, Funny)
Ben
SP5? (Score:5, Interesting)
Tim
Freedom of choice is important for security. (Score:3, Insightful)
Now that IE and Outlook is bundled with Windows, most people don't care to install anything different, resulting in many compromized machines.
Re:oh no! (Score:2)
Sorry to burst your bubble, guys (Score:4, Informative)
Re:In other news (Score:2)
Great... "Here comes the worms again..."
Any idea if these exploits were discovered from the Microsoft's leaked code... or if they were discovered out in the wild?
AC
Re:In other news (Score:2)
Re:In other news (Score:5, Funny)
That's 'cause most of us are secretly using Windows ;)
That's actually true (Score:5, Insightful)
Re:That's actually true (Score:5, Interesting)
Although with the level of pro-MS posting and moderating on a dramatic increase over the past year, I wouldn't be surprised if we have a lot of IE users here now.
(Quick! To get some instant karma, talk about some obscure SSH/apache/whatever exploit that wouldn't affect anyone using Linux as a *desktop* system and is only applicable to a service that isn't run by default on any major distro, and claim that Linux is as insecure as Windows! Then whine about Slashdot's "bias" towards Linux to make sure you keep getting modded up!)
Re:That's actually true (Score:5, Insightful)
Re:That's actually true (obligatory spoofing ref) (Score:3, Funny)
user-agent "Mozilla/4.0 (compatible; MSIE 9.01; Windows NT Sucks)"
Re:That's actually true (Score:3, Insightful)
That can easily sway the numbers.
Re:In other news (Score:5, Informative)
Oh, and application bugs are not "Linux" bugs. Linux refers to the kernel and kernel alone. Unlike on a Microsoft product, where they make Outlook/IE the default for everything and unremovable, hence being part of the OS and countable as an OS exploit, the same is not true of Linux systems.
Re:In other news (Score:4, Insightful)
Even on Linux, it is possible for a simple bugfix to take down an entire system.
XFree86 drivers can do this.
Kernel updates can do this.
Third party kernel driver updates can do this.
Hell, a bug / exploit in kdm could make your machine remotely vulnerable, or a simple bug could cause your machine to stop allowing logins (and don't tell me that you can Ctrl-Alt-F1 and login. That doesn't apply to end users)
I saw a problem on a friend's machine where his PAM config got trashed after an update. Guess what, his machine stopped asking for passwords on IMAPS, POP3S and ssh. If a simple misconfiguration can cause that, so can a code bug. That's no different then Windows.
All software has bugs, and those bugs can either be harmless annoyances, or critical problems. Linux can have them just as easily as Windows. Linux/UNIX software releases patches faster because they don't have complicated software development cycles (QA checks, usability, legal, etc) that has to happen before the release.
Re:Yay! (Score:2, Insightful)
Idiot.
Re:I've noticed (Score:5, Insightful)
there are misinformed people who don't understand the issues with the bugs reported in linux who then fan the flames about "holes in linux" as if they are of the same level of problem as these weekly holes in windows.
a theoretical overflow on a linux server running openssh is a lot different than a open hole that runs executable attachments
as a windows user, you should spend your time patching windows, not reading news.com
Re:I've noticed (Score:5, Insightful)
news.com is a real news site, so they post real news. I am surprised anyone resports vulnerabilities in MS Windows as news. The only reason to report these is so people know to update again, and to poke fun at the joke that is Microsoft's quality control. Real news would be if they go for an extended period of time without a vulnerability!
For Linux on the other hand it is an event when there is a vulnerability reported.
Go here for what you need (Score:4, Informative)
Yes, you are right--these things never appear on Slashdot except when there are major kernel exploits. To be honest, I've noticed lately a dissident tide in Slashdot, where people are a little weary of the anti-Microsoft spin. Nothing wrong with posting about Windows vulnerabilities, of course, but you do have to view the context with which it's posted--an OSDN-owned website that posts pro-Linux articles and just so happens never to mention Linux security advisories. But a user-run executable will become front page news as a new "Microsoft Worm."
I've just noticed more people annoyed by it lately, even the partyline pro-OSS guys. Simplistic agendas shouldn't be something to embrace on a site that is touted as the epicenter for geek tech news on the Internet. I guess my sig reflects that I've become one of those people as well who feels the need to balance out the spin going on...
Re:Go here for what you need (Score:5, Interesting)
All the others where denial of service vulnerabilities or elevation of privileges problems, which in case of the kernel are of course a bad thing and which have been reported on Slashdot several times.
So in the last year, I had exactly ZERO vulnerabilities that would represent an immedieate danger to my Linux boxes (elevation of privileges is bad, but not an immediate danger for me because I don't run any mass-user hosts) and in the meantime the Windows-world had MS-Slammer, MS-Blaster and many, many other problems.
If you want to stick your head into the sand, do so, but please don't think that you are smart doing so or that anybody else has got a "party line".
Re:Go here for what you need (Score:3, Funny)
I agree that there is an too much of an anti-microsoft slant on Slashdot. Windows is a secure, reliable *##buffer overflow##* platform. It will only become more @@#-ha ha ha ha-#@@ secure as time passes, and trusted %$@-I 0wn3r j00-@$% computing will become a reality. I myself have run Windows %$%-I'm s0 133t-$%$ with little problems for years. I too think this is way overblo@@@@NO CARRIER
Like hell that's insightful (Score:5, Informative)
Open [slashdot.org] source [slashdot.org] vulnerabilities [slashdot.org] and [slashdot.org] incidents [slashdot.org] get [slashdot.org] reported [slashdot.org] all [slashdot.org] the [slashdot.org] freaking [slashdot.org] time [slashdot.org] on [slashdot.org] Slashdot [slashdot.org].
Re:Windows Critical Vulnerabilities (Score:5, Funny)
Are you kidding??
They need to finish perfecting 95 first, then start to get 98/SE/ME done, then get 2000 out of beta, then try and desperately lockdown XP.
Seriously, MS operating systems never get finished. . .
They simply get discarded.
Actually.. (Score:2, Informative)
..Microsoft recently (last Fall I think) changed their critical update release schedule to coincide with the second Tuesday of each month to supposedly take some of the workload off of the sysadmins. Thus, today is the day.
However, as a sysadmin I still have mixed feelings about this. If something is a critical vulnerability, I think a patch needs to be released as soon as it becomes available. At the same time, it's a real pain in the butt to have to go around to hundreds of computers to make sure aut
Re:i believe i speak for us all when i say (Score:2)
I hate all of you (Score:5, Funny)
So, "We only use Linux" cries the slashdot crowd...
Then why the hell is windowsupdate.microsoft.com slashdoted? You bastards.
mod parent +funny! (Score:2, Funny)
Re:This is why microsoft are insecure (Score:5, Informative)
If and when there's an actual exploit in the wild for a given vulnerability then they'll release the patch immediately, just like they've done before.
Whoever modded you "Insightful" should have used the "-1, Another Stupid Conspiracy Theory" mod instead.
Re:Meh. (Score:4, Insightful)
Anyway, if the malware turns around and decides to trash your PC instead, what are you going to do then? Won't look so smug, that's for sure, especially if you've not backed your important stuff up recently.
I've got a NAT/firewall attached to my broadband at home, but I still run Norton Antivirus, and practice safe hex. You need to keep your grey matter up to date as well, you know...
-MT.