Four New Unpatched Windows Vulnerabilities

peeon writes "Right before Christmas, four new Windows NT/2k/XP vulnerabilities were posted to the Bugtraq list. This story discusses two of the vulnerabilities in the LoadImage function (buffer overflow) and Windows Help program (heap overflow), but the Chinese company discovered two more exploits in the parsing of a specially crafted ANI file (causes DoS). A Bugtraq posting has more details."
  • YAWN (Score:5, Funny)

    by tarunthegreat2 ( 761545 ) on Friday December 24, 2004 @09:06AM (#11175901)
    Hmmm, so windows has bugs in it. Surprise surprise. Merry Christmas everyone. In Soviet Russia, Windows Exploits you...oh wait...
  • Forced Upgrade. (Score:5, Interesting)

    by datadriven ( 699893 ) on Friday December 24, 2004 @09:08AM (#11175906) Homepage
    Windows NT
    Windows 2000 SP0
    Windows 2000 SP1
    Windows 2000 SP2
    Windows 2000 SP3
    Windows 2000 SP4
    Windows XP SP0
    Windows XP SP1
    Windows 2003
    Not vulnerable:
    Windows XP SP2

    They'll do anything to get you to upgrade.
    • Funny you should mention that, my father still uses Windows 98 and netscape 3, and never runs into any problems. So much for progress eh?
    • Re:Forced Upgrade. (Score:2, Interesting)

      by mtenhagen ( 450608 )
      Just wait until Longhorn comes out. Then XP SP2 will have some exploits as well. This is just a Microsoft conspiracy to make us upgrade. Don't believe the people who claim Microsoft developers spend more time on new features than on creating good code.

      • Re:Forced Upgrade. (Score:4, Insightful)

        by DrEvil ( 99432 ) on Friday December 24, 2004 @09:51AM (#11176053)
        It has to be a conspiracy. Anyone who claims that this might be a consequence of the year-long security push for SP2 and that a high-level fix made during this push might prevent certain classes of bugs from being exploitable is clearly evil and has been exposed to too much software engineering. I'd suspect such a person of spreading facts instead of FUD.
        • Re:Forced Upgrade. (Score:2, Informative)

          by Mystic0 ( 807930 )
          Okay, so Service Pack 2 has some nice security enhancements. But it also has a lot of other stuff that some people may not want. Why do you think they decided to release such a large update in a large batch? Because it allows them to quietly force extra features on you. These tag alongs are allowed to slip by unnoticed in the midst of more important security updates. I would appreciate it if MS would take a more modular approach. For example, they could say, "Click here to download a security update f
    • Re:Forced Upgrade. (Score:5, Insightful)

      by bryanp ( 160522 ) on Friday December 24, 2004 @09:58AM (#11176080)
      a) Nobody's forcing you to upgrade. I still haven't had Steve Ballmer show up on my doorstep with an Uzi yet.

      b) The list you give is mostly patches. There are four base OS' on that list and 6 patches, all of which are free.

      c) If it bothers you, feel free to run an unpatched OS of your choice, whether it be Windows, MacOS or one of the many *nix variants.

      • a) Nobody's forcing you to upgrade. I still haven't had Steve Ballmer show up on my doorstep with an Uzi yet

        Uzi is fine. But when he shows you his monkey dance then you know you're in deep trouble.

        Especially when he sits on you afterwards.

      • Very true... let me weigh in with my experience running an unpatched OpenBSD box.

        "Only one remote hole in the default install, in more than 8 years!"

        That didn't go ++ when the OpenSSH hole gave some hacker access to my machine remotely. Or was the number fixed after the default install doesn't open any ports?

        Either way, it's misleading. Not that I don't *like* OpenBSD, it's just upsetting that they're not more open about it being just as vulnerable unpatched as any OS is.
        • Re:Forced Upgrade. (Score:2, Informative)

          by Evangelion ( 2145 )

          Umm, yeah it did. Before the OpenSSH hole, it was at zero.

          (Speaking as someone who was rooted while trying to install the patches to that version...)
      • Your statement is untrue. "Forced" means coercion, which you interpret can only be delivered through violence (an Uzi) but is not a true definition.

        Your narrow definition of forced is plain wrong.

        Try this new software.. it's called a dictionary:
        forced [reference.com]. Come back when you finish your homework. Other suggested reading. [reference.com]
      • That's only while he's preparing you. The XP SP2 vulnerabilities will be ones which make your monitor explode, then in Longhorn we'll start seeing ones where an attacker can pull an uzi on you.
    • Not vulnerable:
      Windows XP SP2

      You must be wrong: the Slashdot title clearly states that the vulns are unpatched, so SP2 has to be exploitable too.

    • Now that it takes less than 5 minutes connected to the Internet for a Windows box to be hijacked, I have gone back to dual-booting Linux with Windows 98 SE.

      A lot of Windows viruses simply won't run on it.

      All I need is Office, so it's good enough.
  • a time when many companies and home users are least prepared to deal with the problems.

    Looks like I know what I'll be doing over the Xmas holiday. If not fixing the problem at work if it becomes a problem, but fixing the problem with my family as well.

    But I guess this is only a problem if some genius releases a virus containing the exploit ....
  • by maharg ( 182366 ) on Friday December 24, 2004 @09:19AM (#11175949) Homepage Journal
    so it's Christmas Eve 2004, I'm at the in-laws, just spent 3 hours adawaring, spybotting, esspee2ing from a CD burnt on the latest stage 1. go figure.

    30 megs of critical/AV signatures to be done over dial-up another time

    damn you micro$hite
  • But... (Score:4, Funny)

    by RAMMS+EIN ( 578166 ) on Friday December 24, 2004 @09:32AM (#11175990) Homepage Journal
    Will they allow me to install Linux once I 0wn the machine?
  • by NoMoreNicksLeft ( 516230 ) on Friday December 24, 2004 @09:34AM (#11175996) Journal
    Knows where a person could find a pre-compiled, local only 2k/XP administrator access binary? Something that would just open a cmd.exe with the correct privileges, to say, install java on Firefox?

    I'm not a script kiddy, just not patient enough to go through the 3 month process of maybe getting it approved to be installed by IT...
    • I'm not sure if many people have tried it already, but I loaded the exploit page with Firefox.

      Mozilla/5.0 (Windows; U; Win 9x 4.90; en-US; rv:1.7.5) Gecko/20041107 Firefox/1.0

      It took a few seconds to load on my p3 600mhz, but it got there just fine.
      • Partially. Firefox with java requires a registry entry, which is my problem. The machine already has java 1.4.x, so in theory, just adding the NS###.dll's to the plugin dir would do the trick. Still not working though.
  • by Skalek ( 843223 ) on Friday December 24, 2004 @09:40AM (#11176016)
    Nothing is more annoying about the holidays than going to visit family and friends and then being sucked into fixing their damn computers. While everyone is drinking and having a good time we are the schmucks trying to figure out how to remove that damn process from Windows 98!

    This year I wash my hands of it and am giving them a printout of a tutorial I found that has helped some friends. It is basic, but they do not bother me as much anymore:

    Simple and easy ways to keep your computer safe and secure on the Internet [bleepingcomputer.com]
    • Yeah, I always get stuck doing this too.

      Do people ask plumbers to unclog toilets on holidays? I don't fricken think so!
    • You're lucky. I cherish the moment they want me to fix their PC. That way I don't have to listen to all the other drunken idiots.
    • by museumpeace ( 735109 ) on Friday December 24, 2004 @11:02AM (#11176321) Journal
      I'd suggest either feigning a stroke that has caused you to "forget" everything you ever knew about computers or downloading the ISO from mepis.org and burning a bunch of live CDs to give out to your clueless friends. My son's old laptop utterly refused to be upgraded to XP and its ME was hosed...it got so bad you couldn't even get a chance to break into the BIOS. I gave him the Mepis CD and just let him fool with it for a while. At breakfast the next morning, he was beaming. He'd figured out how the partition editor worked, wiped the microshit completely off the HD and was enjoying his trip up the KDE learning curve. We have gone from "I think it's a doorstop now" to "it's a little slow opening files and I think we need to find the right driver for my PCMCIA ethernet card".

      Give those friends and relatives an opportunity to experience winning, to experience being just a little bit competent with a computer, and there is a chance that they will be both bothering you less and talking to you more intelligently in the future. But for god's sake don't let them leave the room if you have to be in the driver's seat for the repair sessions: make 'em bring you a drink and make them listen and describe in their own words each step you take at the keyboard.
    • This has been holiday tradition for me since about 1999.. it's nothing new anymore.

      Problem is that people are starting to bring laptops, family members are starting to have kids, and I'm still just one guy who wants to eat too and drink too much and pass out.

    • I know the feeling. When I visited my family back home for a week, I worked on 8 PCs before I left. If you're handing out stuff in lieu of fixing the computer, you might consider the Ubuntu CD package. Last I checked Ubuntu [ubuntulinux.org] is still shipping free pressed CD packs [ubuntulinux.org]. I just received all 10 of mine yesterday, and they look good. The package includes both a Live CD and an Install CD, with a brief explanation of what each does. I plan to hand the CD out to people I think would be interested in trying something di
    • For French-speaking users, there is also this nice document [sebsauvage.net].
  • Ho Ho Ho (Score:4, Funny)

    by mslinux ( 570958 ) on Friday December 24, 2004 @09:46AM (#11176034)
    Merry Christmas... from all the people at Microsoft. Buffer overflows for everyone this year ;)
  • by Lord Bitman ( 95493 ) on Friday December 24, 2004 @09:50AM (#11176047) Homepage
    remember that test someone did where garbage code was thrown at IE and firefox in order to see how they held up and find things like buffer overflows which could be potentially exploited?
    Whatever happened with that? Were the bugs in Firefox fixed? I remember that IE did well in that test, but I don't remember any specifics.
    Anyone know?
    • IIRC, those tests were done by a lab closely associated with Microsoft. i.e, MS had already fixed up those problems in IE and deliberately got someone to "discover" how it was better in this one tiny area. Just like the infamous Mindcraft tests all those years ago. I don't know if Mozilla has fixed its code yet.
      • The parent [slashdot.org] is so wrong it is sickening.

        The fuzz tester wasn't written by a lab close to Microsoft.

        It isn't a "tiny" area: Browsers read files that contain HTML. No matter what, corrupt files should not crash a browser.

        The Linux kernel was rewritten after Mindcraft. There was a serious problem in the way signals were handled under high load.

        Mozilla has fixed the three bugs that Zalewski's original posting described. There are still issues in Firefox 1.0 that the tool discloses.
  • Great (Score:3, Interesting)

    by Segosa ( 838329 ) on Friday December 24, 2004 @09:50AM (#11176049)
    Stupid question, but does the LoadImage() one affect images which are viewed in FireFox or Thunderbird?
  • Grr (Score:3, Insightful)

    by Alioth ( 221270 ) on Friday December 24, 2004 @09:51AM (#11176052) Journal
    Why do they have to release this stuff JUST BEFORE we actually get time off? Are they deliberately being bastards to us Bastards who have to herd Redmondware amongst the other less sucky things?

    At least I won't have to spend Christmas removing viruses, trojans and spyware from my Dad's computer. I bought him a Mac. Worth every penny in reduced aggro.

    • I put Linux on my Mum's computer. Works great, everything is supported, no adware/spyware/crapware, no patches required, *peace and quiet*....
  • by Electronik ( 821589 ) on Friday December 24, 2004 @09:54AM (#11176061)
    Silent night, holey night,
    All is calm, all is bright,
    Round yon virgin PC and screen,
    Holey computer, so exploitable and keen,
    Sleep with spyware downloading,
    Sleep with spyware downloading.
  • Is it "the company" or "The Company"?
  • ...does Internet Explorer use any of these functions to load internet images?

    We can discuss all day about some local API exploit but there is a big difference between a local API bug and a remote bug.

    Does IE use these functions to load images? Or does it handle these kinds of primitive formats using its own code? After all, it's not that hard to "parse" BMPs and ICOs and it would be much better to handle all file formats inside an internal library, thus avoiding conflicting API methodologies.

    I'm really c
  • by antibryce ( 124264 ) on Friday December 24, 2004 @11:01AM (#11176317)

    It sure is a good thing Microsoft digitally signs everything. Clearly they are lightyears ahead of open-source in terms of security.

  • by killerface ( 573659 ) on Friday December 24, 2004 @11:03AM (#11176330) Homepage
    'Twas the morn before Christmas and all through the cage.
    Not a creature was stirring not even a 10th level mage.
    Then Flash, i look at my bookmarks and what did appear!?
    A story on slashdot spreading with fear.
    "Peril Peril", It screamed with fervor and fight.
    "What shall we do about this vulnerability tonight?"

    It's christmas eve and in the story lay more,
    For this affected Santa and hurt him to the core.
    His server used Exchange to give and receive,
    a malicious cracker got in to make Santa Grieve.

    The clean cut elves said format and reinstall, while the ones with long beards solved it in no time at all.

    "There will be no Christmas this year" Santa Said with dismay.
    The naughty and nice list was lost in the fray.

    And yet with precision and care the elves brought out from back,
    santas new gift! a blade server rack!

    "It runs Linux in fact!" said the elves in unison
    "cron jobs too, back up that old piece of Sh.."
    One interrupted, "Stop it Sam",

    So Christmas would go on with ease and ability, that is until Santa went on his killing spree.

    The End
  • Take one of your gift cards and go buy yourself a copy of Xandros 3.0 (www.xandros.com). It's a good distro if you're a Wincrip. Superior hardware detection, CrossOver Office which can run some of your "must have" Windows apps.

    At least dual boot, sheesh. What does it take for MSFT users before they finally get enough?

    If it gets any worse they're going to have to start including a jar of anal lube with a Windows license. Knowing MSFT they'll try to charge you for it and blame users for not being able

  • How can these exploits be unpatched if SP2 isn't vulnerable? Or do they mean that while the other windows versions are exploitable, SP2 just crashes?
    • Re:Unpatched? (Score:2, Informative)

      by peeon ( 743159 )
      SP2 is vulnerable to the winhlp32.exe Heap Overflow Vulnerability, according to xfocus. Bugtraq posting [securityfocus.com] They don't know if LoadImage is vulnerable in SP2.
  • i wonder... (Score:4, Insightful)

    by hitmark ( 640295 ) on Friday December 24, 2004 @11:42AM (#11176497) Journal
    Why, in this day and age, do 99%-100% of automated exploits still happen to be some kind of overflow? Why do we keep thinking that we don't have to check the sizes when moving data about, as it's defined by a standard anyway? It's like not checking to see if you have room for something in your house or car before buying it, at the very least.
    • Go to any Wal-Mart, Target, Best Buy, Home Depot, Lowes, or comparable store on a busy weekend. Count how many people bring out more stuff than they have room for in their car. Be it one large item or just too many small ones, I see this happen all the time.
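hitmark's question above (why so many of these bugs are missing size checks on data whose length comes from the file) is easy to make concrete. The following is an added example, not code from this thread, from Microsoft, or from the reported LoadImage, WinHelp or ANI vulnerabilities: a made-up two-byte-length "chunk" format, constructed here for illustration only (it is not a real image or cursor layout), with a reader that validates the declared length against both the bytes actually present and the destination buffer before it copies anything. The enum values, `read_chunk` and the `demo_*` helpers are all assumptions of this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed chunk layout for this example (not a real file format):
 *   bytes 0..1  declared payload length, little-endian
 *   bytes 2..   payload
 * A real image or cursor header carries the same kind of file-supplied
 * length field; the two checks below are what stop that field from
 * driving a copy past either buffer. */
#define CHUNK_HDR 2
#define OUT_CAP   64

enum chunk_status {
    CHUNK_OK               =  0,
    CHUNK_ERR_SHORT_HEADER = -1, /* input shorter than the header itself   */
    CHUNK_ERR_TRUNCATED    = -2, /* declared length runs past the input    */
    CHUNK_ERR_TOO_LARGE    = -3  /* declared length exceeds the destination */
};

/* Copy one chunk's payload into out[], trusting the declared length only
 * after it has been checked against what is really there.
 * Returns the number of payload bytes copied (>= 0), or a negative
 * enum chunk_status on a malformed chunk. */
int read_chunk(const uint8_t *in, size_t in_len, uint8_t *out, size_t out_cap)
{
    if (in_len < CHUNK_HDR)
        return CHUNK_ERR_SHORT_HEADER;

    size_t declared = (size_t)in[0] | ((size_t)in[1] << 8);

    /* Check the source: reading 'declared' bytes must not run past the
     * input we were actually given (a truncated file otherwise becomes an
     * out-of-bounds read, typically a crash). */
    if (declared > in_len - CHUNK_HDR)
        return CHUNK_ERR_TRUNCATED;

    /* Check the destination: without this line, memcpy would write
     * declared - out_cap bytes past out[], the classic overflow. */
    if (declared > out_cap)
        return CHUNK_ERR_TOO_LARGE;

    memcpy(out, in + CHUNK_HDR, declared);
    return (int)declared;
}

/* Well-formed chunk: declares 3 payload bytes and carries 3. */
int demo_good(void)
{
    uint8_t out[OUT_CAP];
    const uint8_t good[] = { 0x03, 0x00, 'a', 'b', 'c' };   /* constructed */
    return read_chunk(good, sizeof good, out, sizeof out);  /* 3 */
}

/* Truncated chunk: declares 16 payload bytes but only 2 follow. */
int demo_truncated(void)
{
    uint8_t out[OUT_CAP];
    const uint8_t trunc[] = { 0x10, 0x00, 'x', 'y' };        /* constructed */
    return read_chunk(trunc, sizeof trunc, out, sizeof out); /* CHUNK_ERR_TRUNCATED */
}

/* Oversized chunk: declares 100 payload bytes, really carries 100, but
 * the caller's buffer only holds OUT_CAP (64). */
int demo_oversized(void)
{
    uint8_t out[OUT_CAP];
    uint8_t big[CHUNK_HDR + 100];                            /* constructed */
    big[0] = 100;
    big[1] = 0;
    memset(big + CHUNK_HDR, 'z', 100);
    return read_chunk(big, sizeof big, out, sizeof out);     /* CHUNK_ERR_TOO_LARGE */
}

int main(void)
{
    printf("good:      %d (payload bytes copied)\n", demo_good());
    printf("truncated: %d (CHUNK_ERR_TRUNCATED)\n", demo_truncated());
    printf("oversized: %d (CHUNK_ERR_TOO_LARGE)\n", demo_oversized());
    return 0;
}
```

The order of the two checks matters: the source check runs first so the parser never touches bytes it was not given, and the destination check is expressed against the caller's real capacity rather than a constant, so a caller with a smaller buffer is still protected.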
  • by CTho9305 ( 264265 ) on Friday December 24, 2004 @12:51PM (#11176831) Homepage
    A quick search of the source code [mozilla.org] seems to show that the native OS LoadImage function is only used to set Mozilla icons (system tray, window icons, etc) and the splash screen (and the cck [mozilla.org]). Since none of these images come from untrusted sources*, it seems that the LoadImage hole is not exploitable via Mozilla.

    *without major user intervention, like installing an XPI or messing with the JAR files that make up Mozilla
  • by jamesl ( 106902 ) on Friday December 24, 2004 @12:59PM (#11176868)
    Slashdot has made subtle changes to the definitions of Patched and Unpatched.

    Patched Open Source: A vulnerability has been identified and someone is thinking about fixing it. Because the time between discovery and fix is vanishingly small, there are no unpatched open source vulnerabilities.

    Patched Windows/Proprietary: A patch has been available for not less than 12 months and is installed on not less than 99% of affected systems. It will be several months, if not years, before vulnerabilities fixed by Windows XP SP2 will be considered patched.

  • Microsoft could stick a thumb up your ass, and people would still buy more of it.

    "This thumb is better than ever! Its new, easier installation interface and slick operation will make upgrading well worth it. Yet, it is 100% compatible with your old thumb!" (a lie, of course, as the new thumb tries to emulate the old one but breaks the memory management).
  • "Four New Unpatched Windows Vulnerabilities"

    What a load of bull. This article is blatant Microsoft bashing.

    Repeat after me: XP SP2 is not affected

    Since when has "fixed in SP2" been the same as "unpatched"?
