Microsoft Releases Eight Security Updates
Juha-Matti Laurio writes "After a very uncommon break in March Microsoft has just published 8 new security updates. Almost all updates that are a part of the monthly release cycle are rated as 'Critical.' New Windows Shell vulnerability, named as MS05-016 is only 'Important,' but Windows XP Service Pack 2 is affected too, however. This is not the first time when there was something to fix at Shell32.dll.
Vulnerabilities in TCP/IP that could allow remote code execution and denial of service at cumulative bulletin MS05-019 are affecting SP2 too.
Windows Kernel, Exchange, MSN Messenger, Word (Office) and Internet Explorer get their updates as well."
Phew! (Score:4, Funny)
Re:Phew! (Score:3, Insightful)
I would be interested to compare how many operating systems updates were released for Solaris, AIX, HP-UX, and Linux over the past two months... without getting into an argument over impact/criticality, I'm willing to bet there's been more than 8 fixes for each of those OSes in that timeframe.
Re:Phew! (Score:2, Insightful)
There is *one* OS exploit here.
The other exploits target Exchange and Internet Explorer
It becomes so much harder when you try to look at Linux, GNU utils, and then the FOSS services and applications.
(and then you've got distribution specific exploits)
The closest realistic comparison I can get, is to ask those not-so-desirable acquaintances, which ones are faster and easier to exploit. Everybody else has agendas or ties to one party or another, as i
Not quite. (Score:4, Informative)
Re:Phew! (Score:4, Insightful)
First, you have to carefully define exactly which software is part of the operating system. Windows includes almost no software out of the box, so security problems in widely-used Windows programs aren't considered to be OS vulnerabilities. On the other hand, Linux distributions tend to install lots and lots of extra software in addition to the base OS, and a vulnerability in any one of these extra packages is reported as a vulnerability in the distribution. For example, Debian had 11 security advisories for March 2005 (see http://www.debian.org/security/2005/ [debian.org]), but none of them (with the possible exception of netkit-telnet and netkit-telnet-ssl) can really be considered problems with the OS. So you can't just compare the number of reported security problems in each OS, because the two numbers have vastly different scope.
Re:Phew! (Score:5, Funny)
Also, I'll have you pigs know that I'm leaving my duties at the Yankee Group. I've accepted a position serving Lord William at Microsoft. I'm to be his new Groom of the Stool [channel4.com]
Love,
Laura
Re:Phew! (Score:3, Insightful)
I applaud them for doing their own proactive penetration testing on their software, as well as enlisting the help of third-party companies to do the same. This is far better than the "we'll see what happens" approach of years past. By doing this proactive approach it cuts down on zero-day exploits (granted there still will be a few), teaches them to learn fro
yep - move on (Score:4, Insightful)
yep, and like every operating system - it won't be the last...
Re:Shell32.dll? (Score:2)
Woohoo! (Score:4, Funny)
Thanks, Bill.
Re:Woohoo! (Score:5, Insightful)
Right.
Every OS releases security patches. MS might need more than others, but they ALL need them.
Security is a process, not an endpoint.
Re:Woohoo! (Score:5, Funny)
Re:Woohoo! (Score:2, Funny)
More updates (Score:5, Insightful)
WS2K3 SP1 (Score:5, Informative)
I just hope it doesn't break as many apps...
Re:WS2K3 SP1 (Score:2)
I hear that...I'm in the unenviable position of testing this SP to see if it works or not...has anyone had any negative experiences with this Service Pack? Any feedback would be greatly appreciated.
Thanks,
Re:WS2K3 SP1 (Score:3, Informative)
Re:WS2K3 SP1 (Score:5, Informative)
IIS (HTTP, FTP) works (after tweaking the firewall of course), at least for the minimal use I have of it.
Exceed works too after registering it with the firewall.
IE's "enhanced security" makes it _really_ paranoid, but I use it only for updates so I couldn't care less (had to add Office Update to the trusted sites though).
IMHO the real thing here is to check how in-house developed server components will behave under SP1... since we don't have that many customers using it, bug reports won't come until a few weeks I hope.
Re:WS2K3 SP1 (Score:2)
Isn't this what the Slashdot crowd wanted?
Re:WS2K3 SP1 (Score:5, Insightful)
They quite literally want to build an automatic cake making machine so they can have lots of cake while they're eating their cake : )
They want a blindingly fast machine with a 90 inch display that fits on their keychain and uses no power. They want this machine to be completely secure while allowing random applications to do whatever necessary to squeeze their hardware. They want it to use an OS that is unpopular enough to instill geek pride but is somehow the primary development platform of all cool games.
Oh, and it should be Free as in speech, Free as in beer, and produced by a trusted public company that somehow makes money off this without doing anything that would make them unloved.
And they want cute little penguins to somehow get them laid by actual women, generally without them having to go anywhere they might actually meet women.
I'm not saying any of these individual goals are bad ideas, I'm just saying you can't always have everything you want.
(Incidentally, I'm in favor of really paranoid IE settings, but since by using it you're implicitly trusting MS, the Office update site could probably have been automatically added to that list. I think that's why the gp noted it.)
Re:WS2K3 SP1 (Score:5, Funny)
They want a blindingly fast machine with a 90 inch display that fits on their keychain and uses no power.
Now that's not true at all. I want my machine to generate power, which I can then use to run the cake machine.
Re:WS2K3 SP1 (Score:5, Informative)
Indeed.
Amusingly, I tried the Acid2 Test [webstandards.org] on IE with "enhanced security" turned on and it warned me the page may not render correctly because it "required an ActiveX control" that "was being blocked".
An ActiveX control? On the Acid test page? Turns out the page contains 3 <object> tags used to check cascaded content... Of course we all know an <object> tag always is an ActiveX control, do we?
That's what I meant by "paranoid"
Re:WS2K3 SP1 (Score:5, Funny)
if it were up to me, I'd mod up your post before mine - that was witty AND concise.
Naturally, I try to write something funny, and I get insightful. The only time I can remember getting a funny mod was when I complained about only getting insightful mods - like this - which is a pretty perfect example of something that shouldn't be modded funny, so it was one of my least deserving moments.
*sigh*
What's worse is I was proud of it anyway ; )
Re:WS2K3 SP1 (Score:5, Informative)
Five servers so far, and all of them have worked after the update. I'm far from a MS fan, but I have no problem admitting when they've done a good job...
Re:WS2K3 SP1 (Score:5, Interesting)
The scary thing is that this fact is worthy of a post, and is informative.
Patches that do not break anything should be the rule, not the exception.
Re:WS2K3 SP1 (Score:2)
The scary thing is that this fact is worthy of a post, and is informative. Patches that do not break anything should be the rule, not the exception.
You'd think. You'd hope. But it's not to be.
Realistically, there are too many nonlinear interactions between the universe of Windows applications and the OS for even Microsoft, with all its resources, to test exhaustively. [I know, clean interface design would cure or substantially reduce those side effects, but there's too much water under the bridge now.]
Unscientific Results So Far... (Score:5, Informative)
Re:Unscientific Results So Far... (Score:2)
Thanks for that vote of confidence in my admin skills. These were 15 machines on 15 different networks under 15 different security and access models, so it's a little academic. Did it all remotely, of course, so it's not like I could run around with a CD or do something on a network share. If this was a major SP, I'd have approached it differently.
FWIW, I do have to visit another datacenter tonight, and hit a dozen machines on the same LA
Re:Unscientific Results So Far... (Score:2)
http://www.microsoft.com/technet/security/prodtech/sus/secmod198.mspx
or
http://www.microsoft.com/windowsserversystem/updateservices/default.mspx
maybe it's me ... (Score:5, Interesting)
Re:maybe it's me ... (Score:2)
Re:maybe it's me ... (Score:2)
The Red Hat update manager mentions this, but doesn't enforce it: "Hey, you just installed a new kernel! Please try it out to see if it works!".
Re:maybe it's me ... (Score:2)
Re:maybe it's me ... (Score:3, Funny)
Ok it JUST popped up after I typed that for the first time. Spooky.
Re:maybe it's me ... (Score:2)
ostiguy
Re:maybe it's me ... (Score:2)
Re:maybe it's me ... (Score:2)
Re:maybe it's me ... (Score:3, Informative)
I've found that with the update manager you always have to say yes to wanted updates, not no to unwanted ones. The ignore list seems to not do anything, though.
Re:maybe it's me ... (Score:5, Informative)
Regards,
Steve
Re:maybe it's me ... (Score:2)
Re:maybe it's me ... (Score:2)
Um...Are We In The Same Universe? (Score:2)
% yum -y update
Works great, scales well (throttled by network bandwidth). I don't even have to be there to do it. A regular user can continue to use the machine happily. If it requires a reboot then that can be done much later unless flakiness arises. The point is it doesn't interrupt my work nor the user's work.
To do a "nightly update" on Windows you have to:
- Go physically find the machine if you have no deployment tools or remote desktop.
Re:maybe it's me ... (Score:2)
Windows SP2 will break WinFax host sharing, since the mechanism uses anonymous calls to DCOM, which is no longer allowed.
Re:maybe it's me ... (Score:2)
Re:maybe it's me ... (Score:2)
Critical Updates Plus Bonus Junk (Score:5, Interesting)
Update for Background Intelligent Transfer Service (BITS) 2.0 and WinHTTP 5.1 (KB842773)
Download size: 694 KB, 1 minute
This software updates the Background Intelligent Transfer Service (BITS) to v2.0 and updates WinHTTP. These updates help ensure an optimal download experience with new versions of Automatic Updates, Windows Update, and other programs that rely on BITS to transfer files using idle network bandwidth.
How is this critical?
Re:Critical Updates Plus Bonus Junk (Score:5, Informative)
One of the reasons we have so many problems with security vulnerabilities is that users don't make use of Automatic Updates, and they wind up running unpatched systems for days... weeks... months...
Sometimes there's a good reason for this, but I suspect that, more often than not, it's a lack of understanding about *why* Automatic Windows Updates is important.
So, in that context, although I can see why you might not think it's an important update, BITS is actually something you want updated with everything else unless you're *really* on top of patching your system manually.
Re:Critical Updates Plus Bonus Junk (Score:2, Informative)
Re:Critical Updates Plus Bonus Junk (Score:5, Interesting)
This is good for Joe User who is trying to surf on a 56k modem while downloading 10MB of updates. ISPs probably got calls of "the internet being slow", likely due to auto-update running while they were trying to surf.
Is it critical? No. Helpful? Probably.
Re:Critical Updates Plus Bonus Junk (Score:3, Interesting)
This is good for Joe User who is trying to surf on a 56k modem while downloading 10MB of updates. ISPs probably got calls of "the internet being slow", likely due to auto-update running while they were trying to surf.
Is it critical? No. Helpful? Probably.
So, theoretically, while attempting to attack Joe User's new machine, you could simultaneously DoS him so that his machine doesn't have any
Re:Critical Updates Plus Bonus Junk (Score:2, Funny)
It's also used for software deployment in corporate offices.
It's also needed for SP2... Judging by the fact you said no to this, I only have 1 question: What is your IP?
One wonders... (Score:4, Insightful)
Re:One wonders... (Score:5, Informative)
Re:One wonders... (Score:5, Insightful)
As you know, with OSS, announcing a vulnerability is like a call to arms, getting devs out of bed and coding fixes. With a closed source product, it's like saying "Cooooooooooooome 'n get it!"
If users could plug these holes with their fingers, then telling them would help. As things are, though, this is probably the safer way to do it for our product.
Re:One wonders... (Score:2, Insightful)
I'd rather MS publish vulnerabilities ahead of time. 2 of the servers I maintain run Windows Server. If they are vulnerable, I'd like to know about it, even if MS hasn't released a fix. At least if I know about it, I can monitor traffic more closely on those servers or do something to at least help those servers from being "pwned". I'd rather spend my time playing defense instead of wondering whether or not my servers are vulnerable and if so, why?
I think if MS kept people mor
Re:One wonders... (Score:3, Insightful)
Posting an exploit with no patch is a dream come true for the script-kiddies, spammers, zombie-makers of the world. They will jump on it in a heartbeat.
While you may diligently monitor your servers for the new potential exploit (even though there may be nothing you can do to avoid it except switch the service to a non-MS box temporarily), most wouldn't.
There are a LOT of windows servers out there admin'd by folks who think they know what the
Re:One wonders... (Score:3, Informative)
Re:One wonders... (Score:2, Interesting)
Patches (Score:5, Informative)
Had to run chkdsk, then it came back to life.
Re:Patches (Score:5, Informative)
I almost had a heart attack because I didn't back up code I wrote last night (dumb to apply updates without backing up, yes I know).
A hard reboot fixed it for me, but I'm still a little nervous.
Re:Patches (Score:2)
Though everything seemed fine after chkdsk did its thing.
The Big Three (Score:4, Informative)
MS05-019 Vulnerabilities in TCP/IP Could Allow Remote Code Execution and Denial of Service.
Remotely Exploitable. Good potential for the next superworm.
IP Validation Vulnerability (CAN-2005-0048) - "Incomplete validation of IP Network Packets" is how Microsoft describes this vulnerability.
MS05-021 - Vulnerability in Exchange Server Could Allow Remote Code Execution.
Remotely Exploitable Buffer Overflow
Exchange Server Vulnerability (CAN-2005-0560) - The service fails to handle SMTP extended verb requests. On Exchange 2000, if an attacker connects to an SMTP port (unauthenticated users will work) and issues a specially crafted extended verb request, this would allow an attacker to run the code of their choice as the SMTP service runs as Local System.
MS05-020: Cumulative Security Update for Internet Explorer (890923)
Remotely exploitable.
All three problems fixed would require a user to browse a malicious website or click on a link... but then there is a HIGH probability that THAT will happen. Again proof of concept exploit code has been released for this flaw.
Worse than you think... (Score:4, Informative)
Thank you MS! (Score:3, Funny)
Re:Thank you MS! (Score:5, Informative)
Mark Dowd and Ben Layer of ISS X-Force for reporting the Exchange Server Vulnerability (CAN-2005-0560).
Alex Li for reporting the Word vulnerability (CAN-2005-0558).
Hongzhen Zhou for reporting the MSN Messenger Vulnerability (CAN-2005-0562).
Song Liu, Hongzhen Zhou, and Neel Mehta of ISS X-Force for reporting the IP Validation Vulnerability (CAN-2005-0048).
Fernando Gont of Argentina's Universidad Tecnologica Nacional/Facultad Regional Haedo, for working with us responsibly on the ICMP Connection Reset Vulnerability (CAN-2004-0790) and the ICMP Path MTU Vulnerability (CAN-2004-1060).
Qualys for reporting the ICMP Path MTU Vulnerability (CAN-2004-1060).
Berend-Jan Wever working with iDEFENSE for reporting the DHTML Object Memory Corruption Vulnerability (CAN-2005-0553).
3APA3A and axle@bytefall working with iDEFENSE for reporting the URL Parsing Memory Corruption Vulnerability (CAN-2005-0554).
Andres Tarasco of SIA Group for reporting the Content Advisor Memory Corruption Vulnerability (CAN-2005-0555).
iDEFENSE for reporting the Windows Shell Vulnerability (CAN-2005-0063).
Kostya Kortchinsky with CERT RENATER for reporting the Message Queuing Vulnerability (CAN-2005-0059).
John Heasman with Next Generation Security Software Ltd. for reporting the Font Vulnerability (CAN-2005-0060).
Sanjeev Radhakrishnan, Amit Joshi, and Ananta Iyengar with GreenBorder Technologies for reporting the Windows Kernel Vulnerability (CAN-2005-0061).
David Fritz working with iDEFENSE for reporting the CSRSS Vulnerability (CAN-2005-0551).
Feel safer now? (Score:5, Insightful)
Scenario 1)
Yay!!! There are now fewer security holes.
Scenario 2)
Oh noo!!! If they still are finding problems of this type then there must be many many more.
Are you a scenario type 1 or type 2 guy?
Re:Feel safer now? (Score:3, Insightful)
Yes. The two scenarios aren't mutually exclusive.
Cheers,
Ian
(who is actually a scenario 3 type of guy - when will the first patches for Tiger come out...?)
Re:Feel safer now? (Score:2)
Scenario 1)
Yay!!! Finding these holes in [open-source project] shows that with enough eyes, all bugs are shallow!
Scenario 2)
These vulnerabilities in [proprietary product] are proof of the superiority of open-source.
There's also a rarer Scenario 3 where the Microsoft hole is the result of their use of an open-source codebase or library. At that point, all bets are off.
I always download updates ASAP (Score:4, Funny)
So... (Score:5, Insightful)
Re:So... (Score:2, Interesting)
Re:So... (Score:3, Insightful)
Re:So... (Score:2, Insightful)
Re:So... (Score:4, Informative)
Note that "Vulnerabilities in TCP/IP Could Allow Remote Code Execution and Denial of Service (893066)" is pretty damn serious though.
Are you new? (Score:2)
You must be new here ....
"Critical" patches every month. Sure, we can wait! (Score:5, Insightful)
Re:"Critical" patches every month. Sure, we can wa (Score:4, Insightful)
Because MS "Painted Themselves Into A Corner" (Score:5, Insightful)
Patching a single Windows machine is difficult especially if you are a novice (many still don't understand why computers "just don't work"). Patching many Windows machines is hard. Patching a live server is hard. Considering how hard some of the patching is on some machines you might even want to consider waiting a few more days to the weekend to apply this patch to patch them especially since one of the patches fixes exploits that are mitigated by using firewalls. Regardless Windows is so hard to patch you can't have the "on the fly" patching other platforms feature.
It is really lesser of two evils. You can either spend almost all of your time patching or you can lump the difficult time in one large shot. If MS dropped patches whenever they felt it was complete (which is good for security!) you finished updating the entire enterprise (this might take a weeks if not a month with serious stuff like SP 2) you'd have to start over and do it again for a brand new one. So on and so forth.
The real problem is "patching Windows is hard". The "fix" right now to this is pushing patches once a month. As long as Windows is hard to patch then there is no other real solution to this horrible situation MS sold us on.
Windows 2003 SP1 (Score:3, Funny)
silent install (Score:4, Interesting)
--
http://unk1911.blogspot.com [blogspot.com]
Re:silent install (Score:5, Funny)
Nope. That was me, sorry.
MS update KB891711 Rerelease for Windows 98 & (Score:3, Informative)
Slashdot doubling as a calendar (Score:3, Funny)
Hmm, Microsoft security updates. Must be the 2nd Tuesday of the month.
I don't even use MS products and I know about their update schedule, yet every 2nd Tuesday of the month
Re:Slashdot doubling as a calendar (Score:3, Funny)
(Double-check...)
(Triple-check...)
But it's Wednesday!
Not again! (Score:2)
WinXPsp2 isn't revolutionary at all then? (Score:4, Insightful)
I applied these yesterday and my fax software suddenly lost DLLs that were required for it to function. I haven't been able to determine 100% if there is a connection, but in my mind, that was the only major change to the system preceding the discovery of the problem.
Weird weird weird...
MS05-019 breaks raw socket sends (again!) (Score:5, Informative)
So, My Fedora Core 3 Install just got 30+ (Score:4, Interesting)
Patches up
Re:So, My Fedora Core 3 Install just got 30+ (Score:5, Insightful)
Install SP2 (Score:3, Informative)
If you are running SP2, none of the flaws is considered worse than "moderate".
1) The criticality of a fix depends on the OS. A critical bug in Win2k may be only moderate in XPSP2, but it's always advertised as just "critical".
2) This is good proof that (at least by Microsoft's analysis of criticality) XPSP2 does improve security dramatically, even in the face of defects.
Re:I wonder . . . (Score:2)
Re:I wonder . . . (Score:5, Funny)
Technically, they are features being removed. Microsoft should pay us to install them.
Re:I wonder . . . (Score:2, Funny)
Comment removed (Score:4, Insightful)
Re:And of course.... (Score:2)
(I use licensed legal copies myself, but at work I get to repair all kinds of crap, including PCs with warezed OSes. Many of them are quite updateable - depends greatly on which key and which install media was used)
But yeah, MS is tightening the noose...
Re:And of course.... (Score:3, Insightful)
That should read, "or else you are too cheap to buy your operating system, or too dumb to use one that you're allowed to license for free."
You're not SOL when your stolen thing can't be upgraded, you're exactly where you deserve to be.
Re:Will there be another spate of worms? (Score:5, Insightful)
Maybe it wasn't such a bad idea after all... or maybe users are learning how to be halfway competent?
Re:Will there be another spate of worms? (Score:2, Insightful)
The firewall added by SP2 significantly reduces the threat profile, especially for those people connected to the net bare. Even if a lot of local services are vulnerable, it's less of a threat if external probes can't reach them.
Re:Can pirates download.? (Score:2)
Brace the mainsail! I be downloadin' patches!
Arrrgh.
--
Umm. I don't know. To be honest, the whole 'using Windows' thing became too much of a hassle for me to bother after Windows 2000 SP4.
Re:There goes my day... (Score:2, Informative)