
Security IT

Flurry of Security Patches

yggy writes "It's been a hectic day on the security patching front. Microsoft's bulletins for July include patches for three critical vulnerabilities on the same day that Mozilla releases new security updates for Firefox and Thunderbird. Not to be left behind, Apple fixed two Tiger flaws while Oracle issued a critical database server update." (See these separate stories on today's release of Firefox 1.0.5 and the 10.4.2 update from Apple, too.)
  • Tomorrow (Score:5, Insightful)

    by mfloy ( 899187 ) on Tuesday July 12, 2005 @09:33PM (#13049966) Homepage
    So today we have a bunch of new patches, which means tomorrow we will have all the exploits being developed and released. The major problem with patches is they often are not installed by end users, and that is the bread and butter of zombie botnets.
    • Re:Tomorrow (Score:5, Insightful)

      by Parham ( 892904 ) on Tuesday July 12, 2005 @09:40PM (#13050020)
      Luckily Windows has tried to stop this from happening as much as possible by downloading the patches in the background, and then asking you to install, and bugging you to install until you do. What I'm actually waiting for is seeing what NEW security problems these new security fixes make. This recent article in the games section [slashdot.org] comes to mind amongst other things.
      • Re:Tomorrow (Score:2, Interesting)

        by mfloy ( 899187 )
        What I've always worried about is a well planned attack that sends fake patches that actually cause more security nightmares or corrupt the OS.
      • Re:Tomorrow (Score:4, Insightful)

        by Tim C ( 15259 ) on Wednesday July 13, 2005 @02:30AM (#13051193)
        More than that, Windows gently reminds you at appropriate times that you really ought to have patches download and install themselves automatically. ("At appropriate times" means on the Windows Update site, and in the Security Centre)

        Now, you may argue that that's a bad idea, you should always know what's being installed on your machine and what it might break, etc, and I'd agree. The flip side of that though is that anything that increases the likelihood of home users installing security updates has got to be a Good Thing.

        [It's been 4 minutes since you last successfully posted a comment

        Editors, can we *please* get this fixed?]
    • Re:Tomorrow -- NOT (Score:4, Interesting)

      by RedLeg ( 22564 ) on Tuesday July 12, 2005 @09:50PM (#13050077) Journal
      Look at the calendar.

      Blackhat / DEFCON is at the end of the month in Vegas. This is the scheduled patch release day (at least for MS) before the event.

      The vendors have more than likely been notified by the "researchers" who discovered the issues, and are releasing their fixes on a coordinated schedule.

    • There were probably exploits for most of these well before the patches were written.
  • And don't forget... (Score:5, Informative)

    by Afecks ( 899057 ) on Tuesday July 12, 2005 @09:33PM (#13049969)
    ...the zlib bug [eweek.com]
  • by ikewillis ( 586793 ) on Tuesday July 12, 2005 @09:38PM (#13050003) Homepage
    http://www.frsirt.com/english/advisories/2005/1066 [frsirt.com]

    FrSIRT Advisory : FrSIRT/ADV-2005-1066
    CVE Reference : CAN-2005-1174 - CAN-2005-1175 - CAN-2005-1689
    Rated as : Critical
    Remotely Exploitable : Yes
    Locally Exploitable : Yes
    Release Date : 2005-07-12

    * Technical Description *

    Multiple vulnerabilities were identified in MIT Kerberos, which could be exploited by remote attackers to execute arbitrary commands or cause a denial of service.

    The first issue occurs in the MIT krb5 Key Distribution Center (KDC) implementation when processing specially crafted TCP/UDP requests, which could be exploited by an unauthenticated attacker to cause a denial of service or execute arbitrary code on the KDC host.

    The second vulnerability is due to a double-free error in the "krb5_recvauth()" function, which could be exploited by an unauthenticated remote attacker to execute arbitrary code in the context of a program calling the vulnerable function (this includes the kpropd program which typically runs on slave Key Distribution Center hosts).

    * Affected Products *

    MIT Kerberos 5 version 1.4.1 (krb5-1.4.1) and prior

    * Solution *

    Upgrade to krb5-1.4.2 release :
    http://web.mit.edu/kerberos/dist/index.html [mit.edu]

    Or apply patches :
    http://web.mit.edu/kerberos/advisories/2005-002-patch_1.4.1.txt [mit.edu]
    http://web.mit.edu/kerberos/advisories/2005-003-patch_1.4.1.txt [mit.edu]

    * References *

    http://www.frsirt.com/english/advisories/2005/1066 [frsirt.com]
    http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2005-002-kdc.txt [mit.edu]
    http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2005-003-recvauth.txt [mit.edu]

    * Credits *

    Vulnerabilities reported by Daniel Wachdorf and Magnus Hagander
  • by Adam9 ( 93947 ) on Tuesday July 12, 2005 @09:40PM (#13050016) Journal
    Here's some good info that colfer from this MozillaZine thread [mozillazine.org] dug up:

    1.0.5 is mainly a security fix, but I have seen a bunch of non-security fixes creep in also, such as removing the default checkbox "yes" for "make firefox my home page." This looks like a big cleanup for the 1.0.x branch, before 1.1 takes over.

    I don't know about the security fixes, besides the medium-risk frame/window spoofing thing (with 1.0.4, you should not open untrusted sites at the same time as sensitive sites...). Here are the non-security fixes (non-security as it seems to me) checked in since 1.0.4:

    https://bugzilla.mozilla.org/show_bug.cgi?id=283730 [mozilla.org]
    "Save As" dialog tries to overwrite link/shortcut (.lnk) file instead of opening the directory/folder

    https://bugzilla.mozilla.org/show_bug.cgi?id=295210 [mozilla.org]
    Tab title different from window title on initial load at gmail

    https://bugzilla.mozilla.org/show_bug.cgi?id=283777 [mozilla.org]
    Right arrow key after selecting autocomplete result no longer uses selected item

    https://bugzilla.mozilla.org/show_bug.cgi?id=291232 [mozilla.org]
    update installer packages should offer unchecked check box for setting start page

    https://bugzilla.mozilla.org/show_bug.cgi?id=291064 [mozilla.org]
    Helper app dialog incomplete for non-nsStandardURL types

    https://bugzilla.mozilla.org/show_bug.cgi?id=265536 [mozilla.org]
    (64-bit only issue)

    https://bugzilla.mozilla.org/show_bug.cgi?id=245631 [mozilla.org]
    Crash loading (particular) .ico file

    https://bugzilla.mozilla.org/show_bug.cgi?id=141818 [mozilla.org]
    Table with large rowspans and colspans hangs the browser

    https://bugzilla.mozilla.org/show_bug.cgi?id=288006 [mozilla.org]
    Drag image across browser windows --> crash

    https://bugzilla.mozilla.org/show_bug.cgi?id=295052 [mozilla.org]
    Obscure Javascript crash

    https://bugzilla.mozilla.org/show_bug.cgi?id=296270 [mozilla.org]
    Default user agent problem (AIX platform only)

    https://bugzilla.mozilla.org/show_bug.cgi?id=280813 [mozilla.org]
    Crash on OS/2 platform

    https://bugzilla.mozilla.org/show_bug.cgi?id=293778 [mozilla.org]
    bookmarks toolbar missing in 2nd opened window, links in second window possibly cause crash
  • But wait... (Score:3, Funny)

    by Anonymous Coward on Tuesday July 12, 2005 @09:42PM (#13050024)
    But wait, Firefox has security holes? And OS X too? But from the comments on slashdot, I was under the impression only Microsoft had security flaws...

    Oh, I think I understand now. Only windows sucks when it has security holes and Open Source programs don't suck when they have security holes because they're better than closed source and the patch came out fast... or something. Gotcha.

    Microsoft sucks because they release software that needs security patches. Linux rulez!
    • Re:But wait... (Score:5, Insightful)

      by Caledai ( 522776 ) on Tuesday July 12, 2005 @10:49PM (#13050375)
      Nah - it's not that Microsoft sucks because they release patches.

      Neither does OS suck because they release patches.

      It's because Microsoft takes so long to release patches for certain vulnerabilities that have been documented - even up to half a year before..

      And that they continue to promote products that have been proven to be seriously flawed, and release new versions without those flaws fixed.

      There is a difference between releasing a product, and then patching it - and releasing a product knowing it needs patches before it's released.

      I gotta admit - look how much testing they do on the patches they do release. Service Pack 2 anyone?
    • I can't ever remember anybody saying that "only Microsoft had security flaws". If you were under this impression, this is more likely to be down to a misunderstanding, or some angry pro-Microsoft type trying to give Linux users a bad name.

      The point is that Microsoft has vulnerabilities which are usually exploited swiftly. They're usually quite nasty. They're usually in the most popular (bloated) Microsoft software packages. Finally, there's a good chance that patches could cause just as much damage as
  • thank goodness.... (Score:3, Interesting)

    by Anonymous Coward on Tuesday July 12, 2005 @09:42PM (#13050028)
    ....that msft waited until the end of day to release the patches. Every time they release during the day it bogs down the network, to the point of really hindering productivity, it's especially crappy when they release in the morning, because then it's usually bad all day.
    • Are you talking about desktops or servers?

      If you're talking about desktops, #1) Do you allow unattended updates? (Shame on you if you do!) #2) If not, how is tomorrow morning going to be any different than any other morning release? Wait, that wouldn't be a problem, since you only test patches on limited machines first.

    • If you have enough machines, roll out Microsoft SUS. Eliminates that whole problem right there. Just push the updates across the LAN. :-)

      Waiting until the END of the day can be a bad thing because people that come in early and leave early are going to miss the updates, and they'll end up installing them tomorrow morning anyway.

      I'm going to assume that you don't plan out/inform users of updates. ;)
    • How do you define 'end of the day' on a planet?
      • I always go by 5PM GMT as the end of the day. That would be 11am local time, which is probably why my boss looks at me funny when I am saying I am going home for the day.
  • ......and see all the non-existent updates I have to download. Seriously, people talk about all the updates to download, but I never can find them. Although I do have to say Firefox updates wonderfully.

    However, despite not updating my Windows install for months, I still have yet to be infected with one virus, spyware/adware program, or have my machine hacked. Maybe it has more to do with the fact that I browse the Internet with care, rather than update with every stupid patch M$ puts out, that creates
    • However, despite not updating my Windows install for months, I still have yet to be infected with one virus, spyware/adware program, or have my machine hacked. Maybe it has more to do with the fact that I browse the Internet with care, rather than update with every stupid patch M$ puts out ...
      I don't think it's fair to say that you're too smart to get viruses/malware like everything else, it's probably a few other factors that you take for granted. Using Firefox is one of them. You have the major Windows patches so that protects you from most of it right there. Think of the MSBLAST traffic that's still out there, meaning that each of those machines is still pre-SP2. Also, being behind a router/NAT/firewall helps (again, I'm assuming). A good number of zombie machines are the direct to DSL or cable modem kind of one computer households.
    • Look, the point is not that someone with good computer skills can run Windows without problems. The point is that running Windows requires that you have an understanding of computer security, but most of its users don't have that. People use computers to get work done, they don't want to and shouldn't have to think at every step they take "is this a good idea or will my system be compromised now."

      The fact to the matter is that Microsoft products are so insecure that you need to learn a whole set of rules a
      • Ok so you are saying that someone without computer skills can run any form of *nix or *bsd? I doubt that.

        I would rather bet money on someone w/o a lot of technical skills keeping their Windows box up and connected to the internet than having the same person connect a *nix box to the internet and make sure everything was working.

        Good luck getting grandma to connect w/o help from you to "AOL" which is also known to her as the Internet.

        • ``Ok so you are saying that someone without computer skills can run any form of *nix or *bsd? I doubt that.''

          Maybe not any setup you can think of, but the ones I've seen most people use are every bit as easy or difficult to run as Windows or OS X.

          ``I would rather bet money on someone w/o a lot of technical skills keeping their Windows box up and connected to the internet than having the same person connect a *nix box to the internet and make sure everything was working.''

          Now you're comparing apples and oran
  • by solprovider ( 628033 ) on Tuesday July 12, 2005 @09:50PM (#13050078) Homepage
    The last set of patches from WindowsUpdate:
    - Security Update for Windows 98 (KB891711)
    - Security Update for Windows 98 (KB888113)
    - Security Update for Windows 98 (KB896358)
    - Cumulative Security Update for Internet Explorer 6 Service Pack 1 (KB883939)
    freeze MS Windows 98SE when older versions of ZoneAlarm start. Uninstalling the old version and installing the latest ZoneAlarm works.

    The problem is most people have ZoneAlarm set to start at boot, and do not know how to bypass ZoneAlarm to get the computer booted so they can fix it.

    My guess is since Microsoft is selling its own personal firewall, they will take every opportunity to hurt ZoneAlarm. Or they just wanted to generate PC sales from all those people whose computers are now "broken". Hey, they should have paid for newer versions of Windows many times since Windows98SE was released.

    I can't wait to install today's patches!
    • I think M$ are best buddies with Norton firewall. Speaking of which, it always detects Slashdot as an intruder every time I post something here?! WTF is Slashdot really hacking my computer?

      • by jpkunst ( 612360 ) on Wednesday July 13, 2005 @03:22AM (#13051353)
        WTF is Slashdot really hacking my computer?

        I noticed that every time after I post something on /. I get a line like this in my web server log:

        slashdot.org - - [23/Jun/2005:21:58:59 +0200] "GET http://ask.slashdot.org/ok.txt [slashdot.org] HTTP/1.0" 404 200 "-" "libwww-perl/5.803"

        No idea what it is supposed to accomplish, but I assume that that is what your firewall is complaining about.

        (Note: slashcode converted the URL above into a link, obviously the logfile entry is just a plaintext URL.)

        JP
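A detection example, added here and not part of the comment above or of Slashdot's code: it parses combined-format web server log lines like the one quoted above and flags request lines whose target is an absolute URI on a host this server does not serve, or a CONNECT tunnel request. Both are the request forms a client sends to a proxy, so a server receiving them from outside is being probed as a possible open proxy; the sample log lines and the OUR_HOSTS set are constructed for this example.

```python
import re
from urllib.parse import urlsplit

# Constructed sample lines in Apache/NCSA combined format. The second one mirrors
# the shape of the entry quoted in the comment above (plain text, no link markup).
SAMPLE_LOG = """\
203.0.113.7 - - [23/Jun/2005:21:55:02 +0200] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
slashdot.org - - [23/Jun/2005:21:58:59 +0200] "GET http://ask.slashdot.org/ok.txt HTTP/1.0" 404 200 "-" "libwww-perl/5.803"
198.51.100.9 - - [23/Jun/2005:22:01:10 +0200] "GET http://www.example.net/ HTTP/1.0" 200 812 "-" "Mozilla/4.0"
198.51.100.9 - - [23/Jun/2005:22:01:11 +0200] "CONNECT mail.example.org:25 HTTP/1.0" 405 0 "-" "Mozilla/4.0"
"""

# Hosts this server legitimately serves (constructed). An absolute URI naming one
# of them is just an unusual way to ask for a local resource, not a relay attempt.
OUR_HOSTS = {"www.example.net", "example.net"}

LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)


def parse_line(line):
    """Return the fields of one combined-format log line as a dict, or None on no match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(entry):
    """Label a parsed entry: 'relay-probe' for an absolute-URI target on a foreign host,
    'connect-probe' for a CONNECT tunnel request, otherwise 'normal'."""
    if entry["method"].upper() == "CONNECT":
        return "connect-probe"
    target = entry["target"]
    if target.startswith(("http://", "https://")):
        host = (urlsplit(target).hostname or "").lower()
        if host and host not in OUR_HOSTS:
            return "relay-probe"
    return "normal"


def find_proxy_probes(log_text):
    """Parse every line and return (client, agent, target, status, label) for flagged ones."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue  # not a combined-format line; skip rather than guess
        label = classify(entry)
        if label != "normal":
            findings.append((entry["client"], entry["agent"], entry["target"],
                             int(entry["status"]), label))
    return findings


if __name__ == "__main__":
    for finding in find_proxy_probes(SAMPLE_LOG):
        print(finding)
```

The 404 on the flagged line is the safe outcome: a server that is not configured as a proxy answers a foreign absolute URI as a local path, which does not exist.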

    • "freeze MS Windows 98SE when older versions of ZoneAlarm start. Uninstalling the old version and installing the latest ZoneAlarm works."

      --- this is with older versions of Zone Alarm, if reinstalling Zone Alarm fixes the problem... why would this be some ploy of Microsoft to hurt Zone Alarm?

      Windows 98 isn't exactly new, either, I really doubt they would (if they chose an 'attack' of this sort) ... to do it with Win98... (since most people who would care would already be running something else)

      ===

      Perhaps
      • I should have been more specific. By "old version of ZoneAlarm", I meant the latest download on Nov 20, 2004: version 5.5.062. The current version downloaded on July 10 is 5.5.094.

        I do not know if ZoneLabs fixed something to beat MS, or whether the uninstall/reinstall fixed whatever WindowsUpdate ruined. It won't matter to anyone whose computer is broken by WindowsUpdate.

        Win98SE is the best OS produced by MS. Add ZoneAlarm, Mozilla, OpenOffice, and some smarts in the user, and you have a rather secure
    • Shouldn't that read, "ZoneAlarm on Win98 freezes PC?"

  • by ChrisKnight ( 16039 ) on Tuesday July 12, 2005 @09:52PM (#13050087) Homepage
    After talking to Apple tech support about my X11 problem, and having them refuse to help [ghostwheel.com], I guess I'll just have to follow the MS support path and re-install the OS.

    The sysadmin mantra lives on: All operating systems suck, they just suck differently.

    -Chris
    • by Anonymous Coward
      Blasphemer! Steve Jobs will slash your tires and take back his Bondi Blue iMac! YOU ARE NOT WORTHY!!!!
    • I can select text in this xterm window, go to Edit/Copy and when I go back to Edit the Paste option is greyed out. Nothing made it to the buffer when I did my Copy.

      It's not intuitive, but when you selected the text in the xterm window, it was automatically copied to the X11 clipboard -- no need to do Edit->Copy. So, to paste it into another X11 app, you can use a middle click (cmd-click in my XDarwin prefs), or shift-insert (this is a trick, I have Enter mapped to Insert via xmodmap :).

      It star

      • Not quite. There are actually two clipboards (I think "selections" is the correct term). The one accessed by selecting an object (the "primary selection") is independent of the one that is accessed by choosing Cut/Copy from a menu (the "clipboard selection").

        Once one internalises this information, it becomes clear that many clipboard related problems that people have with X11 are caused by poorly written apps that fail to follow the conventions on the use of the Primary and Clipboard selections.

        http://fr [freedesktop.org]
  • best feature update for OSX:

    With this update, you can use Safari to log in to MyAccount on cingular.com.

    now I don't have to fire up firefox just to pay my cell phone bill.

    w00t!
  • I hope... (Score:4, Interesting)

    by Bad to the Ben ( 871357 ) on Tuesday July 12, 2005 @10:25PM (#13050250)
    they continue making progress with the bug fixes. For me, FF is feature packed enough. I'd prefer to see some more work on the update facilities and performance when running on Linux (fix the RAM usage and crashes please). I like FF because it's light, I don't want more bloatware. The FF team need to remember that we can switch back to IE, or to Opera or something else, just as easily as we switched to FF. Many FF users aren't in it to snub MS (they're both free browsers, it's not like they lose money), they're using it cause it's a safer, more stable product. The second that changes, I and many like me go elsewhere.
    • I am running the 1.1+ nightlies and I have to say that it is not bloatware. I do not know why, but it does run faster--in terms of load time and rendering. I do not remember any features that they've added in 1.1 that aren't cosmetic, such as rejiggering the control panel. So wait for 1.1 final to be released. You will be quite glad with that product.
  • by fontkick ( 788075 ) on Tuesday July 12, 2005 @10:34PM (#13050299)
    One of the things I noticed last week was that Windows Update... had been updated. It's now a new stylized webpage and it works a little differently - in that, it doesn't. My Windows 2000 Pro machine refuses to install anything that's been downloaded with the "new" Windows update. They refer you to the help section if installation fails, and after trying all of the help suggestions I just gave up, nothing worked.

    The only thing that does work (for me anyway) is the old URL: http://v4.windowsupdate.microsoft.com/catalog/en/default.asp [microsoft.com]

    No telling how long we have until Microsoft disables it and forces everyone over to a new system that doesn't work. I've always liked, or at least tolerated Windows and I've never understood why everyone here *hates* Microsoft. Now I get it. Hopefully someone will find the above url useful if they have problems.

    • Thank you very much. The new Windows Update doesn't work with one of my computers. The link you posted works fine, and I would rather put all the patches on a hard disk, anyway.

      Microsoft Internet Explorer is one of the most buggy software packages I've ever seen. Windows Update isn't as buggy, but it's trying [google.com].

      Security is definitely not one of Microsoft's priorities, unless the priority is to have the most vulnerabilities.
    • No telling how long we have until Microsoft disables it and forces everyone over to a new system that doesn't work.

      Have you bothered to tell them it doesn't work for you ?

    • Interesting. That link shows Win2K Pro SP5 as a supported OS.
  • by xigxag ( 167441 ) on Tuesday July 12, 2005 @10:49PM (#13050371)
    that the Amiga is the most secure platform out there.
  • Security patches do not taste as good in my Flurry as oreos and peanut butter cup pieces do.
  • by Anonymous Coward on Tuesday July 12, 2005 @11:25PM (#13050524)
    Among the other fixes, Firefox 1.0.5 contains a patch to CAPS (Configurable Access Policies) that finally eliminates crashes [noscript.net] reported by users of the NoScript [noscript.net] extension. This should make Firefox users even more safe: its "whitelist based pre-emptive script blocking approach prevents exploitation of security vulnerabilities (known and even not known yet!) with no loss of functionality"...
  • by MrNonchalant ( 767683 ) on Wednesday July 13, 2005 @12:58AM (#13050915)
    There was also a high priority update for Microsoft Office in addition to the 3 OS patches. Nothing critical, just updated spam definitions.

    Quote:
    Update for Outlook 2003 Junk Email Filter (KB895658)
    This update provides the Junk E-mail Filter in Microsoft Office Outlook 2003 with a more current definition of which e-mail messages should be considered junk e-mail. This update was released in July 2005.
    I'm using the new Microsoft Update (as opposed to Windows and Office separately) and so should you. And yes, according to their FAQ it adds Office to Windows automatic update.

    Link: http://update.microsoft.com/ [microsoft.com]
  • Today, I sigh in pleasure as I type this message in KDE Konqueror. Glad my browser isn't vulnerable to a kitchen full of exotic security holes; taste of the week style.
  • Oracle Unbreakable (Score:2, Interesting)

    by Donny Smith ( 567043 )
    Oracle Unbearable, perhaps.

    They probably have the worst security track record among major databases and yet they get no /. trashing whatsoever. Interesting.
  • The company also updated its Windows Malicious Software Removal tool to add detections for variants of Wootbot, Optix, Optixpro, Hacty (also known as YYTHAC), and Prustiu (also known as Delf.FN). ... and to reflect its intent to buy Claria, distributor of malicious software like Dashbar and Gator, by removing the detections for their products.
  • Patch Patch Patch Patch. Lovely Patch! Wonderful Patch!
  • Sysadmins pressed MS into the strategy of releasing bug fixes on a scheduled monthly basis so that they wouldn't have to be dealing with them continuously through the month. It only makes sense for everyone else to use the same day for the same reason.

    Maybe this will increase the rate of application of other patches. People will essentially be reminded of the day when the MS patches automatically arrive and come to know that that is the day that they should check for patches on all of their other product
