13 New Windows Security Vunerabilities

Petree writes "Microsoft has given advance notice that on February 8th, they will be releasing patches for 13 vunerabilities. Happily a day later they'll have a nice little webcast so answer questions about the vunerabilities. Windows users, don't forget to run WindowsUpdate first thing Monday morning."

"Run WindowsUpdate first thing Monday morning"

[by Anonymous Coward]

And then again on Tuesday when the actual updates come out.

Redundant?

[by Anonymous Coward]

The summary is wrong, and this is pointing out that fact. Running Windows Update on Monday won't get you anything since the updates come out on TUESDAY, aka the 8TH.

Re:"Run WindowsUpdate first thing Monday morning"

[tomhudson (43916)]

Of course, you'll have to run it again Wednesday, Thursday, and Friday:

FTFA

1. 9 Microsoft Security Bulletins ... Some of these updates will require a restart.
2. 1 Microsoft Security Bulletin ... These updates may or may not require a restart.
3. 1 Microsoft Security Bulletin ... This update will require a restart.
4. 1 Microsoft Security Bulletin ...These updates will require a restart.
5. 1 Microsoft Security Bulletin ... These updates will require a restart.

By the time you've rebooted (up to 13 times pe

Re:"Run WindowsUpdate first thing Monday morning"

[theancient2 (527101)]

It's only necessary to reboot once, not after each update. (The only time you need to reboot more than once is when installing a major update, such as a new version of Internet Explorer.)

Re:"Run WindowsUpdate first thing Monday morning"

[macosxaddict (559557)]

Any operating system where updating the web browser is a "major update" is fundamentally flawed.

Re:"Run WindowsUpdate first thing Monday morning"

[LurkerXXX (667952)]

You must get all your 'knowledge' from google, because it's obvious you have never actually had to install updates on 1000 machines yourself. If you did, you'd find MS has a nice toold called SUS server, that will roll them out to your network for you. No need to 'reboot till valentines day'

As the grandparent said, you are either clueless or a troll.

SUS good, not perfect

[Karl Cocknozzle (514413)]

you'd find MS has a nice toold called SUS server, that will roll them out to your network for you.

While I agree it is a great tool, it needs a few tweaks to be great... Unfortunately, MS doesn't want this to be too good because SMS still costs a lot of money to buy... This is why it doesn't apply Office patches, (the one exception being the critical update for Office XP users running XP sp2) or even anything besides critical and security patches.

An install log might be a nice option too... Of course, on

Re:"Run WindowsUpdate first thing Monday morning"

[tomhudson (43916)]

So, if you DO test them, you're not going to be applying them to everyone Tuesday, are you ...

You know, I've got to agree with the "Run WindowsUpdate first thing Monday morning" - before the new patches are out on Tuesday - because these patches are not just minor. If you had bothered to read Microsoft's announcement, you'd see that Microsoft is devoting twice the webcast time they usually do just to explain them.

If Microsoft is worried, maybe you should be too.

Booooring...

[Majorachre (115493)]

Another day another vulnerability. This is getting old. What's the point in continually reporting this drivel? We all know MS has their issues - but frankly I'm getting tired of all the wasted space on /.
You're preaching to the choir!!

Re:Booooring...

[mw13068 (834804)]

If I recall correctly, the /. tagline is "News for Nerds. Stuff that matters." I believe, despite your objection and concern about the size of the /. article database (i.e. "wasted space") that this article fits the general area of interest. I might suggest that the next time you encounter something that bores you, you don't take the time to read it and comment on it, as that tends to muck up your boredom experience.

Re:Booooring...

[Malc (1751)]

Another day, another anti-Microsoft zealot on /.

Here are some recent security announcements from one of Linux's more reliable and secure distros:

04/02/2005
[DSA 667-1] New PostgreSQL packages fix arbitrary library loading
*[DSA 667-1] New squid packages fix several vulnerabilities
*[DSA 666-1] New Python2.2 packages fix unauthorised XML-RPC internals access

02/02/2005
[DSA 664-1] New cpio packages fix insecure file permissions

01/02/2005
*[DSA 663-1] New prozilla packages fix arbitrary code execution
*[DSA 662-

Re:Booooring...

[Espectr0 (577637)]

Here are some recent security announcements from one of Linux's more reliable and secure distros:

How many of those vulnerabilities are actually tied to the OS?

Zero.

How many of the windows vulnerabilities are tied to the OS?

Mostly all of them.

So do you want to count for example bsplayer's bugs so we can have a fair comparison against xine bugs?

Re:Booooring...

[damiam (409504)]

Any end users of Linux have to face the security flaws whether or not they're part of the OS.

No, they don't. 99% of Linux end users don't run postgresql, zhcon, vdr, libdbi-perl, or most of the other packages the grandparent listed. It's fair to compare flaws in GNOME/KDE, Firefox, X, and the kernel to flaws in Windows. If you want, you can compare OO.o to Office and perl/python/Mono to .NET. But you can't compare the entire Debian archive (which takes 7 CDs to hold just the stable version) to the base release of MS Windows.

Re:Booooring...

[Too Much Noise (755847)]

Attempting to draw sort of a line between "OS" and "irregular tools":

[DSA 664-1] New cpio packages fix insecure file permissions

It has been discovered, that cpio, a program to manage archives of files, creates output files with -O and -F with broken permissions due to a reset zero umask which allows local users to read or overwrite those files.

Annoying, but hardly "critical"

*[DSA 659-1] New libpam-radius-auth packages fix several vulnerabilities
This is actually a mixed bag.

The Debian package accidently installed its configuration file /etc/pam_radius_auth.conf world-readable.

rather embarassing, but Deb-specific.

Leon Juranic discoverd an integer underflow in the mod_auth_radius module for Apache which is also present in libpam-radius-auth.

more general, indeed.

and even (assuming a KDE desktop):
[DSA 660-1] New kdebase packages fix authentication bypass

Raphaël Enrici discovered that the KDE screensaver can crash under certain local circumstances. This can be exploited by an attacker with physical access to the workstation to take over the desktop session.

This problem has been fixed upstream in KDE 3.0.5 and is thereforefixed in the unstable (sid) and testing (sarge) distributions already.

The rest are additional packages installed on a per-need basis. You don't argue MSSQL vulnerabilities are Windows vulnerabilities, do you? Or those of the compiler? (f2c indeed - that must be highly critical for home users)

Contrast this with the Windows anouncement where the 10 vulns affecting the OS are rated Critical.

Re:Booooring...

[chris_mahan (256577)]

What I want to know is this:

Are the holes real?

(I mean, I know there are so many holes in windows the swiss cheese manufacturing association is suing)

Since the great unwashed masses are going to buy windows. (They are, trust me) and Microsoft, knowing this, wants to boost sales.

They announce, in this order:

A) We don't support windows 2000, 98, ME, for new vulnerablities, you need XP sp2.

B) We are not going to provide windows updates to non-legal installations of the software.

C) There are now lots and

Why?

[Sophrosyne (630428)]

Can't they roll them into one cumulative security update?

Re:Why?

[drmaxx (692834)]

they try - it's called Longhorn - they are just soooo many of them...

Re:Why?

[amberp (852278)]

for 2 reasons
1. There are too many (known and unknown) of vunerabilities.
2. Even the known ones are too much to be fixed for various reasons.

Re:Why?

[Zocalo (252965)]

Mostly because not every one might appreciate having to download a huge patch for something they don't have installed. Also because the patches are covering multiple Windows versions, and EDS can tell you all about what happens [theregister.co.uk] when you apply a patch for one Windows varient over another...

Re:Why?

[totoanihilation (782326)]

Every time I visit family, I make it a point to bring all the updates they could possibly need for their computer. (That, and bringing along new versions of firefox). It's a pain trying to figure out which updates they have, and which ones they don't and I end up spending an hour locating them all.
Unfortunately, most of those I visit don't have broadband, so downloading 200 megs from WU doesn't work.

On the other side of the fence, MacOSX updates always have a Combo version containing ALL previous updates,

Damnit

[mao che minh (611166)]

And I just got done updating three or four ZEN images. I can't wait for the hundred times I'll be asked next week "can I click OK on the update thing or is that spyware?".

At least they are actively patching...

[jmcmunn (307798)]

Come on Slashdot, at least they are actively fixing their shit. You all bad mouth them for not fixing stuff fast enough, and then when they announce they are releasing a patch you try to find some way to bad mouth them for that?

We're all bored of hearing how much people hate MS here...we KNOW you don't like them. Just leave it at that, and instead of reading and posting 600 replies here about how they suck, have some sort of intelligent conversation instead.

Re:At least they are actively patching...

[bersl2 (689221)]

Yeah, OK, that's fine.

But as others have said already, do we really need to hear about it every time?

Re:At least they are actively patching...

[Lisandro (799651)]

Seriously. Damned if they do and damned if they don't. I update atleast two or three software packages a day in Gentoo (most of them version revisions with bugfixes) and it's not all over the news.

Re:Mod parent up.

[jmcmunn (307798)]

Yeah, my network of 5 windows machines never has any troubles. Of course that's because everyone here is smart enough not to download spyware infested crap from the internet. We have AVG running on every machine and that keeps us virus free. And yes, I have a router as firewall, and SP2 on every box.

If your Windows machines are broken, it's not Windows fault IMHO, it's mostly user issues. I do agree that Windows makes it easy to install bad software, but Linux can also be totally runined by installing

Re:At least they are actively patching...

[DarkVader (121278)]

Hmm... I think I might even sue the lock manufacturer. If I've bought a new lock that's been advertised to keep the burglar out, and he goes in by breaking the lock, I've even got a case.

Now, if I buy a lock that is known to be defective, I don't have a case - I should have known better.

But I can still be annoyed that the lock manufacturer makes garbage locks.

Or I can just use another company's locks. That's the problem with Microsoft, they have so much of the market that many people are stuck using their locks, even when they know they're garbage. Me, I'll stick with Macintosh and Linux.

Re:At least they are actively patching...

[jmcmunn (307798)]

Well, Microsoft could take the stance of creating the "bullet proof" OS which allows you to run only the software that comes preinstalled, and only stuff that they have tested and debugged...that's about the only way they could "guarantee" their product to be bug free. (of course even linux users would never claim to be totally bug free)

But you know what? That wouldn't be a very useful machine to anyone. The beauty of an OS is that it can run programs that you install (or even write) after the fact. Yo

Is this sort of thing still interesting to /.

[Chess_the_cat (653159)]

I mean this is how the process works for any OS. Name the OS or system that doesn't require patches? I just don't see the point of this submission except to imply a Nelson-esque "Ha-Ha" where one isn't required. I run a dual-boot system and surprise, surprise, Linux likes to download fixes as well. In short: Who cares? Next stories: You may have a new e-mail in your inbox: Better check. Or how about: Make sure your version of Quicktime is current.

Re:Is this sort of thing still interesting to /.

[MooseGuy529 (578473)]

Tomorrow's Slashdot headline:

5 New Linux Security Vulnerabilities

Gentoo has given advance notice that 5 packages have problems and will be updated. Happily within the week they will explain them in the next Gentoo Weekly Newsletter. Gentoo users, don't forget to run 'emerge sync' in 15 minutes when your local Portage mirror is updated.

Um, as you can see the same thing happens to any OS. The difference is that Gentoo does this: 1. write a patch to fix current version so users are safe, then 2. put

They don't need to

[Jugalator (259273)]

Windows users, don't forget to run WindowsUpdate first thing Monday morning.

These days, Windows users don't need to "run" Windows Update to grab security updates; the Windows service do that job, so they don't have to remember to do anything special on Tuesday. However, you need to actively visit windowsupdate.microsoft.com if you need other stuff than security updates.

Trusted Computing: -

[bogaboga (793279)]

For those who are more knowledgeable...are we in the regime of Microsoft's Trusted Computing? I know Microsoft will continue to spew out info emphasizing a renewed effort in secure computer environments.

Re:Trusted Computing: -

[Jugalator (259273)]

For those who are more knowledgeable...are we in the regime of Microsoft's Trusted Computing? I know Microsoft will continue to spew out info emphasizing a renewed effort in secure computer environments.

Hm, trusted computing was their initiative with DRM in e.g. Office and WMP, the whole thing about the "Fritz" circuit, Palladium, etc. AFAIK, no WMA or Word Document DRM etc has been exploited, so I can't really see what that has to do with these news.

PC Benchwarming

[bigskank (748551)]

"Windows users, don't forget to run WindowsUpdate first thing Monday morning."

Not just to rag on MS, but I will NOT be running my PC monday morning. Given microsoft's less-than-stellar history of patch releases (Service Pack 2 still gives me night terrors), I'll wait at least a week or so to see what problems these patches create.

It's unfortunate that many PC users (including myself) would rather risk having their PCs zombified or their data erased for a while longer instead of installing the latest MS patch. For me, past experience has shown me it's less of a risk to just sit it out for a while and see what new holes these patches open.

Re:PC Benchwarming

[essdodson (466448)]

Congratulations, you're the first person I know who has had problems with Service Pack 2.

New Slashdot format

[EaterOfDog (759681)]

10 Print New Awesome Mac Product 20 Print New Windows Security Problem 30 Goto 10

Idiots

[essdodson (466448)]

1) It's Tuesday not Monday; afternoon rather than morning as they seem to release about noon time PST.
2) This is a repeat.

AntiSpyware

[inertia@yahoo.com (156602)]

If you haven't done it already, go to microsoft.com and search for antispyware. Install Microsoft AntiSpyware (beta). You'd be surprised how many trojans and spyware it will find on your "secure" Windows boxen.

Microsoft didn't write it. It's GIANT AntiSpyware with a new label. It may think some of your legitimate apps are spyware, like VNC, but it usually marks them as ignore by default anyway. It's great if you forgot they were there or someone else installed them without your knowledge.

A couple of the updates

[Sophrosyne (630428)]

# Windows XP Media Center Edition may unexpectedly crash while being shown before large audiences.
# User may 'hijack' Internet Explorer settings, this update will reset your Internet Explorer start page and search settings to the new and improved MSN Search.
# Fixes vulnerability that allows users to view old Teen-Beat photographs that may contain images that could shock your system!

Did You RTFA?

[Rolan (20257)]

1) The 8th is TUESDAY and the SECOND TUESDAY of every month is when Microsoft does their patch releases (unless they're so critical they release them out of cycle).
2) It's not 13 patchs for windows. As the article could not state any clearer it's:

9 Microsoft Security Bulletins affecting Microsoft Windows. The greatest aggregate, maximum severity rating for these security updates is Critical. Some of these updates will require a restart.

1 Microsoft Security Bulletin affecting Microsoft SharePoint Services and Office. The greatest aggregate, maximum severity rating for this security bulletin is Moderate. These updates may or may not require a restart.

1 Microsoft Security Bulletin affecting Microsoft .NET Framework. The greatest aggregate, maximum severity rating for this security bulletin is Important. This update will require a restart.

1 Microsoft Security Bulletin affecting Microsoft Office. The greatest aggregate, maximum severity rating for this security bulletin is Critical. These updates will require a restart.

1 Microsoft Security Bulletin affecting Microsoft Windows, Windows Media Player, and MSN Messenger. The greatest aggregate, maximum severity rating for these security updates is Critical. These updates will require a restart.

3) Read before you submit.

Making a more secure Windows

[The Fifth Man (99745)]

IE always seems to be the weak point, or the HTML subsystem... Even if it isn't, I've got instructions on removing several subsystems [vorck.com] from Windows that will make it more secure.

Check out my page on Windows patches [vorck.com], I think it's a convincing argument to rip all of this stuff out of Windows. Just download the files, drag-drop-replace, burn, and install.

XP subsystem removal software [msfn.org] here.

aspell, anyone?

[kernelistic (160323)]

Come on guys, how hard could spelling "Vulnerabilities" correctly be?

The problem with windows is

[CastrTroy (595695)]

The real problem with windows is that every 2-3 years they come out with a new version and have to go through all this crap all over again. Just when they've fixed most of the bugs, they come out with a new version, get everyone to upgrade, and we're back to the beginning. Windows 98 runs just about everything. And at this point most of the bugs have been patched. I knew guys that were still using windows 95 osr2 in 2000 because it was one of the most stable and streamlined systems available.

Re:The problem with windows is

[ledow (319597)]

I have to agree with CastrTroy here... I run 98SE for the exact reason he has stated. I provide tech support to 6 different schools in my area and I'm having to turn new job offers down because I just don't have enough hours in the week to do them.

Everyone is surprised that I run 98 but, especially now, I know the problems that it has and I have systems in place to stop them. I know it crashes a lot but I also know how to fix it. I've never lost a windows 95/98/me installation yet. However, the XP and 2K machines that I support will lock into all sorts of reboot loops and cryptic stop messages that I can nothing about but restore from backup.

The schools I work for were stung big-time by things like Sasser, they were taken completely off-guard and all reached a critical state within a few days when not one of their PC's would stay up for more than a few minutes.

Because of my setup and because of the way that viruses are now only targeting the new vulnerabilities, I'm pretty safe. I've NEVER, repeat NEVER, had a virus on any computer that I own and for many years didn't even bother with an antivirus.

Nowadays, the only reason I have antivirus is so that I can scan emails from people who forward me crap and ask "is this a virus/trojan etc?". Most of the time, it's a yes before I even bother to scan it.

Virus writers are not targetting me, they'd have a very hard time if they did because I'm not stupid.
My IE is up-to-date and never used, because I realised many years ago what a mistake it is to use it. IE is installed purely for Windows Update.

I have people who I support who are still happily running 98, even 95, some of whom are years behind on updates and they don't have a problem because they are educated, firewalled, know what not to do and have established measures in place, have had for years.

Only the 2000/XP computers that I support have problems with such junk because, like Sasser, there was little a user could do to prevent it as it came out of the blue. That's what 98 was like many years ago but we've since established a routine that prevents that.

There is NOTHING WRONG with running an older Windows OS, even an out-of-date, not-updated OS. Sure, I wouldn't use it as a server but then I wouldn't use Windows as a server given half a choice, precisely because of it's many problems.

Windows "automatic update" has screwed up many a machine that I support, and given all sorts of weird problems becuase of it installing crap and hogging internet connections.

Windows 98 works for me, does everything I need to, is blindingly fast (but you don't notice that until you use it after using XP), behind a suitable set of protective measures is as safe as a Windows 2000/XP machine behind the same measures, easy to recover and suffers less problems overall.

Experiment for the adventurous: Get a Windows 3.1 box, install TCP/IP and put it on the net. Wait for it to be compromised. Perform similar action on XP/2K, even with latest updates.

One of my firewalls is still running a Linux 2.0 kernel because it's simple, safe, and works. Old decrepid. Old = tried and tested.

Ask NASA why they won't put a Intel with XP controlling the space shuttle. Now ask them why they would use a Z80 with something like CP/M or Unix.

Safe Surfering

[Mybrid (410232)]

It is trivial to run Microsoft without anit-virus software or anti-adware software safely.

Let's call this safe surfing.

The answer is to surf the web as user "Guest".

There are a lot of things to be said about this but the most important is that Microsoft doesn't care about security because they don't educate this or default to this.

As a computer consultant every day I get asked about safe computing. My answer on windows is this:

1. Don't use Microsoft Express or Outlook at home. Instead use web email clients like Yahoo.
2. Don't click on email links. Instead, cut-copy-paste the text of the displayed link into a new browser window.
3. Log out as your account and log in as Guest whenever you 1.) use Windows Media Player or 2.) or 2.) surf unfamiliar web sites.

People squawk about having to log out and log in as a different user. I tell them safe computing is no different than safe sex. You need to take responsibility. You need to decide how important being safe is to you.

By enabling the Guest account and suring the web as guest, virus and adware can't install software, touch the registry, or write to anywhere on the disk other than the account folder for Guest. If the Guest account ever gets corrupted just delete it and create a new one.

However, unlike with Unix, Windows is a hostile environment for mixing users.

On Unix its easy. Just enable "sudo". Your default security mode is one of no access, user mode. You have to make a conscience choice to run with sudo.

It is very unsatisying to run as "Guest" in Windows and then "Run As" a secure user and hardly anyone does it. It's almost futile to install software as an user on Windows other than someone with admin privileges. Almost every major software vendor's install willl fail unless admin privileges are used. By contrast, no such barrier exists in Unix. The "--prefix" option to most software will allow you to run from your home directory. And it's not always just the big things, but little things too. Unix uses the "~/username" shortcut to easily afford copying files between accounts.

It is possible even in today's Microsoft environment to guarantee yourself the impact of a virus or adware can be contained to a sandbox, Guest user account.

The fact that Microsoft doesn't make "RunAs Guest" the default security model as does Unix is something that Microsoft should be held accountable for.

But the reality is Microsoft just doesn't care about security. The only care enough to give it lip service.

Instead of the Following...

[Master of Transhuman (597628)]

"Windows users, don't forget to run WindowsUpdate first thing Monday morning."

I think he meant to say:

Install Linux first thing Monday morning...

I say: Why wait? Use the weekend wisely...

Re:Explain this to a non-windows guy

[essdodson (466448)]

Their corperate customers have asked them to schedule updates in this manner unless they absolutely must be pushed out in a hurry. MS previously released weekly on Tuesdays, now due to input from large corperate customers who like to plan downtimes and patches they do it once a month.

Re:Explain this to a non-windows guy

[Emperor Skull (680972)]

Past experience has shown that exploits are developed very quickly after a patch is released. Without advance notice admins can't schedule or plan to deploy updates. I test and approve patches for about 3000 Windows machines. I'm also in Louisiana where this happens to be a 4 day weekend because of Mardi Gras. Had a critical patch been released on Thursday or Friday I probably wouldn't get to even look at it before next Wednesday. If an exploit was released before then, then well my first day back is going to be a real bad day. While the second Tuesday of the Month might not be perfect for everybody, at least we can plan for it. I know I'll remote in and approve the patches for deployment to my test lab sometime on Mardi Gras day (and watch bugtraq and other places to help determine how important it is to deploy these quickly.) ES

Re:You should be behind a firewall anyway.

[Joe U (443617)]

When using Windows you should always be behind a firewall

When shouldn't you be behind a firewall? With the exception of say, a WebTV, ALL operating systems should be behind a firewall.

Mac included.

WOW, Censorship is alive and well here

[FunWithHeadlines (644929)]

Say anything negative against Microsoft nowadays, except in the meekest of manners, and you get modded to oblivion. What I wrote is 100% true, done in a humorous way, and the last sentence is optional but highly recommended. Anyone who doesn't know by now that Windows is the least secure OS out there gets what they deserve.

You can suppress what I'm saying, but not the reality of what I said.

Re:Lots of vulnerabilities?

[diegocgteleline.es (653730)]

debian woody has like 8000 packages.

Windows XP is a OS, graphical environment, msn messenger, wordpad, a few crappy games, some services...let's be good and say they've 1000 packages of software(they don't)

13/1000= 0.13 vulnerabilities per package

47/8000=0.005

"So you zealous fucker, which platform is more secure?"