Microsoft to Release 6 Security Updates Next Week

Posted by CowboyNeal on Fri Jul 06, 2007 06:28 AM
from the on-the-horizon dept.
An anonymous reader wrote in with an article that leads: "Microsoft will release six groups of security patches next week, including three critical updates for Windows and Excel users. The critical updates will fix bugs in many different versions of Microsoft's products including the latest versions of Excel, Windows XP, Vista and Windows Server 2003, Microsoft said."
  • by witte (681163) on Friday July 06 2007, @06:31AM (#19765567)
    ... at least now we will be safe !
    • Six, eh? That's one fix, two to fix the bugs the first fix introduced, and two more to fix the bugs the last two introduced. The one left over causes several new serious bugs, but on the positive side it adds realistic 3d shading to clippy.
      • Bring on the news! (Score:5, Insightful)

        by Gription (1006467) on Friday July 06 2007, @08:42AM (#19766511)
        The real point is why is this considered news that needs to be released to /. ?
        They have released this quantity of patches before...
        Often...

        This is like walking outside and exclaiming in surprise, "Look everybody! There's still air out here!!!"
    • Yes, next week we will all be safe. Best not open any documents or spreadsheets until then though. Tell your boss it's for security reasons.
  • Hmmmn (Score:2, Interesting)

    This shows the importance of a good NAT firewall. However it'd be interesting to know if the user must click allow on a lot of UAC warnings first to be compromised or it comes through clean since this is supposed to be one of the main benefits of Vista. The UAC works reasonably well for me, it's just annoying when stupid companies like ASUS ship "Vista Ready" cds in the box that have unsigned code that generate a lot of warnings.
    • Re: (Score:2, Flamebait)

      This shows the importance of a good NAT firewall.
      You got that wrong. You meant "the importance of a good firewall". NAT is a bad, bad thing, at least in the usual meaning of that word -- while technically any kind of a box in the middle meddling with sender/receiver fields in a packet is network translation, the typical setup of X machines being shoehorned into 1 IP doesn't have a single benefit, just a lot of downsides.
      • I just figured if I have a bloody hard time configuring and opening ports without problems for legitimate programs on it that trojans and other nasty stuff must have a hard time getting through and sending back data also :)
        • Re: (Score:3, Informative)

          NAT doesn't stop people sending data back it just stops people directly coming in. Since they can get out they can tunnel a way back in or sit on an IRC server or similar system and wait for commands. There are also techniques like STUN that trick a NAT system into opening a port without actually realising it. Even though you have a hard time getting things to work, people have already thought of this and have no issues working around things ;)
      • Re: (Score:3, Informative)

        "the typical setup of X machines being shoehorned into 1 IP doesn't have a single benefit"

        If that were true then it wouldn't be done. If it weren't being done then everyone in an office would need their own public IP to connect to the net? It's a benefit to be able to firewall traffic at one point rather than doing the same checks on every machine as well.
        • One word: IPv4.
        • Re:Hmmmn (Score:4, Informative)

          by Ephemeriis (315124) on Friday July 06 2007, @08:22AM (#19766303) Homepage

          "the typical setup of X machines being shoehorned into 1 IP doesn't have a single benefit"

          If that were true then it wouldn't be done. If it weren't being done then everyone in an office would need their own public IP to connect to the net? It's a benefit to be able to firewall traffic at one point rather than doing the same checks on every machine as well.
          The benefit is that it allows us to continue using IPv4 with relatively few problems. It allows ISPs to keep from running out of static IP addresses. And that is only a 'benefit' because IPv4 is more-or-less broken at this point.

          Just because a PC has a public IP doesn't mean you don't need a firewall or router. It doesn't mean you'd be doing all your firewalling on the individual PCs. You'd still route your traffic through a central box and do your checks there instead of on every machine.

          I'm not going to say NAT is completely bad all the time. It's a handy little hack. But that's exactly what it is - a hack to keep IPv4 alive. And doing away with NAT would eliminate a lot of headaches that cramming dozens of PCs into one public IP address has created. Of course...we'd get other headaches in exchange... But nothing is perfect.
        • Well you can do stateful packet inspection if you want to pay for decent routing gear to make sure everything is doing what it should. In fact there are a whole heap of things that allow you to control a single point and give out public IPs. My university staff network used to have public IPs for some sections because they needed it. The main reason why not everyone gets public IPs is the fact that there simply isn't enough IP addresses in the v4 range to go around, with IPv6 we could easily give everyone a
          • Yeah I was thinking that there wouldn't be enough IPv4 addresses, and it must be cheaper to only have one web facing IP address anyway? I'm not very knowledgeable when it comes to registering public IPs/domain names etc. Yeah NAT isn't the same as firewalling I guess, but they tend to work quite well together :P
        • Imagine all your PC's have their own IP address. (Scenario more likely if you have IPV6). You can put a firewall where your NAT used to be, have all the advantages of NAT and none of the disadvantages. NAT is an ugly hack which, by pure coincidence, turns out to have some firewall-ish features.
  • Microsoft Patch Release Announcement
    (Slashdot Standard Form #97)

    Microsoft will release [$COUNT] security patches

    [ ] Today
    [ ] Tomorrow
    [ ] Next Week
    [ ] When they goddam say so

    Including [$NUMCRITICAL] critical updates for

    [ ] Windows
        [ ] XP
        [ ] 2000
        [ ] Server 2000
        [ ] Server 2003
        [ ] Vista
    [ ] Linux (..sorry, just kidding!)
    [ ] Word
    [ ] Excel
    [ ] Access
    [ ] PowerPoint
    [ ] Bob
    [ ] Internet Explorer
    [ ] Outlook
    [ ] Outlook Express
    [ ] Exchange
    [ ] DOS 6.22
    [ ] All of the above

    A spokesperson said "We take a very serious view of our responsibilities to ensure that the Microsoft computing experience is safe and secure for all our valued customers - and these updates show our commitment to that goal"

    When what they really meant to say was...

    [ ] Fsck, we just found some more stuff we missed during beta testing.
    [ ] We never thought someone would try THAT
    [ ] Yeah, we were kinda hoping we could keep that one quiet but then some geeky, long-haired nerd had to go and post about it on teh Internets.
  • by Toreo asesino (951231) on Friday July 06 2007, @06:54AM (#19765681) Journal
    Does everyone here secretly run Windows systems, or is this another MS-bashing opportunity? Can we have security fixes released for Linux kernel published too please? I think that might be more relevant for the practical purposes this article was no doubt published...

    I mean, Christ, it's almost like everyone here hates Microsoft or something!

    Wait a minute....
    • Re: (Score:3, Insightful)

      Does everyone here secretly run Windows systems

      Secretly? No... But my job forces me to deal with Windows far more than I like. And then there's three Windows gaming systems at home...

      I mean, Christ, it's almost like everyone here hates Microsoft or something!

      See my above statement. By the time I get home from dealing with buggy Windows machines all day long the last thing I want to do is deal with more Windows issues at home...which is why I'm running Linux for my primary machine. But we're a family of

    • Actually, this is useful. I work in Desktop Support at an IT company, and we finally had to turn off Microsoft Updates, as it was crippling us. Of course, the answer would be to use some type of update management solution, but that has not happened yet. It's just good to know ahead of time that users might be experiencing problems.

      Of course, one could argue that Microsoft releases patches just about every Tuesday. Just expect to have higher than average traffic on your helpdesk come Wednesday morning.

      I have t
    • Why is this news again?

      Because Vista [slashdot.org] doesn't have security problems.

  • Ok and... (Score:5, Insightful)

    by svendsen (1029716) on Friday July 06 2007, @06:59AM (#19765705)
    why is there an article about patches anymore? Everything gets patched... Windows / Linux / OS X / a few hundred thousand applications that run on them.

    Slashdot all the news about iPhone and patches that you have ever dreamed of....
  • This is just great! (Score:4, Interesting)

    by CaptainZapp (182233) * on Friday July 06 2007, @07:17AM (#19765791) Homepage
    Time to patch my Laptop (Samsung, XP Pro legally licensed). There's only one problem with that:

    When I start Windows Update it informs me that it needs updating. Attempting to do so leads to a carped update with some error code. In short: Without the "improved" version of the software no more Windows update for me and since getting the "improved" version fails to install in the first place...

    This seems to be a known problem for which there doesn't seem to be a fix yet. And no! Re-installing the OS is not an option since this toasts my Ubuntu partition.

    Microsoft is a company that pisses me off more and more on a daily basis. Thank you for listening.

    • is the solution. That way, you can concurrently run Windows in a window on Ubuntu and you can recover the wasted Windows disk partition too, using ntfs-3g. Actually, when using an emulator, Win98se works even better than Expee and since you won't be using any of the internet 'features' of Windows anymore, the vulnerabilities won't affect you, while making backups of Windows becomes a breeze using tar. With Windoze on Qemu, you don't need to bother updating it anymore either - it just keeps on working.
      • "Above 17 steps...."

        This is why I won't deal with Windows at home anymore. Ok, only 5 steps, but that's 4 too many.
    • It's a long-shot, but I've actually seen Windiz Updates fix something quite like this, and then the official MS updating worked just fine. Of course, you might just stick with Windiz afterwards :)
      http://windizupdate.62nds.com/ [62nds.com]
    • Turning off automatic updates, rebooting and running a manual windows update will usually clear it. If not, you might have a corrupted update catalog or the like - googling the error code will usually give you instructions to clear it; there's quite a few different ways to break windows update and all I've come across so far are pretty straightforward to fix. If you get stuck, post the error code here and I'll try and find a guide.

      Yes, it pisses me off too, which is why I run windows under vmware these days :)
    • Re: (Score:3, Informative)

      99% of problems with Windows Update are caused by incomplete download or corrupt catalog data.

      Stop the BITS and Automatic Updates services and then delete (or rename) C:\Windows\SoftwareDistribution. Then restart the BITS and Automatic Updates services.

      Script:

      net stop bits
      net stop wuauserv
      rmdir /s /q %windir%\SoftwareDistribution
      net start wuauserv
      net start bits

      You should also apply these updates if you haven't before:
      http://support.microsoft.com/kb/927891 [microsoft.com]

      Installing the WUA 3.0 with the /wuforce switch a

  • by simong (32944) on Friday July 06 2007, @07:17AM (#19765799) Homepage
    One of the joys of working for a big company is the splendid way in which a large patch distribution nails network bandwidth and pulls down every machine in the office while it is installed. I'm not sure who's at fault here but they sure ain't the sharpest tool in the box.
    • Re: (Score:3, Informative)

      If that is how it works in your org, then they should start using WSUS or learn how to use it properly.
    • Re: (Score:3, Informative)

      Who's at fault? Your company. They are not using WSUS (http://technet.microsoft.com/en-us/wsus/default.aspx) or something similar. The technology is there, don't blame MS.

      Not the sharpest tool in the box.
    • Re: (Score:3, Informative)

      Your large company has idiots for IT then. There's no reason not to use WSUS, then you have one server downloading from the internet, and clients pulling from that (or another internal downstream server). And you set it to do so at 3AM when no one is around.
    • I would have to inquire as to why your IT department isn't managing the software updates across the LAN? What are they getting paid for, if not PC configuration management?

      • Not true. I deployed WSUS 2.0 a year ago, and it worked fine. I didn't care to use a webpage to manage it, but thankfully they now have an MMC snap-in for v3 instead.
  • by pete.com (741064) on Friday July 06 2007, @07:30AM (#19765903)
    This just in...

    The sun will be rising in the east today and setting in the west. We will continue to cover this breaking news as more details come to light.
  • > ... including ... Vista ...

    That's what I thought you said. At least now we know that moving from XP to Vista is not a security upgrade. So much for the oh so secure new OS, I'm sure it's worth every penny I saved not getting it.

    I'm thinking about migrating to DOS 6.6. I have no idea how secure it is, but I'm pretty damn sure nobody's trying to exploit it.
  • There will *always* be security updates. Unfortunately bugs in programs are inherent to how we write programs. Sure- there is plenty people could do-- functional programming approach, better coding practices, et cetera-- but a few more bug fixes just isn't news. hell-- linux and macosx have bug fixes all the time too but they rarely hit slashdot's front page.
  • Yes, Linux is more secure than Windows. We know that.

    That doesn't mean that we can rest easy on Linux Security. We must never for a moment think that even with Linux we are ever completely safe. As long as any computer has power to it, it has a security risk, but I'd like to present an alternative way of thinking about it.

    Linux must not only be better in security, but better in capability.

    I know that design wise, OpenLDAP/Kerberos/Samba/FreeRadius/AFS will produce a far more secure network infrastructure than Active Directory will. But that combination will not produce as capable an infrastructure as the real ADS. The worst security vulnerability Linux could have is the security vulnerability produced when an organization chooses Active Directory on Windows over Open Directory on Linux.

    If you want to change this, contribute to OpenLDAP, to Samba, to FreeRadius, and Kerberos. Let's make Open Directory not only more secure than Active Directory, but outright superior.
  • "Excel, XP, Vista, Server 2003..."

    I know, this shouldn't affect me, but it still boggles my mind (a little) that we need security updates for a SPREADSHEET APPLICATION. An OS? Server software? Sure. But Excel? It's a sad commentary on Microsoft's software that such a thing is necessary.

      • That has nothing to do with Microsoft ...

        I'm not so sure I agree. Why does a spreadsheet need to be able to run extensive VBA code?

  • Hmm, so this means we have a free week to use these exploits.
  • However... (Score:3, Informative)

    by DimGeo (694000) on Friday July 06 2007, @05:13PM (#19773891) Homepage
    ... The only Vista bug that I can see in this bulletin is "Moderate", not "Critical". That's because there are multiple levels of protection, kinda like those in OpenBSD and SELinux. Remember, NSA had a say in Vista's design. There is Mandatory Integrity Control (something not widely known, I believe it's separate from UAC and is mostly under-the-hood stuff), Address Space Randomization, buffer guards, low-integrity for IE, reduced privileges for services, nothing can escalate without an in-your-face irritating UAC (Union Aerospace Corporation, anyone?) prompt, and of course, lots of pixie dust I can't talk about. So in case there's a buffer overflow (take the ANI bug for instance) - there are a few layers of mitigation that seem almost unbreakable *AT THIS TIME*. I'm yet to read news about a pwned Vista box. I'm sure it's possible that some clever guy somewhere will write an exploit that dodges all that stuff, but it obviously is taking much, much longer than with any other OS, except, of course, for OpenBSD (kudos there) :) . Of course there will be bugs in legacy code that are still there. But layered security and systematic elimination of bugs work.

    Microsoft *did* hire some of the best security experts available lately. And I can say it shows. At least now I feel not very scared to use IE when I have to.

    Then of course, everyone loves "Free Games!!!11eleven", mushy-mushy desktop pets, free trial CDs, free money from your late uncle from central Boozemania or whatever. If your user account gets pwned, and your user has access inside the network of your company, you're toast no matter what OS you run.
    • Re:And ... (Score:5, Insightful)

      by MoonFog (586818) on Friday July 06 2007, @07:25AM (#19765859)
      Could be because a large portion of Slashdot's readers are sysadmins and chances are that many of them are administrating Windows machines at work?
    • How did this troll ever get insightful?
    • Aside from the Windows machines I have to administer at work, I care because I'm a gamer. Like it or not, Linux does not have terrific support for modern gaming. Yes, I know - WINE and Cedega - I've tried them and they just don't do a good enough job. I run Linux at home as my primary machine, but I also have several gaming PCs running Windows.