Forgot your password?
typodupeerror
Windows Operating Systems Software Microsoft Security

MS Patch Train Leaves the Station 361

Posted by CmdrTaco
from the a-whole-lotta-security-going-on dept.
per1176 writes "Microsoft has released 10 advisories to cover a dozen security vulnerabilities, including a "critical" cumulative update for the Internet Explorer browser. The IE fix corrects a remote code-execution vulnerability that exists due to the way the browser handles PNG (Portable Network Graphics) files."
This discussion has been archived. No new comments can be posted.

MS Patch Train Leaves the Station

Comments Filter:
  • Large size crash (Score:5, Interesting)

    by Anonymous Coward on Wednesday June 15, 2005 @10:23AM (#12823101)
    Does this fix the crash with large streched images?
    ie width=9999999 height=999999 in an
    • It's not for large image size; it's a problem with libpng's processing eTRNS structures, used to handle transparency.

      The folks at libpng fixed the problem months (a year?) ago; I rolled the fix into our application's PNG handling with nary a hiccup.

      Oh, and to save anyone else dealing with PNGs the weight gain and hair loss I experienced, there is NO support for pre-multiplied alpha channels in the library. Sigh.
  • IE PNGs (Score:5, Insightful)

    by Enigma_Man (756516) on Wednesday June 15, 2005 @10:24AM (#12823111) Homepage
    That's hilarious, because IE barely supports PNGs at all, but they apparently are vulnerable to them nonetheless. If you don't know of the png problem, they just don't display the colors right and/or won't do transparencies right at all.

    -Jesse
    • Re:IE PNGs (Score:2, Insightful)

      by RaffiRai (870648)
      Transparencies appear grey in IE.
    • Re:IE PNGs (Score:5, Informative)

      by theborg1of4 (863815) <stephenjborgNO@SPAMgmail.com> on Wednesday June 15, 2005 @11:04AM (#12823530)
      I'm not sure if I understand your use of the word "barely". IE supports PNG as per the W3C recommendation, including binary transparency. IE doesn't support optional alpha channel transparency:

      http://www.w3.org/Graphics/PNG/ [w3.org]

      From the first paragraph:

      "Indexed-color, grayscale, and truecolor images are supported, plus an optional alpha channel for transparency."

      While it would be nice if they supported the optional features, it's actually the developers who continue to use alpha channel transparency PNG that are deviating from the W3C recommendation.
      • Re:IE PNGs (Score:5, Insightful)

        by Anonymous Coward on Wednesday June 15, 2005 @11:14AM (#12823628)
        The alpha channel is optinal in the PNG file format, _not_ in the PNG recommendation itself. The browser still has to be able to handle PNGs with alpha channels to be fully compliant with PNG pictures, even though users might choose not to supply an alpha channel with their picture.
      • I think you're reading that wrong. The alpha channel is an optional part of any PNG image. I'm pretty sure they're not saying that browsers should only support alpha transparency if they feel like it.
      • I believe they also only support 256 (or some other low value) different colors in PNGs. I know that PNGs look totally low-resolution in IE, but not in FF, last time I checked (a while ago, admittedly, but when was the last time IE was updated?).

        -Jesse
  • by J Barnes (838165) on Wednesday June 15, 2005 @10:24AM (#12823113) Homepage
    but is there an obvious point where software become more patch then content?

    Lately I envision all Microsoft products as lumbering stay-puff marshmallow men, ambulating labored steps inside a comical suit of band-aids.
    • by Tarcastil (832141) on Wednesday June 15, 2005 @10:27AM (#12823143)
      You do realize the Linux kernel is heavily dependent upon patches.
      • Yes. Perhaps the GP poster meant binary patches. The patches to the Linux kernel are just the way the kernel evolves. The MS patches are fixes applied after it has been built.
        • What is the difference?

          Microsoft has the source code, they just make the improvements, rebuild the files and perform DIFFs.

          Personally I think its better to apply a binary patch than to have to recompile a kernel just to upgrade it from x.x.11 to x.x.12

          Anyway, patches are not wrong, God! if MS software has an unpatched bug it is his fault and it is bad, then if he releases a patch it is also bad because his software is patched.

          This is not a patch as the normal dictionary word define it, software patches
      • These two comments make it sound as if 'patches' applied to software are somewhat analogous to those things your mother would iron on your clothes when your knee would bust through. They are nothing of the sort.

        When a 'patch' is applied to software, it simply replaces what was there before and integrates seamlessly - think more 'weave' than patch... Imagine if you were writing a term paper with a group of people, and someone said 'hey... replace the 4th paragraph on page 5 with this new paragraph I'm sen
      • What you say is true. However, I can download the latest Linux kernel with all its patches and installed it with only one reboot and no addtional vulnerable Internet time.

        Windows comes with an older kernel that requires mutliple reboots and Internet downloads while still in a vulnerable state. While it true that I could probaly download all the patches prior it is still far more tedious than a single trip to ftp.kernel.org.

    • In software the term "patch" really means something closer to "change" It typically removes something and replaces it with something else. (but sometimes only removes and sometimes only adds)

      It is not like a patch you apply to your trousers when they have a hole in them.

      When you buy a new lamp for your home or throw away a worn out rug, think of it as patching your house.

    • by mph (7675) <mph@freebsd.org> on Wednesday June 15, 2005 @12:09PM (#12824151)
      but is there an obvious point where software become more patch then content?
      Maybe when you change the name of the software [apache.org] to indicate that's the case?
  • by Anonymous Coward on Wednesday June 15, 2005 @10:24AM (#12823115)
    Why not just release a patch that uninstalls IE?
  • by Nos. (179609) <andrew@theker r s . ca> on Wednesday June 15, 2005 @10:24AM (#12823119) Homepage
    After the jpg incident, wouldn't you tend to look at the code handling other image formats for similar problems? Guess not.
    • Dude, if they hadn't checked, how else would they have realized there was a vulnerability for PNG and then developed a fix for it?
      • by Cally (10873) on Wednesday June 15, 2005 @10:40AM (#12823283) Homepage
        Dude, if they hadn't checked, how else would they have realized there was a vulnerability for PNG and then developed a fix for it?

        As a matter of fact, these and other forthcoming issues with various OSes graphic parsing and rendering libraries result from a sustained attempt to break them with fuzzing techniques by researchers at the Finish University of Uola (or Oula. I forget). This is the same group that ripped apart many vendors' implementations of SNMP a few years ago, and ASN.1 a year or two after that. Big thanks to them for proactive efforts to improve security...

      • I figured like how they discover all thier other flaws. Someone else tells them about it. I mean really, some "security reseacher" develops a "proof of concept" and sends it to MS. then they blackmail MS to release a patch in x amount time as they will release the "proof of concept" to the wild.
    • by Michalson (638911) on Wednesday June 15, 2005 @11:24AM (#12823724)
      After the jpg incident, wouldn't you tend to look at the code handling other image formats for similar problems? Guess not. Would you apply the same logic/I'm cool because I bash Microsoft stupidity to Mozilla/Firefox?

      For example in 2002 an arbitrary code execution vulerability was found in Mozilla's PNG code (155222 [mozilla.org]). That obviously set off people searching for other image vulnerabilities, which resulted in them finding Mozilla's GIF decoder was also a flawed, allowing for arbitrary code execution (157989 [mozilla.org]). By your logic once that initial alarm goes out the code should be checked and all bugs will be found; if bugs are still present in that module (or in Microsoft's case, in a completely seperate but similar one) then it represents a huge failure by the organization. Now since open source projects have tens of thousands of eyes to check source code once a flaw has been found, I'd assume it applies equally to Mozilla. Lets test that theory.

      Fast forward to 2004, and the PNG library still has arbitrary code vulnerabilities (251381 [mozilla.org]). Given that people knew as earlier as 2002 that there had been PNG vulnerabilities, WHY did they not find this one until 2 years later.

      Fast forward to 2005, and this time it's the GIF code. Now we already knew the GIF library had problems 3 years ago, yet somehow an arbitrary code execution flaw, which existed from the very beginning of the Mozilla project (1998), is found (mfsa2005-30 [mozilla.org]). This dangerous exploit has been sitting in open source code for 7 years. 3 years ago attention was brought to that very module for the very same kind of exploit. And yet it wasn't found until just a few months ago. By the logic of Nos [slashdot.org], the Mozilla Foundation, and everyone who has checked the code, are morons. Or perhaps Nos has some doublethink to get himself out of the Microsoft bashing to make himself cool hole he dug himself.
    • After the jpg incident, wouldn't you tend to look at the code handling other image formats for similar problems?

      Nah, that sounds like some sort of proactive security initative.
  • by PyWiz (865118) on Wednesday June 15, 2005 @10:26AM (#12823134)
    Microsoft has released a free security update to Windows users today: Service Pack Linux. Service Pack Linux includes a fix for all IE vulnerabilities, as well as flaws in Outlook and Office. IIS users will be happy to know that Service Pack Linux will fix many problems with Microsoft's premier web server package as well. Service Pack Linux is considered the most comprehensive security fix in Windows history. Users should get it now at http://distrowatch.org/ [distrowatch.org]
  • by callipygian-showsyst (631222) on Wednesday June 15, 2005 @10:28AM (#12823150) Homepage
    ...Slashdot seemed to have missed this doozy from less than a month ago. [us-cert.gov]

    http://www.us-cert.gov/cas/techalerts/TA05-136A.ht ml [us-cert.gov]

  • To bad (Score:3, Insightful)

    by MemoryDragon (544441) on Wednesday June 15, 2005 @10:31AM (#12823180)
    I thought they might have fixed the png transparency bug, which was reported to them eight years ago... but no... just a buffer overflow.
    • Re:To bad (Score:3, Funny)

      by Spy der Mann (805235)
      which was reported to them eight years ago... but no... just a buffer overflow.

      I imagine the microsoft engineers wearing anti-infection outfits (with masks and everything) and large instruments.
      ---
      "Ok there's the creature..." (imagine some sort of alien spider, but with more guts and everything)
      "Be careful guys, we don't want to break it, just remove the insecure splinter from it"
      "Man, this is disgusting. I wouldn't touch that with a 20 foot pole"
      "OK, splinter removed! Close the cage, quickly!"

      TSHHHHHHHH
  • WSUS (Score:3, Informative)

    by XorNand (517466) on Wednesday June 15, 2005 @10:32AM (#12823191)
    For those admins who tend to a small MS shop and don't have the need for an expensive patch management solution, WSUS [computerworld.com] was released last week to replace the lame SUS (Software Update Services). I had to disable SUS due to some GPO issues, so I'm looking forward to checking out WSUS. And with this round of patches, it seems like the ideal time to test.
    • yeah, i just got the WSUS migration notice on the SUS control panel, i'll probably do that next week

      SUS does its job, but i'm hoping for alot more control over patch management, its a very inelegant solution.
    • We've started using WSUS in a ~1000 workstation environment and it's fantastic. There are a few quirks you have to iron out, especially if you've been using non sysprep'd ghost images on all your workstations. It's all manageable, though, and once set up it's a really powerful (and free) tool.
    • I've been testing WSUS and I'm rather impressed. If you have a Windows environment with up to a couple of thousand workstations, I'd have no problem with recommending this. This is what SUS should have been in the first place. SUS allowed you to point machines at the SUS server to download patches and schedule them for install by way of GPO. That was the limit to patch management for SUS. With WSUS, you can assign the machines to groups and assign patches to those groups. This allows you to install only the
  • The NSA (Score:4, Funny)

    by Anonymous Coward on Wednesday June 15, 2005 @10:37AM (#12823240)
    Never needed MSFT to put in a "backdoor" for them, specifically. Christ, they just needed the source-code so they could use all the ones there were already there.
  • Venture to guess? (Score:4, Insightful)

    by AyeRoxor! (471669) on Wednesday June 15, 2005 @10:46AM (#12823334) Journal
    exists due to the way the browser handles PNG (Portable Network Graphics) files."

    Hmm... Buffer overflow maybe?

    Buffer overflow is an amateur mistake. Check your god damn code.

    /frustrated by lazy programmers
    • by Joe Decker (3806) on Wednesday June 15, 2005 @11:00AM (#12823490) Homepage
      Check your god damn code

      Using an interjection when you mean a adjectival phrase is an amateur mistake. Check your God-damned grammar.

  • by Whafro (193881) on Wednesday June 15, 2005 @10:50AM (#12823373) Homepage
    It's happened to me twice now...

    I'll install a vanilla copy of XP Pro onto a system, and within minutes of hooking the machine up to the network, it has become infected with a virus, basically requiring a reinstallation immediately.

    My normal mode of installation is:

    - Install XP
    - Two IE windows open:
    - One downloads Firefox
    - The other goes to Windows Update and starts downloading patches.
    - Download everything else using firefox, including drivers, etc.

    But apparently Windows Update isn't a fast enough method to get the machine patched, and the machine is compromised before the appropriate patches are finished being applied.

    I've made a "XP Install Disc 2" for myself, which has the full SP2 installer file, Firefox, Avast, Spybot, and Adaware on it, that I then install while the box is still offline. It seems that SP2 does well enough at plugging exploits that the system then has enough time to download the other patches normally without becoming compromised.

    Does anyone have a better solution?
    • Try getting a hold of $40 and buy yourself a Linksys firewall. That would give you a TON of time to upgrade a naked box. (hehe, I just said naked box).
    • You could slipstream SP2 onto your install CD (search google for directions), so you don't have to race against time trying to get it installed before your machine is pwned. It'll just install with XP. Upon installing, if you're really paranoid, you could put a second firewall on your machine, like Kerio or Zone Alarm. After that, get updates and install antivirus and antispyware.
    • use a better firewall. i run devil linux on a dedicated machine and use it as a router/firewall and never have a problem. on the other hand as soon as my younger brother takes his computer back to the dorm it gets infected... it's all whats on your network. cable users seem to be worse off due to the lan you are on with your infected neighbors.
    • by wiggys (621350) on Wednesday June 15, 2005 @11:02AM (#12823505)
      Yes.

      1) Switch on the built-in firewall before you connect to the internet. It's very basic but it does the job, I've been running an unpatched XP system with nothing more than the built-in firewall for months now with no problems.

      2) Buy a router. £25/$40 buys you a piece of hardware which acts like a firewall and blocks all incoming ports, other than ones you solicit, natch.

      3) Slipstream SP2 into your XP install. Personally I'm staying away from SP2 but use it if you must.

      4) Put a copy of Zone Alarm on your "XP Install Disc 2", along with the the many useful bits of freeware available at www.grc.com

      5) Download, burn and learn how to use Knoppix.

      6) ????

      7) Profit!
      • by SomeGuyFromCA (197979) on Wednesday June 15, 2005 @11:14AM (#12823621) Journal
        > 2) Buy a router. &pound;25/$40 buys you a piece of hardware which acts like a firewall and blocks all incoming ports, other than ones you solicit, natch.

        and remember to turn off upnp. otherwise, the following happens:

        <spiritual descendant of back orifice> hey router, this is a upnp request: forward 31337 to this computer, please!
        <router> will do, and you have a good day!
        <sdobo> oh, i will...
    • by Dynamoo (527749) on Wednesday June 15, 2005 @11:39AM (#12823879) Homepage
      Yup: Windows XP: Surviving the First Day [sans.org] from the SANS institute covers this problem.

      The key thing, as others have said, is to enable the software firewall and make sure that file and print sharing is disabled. A second CD with SP2 and a decent firewall like ZoneAlarm is usually enough too.

    • I've made a "XP Install Disc 2" for myself, which has the full SP2 installer file, Firefox, Avast, Spybot, and Adaware on it, that I then install while the box is still offline...

      Does anyone have a better solution?


      Are you kidding me? I install all SP2's from CD.
    • Yes, the rest of the world slipstreams service pack 2, installs without a network connection, enables XP firewall before hopping on the Internet, then downloads whatever other patches are available.
  • A humor security issue has been identified that could allow a Slashbot to remotely compromise your sense of humor about Windows patches and bore you to death. You can help protect your sense of humor by installing this update from Microsoft. After you install this item, slashdot.org will resolve to 127.0.0.1 .

    How to Uninstall

    Read all comments rated as funny under a story about Windows Update on slashdot.org and your sense of humor will be successfully uninstalled.

    Help and support

    http://omgmstehsux0rs.slashdot.org/ [slashdot.org]
  • by cahiha (873942) on Wednesday June 15, 2005 @11:00AM (#12823481)
    If you look at Macintosh, BSD, and Linux distributions, they also have regular security updates, with many similar vulnerabilities.

    There are really two problems here, one true of all major OSes right now, and the other one true of proprietary systems.

    The first problem is the pervasive use of C and C++, which makes systems unnecessarily prone to buffer overflows and related problems. C and C++ programmers keep saying that they can handle it, but it is obvious that they can't.

    The second problem is that Microsoft and Apple only update their own applications; users are saddled with downloading updates for other software by hand. If all these bugs exist in IE, you can be similar bugs exist in Photoshop, Office, and many other apps that aren't automatically updated.
    • by EXTomar (78739)
      I don't see C/C++ as being the problem. It is more that the security hurdles in Windows makes it impossible to run efficiently in anything but a privilaged account. This allows malware of all sorts to take advantage of vectors not found on other Operating Systems. Opening an email could infect your system if done in a privilaged account. Reading a web page could infect your system if done in a privilaged account. Browsing the local network resources can infect your system... So on and so on.

      You'd hav
  • All aboard! (Score:5, Funny)

    by AtariAmarok (451306) on Wednesday June 15, 2005 @11:00AM (#12823482)
    "MS Patch Train Leaves the Station"

    Otherwise known as the Bugwarts Express. To find the boarding platform, run your luggage cart full tilt into that blue screen.

  • We can't go back to gif, can we? ;-)
  • It's the Paaaaaaaaaatch Train! The longest running update progam in computer history. Now with your host Steve Ballmer!
  • MS cant win (Score:2, Insightful)

    by Anonymous Coward
    If MS doesnot patch you all say "MS wont patch their crappy stuff"

    if they do patch, you all say "Wow, it must suck really bad to have to patch it"

    As if Linux doesn't require constant patching either, hypocrites

  • by suitepotato (863945) on Wednesday June 15, 2005 @11:15AM (#12823640)
    This is all partly as a result of the way the PC platform itself works, it's merely that Windows has got so much compound crap in its code that these things are bound to happen. As Linux distros continue to grow and mutate and people ignore the old idea of the smallest kernel possible, we're going to see more buffer overflow errors on Linux. If BSD had the same kind of useage rates as Linux, we'd see a similar trend there. Mac OSX is taking off, we're going to see evolutionary crap in its genetic structure as it were.

    Tearing Windows present design platform down to the smallest parts and scrubbing and rebuilding would probably put back the release of XP's successor to 2016. Let's hope some people are listening on the Linux and OSX sides and get it in their heads to keep their code lean and healthy and well tested.
  • by trtmrt (638828) on Wednesday June 15, 2005 @11:26AM (#12823751)
    I just installed the latest update for windows 2000 on my wife's computer and it hosed the installation. I assume it included these latest patches. Has anybody had a similar experience? I am getting a "SYSTEMced corrupt or missing" error which google tells me has to do with registry problems.
  • by Anonymous Coward
    I'm surprised no one has yet mentioned the problem one of these "critical updates" is causing on Dell Optiplex GX280 computers. I had two systems on my LAN mistakenly configured with "automatic updates" that had serious problems after one of these updates was installed. The user complained that they would turn on the computer and after about 10 seconds (before they could even finish logging on) their monitor would turn off. I first thought it was a monitor problem, but changing monitors didn't resolve th

The unfacts, did we have them, are too imprecisely few to warrant our certitude.

Working...