MS Patch Train Leaves the Station
per1176 writes "Microsoft has released 10 advisories to cover a dozen security vulnerabilities, including a "critical" cumulative update for the Internet Explorer browser. The IE fix corrects a remote code-execution vulnerability that exists due to the way the browser handles PNG (Portable Network Graphics) files."
IE PNGs (Score:5, Insightful)
-Jesse
Reminds me of the JPG buffer overflow (Score:5, Insightful)
PNG??? (Score:1, Insightful)
Re:IE PNGs (Score:2, Insightful)
Re:Forgive my ignorance (Score:4, Insightful)
To bad (Score:3, Insightful)
Re:PNG??? (Score:4, Insightful)
Google integer overflow vulnerability for more information.
Venture to guess? (Score:4, Insightful)
Hmm... Buffer overflow maybe?
Buffer overflow is an amateur mistake. Check your god damn code.
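The integer-overflow-to-buffer-overflow pattern the two posts above point at (the "Re:PNG???" reply and "Venture to guess?"), as an added C example. This is not Microsoft's code and makes no claim about how IE's decoder was actually written; it only shows the shape of the bug class. The IHDR chunk of a PNG carries attacker-controlled width, height, bit depth and colour type. The naive function multiplies them in 32 bits, so a 65536 x 65536 RGBA header yields a size of 0 and a decoder that allocates that and then writes the pixels overflows the heap. The hardened function validates each field against the PNG spec and checks a caller-supplied cap before the multiplication that could wrap. The IHDR layout and the spec limits are real; the function names, the zeroed CRC and the 256 MiB cap are this example's own choices, and the header bytes are constructed inline.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added illustration, not Microsoft's or any real decoder's code: how a 32-bit
 * size computation on attacker-controlled IHDR fields becomes a heap overflow,
 * and what the checked version looks like. */

#define PNG_SIG_LEN 8
#define IHDR_DATA_LEN 13
/* signature + chunk length + chunk type + IHDR data + CRC */
#define PNG_HEADER_LEN (PNG_SIG_LEN + 4 + 4 + IHDR_DATA_LEN + 4)

static const uint8_t png_sig[PNG_SIG_LEN] = {0x89, 'P', 'N', 'G', 0x0d, 0x0a, 0x1a, 0x0a};

static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

static void put_be32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16); p[2] = (uint8_t)(v >> 8); p[3] = (uint8_t)v;
}

/* Channels per pixel for each PNG colour type; 0 means the type is invalid. */
static unsigned channels_for(uint8_t color_type) {
    switch (color_type) {
    case 0: return 1;  /* greyscale */
    case 2: return 3;  /* truecolour */
    case 3: return 1;  /* indexed */
    case 4: return 2;  /* greyscale + alpha */
    case 6: return 4;  /* truecolour + alpha */
    default: return 0;
    }
}

/* Constructed test input: PNG signature followed by one IHDR chunk.
 * The CRC is left zero because the parsers below do not verify it. */
size_t build_png_header(uint8_t *buf, size_t cap, uint32_t width, uint32_t height,
                        uint8_t bit_depth, uint8_t color_type) {
    if (cap < PNG_HEADER_LEN) return 0;
    uint8_t *p = buf;
    memcpy(p, png_sig, PNG_SIG_LEN); p += PNG_SIG_LEN;
    put_be32(p, IHDR_DATA_LEN);      p += 4;
    memcpy(p, "IHDR", 4);            p += 4;
    put_be32(p, width);              p += 4;
    put_be32(p, height);             p += 4;
    *p++ = bit_depth; *p++ = color_type;
    *p++ = 0; *p++ = 0; *p++ = 0;    /* compression, filter, interlace */
    put_be32(p, 0);                  /* CRC placeholder */
    return PNG_HEADER_LEN;
}

/* Reads signature and IHDR fields. Returns 0 on success, -1 on malformed input. */
static int parse_ihdr(const uint8_t *png, size_t len, uint32_t *w, uint32_t *h,
                      uint8_t *bit_depth, uint8_t *color_type) {
    if (len < PNG_HEADER_LEN || memcmp(png, png_sig, PNG_SIG_LEN) != 0) return -1;
    const uint8_t *p = png + PNG_SIG_LEN;
    if (be32(p) != IHDR_DATA_LEN || memcmp(p + 4, "IHDR", 4) != 0) return -1;
    p += 8;
    *w = be32(p); *h = be32(p + 4); *bit_depth = p[8]; *color_type = p[9];
    return 0;
}

/* VULNERABLE pattern: width * height * bytes_per_pixel done in 32 bits with no
 * range check. For 65536 x 65536 RGBA the product wraps to 0; a decoder that
 * mallocs *out bytes and then writes every pixel overflows the heap. */
int naive_image_bytes(const uint8_t *png, size_t len, uint32_t *out) {
    uint32_t w, h; uint8_t depth, color;
    if (parse_ihdr(png, len, &w, &h, &depth, &color) != 0) return -1;
    uint32_t bytes_per_pixel = channels_for(color) * depth / 8;  /* assumes depth >= 8 */
    *out = w * h * bytes_per_pixel;                              /* unsigned wrap */
    return 0;
}

/* HARDENED: validate every IHDR field against the PNG spec, compute the row
 * size in 64 bits, and reject anything above a caller-supplied cap before the
 * multiplication that could overflow. Returns 0 and the byte count, else -1. */
int safe_image_bytes(const uint8_t *png, size_t len, uint64_t max_bytes, uint64_t *out) {
    uint32_t w, h; uint8_t depth, color;
    if (parse_ihdr(png, len, &w, &h, &depth, &color) != 0) return -1;
    if (w == 0 || h == 0 || w > 0x7fffffffu || h > 0x7fffffffu) return -1;  /* spec: 1..2^31-1 */
    unsigned ch = channels_for(color);
    if (ch == 0) return -1;
    if (depth != 1 && depth != 2 && depth != 4 && depth != 8 && depth != 16) return -1;
    if ((color == 2 || color == 4 || color == 6) && depth < 8) return -1;    /* spec combinations */
    if (color == 3 && depth == 16) return -1;
    uint64_t bits_per_row = (uint64_t)w * ch * depth;     /* at most 2^31 * 4 * 16, fits easily */
    uint64_t row_bytes = (bits_per_row + 7) / 8 + 1;      /* +1 for the per-row filter byte */
    if (max_bytes == 0 || row_bytes > max_bytes / h) return -1;  /* overflow-safe cap check */
    *out = row_bytes * h;
    return 0;
}

int main(void) {
    uint8_t buf[PNG_HEADER_LEN];
    uint32_t naive = 0; uint64_t safe = 0;
    size_t n = build_png_header(buf, sizeof buf, 65536u, 65536u, 8, 6);  /* hostile dimensions */
    naive_image_bytes(buf, n, &naive);
    printf("naive size for 65536x65536 RGBA: %u bytes (wrapped)\n", naive);
    printf("safe check: %s\n", safe_image_bytes(buf, n, 256ull << 20, &safe) == 0 ? "accepted" : "rejected");
    n = build_png_header(buf, sizeof buf, 640, 480, 8, 6);
    safe_image_bytes(buf, n, 256ull << 20, &safe);
    printf("safe size for 640x480 RGBA: %llu bytes\n", (unsigned long long)safe);
    return 0;
}
```

The cap check divides instead of multiplying (row_bytes > max_bytes / h) so the comparison itself cannot overflow; the same discipline applies to the per-chunk length field, which the posts later in the thread note is the other classic place an image decoder trusts a 32-bit value it should not.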
Re:Sure glad I don't have to do this crap (Score:4, Insightful)
The amount of "CPU time" "Windows users" spend patching holes is a few minutes every month. And get off your high horse, here: while Linux distros provide updates for a more comprehensive range of apps, it's also the case that you have to download far more (in terms of raw megabytes) far more often. I'm willing to bet right now that, timing from the release of FC3, FC3 has required more and bigger updates than Windows.
I'll never forget the time, earlier this year in fact, when Mandrake provided a security "update" for the kernel (you may remember the much-publicized privilege escalation vulnerability around the end of last year). This "patch" consisted of the whole kernel source (maybe 40MBs of it) which you would have to manually compile and install (no nice binary rpm, here). With this one single update, Mandrake users have exceeded the "CPU time" required for a few months of Windows updates. And let's not forget the hefty kdelibs security updates, which basically amount to downloading the whole of kdelibs again, since none of the distros seem to provide diff-style patching. The same with Firefox (8MB on Linux...?).
Also, while we are free from worms and viruses here, note that there is nothing innate to Linux that precludes phishing and spoofing attacks.
Ugh.
Re:To bad (Score:5, Insightful)
Vendors should never, ever roll back changes into older versions of their software they force you to use. Tabbed browsing, correct graphics display, CSS support will all be available someday so shut yer piehole! All you'll have to do is upgrade your entire system to get these features. And it's not like anyone else has managed to get that stuff working on the same platform, right? Right? Well, maybe someone has but they must have more programming resources than MS, no doubt...
=tkk
the problem isn't what it appears to be (Score:4, Insightful)
There are really two problems here, one true of all major OSes right now, and the other one true of proprietary systems.
The first problem is the pervasive use of C and C++, which makes systems unnecessarily prone to buffer overflows and related problems. C and C++ programmers keep saying that they can handle it, but it is obvious that they can't.
The second problem is that Microsoft and Apple only update their own applications; users are saddled with downloading updates for other software by hand. If all these bugs exist in IE, you can bet similar bugs exist in Photoshop, Office, and many other apps that aren't automatically updated.
Re:Patches don't solve the problem on new installs (Score:5, Insightful)
1) Switch on the built-in firewall before you connect to the internet. It's very basic but it does the job, I've been running an unpatched XP system with nothing more than the built-in firewall for months now with no problems.
2) Buy a router. £25/$40 buys you a piece of hardware which acts like a firewall and blocks all incoming ports, other than ones you solicit, natch.
3) Slipstream SP2 into your XP install. Personally I'm staying away from SP2 but use it if you must.
4) Put a copy of Zone Alarm on your "XP Install Disc 2", along with the many useful bits of freeware available at www.grc.com
5) Download, burn and learn how to use Knoppix.
6) ????
7) Profit!
MS can't win (Score:2, Insightful)
if they do patch, you all say "Wow, it must suck really bad to have to patch it"
As if Linux doesn't require constant patching either, hypocrites
Re:Microsoft... again (Score:3, Insightful)
Without actually using AV software, you'd verify this how? Don't pretend that the tasklist command from the CLI (just a text version of the Task Manager) is going to save your ass. Most viri don't tend to show up in such a perfunctory fashion. I'd be willing to bet your box is in a lot worse shape than you think it is. Don't be like those guys who have sex with random people without protection because they have a false sense of immunity from what affects everyone else. Your Windows isn't special.
Re:Sure glad I don't have to do this crap (Score:3, Insightful)
Does your firewall block outgoing HTTP connections and incoming email? If not, then it's not going to help against attacks like this PNG bug which are propagated through user-pulled data rather than attacker-pushed port connections. Such attacks exist for Linux, too. There is no such thing as "safe networking", and the only way to come close is to keep every connected computer up to date. I think Fedora still comes with up2date searching for updates in the background and displaying the results on a panel icon. Unless you use something else for security updates you ought to be clicking on that every time it finds something new.
Re:IE PNGs (Score:5, Insightful)
Re:Venture to guess? (Score:2, Insightful)
Rather, buffer overflows are trivial to avoid in class assignments (and indeed, small projects). It's when the project grows larger, gets split into multiple program units and gets multiple authors that you really start scratching the surface of industrial strength development (something the armchair developers on
To top it all, code that is 'safe' can often be made 'unsafe' by running it under circumstances the authors never intended: there's a whole class of overflow attacks that use code/data injection to crack even supposedly secure programs (and no, not even Java/C# is safe from this).
Re:Reminds me of the JPG buffer overflow (Score:4, Insightful)
For example in 2002 an arbitrary code execution vulnerability was found in Mozilla's PNG code (155222 [mozilla.org]). That obviously set off people searching for other image vulnerabilities, which resulted in them finding Mozilla's GIF decoder was also flawed, allowing for arbitrary code execution (157989 [mozilla.org]). By your logic once that initial alarm goes out the code should be checked and all bugs will be found; if bugs are still present in that module (or in Microsoft's case, in a completely separate but similar one) then it represents a huge failure by the organization. Now since open source projects have tens of thousands of eyes to check source code once a flaw has been found, I'd assume it applies equally to Mozilla. Let's test that theory.
Fast forward to 2004, and the PNG library still has arbitrary code vulnerabilities (251381 [mozilla.org]). Given that people knew as early as 2002 that there had been PNG vulnerabilities, WHY did they not find this one until 2 years later?
Fast forward to 2005, and this time it's the GIF code. Now we already knew the GIF library had problems 3 years ago, yet somehow an arbitrary code execution flaw, which existed from the very beginning of the Mozilla project (1998), is found (mfsa2005-30 [mozilla.org]). This dangerous exploit has been sitting in open source code for 7 years. 3 years ago attention was brought to that very module for the very same kind of exploit. And yet it wasn't found until just a few months ago. By the logic of Nos [slashdot.org], the Mozilla Foundation, and everyone who has checked the code, are morons. Or perhaps Nos has some doublethink to get himself out of the Microsoft-bashing-to-make-himself-cool hole he dug himself.
Re:Microsoft... again (Score:3, Insightful)
It's pretty easy to not get a virus in Windows. How? Well, there are 3 basic ways you get infected:
1. Listening network ports with compromisable services. Solution: install a NAT'ing router with firewall. Paranoid solution: install Zonealarm or one of the dozen other competing offerings as well. Have fun remotely exploiting my machine when you can't connect to it.
2. Opening infected executables. Solution: only install software from trusted sources. Paranoid solution: only use what the standard install comes with. Believe it or not, not everyone installs 50 pieces of extraneous software. On my last remaining Windows box, I think Winamp and a Citrix client for work is about it. These installers have long since been checked for viruses and are installed from known, good, read-only media. Good luck infecting me there.
3. IE, Outlook, or other network-aware application exploits. Solution: turn off ActiveX, JavaScript. Paranoid solution: don't use these apps at all. Find small, niche apps that have never been exploited - yes, these do exist.
This growing attitude of "if you don't run AV software, you're probably infected" is disturbing. Viruses and worms don't just magically appear out of nowhere, they come in through known, predictable routes. Close those routes, and you prevent infection. Well, until virus writers become so sophisticated that they can fake out a TCP/IP stack entirely - in which case they can probably fool your AV software as well.
Re:IE PNGs (Score:3, Insightful)
Re:Venture to guess? (Score:2, Insightful)
I think it inadvertently proves yet another point as well:
If people who've in most cases been using a language since shortly after birth still can't get all the details right when using it,
So, in conclusion, <sarcasm><irony>"STFU, buffer overrun nazis!"</irony></sarcasm>
I do feel that attention to detail in one is reflected in the other and that overall quality will improve in neither until people start to care and it becomes less socially acceptable to make the mistake in the first place than to be the one to point the mistake out, in code or otherwise.
Re:Venture to guess? (Score:2, Insightful)
In my experience, you've got it backwards. Before I became a photographer I did embedded software for 20 years, shipping over 100M units and often having the final signature to begin fabricating my code into masked ROM. What I found was that overemphasis on "blame" instead of "results" was counterproductive. I seem to recall a discussion by Knuth on the point, but lack a citation.
Where you and I agree is on the idea that caring about the quality of one's code matters. It matters enormously. I've had the opportunity to primarily work with engineers who really do want to ship good, quality product. In the environments I've worked in, the occasional snarking at a bug has been counterproductive. It makes programmers defensive about their code, rather than being open to review and criticism, and thereby reduces the quality of the final product. Your experience may vary.
Re:Wow. You'd think they'd get all these (Score:3, Insightful)
I don't presume to know it all, and I'm not pointing any fingers, it just seems to me like Microsoft is a victim of its own legacy code and bad design. They designed Windows as a single user, trusted system and then tacked on multi-user ability and unsurprisingly, have had problem after problem with untrusted code and exploits, etc. In much the same way, Linux and Unix apps even as old as sendmail can be a victim of a bad design decision (setuid binaries, too many weak points in the chain, etc.)
I'm not exactly defending Microsoft, but it's not a problem unique to them, either.
-Jay
The disturbing trend (Score:3, Insightful)
The problem is that it's pretty hard to defend against those things. Home users don't know how. Corporate network administrators have hundreds of interlocking "business requirements" that prevent them from shutting the door to "critical services" like SMB file sharing between PC systems.
Worms get into corporate networks through a variety of means, borrowing techniques from viruses and mass emailer viruses, as well as adware and spyware. Some of those holes are impossible to block on a typical corporate network. Take the Internet Explorer holes in corporations that have spent the last several years deploying "internet based applications" that only function correctly with Internet Explorer, for example. Can't block 'em. Might take months to patch 'em if you have tens of thousands of PC systems.
Once a worm gets into a network by exploiting a single system through a mundane virus or adware-only hole like this, it's likely to find a wormable exploit on many other systems. Once a worm is inside, the soft candy center of the corporate network is difficult to defend from a worm with conventional techniques, which are typically perimeter defense in nature.
Even worse, some of my clients have reported that they have, out of tens of thousands of users, at least several who seem to get their PC infected over and over and over. They suspect that this is a "coffee break effect". The users learned that if they double-click on the occasional malicious attachment that leaks through the antivirus email filter at the gateway, and the one on their PC, they get the afternoon off because their PC is taken offline by the network admin staff.
So AntiVirus really is part of the layered defense required for "closing those routes" in the modern age for most companies and home users.
By the way, the observed incidents supporting the "coffee break effect" are the worms and viruses that successfully exploit the patch gap or the definition gap. Most of the time that users double-click to unzip, type in the password and then double-click to execute a malicious attachment, they are thwarted by the AntiVirus system.