Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
×
Bug Windows Microsoft Security IT

New Critical Bug In All Current Windows Versions 156

Trailrunner7 writes "Microsoft is warning its users about a dangerous flaw in the way that Windows handles certain MHTML operations, which could allow an attacker to run code on vulnerable machines. The bug affects all of the current versions of Windows, from XP up through Windows 7 and Windows Server 2008. Microsoft issued an advisory about the MHTML vulnerability, which has been discussed among security researchers in recent days. There is some exploit code available for the bug, as well. In addition to the advisory, Microsoft has released a FixIt tool, which helps mitigate attacks against the vulnerability in Windows."
This discussion has been archived. No new comments can be posted.

New Critical Bug In All Current Windows Versions

Comments Filter:
  • by Nuisance ( 153513 ) on Friday January 28, 2011 @08:08PM (#35039994)

    Would be nice to have seen these in the article...

    http://support.microsoft.com/kb/2501696 [microsoft.com]

    • by icebike ( 68054 ) on Friday January 28, 2011 @09:05PM (#35040304)

      Perhaps also useful would be a hint that simply avoiding Internet Explorer would provide all the protection from this bug that is needed.

      • No kidding. But hey, Microsoft just wants liability protection. They don't give a shit about actually giving users the data they need to protect themselves if it means tarnishing their image.

        They know you can't replace Windows, but you can easily replace IE, hence it's a "Windows" problem.

      • What about Outlook? Can this exploit be triggered by code embedded in an email?
        • by ais523 ( 1172701 )
          According to Microsoft's security advisory, you can trigger the bug like that but Outlook's security settings are too locked down for it to actually be exploitable there.
  • Investing (Score:5, Funny)

    by cosm ( 1072588 ) <thecosm3@gmai l . c om> on Friday January 28, 2011 @08:10PM (#35040008)
    Can I just say that now is probably a good time to invest in the tech industry. Since /. has redesigned the site, I believe productivity levels in the industry will be on the rise due to the number of commenters leaving in droves.
    • by Anonymous Coward on Friday January 28, 2011 @08:20PM (#35040068)

      I'd mod you up but moderation is broken on opera

      • Re:Investing (Score:5, Insightful)

        by artor3 ( 1344997 ) on Friday January 28, 2011 @08:42PM (#35040184)

        And I'd mod you down, but doing so would make my post (and all other child posts) invisible as well. Heck, since you posted as AC, odds are no one will ever know this post was here.

        • by migla ( 1099771 )

          And I'd mod you sideways if there was that option and if I could see any plusses and/or minuses on the metamod page, so that I could metamod and maybe get some modpoints.

        • On the other hand, just making all posts above -1 visible and plowing on through seems easier now. That's what I'm doing ATM anyway.
      • I'd mod you down for using Opera, but ator3 already mentioned why I can't.
      • by DAldredge ( 2353 ) <SlashdotEmail@GMail.Com> on Friday January 28, 2011 @09:30PM (#35040440) Journal
        I would mod you up but /. hasn't given me mod points for 3 or 4 years.
        • Hang in there Anitsyzgy - I was in the same place then last week - poof - mod points. All week. Now you get 10 of the stupid things.

          Kinda like dingleberies - they hang around and are hard to get rid of. You're probably doing better posting than moderating anyway.
          • For the past year and a half I've been getting mod points as soon as the previous bunch expired. It's bordering on annoying :)

          • Re:Investing (Score:5, Informative)

            by Mr. DOS ( 1276020 ) on Friday January 28, 2011 @11:34PM (#35040926)

            Sorry, but the 10 mod points is because you've been singled out [slashdot.org] (check the question “Why do I have 10 moderator points instead of the usual 5?” under Comments and Moderation), not because of the new design.

            • by ikkonoishi ( 674762 ) on Friday January 28, 2011 @11:54PM (#35041004) Journal

              I must be a moderating god because I get mine in chunks of 15. O_o

              Yes. The power! Its going to my head. I am the mod god! Its me!

              • Re: (Score:3, Insightful)

                by Sponge Bath ( 413667 )

                ./ needs an online FPS called Mod Arena where people with mod points can wager them in virtual combat. The winners can then sculpt discussions in their own Mod God self image. For instance you could mod up all posts about Lord of the Rings as "+1 Super Cheetos Cool" and mod down all Star Wars posts as "-1 Decaying Franchise".

                Oh, yeah. To stay on topic: Windows has security problems.

              • So do I, actually. I wonder what the actual statistics are for mod point allocation?
      • by Maow ( 620678 )

        I'd mod you up but moderation is broken on opera

        I'd mod him up, but reading is broken on Firefox.

      • I'd mod up too, but I am not here any more. Seriously, any change takes a while to get used to, but the new site design is an epic fail of Digg proportions. I have now added an RSS feed to /. on my phone and that's pretty much as far as I get with /. now.
    • I quite like the new site actually, it's clean and seems less buggy then the old one.

      While it had some bugs when it was release, most of them appear to have been fixed.

      The only issues I have with it is the mobile version, text is too small, and quite a few rendering glitches (over-lapping text, title of top post getting clipped).

    • by dave562 ( 969951 )

      I would reply to this, but if you were to reply back to me, I would have to drill down through a whole slew of posts to find what you wrote. Where as previously I could just go to http://slashdot.org/~dave562/comments [slashdot.org] and then click on the comment you replied to. It would bring up a nice, EXPANDED tree view of the discussion thread.

      One step forward, two steps back? Ah hell, who am I kidding. We all know that three steps were taken, but they were all in the same direction.

    • Is it just me or does the front page not show the number of comments any more? I really liked that and now it feels weird.

      Any way to turn it back on?

      • by Anonymous Coward

        I liked that too.

        I also liked the ability to do basic slashdot stuff WITHOUT HAVING TO FUCKING ENABLE JAVASCRIPT!

      • by Anonymous Coward

        People leaving in droves affects comment numbers. Best not to advertise it on the front page :)

      • Re:Investing (Score:4, Interesting)

        by uvajed_ekil ( 914487 ) on Saturday January 29, 2011 @01:59AM (#35041320)
        You're right, I'm not seeing the number of comments, either. I liked having it - I knew instantly if there was a big buzz about something, or if taking time to throw in my two cents might matter for a stalled thread.
      • As I am typing this, it says there have only been 92 comments, so far. I have been wondering where all the comments and replies went. Do I just did not know how properly use the new version of their website to see all of the comments that might possibly really be hidden somewhere there?

        Even when I click on various comments, I am not usually not finding many additional replies hidden beneath that comment. I am only seeing a tiny fraction of the amount of comments and replies that I had normally been seeing o
    • Re:Investing (Score:5, Insightful)

      by seifried ( 12921 ) on Friday January 28, 2011 @09:09PM (#35040328) Homepage
      I think they've "pulled a Digg"
    • Nah. Now people will waste even more time trying to fix the bugs with Stylish hacks like these:

      One-liner contrast:

      #comments .oneline {background: #F5F5F5 !important;}
      #comments .oneline p {color: Black !important;}
      .oneline .commentBody {color: Black !important;}

      Highlighting friends:

      span.friend {
      border-style: groove;
      border-width: 2px;
      background-color: #32CD32;
      }

      span.friend > a:link {
      color: black !important;
      margin-left: 1em !important;
      margin-right: 1em !important;
      }

      • by Tacvek ( 948259 )

        Nice thanks. I actually did better than highlighting friends, and restored the original icons, while ensuring the icons still function as a link.

        In case anybody finds it interesting: https://gist.github.com/801524 [github.com]
        (Sorry about Gist's syntax highlighting making it hard to read, but you can click the raw link for the formatted text.)

        • Very nice. I actually made a mistake: Black should be black. It works, but it's not kosher.

          And after much cursing, I managed to kill the box on the left:

          div.col_1 { display: none !important; }
          section#firehose { margin-left: 0 !important; }
          section#comments { margin-left: 1.5em !important; }

    • by nmb3000 ( 741169 )

      It's so frustrating how correct you are. I used to enjoy reading comments to a story, but now it's essentially impossible because of how BROKEN the scrolling is (at least in Firefox and IE). Scrolling using the mousewheel is slow as hell and when using the keyboard it's very unresponsive. That and the new style is hard to read and has too much whitespace. I feel like I'm staring at a lightbulb trying to read gray text.

      For me this redesign has just demonstrated why I hate web 2.0. You are held hostage a

      • everyone hates it

        I actually kind of like the new design.

        I used to enjoy reading comments to a story, but now it's essentially impossible because of how BROKEN the scrolling is (at least in Firefox and IE). Scrolling using the mousewheel is slow as hell and when using the keyboard it's very unresponsive.

        Scrolls just fine for me in Firefox 3.6.13 (which I use at home) and Firefox 4.0b10 (which I use at work) and IE7/IE8 (also used at work).

        That and the new style is hard to read and has too much whitespace.

        Hadn't really noticed any real change in readability.

        My only real complaint would be seeing replies to my comments. Used to be the email you got provided a link directly to the reply, now you have to drill down through several layers of comments to see what was said. That's genuinely annoying. But not crippling.

  • WTF is a current version of Windows? 3, 95, 98, Me, 2000, XP??

    • WTF is a current version of Windows? 3, 95, 98, Me, 2000, XP??

      Versions that are still supported actively, which are Windows XP SP3 and newer.

    • Re:Which versions (Score:5, Informative)

      by PatPending ( 953482 ) on Friday January 28, 2011 @08:34PM (#35040134)

      Windows XP Service Pack 3
      Windows XP Professional x64 Edition Service Pack 2
      Windows Server 2003 Service Pack 2
      Windows Server 2003 x64 Edition Service Pack 2
      Windows Server 2003 with SP2 for Itanium-based Systems
      Windows Vista Service Pack 1 and Windows Vista Service Pack 2
      Windows Vista x64 Edition Service Pack 1 and Windows Vista x64 Edition Service Pack 2
      Windows Server 2008 for 32-bit Systems and Windows Server 2008 for 32-bit Systems Service Pack 2**
      Windows Server 2008 for x64-based Systems and Windows Server 2008 for x64-based Systems Service Pack 2**
      Windows Server 2008 for Itanium-based Systems and Windows Server 2008 for Itanium-based Systems Service Pack 2
      Windows 7 for 32-bit Systems
      Windows 7 for x64-based Systems
      Windows Server 2008 R2 for x64-based Systems**
      Windows Server 2008 R2 for Itanium-based Systems
      Source: http://www.microsoft.com/technet/security/advisory/2501696.mspx [microsoft.com]
      Appears to apply only to Internet Explorer
    • Umm it's right in TFS.

      from XP up through Windows 7 and Windows Server 2008

      • Why should he have to read TFS when there are fools (like me; see my earlier reply and my sig) who post informative replies? ~
    • by 1u3hr ( 530656 )
      It doesn't mean that non-current versions are safe, just that they didn't bother to test them. So just assume it's every version. Or if you don't use IE, no version.
  • I would assume Firefox handles its MHTML itself?

    a

    • by JSG ( 82708 )

      Try using a search engine with the term MHTML and getting something like this: http://en.wikipedia.org/wiki/MHTML [wikipedia.org]

      On FF you'll need a plugin to "see" MHTML, whatever it is. It seems to be an unholy mix of HTML and MIME and sounds unpleasant and probably a bit unnecessary.

      Cheers
      Jon

  • Who writes these Headlines. It's not a NEW bug it's an (possibly) un-noticed OLD bug.

  • It goes so fast that those little buggies just can't get out of the way. Besides, they are drawn to the light.
  • The bug's not new... in multiple editions of Windows; that means it's been around for quite a while.

    Newly discovered, yes, but in the average month there are over 20 serious newly discovered bugs in Windows. And there are millions more where that came from.

    • The bug's not new... in multiple editions of Windows; that means it's been around for quite a while.

      Newly discovered, yes, but in the average month there are over 20 serious newly discovered bugs in Windows. And there are millions more where that came from.

      It's not a bug! It is a FEATURE!!
      Get with the times, man.

  • by Crypto Gnome ( 651401 ) on Saturday January 29, 2011 @02:32AM (#35041432) Homepage Journal
    MSIE just shot itself in the foot.

    MHTML is a microsoft-ism

    If you do not use the worlds-most-villified-browser, and if you have also not explicitly installed a plugin (or otherwise) to enable MHTML support in our *much less sucky* browser, then you are golden.
  • Goddamned monolithic systems... Insecure components breaking entire installations, where the components themselves are not used more than once a year perhaps. Way to go, Microsoft, seems you're religious about all of it.

  • by Otis_INF ( 130595 ) on Saturday January 29, 2011 @06:24AM (#35041854) Homepage

    Now you link to some blogpost/article on some random site, which only rehashes what Microsoft's own article at teched has to say as well..

    Link to direct advisory:
    https://www.microsoft.com/technet/security/advisory/2501696.mspx [microsoft.com]

  • Now we can finally run native code in a mainstream browser?

Someday somebody has got to decide whether the typewriter is the machine, or the person who operates it.

Working...