Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Microsoft Operating Systems Security Software Windows

Microsoft Issues Five New Security Warnings 576

smelroy writes "Microsoft on Wednesday issued security bulletins for five new software vulnerabilities, including a flaw in Visual Basic for Applications that the company rated as critical. The company has posted patches for each of the flaws on its Web site. Four of the problems affect Microsoft's Office desktop software. You can read the story here and the security bulletins here."
This discussion has been archived. No new comments can be posted.

Microsoft Issues Five New Security Warnings

Comments Filter:
  • deja vu (Score:5, Funny)

    by Anonymous Coward on Thursday September 04, 2003 @09:06AM (#6868373)
    i'm having this funny feeling of deja vu...
  • by greechneb ( 574646 ) on Thursday September 04, 2003 @09:06AM (#6868381) Journal
    The most serious of the flaws could let an attacker execute code from an open Office application.

    Confused me because I couldn't figure out why Microsoft was releasing bug reports for openoffice. (Aside from the obvious conspiracy theory that Microsoft would be trying to make the competition look bad)

  • by feed_those_kitties ( 606289 ) on Thursday September 04, 2003 @09:06AM (#6868382)
    And how long until the entire operating system, and all the Microsoft applications, are all just patches?

    There comes to a point where you just can't patch things anymore, and it's time to start over new. And, hopefully get it right this time!

  • Same old (Score:3, Interesting)

    by L-s-L69 ( 700599 ) on Thursday September 04, 2003 @09:08AM (#6868391)
    Same old sh*t, different day. Other than alerting admins who really should know this is there a reason for having it on the front page?
    • Sure there is. SCO is obviously old news and we need something new to point at and laugh out loud while inwardly we cry because this stuff is pushed onto us from above.
  • critical VBA flaw (Score:5, Insightful)

    by b17bmbr ( 608864 ) on Thursday September 04, 2003 @09:08AM (#6868394)
    wouldn't ANY vba flaw be critical. if i recall correctly, through vba, you can manipulate the entire file system. while it doesn't give you low level access, it has access to every COM object on your system. in fact, weren't the code red and i love you virii (and many others) written in VBA. VBA seems to be such a big reason that businesses can't move away from windows/office. to me, it seems like a reason TO move away from office.
    • by mforbes ( 575538 ) on Thursday September 04, 2003 @09:19AM (#6868539)
      OpenOffice and StarOffice also having built-in scripting languages. Perhaps the risks of buffer overruns aren't as common under those (I don't know, since I lack much experience with those scripting languages), but in all fairness to MS, if OpenOffice were the leading suite & de facto standard, it would also see many attacks. The problem in this case isn't that the flaw exists-- patches are easy enough to apply. It's that with the near-monopoly MS has over hundreds of millions of users, you can always guarantee some large subset of users won't have the patches installed, and thus will be vulnerable to attack.
      • Re:critical VBA flaw (Score:5, Informative)

        by Surak ( 18578 ) * <.surak. .at. .mailblocks.com.> on Thursday September 04, 2003 @09:33AM (#6868674) Homepage Journal
        Speaking as someone who has written full-blown applications in VBA, OOo and StarOffice use StarBasic, which isn't quite the same thing as VBA. VBA is a lot more at the system level and gives you more control over the machine.

      • Re:critical VBA flaw (Score:5, Informative)

        by ScrewMaster ( 602015 ) on Thursday September 04, 2003 @09:56AM (#6868876)
        You might see more, but Microsoft still hasn't grasped the sandbox principle: any code that isn't explicitly trusted should not be allowed to access any data or functionality outside a strictly limited area. It can play all it wants inside that sandbox, but won't be allowed out to do harm. ActiveX and COM are two of the most dangerous Microsoft inventions from a security standpoint, since they don't place enough restrictions on what a remote programmer can do with your machine.
  • by winkydink ( 650484 ) * <sv.dude@gmail.com> on Thursday September 04, 2003 @09:08AM (#6868398) Homepage Journal
    ...without either e-mail from RedHat about a bug or news from MS about one. Lucky me, today I have both.
  • by Anonymous Coward on Thursday September 04, 2003 @09:10AM (#6868421)


    1.SuSE

    2.Red Hat

    3.Mandrake

    4.Debian

    5.Gentoo
  • by Karl Cocknozzle ( 514413 ) <kcocknozzle@hotm ... inus threevowels> on Thursday September 04, 2003 @09:10AM (#6868423) Homepage
    Crap! That means I have to touch every machine in the enterprise--again! Just two weeks after "touching 'em all" (not in the baseball sense) from the last round of worm patches.

    How I long for the old days of Novell... Ah...take me away!
    • by nairnr ( 314138 ) on Thursday September 04, 2003 @09:14AM (#6868477)
      Kinda makes you yearn for thin clients again... Make a few changes that affect all users. It seems to be something that would start making some sense again, with the number of times that systems are affected in a coporate environment, a more centralized server system does have its advantages. It would be interesting if this frequent patch cycle is affecting how people deploy large scale systems.

      Ah, X-servers :-)

    • by nick this ( 22998 ) on Thursday September 04, 2003 @10:15AM (#6869083) Journal


      Sounds like what you are looking for is SUS [microsoft.com]. This will allow you to push security updates to your clients centrally.


      Takes an afternoon to get set up and running, but after that, it runs with minimal intervention. Test your security updates, then authorize them to be distributed by the SUS server, and it takes care of the rest.


      Of course, this assumes that you are running win2k or better on the client side. If not, you are stuck with logon scripting stuff for old machines. Not pretty. If you do have w2k or better, though, this is a huge timesaver. Works pretty good too. Those few that have already discovered it were able to stand on the sidelines, amused, as those who were trying to windows update machines one by one got eaten up by blaster.


      Course, in fairness, there is another product that protects you from these kinds of worms, too... and it's sexy as hell. [apple.com]

      • SUS focuses primarily on Windows Updates and not patches involving Office or other Microsoft server and client applications (since it pulls the updates from the same repository as windowsupdates.microsoft.com).

        Instead, for Office applications, you would just need to update the administrative install points (which I'm doing now) and using a client management system (SMS, LANDesk, Group Policies, what have you) to run a batch file that points to the administrative install point for the version of Office inst
  • by mahdi13 ( 660205 ) <icarus.lnx@gmail.com> on Thursday September 04, 2003 @09:11AM (#6868429) Journal
    I thought Visual Basic was a flaw!
  • office (Score:4, Interesting)

    by cybercuzco ( 100904 ) on Thursday September 04, 2003 @09:11AM (#6868431) Homepage Journal
    I remember in HS I could own any mac in school that had office installed on it. At that time office had a find file program built in with the added "feature" that it could move files around once you found them. The security program on the macs of course disabled apples find file and locked certain folders so you couldnt delete programs. Office bypassed all that. All you had to do was find and move the security programs preference file to the trash and restart the computer. The password would be reset to the default password, which I happened to know (admin:admin is pretty easy) Voila, Office as a hacking tool. And it was a feature of office!
    • Re:office (Score:4, Informative)

      by astrashe ( 7452 ) * on Thursday September 04, 2003 @09:17AM (#6868507) Journal
      I don't think it's fair to blame office for that -- the old macos didn't have real file system permissions, and that's why it was insecure. Locking the finder down was the best they could do, but it just wasn't a realistic solution.

      • A deadbolt on a door isn't a realistic solution to lock a house down but it does serve a good purpose.

        Office circumventing that security method is exactly like installing a doorbell only to find that the front door pops open regardless of whether it is locked or not when you press the doorbell button.

        How does a doorbell and front door relate to this? Neither is adequate security but both were easily circumvented by a third party device that SHOULDN'T interfere. Blame should not be waived just because th
  • by euxneks ( 516538 ) on Thursday September 04, 2003 @09:11AM (#6868441)
    It doesn't make any sense for a company to keep building something that requires a patch every few days. Are they actually making money off of these patches?

    It's just that I've never heard of anything so blatantly broken that is so successful.

    Maybe I'm just angry because some scumware got into my computer system.
    • It's just that I've never heard of anything so blatantly broken that is so successful.

      You are obviously not remembering the "good old days" very well. Every computer system is crummy. Linux is crummy. It's just a matter of how much we are paying for suckness.

      At least Linux us honest about its suckworthyness. You don't see Linus making grand speeches about "Trustworthy" computing, or "Security through fill in the methodology". He and his cadre are out there coding for fun. They will tell you as much. Ma

  • by 192939495969798999 ( 58312 ) <infoNO@SPAMdevinmoore.com> on Thursday September 04, 2003 @09:12AM (#6868451) Homepage Journal
    When we get more like 50 of these a week, then we'll know that they've really gotten serious. Large systems have a lot of holes in them -- especially when no one was plugging the holes for oh, 10 years or so.
  • by EvilTwinSkippy ( 112490 ) <yoda@NosPAM.etoyoc.com> on Thursday September 04, 2003 @09:13AM (#6868461) Homepage Journal
    Trustworth computing at work. Interesting how they have a critical flaw in Office at about the same time they are espousing new lock in features and DRM.

    My tinfoil cap has 2 pennies.

  • Final patch (Score:3, Funny)

    by mcgroarty ( 633843 ) <brian.mcgroarty@nOSpAm.gmail.com> on Thursday September 04, 2003 @09:13AM (#6868468) Homepage
    I'm thinking MS could save a whole lot of time if they'd just get rid of the network and user input drivers!
  • by turgid ( 580780 ) on Thursday September 04, 2003 @09:14AM (#6868470) Journal
    Flaws in Visual BASIC are documented right here [ddj.com]
  • At least the Office updates don't require a reboot. That makes things a bit easier for me.

    *slinks away to update co-workers machines*
  • woohoo! (Score:2, Funny)

    by xao gypsie ( 641755 )
    for all my fellow IT guys (and girls).......PATCHERS, start your engines!!

    xao
  • by Anonymous Coward on Thursday September 04, 2003 @09:17AM (#6868513)
    [29 Aug 2003] DSA-375 node - buffer overflow, format string
    [26 Aug 2003] DSA-374 libpam-smb - buffer overflow
    [26 Aug 2003] DSA-344 unzip - directory traversal (new revision)
    [18 Aug 2003] DSA-364 man-db - buffer overflows, arbitrary command execution (new revision)
    [16 Aug 2003] DSA-373 autorespond - buffer overflow
    [16 Aug 2003] DSA-372 netris - buffer overflow
    [13 Aug 2003] DSA-358 linux-kernel-2.4.18 - several vulnerabilities (new revision)
    [11 Aug 2003] DSA-371 perl - cross-site scripting
    [09 Aug 2003] DSA-361 kdelibs, kdelibs-crypto - several vulnerabilities (new revision)
    [08 Aug 2003] DSA-370 pam-pgsql - format string
    [08 Aug 2003] DSA-369 zblast - buffer overflow
    [08 Aug 2003] DSA-368 xpcd - buffer overflow
    [08 Aug 2003] DSA-367 xtokkaetama - buffer overflow

    Stop calling the kettle black! Fix your own problems. This stuff wouldn't happen if Debian didn't use out of date software, as most of the flaws mentioned were fixed in the new versions!
    • by akiaki007 ( 148804 ) <[aa316] [at] [nyu.edu]> on Thursday September 04, 2003 @09:38AM (#6868727)
      The only one that *truely* affects Debian here is the kernel bugs. Everything else is software and shouldn't be considered that.

      The MS bugs pertain to the MS release software that directly affect the OS and the Office suite. And I would only really consider the VBA and the OS security bulletins here as being that important as that is what affects Windows. So that's 2.

      For debian we have 1. The rest are other software! If I wanted to talk about bugs with every piece of software being used in Windows, then let's do that. But clearly you're not.

      Stop comparing apples to oranges.
    • by The Revolutionary ( 694752 ) on Thursday September 04, 2003 @12:38PM (#6870671) Homepage Journal
      First, realize that these security alerts arise from a set of over 8710 packages. This is an incredibly large base of software, the great majority of which you will not have installed, and certainly not have installed in a production environment.

      Second, did you even bother to read those security alerts or investigate what the packages are? Briefly:

      node: "Amateur Packet Radio Node program"

      libpam-smb: arbitrary code, but no privilege escalation

      unzip: no privilege escalation, no arbitrary code, and who uses it?

      man-db: only if you go against install-time advice and make it setuid

      autorespond: "This vulnerability is currently not believed to be exploitable due to incidental limits on the length of the problematic input, but there may be situations in which these limits do not apply."

      netris: "A free, networked version of T*tris"

      linux-kernel-2.4.18: most are local only, "STP protocol", or an nfs3 DOS with no arbitrary code or remote root

      perl: yes, "execute arbitrary web script within the context of the generated page"

      kdelibs: konqueror only, client only

      pam-pgsql: arbitrary code, but no privilege escalation

      zblast: "shoot 'em up space game"

      xpcd: local only

      xtokkaetama: local only

      "This stuff wouldn't happen if Debian didn't use out of date software, as most of the flaws mentioned were fixed in the new versions!"

      And this is why I call troll.

      From Debian security FAQ [debian.org]:
      "The most important guideline when making a new package that fixes a security problem is to make as few changes as possible. Our users and developers are relying on the exact behaviour of a release once it is made, so any change we make can possibly break someone's system. This is especially true in case of libraries: make sure you never change the Application Program Interface (API) or Application Binary Interface (ABI), no matter how small the change is.

      This means that moving to a new upstream version is not a good solution, instead the relevant changes should be backported. Generally upstream maintainers are willing to help if needed, if not the Debian security team might be able to help.

      In some cases it is not possible to backport a security fix, for example when large amounts of source code need to be modified or rewritten. If that happens it might be necessary to move to a new upstream version, but this has to be coordinated with the security team beforehand."

  • by Anonymous Coward on Thursday September 04, 2003 @09:18AM (#6868527)


    What's the big deal here? Microsoft finds a flaw, issues the patches, get coverage from slashdot.

    Things that happen all the time with unix/linux OS and apps.

    Don't be mistaken, i ain't pro-Microsoft. I just think that slashdot is often bashing MS products for no reason. Their ideology is bad. The world domination plan is bad. But i'm tired of "hardcore" unix/C fanatics that dismisses .NET without any knowledge of it.

    Whining and moaning everytime they issue a security warning is just plain childish...oh wait this is slashdot
    • by akiaki007 ( 148804 ) <[aa316] [at] [nyu.edu]> on Thursday September 04, 2003 @09:41AM (#6868755)
      I use .Net. And I won't dismiss it. But all the bugs are really annoying. Some seem small. For instance, you can't use customized MenuItems in a ContextMenu in a NotifyIcon. That's quite useful if you think about it. If you want a simple application that runs a lot of other programs and processes in your company, it would make sense to use a NotifyIcon application. But every menu (no images allowed here) looks exactly the same. It would be very helpful to have icons and colours. but you can't. This is just one bug. There are quite a few, even within the compilers.

      I'm not dismissing it completely, but .Net released by MS is still very much a beta. Even at the 1.1 level.
  • Every bit helps (Score:5, Insightful)

    by Doesn't_Comment_Code ( 692510 ) on Thursday September 04, 2003 @09:20AM (#6868543)

    I hope this wins some more business and government contracts for non-Windows based systems.

    Windows is ok for some applications. But this sort of thing (actually a whole month of bad security press) should jar a lot of decision makers to recognize that MS is not the ONLY REAL OS OUT THERE, as there marketing strategy has led all non-tech inclined business execs to beleive.

    The Truth will set you free.
  • by burgburgburg ( 574866 ) <splisken06@nospAm.email.com> on Thursday September 04, 2003 @09:20AM (#6868547)
    Affected platforms include Windows XP, Windows 2000, Windows NT 4.0 Server, and Windows Server 2003.

    Welcome to the family, WS2K3!

  • by Osrin ( 599427 ) on Thursday September 04, 2003 @09:23AM (#6868584) Homepage
    ... but we should really be debating how we get this right on an OSS platform. If I put RedHat9 next to Windows Server 2003 I have significantly more updates to apply to my Linux box.

    This is a community of smart people, the race is on to figure out how to best solve this issue for our end users. Microsoft appears to be beating us by requiring far less updates to be applied than a randomly chosed Linux distro.

    We need to think about the process of distribution and application of these patches, if we can get that right then we get a larger percentage of the desktop.

    Today any undereducated end user who is judging security by the number of patches that jumps to a Linux distro because they've "heard" it is more secure will quickly be jumping back to Windows.
    • by pmz ( 462998 ) on Thursday September 04, 2003 @10:24AM (#6869194) Homepage
      Microsoft appears to be beating us by requiring far less updates to be applied than a randomly chosed Linux distro.

      This is a fallacy, as Windows is closed source. Microsoft will fix only those bugs that are either publicly disclosed, mandated by some court case, or, sometimes, actually found internally by their undersized QA staff. So, of course, Microsoft will appear to have fewer patches. Also, have you considered that the maintainers of your randomly-chosen Linux distribution are actually honest and believe offering a patch is better policy than offering none to save face?

      Open Source (open, transparent, honest)
      Microsoft (closed, opaque, lying assholes)

      Gee, who do we choose? Well, I guess we choose Microsoft, because they have fewer patches!

    • by bogie ( 31020 ) on Thursday September 04, 2003 @10:46AM (#6869421) Journal
      "This is a community of smart people, the race is on to figure out how to best solve this issue for our end users. Microsoft appears to be beating us by requiring far less updates to be applied than a randomly chosed Linux distro."

      A) Linux and its associative apps are opensource so your going to find more security flaws due to the nature of opensource. This is a GOOD thing.
      B) The ratio of packages per "average" linux distro vs. say 2k server or 2k3 server is what? 15 to 1? So judging by that fact its surprising that Microsoft continues to have as many problems as they do. When comparing correctly there is no comparison, MS loses hands down.

      "... but we should really be debating how we get this right on an OSS platform. If I put RedHat9 next to Windows Server 2003 I have significantly more updates to apply to my Linux box."

      Any admin who actually knows how to use update and secure both linux and windows would say different. With Microsoft patches there is decent chance that the patch will not only not work and require a second patch, but also might hose your system. All those admins who get nailed by worms aren't just lazy. Many of them have been burned by MS patches and choose just not to use them.

      Let's also not forget about huge mega patch service packs that you have to use which are somehow ignored in your "count". Forgot about those huh? How many patches do these monsters hold? Hundreds? At a minimum. And of course nobody's system EVER gets hosed by service packs....

      How about those great new restrictive licensing terms which get forced down your throat just because you want to secure your box?

      Lastly even though 2k3 is better about it, I'll also enjoy not having to reboot my system for a simple patch. Don't you think average downtime should be added into the equation?

      I'll take Red Hat's or any other linux vendors patching system any day of the week thanks.
  • by redtail1 ( 603986 ) on Thursday September 04, 2003 @09:25AM (#6868594)
    Maybe Microsoft has started offering their developers $20 for each security fix...
  • by *weasel ( 174362 ) on Thursday September 04, 2003 @09:27AM (#6868622)
    your box is only as secure as the person administering it.

    and apparently, windows users, left to their own devices don't know, or don't care about keeping up to date on security patches.

    although, when enough of them are willing to just go ahead and doubleclick on any attachment from an unknown sender (msblast), these kinda exploits aren't really even necessary.

    all the tools for a secure windows box are already there.
    (though a security-patch-only windowsupdate flavor would be very helpful).
  • by way2trivial ( 601132 ) on Thursday September 04, 2003 @09:29AM (#6868639) Homepage Journal
    didn't make "our products will not kill customers and burn down buildings" one of it's "top priorities"

    think- where we would be then?
  • by syntap ( 242090 ) on Thursday September 04, 2003 @09:32AM (#6868669)
    I'm in a mixed environment where we have some Dells that came with Small Business Edition (either SR1 or original), and other users who needed Access that we purchased Office 2000 Pro for. Because Microsoft requires the original CD, it really adds to the burden of updating because you have to figure out which friggin' disc to use on each individual station. If they would just let us run the damn patch without the CD verification it would be easier.

    Plus, their order of updates is fux0r3d. They have the spell checker update listed as more recent than SP2, but when I run it I get an error message that the update only runs on SP1 .

    It's bad enough to need so many patches, but there are many basic things like the above that Microsoft could easily improve.
    • by superflippy ( 442879 ) on Thursday September 04, 2003 @10:59AM (#6869617) Homepage Journal
      you have to figure out which friggin' disc to use on each individual station

      It's not just a difference between SBE and Pro. It turns out that all Pros are not created equal. The newer machines here were set up in two batches several months apart. All have Office XP Pro, but we discovered when trying to install the patch that the newer Office CDs are not the same as the older ones. Patches on the newer Office XP Pro require a file called PRORET.MSI on the CD, while the less new Office XP Pro needs a file named PRO.MSI on the CD.

      We figured this out after a frustrating attempt to patch my computer. A CD was in there, but the Office Updater didn't like it. It worked fine when we dug out the exact same CD that was originally used to install Office XP Pro on this computer.
    • Have you tried using the office administration kit? It will allow you to make a scripted install that won't ask for CDs or any of that other annoying crap.

      All of Microsoft's installers and patches these days are MSI packages, which you can use several available tools to make "transform" files that skip all the screens, EULAs, next presses, and CD check crap.

      I believe the office administration kit is available for download from Microsoft's office website somewhere. I'll let a karma whore dig up the link.
  • Honestly... (Score:3, Interesting)

    by flamingnight ( 234353 ) <chris.garaffa@nOSpAM.gmail.com> on Thursday September 04, 2003 @09:38AM (#6868724)
    ...is anyone surprised?
    I'm not even sure this belongs on /. anymore. We know MS writes buggy and vulnerable software.
    Of course, MS isn't the only company to write such buggy software. But before anyone says a word about MS being bashed too much, let's remember that 95% statistic. When a company's software runs on approximately 95% of the world's computers, they have the moral responsibility to ensure its stability before they release it.
    We could always blame sysadmins for being too stupid to check for and install updates, but instead, why don't we just educate people on why they should run Windows Update every week (or sooner).
    I'd think billions of dollars in damages to the economy would be enough to get executives cracking the whip at their IT staff. Then again, I also thought Bush lost the election.
  • by Mad Man ( 166674 ) on Thursday September 04, 2003 @09:44AM (#6868771)
    From personal experience, patches for MS Office require the user to have the CD available.

    In the corporate environment, this usually isn't a problem (except for the different flavors of Office we have floating around: MS Office Professional, MS Office Premium, MS Office Academic version, OEM non-retail version, etc. make it a pain).

    However, home users may have MS Word and MS Excel pre-installed on their systems from the store. But they don't have the Office CD itself.

    How can they apply the necessary MS Office patches and service packs?
  • by gosand ( 234100 ) on Thursday September 04, 2003 @09:51AM (#6868846)
    I just thought of something - what do companies like Dell do? They just sell the stock OS on their systems, right? Everyone always complains that people don't patch their systems, but what if you buy a new machine from Dell? I am sure people don't think "oh man, I have a new system, I need to go out and figure out which patches to install". They fire it up and go. Should OEMs be required to sell systems that are up to date on the OS patches?
  • by Repugnant_Shit ( 263651 ) on Thursday September 04, 2003 @10:08AM (#6869001)
    I develop lots of VBA stuff for our office. But all of our installation disks are 75 miles away at the main office. I have an Office XP Upgrade disk that was used on older here, but my full-blown Dell-installed Office XP won't accept it. So how am I supposed to patch this *critical* bug *immediately*?
  • by Angostura ( 703910 ) on Thursday September 04, 2003 @10:17AM (#6869098)
    a couple of points on this.

    While I've just about managed to educate friends and familly about the need to run Windows Update, WU does not in itself warn of critical security issues - you have to remember to visit Office Update manually... and who is going to do that? No one, in my experience.

    but it gets better - The Office Security updates require you to insert the original CD. This seems a mighty strange move, and not terribly useful for me since the CD is several thousand miles away locked up in a cupboard on the other side of the Atlantic.

    Can anyone explain the warped logic here? I could understand it if the new patches enabled new functionality? but these are security patches.

  • by benploni ( 125649 ) on Thursday September 04, 2003 @10:33AM (#6869280) Journal
    Criticality of this is horribly underrated by Microsoft.

    This is critically important for all Windows MS Office users - "the user must open the attachment" is no protection because most users open attachments to see what they are.

    If the infected Word Perfect document is given a .DOC extension, Word will be invoked directly when the user double-clicks the attachment. Word will automatically recognize and convert the document, and run the hostile code with no further opportunity for the user to stop the virus.

    The vulnerability could also be exploited through a web page, and the user would get no chance to say "No" if ActiveX is enabled.
  • by Mongoose ( 8480 ) on Thursday September 04, 2003 @10:40AM (#6869358) Homepage

    1. Open word
    2. ALT+F11
    3. Key in Shell "cmd.exe", VB_Normal_Focus
    3. F5

    This simple example runs a shell, but you can guess what happens when you can load a kernel debugger or alternative win32 shell and have system access.

    This isn't shocking and I've seen everyone try to remove the DOS subsystem, rename net.exe and disable and even remove cmd.exe/command.com by using filesystem tricks and depending on windows lame application's handling of these tricks.

    Basicly you can't secure a Windows machine in public use -- btw if you have acess to the usb port and a jump drive you can get in without a keyboard and send viri/spam/etc from someone else's machine.

    Window's Office VBA system and IE are the ultimate root kit imho.
  • by rakerman ( 409507 ) on Thursday September 04, 2003 @10:54AM (#6869545) Homepage Journal

    Just a note that in order to be fully covered for MS patches, you have to use BOTH Windows Update [microsoft.com] and Office Update [microsoft.com].

    The Windows Update service (automatic or manual) will not detect or install Office patches.

  • by saintjab ( 668572 ) on Thursday September 04, 2003 @11:19AM (#6869865) Homepage Journal
    I'm sure this will get modded down, or ignored by the moderators all together, as off topic; but I feel it's a good camparison. I have two, relatively similar, workstations. One running Red Hat 9 and the other WinXP. I use RH Up2Date on the Linux bawx and Windows Update on the XP machine religiously. The observation that I have made are pretty amazing. Microsoft releases roughly 4 patches for every 1 that RH releases. The RH packages, other than kernel updates, do not require any reboots; where most of the MS ones do. I've not had a single occurrance of an adverse effect on my Linux machine from any patches, where I have had a miriad of issues with the XP/Office updates (insert CD, permissions issues, BSODs, etc). I'm not at all trying to scream the virtues of Linux and downplay MS, but there are real issues. Not to even mention never having adware, spyware, etc. installed on my RH machine without my knowledge. I'm extremely carefull with all of my machines and I stilled managed to get some IE search bar added to my browser. I removed it quickly with Spybot search and destroy, but it still happened. I think MS needs to take a step back from the cash register and seriously evealuate their tactics and practice where desktops are conncered. That is, if they ever want their update service to be even close to as effective as RH. But thats just my two cents and I'm sure there are a line of people out there to tell me I'm wrong and/or full of crap; but these are real world observations from someone who is completely OS neutral. ..jab
    • Microsoft releases roughly 4 patches for every 1 that RH releases.

      I believe you mistyped because the facts say Redhat issues about 4 patches for every one that Microsoft releases.

      I first noticed this myself last year after having installed Redhat 8.0 and subscribed to the redhat network and witnessed the slew of emails I began receiving warning me to run up2date.

      But thats just my two cents and I'm sure there are a line of people out there to tell me I'm wrong and/or full of crap; but these are real wor
  • blame microsoft! (Score:3, Interesting)

    by Anonymous Coward on Thursday September 04, 2003 @11:27AM (#6869967)
    Okay I see a lot of Microsoft apologists saying that "all software has bugs", "Linux has problems too", "dumb admins need to keep their machines up to date".. etc...

    Let's see:

    Linux written by volunteers and small companies.

    Windows written by a company with tens of billions in the bank.

    Linux used mostly on servers and installed by educated admins.

    Windows used by everyone from grandma to the CEO.

    Linux on a small percentage of servers.

    Windows on 96% of machines (or whatever the figure is). Windows used in ATMs, in medical equipment, by the government, etc., etc. The Microsoft antitrust ruling was typed out on a Windows machine.

    And given their resources, their cash, the number of frickin' PhD's on the payroll, and the fact that the entire world economy depends on Windows crap OS (yes even us folks who use Mac/BSD/Linux are still affected indirectly) .. you gotta ask yourself .. is "similar to Linux" in terms of security problems the BEST they can do?

    They have a huge responsibility, and they have chosen not to meet it. Why? Is it so that the government will pass software quality laws that will place a huge burden on Free software, thus weakining it or killing it off?

    Or is it because people have their heads in the sand and refuse to acknowledge that Microsoft is not worth the time and money any more. That's probably it. People are sitting there constantly patching their Windows boxes and not realizing that, hey, maybe there are alternatives. Microsoft has you all by the nuts.

    Why are you guys making excuses for Microsoft? Microsoft's products should be the most secure on the planet given their resources and abilities.

    I used to think, hey, all computers have problems, but after using software like qmail and OpenBSD, I realized, Microsoft is doing about 1% of what they could do. Even just closing ports and making email attachments not be executable would solve a lot of problems. They need to make their software more secure.

    Instead they come up with Palladium or whatever it's called now, a gigantic complex scheme to solve this problem (and a lot of other imaginary "problems" too). Can't they try some simple stuff first?

    So don't apologize for Microsoft, don't say "well, if Linux was everywhere we'd have the same problems" .. the problem today, right now, is Microsoft. The constant flood of pings to my machine are coming from microsoft machines. The viruses are coming from microsoft machines. When is it going to stop??
  • by w42w42 ( 538630 ) on Thursday September 04, 2003 @11:32AM (#6870016)

    A nice quote [komotv.com] from KOMO [komotv.com], a station in Seattle (next door to Redmond for those that are unfamiliar with the area).

    SEATTLE - Those of you using Mac OS or Linux can relax this time, but those using MS Office on Windows, take note: Microsoft has issued some more security alerts.
  • by Futurepower(R) ( 558542 ) on Thursday September 04, 2003 @11:50AM (#6870193) Homepage

    To patch the security vulnerabilities in Microsoft Word, you have to 1) download the patch, 2) find the original Word CD and put it in the CD drive, 3) run the patch, 4) wait while a lot of processing is done with the CD, and 5) put the CD away again. It seems to me that, since this was a patch for a severe security vulnerability, Microsoft could have skipped the time-consuming 2, 4, and 5 steps. Think how many total hours will be lost throughout the world by users or computer professionals whose time is extremely valuable. The TCO just went up.
    • The MSI installer used for Word is indeed terribly slow.
      I took this opportunity to install Office 2K SP3 plus these two fixes, and it easily eats 10 minutes per PC, to install about 12MB of patches. That could be done in 10 seconds.
  • by cmacb ( 547347 ) on Thursday September 04, 2003 @12:41PM (#6870709) Homepage Journal
    The security threat posed by a particular bug in Windows is "Critical", but this is mitigated by the fact that: "The user must open a document sent to them by an attacker in order for this vulnerability to be exploited.", or "The Microsoft Access Snapshot Viewer is not installed with Microsoft Office by default. ", or "Any information disclosure would be completely random. "

    Well that last one is certainly good to know. If my information is going to be disclosed I'd certainly prefer that it be my random information rather than my much more valuable, um, organized information.

    I'm wondering if there are not a team of "Mitigation Specialists" at Microsoft charged with coming up with these things. I think this is something I could handle pretty well. I think I'll send them a resume.

    Here is a sample of my work:

    Mitigating Factors:

    * User must have not only installed Windows and Office, but actually be using these products for any harm to, or exposer of user data to occur.

    ~*~ Small pets, farm animals, or other domesticated wildlife will not be harmed by the use of these products, even if human user fails to exercise due caution.

    *# Extra-Terrestrial life-forms are completely safe even when in the same room as an operating Windows environment.

    ::=. Use of un-patched Outlook Express has been shown to have no effect on local precipitation nor earthquake activity. We will advise customers of an future change in this situation.

    I really think I could come up with a lot of these. How about you? Do you have a future as a Microsoft Mitigation Specialist?

  • by AbbyNormal ( 216235 ) on Thursday September 04, 2003 @01:17PM (#6871118) Homepage
    I loved the article over at NewScientist (here [newscientist.com])

    A Microsoft spokeswoman told New Scientist the risk was lessened by the fact that exploiting any of the vulnerabilities would require a victim to open a document or carry out some other active task. She added: "We don't know of any worms being created."

    Uh...Open a document? You mean like an email with the attached virus/worm that says: "Here is the document you requested"?

    Sigh...Damage control must be getting lazy or something.
  • by SLot ( 82781 ) on Thursday September 04, 2003 @01:47PM (#6871401) Homepage Journal
    Lovely. They say that Word97 is affected,
    but that OfficeUpdate doesn't support Office97.

    Head on over to the manual download section for
    Office97. NOTHING TO BE FOUND RELATED TO
    THIS in the office section. Under Word alone, the latest
    update is from 2001.

    Gee, go figure. Yet another reason to spend money
    I don't have for a product I don't want.

    Oh, and for all you astroturfers & M$ Fanboys -
    at least when Linux does have a flaw, it doesn't
    require me to spend 400 bucks on an upgrade to a
    later, flawed version.

Your own mileage may vary.

Working...