Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Microsoft Operating Systems Security Software Windows

Ten Security Bulletins From Microsoft 392

wschalle writes "Microsoft has released 10 "new" security bulletins, including one pertaining to a vulnerability in the Windows Shell, apparently exploitable via the web. The shell vulnerability only allows code execution as the user viewing the malicious web site. Aren't you glad your shell is web-enabled? The recent GDI+ vulnerability is re-released here as well as a vulnerability in zip compression handling."
This discussion has been archived. No new comments can be posted.

Ten Security Bulletins From Microsoft

Comments Filter:
  • My (Score:5, Funny)

    by Rick Zeman ( 15628 ) on Tuesday October 12, 2004 @06:20PM (#10508752)
    ....Win2k patched fine. Another Tuesday Patch roulette over with....
    • Re:My (Score:4, Informative)

      by pbranes ( 565105 ) on Tuesday October 12, 2004 @06:28PM (#10508827)
      Its interesting to note that the most critical patches - those for remote code execution - do not affect Windows XP with Service Pack 2 installed. When Microsoft built SP2, they did a lot of things right. IE has better security, for one. At my corporation, I have pushed out the updates with SUS already, but I am not too worried about this. I have already implemented SP2 across the corporation, and I am much more secure now than I was without SP2. Yeah, I know that security is a process, not a product, but SP2 helps that process a lot.
      • Re:My (Score:5, Insightful)

        by ADRA ( 37398 ) on Tuesday October 12, 2004 @06:30PM (#10508842)
        Wouldn't that imply that they knew about this problem way before Service Pack 2, and their just now getting around to rolling those patches into previous releases?
        • Re:My (Score:5, Insightful)

          by pbranes ( 565105 ) on Tuesday October 12, 2004 @06:33PM (#10508867)
          Not really. It implies that Microsoft changed the security in IE so that it would be much less likely to be vulnerable to certain types of situations. An analagous example is adding the No Execute (NX) code to hardware and software. It doesn't prevent coding mistakes, but it does prevent many ways of exploiting coding mistakes.
          • by ADRA ( 37398 )
            Wouldn't your system require you to have the NX bit on your CPU? If your CPU doesn't implement NX, does that mean your vulnerable? I admit NX does help security, but assuming that the bug is magically fixed by a NX, a harware based solution on new hardware, I don't think even Microsoft's brazen enough to ignore computers that don't have NX.
            • They also support it in software as well, apparently, to some degree. Or so Windows XP tells me.
              • Re:My (Score:3, Informative)

                by Torne ( 78524 )
                No, they don't, unfortunately. XP SP2 only adds NX functionality on AMD64 and Itanium, their marketing material just omits to mention this in order to make it sound more secure ;)
        • Re:My (Score:5, Interesting)

          by jerw134 ( 409531 ) on Tuesday October 12, 2004 @06:36PM (#10508896)
          It would actually mean that Microsoft built the SP2 updates with a new compiler that basically eliminates any possibility of buffer overflows.
          • by ADRA ( 37398 )
            They we-wrote the OS in .NET CLR??

            "new compiler that basically eliminates any possibility of buffer overflows"

            You're obviously not a programmer if you believe this.
            • Re:My (Score:5, Funny)

              by jerw134 ( 409531 ) on Tuesday October 12, 2004 @06:47PM (#10508989)
              Directly from Microsoft: "core Windows components have been recompiled with the most recent version of our compiler technology, which provides added protection against buffer overruns."

              Source [microsoft.com]
            • Re:My (Score:5, Informative)

              by sploo22 ( 748838 ) <dwahler@gm a i l . c om> on Tuesday October 12, 2004 @07:08PM (#10509169)
              Why not? GCC has had it since 2001. [ibm.com]
            • Re:My (Score:5, Informative)

              by tc ( 93768 ) on Tuesday October 12, 2004 @07:53PM (#10509526)
              It doesn't eliminate all cases, of course, but the /GS compiler flag for Visual C++ does eliminate many of them. In essence, it checks if the return address has been trashed, and throws an exception if it has. Your app still crashes, but that's probably better than being 0wn3d.

              Yes, it is possible to circumvent, and there are of course other kinds of attacks/bugs which this doesn't help with. Nor is it a substitute for actually fixing those buffer overflow problems. However, all that said, it's still a good extra level of defense that does improve the security of the system and apps by substantially mitigating a large class of potential bugs.

          • Re:My (Score:4, Informative)

            by Scorillo47 ( 752445 ) on Wednesday October 13, 2004 @02:08AM (#10511471)
            >>> It would actually mean that Microsoft built the SP2 updates with a new compiler that basically eliminates any possibility of buffer overflows.

            While the new compiler additions detect some buffer overruns/underruns, note that there is no way to get 100% buffer overrun detection with commercial C++ compilers. Usually, these overruns are detected by a variety of methods, like putting canary "values" at the beginning and/or at the end of each of the protected data buffers. These canary values are checked at certain moments of time, usually at the end of the buffer data lieftime - for example for stack-allocated blocks they are checked on routine exit; for heap allocated blocks when the blocks are freed.

            The problem with canaries is that they won't detect memory writes that write directly in other "valid" data buffers. For example thread 1 writing overwriting the contents of some local variables in another stack, manipulated by thread 2.

            There are other techniques, for example checksums for the user-mode data structures (like stack frames, C++ VTABLEs, heap data structures, constant data, etc). But these techniques have limited use too.

            In addition, a malicious piece of code can always workaround the canary/checksum detection. The moment this malicious code has a chance to run in yoru process, all bets are off. It can eventually change the exception trap handlers, etc.

            The only way to get 100% protection from buffer overruns would be to run Java/C#/VB.NET code (with certain restictions of course, for example avoiding unsafe code in C#). That said, you can also avoid buffer overruns to a certain degree in C++ too if you use proper class libraries like STL that perform things like automatic array bound checks, etc.

    • Re:My (Score:3, Insightful)

      by j0217995 ( 597878 )
      Ah, the beauty of Software Update Services... Sync'd w/ windowsupdate.microsoft.com. Test systems checked in first and had no problems. The joy of coming in and seeing the patchs installed when people turn on thier computers in the morning. Yawn, another MS patch done, that was like what 15 minutes of work?
  • I give up (Score:5, Funny)

    by darth_MALL ( 657218 ) on Tuesday October 12, 2004 @06:22PM (#10508766)
    I was just about to write a pro MS defence post to stave off the oncoming attack. I just re-read the article. I quit.
  • by networkBoy ( 774728 ) on Tuesday October 12, 2004 @06:22PM (#10508776) Journal
    So if your user has admin rights (as all at my site do b/c our toolset requires it) then you're screwed if they goto a mal-site. . . . Great.
    -nB
    • by Anonymous Coward

      So if your user has admin rights (as all at my site do b/c our toolset requires it) then you're screwed if they goto a mal-site.

      Your 'toolset' requirements are kinda setting you up for the inevitable don't ya think?

    • Under those conditions you should be evaluating exactly what sites your users need access to and arrange it so that those are the only sites which your proxy or firewall will allow access to.

      We have a client who does this, and they run Linux desktops as well!

      Squid does a remarkably good job of facilitating this sort of strapping down.
  • Insane (Score:2, Interesting)

    Thank you microsoft for vulnerabilities that can take advantage of the so-far-assumed-to-be-safe data files like jpgs and zip files

    txt file vulnerability anyone!?!
  • by 12357bd ( 686909 ) on Tuesday October 12, 2004 @06:23PM (#10508781)

    Ok, Now is a really web enabled experience! :)

  • C&C (Score:5, Funny)

    by schnits0r ( 633893 ) <nathannd@saskte l . n et> on Tuesday October 12, 2004 @06:24PM (#10508791) Homepage Journal
    The recent GDI+ vulnerability

    Good thing I choose to join NOD.


    /rimshot
  • Security is Job 1 (Score:5, Informative)

    by Foofoobar ( 318279 ) on Tuesday October 12, 2004 @06:24PM (#10508792)
    It's nice to know that they have made security such a high priority. Hopefully their next high priority will be 'doing something about it'.
    • Re:Security is Job 1 (Score:2, Informative)

      by Anonymous Coward
      They did. Note that SP2 is not effected for most of the updates. They are most likely backporting fixes in SP2 to older versions of windows.
  • by pawnIII ( 821440 ) on Tuesday October 12, 2004 @06:26PM (#10508804)
    Man, I seriously need to learn Linux asap. If not cause of all the super holes found lately, as for the fact Microsoft doesn't seem to care too much about the user base.
  • by Magickcat ( 768797 ) on Tuesday October 12, 2004 @06:26PM (#10508808)
    I can think of a more comprehensive bulletin:

    1. Internet Explorer (All versions)
    2. Microsoft Office (All versions)
    3. Microsoft Windows OS (All versions)
  • SP2 Isn't Affected (Score:5, Informative)

    by jerw134 ( 409531 ) on Tuesday October 12, 2004 @06:26PM (#10508812)
    Just in case anyone is wondering, SP2 is not affected by any of these vulnerabilities, except for MS04-038 [microsoft.com]. That's the fix for the "drag-and-drop" vulnerability that everyone's been crowing about.
  • OS: Windows XP Professional
    Shell: Litestep ... but mine isn't. :P
  • by JoeLinux ( 20366 ) <joelinux@ g m a i l . c om> on Tuesday October 12, 2004 @06:28PM (#10508823)
    Please select your argument here:
    [ ] MS has these security exploits because it is the biggest OS
    [ ] MS is a steaming pile when it comes to security
    [ ] MS is working on fixing these things, and is doing the responsible thing.
    [ ] 1337! I can't wait to #4x0r!
  • by codepunk ( 167897 ) on Tuesday October 12, 2004 @06:29PM (#10508836)
    Wow now these are guys I can trust!

    Are Windows 98, Windows 98 Second Edition, or Windows Millennium Edition critically affected by any of the vulnerabilities that are addressed in this security bulletin?

    No. None of these vulnerabilities are critical in severity on Windows 98, on Windows 98 Second Edition, or on Windows Millennium Edition. For more information about severity ratings, visit the following Web site.

    Don't sweat it, a remotely exploitable shell is
    not critical!
    • by vijaya_chandra ( 618284 ) on Tuesday October 12, 2004 @06:46PM (#10508981)
      You must be new here not to realise the thinking behind that

      a) Faq says the patch's not critical
      b) Joe doesn't include this in the critical patches he's downloaded on to his system
      c) boom! the system goes down the next week because of the msplaster virus targetting this vulnerability
      d) Joe's not sure about the reason for the crash and re-installs the OS
      e) (c) again after a week
      f) Joe gets frustrated and contacts MS support ppl, who inform him that the brand new Microsoft Windows XP Professional with Service Pack 2, has everything to avoid such crashes
      g) Joe buys what they say

      windows_xp_sales++

      easy!
    • by AKnightCowboy ( 608632 ) on Tuesday October 12, 2004 @08:20PM (#10509698)
      If you're still running Windows 98 or Windows ME then you really deserve to get burned. Windows XP has been out for years and is patched against this vulnerability. I mean for crying out loud. Red Hat 9 isn't patched against many recent vulnerabilities and that's less than 2 years old, so cut Microsoft some slack for not supporting a 6 year old operating system version. That'd be like expecting Red Hat to still support 6.0.
  • by trolman ( 648780 ) * on Tuesday October 12, 2004 @06:31PM (#10508849) Journal
    That is enough for me and my small company. I am using Open Office [openoffice.org] and Mozilla [mozilla.org]full time now. Adios Bill.
  • 10 Bulletins? (Score:4, Informative)

    by nuclear305 ( 674185 ) * on Tuesday October 12, 2004 @06:32PM (#10508860)
    I must wonder...does this have to do with another story [cnn.com]?
    • by ktakki ( 64573 ) on Tuesday October 12, 2004 @08:22PM (#10509711) Homepage Journal
      MS10-01: Vulnerability in Internet Explorer may cause user to worship other gods.
      MS10-02: Buffer overrun in Graven Image processing.
      MS10-03: Vulnerability in RPC Service may cause the name of the Lord to be taken in vain.
      MS10-04: Vulnerability in Task Scheduler may prevent computer from resting on the Sabbath Day.
      MS10-05: Vulnerability in Windows Shell may allow child process to kill parent process.
      MS10-06: Buffer overrun in DCE Locator Service may cause abnormal program termination.
      MS10-07: Vulnerability in Outlook/Outlook Express may lead to adultery.
      MS10-08: Vulnerability in MSKerberos may allow remote user to steal.
      MS10-09: Vulnerability in Excel may allow workbooks or spreadsheets to bear false witness.
      MS10-10: Vulnerability in Internet Explorer may cause user to covet neighbor's ass.

      k.
  • by LiquidMind ( 150126 ) on Tuesday October 12, 2004 @06:33PM (#10508865)
    and (on my page) a microsoft windows server 2003 advertisement right below this article.

    beautiful. fucking beautiful.
  • Seriously, I hope that Microsoft gets their act together before too long.

    I'm a little worried about the possibility of a "final" windows exploit that quickly and without warning kills every MS box it touches.
    All these vulnerabilities are a bit disheartening.

    Either Microsoft is really combing over their programs for errors or they are in trouble
    Kind of makes me happy that I only rely on free/open source programs
  • by Deorus ( 811828 ) on Tuesday October 12, 2004 @06:38PM (#10508914)
    "The best thing about Microsoft bugs is that there are so many to chose from..."
  • "only" (Score:5, Insightful)

    by Anonymous Coward on Tuesday October 12, 2004 @06:38PM (#10508916)
    The shell vulnerability only allows code execution as the user viewing the malicious web site.

    On most XP installations, the only user is "Administrator".
  • by museumpeace ( 735109 ) on Tuesday October 12, 2004 @06:39PM (#10508920) Journal
    Microsoft is having a bad code day. Shocking! I'm shocked I tell you! Heres one the /. editors passed on back on the 7th. MS seems to have passed on it too.
    About noon EDT,
    InfoWorld got report via Secunia, of a MSWord vulnerability [infoworld.com] that can crash a MSIE browser or any Office app that tries to load a properly poisoned word doc file . It is categorized as a potential DOS attack though it seems more a nuisance than a nightmare. My employer, a large and very security conscious federally funded laboratory used to discourage the use of MSIE and promote Mozilla. Today I find they have completely disabled all older or unpatched MSIE versons for browsing outside the lab firewalls.
  • by RealAlaskan ( 576404 ) on Tuesday October 12, 2004 @06:39PM (#10508921) Homepage Journal
    The shell vulnerability only allows code execution as the user viewing the malicious web site. Aren't you glad your shell is web-enabled?

    Aren't you glad you need admin privileges for day-to-day operations on too many windows boxes?

    Aren't you glad that even if you can get by without admin privileges, you can still completely hose your own files just be visiting the wrong website? Aren't you glad the only files that you can infect are the only files that you really care about?

    You bet I'm glad my shell is web-enabled! After all, this Windows box belongs to my employer ... its his time that will be wasted.

    • Aren't you glad you need admin privileges for day-to-day operations on too many windows boxes?

      Pity that, but so what? All the attacker has to do is upload a root kit via browser help object, cookie or similar then execute the kit. Who executes the kit should not matter if the kit is made right.

      The thought of the day is, "just another hole in a screen door." Why are people still running Microsoft junk?

    • Aren't you glad you need admin privileges for day-to-day operations on too many windows boxes?

      For example ?

      Aren't you glad that even if you can get by without admin privileges, you can still completely hose your own files just be visiting the wrong website?

      Like that last Firefox bug that wiped out files and data just by trying to download something ?

      Aren't you glad the only files that you can infect are the only files that you really care about?

      Well, it's kinda hard to be able to do anything to your

  • Only one vulnerability affects to SP2. In fact, the XP SP2 (desktop OS, you know) had less vulnerabilities than win 2k3/XPSP1, which shows the huge progress made in the SP2. I don't know how to take this..."good" because SP2 is good, or "bad" because the server OS is more insecure than the desktop OS. In any case, they're porting the work they did in SP2 to win 2003, so we'll see. They've raised the bar with the SP2, IMHO.
  • Lets see (Score:2, Funny)

    by codepunk ( 167897 )
    Nasty hacker crafts email that appears to be from
    microsoft talking about this great new software that can be downloaded from their site. Of course mindless MCSE network admin does not realize it is a phishing attack and clicks to see the greatest new stuff from the redmond lords. Now nasty hacker owns your entire network......priceless
  • LiteStep (Score:4, Informative)

    by PacoCheezdom ( 615361 ) on Tuesday October 12, 2004 @06:47PM (#10508987)
    People like myself that use LiteStep for a shell under Win32 don't have to deal with the memory overhead of a web-enabled shell, or these web-based exploits.

    It's pretty cool and it's open source and stable (unlike Windows sometimes) and has a decent-size user base, eventhough most of the themes are pretty worthless. (Then again, for any themable program, aren't the bulk of the themes crap?)

    Anyhow, people that are stuck using Windows like I am (Lycoris' Tablet PC version of Linux is next to featureless) should give it a try, if nothing else but as a preventative measure against future bugs like this.
  • by The Bungi ( 221687 ) <thebungi@gmail.com> on Tuesday October 12, 2004 @06:52PM (#10509038) Homepage
    From everything in here [linuxsecurity.com] again?

    With the exception of a proof of concept GDI+ exploit posted to USENET, none of these vulnerabilities are known to be exploited.

    The shell and compressed folder vulns require user interaction, just like 99% of all other "worms". As long as your mail application is patched you can't get hooked via email and if you visit "malicious websites" with anything other than Lynx you probably should be shot anyway. Ditto for a decent firewall.

    On the other hand, I wonder why things like these [securityfocus.com] for soem reason never get posted.

    • by jd ( 1658 ) <imipakNO@SPAMyahoo.com> on Tuesday October 12, 2004 @07:43PM (#10509452) Homepage Journal
      Three of the holes were for "server" editions of Windows. This means that what the user does is largely irrelevent. If the server gets compromised (and, yes, NNTP and SMTP are listed amongst the systems with holes) then you could very easily end up with hostile code on your machine, no matter how updated it may be.


      As far as Linux is concerned, a properly configured Linux box is relatively secure, even if the applications have holes. This is because you can run most servers under restricted user IDs and/or in chroot-ed environments. This means that someone breaking into a server application can't really go anywhere.


      Linux' main "weakness" (diversity of implementations) is also its great strength on this. A Linux virus won't necessarily work on all Linux machines, because it is going to make assumptions about the nature of that machine which may not hold true. Applications can be configured on installation by the admin, but viruses don't usually get that benefit.


      Finally, Linux has some extensions which make it bullet-proof against many types of attack. Mandatory Access Controls and filesystem ACLs mean that you can have an extremely fine-grained level of control over who can do what. This means that if some server software has a user ID of N, but N only has read permissions on N's files, then compromising the server can't even allow an attacker to modify the files they supposedly own.


      All this means that Linux applications don't need to be that secure. The security is provided. It is helpful if they ARE secure, but it's not essential. With Windows, this isn't the case. The level of security isn't that great, and as more and more is integrated into the kernel, the vulnerabilties within any given application become ever-more dangerous to other parts of the OS.

    • none of these vulnerabilities are known to be exploited.

      That will change.

      On the other hand, I wonder why things like these for soem reason never get posted.

      Actually that did get posted.

      http://it.slashdot.org/article.pl?sid=04/09/04/1 31 4200&tid=172&tid=128&tid=1
  • Remote Vuls (Score:3, Insightful)

    by wastedimage ( 266293 ) on Tuesday October 12, 2004 @06:55PM (#10509066)
    Has anyone else noticed how everything is now classified as remote? For the zip one you have to download the file and then attempt to unzip it. THATS NOT REMOTE. You downloaded it and then got exploited. Its running local context! Its local! Remote for example would be the NNTP. Where a remote user directly exploits you without any user interaction.

    I extend this classification to the GDI vuls. They are downloaded and then rendered by windows. Why should it matter that its not an executable file. From an 3rd party perspective it looks the exect same as someone downloading and running a trojan. It shouldn't matter how clever they are in hiding the execution or downloading of the file, if it runs in local context its LOCAL.

    Fuck i'm so tired of seeing remote vul tacked on to everything.
  • by cortana ( 588495 ) <sam@robots.orRASPg.uk minus berry> on Tuesday October 12, 2004 @07:03PM (#10509133) Homepage
    Updates were unable to be successfully installed

    The following updates were not installed:
    Microsoft .NET Framework 1.1 Service Pack 1
    Cumulative Security Update for Internet Explorer for Windows XP Service Pack 2 (KB834707)

    [Configure automatic updates] [Tough shit]

    Thanks, Microsoft! What the hell am I supposed to do now! Oh well, this particular machine hasn't been installed for almost 1 year, it's about time I reset the cruft factor...
  • DAMN! (Score:5, Funny)

    by AvantLegion ( 595806 ) on Tuesday October 12, 2004 @07:20PM (#10509265) Journal
    Damn! I had 9 in the pool.

    That's what I get for having faith in you, Microsoft!

  • by RealProgrammer ( 723725 ) on Tuesday October 12, 2004 @07:26PM (#10509314) Homepage Journal
    Microsoft saves these up so that
    1. Users only need to patch their boxes once.
    2. Sysadmins only need to frantically patch all of their boxes once.
    3. It looks better if there is one bunch of ten patches on one day than if there are ten announcements of one patch each on ten different days. A lot of these bugs were announced earlier, but the releases are all announced now.
    4. Saves ink on /.
  • I give up (Score:5, Interesting)

    by danharan ( 714822 ) on Tuesday October 12, 2004 @07:33PM (#10509370) Journal
    That does it. I'm switching to Linux- Ubuntu, *noppix- or even *BSD, anything but Windows.

    Installing today's updates, it asked me if I wanted more information about a vulnerability- and proceeded to open a page with Internet Explorer. How many times do I have to tell the computer that Firefox is my default browser? Whose machine is this, anyway?

    With SP2, XP has been annoyingly telling me I may not be protected (I run without anti-virus but am locked down regardless and still scan regularly- with no virus or reinstall in 2 years). In today's update, it keeps nagging me to reboot.

    And why do I have to sign yet another goddamned EULA to install critical patches?

    There isn't any windows only software I need anymore. OO.org, Firefox, Thunderbird... and now GAIM (which I've gotten used to at work, working on FC1). I'll miss some of the usability features of XP, but I just can't handle it anymore. So long, Windows!
    • by xutopia ( 469129 ) on Tuesday October 12, 2004 @07:37PM (#10509405) Homepage
      actually, parent is my brother(that sentence sounds weird); I just want to make sure his comment is public so he has to carry through with it ;)
    • Re:I give up (Score:5, Informative)

      by Keeper ( 56691 ) on Wednesday October 13, 2004 @02:58AM (#10511647)
      How many times do I have to tell the computer that Firefox is my default browser?

      Once, if Firefox is registered as the default browser correctly. My machine gets it right, why doesn't yours?

      With SP2, XP has been annoyingly telling me I may not be protected (I run without anti-virus but am locked down regardless and still scan regularly- with no virus or reinstall in 2 years).

      Two options:
      1) Update your AV software to a version that tells the security center when it is up to date.
      2) Select the "I will manage my AV software myself" option, and the security center won't bug you about any AV related details.

      In today's update, it keeps nagging me to reboot.

      Your computer is still vulnerable until you reboot the machine. What's the point of applying the patch if the updated files don't get loaded?

      And why do I have to sign yet another goddamned EULA to install critical patches?

      For the same reason every company requires you to sign a EULA before installing/updating software. If you want a detailed reason, ask the lawyers.
  • by crazyphilman ( 609923 ) on Tuesday October 12, 2004 @07:46PM (#10509480) Journal
    When confronted with a new Microsoft security hole, which seems to one to have existed for a while, possibly leaving his entire organization at risk, one should never react with surprise or horror.

    One must make a FRIEND of the horror.

    Then, one can hear about the security issue, nod sagely with a wan smile, and whisper to the junior IT staff, "But of COURSE there is a hole. This is to be expected, young one. Run and patch, then we'll go to lunch."

    Bonus points for leaning back in one's chair, folding one's hands across one's belly, and sighing loudly before addressing the novice.

  • by allgood2 ( 226994 ) on Tuesday October 12, 2004 @08:15PM (#10509664)
    Actually CNET News.com [com.com] is reporting 22 not 10. That's quite the grouping.
  • Thank Gawd for WinME (Score:3, Interesting)

    by HermanAB ( 661181 ) on Tuesday October 12, 2004 @08:58PM (#10509942)
    Most of these exploits don't apply to WindozeME.

    It is amusing that the much maligned WinME nowadays work better and doesn't suffer from half the problems in XP - "The Most Secure Windows Ever".

C'est magnifique, mais ce n'est pas l'Informatique. -- Bosquet [on seeing the IBM 4341]

Working...