Ten Security Bulletins From Microsoft
wschalle writes "Microsoft has released 10 "new" security bulletins, including one pertaining to a vulnerability in the Windows Shell, apparently exploitable via the web. The shell vulnerability only allows code execution as the user viewing the malicious web site. Aren't you glad your shell is web-enabled? The recent GDI+ vulnerability is re-released here as well as a vulnerability in zip compression handling."
My (Score:5, Funny)
Re:My (Score:4, Informative)
Re:My (Score:5, Insightful)
Re:My (Score:5, Insightful)
Re:My (Score:2)
Re:My (Score:2)
Re:My (Score:3, Informative)
Re:My (Score:5, Interesting)
Re:My (Score:2)
"new compiler that basically eliminates any possibility of buffer overflows"
You're obviously not a programmer if you believe this.
Re:My (Score:5, Funny)
Source [microsoft.com]
What? (Score:3, Insightful)
So I have no idea what you are talking about and suspect that neither do you.
Re:My (Score:5, Informative)
Re:My (Score:5, Informative)
Yes, it is possible to circumvent, and there are of course other kinds of attacks/bugs which this doesn't help with. Nor is it a substitute for actually fixing those buffer overflow problems. However, all that said, it's still a good extra level of defense that does improve the security of the system and apps by substantially mitigating a large class of potential bugs.
Re:My (Score:4, Informative)
While the new compiler additions detect some buffer overruns/underruns, note that there is no way to get 100% buffer overrun detection with commercial C++ compilers. Usually, these overruns are detected by a variety of methods, like putting canary "values" at the beginning and/or at the end of each of the protected data buffers. These canary values are checked at certain moments of time, usually at the end of the buffer data lifetime - for example for stack-allocated blocks they are checked on routine exit; for heap allocated blocks when the blocks are freed.
The problem with canaries is that they won't detect memory writes that write directly in other "valid" data buffers. For example, thread 1 overwriting the contents of some local variables in another stack, manipulated by thread 2.
There are other techniques, for example checksums for the user-mode data structures (like stack frames, C++ VTABLEs, heap data structures, constant data, etc). But these techniques have limited use too.
In addition, a malicious piece of code can always work around the canary/checksum detection. The moment this malicious code has a chance to run in your process, all bets are off. It can eventually change the exception trap handlers, etc.
The only way to get 100% protection from buffer overruns would be to run Java/C#/VB.NET code (with certain restrictions of course, for example avoiding unsafe code in C#). That said, you can also avoid buffer overruns to a certain degree in C++ too if you use proper class libraries like STL that perform things like automatic array bound checks, etc.
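The two cases the comment above describes, as an added example that is not part of the original comment: a contiguous overrun trips the guard value checked at the end of the buffer's lifetime, while a write at a bad offset into a neighbouring valid buffer passes that check, and an explicit bounds check rejects both. The arena layout, the `CANARY` value and all function names are constructed for illustration; this is a hand-rolled model, not how any particular compiler implements its checks.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CANARY  0xC0DEFACEu            /* constructed guard value */
#define BUF_LEN 16
#define GUARD   sizeof(uint32_t)
#define SLOT    (GUARD + BUF_LEN + GUARD)
#define ARENA   (2 * SLOT)

/* Layout: [guard][A:16][guard][guard][B:16][guard]. Every write below stays
 * inside this one array, so the demo is well-defined C while still modelling
 * a write that leaves the buffer it was meant for. */
static unsigned char arena[ARENA];

static void arena_init(void) {
    uint32_t c = CANARY;
    memset(arena, 0, ARENA);
    for (size_t s = 0; s < 2; s++) {
        memcpy(arena + s * SLOT, &c, GUARD);                    /* head guard */
        memcpy(arena + s * SLOT + GUARD + BUF_LEN, &c, GUARD);  /* tail guard */
    }
}

/* The end-of-lifetime check: 1 if both guards of `slot` are untouched. */
static int guards_intact(size_t slot) {
    uint32_t head, tail;
    memcpy(&head, arena + slot * SLOT, GUARD);
    memcpy(&tail, arena + slot * SLOT + GUARD + BUF_LEN, GUARD);
    return head == CANARY && tail == CANARY;
}

/* Models the bug: copy into buffer A at `off` with no length check
 * (clamped to the arena only so the demo itself cannot stray). */
static void unchecked_write(size_t off, const void *src, size_t n) {
    size_t start = GUARD + off;
    if (start >= ARENA) return;
    if (n > ARENA - start) n = ARENA - start;
    memcpy(arena + start, src, n);
}

/* Bounds-checked alternative: refuse anything outside A's 16 bytes. */
static int checked_write(size_t off, const void *src, size_t n) {
    if (off > BUF_LEN || n > BUF_LEN - off) return -1;
    memcpy(arena + GUARD + off, src, n);
    return 0;
}

/* Contiguous overrun of A: 20 bytes into a 16-byte buffer hits A's tail guard. */
int overrun_trips_canary(void) {
    unsigned char junk[20];
    memset(junk, 'A', sizeof junk);
    arena_init();
    unchecked_write(0, junk, sizeof junk);
    return !guards_intact(0);
}

/* Bad offset: the write skips the guards and lands in B's live data. */
int targeted_write_evades_canary(void) {
    unsigned char junk[8];
    memset(junk, 'B', sizeof junk);
    arena_init();
    unchecked_write(SLOT, junk, sizeof junk);      /* A + SLOT == start of B */
    int b_changed = arena[SLOT + GUARD] == 'B';
    return guards_intact(0) && guards_intact(1) && b_changed;
}

/* The bounds check stops both writes before any memory is touched. */
int checked_write_rejects_both(void) {
    unsigned char junk[20] = {0};
    arena_init();
    return checked_write(0, junk, 20) == -1 && checked_write(SLOT, junk, 8) == -1;
}

int main(void) {
    printf("overrun detected by canary:    %d\n", overrun_trips_canary());
    printf("targeted write goes unnoticed: %d\n", targeted_write_evades_canary());
    printf("bounds check rejects both:     %d\n", checked_write_rejects_both());
    return 0;
}
```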
Re:My (Score:3, Insightful)
I give up (Score:5, Funny)
Re:I give up (Score:5, Funny)
All bugs have shells..... (Score:5, Funny)
Shell exploit runs as user (Score:4, Interesting)
-nB
Re:Shell exploit runs as user (Score:3, Insightful)
So if your user has admin rights (as all at my site do b/c our toolset requires it) then you're screwed if they go to a mal-site.
Your 'toolset' requirements are kinda setting you up for the inevitable don't ya think?
Re:Shell exploit runs as user (Score:2)
We have a client who does this, and they run Linux desktops as well!
Squid does a remarkably good job of facilitating this sort of strapping down.
Insane (Score:2, Interesting)
txt file vulnerability anyone!?!
Re:Insane (Score:3, Insightful)
Re:Insane (Score:2)
Re:Insane (Score:2, Informative)
http://www.cert.org/advisories/CA-2002-07.html [cert.org]
You're welcome.
Web enabled Shell (Score:5, Funny)
Ok, Now is a really web enabled experience! :)
C&C (Score:5, Funny)
Good thing I choose to join NOD.
/rimshot
Security is Job 1 (Score:5, Informative)
Re:Security is Job 1 (Score:2, Informative)
another reason to learn linux (Score:3, Insightful)
Re:another reason to learn linux (Score:4, Informative)
2004-09-15
Re:another reason to learn linux (Score:5, Insightful)
Re: (Score:2, Insightful)
Re:another reason to learn linux (Score:3, Funny)
A more accurate bulletin here (Score:5, Funny)
1. Internet Explorer (All versions)
2. Microsoft Office (All versions)
3. Microsoft Windows OS (All versions)
SP2 Isn't Affected (Score:5, Informative)
Re:SP2 Isn't Affected (Score:2)
Actually I am just now running Windows Update on our XP SP2 box - the details of the "cumulative update" show a total of eight vulnerabilities being patched.
http://go.microsoft.com/fwlink/?LinkId=31851 [microsoft.com]
Re:SP2 Isn't Affected (Score:4, Informative)
Maybe YOUR Windows Shell is web enabled.... (Score:2)
Shell: Litestep
Thread-o-matic (Score:5, Funny)
[ ] MS has these security exploits because it is the biggest OS
[ ] MS is a steaming pile when it comes to security
[ ] MS is working on fixing these things, and is doing the responsible thing.
[ ] 1337! I can't wait to #4x0r!
Love this from the remote shell exploit faq (Score:5, Funny)
Are Windows 98, Windows 98 Second Edition, or Windows Millennium Edition critically affected by any of the vulnerabilities that are addressed in this security bulletin?
No. None of these vulnerabilities are critical in severity on Windows 98, on Windows 98 Second Edition, or on Windows Millennium Edition. For more information about severity ratings, visit the following Web site.
Don't sweat it, a remotely exploitable shell is
not critical!
Re:Love this from the remote shell exploit faq (Score:5, Insightful)
a) Faq says the patch's not critical
b) Joe doesn't include this in the critical patches he's downloaded on to his system
c) boom! the system goes down the next week because of the msplaster virus targeting this vulnerability
d) Joe's not sure about the reason for the crash and re-installs the OS
e) (c) again after a week
f) Joe gets frustrated and contacts MS support ppl, who inform him that the brand new Microsoft Windows XP Professional with Service Pack 2, has everything to avoid such crashes
g) Joe buys what they say
windows_xp_sales++
easy!
Re:Love this from the remote shell exploit faq (Score:4, Insightful)
Re:Love this from the remote shell exploit faq (Score:3, Funny)
Provided that you run PCLite and install the latest version of IE, Firefox and Thunderbird and keep it safe behind a Linux firewall and Samba server...
That is enough for me (Score:3, Interesting)
10 Bulletins? (Score:4, Informative)
Re:10 Bulletins? (Score:5, Funny)
MS10-02: Buffer overrun in Graven Image processing.
MS10-03: Vulnerability in RPC Service may cause the name of the Lord to be taken in vain.
MS10-04: Vulnerability in Task Scheduler may prevent computer from resting on the Sabbath Day.
MS10-05: Vulnerability in Windows Shell may allow child process to kill parent process.
MS10-06: Buffer overrun in DCE Locator Service may cause abnormal program termination.
MS10-07: Vulnerability in Outlook/Outlook Express may lead to adultery.
MS10-08: Vulnerability in MSKerberos may allow remote user to steal.
MS10-09: Vulnerability in Excel may allow workbooks or spreadsheets to bear false witness.
MS10-10: Vulnerability in Internet Explorer may cause user to covet neighbor's ass.
k.
great marketing (Score:5, Funny)
beautiful. fucking beautiful.
This better not be the end (Score:2, Insightful)
I'm a little worried about the possibility of a "final" windows exploit that quickly and without warning kills every MS box it touches.
All these vulnerabilities are a bit disheartening.
Either Microsoft is really combing over their programs for errors or they are in trouble
Kind of makes me happy that I only rely on free/open source programs
Re:This better not be the end (Score:2, Redundant)
Reminds me of something (Score:5, Funny)
"only" (Score:5, Insightful)
On most XP installations, the only user is "Administrator".
Ten holes huh? This list may not be complete (Score:4, Informative)
Aren't you glad you need admin privileges ... (Score:5, Interesting)
Aren't you glad you need admin privileges for day-to-day operations on too many windows boxes?
Aren't you glad that even if you can get by without admin privileges, you can still completely hose your own files just by visiting the wrong website? Aren't you glad the only files that you can infect are the only files that you really care about?
You bet I'm glad my shell is web-enabled! After all, this Windows box belongs to my employer ... it's his time that will be wasted.
does not matter. (Score:2)
Pity that, but so what? All the attacker has to do is upload a root kit via browser help object, cookie or similar then execute the kit. Who executes the kit should not matter if the kit is made right.
The thought of the day is, "just another hole in a screen door." Why are people still running Microsoft junk?
Re:Aren't you glad you need admin privileges ... (Score:3, Interesting)
For example ?
Aren't you glad that even if you can get by without admin privileges, you can still completely hose your own files just by visiting the wrong website?
Like that last Firefox bug that wiped out files and data just by trying to download something ?
Aren't you glad the only files that you can infect are the only files that you really care about?
Well, it's kinda hard to be able to do anything to your
Re:Aren't you glad you need admin privileges ... (Score:5, Insightful)
Here's a better reason that so many computers are plugged: ignorant users that are gullible, believe everything they see on the Internet, and press yes or OK on every dialog box just to get them to go away (without reading them or caring about the content). This is just as possible with Firefox or KDE or any other complex system that people use: you can make resistance to stupidity, but stupidity will always win some battles.
Could Microsoft make the resistance higher? I guess. But then they would have to contend with cries of incompatibility and non-ease of use. It's a precarious balance.
You'd like more security, but you aren't a shareholder of Microsoft; I'm sure the company has done much research that says that invasive security makes users mad and reduces sales. Yes, the admin default sucks for security. It is also only a default and so completely avoidable; the fact that users don't avoid it speaks of their ignorance.
If Windows XP automatically logged you on as a non-admin user, most people would be lost; they would have no idea why they can't install their new software. All they see is an ugly dialog box they don't understand and it isn't working. This news would get out, XP would be branded as impossible to use because some dumb columnist couldn't install Quicken 200X, and nobody would buy it. They would still be using 98 or ME with zero local security. Because it's easier than dealing with security hassles. These are the same people who have no idea what the consequences of installing Gator or whatever are, and if you try to tell them about it, they glaze over and continue to do what they always have done.
Re:Aren't you glad you need admin privileges ... (Score:3, Informative)
Regarding your mention of running certain apps using RunAs, PsExec, etc... it doesn't exactly work well. I've said it before and have begun sounding like a busted CD. Multi-user in Windows doesn't really work very well. Include the fact that most developers never take the multi-user environment into consideration.
Here's my example. I will not state a specific app since RunAs works for some, but not most apps out there. Run an app with RunAs. It loads with Admi
Re:Aren't you glad you need admin privileges ... (Score:4, Informative)
On my kids' computer, this includes "Reader Rabbit Baby and Toddler". (Must write directly into video memory or something.) I thought that was pretty neat.
I will look into RunAs, PsExec, SUD, etc. Thanks for the tip.
Only one affects SP2...and more surprises (Score:2, Insightful)
Let's see (Score:2, Funny)
microsoft talking about this great new software that can be downloaded from their site. Of course mindless MCSE network admin does not realize it is a phishing attack and clicks to see the greatest new stuff from the redmond lords. Now nasty hacker owns your entire network......priceless
LiteStep (Score:4, Informative)
It's pretty cool and it's open source and stable (unlike Windows sometimes) and has a decent-size user base, even though most of the themes are pretty worthless. (Then again, for any themable program, aren't the bulk of the themes crap?)
Anyhow, people that are stuck using Windows like I am (Lycoris' Tablet PC version of Linux is next to featureless) should give it a try, if nothing else but as a preventative measure against future bugs like this.
How is this different (Score:5, Interesting)
With the exception of a proof of concept GDI+ exploit posted to USENET, none of these vulnerabilities are known to be exploited.
The shell and compressed folder vulns require user interaction, just like 99% of all other "worms". As long as your mail application is patched you can't get hooked via email and if you visit "malicious websites" with anything other than Lynx you probably should be shot anyway. Ditto for a decent firewall.
On the other hand, I wonder why things like these [securityfocus.com] for some reason never get posted.
Re:How is this different (Score:5, Insightful)
As far as Linux is concerned, a properly configured Linux box is relatively secure, even if the applications have holes. This is because you can run most servers under restricted user IDs and/or in chroot-ed environments. This means that someone breaking into a server application can't really go anywhere.
Linux' main "weakness" (diversity of implementations) is also its great strength on this. A Linux virus won't necessarily work on all Linux machines, because it is going to make assumptions about the nature of that machine which may not hold true. Applications can be configured on installation by the admin, but viruses don't usually get that benefit.
Finally, Linux has some extensions which make it bullet-proof against many types of attack. Mandatory Access Controls and filesystem ACLs mean that you can have an extremely fine-grained level of control over who can do what. This means that if some server software has a user ID of N, but N only has read permissions on N's files, then compromising the server can't even allow an attacker to modify the files they supposedly own.
All this means that Linux applications don't need to be that secure. The security is provided. It is helpful if they ARE secure, but it's not essential. With Windows, this isn't the case. The level of security isn't that great, and as more and more is integrated into the kernel, the vulnerabilities within any given application become ever-more dangerous to other parts of the OS.
Re:How is this different (Score:3, Informative)
That will change.
On the other hand, I wonder why things like these for some reason never get posted.
Actually that did get posted.
http://it.slashdot.org/article.pl?sid=04/09/04/
Remote Vuls (Score:3, Insightful)
I extend this classification to the GDI vuls. They are downloaded and then rendered by windows. Why should it matter that it's not an executable file? From a 3rd party perspective it looks the exact same as someone downloading and running a trojan. It shouldn't matter how clever they are in hiding the execution or downloading of the file, if it runs in local context it's LOCAL.
Fuck I'm so tired of seeing remote vul tacked on to everything.
Gotta love Windows... (Score:3, Funny)
The following updates were not installed:
Microsoft
Cumulative Security Update for Internet Explorer for Windows XP Service Pack 2 (KB834707)
[Configure automatic updates] [Tough shit]
Thanks, Microsoft! What the hell am I supposed to do now! Oh well, this particular machine hasn't been installed for almost 1 year, it's about time I reset the cruft factor...
DAMN! (Score:5, Funny)
That's what I get for having faith in you, Microsoft!
Cumulative bug reporting conspiracy (Score:5, Interesting)
I give up (Score:5, Interesting)
Installing today's updates, it asked me if I wanted more information about a vulnerability- and proceeded to open a page with Internet Explorer. How many times do I have to tell the computer that Firefox is my default browser? Whose machine is this, anyway?
With SP2, XP has been annoyingly telling me I may not be protected (I run without anti-virus but am locked down regardless and still scan regularly- with no virus or reinstall in 2 years). In today's update, it keeps nagging me to reboot.
And why do I have to sign yet another goddamned EULA to install critical patches?
There isn't any windows only software I need anymore. OO.org, Firefox, Thunderbird... and now GAIM (which I've gotten used to at work, working on FC1). I'll miss some of the usability features of XP, but I just can't handle it anymore. So long, Windows!
mod parent up! (Score:5, Funny)
Re:I give up (Score:5, Informative)
Once, if Firefox is registered as the default browser correctly. My machine gets it right, why doesn't yours?
With SP2, XP has been annoyingly telling me I may not be protected (I run without anti-virus but am locked down regardless and still scan regularly- with no virus or reinstall in 2 years).
Two options:
1) Update your AV software to a version that tells the security center when it is up to date.
2) Select the "I will manage my AV software myself" option, and the security center won't bug you about any AV related details.
In today's update, it keeps nagging me to reboot.
Your computer is still vulnerable until you reboot the machine. What's the point of applying the patch if the updated files don't get loaded?
And why do I have to sign yet another goddamned EULA to install critical patches?
For the same reason every company requires you to sign a EULA before installing/updating software. If you want a detailed reason, ask the lawyers.
Correct response to Microsoft security holes (Score:5, Funny)
One must make a FRIEND of the horror.
Then, one can hear about the security issue, nod sagely with a wan smile, and whisper to the junior IT staff, "But of COURSE there is a hole. This is to be expected, young one. Run and patch, then we'll go to lunch."
Bonus points for leaning back in one's chair, folding one's hands across one's belly, and sighing loudly before addressing the novice.
22 not 10 New Security Warnings (Score:3, Informative)
Re:22 not 10 New Security Warnings (Score:3, Informative)
Thank Gawd for WinME (Score:3, Interesting)
It is amusing that the much maligned WinME nowadays works better and doesn't suffer from half the problems in XP - "The Most Secure Windows Ever".
Links or Lynx is NOT the same as.... (Score:2, Informative)
Links or Lynx are both programs that can be called from a Linux Shell. (Command Line Interface)
Bad Troll, no Internet Cookies for you!
Re:Shell enabled depends. (Score:5, Insightful)
Re:Shell enabled depends. (Score:3, Informative)
Well, that's a tautology: if they're vulnerable, they're vulnerable. The point is that vulnerabilities are more likely, and more likely to be serious, in a web enabled shell than a plain web browser.
You see, "web enabled shell" means that the same piece of software is both your web browser and your application launcher. That makes it much ea
Re:Shell enabled depends. (Score:2)
How About Mac OS X [apple.com]?
Finder doesn't play with the WWW at all unless you count its WebDAV support, and it doesn't ship with Lynx or Links either (much to my dismay). I might as well point out that BASH, ZSH, TCSH, are the shell: Lynx is a browser that you launch from the shell.
Re:At least with windows (Score:5, Informative)
Re:At least with windows (Score:3)
I don't know about the status of these apps now.
But the last I remember, RH8 had a point and click config applet that's a front-end for iptables.
You want flexibility+power?!? Spend an hour reading some good doc about iptables and save days that you might be wasting pointing and clicking elsewhere.
On my system, all new incoming connections (except for ssh from a few servers) are blocked and all outgoing connections are allowed. Am damn sure google can get you tons of simple scripts for a minimal config. Yo
Re:At least with windows (Score:2, Interesting)
With linux, well...tried to configure IPtables lately? I have, and that made me switch back to windows!"
Hmmm
Is that a gap in the market I spot? Is there a need for an Iptables for dummies guide ;-?
Alternatively one could just get the following book : http://www.amazon.com/exec/obidos/tg/detail/-/0596005695/qid=1097623820/sr=8-1/ref=pd_ka_1/103-3075969-161 [amazon.com]
Re:At least with windows (Score:2, Informative)
http://www.e3.com.au/firewall/index.php
Re:At least with windows (Score:5, Insightful)
If you are directly connected to the net, then this is a standalone machine, and does not need to have any sockets open, except that which is supposed to be used on the net. Turn off unnecessary services, or switch them to local mode only. AFAIK, there are no vulnerabilities for closed ports.
If you have a LAN, then there is something that separates the LAN from the internet. This should not be your desktop machine.
If you have two machines separately on the net, then you should use ssh tunnels between them. That is more secure than firewalls anyway.
Outgoing connections? May I ask why are you running spyware?
Filtering ICMP? Why would you want to break network standards again. It is because of you the net is a pain to use. I like getting messages that my connection failed instead of waiting for 60 seconds.
People firewall for a simple reason: to have open services inside the network, and not outside. At this point you should be capable enough to either do it yourself, or have a complete solution (although NAT is not a firewall, it behaves as one)
As far as I am concerned there should be no need to run any firewalls on the desktop. In fact it is a sign of poor management, or a patch to a bigger problem (not trusting your own computer).
Is there something I am missing?
Why firewall? Because the world isn't perfect (Score:4, Insightful)
To answer your question, a firewall is for damage control when you don't know (or realize too late) that your machine is not perfectly configured. Some program has some vulnerability, or a trojan, or something. You are right --it SHOULD not be this way; but when it just IS, and the trojan starts spamming people or transmitting your private PGP keys onto IRC, the firewall is there to say, "Hey, waitaminnit, something weird is going on here."
A firewall is like a fireman. You hope that it doesn't have to do anything but sit there.
Re:At least with windows (Score:4, Informative)
1. Security in depth. Multilayered security = A Good Thing. ...and they're not on port 80...!
2. True, there shouldn't be ports we don't know about on user's PC's, but how about when they pop one open without knowing? They can't download or receive numerous file types & their peripherals are disabled, but users will be users. I've seen programs installed that install telnet or tftp servers. A decent personal firewall setup will alert the user *and* log that alert to a central console.
3. Mistakes happen. A nameless colleague quit-out halfway through creating a firewall rule. The default action is to create the rule regardless, so for 20 minutes a bunch of workstations were waaaay more accessible than they should be. Worms were spotted.
4. It's disastrous to think "We've got a firewall, ergo we're secure" (see above). Common example: User sits in internet cafe with laptop, some floppies, usb devices & cd rom. Effectively spreads legs & asks the world to infect him. Next day, brings laptop back & jacks into the LAN. My sturdy firewall is now worth jack. Personal firewalls all round, please.
5. And yes, I do filter ICMP. I'm sorry that you have to wait 60 seconds for your pings or whatever to fail, but I have to ask why were you scanning my LAN? You want me to turn on file&printer sharing too, so you can see what else is going on? It's my LAN, & within it I'll do whatever I can to keep it secure. Guess what - I run some web services....
As far as I'm concerned there are valid reasons to run personal firewalls on the desktop.
Hand-in-hand with user education, security policies, patch management and effective anti-virus solutions they provide a robust & proven security benefit.
You're damn right I don't trust my computer. And I won't do until I control all access in and out, and it tells me when something tries to except those rules. Oh, wait! It does. It's my personal firewall.
Re:But how can this be? (Score:5, Informative)
Re:But how can this be? (Score:2)
Re:But how can this be? (Score:2)
It is the most secure version yet, but that's a relative term. Past versions of Windows set the bar so low that just about anything would be the most secure Windows to date. Notice how they didn't say "Most secure OS" or even "Most secure Microsoft OS": the devil is in the details!
My last poop* is the least smelly one to date. It stinks an order of magnitude less than the shit from New Years 1997--that one was bad enough to make a janitor gag--b
Re: (Score:3, Insightful)
Re:News For Nerds?? (Score:2)
Market share?? (Score:5, Insightful)
Because MS is the dominant OS, and many Slashdot readers need to know about these things.
There have been Slashdot articles on Linux bugs, but fewer. Why? Maybe because there are fewer critical bugs. Why? Market share.
Not everything is anti-MS. Some of it is just reality.
desiv
Re:News For Nerds?? (Score:2)
They're just presented in a much, much more positive light.
Re:News For Nerds?? (Score:2)
My friends (other engineering student geeks mind you) make fun of me for being such a linux geek. Using gentoo makes it even worse.
However, I see it as I have less work to do to ma
Re:News For Nerds?? (Score:2)
Re:News For Nerds?? (Score:2)
Re:News For Nerds?? (Score:3, Insightful)
Re:News For Nerds?? (Score:5, Funny)
Re:Windows Shell? (Score:4, Informative)