Windows Operating Systems Software Security

Three New Microsoft Bulletins

Jimmy M writes "Microsoft has released three security bulletins for January, which correct vulnerabilities in the handling of Icon and Cursor files, Indexing Services, and HTML Help. Bulletin MS05-001 (HTML Help) is the Extremely Critical vulnerability (Demonstration) that Secunia warned about last week - nice to see a quick move from MS. All updates are available from Windows Update."

  • Quick? (Score:5, Insightful)

    by Anonymous Coward on Tuesday January 11, 2005 @05:03PM (#11325995)
    The extremely critical exploit was listed on 2004-10-20! It took nearly three months to fix.
    • Re:Quick? (Score:3, Informative)

      by Jugalator ( 259273 )
      On the other hand, Microsoft posted a workaround for the problem 6 days after Secunia discovered the flaw.
    • Re:Quick? (Score:3, Insightful)

      by bonch ( 38532 )
      I love when Michael posts every little bulletin from Microsoft to make it appear that it's ridden with security holes. A lot of people here seem to only get their security news from Slashdot. What if Windows allowed arbitrary code execution just from viewing a PDF file? Slashdot would be all over it. And yet, it's one of today's Gentoo vulnerability announcements--Xpdf has a fatal flaw. But such stories get rejected by the editors in favor of more Microsoft.

      LinuxSecurity [linuxsecurity.com] keeps a running list of daily
      • What? Attacking Linux Security?!?! Come on moderators! Let's crush this heretic!

        That is a joke. Personally, I agree with him...

      • Application vs. OS (Score:5, Interesting)

        by obsid1an ( 665888 ) <obsidian@@@mchsi...com> on Tuesday January 11, 2005 @06:30PM (#11327292)
        You need to make the distinction of application vs OS. With MS, IE is part of the OS. Something that exploits IE also exploits the OS. Now look at the Xpdf flaw [linuxsecurity.com] you presented:

        An attacker could entice a user to open a specially-crafted PDF file, potentially resulting in the execution of arbitrary code with the rights of the user running the affected utility.

        That is not a linux problem. That is an Xpdf problem. Xpdf is letting the maker of a PDF file gain the rights that the Xpdf program normally has. Now, if this exploit allowed the user to gain root access (assuming the current user is not root) there would be a tad more going on as Xpdf should never have root access.

        Now this isn't to say linux is perfect, but saying that every linux application security bug is the fault of linux isn't true either. However, this really comes down to the design differences between linux and windows. Running linux as root all the time can be just as dangerous as windows.

        It is also a problem of monolithic vs. modular programming. Having IE, your window to the internet, being so deeply imbedded into your OS is only asking for problems.

        • It is also a problem of monolithic vs. modular programming. Having IE, your window to the internet, being so deeply imbedded into your OS is only asking for problems.

          So, by your logic, if I run Firefox and don't use Outlook, Windows is a great OS to have, eh? You wouldn't know it by the scorn everyone heaps on Windows, but then again this is /., where no good deed of MS goes unignored and no flaw of Linux goes unburied.

          Nobody says you must use the stuff Microsoft gives you. IE can be bypassed without m
          • by Daengbo ( 523424 )
            But the point is that you can't bypass it. It's hooked into so many services and programs that a flaw in the IE renderer affects the entire OS. That's dangerous. Firefox doesn't hook to anything. If it did, you'd be in similar danger.

            If I move X into the kernel to gain speed, then move most of the rendering for the screen to xpdf, the xpdf vulnerability becomes a scary thing indeed. I hope that Linux stays as modular as it always has, and I'll sacrifice a little speed for safety. Please don't tell me that
            • But the point is that you can't bypass it.

              Hmmm...what's this [tweakxp.com] then? Or this [sillydog.org]? Or maybe even this [microsoft.com]?

              Aw gosh, I've gone and broke your argument. Hope you kept the receipt.
          • Nope, you have to use IE. It's integrated into the OS so tightly that there's nothing you can do about it. For example, if you use Half Life 2's Steam application, that uses IE quite frequently, and if you install Firefox it won't change engines for displaying the data suddenly. That is a bad example (you can't use the IE shell to browse to non-trustworthy sites), but other examples like in Kazaa you have a fully functioning IE shell operating.

            But anyway, if you actually read the post that he wrote, I
        • With MS, IE is part of the OS

          And you believe everything Ballmer said?

          The phrase "part of the OS" is in the sense of sh is part of Linux distribution. IE code runs in Userland. There is nothing magical about it. IExplorer.exe is just a tiny piece of frontend-like program that calls this huge MSHTML library, which many windows applications depend on. And they are all user land applications.

          If you said something about most people run IE as Admin, I would believe you. But that's not really the issue here be

        • Yes, some apps don't run nice when you're not admin, but you don't have to run as admin. Thus any IE exploits would only be running under your credentials, not Localsystem, and thus the risk is the same as xpdf.
      • Re:Quick? (Score:2, Insightful)

        by MarkByers ( 770551 )
        You are referring to errors in non-optional non-admin applications in Linux. Gentoo has 7000 packages, but very few of them are required. This fix is for a required, unremovable application which is embedded into the OS and allows a root of a machine simply by visiting a webpage (since like it or not, most Windows users run with admin privileges). Imagine if a popular website was defaced with an exploit. This is what makes it newsworthy.
      • I love when Michael posts every little bulletin from Microsoft to make it appear that it's ridden with security holes.
        I love it too.

        What if Windows allowed arbitrary code execution just from viewing a PDF file?
        Actually Windows should allow that too... if you were running the not-latest version of xpdf in Windows somehow.

        The differences are that the xpdf vulnerability was fixed in a day, here we're talking about an issue that took 10 days to work around and 3 months to fix.

        And also xpdf isn't a cruc
      • I'll call bullshit. Here's the evidence [slashdot.org]. Nice troll though and "karma burning" comments seem to be loved by mods.
      • What if Windows allowed arbitrary code execution just from viewing a PDF file? Slashdot would be all over it. And yet, it's one of today's Gentoo vulnerability announcements--Xpdf has a fatal flaw. But such stories get rejected by the editors in favor of more Microsoft.

        Your reasoning is flawed.

        The PDF viewer most people use on Windows (Acrobat^WAdobe Reader) is not a Microsoft app, but is made by Adobe. So if this happened, we would have to blame Adobe, not Microsoft. Many people don't even install a PDF
  • XP SP2 (Score:5, Informative)

    by Rolan ( 20257 ) * on Tuesday January 11, 2005 @05:03PM (#11326003) Homepage Journal
    It should be noted that those with XP SP2 are only affected by MS05-001.
    • Re:XP SP2 (Score:3, Insightful)

      by bonch ( 38532 )
      Isn't it funny how Linux kernel versions affected are explicitly mentioned in Slashdot's articles on the subject? You'd think the fact SP2 fixed the other two vulnerabilities already would have been an important point to state. It's not like SP2 just came out or anything; what is it, over half a year now?
  • Microsoft Security Bulletin MS05-001 [microsoft.com] addresses the cross-domain vulnerability with their HTML Help Active-X control. Microsoft mentions that it's "newly" discovered, but see the proof-of-concept [securityfocus.com] at Security Focus--posted into BugTraq almost a month ago.

    Incidentally, if you're one of those rare Windows users running IE in restricted (ESC) mode, your vulnerability is mitigated... surprise, surprise.
  • by MrP-(at work) ( 839979 ) on Tuesday January 11, 2005 @05:05PM (#11326031)
    It would also seem microsoft released "Malicious Software Removal Tool [microsoft.com]" on WindowsUpdate

    It finds and fixes some common worms.. They plan on releasing a new version every second Tuesday of each month, and each new version will continue to clean worms from the previous versions.

    Wonder what the antivirus companies think about this
  • Nice to know... (Score:2, Insightful)

    by bonch ( 38532 )
    Nice to know that all software is flawed, because it is made by flawed humans. Nothing is inherently better than the other, Linux or Windows. Don't forget yesterday's Linux security article. Just a friendly reminder before the regularly scheduled Microsoft-bashing...now have at it. :)
    • Have fun with your Yugo chump, nothing is better, Yugo or Lamborghini, so I'll take the Lamborghini, you go prove the concept.
    • When is the last time you saw an "Extremely Critical vulnerability" for linux?
      • January 7th [linux.org]. Ok, maybe not extremely critical, but there are vulnerabilities....
        • "Extremely critical" being what I was trying to emphasise. Even the local kernel exploit, while dangerous, is not "extremely critical"; it can only be exploited by users who already have accounts on the system. I agree wholeheartedly that there are indeed vulnerabilities, but you also have to consider the magnitude.
    • Nothing is inherently better than the other, Linux or Windows. Don't forget yesterday's Linux security article.

      Insightful my ass! This relativist "all views are equally valid" philosophy you've fallen into (along with the main stream media) is complete BS.

      Nothing is perfect, and you should use the right tool for the right job (games == XP, work == Linux for me), for sure, but in terms of security Microsoft's operating systems are fundamentally worse than anything else out there. That doesn't mean that

  • Yes nice and quick. Only took nearly three months!

    Release Date: 2004-10-20

    http://secunia.com/advisories/12889/ [secunia.com]
    • Well the bulletin is really a mistake. So those fixes won't cut it. The 3 real bulletins go...

      - It's official, our Windows XP IS a vulnerability.
      - It's official, our Internet Explorer IS a vulnerability.
      - It's official, our Windows media player IS a vulnerability.
  • by Mr.Ned ( 79679 ) on Tuesday January 11, 2005 @05:06PM (#11326048)
    "Bulletin MS05-001 (HTML Help) is the Extremely Critical vulnerability (Demonstration) that Secunia warned about last week - nice to see a quick move from MS."

    Michael, are you kidding me? Read the advisory and the discussion from last week. Microsoft was notified at the beginning of October and has only now gotten around to fixing it.
    • Read the advisory and the discussion from last week. Microsoft was notified at the beginning of October and has only now gotten around to fixing it.

      No, Microsoft was notified at the beginning of October and has only now gotten around to being so sure of their fixes that they're comfortable releasing the patches to tens of millions of computers. There's a big difference.

  • ...nice to see a quick move from MS.

    My thoughts exactly. The focus for many on the anti-MS side of things is not the fact that there are vulnerabilities, it's how they are handled. Grats to MS for tackling this one.
  • by Rolan ( 20257 ) * on Tuesday January 11, 2005 @05:07PM (#11326068) Homepage Journal
    They also released the "Malicious Software Removal Tool":
    This tool checks your computer for infection by specific, prevalent malicious software (including Blaster, Sasser, and Mydoom) and helps remove any variants found. You should also use an antivirus product to remove other malicious software that may be present. This tool helps maintain your computer, and its appearance does not indicate that your machine is infected with malicious software. After you run this item, you may have to restart your computer.

    Looks like they're finally getting tired of the most common viruses running rampant.
  • Spite (Score:2, Interesting)

    by FortKnox ( 169099 )
    nice to see a quick move from MS

    MS does something good. How many people will still insult this statement just outta spite for MS? How many will reply to me saying I'm out of my mind?

    I'm already a comment wading in the anti-MS sludge. Will people see MS is trying to do the right thing?
    • Re:Spite (Score:5, Informative)

      by RAMMS+EIN ( 578166 ) on Tuesday January 11, 2005 @05:17PM (#11326217) Homepage Journal
      ``How many will reply to me saying I'm out of my mind?''

      At least one. The vulnerability was updated on 2004-10-21. That means it existed at least about 3 months before the fix. I don't know about you, but I don't call that quick.
      • Read other comments on this page. MS released a workaround for the flaw 8 days after it was originally posted. At that time, it was not known how critical it was, so MS didn't push a full fix. Now that it is known (Secunia increased the rating 4 days ago), MS has responded quickly.
        • Ok, two things:

          1. Either you take security seriously, or you don't. If you take it seriously, you fix the flaws when you become aware of them; not 3 months later when people increase the rating, because they're running out of options to get you to fix it.

          2. We're talking arbitrary code execution here. There's virtually no limit to the damage this can do. I'd say that warrants a somewhat quicker fix. And this was already known 3 months ago.

          So, basically, I don't agree that they didn't know how serious it
      • If you bothered to read the whole thing, you'd see Secunia didn't find it "extremely dangerous" until just recently itself. Originally, Secunia didn't put this one very high on the totem pole, so neither did Microsoft. There was a workaround in place within days, and only now that Secunia has elevated the problem is there a patch being issued.
    • "nice to see a quick move from MS

      MS does something good. How many people will still insult this statement just outta spite for MS? How many will reply to me saying I'm out of my mind?"

      You _are_ out of your mind. Microsoft was notified in October. Sitting on an "extremely critical security vulnerability" for over three months isn't quick by any definition.
  • by Tackhead ( 54550 ) on Tuesday January 11, 2005 @05:10PM (#11326113)
    Good policy: Deny all, permit selectively.

    Bad policy: Accept all, but let people turn things off.

    Worse policy: Accept all, but let people turn fewer things off depending on four arbitrary "zones" something falls into.

    Worst policy: Make sure the "zones" in question have nothing to do with TCP/IP, netmasks, DNS, or any other networking concept, but make sure they're supported by a proprietary application you've embedded deeply into the OS to facilitate an embrace/extend/extinguish business model.

    Then act all surprised when everyone ends up running at least one of these "zones" (namely the "local" one, which ought to be the most trustworthy) with their proverbial pants down, thereby creating a guaranteed 100% available target for Worm/Spyware/Virus authors.

    Can someone please find the creature responsible for "Internet Zones" and beat him to death with a large wooden mallet?

    • ah but you forget the most important point... useability.

      The goal for whoever came up with zones was probably something along the lines of, "let's make security as easy as humanly possible". Adding options in IE that actually relate to real networking would be out of the question then. Then users would start thinking to themselves, "what does this all do, I don't understand this, I'm frustrated, I don't like this". Something which Microsoft would never permit.

    • Can someone please find the creature responsible for "Internet Zones" and beat him to death with a large wooden mallet?

      I heard the last person to implement such a mind-bogglingly dumb Windows "feature" [toastytech.com] had to marry Bill Gates [wikipedia.org].

      Maybe Bill would take on the developer of the Internet Zones "feature" as a mistress?
    • by Anonymous Coward
      Zones are actually a good idea; it's just that Microsoft did them wrong.

      A reasonable analogy for surfing the Internet is sticking your hand into a trough of water. The section of the trough that represents the Internet is murky, full of parasites and fecal material, and has piranhas in it. You can still stick your hand in there, but you put on your shoulder-length rubber glove first, and put on a chainmail glove & sleeve on top of that. Other parts of the trough have clear water suitable for drink
  • by FirstTimeCaller ( 521493 ) on Tuesday January 11, 2005 @05:11PM (#11326124)

    I don't normally stoop to Microsoft Bashing, but security vulnerabilities in icons and cursors?!?!?

    • If we're speaking of flaws in graphics files, this one [com.com] was of course not as bad since it wasn't limited to Windows, right? ;-)
    • A few weeks ago there was a "critical update" because one of the dingbats fonts had "unacceptable glyphs" (I'm guessing it was swastikas or inverted pentagrams). It's probably something similar... someone was offended by one of the icons or cursor shapes.
      • Actually, if I recall seeing it right, I believe they removed the Jewish 'Star of David' symbol from the wingdings font. I did a comparison once I saw it change some font on one of my two machines.
    • At least (Score:2, Informative)

      by bonch ( 38532 )
      At least it's not in the kernel [slashdot.org]...

      I've seen plenty of weird things in Linux distros, like privilege escalation in MPlayer. MPlayer, a video player! People really need to start paying attention to LinuxSecurity [linuxsecurity.com] and witness all the monthly vulnerabilities for their distros. They rarely get mentioned on Slashdot (for whatever reason).

      Random sampling from Gentoo's advisory list:

      Gentoo: HylaFAX hfaxd unauthorized login vulnerability
      Date: Tuesday, 11 January 2005
      HylaFAX is subject to a vulnerability in its

    • hey, don't knock it--security holes in mere font files made xboxen nice and soft-moddable. ^_-
    • It's mindnumbingly pathetic that Microsoft's kernel actually loads cursor files, let alone gets itself crashed/compromised by them.
  • which correct vulnerabilities in the handling of Icon and Cursor files

    Seriously now. How the hell did they work that one in? Security flaws in Icon files.

    Amazing.
    • Sure, why not? (Score:4, Informative)

      by Anonymous Brave Guy ( 457657 ) on Tuesday January 11, 2005 @05:42PM (#11326605)
      Seriously now. How the hell did they work that one in? Security flaws in Icon files.

      Perhaps the same way as the widely-used and open source libpng library had a number of vulnerabilities last year? (ref 1 [cert.org], ref 2 [libpng.org])

      Or the same sort of way the Mozilla XBM vulnerability arose? (ref [securityfocus.com])

      This isn't a new thing, and it's not unique to Microsoft, either.

  • by ph4rmb0y ( 711836 ) on Tuesday January 11, 2005 @05:19PM (#11326251)
    Fixes available via Windows Media Player ...
  • MS05-003 on Win2K (Score:3, Interesting)

    by chiagoo ( 846996 ) on Tuesday January 11, 2005 @05:20PM (#11326255)
    I find this part of the security bulletin especially interesting:

    "Windows 2000 is not affected by this vulnerability. However the additional security-related change does affect Windows 2000 and we recommend customers install this update."

    The old adage usually goes "if it ain't broke, don't fix it". Why would they ask people to patch something that isn't broken? Does this indicate that they expect to find a similar flaw in the indexing service on Win2K?
    • I think they mean the patch changes security policies on win2K without actually patching anything. Which is something they still want happening on as many machines as possible.
  • by Jugalator ( 259273 ) on Tuesday January 11, 2005 @05:27PM (#11326368) Journal
    First, Secunia released the advisory for Windows security update 890175 (MS05-001) back in 2004-10-20. Secunia linked to a workaround for the flaw 8 days after this, that was posted by Microsoft. Secunia increased the severity rating in 2005-01-07, and 4 days later, Microsoft has now posted an actual fix.

    Now, the story, unfortunately for Windows users, and fortunately for e.g. open source evangelists, it seems like there are some things to be aware of if needing to uninstall the fix, for example due to possible problems caused by this fix [microsoft.com], which are mentioned here [microsoft.com], under the "Known Issues" heading.

    In other words, we're talking about one issue that may appear as a direct consequence of installing this (my first link) and another one if you then decide to uninstall this fix (my second link).

    Of course, if you aren't subject to the first problem, you don't need to do a thing and you are indeed living in the environment Microsoft was crossing their fingers for that you would be in.
  • I had to deal with an Indexing Service security issue last week.

    Seems the guy that handles the website content got upset when Indexer, well, Indexed the website, finding some content that was a little more sensitive than he wanted out there.

    (It's what happens when your contractor migrates your data, then neglects to remove the temp data when the migration is done, I guess.)
  • vulnerabilities in the handling of Icon and Cursor files

    Wow! As tough to beat as that is, I think Apple [slashdot.org] still wins the day.

    Tough call.

    --

    Was it the sheep climbing onto the altar, or the cattle lowing to be slain,
    or the Son of God hanging dead and bloodied on a cross that told me this was a world condemned, but loved and bought with blood.
  • Can anyone think of any replacements for MS HTML Help? Something I can use to read the MSDN docs that isn't slow as hell or full of bugs?

    Thanks in advance...
  • Maybe now they'll find some time to fix the highly critical flaw in IE 5 & 6 [secunia.com] that was reported on 8/14/2003 that allows a malicious web site to execute arbitrary code on the hapless victim's machine. Timeliness is next to godliness!
    • This isn't a Windows flaw, it's a Visual Studio flaw.

      Hey, you guys like to say exploits in Linux widgets like XPdf aren't Linux flaws, so it cuts both ways. All bad things seem to be lumped under the heading "Windows," but let a flawed RPM come to light and it's a "that's not Linux" buffet for all.

      Make the same standard apply to both or not at all. Double standards are lies masquerading as virtue.
      • This plugin is part of Visual Studio version 6. However, since the plugin is digitally signed by Microsoft, it may be silently installed through Internet Explorer by any website. The user doesn't have to have Visual Studio installed, they only have to visit a page using the control. And like it states, the control is digitally signed, so it's supposed to be safe, right? "Always allow content from Microsoft.com" is one of the funniest things I've ever seen on computers.
      • Hey, you guys like to say exploits in Linux widgets like XPdf aren't Linux flaws, so it cuts both ways.

        Bullshit. /. has 1000's of readers. Some refer to Linux-the-OS, others refer to Linux-the-kernel. No double-standard, just a variety of opinions. As you'd expect on a discussion site that isn't a lying marketing tool [winsupersite.com].

        ---

        Commercial software bigots - a dying breed.


  • I ran windows update, and got the full package including the Malicious Software Removal Tool.

    During the update, the Steam icon on my desktop flickered.

    Sure enough, steam.exe appears to have been removed, presumably by the aforementioned removal tool.

    Am I the only one out there who's had this happen? (in which case, I'm hallucinating, and all will be ok by morning)
  • I think all of us should pause for a moment and thank the Gods for XP SP2's security center's automatic download and installation over BITS feature. At least now we know that these updates stand slightly more chance than a snowball in hell of being installed on a friend/neighbours/relatives machine that's been seen to by helpful slashdotters over Christmas.

    SP2, well yeah, hardly perfect I know. But you've got to love the fact that (l)users are now forcefully made aware of possible(read inevitable) security
  • Many websites include a favicon.ico file in the root directory of the site. This icon is used in favorites to display the site's logo, etc.

    Now, without knowing too much about this vulnerability, it seems possible (likely?) that any Windows app that displays icons would be at risk since the rendering of icons is handled by the OS.

    In theory, Firefox would be as much at risk as IE -- both display favorite icons. And neither has a way to block the display of these icons.

    (The CAN notice is "under review", so
    • by zerblat ( 785 )
      neither has a way to block the display of these icons.
      Actually, in Firefox, set browser.chrome.favicons and browser.chrome.site_icons to false, and you shouldn't see any favicons.
  • by martyb ( 196687 ) on Tuesday January 11, 2005 @06:20PM (#11327160)

    Hmmm, word grouping makes a difference!

    Given reports that the Malicious Software Removal Tool has identified benign programs (e.g. VNC) as infected, maybe BOTH of the following groupings apply!

    Is this a:

    • a Tool that performs the Removal of Malicious Software?
      i.e. (Malicious Software) (Removal Tool)

      OR

    • a Tool that looks around and Maliciously performs the Removal of Software?
      i.e. (Malicious) (Software Removal Tool)

    Freudian slip?

  • Semi-offtopic, but could anyone recommend a good RSS to follow to alert about vulnerabilities? It doesn't even have to be MS or Linux specific. I tried following CERT, but theirs is behind (they don't even have this posted).

    Thanks,
    Daniel
  • The patches they announce do.
