MS Patch Train Leaves the Station
per1176 writes "Microsoft has released 10 advisories to cover a dozen security vulnerabilities, including a "critical" cumulative update for the Internet Explorer browser. The IE fix corrects a remote code-execution vulnerability that exists due to the way the browser handles PNG (Portable Network Graphics) files."
Large size crash (Score:5, Interesting)
ie width=9999999 height=999999 in an
Re:Large size crash (Score:2, Informative)
The folks at libpng fixed the problem months (a year?) ago; I rolled the fix into our application's PNG handling with nary a hiccup.
Oh, and to save anyone else dealing with PNGs the weight gain and hair loss I experienced, there is NO support for pre-multiplied alpha channels in the library. Sigh.
IE PNGs (Score:5, Insightful)
-Jesse
Re:IE PNGs (Score:2, Insightful)
Re:IE PNGs (Score:5, Informative)
http://blogs.msdn.com/dmassy/archive/2004/08/05/2
Believe me, I would rather just use a different browser (one has security holes of its own. As much as the creators of firefox would like to believe they have the perfect browser, any major piece of software is going to have bugs.
The smart developers call these bugs... features :)
The truth is though, most people don't know about anything other than ie. Why else would it show up with more than 80% of the hits on the websites we run. People don't like change. They like ie because it works out of the box with Windows. No extra installing, no "scary" configurations, no extra work on their part. If you want to convince people not to use ie, don't post messages on /. discussing the various security holes involved with png images. Go out and convince MS to stop packaging it with their os. Make people have to do a little work to get on the internet. Maybe then they'll start to think a little about what they are doing.
Re:IE PNGs (Score:2)
Don't say FTP.
Re:IE PNGs (Score:2)
2. ????
3. Profit.
It's a
Re:IE PNGs (Score:2)
Re:IE PNGs (Score:2)
Re:IE PNGs (Score:3, Insightful)
Re:IE PNGs (Score:2)
Re: (Score:2)
Re:IE PNGs (Score:5, Informative)
http://www.w3.org/Graphics/PNG/ [w3.org]
From the first paragraph:
"Indexed-color, grayscale, and truecolor images are supported, plus an optional alpha channel for transparency."
While it would be nice if they supported the optional features, it's actually the developers who continue to use alpha channel transparency PNG that are deviating from the W3C recommendation.
Re:IE PNGs (Score:5, Insightful)
Re:IE PNGs (Score:2)
Re:IE PNGs (Score:2)
-Jesse
Forgive my ignorance (Score:4, Funny)
Lately I envision all Microsoft products as lumbering stay-puff marshmallow men, ambulating labored steps inside a comical suit of band-aids.
Re:Forgive my ignorance (Score:4, Insightful)
Re:Forgive my ignorance (Score:2)
Re:Forgive my ignorance (Score:2)
Microsoft has the source code, they just make the improvements, rebuild the files and perform DIFFs.
Personally I think it's better to apply a binary patch than to have to recompile a kernel just to upgrade it from x.x.11 to x.x.12
Anyway, patches are not wrong, God! if MS software has an unpatched bug it is his fault and it is bad, then if he releases a patch it is also bad because his software is patched.
This is not a patch as the normal dictionary word define it, software patches
Re:Forgive my ignorance (Score:2, Funny)
You know what? Most of us don't mind paying real money for things that have real worth. I paid fifty dollars for Neverwinter Nights when it came out, while my roommate had a 'free' copy the same day.
I will gladly pay money for something I like to make sure that the people who make it will make more. That's how the market economy works. If something has real value, it's only logical to compensate the persons who made it.
Which is entirely why I have never paid for Windows.
Re:Forgive my ignorance (Score:2)
Which is entirely why I have never paid for Windows.
Ah, so Windows has no real value. Can I assume you're running your copy of Neverwinter Nights on something other than Windows then?
Re:Forgive my ignorance (Score:2)
When a 'patch' is applied to software, it simply replaces what was there before and integrates seamlessly - think more 'weave' than patch... Imagine if you were writing a term paper with a group of people, and someone said 'hey... replace the 4th paragraph on page 5 with this new paragraph I'm sen
Re:Forgive my ignorance (Score:2)
Windows comes with an older kernel that requires multiple reboots and Internet downloads while still in a vulnerable state. While it is true that I could probably download all the patches prior it is still far more tedious than a single trip to ftp.kernel.org.
Re:Forgive my ignorance (Score:2)
It is not like a patch you apply to your trousers when they have a hole in them.
When you buy a new lamp for your home or throw away a worn out rug, think of it as patching your house.
Re:Forgive my ignorance (Score:4, Funny)
Re:Forgive my ignorance (Score:2)
M$ still pwnz Linuts (Score:3, Funny)
Re:M$ still pwnz Linuts (Score:2)
Actually, the malware removal software from Microsoft did remove IE. But they "fixed" that "problem" a day later
Reminds me of the JPG buffer overflow (Score:5, Insightful)
Re:Reminds me of the JPG buffer overflow (Score:2)
Re:Reminds me of the JPG buffer overflow (Score:5, Informative)
As a matter of fact, these and other forthcoming issues with various OSes graphic parsing and rendering libraries result from a sustained attempt to break them with fuzzing techniques by researchers at the Finish University of Uola (or Oula. I forget). This is the same group that ripped apart many vendors' implementations of SNMP a few years ago, and ASN.1 a year or two after that. Big thanks to them for proactive efforts to improve security...
Re:Reminds me of the JPG buffer overflow (Score:5, Informative)
You probably meant the Finnish university of Oulu.
Re:Reminds me of the JPG buffer overflow (Score:2)
Re:Reminds me of the JPG buffer overflow (Score:4, Insightful)
For example in 2002 an arbitrary code execution vulnerability was found in Mozilla's PNG code (155222 [mozilla.org]). That obviously set off people searching for other image vulnerabilities, which resulted in them finding Mozilla's GIF decoder was also flawed, allowing for arbitrary code execution (157989 [mozilla.org]). By your logic once that initial alarm goes out the code should be checked and all bugs will be found; if bugs are still present in that module (or in Microsoft's case, in a completely separate but similar one) then it represents a huge failure by the organization. Now since open source projects have tens of thousands of eyes to check source code once a flaw has been found, I'd assume it applies equally to Mozilla. Let's test that theory.
Fast forward to 2004, and the PNG library still has arbitrary code vulnerabilities (251381 [mozilla.org]). Given that people knew as early as 2002 that there had been PNG vulnerabilities, WHY did they not find this one until 2 years later?
Fast forward to 2005, and this time it's the GIF code. Now we already knew the GIF library had problems 3 years ago, yet somehow an arbitrary code execution flaw, which existed from the very beginning of the Mozilla project (1998), is found (mfsa2005-30 [mozilla.org]). This dangerous exploit has been sitting in open source code for 7 years. 3 years ago attention was brought to that very module for the very same kind of exploit. And yet it wasn't found until just a few months ago. By the logic of Nos [slashdot.org], the Mozilla Foundation, and everyone who has checked the code, are morons. Or perhaps Nos has some doublethink to get himself out of the Microsoft bashing to make himself cool hole he dug himself.
Re:Reminds me of the JPG buffer overflow (Score:3, Funny)
Nah, that sounds like some sort of proactive security initiative.
New Microsoft Security Update (Score:3, Funny)
Before you gloat too much (Score:5, Informative)
http://www.us-cert.gov/cas/techalerts/TA05-136A.html [us-cert.gov]
Re:Before you gloat too much (Score:2)
Re:Before you gloat too much (Score:2)
Like anything important to homeland security would be on a Mac.
Heck, I wouldn't even trust HOME security to a Mac.
Re:Before you gloat too much (Score:2)
Thanks for the summary. And that's my point! The Apple "true believers" have been led to think that there's some *radically different* in the design of their beloved operating system that makes it immune to these things. There isn't! It's the same crap!
Re:Before you gloat too much (Score:2)
To bad (Score:3, Insightful)
Re:To bad (Score:3, Funny)
I imagine the microsoft engineers wearing anti-infection outfits (with masks and everything) and large instruments.
---
"Ok there's the creature..." (imagine some sort of alien spider, but with more guts and everything)
"Be careful guys, we don't want to break it, just remove the insecure splinter from it"
"Man, this is disgusting. I wouldn't touch that with a 20 foot pole"
"OK, splinter removed! Close the cage, quickly!"
TSHHHHHHHH
Re:To bad (Score:2)
Re:To bad (Score:5, Insightful)
Vendors should never, ever roll back changes into older versions of their software they force you to use. Tabbed browsing, correct graphics display, CSS support will all be available someday so shut yer piehole! All you'll have to do is upgrade your entire system to get these features. And it's not like anyone else has managed to get that stuff working on the same platform, right? Right? Well, maybe some one has but they must have more programming resources than MS, no doubt...
=tkk
Re:Can't do it... (Score:2)
WSUS (Score:3, Informative)
Re:WSUS (Score:2)
SUS does its job, but I'm hoping for a lot more control over patch management; it's a very inelegant solution.
Re:WSUS (Score:2)
Re:WSUS (Score:2)
The NSA (Score:4, Funny)
Venture to guess? (Score:4, Insightful)
Hmm... Buffer overflow maybe?
Buffer overflow is an amateur mistake. Check your god damn code.
Re:Venture to guess? (Score:5, Funny)
Using an interjection when you mean a adjectival phrase is an amateur mistake. Check your God-damned grammar.
Re:Venture to guess? (Score:3, Funny)
Grammar-Nazi Post.
EVER.
Re:Venture to guess? (Score:2, Insightful)
Rather, buffer overflows are trivial to avoid in class assignments (and indeed, small projects). It's when the project grows larger, gets split into multiple program units and gets multiple authors that you really start scratching the surface of industrial strength development (something the armchair developers on
To
Patches don't solve the problem on new installs (Score:3, Interesting)
I'll install a vanilla copy of XP Pro onto a system, and within minutes of hooking the machine up to the network, it has become infected with a virus, basically requiring a reinstallation immediately.
My normal mode of installation is:
- Install XP
- Two IE windows open:
- One downloads Firefox
- The other goes to Windows Update and starts downloading patches.
- Download everything else using firefox, including drivers, etc.
But apparently Windows Update isn't a fast enough method to get the machine patched, and the machine is compromised before the appropriate patches are finished being applied.
I've made a "XP Install Disc 2" for myself, which has the full SP2 installer file, Firefox, Avast, Spybot, and Adaware on it, that I then install while the box is still offline. It seems that SP2 does well enough at plugging exploits that the system then has enough time to download the other patches normally without becoming compromised.
Does anyone have a better solution?
Re:Patches don't solve the problem on new installs (Score:2)
Re:Patches don't solve the problem on new installs (Score:2)
Re:Patches don't solve the problem on new installs (Score:2)
Re:Patches don't solve the problem on new installs (Score:5, Insightful)
1) Switch on the built-in firewall before you connect to the internet. It's very basic but it does the job, I've been running an unpatched XP system with nothing more than the built-in firewall for months now with no problems.
2) Buy a router. £25/$40 buys you a piece of hardware which acts like a firewall and blocks all incoming ports, other than ones you solicit, natch.
3) Slipstream SP2 into your XP install. Personally I'm staying away from SP2 but use it if you must.
4) Put a copy of Zone Alarm on your "XP Install Disc 2", along with the many useful bits of freeware available at www.grc.com
5) Download, burn and learn how to use Knoppix.
6) ????
7) Profit!
Re:Patches don't solve the problem on new installs (Score:4, Funny)
and remember to turn off upnp. otherwise, the following happens:
<spiritual descendant of back orifice> hey router, this is a upnp request: forward 31337 to this computer, please!
<router> will do, and you have a good day!
<sdobo> oh, i will...
Re:Patches don't solve the problem on new installs (Score:3, Interesting)
We had to use System Restore to go back. I don't have the time to find out what it is about the computers SP2 doesn't like. The service pack should just work. If there's something it doesn't like then we should have had a warning saying "Cannot install SP2 until you remove foo/bar"
Secondly, on the many machines I admin which do run SP2 okay, performance is definitely slower with SP2 installed
Re:Patches don't solve the problem on new installs (Score:4, Informative)
The key thing, as others have said, is to enable the software firewall and make sure that file and print sharing is disabled. A second CD with SP2 and a decent firewall like ZoneAlarm is usually enough too.
Re:Patches don't solve the problem on new installs (Score:2)
Does anyone have a better solution?
Are you kidding me? I install all SP2's from CD.
Re:Patches don't solve the problem on new installs (Score:3, Informative)
Security Update for Windows XP (KB666) (Score:3, Funny)
How to Uninstall
Read all comments rated as funny under a story about Windows Update on slashdot.org and your sense of humor will be successfully uninstalled.
Help and support
http://omgmstehsux0rs.slashdot.org/ [slashdot.org]
the problem isn't what it appears to be (Score:4, Insightful)
There are really two problems here, one true of all major OSes right now, and the other one true of proprietary systems.
The first problem is the pervasive use of C and C++, which makes systems unnecessarily prone to buffer overflows and related problems. C and C++ programmers keep saying that they can handle it, but it is obvious that they can't.
The second problem is that Microsoft and Apple only update their own applications; users are saddled with downloading updates for other software by hand. If all these bugs exist in IE, you can bet similar bugs exist in Photoshop, Office, and many other apps that aren't automatically updated.
Virus Down, Malware Up (Score:3, Interesting)
You'd hav
All aboard! (Score:5, Funny)
Otherwise known as the Bugwarts Express. To find the boarding platform, run your luggage cart full tilt into that blue screen.
How are we going to do transparency now?!? (Score:2)
Paaaaatch Train! (Score:2)
MS cant win (Score:2, Insightful)
if they do patch, you all say "Wow, it must suck really bad to have to patch it"
As if Linux doesn't require constant patching either, hypocrites
Need people be reminded? (Score:4, Interesting)
Tearing Windows present design platform down to the smallest parts and scrubbing and rebuilding would probably put back the release of XP's successor to 2016. Let's hope some people are listening on the Linux and OSX sides and get it in their heads to keep their code lean and healthy and well tested.
Possible problem with this update (Score:3, Informative)
Re:Possible problem with this update (Score:3, Informative)
You will probably have to reduce the size of the system hive, using regedt32.
Could Not Start Because the Following File Is Missing or Corrupt: \Winnt\System32\Config\Systemced [microsoft.com]
Video Problems caused by the Critical Update (Score:2, Informative)
Re:PNG??? (Score:4, Insightful)
Google integer overflow vulnerability for more information.
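An added example, not part of the thread and not code from IE or libpng: the integer-overflow class named in the comment above, shown as a buffer-size calculation driven by PNG header dimensions, with the wrapping 32-bit form beside an overflow-checked one. The function names, result codes and the 256 MiB cap are assumptions of this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

enum { IHDR_OK = 0, IHDR_BAD_FORMAT = -1, IHDR_BAD_DIMENSIONS = -2, IHDR_TOO_LARGE = -3 };
/* Policy cap on the decoded size; the value is an assumption of this example. */
#define MAX_DECODED_BYTES ((uint64_t)256 * 1024 * 1024)

static uint32_t be32(const unsigned char *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* The flawed pattern: 32-bit arithmetic wraps silently (65536 * 65536 * 4 == 0),
 * so an allocation sized from it is far smaller than the data later written. */
uint32_t naive_size32(uint32_t width, uint32_t height, uint32_t bytes_per_pixel) {
    return width * height * bytes_per_pixel;
}

/* Samples per pixel for each PNG colour type; 0 marks an invalid type. */
static unsigned channels_for(unsigned color_type) {
    switch (color_type) {
    case 0: case 3: return 1;   /* grayscale, indexed */
    case 2: return 3;           /* truecolor */
    case 4: return 2;           /* grayscale + alpha */
    case 6: return 4;           /* truecolor + alpha */
    default: return 0;
    }
}

/* Check signature and IHDR, then compute the non-interlaced decoded size safely. */
int png_checked_image_size(const unsigned char *buf, size_t len, size_t *out_bytes) {
    static const unsigned char sig[8] = {0x89, 'P', 'N', 'G', '\r', '\n', 0x1a, '\n'};
    if (len < 29 || memcmp(buf, sig, 8) != 0) return IHDR_BAD_FORMAT;
    if (be32(buf + 8) != 13 || memcmp(buf + 12, "IHDR", 4) != 0) return IHDR_BAD_FORMAT;
    uint32_t width = be32(buf + 16), height = be32(buf + 20);
    unsigned depth = buf[24], channels = channels_for(buf[25]);
    if (channels == 0) return IHDR_BAD_FORMAT;
    if (depth != 1 && depth != 2 && depth != 4 && depth != 8 && depth != 16) return IHDR_BAD_FORMAT;
    /* The PNG specification requires 0 < dimension <= 2^31 - 1. */
    if (width == 0 || height == 0 || width > 0x7fffffffu || height > 0x7fffffffu)
        return IHDR_BAD_DIMENSIONS;
    /* width * channels * depth <= 2^31 * 4 * 16 = 2^37, which fits in 64 bits. */
    uint64_t row_bits = (uint64_t)width * channels * depth;
    uint64_t row_bytes = (row_bits + 7) / 8 + 1;    /* +1 for the per-row filter byte */
    /* Divide rather than multiply, so the comparison itself cannot overflow. */
    if (row_bytes > MAX_DECODED_BYTES / height) return IHDR_TOO_LARGE;
    *out_bytes = (size_t)(row_bytes * height);
    return IHDR_OK;
}

/* Constructed sample input: signature, IHDR length and type, then the header fields. */
void make_sample_header(unsigned char out[29], uint32_t w, uint32_t h, unsigned depth, unsigned ctype) {
    static const unsigned char head[16] = {0x89, 'P', 'N', 'G', '\r', '\n', 0x1a, '\n',
                                           0, 0, 0, 13, 'I', 'H', 'D', 'R'};
    memset(out, 0, 29);
    memcpy(out, head, 16);
    for (int i = 0; i < 4; i++) {
        out[16 + i] = (unsigned char)(w >> (24 - 8 * i));
        out[20 + i] = (unsigned char)(h >> (24 - 8 * i));
    }
    out[24] = (unsigned char)depth;
    out[25] = (unsigned char)ctype;
}

int main(void) {
    unsigned char hdr[29]; size_t n = 0;
    make_sample_header(hdr, 65536, 65536, 8, 6);
    printf("naive=%u checked=%d\n", (unsigned)naive_size32(65536, 65536, 4),
           png_checked_image_size(hdr, sizeof hdr, &n));
    return 0;
}
```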
Re:Sure glad I don't have to do this crap (Score:2, Informative)
You'd better go here [fedoralegacy.org] and install the Fedora updates (three in the last month)!
Re:Sure glad I don't have to do this crap (Score:2)
Re:Sure glad I don't have to do this crap (Score:3, Insightful)
Does your firewall block outgoing HTTP connections and incoming email? If not, then it's not going to help against attacks like this PNG bug which are propagated through user-pulled data rather than attacker-pushed port connections. Such attacks exist for Linux, too. There is no such thing as "safe networking", and the only way to come close is to keep every connected computer up to date. I think Fe
Re:Sure glad I don't have to do this crap (Score:4, Insightful)
The amount of "CPU time" "Windows users" spend patching holes is a few minutes every month. And get off your high horse, here: while Linux distros provide updates for a more comprehensive range of apps, it's also the case that you have to download far more (in terms of raw megabytes) far more often. I'm willing to bet right now that, timing from the release of FC3, FC3 has required more and bigger updates than Windows.
I'll never forget the time, earlier this year in fact, when Mandrake provided a security "update" for the kernel (you may remember the much-publicized privilege escalation vulnerability around the end of last year). This "patch" consisted of the whole kernel source (maybe 40MBs of it) which you would have to manually compile and install (no nice binary rpm, here). With this one single update, Mandrake users have exceeded the "CPU time" required for a few months of Windows updates. And let's not forget the hefty kdelibs security updates, which basically amounts to downloading the whole of kdelibs again, since none of the distros seem to provide diff-style patching. The same with Firefox (8MB on Linux...?).
Also, while we are free from worms and viruses here, note that there is nothing innate to Linux that precludes phishing and spoofing attacks.
Ugh. Completely untrue (Score:2)
I use mandrake, I have since 9.0. I have _never_ had to compile the kernel from source. You urpmi the source from the command line. The mcc interface will NOT install the kernel automatically. You have to do it manually.
In older distributions, you would simply type urpmi kernel (or whichever of the other kernels you're using, like enterprise, etc.). In the recent mandriva releases, you have to type urpmi kernel-2.6
Obviously you haven't been using linux often... Where did
Re:Completely untrue (Score:2)
Re:Completely untrue (Score:2)
Anyway, I'm not saying the kernel issue on mandrake/mandriva is easily apparent to ordinary users. At first I was confused too.
I haven't actually done it recently, but AFAIK you can't upgrade the kernel using the GUI tools. I think you might be able to type i
Re:Completely untrue (Score:2)
It's all good, dude :)
Ah, that would explain a lot.
Oddly enough, this one stumbling block is the thing that put me off Mandrake (onto Gentoo of all things! But I'll wipe that soon and replace it with Kubuntu, like I have with my laptop). Other aspects were the fact that downloading the updates to repository lis
Re:Sure glad I don't have to do this crap (Score:2)
Ugh.
I would agree this is an awkward way of putting it -- but stressing the different usage-patterns of your typical engineer vs your typical joe 6p is in itself a valid point, I would say. There is a point where insisting things being in some respect "equal" is self-defeating.
Recognizing a difference does not necessarily invalidate one or the other "variant," in fact it often allows the be
Re:Sure glad I don't have to do this crap (Score:2)
Re:Sure glad I don't have to do this crap (Score:2)
Sad little man. The previous poster wasn't calling you a sheep, but I will. Sure, you can run Windows because it 'Just sucks...err....works out of the box' and be constantly on your guard against the mentioned spyware, malware, trojans, viruses, etc. The plain fact is that OSS bugs and security flaws are generally less damaging, less frequent and resolved faster than the flaws in MS products.
You completely failed to mention Gentoo when trying to rip Linux. My
Re:Sure glad I don't have to do this crap (Score:2)
none of the distros seem to provide diff-style patching.
Suse 9.3 does, as I'm on dialup it's a godsend.
As it's now GPL I wish other distro makers would look closer at YAST, it's by far the best config etc tool I've seen.
Re:Sure glad I don't have to do this crap (Score:2)
Or maybe you're just a pretentious holier-than-thou asshole who doesn't realize that some of us use Windows because that's what our products are delivered on, or we need a piece of legacy software to do our work, or our kids have Windows-only games, or we've never heard of Linux so we don't know there's alternatives to Microsoft, or our bank requires IE, or any of the other thousand and one reaso
Re:Microsoft... again (Score:2)
Re:Microsoft... again (Score:2, Funny)
Re:Microsoft... again (Score:3, Insightful)
Without actually using AV software, you'd verify this how? Don't pretend that the tasklist command from the CLI (just a text version of the Task Manager) is going to save your ass. Most viri don't tend to show up in such a perfunctory fashion. I'd be willing to bet your box is in a lot worse shape than you think it is. Don't be like those guys who have sex with random people without protection because the
Re:Microsoft... again (Score:3, Insightful)
It's pretty easy to not get a virus in Windows. How? Well, there are 3 basic ways you get infected:
1. Listening network ports with compromisable services. Solution: install a NAT'ing router with firewall. Paranoid solution: install Zonealarm or one of the dozen other competing offerings as well. Hav
The disturbing trend (Score:3, Insightful)
You're right, as far as you go.
The problem is that's pretty hard to defend against those things. Home users don't know how. Corporate network administrators have hundreds of interlocking "business requirements" that prevent them from shutting the d
Re:Microsoft... again (Score:2)
Re:Witty Headlines (Score:2)
Re:Few Points (Score:2)
Re:Wow. You'd think they'd get all these (Score:3, Insightful)
I don't presume to know it all, and I'm not pointing any fingers, it just seems to me like Microsoft is a victim of it