Linked by Thom Holwerda on Tue 9th Aug 2005 21:54 UTC
Microsoft has released six patches for its Windows operating system today. Three of them are rated critical, one important and two moderate. The three critical ones are related to Internet Explorer, Print Spooler and PnP. All three fix issues where your machine could be taken over completely.
These are some bad, bad vulnerabilities
by Anonymous on Tue 9th Aug 2005 22:28 UTC
Anonymous
Member since:
---

The Internet Explorer vulnerabilities (3 of them in one patch) are absolutely awful. First, a buffer overflow in the IE jpeg library; view the wrong image, and you are pwned. Second, some cross-site scripting that could allow remote code execution (yet another reason why multiple zones of trust in one browser is a bad idea). Third, remote code execution via ActiveX controls (as if you needed any more reasons not to use ActiveX). Basic lesson: friends don't let friends use IE.

The spooler flaw is also pretty bad. Basically, if someone could access your printer through Printer and File Sharing (SMB/CIFS), they could take over your machine.

The PnP vuln is not only bad, it is ludicrous. You can send a message over the network and tell the PnP service (which manages USB devices and the like) to execute code for you. Now, why in the name of $DEITY would Microsoft allow a USB daemon to talk to the network???

The Telephony service vulnerability allows you to pwn a machine that runs Microsoft's VOIP services (or to elevate privilege even if no such services are running). That's why you should use Asterisk.

Oh, and a couple of remote DoS and spoofing vulns -- but they are just icing on the cake.

Reply Score: 5

enough is enough
by Anonymous on Tue 9th Aug 2005 22:30 UTC
Anonymous
Member since:
---

are we Microsoft's guinea pigs or what? i can't keep track anymore counting the various windows patches and serious security issues and there seems no end to this nightmare. i wonder how many thousands more vulnerabilities are in the windows code base, each of them just waiting to get discovered by some script kiddie. have the users become Microsoft's unpaid bug chasing slaves?

Reply Score: 1

what's this "windows genuine advantage"?
by Anonymous on Wed 10th Aug 2005 01:28 UTC in reply to "enough is enough"
Anonymous Member since:
---

Did anyone notice that you had to download a little program wga*.exe before you could even begin to download the security patches? I remember reading that MS would be checking the authenticity of their users' Windows installations but it's more than a little insulting to all their customers who are honorable and have invested hundreds if not thousands of dollars in their software. They probably feel immune right now because of their near monopoly on the desktop but I truly hope a genuine competitor to Windows will arise, and make them behave with more civility, if not honor.

Reply Score: 1

anything but
by Anonymous on Tue 9th Aug 2005 23:39 UTC
Anonymous
Member since:
---

Firefox, Opera, Mozilla, Konkqerror, Safari... anything but not InternetExploiter.

Reply Score: 0

be fair
by re_re on Tue 9th Aug 2005 23:46 UTC
re_re
Member since:
2005-07-06

ok..... i'm gonna be the fair one...... do i think internet explorer sucks?.... yes. will i ridicule ms for patching security holes..... absolutely not.

look.... i know MS is the company we all love to hate, but at least be fair.... if mozilla, firefox, konqueror, safari, opera.. whatever came out with these patches you would all either be glad that they did or just say..... they were doing their job by finding and patching security holes.

how is this different..... personally it is not the patches i have a problem with.... it is the lack of patches.... the known security exploits MS does not patch

don't rip on anybody for coming out with security patches.... that's ridiculous

Reply Score: 4

RE: be fair
by Anonymous on Wed 10th Aug 2005 00:10 UTC in reply to "be fair"
Anonymous Member since:
---

The thing about some of these vulnerabilities is that they represent SERIOUS design flaws. As someone said above, why would a USB event handler have network connectivity?

In my opinion, this is the problem with the whole "feel" of Windows; that Microsoft has decided to integrate too much inconsequential functionality.

Reply Score: 0

oops
by re_re on Tue 9th Aug 2005 23:47 UTC
re_re
Member since:
2005-07-06

that "?" after sucks isn't supposed to be there and the "W" in will is supposed to be capitalized.

Reply Score: 1

progster
by Anonymous on Wed 10th Aug 2005 00:04 UTC
Anonymous
Member since:
---

Meh at least they fixed it before I heard anything about it, the only one that sounds really serious to me is the pnp one... and even then a good network setup wouldn't be vulnerable

Reply Score: 0

RE: what's this "windows genuine advantage"?
by re_re on Wed 10th Aug 2005 01:43 UTC
re_re
Member since:
2005-07-06

a successor to the throne will come.... be it linux, bsd, apple, or some other... it will happen, and i believe it will happen in the next 5-8 years

Reply Score: 1

Anonymous
Member since:
---

I really do hope it does happen. Seems to me that we had a lot more different and functional computers back in the mid 90's than what we have now.

I wouldn't mind for a change none at all. Took me a week to learn OS9 and OSX, took me a few days for linux/unix variants, took me a few days to get used to the 9x transition to the nt kernel and interface of xp.

So having to learn new commands ways of app execution is always fun.

Reply Score: 0

Windows Genuine Advantage (WGA)
by Anonymous on Wed 10th Aug 2005 03:16 UTC
Anonymous
Member since:
---

As someone else noted, this includes the WGA checker. I'm concerned that this might kill my installation because I lost my original serial number for XP and am using one I found on the net. Anyone use this yet and see if it monkeys with your system in my type of case? I don't want to hassle with finding the original serial card in the basement of boxes of junk I have if it comes to having to reinstall Windows...

Reply Score: 0

Anonymous Member since:
---

>As someone else noted, this includes the WGA checker. I'm concerned that this might kill my installation

The WGA checker doesn't kill your installation; it just denies access to Windows Update and Microsoft Download Center if your copy isn't "Genuine".
The thingy was hacked in the first 24 hours after release (search google if you want).
You can also still get updates by using the "Automatic Updates" function (it does no checks).
Still it's annoying as hell. Do they actually expect people to pay for their trash?
At least with Linux you get what you pay for (i.e. nothing!).
Damn I wish we would live in a better OS world...

Reply Score: 0

Anonymous Member since:
---

So the Warez kiddies in the know get to patch but the ones that are not get hammered by the hacks (if and when they come out). Should be interesting.

What happened to MS letting everyone have security updates to protect the net/etc? Or do they think everyone still has Automatic Updates still turned on?

Reply Score: 0

Anonymous Member since:
---

You could always contact Microsoft for a new serial number if you really have "lost" your original.

Reply Score: 0

v "Microsoft Fixes Six Flaws"
by Anonymous on Wed 10th Aug 2005 03:29 UTC
@Anonymous (IP: 143.225.138.---)
by Anonymous on Wed 10th Aug 2005 03:43 UTC
Anonymous
Member since:
---

I know what I'm getting because I can SEE THE CODE!

Ah yes and I'm sure you understand every single line of it don't you?

How many people want to sort through source code to make sure it's secure? I mean if that's your answer to windows it's pathetic at best.

You drive a car made in mid-80s or newer? Guess what. It's running on proprietary closed source software and if it fails your life is in far greater danger than any OS you'll ever run on your computer at home.

Wake up sheeple, you'll install anything that comes from the electronic gates of Mordor.

get a life

Reply Score: 0

Anonymous Member since:
---

Ah yes and I'm sure you understand every single line of it don't you?

LOL, yeah right. This ignorant fuckstain probably couldn't write a shell script that prints 'Hello world' to the screen, yet is content with calling anyone running a closed source OS (including Windows, OSX, Zeta, etc) sheeple. It's too bad that fanatics like this do more harm to open source software than good. Hell, I wouldn't use OSS just so that I wouldn't be mistakenly associated with guys like this. I'd rather be assraped by 'the man' for the rest of my life.

Reply Score: 0

broken patches
by Anonymous on Wed 10th Aug 2005 04:27 UTC
Anonymous
Member since:
---

Security
Download Problem Interferes with IE Patch Release
Microsoft is forced to remove "critical" patches for Internet Explorer after the files became corrupted and broke the digital signatures. 2 hours 27 minutes ago
http://www.eweek.com/article2/0,1895,1846419,00.asp

Reply Score: 0

Easy way to overcome wga.....
by Wintermute on Wed 10th Aug 2005 08:13 UTC
Wintermute
Member since:
2005-07-30

You don't have to install any patches or look for anything to overcome MS's stupid WGA. Just go to IE addons (activeX objects) and disable WGA check, it worked for me. It just shows that MS doesn't really fight with piracy, and I am just fine with that.

Reply Score: 1

WGA workaround...
by Anonymous on Wed 10th Aug 2005 10:15 UTC
Anonymous
Member since:
---

I hear that the WGA tool works in WINE and even thinks that Wine is "Genuine"... I guess you can use IE6 in Wine on a linux machine just to download the updates for windows machines, then.

Oh, the irony... :-)

Reply Score: 0

v RE[2]: @Anonymous (IP: 143.225.138.---)
by Anonymous on Wed 10th Aug 2005 12:58 UTC
endless rat race
by Anonymous on Wed 10th Aug 2005 14:49 UTC
Anonymous
Member since:
---

Every time after Microsoft releases a new patch they claim "Windows is secure now" until the next couple bugs are found and my or your machine is compromised. This has been going on forever and I got so sick and tired of it that I am not playing that game anymore. Microsoft should hire more developers instead of using us users as guinea pigs.

A former Windows user.

Reply Score: 0

Microseft is such a joke
by Anonymous on Wed 10th Aug 2005 15:10 UTC
Anonymous
Member since:
---

I can't believe companies actually trust their information to proprietary Microseft products. Long live Domain/OS!

Reply Score: 0

@Anonymous (IP: 65.254.37.---)
by Anonymous on Wed 10th Aug 2005 15:31 UTC
Anonymous
Member since:
---

Is that all you got? (cue canned audience boo noise) Going to call me names next? God I love it when they evade the point and start dragging things down to personal attacks.

You totally missed the point. What good is source code if you or someone else does not understand it ? You want me to believe that anyone off the street can verify that their linux kernel or OSS applications are secure because they have the source ? Sorry dude. Not buying it.

LOL! Jesus Christ man, do you work for M$? Do you know how many people are coding for the FOSS movement?

I am not talking about developers. This is where most people in the OSS crowd start getting confused so I'll try to put it in all caps to make it clear.

NOT EVERYONE WHO USES A COMPUTER IS A PROGRAMMER!

In fact users overwhelm programmers by a large margin. So if your answer to security on windows is that users should look over and validate the source code to their operating system then yes it's pathetic at best.

How many complete remote takeover exploits has WinXP suffered from? How many years has it taken to patch a good lot of them? Just recently there has been even more discovered! How many more exist? It's a joke, man, it's a total joke, and people PAY for this shit.

Yep. There are problems. Big ones. I agree completely.

I'm simply saying that advocating that people who use computers look over the source code to their operating system to make sure it's "secure" is not an answer for 99% of the computer users out there.

You want to do something about the problem that is windows ? Quit acting like a 15 year old and actually write the code and get involved. Start organizing things and get all of these groups within the community focused. Help to show them a better way and embrace windows users.

Almost no one in the OSS crowd understands the basics of selling an idea or product. DO NOT BASH THE COMPETITION. It will kill ya. Anyone who has experience selling anything knows this.

Calling people sheep and going on and on about how you are high and mighty because you can *see* the source code to your OS is not doing anything productive and it surely does little in the way of actually interesting anyone in Linux.

Reply Score: 0

v RE: @Anonymous (IP: 65.254.37.---)
by Anonymous on Wed 10th Aug 2005 19:27 UTC in reply to "@Anonymous (IP: 65.254.37.---)"
Anonymous Member since:
---

I am a BSD user and no person in the BSD community is interested in "selling" anything - use the system if you are able. If you don't like it, then don't use it. If you are able to "code" then YOU can make the change because the source is open - you don't have to wait like a hopeless lemming for Mickeysoft to fix beta quality crap and charge a high price for it. Secondly I don't see Microsoft as competition - they don't/can't compete with the systems I use.

Or, you can use an open source operating system, with many of the apps you have to choose from still in alpha over at SourceForge ;)

Reply Score: 0

Anonymous Member since:
---

All the apps I use run without error, without reboot, without horrific patchwork - which, in your world, means more reboots.

Gawd, don't get me started on MS patching and the qualities of MS Office.

Windows is a great system given you have the time - "Mouse has moved, please reboot system for changes to take effect."

It would be funny if it weren't almost true!!

Reply Score: 0

Microsoft Fixes Six Flaws?
by Anonymous on Wed 10th Aug 2005 20:52 UTC
Anonymous
Member since:
---

Microsoft Fixes Six Flaws?

I think the jury is out on that statement - don't they have to reissue service packs a few times before it actually fixes more than it breaks - man I crack myself up sometimes...

http://www.eweek.com/article2/0,1895,1844654,00.asp

I should stop, this is way too easy. I almost feel guilty, uh, er, well ok, not really. Anyone see the sick humor here? It's all so true!!

Reply Score: 0

even without automatic updates
by Anonymous on Wed 10th Aug 2005 23:48 UTC
Anonymous
Member since:
---

>>>What happened to MS letting everyone have security updates to protect the net/etc? Or do they think everyone still has Automatic Updates still turned on?

Even without automatic updates, you can still go to www.microsoft.com/security to get the updates manually --- without WGA.

Reply Score: 0