Microsoft has released four new patches for Windows XP, some important security ones and other basic support items: .NET Framework ASP.NET Session State Security Hotfix; Windows Management Instrumentation Cannot Register Permanent Event Consumer with Dynamic Classes: Windows XP Patch; WMI AccessCheck Receives Local Administrator’s SID; Platform SDK Redistributable COM+ Java Runtime Support. Get their download links at ActiveWin.
till someone finds out they don’t fix anything anyway.. i had a little hope/confidence left in Microsoft.. even after all the lies and deceit.. but it’s all gone now.. desperately looking for an alternative..
.. kicks out the soapbox .. that’s gotta hurt. Seriously, you can’t have these large complex systems without bugs cropping up here and there. Why isn’t it major news when other operating systems or software vendors make security releases or bug fixes?
My guess is because the other guys simply just fix it and put it in a changelog, and release it with some other new additions that overshadow the bugs. I’m personally grateful that they’re taking the stance of making the bugs/flaws public so people are aware.
You know there’s been some major security flaws in other OS’s recently, it seems almost impossible that linux, freebsd, etc are perfect .. $0.01 to the guy/gal who goes out and finds them. I guess it’s just more visible since one company is behind it. I bet the linux distributors are glad to have the luxury of not being able to take 100% responsibility for problems in the software included in their distros. I realize they all release patches often, but hey, so does MS, and that’s who everyone likes to bash.
So, bearing that in mind, i’d like to take a few moments and count the # of errata emails i’ve received from Red Hat Network Alert.. here’s just a few..
Security Advisory – RHSA-2001:099-06
Summary:
New telnet packages available to fix buffer overflow vulnerabilities
Security Advisory – RHSA-2002:018-10
Summary:
New rsync packages available
Description:
rsync … <snip> … rsync has been found to contain several signed/unsigned bugs in its I/O functions which are remotely exploitable.
Security Advisory – RHSA-2002:026-39
Summary:
Vulnerability in zlib library
.. and i have about 20 or 30 more that i’m not posting out of respect for the people reading and maintaining this site, as i myself find a 100-line message annoying.
Moral of the story is… Stop getting on the “MS sucks” soap box, as the stuff you’re using isn’t any better with regards to bugs/security issues. It’d be one thing if they weren’t fixing them, but i think it’s obvious that they are.
nivenh
While I don’t really like Windows or MS software or MS’s business practices, I’m glad they release bug fixes. It’s a good thing. Saying MS sucks every time they release a fix is as stupid as blaming Apple for not allowing you to build your own Mac.
“Why isn’t it major news when other operating systems or software vendors make security releases or bug fixes?”
because i can’t think of another operating system or non-MS product that runs on 90+% of the WORLD’S desktops. that’s why it’s important, because a bug fix from them could affect far more people than a redhat patch (linux has less than 1% of the desktop market and redhat has a fraction of that). Also, have you heard of all the HUGE holes they have had before? outlook has been the cause or the aide to many destructive viruses. so a patch from MS could fix the hole to stop the virus that causes millions in damage.
p.s. No, i am not a troll, nor do i despise MS and love linux, i do not like MS’s practices but i do and like the idea of Linux, but i am not a zealot for or against them.
and that’s all there is to it, you should M$ bash when they mess up, not when they put out an update. (hint: updates fix things)
Gumby, yes it’s true that bug fixes are good, that is if they work, and if they don’t introduce new and more insidious bugs. But you’re incorrect in your dogmatic assumption that “updates fix things”. Updates change things. Some updates do fix things, true. But others only add features. And while the features may benefit the consumer, they could just as easily be there to benefit the vendor instead. In the end, the only way to determine whether an update package is good or bad is to find out what it does (or fails to do).
Mindless blanket endorsements are every bit as wrong as mindless blanket condemnations, and potentially more dangerous. When it comes to security, it’s best to err on the side of paranoia. IMHO it’s perfectly reasonable to ask why there’s a bugfix (if that’s actually what it is). If there’s a bug fix, that means that there must have been a bug. And if the same vendor keeps on committing the same blunders, then maybe it’s time to start looking for another vendor!
As far as Linux goes, dr_sneed no doubt feels very clever, diverting attention away by pointing a finger of blame at Linux. The thing is that we’re not discussing Linux! Furthermore, it doesn’t excuse Windows’ shortcomings!!
But now that it’s on the table, let’s take a closer look. The thing is that none of the stated exploits are part of the OS itself. They’re all contributed applications! You can run a production Linux system without them. In fact, it has become a standard “good practice” to not even use deprecated utilities like telnet. But Windows users can’t just disable things like IE or Windows! Not only do the Windows exploits tend to be far more insidious, they also cannot be guarded against by good administration practices.
I know that there are exceptions, but in general the Windows bugfixes come in response to a problem after the damage has been done. It’s like closing the barn door after the horses have escaped. OTOH, in general the Linux bugfixes are proactive. Rarely do you hear of thousands of compromised Linux systems as a result of any known bug.
So go ahead and point a finger at Linux. People with common sense will see that the Linux way of handling bugfixes works a lot better than the Microsoft way.
This may be somewhat offtopic, but why don’t Microsoft updates ever concentrate on performance enhancements?
i have downloaded significantly more updates/patches (especially security patches) to my xp machine than my other machines because xp is in the long tradition of microsoft releasing buggy software. i am not a microsoft basher. it’s just that simple.
This may be somewhat offtopic, but why don’t Microsoft updates ever concentrate on performance enhancements?
My guess is that to Microsoft, “performance” means more features, not faster operation. So when you see updates that add this and that, it’s all the performance that you’re going to get.
Windows XP is already pretty fast. Of course they could probably find ways to improve its performance, but it is not top priority because it already performs very well.
-G
i’m very intrigued as to what you mean, gmlongo. in all of my use, xp lags behind my prev gen 2k machine, even though it’s running on a faster processor. i’m patient enough to get xp performing ok, but i would hardly consider it performing “very well”.
in fact, after all of microsoft’s hype, i’ve got a better word for xp: overrated.
M$ has 40 billion dollars and they can’t release even a relatively secure OS.
OpenBSD has never had a security hole in the default install. Or so i’ve heard.
Hi Speed,
>>I know that there are exceptions, but in general the Windows bugfixes come in response to a problem after the damage has been done. Rarely do you hear of thousands of compromised Linux systems as a result of any known bug.<<
that is mostly because joe average user does not download patches from windowsupdate.microsoft.com (or its corporate counterpart). It’s far easier to compromise and damage a system that is used at ca. 90% of all PCs. so your statement is not valid. there are examples of compromised linux systems. (i won’t participate in a discussion about ms monoculture and linux multiculture – but that’s where it leads to). Microsoft has reacted by releasing an “alert me when new patch available” program (isn’t that part of xp already?). But I agree MS should spend more time on securing their applications.
>>they[the bugs] also cannot be guarded against by good administration practices. <<
care to explain and give example?
>>But Windows users can’t just disable things like IE or Windows!<<
you can disable IE and you don’t need to disable windows in order to remove most bugs in windows.
>>…all contributed applications! You can run a production Linux system without them<<
depends, for example running linux without openssh is not very useful. have a look how many bugs there were/are in openssh (pre 3.x). btw what good is linux if i remove all parts from it? I don’t see the difference between contributed applications and apps bundled with ms OS’s.
>>OTOH, in general the Linux bugfixes are proactive<<
that’s just not true. In general most bugs in linux are fixed reactively, that means corrected after submission of the bug.
>>Windows bugfixes come in response to a problem after the damage has been done.<<
read above why more windows boxes are damaged
>>So go ahead and point a finger at Linux. People with common sense will see that the Linux way of handling bugfixes works a lot better than the Microsoft way.<<
I cannot see the difference between linux and ms products in the way they handle errors. microsoft is in the bad position to generate a lot of noise when they release fixes. linux bug fixes OTOH are mostly unnoticed in the public. Please state what’s bad about the way microsoft handle their bugs? publish it, release bugfix.
>> IMHO it’s perfectly reasonable to ask why there’s a bugfix (if that’s actually what it is). If there’s a bug fix, that means that there must have been a bug. <<
first of all bugs are part of software and no software is without bugs PERIOD. bugfixes are a service to customers. (and yes, if there’s a bugfix there must have been a bug – so obvious it hurts). IMHO opinion it’s far better to release a buglist and fix the bug than not to do so.
>>And if the same vendor keeps on committing the same blunders, then maybe it’s time to start looking for another vendor!<<
speed, please stop using those comparisons. you really sound like one of those shopping channel guys and it takes away much of your credibility.
florian lutz
>>I know that there are exceptions, but in general the Windows bugfixes come in response to a problem after the damage has been done.<<
that is mostly because joe average user does not download patches from windowsupdate.microsoft.com (or its corporate counterpart).
That’s a really lousy excuse! Microsoft is responsible for fixing what’s broken, period. Circular arguments about users not downloading patches that don’t exist don’t change that responsibility.
It’s far easier to compromise and damage a system that is used at ca. 90% of all PCs. so your statement is not valid.
That’s a non sequitur. One has nothing to do with the other. You have failed to show how my statement is not valid, if it is. You also haven’t shown how “ease” is connected to “90%”. Looks like faulty logic to me!
there are examples of compromised linux systems. (i won’t participate in a discussion about ms monoculture and linux multiculture – but that’s where it leads to).
Enough excuses, either you have numbers or you don’t.
Microsoft has reacted by releasing an “alert me when new patch available” program (isn’t that part of xp already?). But I agree MS should spend more time on securing their applications.
But you said earlier that users don’t apply those patches! By your own admission it’s ineffective!
>>they[the bugs] also cannot be guarded against by good administration practices.<<
care to explain and give example?
If it’s part of the operating system, and you need the operating system to run the system, then it’s something that you cannot remove. Things like Universal Plug and Play are built into the Windows operating system. You can’t just stop a service to make it go away. The only way to fix it is to shut down the machine!
you can disable IE and you don’t need to disable windows in order to remove most bugs in windows.
No, you can’t disable IE. You can hide it, but you can’t disable it. Haven’t you paid any attention to the antitrust suit? Microsoft made IE inextricable on purpose.
depends, for example running linux without openssh is not very useful. have a look how many bugs there were/are in openssh (pre 3.x).
Well, if the service that machine provides is SSH, then of course sshd is necessary for the server. But that’s because SSH is the application, not part of the operating system.
If you can’t get to a console, and all you use to administer a system is SSH, then you’re a fool. Blame Linux all you like, but it’d be your fault as a lousy administrator.
I don’t see the difference between contributed applications and apps bundled with ms OS’s.
Microsoft is responsible for their own product. The developers of contributed apps are responsible for their work. You don’t see Microsoft supporting Lotus Notes, do you?
>>OTOH, in general the Linux bugfixes are proactive<<
that’s just not true. In general most bugs in linux are fixed reactively, that means corrected after submission of the bug.
Now you’re just playing games. Obviously someone has to know about something before they can take action. But Linux patches usually come before any damage is done, which is by definition proactive.
I cannot see the difference between linux and ms products in the way they handle errors. microsoft is in the bad position to generate a lot of noise when they release fixes. linux bug fixes OTOH are mostly unnoticed in the public. Please state what’s bad about the way microsoft handle their bugs? publish it, release bugfix.
Looks like you see it quite well! The noise comes when all of those Windows systems are damaged — that’s big news. You don’t hear the noise about Linux systems because there’s no damage to be reported. The Linux bugfixes are routine. Again it’s Linux == proactive and Windows == reactive. Once more, I’m not claiming that any of this is 100%. But in general it’s true.
bugfixes are a service to customers.
The laws of most countries say something entirely different! Generally it’s the responsibility of the manufacturer of a defective product to repair the defect.
IMHO opinion [sic] its far better to release a buglist and fix the bug then not to do so.
My point exactly! Doing nothing until people start to complain is the wrong way to do it. And yet that’s exactly what Microsoft does!
>>And if the same vendor keeps on committing the same blunders, then maybe it’s time to start looking for another vendor!<<
speed, please stop using those comparisons. you really sound like one of those shopping channel guys and it takes much of your credibility.
First of all, my conclusion made no comparisons, so I’ll ask you to stop attacking me falsely. As for my credibility, you’re free to not purchase my product. But wait! I’m not here selling any product! So why are you attacking me?
This from Wired:
4:46 p.m. June 12, 2002 PDT
WASHINGTON — Microsoft acknowledged a serious flaw Wednesday in its Internet server software that could allow sophisticated hackers to seize control of websites, steal information and use vulnerable computers to attack others online.
…
A researcher with eEye Digital Security, Riley Hassell, found the Web server flaw in mid-April during testing of eEye’s own hacker-defense software, but the discovery was kept closely guarded under an agreement with Microsoft until Wednesday.
http://www.wired.com/news/technology/0,1282,53173,00.html
Speak of the devil — just what I was talking about! In case you can’t do simple math, the difference between mid-April and mid-June is two months. That’s two whole months that Microsoft sat on it, even though they had been notified. No patch, no public notice. Just like I said.
answered in no particular order:
That’s a really lousy excuse! Microsoft is responsible for fixing what’s broken, period. Circular arguments about users not downloading patches that don’t exist don’t change that responsibility.
what should microsoft do in your eyes? they offer patches, same as linux companys. they can’t force people to install them. and no it’s not lousy. do a portscan (nessus) on your provider subnet, see how many people have win9x with shares enabled. microsoft released a patch eons ago. most people haven’t installed it yet. microsoft can’t be held responsible for the way ppl use their stuff. and it’s not a circular argument.
You also haven’t shown how “ease” is connected to “90%”.
more systems == more likely to find badly administered systems.
fewer systems == less chance to find badly administered systems.
you do not seem to understand that monoculture microsoft is the problem here. if linux were in the position to own most of the desktop market, you would have more compromised linux systems. As bugs would be more likely to be used to damage the system. See opera, now that it is used by so many people, bugs are discovered.
PLEASE state what is wrong about ms way to handle bugfixes.
The Linux bugfixes are routine.
yeah sure :)
all you use to administer a system is SSH, then you’re a fool.
of course, use rshell :), name another tool before calling someone a fool.
I am attacking you cause you seem to go zealot linux, contra MS. just be open minded.
microsoft releases most of their bugfixes within 24h after the complaint about a bug to larger companies. (yes you have to pay a lot of money for that). then after the bugfix is tested it’s generally released to the public. i can’t see how that is reactive.
The laws of most countries say something entirely different! Generally it’s the responsibility of the manufacturer of a defective product to repair the defect.
(sarcasm) great sue microsoft over msoffice since it is defective as hell, you’d sure make a lot of money. (/sarcasm)
think about it
what should microsoft do in your eyes? they offer patches, same as linux companys [sic].
Not true. My last post debunks that lie. Linux software patches are generally released proactively, whereas Microsoft will not even admit a problem until it becomes a problem and is widely known from other sources.
they can’t force people to install them…
Now you’re just changing the subject. The issue is not about people installing patches, it’s about Microsoft’s continual failure to address major security flaws in its operating systems, voluntarily and on a timely basis.
more systems == more likely to find badly administered systems.
You’re changing the subject again! Before you were talking about “easy to compromise and damage a system”. Deal with that claim first, k?
if linux were in the position to own most of the desktop market, you would have more compromised linux systems. As bugs would be more likely to be used to damage the system.
First of all, you’re only speculating. If your theory is correct, then you would be able to show me some Linux exploit numbers, then extrapolate the numbers to compare with Windows’ scale. I don’t see any numbers!
PLEASE state what is wrong about ms way to handle bugfixes.
That’s what I’ve been doing all along! Pay attention!
name another tool before calling someone a fool.
Very well, Webmin. And you are a fool. There, happy?
I am attacking you cause you seem to go zealot linux, contra MS.
That’s a circular definition. If I find faults with Windows, I must be a Linux zealot because Linux zealots are the only people who find faults with Windows.
My advice to you is to concentrate less on names that you can call me, and more about the topic. Specifically why you’re failing to defend your position on this topic.
microsoft releases most of their bugfixes within 24h after the complaint about a bug to larger companies. (yes you have to pay a lot of money for that). then after the bugfix is tested it’s generally released to the public. i can’t see how that is reactive.
I don’t believe you. I’ve paid a lot of money for Select licensing for my 1500 seat, 100 server shop, and never got an expedited bugfix during that time. The article that I posted above also strongly disputes your claim. And I’ve read stories like that one many times before; it’s not an anomaly.
(sarcasm) great sue microsoft over msoffice since it is defective as hell, you’d sure make a lot of money. (/sarcasm)
And you think that’s a Good Thing?!?
Again, you’re evading the subject. We’re not discussing the ability of large corporations to make lawsuits unprofitable. What we are discussing is Microsoft’s continual evasion of responsibility for their products.
And BTW, I may not get anywhere by suing Microsoft, but I can discontinue use of their products.
Think about it.
we’re led along, carrot and stick, and yet people can’t see the line or the pole. microsoft is shameless, but even more shameless are the blokes who ignore who the real “victims” are here. and it ain’t microsoft.