Microsoft warns of a score of security flaws
Eugenia Loli, 2004-10-12, Privacy, Security

Microsoft on Tuesday published 10 software security advisories, warning Windows users and corporate administrators of 22 new flaws that affect the company’s products.

36 Comments

2004-10-12 9:19 pm
Debian had 7 security fixes THIS WEEK. Gentoo had 7 as well. I’m sure over the course of 6 weeks, they would have well over 22 each. I’m not defending Microsoft or anything, I’m a die-hard Gentoo user at home. But, please, let’s be fair.

Jason
2004-10-12 9:22 pm
How many of these are holes in the OS or IE that affect WinXP SP2?

2004-10-12 9:24 pm
Seen him at work in another thread.

2004-10-12 9:36 pm
Oh well, I still won’t install a firewall or AV on my Windows XP install. Too much hassle to protect my personal photos of my cats and my Nissan Micra. I repeat it again and again: an average user has no need for firewalls and other crap. All my computer-illiterate friends who run Windows have been doing so for years without extra protection software and no one ever had a security and/or virus related problem. Neither have I. And, I’ve never ever met anyone with a problem concerning security in real life. And, I’ve never ever worried too much either. It’s all between the ears. One sheep screaming about insecurity, five minutes later, it’ll be one million. Besides, I’m happy with my BeOS and OS X. It’s a different story for corporations of course.

2004-10-12 9:38 pm
“Debian had 7 security fixes THIS WEEK. Gentoo had 7 as well. I’m sure over the course of 6 weeks, they would have well over 22 each. I’m not defending Microsoft or anything, I’m a die-hard Gentoo user at home. But, please, let’s be fair.”

How the hell do you want to compare these things? Gentoo and Debian are probably the Linux distros that have the most packages available! We are talking about hundreds of software packages here! And they release security fixes every time one of those packages needs it… You are right, LET’S BE FAIR.

2004-10-12 9:44 pm
I still could not figure out if you’re a disguised troll, or you just like saying stupid things, refusing real facts when they don’t match your opinions.

2004-10-12 9:49 pm
“I still could not figure out if you’re a disguised troll, or you just like saying stupid things, refusing real facts when they don’t match your opinions.”

No, I just like relying on my own experience and on that of the people around me I know, instead of relying on others on the net telling me that XP will certainly be infected 15 minutes after a clean install and more of that ridiculous crap. I’m not going to get a cure for a disease I don’t have.

2004-10-12 10:00 pm
Thom, I know you don’t use security on Windows, you’ve told me yourself, but how do you know you never got a trojan, or a worm? You can’t tell without AV software and you can’t stop them without a firewall, no matter how safely you surf the net.

2004-10-12 10:04 pm
Andrew, I do my occasional checkup, and you know, I never find anything… I’m sorry. I just don’t fit in the general picture I guess.

2004-10-12 10:08 pm
The most relevant thing is not how many security holes Windows or Linux, or whatever, may or may not have – but how serious those bugs and holes are. In general, counting the number of security holes may make some sense. But remember that there might be 100 small bugs that cause no real harm, and one big security hole that causes bigger harm than all those 100 bugs together. This important point of view is forgotten when people compare the security of operating systems only by quoting some numerical security statistics.

2004-10-12 10:08 pm
Less than 15 minutes, actually.

I’m looking at my firewall now and I receive an average of 5 RPC hammerings per minute, I guess from wormed Windows users. And if you live behind a router, or use an ISP that does block some of that trash for you, then you’re a lucky guy. But for most people, installing and maintaining an unprotected Windows XP and keeping it connected to the internet is just impossible. Can’t you just learn enough humility to understand that if all the world is in uproar because of security problems with XP, virii, malware etc. (and I’m not talking of Linux zealots here, I’m talking of independent consultants and government organizations), then it’s not “ridiculous crap”? You sound like a guy from a high school in Beverly Hills who had his small slice of early sexual discovery with uptight coeds, and thinks AIDS doesn’t exist because none of his partners had it. But worse, he goes around saying that safe sex is too much of a hassle, and it’s all “ridiculous crap”. Wake up, your neighbourhood is not the world.

2004-10-12 10:18 pm
“I still won’t install a firewall or AV on my Windows XP install. I repeat it again and again: an average user has no need for firewalls and other crap.”

Huh? Do you have any idea how many infected Windows PCs there are in the world? Do you have any idea how many of just those PCs are often used by spammers, or as tools that crackers may use for really serious denial of service attacks (etc.) against third parties? By saying what you say, you are certainly not helping anyone – except the crackers.

“I do my occasional checkup, and you know, I never find anything…”

Ahah, so, after all, you do use some AV and maybe other security software too… And maybe you’re also already protected by your service provider by their firewalls, antivirus and anti-spam services? So you must have been just joking before, right..?

2004-10-12 10:21 pm
Calm down, people.

Thom, I work on Windows based computers daily and every one of them has at the very most some spyware, usually a virus or two. But these are computer illiterate people I deal with. My Windows 2k install has been going over a year. I have gotten ) spyware and only one virus and that was from an infected PC I put on my network without thinking.

2004-10-12 10:21 pm
I know you’re from Holland and not from Beverly Hills. And I’m not “comparing”. It’s called a metaphor. Then again, I usually read what people say, rather than from what country they write.

2004-10-12 10:24 pm
Woops, supposed to be ‘gotten 0 spyware’.

2004-10-12 10:32 pm
Yeah, I imagined that. On my Windows XP install I myself got 0 spyware and 0 virii since 2002, because I know what I’m doing. But for a very long time I used to receive like 15-20 pieces of virus-laden mail per month on my free email accounts, and I can only imagine what would have happened if I had not had an AV or the good sense to check and delete mail on the server before download. And I could do nothing against Sasser: came back from a vacation, turned it on and boom. The point is that when discussing the security of a widespread OS like Win XP you have to discuss the average user in the worst case environment.

2004-10-12 10:34 pm
“an average user has no need for firewalls”

An average user doesn’t know how to do your “occasional security checkups”. He needs good security software to take care of the security. And besides, skilled and expert users who have some intelligence (and are not e.g. just trolling to keep the focus from the real subject of the article?) do use firewalls and other such security software too. I remember that I did use Windows a long time in the past without any anti-virus and firewall software too. It was a safer time then though. I did manage rather well for a time – until virus/virii – that I believed could not hit my PC – hit me nevertheless… I was a rather skilled user even then. However, the “average user” you, Thom, were talking about, doesn’t know almost a thing about keeping his PC secure by his own means.
2004-10-12 10:40 pm
I sort of agree with Thom on this – the average user shouldn’t have to run a firewall. If you buy a car and the roof leaks, you get the holes fixed (or return it to the dealer :-P), you don’t put armour plating all over the roof. A firewall is really overkill for what users actually need. Unfortunately it’s about the only option with Windows now, which is not a nice thing – although the world would be a happier place if everyone was behind NAT for their net connection; it’s piss-easy to set up and practically everything passes you by.

2004-10-12 10:49 pm
“I sort of agree with Thom on this – the average user shouldn’t have to run a firewall.”

Maybe so – but what he said was that an average user has no need for firewalls… You sort of agree with that?? Actually it is sort of the opposite to what you say: “Unfortunately it’s (firewalls) about the only option with Windows now…”

2004-10-12 10:56 pm
Well, I am a die hard Windows user (for me) and have had no problems, but after repeatedly having to fix my grandmother’s PC from virus/crapware, I told her she was getting a Mac and went out and bought her one. As far as posing which ones are “serious”… well that depends. Any vulnerability that leads to infection in my mind is serious, regardless of what the infection actually does. But I haven’t been infected by any of these vulnerabilities… so they were not serious to me. As many people fight about, there is the whole issue of what viruses are written for… the OS that has the majority of the market share (I won’t argue this one any further, other than that my opinion agrees). Metic brought up the most interesting thing to me. Maybe ISPs should be held responsible for some of this crap floating around. There are gateway appliances that will filter ALL incoming traffic and defend the end user. There are appliances that fingerprint the network, and will quarantine offenders. Shouldn’t they be using some of this??? We all know the reasons they are: politics and kickbacks.

2004-10-12 11:11 pm
“Oh well, I still won’t install a firewall or AV on my Windows XP install. Too much hassle to protect my personal photos of my cats and my Nissan Micra. I repeat it again and again: an average user has no need for firewalls and other crap. All my computer-illiterate friends who run Windows have been doing so for years without extra protection software and no one ever had a security and/or virus related problem. Neither have I. And, I’ve never ever met anyone with a problem concerning security in real life. And, I’ve never ever worried too much either.”

Most of us here have never accused you of being the brightest star in the sky; we now will need to extend that to cover your friends as well. One can only hope you don’t teach others to behave this way. I wouldn’t get near the internet without a firewall no matter what the OS involved. Even with NATting provided by a router, I still load a software firewall.

2004-10-12 11:35 pm
To understand how severe the problem really is and how it affects us all, regardless of our own security solutions and awareness, you should read news articles like this:

– Rise of the Botnets: http://www.theregister.co.uk/2004/09/20/rise_of_the_botnets/
“The first half of 2004 saw a huge increase in zombie PCs. Also called bots, their average numbers monitored by security firm Symantec rose between January and June from under 2,000 to more than 30,000 per day – peaking at 75,000 on one day.”

– Zombie armies behind cybercrime sprees: http://news.zdnet.com/2100-1009_22-5392694.html
“According to communications firm Energis, online crime appears to be occurring in cyclical patterns related to the creation of botnets–zombie armies of PCs that have been taken control of without the owners’ knowledge.”

– ‘Zombie’ PCs caused Web outage, Akamai says: http://news.zdnet.com/2100-1009_22-5236403.html
“The attack that blacked out Google, Yahoo and other major Web sites earlier this week involved the use of a “bot net”–a large network of zombified home PCs–Internet infrastructure provider Akamai Technologies said Wednesday.”

– Alarm growing over bot software: http://news.zdnet.com/2100-1009_22-5202236.html?tag=nl

2004-10-12 11:47 pm
Thousands of companies are paying off online extortionists: http://news.zdnet.co.uk/internet/security/0,39020375,39169461,00.ht…

“Six or seven thousand organisations are paying online extortion demands”

“Every online gambling site is paying extortion,” Paller claimed. “Hackers use DDoS [denial-of-service] attacks using botnets to do it. Then they say ‘pay us $40 thousand or we’ll do it again’.” Paller added he was concerned that the same techniques used for extortion — i.e. DDoS attacks — could easily be used to target organisations in the critical national infrastructure (CNI).

“Applications breaking after patching is the operating system vendor’s fault,” he said. “They tell developers to build applications on unprotected systems. But the other half of the game is that application vendors should have to test their products on safer systems – you do that with procurement.”

2004-10-12 11:48 pm
SP2 is only affected by one… in fact SP2 had *LESS* vulnerabilities than Windows 2003 Server. This is good news for Microsoft, not bad; when they port the good things of SP2 to Windows 2003, they’ll get a quite secure system…

2004-10-13 12:15 am
Well, hence “sort of” – I think that users shouldn’t have to run a firewall, not that they shouldn’t – there’s a difference. And I don’t know what these hackers are going to do with pictures of Thom’s Nissan Micra – point and laugh, probably. What they are likely to do is turn his machine into another of the millions of zombies out there. Upon re-reading it, maybe I shouldn’t have mentioned Thom – never met anyone in real life with security problems? I propose a simple research assignment for him: Build a new XP machine (sans SP2). Connect directly to the internet via dial-up or ADSL or whatever. Wait 20 minutes… it’s compromised. There’s a real-life security issue.

2004-10-13 6:38 am
“I propose a simple research assignment for him: Build a new XP machine (sans SP2). Connect directly to the internet via dial-up or ADSL or whatever. Wait 20 minutes… it’s compromised. There’s a real-life security issue.”

I just reinstalled XP a few weeks ago – and I did exactly that. It ran for days without updates, firewalls and the like. No problem, you know. Then I installed SP2.

“Most of us here have never accused you of being the brightest star in the sky, we now will need to extend that to cover your friends as well.”

First of all, I’d like to know who I’m dealing with, “anonymous”. Secondly, I would like it if you didn’t resort to low-level name calling. Thirdly, who is bright here? The one that has managed to run several computers virus-free for over 13 years, or the one that runs around like a paranoid duck installing tons of security software and still claims the net is unsafe? I can tell you now that I’m a million times more relaxed when I’m behind my PC. You know why? Because I simply don’t care about security! Companies, they should worry. They have important stuff to protect. The average user doesn’t. Well, or he or she keeps the code to his/her bank account in a “bank.doc”.

2004-10-13 7:00 am
Hi, I do tech support and I was talking with a colleague of mine yesterday: he rebuilt a machine for a friend last week, ’cause for the Nth time it was completely bogged down by viruses and spyware, to the point of not being functional anymore. He reinstalled the OS and (fortunately) installed the AV software before connecting to the net to update the OS. He connected, typed “www.microsoft.com” and bang! First worm hit. Very much less than 15 minutes. It’s more like 15 SECONDS if you are not behind a NATting router… and most people are not. Most people here in Italy are still on 56k modems, and 90% of the others use crappy USB ADSL modems ’cause that’s what the ISPs give them by default, and they don’t know better. To wrap it up: I believe you when you say your machine is clean, but you are in a very special case. Your network is already protecting you (and pray your router is not one of those with default maintenance passwords and such). But most people simply connect directly to the maelstrom of virus attacks, so they NEED an AV and FW, otherwise they get infected. It’s as simple as that.

2004-10-13 9:11 am
“Most of us here have never accused you of being the brightest star in the sky, we now will need to extend that to cover your friends as well.

First of all, I’d like to know who I’m dealing with, “anonymous”. Secondly, I would like it if you didn’t resort to low-level name calling. Thirdly, who is bright here? The one that has managed to run several computers virus-free for over 13 years, or the one that runs around like a paranoid duck installing tons of security software and still claims the net is unsafe?”

You just plain don’t get it… Security is the only hope for holding the entire internet together; without it chaos will replace everything as we know it. You’re going to continue to be a dim bulb no matter what, going to argue with anyone that disagrees, and generally present yourself as a complete pain in the ass. One only needs to read OSNews for a week to figure out you are an absolute fruitloop. (no applause please) lol

2004-10-13 9:24 am
Hey! Basically it boils down to installing the MSBlast and Sasser patches to be completely protected on the open internet (no NAT, firewalls, etc). Oh, and disabling the Server and Workstation services will also help. Other than that – what threats are you talking about? How can anyone break into a machine that doesn’t have any useful services running?

2004-10-13 9:50 am
I used to use no firewall under Windows until the Blaster outbreak. I just had an AV and I lived happily as the only user of my computer. After Blaster, I finally gave in and installed a firewall. The firewall saved me during the subsequent Sasser spread. Sure, my Windows is now patched against those two threats and I took care to disable a few services I did not need. But still I prefer keeping the firewall on, just in case a new vulnerability is exploited in the services I _do_ need. Basically I think that simple to use firewalls are worth the hassle. They should be easy to set up for the computer illiterate, but still the concept that you should define who can and cannot access your computer’s services should be a key one, that we should try to propagate to the less tech-savvy. Sadly some OSes like Windows chose to indulge in dangerous oversimplification, the result being that they never even tried until now to educate their users in local or net security. They had to rush with SP2 because the situation was becoming unsustainable, but there were fundamentally flawed choices (like defaulting home XP to administrative user accounts) that paid off in the short term for back-compatibility but are finally showing their other edge. IMO, the way to go is to help the user to know and set up at least a little about his/her computer security. SP2 does something, but probably we’ll need a deeper redesign to see revolutionary improvements.

2004-10-13 10:52 am
@Thom Holwerda
Thom, you’re right about one thing, that the crackers aren’t interested in the pics of your Nissan Micra and your cats on your hard drive. But do you really want to be a national security risk? 😉 So, did you read at all what I wrote above about the risks of running unprotected Windows PCs? (Yes you did, but you just didn’t want to pay attention to the facts, did you?) It doesn’t matter whether you wouldn’t care if crackers get access to your PC. But it matters to us all a lot if crackers can use your or your friends’ PCs as zombie machines when committing cyber crimes like extortion, spreading spam, cracking passwords of important servers (maybe of the company where you work, or the government and army that protects your country etc.). According to one of the articles I mentioned: “Symantec puts the number of computers compromised with bot software in the hundreds of thousands. Other security experts have put the number in the millions.” One of those millions of zombie PCs around the world could very well be your dear unprotected Windows PC (and without you having any clue about it) or belong to some of those friends of yours. An example related to your beloved Nissan Micra: If you live in a northern country and drive your car in winter time when there’s ice and snow, your car should have suitable winter tires. You cannot just trust your good luck and driving skills. Such arrogance and ignorance carried out in real life has killed lots of innocent people. Therefore such acts should be, and are, punished to prevent any more harm from being done.

2004-10-13 4:40 pm
I was re-installing XP and MSN on a friend’s computer and got Sasser from the MSN download site. There was absolutely no chance to get a patch first. It is a shame that the entire MSN software doesn’t come on the CD rather than making you run the program and then download the rest of it. They should modify Windows Update so that it comes with its own limited use dial connection just for downloading patches so a brand new user can run that first before actually going out on the internet.

2004-10-13 6:22 pm
“Thom, I work on windows based computers daily and every one of them has at the very most some spyware. usually a virus or two”

Yeah, but infected PCs make good zombies. How would you feel if grandma’s PC was used to hack the DOD or used for spamming? There is liability here, and using antivirus and firewalls or practicing safe hex is needed. It’s a civic duty to keep your PC clean. Running BeOS at the moment. Wonder how many exploits are in NetPositive?

2004-10-13 6:28 pm
Some facts: AOL, AIM, Yahoo, and IE have more holes than Swiss cheese. This is just the nature of the beast. I’m astounded that SP2 actually proactively stops some of the hypothetical exploits. Then Longhorn and Server 2005/6 will have N^X for stack overflow protection. MS is getting their crap together, I must say. I am looking forward to Longhorn, and I’m as jaded as it gets.

2004-10-14 1:53 am
People, you always need a firewall no matter what OS. Think Sasser would have been on the 6PM news if everyone had been NAT’ed?

2004-10-14 8:56 am
Oh my God, another load of serious flaws. Soon it will be patched like a Swiss cheese and still be full of flaws. Why does the world standardise on such stuff?
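The measurement one commenter reads off his firewall ("an average of 5 RPC hammerings per minute"), and the services the later comments talk about disabling or firewalling, can be reproduced from a firewall log. The script below is an added example, not code from the thread or from any of its commenters: it parses constructed log lines in an assumed pfirewall.log-like layout (date time action protocol src-ip dst-ip src-port dst-port), counts dropped inbound TCP hits on the ports the Blaster (135) and Sasser (445) worms targeted, and lists the sources that keep coming back.

```python
"""Count inbound hits on worm-targeted ports in a Windows-Firewall-style log.

The SAMPLE_LOG lines are constructed for this example; the field layout
(date time action protocol src-ip dst-ip src-port dst-port) is an assumption.
"""
from collections import Counter

# Ports the worms named in the thread hammered: Blaster went after DCOM RPC
# on TCP 135, Sasser after LSASS over TCP 445; 139 is NetBIOS session traffic
# handled by the Server service the comments suggest disabling.
WORM_PORTS = {135: "RPC/DCOM (Blaster)", 139: "NetBIOS-SSN", 445: "SMB/LSASS (Sasser)"}

SAMPLE_LOG = """\
#Fields: date time action protocol src-ip dst-ip src-port dst-port
2004-10-12 22:00:03 DROP TCP 10.9.8.7 192.168.1.2 1043 135
2004-10-12 22:00:11 DROP TCP 10.9.8.7 192.168.1.2 1044 445
2004-10-12 22:00:40 DROP TCP 10.2.2.2 192.168.1.2 2210 135
2004-10-12 22:00:52 DROP UDP 10.5.5.5 192.168.1.2 137 137
2004-10-12 22:00:58 OPEN TCP 192.168.1.2 10.1.1.1 3001 80
2004-10-12 22:01:02 DROP TCP 10.9.8.7 192.168.1.2 1045 135
2004-10-12 22:01:30 DROP TCP 10.3.3.3 192.168.1.2 4412 445
2004-10-12 22:01:31 DROP TCP 10.3.3.3 192.168.1.2 4413 139
2004-10-12 22:02:15 DROP TCP 10.4.4.4 192.168.1.2 1025 135
"""


def parse_log(text):
    """Yield (minute, action, protocol, src_ip, dst_port) per data line."""
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue  # skip header/comment lines
        fields = line.split()
        if len(fields) < 8:
            continue  # malformed line, ignore rather than crash
        date, clock, action, proto, src, _dst, _sport, dport = fields[:8]
        yield (f"{date} {clock[:5]}", action, proto, src, int(dport))


def _worm_hits(text):
    """Only dropped, inbound TCP connection attempts at WORM_PORTS count."""
    for minute, action, proto, src, dport in parse_log(text):
        if action == "DROP" and proto == "TCP" and dport in WORM_PORTS:
            yield minute, src, dport


def worm_hits_per_minute(text):
    """Counter keyed by 'YYYY-MM-DD HH:MM' -> number of worm-port hits."""
    return Counter(minute for minute, _src, _dport in _worm_hits(text))


def average_per_minute(per_minute):
    """The 'hammerings per minute' figure the commenter quotes."""
    if not per_minute:
        return 0.0
    return sum(per_minute.values()) / len(per_minute)


def noisy_sources(text, threshold=2):
    """Sources hitting worm ports at least `threshold` times: scanner-like."""
    by_src = Counter(src for _minute, src, _dport in _worm_hits(text))
    return {src: n for src, n in by_src.items() if n >= threshold}


if __name__ == "__main__":
    per_min = worm_hits_per_minute(SAMPLE_LOG)
    for minute, n in sorted(per_min.items()):
        print(f"{minute}: {n} worm-port hits")
    print(f"average: {average_per_minute(per_min):.2f} per minute")
    print("repeat sources:", noisy_sources(SAMPLE_LOG))
```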