Microsoft has released six patches for its Windows operating system today. Three of them are rated critical, one important and two moderate. The three critical ones are related to Internet Explorer, the Print Spooler and Plug and Play (PnP). All three fix issues where your machine could be taken over completely.
The Internet Explorer vulnerabilities (three of them in one patch) are absolutely awful. First, a buffer overflow in the IE JPEG library: view the wrong image and you are pwned. Second, some cross-site scripting that could allow remote code execution (yet another reason why multiple zones of trust in one browser are a bad idea). Third, remote code execution via ActiveX controls (as if you needed any more reasons not to use ActiveX). Basic lesson: friends don’t let friends use IE.
The spooler flaw is also pretty bad. Basically, if someone could reach your printer through File and Printer Sharing (SMB/CIFS), they could take over your machine.
The PnP vuln is not only bad, it is ludicrous. You can send a message over the network and tell the PnP service (which manages USB devices and the like) to execute code for you. Now, why in the name of $DEITY would Microsoft allow a USB daemon to talk to the network???
The Telephony service vulnerability allows you to pwn a machine that runs Microsoft’s VoIP services (or to elevate privilege even if no such services are running). That’s why you should use Asterisk.
Oh, and a couple of remote DoS and spoofing vulns — but they are just icing on the cake.
Are we Microsoft’s guinea pigs or what? I can’t keep track anymore counting the various Windows patches and serious security issues, and there seems to be no end to this nightmare. I wonder how many thousands more vulnerabilities are in the Windows code base, each of them just waiting to get discovered by some script kiddie. Have the users become Microsoft’s unpaid bug-chasing slaves?
Did anyone notice that you had to download a little program wga*.exe before you could even begin to download the security patches? I remember reading that MS would be checking the authenticity of their users’ Windows installations, but it’s more than a little insulting to all their customers who are honorable and have invested hundreds if not thousands of dollars in their software. They probably feel immune right now because of their near monopoly on the desktop, but I truly hope a genuine competitor to Windows will arise and make them behave with more civility, if not honor.
Firefox, Opera, Mozilla, Konqueror, Safari… anything but InternetExploiter.
ok….. i’m gonna be the fair one…… do i think internet explorer sucks?…. yes. will i ridicule ms for patching security holes….. absolutely not.
look…. i know MS is the company we all love to hate, but at least be fair…. if mozilla, firefox, konqueror, safari, opera.. whatever came out with these patches you would all either be glad that they did or just say….. they were doing their job by finding and patching security holes.
how is this different….. personally it is not the patches i have a problem with…. it is the lack of patches…. the known security exploits MS does not patch
don’t rip on anybody for coming out with security patches…. that’s ridiculous
The thing about some of these vulnerabilities is that they represent SERIOUS design flaws. As someone said above, why would a USB event handler have network connectivity?
In my opinion, this is the problem with the whole “feel” of Windows; that Microsoft has decided to integrate too much inconsequential functionality.
That “?” after sucks isn’t supposed to be there and the “W” in will is supposed to be capitalized.
Meh, at least they fixed it before I heard anything about it. The only one that sounds really serious to me is the PnP one… and even then a good network setup wouldn’t be vulnerable.
A successor to the throne will come…. be it Linux, BSD, Apple, or some other… it will happen, and I believe it will happen in the next 5-8 years.
I really do hope it does happen. Seems to me that we had a lot more different and functional computers back in the mid 90’s than what we have now.
I wouldn’t mind a change, none at all. Took me a week to learn OS9 and OSX, took me a few days for Linux/Unix variants, took me a few days to get used to the 9x transition to the NT kernel and interface of XP.
So having to learn new commands and ways of app execution is always fun.
As someone else noted, this includes the WGA checker. I’m concerned that this might kill my installation because I lost my original serial number for XP and am using one I found on the net. Anyone use this yet and see if it monkeys with your system in my type of case. I don’t want to hassle with finding the original serial card in the basement of boxes of junk I have if it comes to having to reinstall Windows…
>As someone else noted, this includes the WGA checker. I’m concerned that this might kill my installation
The WGA checker doesn’t kill your installation, it just denies access to Windows Update and Microsoft Download Center if your copy isn’t “Genuine”.
The thingy was hacked in the first 24 hours after release (search Google if you want).
You can also still get updates by using the “Automatic Updates” function (it does no checks).
Still, it’s annoying as hell. Do they actually expect people to pay for their trash?
At least with Linux you get what you pay for (i.e. nothing!).
Damn I wish we would live in a better OS world…
So the Warez kiddies in the know get to patch but the ones that are not get hammered by the hacks (if and when they come out). Should be interesting.
What happened to MS letting everyone have security updates to protect the net/etc? Or do they think everyone still has Automatic Updates still turned on?
You could always contact Microsoft for a new serial number if you really have “lost” your original.
“They all three fix issues where your machine could be taken over completely.”
Remember folks, a backdoor can only be considered a remote takeover exploit if it’s discovered.
Enjoy running closed OS shit with code you can’t see. It could be doing anything, and yet you blindly trust it to be doing everything okay. It’s like that episode of Little Rascals where one guy was selling an invisible part for a robot. Enjoy your hidden parts, suckers.
Meanwhile I’ll donate my money and time towards free and open source software/operating systems because I know what I’m getting because I can SEE THE CODE!
Wake up sheeple, you’ll install anything that comes from the electronic gates of Mordor.
“I know what I’m getting because I can SEE THE CODE!”
Ah yes and I’m sure you understand every single line of it don’t you?
How many people want to sort through source code to make sure it’s secure? I mean, if that’s your answer to Windows it’s pathetic at best.
You drive a car made in the mid-80s or newer? Guess what. It’s running on proprietary closed source software, and if it fails your life is in far greater danger than with any OS you’ll ever run on your computer at home.
“Wake up sheeple, you’ll install anything that comes from the electronic gates of Mordor.”
get a life
“Ah yes and I’m sure you understand every single line of it don’t you?”
LOL, yeah right. This ignorant fuckstain probably couldn’t write a shell script that prints ‘Hello world’ to the screen, yet is content with calling anyone running a closed source OS (including Windows, OSX, Zeta, etc) sheeple. It’s too bad that fanatics like this do more harm to open source software than good. Hell, I wouldn’t use OSS just so that I wouldn’t be mistakenly associated with guys like this. I’d rather be assraped by ‘the man’ for the rest of my life.
“LOL, yeah right. This ignorant fuckstain probably couldn’t write a shell script that prints ‘Hello world’ to the screen,”
Gee, now THAT’S original. Not.
“yet is content with calling anyone running a closed source OS … sheeple.”
Very content.
“It’s too bad that fanatics like this do more harm to open source software than good.”
Nope. My time and money go to open source software.
“Hell, I wouldn’t use OSS just so that I wouldn’t be mistakenly associated with guys like this.”
Jesus Christ, you’re a riot, do you follow lemmings too by any chance?
“I’d rather be assraped by ‘the man’ for the rest of my life.”
Typical Windows user.
Security
Download Problem Interferes with IE Patch Release
Microsoft is forced to remove “critical” patches for Internet Explorer after the files became corrupted and broke the digital signatures. 2 hours 27 minutes ago
http://www.eweek.com/article2/0,1895,1846419,00.asp
You don’t have to install any patches or look for anything to overcome MS’s stupid WGA. Just go to IE add-ons (ActiveX objects) and disable the WGA check; it worked for me. It just shows that MS doesn’t really fight piracy, and I am just fine with that.
I hear that the WGA tool works in WINE and even thinks that Wine is “Genuine”… I guess you can use IE6 in Wine on a Linux machine just to download the updates for Windows machines, then.
Oh, the irony… 🙂
“Ah yes and I’m sure you understand every single line of it don’t you?”
Is that all you got? (cue canned audience boo noise) Going to call me names next? God, I love it when they evade the point and start dragging things down to personal attacks.
“How many people want to sort through source code to make sure its secure ?”
LOL! Jesus Christ man, do you work for M$? Do you know how many people are coding for the FOSS movement?
“I mean if thats your answer to windows its pathetic at best.”
Pot, meet kettle.
“You drive a car made in mid-80s or newer ? Guess what. Its running on proprietary closed source software and it fails your life is in far greater danger than any OS you’ll ever run on your computer at home.”
The same old boring and off-topic response from the closed source crowd. Do you pilot a helicopter while wearing clown shoes? If so, blah! Do you run races while hula hooping? If so, BLAH! Give me a break, you can get into all kinds of cookie cutter comparisons using any object you want, but the fact is: closed source = general public can’t see it = insecure.
How many complete remote takeover exploits has WinXP suffered from? How many years has it taken to patch a good lot of them? Just recently there has been even more discovered! How many more exist? It’s a joke, man, it’s a total joke, and people PAY for this shit.
“get a life”
grow up.
Every time after Microsoft releases a new patch they claim “Windows is secure now” until the next couple bugs are found and my or your machine is compromised. This has been going forever and I got so sick and tired of it that I am not playing that game anymore. Microsoft should hire more developers instead of using us users as guinea pigs.
A former Windows user.
I can’t believe companies actually trust their information to proprietary Microseft products. Long live Domain/OS!
“Is that all you got? (cue canned audience boo noise) Going to call me names next? God, I love it when they evade the point and start dragging things down to personal attacks.”
You totally missed the point. What good is source code if you or someone else does not understand it? You want me to believe that anyone off the street can verify that their Linux kernel or OSS applications are secure because they have the source? Sorry dude. Not buying it.
“LOL! Jesus Christ man, do you work for M$? Do you know how many people are coding for the FOSS movement?”
I am not talking about developers. This is where most people in the OSS crowd start getting confused so I’ll try to put it in all caps to make it clear.
NOT EVERYONE WHO USES A COMPUTER IS A PROGRAMMER!
In fact, users outnumber programmers by a large margin. So if your answer to security on Windows is that users should look over and validate the source code to their operating system, then yes, it’s pathetic at best.
“How many complete remote takeover exploits has WinXP suffered from? How many years has it taken to patch a good lot of them? Just recently there has been even more discovered! How many more exist? It’s a joke, man, it’s a total joke, and people PAY for this shit.”
Yep. There are problems. Big ones. I agree completely.
I’m simply saying that advocating that people who use computers look over the source code to their operating system to make sure it’s “secure” is not an answer for 99% of the computer users out there.
You want to do something about the problem that is Windows? Quit acting like a 15 year old and actually write the code and get involved. Start organizing things and get all of these groups within the community focused. Help to show them a better way and embrace Windows users.
Almost no one in the OSS crowd understands the basics of selling an idea or product. DO NOT BASH THE COMPETITION. It will kill ya. Anyone who has experience selling anything knows this.
Calling people sheep and going on and on about how you are high and mighty because you can *see* the source code to your OS is not doing anything productive and it surely does little in the way of actually interesting anyone in Linux.
“You totally missed the point. What good is source code if you or someone else does not understand it? You want me to believe that anyone off the street can verify that their Linux kernel or OSS applications are secure because they have the source? Sorry dude. Not buying it.”
Not everyone has to understand it rockhead – it’s you that have missed the point. The important thing is that the code is open for “public peer review”. Not every user who uses open source has to be a “coder” himself.
“You want to do something about the problem that is Windows? Quit acting like a 15 year old and actually write the code and get involved. Start organizing things and get all of these groups within the community focused. Help to show them a better way and embrace Windows users.”
He is doing something about it – not using a terrible product that is Windows – it’s a hack – always has been and always will be.
“Almost no one in the OSS crowd understands the basics of selling an idea or product. DO NOT BASH THE COMPETITION. It will kill ya. Anyone who has experience selling anything knows this.”
I am a BSD user and no person in the BSD community is interested in “selling” anything. Use the system if you are able. If you don’t like it, then don’t use it. If you are able to “code” then YOU can make the change because the source is open; you don’t have to wait like a hopeless lemming for Mickeysoft to fix beta quality crap and charge a high price for it. Secondly, I don’t see Microsoft as competition; they don’t/can’t compete with the systems I use.
Further, BASH is a shell, but you wouldn’t know anything about that would you? Open source does not refer to Linux – get your terms correct.
Or, you can use an open source operating system, with many of the apps you have to choose from still in alpha over at SourceForge.
All the apps I use run without error, without reboot, without horrific patchwork, which, in your world, means more reboots.
Gawd, don’t get me started on MS patching and the qualities of MS Office.
Windows is a great system given you have the time: “Mouse has moved, please reboot system for changes to take effect.”
It would be funny if it weren’t almost true!!
Microsoft Fixes Six Flaws?
I think the jury is out on that statement – don’t they have to reissue service packs a few times before it actually fixes more than it breaks – man I crack myself up sometimes…
http://www.eweek.com/article2/0,1895,1844654,00.asp
I should stop, this is way too easy. I almost feel guilty, uh, er, well ok, not really. Anyone see the sick humor here? It’s all so true!!
> What happened to MS letting everyone have security updates to protect the net/etc? Or do they think everyone still has Automatic Updates still turned on?
Even without automatic updates, you can still go to http://www.microsoft.com/security to get the updates manually — without WGA.