Microsoft Warns of Critical Windows' Flaw (Windows users alert)
Posted on 02/10/2004 2:37:35 PM PST by gdyniawitawa
SEATTLE/SAN FRANCISCO (Reuters) - Microsoft Corp. on Tuesday said a critical flaw in most versions of its flagship Windows operating system could allow attackers to run malicious programs on personal computers.
In its monthly security bulletin, the world's largest software maker warned that Windows NT, Windows 2000, Windows XP and Windows Server 2003 were at risk and offered software updates to fix the flaws, which were given Microsoft's highest severity rating of "critical."
"It does affect all (current) versions of Windows," said Stephen Toulouse, security program manager for Microsoft's Security Response Center. "We're not aware of anyone affected by this at this time."
Marc Maiffret, co-founder of eEye Digital Security, the company that discovered the flaw, criticized Microsoft for taking more than six months to come up with a patch to fix the problem, particularly since the flaw allows an attacker multiple ways to break into a system and could do almost anything they wanted to the system.
"We contacted Microsoft about these vulnerabilities 200 days ago, which is insane," he said. "Even the most secure Windows networks are going to be vulnerable to this flaw, which is very unique."
In response, Toulouse said Microsoft needed to take time to make sure to get the fix right, especially given how pervasive the vulnerability is in the software.
"We wanted to make absolutely sure we were doing as broad an investigation as possible," he said.
Windows users can download the patch for the vulnerability from www.microsoft.com/security.
"The obvious steps to take are to run Windows Update and install the patches to fix the vulnerabilities as soon as possible," said Craig Schmugar, a virus research manager at Network Associates Inc.'s McAfee anti-virus unit.
The latest fixes for Microsoft's software are unrelated to the latest virus attacks by MyDoom and its variants, Schmugar said.
Microsoft switched to a monthly cycle of releasing security updates in order to make it easier for system administrators to keep their software secure and up to date. But the company released a critical update a week ago, ahead of Tuesday's scheduled release, in order to fix a patch in its Explorer Web browser that could make PCs vulnerable to attackers. In addition, Microsoft announced a mid-grade security warning for the latest version of its server products for networked computers.
Two years ago, the Redmond, Washington-based company pledged to make its software products more secure and reliable under an initiative, called Trustworthy Computing, outlined in a companywide memo by Chairman Bill Gates.
But computers running the company's software have been hit by several high-profile attacks, such as the SQL Slammer, Nimda and SoBig attacks.
On Monday, a new worm called "Doomjuice," an offshoot of the MyDoom worm, emerged, which used personal computers compromised by the original MyDoom worm to attack and slow down parts of Microsoft's Web site, according to security experts.
The MyDoom worm, as well as its variant MyDoom.B, were designed to entice e-mail recipients to click open an attachment, which then installed malicious software on a personal computer. The worms then instructed infected PCs to flood the Web sites of the SCO Group Inc. and Microsoft in an effort to shut them down.
Microsoft didn't update their browser for three months, finally patching it last week despite known issues. But at least they have agreed to service 98SE a few more years, the security problems are never ending.
Same here, even the number of years. So long as you take reasonable care -- not opening unknown attachments, etc. -- and if you don't share a LAN with doofuses, you're fine.
It must be terrible to go through life so fearful. I suppose you also believe in gun control.
Here's a clue: anyone who has a virus scanner and turned on the built in firewall in Windows XP and loads the recommended updates will never get these bugs. All of the recent infestations have hit people who refused to update.
Adware is a different issue. You actually have to have the sense to say no to offers of free stuff.
Well, I know one school faculty you can eliminate from the "good sense" category, then. I spent part of the afternoon hooking some scan converters up to the computers and televisions in a couple of classrooms this afternoon. And oh my God were they the most bug-infested things I've ever seen - Xupiter toolbars and Comet Cursors and Gatorware everywhere, on every single machine I saw there. I literally felt dirty just touching the things to plug a VGA cable in. I didn't have the heart to tell the IT guy there that his computers were more full of holes than a shotgunned Swiss cheese...
An operating system no longer supported by Microsoft.
Microsoft agreed to support 98SE for another two years:
Cool. I'll dust off my VIC-20 and join you...
Yes it's good news, I like 98SE and was very pleased to hear they'll be keeping up support for it.
Why aren't any viruses being written for the Mac now?
Maybe because Macs aren't vulnerable to viruses?
Oh, that's a good way to get their attention while you protest... send them money but otherwise shun them.
I don't think it's gonna solve anything...
Sorry, no cigar. These "exploits" were LAN only and required that a hostile server exists on the LAN. This is so unlikely a scenario that it is almost beyond the realms of possibility. The exploit was easily fixed by merely turning one default setting from "on" to "off." It did not even require a patch.
Later release CDs of OSX shipped with the default "off."
I kinda like "venerable" better. It brought to mind legions of geezers executing malware willy-nilly... gazing at their monitors through magnifying glasses.
However, even if a user on a Mac launched a malicious program, it still could not access the core system files. 99.99% of Mac users operate their computers in a mode (Administrator or lower) that does not have sufficient access to modify system files (which requires Root access) while 99.9 percent of Windows users are natively running in PC Administrator mode which is the equivalent to Root.
How many platforms determine whether a file is executable based solely on its name?
Saw this thing earlier today. I'm sure everyone appreciates good testing of patches, but six months does seem a bit long....
Well, I was wondering where you were. Welcome.
Shall I resurrect your indignation when Apple allowed (in your words) that "critical" system flaw to continue for about 5 weeks before patching it and compare those 35 days to Microsoft's 200 (28 weeks)?
Several times, and several posters, you have been pointed to articles written by experts in Computer and Network security that have enumerated the superiority of the Macintosh platform over Windows for security and you still sing the same song.
Bush, the insecurities of Mac OS-X are the insecurities of UNIX, one of the most secure operating systems in the world.
Let's talk "venerable" shall we?
Windows in its variations has a history of about 19 years counting from its inception incarnation as a DOS shell named "Interface Manager" renamed to Windows 1.0 before its release in 1985. As a true OPERATING SYSTEM, we should really only give it 9 years when it was no longer really a DOS shell with the introduction of Windows 95 (although it still needed DOS to even get started). Of course, THAT version is not related to the current XP version because that line of Windows was a dead end. Windows XP is based on Windows 2000 (year 2000, age 4) which in turn was based on Windows NT (March 1994, age 10). Over these ten years a comparatively small number of Microsoft Engineers have been overseeing the development and security of Windows 2000 - XP.
On the UNIX (1969, age 35) side, we have an unbroken (although many branched) development since 1969 with legions of developers modifying and improving the code. More people by at least an order of magnitude have looked at the UNIX code and tested and improved its security. Number of years of development = 10.
So, on one side we have the Microsoft OS... maintained by one company, a small group of developers responsible for its proprietary code... and on the other side we have an open-source multi-developer OS... developed by thousands of people working to improve the utility and security of UNIX. Number of years of development = 35.
Which do you think might be more secure?
Let's see what a computer security expert has to say about Linux, OSX, and Microsoft Windows, shall we?
'There are about 60,000 viruses known for Windows, 40 or so for the Macintosh, about 5 for commercial Unix versions, and perhaps 40 for Linux. Most of the Windows viruses are not important, but many hundreds have caused widespread damage. Two or three of the Macintosh viruses were widespread enough to be of importance. None of the Unix or Linux viruses became widespread - most were confined to the laboratory.'
So there are far fewer viruses for Mac OS X and Linux. It's true that those two operating systems do not have monopoly numbers, though in some industries they have substantial numbers of users. But even if Linux becomes the dominant desktop computing platform, and Mac OS X continues its growth in businesses and homes, these Unix-based OS's will never experience all of the problems we're seeing now with email-borne viruses and worms in the Microsoft world. Why?"
". . . Microsoft's email software is able to infect a user's computer when they do something as innocuous as read an email! Don't believe me? Take a look at Microsoft Security Bulletins MS99-032, MS00-043, MS01-015, MS01-020, MS02-068, or MS03-023, for instance. Notice that's at least one for the last five years. And though Microsoft's latest versions of Outlook block most executable attachments by default, it's still possible to override those protections."
"This sort of social engineering, so easy to accomplish in Windows, requires far more steps and far greater effort on the part of the Linux user. Instead of just reading an email (... just reading an email?!?), a Linux user would have to read the email, save the attachment, give the attachment executable permissions, and then run the executable. Even as less sophisticated users begin to migrate to Linux, they may not understand exactly why they can't just execute attachments, but they will still have to go through the steps. . .
"due to the strong separation between normal users and the privileged root user, our Linux user would have to be running as root to really do any damage to the system. He could damage his /home directory, but that's about it. So the above steps now become the following: read, save, become root, give executable permissions, run. The more steps, the less likely a virus infection becomes, and certainly the less likely a catastrophically spreading virus becomes. And since Linux users are taught from the get-go to never run as root, and since Mac OS X doesn't even allow users to use the root account unless they first enable the option, it's obvious the likelihood of email-driven viruses and worms lessens on those platforms.
Unfortunately, running as root (or Administrator) is common in the Windows world. In fact, Microsoft is still engaging in this risky behavior. Windows XP, supposedly Microsoft's most secure desktop operating system, automatically makes the first named user of the system an Administrator, with the power to do anything he wants to the computer. . . "
". . . Even if the OS has been set up correctly, with an Administrator account and a non-privileged user account, things are still not copasetic. On a Windows system, programs installed by a non-Administrative user can still add DLLs and other system files that can be run at a level of permission that damages the system itself. Even worse, the collection of files on a Windows system - the operating system, the applications, and the user data - can't be kept apart from each other. Things are intermingled to a degree that makes it unlikely that they will ever be satisfactorily sorted out in any sensibly secure fashion."
"Security is, as we all know, a process, not a product. So when you use Linux (Or UNIX, or OS-X - Swordmaker), you're not using a perfectly safe OS. There is no such thing. But Linux and Mac OS X establish a more secure footing than Microsoft Windows, one that makes it far harder for viruses to take hold in the first place, but if one does take hold, harder to damage the system, but if one succeeds in damaging the system, harder to spread to other machines and repeat the process. When it comes to email-borne viruses and worms, Linux may not be completely immune - after all, nothing is immune to human gullibility and stupidity - but it is much more resistant. To mess up a Linux box, you need to work at it; to mess up your Windows box, you just need to work on it. I know which one I'll trust. How about you?
Me, I chose UNIX based Macintosh OS-X.3 Panther.
I really like this quote:
To mess up a Linux box, you need to work at it; to mess up your Windows box, you just need to work on it.
It is inclusive of OS-X. By the way, the Macintosh virii referred to are Macintosh Classic viruses, affecting OS-9.2.2 and below, not OS-X. OS-X would be susceptible to the Unix virii.
The ACTUAL portion of the post above including the link to the article as originally written (except for an omitted quotation mark):
Let's see what a computer security expert has to say about Linux, OSX, and Microsoft Windows, shall we?
Linux vs. Windows Viruses
by Scott Granneman, SecurityFocus,
The Register (UK).
June 10, 2003.
That's the link to the entire article. Here are some quotations from the article:
"To mess up a Linux box, you need to work at it; to mess up your Windows box, you just need to work on it, writes SecurityFocus columnist Scott Granneman."
"According to Dr. Nic Peeling and Dr Julian Satchell's Analysis of the Impact of Open Source Software . . .
Odd, they built within the last year or so, an Apple store in an upscale mall here in Indy. Seems to be doing a good business. Strange, for a product nobody uses or cares about.
Gee, and here I thought you cared. . . sniff. ;)
Nobody uses Macs...
You're probably right, there are only about 10,000,000 of us nobodies out here... including:
President George W. Bush
G. Gordon Liddy
Paul MacCready - Gossamer Condor and Mac!
Burt Rutan - Aeronautical Engineer and builder of the globe circling Voyager plane (which runs on a Powerbook)
Buzz Aldrin - "the Mac is outta this world!"
Fleetwood Mac - Well, with a name like that you think they'd use a PC???
Peter Jackson - a "Ring"ing endorsement
Mario Puzo - "Make an offer you can't resist... use a Mac!"
Gerry Spence - Constitutional attorney with a pony-tail and a Mac.
The Flying Karamazov Brothers - Macs really help us juggle our files?
Katie Kouric (Choke)
Michael Jackson - uses it to try on new faces?
Tom Brocaw (Urk)
Dr. Murray Gell-Mann - Nobel Laureate Physics
Dr. Roger Guillemin, M.D., Ph.D, Nobel Laureate in Medicine and Physiology
Dr. Donald Glaser - Nobel laureate Physics
Michael Crichton - definitely someone who knows futuristic.
Gabriel Garcia Marquez, Nobel Laureate Literature
The Late Dr. Timothy Leary - "What a trip!"
Leonard Nimoy - "Macs live long and prosper!"
William Gibson - 'Cyberspace' was created on a Mac!
Bob Dole - It didn't help him keep Clinton out of office...
Stephen Sondheim - Sweeney Todd made him do it!
The Grateful Dead
Al Gore - Ex VP and statue
Martha Stewart - but only to do insider trading?
The Late Seymour Cray - yes, THAT Cray... as in supercomputer.
Sir Roger Banister - "I'd run a mile for a Mac!"
Francis Ford Coppola
Malcolm Forbes, Jr.
Bill Gates!!! - Yup!
Scott Adams - "Dilbert"
Gray Davis - as I "recall"
Jim Cameron - a "titanic" user
All real nobodies.
Most of us adult Mac users utilize our computers to be productive... not play games. Look at that list. Do you see anyone on there that you would suspect spent their time playing the latest and greatest 3D graphic kill-the-bad-guy game or even FreeCell for that matter or do you see a list of people who work hard and get the job done?
Mac users are interested in productivity, not time wasting. That is why we selected a computer that promotes productivity rather than impedes it!
Bush, you were the one claiming "nobody" and I just invalidated your argument. Being wrong doesn't mean you have to be crude.
Bush, I have always been interested in the most productive computer I can own. So far, Windows has failed to impress me in that area.
I make MONEY with my computers when I am not 'wasting time' surfing FreeRepublic... and I have five Windows computers around here. Two running XP, one running 2000, one still on 95 and another on 98. I still prefer to use a Macintosh. These computers are here so I can run copies of my clients' vertical software on machines similar to the ones in their businesses. I occasionally need to run their software so I can advise accurately over the phone on processes where they are having problems.
I can be much more productive on my G5 Macintosh on other things I use my computer for than any of those other machines... and that is what counts for me. At any one time, I have between 20 and 25 business clients that depend on me to keep their computers and networks running and secure. Four or Five of those businesses operate on Macintoshes... and the level of complaint and problems from them is extremely low. About the only time they need me is for upgrades or advice on some area of their software they don't use too often.
I regret I cannot say the same about the PC using businesses. The PC businesses experience "downtime" about 10-15 times more often than the Macs. When they are down, they are down longer. All of this impacts productivity. Since my Mac clients were moved to OS-X, downtime has been non-existent at their businesses due to computers.
In the real world, people want their computers to enhance their ability to make money. Playing games is nice... but it is not what pays the bills.