Posted on 01/11/2005 1:44:14 PM PST by Eagle9
Microsoft on Tuesday released the year's first three security patches to Windows, including two it called "Critical," but did not patch all the vulnerabilities that have surfaced in the last several months.
"These are exactly what we expected this month, a couple of patches against threats that are 'wormable'," said Mike Murray, the director of research at nCircle, the vulnerability management vendor whose flagship product is IP360.
The first critical flaw is in Windows Server 2003, and in Windows 98, Me, 2000, and XP, including Service Pack 2, the security update that Microsoft rolled out last October. The ancient Windows NT 4.0 is also affected if Internet Explorer 6.0 SP1 has been installed.
A bug in the HTML Help ActiveX control can be exploited by hackers to gain complete control of a compromised PC, said Microsoft, most likely by creating a malicious Web site, then enticing users into viewing that page with e-mail come-ons. Microsoft's HTML Help ActiveX is designed to let Web site designers add site-specific help information to their pages.
The bulletin, dubbed MS05-001, also offered up a long list of possible work-arounds for users who can't patch immediately, but noted that exploits of this vulnerability are already circulating, and urged users to patch pronto.
Another critical vulnerability, spelled out in the MS05-002 bulletin, affects Windows 98, Me, NT, 2000, XP, and Windows Server 2003, and concerns how those operating systems handle cursors, animated cursors, and icons. A determined hacker, said Microsoft, could create a malicious Web site or send e-mail with specially-crafted cursors or icons that would in turn cause the computer to execute the attacker's choice of code or simply crash.
Although the bug has been made public and proof-of-concept code has been spotted on hacker sites, Microsoft claimed that it had no evidence of any actual exploits in the wild. Still, it recommended that users apply the patches immediately.
The third bulletin, labeled MS05-003, is rated by Microsoft as only "Important" in its four-step scale.
"This one was a bit of a surprise," said nCircle's Murray. "Index Server hasn't been a target in the past. It's not enabled by default, and because of that it's almost a waste of time for hackers."
Windows 2000, XP (but not SP2), and Windows Server 2003 are at risk, said Microsoft, because the Indexing Service can be used to gain complete control of a PC. Formerly known as Index Server, the service's original function was to index the content of Internet Information Services (IIS) Web servers, but it's now also used to create indexed catalogs of file systems.
"This could be dangerous in a targeted attack," said Murray directed against a specific company, "but it's not something that will end up as a widespread exploit like MSBlast or Slammer."
Some of the more recent vulnerabilities in Microsoft's products, particularly its Internet Explorer browser, were not included in this month's cycle of patches Murray stepped up to defend Microsoft. "There were some [unpatched] vulnerabilities released publicly, but the [patch] development cycle takes time. There's no way Microsoft has had time to fix these things yet."
Among the disclosed vulnerabilities that weren't patched were a bug in IE's LoadImage API and a long-standing flaw in how IE handles drag-and-dropped objects.
"It takes a month or two to test patches and get them into the products," said Murray. "I expect we'll see [fixes for] these in February."
Tuesday's patches can be obtained through the usual channels: the Windows Update service or direct download from the Microsoft Web site.
First three? We're only 11 days into the year! At this rate, we're setting ourselves up for 100 vulnerabilities this year.
Seems like the discovery of Windows flaws NEVER ends. Will it EVER be safe to put your identity/credit card/bank acct. info on your computer using THIS O/S?
It absolutely astonishes me that they presume to promote anti-virus software, when their products need so many patches, you'd think they were making hillbilly blue jeans.
They were waiting for download and install when I got home to the very-fast machine; tomorrow, they'll be at work waiting for me to open-up the super-fast machine in my office.
I still think that Apple/Mac/Linux moles work at MS, building this stuff into the Win O/S, on purpose. </saracasm>
THANKS.
Malicious Trojan infects Windows Media Player
This one may only be a problem if you have installed the latest security fixes from Microsoft incorporated in Service Pack 2.....
I don't see any mention of that flaw.
The Drag-and-Drop/Cut-and-Paste issue corrective action was posted long ago. The fix that allows you to use those two functions again in the Internet zone is what has not been released yet.
MS04-038 cumulative Security Update for Internet Explorer
or,
Disable the Drag and Drop or copy and paste files option in the Internet and Intranet Web content zones. For business domains, this can be done in Group policy.
BTTT for later
I have a lap top and a desktop. we have a dial up modem, DSL is not available at our number yet. But, I can take my laptop down town to an internet cafe adn connect at real high speeds.
All that said, here is my question, how can I down load the windows updates to my CD burner druive insteaqd of my c drive so that I can put it in the desktop and safe a ton of time?
Thanks,
Jake
By the way, where would I find the fixes, updates and patches on my harddrive?
Go to the Microsoft Download Center - near the bottom is a list of categories for download - select the Windows (Security and Updates). Save them where you can find them later.
http://www.microsoft.com/downloads
By the way, where would I find the fixes, updates and patches on my hard-drive?
I don't know the answer to either question. I think a lot of people would like to know, so I highlighted your questions, in hopes of someone posting an answer.
However there are legions who think the latest patch will help them (even though they have downloaded several patches in a row that are supposed to fix prior patches that were supposed to fix previous patches .....ad nauseum). I'd not be surprised if such people useAOL as well. LOL.
No problem - ask any time, everyone else does!
MSFT tries to fix prior attempts to fix prior attempts to fix a fix (or maybe, just maybe,these are new bugs).
LOL. My personal conspiracy vein runs something like this. I think MSFT plugs in the flaws and bugs on purpose so that they can have people continuously upgrade to 'new' versions. And that they know how to make Windows tighter than a Romanian nun, but decide not to so that when the 'new and amazing' LongHorn OS comes out people 'upgrade' to it.
As i said, this is my conspiratory assessment, but i would not be surprised if it was 100% true. (P.S: I am also pretty sure that B. Gates would never use anything as flaw-ridden as Windows, outlook or IE. And since he would never use a competing OS, mail service or browser one has to assume that what he uses is a version of Windows XP that has been streamlined. As in i think that the commercially available versions have amazingly great engineered obsolescence -plus a plethora of flaws- and Bill Gates uses an in-house version that does not have all the flaws. Again, this is just me mulling on the stuff, but i know there is no way Gates would be using the stuff as it currently is.)
I also think MSFT could make the current windows even better TODAY than the LongHorn OS coming out in a couple of years from now.
Have windows scan for updates
Note the # of the recommended update e.g. KB84342
Go to MS downloads & search for above #, &save to disk.
By the way, where would I find the fixes, updates and patches on my hard-drive?
Windows update page will tell you if you select that option.
Else, they're listed in add/remove programs & C:\wind.. >>uninstall
Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.