Free Republic

Microsoft Warns of Critical Windows' Flaw (Windows users alert)
Reuters ^ | Tue February 10, 2004 04:09 PM ET | By Reed Stevenson and Elinor Mills Abreu

Posted on 02/10/2004 2:37:35 PM PST by gdyniawitawa

SEATTLE/SAN FRANCISCO (Reuters) - Microsoft Corp. on Tuesday said a critical flaw in most versions of its flagship Windows operating system could allow attackers to run malicious programs on personal computers.

In its monthly security bulletin, the world's largest software maker warned that Windows NT, Windows 2000, Windows XP and Windows Server 2003 were at risk and offered software updates to fix the flaws, which were given Microsoft's highest severity rating of "critical."

"It does affect all (current) versions of Windows," said Stephen Toulouse, security program manager for Microsoft's Security Response Center. "We're not aware of anyone affected by this at this time."

Marc Maiffret, co-founder of eEye Digital Security, the company that discovered the flaw, criticized Microsoft for taking more than six months to come up with a patch to fix the problem, particularly since the flaw gives an attacker multiple ways to break into a system and do almost anything they want to it.

"We contacted Microsoft about these vulnerabilities 200 days ago, which is insane," he said. "Even the most secure Windows networks are going to be vulnerable to this flaw, which is very unique."

In response, Toulouse said Microsoft needed to take time to make sure to get the fix right, especially given how pervasive the vulnerability is in the software.

"We wanted to make absolutely sure we were doing as broad an investigation as possible," he said.

Windows users can download the patch for the vulnerability from www.microsoft.com/security.

"The obvious steps to take are to run Windows Update and install the patches to fix the vulnerabilities as soon as possible," said Craig Schmugar, a virus research manager at Network Associates Inc.'s McAfee anti-virus unit.

The latest fixes for Microsoft's software are unrelated to the latest virus attacks by MyDoom and its variants, Schmugar said.

Microsoft switched to a monthly cycle of releasing security updates in order to make it easier for system administrators to keep their software secure and up to date. But the company released a critical update a week ago, ahead of Tuesday's scheduled release, in order to fix a patch in its Explorer Web browser that could make PCs vulnerable to attackers. In addition, Microsoft announced a mid-grade security warning for the latest version of its server products for networked computers.

Two years ago, the Redmond, Washington-based company pledged to make its software products more secure and reliable under an initiative, called Trustworthy Computing, outlined in a companywide memo by Chairman Bill Gates.

But computers running the company's software have been hit by several high-profile attacks, such as the SQL Slammer, Nimda and SoBig attacks.

On Monday, a new worm called "Doomjuice," an offshoot of the MyDoom worm, emerged, which used personal computers compromised by the original MyDoom worm to attack and slow down parts of Microsoft's Web site, according to security experts.

The MyDoom worm, as well as its variant MyDoom.B, were designed to entice e-mail recipients to click open an attachment, which then installed malicious software on a personal computer. The worms then instructed infected PCs to flood the Web sites of the SCO Group Inc. and Microsoft in an effort to shut them down.


TOPICS: Announcements; Front Page News; Miscellaneous; Technical
KEYWORDS: lowquality; microsoft; nosecurity; windowsos
To: Reaganwuzthebest
Thanks for the link. I had not seen that MS had backed down. I know that they did release one patch after the announced termination date, but at the time they gave some explanation that they knew about the problem and were working on it before the cutoff date.

I'll upgrade operating systems when I get new computers. Until then, I'll keep running WIN98 and 95 because the old machines just can't handle the newer operating systems.
21 posted on 02/10/2004 7:09:23 PM PST by PAR35

To: PAR35
Until then, I'll keep running WIN98 and 95 because the old machines just can't handle the newer operating systems.

Yes it's good news, I like 98SE and was very pleased to hear they'll be keeping up support for it.

22 posted on 02/10/2004 7:25:57 PM PST by Reaganwuzthebest

To: DB
If Macintosh ruled, all the viruses would be written for the Mac instead...

Why aren't any viruses being written for the Mac now?

Maybe because Macs aren't vulnerable to viruses?

23 posted on 02/10/2004 7:59:59 PM PST by TechJunkYard

To: Astronaut
"It wouldn't do any good to write viruses for OS X. No Active X to transmit them. Ports are not open by default the way Windows does. Mac OS X is more secure by design; the myth that there are no viruses for Macintosh because no one bothers is pure Microsoft generated myth."

The myth is that you know what you're talking about.

You don't need active X to transmit viruses, worms, etc. on PCs, Macs or whatever computer.

And as far as those "default" Mac settings:

http://www.freerepublic.com/focus/f-news/1029572/posts

http://www.freerepublic.com/focus/f-news/1012349/posts

At 5% market share it would be hard to get a Mac virus to propagate by the sheer difficulty in finding one to spread it to in a sea of PCs. That is your saving grace whether you know it or not.
24 posted on 02/10/2004 8:03:14 PM PST by DB (©)

To: AIC
It will be hard for me to ever trust Microsoft again... I'll buy their programs but I will not visit their site...

Oh, that's a good way to get their attention while you protest... send them money but otherwise shun them.

I don't think it's gonna solve anything...

25 posted on 02/10/2004 8:03:46 PM PST by TechJunkYard

To: TechJunkYard
Any computer that can exchange data is venerable to viruses.

Most successful viruses running around today like MyDoom were executable attachments that people opened. Any machine that will execute the executable is venerable. It didn’t matter if all the ports were closed, firewalls were in place or anything else to do with the operating system. If the user chooses to run the attachment the machine has been compromised right then and there. MyDoom didn’t use active X, it didn’t use VB scripting, it used native code to the computer and a venerable user. Venerable users aren’t unique to PCs.
26 posted on 02/10/2004 8:58:01 PM PST by DB (©)

To: TechJunkYard
Make that "vulnerable"...

27 posted on 02/10/2004 9:00:30 PM PST by DB (©)

To: general_re
Hi, General,

I wonder where Bush2000 is.
28 posted on 02/10/2004 9:02:30 PM PST by Swordmaker (This tagline shut down for renovations and repairs. Re-open June of 2001.)

To: DB
And as far as those "default" Mac settings:

Sorry, no cigar. These "exploits" were LAN only and required that a hostile server exists on the LAN. This is so unlikely a scenario that it is almost beyond the realms of possibility. The exploit was easily fixed by merely turning one default setting from "on" to "off." It did not even require a patch.

Later release CDs of OSX shipped with the default "off."

29 posted on 02/10/2004 9:09:00 PM PST by Swordmaker (This tagline shut down for renovations and repairs. Re-open June of 2001.)

To: gdyniawitawa
bttt
30 posted on 02/10/2004 9:16:18 PM PST by cibco (Xin Loi... Saddam)

To: DB
Make that "vulnerable"...

I kinda like "venerable" better. It brought to mind legions of geezers executing malware willy-nilly... gazing at their monitors through magnifying glasses.

However, even if a user on a Mac launched a malicious program, it still could not access the core system files. 99.99% of Mac users operate their computers in a mode (Administrator or lower) that does not have sufficient access to modify system files (which requires Root access) while 99.9 percent of Windows users are natively running in PC Administrator mode which is the equivalent to Root.

31 posted on 02/10/2004 9:20:47 PM PST by Swordmaker (This tagline shut down for renovations and repairs. Re-open June of 2001.)

To: DB
Any machine that will execute the executable is venerable.

How many platforms determine whether a file is executable based solely on its name?

32 posted on 02/10/2004 9:23:17 PM PST by TechJunkYard

To: Swordmaker
Sorry, no cigar. These "exploits" were LAN only ...blah, blah, blah

From "not vulnerable" to "well, it is vulnerable but..." The fact remains that you simply don't have enough market share to justify virus writers targeting your little OS.
33 posted on 02/10/2004 9:39:27 PM PST by Bush2000

To: Swordmaker
Couldn't say.

Saw this thing earlier today. I'm sure everyone appreciates good testing of patches, but six months does seem a bit long....

34 posted on 02/10/2004 10:31:43 PM PST by general_re (Remember that what's inside of you doesn't matter because nobody can see it.)

To: Bush2000
From "not vulnerable" to "well, it is vulnerable but..." The fact remains that you simply don't have enough market share to justify virus writers targeting your little OS.

Well, I was wondering where you were. Welcome.

Shall I resurrect your indignation when Apple allowed (in your words) that "critical" system flaw to continue for about 5 weeks before patching it and compare those 35 days to Microsoft's 200 (28 weeks)?

Several times, and several posters, you have been pointed to articles written by experts in Computer and Network security that have enumerated the superiority of the Macintosh platform over Windows for security and you still sing the same song.

Bush, the insecurities of Mac OS-X are the insecurities of UNIX, one of the most secure operating systems in the world.

Let's talk "venerable" shall we?

Windows in its variations has a history of about 19 years counting from its inception incarnation as a DOS shell named "Interface Manager" renamed to Windows 1.0 before its release in 1985. As a true OPERATING SYSTEM, we should really only give it 9 years when it was no longer really a DOS shell with the introduction of Windows 95 (although it still needed DOS to even get started). Of course, THAT version is not related to the current XP version because that line of Windows was a dead end. Windows XP is based on Windows 2000 (year 2000, age 4) which in turn was based on Windows NT (March 1994, age 10). Over these ten years a comparatively small number of Microsoft Engineers have been overseeing the development and security of Windows 2000 - XP.

On the UNIX (1969, age 35) side, we have an unbroken (although many branched) development since 1969 with legions of developers modifying and improving the code. More people by at least an order of magnitude have looked at the UNIX code and tested and improved its security. Number of years of development = 10.

So, on one side we have the Microsoft OS... maintained by one company, a small group of developers responsible for its proprietary code... and on the other side we have an open-source multi-developer OS... developed by thousands of people working to improve the utility and security of UNIX. Number of years of development = 35.

Which do you think might be more secure?

Let's see what a computer security expert has to say about Linux, OSX, and Microsoft Windows, shall we?

"According to Dr. Nic Peeling and Dr Julian Satchell's Analysis of the Impact of Open Source Software . . .

'There are about 60,000 viruses known for Windows, 40 or so for the Macintosh, about 5 for commercial Unix versions, and perhaps 40 for Linux. Most of the Windows viruses are not important, but many hundreds have caused widespread damage. Two or three of the Macintosh viruses were widespread enough to be of importance. None of the Unix or Linux viruses became widespread - most were confined to the laboratory.'

So there are far fewer viruses for Mac OS X and Linux. It's true that those two operating systems do not have monopoly numbers, though in some industries they have substantial numbers of users. But even if Linux becomes the dominant desktop computing platform, and Mac OS X continues its growth in businesses and homes, these Unix-based OS's will never experience all of the problems we're seeing now with email-borne viruses and worms in the Microsoft world. Why?"

". . . Microsoft's email software is able to infect a user's computer when they do something as innocuous as read an email! Don't believe me? Take a look at Microsoft Security Bulletins MS99-032, MS00-043, MS01-015, MS01-020, MS02-068, or MS03-023, for instance. Notice that's at least one for the last five years. And though Microsoft's latest versions of Outlook block most executable attachments by default, it's still possible to override those protections."

"This sort of social engineering, so easy to accomplish in Windows, requires far more steps and far greater effort on the part of the Linux user. Instead of just reading an email (... just reading an email?!?), a Linux user would have to read the email, save the attachment, give the attachment executable permissions, and then run the executable. Even as less sophisticated users begin to migrate to Linux, they may not understand exactly why they can't just execute attachments, but they will still have to go through the steps. . .

"due to the strong separation between normal users and the privileged root user, our Linux user would have to be running as root to really do any damage to the system. He could damage his /home directory, but that's about it. So the above steps now become the following: read, save, become root, give executable permissions, run. The more steps, the less likely a virus infection becomes, and certainly the less likely a catastrophically spreading virus becomes. And since Linux users are taught from the get-go to never run as root, and since Mac OS X doesn't even allow users to use the root account unless they first enable the option, it's obvious the likelihood of email-driven viruses and worms lessens on those platforms.

Unfortunately, running as root (or Administrator) is common in the Windows world. In fact, Microsoft is still engaging in this risky behavior. Windows XP, supposed Microsoft's most secure desktop operating system, automatically makes the first named user of the system an Administrator, with the power to do anything he wants to the computer. . . "

". . . Even if the OS has been set up correctly, with an Administrator account and a non-privileged user account, things are still not copasetic. On a Windows system, programs installed by a non-Administrative user can still add DLLs and other system files that can be run at a level of permission that damages the system itself. Even worse, the collection of files on a Windows system - the operating system, the applications, and the user data - can't be kept apart from each other. Things are intermingled to a degree that makes it unlikely that they will ever be satisfactorily sorted out in any sensibly secure fashion."

and finally:

"Security is, as we all know, a process, not a product. So when you use Linux (Or UNIX, or OS-X - Swordmaker), you're not using a perfectly safe OS. There is no such thing. But Linux and Mac OS X establish a more secure footing than Microsoft Windows, one that makes it far harder for viruses to take hold in the first place, but if one does take hold, harder to damage the system, but if one succeeds in damaging the system, harder to spread to other machines and repeat the process. When it comes to email-borne viruses and worms, Linux may not be completely immune - after all, nothing is immune to human gullibility and stupidity - but it is much more resistant. To mess up a Linux box, you need to work at it; to mess up your Windows box, you just need to work on it. I know which one I'll trust. How about you?"

Me, I chose UNIX based Macintosh OS-X.3 Panther.

35 posted on 02/10/2004 10:48:34 PM PST by Swordmaker (This tagline shut down for renovations and repairs. Re-open June of 2001.)

To: Bush2000
Oops, link broken. Here is the correct link:

Linux vs. Windows Viruses"

I really like this quote:

To mess up a Linux box, you need to work at it; to mess up your Windows box, you just need to work on it.

It is inclusive of OS-X. By the way, the Macintosh virii referred to are Macintosh Classic viruses, affecting OS-9.2.2 and below, not OS-X. OS-X would be susceptible to the Unix virii.

36 posted on 02/10/2004 10:54:38 PM PST by Swordmaker (This tagline shut down for renovations and repairs. Re-open June of 2001.)

To: Swordmaker
It's really amazing what leaving out a single quotation mark in HTML can do.

The ACTUAL portion of the post above including the link to the article as originally written (except for an omitted quotation mark):

Let's see what a computer security expert has to say about Linux, OSX, and Microsoft Windows, shall we?

Linux vs. Windows Viruses
by Scott Granneman, SecurityFocus,
The Register (UK).
June 10, 2003.

That's the link to the entire article. Here are some quotations from the article:

"To mess up a Linux box, you need to work at it; to mess up your Windows box, you just need to work on it, writes SecurityFocus columnist Scott Granneman."

"According to Dr. Nic Peeling and Dr Julian Satchell's Analysis of the Impact of Open Source Software . . .

37 posted on 02/10/2004 11:05:27 PM PST by Swordmaker (This tagline shut down for renovations and repairs. Re-open June of 2001.)

To: Swordmaker
Shall I resurrect your indignation when Apple allowed (in your words) that "critical" system flaw to continue for about 5 weeks before patching it and compare those 35 days to Microsoft's 200 (28 weeks)?

Wouldn't make any difference. Nobody uses Macs; hence, nobody really cares.
38 posted on 02/10/2004 11:18:05 PM PST by Bush2000

To: Bush2000
Nobody uses Macs; hence, nobody really cares.

Odd, they built within the last year or so, an Apple store in an upscale mall here in Indy. Seems to be doing a good business. Strange, for a product nobody uses or cares about.

39 posted on 02/10/2004 11:40:19 PM PST by AFreeBird (your mileage may vary)

To: AFreeBird
Odd, they built within the last year or so, an Apple store in an upscale mall here in Indy. Seems to be doing a good business. Strange, for a product nobody uses or cares about.

Apple has been relegated to a bit player in the desktop computer market.
40 posted on 02/10/2004 11:47:35 PM PST by Bush2000