Microsoft Issues Security Warnings for Windows, Outlook And Content Management

InternetWeek.com ^

[Paul Atreides]

NTFS wasn't the reason. To be honest, I don't know what caused the modem situation. I just didn't like the NTFS option because it was irreversible concerning the OS.

[Capt. Tom]

Whatever you do, DO NOT have XP convert your hard drive to NTFS format. If it does, the OS cannot be uninstalled and the only way to undo the NTFS format is to have the drive reformatted

I asked my computer friend to translate this for me and here is his answer. - Tom

This sentence is out of context. What were they talking about? NTFS is a drive format only supported by WinNT, Win2000 and WinXP. Win95 98 ME can't deal with it.

If one was to upgrade a Win98 system to WinXP you wouldn't convert your hard drive. If you did a clean install of XP you would want NTFS. About the only time one wouldn't use NTFS is if you have a hard drive with multiple partitions and multiple operating systems. If one of the bootable operating systems was for example Win98 it would not be able to read the data in a WinXP NTFS partition.

This probably confuses you more, ask me over coffee.

[HairOfTheDog]

Microsoft has posted detailed security bulletins and patches for the Windows security flaw, as well as the Outlook and Content Management holes.

As well as notified me that these fixes were available... and I promptly fixed it.... Thanks!

[Paul Atreides]

Here's the deal:

I had my system built almost three years ago. At the time, I was using Win98. I supplied the new hard drive and had them install it when they built the system. Shortly after, I upgraded to ME. Then, shortly after XP came out, I upgraded to XP, but never told the install to convert the hard drive to NTFS.

[Bush2000]

• Microsoft Locator - Not really an issue. Everybody should be running a firewall.
  
  
• Content Management - How many people actually run this? A thimbleful?
  
  
• Outlook - Marginal scenario at best. Not a default configuration: 99.99% of all users aren't affected.
  
  ... if you really want to complain about bugs, chew on this really serious vulnerability: Open-source defect reaches deep

[TechJunkYard]

if you really want to complain about bugs, chew on this really serious vulnerability...

YeahRight... how many average users (even average Linux users) even know what CVS is? OTOH, everybody knows about Lookout Outlook.

[Sweet_Sunflower29]

Ditto that.

So far I like XP much more then I did Win98.

:)

[Bush2000]

YeahRight... how many average users (even average Linux users) even know what CVS is? OTOH, everybody knows about Outlook.

You missed the point. People don't have to know about CVS in order to be affected by its bugs. The MS bugs cited in this article affect practically nobody. But the CVS bugs potentially affect every open source user because the use of CVS is so pervasive in open source development projects.

[TechJunkYard]

The MS bugs cited in this article affect practically nobody.

That unchecked buffer in the Locator Service is pretty serious... lots of domain controllers are vulnerable. That translates to a lot of Windows users -- particularly in business settings.

CVS is primarily used by developers and librarians. I never use it, because to get a tarball or an RPM, you don't need CVS.

[Bush2000]

That unchecked buffer in the Locator Service is pretty serious... lots of domain controllers are vulnerable. That translates to a lot of Windows users -- particularly in business settings.

Attacks from within the firewall are practically non-existent.

CVS is primarily used by developers and librarians. I never use it, because to get a tarball or an RPM, you don't need CVS.

The unfortunate thing is that somebody could slip trojan code into a CVS dev tree, it would get built, and then you pick up the tarball or an RPM. Now, you're affected.

[TechJunkYard]

Yeah... and a two-year-old bug in MS-SQL can bring down half of the 'net.

[jammer]

Still working with both in multiple production environments, I truly believe that, unless you need sophisticated networking, you are talking about a "sidegrade", not an upgrade.

[dark_lord]

# Content Management - How many people actually run this? A thimbleful?

Just curious. I saw that you posted a thread day before yesterday indicating your belief that because CVS (a source control system used for programmers) was found to have a security flaw, that this again showed that open source is fundamentally flawed.

Yet here when a security flaw is found that impacts Microsofts Content Management server -- which does essentially what CVS does -- that it is a non-issue?

Now I tend to be neutral on the MS/Mac/Unix/Linux wars - I have used all of them and currently run Win2000, WinXP, and Linux. But it appears you are quite biased. Why do you have a knee-jerk reaction to attack Linux and Mac and defend MS no matter what? Especially here where you have attacked the one and defended the other - for flaws in the same functional area?

Is this like a religious issue for you?

[bvw]

Is CVS as important as SQL-Server?

[bvw]

Bush2000, all bluster, nearly content free. He does have a chip on his shoulder.

No matter what position one has re MS vs Linux, etal ... I can't see as any take Bosh2K's religious mypoia about MSs work product for any value, as clearly tainted by bias it is.

MS has some great stuff, and so does Linus, open source, Sun, and Mac, etc. This CVS bug is not the problem Herr Bosher has made it to be ... there are many safeguards, checks and oversights over builds that would flag a compromise. Yet he complains not for edification, for where has the Master of MS-Mayhem been today, the day of molasses over MS-serverdom? No, not for education -- but simply to knock and mock.

[Bush2000]

Yeah... and a two-year-old bug in MS-SQL can bring down half of the 'net.

Is it Microsoft's fault that some customers refuse to keep their servers updated/patched?

[Bush2000]

Is CVS as important as SQL-Server?

It depends on what's actually done about it by the people that use it. If they patch their stuff, it's should have a minimal impact.

[Bush2000]

Yet here when a security flaw is found that impacts Microsofts Content Management server -- which does essentially what CVS does -- that it is a non-issue?

CVS is a widely used source control system. Most open source projects use it. Content Management server is barely used by anybody. Therefore, which do you think affects more customers? Duh.

[TechJunkYard]

Is it Microsoft's fault that some customers refuse to keep their servers updated/patched?

Of course not. But it IS Microsoft's fault that the bug got out there in the first place.

WTF man! An unchecked buffer is one of the easiest flaws to prevent before it's released, and one of the most expensive to fix after release. I used to fix these things all of the time! I get steamed at the Open Source crowd for this too.

IF (length - pointer) <= buffer length
  THEN copy the buffer
  ELSE signal error
ENDIF

It's one of the easiest constructs in programming! I know you guys don't program in assembler, but why don't your tools and code reviews pick this stuff up?