
Another Critical Microsoft Hole

michael posted more than 11 years ago | from the your-daily-dose dept.

Security 601

gmuslera writes "Not was enough that recent vulnerability in IE that can run any program in an unpatched windows system. Now there is another related to an ActiveX control that can make IE and IIS run any code in the system. The Microsoft solution? kill the related ActiveX control and replace it with a safe one. The Microsoft problem? As this control is Microsoft signed, any site can require it, upload it and replace the "good" one with the vulnerable one. The final recommendation from Microsoft? Don't trust/run ActiveX controls signed by Microsoft." Gimble points to the appropriate locations on Microsoft's website: "Another buffer overrun (that allows arbitrary code to be run) has been admitted to by MS, and it affects IIS and IE on clients (but not on XP), and they have a patch available here Security Hotfix for Q329414. The kicker is that a patched system can be rendered vulnerable again by a hostile web site or HTML email. The 'solution' from MS in Microsoft Security Bulletin MS02-065 recommends that you remove MS from the list of Trusted Publishers."


Hey great (-1, Flamebait)

l33t j03 (222209) | more than 11 years ago | (#4722565)

They have already released a patch, but you fucking idiots don't worry about that shit.

Re:Hey great (0)

Anonymous Coward | more than 11 years ago | (#4722735)

If you'd bothered to read the article, you'd see that the ``patch'' consists of a nonvulnerable ActiveX control. The problem is that the old control has been signed by Microsoft, so it's considered safe by default in IE. Unless you turn that off, I can create a website that uses the old control, and your browser will upload it. It would seem that either there is no fix, or Microsoft must change their signature so that all controls are void. Either way, it's another good reason to not use IE.

Re:Hey great (0)

Anonymous Coward | more than 11 years ago | (#4722746)

You gotta admit, though, that it's funny as hell that MS recommends that MS be removed from the trusted list.

M$ sucks (-1, Troll)

Anonymous Coward | more than 11 years ago | (#4722571)

hahahahaha...

A Toast!! (-1, Offtopic)

Anonymous Coward | more than 11 years ago | (#4722572)

...to the HOST who BOASTS the MOST first POSTS!

Re:He's right about the fonts (5, Funny)

Rebel Patriot (540101) | more than 11 years ago | (#4722574)

Why doesn't Microsoft wake up and just apply the "mozilla patch"? :^)

why the kill bit does not work. (5, Insightful)

leuk_he (194174) | more than 11 years ago | (#4722703)

According to the MSTECH bulletin:
Why isn't it feasible to set the Kill Bit in this case?

The ActiveX control involved in these vulnerabilities is used in many applications and web pages to access data. Many applications, including third-party applications, contain hard-coded references to it; if the patch set the Kill Bit, the web pages would no longer function at all - even with the new, corrected version. As a result, the patch updates the control to remove the vulnerabilities, but does not provide a brand-new control and set the Kill Bit on the old one.


Conclusion:
-Microsoft refuses to kill itself.

how does this relate to: the story Microsoft on Security: We'll Break Your Apps [slashdot.org]

Hey... Linus refused to change the behaviour of kill -9 -1 also

Sound Advice (3, Funny)

stevens (84346) | more than 11 years ago | (#4722578)

``Don't trust Microsoft'' is just a good security principle in general. Finally they realize it. :-)

Re:Sound Advice (1)

FatRatBastard (7583) | more than 11 years ago | (#4722714)

They should move everything over to FreeBSD since they like it so much [theregister.co.uk] .

Amazing how their own internal whitepaper points out that a Unix based system is simple, easy to administer, secure, modular, and can be bloat free.

Microsoft ActiveX Controls? (3, Insightful)

og_sh0x (520297) | more than 11 years ago | (#4722580)

Hey, good thing that little bird told me to never check the box that says "Always trust content by Microsoft Corporation"

why? (1, Interesting)

el_mex (175423) | more than 11 years ago | (#4722582)

Why are these things posted here? Is it because of the many /. users that use windows :-), or is it because we're always trying to make windows look bad?

It's getting tiring to see all this sarcasm, like open source is so free of bugs or something...

Re:why? (3, Insightful)

Anonymous Coward | more than 11 years ago | (#4722619)

Slashdot reports on pretty much anything security related. Besides this is not a little problem it's something that is pretty damn serious if you ask me.

Re:why? (-1)

Anonymous Coward | more than 11 years ago | (#4722661)

Actually a lot of /. readers do use Windows.

Re:why? (5, Informative)

jandrese (485) | more than 11 years ago | (#4722665)

Because if you don't bring these problems out into the open, Microsoft won't fix them. There have been several cases in the past where security vulnerabilities were left unpatched until people started clamoring for a fix. Also, this hole is rather severe (if a similar hole was found in SSH or Apache Slashdot would announce it) and the fact that it is digitally signed makes it unusual and newsworthy.

Re:why? (5, Interesting)

NecroPuppy (222648) | more than 11 years ago | (#4722704)

Because there are still quite a few of us who still use Windows...

I've got half a dozen software packages that are currently only available for Windows or Mac, and as I don't like Macs, I'm stuck with Windows for the time being.

This kind of story is "News for Nerds", and as such, is, IMO, much more valid a story than most that get posted here.

And as far as the Open Source comment; yes, Open Source systems have bugs. However, I don't know of a single one that will have a website pop-up ask you to download a major security hole under the name of trusted computing.

Do you?

Re:why? (3, Interesting)

netsharc (195805) | more than 11 years ago | (#4722717)

Probably because a lot of us are sysadmins with companies stuck with Windows, and with this sort of news, we can take steps to protect our computer systems from MS-induced death, including convincing the PHBs to switch to Linux. ;-)

Also, Windows is more popular, so this sort of thing affects more people, especially clueless ones, the ones we need to educate to switch to Opera (ohokay, Mozilla then)

Re:why? (0)

Anonymous Coward | more than 11 years ago | (#4722742)

Open source (Linux and Linux Apps in particular) is probably more buggy in my opinion. Especially anything that uses X. At least the M$ windowing system doesn't crap out constantly.

The difference is it's not more insecure primarily due to the deny by default theory used with most distros. If we'd get ACLs in place and use them and they were tightly integrated to make them decently easy to use it would get even better.

The reason people bash M$ so much in this case is because they've got an insecure system and they have a horrible attitude toward fixes and security in general. What kind of fix is "Don't trust us."?

This bodes well (5, Insightful)

evilpenguin (18720) | more than 11 years ago | (#4722584)

Doesn't this just make you excited for the prospect of Palladium and a world where all code is digitally signed? I'm tingling all over.

I'm all for code signing for authenticity, but not for code signing as execution control. Code signing should be purely an audit mechanism.

Re:This bodes well (2)

aphor (99965) | more than 11 years ago | (#4722664)

HERE HERE! I'll drink to that! There is no such thing as implicit trust, and if you think there is, please send me a blank check. I agree not to abuse it ;)

Re:This bodes well (5, Funny)

kmellis (442405) | more than 11 years ago | (#4722698)

"There is no such thing as implicit trust, and if you think there is, please send me a blank check." - aphor
Sure, just give me your address, and it'll be on its way.

Typical slashdot crap (0)

Anonymous Coward | more than 11 years ago | (#4722585)

The solution from the page linked is to install MDAC 2.7. There is no mention of removing MS from the trusted list.

Re:Typical slashdot crap (3, Insightful)

compwizrd (166184) | more than 11 years ago | (#4722641)

From the article:

What steps could I follow to prevent the control from being silently re-introduced onto my system?

The simplest way is to make sure you have no trusted publishers, including Microsoft.

Re:Typical slashdot crap (-1, Troll)

REBloomfield (550182) | more than 11 years ago | (#4722699)

unfortunately, these posts will get modded as trolls or flamebait, whereas those posts with "screw M$" get modded as funny, or insightful. As far as I'm concerned, there is an issue, it's been dealt with. Those that need to know about it, i.e. those IIS admins, etc. will already be doing something about it. Just a shame the rest of the online community feels the need to jump up and down about it.

Re:Typical slashdot crap (5, Insightful)

evilpenguin (18720) | more than 11 years ago | (#4722726)

The problem is that unless you remove Microsoft from the list of trusted publishers, a malicious web site or e-mail message can reinstall the vulnerable version without your knowledge or consent.

To me, this proves that digitally signed code, that is, "trusted systems" are absolutely no guarantee of security. Bad code can be signed.

pain (0)

Anonymous Coward | more than 11 years ago | (#4722586)

It truly hurts me each time they put out a new patch. As I am addicted to microsoft, each patch seems to not help as much as the one before. I'm feeling like a smoker now trying to quit.

Re: Another critical Microsoft hole (5, Funny)

T1girl (213375) | more than 11 years ago | (#4722587)

Not was enough that recent vulnerability in IE that can run any program in an unpatched windows system.

Difficult to read this post is, hmmm?

Another hole..... (0)

Anonymous Coward | more than 11 years ago | (#4722592)

Where's the slashdot article on the whole "leaked longhorn alpha" deal? I have 2 different releases, and it still hasn't been an article here at /.

"Don't trust Microsoft" (4, Funny)

ctid (449118) | more than 11 years ago | (#4722594)

This must be the most utterly humiliating admission I have ever read. The fact that it comes in the context of a security problem beggars belief.

In other news (1)

beaviz (314065) | more than 11 years ago | (#4722596)

Microsoft's new security initiative announced that a 100% secure Operating System Platform (tm) is possible. And it's very simple too: Don't trust Microsoft. Don't buy Microsoft Products. Don't talk about Microsoft. Don't look in any direction.

We knew that already...

I Like Their Solution! (2, Funny)

0101000001001010 (466440) | more than 11 years ago | (#4722597)

The final recommendation from Microsoft? Don't trust/run ActiveX controls signed by Microsoft.

The 'solution' from MS in Microsoft Security Bulletin MS02-065 recommends that you remove MS from the list of Trusted Publishers.

Will Do!

Microsoft Security Bulletin MS02-065 (3, Informative)

henben (578800) | more than 11 years ago | (#4722598)

Interestingly, that page doesn't render properly in Opera 7 Beta unless you identify as MSIE - when it works fine.

Re:Microsoft Security Bulletin MS02-065 (2)

henben (578800) | more than 11 years ago | (#4722621)

Actually, the DHTML stuff is still broken, but you can at least read the page.

This must be a first... (1)

WampagingWabbits (627551) | more than 11 years ago | (#4722600)

The 'solution' from MS in Microsoft Security Bulletin MS02-065 recommends that you remove MS from the list of Trusted Publishers."

...at last we can all agree about something!

More Bias (5, Insightful)

OpCode42 (253084) | more than 11 years ago | (#4722604)

Can we please stop all this MS bashing? Every piece of software has security alerts and patches issued. Why, in a week where we have alerts for Samba, php, kde (libs and network) and apache, do we have to hear about IE yet again? Yes, we know that it's not a secure bit of software. It just makes us look like insecure teenagers if we keep bashing it like this.

*flame retardant jacket on*

That is all.

Re:More Bias (5, Insightful)

Seahawk (70898) | more than 11 years ago | (#4722651)

Well - I see your point, and I am opposed to needless MS bashing as well! The difference between the OSS vulnerabilities and this IE one is that the OSS vulnerabilities are fixed rather easily, and Microsoft's solution to the problem (Don't trust MS ActiveX controls) just won't help the average user as he has no idea how to not trust Microsoft

As you say - there are bugs in ALL software - but there are great differences in how quickly those bugs are fixed!

Re:More Bias (1, Informative)

Anonymous Coward | more than 11 years ago | (#4722756)

If you read the article, their advice is to "make sure you have no trusted publishers, including Microsoft." Every time that you hit a website that uses an ActiveX control, you'll get a warning message.

So they are requesting that people do what most people here recommend already - don't trust anyone.

flaming retard jacket? (0)

Anonymous Coward | more than 11 years ago | (#4722653)

is that some kind of Leisure Suit Larry thing?

Re:More Bias (2)

mao che minh (611166) | more than 11 years ago | (#4722668)

Stop stating the obvious and go away. Slashdotters don't need to hear this. We love our comfortable little world.

Re:More Bias (5, Funny)

warrior_on_the_edge_ (605123) | more than 11 years ago | (#4722671)

It just makes us look like insecure teenagers

Maybe we should apply the SECURE teenager patch I thought I saw somewhere....

Re:More Bias (1)

richie2000 (159732) | more than 11 years ago | (#4722716)

Maybe we should apply the SECURE teenager patch I thought I saw somewhere....

Don't bother, it was signed by Bill Gates himself twenty years ago.

Re:More Bias (2)

binaryDigit (557647) | more than 11 years ago | (#4722678)

Well the biggest problem is the sheer number of IE users and therefore the potential impact of a security hole. While a problem in say, Samba, has fairly limited exposure.

And probably the thing that any OS proponent will gleefully point out, is that the "solutions" offered by M$ are typically not very satisfying and there really isn't much you can do about it (vs switching OS's of course ;)

I agree that there is a a large amount of M$ bashing, but then what would one expect, when in Rome ....

Re:More Bias (0)

Anonymous Coward | more than 11 years ago | (#4722715)

"*flame retardant jacket on*"

More like a flame retardant wet blanket.

Re:More Bias (3, Insightful)

keyne9 (567528) | more than 11 years ago | (#4722759)

Well, in my household, I will generally only update the secondary computers every month, give or take. More critical patches, I'll update immediately. I do not really consider these updates as bashing, per se, but rather a boon for me.

I seem to remember a poll that indicated that a significant portion of the /. crowd used or otherwise had installed Windows on at least one machine. I can't see how this would be totally irrelevant.

I can, however, see that the updates are quite one-sided. Is it, perhaps, that less people submit the linux related bugs? or that the editors choose to publish more Microsoft-related ones? I think only they know for sure. Either way, people benefit.

a solution...? I reckon. (2, Insightful)

girl_geek_antinomy (626942) | more than 11 years ago | (#4722610)

The 'solution' from MS in Microsoft Security Bulletin MS02-065 recommends that you remove MS from the list of Trusted Publishers."

Am I the only one who finds this uproariously funny...?

Micro$oft wants us not to trust it. Not that this will be a problem in many cases, but... Maybe if we applied this more generally the world would be a nicer and safer place?

Don't worry, we know just what to do... (2)

Spazholio (314843) | more than 11 years ago | (#4722613)

"Now listen to me very closely, because I have the answer for your problems. The way to fix your troubles is to not trust me..."

Catch-22, eh? The company that's giving you the solution is also telling to that they're not to be trusted. I don't care WHAT company that comes from, it's funny...

Question (5, Insightful)

zero-one (79216) | more than 11 years ago | (#4722615)

Why can't IE run in a process with reduced privileges? Why does IE need the privileges of the current user on NT/2000 when all it does is browse the web?

Re:Question (4, Insightful)

pVoid (607584) | more than 11 years ago | (#4722673)

The current user is a perfectly safe security context - unless, you are doing the same stupid thing 98% of bad users out there do: run as admin.

IIS needs to run as system for a couple of reasons that aren't worth detailing. The issue was that there was no distinction between Local-System and Network-System as there is now in XP.

Re:Question (4, Funny)

Peer (137534) | more than 11 years ago | (#4722750)

The current user is a perfectly safe security context

Sure if you never store personal documents under it.

This is big (5, Insightful)

ceswiedler (165311) | more than 11 years ago | (#4722616)

Wow. Some heads must be rolling at Microsoft over this. Recommending that Microsoft be removed from the list of trusted signees? They're certainly not pulling punches on this one. It looks to me like they're placing a higher priority (with the treatment of this bug) on user security than company image. That's a first...

The reason they're in this mess is the whole "trusted computing" paradigm which they started with this signed-ActiveX stuff and are continuing with Palladium. Perhaps this will make them reconsider. Quis custodiet ipsos custodes: Who watches the watchers?

Re:This is big (1)

GooRoo (245743) | more than 11 years ago | (#4722733)

It would be bigger if this was a default setting, but I don't believe it is.

You have to have said at some point that you trust Microsoft, and while I use their products all the time I certainly don't trust them.

So basically unless you said at some point 'Always trust software from Microsoft Corporation' when those security warnings come up to install ActiveX controls, or you always click ok when you go to web sites that try to install things, then you don't need to worry.

Reversal of Fortune. (2)

viper21 (16860) | more than 11 years ago | (#4722617)

I never though I would see Microsoft telling us NOT to check the box:

"Always trust content from Microsoft Corporation"

I guess with the next version of IE they will be changing it to:

"Never trust content from Microsoft Corporation"

Now that's the kind of checkbox I'm talking about.

-S

Microsoft knows best (4, Funny)

Anarchofascist (4820) | more than 11 years ago | (#4722622)

All you linux freaks should pay attention - here is Microsoft issuing some very timely and correct advice.

"Don't trust us"

Re:Microsoft knows best (1)

TheRealDeal (628168) | more than 11 years ago | (#4722753)

OK where does everyone see that it says not to trust Microsoft? All I see is not to trust an ActiveX pop-up warning that might be coming from someone OTHER than Microsoft...

Oh and if I see M$ or Micro$oft one more time I'm going to puke... It's not witty, it's not funny, and above all else it is NOT in any remote fashion new... get over it...

Trusted computing. (2, Funny)

MongooseCN (139203) | more than 11 years ago | (#4722623)

As this control is Microsoft signed...

Trusted computing, digital signing... I guess it all boils down to "You can trust Microsoft that this signed control will screw over your computer."

Excellent. (1, Redundant)

grub (11606) | more than 11 years ago | (#4722626)


The final recommendation from Microsoft? Don't trust/run ActiveX controls signed by Microsoft.

Ah excellent, for years I never trusted anything from Microsoft but now I can just distrust their signed ActiveX crud.

The admission is in the faq section. (5, Informative)

terradyn (242947) | more than 11 years ago | (#4722629)

Reproduced for your enjoyment:

What steps could I follow to prevent the control from being silently re-introduced onto my system?

The simplest way is to make sure you have no trusted publishers, including Microsoft. If you do that, any attempt by either a web page or an HTML mail to download an ActiveX control will generate a warning message. Here's how to empty the Trusted Publishers list:

1. In Internet Explorer, choose Tools, then Internet Options.
2. Select the Content tab. In the Certificates section of the page, click on Publishers.
3. In the Certificates dialog, click on the Trusted Publishers tab.
4. For each certificate in the list, click on the certificate and then select Remove. Confirm that you want to remove the entry.
5. When you've removed all entries from the list, select Close to close the Certificates dialog, then click on OK to close the Internet Options dialog.

Don't trust... (2)

Torinaga-Sama (189890) | more than 11 years ago | (#4722632)

"The 'solution' from MS in Microsoft Security Bulletin MS02-065 recommends that you remove MS from the list of Trusted Publishers."

That is solid GOLD.

It is poetic justice that Microsoft's own measures for security are working against them.

MS from the list of Trusted Publishers. (2)

oliverthered (187439) | more than 11 years ago | (#4722634)

Already done, a long long time ago........
I didn't want them running anything they happened to sign on my PC.

Ok, I don't run windows at home any more, unless I need it for reverse engineering drivers or file formats.

So what.. (2, Insightful)

ybmug (237378) | more than 11 years ago | (#4722638)

that can run any program in an unpatched windows system.

If my Linux box wasn't kept up to date, there would be quite a few remote root exploits similar to this.

Re:So what.. (1)

lalas (85981) | more than 11 years ago | (#4722744)

that can run any program in an unpatched windows system.

If my Linux box wasn't kept up to date, there would be quite a few remote root exploits similar to this.


If you had read a little further:
The kicker is that a patched system can be rendered vulnerable again by a hostile web site or HTML email.

Re:So what.. (2)

Penguinoflight (517245) | more than 11 years ago | (#4722762)

No, man there would be quite a few user-root exploits. I.E. if someone had shell access, they could get full access. That's a HUGE difference. They don't need your password to get in with the IE hack.

DOJ reaction (5, Funny)

MosesJones (55544) | more than 11 years ago | (#4722642)


Today the DOJ announced that they would no longer trust Microsoft and had removed Microsoft from the list of companies it would allow to police themselves. This was done on Microsoft's advice as they felt they could not be trusted not to screw around like they had before.

"Lets face it" said Bill Gates "asking us to police ourselves is like asking Dan Quayle to front a literacy program, its just not a good idea"

Muha (2)

mao che minh (611166) | more than 11 years ago | (#4722643)

Right about now, Bill Gates is asking himself why in the world he paid millions for that "security approval" thing for Windows 2000 and wasted all of those marketing dollars in the over-hyped (and non-existent) "we make all of our programmers go to security school or something" campaign.

what can one do? (2, Interesting)

proky (627414) | more than 11 years ago | (#4722644)

If Microsoft tells users not to trust it for this, when should users trust it?

The joke is to say never. But with Microsoft controlling however many trillions of computers, it seems like something they should seriously be addressing. And more seriously than they are.

I also don't trust software i write (2, Funny)

TrueKonrads (580974) | more than 11 years ago | (#4722656)

I also don't trust software i write, why should MS do different? I mean you can't say elseway " The programmer was a moron" and keep the pride

Bad Timing (1)

YetAnotherDave (159442) | more than 11 years ago | (#4722658)

Damn, when I saw this there were no comments listed, I thought I might be able to post 'first yawn'.

I mean, how is _another_ IE flaw even news anymore...

Ironically, I probably missed it cuz I was opening my morning comics in other (mozilla) tabs...

Microsoft update! (0)

j4pjeff (627186) | more than 11 years ago | (#4722660)

If you have bad controls, patch it. If you have security issues, patch it. The whole of their operating system is becoming one giant windows update...

Re:Microsoft update! (1)

mschoolbus (627182) | more than 11 years ago | (#4722718)

Well it is, they have to fix the current bugs and introduce some new ones for users to get fucked over with...

Windows Update (2, Insightful)

Peer (137534) | more than 11 years ago | (#4722670)

The real pain is that people that have used Windows Update often will have checked "Always trust content from Microsoft", otherwise they will have RSI by now from clicking Yes.

Redundant (1)

anno1a (575426) | more than 11 years ago | (#4722681)

Dammit, all news about security issues with microsoft products should be rated reduntant... I know I'm losing interest by now... There's just a limit to how often you can get amazed by a new security hole in the same company's products. :P

funny (1)

sT0n3_h34d (572639) | more than 11 years ago | (#4722687)

i don't know if it's an innocents week (days) but it's funny to hear microso~1 saying "don't trust our software and either our company"
that's what i'd like to expect from my supplier XD

hahaha
i couldn't help XD

pd: what about making a 100 things that you shouldn't expect to hear from microso~1?

No more Windows Updates (0)

Anonymous Coward | more than 11 years ago | (#4722697)

So I guess this means they'll be discontinuing the windows updates program as it tries (or used to) load an ActiveX component signed by M$.

Incredible... (3, Interesting)

Pellelelle (133444) | more than 11 years ago | (#4722701)

I didn't believe this was true at first but this is actually what it says in the Security Bulletin:
--
What steps could I follow to prevent the control from being silently re-introduced onto my system?
The simplest way is to make sure you have no trusted publishers, including Microsoft.
--

I found it amusing... (5, Interesting)

oconnorcjo (242077) | more than 11 years ago | (#4722705)

but I think Microsoft is doing the right thing here. They are in a pickle and they have given a good solution (and one that is embarrassing to them). Of course what they should really do is redesign IE to not run in "root" mode but that is another story. I wish the slashdot editors did not relish so much the foibles of Microsoft in their editorial comments.

Microsoft update /.'ed (1)

ITShaman (120297) | more than 11 years ago | (#4722706)

As of 10:01am EST, the microsoft update website displays the message "SERVICE UNAVAILABLE". Oh the irony of it all...

I find it amusing... (5, Funny)

analog_line (465182) | more than 11 years ago | (#4722708)

...that the only safe place to run a Microsoft browser is on an Apple Computer operating system.

WTF ? (5, Insightful)

FauxPasIII (75900) | more than 11 years ago | (#4722712)

How is it that they implemented a cryptographic signature system and don't provide for revocation? Surely somebody's missed something here...

Why don't people use something else? (5, Insightful)

Mr_Silver (213637) | more than 11 years ago | (#4722713)

See this comment [slashdot.org] followed by my response [slashdot.org] .

People don't move to something because, firstly it's something different and many people are happy to stick with something comfortable. Secondly many people don't see the point in downloading something that they already have installed ("it works for me, why do I need anything else?" mentality) and finally, for many people they never experience the nasty possible ill-effects of these security alerts.

Sure, plenty of people were hit by Code Red but it never really affected them. Sure it affected their computer, but as far as their documents were concerned - there was no change.

Until we see a security alert that does cause damage to personal files and does roam rampant in the wild, the average Joe Blow user doesn't give a toss whether or not there 6 or 6000 security alerts.

remember when... (0)

Anonymous Coward | more than 11 years ago | (#4722722)

microsoft announced that their public keys had been stolen?

(i cannot remember my slashdot password.. haha)

FWIW: .NET may help this... (4, Informative)

Kanagawa (191142) | more than 11 years ago | (#4722723)

I'm no M$ fan, but I deal with it at work so I make a point of figuring out how to deal with the problems. Frankly, this isn't a surprise. The most well secured enterprises I've seen allow only internal ActiveX publishers -- ActiveX is just too hard to make safe.

Looking forward, I recently picked up .NET Framework Security [amazon.com] -- anyway, it seems like Microsoft is at least attempting to solve this particular problem. And, their approach isn't completely idiotic. Really.

Mobile code that runs in the .NET common language runtime (read: M$ JVM) is controlled by a fairly sophisticated access control system. The default policy in XPsp1 from M$ allows no code from the Internet to execute, at all. Not exactly what I want as a user, but its what I want as an admin...

Frustratingly, you can't run .NET mobile code without also enabling ActiveX controls. Not sure what the issue there is, but I suspect the CLR loader is some sort of ActiveX control. Anyone know about that?

Anyway... here's some additional links to M$ references on mobile code:

Security in .NET: Enforce Code Access Rights... [microsoft.com]
Security in the .NET Framework [microsoft.com]

Unfixable? (0)

Anonymous Coward | more than 11 years ago | (#4722730)

In the bulletin, Microsoft tells you to not trust it. But windows update, where I guess you have to go to fix the problem, says to click yes to install everything signed by microsoft. so?

When will they learn? (1)

SLASHAttitude (569660) | more than 11 years ago | (#4722731)

Microsoft has been trying to make the same buggy code work for a few years now. When will they start over? I think they do a lot right, but they need to think a little more about security and change their code. Microsoft is so big that I bet there is not one team there that knows what all is in the kernel. That is wrong! I am no programmer but I do know a few. I know they tell me they hate following someone's undocumented buggy code because they can never figure out all the problems. This has changed in the open source community because of all the peer review and support. I wonder why, with all of its vast billions, Microsoft can not come up with a better system. From now on all my systems that store stuff that is important I will just keep using *BSD and Linux.

Time to upgrade (2, Funny)

Hasie (316698) | more than 11 years ago | (#4722737)

The solution is to upgrade to Windows XP because it doesn't have this problem. This is the best news Microsoft has had in years!

Trusted (0)

Anonymous Coward | more than 11 years ago | (#4722738)

The 'solution' from MS in Microsoft Security Bulletin MS02-065 recommends that you remove MS from the list of Trusted Publishers.

Yes, I had better remove security.microsoft.com from my apt sources.list as quickly as possible.

Irony, delicious irony (-1, Flamebait)

Anonymous Coward | more than 11 years ago | (#4722739)


hmmm

Does no one realize its a TROJAN PR MOVE (5, Insightful)

peculiarmethod (301094) | more than 11 years ago | (#4722740)

Doesn't anyone consider this a mysteriously convenient way to encourage the masses of Windows users who won't drop them to move over to XP? All the news sources highlight that XP isn't vulnerable.. yeah.. not with THIS flaw. I wondered how long it would be before they started admitting the really bad flaws in all the other versions to move everyone towards their .net modern os. hmph

or maybe I'm just nervous 'cause my coffee just accidentally cross bred with a poison-ivy staph-infection vaccine GE plant and was recalled after I drank it

pm

Install MDAC 2.7 (4, Informative)

Brazzo (22202) | more than 11 years ago | (#4722749)

Yes, there are still bugs with MDAC 2.6; install MDAC 2.7. You'll note at the bottom of the security update that MDAC 2.7 is not affected by this issue.

Here's a URL for you, even...

MDAC 2.7 Refresh [microsoft.com]

Keeping Windows secure is hard, but it's easier if you install the recent components...

Use separate certificates for each control? (5, Interesting)

virtcert (512973) | more than 11 years ago | (#4722751)

According to the MS release, the reason that they can't simply revoke the certificate for the control is that they signed other controls with the same certificate.

Wouldn't it make sense for them to just sign every control with a DIFFERENT certificate, so when one is found to be flawed they can revoke the cert and only the new version will install easily?

It's not like MS can't afford the cost of the individual certs, if they aren't a CA themselves already...
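An added illustration of the point made in this comment and in the earlier "why the kill bit does not work" post, as a toy Python model. This is not code from Microsoft or from the bulletin: signatures are modelled with an HMAC over (CLSID, version, code hash) instead of Authenticode, and the publisher key, CLSID, version numbers and control bytes are all made up. The three policies show why "trust the publisher" lets a signed-but-vulnerable control be silently reinstalled, why a kill bit keyed on the CLSID also blocks the fixed control that shares that CLSID, and how blocking by artifact hash or minimum version lets the fix through while refusing the downgrade.

```python
"""Toy model: publisher trust vs. artifact-level controls for signed ActiveX.

Added example, not Microsoft code. HMAC stands in for an Authenticode
signature; the policy logic is what matters, not the signature scheme.
"""
import hashlib
import hmac
from dataclasses import dataclass

# Hypothetical publisher signing key (constructed for the demo).
PUBLISHER_KEYS = {"Microsoft Corporation": b"demo-publisher-key"}


@dataclass(frozen=True)
class SignedControl:
    clsid: str        # COM class id that <object classid=...> refers to
    publisher: str    # name on the signing certificate
    version: str      # file version the publisher embedded in the signed data
    code: bytes       # the control's bytes (constructed)
    signature: bytes  # MAC over (clsid, version, sha256(code))


def _signed_data(clsid, version, code):
    return b"|".join([clsid.encode(), version.encode(), hashlib.sha256(code).digest()])


def sign_control(publisher, clsid, version, code):
    """Publisher signs a control; the CLSID and version are covered by the signature."""
    mac = hmac.new(PUBLISHER_KEYS[publisher], _signed_data(clsid, version, code), hashlib.sha256).digest()
    return SignedControl(clsid, publisher, version, code, mac)


def signature_valid(ctl):
    """Does the signature match the control's bytes and metadata under the publisher's key?"""
    key = PUBLISHER_KEYS.get(ctl.publisher)
    if key is None:
        return False
    expected = hmac.new(key, _signed_data(ctl.clsid, ctl.version, ctl.code), hashlib.sha256).digest()
    return hmac.compare_digest(expected, ctl.signature)


def version_tuple(v):
    return tuple(int(x) for x in v.split("."))


# Policy 1: the thread's situation. "Always trust content from <publisher>" means any
# validly signed control from that publisher installs silently, old or new.
def publisher_only_policy(ctl, trusted_publishers):
    return signature_valid(ctl) and ctl.publisher in trusted_publishers


# Policy 2: a kill bit keyed on the CLSID. Blocks the old control, but the fixed
# control keeps the same CLSID (pages hard-code it), so it is blocked as well.
def kill_bit_policy(ctl, trusted_publishers, killed_clsids):
    if ctl.clsid in killed_clsids:
        return False
    return publisher_only_policy(ctl, trusted_publishers)


# Policy 3: keep the CLSID alive but refuse known-bad artifacts by hash and
# anything below a per-CLSID minimum version. Only the downgrade is refused.
def artifact_policy(ctl, trusted_publishers, revoked_hashes, min_version):
    if not publisher_only_policy(ctl, trusted_publishers):
        return False
    if hashlib.sha256(ctl.code).hexdigest() in revoked_hashes:
        return False
    return version_tuple(ctl.version) >= version_tuple(min_version.get(ctl.clsid, "0"))


def demo():
    """Return (old_control_allowed, new_control_allowed) under each policy."""
    clsid = "{00000000-0000-0000-0000-000000000000}"  # placeholder, not the real control's CLSID
    old = sign_control("Microsoft Corporation", clsid, "2.6.0", b"vulnerable control (constructed)")
    new = sign_control("Microsoft Corporation", clsid, "2.7.0", b"fixed control (constructed)")
    trusted = {"Microsoft Corporation"}
    revoked = {hashlib.sha256(old.code).hexdigest()}
    minver = {clsid: "2.7.0"}
    return {
        "publisher_only": (publisher_only_policy(old, trusted), publisher_only_policy(new, trusted)),
        "kill_bit": (kill_bit_policy(old, trusted, {clsid}), kill_bit_policy(new, trusted, {clsid})),
        "artifact": (artifact_policy(old, trusted, revoked, minver), artifact_policy(new, trusted, revoked, minver)),
        # The bulletin's workaround: no trusted publishers, so nothing installs silently
        # (in IE this means a prompt for every control; here it is modelled as "not silent").
        "no_trusted_publishers": (publisher_only_policy(old, set()), publisher_only_policy(new, set())),
    }


if __name__ == "__main__":
    for name, (old_ok, new_ok) in demo().items():
        print(f"{name:22s} old={old_ok!s:5s} new={new_ok!s}")
```

The run shows publisher_only accepting both versions (the silent downgrade the thread is about), kill_bit rejecting both (the reason the bulletin gives for not setting it), artifact rejecting only the old one, and an empty trusted-publisher set letting nothing through silently. Signing each control with its own certificate, as suggested above, is equivalent to Policy 3 with revocation keyed on that per-control certificate rather than on the file hash.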

resistance is futile (0)

Anonymous Coward | more than 11 years ago | (#4722760)

*inserting vulnerable forced activex code here*
*execute WMP, forced to update to DRM*
*blinding laser from BillBorg "from this time forward, you will service us."*

Wait A Minute.... (2)

Tsali (594389) | more than 11 years ago | (#4722765)

I thought we were all critical Microsoft 'holes.

Oh.... I misread it....

J.