
idea_hamster

macrumors 65816
Original poster
Jul 11, 2003
1,096
1
NYC, or thereabouts
For all those MR folks who use MS, they call it "critical".

http://money.cnn.com/2004/02/10/technology/windows_flaw.reut/index.htm?cnn=yes

Here's the MS page with the description:

http://www.microsoft.com/security/security_bulletins/20040210_windows.asp

"A security vulnerability exists in the Microsoft ASN.1 Library that could allow code execution on an affected system. The vulnerability is caused by an unchecked buffer in the Microsoft ASN.1 Library, which could result in a buffer overflow.

An attacker who successfully exploited this buffer overflow vulnerability could execute code with system privileges on an affected system. The attacker could then take any action on the system, including installing programs, viewing data, changing data, deleting data, or creating new accounts with full privileges."
 
And it took MS over 200 days to get a fix out for this from the time they were first informed of it. Funny how C|NET was all over Apple when they took a month or so to get a comparatively minor security fix out for Jaguar a couple of months back... :rolleyes:
 
I'll be going home to my PC this weekend.....it will probably take the whole 3 days I have off just to download all of the patches......
 
Didn't I just update a couple of days ago???

At first I thought that this was just the old news about some updates released last week, but no these are new updates!

I can see why these viruses spread like they do, no one has time to update their computer this much, I certainly don't!
 
It seems like these critical updates aren't even bothering Microsoft anymore. It seems to me they're banking everything on Longhorn. What worries me is that Longhorn might be as good as MS thinks it's going to be.
 
Originally posted by MoparShaha
It seems like these critical updates aren't even bothering Microsoft anymore. It seems to me they're banking everything on Longhorn. What worries me is that Longhorn might be as good as MS thinks it's going to be.

That may be the case, but in the meantime what is a Windows user supposed to do?

Last I heard, it won't be out for at least two years.
 
"A security vulnerability exists... that could allow code execution on an affected system."

I knew there was some reason why it has always been so hard to use Windows: Under normal circumstances, it prevents you from running code! :D
 
Originally posted by Opteron
I've been running Windows since 95 (95-98-Me-XP) never had a virus, and have never used a virus check, eg. norton

I have never caught a virus either (if I don't include spyware), but I always update my computer every time a new update is released, but I know a lot of people who don't update and a few people that have gotten serious viruses because they didn't.

The majority of Windows users don't bother to update, and that is the problem.

Also, how do you know that you never had a virus if you never ran any anti-virus software?? Most people that get a virus, especially the nasty backdoor opening kind, never know it.
 
Originally posted by Dippo
I have never caught a virus either...
Right, but if you saw what happened when MSBlaster hit, it was sharply clear that there's an enormous difference between malicious code that runs locally and malicious code that can be executed remotely.

Also, there seemed to be a general consensus of opinion around the time of MSBlaster that part of the problem was that system administrators in general shied away from prompt patching because of compatibility problems. I'll bet that they pick up this patch quickly, tho....
 
Originally posted by idea_hamster
Also, there seemed to be a general consensus of opinion around the time of MSBlaster that part of the problem was that system administrators in general shied away from prompt patching because of compatibility problems. I'll bet that they pick up this patch quickly, tho....

There was also an issue about one of Microsoft's patches that just didn't plain work at all. Microsoft had to re-release the patch to fix the problem the second time.
http://news.com.com/2100-1009-5072672.html

I personally haven't had any system problems after a "security update" but I am also not running a server.

One of my friends is the tech at a local High School, and due to budget cuts he alone is in charge of hundreds of Windows machines. Guess what he will be doing for the next couple of weeks?
 
Originally posted by Opteron
I've been running Windows since 95 (95-98-Me-XP) never had a virus, and have never used a virus check, eg. norton

just out of interest how do you know you've never had a virus if you've never run the software to check to see if you have or not??
 
Originally posted by Opteron
I've been running Windows since 95 (95-98-Me-XP) never had a virus, and have never used a virus check, eg. norton

thanks for an insightful post. it's clearly the case that your use history is anything but typical.
 
Originally posted by Dippo

The majority of Windows users don't bother to update, and that is the problem.

Also, how do you know that you never had a virus if you never ran any anti-virus software?? Most people that get a virus, especially the nasty backdoor opening kind, never know it.

Auto-update is great. The fix was waiting for me when I got home the day it was released. I have it set to download, but I need to approve before install. You can set it to autoinstall and you won't have to do anything. Few people actually set the autoupdate preferences.

A PC user without VIRUS protection is a scary, scary thought. Anyone without it probably "thinks" they haven't been infected, odds are you have if you use email, or download using Kazaa. You just don't know it and have probably spread it to several of your contacts. Well, not several, but everyone in your address book.
 
Originally posted by Dippo
The majority of Windows users don't bother to update, and that is the problem.

having so many "critical" problems that regular updating is a prerequisite of a working machine is also a problem.

where do you draw the line between burdening the users with the responsibility to upgrade and providing a working OS that needs not so many updates?

cars generally need oil replacement once every 3k to 5k miles to keep running well. if that was, say, 200 miles instead, requiring practically weekly oil changes, can the car owners be faulted for not following up on it? can the car makers get away with burdening the users with such troublesome and inconvenient maintenance requirements?

i'm not implying that windows "critical" updates is like having to change the oil every 200 miles. i just threw out an analogy to illustrate a point - what's the reasonable level of burden to be placed on the user to do maintenance? at some point, shouldn't the manufacturers be held to a higher standard to provide the users with reasonably "maintenance-free" products?

i don't think it's as simple as "users are the problem because they don't upgrade."
 
Originally posted by jxyama
having so many "critical" problems that regular updating is a prerequisite of a working machine is also a problem.

where do you draw the line between burdening the users with the responsibility to upgrade and providing a working OS that needs not so many updates?

How does XP compare to linux and OS X?

I know when I installed Linux the most time consuming part was downloading all the patches and security updates.

I remember quite a few for OS X and OS X has far too many incremental OS patches IMO.

So, given the size of the platform, is it really any different than all the rest?
 
morganX:

generally, i don't care to make comparisons between windows and other OSes. i was just responding to the "users are the problem" attitude - if it's the industry "standard" to expect much user maintenance, regardless of the OS, then i guess so be it.

however, i'd argue that since windows made themselves the dominant OS in the market and along that dominance (should) come the responsibility to be even better than other OSes. if being dominant means more attacks, then so be it. they asked for (and got) dominance - now deal with the consequences as well.

this ends my rant. i don't use windows anymore so i don't personally care. but i *do* wish M$ would do a little better job with longhorn since it will be used by many, many people. if anything, it will reduce the number of annoying virus email warnings like i've gotten the last year because of virus and worms. :D
 
Originally posted by jxyama
morganX:

generally, i don't care to make comparisons between windows and other OSes. i was just responding to the "users are the problem" attitude - if it's the industry "standard" to expect much user maintenance, regardless of the OS, then i guess so be it.

however, i'd argue that since windows made themselves the dominant OS in the market and along that dominance (should) come the responsibility to be even better than other OSes. if being dominant means more attacks, then so be it. they asked for (and got) dominance - now deal with the consequences as well.

::nods respectfully in agreement::
 
Originally posted by jxyama
...i *do* wish M$ would do a little better job with longhorn since it will be used by many, many people. if anything, it will reduce the number of annoying virus email warnings like i've gotten the last year because of virus and worms. :D
I agree -- I'm not fond of having my In Box full of spoofed mailer daemons, either!

Aside from that, this latest flaw (while "critical") seems to be substantively the same as the MSBlast worm and the subsequent Mac OS X security patch -- specifically, a buffer overflow vulnerability. For everyone's sake, maybe they have one poor chump in charge of all the buffers in Longhorn to make sure they don't overflow!
 