August 6, 2009 12:09 PM PDT

Microsoft to fix critical Windows, Office holes

by Elinor Mills

Microsoft will issue fixes for five critical holes affecting Windows and a variety of other software on Patch Tuesday next week.

The critical holes, which could allow an attacker to remotely run code on a PC and take control of it, affect Windows 2000, Windows XP, Windows Vista, Windows Server 2003 and 2008, Windows Client for the Mac, Office 2000, XP and 2003, Microsoft Office Small Business Accounting 2006, Visual Studio .NET 2003, Microsoft Internet Security and Acceleration Server 2004 and 2006, and BizTalk Server 2002, according to a Microsoft security advisory released on Thursday.

Four additional vulnerabilities, rated "important," affect Windows and Windows .NET Framework and could allow an attacker to remotely execute code, launch a denial-of-service attack or elevate system privileges, the company said.

Originally posted at InSecurity Complex
Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service, and the Associated Press.
26 Comments
by jpmays August 6, 2009 1:01 PM PDT
It sure would be nice if Microsoft could fix these things before releasing the software to the public! It just reinforces the idea that their products are severely lacking in proper security!
by monkeyfun14 August 6, 2009 1:05 PM PDT
It would be nice if Apple and Linux could do that as well but they can't.
by knowles2 August 7, 2009 7:53 AM PDT
It would be nice if all products were perfect when they were released, but then we do not live in a perfect world and never will.
by santuccie August 10, 2009 2:54 AM PDT
http://securitywatch.eweek.com/apple/mac_hacked_via_safari_browser_in_pwn2own_contest.html
http://www.darknet.org.uk/2008/03/mac-owned-on-2nd-day-of-pwn2own-hack-contest/
http://blogs.zdnet.com/security/?p=2917
http://it.toolbox.com/blogs/securitymonkey/mac-os-x-local-user-exploit-appears-12026
http://www.linuxtoday.com/news_story.php3?ltsn=2009-04-17-030-35-SC-SW
http://blogs.computerworld.com/why_windows_is_safer_than_the_mac
http://blogs.zdnet.com/hardware/?p=533&tag=rbxccnbzd1
by birdonthebeach August 6, 2009 1:11 PM PDT
Microsoft should change its logo to an image of Swiss Cheese.
by goodspeed8701 August 6, 2009 1:30 PM PDT
If they do that I can't differentiate you from Microsoft.
by santuccie August 10, 2009 2:54 AM PDT
http://securitywatch.eweek.com/apple/mac_hacked_via_safari_browser_in_pwn2own_contest.html
http://www.darknet.org.uk/2008/03/mac-owned-on-2nd-day-of-pwn2own-hack-contest/
http://blogs.zdnet.com/security/?p=2917
http://it.toolbox.com/blogs/securitymonkey/mac-os-x-local-user-exploit-appears-12026
http://www.linuxtoday.com/news_story.php3?ltsn=2009-04-17-030-35-SC-SW
http://blogs.computerworld.com/why_windows_is_safer_than_the_mac
http://blogs.zdnet.com/hardware/?p=533&tag=rbxccnbzd1
by FF2009 August 6, 2009 2:07 PM PDT
WINDOWZ VISTA, LOL
by TSkeptic August 6, 2009 3:30 PM PDT
There are always holes in any OS. The key is to patch them as quickly as they are discovered - before any attackers can get a foothold. Let's see the Swiss Cheese commentators come up with a more secure and capable OS than Microsoft or Apple!
by tm_anon August 7, 2009 12:45 AM PDT
It's called Linux. It's much more secure and yes, it is more capable.

I used Windows from 95 through XP. I even gave Vista a try. Just tried it once but I still gave it a try.

Linux has allowed me to run high end graphics, run my machine for 6 months with no defrag and zero needed AV scans, update without restarting 99% of the time, update all of my apps at one time, download and install apps from a trusted source each and every time without using a browser, learn more about software and it has even given me the time to help get my friends' machines up and running properly (running XP or Vista). Oh, forgot to mention. Linux has let me do all this on a P-IV machine running at 1.87 GHz with 1GB RAM.

The Swiss Cheese commentators are most likely Linux users. Apple guys tend to point out the virus thing. Linux commenters tend to know a thing or two about code.
by knowles2 August 7, 2009 7:59 AM PDT
Have you ever thought that the reason Linux is not so ridden with viruses and security holes is not because it is better designed but because it actually is not that popular in the consumer market, where most virus makers can make easier money and are up against non-tech users? If Linux ever becomes popular with these people I can guarantee that Linux will start experiencing just as many problems as Microsoft does with Windows. Unfortunately it will never become that popular anyway, but that's another discussion for another day.
by santuccie August 10, 2009 3:00 AM PDT
@tm_anon:

http://news.cnet.com/8301-1009_3-10291022-83.html

Try again. Obscurity and inherent security are two very different things. You don't earn stripes when you've never been in the line of fire. Now, looking at the fact that we're still waiting for an ItW exploit for Vista after three years, THAT'S pretty darned impressive.
by birdonthebeach August 6, 2009 4:50 PM PDT
Awww...lighten up a little and enjoy a laugh.
by Hokulea August 6, 2009 7:16 PM PDT
Since there are over 450 varieties of Swiss Cheese I think further clarification is needed:

Smells like Raclette but looks like Emmentaler with its numerous large holes.

If you've never had Raclette I highly recommend it. It smells horrible but tastes delicious.
by Hokulea August 6, 2009 7:22 PM PDT
Microsoft does a good job of patching vulnerabilities before they are exploited. OTOH, can't say the same for Big Mac and Limpets. They seem to worry about it after the cows are out of the barn.
by tm_anon August 7, 2009 12:49 AM PDT
You've got that backwards. Since there are still so many vulnerabilities and exploits for those vulnerabilities for Windows systems and since there are so few vulnerabilities and exploits for those vulnerabilities for OS X and Linux (I'm assuming that's what you meant in your exceedingly ignorant comment), then it's fairly easy to see just how poorly you did your research.

Of course, if you can point out more vulnerabilities for either OS X or Linux than have been pointed out for Windows then please do so and prove me wrong.
by knowles2 August 7, 2009 8:05 AM PDT
Actually, figures show that OSX has had as many exploits as Windows has had in the last couple of years, but while Microsoft releases patches for the holes almost straight away, Apple can take months, even years, to do it.
Linux is pretty good but I have not seen any data on how fast they can fix a major flaw within the operating systems, and I'm guessing it would also depend on which flavour of Linux; if it is a specific flaw with a specific flavour of Linux I am sure it would take far longer than Microsoft, especially the smaller ones.
by Hokulea August 7, 2009 12:52 PM PDT
@tm_anon, NO you've got it backwards!

Sorry, but it would appear that your ignorance trumps mine. When it comes to poor research you're on top there as well. Apparently you are too lazy to even do a simple search regarding vulnerabilities for various OS's.

Let's start with OSx versus Vista. Secunia reports the following statistics for 2009 (secunia.com/advisories):

Apple Mac OS X
Solution Status (Based on 6 advisories from 2009)
Unpatched: 17%
Criticality: Extremely 0% ; Highly 83%
Remotely Exploitable: 83%

MS Windows Vista
Solution Status (Based on 8 advisories from 2009)
Unpatched: 0%
Criticality: Extremely 0% ; Highly 38%
Remotely Exploitable: 63%

For the year 2008:

Apple Mac OS X
Solution Status (Based on 12 advisories from 2008)
Unpatched: 0%
Criticality: Extremely 0% ; Highly 67%
Remotely Exploitable: 92%

MS Windows Vista
Solution Status (Based on 8 advisories from 2009)
Unpatched: 10%
Criticality: Extremely 0% ; Highly 50%
Remotely Exploitable: 63%

Here's an article from 24 June 2004 that compares Windows XP, Suse Linux, Red Hat, and Mac OS X:

http://www.techworld.com/security/news/index.cfm?newsid=1798

"For example, Windows security holes generally receive a lot of press because of the software's popularity, but the statistics show that Windows isn't the subject of significantly more advisories than other operating systems. Windows XP Professional saw 46 advisories in 2003-2004, with 48 percent of vulnerabilities allowing remote attacks and 46 percent enabling system access, Secunia said.

Suse Linux Enterprise Server (SLES) 8 had 48 advisories in the same period, with 58 percent of the holes exploitable remotely and 37 percent enabling system access.
Red Hat's Advanced Server 3 had 50 advisories in the same period - despite the fact that counting only began in November of last year. Sixty-six percent of the vulnerabilities were remotely exploitable, with 25 granting system access.

Mac OS X doesn't stand out as particularly more secure than the competition, according to Secunia. Of the 36 advisories issued in 2003-2004, 61 percent could be exploited across the Internet and 32 percent enabled attackers to take over the system. The proportion of critical bugs was also comparable with other software: 33 percent of the OS X vulnerabilities were "highly" or "extremely" critical by Secunia's reckoning, compared with 30 percent for XP Professional and 27 percent for SLES 8 and just 12 percent for Advanced Server 3. OS X had the highest proportion of "extremely critical" bugs at 19 percent."

This report from 21 June 2007 breaks down Vista vs Linux builds vs Mac OS X for the first 6 months of release:

http://blogs.csoonline.com/windows_vista_6_month_vulnerability_report

The graph posted in the report shows Vista with fewer total and fewer high severity vulnerabilities than Red Hat, Ubuntu, Novell, and Mac OS X 10.4 by a significant margin.

Frankly I think it's rather pointless to attempt to be logical and rational with people who are neither. If you look at statistical trends going back over the last three years it does indicate MS is better than Apple at identifying and patching vulnerabilities. While Linux distros generally fare better, exploits targeting Linux servers are the most worrisome considering its install base. Even Red Hat's servers were compromised in August of 2008.
by santuccie August 10, 2009 3:07 AM PDT
@tm_anon:

You're talking about Windows XP. We're talking about Windows Vista. XP was released in 2001; there was no such thing as a drive-by download back then. You can't blame MS for failing to address something that didn't even exist yet. DUH!!!

Just FYI, repeating the memes that other Linux fundamentalists tell you is not what I'd call doing your own research. You just crammed your foot so far in your mouth that you ought to be choking. Nice try.

http://news.cnet.com/8301-1009_3-10291022-83.html
http://securitywatch.eweek.com/apple/mac_hacked_via_safari_browser_in_pwn2own_contest.html
http://www.darknet.org.uk/2008/03/mac-owned-on-2nd-day-of-pwn2own-hack-contest/
http://blogs.zdnet.com/security/?p=2917
http://it.toolbox.com/blogs/securitymonkey/mac-os-x-local-user-exploit-appears-12026
http://www.linuxtoday.com/news_story.php3?ltsn=2009-04-17-030-35-SC-SW
http://blogs.computerworld.com/why_windows_is_safer_than_the_mac
http://blogs.zdnet.com/hardware/?p=533&tag=rbxccnbzd1
by cjs-8 August 7, 2009 7:52 AM PDT
Why do bugs (or whatever it was that needed fixing) in user-space applications allow an attacker to take over the Windows system?
They keep patching Office, Media Player, and other user space applications. Maybe I'm wrong in what that is telling me, but that tells me it's easy to write any program, and run it as a normal user, to take over the system. Seems to me what really needs fixing is the underlying kernel space applications, kernel API, and/or security model (permissions and ACLs) so the system can't be exploited in the first place by user space applications.

Anyone heard of a user space app exploiting Linux or Mac, without elevated permissions?
by santuccie August 10, 2009 3:09 AM PDT
http://news.cnet.com/8301-1009_3-10291022-83.html
http://it.toolbox.com/blogs/securitymonkey/mac-os-x-local-user-exploit-appears-12026
http://securitywatch.eweek.com/apple/mac_hacked_via_safari_browser_in_pwn2own_contest.html
http://www.darknet.org.uk/2008/03/mac-owned-on-2nd-day-of-pwn2own-hack-contest/
http://blogs.zdnet.com/security/?p=2917
http://www.linuxtoday.com/news_story.php3?ltsn=2009-04-17-030-35-SC-SW
http://blogs.computerworld.com/why_windows_is_safer_than_the_mac
http://blogs.zdnet.com/hardware/?p=533&tag=rbxccnbzd1

Sorry, but root authentication is not as airtight as you think it is.
by cjs-8 August 10, 2009 6:50 AM PDT
No need for multiple links about the same exploit on Mac. It's like you're giving it too much weight.
I'm aware root authentication is not airtight.
But why does MS keep issuing patches for user space applications to fix those exploits?
To answer my own question, I guess it's because most Windows users are administrators, so therefore, an exploit in a user space app can affect the entire system. It's nice to see Microsoft is finally fixing that aspect of their security model. The number of vulnerabilities one has on a given OS (you cited Vista having the fewest) doesn't seem as relevant as the amount of damage caused by those vulnerabilities. Also, how vulnerabilities are reported isn't the same for the OSs, so you can't simply throw them on one bar chart.
by Dalkorian August 10, 2009 9:44 AM PDT
@Cjs-8, don't waste your effort. Notice how this other poster here has apparently discovered the joy of copy and paste? Those who are able, do. Those who aren't able, teach. The rest practice their copy and paste skillz in mommy's basement.
by santuccie August 10, 2009 10:26 AM PDT
@cjs-8:

They're not about the same exploit. There are four different ones for the Mac, three years in a row. Secondly, the reason Microsoft patches the vulnerabilities is not necessarily because Vista is a sitting duck while they persist, but because you can't assume that Vista's mitigations will make it 100% impossible to exploit them. Even when Windows 7 hits the market with its new "Safe Unlinking" technology, rest assured that MS will continue to patch vulnerabilities. This is a proactive measure, filling in the holes before criminals even get the chance to try and exploit them. You're a little too quick with your assumptions there.

@Dalkorian:

Cheap shot from a Mac fundamentalist. This is old news as far as you are concerned, yet you continue to pretend it's not really happening. That is called denial, and denotes a serious case of insecure desperation. The reason I copy-pasted was because that should have been all that was needed to respond to the question, "Anyone heard of a user space app exploiting Linux or Mac, without elevated permissions?" Unfortunately, the OP read too quickly, under half-steam.
by EvanSei August 9, 2009 7:10 PM PDT
ah now all they need to do is fix the rest of vista!
the darn os has crashed on me at least 4 times in the last year, along with countless other problems it has caused, but hey the good in all that is that I am now self reliant when it comes to troubleshooting and fixing my computers :)
by Dalkorian August 10, 2009 9:45 AM PDT
But haven't you heard? UAC makes fista secure against these kinds of vulnerabilities.

Oh.