Comments on: Windows flaw spawns dozens of attacks

Attacks designed to exploit Windows Meta File flaw range from malicious spam to an MSN Messenger worm.
Sites harbor Windows Trojan

[Bill Dautrive]

Why is it?

That MS always waits for attacks before pluggin holes?

Why is it that people actually defend microsofts "security" practices?

MS security- the biggest oxymoron since military intelligence

[yrrahxob]

Microsoft is the main reason

why I use Linux....

[robertcampbell2]

Yeah right

And the Linux, OS crowd is most likely responsible for the majority of attacks on Windows. Obviously, since they don't seem able to beat MS by competing, they'll try beating them by attempting to trash thier systems.

In the long run that won't work either. As a matter of fact, this type of tactic is likely to make Microsoft appear as the underdog! Good work guys!

[Peter Bonte]

99 percent

"We estimate 99 percent of computers worldwide are vulnerable
to this attack."

Nope, 95 percent. The rest is Mac or linux ;)
Let those Windows users boil in there troubles, they know there
are better systems but refuse to use it.

Happy New Year

Great way to start the year.....

Also,

""According to PC World, users of the Windows OS should install
an unofficial security patch now, without waiting for an official
patch from Microsoft, security researchers at The SANS
Institute's Internet Storm Center (ISC) advised.

The flaw stems from a malicious email containing the file
?HappyNewYear.jpg?. Microsoft had advised last week that to
exploit a WMF vulnerability by e-mail, "customers would have to
be persuaded to click on a link within a malicious e-mail or open
an attachment that exploited the vulnerability."

Experts are now saying that users only need to view the folder
that contains the affected file, or allow the file to be indexed by
desktop search utilities such as the Google Desktop. To make
matters worse, the security advisors say source code for a new
exploit was widely available on the Internet by Saturday, allowing
the creation of new attacks with varied payloads."

copy and paste the entire url (not just the first line)
http://www.pcworld.com/resource/article/0,aid,124142,pg,
1,RSS,RSS,00.asp

oooooooooooh dozens!

I'm scared. I hope my computer is not one of the 12 affected.

[rcrusoe]

It's dozens of attacks

and thousands of victims. In other words, a normal day if you
run Windows.

We've locked IE's settings so neither it or Outlook can display
images. And if just one of our Windows boxes falls victim to this
latest example of MS security only our Macs and Linux machines
will be allow to access the internet or send/receive email
attachments.

Our management is fed up with Windows problems and asking
for alternatives.

[System Tyrant]

Faster Updates Please

I understand the reason Microsoft releases updates once a month instead of three or four times a week, but I'm not sure that's such a good idea.

This may help keep down on network traffic and may keep you from updating everyday, but it is giving Virus writers and hackers a good windows of opertunity to do their worst. Maybe Microsoft should consider having a set weekly or bi-weekly update instead of once a month. Helps close that gap a little bit more.

[Bill Dautrive]

That would be helpful

And they need a team that is dedicated solely to coming out with an emergency patch when exploits rear their ugly head. They are copying everything else that has to do with open source, they might as well set a precedent of getting patches out in days, when needed.

It is funny that MS has a few of the top security experts on the payroll, and have even published outstanding security books, yet can't apply that knowlege.

They are just too big, too slow, and have no forward thinkers. Which is why Vista will be far too little, years too late.

[Phillep]

Specializing

Programmers are starting to specialize on different fields withen programming, and a good deal of their ability to deal with any particular problem depends in good part on how they think.

The bugs crop up effectively at random, so there is no way to tell which programmers will be able to attack the new problem most effectively. Ilfak Guilfanov came out with an effective fix this time, he might have to use someone elses fix for the next.

That's why open source can react so much faster, no one is pigeon holed in some other part of the company.

[rcrusoe]

The problem:

MS says: "Upon learning of the attacks, Microsoft mobilized
under its Software Security Incident Response Process (SSIRP) to
analyze the attack, assess its scope, define an engineering plan,
and determine the appropriate guidance for customers..." . But
days later they don't have a solution.

In the meantime, "Ilfak Guilfanov, a Russian security engineer,
has released an unofficial fix that has been found to work." Way
to go IIfak!

While MS is searching for a clue perhaps it would be best if they
push Ilfak's program out through Windows Update. At least HE
appears to have a clue to what's going on.

[Philips]

You got wrong.

M$ new about the problem for ages. I have heard about this vuln
month or so ago when security people complained that the hole
was found many months ago, M$ was orderly notified and did
nothing.

For *MONTHS*. Yeah, they take security [CENSORED] seriously.

Thou people always complain about Apple's closed mouth
policies or Linux distro's waterfall of updates - it's only M$
which displays such ignorance toward its customers.

[Dachi]

People always say that.

It isn't as simple as you make it out to be. MS is no doubt aware of the method Guilfanov used to blockthe attack and I am sure they could easilly block it using the same method.

Id be willing to bet they determined the threat is not serious enough to hack in a countermeasure and push it to a couple billion windows machines just to break working systems and have to push another update later on.

They likely decided to wait and fix it right rather than half assing it.

[technewsjunkie]

"Secure Computing" initiative

Nada.

[CA1900]

Ready for a Mac yet?

Yet another reason to use a Mac. Still, after all these years, 100%
free of viruses and spyware. Software *cannot* install on a Mac
without a user's explicit permission.

I pity Windows folk these days. I laugh, but I pity. :-)

[Old babe]

Love my Mac but...

I love my Mac but I'll never laugh at Windows users' difficulties
because many of my friends and relatives are PC users and all
those infected machines keep filling up my mailbox with junk.
Even with junk filters and no infections, it's a huge pain in the tush.
Besides, my friends are neat people who are often stuck with
Windows because of work, and I hate to see them having so much
difficulty.

[platform-independent]

Some balance please...

I am a long-time Mac user (since the 512ke), and prefer it for my own use. But in a large corporate environment, I am a Windows XP (Pro only!) user because of the greater flexibility and features it offers, though at the cost of very high administration overhead. Also, XP Pro has proved to be robust, well-integrated and much closer to true plug-and-play than any Windows OS to date.

That said, it is a no-brainer that if Mac OS X (or Linux, or other UNIX variant) was the dominant OS, it would be the one being attacked by swarms of hackers, and the Windows users would be smugly laughing.

So I do not wish for much more market share for the Mac (well, maybe a couple more percent), because I like the lack of attention we get from the bad guys...

[kingofgods]

Sure.....

When Apple lets me buy the components and build it myself for half the price sure why not.

How is it that the price for computer parts are dropping but the macs continue to stay at such a high price?

I hear these stories of people who drop $3000 on a new mac and when a new high end game comes out (that's if it comes out for mac) they couldn't run it....How about the people who bought the emac and can't upgrade to USB 2.0 and are forced to use 1.1 or the dying firewire.

My point is this, if I drop $2000-$3000 for a new pc I better not be locked in to something I can't uprade. The shelf life of a Windows PC is 5-7 years...I shouldnt have to upgrade to a new $2000-$3000 PC every other year just to run a new OS.

Apple is a cult that requires you to buy new expensive equipment every year to be "cool".....Apple users stay away from the Kool-aid :0)

Go ahead apple fanboys start your flaming

[larryennis18466]

Windows Flaws

It is time for Window Users to make the switch to the
Mac and buy a $499 Mac Mini. Or take their Intel box
and put Linux on it. Forget about Windows! It is like
having a "High Maintenance" girl or boy friend!

[I Miss DOS]

I would LOVE to dump Windows, believe me!

But my employer uses it, and all of our customers use it, so if I want to exchange files and work from home, I'm stuck with the damned mess of a thing.

I'll never forget when the first version was released. It just seemed like a big, clunky box that you had to unwrap any time you wanted to do your WORK. We installed it just to check it out, then immediately uninstalled it -- it slowed our computers down to a crawl, and the general consensus was, "What is this crap?"

But oh dear, then came the big Windows 95 rollout, and the general public was seduced by all the dancing trashcans and talking paperclips and other goofball, resource-wasting cartoons, and all of a sudden we were all but forced to upgrade to mini-mainframes in order to run all that junk. And lo and behold, suddenly it was damn near impossible to repair your own OS, because (are you kidding me?) some idiot had decided to make the code inaccessible.

To protect its "intellectual property value," or simply to hide the fact that the product SUCKS? Microsoft throws a zillion programmers onto every "new release," and none of the left hands knows what any of the right hands are doing, but they slap the whole bloated mess together and shove it out the door, and oh to hell with security, we'll just fix all the problems some time later...yeah, sure they will. If I bought an automobile that I had to drive in for a recall repair every two days, and then every third repair caused the thing to stall on the highway, I'd junk that lemon and drive something else, but nooooo, can't just junk Windows, because if you're dealing with the public at large, it's very sadly the only ride in town.

We can all be thankful Bill Gates made his fortune by duping computer users, instead of setting his sights on conquering the automobile market (although at least in that case, he'd have been in jail a long time ago).

[Mendz]

Personally...

I like Unix/Linux because... I don't know... I just feel like it... Though it's too "techie"... That's OK for the "techie" guy in me...

I like Mac more because of the eye candies... Though it's too expensive... That's OK for the consumer guy in me (unless my wife checks the tag price and objects)...

I like Windows most because it works just right for me as a consumer, professional and as a "techie" guy -- all-in-one!

I look forward to Windows Vista which promises better security (ala Unix/Linux) and better eye candies (ala Mac)...

Well, OK... so Microsoft is copying... err... stealing ideas? Whatever... Who ever said OpenOffice's GUI is original? :D

What's the point? If Unix/Linux fans can choose to be blind about what's wrong with Unix/Linux; and if Mac fans can choose to be blind about what's wrong with Mac; I can too...

Quits. ;)

[Bill Dautrive]

Windows is broken

You are not much of a "techie guy" if you think windows "just works".

[Zoolooau]

hehe

Hehe I like the way you think. I mean everything has its faults and if its the faults u look at when choosing anything then GL to ya ^.^;

;-)

Not everyone is how you think they are.

There are some serious issues with Macs. Price isn't one of them. The average PC user compared to the average Mac user will spend more on tech support and virus updates then the Mac user on their whole experience.

OS X server is a pain in the ass. And royally so. However, OS X client version is nearly unbeatable from any other standpoint. Games? Who cares, go by an Xbox, which is built to do nothing but run games at an HD resolution, comfortably in your living room.

There are soem things I don't like, want changed or added to OS X. But all it takes is time. Windows has had what? 6 years since XP was released, and all they can come up with is a couple of service packs? The Mac OS in that time made vast improvements from OS 9 to 9.2.2, and then a HUGE jump to OS X. There's been three versions of SO X that have been outstanding.

So, I think all of your arguements are pretty, well, lame.

[SmartITGUY]

Microsoft SHOULD NOT be allowed to profit from this

You KNOW, Microsoft will use this flaw to leverage users into buying new software. They will ONLY patch Windows XP, and anyone using Windows 2000 or older, who wants their systems fixed or made more secure will be FORCED to buy WIndows XP.
In alot of cases this will force people to have to buy new hardware.

So far Microsoft has seen surges in sales of Windows XP for every flaw and exploit that has come out. THIS IS VERY WRONG! Microsoft should not be rewarded for poor programming. What's to stop them from deliberately creating flaws and vulnerabilities to increase sales.

The LAW needs to step in and FORCE Microsoft to patch "EVERY" version of Windows that is affected by this flaw... AT NO COST TO THE USER.

[Charleston Charge]

Surges in sales???

MS still provides patches for 2000 and I believe still for 98. Many people still have not upgraded to XP because 2000 still works and is supported by MS.

[kingofgods]

SmartITGuy.....Riiight

Get your facts straight....MS supports 98 through 2003 and there are always patches available for all OSs that are affected.

[CoachWT]

Linux/MAC/Unix Vulnerabilities Outnumber Windows' 3 To 1

To Linux/MAC fans ignorance is bliss...

Linux/MAC/Unix Vulnerabilities Outnumber Windows' 3 To 1


By Gregg Keizer, TechWeb News - 01/04/2006

Tallies kept by the U.S. government's computer security group show that Linux and Unix operating systems faced nearly three times the number of vulnerabilities in 2005 than did Microsoft's often-maligned Windows.
In the US-CERT (United Stated Computer Emergency Readiness Team) year-end vulnerability summary, Linux/Unix accounted for a whopping 2,328 vulnerabilities, about 45 percent of the 5,198 total.

Wow. You are so morbidly wrong.

3 to 1? How do you figure that? You do know that Linux is, quite practically, a rip off of Unix, right?

And you do know that there are various versions, right?

SO, when you compare OS X (a unix/bsd based OS) to Windows XP, how many are there?

But you don't do that! You are grouping every version of unix and linux, which all are different no matter how similar, into one category. So tell me that ONE, one SINGLE version of any of those has more flaws than any version of windows.

They don't. Learn how to fairly compare things and don't post such nonsense you fanboy.

[ssutherland]

Re: Linux/MAC/Unix Vulnerabilities Outnumber Windows' 3 To 1

> To Linux/MAC fans ignorance is bliss...
> Linux/MAC/Unix Vulnerabilities Outnumber Windows'
> 3 To 1

Get real. Number of vulnerabilities means very little. Here are some REAL numbers:

Last virus infection:
My Windows PC: 6 months ago
My Mac: 1993

Last time I had to completely reinstall the OS because of Spyware or infection:
My Windows PC: 6 months ago
My Mac: never

You can't even reinstall the Windows OS, unless the machine is off the network or behind a firewall. Last time we tried that, it was infected before we could even go on-line and apply all the patches.

[Earl Benser]

Too bad you didn;t read the list......

Once you remove the attempts to hack and ODS Unix server
systems, Windows and IE are by far the clear majority. Mac OS had
a count of 41, compared to the WIndows count of 812. and almost
all of the Mac vulnerabilities were never exploited by any hacker
before they were fixed. (In fact, Apple found most of them).

So as they say, figures don't lie, but...
........ well, you know the rest

[Zoolooau]

Macs

Macs cant fix there own mistakes. I was in a mac lab for 6 months, those 6 months were hell.

>.< Ya thay may be good at what they do when they worked. Our "power macs" or whatever they were G5, *shrugs*.

Number 1: They had this 2 hour shut down bug, or 2 hour stuff up bug, either way they would go to check the temp and the fan would just start full ball and basicly crash the computer, ya s they "fixed that" after like 4-5 months and still they died a lot.

Number 2: The usb ports on them wouldent work they "fixed that" round the same time, they stil dident work.

Number 3: The DVD burners in the g4's i think they were would just sit there "buring" for hours so we had to put the files on the other computers so we could burn it, they never fixed that.

Number 4: Just general loss of data on random occations. Probly just a computer thing but who knows.

Anyway I guess u gotta bace your love or hate of something by your experiances, though I saw we were using macs and I almost died even before I started using them. Also my Windows PC's have never needed a reinstall of windows.

I dont know what that mac v's pc guy was doing having to re install windows cause of a virus, I have had the net of this computer for years (around 4) and it hasn't had any problems (also young and old people using it, you know how they were with opening things) Maybe just luck? *shrugs* I dunno maybe one day il try linix or something but till then windows powers on ^.^;

;-)

[Earl Benser]

I'd guess that...

.... your mac 'experts' were certified idiots, retreaded PC IT people
who weren't any good on the PC either. And you should have found
a better company to work for .

[seashellz]

Were you fired...?

for incompetence-as well as third-grade language skills?

>>Macs cant fix there own...etc etc.


I seriously doubt you even know what a Mac is,
let alone WORKED *their*.(tee-hee)


Hint: its not something you eat.

[uwiger]

re the CERT database

So, I checked out the CERT vulnerability database search facility:

- "SunOS or Solaris": 64 total, since 95
(ca 10/year)
- "FreeBSD": 21 total, since 2000
- "Linux kernel": 16 total, since 2001
- "Red Hat": 23 total, since 1997
- "Debian": 39 total, since 1999
- "Apple": 49 total, since 2001
- "Windows NT": 80 total, since 1998
- "Windows XP": 76 total, since 2001
- "Windows 98": 26 total, since 1999
- "Explorer": 147 total, since 1999
- "Firefox": 19 total, since 2004
- "Outlook": 73 total, since 1998

The numbers are rough - for example, two hits on "Apple" were actually Windows vulnerabilities that seemed to have nothing to do with the company Apple.

Difficult to draw any conclusions - especially
that Linux/Unix would fare worse than the
Microsoft products.

[sathish297]

not really... win vs lin

unices / linux are better than windows because of the very nature of their systems
* though they are also prone to virus attacks, files cannot be tampered with due to very strict adherence to permissions.. hence ur data is really "safe"...
* there are only very few cases of root privileges attack.. it happens mostly in softwares that we never use at our homes..
* the response time to write a fix for an attack is great because for the simple reason that there are many number of developers who know linux /unix and come up with a solution

there are many more, more, more reasons why u should not compare linux with windows... windows is a garbage that grows with age... he he :))

[sathish297]

not really... win vs lin

unices / linux are better than windows because of the very nature of their systems
* though they are also prone to virus attacks, files cannot be tampered with due to very strict adherence to permissions.. hence ur data is really "safe"...
* there are only very few cases of root privileges attack.. it happens mostly in softwares that we never use at our homes..
* the response time to write a fix for an attack is great because for the simple reason that there are many number of developers who know linux /unix and come up with a solution

there are many more, more, more reasons why u should not compare linux with windows... windows is a garbage that grows with age... he he :))

[sathish297]

dont ever try to compare linux and windows

unices / linux are better than windows because of the very nature of their systems
* though they are also prone to virus attacks, files cannot be tampered with due to very strict adherence to permissions.. hence ur data is really "safe"...
* there are only very few cases of root privileges attack.. it happens mostly in softwares that we never use at our homes..
* the response time to write a fix for an attack is great because for the simple reason that there are many number of developers who know linux /unix and come up with a solution

there are many more, more, more reasons why u should not compare linux with windows... windows is a garbage that grows with age... he he :))

[clsgis]

You can pass. It's not even that hard.

"But my employer uses it, and all of our customers use it, so if I want to exchange files and work from home, I'm stuck with the damned mess of a thing."

I had a job at a small appliance company in '99. Management, manufacturing, sales, and IT all used Windoze 98 or NT. The programmers mostly used FreeBSD. I had to exchange files with all of them. Much of the job for a while was editing the CEO's powerpoint slides. Lots of Excel and Word files. Lots of purty HTML email.

As far as I know, I was the only Linux user (SuSE, pre-Novell) in the place. I picked a window manager theme that looked like Windoz 98 and visitors to my office seldom noticed.

I was outed when the Melissa worm came through. All the Windoze boxes were ruined and had to be reinstalled. The FreeBSD users hadn't bothered to set up their own MTA and kept mailboxes on the NT server, so they were fairly dead too. I had the only working computer in the place.

If you work at a good sized place, I'll bet you've got stealth Linux users, too.

[clsgis]

I saw a mac worm this fall

There's at least one MacOS-X worm in the wild.

I got a spam from a server at a magazine publisher in Florida last fall. It was an unusual source (most spam comes from Windoze bot-nets on residential broadband) so I called them. Got through to the IT guy right away and he got on his Xserve box that second and confirmed he was compromised and sending. Called me back an hour later to tell me Apple's OS security folks had found the thing, and it was really small, and they were all astonished, and they wouldn't have known if I hadn't called.

So report your spam. Pick the weirdest one each week if that's all you have time for. And give CNet a hard time for not informing the world about which corporations are responsible.

[clsgis]

who needs it

I'd been using unix for a few years when Windoze was announced. Didn't see any need for it then, still don't. When the set user-ID patent expired in '89, unix became free, and Linux was usable for real work by mid-92. BSD took a little longer because of that idiotic litigation. All the while, the MS-DOS lemmings were predicting imminent death of unix, and I'd better conform or die, blah blah blah.

These days you don't even have to install it to use it. Today's "live" CDs are so good the Windoze users don't believe it when you tell them. If you haven't tried Knoppix or Ubuntu yet, run do not walk to Knoppix.net or Ubuntulinux.org and be amazed.

[clsgis]

We don't know that

"Why is it that MS always waits for attacks before pluggin holes?"

We don't know that. Hundreds of organizations have licensed Windoze source code. They're under strict nondisclosure agreements. It's *possible* the NSA or McAfee is poring over the Windoze kernel the way the public goes over Linux-2.6 and Apache-2.3, quietly reporting bugs before any exploit appears, and MSFT is quietly fixing them. I doubt it, but there's no way to know either way.