December 23, 2004 3:31 PM PST

Exploits released for new Windows flaws

A Chinese security group has released sample code to exploit two new unpatched flaws in Microsoft Windows.

The advisory comes in the week before Christmas, a time when many companies and home users are least prepared to deal with the problems. Security firm Symantec warned its clients of the vulnerabilities on Thursday, after the Chinese company that found the flaws published them to the Internet.

One vulnerability, in the operating system's LoadImage function, could enable an attacker to compromise a victim's PC when the computer displays a specially crafted image placed on a Web site or in an e-mail. The other vulnerability, in the Windows Help program, likewise could affect any program that opens a Help file.

Because the flaws are in a library used by Windows programs, almost all browsers and e-mail clients are likely affected by the flaws, said Alfred Huger, senior director of engineering at Symantec.

"They are rather serious," Huger said. "Both can be exploited by anything that processes images or reads help files."

Because the flaws were accompanied by sample code--known as exploit code--that shows how to take advantage of the security holes, Huger expected the exploits to be quickly incorporated into the tools of malicious Internet users.

"The fact that there is an exploit out there is very concerning," he said. "I think you will see it in phishing scams and spyware in very short order."

A mass-mailing computer virus could also quickly begin using the vulnerabilities to spread.

Microsoft could not immediately be reached for comment on the issues.

The flaws came to light on Thursday, when a Chinese security forum, Xfocus Team, posted the issues to its Web site. The vulnerabilities were found by Chinese firm VenusTech and posted on Monday to the Internet, according to the Xfocus posts.

Software companies and corporate information technology departments are often short-staffed during the holiday season. That could mean that the response to this latest threat will be slow, Huger said.

"It is a bad time of year for this to come out," he said.

Note to Windows apologists - new Windows flaws
by December 23, 2004 7:40 PM PST
I know you think that it is only because windows is the dominant
operating system and Linux and Mac would have problems too,
but the fact remains - Windows is so full of holes that you are
paying constantly for the lack of security. The truth remains, I do
not use Microsoft products and do not worry about malware,
virus, adware, etc. I don't have antivirus software on my machine
and do not worry about it at all, never have. UNIX was built for
security and simply does not have the holes all over it the way
Windows does. Time to stop making excuses and get away from
Microsoft so you can get some work done.
I actually have "installed" LINUX!
by hadaso December 24, 2004 6:30 AM PST
I actually have LINUX "installed" on one of my computers. However, for some reason no graphic interface. The Debian installer had no problem displaying ads during the installation, but when it came to identify the graphics card it just couldn't identify my 6 years old ATI xpert 16MB (or whatever it was). I tried to do what the installer suggested, but my card was nowhere among the hundreds of cards listed, and eventually the installation was finished with only command line. WIN98 had no problem installing a generic VGA driver so I can start with a graphic interface. Now I am able to use command line to get help (by typing "man ExactlySpelledCrypticCommand" and getting a full description of any command I'd like to use, with ALL options listed with the perfect prioritization technique - alphabetically). I asked around and tried to follow people's advice. I gave up when some automatic "interviewer" asked me to look in my monitor's documentation and type in the refresh rate. I'd really like to learn to use LINUX, but I also need to work... :-(
What if your work is AutoCAD?
by December 24, 2004 7:54 AM PST
What OS would you use then?

I also do not worry about malware, viruses, adware, etc. I have antivirus installed (what difference does that make?) and I never worry about it, never have.

And Linux and Mac are not UNIX, by the way. Check your facts.
Note to antagonists
by Tex Murphy PI December 24, 2004 8:25 AM PST
Finger pointing doesn't FIX the problem.

It's people like "Tom Wooton" who make working in IT feel like a walk through Baghdad.

We need to find SOLUTIONS to problems here, folks - not "My OS is better than yours."
Here's the problem with that....
by cbiltcliffe December 24, 2004 10:34 AM PST
>>We need to find SOLUTIONS to problems here, folks - not "My OS is better than yours."

The *nix guys have been saying for years that Unix and unix-like OS's are more secure than Windows. Originally, it was said as a solution.

People chose to ignore it, and continued to use Windows, because people use Windows, so it must be good, because people use Windows, so it must be good, because.....

After years of people not following good advice given by experts in their field, the experts have taken to laughing at the self-imposed torture that computer users put themselves through. If you'd followed the advice in the first place, you'd have had a solution for years.
In order for you to have a solution, you have to accept it when it's given to you. If you don't, whose fault is it?
Just start executing the scums.
by December 24, 2004 9:04 AM PST
Give it a few years and you'd be amazed at how few "malicious" internet users remain to cause trouble.

And if the scums are overseas, just implement the Israeli model: government sponsored exterminations of vermin in vermin friendly countries.
XP SP2 is not affected!
by aabcdefghij987654321 December 24, 2004 1:22 PM PST
Windows XP with SP2 is not affected by these. As usual CNET news.com.com.com.com is doing irresponsible and shoddy reporting in not mentioning this important fact. Most sensible people who have upgraded to SP2 on XP will be fine. Of course it is still an issue for non SP2 folks, but it's not like the doomsday scenario CNET is painting it to be in that everyone is going to be affected. XP is used by more than half of all users and around 2/3rd of home users.
Mac OS 6 is not affected either
by December 24, 2004 7:32 PM PST
I guess since it only took Microsoft 15 years to come up with an
operating system that is not affected by this one you should lash
out at others for Microsoft's bad software. The next flaw they find
in a couple of days is sure to include the coveted XP Service Patch
that took two years to make. Face it, CNET is doing a shoddy job by
not pointing out that Microsoft is to blame and everyone should
wake up and switch to UNIX.
Right, to leave that out is irresponsible reporting
by Dachi December 25, 2004 10:10 AM PST
You would think if SP2 was affected or not is a critical point. Looks like Robert Lemos was just in an anti-Microsoft mood when he wrote it.
What's your source?
by dhk December 25, 2004 11:46 AM PST
Given the nature of the exploits, there is no reason to assume that XP is not affected especially in the light of the recent announcements about the three flaws that do affect XP with SP2. What's your source that XP is not affected by this exploit?
Heavens
by iKenny December 24, 2004 8:02 PM PST
"Goodness Robert, more Windows flaws discovered? Just what I
wanted for Christmas! Betty from across the street was telling
me that her family just purchased an iMac, and they don't have
to worry about these issues. Well, let's just turn our noses up at
them; they're obviously too good for us!"
Wow.
by elementskat3r December 25, 2004 8:00 AM PST
Man, I hate Microsoft.

Open source rules, screw 'em!
So, you agree with me, good.
by December 29, 2004 5:58 AM PST
(1) Apple has not been able to and as of this point in time, cannot call OS X UNIX. I am correct on this point.

(2) The reason I stated that OS X isn't UNIX, is because it isn't. See above point. It is UNIX-like, or UNIX-based if you prefer (seems Apple does.)

I have clearly made my point, and backed it up with evidence. You screaming "But it's UNIX!", does not make it so. If you can prove to me that Apple can call OS X 'UNIX', i.e. "Our OS is UNIX", I will concede.
You don't even agree with you: You keep contradicting yourself
by dhk December 29, 2004 1:32 PM PST
Read all your comments. A. You're the only one screaming. You need to get a grip on yourself.

B. You keep harping on one thing -- the word "Unix" -- you are trying to claim that a brand name actually has some physical meaning as to content. It does not.

You have been contradicting yourself about what you really mean, because your comment has no relevance to a discussion of security on Unix versus Windows operating systems.

Trademarks identify the legal origin of certain products -- in this case, the Open Group's Unix trademark identifies the product of "certification" for certain Unix products -- not all of them. It doesn't appear to be even most of them. In fact, the Open Group must list which ones, or else they could be sued for claiming to certify IT professionals and computer architectures as meeting standards for products they have no right to certify.

Certification can be a highly useful thing to have for folks selling certain services (e.g., IT professionals) and certain products (e.g., companies and professionals selling computer architectures).

However, not everyone needs certification to be in an excellent position to sell their services and products (e.g., IBM with AIX, another Unix OS not certified by the Open Group).

In addition, it's a brand name that now has been legally challenged and which Open Group stands an excellent chance of losing. Unwisely, they chose to trademark a word that's been too long in the marketplace as a generic term for a family of products.

Also, they didn't challenge SCO's very highly publicized use of the term as belonging to them in SCO's failed lawsuit against IBM regarding Linux. To keep a trademark, one cannot allow any instance of its usage to go unchallenged.

In fact, even a public discussion like this one puts their trademark in legal jeopardy.

The wisest thing for them would have been to only trademark words or phrases that distinguish competitors from each other. Choosing "Unix" to trademark broke the basic rule for successful trademarking and asked for trouble.

Finally, a brand name does not change what something is. To say something isn't Kleenex doesn't mean it's not facial tissue -- it only means that it's not facial tissue produced by the Kleenex corporation. I choose Kleenex as an example on purpose -- that word wasn't even in general usage when they trademarked it, and they still lost the right to challenge anyone saying they produced kleenex. They only have the right to challenge someone claiming to sell a product produced by them.

OS X is a Unix OS. It was developed from BSD, another Unix OS (one of the earliest Unix OSes and also not certified by the Open Group). Linux is another Unix OS -- none of them need branding as such to be what they are. No IT professional using them can claim to be certified to use them by the Open Group, but so what. They can get certification for those OSes elsewhere.

And, to the Open Group's undermining of their trademark, everyone knows that OS X, the hundreds of Linux distributions, Solaris, AIX, UnixWare, System V, BSD, and so on are all Unix OSes -- and there is nothing the Open Group (or you) can do about it.

Claiming that people agree with you in a subject heading and then in the text saying something irrelevant that also shows you contradicting yourself yet again does nothing but make you look silly. I hope you're not using your real name.
My last post on the subject ....
by December 30, 2004 7:43 AM PST
because I have already proved my claim, and it has not been refuted with any evidence.

http://www.unix.org/trademark.html

Another poster made the claim that OSX is UNIX(tm). I did not bring the subject up, I simply refuted their statement. You apparently took offense to that, and entered into a debate without doing any research, or backing up any of your statements with evidence. I asked that you provide evidence that Apple can call OSX UNIX(tm), which you have not provided. Thus my claim stands.

I never once disputed that OSX was based on UNIX(tm). In fact, I agree that OSX is UNIX-based, and Apple seems to agree with me (http://www.apple.com/macosx/features/unix/).

Now, some quotes from your last post:

-"However, not everyone needs certification to be in an excellent position to sell their services and products (e.g., IBM with AIX, another Unix OS not certified by the Open Group)." - maybe you should contact IBM for a job, seeing as you apparently know more than their lawyers. AIX is certified UNIX(tm) by the Open Group, and has been for awhile.
http://www.opengroup.org/press/10nov04.htm
So why would IBM have to certify? -
"This important certification provides real validation of IBM's commitment to open standards and underscores our strategic, long-term commitment to AIX as our platform for innovation," said Karl Freund, Vice President of pSeries Marketing, IBM. "IBM clients across the globe rely on AIX to run mission critical applications with outstanding performance, scalability and reliability. We believe industry standards can play a pivotal role in allowing clients to integrate data and business processes, helping them to become true on demand businesses."

-"Also, they didn't challenge SCO's very highly publicized use of the term as belonging to them in SCO's failed lawsuit against IBM regarding Linux." - why would they have to challenge it, as it is certified UNIX(tm) by the Open Group?
http://www.sco.com/products/unixware714/
http://www.opengroup.org/openbrand/register/brand2713.htm

-"And, to the Open Group's undermining of their trademark, everyone knows that OS X, the hundreds of Linux distributions, Solaris, AIX, UnixWare, System V, BSD, and so on are all Unix OSes -- and there is nothing the Open Group (or you) can do about it." - you are correct that all the above mentioned OS's are UNIX-based, and there is nothing I nor the Open Group can do about it. However, Solaris, AIX, Unixware, and System V can all be called UNIX(tm) as well. The rest cannot.
Here's a list for you, in case you are interested as to which OS's are in fact UNIX(tm).
http://www.opengroup.org/openbrand/register/

If Apple decided to apply for certification to the Open Group to have OSX certified UNIX(tm), I am sure it would pass certification. To this date, unless you can prove me wrong, they have not. As it stands right now, OSX is not UNIX(tm). It is UNIX-based.
You now admit you were wrong with your alleged "fact check"
by dhk December 31, 2004 10:38 AM PST
I see you now have discovered the inherent mistake you've been making all along, because you're only now qualifying your statement by claiming OS X is not "UNIX(tm)" -- something all the rest of us have been trying to get you to note.

No poster claimed that OS X was "UNIX(tm)." Not a one. The claim was that it was Unix. This is, I assume, as close as you will ever get to admitting your error (because you obviously have another even more severe problem also noted by others).

OS X is Unix, as everyone here knows. Anything derived from a Unix OS is going to be Unix just as a cloned sheep is a sheep.

Being "UNIX(tm)" does not in fact make anything at all Unix. It only means that the particular OS allows the Open Group to certify architectures and IT professionals for it. That's all it means -- it could be used to certify non-Unix-derived OSes as well. It's just a trademark indicating a brand name for a certification process.

As an aside, one hopes that the Open Group has a mandate that says it will use its "UNIX(tm)" trademark only for OSes in the Unix family, but there is nothing inherent in trademarking that forces that issue.

Unix, OTOH, is a family of OSes that share basic code that distinguishes a member of that family from other OSes like BeOS, DOS, CP/M, and so forth. The posters who gave OS X as an example of Unix were correct in doing so. You were incorrect in your attempts to challenge that.

As I said earlier, I hope you didn't use your real name for these posts.