
January 24, 2005 4:00 PM PST

Expert: Flaw still dogs Windows patch

Antivirus specialist GeCad Net is warning that it has found a problem with Microsoft's most recent software patch for Windows.

The Bucharest, Romania-based security service provider said that a critical patch issued by Microsoft in its MS05-001 bulletin earlier this month fails to resolve all of the security issues surrounding the HTML Help ActiveX control in Windows. Microsoft distributed the fix, along with additional security updates, to address the threat of attackers placing and executing malicious programs such as spyware on affected computers.

GeCad, which sold its antivirus software business to Microsoft in 2003, said that the patch has not addressed at least one so-called attack vector, or weakness, that could allow an exploit of the HTML Help ActiveX control vulnerability.

A Microsoft representative said Monday that the Redmond, Wash.-based company is already working to close the loophole reported by GeCad, and emphasized that the January patch had fixed the original reported problem.

"Microsoft issued an update to address a vulnerability in the HTML help control in Windows, and this update does protect against the publicly reported vulnerability," the representative said.

Moreover, the software maker disagreed that it overlooked a potential exploit with its patch. Instead, it said that the problem is a new flaw in the HTML Help control that was not tackled in the update.

"Microsoft has been made aware of a publicly reported exploit of a different vulnerability than the one addressed," the representative said. "This vulnerability could be exploited in such a way as to cause the HTML Help control to execute code on a user's computer."

Microsoft did not say whether the fix would be released before its February patch bulletin.

GeCad said it is not disclosing technical details of the attack method right now for "security reasons." Microsoft has butted heads with security researchers in the past when they have disclosed information about flaws before the company has been able to patch them.

The antivirus company said the potential for attack is opened up if a computer is updated with Microsoft's Windows XP Service Pack 1 or Windows 2000 Service Pack 4, along with the most recent security patches. It also noted that updating with Microsoft's Windows XP Service Pack 2 seems to prevent the problem.

In 2003, Microsoft purchased GeCad Software, GeCad's antivirus software development business, but the remaining company continues to operate as a security researcher and consultancy. Microsoft is expected to release its own antivirus software sometime later this year.


Ho hum; meanwhile Mac OS X keeps moving ahead
by Dr Dude January 24, 2005 9:03 PM PST
Another week, another Microsoft virus/security warning. With
all the effort expended on this stuff, why can't they fix it? This is
a truly innocent question from a non-programmer.

Seems as if Mac OS X can stop most of these threats by the very
nature of its BSD underpinnings (needing permissions to do stuff,
etc.), why can't Windows require such permission before some
malicious code executes?

And don't give me the whole, "Macs only represent 2%...." stuff.
If a cracker wanted fame for his work, he would crack Mac OS X
and not be one of 70,000 plus getting into Windows. Anyway,
millions of Macs are sold every quarter and so there are tens of
millions of them out there to target.

Can anyone tell me why a company that has more money than
God cannot patch the holes in the sieve it calls an OS? Anyone?
Anyone is here
by Andrew J Glina January 24, 2005 11:50 PM PST
Easy. The "flaws" in Windows largely only bother those who press the wrong button. Windows has had read/write permissions since 1993, and it didn't need to borrow code like Mac OS X did. But people don't use low-privilege accounts because they are annoying. (I don't but I have never had a problem with viruses, even though I have been using broadband since 2000, which is rare for us poor Australians.)

Even so, you discount the whole market share too easily. Viruses and Trojans work well for one reason. If they find a host that they can send from then there is a 90%+ chance that the receiver will be a Windows OS, and thus for a virus to work well it has to rely on that. I can see a virus/trojan working if it supported Windows plus Linux/MacOS, but not if it relies on MacOS. There just aren't enough compatible hosts out there.

Incidentally, this story was not about Macs. Can't you keep these comments to one of the many Mac stories? Furthermore, as the story says, Microsoft has fixed the problem. I find it funny how Mac only just got a decent OS (Cooperative multi-tasking is garbage) but that doesn't stop the zealots coming out with the same "Windows Sux" comment every day. MacOS X looks great to me (I haven't used it much unfortunately, but I did use System 7 a lot and I did not like it) but I have not heard of one original feature in it. Anyone?
The flaw still exists
by loose_screw January 25, 2005 1:25 AM PST
I have XP SP2 with the latest patches, and my browser still fails this test:

http://secunia.com/internet_explorer_cross-site_scripting_vulnerability_test/
yup
by January 25, 2005 8:29 AM PST
IE fails and firefox doesn't. Gee what a surprise.
Firefox/IE
by Sboston January 25, 2005 8:32 AM PST
Ok, Firefox didn't even show a window, IE (XP SP1) did show the window and the address of the paypal location. Yep, they still need to fix that puppy.
Sour Grapes and Holy Wars
by Tex Murphy PI January 25, 2005 8:36 AM PST
Why is it that every time some security flaw comes out (regardless of the platform) another Holy War starts?

My Mac is better.
My Windows is better.

Okay, let's get the facts straight here:
1) Worms and Viruses are written to wreak MAXIMUM HAVOC. You can't do that by taking down 2% of the internet's computers - that won't earn these people their bragging rights.
2) User Education is a fallacy. There is only so much you can do to train people - assuming they want to change their ways. Stupid users will always outnumber the smarter ones - Mac or PC.
3) A tool is only as good as the person who uses it. This means that a Windows Box in the hands of an expert will always be more secure than Mac OSX in the hands of a novice.
4) Microsoft has to WORK HARDER AND SMARTER to address these security issues. Several security alerts a month is inexcusable, and the time it takes them to issue a code fix is even more unacceptable.
5) Despite the fallacy of innovation, Apple really didn't innovate as much as people think they did. The GUI and mouse were stolen from PARC Xerox. Multi-threading and Protected Memory showed up in Windows NT 3.5 before it ever did on the Mac. In fact, it wasn't until OSX did Apple have a true multi-tasking, multi-threading, protected.
6) Microsoft is like Apple. They take others' ideas and improve them. The difference is that Apple has the magic touch to make them look cool!
7) Application availability on the PC is at least a hundred times greater than that on the Mac. People do not buy computers for the OS, they buy it to perform tasks. Until Apple can get more "killer apps" it will remain at 2% of the market share.
7a) Linux is an exception. It is growing because many companies are porting their software over to Linux as well. But why not to OSX? Simple. Linux is "free". OSX costs $$, and has to run on a more expensive and proprietary hardware.

This isn't supposed to be a "My OS is better than yours" forum - it should be a FIND THE SOLUTION forum.

Here's one for the Windows Users. Set IE's security to HIGH, install Firefox 1.0 and do most of your browsing with it instead.
Here's a history link
by System Tyrant January 25, 2005 9:41 AM PST
I don't know how accurate this history is but here you go.

http://members.fortunecity.com/pcmuseum/windows.htm

Apple didn't steal anything other than the concept of a gui from xerox. If you are going to argue that apple stole the gui from xerox then you have to argue that they all did including microsoft.

In my opinion it doesn't really matter because the end result is os options. I suppose that if xerox owned the patent to gui interface and had sued for licence fees and royalties the os would probably not be where it is today. However, for whatever reason they didn't so you have the os of today.

The only way they are ever going to better secure software is to first have a language that does its best to stop holes to begin with. Programmers are going to have to be more careful (like this will ever happen). Third, build tools that can analyze code better for holes or possible security problems.
You are missing something
by January 25, 2005 10:15 PM PST
If 'Worms and Viruses are written to wreak MAXIMUM HAVOC', then where are all the viri for linux/apache/mysql or the ones for all the mission critical unix machines?

That would cause some serious, real havoc. Not writing a virus that affects a million idiot AOL users that have nothing important on their machines anyway.
Problem was addressed a year ago
by jv January 26, 2005 9:35 AM PST
Proper security for IE when set to "high" has always been able to block this kind of attack. SP2 goes further to protect against this and works even with the Internet Zone set to "medium". Other browsers may be unaffected because they do not support ActiveX. This is fine except in a corporate environment where ActiveX is still the most used method for customizing Intranet web content.

You should NEVER download a control or allow a java applet to run from any site that you are not COMPLETELY familiar with. Browser hijacking and rogue code downloads can affect all modern browsers. Unfortunately the hackers pick on the most used browser because they get the most bang for their buck. FireFox has already posted numerous holes and fixes and continues to become a new favorite of hackers.

Users need to take on more of the responsibility for secure web surfing.
Gimme a break...
by loose_screw January 26, 2005 11:24 AM PST
On the same token, I could argue that all computer viruses were fixed 20 years ago: simply don't use one!

C'mon, yes--users *should* take some accountability for responsible usage of their machines, but what happened to making software user friendly and easy to use?

The fact is, most non-IT end users have no clue what javascript and ActiveX are. They turn on their store purchased PC, and expect things to work. And frankly, it shouldn't be their job to research what obscure vulnerabilities exist, and the needed hidden configuration changes to prevent exploitation.

If the fix for IE is to disable ActiveX, then Microsoft should include that in a security update IMO. Don't just create a security bulletin and say it's now the user's responsibility. That's just BS.