
October 12, 2004 12:28 PM PDT

Microsoft warns of 22 new security flaws

Microsoft on Tuesday published 10 software security advisories, warning Windows users and corporate administrators of 22 new flaws that affect the company's products.

The advisories, and patches published with the bulletins, range from an "important" flaw affecting only Microsoft Windows NT Server to a collection of eight security holes, including three rated "critical," that leave Internet Explorer open to attack. Microsoft's highest severity rating for software flaws is its "critical" ranking, while "important" is considered slightly less severe.

One flaw, in Microsoft Excel, even affects Apple Computer's Mac OS X.

The abundance of flaws could leave corporate PCs vulnerable to attack if administrators are not able to patch quickly. A similar situation occurred in April, when Microsoft published seven advisories detailing 20 flaws. While one security hole stood out among those 20--and led to the widespread Sasser worm--there are no standouts in the current gaggle of goofs.

"Our challenge is trying to guess what the criminals are going to attack," said Stephen Toulouse, security program manager for Microsoft's security response team. "The guidance we are giving in general is to treat the critical ones first."

A single computer would not be vulnerable to all the flaws, Toulouse added.

Oliver Friedrichs, senior director of Symantec's security response center, said three vulnerabilities could lead to a Sasser-like worm, but the danger is lessened by the fact that the vulnerable services are not started by default on most versions of Windows. These flaws are related to three network protocols that are not generally activated on Windows computers: Simple Mail Transfer Protocol (SMTP), Network News Transfer Protocol (NNTP), and Network Dynamic Data Exchange (NetDDE).

"Blaster and Sasser targeted core system vulnerabilities, where if you didn't have the patch you were vulnerable," Friedrichs said. "The key thing here is that these are not (generally) enabled by default. The question is how large is the deployment of vulnerable systems."

Microsoft rates the SMTP flaw critical only for Microsoft Exchange Server 2003. The NNTP flaw is rated critical for Microsoft Exchange 2000.
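Because the worm risk for these three flaws hinges on whether the services are actually enabled, an administrator's first step is an inventory. The following PowerShell check is an added example, not code from the article, Microsoft or Symantec: it reports whether the SMTP, NNTP and NetDDE services are installed, running, or set to start at boot on the host it runs on. The service short names (SMTPSVC, NNTPSVC, NetDDE, NetDDEdsdm) are assumed from the Windows 2000/XP/2003 service catalogue and should be verified against your own builds.

```powershell
# Added example (not from the article): report whether the three network services named
# in the article (SMTP, NNTP, NetDDE) are installed, running, or set to start on this host.
# Service short names are ASSUMED from the Windows 2000/XP/2003 service catalogue; verify
# them against your own builds before relying on the output.
function Get-LegacyServiceExposure {
    $watch = [ordered]@{
        'SMTPSVC'    = 'Simple Mail Transfer Protocol (SMTP)'
        'NNTPSVC'    = 'Network News Transfer Protocol (NNTP)'
        'NetDDE'     = 'Network DDE'
        'NetDDEdsdm' = 'Network DDE DSDM'
    }
    foreach ($name in $watch.Keys) {
        # Win32_Service carries both the current state and the start mode (Auto/Manual/Disabled);
        # a missing service simply yields no object, which we report as "not installed".
        $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$name'" -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Service     = $name
            Description = $watch[$name]
            Installed   = [bool]$svc
            State       = if ($svc) { $svc.State } else { 'n/a' }
            StartMode   = if ($svc) { $svc.StartMode } else { 'n/a' }
            # Exposed: the service is present and is either running now or will come up at boot
            Exposed     = [bool]$svc -and ($svc.State -eq 'Running' -or $svc.StartMode -eq 'Auto')
        }
    }
}

Get-LegacyServiceExposure | Format-Table -AutoSize
```

Run it on each Windows host (or through whatever remote-execution mechanism you already use) and treat any row with `Exposed` set to True as a host where the SMTP or NNTP patch should move to the front of the queue; hosts where the services are absent or disabled can follow the normal "critical first" ordering the article describes.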

The other major class of flaws is those that affect applications on desktop computers, such as Internet Explorer and Excel. Threats to so-called client-side applications have been growing, Friedrichs said.

Of the current crop of vulnerabilities, 12 fall into that category. Of these, Microsoft rated five critical: three of the eight vulnerabilities in Internet Explorer, as well as two flaws in Excel.

Several of the flaws could be used to create Web content that would run a program from the Internet, if a victim could be lured to the malicious Web site.

Symantec raised its overall Internet Threat Condition to 2 from 1, on account of the newly released vulnerabilities.

Microsoft has also re-released a patch for last month's graphics vulnerability, fixing a conflict with Windows XP Service Pack 2.

Well I guess I know what I'm doing the rest of this weekend
by Jonathan October 12, 2004 1:40 PM PDT
Thanks MS you brainless, incompetent idiots.

Will MS pay for the overtime I'm going to be working to scramble to patch these systems? ***holes.
You must be slow
by itsnotyourbaby October 12, 2004 5:35 PM PDT
After I read this article, I did the Windows Update... a few minutes later it was done. EASY!
Are you really that bored that when you do a Windows Update you watch the bytes download?
Stop complaining.
You have got to be kidding
by catchall October 12, 2004 7:34 PM PDT
As an administrator for a small company (about 80 PC's, 10 Macs, mostly boxed software but a few in-house apps/modifications), I think I'm about done already, and I just read the article at 10:00PM Oct 12 (it's now 10:30PM). Auto-update on the PC's means I just need to go around tomorrow and make sure all the patches were applied successfully. While there are ways I could find this out from my desktop, I find it a good idea to meet with and talk to the users, answer any questions, and see if anything else needs to be done. There are only a few exceptions, most notably the aging Siebel Server that requires NT4 server. So I will need to get in at 8:30AM, download anything manually, and reboot before folks show up. Oh, the horrors!
Think Different
by itsnotyourbaby October 13, 2004 9:16 AM PDT
If you were efficient administrators, you would have used tools such as GFI LANguard or Microsoft SUS to push out the patches to all the systems at once! Patching one PC at a time is soooo 1999.

Also, if you got paid to install patches, why would you complain? Isn't it easy work, or would you rather try to recover from a physical hard drive failure instead?
I used the 'patch' and my PayPal NOW WORKS !!!
by October 13, 2004 2:21 PM PDT
I used the 'patch' and my PayPal NOW WORKS !!!

HMMMMM...
PayPal outage ? or security flaws ?
Cheer and joy
by Steven N October 13, 2004 2:05 AM PDT
We'll start seeing comments here from people who will tell us that we are all crybabies. And they will try to make us believe that M$ is doing such a good job of protecting our systems.

<rant>
Just as a notice to those people: NO M$ IS NOT DOING A GOOD JOB! NEVER DID, NEVER WILL. If they were doing a good job, then there wouldn't have to be any patches at all!
Don't complain that the biggest player always gets most of the wind. M$ wanted to be the biggest player. They broke the law to become the biggest player. If they didn't want the wind, then they should have known better than to release bug-ridden software. Or stayed low profile.
The only thing M$ is good at is to destroy competition by illegal means, and throw junk at their customers.
However, what we are seeing as a result of their rubbish is that other companies can make a living by working on M$ incompetence. This can be good for economics, but it is such a waste of energy. If all those programmers that are wasting their time on fixing M$ junk would be doing something really useful, then we would see some real innovation going on.
</rant>
Give M$ a Break....
by Earl Benser October 13, 2004 5:56 AM PDT
Innovation is a concept M$ doesn't really understand. When they realize that the market is beginning to leave them behind, they buy (or whatever) any product that can be quickly fixed to carry the M$ label and fill the gap. That approach is guaranteed to leave all sorts of problems, but it pumps the M$ bottom line with the least amount of time and investment.

If you do business with M$, you have to recognize how M$ works. And you have to quit complaining. M$ isn't going to get any better. As long as large numbers of computer users continue to think that the M$ approach to software design is good, there is no reason for M$ to change.
Wouldn't you know.....
by Earl Benser October 13, 2004 5:48 AM PDT
... To get the relevant updates, you have to use IE. I have trashed IE (plus OE and ActiveX) to eliminate their security risks and substandard performance. But M$ says that FireFox and Opera just won't work. It has to be IE!

That's a bummer. I'm not activating IE for ANY reason, so M$'s updates are a gross waste of time.
Translation
by David Arbogast October 13, 2004 10:21 AM PDT
Translation: I bought (or stole) a product that I use every day along with 80% of the world's computer users. But since there is a crowd of almost 7% of the operators who hate IE, I have jumped on that bandwagon and refuse to use IE under any circumstances. Since IE is part of the product I bought, eliminating it also eliminates my access to product improvements. I have found my utopia... a system with known flaws, and an attitude that keeps me from getting them fixed. I'll be able to complain until the day I die...
Windows Media Player...
by lewissalem October 13, 2004 7:34 AM PDT
..used to be good and stable. Now it's a hunk of junk! Ahhh! Why can't you download codecs and install them properly! And you can't remove the damn application, you can only "roll back" to an old version.
MediaPlayer
by David Arbogast October 13, 2004 10:22 AM PDT
Where did that come from?

Oh well... MediaPlayer has always worked fine for me. I prefer WinDVD for DVD playback, and an old version of WinAmp for MP3s, but MediaPlayer has never given me problems... Sure beats the heck out of RealPlayer and QuickTime.
Microsoft warns of Critical system flaws
by pjonesCET October 13, 2004 7:35 AM PDT
It's noted in the article that all the flaws were described except the Excel Mac flaw. While we Mac users are a small part of the computing world, we are not chopped liver. You could have at least described that flaw as well. Now I have to find out whether I need to update my "Office 2004" or even if an update is coming.
What else is new?
by Thomas, David October 13, 2004 9:26 AM PDT
Can't cry if we think that Microsoft is the right choice to base our enterprise systems on. Those who know me know that I have made this argument for nearly 20 years.

What on earth do you expect from a company that based its original OS modifications on back-doors and holes designed to disable competitive software?

These are not accidental flaws, or security holes. Someone had to write these capabilities into the software and they are just being exposed. Going forward, the mindset never changed, so they could not recognize this ill-fated approach.

So the mediocrity continues, what else is new?! ...
Goody--wonderful
by lwolfaje51 October 13, 2004 11:47 AM PDT
If Microsoft keeps on I will have to buy a new hard drive just for my programs, since they are going to fill up the 80gb hard drive that came in the pc--I can hardly wait--EGADS.....AJE
I used the 'patch' and my PayPal NOW WORKS !!!
by October 13, 2004 2:24 PM PDT
I used the 'patch' and my PayPal NOW WORKS !!!

HMMMMM...

PayPal outage ? or security flaws ?
Don't wait, get help today!
by anthonycea October 13, 2004 6:13 PM PDT
Get help today, don't wait around for M$ to solve your problems.

If you own a PC, see the following URL for help on Anti-virus software, free anti-spyware download links and more

http://searchwars.squarespace.com/free-software-downloads/

Or you can buy a MAC and put an end to your Microsoft nightmare!
Good one David!
by itsnotyourbaby October 13, 2004 6:42 PM PDT
Good one David!
Well...
by Steven N October 14, 2004 1:37 AM PDT
You sound more and more like a manager to me...

Here's my view on the economics of a small company.

A boss of a small company (with e.g. 20 PCs) is struggling to keep his company alive, and wants to make sure his personnel gets paid at the end of the month. Having to pay for another M$ license to install a "free" tool like SUS is just overhead for that company. Neither would he have the resources to keep the system properly maintained.

If he wants to make sure his system is secure by changing the way his people are using their PC's (e.g. dumping IE and Outlook), then he is still required to use this piece of Internet Exploiter. See some of the comments below, you know them.

In a company IT is considered to be a money pit because of all this junk. And it is a prejudice that is confirmed every time again...
It's for you Mr Arbogast
by Steven N October 14, 2004 1:38 AM PDT
Regards
try logic Mr. Nijs
by David Arbogast October 14, 2004 8:41 AM PDT
Your biggest mistake is to assume that dumping IE and Outlook somehow makes the entire infrastructure secure. Regardless of the OS and browser you choose, you will absolutely have to upgrade, patch, and secure systems on an ongoing basis. The question is... whether it is more economical to do this one machine at a time, or to update machines globally from a centralized location.

Anybody with half a day's experience knows that you estimate the cost of patching manually, and compare it to the estimated cost of an automated patch system. The lower cost solution wins.

So... figure that an IT employee will cost a company at least $50/hour (with benefits). Now, how many hours of patching does it take to equal the cost of a single server license? A person running a small business will quickly identify the most economical solution.

So maybe I do sound like a manager to you. If that is the case, then I am a manager who is fiscally responsible and will keep my company alive and employing IT workers for many years to come. You are welcome to waste your company's money with an anti-Microsoft attitude that raises the cost of security.