Microsoft on Tuesday warned of two security issues that could put some Windows users at risk of attack and said it is investigating a third possible vulnerability.
One security problem is reminiscent of the recent high-profile security woes that affected Windows. It is related to how aging versions of Internet Explorer handle malformed Windows Meta File images on the Windows Millennium Edition and Windows 2000 operating systems.
The flaw exists only in IE 5.01 with Service Pack 4 on Windows 2000 and IE 5.5 with Service Pack 2 on Windows ME, Microsoft said in a security advisory. Users could be attacked simply by viewing a malicious image on a Web site, in an e-mail or in an image viewer, Microsoft said.
"An attacker who successfully exploited this vulnerability could take complete control of the affected system," Microsoft said in its advisory.
Though the WMF vulnerability may appear similar to previous flaws related to WMF that plagued Windows, the issue is different, Microsoft said. Last month the software maker rushed out a fix for a WMF rendering flaw that was being exploited to install spyware on the computers of unwitting Windows users.
To remedy this new WMF problem, Microsoft recommends users upgrade to IE6 with Service Pack 1 and said it may issue a security patch.
In a second security advisory, Microsoft warned of a problem with overly permissive access controls in Windows XP and Windows Server 2003. The problem exists only in versions that do not have the latest service packs installed, the company said.
The access control issue could be exploited by a user with low privileges to run programs and commands that normally require a higher privilege level, Microsoft said. The software maker suggests installing Service Pack 2 on Windows XP or Service Pack 1 on Windows Server 2003 to limit exposure, or manually changing access controls on the four affected Windows components.
In addition to the security advisories, a Microsoft representative on Tuesday said the company is investigating a potential vulnerability in its HTML Help Workshop, a part of the HTML Help Software Development Kit version 1.4.
Attack code that takes advantage of the flaw is publicly available. A successful attack could give an attacker full control over a vulnerable computer, security monitoring company Secunia said in an alert. However, the scope is limited because the vulnerable software is used only by software developers and is not part of Windows, according to Microsoft.
"Microsoft's initial investigation has revealed that customers who have not installed the HTML Help SDK on their systems are not impacted by this report," the representative said.
Microsoft's next "patch Tuesday" is on Feb. 14. The company on Thursday is expected to release some details on what software fixes it will deliver.
I just (like 25 minutes ago) got an older laptop working again, and it has Windows 2000. I just updated it, as it was long out of service. First thing I did was use IE to download Firefox so I could get the new SP from the Windows website, lol. 2000 isn't even that bad of an OS (in fact, XP sometimes seems slower, and buggier), but combine 2000 with IE, yikes, it's a scary situation.
The Mozilla Foundation will change your computer experience.
Just using a different browser in XP or any other Microsoft OS isn't going to make your machine or your surfing any more secure. Because of the tight integration between Internet Explorer and Windows Explorer there hit just the same! Remember, your Windows File Explorer will display web pages too. So just changing browsers will not make your surfing any more secure.
I know it is easier to just bash MS and say OOOH another Internet Explorer vulnerability instead of reading what it was. This is in IE version 5 on Windows ME and Windows 2000 - let's see, old version of IE on older operating systems. The vulnerabilities are not present in Windows XP, or in version 6 of IE. Thus it has long been fixed. BTW, have you not noticed the Firefox vulnerabilities that have come up, some which have been listed as serious? No browser is completely safe - the more popular it becomes, the more people will try to exploit it.
XP was insecure the first week it was presented over 3 years ago. Microsoft users have been punished with knowing that their Microsoft-powered networks will never be safe!
My office just got windoze 2k in Aug. 2003, which is very new for us considering we had windoze 95 before the work-station upgrade. Our medical office has always been like most companies--slow to change unlike personal computer users.
I rather hope MS work on flaws on SP2, IE7 and Vista instead of on legacy OS like 2000 or browsers like IE5. People who dun buy e newer software are either those that dun not want e new products so why bother with customers of low value? Another group of people who use old products are those that feel new products are not good enough, so why not work on the new ones? Dun bother about what the Mac n linux users, they are not yr customer, then to get them is like selling music players to iPod users, dream on if u think u can get them.
So, combine this article with the ones posted on www.TechViewsToday.US and you have all the reasons in the world to go get yourself some security in the form of a Mac!
Apple's been releasing a steady stream of security patches as well. Not as severe perhaps, but don't for a second believe Macs are impervious to viruses.
Nothing is perfect in software, but... With the massive resources and money that MS has, there is NO excuse for this level of poor quality/security in their products.
If ANY other product on the market in the US was so flawed, the government would have gotten involved.
Buy a MAC for security, lol that's funny. Yeah you could chain your valuables to it I suppose.
MACs use UNIX which has more security holes than swiss cheese. The only reason their vulnerabilities are not targeted as much is that no one uses them so it's not worth the effort for hackers.
Talking like others is what you're doing without investigating the real reason. UNIX, Linux, IBMs AIX, HP UX and Sun Solaris are based on a totally different design and are THEREFORE MORE secure than Windows.
UNIX is designed from the ground up as a Multi-user Multi tasking OS. Hence it is more scalable, more reliable, faster and more secure. NOT perfect though..... but much better in terms of security than Windows.
Study the subject before you start talking like other dummies.
... repeating the stupid claim that Macs are not common enough to get attacked. But what the heck, stupid people have to say something to prove they are stupid.
It isn't like this just happened. Windows has been having significant security issues since the mid 90s, so if you've bought it since then, you're partly to blame. You voted with your wallet for an insecure OS.
Now they want more from you, so you have to make a decision. Are you going to let them keep sticking it to you or are you going to spend your money on a better product?
Even if you just started using Windows 2000 (well 3 years ago), the flaw affects version 5.01 of Internet Explorer - there is no reason you should not be using version 6.
This is nothing more than flame bait. How is this news? If you are running all updates i.e. (no pun intended) WinXPSP2 this is a joke. Even WinXPSP1 isn't affected. I feel sorry for anyone using IE5.
1. The "user" who first signs on to a Windows machine right out of the box becomes the root user of the OS. That's known as "admin" in Windows world, but some call it "root" anyway. The root user is GOD to a computer. The word "root" makes real server admins (as opposed to casual ones) cringe a little because they understand the power of that word. Keep that in mind for reason 2.
2. Integration of browser, messaging, update systems, keyboard input, scripting, email, IM, inter-application messaging, server authentication and a thousand other things is very tight in Windows. One process sneezes and the other ones say "gesundheit". Since any of these input mechanisms are running under root (GOD) they trust each other implicitly. That's why you can use IE to visit a web site containing a malicious piece of code in the HTML and - ZOOM - it's jumping around in your operating system doing whatever the hell it wants. There's a wonderful scripting system available that will happily follow the command of the malicious code as "root" - which is everything running on the computer. Bang, you're a spam server. Pow, there go all your files to Hong Kong. OOF, you're an IRC server for someone in Belgium.
Since everything is running with root privileges in Windows, there's no way for the computer to tell whether someone at the keyboard told the computer to give up all the secrets or if some script from an email, IM or some stupid task bar app told it to do that. "Click Here to See the Dancing Monkeys" - and you're sending 40,000 emails a day to everyone on the planet. Play a music file or open a JPEG and you're a Windows zombie attacking banking systems within 10 minutes. Your computer doesn't know and can't tell the difference between "admin" and "user" unless you set up the machine correctly.
Viruses and worms are written to automatically jump from machine to machine using the all powerful admin privileges and automatically propagate themselves - and "admin" is the base user on about 90% of the Windows machines out there. Viruses will test every machine in the world (or try to) and climb in the known back doors of every unsecured Windows machine at will.
If the same worm or virus tests a Mac or Linux machine, nothing happens. I've been running a Mac web server since 1996 and I see all the viruses testing the machine constantly, 24 hours a day, 7 days a week. These viruses run through every IP address we have in the company - 2 class C blocks - and test everything. Any Windows machine we've had exposed to the Internet, patches or not, has caught a virus. All the Macs, old and new, simply log the attempt and do nothing except keep serving.
Oh, there are patches for Windows that plug holes in these viruses and worms running around but MICROSOFT HAS NEVER ADDRESSED THE UNDERLYING ISSUE OF VULNERABILITY. They mostly apply a patch to identify and halt an expected or current virus. Microsoft appears to have FAR more security activity than Apple because THEY NEED IT. Hackers change the signature of the virus slightly and Microsoft is right back to designing a new band-aid. At other occasions, they simply do something silly like disable the use of a particular URL syntax to "fix" the problem - a syntax that doesn't harm dozens of other operating systems because NOBODY ELSE IS STUPID ENOUGH TO DESIGN AN OS THAT DEFAULTS TO ROOT PRIVILEGES EXCEPT MICROSOFT.
Sorry for yelling, but until that's fixed, the Mac, Linux and all the other Unices will be more secure. Firewalls can slow "them" down but if you can make a network connection to the firewall, you can talk to it and trick it into being circumvented. The level of security behind the firewall becomes very important and Windows doesn't do it.
There are a bunch of known EXPLOITS for the other systems, a dozen or so, which most all rely on someone sitting at the keyboard with the administrator password to install or enable the exploit. An exploit is a misuse of a computer and a virus is considered self propagating without user knowledge or intervention.
A good way to get your Mac or Linux machine exploited is to be a person lazy enough to use the same simple word for the username AND the password. That's not the operating system's fault, though - that's the dumb admin. We had one of those once. Username "media", password "media" and I got a root kit installed with an IRC server for Darwin (the unix flavor of OS X).
One last thing - two years ago I got REAL tired of playing virus whack-a-mole at work. I removed about 40 Windows machines and gave them all OS X Macs. The users ******* and moaned for a few weeks, much like the Mac pundits here who clearly haven't lived with one for any length of time. They quieted down when they learned the machine and had that "Aha" moment - 6 weeks on average. After that, virtually every one of those people have thanked me for the Mac and many have replaced their PCs at home with a Mac. There wasn't one machine that had a problem with a virus or an exploit and I was HAPPY.
There's a reason for everything and to each his own. Lately, a lot of people have been questioning the reason for Windows. There will be SOMETHING that tackles the Mac or Linux some day, but Windows has a head start of over 100,000 viruses out there that will kill your machine and that's just plain inexcusable on Microsoft's part.
On Windows, some programs seem to require admin access to run correctly. I recently had this problem with "Sims 2" --- it wouldn't run correctly unless I made my normal user account an admin account.
Your assessment is very well conceived and posed. Even I, as an MS OS user must agree. The MS OSes have not addressed any of the issues you mentioned, to any formidable degree as of yet. As a person that is new to the Apple OSes, I must know - what happens if a user other than a "root" user is placed in the position of installing a software that requires that level of permission(s)? If you would, please address the method an Apple software writer might use when considering an installation package to work with any Apple system or OS.
system. So the thought of a Secure Vista is the equivalent of finding a NEW PLANET! Slim to NONE!
~Justin
Nothing is perfect in software, but... With the massive resources and money that MS has, there is NO excuse for this level of poor quality/security in their products.
If ANY other product on the market in the US was so flawed, the government would have gotten involved.
Thank goodness MS doesn't make brake systems!
BCA
Yeah, See http://www.bmw.com
The headline originally had the word flaws in it and I believe that to be more accurate, anyway.
..Yawn..
anyone actually hacked anything just that one man said their machine was hacked. And yes, although supposedly independent, SecurityFocus is owned by Symantec Corporation who have pulled this kind of stuff before. This is no proof that it was invented but nor is there any proof that it wasn't.