Just days after Microsoft rushed out a patch to fix a critical Windows flaw in the processing of Windows Metafile (WMF) images, two more problems with the same component have been flagged.
The newly disclosed issues could be a conduit for denial-of-service attacks, according to a description sent to the Bugtraq mailing list on Monday. A core function of the Windows operating system, explorer.exe, will crash a vulnerable Windows PC if a user views a specially crafted WMF image, according to the description. Explorer runs the Windows user interface, including the Start menu, taskbar, desktop and file manager.
Microsoft is aware of the problems, a representative for the software maker said in an e-mailed statement. The company had identified these issues before the report and is evaluating fixes for inclusion in the next service pack for the affected products, the representative said.
"Microsoft's initial investigation has found that these are not security vulnerabilities but rather performance issues that could cause an application to stop responding," the representative said.
Microsoft disputes that the flaws can cause Windows to stop responding, but said they may affect an application used to view a WMF image. Such applications include the Windows Picture and Fax Viewer.
"(The issues) may cause the WMF application to crash, in which case the user may restart the application and resume activity," the software maker said. The issues do not allow an attacker to commandeer a Windows system, Microsoft noted.
It is no surprise that more WMF flaws are being found, said Mike Murray, the director of vulnerability and exposure research at nCircle, a vulnerability management company in San Francisco. "When a part of Windows yields up a couple of vulnerabilities, it draws attention, and many malicious researchers start looking at that part more closely," he said.
Bugs affecting components of software typically come out in bunches, Murray said. "A few years ago it was IIS, then SQL Server, then RPC, now it's the Windows Graphics Engine," he said. IIS is Internet Information Services (the Web server part of Windows Server), SQL Server is Microsoft's database product, and RPC is the Remote Procedure Call component.
The newly reported Windows issues aren't as serious as the one Microsoft just patched--at least, not yet, Murray cautioned. "In the current release, they're only denial-of-service attacks. However, it's likely that they could be leveraged to be more severe," he said. "If it's possible to write an exploit to take control of an attacked machine, we'll see one in the next week or two."
Microsoft is not aware of any attacks that use the newly disclosed issues as a conduit, it said.
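The crashes described above come down to a malformed WMF file reaching a parser that trusts its length fields; the article does not say what the malformation in the Bugtraq report was. The following Python is an added example, not code from the article, from the Bugtraq poster or from Microsoft: it walks a WMF record stream and refuses the structural faults a hardened viewer must reject before dispatching any record. Field layout follows the WMF format (optional 22-byte placeable header with key 0x9AC6CDD7 and an XOR checksum, an 18-byte META_HEADER, then records consisting of a DWORD size in WORDs and a WORD function code, ending in META_EOF). The sample metafile and its corrupted variants are constructed inline and are fixtures, not real images.

```python
import struct

# WMF constants from the Windows Metafile format; all sample data below is constructed
PLACEABLE_KEY = 0x9AC6CDD7        # key of the optional 22-byte placeable (Aldus) header
META_EOF = 0x0000
META_SETMAPMODE = 0x0103
META_SETWINDOWORG = 0x020B
META_SETWINDOWEXT = 0x020C
META_RECTANGLE = 0x041B
HEADER_FMT = "<HHHIHIH"           # Type, HeaderSize, Version, Size, NumObjects, MaxRecord, NumMembers
HEADER_LEN = struct.calcsize(HEADER_FMT)   # 18 bytes


class WmfError(ValueError):
    """Raised for any structural fault; callers should stop, not try to 'recover'."""


def parse_wmf(data: bytes):
    """Walk the record stream and return [(function, size_in_words), ...].

    Every length field is checked against the real buffer before it is trusted,
    so a crafted file cannot drive the walker past the end of the data or stall it.
    """
    off = 0
    if len(data) >= 22 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY:
        # Placeable header: the checksum is the XOR of the ten WORDs preceding it
        expected = 0
        for w in struct.unpack_from("<10H", data, 0):
            expected ^= w
        if struct.unpack_from("<H", data, 20)[0] != expected:
            raise WmfError("placeable header checksum mismatch")
        off = 22
    if len(data) - off < HEADER_LEN:
        raise WmfError("truncated META_HEADER")
    mtype, hsize, version, size_words, _nobj, maxrec, _nmem = struct.unpack_from(HEADER_FMT, data, off)
    if mtype not in (1, 2):
        raise WmfError(f"unknown metafile type {mtype}")
    if hsize != 9:
        raise WmfError(f"HeaderSize must be 9 WORDs, got {hsize}")
    if version not in (0x0100, 0x0300):
        raise WmfError(f"unknown version 0x{version:04x}")
    if size_words * 2 > len(data) - off:
        raise WmfError("header Size claims more data than is present")
    off += HEADER_LEN
    records = []
    while True:
        if len(data) - off < 6:
            raise WmfError("truncated record header (no META_EOF seen)")
        rsize, func = struct.unpack_from("<IH", data, off)
        if rsize < 3:
            # the size covers the record's own 6-byte header; 0 here would stall a naive loop
            raise WmfError(f"record size {rsize} below minimum of 3 WORDs at offset {off}")
        if rsize > maxrec:
            raise WmfError(f"record size {rsize} exceeds header MaxRecord {maxrec}")
        if rsize * 2 > len(data) - off:
            raise WmfError(f"record at offset {off} overruns the file")
        records.append((func, rsize))
        off += rsize * 2
        if func == META_EOF:
            return records


def check(data: bytes):
    """Return None if the file is structurally sound, else the rejection reason."""
    try:
        parse_wmf(data)
    except WmfError as e:
        return str(e)
    return None


def build_wmf(records):
    """Construct a minimal disk metafile from (function, parameter_bytes) pairs."""
    encoded = [struct.pack("<IH", 3 + len(p) // 2, f) + p for f, p in records]
    encoded.append(struct.pack("<IH", 3, META_EOF))
    body = b"".join(encoded)
    maxrec = max(len(r) // 2 for r in encoded)
    return struct.pack(HEADER_FMT, 2, 9, 0x0300, 9 + len(body) // 2, 0, maxrec, 0) + body


def add_placeable_header(wmf: bytes, bbox=(0, 0, 100, 100), inch=96):
    """Prefix a correct placeable header (key, hmf, bbox, inch, reserved, checksum)."""
    head = struct.pack("<IH4hHI", PLACEABLE_KEY, 0, *bbox, inch, 0)
    checksum = 0
    for w in struct.unpack("<10H", head):
        checksum ^= w
    return head + struct.pack("<H", checksum) + wmf


# Constructed fixtures: one well-formed file and four corrupted variants
SAMPLE_RECORDS = [
    (META_SETMAPMODE, struct.pack("<H", 8)),               # MM_ANISOTROPIC
    (META_SETWINDOWORG, struct.pack("<hh", 0, 0)),         # Y, X
    (META_SETWINDOWEXT, struct.pack("<hh", 100, 100)),     # Y, X
    (META_RECTANGLE, struct.pack("<hhhh", 90, 90, 10, 10)),  # Bottom, Right, Top, Left
]
GOOD = build_wmf(SAMPLE_RECORDS)
ZERO_SIZE = GOOD[:18] + struct.pack("<I", 0) + GOOD[22:]          # first record's size set to 0
OVERRUN = GOOD[:18] + struct.pack("<I", 0x7FFFFFFF) + GOOD[22:]   # size runs far past the end
TRUNCATED = GOOD[:-2]                                              # last WORD of META_EOF cut off
PLACEABLE = add_placeable_header(GOOD)
BAD_CHECKSUM = PLACEABLE[:21] + bytes([PLACEABLE[21] ^ 0xFF]) + PLACEABLE[22:]

if __name__ == "__main__":
    for name in ("GOOD", "ZERO_SIZE", "OVERRUN", "TRUNCATED", "PLACEABLE", "BAD_CHECKSUM"):
        print(f"{name:13s} {check(globals()[name]) or 'ok'}")
```

The walker stops at the first fault rather than skipping to the next plausible record; for a viewer, refusing the whole file is the safe answer, since any later record could have been positioned by the attacker to be reached only after the misparse.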
That sounds less like malware and more like a valuable public service!!
Don't get me wrong---Windows isn't "evil" or anything... It's just that I'm sick and tired of "my" operating system obeying every whim of everyone on the internet but me! (the first time I got pr0n-reg-hacked I was furious! :)) It just seems like a really poor permissions model... running *NOT* in administrator mode takes away 85% of my functionality, and running in administrator mode is like waterskiing on liquid hot magma.
"switch OSes l4m3xx0rz!!!!110101!!!" My response is "hack windows better and I will!!" ha...
Personally, I'm sick of all these flaws with Windows. I understand that nothing is perfect, and with millions of people using a product, flaws will surface. But overall, as a paying customer, your expectations of such software are high. And now this: apparently explorer.exe can crash by viewing an image.
__________________________________
R.K.
http://www.Remove-All-Spyware.com/
The rushed security patch was listed as "Critical"; however, the severity was "not critical" for the Windows 95, 98 and Millennium Edition versions of Windows.
This translates into "Critical unless we don't care about you anymore". The drop of support for these older versions brought an outcry that Microsoft could and would allow the Operating System to remain vulnerable to multiple points of attack in an effort to force users to buy new versions. Seems the fears have come true, but I don't see much about this issue yet.
If you're running 95, 98 or ME you don't have any security in the first place. Those OSes were based on a system that never had any security except as window dressing. How long are you planning on continuing to run those ancient and now very obsolete OSes anyway? Are you going to complain that vendors aren't fixing bugs in 5, 7 and 10 year old releases of Linux now either?
Or are you not actually running one of those but just sounding off because you feel like complaining?
I'm not sure relying on Microsoft's opinion regarding how critical a vulnerability is would be a good idea.... I mean... look at their judgments in the past... they have not been very good at picking what is critical and what is not.