Posted (edited)

Microsoft fixes 'critical' flaws

Windows users are being urged to download the latest security patches from Microsoft to protect themselves.

In its monthly security update Microsoft released five patches, four of which are for flaws the software firm rates as "critical".

Flaws given this rating are so serious that they could be used to hijack a Windows PC without a user's knowledge.

The update includes a new version of a patch released in early April that had been causing problems for some users.

Update event

The second Tuesday of every month is the day Microsoft chooses to issue security updates for its software.

The five updates issued in April are for users of Windows Vista, XP, 2000, Server 2003 and Microsoft Content Management Server.

The four critical patches are for flaws that Microsoft says could lead to "remote code execution" which means that hackers could exploit them to take over a PC, steal information on it or put it to their own uses.

Also in the security bundle is a fix for a patch that Microsoft released in early April to close a flaw in the way that Windows handles animated cursors.

It released the patch early because many criminal hacking groups were using the flaw to set up booby-trapped websites that could hijack a PC.

Among those targeted in this way were World of Warcraft players as a single account for the hugely popular game can prove very lucrative.

However, Microsoft was forced to issue a fix for the cursor patch as some users found it conflicted with other programs installed on their PC.

Users of programs such as ElsterFormular, TUGZip, CD-Tag, and Realtek HD Audio Control Panel found that installing the patch stopped these utilities working.

From:

http://news.bbc.co.uk/2/hi/technology/6544089.stm

Your comments are appreciated.

LaoPo

Edited by LaoPo
Posted

the very nature of the cat and mouse games played by hackers with Microsoft etc. means that what is secure today will be insecure tomorrow.

all the companies can do is provide patches via updates, and that is what they do.

it is up to users to keep their software updated, just as we service our cars, check our blood pressure and oil our bicycle chains.

Posted

Yes, you could say that the last two months were quite slow, as the number of patches released by Microsoft was very low indeed; usually they release more patches. Microsoft Update and Windows Update are invaluable services which should be switched on on every computer. I would go for Microsoft Update, since it includes patches not only to Windows but also to other products from Microsoft. For LAN admins the WSUS service is a great tool, automating and centralizing patch management.

The whole patching issue is a pain, but very necessary. Keep your OS up to date.

Posted

I've actually been amazed that there was only one real security issue with Vista so far and out of all variants of NTFS Windows, it was the least vulnerable.

Posted

Well, Vista is by far the most secure of Microsoft releases, and it shows in the number of released patches so far. Of course the users have to pay a little price (UAC for one) but I think it pays.

Posted (edited)

running xp.

i generally just let windows inform me (ask me) when time comes.

the box comes up (rapid install or custom install.. ) I have a peek, then let it do as it pleases.

is that wrong?

With yesterday's patches i had to reboot, then another security thingie was installed, and some search was performed, malicious software removal tool, or something.

i don't recall ever having refused a windows update, though I do always look at them first.

Edited by kayo
Posted (edited)
> Well, Vista is by far the most secure of Microsoft releases, and it shows in the number of released patches so far. Of course the users have to pay a little price (UAC for one) but I think it pays.

Yeah right. Except for the fact that hackers pretty much leave Vista alone, just like they leave OS X alone. Rather, they focus on the most widespread OS, XP. Let's revisit this issue next year shall we?

UAC is the most retarded implementation of a "security" model I have ever seen. One wonders why the same thing works very well on OS X?! By works well I mean that whenever this kind of dialog pops up on OS X, you know exactly why - usually it only happens when you install software. On Vista, it happens constantly and for no discernible reason. Further, Vista doesn't require you to enter a password so the first hacks that automatically push the OK button "for you" are just around the corner, guaranteed.

Personally, I think Vista will be an improvement over XP, but still far from being secure. I also don't think users will put up with the constant annoyance that is UAC and turn it off. It's a "blame the user" feature, nothing more. Even if you leave UAC on, how are you going to distinguish the normal programs that trigger UAC 10 times a day from a virus? UAC is a failure at the conceptual level, and on the implementation level.

/rant whoops.

Vista will be better than XP mainly for the sandbox around IE which conceptually is the right thing to do. The current implementation doesn't really work - there are still holes in it. But it's the only way to secure a web browser, and Microsoft has at least started to implement it. And eventually they'll fix the bugs.

This is different from XP where the concept - free for all, basically - is so wrong that there is no way of fixing it - you can patch each hack, but you can also guarantee that there will be an endless stream of new hacks.

Edited by nikster
Posted (edited)
> running xp.
>
> i generally just let windows inform me (ask me) when time comes.
>
> the box comes up (rapid install or custom install.. ) I have a peek, then let it do as it pleases.
>
> is that wrong?
>
> With yesterday's patches i had to reboot, then another security thingie was installed, and some search was performed, malicious software removal tool, or something.
>
> i don't recall ever having refused a windows update, though I do always look at them first.

I do the same thing. Too much trouble to keep track of all the various windows flaws.

Just let auto update do its thing. I don't recall this ever having broken anything on my system so that's what I will continue doing. Microsoft may have terrible (or no) security on Windows, but they do test their patches pretty well.

I do check what it wants to install though - I keep an eye out for stuff that's not really a security update, like the "Windows Genuine Advantage" stuff.

I find it offensive that Microsoft hides software that only benefits themselves and at the same time inconveniences some users in critical security updates. This once again shows that Microsoft has absolutely no sense of ethics. It's like a doctor in a hospital telling you you need a surgical procedure when you don't and the only benefit is for the hospital - a severe breach of trust.

Edited by nikster
Posted
> Yeah right. Except for the fact that hackers pretty much leave Vista alone, just like they leave OS X alone. Rather, they focus on the most widespread OS, XP. Let's revisit this issue next year shall we?

We don't have to wait a single day. Vista is by design more secure than XP; there are numerous security improvements over XP, so the remark that Vista will be Microsoft's most secure release yet is justified.

Of course it remains to be seen if the number of exploits goes down, but for sure Microsoft has made it harder for hackers to break in, harder for malware to infect the system.

> UAC is the most retarded implementation of a "security" model I have ever seen. One wonders why the same thing works very well on OS X?! By works well I mean that whenever this kind of dialog pops up on OS X, you know exactly why - usually it only happens when you install software. On Vista, it happens constantly and for no discernible reason. Further, Vista doesn't require you to enter a password so the first hacks that automatically push the OK button "for you" are just around the corner, guaranteed.

It is actually similar to the OS X implementation, but more secure: it will not only pop up when installing software, but also when you, for instance, open Computer Management. UAC kicks in whenever a user wants to do anything remotely administrative. The fact that it doesn't prompt you for credentials is just because you are running as administrator; if you run as a normal user (which is recommended), UAC will ask for administrator credentials.

> Personally, I think Vista will be an improvement over XP, but still far from being secure. I also don't think users will put up with the constant annoyance that is UAC and turn it off. It's a "blame the user" feature, nothing more. Even if you leave UAC on, how are you going to distinguish the normal programs that trigger UAC 10 times a day from a virus? UAC is a failure at the conceptual level, and on the implementation level.
>
> /rant whoops.

I don't know what you do with your workstation, but days go by for me without any UAC dialog. I mean, I would switch it off when installing a workstation, but it is switched on afterwards. If you just run IE and Office, for instance, you won't see UAC, or at least very few times.

Further, UAC is only one of the many security enhancements, and the one that is most apparent because it is visible. But there are many more "under the hood". One example is the way Windows handles services, another weak spot in XP. Indeed IE7 is another.
