Time: 00:03 EST/05:03 GMT | News Source: News.com | Posted By: Kenneth van Surksum
Microsoft on Tuesday released fixes for 20 vulnerabilities in a variety of products including Windows, but none of the operating system flaws affect Vista.
The fixes arrived in a dozen security bulletins, released as part of Microsoft's monthly patch cycle. Six of the alerts were tagged "critical," the company's most serious rating. These flaws could enable an attacker to gain complete control over a vulnerable computer with no action, or minor action, on the part of the user, Microsoft warned.
The critical vulnerabilities are in Windows, Internet Explorer, Office and in Microsoft security tools such as Windows Live OneCare and Windows Defender. None of the Windows or Office flaws affect Vista or Office 2007, Microsoft's latest updates. However, Windows Defender ships as part of Vista, so the new operating system is at risk from that direction.
|
|
#1 By 2960 (24.254.95.224) at 2/14/2007 7:49:42 AM
|
Incorrect...
There was a critical patch for Windows Defender.
TL
|
#2 By 2201 (212.117.228.133) at 2/14/2007 8:18:55 AM
|
Again, no fixes for VISTA!
|
#3 By 3746 (72.12.166.62) at 2/14/2007 8:45:42 AM
|
#1
I didn't receive a critical update for defender in vista update. I just checked again and there was nothing. Do they label the updates as critical in windows update when you check what has been installed? The highest level I have ever received is important.
This post was edited by kaikara on Wednesday, February 14, 2007 at 08:48.
|
#4 By 2459 (69.22.113.215) at 2/14/2007 8:59:26 AM
|
Windows Defender likely installed the update via its auto-update mechanism which is why it doesn't show in Windows Update on Vista. Open Windows Defender, go to Help | About, and check that the Engine version is 1.1.2101.0.
The affected component is the Microsoft Malware Protection Engine, which is used by a number of their security products, including OneCare, Forefront, Antigen, and Defender.
The security bulletin is here:
http://www.microsoft.com/technet/security/Bulletin/ms07-010.mspx
This post was edited by n4cer on Wednesday, February 14, 2007 at 09:00.
|
#5 By 2960 (24.254.95.224) at 2/14/2007 9:07:54 AM
|
That is correct, n4cer.
Since WD is an integral part of Vista, and the exploit allows one to take control of the computer, it should be counted as a Vista update.
TL
|
#7 By 15406 (216.191.227.68) at 2/14/2007 9:45:28 AM
|
Nice. Your system can be owned when Defender, the thing that's supposed to protect you from malware, scans a bad PDF.
|
#8 By 32132 (64.180.219.241) at 2/14/2007 9:52:10 AM
|
Good for Microsoft. They patched Defender before there was an exploit. Or even a publicly known vulnerability. That's service.
|
#9 By 3653 (68.52.143.149) at 2/14/2007 10:07:20 AM
|
techlarry, why don't you graduate from 'passive hostility'. You're like a flower bud, that just can't quite get enough sunshine to full-on bloom.
|
#10 By 23275 (68.17.42.38) at 2/14/2007 11:17:36 AM
|
Windows Defender [and OneCare], will update themselves to, Windows Defender Version: 1.1.1505.0 and Engine Version: 1.1.2101.0. Their updates won't even show up in Windows/Microsoft updates on a Windows Vista PC - just as n4cer suggests.
As at the applicable CVE-2006-5270, the vulnerability is a "user-assisted" one and would require user interaction - most especially so, on a PC running Windows Vista.
In the case of Windows Defender, it would have updated itself in the background, but users may force a manual update check, for which it will reflect that there are no updates available.
A check of the engine version as above, against the CVE as at Mitre, will reflect that the running version of the engine is not affected by the vulnerability - if it does, then the system would not have been connected to the Internet, or otherwise prevented from accessing the update site. #8 is right - Microsoft's patch management and proliferation architecture is working and has been extended to its partners and customers as evidenced by the above behaviors and the information as published at the resources in my post at, #6 above.
#7, We addressed far more vulnerabilities in *nix we manage last night - with one very vital exception - not one of those customers wanted patches proliferated - they were afraid of the impact on the applications and dependent processes!!!!! - that is the most often reflected posture exhibited by developers and admins among customers running OSS/FOSS. The best we can do is alert them, offer to share our test results, and proliferate patches when the customer does allow - aside of course, from totally isolating the V-LAN's to protect other systems. I share this, because there is a reality and truth out here that too few OSS/FOSS advocates ever face with any measure of candor, or full honesty - they seem to rely instead, on a dangerous assumption - that their systems, like OS X users assert, are invulnerable. For me, the practice defines foolishness, arrogance and what a lie is. The practice is made worse as these same advocates do not acknowledge that Microsoft has devised good means to fully manage the software they write - an enormously important distinction.
I must conclude that the example Microsoft is setting as regards its work to make computers more secure and its software safer to use, is a very good one - so good, it is worth emulating.
|
#11 By 2459 (69.22.113.215) at 2/14/2007 11:21:12 AM
|
Both camps are right, and it just depends on your view of what constitutes the OS.
Though the malware engine is technically and organizationally a separate component, it also ships w/ the OS in the case of Vista and is on by default as TL points out, so if you consider the entire distribution the OS, then this can be viewed as an OS vulnerability for Vista. On the other hand, the engine is an application component, not a core OS component, so technically it's not an OS vulnerability, but an app/distribution vulnerability. While it's nice that this isn't a core OS issue, and some of Vista's mitigations may affect the ease of exploitation (I've not examined this closely enough to make that determination), if you were comparing similar default configurations of various OSes, you'd likely count this issue against the Vista distribution as compared to another OS distribution as you want to represent realistic, supported configurations for each platform, unless you have a specific target configuration for a particular environment.
See past debates over Linux vs. Linux distribution vulnerabilities for obvious parallels.
|
#12 By 15406 (216.191.227.68) at 2/14/2007 1:17:35 PM
|
#10: I don't know what kind of brain-dead chimps you have for customers, but the people I deal with certainly do not assume their systems are invulnerable just because they're Unix. And they have no problems with patching. btw, I'm curious. Which patches for which Unix were you busy with last night?
"I must conclude that the example Microsoft is setting as regards its work to make computers more secure and its software safer to use, is a very good one"
You conclude that everything to do with MS is good -- so what else is new? Are you hoping that Gates will adopt you if you polish the MS apple frequently & vigorously enough?
|
#13 By 32132 (142.32.208.231) at 2/14/2007 1:34:29 PM
|
"Which patches for which *nix were you busy with last night?"
Maybe these ones for last 5 days:
This week, advisories were released for samba, mozilla, kdelibs, mpg123, wireshark, gd, libwmf, php, gtk, kernel, bind, java, postgresql, and dbus. The distributors include Debian, Mandriva, Red Hat, Slackware, and Ubuntu.
http://www.linuxsecurity.com/content/view/126955/187/
How about the previous week?
advisories were released vlc, firefox, bind, libtop2, gtk, libsoup, fetchmail, squid, cacti, thttpd, ksirc, elinks, xine, ulogd, libsoup, kernel, squirrelmail, and tetex. The distributors include Debian, Fedora, Gentoo, Mandriva, Red Hat, Slackware, SuSE, and Ubuntu.
http://www.linuxsecurity.com/content/view/126854/187/
etc etc for week after week after week ....
|
#14 By 8556 (12.207.97.148) at 2/14/2007 2:32:15 PM
|
Latch: You will wash out your keyboard with soap young man if you use that tone of voice again!
|
#15 By 2960 (24.254.95.224) at 2/14/2007 3:05:40 PM
|
#9,
I have no idea what you're talking about. All I said here is there WAS a patch for Vista, it just wasn't shown as a Vista patch.
TL
|
#16 By 23275 (68.17.42.38) at 2/14/2007 5:09:20 PM
|
#13, Don't forget the slew of SSH vulns and versions, or all the Oracle 9i and 10g bugs - the entire platform is so porous and infested the lists from very costly RH AS support are dang near endless.
#12, I could paper a decent sized room with them and I am most disappointed that *nix customers don't take the stuff nearly as seriously as the Windows customers do... and these are finely tuned installs, too - I know, we spent weeks working up and testing the packages and configs for them and many more devising the patch proliferation plans and policy for them.
Fact is, their devs are afraid to change a thing. Sad. Oh well... I can't break their arms to get them to patch.
Also, Latch, I do see Microsoft as a force for good - where its people seem to be driven by that which is good and worthy of human effort. That much is true. I don't agree with everything they do and sure don't like all their software - but I sure do like how positive, hopeful and decent they are as people. I am a good bit older than Mr. Gates, but I tell you, I do admire how positive he is and how a boyish enthusiasm for technology and software still show in his face - I believe that would be there even if Microsoft had not become a success. I admire anyone who looks for the best in anything - especially when it is within themselves. I bet one day you'll do that for the most part, too. You'll smile a lot more and computers will be fun again - even when they tank a day's work. In the end no one will give a whit about what we do - they'll remember us for how we went about it.
This post was edited by lketchum on Wednesday, February 14, 2007 at 18:11.
|
#17 By 28801 (68.81.50.122) at 2/14/2007 5:51:11 PM
|
You know, there was a time, not that long ago, when Latch actually brought something to the table. We all enjoyed his endless bantering with Parker and sometimes, although rarely, he made some good points.
I liked the old Latch, who on occasion would provide thought provoking insight into the world of Linux losers and MS haters.
Maybe it's time he had a makeover. He can return as NotLatch
|
#18 By 15406 (216.191.227.68) at 2/15/2007 9:50:37 AM
|
#16: How can you see MS as a 'force for good', despite all of the problems, lawsuits, court cases, deceptive practices, grossly unethical business behaviour, stifling of competition, lack of innovation, theft of IP, etc that has happened over the past 30 years? And for all of Mr. Gates' supposed boyish enthusiasm etc, you should see some of his deposition videos. They show Gates' public face to be a construct. He is really a petulant, vindictive person and driven to succeed where success is measured by the failures of others. His private behaviour, and the behaviour of Microsoft by extension could be summed up as sociopathic. I see MS like the US as a nation; the people are inherently good, but the guys at the top are ruining it for everyone.
If you've posted anything negative about MS, be it about their software or business, I have never read it here. Every one of your posts looks like an MS marketing brochure.
#17: I get crustier in the cold weather.
|
#19 By 23275 (68.17.42.38) at 2/15/2007 11:13:41 AM
|
#18, Because I am old enough to remember how things were and spent decades living in other countries. I remember what the world and its economy were like before a common ecosystem supporting computer science and communications was like. I wasn't just an observer, my role was to figure out as many ways as possible to understand that and devise means that would protect the interests of a great many people [vague, I know, but that is as clear as the law will allow one to be]. I saw enough of Microsoft to know - really know, what they were and what they were not and from a perspective that I think a very few people would have had - then or now. I remember when they were really small fish - young execs calling to get paid. One of my closest colleagues now, used to fend off a calling Paul Allen - usual business stuff about payables. I remember when they didn't write conformant messaging systems and banging my head off of a desk in Munich - and later writing long technical memos that were distributed as guidance to Microsoft, but of course, many others. I remember their competition, too and how they acted and I can tell you straight up, Microsoft EARNED their opportunities and success - that is how competition works and it does work.
I don't know where we get this idea that businesses shouldn't compete - and when they do, some win and some lose. Just because Microsoft won some business cases, doesn't mean they can, or should stop competing. Success is a funny thing - it isn't always good and even a little of it results in a cascade of people doing their level best to take some of it from those that do succeed. Some people seem to think that leaders should do nothing - pursue complacency as a policy - that's not leadership and like it or not, not every decision made is going to have great results - that's the way of it - leaders and businesses do their best and that's as good as it gets. I don't just believe, I know, that Microsoft never intended to hurt anyone - and intent matters. On the contrary, the opposite was and is true. No one, especially Americans, like to be disliked - doesn't mean we get it right, but there is clear evidence of intent. As far as what I write here, it centers on trying to help other users of Microsoft software understand it and get the most from it - being a Microsoft centric site and very optimistic about people in general, it will, by intent, reflect as positive a tone as is possible. I could of course look at every fault and share that - anyone can, but what good would come of that - who would that help and what would it add, or accomplish? Nothing. It'd just be more noise and more reason to keep arguing - for what? about what? There is just too much good that can be done and too much fun to be had while doing it to go down that path.
|
#20 By 15406 (216.191.227.68) at 2/15/2007 12:37:43 PM
|
#19: MS in the 70's and 80's was a far different beast than it is today. Back then, MS was small, fast, hungry and adept. It had a great long-term vision and good ideas (not always new) in software design. But things changed. They realized that they didn't need to compete purely based on product anymore. Now it could leverage other tools to keep rivals at bay. This was the start of MS' path down the road to evil.
Of course businesses should compete. The difference is in the implementation. I've used this analogy before, but when you are at the grocery store, why do you not just walk to the head of the queue? It's certainly not illegal and it gets you what you want faster so why not? The obvious answer is that it's socially unacceptable and uncivil. I have no problem with MS competing based on merits on a level playing field. I DO have a problem with MS using lobbying tactics to get legislation to favour itself, using FUD to disparage rivals, using threats to keep partners in line, etc etc etc. There was a quote the other day that struck me as funny, and indicative of the MS mindset. Some MS product manager or spokesman was talking about competing with other vendors when he said that all MS wanted was a fair advantage. Perhaps MS has altered the meaning of various English words in my last sentence to suit itself, but to me fair means that there is no advantage given to anyone. To MS, 'fair' means it has an advantage over everyone else. It smacks of an entitlement mindset.
|
#21 By 3653 (68.52.143.149) at 2/15/2007 1:41:39 PM
|
latch, we know your mantra too well by now. Yeah, you love capitalists... just not SUCCESSFUL capitalists. As long as they are broke ass or lacking of all ambitions... then they are A-OK with you.
And btw, using descriptors like "evil" shows nothing short of immaturity in an otherwise mature conversation.
This post was edited by mooresa56 on Thursday, February 15, 2007 at 13:58.
|
#22 By 15406 (216.191.227.68) at 2/15/2007 2:03:04 PM
|
#21: Time to crack open your dictionary, mini-moore:
Evil:
1a: morally reprehensible : sinful, wicked
1b: arising from actual or imputed bad character or conduct
2a: (archaic) inferior
2b: causing discomfort or repulsion : offensive
2c: disagreeable
3a: causing harm : pernicious
3b: marked by misfortune : unlucky
Let's see... for MS, I would say that 1a, 1b and 3a certainly apply. Perhaps even 2a and 3b.
Thanks for playing!
|
#23 By 32132 (142.32.208.231) at 2/15/2007 5:46:31 PM
|
Latch's definition of EVIL:
Microsoft selling OEM copies of Windows to companies like Dell for 50$ -- who in return only charged customers about 50$ for Windows - making easier for people to buy cheaper PC's thereby selling more copies of Windows etc etc .... instead of making them pay retail.
|
#24 By 3653 (68.52.143.149) at 2/16/2007 5:03:05 PM
|
Providing good paying jobs to ~85,000 people ... Pure EVIL
|