Microsoft is about to issue an emergency security update to plug a vulnerability which could allow an internet worm to be spread via a computer without the user doing anything. The update is rated as critical for users of Windows 2000, XP and Server 2003 and the less severe rating of "important" for users of Windows Server 2008 …
Without the user doing anything?
.... doesn't installing Windows count then?
Re: doesn't installing Windows count then?
No, it doesn't, because most users don't install Windows themselves. But maybe "buying HW with Windows pre-installed" should count as a user action.
I make that teatime across Europe, peak traffic and a roll-out from MS on top.
Here we go again
Windows: unsafe at any speed.
@Without the user doing anything
It's M'shaft's latest auto installer - just switch on any computer with a blank hard drive and it is automatically infected.
@Without the user doing anything?
How many users actually do this themselves?
I must rush home immediately after work and get this installed as quickly as possible!
Oh, wait.... I'm running Ubuntu so I've nothing to worry about at all.
Mine's the one with no critical holes in it...
Here come the penguins...
... and don your flameproof gear.
A Patch in Time
You've got to feel a bit sorry for Microsoft. They respond quickly to a very nasty exploit and are slagged off for it.
If they did nothing or denied that there was a problem (like Adobe or Apple) they would be slagged off for it.
Call me pedantic but...
Microsoft's Patch Tuesday is the 2nd Tuesday of the month, however that is not necessarily the 2nd week of the month. If the 1st of the month is on a Wednesday, then the 1st Tuesday will be the following week, i.e. the 2nd week of the month, and Patch Tuesday will be the 3rd week of the month.
Sorry for being so pedantic.
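As an added example (not from the original thread or any poster), the "second Tuesday is not always the second week" point above, worked out in code: find Patch Tuesday for a month, the next one on or after a given date, and the calendar week of the month it falls in (weeks taken Monday to Sunday, week 1 being the week containing the 1st, which is an assumption I make for the sake of the calculation).

```python
from datetime import date, timedelta

TUESDAY = 1  # date.weekday(): Monday = 0, Tuesday = 1


def patch_tuesday(year: int, month: int) -> date:
    """Second Tuesday of the given month."""
    first = date(year, month, 1)
    first_tuesday = first + timedelta(days=(TUESDAY - first.weekday()) % 7)
    return first_tuesday + timedelta(days=7)


def week_of_month(d: date) -> int:
    """Calendar week (Monday-based) within d's month; week 1 contains the 1st."""
    first = d.replace(day=1)
    monday_of_week_one = first - timedelta(days=first.weekday())
    return (d - monday_of_week_one).days // 7 + 1


def next_patch_tuesday(today: date) -> date:
    """First Patch Tuesday on or after `today` (useful for planning a patch window)."""
    candidate = patch_tuesday(today.year, today.month)
    if candidate >= today:
        return candidate
    year, month = (today.year + 1, 1) if today.month == 12 else (today.year, today.month + 1)
    return patch_tuesday(year, month)


if __name__ == "__main__":
    # October 2008 starts on a Wednesday, the case the comment describes:
    # Patch Tuesday is the 14th, which sits in the third calendar week.
    for y, m in ((2008, 10), (2008, 1)):
        pt = patch_tuesday(y, m)
        print(f"{y}-{m:02d}: Patch Tuesday {pt}, week {week_of_month(pt)} of the month")
    print("next after 2008-10-23:", next_patch_tuesday(date(2008, 10, 23)))
```

For October 2008 (1st on a Wednesday) this gives the 14th in week 3; for January 2008 (1st on a Tuesday) it gives the 8th in week 2, matching the comment's reasoning.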
Mine's the one with me getting my coat and going to the pub instead of being in the office on a Thursday night downloading patches for Microsoft's flawed operating systems.
"I make that teatime across Europe, peak traffic and a roll-out from MS on top"
America are behind us, so I make it the middle of the night for us.
That's right there have never, ever been any holes in "Ubuntu", in fact Linux has never had anything wrong with it, it's perfect, nope not one flaw EVER...
Get over it and go do your homework, otherwise your mum will ground you as your grades slip....
All OSes have holes in them, but feel free to believe the bullshit your mates tell you...
Paris, because....oh best stop there....
@ Aortic Aneurysm
"America are behind us, so I make it the middle fo[sic] the night for us."
The article clearly says 10.00am Pacific Time (6pm BST). You're not trying to be pedantic enough.
Re: A Patch in Time
I agree. I would much rather Microsoft give us a fix rather than, well, not giving us a fix.
I often think that people slag off Microsoft for the sake of slagging off Microsoft.
Flame-proof jacket: On
Hang on a second, play fair..
I have to agree with Slartybardfast - at least they acknowledge it and fix it straight away. I'm not sure anyone can possibly think that any software written by humans will be error free.
10.00am Pacific Time (6pm BST).
6pm BST (British Summer Time) so that will be 6pm in the UK and 7pm across most of Europe, so Sam is correct.
Too busy trying to flame you missed the article
The patch is scheduled for 10.00am Pacific Time (6pm BST).
The reason for the emergency out-of-sequence patch
it's an emergency patch for CVE-2006-2094, here's the link:
Agreed, this is playing fair.
Seems even Microsoft do it sometimes.
If I was feeling generous I'd say they'd learned their lesson after the ssl exploit where all other browsers had a patch out in hours and they had a press release the following day playing down the severity. Sadly I doubt they've learned much.
No reason for the icon except it is actually 16:59 by my work clock and that's almost coat-time.
if ONE more person emails me to say "wow - how do you know so early?" - sheesh. It was a joke above -JOKE- , check out the smiley.
They haven't even bothered to patch that 2006 exploit yet
Trusted Computing eh?
I'd rather have everyone on the same Debian SSH key than this haha < note that this is also a joke. Except, now I think about it, it's still more preferable!
aha windows flaming post
ahh i love it
how can any windows lover back up their so fortunate OS now lol
Bin it and save yourself lots of aggro and money,
and maybe once you have binned it your brains can open and work out what is behind all those GUIs.
Pfft. Windows is only for amateurs, not serious computer users.
No-one cares about writing exploits for Linux, in the same way that chop shops don't do a brisk trade in unicycle parts. Penguin fans, go get some market share, then you can point all the fingers not currently plugged in your orifices.
Anyone have a CVE for this or technical information about it?
It's not for CVE-2006-2094
I guess Gordon Slater was making a joke about it being an emergency patch for CVE-2006-2094 from 2006 but this patch doesn't seem to have anything to do with that.
Someone seeing his reply and not realising it's a joke might think the problem is to do with IE and not bother installing the patch because they don't use IE.
In fact, the problem seems to be in the RPC service and browser choice won't matter.
Read the numbers and weep
For those that complacently sit back and assume that their non-MS OS of choice is inherently safer and more secure than Microsoft's offerings, you should educate yourselves about the facts before spouting off in public.
"For January through March of 2008, Mac OS X users experienced the highest number of vulnerabilities as well as the highest number of High severity vulnerabilities while Windows Vista users experienced the fewest and the fewest High severity vulnerabilities."
NO operating system / application / software / user is immune from hackers and malware, and to assume otherwise is just plain stupid.
Microsoft, and any other vendor for that matter, should be commended for releasing well-tested fixes for important vulnerabilities. But they DEFINITELY deserve commendation for offering a webcast explaining the vulnerability and the fix - how often do YOUR platform/app vendors do THAT for YOU?
Wot? Vista too?
Once again we discover that Vista is bug compatible with earlier releases of Windows.
Exactly how much of Vista is actually new code?
"I'm not sure anyone can possibly think that any software written by humans will be error free."
Well, yeees ... but who took the decision to have a Remote Procedure Call server permanently running in their OS.
RPC is *designed* to let other machines run code on your machine, and Windows doesn't let you turn it off because a second genius decided to use it for basic windows functions (ie. using the "remote" functions to run code on the same machine as itself).
Question: What's better?
a) Depending on RPC to be 100% bug free
b) Not having RPC enabled (except on fancy server farms which actually need it).
Bottom line, yes, blame Microsoft. Things like RPC, UPnP and ActiveX are broken by design.
Worse than that, people told them what would happen in the design phase but they went ahead and did it anyway because it made things like file sharing easier to configure if you leave all the machines wide open to network activity.
WGA lock-down is worse
Microsoft knows what they are doing.
I bet this hole was used for WGA to knock out unlicensed versions of Windows XP.
Re: previous poster, I believe you mean this page:
Seems to be CVE-2008-4250
although as I write this the CVE entry is just a placeholder. Quite why Gordon posted a link to a 2006 CVE bulletin... anyway, could happen to anyone.
The actual MS update, MS08-067, says "A remote code execution vulnerability exists in the Server service on Windows systems. The vulnerability is due to the service not properly handling specially crafted RPC requests".
The bulletin also says that Server 2008 and Vista users are less vulnerable because on those OSes "the vulnerable code path is only accessible to authenticated users". It adds "To prevent this vulnerability, add a rule that blocks all RPC requests with the UUID equal to 4b324fc8-1670-01d3-1278-5a47bf6ee188."
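The workaround quoted above blocks RPC traffic by interface UUID, so the practical question for a filter or IDS is how to read that UUID out of a DCERPC bind. The following is an added example, written by me rather than taken from the thread or from Microsoft's bulletin: a small parser for the bind / alter_context PDU that lists the interface UUIDs a client asks for and flags the Server service interface (the UUID from the bulletin). The `build_bind` helper constructs sample PDUs so the code runs offline; the field layout follows the DCE/RPC connection-oriented PDU format, and the NDR transfer-syntax UUID and the version number 3.0 used in the sample are my own choices for the constructed input.

```python
import struct
import uuid

# Interface UUID named in the MS08-067 workaround (Server service, srvsvc).
SRVSVC_UUID = uuid.UUID("4b324fc8-1670-01d3-1278-5a47bf6ee188")
# Standard NDR transfer syntax, used here only to build constructed samples.
NDR_UUID = uuid.UUID("8a885d04-1ceb-11c9-9fe8-08002b104860")

PTYPE_BIND = 11
PTYPE_ALTER_CONTEXT = 14
HEADER_LEN = 16          # common connection-oriented PDU header


def parse_bind_interfaces(pdu: bytes):
    """Return [(interface_uuid, major, minor), ...] for each presentation
    context in a bind or alter_context PDU; [] for any other PDU type.
    Raises ValueError when the buffer is shorter than its own length fields claim."""
    if len(pdu) < HEADER_LEN:
        raise ValueError("truncated DCERPC header")
    rpc_vers, ptype, drep0 = pdu[0], pdu[2], pdu[4]
    if rpc_vers != 5 or ptype not in (PTYPE_BIND, PTYPE_ALTER_CONTEXT):
        return []
    end = "<" if drep0 & 0x10 else ">"        # data representation: bit 4 set = little-endian
    (frag_len,) = struct.unpack_from(end + "H", pdu, 8)
    if frag_len > len(pdu) or frag_len < HEADER_LEN + 12:
        raise ValueError("frag_length inconsistent with buffer")
    # bind body: max_xmit(2) max_recv(2) assoc_group(4) num_ctx(1) reserved(3)
    num_ctx = pdu[HEADER_LEN + 8]
    off = HEADER_LEN + 12
    contexts = []
    for _ in range(num_ctx):
        if off + 24 > frag_len:
            raise ValueError("truncated presentation context")
        n_trans = pdu[off + 2]                 # number of transfer syntaxes that follow
        raw_uuid = pdu[off + 4:off + 20]
        (if_version,) = struct.unpack_from(end + "I", pdu, off + 20)
        iface = uuid.UUID(bytes_le=raw_uuid) if end == "<" else uuid.UUID(bytes=raw_uuid)
        contexts.append((iface, if_version & 0xFFFF, if_version >> 16))
        off += 24 + 20 * n_trans               # skip the transfer-syntax list (20 bytes each)
        if off > frag_len:
            raise ValueError("truncated transfer syntax list")
    return contexts


def is_srvsvc_bind(pdu: bytes) -> bool:
    """True if the bind asks for the Server service interface named in the workaround."""
    return any(iface == SRVSVC_UUID for iface, _, _ in parse_bind_interfaces(pdu))


def build_bind(interface: uuid.UUID, major: int, minor: int, call_id: int = 1) -> bytes:
    """Constructed sample: minimal single-context, little-endian bind PDU."""
    ctx = (struct.pack("<HBB", 0, 1, 0)                      # context id, 1 transfer syntax, pad
           + interface.bytes_le + struct.pack("<I", major | (minor << 16))
           + NDR_UUID.bytes_le + struct.pack("<I", 2))        # NDR transfer syntax v2
    body = struct.pack("<HHIBBH", 4280, 4280, 0, 1, 0, 0) + ctx
    header = struct.pack("<BBBBBBBBHHI", 5, 0, PTYPE_BIND, 0x03, 0x10, 0, 0, 0,
                         HEADER_LEN + len(body), 0, call_id)
    return header + body


if __name__ == "__main__":
    samples = (("srvsvc", build_bind(SRVSVC_UUID, 3, 0)),
               ("other", build_bind(NDR_UUID, 1, 0)))
    for name, pdu in samples:
        verdict = "block" if is_srvsvc_bind(pdu) else "allow"
        print(name, parse_bind_interfaces(pdu), verdict)
```

Two caveats a practitioner would keep in mind: the Server service is usually reached over SMB named pipes, where the bind PDU sits inside an SMB transaction rather than directly on TCP, so a real filter has to unwrap that layer first; and blocking the srvsvc interface blocks legitimate Server-service traffic (share enumeration and the like) along with the bad requests, which is why the bulletin offers it as a workaround rather than a fix.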
Another buffer overflow, maybe? Another one down, and a few thousand more to go.
Are you seriously suggesting that some of the people who comment here don't know exactly what they are talking about and are out to score cheap points, in order to make themselves look better?
This place is exclusively commented by serious IT professionals, we're all above that sort of thing. Aren't we?
Your irony sensor is faulty.
Am I missing something...?
What's so urgent about a fix for a flaw discovered in APRIL, TWO THOUSAND AND SIX?
Well, it's arrived here
Downloaded and (annoyingly) rebooted the PC while I was getting my tea (Chicken portions and rice).
Well, let's be honest - Microsoft here have discovered a flaw and fixed it pretty quickly, and people still attack them... for fixing a bug. As Slartybardfast said, people would have flamed Microsoft here whether they had fixed it or not.
Microsoft are far from perfect - but I think this was a good move, and they've got the fix out pretty quickly. Personally, I find it hard to negatively criticise Microsoft here.
Linux has no critical holes??
It makes me laugh that everyone who hates Windows claims that Linux has no critical holes in it. Like all large pieces of software it will; these, however, aren't found, as users don't use it, therefore the bad guys don't target it (as what's the point of stealing geeks' identities??), therefore they remain dormant.
As soon as (i.e. never) the ordinary man in the street uses Linux, all these hackers will target it and we will be flooded with critical patches for all these holes.
I use windows and linux, BTW.
To all those doubting linux
Look here, all the Linux haters, all those non-serious multi-booters and the likes of Vincent etc.
Microsoft gets attacked for a few reasons; here they are:
1. They develop code with a copyright tag and do not allow the general public to view/comment/expand on their code. [Linux is open source and if anything should be getting exploited more than any other OS due to this factor]
2. They develop duff code by taking code from the 1980s and adding new colour to it, and want to charge the general public licence money for this per year. [No wonder they get attacked]
3. They keep changing the standard so people have to go and spend money on their stupid licences; look at OpenOffice and Microsoft Office.
With all these 3 in mind, do you not wonder why it is they get attacked? lol
This I hope explains to you all why MS is shit and will be dead in the next 10 years.