The Register® — Biting the hand that feeds IT

Feeds

Microsoft rushes out emergency fix for critical Windows bug

Microsoft on Monday rushed out an emergency patch for a critical vulnerability that criminals are exploiting to install malware on all supported versions of the Windows operating system. As promised Friday, Microsoft released the update outside of its normal patching schedule because the vulnerability is being actively targeted …

This topic is closed for new posts.
Anonymous Coward
Linux

Goodbye winblows

I am so glad I am basically done with microsoft and windows ... all I use it for is games, the rest of all my work is in linux.

AndrueC
Thumb Down
Reply Icon

I'm so happy for you.

Content in your knowledge that nothing can hurt you ever again.

Or as other people might say "Muwahahahahahah".

Anonymous Coward
FAIL
Reply Icon

That's nice...

..I'll stick with Windows and it's availabilty of software and drivers.

There, that's the pointless statement balanced out.

Of course I'm sure you already know that Open Source software has 0 bugs and 0 vuls. That's why there have been 0 security updates for the likes of Linux & Firefox for the last 10 years. Correct?

Anonymous Coward
Anonymous Coward
Reply Icon

Well actually...

Open Source has plenty of bugs. And Linux may well be full of security holes, but since it's less popular than MS OS's, there are very few exploits doing the rounds. I'm sure if we all switched to Linux based machines, it'd only be a matter of time before we were back to our usual routine of patching holes every other day.

And as for your use of Firefox as an example, no, there hasn't been many security updates for it, but there have been plenty of bugs patched over the last few years.

Say all you want about IE, it may not display web content properly, or conform to any known standards, but at least it left the inflated memory usage to the operating system ;)

The BigYin
Reply Icon

@AC 10:45

"I'm sure if we all switched to Linux based machines, it'd only be a matter of time before we were back to our usual routine of patching holes every other day."

Very true. At least the repository system employed by many Linux distros would make that task much, much easier and there'd be no need to reboot the machine (well...rarely a need, kernel updates).

Seb123
FAIL
Reply Icon

Great!

Security by obscurity! Awesome.

As for firefox

http://www.mozilla.org/security/known-vulnerabilities/

I see quite a few there.

Steve McPolin
Alert

it was being used to attack SCADA .....

Isn't it a tad more accurate to say that MicroSoft was the attack on SCADA; and the inevitable repercussion was SCADA systems that are vulnerable to all manner of compromise... The SCADA suppliers shoulder the blame as well; but it is hard to believe that many companies would make the decision to switch platforms had the inherent design flaws of Windows been admitted.

Robert E A Harvey
FAIL
Reply Icon

quite

I've never understood the abandonment of proper real-time kernels, and OS's like OS9 wor Windows.

Nor do I understand naive connection of scada systems to the internet. Surely there should be some secure server/firewall/vpn destination as a cut-out?

Anonymous Coward
Anonymous Coward
Reply Icon

not on the nets

If i recall correctly those scada systems where actually pwnd by an infected USB stick rather that over the interwebs.

Anonymous Coward
Stop
Reply Icon

But...

... if they weren't on the net then how could they be pwnd? They might have been compromised but if they were isolated then there would be no way of getting data off them, or getting access to them to control them.

Alex Rose

What versions of Windows are affected

I've read this article, and followed links to 2 previous articles and the nearest I can find to useful information in any of them is that "even fully patched Windows 7 machines are vulnerable".

Does this mean that all Windows machinea from 2.0 onwards are affected? What about x64 versions?

Come on Reg, if you're going to report this stuff at least give us useful information. I look after systems running everything from 2000 onwards in all desktop and server flavours - throw me a bone here!

Peter Kay
Reply Icon

C'mon Alex, do your job..

You should be reading the security bulletins and using WSUS

- not expecting thereg to do everything.

In any case, as you really should know, anything earlier

than XP SP3 (which includes 2000) is now completely

unsupported.

stizzleswick
Coat

Er...

it was used to attack "systems that control sensitive equipment at power plants, gas refineries, and other other critical infrastructure" -- now what idiot would use Windows on any system connected to THAT?!?!

(Yes, I know, your nearest electricity company... *sigh* Another reason why admins should make software acquisition decisions, and not the fatheads up yonder where they don't even have the faintest idea what they're doing to us admins...)

Coat, beer, exit stage left...

Fraser
Reply Icon

Hmm...

The trouble with getting admins to choose which software to run is that Windows admins will always choose Windows, Linux admins will always choose Linux, AIX admins will always choose AIX etc. etc.

You need to have senior engineering/design staff who know all the systems in use in a company and all those available, they can then take appropriate advice from vendors, management, others experienced in the field and make an appropriate decision. Guess what? Sometimes the correct answer is Windows. SCADA can run happily on Windows, it's when it is connected to public networks or if removeable media is allowed, that this becomes a problem (the same with any other system running SCADA).

AndrueC
Thumb Down
Reply Icon

Silly them

I know that older versions of Windows used to specifically state in their T&C that they shouldn't be used for mission critical systems. I think they even mentioned nuclear facilities by name. Anyone know if that's changed recently?

As a casual user I can be blasé about such things but I would expect those operating critical plant would take things like that far more seriously. If MS continues to advise against mission critical use of Windows then it's the facility operators fault for inappropriate use of tools.

stizzleswick
Thumb Down
Reply Icon

@Fraser

So-labelled "Windows admins," "Linux admins," and so on are usually hired by the same imbeciles who soak up the relevant advertising talk-up by the respective suppliers.

There actually are simple, straight "admins" out there whose only aim is to run the rigs as best possible. If that means that, because of user preferences, the office workstations run Windows, so be it. More maintenance, but the better user relations usually make up for that. But on mission critical systems, the plain admins (myself included) will only install Windows (or any of several other security-impacted systems, including certain Linux and BSD distributions) if directly ordered to, and hand in their resignations during the process.

Online Mark
Stop

Admin equivalent rights

Where is this malware installed?

Presumably a PC would not be infected if users were not given administrator equivalent rights to the local system for day to day use?

AndrueC
Thumb Up
Reply Icon

Presumably

If so that would make Vista and Windows 7 fairly(*) secure out of the box. Until the user gets annoyed with the dialogs and some interweb commentard shows them how to disable UAC. Come to that it would mean XP could be made fairly safe but you have to be a bit of a masochist to run as a limited user on that OS :)

(*)Yeah I know - a poxy dialog with 'Yes'/'No' buttons isn't very secure. Having to enter a different user's credentials is better but tbh even I don't bother with that. Still - as long as Windows asks first that's a big improvement.

johnvile
Linux

What a mess.

I'm glad I live in Linux land. These Microsoft antics are giving me a headache, what a *****g mess.

Lost all faith...
FAIL
Reply Icon

What a mess.....

...so glad I live in Windows land.

http://www.linuxidx.com/linux.php?q=Linux+Kernel++Root+Exploit

No get over yourself.

LinkOfHyrule
Joke
Reply Icon

Double Agent here

I go both ways, I use Windows but use a lot Open Source software on it. I even have Ubuntu too. I'm Bi-OS!

I'm thinking of even posibly trying a bit of the old Apple too! So I guess that means i'll be into threesomes if I do! Yeah, I'm a computer slut! But apparently apple stuff if the best and I will be a better person if I use their stuff!

Can we just agree that all computers and all software are shit?

blackworx

For those who don't use WU

The x86 XP redistributable is here:

http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=12361875-b453-45e8-852b-90f2727894fd

Anonymous Coward
FAIL

@ Alex Rose

If you manage systems I would 'expect' you to look on the Technet article (like everyone else) that the reg posted, MS should be able to provide you with this information. In fact I just looked for you and yes it affects all supported versions or Windows.

Alex Rose
Reply Icon

Like everyone else?

Well, I've just called my Mum and she says she didn't look at it. So I guess that your claim that everyone else looked at this article is an "epic fail, n00b, lolz."

I read the technet post, my point was that the Reg could have outlined the affected sytems in their articles.

Now, if you're going to be an acerbic twat at least have the bollocks to do it without posting anonymously.

Stuart Castle
Reply Icon

Re: Like everyone else

"Well, I've just called my Mum and she says she didn't look at it. So I guess that your claim that everyone else looked at this article is an "epic fail, n00b, lolz."

I don't think he did claim that everyone else looked at the article. I think he claimed that he would have expected anyone involved in systems management to look at it, and the associate tech net page.

I would expect anyone involved in systems management on Windows to keep up to date with at least Microsoft Security reports. I would not expect anyone who isn't involved in systems management, and is not interested, to keep up to date.

So, unless your mum is a systems admin, I doubt she would have read the article.

James Ashton
Stop

Win2K Vulnerable?

So I guess this is the first known critical vulnerability for Windows 2000 that Microsoft won't release a public patch for. Time to upgrade people.

stizzleswick
Reply Icon

Re: Win2K Vulnerable

Time to throw out Windows, you mean. For good.

James Pickett
Gates Horns

Other applications

That reminds me - how’s Windows for Warships getting on? I don’t remember seeing any reports of unexpected sinkings, but then you wouldn’t, would you?

Anonymous Coward
Happy
Reply Icon

Aye

their being monitored a scada system.

Anonymous Coward
Anonymous Coward

RE: All Penguin fanbois

It annoys me all the silly comments from the Penguin lovers out there!

The steady stream of security patches for Windows is more to do with its market dominance, particularly in the home user area and the typical user base. Linux has enjoyed a good period of security by obscurity for a long time and is generally used by the more intelligent user, who is less likely to be compromised by falling for daft malware scams, where as Windows used by countless numpties in almost every home.

But as, and probably when, Linux really breaks into the mainstream market that Windows dominates in a big way that will change and there will no doubt be a steady stream of security patches for Linux too.

Chemist
Reply Icon

Re : RE: All Penguin fanbois

As many people have pointed out there is already a steady stream of updates/patches for Linux distros. The main difference is that they come out at any time as soon as a problem is fixed or a new version becomes available. The major distros can automatically update, if that's what you want, and because rebooting is not required (except for kernel upgrades) the only way a user will know is if the logs are read or an application notifies such as a Firefox upgrade page.

A superior system

Anonymous Coward
Anonymous Coward

Re RE: All Penguin Fanbois

Actually, as I read previous posts; all but two seemed to be Windows fans; the very first being overtly 'Linux rools and Window$ suck$' variety.

Perhaps the correct mode of reponse is 'let's try and produce this effect on Linux desktop icons' from all the Windows fans.

Yes. Linux does have security issues; my updater routinely updates a number each week. Perhaps MS could start a resarch project into Linux/Unix security failings and publish them, (with the evidence that Windows does not have the issues)?

Chemist
Thumb Down
Reply Icon

Re RE: All Penguin Fanbois

As I've previously posted

http://www.kb.cert.org/vuls/id/940193

"Microsoft Windows fails to safely obtain icons for shortcut files. When Windows displays Control Panel items, it will initialize each object for the purpose of providing *dynamic icon functionality*. This means that a Control Panel applet will execute code when the icon is displayed in Windows. Through use of a shortcut file, an attacker can specify a malicious DLL that is to be *processed within the context of the Windows Control Panel*, which will result in arbitrary code execution."

And no - as far as I'm aware there's no possibility that Linux desktop icons are susceptible to this sort of nonsense.

Daniel Voyce
FAIL

SCADA on Windows?

Why would any company trust their critical real time systems to a throw a six to start OS?

yomchi86
Paris Hilton

dear god

I would assume we are all professionals here, so here's an idea to chew on...

1) No matter what OS you're running - Someone will ALWAYS create a way of exploiting it

Hell, those pesky aliens in Indepandance day flew 50 million light years to have a computer virus installed on them by pesky humans lol....

*Paris - cos come on....she gotta be infected, exploited and more.

This topic is closed for new posts.