Microsoft on Monday rushed out an emergency patch for a critical vulnerability that criminals are exploiting to install malware on all supported versions of the Windows operating system. As promised Friday, Microsoft released the update outside of its normal patching schedule because the vulnerability is being actively targeted …
I am so glad I am basically done with Microsoft and Windows ... all I use it for is games, the rest of all my work is in Linux.
I'm so happy for you.
Content in your knowledge that nothing can hurt you ever again.
Or as other people might say "Muwahahahahahah".
..I'll stick with Windows and its availability of software and drivers.
There, that's the pointless statement balanced out.
Of course I'm sure you already know that Open Source software has 0 bugs and 0 vuls. That's why there have been 0 security updates for the likes of Linux & Firefox for the last 10 years. Correct?
Open Source has plenty of bugs. And Linux may well be full of security holes, but since it's less popular than MS OS's, there are very few exploits doing the rounds. I'm sure if we all switched to Linux based machines, it'd only be a matter of time before we were back to our usual routine of patching holes every other day.
And as for your use of Firefox as an example, no, there haven't been many security updates for it, but there have been plenty of bugs patched over the last few years.
Say all you want about IE, it may not display web content properly, or conform to any known standards, but at least it left the inflated memory usage to the operating system ;)
"I'm sure if we all switched to Linux based machines, it'd only be a matter of time before we were back to our usual routine of patching holes every other day."
Very true. At least the repository system employed by many Linux distros would make that task much, much easier and there'd be no need to reboot the machine (well...rarely a need, kernel updates).
Security by obscurity! Awesome.
As for firefox
I see quite a few there.
it was being used to attack SCADA .....
Isn't it a tad more accurate to say that Microsoft was the attack on SCADA; and the inevitable repercussion was SCADA systems that are vulnerable to all manner of compromise... The SCADA suppliers shoulder the blame as well; but it is hard to believe that many companies would make the decision to switch platforms had the inherent design flaws of Windows been admitted.
I've never understood the abandonment of proper real-time kernels, and OS's like OS9 for Windows.
Nor do I understand naive connection of scada systems to the internet. Surely there should be some secure server/firewall/vpn destination as a cut-out?
not on the nets
If I recall correctly those SCADA systems were actually pwnd by an infected USB stick rather than over the interwebs.
... if they weren't on the net then how could they be pwnd? They might have been compromised but if they were isolated then there would be no way of getting data off them, or getting access to them to control them.
What versions of Windows are affected
I've read this article, and followed links to 2 previous articles and the nearest I can find to useful information in any of them is that "even fully patched Windows 7 machines are vulnerable".
Does this mean that all Windows machines from 2.0 onwards are affected? What about x64 versions?
Come on Reg, if you're going to report this stuff at least give us useful information. I look after systems running everything from 2000 onwards in all desktop and server flavours - throw me a bone here!
C'mon Alex, do your job..
You should be reading the security bulletins and using WSUS
- not expecting thereg to do everything.
In any case, as you really should know, anything earlier
than XP SP3 (which includes 2000) is now completely
it was used to attack "systems that control sensitive equipment at power plants, gas refineries, and other critical infrastructure" -- now what idiot would use Windows on any system connected to THAT?!?!
(Yes, I know, your nearest electricity company... *sigh* Another reason why admins should make software acquisition decisions, and not the fatheads up yonder where they don't even have the faintest idea what they're doing to us admins...)
Coat, beer, exit stage left...
The trouble with getting admins to choose which software to run is that Windows admins will always choose Windows, Linux admins will always choose Linux, AIX admins will always choose AIX etc. etc.
You need to have senior engineering/design staff who know all the systems in use in a company and all those available, they can then take appropriate advice from vendors, management, others experienced in the field and make an appropriate decision. Guess what? Sometimes the correct answer is Windows. SCADA can run happily on Windows, it's when it is connected to public networks or if removable media is allowed, that this becomes a problem (the same with any other system running SCADA).
I know that older versions of Windows used to specifically state in their T&C that they shouldn't be used for mission critical systems. I think they even mentioned nuclear facilities by name. Anyone know if that's changed recently?
As a casual user I can be blasé about such things but I would expect those operating critical plant would take things like that far more seriously. If MS continues to advise against mission critical use of Windows then it's the facility operator's fault for inappropriate use of tools.
So-labelled "Windows admins," "Linux admins," and so on are usually hired by the same imbeciles who soak up the relevant advertising talk-up by the respective suppliers.
There actually are simple, straight "admins" out there whose only aim is to run the rigs as best possible. If that means that, because of user preferences, the office workstations run Windows, so be it. More maintenance, but the better user relations usually make up for that. But on mission critical systems, the plain admins (myself included) will only install Windows (or any of several other security-impacted systems, including certain Linux and BSD distributions) if directly ordered to, and hand in their resignations during the process.
Admin equivalent rights
Where is this malware installed?
Presumably a PC would not be infected if users were not given administrator equivalent rights to the local system for day to day use?
If so that would make Vista and Windows 7 fairly(*) secure out of the box. Until the user gets annoyed with the dialogs and some interweb commentard shows them how to disable UAC. Come to that it would mean XP could be made fairly safe but you have to be a bit of a masochist to run as a limited user on that OS :)
(*)Yeah I know - a poxy dialog with 'Yes'/'No' buttons isn't very secure. Having to enter a different user's credentials is better but tbh even I don't bother with that. Still - as long as Windows asks first that's a big improvement.
What a mess.
I'm glad I live in Linux land. These Microsoft antics are giving me a headache, what a *****g mess.
What a mess.....
...so glad I live in Windows land.
No get over yourself.
Double Agent here
I go both ways, I use Windows but use a lot of Open Source software on it. I even have Ubuntu too. I'm Bi-OS!
I'm thinking of even possibly trying a bit of the old Apple too! So I guess that means I'll be into threesomes if I do! Yeah, I'm a computer slut! But apparently Apple stuff is the best and I will be a better person if I use their stuff!
Can we just agree that all computers and all software are shit?
For those who don't use WU
The x86 XP redistributable is here:
@ Alex Rose
If you manage systems I would 'expect' you to look on the Technet article (like everyone else) that the reg posted, MS should be able to provide you with this information. In fact I just looked for you and yes it affects all supported versions of Windows.
Like everyone else?
Well, I've just called my Mum and she says she didn't look at it. So I guess that your claim that everyone else looked at this article is an "epic fail, n00b, lolz."
I read the technet post, my point was that the Reg could have outlined the affected systems in their articles.
Now, if you're going to be an acerbic twat at least have the bollocks to do it without posting anonymously.
Re: Like everyone else
"Well, I've just called my Mum and she says she didn't look at it. So I guess that your claim that everyone else looked at this article is an "epic fail, n00b, lolz.""
I don't think he did claim that everyone else looked at the article. I think he claimed that he would have expected anyone involved in systems management to look at it, and the associated tech net page.
I would expect anyone involved in systems management on Windows to keep up to date with at least Microsoft Security reports. I would not expect anyone who isn't involved in systems management, and is not interested, to keep up to date.
So, unless your mum is a systems admin, I doubt she would have read the article.
So I guess this is the first known critical vulnerability for Windows 2000 that Microsoft won't release a public patch for. Time to upgrade people.
Re: Win2K Vulnerable
Time to throw out Windows, you mean. For good.
That reminds me - how’s Windows for Warships getting on? I don’t remember seeing any reports of unexpected sinkings, but then you wouldn’t, would you?
their being monitored a scada system.
RE: All Penguin fanbois
It annoys me all the silly comments from the Penguin lovers out there!
The steady stream of security patches for Windows is more to do with its market dominance, particularly in the home user area and the typical user base. Linux has enjoyed a good period of security by obscurity for a long time and is generally used by the more intelligent user, who is less likely to be compromised by falling for daft malware scams, whereas Windows is used by countless numpties in almost every home.
But as, and probably when, Linux really breaks into the mainstream market that Windows dominates in a big way that will change and there will no doubt be a steady stream of security patches for Linux too.
Re : RE: All Penguin fanbois
As many people have pointed out there is already a steady stream of updates/patches for Linux distros. The main difference is that they come out at any time as soon as a problem is fixed or a new version becomes available. The major distros can automatically update, if that's what you want, and because rebooting is not required (except for kernel upgrades) the only way a user will know is if the logs are read or an application notifies such as a Firefox upgrade page.
A superior system
Re RE: All Penguin Fanbois
Actually, as I read previous posts; all but two seemed to be Windows fans; the very first being overtly 'Linux rools and Window$ suck$' variety.
Perhaps the correct mode of response is 'let's try and produce this effect on Linux desktop icons' from all the Windows fans.
Yes. Linux does have security issues; my updater routinely updates a number each week. Perhaps MS could start a research project into Linux/Unix security failings and publish them, (with the evidence that Windows does not have the issues)?
Re RE: All Penguin Fanbois
As I've previously posted
"Microsoft Windows fails to safely obtain icons for shortcut files. When Windows displays Control Panel items, it will initialize each object for the purpose of providing *dynamic icon functionality*. This means that a Control Panel applet will execute code when the icon is displayed in Windows. Through use of a shortcut file, an attacker can specify a malicious DLL that is to be *processed within the context of the Windows Control Panel*, which will result in arbitrary code execution."
And no - as far as I'm aware there's no possibility that Linux desktop icons are susceptible to this sort of nonsense.
SCADA on Windows?
Why would any company trust their critical real time systems to a throw a six to start OS?
I would assume we are all professionals here, so here's an idea to chew on...
1) No matter what OS you're running - Someone will ALWAYS create a way of exploiting it
Hell, those pesky aliens in Independence Day flew 50 million light years to have a computer virus installed on them by pesky humans lol....
*Paris - cos come on....she gotta be infected, exploited and more.