Microsoft rushes out emergency Windows update

Microsoft is about to issue an emergency security update to plug a vulnerability which could allow an internet worm to be spread via a computer without the user doing anything. The update is rated as critical for users of Windows 2000, XP and Server 2003 and the less severe rating of "important" for users of Windows Server …

COMMENTS

This topic is closed for new posts.
  1. Anonymous Coward
    Joke

    Without the user doing anything?

    .... doesn't installing Windows count then?

  2. Winston Smith
    Gates Horns

    Re: doesn't installing Windows count then?

    No, it doesn't, because most users don't install Windows themselves. But maybe "buying HW with Windows pre-installed" should count as a user action.

  3. Sam
    Unhappy

    Nice going

    I make that teatime across Europe, peak traffic and a roll-out from MS on top.

  4. IGnatius T Foobar

    Here we go again

    Windows: unsafe at any speed.

  5. Anonymous Coward
    Black Helicopters

    @Without the user doing anything

    It's M'shaft's latest auto installer - just switch on any computer with a blank hard drive and it is automatically infected.

  6. Anonymous Coward
    Anonymous Coward

    @Without the user doing anything?

    How many users actually do this themselves?

  7. Ed
    Coat

    OH MY GOD!

    I must rush home immediately after work and get this installed as quickly as possible!

    Oh, wait.... I'm running Ubuntu so I've nothing to worry about at all.

    Mine's the one with no critical holes in it...

  8. TimM
    Alert

    Here come the penguins...

    ... and don your flameproof gear.

  9. Slartybardfast
    Thumb Up

    A Patch in Time

    You've got to feel a bit sorry for Microsoft. They respond quickly to a very nasty exploit and are slagged off for it.

    If they did nothing or denied that there was a problem (like Adobe or Apple) they would be slagged off for it.

    Ho Hum...

  10. Anonymous Coward
    Coat

    Call me pedantic but...

    Microsoft's Patch Tuesday is the 2nd Tuesday of the month, however that is not necessarily the 2nd week of the month. If the 1st of the month is on a Wednesday, then the 1st Tuesday will be the following week, i.e. the 2nd week of the month, and Patch Tuesday will be the 3rd week of the month.

    Sorry for being so pedantic.

    Mine's the one with me getting my coat and going to the pub instead of being in the office on a Thursday night downloading patches for Microsoft's flawed operating systems.

  11. Aortic Aneurysm

    @Sam

    "I make that teatime across Europe, peak traffic and a roll-out from MS on top"

    America are behind us, so I make it the middle fo the night for us.

  12. Anonymous Coward
    Paris Hilton

    @Ed

    That's right there have never, ever been any holes in "Ubuntu", in fact Linux has never had anything wrong with it, it's perfect, nope not one flaw EVER...

    Get over it and go do your homework, otherwise your mum will ground you as your grades slip....

    All O/S's have holes in them, but feel free to believe the bullshit your mates tell you...

    Paris, because....oh best stop there....

  13. Anonymous Bastard
    Boffin

    @ Aortic Aneurysm

    "America are behind us, so I make it the middle fo[sic] the night for us."

    The article clearly says 10.00am Pacific Time (6pm BST). You're not trying to be pedantic enough.

  14. Vincent
    Coat

    Re: A Patch in Time

    I agree. I would much rather Microsoft give us a fix rather than, well, not giving us a fix.

    I often think that people slag off Microsoft for the sake of slagging off Microsoft.

    Flame-proof jacket: On

  15. Mike
    Thumb Up

    Hang on a second, play fair..

    I have to agree with Slartybardfast - at least they acknowledge it and fix it straight away. I'm not sure anyone can possibly think that any software written by humans will be error free.

  16. Anonymous Coward
    Anonymous Coward

    @Aortic Aneurysm

    10.00am Pacific Time (6pm BST).

    6pm BST (British Summer Time) so that will be 6pm in the UK and 7pm across most of Europe, so Sam is correct.

  17. Chris iverson
    Alert

    Too busy trying to flame, you missed the article

    The patch is scheduled for 10.00am Pacific Time (6pm BST).

  18. Gordon Slater
    Jobs Horns

    The reason for the emergency out-of-sequence patch

    it's an emergency patch for CVE-2006-2094, here's the link:

    http://www.frsirt.com/english/Reference-CVE-2006-2094.php

    ;)

  19. Anonymous Coward
    Coat

    Agreed, this is playing fair.

    Seems even Microsoft do it sometimes.

    If I was feeling generous I'd say they'd learned their lesson after the ssl exploit where all other browsers had a patch out in hours and they had a press release the following day playing down the severity. Sadly I doubt they've learned much.

    No reason for the icon except it is actually 16:59 by my work clock and that's almost coat-time.

  20. Gordon Slater

    CVE-2006-xxxx

    if ONE more person emails me to say "wow - how do you know so early?" - sheesh. It was a joke above -JOKE- , check out the smiley.

    They haven't even bothered to patch that 2006 exploit yet

    Trusted Computing eh?

    I'd rather have everyone on the same Debian ssh key than this haha < note that this is also a joke. except, now I think about it, it's still more preferable!

  21. Anonymous Coward
    Happy

    aha windows flaming post

    ahh i love it

    how can any windows lover back up their so fortunate OS now lol

    Bin it and save yourself lots of agro and money

    and maybe once you have binned it your brains can open and work out what is behind all those GUI's

    pfft. windows is only for amateurs not serious computer users.

  22. Peter Jones

    Waaah, Linux

    No-one cares about writing exploits for Linux, in the same way that chop shops don't do a brisk trade in unicycle parts. Penguin fans, go get some market share, then you can point all the fingers not currently plugged in your orifices.

  23. Coalescence

    CVE?

    Anyone have a CVE for this or technical information about it?

  24. Leo Davidson

    It's not for CVE-2006-2094

    I guess Gordon Slater was making a joke about it being an emergency patch for CVE-2006-2094 from 2006 but this patch doesn't seem to have anything to do with that.

    Someone seeing his reply and not realising it's a joke might think the problem is to do with IE and not bother installing the patch because they don't use IE.

    In fact, the problem seems to be in the RPC service and browser choice won't matter.

  25. Rich Turner
    Pirate

    Read the numbers and weep

    For those that complacently sit back and assume that their non-MS OS of choice is inherently safer and more secure than Microsoft's offerings, you should educate yourselves about the facts before spouting off in public.

    http://blogs.technet.com/security/archive/2008/05/15/q1-2008-client-os-vulnerability-scorecard.aspx

    "For January through March of 2008, Mac OS X users experienced the highest number of vulnerabilities as well as the highest number of High severity vulnerabilities while Windows Vista users experienced the fewest and the fewest High severity vulnerabilities."

    NO operating system / application / software / user is immune from hackers and malware and to assume otherwise is just plain stupid.

    Microsoft, and any other vendor for that matter, should be commended for releasing well-tested fixes for important vulnerabilities. But they DEFINITELY deserve commendation for offering a webcast explaining the vulnerability and the fix - how often do YOUR platform/app vendors do THAT for YOU?

  26. Nomen Publicus
    Jobs Horns

    Wot? Vista too?

    Once again we discover that Vista is bug compatible with earlier releases of Windows.

    Exactly how much of Vista is actually new code?

  27. John Stag

    Re: Mike

    "I'm not sure anyone can possibly think that any software written by humans will be error free."

    Well, yeees ... but who took the decision to have a Remote Procedure Call server permanently running in their OS.

    RPC is *designed* to let other machines run code on your machine, and Windows doesn't let you turn it off because a second genius decided to use it for basic windows functions (ie. using the "remote" functions to run code on the same machine as itself).

    Question: What's better?

    a) Depending on RPC to be 100% bug free

    b) Not having RPC enabled (except on fancy server farms which actually need it).

    Bottom line, yes, blame Microsoft. Things like RPC, UPnP and ActiveX are broken by design.

    Worse than that, people told them what would happen in the design phase but they went ahead and did it anyway because it made things like file sharing easier to configure if you leave all the machines wide open to network activity.

  28. Jodo Kast
    Pirate

    WGA lock-down is worse

    Microsoft knows what they are doing.

    I bet this hole was used for WGA to knock out unlicensed versions of Windows XP.

    Re: previous poster, I believe you mean this page:

    http://www.frsirt.com/english/advisories/2006/1559

  29. Anonymous Coward
    Gates Halo

    Seems to be CVE-2008-4250

    although as I write this the CVE entry is just a placeholder. Quite why Gordon posted a link to a 2006 CVE bulletin... anyway, could happen to anyone.

    The actual MS update, MS08-067, says "A remote code execution vulnerability exists in the Server service on Windows systems. The vulnerability is due to the service not properly handling specially crafted RPC requests".

    Source: http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx

    The bulletin also says that Server 2008 and Vista users are less vulnerable because on those OSes "the vulnerable code path is only accessible to authenticated users". It adds "To prevent this vulnerability, add a rule that blocks all RPC requests with the UUID equal to 4b324fc8-1670-01d3-1278-5a47bf6ee188."

    Another buffer overflow, maybe? Another one down, and a few thousand more to go.
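As an added, defensive example (not code from the thread or from Microsoft's bulletin): a small Python parser that pulls the interface UUIDs out of a DCE/RPC bind request and flags a bind to the Server service interface UUID quoted above, which is the check an IDS or firewall rule implementing that workaround has to make. The `build_bind` helper is an assumption of this example and only constructs sample bind PDUs so the check can be exercised offline.

```python
import struct
import uuid

# Server service interface UUID quoted in the MS08-067 workaround on the page
SRVSVC_UUID = "4b324fc8-1670-01d3-1278-5a47bf6ee188"
BLOCKED_INTERFACE_UUIDS = {uuid.UUID(SRVSVC_UUID)}
NDR_SYNTAX = uuid.UUID("8a885d04-1ceb-11c9-9fe8-08002b104860")  # NDR transfer syntax
DCERPC_BIND = 11  # packet type of a bind request


def bind_interface_uuids(pdu):
    """Return the interface (abstract syntax) UUIDs requested by a DCE/RPC bind PDU.
    Raises ValueError for anything that is not a complete v5 bind PDU."""
    if len(pdu) < 28:
        raise ValueError("truncated PDU header")
    major, _minor, ptype, _flags = struct.unpack_from("<4B", pdu, 0)
    if major != 5 or ptype != DCERPC_BIND:
        raise ValueError("not a DCE/RPC v5 bind PDU")
    little = (pdu[4] & 0xF0) == 0x10  # high nibble of the data representation byte
    num_ctx = pdu[24]  # follows max_xmit, max_recv and assoc_group (8 bytes at offset 16)
    off, uuids = 28, []  # 3 reserved bytes follow the context count
    for _ in range(num_ctx):
        if off + 24 > len(pdu):
            raise ValueError("truncated context item")
        n_ts = pdu[off + 2]  # number of transfer syntaxes offered in this context
        raw = pdu[off + 4:off + 20]  # abstract syntax UUID, followed by a 4-byte version
        uuids.append(uuid.UUID(bytes_le=raw) if little else uuid.UUID(bytes=raw))
        off += 24 + 20 * n_ts  # each transfer syntax is a 16-byte UUID plus version
    return uuids


def should_block(pdu):
    """True when the bind names a blocked interface; malformed PDUs are not flagged."""
    try:
        return any(u in BLOCKED_INTERFACE_UUIDS for u in bind_interface_uuids(pdu))
    except ValueError:
        return False


def build_bind(interface_uuid, version=3):
    """Constructed sample input: a minimal little-endian bind PDU with one context."""
    iface = uuid.UUID(str(interface_uuid))
    ctx = struct.pack("<HBB", 0, 1, 0) + iface.bytes_le + struct.pack("<HH", version, 0)
    ctx += NDR_SYNTAX.bytes_le + struct.pack("<I", 2)
    body = struct.pack("<HHIB3x", 4280, 4280, 0, 1) + ctx
    hdr = struct.pack("<BBBB4sHHI", 5, 0, DCERPC_BIND, 0x03, b"\x10\x00\x00\x00",
                      16 + len(body), 0, 1)
    return hdr + body
```

A real deployment would run `should_block` on the first fragment of each TCP 445/139 or TCP 135 session; a bind can carry several contexts, so the check walks all of them rather than only the first.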

  30. Anonymous Coward
    Anonymous Coward

    @Vincent

    Are you seriously suggesting that some of the people who comment here don't know exactly what they are talking about and are out to score cheap points, in order to make themselves look better?

    This place is exclusively commented by serious IT professionals, we're all above that sort of thing. Aren't we?

  31. Anonymous Coward
    Anonymous Coward

    @Stu Reeves

    Your irony sensor is faulty.

  32. Anonymous Coward
    Stop

    Am I missing something...?

    What's so urgent about a fix for a flaw discovered in APRIL, TWO THOUSAND AND SIX?

  33. David Jackson

    Well, it's arrived here

    Downloaded and (annoyingly) rebooted the PC while I was getting my tea (Chicken portions and rice).

  34. Vincent

    @Fraser

    Well, let's be honest - Microsoft here have discovered a flaw and fixed it pretty quickly, and people still attack them... for fixing a bug. As Slartybardfast said, people would have flamed Microsoft here whether they had fixed it or not.

    Microsoft are far from perfect - but I think this was a good move, and they've got the fix out pretty quickly. Personally, I find it hard to negatively criticise Microsoft here.

  35. Anonymous Coward
    Linux

    Linux has no critical holes??

    It makes me laugh that everyone who hates Windows claims that Linux has no critical holes in it. Like all large pieces of software it will; these however aren't found as users don't use it, therefore the bad guys don't target it (as what's the point of stealing geeks' identities??), therefore they remain dormant.

    As soon as (ie never) the ordinary man in the street uses linux, all these hackers will target it and we will be flooded with critical patches for all these holes.

    I use windows and linux, BTW.

  36. Anonymous Coward
    Thumb Down

    To all those doubting linux

    Look here, all the Linux haters, all those non-serious multi-booters and the likes of Vincent etc.

    Microsoft gets attacked for a few reasons here they are:

    1. They develop code with copyright tag and do not allow the general public to view/comment/expand on their code. [linux is open source and if anything should be getting exploited more than any other OS due to this factor]

    2. They develop duff code by taking code from the 1980's and adding new colour to it, and want to charge the general public licence money for this per year [no wonder they get attacked]

    3. They keep changing the standard so people have to go and spend money on their stupid licences look at open office and Microsoft Office.

    With all these 3 in mind, do you not wonder why it is they get attacked lol

    This I hope explains to you all why MS is shit and will be dead in the next 10 years
