[Merged] Microsoft Security Updates


Tricky
09-07-2004, 06:50
Early warning that July is going to be a busy month! ;)

On 13 July 2004 the Microsoft Security Response Center is planning to release:
- 7 Microsoft Security Bulletins affecting Microsoft Windows. The greatest maximum severity rating for these security updates is Critical. Some of these security updates will require a restart. At this time no additional information on these bulletins such as details regarding severity or details regarding the vulnerability will be made available until 13 July 2004.

MetaWraith
09-07-2004, 08:05
Got news for you,
They are already released. At least this morning I got them in automatic update. Taking a long time to download too.

Maggy
13-07-2004, 20:59
It's been a long time but there is a critical update for Windows Me.


Incog. :)

greencreeper
14-07-2004, 01:25
Windows ME :disturbd: Just did my mum's laptop and there were a few driver updates. I always worry that the damn thing won't come back up :(

<goes off to run Windows Update>

Tricky
14-07-2004, 07:11
Updates:
- One Microsoft Security Bulletin affecting Microsoft Windows with a maximum severity of Moderate, MS04-018
- One Microsoft Security Bulletin affecting Microsoft Windows with a maximum severity of Important, MS04-019
- One Microsoft Security Bulletin affecting Microsoft Windows with a maximum severity of Important, MS04-020
- One Microsoft Security Bulletin affecting Microsoft Windows with a maximum severity of Important, MS04-021
- One Microsoft Security Bulletin affecting Microsoft Windows with a maximum severity of Critical, MS04-022
- One Microsoft Security Bulletin affecting Microsoft Windows with a maximum severity of Critical, MS04-023
- One Microsoft Security Bulletin affecting Microsoft Windows with a maximum severity of Important, MS04-024

Summaries for these new bulletins may be found at the following page:
- http://www.microsoft.com/technet/security/bulletin/ms04-jul.mspx

You may also be interested in:
Microsoft has learned of a Trojan program that is downloaded by the Download.Ject malware, also known as Scob, to client machines from infected IIS servers. When a user visits a Web site hosted on an IIS server that is infected with Download.Ject, the Web pages downloaded to the user's system contain an additional JavaScript program that downloads another Trojan program to the user's system. This second Trojan is called Backdoor:W32/Berbew, also known as Backdoor-AXJ, Webber, or Padodor. When this second Trojan runs on the user's machine, it performs several actions, including:

- Monitoring Internet access. When the user visits one of several financial or ISP Web sites, the Trojan captures sensitive information—such as log-in names, passwords, and so on—and sends it to a Web server for the Trojan's author to retrieve.
- Installing a proxy server that allows the user's system to be used as a relay for such actions as sending spam.
- Opening fake dialog boxes that prompt the user to enter confidential information such as ATM card codes, credit card numbers, and so on. This information is then sent to a Web server for the Trojan's author to retrieve.

Microsoft has released a tool to help you remove Backdoor:W32/Berbew Trojan variants from your computer. You can download this tool from the Microsoft Download Center and run it on your computer to remove Backdoor:W32/Berbew.A, Backdoor:W32/Berbew.B, Backdoor:W32/Berbew.C, and Backdoor:W32/Berbew.D, Backdoor:W32/Berbew.E, Backdoor:W32/Berbew.F, Backdoor:W32/Berbew.G and Backdoor:W32/Berbew.H infections.
This tool is discussed in Microsoft Knowledge Base article 873018. This KB can be found here:
http://support.microsoft.com/default.aspx?kbid=873018

Tricky
23-07-2004, 07:29
Oops they did it again! :mad:

On MONDAY 26 JULY 2004 the Microsoft Security Response Center is planning to release:

- One Microsoft Security Bulletin affecting Microsoft Windows. The greatest maximum severity rating for this security update is Critical. This security update will require a restart. Although we do not anticipate any changes, the number of bulletins, products affected, restart information and severities are subject to change until released. At this time no additional information on these bulletins such as details regarding severity or details regarding the vulnerability will be made available until 26 July 2004.

poolking
23-07-2004, 07:57
They've even had to bug fix a bug fix because they messed up.

XFS03
23-07-2004, 09:28
My Windows 98SE machine has also received critical updates.

I thought Microsoft had stopped supporting W98.

Electrolyte01
23-07-2004, 10:48
I can't believe Windows has so many bugs in it, I know I had to download 130mb's worth of updates when I got linux but they were mostly adding things into the software, not many fixing bugs etc :erm:

Microsoft need to get their software sorted is all I have to say.

Stuart
23-07-2004, 11:24
I can't believe Windows has so many bugs in it, I know I had to download 130mb's worth of updates when I got linux but they were mostly adding things into the software, not many fixing bugs etc :erm:

Microsoft need to get their software sorted is all I have to say.
I don't think Windows has any more or fewer bugs than any software. We were taught at Uni that IBM (who have done a lot of work on bug-tracking systems) found that, on average, there was 1 bug for every 1000 lines of code. They tested software written for all operating systems (including Linux).

Another way of looking at it is that somewhere around 95% of the world's PCs use Windows. This means there are more hackers looking for faults. Of course more bugs will show up.

At least Microsoft are regularly releasing patches.

Graham
23-07-2004, 12:16
I don't think Windows has any more or fewer bugs than any software. We were taught at Uni that IBM (who have done a lot of work on bug-tracking systems) found that, on average, there was 1 bug for every 1000 lines of code. They tested software written for all operating systems (including Linux).

Yes, but most people *fix* the bugs in Beta Testing instead of *releasing* what is effectively a Beta Test version and letting the users unwittingly find out the problems...! :mad:

Chris
23-07-2004, 12:24
I don't think Windows has any more or fewer bugs than any software. We were taught at Uni that IBM (who have done a lot of work on bug-tracking systems) found that, on average, there was 1 bug for every 1000 lines of code. They tested software written for all operating systems (including Linux).

Another way of looking at it is that somewhere around 95% of the world's PCs use Windows. This means there are more hackers looking for faults. Of course more bugs will show up.

At least Microsoft are regularly releasing patches.

Averages are very good at disguising the real offenders. If the average is one buggy line per 1,000, then one company may produce one every 500 while another, just one every 1,500. The average is still 1 every 1,000 but one company produces three times as many bugs as the other.

Stuart
23-07-2004, 14:01
Yes, but most people *fix* the bugs in Beta Testing instead of *releasing* what is effectively a Beta Test version and letting the users unwittingly find out the problems...! :mad:
You can beta test software for as long as you like, and as thoroughly. There will still be bugs that slip through the net though (for instance, IIRC, Windows 2000 was in beta testing for over a year)


Averages are very good at disguising the real offenders. If the average is one buggy line per 1,000, then one company may produce one every 500 while another, just one every 1,500. The average is still 1 every 1,000 but one company produces three times as many bugs as the other.
That is true, and being an average it must be taken as such. I was actually trying to make the point that there are bugs in ALL software, and Microsoft do at least correct some of them..

Having said that, I am sure that there are still bugs within Windows, as much as I am sure there are bugs within Mac OS, Solaris, Linux, Free BSD & any other Operating System you care to name.

Matth
23-07-2004, 17:20
All bugs are not created equal, either, nor do they have equal effect - critical code should be subject to much greater testing and review than areas where a "bug" may be more noticeable (eg. a menu option missing/malfunctioning) but less crucial in the wider scale of things - Microsoft do not seem to be very proactive in searching for vulnerabilities, or the initial quality of code left a lot to be desired.

greencreeper
24-07-2004, 02:53
You're forgetting that Microsoft Beta tested Windows for years (Windows 3.1, 95, 98...) before releasing a production version (XP). Okay it's still riddled with bugs and security holes you can drive a bus through but hey - Microsoft made the effort. Surely that counts? And you only have to look at how many customers, I mean Beta testers, Microsoft has to see how dedicated it is to producing quality software.

:p:

Alan Waddington
24-07-2004, 09:17
All bugs are not created equal, either, nor do they have equal effect - critical code should be subject to much greater testing and review than areas where a "bug" may be more noticeable (eg. a menu option missing/malfunctioning) but less crucial in the wider scale of things - Microsoft do not seem to be very proactive in searching for vulnerabilities, or the initial quality of code left a lot to be desired.

I agree. Also the software architecture is key to reducing the number of security related bugs. Microsoft's problem, particularly with IE, is that it starts from the premise that its code is trusted and therefore has full access to everything & then has to provide security at every interface. A more sensible approach is to have the operating system kernel provide a finer degree of rights access to individual non-kernel OS modules. This would make buffer overruns less of a security issue (except in the kernel itself). In this regard NT 3.51 was better than NT4. The problem was that all this extra OS based security slowed the computer down too much, so in NT4, the graphics drivers were elevated to have full hardware access. This specific case is an example of the more general problem throughout Windows.

I believe that the next step MS will be taking will be to remove write access to pages that are supposed to only contain program code. This should help a bit.

Tricky
24-07-2004, 14:19
Oops they did it again! 26-07-2004 fix :mad:

Will be delayed!!! by approx two weeks! :confused: Cross everything!

Stuart
24-07-2004, 16:31
I believe that the next step MS will be taking will be to remove write access to pages that are supposed to only contain program code. This should help a bit.
Support is built into XP SP2. It's called "Data Execution Protection". It works better if your CPU supports it (although I believe that only the Athlon 64 bit processors provide this support at the moment), but it should hopefully be quite effective.

Tricky
26-07-2004, 17:24
Will be delayed!!! by approx two weeks! :confused: Cross everything!

Actual text:
The security update slated for release on MONDAY 26 JULY 2004 has been
delayed. This security update should be ready for release within the
next two weeks as soon as testing and quality review is complete. We
will release the update as soon as we are fully confident that we are
providing a quality release with detailed prescriptive guidance to help
customers effectively manage and deploy the update.

Tricky
28-07-2004, 20:55
Strike 2 ;)
On Friday 30 JULY 2004 the Microsoft Security Response Center is planning to release: One Microsoft Security Bulletin affecting Microsoft Windows. The greatest maximum severity rating for this security update is Critical. This security update will require a restart.

Enjoy! :mad:

Tricky
06-08-2004, 07:26
On 10 August 2004 the Microsoft Security Response Center is planning to release: One Microsoft Security Bulletin affecting Microsoft Exchange. The greatest maximum severity rating for this security update is Moderate. This security update will not require a restart.

A calm month then!

Tricky
10-09-2004, 07:15
On 14 September 2004 the Microsoft Security Response Center is planning to release:

- One Microsoft Security Bulletin affecting Microsoft Windows, Microsoft Office, Microsoft Home, Microsoft Visual Studio, and Microsoft .NET Framework. The greatest maximum severity rating for this security update is Critical. This security update may require a restart.

- One Microsoft Security Bulletin affecting Microsoft Office. The greatest maximum severity rating for this security update is Important. This security update does not require a restart.

Although we do not anticipate any changes, the number of bulletins, products affected, restart information and severities are subject to change until released.

Paul K
15-09-2004, 07:46
On 14 September 2004 the Microsoft Security Response Center is planning to release:

- One Microsoft Security Bulletin affecting Microsoft Windows, Microsoft Office, Microsoft Home, Microsoft Visual Studio, and Microsoft .NET Framework. The greatest maximum severity rating for this security update is Critical. This security update may require a restart.

- One Microsoft Security Bulletin affecting Microsoft Office. The greatest maximum severity rating for this security update is Important. This security update does not require a restart.

Although we do not anticipate any changes, the number of bulletins, products affected, restart information and severities are subject to change until released.
Those updates are now out,
this one is listed as critical
https://www.microsoft.com/security/bulletins/200409_jpeg.mspx and affects users of Windows XP who are not patched to SP2 and the following

* Windows XP
* Windows XP Service Pack 1 (SP1)
* Windows Server 2003
* Internet Explorer 6 SP1
* Office XP SP3
Note Office XP SP3 includes Word 2002, Excel 2002, Outlook 2002, PowerPoint 2002, FrontPage 2002, and Publisher 2002.
* Office 2003
Note Office 2003 includes Word 2003, Excel 2003, Outlook 2003, PowerPoint 2003, FrontPage 2003, Publisher 2003, InfoPath 2003, and OneNote 2003.
* Digital Image Pro 7.0
* Digital Image Pro 9
* Digital Image Suite 9
* Greetings 2002
* Picture It! 2002 (all versions)
* Picture It! 7.0 (all versions)
* Picture It! 9 (all versions, including Picture It! Library)
* Producer for PowerPoint (all versions)
* Project 2002 SP1 (all versions)
* Project 2003 (all versions)
* Visio 2002 SP2 (all versions)
* Visio 2003 (all versions)
* Visual Studio .NET 2002
Note Visual Studio .NET 2002 includes Visual Basic .NET Standard 2002, Visual C# .NET Standard 2002, and Visual C++ .NET Standard 2002.
* Visual Studio .NET 2003
Note Visual Studio .NET 2003 includes Visual Basic .NET Standard 2003, Visual C# .NET Standard 2003, Visual C++ .NET Standard 2003, and Visual J# .NET Standard 2003.
* .NET Framework 1.0 SP2
* .NET Framework 1.0 SDK SP2
* .NET Framework 1.1
* Platform SDK Redistributable: GDI+
There is also an update for users of MS Office 2000 and upwards
https://www.microsoft.com/security/bulletins/200409_wordperfectconverter.mspx
which is listed as an important update.

jamesclarke555
15-09-2004, 21:09
...Oh great, another buffer overflow security hole, this time with virus infected .jpeg files :mad:

http://www.theregister.co.uk/2004/09/15/windows_jpeg_bug/

nffc
15-09-2004, 21:10
And I already have the update, in fact within 2 mins of getting the email last night.

Chris
16-09-2004, 10:56
BBC report here on the latest vulnerability in M$ products. Our corporate IT guys here are on the ball though, the patch ran as I logged in this morning,

http://news.bbc.co.uk/1/hi/technology/3661678.stm

I don't know what's funnier, that M$ has been caught out again, that the BBC used a photo of Avril Lavigne to illustrate the fact that JPEGS can put viruses on your PC or that the image alt caption for Avril was 'Pop singer' ... :rofl:

gazzae
16-09-2004, 11:04
In 1994 this was actually an April Fools' joke, and now in 2004 it is reality!

http://www.2meta.com/april-fools/1994/JPEG-Virus.html

Gareth
16-09-2004, 11:35
yikes!

Aragorn
16-09-2004, 11:42
<Snip>

Chris,

While commenting about vulnerable browsers, looking at your sig I hope you've taken notice of http://www.theregister.co.uk/2004/09/15/mozilla_patches/ - a whole load of vulns in Firefox and mozilla :shocked: .
BTW, I'm not knocking Firefox - I use it myself for browsing anything outside the company firewall - safer and quicker than IE (sure I'll be flamed about that statement !)

Steve.

SMHarman
16-09-2004, 11:44
I guess the picture will just be a blue screen, nobody will ever know the difference

Caspar
16-09-2004, 11:54
I suspect the virus JPEG would be porn related or some other high hitting context

Bifta
16-09-2004, 11:55
BBC report here on the latest vulnerability in M$ products. Our corporate IT guys here are on the ball though, the patch ran as I logged in this morning,

http://news.bbc.co.uk/1/hi/technology/3661678.stm

I don't know what's funnier, that M$ has been caught out again, that the BBC used a photo of Avril Lavigne to illustrate the fact that JPEGS can put viruses on your PC or that the image alt caption for Avril was 'Pop singer' ... :rofl:

http://www.cableforum.co.uk/board/showthread.php?t=17521 not sure if it's the same.

Chris
16-09-2004, 12:00
Chris,

While commenting about vulnerable browsers, looking at your sig I hope you've taken notice of http://www.theregister.co.uk/2004/09/15/mozilla_patches/ - a whole load of vulns in Firefox and mozilla :shocked: .
BTW, I'm not knocking Firefox - I use it myself for browsing anything outside the company firewall - safer and quicker than IE (sure I'll be flamed about that statement !)

Steve.

Now that would be off topic :nono: ;) :p:

Looking at that Reg article, there is clearly a radically different philosophy towards security and approach towards fixing bugs. In the longer term this is going to mean fewer problems with Mozilla-based software and more rapid fixes.

Chris
16-09-2004, 12:01
http://www.cableforum.co.uk/board/showthread.php?t=17521 not sure if it's the same.

Wups you're right :dunce:

Merging...

Paul
16-09-2004, 12:50
Not sure why this is closed, a side effect of the merge I think. Re-opened. :D

Ramrod
16-09-2004, 13:10
Just patched both of our 'puters. If you have MS office you need to patch that as well........

Paul K
16-09-2004, 13:48
Strange :erm: do I detect a seamless merge??? Apart from a post going missing :p:

Chris
16-09-2004, 13:52
Strange :erm: do I detect a seamless merge??? Apart from a post going missing :p:

It might look that way to you, but from where I'm sitting there are bodies everywhere :p: :D

Maggy
16-09-2004, 13:52
Funny it said I didn't need to patch M$ Office. Oh well. :shrug:

It did try very hard to persuade me to download SP2 though. :)

Ramrod
16-09-2004, 15:00
Funny it said I didn't need to patch M$ Office. Oh well. :shrug:


Go to the Office page and click on updates......see if it mentions the vulnerability, it did on my wife's laptop.

Paul K
16-09-2004, 15:43
Funny it said I didn't need to patch M$ Office. Oh well. :shrug:

It did try very hard to persuade me to download SP2 though. :)
Windows Update will not tell you about Office updates, that's a different update engine altogether :) Follow Ramrod's instructions and you should be prompted for any updates you require.

homealone
16-09-2004, 15:52
Windows Update will not tell you about Office updates, that's a different update engine altogether :) Follow Ramrod's instructions and you should be prompted for any updates you require.

It's quite misleading - well for me, using Win98se, it was. Windows Update identified 2 'critical' updates available - one an IE6 patch & the other the patch for the jpg file vulnerability. During installation the jpg file thingy loads a new page which advises a 4 point check - one of which is a link to check if Office needs updating, I think that is what Incog meant. :)

MovedGoalPosts
24-09-2004, 18:46
Just received an email from my antivirus provider Panda, that the virus writers out there now have a nice scripting kit ready to exploit the JPEG vulnerability mentioned earlier in this thread. Great now even innocent photos aren't safe. :mad:

No doubt someone will find a way to attach viruses to PDFs soon. :disturbd:

MetaWraith
24-09-2004, 21:35
Nothing is safe as long as sloppy coding, no checking for buffer overruns etc is tolerated.

In fact in today's modern society it's even encouraged as part of the rush to get the product to market first, and spin off whole update industries.

Stuart
25-09-2004, 12:19
The memory protection functions in XP Service Pack 2 SHOULD reduce the effect of buffer overruns in the future, but, by default, only protect the Operating System (and don't work fully unless you have hardware support).

Tricky
08-10-2004, 07:33
On 12 October 2004 the Microsoft Security Response Center is planning to release:

- One Microsoft Security Bulletin affecting Microsoft Office. The greatest maximum severity rating for this security update is Critical. This security update does not require a restart.

- Seven Microsoft Security Bulletins affecting Microsoft Windows. The greatest maximum severity rating for these security updates is Critical. Some of these security updates will require a restart. Some of these security updates may require a restart.

- Two Microsoft Security Bulletins affecting Microsoft Windows and Microsoft Exchange. The greatest maximum severity rating for these security updates is Critical. These security updates may require a restart.

At this time no additional information on these bulletins such as details regarding severity or details regarding the vulnerability will be made available until 12 October 2004.


Another quiet month then!

pooroldjoe
08-10-2004, 14:33
I've got a bit of a funny peculiar going on. Since about 10.30 this morning I have had the Microsoft icon in the systray. Mouse over it brings up the balloon "downloading updates 48%" (that was the last check a few minutes ago).
48% in something over 4 hours would indicate a very slow connection, or a massive update.
Is Microsoft forcefeeding SP2 on the unwary, or is there an innocent explanation?
My download updates preference is set to "notify do not install".
Is anybody else getting this? Can anybody offer a rational explanation?
Thanks Joe.

Aragorn
08-10-2004, 15:11
Yup, it's downloading SP2 for you! Nice waste of bandwidth, assuming you plan to say no when it asks to install!

There is a registry hack to disable the SP2 download on the MS web site, otherwise it will try to download it for you!!! Really trying to push SP2.

pooroldjoe
08-10-2004, 16:35
Yup, it's downloading SP2 for you! Nice waste of bandwidth, assuming you plan to say no when it asks to install!

There is a registry hack to disable the SP2 download on the MS web site, otherwise it will try to download it for you!!! Really trying to push SP2.

Thanks. That's what I thought. I will install SP2 when I am ready (if at all), not when Uncle Bill tells me to!

Aragorn
13-10-2004, 09:18
This month's bulletin has been released:

http://www.microsoft.com/technet/security/bulletin/MS04-oct.mspx

Seven critical (including a patch to the new improved IE6 on XPSP2 :shocked: ) and three important.

Get patching guys !!!

There is also an update to last month's JPEG vuln:

* MS04-028

- http://go.microsoft.com/?linkid=1190073
- Reason for re-release: Bulletin updated to advise on the
availability of revised security updates for Office XP,
Visio 2002, and Project 2002 customers that are using Windows XP
Service Pack 2. Microsoft Knowledge Based Article 833987
documents the currently known issues that customers may
experience when installing these security updates. The article
also documents recommended solutions for these issues. Microsoft
has also released the MS04-028 Enterprise Update Scanning Tool
to help customers detect and deploy the required updates. For
more information about the MS04-028 Enterprise Update Scanning
Tool, see Microsoft Knowledge Base Article 886988. Microsoft has
also released an update for Windows 2000 based systems that have
installed the Windows Journal Viewer. The bulletin has also been
updated with a new FAQ that addresses questions regarding the
Visio 2002 Viewer, Visio 2003 Viewer, and PowerPoint 2003
Viewer programs.

HTH

Maggy
14-10-2004, 20:31
Ooh it's crafty. Automatic update wanted to install summat. So I thought I'd check before installing. Guess what? It wants to install SP2. It just won't give up. I can see it sneaking an install of SP2 when I'm not looking.

Guess I will HAVE to disable automatic updating. :rolleyes:

Aragorn
14-10-2004, 22:52
Guess I will HAVE to disable automatic updating. :rolleyes:
Shouldn't be a major problem if you check a manual windows update every second Weds of the month.

My Windows Update wanted to install SP2 and after I said no it offered me the relevant five of the new updates.

Tricky
28-10-2004, 09:35
Users of M$ IE may be interested in this one:

Microsoft is investigating reports of a security issue with Internet Explorer affecting all supported versions of Windows that may allow an attacker to place malicious code on a user's computer if the user visits a malicious Web site.

Today Microsoft is establishing a Microsoft Knowledge Base article, 888534, that will help them better understand the reported vulnerability and what is needed for mitigation.

The Knowledge Base article is available here: http://support.microsoft.com/kb/888534