
Microsoft IIS Web Server and ASP.NET Forum

    
Microsoft Issues Full Critical Security Alert to all Windows Users from 98 to XP
Root level exploit found in all modern Windows OS's
Brett_Tabke




msg:943074
 11:44 pm on Mar 19, 2003 (gmt 0)

Microsoft has issued its highest warning to all Windows operating system users from Windows 98 to Windows XP. A flaw exists in all versions that could allow root access to ANY computer.

Windows Versions Affected:

Microsoft Windows 98
Microsoft Windows 98 Second Edition
Microsoft Windows Millennium Edition (Windows Me)
Microsoft Windows NT® 4.0
Microsoft Windows NT 4.0, Terminal Server Edition
Microsoft Windows 2000
Microsoft Windows XP

[microsoft.com...]

[express.co.uk...]
[siliconvalley.com...]

Please update your Windows now.

 

jrobbio




msg:943075
 1:05 am on Mar 20, 2003 (gmt 0)

Thanks for the heads up Brett.

carfac




msg:943076
 3:52 am on Mar 20, 2003 (gmt 0)

Brett:

Thanks- would not have seen this anywhere else for a while!

dave

txbakers




msg:943077
 4:01 am on Mar 20, 2003 (gmt 0)

That's a scary announcement - basically every Windows computer can be affected. Better get the duct tape and plastic sheeting too.

toadhall




msg:943078
 5:48 am on Mar 20, 2003 (gmt 0)

Don't go nuts. Sure there aren't any nefarious lines of code in the patch? Big change in licensing attitudes at M$ these days. Backdoor indeed!

From the MS bulletin:

- Computers configured to disable active scripting in Internet Explorer are not susceptible to this issue.

- Microsoft tested W98, W98SE, Me, NT 4.0, NT 4.0 TSE, 2000, and XP. Previous versions are no longer supported, and may or may not be affected by these vulnerabilities.

- This is a buffer overrun vulnerability. The vulnerability is caused by a heap overflow in the Windows Script Engine for the JScript scripting language, JScript.dll.


So disable active scripting - you shouldn't have it running anyway - and rein in Active X.

See the update site at the link in Brett's post for details on disabling.

And beware Greeks bearing gifts.

T

aspdaddy




msg:943079
 8:48 am on Mar 20, 2003 (gmt 0)

That is right, you should also make sure scripting host is disabled in Outlook.

Common sense really - why would anyone want to give people the right to run scripts on their computer?

Balboa




msg:943080
 9:17 am on Mar 20, 2003 (gmt 0)

Is it me, or is almost every MS vulnerability a buffer overrun?

Don't they read the MSDN?
Writing Secure Code [msdn.microsoft.com]

;)

Also, hello - this is my first post after lurking for some time.

Tor




msg:943081
 10:30 am on Mar 20, 2003 (gmt 0)

Thanks for letting us know Brett. We will start updating ASAP.

Xoc




msg:943082
 11:56 am on Mar 20, 2003 (gmt 0)

The problem is that much of Microsoft's code in the last 10 years has been written in C++, which encourages buffer overflow bugs. I would say that 99% of the security flaws in Microsoft's software can be attributed to two things:

1) Buffer overflows in various pieces of software.
2) Web browser enhancements that give the web browser too much power. Specifically the enhancements of JavaScript and ActiveX controls. Because Outlook and Outlook Express allow HTML mail, that includes email.

If Microsoft had written their software in a better programming language (such as their new C#), there wouldn't be the buffer overflow problems.

If Microsoft had limited the power of ActiveX controls and disabled JavaScript and ActiveX controls in HTML mail, then that would have eliminated much of the rest.

TheRealTerry




msg:943083
 2:37 pm on Mar 20, 2003 (gmt 0)

Geez, seems like more than once a week now there's some kind of flaw in security with some MS app or OS that will allow people to execute programs on your computer, turn it into a zombie, or worse. Whatever happened to this whole security initiative MS was supposed to be making on securing their software?

No wonder other OS platforms are gaining ground.

stlouislouis




msg:943084
 6:05 pm on Mar 20, 2003 (gmt 0)

Sounds to me like the real problem is one of permissions.

Why in the world does a browser need root on one's machine?

Even if they want to use the browser for root purposes,
Microsoft could score a lot of points by providing a
second, "safe surfing" browser that doesn't have root
powers on the machine. Think how they could spin that
"innovation"; heck they could even say "it's for the children".

cornwall




msg:943085
 7:01 pm on Mar 20, 2003 (gmt 0)

One of the tips I picked up here is to go to the "start" button on bottom left of IE browser, and pick "Update Windows" there, it takes you straight to the page on M$ that you need.

ukgimp




msg:943086
 8:55 am on Mar 21, 2003 (gmt 0)

This is a real wounder for me. Relatives needing updates on slow modem connections. Guess who will have to do it all. Oh yeah, I won't get paid!

I despair at the amount of time that I have to spend downloading "freaking" MS patches.

percentages




msg:943087
 9:08 am on Mar 21, 2003 (gmt 0)

As an XP user I just love the fact that it has forced updates 7 days in a row now:)

Every morning my PC is rebooted for me after an XP update, one way to keep your memory clean......lmao!

I love MS...but this is getting a little out of hand. Can we have some QA please?

hutcheson




msg:943088
 7:32 pm on Mar 21, 2003 (gmt 0)

>Can we have some QA please?

Sorry, this is Microsoft. Now if you want a bulletproof CONTRACT, they've got the largest legal firm in the world. But it is not fair either to the Computer industry or to Microsoft to compare them with software development firms.

aspdaddy




msg:943089
 7:45 pm on Mar 21, 2003 (gmt 0)

>Can we have some QA please?

Sure, as more people use it, more bugs are found, software is regularly upgraded to fix the bugs.

How else would you have it?

martinibuster




msg:943090
 8:28 pm on Mar 21, 2003 (gmt 0)

Without diving into a political discussion (PLEASE let's avoid it)

I have my doubts about this. You'll probably think I'm paranoid for thinking this but...

The reasons are:

1: Most security problems are discovered by an outside company, who reveals it to MS who usually drags their feet. It's incredibly unusual that a flaw of this magnitude was overlooked by all major security firms.

Think about it: We are being told to believe that a major OS hole has been undetected since 1998; that hackers and security firms totally missed this major security hole for over five years.

2: The company quoted as confirming the flaw, trusecure corporation, employs "an expert who helped design classified networks at the CIA"

3: This company is part of a National Security Council group whose goal is securing our computer infrastructure against cyberattacks-

4: In the weeks prior to this, I've been experiencing an unusual amount of IE crashes, regardless of version or computer, with an unusual pop-up asking if I want to send a notice to MS, which made me think that it was engineered.

5: If one were to insert code capable of monitoring computers/information, this is the way to do it.

6: If MS wanted a break from the Justice Department, this is the way to get it.

I sincerely have my doubts about this security flaw.

txbakers




msg:943091
 9:20 pm on Mar 21, 2003 (gmt 0)

For many, many years doctors were convinced that ulcers were caused by stress.

It was only recently discovered that ulcers are a bacterial infection.

Sometimes we forget to look at the trees while we look at the forest. As we stand on the mountain top we're puzzled as to the spectacular view that was supposed to be there. All we see are more mountains and trees and a river below.

toadhall




msg:943092
 5:07 am on Mar 22, 2003 (gmt 0)

I'm with you martinibuster.

And what better opportunity for a knee-jerk installation than during days of high-anxiety?

There's something fishy about this.

txbakers > Don't bogart that joint... ;-)

T

OntheEdge




msg:943093
 5:22 am on Mar 22, 2003 (gmt 0)

>I love MS...

You can get help for that.. ;)

>This is a real wounder for me. Relatives needing updates on slow modem connections.

Consider yourself lucky, the whole town's calling me, and when I run the update scan turns out not one of them (so far) has updated since the day they bought their computers.
And, being a rural town, our ISP loves to drop off at will.

Hey Toadhall...quit hogging!
~~=====
