Microsoft Security Bulletin MS03-040 - 828750

[newpseud]

"cquirke (MVP Win9x)" <[email protected]>
wrote in message

On Sat, 4 Oct 2003 20:45:23 -0400, "newpseud"


Could you clarify a bit there?

I certainly appreciate the attempts by
<name_oversnipped> and others to get the word out
through the newsgroups, and I don't propose they should
stop doing that.

But choosing between one message cross-posted to
multiple newsgroups, and the same message sent
individually to each of the same set of newsgroups, I
would vote for the latter. This thread is already 45
posts and counting upwards, and because the original
message was cross-posted, all of these replies will
appear in all newsgroups regardless of which newsgroup
they originated in - traffic++

It seems as if you are advocating the reverse, i.e.
that such alerts should be cross posted rather than
sent to each news group seperately, on the general
premise that the latter is "bad". I'm interested in
your reasons, as they aren't obvious to me.

It is reasonable to cross post to some - say three -
related newsgroups if you are seeking a posted response.
I don't think it's necessary, but it isn't unreasonable.

http://www.aspfaq.com/5003

That is the practical reason. I am not sure Forte Free
Agent will let you click on PA Bear's discussion on this
topic with Eli Aran, but if it will here's the link:

The technical reason is that cross posting places only
one post on the server, pointed at from each newsgroup;
however multi posting places one post per newsgroup,
consuming its space times the number of postings.

The only *response* to Jerry Bryant's original post
should have been *to get updated.* It's too bad his
notice, which should have drawn as much posted response
as an HP-UX security alert in comp.security.misc, got
this obscenely long tail. The post looked too much like
Swen for Phil Weldon, who unfortunately didn't confine
his flame to microsoft.public.virus with a cross post to
netiquette. So this one got out of hand, due to passions
of the moment. MSFT didn't *have* to post at all.

If Microsoft is posting an urgent notice which requires
no posted response, general cross posting is appropriate.

 

[Gary S. Terhune]

More specifically, in my case, (and I'm betting this is the case with Sandi,
also) we are aware of new patches as soon as they hit the wires (and in some
cases sooner). We have a number of machines that we are responsible for, either
in a network IT position, or a number of self-contained clients whose interests
we look out for. We not only need the patches for our own machines, we need them
for others, and we need to know what versions to apply to what machines and what
possible pitfalls exist.

We need those updates as stand-alone executables, for lots of different reasons,
along with the in-depth documentation that goes along with them, and you get
that at TechNet. I certainly didn't see Sandi's message as denigrating WinUp.
Just a grinning acknowledgment that she, personally, doesn't happen to see that
page often--for the same reason as I don't often see it except when I'm in the
field.

Sandi also pointed out the other reason that I also happen to have in common--we
participate in a Windows Updates beta program that requires us to wire our
machines in such a way that to visit the "live" site--the public one--requires a
fair amount of re-wiring and possible confusion. Only problem with this program
is that the beta site isn't sometimes as up to date or responsive as the live
site.

I see your attitude as being one of overly idiot oriented. You imply that
because there are so many idiots out there, we should make sure to only point
them to the most idiot-proofed solution for security issues, even to the extent
of not publicly discussing other more IT-oriented solutions, for fear that they
will screw it up.

Goes back to my standard mantra on the subject--"Make something totally
idiot-proof, and only an idiot would use it."

Yes, idiots need protection, more and more these days. But that doesn't mean
they need to be shielded from the technology behind the curtain. Do that and the
only sure thing is that they will *remain* idiots. Go to WinUp, press the
button, ignore the documentation, then come whining to us that something got
broken by Windows Updates--something that in all likelihood could have been
prevented if they had only read the documentation first!

--
Gary S. Terhune
MS MVP for Windows 9x

*Recommended Help Sites*
http://www.dts-l.org
http://www.mvps.org
http://www.aumha.org

How to Use the Microsoft Product Support Newsgroups
http://support.microsoft.com/?pr=newswhelp
+++++++++++++++++++++++++++++++++++++++++

 

[Robert Moir]

I see your attitude as being one of overly idiot oriented. You imply
that because there are so many idiots out there, we should make sure
to only point them to the most idiot-proofed solution for security
issues, even to the extent of not publicly discussing other more
IT-oriented solutions, for fear that they will screw it up.

I never said that Gary, Sure your reply was meant for me?

 

[PA Bear]

Without wading through the 80+ posts to this thread since I last visited it,
please note that Trojan.Qhosts was only identified by anti-virus
manufacturers on Wednesday, 01 Oct-03, though this (unnamed at the time) and
similar exploits have been a hot topic in recent weeks amongst those of us,
MVP and non-MVP alike, trying to nail new hijackware before it gets too
out-of-hand. See "Are You Trying to Get to Google" in Spyware Weekly
Newsletter, 30 Sept-03:
http://www.spywareinfo.com/newsletter/archives/0903/30.php.

I can assure you that the MS Security team has been working diligently to
patch vulnerabilities but no one, including MS, knew fully about this
specific Trojan.Qhosts exploit until a few days ago.

Hijackware is now the #1 cause of several thousands of posts to the IE
newsgroups each and every day. New MVPs Siljaline and TonyKlein received
their awards in recognition of the efforts they've made in the past year
identifying such malware and helping those in the online community deal with
its affects.
--
HTH...Please post back to this thread

~Robear Dyer (aka PA Bear)
MS MVP-Windows (IE/OE)
http://mvp.support.microsoft.com
AH-VSOP
http://forum.aumha.org/

...A machine at my organization was infected with
Trojan.Qhosts BEFORE ms03=040 was released !!! The machine was behind a
firewall, using a proxy, full up-todate patches, latest antirus. Why do
you
think M$ rushed this patch on Firday night? Have you even read the
Qhosts
news articles?

Microsoft knew about the vulnerabilities AND knew that thousands of
machines
were being infected with Qhosts but Microsoft still did not issue [an]

alert
<snip>

 

[Papa]

So now you are regarding the general user as idiots? Look, I respect your
TECHNICAL knowledge about computers a great deal, but don't let your
technical knowledge get in the way of unwise choices as to safe practices.
You are no more of an expert in that area than anyone else.

 

[Papa]

The answer is quite simple. As you may have noticed, the Swen virus is
lurking amidst legitimate warnings posted in numerous newsgroups. However
well intended, suggesting to the general user to look for protection from
multiple sources is an accident just waiting to happen when he/she opens a
virus attachment from a hoax warning post.

There is an old saying - "Keep it simple". So my advice will continue to
be - obtain your updates from one place, and one place only - the Update
button.

Best regards.

 

[Me2]

Cquirke,

I understand your arguments. A simple truth remains (on an odd lock defect
planet in the andromeda galaxy): You need to find out that the lock on your
car or house (aka IT infrastructure) is defective from a fixit shop (aka
Symantec) rather than from the lock manufacturer (aka Microsoft) because if
the lock manufacturer does talk about lock defects rather than the fixit
shop, it is thought that thieves will find out about the lock defect better
and at a higher rate than if only the fixit shop talked about the lock
defects.

Car owners (on this planet) are thus blissfully un-aware about all kinds of
lock defects (unless they need their car fixed and visit a fixit shop) -
kind of a lock defect blindness. Thieves have a good time because they
always visit the fixit shops and find out about the lock defects that the
manufacturer wont tell their customers about because thieves might find out
about lock defects that the thieves find out about from the fixit shops.

[It is thought that the lock defect blindness on this planet (and the lack
of defect communication from the lock manufacturer) is caused by headaches
and the highly complex lock mechanisms. One look at the complex lock
mechanism and most people have a blistering headache for the rest of the
day. To prevent these headaches, lock manufactures recommend that their
customers not look at the locks and think about lock defects unless they
already have a headache because their car was stolen, or house broken into -
in which case the lock manufacturer is not blamed for headaches because
headaches are caused by stolen cars and houses and not by the manufacture's
locks.]

Me out

 

[Jim Eshelman]

Car owners (on this planet) are thus blissfully un-aware about all
kinds of lock defects (unless they need their car fixed and visit a
fixit shop) - kind of a lock defect blindness.

This is where your analogy breaks down. In your analogy, yeah, there is no
reason someone would visit a lock fixit shop for a car lock they didn't know
was broken. But that's not a valid comparison to antivirus manufacturers.
Unlock car lock fixit shops for car owners, every single computer user needs
to have a good, updated antivirus program running that dynamically monitors
for virus intrusion. These are the people on whom one should rely for
antivirus protection, and Microsoft should (and, I believe, does) quietly
communicate with these entities even when they are not yet ready to release
information to the general public (which includes the burglars).

Anyone who is running a good, updated antivirus program that meets these
needs, there is no problem. Anyone who is not is, at best, seriously
ignorant of the current state of things.

--
Jim Eshelman, MS-MVP Windows
http://aumha.org/
http://WinSupportCenter.com/

Did you find this newsgroup on the web? A newsreader like Outlook Express
will make your online life a lot easier. Get better help! See:
http://aumha.org/win4/supp1b.htm and
http://support.microsoft.com/support/news/howto/default.asp

 

[Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]]

Yes Phil, Microsoft knows exactly what his is doing and pays him to do it.

If you have a XP machine stick on Automatic updates as we should be
doing and get this patch automatically.

This is a standard posting that is done every time there is a security
bulletin. Jerry has done this 39 times before this. Do a google search
and you will see that Jerry does this all the time. It's his job.

Yes, your posting sounds harsh. And quite frankly over the top.

All security bulletins are released by Microsoft with standard wording.
Jerry cannot change the posting.

If you want the "home user" version try this
http://www.patchdayreview.com/

And this ISN'T the same as the fake security bulletin. It's plain text
and has a digital signature. Swens don't do that.

This may sound harsh.

It is meant to sound harsh.

I just re-read it.

I am still posting it.

Pardon me, but don't you think you could have EXPLAINED the meaning and
importance of this (AND the other critical fix just issued)? What does
MSFT, MSCE, or MCDBA mean if YOU are allow to put it after your name? Not
much, evidently.

Take into account the users who are asking questions on these newsgroups.

Take into account that they all are worried about the flood of infected,
fake Microsoft security bulletins that USE EXACTLY THE SAME LANGUAGE as what
you just posted.

Pardon me, but do you have ANY idea how foolish your post is? Why did you
do it? Was ANY thought involved?

I am appalled. Do you have a keeper? Does Microsoft know what you are
doing?

And cross-posted too, just like the 'swen' worm posts to newsgroups!



Please, could some responsible adult at Microsoft cancel the top of this
thread.... quickly, before more damage is done? Except, of course, for the
newsgroup that does not resolve!

--
"Don't lose sight of security. Security is a state of being,
not a state of budget. He with the most firewalls still does
not win. Put down that honeypot and keep up to date on your patches.
Demand better security from vendors and hold them responsible.
Use what you have, and make sure you know how to use it properly
and effectively."
~Rain Forest Puppy
http://www.wiretrip.net/rfp/txt/evolution.txt

 

[Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]]

In my experience not that long. Case it point it popped up on my
autoupdate that same night.

That's not exactly true. Windows Update is the place to go under normal
circumstances but in the case of these rapid security alerts you'll be able
to download them more quickly from the TechNet or Security areas. It
sometimes takes a day or so for updates to be migrated to the Windows Update
site.

--
"Don't lose sight of security. Security is a state of being,
not a state of budget. He with the most firewalls still does
not win. Put down that honeypot and keep up to date on your patches.
Demand better security from vendors and hold them responsible.
Use what you have, and make sure you know how to use it properly
and effectively."
~Rain Forest Puppy
http://www.wiretrip.net/rfp/txt/evolution.txt

 

[Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]]

What part of the posting about

1. it's not html
2. It has no attachment

Since "Jerry Bryant [MSFT] massively cross-posted (the same technique the
'swen' worm uses in posting to newsgroups), this is somewhat difficult to
explain, so I'll append an example of the same information that was posted
to microsoft.public.security.virus (not cross-posted as the 'swen' worm
cross-posts fake Microsoft Security bulletins [which, by the way, ALSO have
valid hot-links to appropriate Microsoft websites, it's just that they also
have a malformed header and an infected attachment]) in a much better
fashion. If you are not viewing this thread in the
microsoft.public.security.virus you may not realize how bad the post from
"Jerry Bryant [MSFT] looks in context.

Realize that millons of fake, infected "Microsoft Security Bulletins" are
being sent out hourly by systems and networks infected by the 'swen' worm.
Some of us are geting a thousand or more each day. That makes it extremely
important to make every effort to ensure any legitimate information
purporting to be from Microsoft to distinguish itself from that provided by
the 'swen' worm.

Just in case you need a glimpse of the 'swen' worm product, look at (but be
very, very sure that you have all necessary Microsoft security patches and
Service Packs installed AND have an antivirus program with the latest virus
definitions scanning all operations of your computer before looking) the
post to microsoft.public.security.virus

Watch this security patch
From: Karol
Sent: 02OCT03 4:18 PM EDT


The post generated by the 'swen' worm has a malformed header AND has the ~
106,000 byte infectious attachment. Open this attached file and, without
up-to-date antivirus protection on your Windows 98 and up operating system
and your system WILL be infected.
______________________
Quote Begins
______________________
-----BEGIN PGP SIGNED MESSAGE-----

- ----------------------------------------------------------------------
Title: Cumulative Patch for Internet Explorer (828750)
Date: October 3, 2003
Software: Internet Explorer 5.01
Internet Explorer 5.5
Internet Explorer 6.0
Internet Explorer 6.0 for Windows Server 2003
Impact: Run code of attacker's choice
Max Risk: Critical
Bulletin: MS03-040

Microsoft encourages customers to review the Security Bulletins at:
http://www.microsoft.com/technet/security/bulletin/MS03-040.asp
http://www.microsoft.com/security/security_bulletins/MS03-040.asp
- ----------------------------------------------------------------------

Issue:
======
This is a cumulative patch that includes the functionality of all
previously released patches for Internet Explorer 5.01, 5.5 and 6.0.
In addition, it eliminates the following newly discovered
vulnerabilities:

A vulnerability that occurs because Internet Explorer does not
properly determine an object type returned from a Web server in a
popup window. It could be possible for an attacker who exploited this
vulnerability to run arbitrary code on a user's system. If a user
visited an attacker's Web site, it would be possible for the attacker
to exploit this vulnerability without any other user action. An
attacker could also craft an HTML-based e-mail that would attempt to
exploit this vulnerability.

A vulnerability that occurs because Internet Explorer does not
properly determine an object type returned from a Web server during
XML data binding. It could be possible for an attacker who exploited
this vulnerability to run arbitrary code on a user's system. If a
user visited an attacker's Web site, it would be possible for the
attacker to exploit this vulnerability without any other user action.
An attacker could also craft an HTML-based e-mail that would attempt
to exploit this vulnerability.

A change has been made to the method by which Internet Explorer
handles Dynamic HTML (DHTML) Behaviors in the Internet Explorer
Restricted Zone. It could be possible for an attacker exploiting a
separate vulnerability (such as one of the two vulnerabilities
discussed above) to cause Internet Explorer to run script code in the
security context of the Internet Zone. In addition, an attacker could
use Windows Media Player's (WMP) ability to open URL's to construct
an attack. An attacker could also craft an HTML-based e-mail that
could attempt to exploit this behavior.

To exploit these flaws, the attacker would have to create a specially
formed HTML-based e-mail and send it to the user. Alternatively an
attacker would have to host a malicious Web site that contained a Web
page designed to exploit these vulnerabilities. The attacker would
then have to persuade a user to visit that site.

As with the previous Internet Explorer cumulative patches released
with bulletins MS03-004, MS03-015, MS03-020, and MS03-032, this
cumulative patch will cause window.showHelp( ) to cease to function
if you have not applied the HTML Help update. If you have installed
the updated HTML Help control from Knowledge Base article 811630, you
will still be able to use HTML Help functionality after applying this
patch.

In addition to applying this security patch it is recommended that
users also install the Windows Media Player update referenced in
Knowledge Base Article 828026. This update is available from Windows
Update as well as the Microsoft Download Center for all supported
versions of Windows Media Player. While not a security patch, this
update contains a change to the behavior of Windows Media Player's
ability to launch URL's to help protect against DHTML behavior based
attacks. Specifically, it restricts Windows Media Player's ability
to launch URL's in the local computer zone from other zones.

Mitigating Factors:
====================
- -By default, Internet Explorer on Windows Server 2003 runs in
Enhanced
Security Configuration. This default configuration of Internet
Explorer
blocks automatic exploitation of this attack. If Internet Explorer
Enhanced Security Configuration has been disabled, the protections
put in place that prevent this vulnerability from being automatically
exploited would be removed.

- -In the Web-based attack scenario, the attacker would have to host a
Web site that contained a Web page used to exploit this
vulnerability. An attacker would have no way to force a user to
visit a malicious Web Site. Instead, the attacker would need to lure
them there, typically by getting them to click a link that would take
them to the attacker's site.

- -Exploiting the vulnerability would allow the attacker only the same
privileges as the user. Users whose accounts are configured to have
few privileges on the system would be at less risk than ones who
operate with administrative privileges.

Risk Rating:
============
-Critical

Patch Availability:
===================
- A patch is available to fix this vulnerability. Please read the
Security Bulletins at
http://www.microsoft.com/technet/security/bulletin/MS03-040.asp
http://www.microsoft.com/security/security_bulletins/MS03-040.asp
for information on obtaining this patch.


- ---------------------------------------------------------------------

THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS
PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS
ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE
FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL,
CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF
MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE
POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION
OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO
THE FOREGOING LIMITATION MAY NOT APPLY.




-----BEGIN PGP SIGNATURE-----
Version: PGP 7.1

iQEVAwUBP34rCY0ZSRQxA/UrAQFmqAgAlS+ZctG+OT7Rd49WfGdz2ISdMNZ1E1ay
IpWYrj5leBrc5KTLf7fadhy9209A96gppJbV6lIWqP1gvQWrWaW8XZzyhvsX7FH+
922nYeQLUsPp3R+wA2jZP6OvcfTFOUqa4nDM9oisO7qMEc2SuDdQWont2IzeAf6h
3P6VjblfQ72pxPAYuFSRN0xKZGzqcSKqWYwy+APgjp3a+J1tO17ur+1jhz6BgI9w
CZcAOxluayX6IxOixaWFBZUmiITGFImYFY1Ql+LQSdTCVv11R+IKrhAsRwfyfA9r
7AqjjZfWrB/ScpPdrobt3W9eFSxgHCjMen7SIB5SuTldsWwpu7IBHg==
=vhUD
-----END PGP SIGNATURE-----

--
"Don't lose sight of security. Security is a state of being,
not a state of budget. He with the most firewalls still does
not win. Put down that honeypot and keep up to date on your patches.
Demand better security from vendors and hold them responsible.
Use what you have, and make sure you know how to use it properly
and effectively."
~Rain Forest Puppy
http://www.wiretrip.net/rfp/txt/evolution.txt

 

[Gary S. Terhune]

No, it wasn't, Robert. I grabbed the wrong post to reply to.

My Bad! Sorry!

--
Gary S. Terhune
MS MVP for Windows 9x

*Recommended Help Sites*
http://www.dts-l.org
http://www.mvps.org
http://www.aumha.org

How to Use the Microsoft Product Support Newsgroups
http://support.microsoft.com/?pr=newswhelp
+++++++++++++++++++++++++++++++++++++++++

 

[Gary S. Terhune]

Excuse me? Not using Windows Updates is an "unwise choice as to safe practices"?

Suggesting that some other option exists than using Windows Updates is an
"unwise choice as to safe practices"?

Give me a break, Papa! And don't put words into my mouth. I did not equate
"General User" with "Idiot". You did, by claiming that telling general users
that some other option for downloading and installing patches exists other than
WinUp, some that are, in fact, superior in many ways... By claiming that telling
the "general user" about such options is leading them astray and into
potentially hazardous territory, and therefore we should all be ashamed of
ourselves for even suggesting it...

Seems to me that *you* are the one implying that the "general user" is an idiot.

As for my use of the term "idiot" (my use of that term, mind you), it's a
technical term, not intended as denigrating. Indicates a user who's operating a
technology they are ill-equipped to operate, and potentially who's knowledge of
the technology they operate borders on the dangerous, both to themselves and to
the rest of us. In most cases, this is due to being sold something that they
really have no business owning or operating, by people who have convinced them
that "any idiot can do it".

--
Gary S. Terhune
MS MVP for Windows 9x

*Recommended Help Sites*
http://www.dts-l.org
http://www.mvps.org
http://www.aumha.org

How to Use the Microsoft Product Support Newsgroups
http://support.microsoft.com/?pr=newswhelp
+++++++++++++++++++++++++++++++++++++++++

 

[Me2]

PA Bear,

So I read from your link that known Trojans/virus/whatever were hijacking IE
at least as far back as 09/27/03
(http://news.com.com/2100-7349-5083234.html).

Doesn't this just make it more outrageous that Microsoft does not counsel
it's customers to restrict IE use or pull the plug on IE until a fix is
available - when a known vulnerabilities is starting to be exploited? What
was (and is) Microsoft waiting for - a full blown active attack effecting
millions of systems? This makes me feel even better about security support
from M$.

I believe that Microsoft is working very hard on producing the patches and
stuff. But it would be *nice* when a new vulnerabilities is ACTIVELY being
exploited that Microsoft warn their customers. When a manufacture knows
that a certain type of tire can blowup on your car, these tires ARE blowing
up on cars, wouldn't you like to know before you go to drive?

If Microsoft does not have a network monitoring center (or whatever you want
to call it) to notice things like Trojan.Qhosts (and the other nasties you
fight), then they should. Symantec seems to have something - news reports
say that "Symantec on alert after surge in net activity - in response to a
substantial jump in domain name server-related activity across the globe".
Symantec must have it more together than Microsoft when it comes to looking
out for security problems.

Sorry, for my hot-headedness. When the bugs bug me I'm bugged!
Me out

Without wading through the 80+ posts to this thread since I last visited it,
please note that Trojan.Qhosts was only identified by anti-virus
manufacturers on Wednesday, 01 Oct-03, though this (unnamed at the time) and
similar exploits have been a hot topic in recent weeks amongst those of us,
MVP and non-MVP alike, trying to nail new hijackware before it gets too
out-of-hand. See "Are You Trying to Get to Google" in Spyware Weekly
Newsletter, 30 Sept-03:
http://www.spywareinfo.com/newsletter/archives/0903/30.php.

I can assure you that the MS Security team has been working diligently to
patch vulnerabilities but no one, including MS, knew fully about this
specific Trojan.Qhosts exploit until a few days ago.

Hijackware is now the #1 cause of several thousands of posts to the IE
newsgroups each and every day. New MVPs Siljaline and TonyKlein received
their awards in recognition of the efforts they've made in the past year
identifying such malware and helping those in the online community deal with
its affects.
--
HTH...Please post back to this thread

~Robear Dyer (aka PA Bear)
MS MVP-Windows (IE/OE)
http://mvp.support.microsoft.com
AH-VSOP
http://forum.aumha.org/

...A machine at my organization was infected with
Trojan.Qhosts BEFORE ms03=040 was released !!! The machine was behind a
firewall, using a proxy, full up-todate patches, latest antirus. Why do
you
think M$ rushed this patch on Firday night? Have you even read the
Qhosts
news articles?

Microsoft knew about the vulnerabilities AND knew that thousands of
machines
were being infected with Qhosts but Microsoft still did not issue [an]

alert
<snip>

 

[Bill Sanderson]

And you thought the opposition was right when they said IE wasn't an
integral part of the OS?
(meant jocularly, but it probably isn't the least bit funny.)

 

[PA Bear]

As another (MVP Richard Harper?) pointed out in this overly-long thread
[Yeah, I'm adding to it!], when any software manufacturer publicly
acknowledges any vulnerability, doing so also draws it to the attention of
bad guys who are tempted to create, often successfully, malware/Trojans to
exploit the vulnerability before a patch can be written, thoroughly tested,
and released to end-users. I think you can easily see it's a tough call to
make.

And how would it serve Microsoft's interests if it were negligient enough to
assist in creating more vulnerability for Windows users?

The fact that a Cumulative Patch for IE was released late on a Friday or
anytime on a Saturday (depending on where one lives on this planet) and with
great fanfare gives you a clue as to both the critical nature of this patch
and the extra resources (read: MS coders and testers) who were pushed to
accomplish the task.

At least that's my take on it.

Your tire analogy is a poor one to me. The vulnerability addressed in
MS03-040/Q828750 *may* cause inconvenience to some Windows users (and if
your virus definitions were up-to-date, all current MS patches were
installed, and you practiced Safe Hex, you weren't very vulnerable in the
first place). The Ford Motor/Firestone fiasco (http://snurl.com/2kk0) in
comparison *killed* hundreds, if not thousands, of people (an inordinate
number of them from Latin America and Third World countries). And Firestone
did warn Ford about the dangers associated with underinflating the tires but
Ford chose to ignore it in the interests of sales and corporate greed
(IMHO). (BTW Firestone was forced out of business, but not Ford.)[/QUOTE]

 

[Bill Sanderson]

Show me the digital signature in Jerry's post?

I think that is what Phil was complaining about, and I think it is a valid
criticism. Here we've been hyping:

http://www.microsoft.com/security/antivirus/authenticate_mail.asp

and although two of the three bulleted points are covered, there's no
digital sig.

I'm of two minds about this--I don't relish talking newbies through
acquiring PGP and learning how to validate the signatures--I've never done
this myself! However, it's a very reasonable thing to do, and Larry
Samuel's post does it right (well, with postscripts!)

 

[Papa]

Really? Give ME a break. No matter how you want to slice it, using the
Update button is the one positively safe way to get your OS updated. Other
sources, even though some of them are legitimate, are chancey because the
user can inadvertently (and easily) click on the wrong post or go to the
wrong URL.

And your use of the word "idiot" is not technical, it's patronizing.

So please get back to giving out the excellent advice we have come to
expect. In this thread, you and some of the other MVPs have gone far astray.

 

[Gary S. Terhune]

Can't say it any plainer, Papa. On this, you are plain *wrong*.

In fact, I can envision ways that someone could highjack the Windows Update
shortcut in Windows systems much more easily than they could highjack
http://www.microsoft.com/technet

The former is rather easy to do, in fact, while the latter is nearly impossible.
Of course, only an idiot would fully trust either a *link* to TechNet *or* a
shortcut on their Desktop. Which is why idiot-proofing is so dangerous--makes it
too easy to hide nasties behind the veil of simplicity.

--
Gary S. Terhune
MS MVP for Windows 9x

*Recommended Help Sites*
http://www.dts-l.org
http://www.mvps.org
http://www.aumha.org

How to Use the Microsoft Product Support Newsgroups
http://support.microsoft.com/?pr=newswhelp
+++++++++++++++++++++++++++++++++++++++++

 

[Stefan Berglund]

On Sun, 5 Oct 2003 20:26:41 -0400, "Bill Sanderson"

And you thought the opposition was right when they said IE wasn't an
integral part of the OS?
(meant jocularly, but it probably isn't the least bit funny.)

No Bill, I was never that naive. But, I'll tell you what I do
think. Look for the price of software to climb exorbitantly.
Because, regardless of the outcome of the class action suit filed
against MS this week regarding the vulnerabilities of their
software, there ~will~ be subsequent legislation which will
result in the vendor being held liable just like the auto
industry and the tobacco industry and I'm sure you can name many
others.

There will be no more disclaimers disavowing responsibility and
there will be no more posts signed: This posting is provided "AS
IS" with no warranties, and confers no rights.

I'm not a ~the apocalypse is coming~ person by any means, but the
party is over and the industry as we have all known it is about
to undergo a major overhaul. Unfortunately for us, our
legislators will wait until these virus mongers kill a few
hundred or a few thousand people by taking out a communications
hub or what have you before they come to their senses and
consider this for the crime it is.

This is not funny, and it's not innocent script kiddies. These
bastards must be made to pay. Perhaps, death by firing squad.
Nah, too lenient.