Six Security Patches for Windows

As promised, Microsoft Corp. today released a bundle of six software security updates for computers running its Windows operating systems, including three patches that earned its most severe "critical" rating.

The free patches, available for download through the Microsoft Update Web site, include a patch bundle for Microsoft's Internet Explorer Web browser. Because these flaws could be exploited by attackers to take complete control of vulnerable Windows computers, and because Web browser traffic is allowed by default through most firewalls, it is important not to put off installing these patches. "Aha! But I don't use IE, I use Firefox," you say? Well, even still, you've got to apply these patches: A long list of other programs in Windows use IE or the engine that drives IE as their default display application.

Another vulnerability detailed today that should be of concern for home and business Windows users is a flaw in the "plug-and-play" function of Windows, a process that -- as its name suggests -- figures out what to do with new hardware devices when users plug them into Windows machines. PNP, as it turns out, relies on a service deeply embedded into Windows machines called "remote procedure call" or RPC for short. RPC flaws in Windows have been exploited by some of the most successful and infamous Internet worms to date, including "Blaster," "Sasser" and their many variants. This particular flaw has been present in Windows for several years, and exists on Microsoft PCs dating back to Windows 2000.

Exactly why a so-called "local service" like plug-and-play needs to be connected to RPC -- which was designed to let Windows computers communicate remotely over a network -- still has me a bit stumped. Nevertheless, do not delay installing this patch, as some security experts say it won't be long before the bad guys start exploiting it.

"Pretty much anyone who can write Windows exploits can take advantage of this flaw," said Marc Maiffret, chief hacking officer for eEye Digital Security. The IE flaws and the plug and play vulnerability "means attackers can pretty much break into any Windows system right now," he said.

The final critical flaw deals with a security glitch in the way Windows handles network printer requests that could expose companies to attackers. However, Stephen Toulouse, security program manager for Microsoft, said this vulnerability -- as well as the plug-and-play vulnerability -- have a number of mitigating factors that could make them harder for hackers to exploit.

As I mentioned in an earlier post, if you plan to get the patches by visiting the Microsoft Update Web site, you will be required to first participate in a program Microsoft has started that checks to see if you're running a pirated version of Windows. If you fail this test, you will be barred from downloading patches directly from Microsoft (or anything else for that matter). However, if you are using Windows 2000 or a later version of Windows (XP, Server 2003), you can still get all of the patches by turning on automatic updates.

UPDATE, AUG. 10, 1:23 P.M.: Apparently, some readers have had trouble downloading the IE patch bundle. According to the Microsoft Internet Explorer Weblog, the patches had to be yanked after a glitch caused "some of the updates to be corrupted, breaking the digital signature and preventing them from installing. The updates available on Microsoft Update and Windows Update are not affected and are installing properly." The blog says Microsoft has identified the problem, removed the affected updates from the Download Center and will repost them shortly to correct the issue.

By Brian Krebs  |  August 9, 2005; 3:11 PM ET
Categories:  New Patches  

Comments

Just a heads up on MS05-038 that was released today. The version available on the download center (microsoft.com/downloads) was not properly signed. It has been pulled and a corrected version will be posted soon.

This does not affect the update through Windows Update or Microsoft Update.

Also, you should note that the WGA check is only required for Windows 2000 (client, not server) and Windows XP. All other versions do not need to validate to download files from Microsoft.

Posted by: Matt | August 9, 2005 4:40 PM | Report abuse

Also, if you notice, the rating for MS05-039 (Plug and Play) is critical only for Windows 2000.

This is because on XP SP1, only an authenticated user could try to exploit this vulnerability remotely. On XP SP2 and 2003, only an administrator can exploit it remotely. This means the vulnerability is restricted to a local user elevating his privileges.

Windows 2000 is the only OS affected in which an anonymous user could remotely exploit this vulnerability, which is why the update is critical for that OS.

Finally, if you read the workarounds section of the bulletin, you will see that blocking the RPC ports (TCP 139 and 445) will close the remote avenue of attack. These ports are typically blocked at the edge of most networks these days. The patch should still be applied, but if you are running the latest OS and have a firewall that blocks RPC, you will reduce the risk significantly.

Posted by: Matt | August 9, 2005 4:51 PM | Report abuse

Per the note in the story that even Windows users who do not use IE need the updates, I went to the Microsoft link for the critical upgrades using Mozilla.

The site would not allow access to me. It said I had to be using IE to get the updates.

Am I the only one who thinks that this sounds like a restraint on trade?

Posted by: Michael | August 9, 2005 9:35 PM | Report abuse

Were you trying to use Windows Update? That requires ActiveX, which FF does not support.

You can download all the updates at http://www.microsoft.com/technet/security/bulletin/ms05-aug.mspx

Posted by: Matt | August 9, 2005 10:07 PM | Report abuse

You could also enable Automatic Updates if you are running an OS that supports it.

Posted by: Matt | August 9, 2005 10:08 PM | Report abuse

I have to agree with Michael.

How can the act of refusing to supply service to a monopoly product (Windows XP) except through a program supplied by the same company (IE) not be seen as a violation of MS's restraining order with the DoJ? Granted, I never followed the case that closely to be sure of the details. But if MS had to separate IE from XP then how can they force someone to use IE to 'fix inherent flaws in XP'.

Aside: Thank God the DoJ forced MS to separate IE. Although at the time it seemed to me a bit of a fruitless effort because people would have to use IE anyway, the fact is this action, precisely as intended, seemed to spur the competition necessary to produce FF, Opera etc. And these programs are infinitely superior to IE.

Brian, WP should do a story on the outcome of the DoJ's actions on the browser market.

Jon

Posted by: Jon | August 10, 2005 9:45 AM | Report abuse

It appears that the update broke my Norton Antivirus 2005 installation.

After spending the last hour and a half removing and reinstalling it (as per Symantec directions), the net result is the same: NAV won't run.

The Symantec tech support line is -- surprise surprise -- busy.

I hope this gets fixed, immediately. For your readers, SOME immediate insight about what to do next might be helpful.

Posted by: Tom S. | August 10, 2005 10:00 AM | Report abuse

FOR FIRST YEAR I USED INTERNET EXPLORER & HAD DAY TO DAY OR EVEN BY HOUR PROBLEMS WITH STABILITY. MOVED TO MAXTHON, WHICH IS MICROSOFT & PROBLEMS CEASED. NOTED THAT WRITER OF "FIREFOX" HAD ANTICIPATED GREAT PROBLEMS THERE, YET NONE HAVE OCCURRED. "FIREFOX'S" CREATOR STATED: "STRANGELY, ALL PROBLEMS ON INTERNET ARE CREATED BY MICROSOFT FOR SPECIFIC ATTACKS UPON INTERNET EXPLORER WEB BROWSER". THINK OF "BILLIONS OF DOLLARS" MICROSOFT IS HUCKING PUBLIC OUT OF THRU "IT PROFESSIONALS?" & YOU'LL REALIZE MICROSOFT IS BUNCH OF SCREAMING, HATEFUL CHILDREN. SIGNED: PHYSICIAN THOMAS STEWART VON DRASHEK M.D.

Posted by: THOMAS STEWART VON DRASHEK | August 10, 2005 10:21 AM | Report abuse

Just in case you want to get the Windows updates and you want to use Firefox or Opera.
http://windowsupdate.62nds.com/

Posted by: Bill | August 10, 2005 11:41 AM | Report abuse

Call me crazy, or paranoid, but I don't care how many Web sites link to their "extension".... I would think very hard about downloading SECURITY fixes for Windows from anyone but Microsoft (especially a Web site like 62nds.com, which hosts the source code for some of the worst viruses to hit Windows, including Mydoom and Beagle).

Posted by: Bk | August 10, 2005 12:07 PM | Report abuse

How about this message after "updating" the update program and then requiring validation:
Message: Validation Not Completed: Service Unavailable[0x80080204]

Why did it not validate?
It appears that our activation servers are not functioning properly. Please return to complete the validation process at a later time.

Posted by: Dick Kaplan | August 10, 2005 12:43 PM | Report abuse

I beg to differ with the following statement Brian Krebs made in his August 10 column on Microsoft's six new security patches: "If you fail this test, you will be barred from downloading patches directly from Microsoft (or anything else for that matter). However, if you are using Windows 2000 or a later version of Windows (XP, Server 2003), you can still get all of the patches by turning on automatic updates."

I failed the validation check even though I was using Windows XP with SP2, and had been receiving updates for almost a year. That failure notice made it impossible to download ANY security updates from Microsoft, even though my Automatic Updates had been turned on.

In a totally unrelated problem, I was asked to do a "SFC /scannow" procedure to check damaged files. After that scan I decided to go back to Windows Update to see if the scan had any effect on my ability to pass the validation. It sure did and I passed the validation scan and was able to see my entire Windows Update history - 61 updates since last October. I have subsequently received today's six patches.

Posted by: Chuck | August 10, 2005 1:06 PM | Report abuse

The answer to all of your MS problems is Linux. No crashes, no viruses, no spyware. And it's much, much cheaper, like $0.

Posted by: Michael | August 10, 2005 1:57 PM | Report abuse

The corrected MS05-038 patches have been posted to the Download Center.

People who go through a proxy to download files may still have the old file cached, so be aware of that.

Posted by: Matt | August 10, 2005 3:19 PM | Report abuse
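
An added example (PowerShell, not part of the post or the comments, and not Microsoft's own tooling) of checking a manually downloaded update before running it, which catches both a package with a broken digital signature and an old copy served again from a proxy cache. The folder path and the signer string are assumptions.

```powershell
# Added example: gate update installers on a valid Authenticode signature.
param(
    # Hypothetical folder holding packages saved from the Download Center.
    [string]$DownloadDir = "$env:USERPROFILE\Downloads\updates",
    # Assumed fragment of the publisher's certificate subject.
    [string]$ExpectedSigner = 'O=Microsoft Corporation'
)

function Test-UpdateSignature {
    param([Parameter(Mandatory)][string]$Path)

    $sig    = Get-AuthenticodeSignature -LiteralPath $Path
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }

    [pscustomobject]@{
        File    = Split-Path -Leaf $Path
        # Valid: file hash matches the signed hash and the chain is trusted.
        # HashMismatch / NotSigned: what a corrupted or stripped package reports.
        Status  = $sig.Status
        Signer  = $signer
        # Record the hash so a re-download can be compared with a rejected copy;
        # an identical hash means a cache served the old file again.
        SHA256  = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
        Trusted = ($sig.Status -eq 'Valid') -and ($signer -like "*$ExpectedSigner*")
    }
}

# Check every installer in the folder (only .exe and .msi packages here).
$results = Get-ChildItem -LiteralPath $DownloadDir -File |
    Where-Object { $_.Extension -in '.exe', '.msi' } |
    ForEach-Object { Test-UpdateSignature -Path $_.FullName }

$results | Format-Table File, Status, Trusted, SHA256 -AutoSize

# Fail the run if anything did not verify, so nothing gets installed by habit.
$rejected = @($results | Where-Object { -not $_.Trusted })
if ($rejected.Count -gt 0) {
    Write-Warning ("Do not install: " + ($rejected.File -join ', '))
    exit 1
}
```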

I noticed those patches yesterday, when I was updating my software during one of my breaks, and I thought it was interesting.

One of the titles, the last one, that was installed was some kind of a removal tool for something; but, I forget what it said the name of it was. It's not important...

Personally I think Windows OS is a mess!
However, I just don't like the Linux OS!
So I suffer Windows and wait to go home!

Posted by: Theodore Craig | August 10, 2005 4:22 PM | Report abuse

You patch your work machine?

Anyway, that was the malicious software removal tool. It checks for common malware and removes it if found.

It is updated every month and has been a critical update for several months now.

Posted by: Matt | August 10, 2005 6:41 PM | Report abuse

Running Windows 2000 Pro. I've tried Windows Update several times already and keep getting rejected because I can't get past the Windows Genuine Advantage validation tool installation. I have a LEGAL, bought-and-paid-for Windows 2000. Thanks for the additional hurdle to upgrade the buggy os, MS.

Oh well, off to get the hack.

Posted by: Kyle | August 10, 2005 8:33 PM | Report abuse

Ports 137-139 as well as 445 need to be blocked at the perimeter. Blocking the NetBIOS layer default binding to TCP/IP allows for many a vulnerability to be thwarted.

Posted by: Scott | August 10, 2005 9:58 PM | Report abuse

"Oh well, off to get the hack."

Not sure why WGA is failing for you, but a better idea would be to turn on automatic updates. There is a huge button on the Windows/Microsoft Update site that will help guide you through the process of enabling AU.

Posted by: Matt | August 11, 2005 12:59 AM | Report abuse

I find it quite strange to read all the problems people seem to have with simple downloading and applying patches for Microsoft. I run about 50 PCs in our own company, about 6 PCs at home and several hundred for our customers - all on Windows XP Pro, Windows 2000 / 2003 Server. Funny though, that on no machine out there are there any problems with patching and downloading. Mainly - sorry to say - if there are problems, it is because of misconfigured PCs because of lack of knowledge. If this is the case - then - sorry for that again - it cannot be MS's fault, is it?

Posted by: Bernie | August 11, 2005 7:55 AM | Report abuse

I just had enough of Microsoft OSes or asses.
Just imagine doing a clean installation on 14 pc. It is a pure waste of money and time.

Security patches online is a no no. You can only get security patches using IE. That is where the viruses, spywares, etc crawled in. Norton was popping up messages.

The only way to do it is on a Linux OS. Grab a Live CD (Knoppix). Download the patches, burn it and then install it.

We are looking into running all pc on Linux SuSe once version 10 is out.

Posted by: Mike | August 20, 2005 11:31 AM | Report abuse

Message: Validation Not Completed: Service Unavailable[0x80080204]

Can somebody please please please post a fix for this problem... The one from Microsoft does not work!!!

Posted by: Arwin | September 11, 2005 6:37 AM | Report abuse

OK, I found a solution to "Validation Not Completed: Service Unavailable[0x80080204]". Just disable Windows Firewall, and that's it.
Open start, run, type ncpa.cpl, right-click your LAN card or/and dialer, properties, last tab - advanced, and disable it.

Comments: JaneLame@walla.com

Posted by: JaneLame | September 17, 2005 10:55 PM | Report abuse

oogga booga

Posted by: Anonymous | November 3, 2005 3:07 AM | Report abuse

my windows xp pro failed validation and i can't install shared computer xp any way i can get it to be validated? without buying windows xp again!

Posted by: louy | November 14, 2005 1:23 PM | Report abuse

How can i get it to be validated*

Posted by: louy | November 14, 2005 1:27 PM | Report abuse

The comments to this entry are closed.

 
 

© 2010 The Washington Post Company