Click HereClick Here
home features news forums classifieds faqs links search
5219 members 
Amiga Q&A /  Free for All /  Emulation /  Gaming / (Latest Posts)
Login

Nickname

Password

Lost Password?

Don't have an account yet?
Register now!

Support Amigaworld.net
Your support is needed and is appreciated as Amigaworld.net is primarily dependent upon the support of its users.
Donate

Menu
Main sections
Home
Features
News
Forums
Classifieds
Links
Downloads
Extras
OS4 Zone
IRC Network
AmigaWorld Radio
Newsfeed
Top Members
Amiga Dealers
Information
About Us
FAQs
Advertise
Polls
Terms of Service
Search

IRC Channel
Server: irc.amigaworld.net
Channel: #Amigaworld
Channel Policy and Guidelines

(Uses JAVA Applet and Port 1024)
Visit the Chatroom Website

Who's Online
 46 guest(s) on-line.
 2 member(s) on-line.


 Ami603,  amigang

You are an anonymous user.
Register Now!
 Ami603:  6 secs ago
 amigang:  3 mins ago
 zzd10h:  9 mins ago
 Rob:  16 mins ago
 jtsiren:  18 mins ago
 tonyw:  21 mins ago
 minator:  35 mins ago
 thellier:  36 mins ago
 strim:  43 mins ago
 saimon69:  48 mins ago

Miscellaneous News   Miscellaneous News : Microsoft admits 'critical' flaw
   posted by DaveyD on 11-Feb-2004 0:18:15 (1479 reads)
Microsoft has warned that a "critical" flaw in the latest versions of its Windows operating system could allow hackers to access a person's computer.

In its monthly security bulletin, the world's largest software maker said Windows versions NT, 2000, XP and Server 2003 were affected.


Giving the problem its highest security rating of "critical", Microsoft has called on users to download a software repairing patch free from its website.

This is said to cure the problem.


The flaw is also said to be completely unconnected with the latest clutch of computer viruses currently causing problems around the world.

'Serious vulnerability'

It could however allow hackers to quietly break into someone's computer to steal files, delete data, or eavesdrop on what that user is doing.

Marc Maiffret of eEye Digital Security, the US company that discovered the Windows flaw, said it was a major issue.

"This is one of the most serious Microsoft vulnerabilities ever released," said Mr Maiffret.

"The breadth of systems affected is probably the largest ever."

He added: "This is something that will let you get into internet servers, internal networks, pretty much any system."

Keynote speaker

Microsoft security executive Stephen Toulouse urged users to download the free upgrades.

He said the problem software was "an extremely deep and pervasive technology in Windows".

Craig Schmugar, a virus research manager at US computer firm Network Associations, recommended that people install the patches "as soon as possible".

Microsoft's disclosure comes just weeks before chairman Bill Gates is to deliver a keynote speech at a key computer security conference in San Francisco.

Source: BBC
    

Related Links
· More about Miscellaneous News
· News by DaveyD


Most read story about Miscellaneous News
DiscreetFX Partners Makes an Urgent Appeal to the Amiga Community

Last news about Miscellaneous News
New Amiga.org Design Mugs Available
Printer Friendly Page  Send this Story to a Friend

PosterThread
Bodie 
Re: Microsoft admits 'critical' flaw
Posted on 11-Feb-2004 0:23:21
#1 ]
Super Member
Joined: 9-Jan-2003
Posts: 1438
From: Azjol-Nerub

ah ha! this means our winME machine is the most secure

 Status: Offline
Profile     Report this post  
mjohnson 
Re: Microsoft admits 'critical' flaw
Posted on 11-Feb-2004 0:41:59
#2 ]
Super Member
Joined: 11-Aug-2003
Posts: 1297
From: going to and fro in the earth, and from walking up and down in it.

@Bodie

Nah, yer Miggy's more secure.

 Status: Offline
Profile     Report this post  
The_Editor 
Re: Microsoft admits 'critical' flaw
Posted on 11-Feb-2004 4:40:31
#3 ]
Elite Member
Joined: 7-Mar-2003
Posts: 7625
From: 192.168.0.02 ..Pederburgh .. Iceni

Sounds like a neat Scam to get pre XP owners to install a convienient patch. Wonder what other code is lurking in that patch ?

 Status: Offline
Profile     Report this post  
BrianHoskins 
Re: Microsoft admits 'critical' flaw
Posted on 11-Feb-2004 7:39:32
#4 ]
Cult Member
Joined: 4-Jan-2003
Posts: 623
From: South Wales, UK

Downloading "security patches" is all my Windows machine next to me seems to do, they're coming out with them all of the time. When I first bought the machine I was prompted to do a Windows update (was on dialup at the time) and when I clicked on it I was presented with a list as long as my arm! And not small updates either, it took FOREVER. Infact I got so pi**ed off with it taking all my dial-up bandwidth that I ended up taking it into work and sticking it on the LAN to complete the download.

The amount of updates it's had, it must be a whole new Operating System by now.

I suppose at leas they ADMIT these security flaws straight away and provide you with the updates cost-free. It'd be worse if they attempted to cover up these sorts of things.

This always makes me wonder how AmigaOS would stand up to the attempts of a hacker though. I always feel safer using my Amiga on the internet, but that's mainly because most of the hackers are not familiar with AmigaOS and would probably not bother attempting to compromise it, and none of the trojans or viruses doing the rounds will effect my Amiga either. But if the Amiga was suddenly to become the world's leader in desktop computer/OS then I wonder how long it would be before AmigaInc released security patches for AmigaOS?

Is AmigaOS significantly more robust in terms of security issues or do we not worry about it merely because our OS is not under the spotlight?

Brian

 Status: Offline
Profile     Report this post  
Bean 
Re: Microsoft admits 'critical' flaw
Posted on 11-Feb-2004 7:55:03
#5 ]
Super Member
Joined: 4-Apr-2003
Posts: 1225
From: U.K.

I have to be honest, when I saw the security update on Microsoft's website I totally dismissed it as "yet another security patch.". After reading the above it looks like I'm going to have to apply this one to my work machine quickly.

There are so many updates these days that it's getting pretty ridiculous.

Ah well..

 Status: Offline
Profile     Report this post  
olegil 
Re: Microsoft admits 'critical' flaw
Posted on 11-Feb-2004 8:05:02
#6 ]
Elite Member
Joined: 22-Aug-2003
Posts: 5414
From: Work

Basically, you can only have a security hole in an open service, the io mechanism (ip-stack, keyboard-input etc) or the login mechanism itself.

I would say a BSD based ip stack is likely to be quite safe. So unless you open up any services (like telnet, samba, http and so on) you are safe.

If you need one of these open, you will need to figure out which are safe and which are not.

For instance, samba can not be considered as safe as http, because one is (usually) a free-for-all webservice hosted by a professional webserver (apache) while the other is a reimplementation of a Microsoft protocol, using an inferior password mechanism.

So for a LAN with samba, you'll need a firewall. Setting the Amiga to accept samba traffic only on the internal network, not from the internet, should be possible. In which case it will act as a firewall.

Now, if you insist on using a different webserver than apache, you're on your own.

And telnet should of course not be used. By anyone. For anything.
Use ssh instead.

Remember that a firewall is only ever as secure as the ip stack it is running on (in fact less, because if there's x bugs in the ip stack and y bugs in the firewall the resulting number of holes is x+y and neither can be a negative number. Zero bugs should be aimed for but the only way to ever get it (try to scientifically proove that there is no bugs ) is to have zero functionality (see OpenBSD for more examples ), so if you do not trust the ip stack on a machine, you'll need to find a better machine to run the firewall on. This machine and its ip stack should have as little functionality as possible (outside the firwalling capabilities).

Hmm, I wonder if any of the above made sense?


Anyway, a "popular" type of security hole is an overflow on username/password input or similar. If the programmer makes a bummer there, nothing will save you.

The way this works is that the buffer meant to handle the user input isn't large enough to handle the data coming in, so other data in memory gets overwritten. The trick here is to overwrite data that is actually CODE, with OTHER code. Then you can make the system do whatever you want. But you need to do it in assembly, which is where security by obscurity enters. If you are running the not most popular CPU, you will likely not be the target of the first wave of scripts for the script kiddies. Which means you have at best a few days to close the vulnerability before someone thinks of targetting you.

Unless you platform becomes so popular that it is worth it.
But a corporate platform is always more popular to hack than a private platform, because the resulting bandwidth available for emailing and DDOS is so much greater, along with the possibilities to sneak off with IP

I mean, if someone could choose which of my computers to hack into, the work PC with proprietary code and PCB designs, or the home PC with maybe two games, open source applications and MPlayer (it's my home entertainment system) installed, which do you think he would target? Yeah, duh

 Status: Offline
Profile     Report this post  
Chris_Y 
Re: Microsoft admits 'critical' flaw
Posted on 11-Feb-2004 10:05:13
#7 ]
Elite Member
Joined: 21-Jun-2003
Posts: 2870
From: Beds, UK

@BrianHoskins

I'm surprised people still use Windows, the amount of serious security issues and viruses it has had, even over the last three or so months. The amount of time it takes to update on dial-up, it is no wonder that people have unpatched WIndows machines on the Internet.

I read an article a few days ago about a service pack for (I think) Windows Server 2003. It said that due to security issues, the update will include a firewall. I instantly wondered why they didn't just fix the security holes.

@olegil
It depends, is the second machine an AmigaOne? Does it have OS4 on it? Now, that's an incentive to hack in.

Chris

 Status: Offline
Profile     Report this post  
BobC. 
Re: Microsoft admits 'critical' flaw
Posted on 11-Feb-2004 15:13:01
#8 ]
Cult Member
Joined: 9-Mar-2003
Posts: 556
From: Mid Atlantic State USA

Seems the coming of the Amiga has saved me some grief because I have held off updating my OS and still use Windoze98 not even 98SE, AMD CPU. Its has been a pain in other ways of course (almost NEVER boots 1st try and can take 10 or 15 tries to boot some days..SIGH!) I have so many programs on it I loath to wipe and reload.

I have a second slightly slower AMD dual boot system (Win98/Redhat9) that works well and I'm gonna slowly transfer.

Anyway I can't wait to see the the A1 up and running so I start my Windoze withdrawal and get back to an Amiga again.

@olegil

Nice explanation, thanks.

Bob C.

 Status: Offline
Profile     Report this post  
Geomol 
Re: Microsoft admits 'critical' flaw
Posted on 11-Feb-2004 15:31:59
#9 ]
Regular Member
Joined: 19-May-2003
Posts: 214
From: Denmark

(Slightly Off Topic)

I was sitting in Opera and went to MS site for WindowsUpdate:
http://windowsupdate.microsoft.com/

It redirect me to:
http://v4.windowsupdate.microsoft.com/default.asp

where I get the message, that I should upgrade to Internet Explorer 5 or higher. So I use Quick Prefs in Opera to make it identify as MSIE6.0, refresh the page, and now I get the message:

<citat>
Thank you for your interest in Windows Update

Windows Update is the online extension of Windows that helps you get the most out of your computer.

Follow these steps to access Windows Update through the Help and Support Center:
Click Start, and then click Help and Support.
If you are running Windows XP, click Keep your computer up-to-date with Windows Update.
If you are running a Windows Server 2003 operating system, click Windows Update.
</citat>

So I need the latest IE to get a message to use another program???
WHY is this company still in business? They keep on destroying the computer market, destroying free market. What happened to the law suit from all those american states against MS? (Not to say all the companies, that have cases against them.)

/John.

 Status: Offline
Profile     Report this post  
Rudei 
Re: Microsoft admits 'critical' flaw
Posted on 12-Feb-2004 11:19:45
#10 ]
Elite Member
Joined: 20-Nov-2002
Posts: 3499
From: Dallas, Texas

Oops!

 Status: Offline
Profile     Report this post  
Esquilax 
Re: Microsoft admits 'critical' flaw
Posted on 12-Feb-2004 18:00:51
#11 ]
Regular Member
Joined: 30-Jan-2004
Posts: 136
From: Scotland

Patch number 985298289323668 applied

 Status: Offline
Profile     Report this post  
Intuitioned 
Re: Microsoft admits 'critical' flaw
Posted on 15-Feb-2004 17:13:31
#12 ]
Super Member
Joined: 27-Oct-2003
Posts: 1340
From: Unknown

I found it quite ammusing when applying a security patch to IE5. It told me to upgrade to IE6 which I did, then it told me it needs 5 more security updates than I started with!

I can't keep up with these updates. I found it unusual that the security flaw made it to the mainstream news as these flaws are every day occurances. Windows upate is no use as says I don't need any more updates. But, just this week there is "MS04-007 ASN.1 Vulnerability Could Allow Code Execution (828028)" and "MS04-004 Cumulative Security Update for Internet Explorer (832894)".

Last week I got another DCOM RPC type of virus called Gaobot.gen. I have thought the msblast update would have prevented this, and the ZoneAlarm firewall did not block the effected ports either.

The trouble is Microsoft just does not have a security mindset. They had to bribe their employees by having a bonus scheme for identifying and preventing security flaws. They keep churning out more and more bloated code than they can test effectively. One of the susposedly benifits of NT / Win2k / XP Pro is that it has C2 level security, but it seems more insecure than ever!

 Status: Offline
Profile     Report this post  
[ home ][ about us ] [ forums ][ classifieds ] [ links ][ news archive ] [ link to us ][ user account ]
Copyright 2000 - 2011 Amigaworld.net.

Page took 0.128617 seconds to load.