Microsoft Security Bulletin MS03-040 - 828750

  • Thread starter Thread starter Jerry Bryant [MSFT]
  • Start date Start date
cquirke said:
I don't *ever* confuse antivirus (exploit detection) with risk
management. The one is NOT a substitute for the other, and it's a
gross disservice to even the newest user to suggest that all they have
to do is keep thier av up to date, then they can do what they like.

At no point did I say this was the whole story. Its just the part of the
story that deals with the question under discussion.

Also, we must, I think, presume that the typical user doesn't want to be
anything close to a computer professional. They want to use a computer like
a television set. Protections have to be primarily simple and transparent
for them, and require little or no active participation by them. On my
security links page, I focus on four main themes: AV, firewall,
adware/spyware detection and removal, and *basic* "safe hex" rules. For the
typical user, I think we need to have basic rules that are the equivalent of
"look both ways before you cross the street, and pay attention to the color
of the light," and that's about as far as it can go.

--
Jim Eshelman, MS-MVP Windows
http://aumha.org/
http://WinSupportCenter.com/

Did you find this newsgroup on the web? A newsreader like Outlook Express
will make your online life a lot easier. Get better help! See:
http://aumha.org/win4/supp1b.htm and
http://support.microsoft.com/support/news/howto/default.asp
 
Gary said:
In fact, I can envision ways that someone could highjack the Windows
Update shortcut in Windows systems much more easily than they could
highjack http://www.microsoft.com/technet

Hijacks are easy!

Add this line to your c:\Windows\Hosts file:
66.39.115.252 windowsupdate.microsoft.com

Now launch Windows Update -- and I thank you for your patronage! <g>

--
Jim Eshelman, MS-MVP Windows
http://aumha.org/
http://WinSupportCenter.com/

Did you find this newsgroup on the web? A newsreader like Outlook Express
will make your online life a lot easier. Get better help! See:
http://aumha.org/win4/supp1b.htm and
http://support.microsoft.com/support/news/howto/default.asp
 
Papa said:
Days?? Hardly. I was aware of it simply by clicking on the Update
button and installing the two critical updates that were listed. When
did I do it? Friday, October 3rd.

That was this time. But it's not usual. "Days" is frequent, and "weeks" has
sometimes been the case.
Every user should frequently check for updates, whether they have the
update notification enabled or not.

Agreed.

--
Jim Eshelman, MS-MVP Windows
http://aumha.org/
http://WinSupportCenter.com/

Did you find this newsgroup on the web? A newsreader like Outlook Express
will make your online life a lot easier. Get better help! See:
http://aumha.org/win4/supp1b.htm and
http://support.microsoft.com/support/news/howto/default.asp
 
Please ignore this silly post.

I have now read the patch description, and retested. Firehole still fails
on the server, which is an excellent result, but I doubt it has anything to
do with this patch!

Bill Sanderson said:
FWIW, which is very little:

I've not had time to even read the patch description carefully, nor check
all the references.

I do have a server with a copy of Firehole, version 1.01, which is a sample
test exploit.

You can find this via google, I'm sure--it is quite safe.

My recollection is that exploit worked fine last time I tried it.

It fails after this patch.

I'm glad that hole is patched--now on to the others!

Me2 said:
"mass post" "cross post" same thing...

My basic question is: Does MS03-040 fix the Trojan.Qhosts bug??? Do we just
guess or wait for Symantec to tell us??

Thanks

Me2 said:
Jupiter, so, it's ok to mass post... Let e'r rip...

With MS03-040 M$ released a 6% fix with some good descriptions of what to
change with IE
security setting.

What I can not figure out is what exactly this is supposed to fix.
Trojan.QHosts? Something other kind of Trojan/virus/worm. The technical
details and FAQs have a lot of wording about this and that - all good stuff.
But it looks like it all comes down to two fixes (three if you include the
Media player update):

a.. Object Tag vulnerability in Popup Window: CAN-2003-0838
b.. Object Tag vulnerability with XML data binding: CAN-2003-0809

The odd thing is the two "CAN-xxxx-xxxx" links don't work in the security
bulletin. If I try to match it up to the 31 IE vulnerabilities listed on
"http://www.pivx.com/larholm/unpatched" then it looks like M$ fixed 2
of
the
31 (6%) leaving us with 29 (94%) IE vulnerabilities to go.

Still waiting for the other 94% of the IE fixes...

I am viewing this thread through the Microsoft servers and I do see a
difference.
Perhaps you need to read more posts.
People often point out that this information does not get enough
publicity in these newsgroups.
Now Microsoft posts this very information to the newsgroups and people
complain.
Microsoft will lose no matter what they do.
Some of the patches need massive exposure.
In a 2 hour time frame, I saw the information about this patch from at
least 4 different methods.
This is what it is sometimes necessary to do.

You can pick all you want, the point is the information is getting out
in a non threatening way.
There are NO attachments.
If you would like to panic over a legitimate post, what did you do
when all the viruses were here?

I obviously realize a lot more than you think, a point that should be
obvious to you if you only look.

--
Jupiter Jones [MVP]
An easier way to read newsgroup messages:
http://www.microsoft.com/windowsxp/pro/using/newsgroups/setup.asp
http://dts-l.org/index.html


Since "Jerry Bryant [MSFT] massively cross-posted (the same
technique the
'swen' worm uses in posting to newsgroups), this is somewhat
difficult to
explain, so I'll append an example of the same information that was
posted
to microsoft.public.security.virus (not cross-posted as the 'swen'
worm
cross-posts fake Microsoft Security bulletins [which, by the way,
ALSO have
valid hot-links to appropriate Microsoft websites, it's just that
they also
have a malformed header and an infected attachment]) in a much
better
fashion. If you are not viewing this thread in the
microsoft.public.security.virus you may not realize how bad the post
from
"Jerry Bryant [MSFT] looks in context.

Realize that millons of fake, infected "Microsoft Security
Bulletins" are
being sent out hourly by systems and networks infected by the 'swen'
worm.
Some of us are geting a thousand or more each day. That makes it
extremely
important to make every effort to insure any legitimate information
purporting to be from Microsoft to distinguish itself from that
provided by
the 'swen' worm.

Just in case you need a glimpse of the 'swen' worm product, look at
(but be
very, very sure that you have all necessary Microsoft security
patches and
Service Packs installed AND have an antivirus program with the
latest virus
definitions scanning all operations of your computer before looking)
the
post to microsoft.public.security.virus

Watch this security patch
From: Karol
Sent: 02OCT03 4:18 PM EDT


The post generated by the 'swen' worm has a malformed header AND has
the ~
106,000 byte infectious attachment. Open this attached file and,
without
up-to-date antivirus protection on your Windows 98 and up operating
system
and your system WILL be infected.
______________________
Quote Begins
______________________
-----BEGIN PGP SIGNED MESSAGE-----

- ------------------------------------------------------------------
----
Title: Cumulative Patch for Internet Explorer (828750)
Date: October 3, 2003
Software: Internet Explorer 5.01
Internet Explorer 5.5
Internet Explorer 6.0
Internet Explorer 6.0 for Windows Server 2003
Impact: Run code of attacker's choice
Max Risk: Critical
Bulletin: MS03-040

Microsoft encourages customers to review the Security Bulletins at:
http://www.microsoft.com/technet/security/bulletin/MS03-040.asp

http://www.microsoft.com/security/security_bulletins/MS03-040.asp
- ------------------------------------------------------------------
----

Issue:
======
This is a cumulative patch that includes the functionality of all
previously released patches for Internet Explorer 5.01, 5.5 and 6.0.
In addition, it eliminates the following newly discovered
vulnerabilities:

A vulnerability that occurs because Internet Explorer does not
properly determine an object type returned from a Web server in a
popup window. It could be possible for an attacker who exploited
this
vulnerability to run arbitrary code on a user's system. If a user
visited an attacker's Web site, it would be possible for the
attacker
to exploit this vulnerability without any other user action. An
attacker could also craft an HTML-based e-mail that would attempt to
exploit this vulnerability.

A vulnerability that occurs because Internet Explorer does not
properly determine an object type returned from a Web server during
XML data binding. It could be possible for an attacker who exploited
this vulnerability to run arbitrary code on a user's system. If a
user visited an attacker's Web site, it would be possible for the
attacker to exploit this vulnerability without any other user
action.
An attacker could also craft an HTML-based e-mail that would attempt
to exploit this vulnerability.

A change has been made to the method by which Internet Explorer
handles Dynamic HTML (DHTML) Behaviors in the Internet Explorer
Restricted Zone. It could be possible for an attacker exploiting a
separate vulnerability (such as one of the two vulnerabilities
discussed above) to cause Internet Explorer to run script code in
the
security context of the Internet Zone. In addition, an attacker
could
use Windows Media Player's (WMP) ability to open URL's to construct
an attack. An attacker could also craft an HTML-based e-mail that
could attempt to exploit this behavior.

To exploit these flaws, the attacker would have to create a
specially
formed HTML-based e-mail and send it to the user. Alternatively an
attacker would have to host a malicious Web site that contained a
Web
page designed to exploit these vulnerabilities. The attacker would
then have to persuade a user to visit that site.

As with the previous Internet Explorer cumulative patches released
with bulletins MS03-004, MS03-015, MS03-020, and MS03-032, this
cumulative patch will cause window.showHelp( ) to cease to function
if you have not applied the HTML Help update. If you have installed
the updated HTML Help control from Knowledge Base article 811630,
you
will still be able to use HTML Help functionality after applying
this
patch.

In addition to applying this security patch it is recommended that
users also install the Windows Media Player update referenced in
Knowledge Base Article 828026. This update is available from
Windows
Update as well as the Microsoft Download Center for all supported
versions of Windows Media Player. While not a security patch, this
update contains a change to the behavior of Windows Media Player's
ability to launch URL's to help protect against DHTML behavior based
attacks. Specifically, it restricts Windows Media Player's ability
to launch URL's in the local computer zone from other zones.

Mitigating Factors:
====================
- -By default, Internet Explorer on Windows Server 2003 runs in
Enhanced
Security Configuration. This default configuration of Internet
Explorer
blocks automatic exploitation of this attack. If Internet Explorer
Enhanced Security Configuration has been disabled, the protections
put in place that prevent this vulnerability from being
automatically
exploited would be removed.

- -In the Web-based attack scenario, the attacker would have to host
a
Web site that contained a Web page used to exploit this
vulnerability. An attacker would have no way to force a user to
visit a malicious Web Site. Instead, the attacker would need to lure
them there, typically by getting them to click a link that would
take
them to the attacker's site.

- -Exploiting the vulnerability would allow the attacker only the
same
privileges as the user. Users whose accounts are configured to have
few privileges on the system would be at less risk than ones who
operate with administrative privileges.

Risk Rating:
============
-Critical

Patch Availability:
===================
- A patch is available to fix this vulnerability. Please read the
Security Bulletins at
http://www.microsoft.com/technet/security/bulletin/MS03-040.asp

http://www.microsoft.com/security/security_bulletins/MS03-040.asp
for information on obtaining this patch.


- ------------------------------------------------------------------
---

THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS
PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS
ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE
FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL,
CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF
MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE
POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION
OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES
SO
THE FOREGOING LIMITATION MAY NOT APPLY.




-----BEGIN PGP SIGNATURE-----
Version: PGP 7.1

iQEVAwUBP34rCY0ZSRQxA/UrAQFmqAgAlS+ZctG+OT7Rd49WfGdz2ISdMNZ1E1ay
IpWYrj5leBrc5KTLf7fadhy9209A96gppJbV6lIWqP1gvQWrWaW8XZzyhvsX7FH+
922nYeQLUsPp3R+wA2jZP6OvcfTFOUqa4nDM9oisO7qMEc2SuDdQWont2IzeAf6h
3P6VjblfQ72pxPAYuFSRN0xKZGzqcSKqWYwy+APgjp3a+J1tO17ur+1jhz6BgI9w
CZcAOxluayX6IxOixaWFBZUmiITGFImYFY1Ql+LQSdTCVv11R+IKrhAsRwfyfA9r
7AqjjZfWrB/ScpPdrobt3W9eFSxgHCjMen7SIB5SuTldsWwpu7IBHg==
=vhUD
-----END PGP SIGNATURE-----


--
Larry Samuels MS-MVP (Windows-Shell/User)
Associate Expert
Unofficial FAQ for Windows Server 2003 at
http://home.earthlink.net/~larrysamuels/WS2003FAQ.htm
Expert Zone -


_______________
Quote Ends
--
Invisible Dance, (e-mail address removed)

Phil;
Why are you posting "It is meant to sound harsh"?
This is a newsgroup.
One purpose is to exchange of information.
Jerry gave information about an important Critical Update.
How much more of an explanation is needed.
Instead of wasting bandwidth, Jerry posted the relevant link,
click
it, the link works.
 
Bill said:
I'm of two minds about this--I don't relish talking newbies through
acquiring PGP and learning how to validate the signatures--I've never
done this myself!

And I *won't* do it. (Did for a few weeks when it first came out... but it's
just not worth it!)

--
Jim Eshelman, MS-MVP Windows
http://aumha.org/
http://WinSupportCenter.com/

Did you find this newsgroup on the web? A newsreader like Outlook Express
will make your online life a lot easier. Get better help! See:
http://aumha.org/win4/supp1b.htm and
http://support.microsoft.com/support/news/howto/default.asp
 
Frankly, I think the troll had a good point, although he certainly didn't
express it in the way I might have myself.
 
I agree--I won't do it either, not with a clear link pointing to a known
safe site.

However, it IS what their own document suggests is the appropriate way to
verify message validity.
 
You got me!

So, I retract my statement about TechNet being impossible to highjack. Foolish
statement, that. I can only blame fatigue from a 36-hour marathon diskedit and
de-garble session to extract a weeks worth of work my wife "lost" on her
machine. She accidentally saved a new file with the important file's name in
WordPerfect. And no second copy... God I hate word processors and all those
formatting characters! Want to insist that everything be done in NotePad, but I
don't think I'll be able to get her to comply with that one. At least, now, I've
convinced her of the need for automatic nightly backup or work product, even if
it's only to the same HD.

--
Gary S. Terhune
MS MVP for Windows 9x

*Recommended Help Sites*
http://www.dts-l.org
http://www.mvps.org
http://www.aumha.org

How to Use the Microsoft Product Support Newsgroups
http://support.microsoft.com/?pr=newswhelp
+++++++++++++++++++++++++++++++++++++++++
 
And I went a bit over the top in this debate. My apologies. (See, also, my reply
to Jim.)

My only point is that there is nothing that makes WinUp an intrinsically safer
source for updates than any other Microsoft.com source. And I just don't see the
value in over-simplifying, as you do, to the point of considering even the
suggestion that other options exist as doing the general user a disservice.
Certainly not to the point of establishing a Rule that Windows Updates is the
only safe source for Updates, and that any other procedure is dangerous or even
just foolish. That's simply not the case.

What *is* the case is that general users need to be taught, *quickly*, that
there are a lot of wolves in sheep's clothing on the internet, and I'm not just
talking about the super-nasties. The only real defense is to improve those same
users' knowledge about what procedures are and are not good for their
systems--"Safe Hex--What it is and why you need it." In this sense, I feel that
over-simplifying (what I call idiot-proofing) *is* doing these users a
disservice.

The only alternative to people being in large measure responsible for their own
systems, and taking it upon themselves to individually learn enough to protect
their own interests, is a is a Big Brother scenario. That scares me much more
than any of these current "scary" issues.

--
Gary S. Terhune
MS MVP for Windows 9x

*Recommended Help Sites*
http://www.dts-l.org
http://www.mvps.org
http://www.aumha.org

How to Use the Microsoft Product Support Newsgroups
http://support.microsoft.com/?pr=newswhelp
+++++++++++++++++++++++++++++++++++++++++
 
That was not a good point. It was a personal shot at Jerry, who was doing
nothing different than he has in years past. A good point would have
addressed the complaint primarily, and not resorted to name-calling and
insults right out of the gate. The post was moronic at best.
 
In addition to the name calling, he did point out the great similarity to
the behavior of Swen--the language, and the cross-post. He also called-out,
whether in that message or a different one, the lack of a digital signature,
which the reference we've all been touting suggests as one of three basic
elements to look for--Jerry's post has the other two.

Yes Jerry was doing just what he's always done. For Phil Weldon, however,
the world post-swen is a different place, and "how it's always been done"
isn't sufficient anymore.

I think he's correct, although I absolutely agree that his chosen form of
expression was over the top.
 
I've deleted this whole thread twice now and it just won't go away.

--
George (Bindar Dundat ©) MS-MVP
This information is provided "AS IS"
It may even be wrong!
For Windows Troubleshooting Tips see
9x/ME
http://aumha.org/win4/a/tshoot.htm
2000/XP
http://aumha.org/win5/a/tshoot.htm
| Actually, you may be right. :-)
|
| Sorry, the last time I read this much prose in one sitting it had a Russian
| author's name attached to it. <VBG>
|
| --
| Richard G. Harper (MVP Win9x) (e-mail address removed)
| * PLEASE post all messages and replies to the newsgroup so all may
| * benefit from the discussion. Private mail is usually not replied to.
| Help US help YOU ... http://www.dts-l.org/goodpost.htm
|
|
| | > Actually I think I did as a side comment to something Jim had stated.
| >
| > --
| > George (Bindar Dundat ©) MS-MVP
| > This information is provided "AS IS"
| > It may even be wrong!
| > For Windows Troubleshooting Tips see
| > 9x/ME
| > http://aumha.org/win4/a/tshoot.htm
| > 2000/XP
| > http://aumha.org/win5/a/tshoot.htm
| > | > | Actually, I think Jim pointed that out. <G>
| > |
| > | --
| > | Richard G. Harper (MVP Win9x) (e-mail address removed)
| > | * PLEASE post all messages and replies to the newsgroup so all may
| > | * benefit from the discussion. Private mail is usually not replied to.
| > | Help US help YOU ... http://www.dts-l.org/goodpost.htm
| > |
| > |
| > | | > | > As another (MVP Richard Harper?) pointed out in this overly-long
| thread
| > | > [Yeah, I'm adding to it!], when any software manufacturer publicly
| > | > acknowledges any vulnerability, doing so also draws it to the
| attention of
| > | > bad guys who are tempted to create, often successfully,
| malware/Trojans to
| > | > exploit the vulnerability before a patch can be written, thoroughly
| > | tested,
| > | > and released to end-users. I think you can easily see it's a tough
| call
| > | to
| > | > make.
| > | >
| > | > And how would it serve Microsoft's interests if it were negligient
| enough
| > | to
| > | > assist in creating more vulnerability for Windows users?
| > | >
| > | > The fact that a Cumulative Patch for IE was released late on a Friday
| or
| > | > anytime on a Saturday (depending on where one lives on this planet)
| and
| > | with
| > | > great fanfare gives you a clue as to both the critical nature of this
| > | patch
| > | > and the extra resources (read: MS coders and testers) who were pushed
| to
| > | > accomplish the task.
| > | >
| > | > At least that's my take on it.
| > | >
| > | > Your tire analogy is a poor one to me. The vulnerability addressed in
| > | > MS03-040/Q828750 *may* cause inconvenience to some Windows users (and
| if
| > | > your virus definitions were up-to-date, all current MS patches were
| > | > installed, and you practiced Safe Hex, you weren't very vulnerable in
| the
| > | > first place). The Ford Motor/Firestone fiasco (http://snurl.com/2kk0)
| in
| > | > comparison *killed* hundreds, if not thousands, of people (an
| inordinate
| > | > number of them from Latin America and Third World countries). And
| > | Firestone
| > | > did warn Ford about the dangers associated with underinflating the
| tires
| > | but
| > | > Ford chose to ignore it in the interests of sales and corporate greed
| > | > (IMHO). (BTW Firestone was forced out of business, but not Ford.)
| > | > --
| > | > ~PA Bear
| > | >
| > | > Me2 wrote:
| > | > >> PA Bear,
| > | > >>
| > | > >> So I read from your link that known Trojans/virus/whatever were
| > | > >> hijacking IE at least as far back as 09/27/03
| > | > >> (http://news.com.com/2100-7349-5083234.html).
| > | > >>
| > | > >> Doesn't this just make it more outrageous that Microsoft does not
| > | counsel
| > | > >> it's customers to restrict IE use or pull the plug on IE until a
| fix is
| > | > >> available - when a known vulnerabilities is starting to be
| exploited?
| > | > >> What was (and is) Microsoft waiting for - a full blown active
| attack
| > | > >> effecting millions of systems? This makes me feel even better
| about
| > | > >> security support from M$.
| > | > >>
| > | > >> I believe that Microsoft is working very hard on producing the
| patches
| > | > >> and stuff. But it would be *nice* when a new vulnerabilities is
| > | > >> ACTIVELY being exploited that Microsoft warn their customers. When
| a
| > | > >> manufacture knows that a certain type of tire can blowup on your
| car,
| > | > >> these tires ARE blowing up on cars, wouldn't you like to know
| before
| > | you
| > | > >> go to drive?
| > | >
| > |
| > |
| >
|
|
 
Very well. I have purged it from my "Keepers"!

--
Thanks or Good Luck,
There may be humor in this post, and,
Naturally, you will not sue,
should things get worse after this,
PCR
(e-mail address removed)
| Please ignore this silly post.
|
| I have now read the patch description, and retested. Firehole still
fails
| on the server, which is an excellent result, but I doubt it has
anything to
| do with this patch!
|
| | > FWIW, which is very little:
| >
| > I've not had time to even read the patch description carefully, nor
check
| > all the references.
| >
| > I do have a server with a copy of Firehole, version 1.01, which is a
| sample
| > test exploit.
| >
| > You can find this via google, I'm sure--it is quite safe.
| >
| > My recollection is that exploit worked fine last time I tried it.
| >
| > It fails after this patch.
| >
| > I'm glad that hole is patched--now on to the others!
| >
| > | > > "mass post" "cross post" same thing...
| > >
| > > My basic question is: Does MS03-040 fix the Trojan.Qhosts bug???
Do we
| > just
| > > guess or wait for Symantec to tell us??
| > >
| > > Thanks
 
Two? Why was I gypped, Papa? What was the second one? Here are the last
six it had for me...

Successful Saturday, October 04, 2003 October 2003, Cumulative Patch for
Internet Explorer 6 Service Pack 1 (KB828750) Web site

Successful Wednesday, August 20, 2003 August 2003, Cumulative Patch for
Internet Explorer 6 Service Pack 1 (822925) Web site

Successful Sunday, August 17, 2003 Root Certificates Update
Read more... Web site

Successful Saturday, August 02, 2003 DirectX 9.0b End-User Runtime
Read more... Web site

Successful Thursday, July 10, 2003 823559: Security Update for Microsoft
Windows Web site

Successful Friday, June 27, 2003 Flaw In Windows Media Player May Allow
Media Library Access (819639) Web site

And here is my sum total showing in various places...

(A) At IE6, Help, About:
SP1, Q313829, Q328970, Q328389, Q324929, Q810847, Q813951 Q816506,
Q813489, Q330994, Q818529, Q822925, & Q828750.

(B) At "START, Run, MSInfo32, Software Environment, Software Updates":
Windows 98 Second Edition=4,10,0,2222
Updates=Year 2000 Update for Windows 98b
SP2: Windows 98 Second Edition USBHUB
W98: Q245729, Q274113, Q314147, Q323172, Q323255, Q329115,
Q811630
W98SE: Q823559, Q245272, Q256015, Q259728, Q260067, Q273017, Q273991
Win98SE: Q249973, Q238453, Q239887, UHCD
Windows 98 Second Edition Digital Video
Windows 98 TELNET

(C) At "Control Panel, Add/Remove Programs":

(1) 128 bit encryption support for Dial-up Networking
(2) Internet Explorer Q828750 (was Q822925, Q818529)
(3) Microsoft Internet Explorer 5 Web Accessories
(4) Microsoft Internet Explorer 6 SP1 and Internet Tools
(5) Microsoft Internet Print Services
(6) Microsoft Outlook Express 6
(7) Outlook Express Update Q330994
(8) Windows 98 Q823559 Update
(9) Windows 98 Second Edition Digital Video Update
(10) Windows Media Player system update (9 series)

--
Thanks or Good Luck,
There may be humor in this post, and,
Naturally, you will not sue,
should things get worse after this,
PCR
(e-mail address removed)
| Days?? Hardly. I was aware of it simply by clicking on the Update
button and
| installing the two critical updates that were listed. When did I do
it?
| Friday, October 3rd.
|
| Every user should frequently check for updates, whether they have the
update
| notification enabled or not.
|
| | > | >
| > > There is an old saying - "Keep it simple". So my advice will
continue to
| > > be - obtain your updates from one place, and one place only - the
Update
| > > button.
| >
| > And when a critical update takes days to appear on Windows Update,
yet can
| > be access via the Technet article that is invariably linked to the Q
| article
| > that points to Windows Update in the first place? Then what?
| >
| > Your attitude is wrong.
| >
| > --
| > Install the latest IE cumulative patch for protection against QHost:
| > http://www.microsoft.com/security/security_bulletins/ms03-040.asp
| > More information about QHosts can be found here:
| > http://www.mvps.org/inetexplorer/darnit_3.htm#qhost
| > ________________________________________
| > Sandi - Microsoft MVP since 1999 (IE/OE)
| > http://www.mvps.org/inetexplorer
| >
|
|
 
I don't mind if poor, dear Jerry Bryant - MCSE, MCDBA metamorphoses into
the MS Critical Update Notification Tool... but... BUT... he better not
access my hard drive every five minutes, whether or not I am on- or
off-line! My hard drive!

--
Thanks or Good Luck,
There may be humor in this post, and,
Naturally, you will not sue,
should things get worse after this,
PCR
(e-mail address removed)
| | > Yeah, that's what I figured. But by the same token, folks who know
Jerry,
| > know Jerry. No sense trying to justify that to someone who
obviously
| can't
| > grasp lesser concepts.
|
| But...but...we're eternal optimists :o)
|
| --
| Install the latest IE cumulative patch for protection against QHost:
| http://www.microsoft.com/security/security_bulletins/ms03-040.asp
| More information about QHosts can be found here:
| http://www.mvps.org/inetexplorer/darnit_3.htm#qhost
| ________________________________________
| Sandi - Microsoft MVP since 1999 (IE/OE)
| http://www.mvps.org/inetexplorer
|
 
Mark it *ignored*.

~PAÞ
I've deleted this whole thread twice now and it just won't go away.

--
George (Bindar Dundat ©) MS-MVP
This information is provided "AS IS"
It may even be wrong!
For Windows Troubleshooting Tips see
9x/ME
http://aumha.org/win4/a/tshoot.htm
2000/XP
http://aumha.org/win5/a/tshoot.htm
Richard G. Harper said:
Actually, you may be right. :-)

Sorry, the last time I read this much prose in one sitting it had a
Russian author's name attached to it. <VBG>

--
Richard G. Harper (MVP Win9x) (e-mail address removed)
* PLEASE post all messages and replies to the newsgroup so all may
* benefit from the discussion. Private mail is usually not replied to.
Help US help YOU ... http://www.dts-l.org/goodpost.htm


Actually I think I did as a side comment to something Jim had stated.

--
George (Bindar Dundat ©) MS-MVP
This information is provided "AS IS"
It may even be wrong!
For Windows Troubleshooting Tips see
9x/ME
http://aumha.org/win4/a/tshoot.htm
2000/XP
http://aumha.org/win5/a/tshoot.htm
Actually, I think Jim pointed that out. <G>

--
Richard G. Harper (MVP Win9x) (e-mail address removed)
* PLEASE post all messages and replies to the newsgroup so all may
* benefit from the discussion. Private mail is usually not replied
to. Help US help YOU ... http://www.dts-l.org/goodpost.htm


As another (MVP Richard Harper?) pointed out in this overly-long
thread [Yeah, I'm adding to it!], when any software manufacturer
publicly acknowledges any vulnerability, doing so also draws it to
the attention of bad guys who are tempted to create, often
successfully, malware/Trojans to exploit the vulnerability before a
patch can be written, thoroughly tested, and released to end-users.
I think you can easily see it's a tough call to make.

And how would it serve Microsoft's interests if it were negligient
enough to assist in creating more vulnerability for Windows users?

The fact that a Cumulative Patch for IE was released late on a
Friday or anytime on a Saturday (depending on where one lives on
this planet) and with great fanfare gives you a clue as to both the
critical nature of this patch and the extra resources (read: MS
coders and testers) who were pushed to accomplish the task.

At least that's my take on it.

Your tire analogy is a poor one to me. The vulnerability addressed
in MS03-040/Q828750 *may* cause inconvenience to some Windows users
(and if your virus definitions were up-to-date, all current MS
patches were installed, and you practiced Safe Hex, you weren't very
vulnerable in the first place). The Ford Motor/Firestone fiasco
(http://snurl.com/2kk0) in comparison *killed* hundreds, if not
thousands, of people (an inordinate number of them from Latin
America and Third World countries). And Firestone did warn Ford
about the dangers associated with underinflating the tires but Ford
chose to ignore it in the interests of sales and corporate greed
(IMHO). (BTW Firestone was forced out of business, but not Ford.) --
~PA Bear

Me2 wrote:
PA Bear,

So I read from your link that known Trojans/virus/whatever were
hijacking IE at least as far back as 09/27/03
(http://news.com.com/2100-7349-5083234.html).

Doesn't this just make it more outrageous that Microsoft does not
counsel it's customers to restrict IE use or pull the plug on IE
until a fix is available - when a known vulnerabilities is
starting to be exploited? What was (and is) Microsoft waiting for
- a full blown active attack effecting millions of systems? This
makes me feel even better about security support from M$.

I believe that Microsoft is working very hard on producing the
patches and stuff. But it would be *nice* when a new
vulnerabilities is ACTIVELY being exploited that Microsoft warn
their customers. When a manufacture knows that a certain type of
tire can blowup on your car, these tires ARE blowing up on cars,
wouldn't you like to know before you go to drive?
 
Back
Top