Tillbaka till svenska Fidonet
English   Information   Debug  
OS2BBS   0/787
OS2DOSBBS   0/580
OS2HW   0/42
OS2INET   0/37
OS2LAN   0/134
OS2PROG   0/36
OS2REXX   0/113
OS2USER-L   207
OS2   0/4786
OSDEBATE   14150/18996
PASCAL   0/490
PERL   0/457
PHP   0/45
POINTS   0/405
POLITICS   0/29554
POL_INC   0/14731
PSION   103
R20_ADMIN   1123
R20_AMATORRADIO   0/2
R20_BEST_OF_FIDONET   13
R20_CHAT   0/893
R20_DEPP   0/3
R20_DEV   399
R20_ECHO2   1379
R20_ECHOPRES   0/35
R20_ESTAT   0/719
R20_FIDONETPROG...
...RAM.MYPOINT
  0/2
R20_FIDONETPROGRAM   0/22
R20_FIDONET   0/248
R20_FILEFIND   0/24
R20_FILEFOUND   0/22
R20_HIFI   0/3
R20_INFO2   3252
R20_INTERNET   0/12940
R20_INTRESSE   0/60
R20_INTR_KOM   0/99
R20_KANDIDAT.CHAT   42
R20_KANDIDAT   28
R20_KOM_DEV   112
R20_KONTROLL   0/13302
R20_KORSET   0/18
R20_LOKALTRAFIK   0/24
R20_MODERATOR   0/1852
R20_NC   76
R20_NET200   245
R20_NETWORK.OTH...
...ERNETS
  0/13
R20_OPERATIVSYS...
...TEM.LINUX
  0/44
R20_PROGRAMVAROR   0/1
R20_REC2NEC   534
R20_SFOSM   0/341
R20_SF   0/108
R20_SPRAK.ENGLISH   0/1
R20_SQUISH   107
R20_TEST   2
R20_WORST_OF_FIDONET   12
RAR   0/9
RA_MULTI   106
RA_UTIL   0/162
REGCON.EUR   0/2056
REGCON   0/13
SCIENCE   0/1206
SF   0/239
SHAREWARE_SUPPORT   0/5146
SHAREWRE   0/14
SIMPSONS   0/169
STATS_OLD1   0/2539.065
STATS_OLD2   0/2530
STATS_OLD3   0/2395.095
STATS_OLD4   0/1692.25
SURVIVOR   0/495
SYSOPS_CORNER   0/3
SYSOP   0/84
TAGLINES   0/112
TEAMOS2   0/4530
TECH   0/2617
TEST.444   0/105
TRAPDOOR   0/19
TREK   0/755
TUB   0/290
UFO   0/40
UNIX   0/1316
USA_EURLINK   0/102
USR_MODEMS   0/1
VATICAN   0/2740
VIETNAM_VETS   0/14
VIRUS   0/378
VIRUS_INFO   0/201
VISUAL_BASIC   0/473
WHITEHOUSE   0/5187
WIN2000   0/101
WIN32   0/30
WIN95   0/4289
WIN95_OLD1   0/70272
WINDOWS   0/1517
WWB_SYSOP   0/419
WWB_TECH   0/810
ZCC-PUBLIC   0/1
ZEC   4

 
4DOS   0/134
ABORTION   0/7
ALASKA_CHAT   0/506
ALLFIX_FILE   0/1313
ALLFIX_FILE_OLD1   0/7997
ALT_DOS   0/152
AMATEUR_RADIO   0/1039
AMIGASALE   0/14
AMIGA   0/331
AMIGA_INT   0/1
AMIGA_PROG   0/20
AMIGA_SYSOP   0/26
ANIME   0/15
ARGUS   0/924
ASCII_ART   0/340
ASIAN_LINK   0/651
ASTRONOMY   0/417
AUDIO   0/92
AUTOMOBILE_RACING   0/105
BABYLON5   0/17862
BAG   135
BATPOWER   0/361
BBBS.ENGLISH   0/382
BBSLAW   0/109
BBS_ADS   0/5290
BBS_INTERNET   0/507
BIBLE   0/3563
BINKD   0/1119
BINKLEY   0/215
BLUEWAVE   0/2173
CABLE_MODEMS   0/25
CBM   0/46
CDRECORD   0/66
CDROM   0/20
CLASSIC_COMPUTER   0/378
COMICS   0/15
CONSPRCY   0/899
COOKING   33461
COOKING_OLD1   0/24719
COOKING_OLD2   0/40862
COOKING_OLD3   0/37489
COOKING_OLD4   0/35496
COOKING_OLD5   9370
C_ECHO   0/189
C_PLUSPLUS   0/31
DIRTY_DOZEN   0/201
DOORGAMES   0/2065
DOS_INTERNET   0/196
duplikat   6002
ECHOLIST   0/18295
EC_SUPPORT   0/318
ELECTRONICS   0/359
ELEKTRONIK.GER   1534
ENET.LINGUISTIC   0/13
ENET.POLITICS   0/4
ENET.SOFT   0/11701
ENET.SYSOP   33946
ENET.TALKS   0/32
ENGLISH_TUTOR   0/2000
EVOLUTION   0/1335
FDECHO   0/217
FDN_ANNOUNCE   0/7068
FIDONEWS   24159
FIDONEWS_OLD1   0/49742
FIDONEWS_OLD2   0/35949
FIDONEWS_OLD3   0/30874
FIDONEWS_OLD4   0/37224
FIDO_SYSOP   12852
FIDO_UTIL   0/180
FILEFIND   0/209
FILEGATE   0/212
FILM   0/18
FNEWS_PUBLISH   4436
FN_SYSOP   41708
FN_SYSOP_OLD1   71952
FTP_FIDO   0/2
FTSC_PUBLIC   0/13615
FUNNY   0/4886
GENEALOGY.EUR   0/71
GET_INFO   105
GOLDED   0/408
HAM   0/16075
HOLYSMOKE   0/6791
HOT_SITES   0/1
HTMLEDIT   0/71
HUB203   466
HUB_100   264
HUB_400   39
HUMOR   0/29
IC   0/2851
INTERNET   0/424
INTERUSER   0/3
IP_CONNECT   719
JAMNNTPD   0/233
JAMTLAND   0/47
KATTY_KORNER   0/41
LAN   0/16
LINUX-USER   0/19
LINUXHELP   0/1155
LINUX   0/22112
LINUX_BBS   0/957
mail   18.68
mail_fore_ok   249
MENSA   0/341
MODERATOR   0/102
MONTE   0/992
MOSCOW_OKLAHOMA   0/1245
MUFFIN   0/783
MUSIC   0/321
N203_STAT   930
N203_SYSCHAT   313
NET203   321
NET204   69
NET_DEV   0/10
NORD.ADMIN   0/101
NORD.CHAT   0/2572
NORD.FIDONET   189
NORD.HARDWARE   0/28
NORD.KULTUR   0/114
NORD.PROG   0/32
NORD.SOFTWARE   0/88
NORD.TEKNIK   0/58
NORD   0/453
OCCULT_CHAT   0/93
Möte OSDEBATE, 18996 texter
 lista första sista föregående nästa
Text 12643, 151 rader
Skriven 2006-08-22 20:36:20 av /m (1:379/45)
Ärende: Microsoft patch opens users to attack
=============================================
From: /m <mike@barkto.com>


http://www.securityfocus.com/news/11408

===
UPDATE: Microsoft continued to work on Tuesday to create a fix for an
exploitable flaw introduced by the company's latest security update to Internet
Explorer.

The flaw, initially thought to only crash Internet Explorer, actually allows an
attacker to run code on computers running Windows 2000 and Windows XP Service
Pack 1 that have applied the August cumulative update to Internet Explorer 6
Service Pack 1, security firm eEye Digital Security told SecurityFocus on
Tuesday. The update, released on August 8, fixed eight security holes but also
introduced a bug of its own, according to Marc Maiffret, chief hacking officer
for the security firm, which notified Microsoft last week that the issue is
exploitable.

By the following day, network administrators and users began complaining that
the update, MS06-042, caused Internet Explorer to crash when browsing some
sites. Three days later, security researchers at eEye discovered that the issue
could be used to not just crash the browser, but to compromise PCs running
Windows XP SP1 and Windows 2000. Other security researchers have also reported
the issue to Microsoft, Maiffret said.

"This information is definitely out in the underground," Maiffret said.
"Because of all the discussions on security mailing lists, they know that this
is a bug. Any half-decent researcher knows that this is an exploitable bug."

The issue likely affects millions of Windows users. Data released by Microsoft
in a report published in June broke down the types of operating systems used by
the 270 million computers scanned by the company's malicious software removal
tool. While nearly two thirds of systems were running Windows XP Service Pack
2, nearly 23 percent--or about 47 million systems--ran either Windows 2000 or
Windows XP SP1.

Microsoft had originally committed to supplying a new patch for the issue on
Tuesday, but due to an problem discovered during the final tests of the
software update, the company decided against releasing the fix. In a statement
sent to SecurityFocus after the initial story was published, Microsoft
confirmed the exploitability of the vulnerability and took eEye to task for
publicizing the ability of attackers to exploit the flaw.

"One of the researchers who originally disclosed the issue responsibly to
Microsoft has now chosen to publicly disclose the exploitability of the issue
before an update is broadly available for customers to deploy in order to
protect themselves," the company said in the statement sent to SecurityFocus.
"Microsoft continues to encourage responsible disclosure of vulnerabilities to
minimize risk to computer users."

The security slip-up casts a shadow on Microsoft's fight to convince users and
network administrators to immediately apply security patches issued by the
software giant. The latest monthly patches, released on August 8, fixed 23
flaws in common components of the Windows operating system. The flaws included
10 vulnerabilities that Microsoft deemed a critical concern. The U.S.
Department of Homeland Security even added its collective voice to those urging
users to fix their systems.

Microsoft planned to fix the problem introduced by the cumulative update on
Tuesday, but has delayed the release of its patch to the patch because it did
not pass final muster. eEye released its own advisory on Tuesday, withholding
specific details. That's more than Microsoft did, eEye's Maiffret said.

"It is reminiscent of early Microsoft security days that they would play the PR
blame game as a way to somehow shift attention from all of the mistakes they
have made surrounding the handling of this vulnerability," Maiffret said. "The
reality is that we released zero technical details to the public. The only
place where you can know exactly what the flaw location is, is from the
Microsoft advisory itself-- Another mistake to add to their list."

When and how much to disclosure about software vulnerabilities is a contentious
issue within the security community. Most recently, one researcher drew both
praise and criticism for releasing a browser bug every day for the month of
July. Other industries, such as those that build the systems used to monitor
and control manufacturing and power networks, are also starting to have a
similar debate.

In this case, more researchers were discovering that the issue could be
exploited, Maiffret said. Because attackers were likely learning of the issue
as well, he decided to publicize the fact that the flaw could be used to
compromise systems

"The cat's out of the bag," Maiffret said. "When there are multiple threads on
the patch crashing systems on multiple security mailing lists, then you know
that people are going to investigate this. And multiple researchers have
already reported this to Microsoft.

The software giant originally declined to comment on the issue, but referred
SecurityFocus to its security Weblog, posted last week, which confirmed that a
bug introduced by the cumulative update crashed Internet Explorer and pledged
to bring out a patch on Tuesday.

"Since MS06-042 resolves a number of security vulnerabilities we recommend
customers continue to deploy the update, but we do plan to revise only the
IE6SP1 update and re-release the bulletin with more information by August 22nd
for all IE6SP1 customers," Mike Reavey, operations manager for the Microsoft
Security Research Center, stated on the group's blog.

A company spokesperson originally could not confirm that the flaw also could be
used to exploit vulnerable Windows systems.

The software giant posted a more in-depth article on the problem on August 11
and has a hotfix available from its product group. Users can also turn off
support for HTTP 1.1 in Internet Explorer as a temporary workaround. Using an
alternative browser, such as Mozilla's Firefox or Opera's eponymous browser,
also eliminates any threat from the flaw.

The incident may undo a great deal of the work that Microsoft has done to
convince users to trust its software updates and install them by default.

Under its nearly five-year-old Trustworthy Computing Initiative, the company
has fought to increase the number of users that apply patches automatically. In
the past, some network administrators have waited to test, or hear the
community reaction to, Microsoft's latest patch. A year ago, the company
refused to release a fix rather than push out a software update that could
cause problems.

Introducing a security issue in its latest set of patches undermines network
administrators' confidence in Microsoft's software updates, said Johannes
Ullrich, chief technology officer for the SANS Institute's Internet Storm
Center.

"The entire danger of this particular issue is that this is an important patch
to apply, but if they cause your applications to not work, network
administrator won't deploy patches," Ullrich said.

The Internet Storm Center had a couple of dozen reports of users encountering
crashes after the August cumulative update. That's the most complaints reported
to the group following a Microsoft patch, Ullrich said. The security expert
could not confirm that the flaw in the latest patch could be used by attackers
to compromise systems.

Yet, the security expert agreed with Microsoft's advice. Patching systems with
the latest software update is still important.

"Given that there were people exploiting some of the flaws fixed by this patch,
users should apply the fix," he said. "You have to somehow put other defenses
in place to defend against other issues.

UPDATE: The article was updated Tuesday at 3 p.m. PST with Microsoft's
confirmation of the exploitability of the flaw, Microsoft comment on the
disclosure and eEye's response to that comment. Microsoft had originally been
given a chance to comment on the disclosure and declined.
===


 /m

--- BBBS/NT v4.01 Flag-5
 * Origin: Barktopia BBS Site http://HarborWebs.com:8081 (1:379/45)