Flutterby™! : Windows XP insecurity


Windows XP insecurity

2001-12-20 19:12:59+00 by Dan Lyke 3 comments

blah blah blah massive Windows XP insecurity discovered 5 weeks ago, fix announced today, blah blah "the glitches allow hackers to seize control of all Windows XP operating system software without requiring a computer user to do anything except connect to the Internet" blah blah blah blah. Yawn.

[ related topics: Microsoft, Software Engineering, Current Events ]

comments in ascending chronological order:

#Comment made: 2002-02-21 05:33:55+00 by: Mike Gunderloy

Been a bad week for MS security in general. In addition to the XP problem (which hasn't been actively exploited, so far as I can tell), there's also yet another IE problem -- it's possible for a properly-crafted page to present an EXE file that shows up as TXT or whatever when you get prompted to download. That one *is* being actively exploited. There is an MS fix for it, which you'll be prompted to install if you're running Windows Update -- but what they don't tell you is that the fix doesn't fix all variants of the hole, so it's worthless.

Then there's the one that's getting no publicity at all -- remotely-exploitable hole in SQL Server that allows execution of arbitrary code on the server. You're vulnerable if you run SQL Server and allow web users to enter queries without doing careful validation of what they're typing. At least that one is fixed by SQL 2K SP2, so it's only a 50MB download to patch...

#Comment made: 2002-02-21 05:33:55+00 by: Shawn

Mike, do you have a link for the SQL Server one? I don't run MS SQL Server, but I know some folks who do - and I haven't heard anything about it.

#Comment made: 2002-02-21 05:33:57+00 by: Mike Gunderloy

The security bulletin is at http://www.microsoft.com/techn...t/security/bulletin/MS01-060.asp

There are a variety of patches available. For SQL 2K, my recommendation is to just install Service Pack 2, which just came out & includes the fix. For SQL 7 or SQL 2K that you don't want to risk with a service pack, you need one or two patches depending on how things are configured.