UPDATE: Microsoft patches new Windows flaw
Posted by malebolgia on 11 May 2004 - 22:11 · 22 comments & 2274 views
About the Author
Full name: Unknown
Forum name:
malebolgia
Contact: via forum PM
Submissions: Normal · Headline
Full name: Unknown
Forum name:
malebolgiaContact: via forum PM
Submissions: Normal · Headline
Slashdot It!
Submit to reddit
Submit to blinklist
Bookmark on del.icio.us
Add to furl
Share on Facebook
Add to Windows Live
Add to Google- Advertisement
-
-
#1 Posted by HappyCar on 11 May 2004 - 22:28
- I just patched it
no more death and rodents for me! 
-
(1 reply)
#2 Posted by Panorama on 12 May 2004 - 00:19
- Thanks for the info or else I wouldn't have known for a while. Just patched.
-
#3 Posted by Darkness2k on 12 May 2004 - 00:42
- MS04-015 Update Linkhttp://www.microsoft.com/technet/security/bulletin/MS04-015.mspx
Didn't see a quick access link in the topic, so I thought i'd put it here for users who didnt want to explore the technet site looking for the new bulletin lol.
Of course its also on V4 windowsupdate (I didn't see it at first as I'm sent by default to Test.V5 lol)
-
#4 Posted by cork1958 on 12 May 2004 - 01:27
- In the bulletin article it says "For the installation of this security update to be successful, the Help and Support Center service cannot be disabled." How about set to manual?
-
(2 replies)
#5 Posted by ThunderRiver on 12 May 2004 - 01:35
- Oh well, once again, another patch that probably won't make its way into SP2..
-
#5.2 Posted by Unforgiven on 12 May 2004 - 10:25
- From Microsoft Security Bulletin MS04-015:
QUOTE Inclusion in Future Service Packs:
The update for these issues will be included in Windows XP Service Pack 2.
-
#6 Posted by Ciderx on 12 May 2004 - 02:18
- It appears to be a bug for the extremely incompetent user by the amount of interaction need to do the exploit, and then only run code in the user's permissions.
Anyway, patched up and my SUS server takes care of my many thousand machines at work....
-
(6 replies)
#7 Posted by Smeg on 12 May 2004 - 02:20
- Not again
does this effect non-IE browsers? (it's something to do with the hcp:// thing isn't it?) -
#7.1 Posted by configure on 12 May 2004 - 04:10
- I'm guessing that Help and Support Center will use IE regardless of user's default browser, and if that's the case, non-IE users will still have to apply the patch anyway.
-
#7.2 Posted by mipra on 12 May 2004 - 04:59
- I belive no....Firebird is quite vulnarable to this threat
-
#7.3 Posted by Zatoichi on 12 May 2004 - 05:18
- ROFLMAO
How many holes are in WinXP anyway?
I'd bet a couple of hundred more! -
#7.5 Posted by shao on 12 May 2004 - 08:41
- 7,3's point being he's an idiot, and he has a detachable ass.
-
(2 replies)
#8 Posted by Test Zero on 12 May 2004 - 06:54
- Do I need to download this if I'm running SP2 RC1? I'd check at Windows Update, but...
-
#8.1 Posted by configure on 12 May 2004 - 10:12
- Are you trying to run Windows Update on a normal (not administrators) users account?
-
#9 Posted by jwjw1 on 12 May 2004 - 08:52
- no..if you have sp2 installed...you do not need this...
-
(1 reply)
#10 Posted by Tager on 12 May 2004 - 13:44
- do I still need this patch if I have the "Help and support" services disabled?
edit: ack, I had it set to disabled but when I clicked on Help and Support in the Start menu, the service restarted and set itself to Automatic startup. Whaaaaa? I thought when services are disabled, they stay that way even if you try to start a program that relies on it being running???
The software maker described the problem as "important," its second-highest rating for such problems. Antivirus software maker Symantec, meanwhile, characterized the vulnerability as "high risk," citing the impact that there could be if the vulnerability was successfully exploited.
The flaw exists in the way Windows' Help and Support Center validates information that is sent to it. The software maker released a patch for the vulnerability and urged customers to "install the update at the earliest opportunity." The patch is posted to the company's security Web site, as is a bulletin outlining the flaw.
The bulletin was released as part of Microsoft's regularly scheduled monthly security update, according to Stephen Toulouse, a security program manager in the Microsoft Security Response Center. As for the rating level, Toulouse said Microsoft typically only deems vulnerabilities "critical"--the highest level--if they can be exploited without the user taking any action.
UPDATE: On a side note, Microsoft has also updated MS01-052, and MS04-14 yesterday. The details are listed below.
MS01-052
http://www.microsoft.com/technet/security/bulletin/MS01-052.mspx
Reason for re-release: Bulletin updated to advise of the availability of an update for Windows NT Server 4.0 Terminal Server Edition. This update addresses an additional denial of service vulnerability.
Originally posted: October 18, 2001
Updated: May 11, 2004
Version: 3.0
MS04-014
http://www.microsoft.com/technet/security/bulletin/MS04-014.mspx
Reason for re-release: Microsoft has released a revised version of the Windows XP security update that contains the correctly localized optional Jet error strings.
Originally posted: April 13, 2004
Updated: May 11, 2004
Version: 2.0