Jump to content

USCERT Alert regarding Windows security fault


emarkay
 Share

Recommended Posts

Apparently affects win98SE.... Any third party fixes?

We NEED to start monioring these sites and GET OUR THIRD PARTY DEVELOPERS TO DO SO TO!

Let's come up with a unified way, HERE, to act as the WINDOWS UPDATE FOR THOSE WHO DON'T USE XP/VISTA!

COMMENTS???

MRK

******

Systems Affected

* Microsoft Windows

* Microsoft Office (Windows and Mac)

* Microsoft Internet Explorer

Microsoft Windows, Office, and Internet Explorer Vulnerabilities

Original release date: August 08, 2006

Overview

Microsoft has released updates that address critical vulnerabilities in Microsoft Windows, Office, and Internet Explorer. Exploitation of these vulnerabilities could allow a remote, unauthenticated attacker to execute arbitrary code or cause a denial of service on a vulnerable system.

Note that one of the patches released today addresses a critical vulnerability in the Microsoft Server Service (MS06-040). We have received reports that this vulnerability is actively being exploited.

I. Description

Microsoft Security Bulletin Summary for August 2006 addresses vulnerabilities in Microsoft products including Windows, Office, and Internet Explorer.

One of the patches released today addresses a critical vulnerability in the Microsoft Server Service (MS06-040). More details are available in Vulnerability Note VU#650769.

Note that we have received reports that VU#650769 is actively being exploited.

II. Impact

A remote, unauthenticated attacker could execute arbitrary code on a vulnerable system. An attacker may also be able to cause a denial of service.

III. Solution

Apply patches from Microsoft

Microsoft has provided updates for these vulnerabilities in the Security Bulletins.

When prioritizing these patches, it is strongly encouraged that the patch for VU#650769 be applied first.

Updates for Microsoft Windows and Microsoft Office XP and later are available on the Microsoft Update site. Microsoft Office 2000 updates are available on the Microsoft Office Update site. Apple Mac OS X users should obtain updates from the Mactopia web site.

System administrators may wish to consider using Windows Server Update Services (WSUS).

Appendix B. References

* Microsoft Security Bulletin Summary for August 2006 - <http://www.microsoft.com/technet/security/bulletin/ms06-aug.mspx>

* US-CERT Vulnerability Note VU#650769 - <http://www.kb.cert.org/vuls/id/650769>

* Microsoft Update - <https://update.microsoft.com/microsoftupdate/>

* Microsoft Office Update - <http://officeupdate.microsoft.com/>

* Mactopia - <http://www.microsoft.com/mac>

* Windows Server Update Services - <http://www.microsoft.com/windowsserversystem/updateservices/default.mspx>

http://www.us-cert.gov/cas/techalerts/TA06-220A.html

******

Extended security update support for Microsoft Windows 98, Windows 98 Second Edition, or Windows Millennium Edition ended on July 11, 2006. I am still using one of these operating systems; what should I do?

Windows 98, Windows 98 Second Edition, and Windows Millennium Edition have reached the end of their support life cycles. It should be a priority for customers who have these operating system versions to migrate to supported versions to prevent potential exposure to vulnerabilities. For more information about the Windows Product Lifecycle, visit the following Microsoft Support Lifecycle Web site. For more information about the extended security update support period for these operating system versions, visit the Microsoft Product Support Services Web site.

http://www.microsoft.com/technet/security/...n/ms06-040.mspx

Link to comment
Share on other sites


No big deal. All you need is a simple Firewall will protect you. From the web page you linked to:

"To help protect from network-based attempts to exploit this vulnerability, use a personal firewall, such as the Internet Connection Firewall, which is included with Windows XP and with Windows Server 2003."

Link to comment
Share on other sites

We've already got the sticky thread for 9x updates. When something new is installable on 9x the first post there is updated. Usually while an effective solution is being worked on, the replies on the thread indicate whatever progress is being made as how to best apply the new fixes on each 9x Operating System.

Is this what you mean?

Link to comment
Share on other sites

critical vulnerability in the Microsoft Server Service
Win98se doesn't even *have* a Server service... it doesn't even have services at all!

Correct, it's for WIN2000 and up, and XP, and is found in file: Netapi32.dl. Again my point was regarding updates to 98SE.

BTW, As of today, even DHS warns against it

http://www.dhs.gov/dhspublic/display?content=5789:

Link to comment
Share on other sites

We've already got the sticky thread for 9x updates. When something new is installable on 9x the first post there is updated. Usually while an effective solution is being worked on, the replies on the thread indicate whatever progress is being made as how to best apply the new fixes on each 9x Operating System.

Is this what you mean?

No, for that is found UNDER the "Unofficial WIN98SE Service Pack" subcategory (which has nothig to do with updates and non-USP users), AND it's THIRTY TWO PAGES of discussions, comments, opinions and a few file locations!

WE CAN DO BETTER!

Edited by emarkay
Link to comment
Share on other sites

Well, what else would you suggest? The thread has all the latest links to new updates on the first post that is continuously updated. And the discussions are among the folks deciding how best to provide the updates.

A visit to where full descriptions of ALL 9x, MS-DOS, XP, jeez even Science Fiction information exist provide all possible updates anyone could desire, mdgx.com.

Maybe you want the same thing in a different format? What is it you're asking for?

I mean, if you don't like using a pre-packaged service pack then all you need is comprehensively provided at the mdgx site. No long discussions, just the meat. You go from the bottom of the lists to the top for oldest to newest. You can read the descriptions and decide for yourself if you want an add-on (but the critical updates for your OS, Internet Explorer, Windows Media, and DirectX should be applied on all systems). In cases where an update has prerequisites, it is clearly noted in the descriptions.

The placement of the thread in question is in a sticky in the Service Pack forum because that forum was where the hands on folks are working on providing this stuff and just happened to start there.

You don't need to install the Service Pack, or anything else there, to contribute or benefit from reading the threads. It just would make it less time consuming to use the pack. You'd just be installing all that stuff yourself anyway. It just provides the important critical fixes to 98SE, with options to also install a few other things along with it. But anyone is free to examine the same (plus a lot more) updates, fixes and add-ons on the mdgx website.

Link to comment
Share on other sites

Well, what else would you suggest? The thread has all the latest links to new updates on the first post that is continuously updated. And the discussions are among the folks deciding how best to provide the updates.

A visit to where full descriptions of ALL 9x, MS-DOS, XP, jeez even Science Fiction information exist provide all possible updates anyone could desire, mdgx.com.

Maybe you want the same thing in a different format? What is it you're asking for?

OK, yea, see this thread:

http://www.msfn.org/board/index.php?showtopic=80502

I mean, if you don't like using a pre-packaged service pack then all you need is comprehensively provided at the mdgx site. No long discussions, just the meat. You go from the bottom of the lists to the top for oldest to newest. You can read the descriptions and decide for yourself if you want an add-on (but the critical updates for your OS, Internet Explorer, Windows Media, and DirectX should be applied on all systems). In cases where an update has prerequisites, it is clearly noted in the descriptions.

I know, and I am pretty good at sorting out information, but it's still a convoluted format, and (are you the maintainer of that site?) even to me a bit "wordy". For example, one post, from that site:

"Microsoft Windows 98/98 SE Embedded Web Fonts T2EMBED.DLL 5.00.2195.7073 Security Vulnerability Fix:

Direct download [211 KB, English].

Requires MS IE 5.5 SP2 or newer already installed!

BUG: T2EMBED.DLL Fix above installs BUGgy INF file!

FIX: MUST Install this INF Fix [63 KB] AFTER installing T2EMBED.DLL Fix above!"

Nowhere is the MS KB# or MS update number found, and any specifics AT THIS POINT WHY the update is "buggy", why there are TWO "fixes" and WHAT the "fixes" do, are, and how/why they are needed!

Finally, unless I KNOW I have a font problem, I have no clue why I need it! Imagine if I am a "much less than a power user" who just wants to keep my "windows" updated! This needs to be made clear and easy to reference back to either a MS bulletin, a CERT advisory, or a publicized security issue that can be remedied by third parties - such as you kind folks!

Don't you see that THIS IS MY POINT!

The placement of the thread in question is in a sticky in the Service Pack forum because that forum was where the hands on folks are working on providing this stuff and just happened to start there.

You don't need to install the Service Pack, or anything else there, to contribute or benefit from reading the threads. It just would make it less time consuming to use the pack. You'd just be installing all that stuff yourself anyway. It just provides the important critical fixes to 98SE, with options to also install a few other things along with it. But anyone is free to examine the same (plus a lot more) updates, fixes and add-ons on the mdgx website.

I had an issue a while back with the SP LITERALLY trashing my computer - feel free to go back a year or so and see the agony.... I prefer more control on just what is updated and changed on my machines these days.

Thanks for your input, and I am just looking to streamline things for all.

Edited by emarkay
Link to comment
Share on other sites

I mean, if you don't like using a pre-packaged service pack then all you need is comprehensively provided at the mdgx site. No long discussions, just the meat. You go from the bottom of the lists to the top for oldest to newest. You can read the descriptions and decide for yourself if you want an add-on (but the critical updates for your OS, Internet Explorer, Windows Media, and DirectX should be applied on all systems). In cases where an update has prerequisites, it is clearly noted in the descriptions.
I know, and I am pretty good at sorting out information, but it's still a convoluted format, and (are you the maintainer of that site?) even to me a bit "wordy". For example, one post, from that site:

"Microsoft Windows 98/98 SE Embedded Web Fonts T2EMBED.DLL 5.00.2195.7073 Security Vulnerability Fix:

Direct download [211 KB, English].

Requires MS IE 5.5 SP2 or newer already installed!

BUG: T2EMBED.DLL Fix above installs BUGgy INF file!

FIX: MUST Install this INF Fix [63 KB] AFTER installing T2EMBED.DLL Fix above!"

Nowhere is the MS KB# or MS update number found, and any specifics AT THIS POINT WHY the update is "buggy", why there are TWO "fixes" and WHAT the "fixes" do, are, and how/why they are needed!

Finally, unless I KNOW I have a font problem, I have no clue why I need it! Imagine if I am a "much less than a power user" who just wants to keep my "windows" updated! This needs to be made clear and easy to reference back to either a MS bulletin, a CERT advisory, or a publicized security issue that can be remedied by third parties - such as you kind folks!

Don't you see that THIS IS MY POINT!

That quote is from my site [just look at the URL where it was quoted from ;)]:

http://www.mdgx.com/web.htm#9SU

Now for the way I decided to post updates at my site [to make it short and easy to understand for everybody, not just for a restricted crowd of power users/geeks like us, and without posting any MSKB Qxxxxxx/KBxxxxxx and/or MS0x-0xx numbers, which most people find annoying and unnecessary]:

- Official updates start with the word "Microsoft".

- Unofficial updates start with the word "Unofficial".

- All Windows editions a particular update applies to are listed after "Microsoft", from oldest to newest.

- Brief bug/error description follows.

- File(s) name(s) which will be replaced by the update follow(s).

- File(s) version(s)/build(s) follow(s) [this is also a bit annoying for some people].

- The 1st link is either to MS security bulletin or MSKB article which describes the bug and its fix [if all that info available].

- The 2nd link which says "Direct download" is to the file itself.

- If any other steps are necessary for a particular update to work/install properly, they will be detailed step by step, eventually with links to files that might be necessary.

- If more info [from MS and/or other 3rd parties] is available on the subject, it will be listed as link(s) to relevant web pages.

And if anybody wants to view the MS security bulletin and/or MSKB number or entire file name/location, all you have to do is place your mouse cursor on top of the link, and the entire URL will appear in your browser's status bar at the bottom [depending on which browser is used, and particular browser settings].

Or if you like, just right-click on a link and select Properties. Then copy + paste it into Notepad/etc if you wish.

I found this way to be effective for most users out there.

I started posting updates ~ 9 years ago, and it seems to work ok so far.

But if anyone has suggestions on how to improve this update posting system [and if I have the time to do it], please post here your ideas/templates/etc, and I'll carefully consider them.

Please consider the fact that a single change to my system of posting updates requires me to change all wording for all updates at my site [all MS OSes], and I probalby have a few thousand updates that would need to be changed. Please consider the amount of time and work necessary to do this.

Hope this helps

Link to comment
Share on other sites

I mean, if you don't like using a pre-packaged service pack then all you need is comprehensively provided at the mdgx site. No long discussions, just the meat. You go from the bottom of the lists to the top for oldest to newest. You can read the descriptions and decide for yourself if you want an add-on (but the critical updates for your OS, Internet Explorer, Windows Media, and DirectX should be applied on all systems). In cases where an update has prerequisites, it is clearly noted in the descriptions.
I know, and I am pretty good at sorting out information, but it's still a convoluted format, and (are you the maintainer of that site?) even to me a bit "wordy". For example, one post, from that site:

"Microsoft Windows 98/98 SE Embedded Web Fonts T2EMBED.DLL 5.00.2195.7073 Security Vulnerability Fix:

Direct download [211 KB, English].

Requires MS IE 5.5 SP2 or newer already installed!

BUG: T2EMBED.DLL Fix above installs BUGgy INF file!

FIX: MUST Install this INF Fix [63 KB] AFTER installing T2EMBED.DLL Fix above!"

Nowhere is the MS KB# or MS update number found, and any specifics AT THIS POINT WHY the update is "buggy", why there are TWO "fixes" and WHAT the "fixes" do, are, and how/why they are needed!

Finally, unless I KNOW I have a font problem, I have no clue why I need it! Imagine if I am a "much less than a power user" who just wants to keep my "windows" updated! This needs to be made clear and easy to reference back to either a MS bulletin, a CERT advisory, or a publicized security issue that can be remedied by third parties - such as you kind folks!

Don't you see that THIS IS MY POINT!

That quote is from my site [just look at the URL where it was quoted from ;)]:

http://www.mdgx.com/web.htm#9SU

Now for the way I decided to post updates at my site [to make it short and easy to understand for everybody, not just for a restricted crowd of power users/geeks like us, and without posting any MSKB Qxxxxxx/KBxxxxxx and/or MS0x-0xx numbers, which most people find annoying and unnecessary]:

- Official updates start with the word "Microsoft".

- Unofficial updates start with the word "Unofficial".

- All Windows editions a particular update applies to are listed after "Microsoft", from oldest to newest.

- Brief bug/error description follows.

- File(s) name(s) which will be replaced by the update follow(s).

- File(s) version(s)/build(s) follow(s) [this is also a bit annoying for some people].

- The 1st link is either to MS security bulletin or MSKB article which describes the bug and its fix [if all that info available].

- The 2nd link which says "Direct download" is to the file itself.

- If any other steps are necessary for a particular update to work/install properly, they will be detailed step by step, eventually with links to files that might be necessary.

- If more info [from MS and/or other 3rd parties] is available on the subject, it will be listed as link(s) to relevant web pages.

And if anybody wants to view the MS security bulletin and/or MSKB number or entire file name/location, all you have to do is place your mouse cursor on top of the link, and the entire URL will appear in your browser's status bar at the bottom [depending on which browser is used, and particular browser settings].

Or if you like, just right-click on a link and select Properties. Then copy + paste it into Notepad/etc if you wish.

I found this way to be effective for most users out there.

I started posting updates ~ 9 years ago, and it seems to work ok so far.

But if anyone has suggestions on how to improve this update posting system [and if I have the time to do it], please post here your ideas/templates/etc, and I'll carefully consider them.

Please consider the fact that a single change to my system of posting updates requires me to change all wording for all updates at my site [all MS OSes], and I probalby have a few thousand updates that would need to be changed. Please consider the amount of time and work necessary to do this.

Hope this helps

I find your pages invaluable and have done over the past several years, I am sure there are countless win9x users who would like to thank you for all your hard work you have put into making our life so much easier. So no I for one have no issues whatsoever in your sites construct

It would be nice to have a sticky thread in this forum concerning any current/forthcoming security issues that may or may not affect us if and when they are found, and to have professional opinions from you guys concerning each ones severity.

All the best

Link to comment
Share on other sites

But if anyone has suggestions on how to improve this update posting system [and if I have the time to do it], please post here your ideas/templates/etc, and I'll carefully consider them.

Please consider the fact that a single change to my system of posting updates requires me to change all wording for all updates at my site [all MS OSes], and I probalby have a few thousand updates that would need to be changed. Please consider the amount of time and work necessary to do this.

You got the best Win98SE i ever seen

matter fact you got the best site overall IMO

Link to comment
Share on other sites

I mean, if you don't like using a pre-packaged service pack then all you need is comprehensively provided at the mdgx site. No long discussions, just the meat. You go from the bottom of the lists to the top for oldest to newest. You can read the descriptions and decide for yourself if you want an add-on (but the critical updates for your OS, Internet Explorer, Windows Media, and DirectX should be applied on all systems). In cases where an update has prerequisites, it is clearly noted in the descriptions.
I know, and I am pretty good at sorting out information, but it's still a convoluted format, and (are you the maintainer of that site?) even to me a bit "wordy". For example, one post, from that site:

"Microsoft Windows 98/98 SE Embedded Web Fonts T2EMBED.DLL 5.00.2195.7073 Security Vulnerability Fix:

Direct download [211 KB, English].

Requires MS IE 5.5 SP2 or newer already installed!

BUG: T2EMBED.DLL Fix above installs BUGgy INF file!

FIX: MUST Install this INF Fix [63 KB] AFTER installing T2EMBED.DLL Fix above!"

Nowhere is the MS KB# or MS update number found, and any specifics AT THIS POINT WHY the update is "buggy", why there are TWO "fixes" and WHAT the "fixes" do, are, and how/why they are needed!

Finally, unless I KNOW I have a font problem, I have no clue why I need it! Imagine if I am a "much less than a power user" who just wants to keep my "windows" updated! This needs to be made clear and easy to reference back to either a MS bulletin, a CERT advisory, or a publicized security issue that can be remedied by third parties - such as you kind folks!

Don't you see that THIS IS MY POINT!

That quote is from my site [just look at the URL where it was quoted from ;)]:

http://www.mdgx.com/web.htm#9SU

**********

But if anyone has suggestions on how to improve this update posting system [and if I have the time to do it], please post here your ideas/templates/etc, and I'll carefully consider them.

Please consider the fact that a single change to my system of posting updates requires me to change all wording for all updates at my site [all MS OSes], and I probalby have a few thousand updates that would need to be changed. Please consider the amount of time and work necessary to do this.

Hope this helps

MDGX, I wasn't sure if you were "Eck" or not. I did not mean to be critical as I appreciate your efforts.

HOWEVER most OFFICIAL security related sited DO use the MS KB or Update# as a PRIMARY way to notify users of a problem. Now that MS is no longer using ANY Win98/ME listings, it is up to US to take the information found in that KB/Update# and see if it is applicable to 98/ME!

OK I don't want to ask you to redo your templates, but how about FROM NOW ON, being that Windows Update is DEAD for 98/ME, you list SOME sort of external reference that indicated WHY the new 98/ME update is needed? Something linked and "official" as opposed to just a reference that this is a user enhancement or a unofficial update by itself. Also, how about a line on the UNOFFICIAL FIXES to the OFFICIAL FIXES as to WHAT and WHY the OFFICIAL update is flawed, and what the UNOFFICIAL update is.

Any additional clarification is always welcome and can be ignored, but deficiencies of important data only lead to flawed assumptions.

I just want to be able to easily keep my WIN98SE secure and relevant now that it's no longer a supported product.

MRK

Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.


×
×
  • Create New...