I don't usually point to these things. There just seem to be too many of these things (read on to discover there have been 26 such bulletins so far this year!)
Longhorn, Microsoft's next generation OS (due in 2005) is claimed to be their biggest OS effort since Windows 95. Let's hope for the sanity of Windows users everywhere that it has a more solid base and greater security.
Microsoft has issued a warning about a critical security flaw that affects most versions of its Windows software. The flaw involves DirectX, an extensive collection of programming add-ons for Windows used by computer games.
The flaw is unusually widespread, affecting all versions of DirectX from version 5.2 to the current 9.0a running on all versions of Windows from Windows 98 through the new Windows Server 2003, according to the Microsoft bulletin.
If exploited, the flaw could allow a malicious hacker to run their own specially crafted code on the machine, to plant a virus or even take it over completely.
Microsoft has given the flaw its highest severity rating.
(For the patch, visit http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-030.asp)
(patrickv) [Lockergnome Bytes]
Here are Microsoft's security bulletins just for July 2003:
MS03-030 : Unchecked Buffer in DirectX Could Enable System Compromise (819696)
MS03-029 : Flaw in Windows Function Could Allow Denial of Service (823803)
MS03-028 : Flaw in ISA Server Error Pages Could Allow Cross-Site Scripting Attack (816456)
MS03-027 : Unchecked Buffer in Windows Shell Could Enable System Compromise (821557)
MS03-026 : Buffer Overrun In RPC Interface Could Allow Code Execution (823980)
MS03-025 : Flaw in Windows Message Handling through Utility Manager Could Enable Privilege Elevation (822679)
MS03-024 : Buffer Overrun in Windows Could Lead to Data Corruption (817606)
MS03-023 : Buffer Overrun In HTML Converter Could Allow Code Execution (823559)
I deleted one for SQL Server as that was an application not the OS.
You can find all of the security updates from this link.
Here's a running score of issues which are severe enough to allow unauthorised code execution, change in privileges or denial of service attacks. I have included Internet Explorer as it is part of the Operating System.
Jan 1 issue, Feb 3 issues, Mar 4 issues, April 4 issues, May 3 issues, Jun 3 issues, Jul 8 issues. Total year to date - 26!
Apple issues updates from time to time for security issues. They seem to fix issues which are less critical to the safe operation of the system than the ones I see from Microsoft. I don't know whether that's because they have a newer OS - Mac OS X, or an older OS (the Mach kernel and BSD underpinnings).
Here are the updates for Apple year to date:
Security Update 2003-07-23
Security Update 2003-06-09: Information and Download
Security Update 2003-06-12: Information and Download
SecurityUpdate 2003-03-03 (10.2.4): Information and Download
Two of these (Security Update 2003-03-03 is one) address only software which is not enabled by default (Sendmail and Apache). Follow the links and make your own assessments. My view is that these generally address quite mild risks. Put it this way: I have not installed a single Apple security update this year and I am not losing any sleep over it. I don't think I could have done the same if I was running Windows.
Anyhow that's the score year to date: Microsoft 26, Apple 5.
Update 28 Jul: lightanddark, a fellow TypePad beta tester, serendipitously pondered similar questions in their post - "Is Microsoft really that stupid?". I am not a programmer, nor is Light and Dark. Can someone explain to us why the same errors (out of bounds) keep occurring?
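As an added illustration of the bug class behind the "Unchecked Buffer" and "Buffer Overrun" bulletins listed above (this is example code written for this page, not code from Microsoft, DirectX or any of the bulletins, and the record format it parses is made up for the example): a parser that copies a length-prefixed field into a fixed-size buffer. The first version trusts the length byte in the input; the second checks it against both the destination size and the bytes actually received. Both behave identically on well-formed input, which is exactly why this mistake survives ordinary testing.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NAME_MAX 16   /* fixed-size destination, typical of a C struct field */

/* Constructed record format (hypothetical, for this example only):
 * byte 0 = length n of the name, bytes 1..n = the name itself. */
typedef struct {
    char name[NAME_MAX];
} record_t;

/* Unchecked: the pattern behind an "unchecked buffer" bulletin. The length
 * comes straight from untrusted input and is never compared to NAME_MAX, so
 * a record claiming n > 15 writes past the end of out->name. Returns bytes copied. */
size_t parse_record_unchecked(const uint8_t *in, size_t in_len, record_t *out)
{
    if (in_len < 1)
        return 0;
    size_t n = in[0];                 /* attacker-controlled length */
    memcpy(out->name, in + 1, n);     /* no bound check: n may exceed NAME_MAX */
    return n;
}

/* Checked: validates the claimed length against the destination size and
 * against how much input was really received before copying anything.
 * Returns bytes copied, or 0 when the record is rejected. */
size_t parse_record_checked(const uint8_t *in, size_t in_len, record_t *out)
{
    if (in_len < 1)
        return 0;
    size_t n = in[0];
    if (n >= NAME_MAX)                /* must leave room for the terminator */
        return 0;
    if (n > in_len - 1)               /* length claims more bytes than exist */
        return 0;
    memcpy(out->name, in + 1, n);
    out->name[n] = '\0';
    return n;
}

/* Constructed inputs: one benign record, one oversized, one truncated. */
static const uint8_t benign_record[] = { 5, 'h', 'e', 'l', 'l', 'o' };
static const uint8_t truncated_record[] = { 10, 'a', 'b' };

static void build_oversized(uint8_t *buf, size_t buf_len)
{
    buf[0] = (uint8_t)(buf_len - 1);  /* claims 200 bytes of name */
    memset(buf + 1, 'A', buf_len - 1);
}

/* Helpers exposing each outcome as a return value. */
size_t demo_benign_unchecked(void)
{
    record_t r = {{0}};
    return parse_record_unchecked(benign_record, sizeof benign_record, &r);
}

size_t demo_benign_checked(void)
{
    record_t r = {{0}};
    return parse_record_checked(benign_record, sizeof benign_record, &r);
}

size_t demo_oversized_checked(void)
{
    uint8_t evil[201];
    record_t r = {{0}};
    build_oversized(evil, sizeof evil);
    /* The unchecked parser is deliberately NOT called here: on this input it
     * would write 200 bytes into a 16-byte field, i.e. the overrun itself. */
    return parse_record_checked(evil, sizeof evil, &r);
}

size_t demo_truncated_checked(void)
{
    record_t r = {{0}};
    return parse_record_checked(truncated_record, sizeof truncated_record, &r);
}

int main(void)
{
    printf("benign, unchecked:    %zu bytes\n", demo_benign_unchecked());
    printf("benign, checked:      %zu bytes\n", demo_benign_checked());
    printf("oversized, checked:   %zu bytes (rejected)\n", demo_oversized_checked());
    printf("truncated, checked:   %zu bytes (rejected)\n", demo_truncated_checked());
    return 0;
}
```

The point for the non-programmer: in C the destination buffer does not know its own size, so every copy needs a separate comparison that someone has to remember to write, and a test suite fed only well-formed records will never notice that it is missing. The checked version also guards the other direction (a length larger than the data received), which is the same class of mistake reading past the end of a buffer instead of writing past it.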