There was a time when service packs fixed problems, it seems that something is seriously wrong with the M$ testing process that the SP's now do more harm than good. I run a small network of both XP and Vista machines and for the first time ever I'm holding back from installing SP's until the SP's have SP's. (Actually I'm about to download Fedora 9. Maybe it's time for a change.

If you installed SP3 recently, you have this fix. The affected module was msjet40.dll v < 4.0.9505.0.

Cheers,

Sabahattin

Yawn. Really, I'd buy a Mac before I'd get Lienux. You get what you pay for.

Six months to fix a 'critical' flaw, actively being exploited. Microsoft's attitude toward security continues to scare me.

That's better than average for them actually..

"Yawn. Really, I'd buy a Mac before I'd get Lienux. You get what you pay for."

I'm not sure what puts me off the Mac more, the interface, which I never really got on with, or the ignorant self righteous user base.

Paris, 'cos she has more brains than the average Mac Troll.

there are no updates for it even if you force Mac Office 2008 to use the updater.app to check for new stuff. you may be wrong in your posting, i know, it'd be hard to take on board, but it is possible!

>> Yawn. Really, I'd buy a Mac before I'd get Lienux. You get what you pay for.

Your comment is free to read. 'nuff said.

It has taken me an hour and a half to get my system working again after today's patches were applied to my XP/SP3 AMD/nVidia box. Here's hoping I don't have similar problems on the other boxes, especially the HP/AMD ones.

Everything went absolutely swimmingly with SP3 on this machine and all the office machines were happy apart from a couple of Sony Vaios. (The KB925877 problem required tracking down a set of uninstall files for the KB925877 executable)

Yes, it's a 'critical' flaw because of the potential damage it could do if triggered - but doesn't reflect the chance of it actually happening. Also, I've yet to see anything in any of the independent advisories about this to say that it's actively being exploited.

If you look at the vulnerability itself (http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6026), it's described as "allows user-assisted attackers to execute arbitrary code via a crafted MDB file". Exploit which can be performed without user interaction - it requires the user to trigger it, and requires the user to have the crafted MDB file. Whilst not impossible - is lower risk than other vulnerabilities.

Microsoft's initial opinion when investigating the issue was that MDB files are already classed as "unsafe file types" (like .exes etc) and are automatically blocked by IE and Outlook etc. Therefore the user has to actively (rather than passively) do something to get the file opened.

Download the full XP SP3 ISO file and you won't see the AMD issue.

http://www.microsoft.com/downloads/details.aspx?FamilyID=2fcde6ce-b5fb-4488-8c50-fe22559d164e&DisplayLang=en

Still no sign of SP3 on Windows Update for me...

The McMenemy and Albard families have been blocked from this wave over backward-compatibility problems. Refer to KB9300259267 For more info.

(Or maybe you have a pirated copy/malware blocking the WU.)

"One vulnerability involved the way Office handles Rich Text Format documents and another involved cascading style sheets, both of which could be used to take complete control of vulnerable machines."

Ridiculous. A RTF file can turn your box into a spam bot or worse. MS are a joke, unfortunately those that believe this are in the minority.

MS products are a security nightmare, and to think MS are just about ubiquitous across business and government systems. I am amazed that MS software has been allowed, let alone used on such systems and so extensively. It is, and always has been unfit for purpose, if that purpose includes a secure and reliable platform. If it was a case of once bitten fair enough, but MS seem to be not only teasing the dog but allowing it unfettered access to the jugular.

Does any IT professional associate the word Microsoft with Confidentiality, Integrity and Availability? And if IT professionals are such a responsible bunch how the fsck has MS software gained so much widespread use?

I cannot see how any self respecting and diligent security professional would recommend the use of any MS software on any system that required any kind of security. Security professionals however do not decide on whose products are used, they merely advise. And then have to jump through hoops patching the OS and disabling services to protect those systems. I for one believe an OS should be secure out of the box. What cost savings MS products have provided with ease of use, system flexibility and integration are eaten up by support costs.

And with too many paper MCSE's and not enough 'nix/Linux professionals in the business things are not likely to change any time soon.

As for the SP3 AMD/Intel driver debacle, how hard can it be to detect the type of CPU in a system and install/remove drivers accordingly. Sorry MS your buck passing cuts no slack here.

Accepted MS has done wonderful, innovative and many useful things with its software systems, unfortunately the good in MS software is more than outweighed by unnecessary complication, unneeded, insecure component integration and the positioning of ease of use above security. MS are huge, they have the resource to do things right yet they don't. This to me means that not only is MS software unfit for purpose but Microsoft themselves are unfit for purpose.

Bit of a rant, doncha think?

"And if IT professionals are such a responsible bunch how the fsck has MS software gained so much widespread use?"

By mass saturating the market with general purpose, compatible software that doesn't require years of experience and training to make work. Not the greatest thing in the world, but good business sense.

"And with too many paper MCSE's and not enough 'nix/Linux professionals in the business things are not likely to change any time soon."

Not an MCSE, but MCSA, and yes, the exams aren't the most accurate depiction of skill, but backed up by a good few years experience I think that my quals count for something. I like M$, monkeying around on the command line never really got me going, but thats why we have an RCSE to work alongside me on our Linux boxes.

As for the suggestion that Linux is somehow hacker proof, stick your box out there on the net, without a firewall or any kind of security, and lets see it stay uncompromised. when I have a W2K3 box that acts as a DC, File and Print server, Mail server, and also hosts 3rd party apps, FTP and other functions....tell me how you would make that secure OOTB??

"This to me means that not only is MS software unfit for purpose but Microsoft themselves are unfit for purpose"

Exchange 2003 does a decent enough job of moving my mail around...W2K3 hosts my files and printers nicely...ISA locks my system down well....Office lets my EU's write documents and spreadsheets....OWA, Activesync and windows mobile means my users can work remotely....and it is all compatible, all works together (when configured correctly) and there is a wealth of experience and knowledge out there to help me support it all when it breaks.

No, M$ may not be the best technical option, they may not be the most secure, but with 40+ windows servers, 250+ XP/Vista end users and everything that comes with it, they keep me in a job and damn I love the money :)

Mines the one with "I'll blow M$ for overtime" on the sleeve

Yup was a bit of a rant no denying. My questions were rhetorical though, I am aware of some if not all the devious and nasty dealings that have ensured MS are the worlds dominant software player. It should have never been allowed to happen.

I don't have any paper qualifications at all, just years of experience, from 1st line support to management. And I did not suggest Linux was hacker proof. Although If I put an OpenBSD server on the net out of the box I would expect it to take more than 4 minutes to compromise. I don't design operating systems so I personally would find it impossible to build an OS that is secure OOTB. However, MS have over twenty years experience and billions of dollars of resource they should have it sorted by now.

I do appreciate the living that supporting flawed systems has given me and should be grateful to MS to some extent. But I do ponder on what may have been achieved if the energies given to patching, testing, securing and making MS software work properly were directed elsewhere.

Just remembered, I do have a paper qualification: City and Guilds level III 'C' applications programming from around 1993 I think. This was from a time when a student was taught the subject and not how to pass the exam.

I appreciate what you say. MS products can be secured, sort of, can be made to work well enough and when done right do provide the services requested of them. They also provide plenty of work for the likes of yourself and me, so I shouldn't be so eager to bash them eh?. Well, I have never been afraid to bite the hand that feeds me.

Lets see why Windows is so widespread.

We'll given the fact that it's taken Linux / Unix years come come even as close as being user friendly as Windows, there is one reason.

Next Windows 95 & 98 was around before most people had even heard of the Internet, security was not even a real issue then, but as online transactions have become more widespread, so as the appeal to hacker.

MS are releasing patches to fix hole. ALL os's have them. FACT! What would you rather do, MS leave them wide open?

It may of taken 6 months for a very good reason, maybe they found fixes, but they in turn crashed out apps. I rather they took six month to find dozens of dead systmes after an update.

Personally I'm happy with XP, it does what I want it to do and very well thankyou, so I have no intention of changing.

If you don't like Windows, then don't bloody use it !

"Ridiculous. A RTF file can turn your box into a spam bot or worse. MS are a joke, unfortunately those that believe this are in the minority."

Sometimes people seem to forget that Microsoft aren't the only people that release insecure software. The first google result for "rtf exploit" is a vulnerability in OpenOffice - OpenOffice RTF File Parser Buffer Overflow Vulnerability (http://www.securityfocus.com/bid/24450/)

"I don't have any paper qualifications at all, just years of experience."

You can have all the experience in the world, but if think you can get far without qualifications your extremely ignorant.