MS Windows and Office CRITICAL UPDATE Security Bulletin MS02-050 -- New 9-5-02

Harvey

Administrator
Elite Member
Oct 9, 1999
Microsoft Security Bulletin MS02-050 -- More info

Certificate Validation Flaw Could Enable Identity Spoofing (Q328145)

Originally posted: September 04, 2002
Updated: September 05, 2002

Summary:

Who should read this bulletin: Customers using Microsoft® Windows®, Office for Mac, Internet Explorer for Mac, or Outlook Express for Mac.

Impact of vulnerability: Identity spoofing.

Maximum Severity Rating: Critical

Recommendation: Administrators should install the patch immediately.

Affected Software:

Microsoft Windows 98
Microsoft Windows 98 Second Edition
Microsoft Windows Me
Microsoft Windows NT® 4.0
Microsoft Windows NT 4.0, Terminal Server Edition
Microsoft Windows 2000
Microsoft Windows XP
Microsoft Office for Mac
Microsoft Internet Explorer for Mac
Microsoft Outlook Express for Mac

Patch availability:

Download locations for this patch:

Microsoft Windows 98/98SE
Windows Me
Windows NT 4.0
Windows NT 4.0 Terminal Server Edition
Windows 2000: (To be released shortly)
Windows XP and Windows XP 64 Bit Edition

Microsoft Office v.X for Mac: (To be released shortly)
Microsoft Office 2001 for Mac: (To be released shortly)
Microsoft Office 98 for the Macintosh (To be released shortly)
Microsoft Internet Explorer for Mac (for OS 8.1 to 9.x) (To be released shortly)
Microsoft Internet Explorer for Mac (for OS X) (To be released shortly)
Microsoft Outlook Express 5.0.5 for Mac (To be released shortly)
 

Sunner

Elite Member
Oct 9, 1999
<Nelson Muntz voice> Haaw haaw!</Nelson Muntz voice>

Funny how Microsoft was downplaying this in another security bulletin a while back, basically saying it's not a biggie.
Makes me feel all the better about not using IE at all, and keeping Windows usage at a minimum.
 

Sunner

Elite Member
Oct 9, 1999
Originally posted by: Harvey
Uh huh! Then, why is the headline on News.com "Credit card theft feared in Windows flaw"? :Q

Remember, Windoze is a virus with mouse support, and Microsoft is the Borg of Software. Resistance is futile. You will be assimilated. :|

I wasn't saying it isn't serious, I was merely pointing out that MS had a security bulletin up that basically said something along the lines of "There's an ever so slight problem with the way MSIE handles SSL certs, but really, it's nothing to worry about, it's really hard to exploit, and would require the user not to check a few things".

And that was a while ago, the difference in response times is amazing.
KDE had a patch in CVS some 5 hours after the exploit was published on Bugtraq, and released KDE 3.0.3 5-6 days later (don't quote me on that one, it's off the top of my head).
Opera released v6.05 a few days (2-3?) after the exploit was found.
Mozilla was never affected.
Microsoft took a while before they released this bulletin, and then took several friggin weeks to actually do something about it.

Feels good to know that the largest software company in the world takes security so seriously, really makes this "Trustworthy Computing" thing look very good.
 

Harvey

Administrator
Elite Member
Oct 9, 1999
I found it while reading the article on News.com (see earlier post). It isn't on Windows Update yet, because it's too new. It'll probably be there next week. From the article, I thought it was important enough to spread the word ASAP. :)
 

Barnaby W. Füi

Elite Member
Aug 14, 2001
so what's new? is this surprising at all? is this out of the ordinary at all? just another example that MS proponents are nothing but goddamned fools.

it'll be put up on windows update NEXT WEEK? why?

what a joke. might as well just never release any patches. code red is still all over the place too.
 

Pcteck

Junior Member
Aug 22, 2002
I ran Baseline Security Analyzer today and it showed that this particular Hotfix was missing. I installed it immediately on all my machines.