digg

Facebook Connect Join Digg About

Two Serious Windows Flaws Uncovered

twit.tv The first is a zero day exploit that affects Internet Explorer (and Outlook) even on fully patched copies of Windows XP. The second is a file corruption bug in Windows 2000 introduced by a Microsoft patch. Steve Gibson has fixes for both in his Security Now podcast, plus an interview with the fellow who discovered the VWL exploti.

Who dugg this? Made popular Sep 22, 2006

Digg DudeWhat is Digg?

Digg is a place for people to discover and share content from anywhere on the web. Digg surfaces the best stuff as submitted and voted on by the community. Take the Tour to learn more.

60 Comments

show profanity settings
expand all
  • jhuebel, on 10/12/2007, -2/+25Absolutely. The more coverage the flaws get, the better. For two broad reasons:

    1. It embarrases Microsoft into fixing the problem and points out the ongoing security issues with XP. It also reaffirms many security experts' opinions (including Steve Gibson) that Vista will NOT be the "most secure Windows ever", as Microsoft continues to claim..

    2. It spreads the word and gives more people the information they need in order to FIX the problem. Every person who patches or installs a workaround is another XP machine that doesn't become a zombie.
  • BillDoE, on 10/12/2007, -3/+23#1 worst Windows flaw. The average user.
  • duke_nate, on 10/12/2007, -4/+21Why dont you do us a favor and go choke on something.
  • i440, on 10/12/2007, -6/+21Are serious Windows flaws still news?
  • Raian, on 10/12/2007, -2/+16More at 11: Everything ever created by humans has flaws.... except for tetris.
  • zweben, on 10/12/2007, -6/+20You just made me like Apple and Linux both slightly less.

    And i'm typing this on a Mac.
  • KillerJ59J, on 10/12/2007, -3/+16affanjam, have you tried using Linux to read it? You should really look into that.. if your ever going to get that data off Linux would probably be the answer.
  • dacheetah, on 10/12/2007, -2/+14Why was KillerJ59J being dugg down? He's got a very valid point. When Windows breaks and won't boot, using a Live Linux CD (such as Knoppix or Ubuntu) is by far one of the easiest ways to safely recover data. I'm not saying that everyone should switch to Linux, I'm just saying that a live linux CD is an invaluable tool for data recovery on systems where OS won't boot. (You can even get them to write to an NTFS partition if you've played around with linux enough, and in such cases you can sometimes remove and replace whatever file Windows is complaining about, and sometimes that will fix windows... Sometimes it doesn't...)
  • sinembarg0, on 10/12/2007, -1/+9...hacked my Gibson.
  • strotee, on 10/12/2007, -2/+10This just in.....everything ever created by humans has flaws.......more at 11.
  • pillfred, on 10/12/2007, -2/+9digg us both down but i agree. Outlook can kiss my ass.
  • p9s50W5k4GUD2c6, on 10/12/2007, -1/+7Link to Gibson's workaround: http://www.grc.com/sn/notes-058.htm (middle of the page)
  • thehouse, on 10/12/2007, -4/+9use an amiga, nobody will find and h4q you then.
  • duality, on 10/12/2007, -1/+5Flaws for pretty much every OS are usually newsworthy, but for different reasons. As jhuebel has said, it usually takes a virtual cattle prod to get Microsoft to fix its products' flaws. Hence, this article and others like it commonly get to the front page of Digg. (Bzzzzzt!!)

    The various Linux distributors like Redhat, Ubuntu, etc., are usually very good-natured when other people discover flaws in their products. They WANT people to disclose them, because it usually gives them a chance to show off how seriously they take such problems. When Ubuntu released a flawed update patch that locked a bunch of people out of their systems, people were shocked and incensed, but practically nobody was burning a photo of Mark Shuttleworth in effigy. The problem was quickly discovered and fixed, just as it should be.

    My experience with Apple is limited in this respect, so I will leave the floor open to whoever knows more about them than me. (Many people here do, I suspect.)
  • kingace, on 10/12/2007, -6/+10It's a good thing I don't use Internet Explorer or Outlook...
  • kingace, on 10/12/2007, -0/+3...So, you're an idiot.
  • PsychoPNut, on 10/12/2007, -1/+4this should be under the Apple category so all the macies can lol at us hipsters
  • Reno582, on 10/12/2007, -1/+4The Exploit doesn't effect IE7
  • VSack, on 10/12/2007, -0/+3What will be most interesting is Microsoft's response time. After all, the "fix" for the DRM crack came out in record time, proving that Microsoft QA was not the reason for their typical procrastination on security issues.
  • ig33k010011, on 10/12/2007, -1/+4eh, its windows. what do you expect...
  • inactive, on 10/12/2007, -2/+4Easy to protect from anything,,,just use the free SANDBOXIE program recommended by Steve Gibson. Essentially no overhead , doesn`t slow your computer at all. ANY program on your puter can be protected by Sandboxie.
  • Rodalli, on 10/12/2007, -2/+4Good thing I use Firefox and Thunderbird.
  • MacSuxWindozSux, on 10/12/2007, -0/+2Unfortunately simpley saying Linux or mac methods are better doesn't cut it.
    (Although open source is abolutely unbeatable!)

    As far as fixing things goes... MS has way more code to manage. Maybe it's bloated... but you can't ignore that they have so many things on the go at the same time it's rediculously hard to change things and garuntee it wont break other things.

    I really think that a lot of people underestimate this difficulty, which all large software companies have to deal with.
  • dralezero, on 10/12/2007, -1/+3They said it checks all versions of IE and Firefox and pinpoints the exploits of your version.
  • affanjam, on 10/12/2007, -3/+5I'm so pissed! I think thats what happened to my installation of Windows 2000. It won't boot up cause the ntoskrnl.exe is missing.And I can't acces the hard drive casue its currupt. I still have the hard drive with that instalation, does any one know how to recover it fully
  • inactive, on 10/12/2007, -7/+9W00t Windows!!!!!!!!!!!!
  • justnick, on 10/12/2007, -3/+5or just use firefox, one cost thousands of dollars and you have to wear a black turtle neck when you use it, the other is free. If you like IE, download IE7. Also a good idea to not visit the porn sites. Use limewire.
  • OBKenobi, on 10/12/2007, -2/+4"Are serious Windows flaws still news?"

    Only to the tards still using IE and Outlook.
  • Goldenatom, on 10/12/2007, -0/+2What makes a "security expert" in your expert opinion then?
  • ryawn, on 10/12/2007, -3/+4i work for a major ISP tech support department and we have been getting HUNDREDS of calls about this problem. it started around 7:30pm and has been non stop since. when people open IE, it displays for about 1 second, and the browser closes. sucks for all the suckers who never got a chance to download firefox. serves them right if you ask me.
  • Khuffie, on 10/12/2007, -0/+1Ya...whatever happened to good old fashioned text articles? That summary posted here alone tells me more than the first 3 minutes of the mp3...then I got annoyed at all the stupid rambling and ads. (Yes, it's an mp3. It's people talking to each other. Gah.)
  • dBLiSS, on 10/12/2007, -1/+2@sinembarg0

    wow.. haven't heard THAT in a long time lol. DIGG+
  • phi0x, on 10/12/2007, -0/+1So IE is exploitable? Who's really going to be exploited? I mean come on, who doesn't use Firefox or Opera now days? :P
  • sammyc53, on 10/12/2007, -1/+2"Link to Gibson's workaround: http://www.grc.com/sn/notes-058.htm (middle of the page)"

    Um, that's not Gibson's workaround. It's Microsofts. It's been on their website for days, along with 3 other solutions.

    Other solutiosn include ways to disable it on a Domain:
    http://www.microsoft.com/technet/security/advisory/925568.mspx

    And there is another great article somewhere on an undocumented way of protecting from it within a Domain evironment using Group Policies and Security Templates.

  • kingace, on 10/12/2007, -4/+5Fishing for diggs by mentioning Diggnation doesn't work when you let slip that you just turned it off...
  • porkstacker, on 10/12/2007, -0/+1Excellent!
  • nibble128, on 10/12/2007, -1/+1Click Start
    Click Run
    Type the following:
    regsvr32 -u "%ProgramFiles%CommonFilesMicrosoft SharedVGXvgx.dll"
    Click OK

    This will unregister vgx.dll and fix one of the bugs
  • slashdotislame, on 10/12/2007, -2/+2zero day?
    VWL ?
    way to be leet!
  • ProfessorGadget, on 10/12/2007, -0/+0WARNING: VML "fix" breaks Peachtree Accounting 2006

    I just tested unregistering the VGX.DLL on an XP and a Win2k system. After reboot Peachtree Accounting 2006 will no longer work on either system. It gives an error asking you to either reinstall Peachtree or Internet Explorer 5.5 or higher since it now thinks that IE is no longer on the machine, even though IE works fine after the "fix." I tried re-registering the VGX.DLL per the instructions at GRC.com, reboot each machine, and Peachtree still will not work.

    The only fix I've found is to reinstall XP SP2 (reinstalling IE 6), "upgrade" to IE 7 (only for XP) or reinstall Win2k .
  • nibble128, on 10/12/2007, -1/+1oops, throw slashes in there where apropriate... I missed my edit window
    regsvr32 -u "%ProgramFiles% CommonFiles Microsoft Shared VGXvgx.dll"

    damn digg not letting file paths
  • dtfinch, on 10/12/2007, -3/+2I remember way back when Microsoft had the money and talent to fix vulnerabilities the same week they were widely publicized, not counting those many years before when internet access was rare and software was never patched after initial release. They've since given up and rely on the lazy, misguided assumption that hackers will wait until after their patch tuesday updates before trying to use any of the exploits discovered over the previous month. Good for Linux and Mac adoption I suppose.
  • burtonbe, on 10/12/2007, -9/+8http://media.grc.com/sn/SN-058-lq.mp3

    Lower quality version from GRC.
  • matt.rubin, on 10/12/2007, -2/+1its not a zero day exploit anymore :b
  • OBKenobi, on 10/12/2007, -4/+3I love how you snuck in that Limewire plug in there for absolutely no reason. You're about as helpful as that Buy-a-Mac troll. I bet you even really do have a black turtle neck, you swine!
  • CBTF, on 10/12/2007, -6/+4Ahem.. http://digg.com/apple/Apple_Macs_vulnerable_to_Wi_Fi_hijacks_3
  • stock99, on 10/12/2007, -4/+2i would agree with you the first time i listen to his podcast on mp3. The way he describes concept and level of details indicate he is no security pro. But, its good for getting 'general info' .Say if you never heard about vmware or virtualization, then his podcast give you some idea to allow you dive deeper on particular topic.

    grc.com is a good resource website but one got to use it wisely.
  • unversed, on 10/12/2007, -3/+1kernel*
  • pr0cty, on 10/12/2007, -5/+2Oddly enough the exploit is about a week old...and coincides with Microsoft's "Patch Tuesday" and hasnt been fixed
  • Gronkk, on 10/12/2007, -5/+1Who's this mia person?

    http://www.miamyselfandi.com/
    http://www.gamespot.com/pages/unions/home.php?union_id=adultgamers

    G
  • lopla, on 10/12/2007, -6/+2I gave up on windows 14months ago. Been on a mac since with zero virus, spyware, or security apps other than the built in firewall. Have not had a single issue ever! I surf the net like mad, install craploads of apps and this thing runs exactly as the day I bought it. Even if someone offered me a 16core Alienware PC for free I'd say get F^$#@!!d

    I have seen the light, as for you PC folks.. suckahs!!
  • Fetching more discussions...
    Show 51 - 59 of 59 discussions

  • Add a Comment

    Login or register to comment!
    Or, sign-in super fast with your Facebook account ...

© Digg Inc. 2009 — Content created and posted by Digg users is dedicated to the public domain | Terms of Use Updated | Privacy Policy
DIGG, DIGG IT, DUGG, DIGG THIS, Digg graphics, logos, designs, page headers, button icons, scripts, and other service names are the trademarks of Digg Inc.