Microsoft .NET Remote Code Execution exploit
Similar class of problem as last time with the TCP/IP thing:
===========================================================================
AUSCERT External Security Bulletin Redistribution

ESB-2009.1410.2
Vulnerabilities in the Microsoft .NET Common Language Runtime Could Allow Remote Code Execution
15 October 2009
===========================================================================

AusCERT Security Bulletin Summary
---------------------------------

Product:          Microsoft .NET Framework
                  Microsoft Silverlight
Publisher:        Microsoft
Operating System: Windows 2000
                  Windows XP
                  Windows Server 2003
                  Windows Vista
                  Windows Server 2008
                  Windows 7
Impact/Access:    Execute Arbitrary Code/Commands -- Remote/Unauthenticated
Resolution:       Patch/Upgrade
CVE Names:        CVE-2009-2497 CVE-2009-0091 CVE-2009-0090

Original Bulletin: http://www.microsoft.com/technet/security/bulletin/ms09-061.mspx
That list of Operating System: entries? That's every single supported version of Windows, from XP (which should be end-of-life but isn't), to Windows 7 (the supposedly new "much more secure" shiny thing). They forgot to put Mac OS in the list - if you have Silverlight installed on a Mac somehow (I don't know who uses it), then it's vulnerable too.
Seriously, if you are a normal person, or even a small business with no ability to pay serious tech-support (and I'm talking about a real network and systems administrator, worth at absolute minimum AUD90k p/a, or a regular contractor worth at least AUD90 per hour for at least a day every week) to make sure you're safe and securely firewalled and patched 100% of the time, don't run Windows, and don't run any Microsoft products if you can help it.
Unless, of course, you don't value your personal information, anyone else's personal information you might have, your bandwidth, your sales data, your netbanking, and anything else that you might use your computer to access. No worries, have fun with that.
Microsoft Danger Sidekick: All your data are belong to bitbucket
For more fun in that space, late last week, Microsoft managed to blow away all the storage for all Sidekick mobile customers. As in, boom, gone, no backups, kiss all your contacts and anything else supposedly securely backed on their "cloud service" goodbye, unless you were sensible and had your own offline backup (which isn't an officially supported thing on that platform).
T-Mobile Sidekick Disaster: Danger’s Servers Crashed, And They Don’t Have A Backup. There's a rumour today that Microsoft May Be Able To Restore All Of The Lost Sidekick Data, After All, but so far it's a rumour.
Even if they manage to recover some of the lost data, that's going to be due to heroic manual data recovery of the SAN disks, rather than routine backup restoration. And when I say "routine", I mean - everyone involved in Systems Administration at any serious level knows full well that you have to have a full backup of all data with a regularly tested and validated restore process before you commence any kind of important upgrade.
That is industry standard procedure, and has been industry standard procedure for many decades. Which Microsoft Danger obviously wasn't following. Of course you can play the "blame the subsidiary" card - but they've been a M$ owned company for long enough, with a high profile M$ exec moved in to be in charge for long enough, that basic disaster recovery processes should be in place. There isn't any valid excuse for that kind of data loss by a corporation. None.
ETA: Looks like there has been successful data recovery. Microsoft Confirms Data Recovery for Sidekick Users.