Domain: ntbugtraq.com
Stories and comments across the archive that link to ntbugtraq.com.
Comments · 72
-
Re:Taking it back
A bunch of geeks with a "hate MS" attitude saying something doesn't make it so.
Everyone is entitled to their own opinion. Some people like to push an agenda based on past experience or knowledge of an event. If you really do not follow MS security issues or know of any current or past exploits for Outlook/OE/IE which are all VERY closely tied together and to the base OS of Windows itself, I would suggest you do some Google searching before blindly passing off the rants as baseless. See past the agenda pushing and investigate yourself. There are holes and have been many holes (often times, IE security issues are also OE/Outlook issues as they share the same rendering engine and both use the IE security zones for operation).
Search Google for Outlook security holes.
Another place to look is the NTBUGTRAQ mailing list, here is a search for Outlook from 1/2003 to current (the link is not inclusive or all specific to the Outlook or OE clients, but will provide some history if you are interested). Again, you can use whatever client you want but do not assume that because you do not know of any holes that they do not exist. -
Here's the link to the BugTraq Article
Here's the link to the September 14 BugTraq Article
http://www.ntbugtraq.com/default.asp?pid=36&sid=1&A2=ind0409&L=ntbugtraq&F=P&S=&P=9884 -
TiVo Software uses gdiplus.dll
According to NTBugtraq's article, TiVo has a software package that allows a user to set up an image and audio server on their PC. When connected to the same LAN as the TiVo, it allows the image and audio files to be viewed on a TV via the TiVo DVR. The software uses the gdiplus.dll file, which has a JPEG parsing engine.
-
Try out NTBugtraq
I found NTBugtraq to be a nice resource for those brave enough to take the plunge right away. I would suggest joining the listserv and checking out the archives online at http://www.ntbugtraq.com/
SANS has a site as well at http://isc.sans.org/xpsp2.php with user experiences. It looks like most of the problems are the usual 3rd party firewall and VPN products breaking, and miscellaneous hardware issues. Though this one might be an issue for some corporate users http://support.microsoft.com/default.aspx?scid=kb;en-us;883606&Product=windowsxpsp2 -
MBSA 1.2 not compatible with SP2?
I read a post on the ntbugtraq list about MBSA 1.2 not functioning properly with SP2. I checked out the TechNet MBSA site and found this notice:
New version, MBSA 1.2.1, needed for Windows XP SP2 compatibility:
Users of Windows XP Service Pack 2 will need to update their MBSA to version 1.2.1 for compatibility and deeper integration with SP2 security improvements. When MBSA version 1.2.1 is available later this month, Windows XP SP2 users who are running MBSA 1.2 will be automatically notified when they run the tool from the Start menu with an Internet connection.
I find it rather peculiar that Microsoft would release a security baseline analyzer AFTER they release a service pack like SP2.
The "Windows Security Center" installed with SP2 hasn't rendered the need for MBSA analysis on the desktop obsolete. There are several features of MBSA for desktops that the "Windows Security Center" doesn't address. The MBSA 1.2 FAQ lists them all.
According to the "Manage Your Computer's Security Settings in One Place: Introduction" page on the SP2 site, the "Windows Security Center" ...checks to make sure you have:
- A software firewall.
- An up-to-date antivirus program.
- Automatic Updates set to download and install updates automatically.
The MS Knowledgebase Article #883792 "Frequently asked questions about Windows Security Center" lists the same functions. Wouldn't it have been more useful to have issued the analyzer with the service pack, thus helping desktop home users ensure the correct configuration of the new security features they may inadvertently disable in attempting to resolve program network access issues arising from the installation of SP2?
I also wonder why MBSA 1.2.1 wasn't integrated in the "Windows Security Center". It seems like an obvious component to include in any "Security Center". -
Re:Makes Sense
How hard would it have been to enclose that URL with the ?
http://www.ntbugtraq.com/default.asp?pid=36&sid=1&A2=ind0408&L=ntbugtraq&F=P&S=&P=2886 -
for windoz world
-
Re:BugTraq and NTBugTraq
In addition to BugTraq and NTBugTraq, Full-Disclosure is another excellent vulnerability list, and is always a week or two ahead of the "official" advisories.
For other lists, Fyodor's SecLists.org is the list of security mailing lists. -
Comments from NTBugtraq
The NT Bugtraq list has been discussing this patch today, focusing on its poor timing of release (there are indications that it could have been pushed earlier than the Friday before a major US holiday). Russ Cooper, owner and maintainer of the list, had some good points about the patch itself. Definitely worth a read if you have to maintain Windows systems.
-
Re:IE of course
It's not IE's fault - it's the fault of stupid users.
If you believe that, you are no further ahead than the people you reference.
An analysis of the 180 Solutions Trojan.
A NTBugtraq post with info.
There are many, many other sources of info that describe how software and malware get onto your computer using combinations of holes in Windows and IE that do not present the user an acceptance screen. The links referenced are just a sample of what is out in the wild; they are not exceptions, they are the norm.
The only way this will stop is by educating users
I hear ya.. -
Re:It helps
Firefox and any browser other than IE can have holes, but IE and Explorer are directly tied together, which opens a new class of exploits and holes that the other browsers with less integration just do not have.
Some History:
MS realized that the transparent integration of IE and Explorer that started around IE5.x? is not without security issues. The currently hidden [1] "My Computer" zone is the security wrapper between the two. There are multitudes of issues that can exploit holes and create cross-zone issues [2]. A majority of the security patches for IE in the last 2 years have been fixing these issues as they appear.
Looking forward, the trend with MS operating systems is going to be a more restrictive "My Computer" zone. Third parties have made tools for existing systems [2] to ease the introduction of these restrictions, and MS themselves have responded with XP SP2 [3] that is in beta now. These are major changes, but it is the industry trend. The claims made by PivX Solutions are pretty impressive as noted in the white paper [3b] (+1 bonus to the marketing department) for avoiding past exploits and worms by using their version of a lockdown, which I believe is more than just reconfiguring the My Computer zone. I am in no way, shape or form giving a suggestion to use their software or services, just noting that companies DO see a problem with the MS security model and are doing something about it. Any implementation of the concepts they use would do equally as well if researched enough.
[1] How to Enable the My Computer Security Zone in Internet Options
[2] Google Search for IE and Zone exploits
[2a] Security list posting by PivX Solutions describing the concept of security zones
[3] PivX Solutions "Quik-Fix"
[3a] White Paper describing "Quik-Fix"
[4] Changes to Functionality in Microsoft Windows XP Service Pack 2
-
You can disable HTML in Outlook and OE
All this 'you don't even have to click on the attachment' stuff is not new. When you receive HTML formatted mail in Outlook or Outlook Express you are exposed to the same set of vulnerabilities as in Internet Explorer. This can include malicious code (if you don't stay patched) or privacy invasion in the form of web bugs.
In Outlook Express 6.0 you can disable all that nasty HTML stuff. Click on Tools, Options, Read and put a check mark beside 'Read all messages in plain text'. (You may have to hit F5 to refresh before seeing the difference).
Outlook users should look here for information on how to disable HTML.
-
AR 6 may be lame, but AR 5.1 has a buffer overflow
Funny you should recommend Acrobat Reader 5.1 (even including a link!) the day after a buffer overflow is disclosed in it.
According to an NGSSoftware Insight Security Research Advisory posted to NTBugtraq on Wednesday: Adobe Acrobat Reader... can be extended using the XML Forms Data Format or XFDF... XFDF files... are rendered automatically on downloaded [sic] when using applications such as Internet Explorer... When parsing an XFDF document the Adobe Reader suffers from a classic stack based buffer overflow vulnerability... On contacting Adobe, they confirmed that the current version is no longer vulnerable and NGSSoftware urgently advises users of Adobe Reader to upgrade.
-
I switched because...
I could no longer live with the serious and unpatched security flaws in IE. I thought the URL spoofing flaw was terrible. Then it was followed up with a file extension spoofing flaw. This basically meant that I couldn't trust IE to correctly show me what site I was visiting or what kind of file I was opening!
Yes, a patch was finally issued for the URL flaw, but the fix was criticized by people like Russ Cooper for not going far enough.
I am finding Firefox on Windows XP to be excellent so far. It was a minor pain to reinstall support for Macromedia Flash, Shockwave, etc. but my QuickTime and Acrobat plugins just continued to work. What pleases me most is that web pages are loading noticeably faster in Firefox. I have heard this claim made by many new browsers over the years but this is the first time I have ever actually perceived a difference.
I also like that downloads seem to start immediately in the background as soon as a link is clicked on. With IE, when I click on a download nothing starts transferring until I browse to a location to save the file, choose a filename (perhaps) and then click OK. In Firefox, I am sometimes surprised to find that my download is completed by the time I have finished choosing a location for the file!
It is not advisable to completely abandon IE on Windows, however. Firefox won't work for grabbing updates from windowsupdate.com.
-
NTBugtraq
When I used to work with Windows, I found Russ Cooper's NTBugtraq mailing list to be an invaluable resource.
More info at http://www.ntbugtraq.com/
-molo -
Perhaps the Microsoft spokesman is lying
These security problems were publicly known in September.
What was released recently was sample exploit code.
If you are a Microsoft spokesman then, of course, you have to say that, "Hey, if we don't have a fix then it must mean we didn't know about it." So it's not even lying to say that you weren't told. It's the only logical thing.
The spokesman was not aware that Microsoft had released unmarked patches for some of the problems.
-
seven old holes, five new ones, and an exploit.
Huh. From R'ing TFA, it seems there is an exploit using five new security holes disclosed on 11/25/03, not the seven originally reported on 9/11/03.
-
Topic was briefly discussed at NTBugTraq
Russ Cooper made some good points.
I think MS has the responsibility to address their customers' concerns immediately (naive, I know), especially IE's overly close integration with the OS, which causes most of these exploits. -
Don't Knock It
It seems like you are pro-open-source, but don't dismiss the commercial products completely. Novell's ZENworks for Desktops (ZfD) product is quite simply amazing! It also happens to do exactly what you're talking about.
Does it require Novell servers? No, it does not. You can read more from the ZENworks documentation at Novell's website. Read the ZENworks 4 docs. ZENworks 6 is a bundle of ZENworks 4 for Desktops and ZENworks for Servers and ZENworks for Handhelds.
I once read about a university (I think in the UK) that managed 30,000 Windows desktops with only six people! Also, the largest companies on the planet tend to favor ZENworks for Desktops over SMS for deploying patches.
My computer support group uses ZfD to manage about 1,500 computers whose configurations vary widely from P2-400's to P4-3.06 Ghz boxes running anything from Win98 to WinXP. About 400 machines are in labs, but the rest are faculty or staff desktops. ZfD is extremely flexible. ZfD has an imaging solution, but is not limited to that.
ZfD imaging boots up a Linux agent first, either from the hard disk or by booting it over the network from the ZfD server or from a bootable CD-ROM. This agent checks Novell eDirectory to see what it should do (store an image of this workstation on the server, install an image onto the workstation, or other tasks). Once the image has been transferred, the computer reboots into Windows. Each time the computer boots, ZfD will check to see if it should perform an imaging task; if not, then it just boots Windows. ZfD can also add software to the base image on-the-fly!
Alternately, you can automate an install of Windows (just the base OS, with patches). Then install the ZfD agent and let it install all the other software for you. This solution is the ultimate in flexibility, but requires you to have a pretty intimate knowledge of how Windows and ZENworks function, like what registry entries are dangerous to deploy to other workstations.
A combination of imaging and software deployment is an excellent way to get a workstation installed quickly and have a large selection of software available. You can deploy a small image (Windows, ZfD agent) and allow the ZfD agent to install other software as needed by the users. For example, ZfD can put items on the Start menu and when the user clicks on that item for the first time, ZfD installs the software. Rarely does one need to reboot.
ZENworks is probably the best solution available for managing large numbers of Windows desktops. It is powerful and flexible. Like many powerful tools, it is also a double-edged sword. It can easily deploy a patch and fix thousands of workstations, but if you deploy the wrong registry entry, you can just as easily break thousands of workstations. This is why you have to know Windows inside and out.
Finally, Novell has really good discounts for education. If you don't already have it available to you, check into it.
-
Re:Maybe this will be in the new EULA...
Ever heard of NT Bug Traq?
Obviously you don't work with Windows boxes :)
--Kormac
-
Re:Answering a question with a question....
NTBugTraq has been doing a survey on this question.
sPh
-
Russ posted this to NTBugTraq:
The included URL, for reference.
I was recently quoted in a WashingtonPost.com article saying I was in favor of fines against people who emit viruses or worms (not just originate, but infectees who perpetuate attacks.) There wasn't any meat in that article describing my proposal, so it comes off sounding kind of cold. I've had this proposal for quite some time, after being asked by a U.S. Senator staffer once to write something up to identify what's lacking in the U.S. National CyberSecurity Strategy document.
I've tried to explain it as clearly as I can, and have included a poll to take your feedback on whether you think the idea would be valuable to you. I'd appreciate it if you'd give it a read and take the poll.
I hereby acknowledge that the poll is hosted on my little T1, so you may well experience bandwidth-related fun. At least you only have to click two buttons to take the vote.
Feel free to repost this request to other lists.
Cheers,
Russ - NTBugtraq Editor -
Re:Not such a bad idea
I like to think that I'm the only person where Windows Update consistently fails HORRIBLY but that'd be naive.
Yep, Windows Update has issues. There's been lots of discussion on NTBugTraq about problems with Windows Update. See this one about MS03-026.
Think about it.. if the Windows gurus in the NTBugTraq community are confused by the behavior of Windows Update, how the heck are regular consumers supposed to reliably use the service???
And you raise a good point. If WU can't reliably patch your computer, how can pushed patches from MS be any better? If you're counting on your computer being automatically patched by MS and the updates are failing, isn't the perception of security when there is in fact none even worse than nothing at all?
-
Re:You can do this already
Humor you? People that maintain and patch MS systems for a living *should* have a favorite grouping of mailing lists and forums to follow information like this. If you are truly interested I would suggest you subscribe to the NTBugtraq mailing list for starters. Just because you choose to limit your knowledge to what is posted on slashdot does not mean these things do not exist. Many of the introduced bugs are somewhat small, may not affect more than a small % of the users, and are fixed with relative ease, but they still exist. Specific to NTBugtraq, if there is a problem, you will normally see a reply within a day or so of the list announcing the MS patch. The group knowledge is very helpful in troubleshooting and repairing any issues. Very few of the patches cause something major to fail, but that does happen also.
Here are a couple of quick finds from Google. I don't track or keep lists of problems like you are requesting. I do monitor select mailing lists and web sites and take note of things that will directly affect me. These bugs or lack of fixes were a little bigger so they got news coverage.
NT patch causes other services to fail
Microsoft patch causes system failure
Microsoft Knowledge Base Article - 192816
Super patch fails to fix worst flaw in Internet Explorer
Microsoft fails Slammer's security test Not a direct patch failure but describes the complexity of deploying some patches and the side effects.
Researchers: Newest Microsoft IE patch flawed -
Re:Great. Just great.
How about this
Or this
I've had patches fail to install, or not even get listed thinking they were already installed, as well as cases where something is already installed and it believes an installation is necessary.
Just try reinstalling a system and restoring a backup of it, using the built-in xp backup tools on top of it and check out the mess you get afterwards.
FUD generated by propaganda isn't even necessary, the poor state of how the whole system functions speaks for itself.
The very fact that we deal with these worms once every 2-4 months speaks for itself. If the system worked, and properly explained the danger of leaving the system unpatched we wouldn't have ISPs and government agencies complaining of down time due to a worm.
On top of that there's at least one patch each month that plugs up some kind of exploit that allows remote attackers to run arbitrary code on your system. Go ahead, reinstall your XP system from scratch and read through the descriptions for the patches. A sizable number of them patch against these sorts of issues.
On all fronts it is unacceptable. -
Re:Laptops
Yeppers. I was waiting for a 'Road Warrior' to return (I consult on Friday afternoons only) so I could update his laptop. Upon seeing the news this morning, I sent him an email with instructions (crossing fingers!) on how to use Windows Update.
Careful with Windows Update; it is notorious for falsely reporting that patches are installed properly. See this discussion about this very patch (MS03-026).
-
Re:Precisely
I can't think of any reason why someone shouldn't be doing the same to their Windows network
Your point is certainly valid, but what makes this particular problem frustrating is not that it was a widely publicized hole, but that Microsoft's tools (e.g. Windows Update) for checking patch status are wholly inadequate. There has been a fair amount of discussion on NTBugTraq on this point leading up to the worm discovery.
Also, 30 days to test and implement a patch on mission-critical production systems is sometimes more difficult than it seems like it should be.
-
Re:Great
Apparently blocking outbound port 69 (==tftp) will also prevent the worm from being downloaded.
NTBugtraq has the details
-
Be Responsible
Since you are concerned with how they will react to you, I suggest you allow someone else to approach them. Hushmail is one way, but another is to disclose the details to me. As the NTBugtraq Editor, I frequently approach Vendors with exploits that are, at the time, unpublished. I phone them, find the appropriate person to speak with (usually within their Management, not tech support) and apprise them of the issue. With the right person's email in hand, I forward the issue to them (from my address, with your information completely removed). I expect, and get, a reaction within 2 business days, and then move on to the resolution phase. I get them to explain how long it will take to fix, and why, and keep after them monitoring the progress of the fix. When a fix is ready, I get a copy before they go public to test.
Of course throughout this process I send you a copy of all communication with the Vendor. In your case, I'd ask them how they would react to the person who discovered the issue, so you'd be able to see what their reaction would be. You're free to jump in the communication any time you want.
I seek no credit in the affair, and any publication of the issue would bear your name (or nym, whatever you prefer).
Once the fix is done, you can write up any explanation you deem appropriate. I encourage people to do this responsibly, and not disclose sample exploit code and/or complete details on how to exploit the issue. It should be easy to describe the issue sufficiently to provide an accurate indication of the threat without such details, but it's your call. Again, you can use your own address to send the write up, or I can do it for you.
You can read my short disclosure policy at http://www.ntbugtraq.com/policy.asp
Cheers,
Russ - NTBugtraq Editor
Russ.Cooper@rc.on.ca -
Re:Windows Update
Yup, this seems to be the way to do it. I still feel uneasy about that, though. Remember when Windows Update got hit by Code Red? Obviously those web servers aren't always kept up to date themselves, so maybe someone could replace some of the patches on them. Besides which, Windows Update is not at all reliable.
-
Re:Screw windowsupdate
There are a few fundamental problems with Windows update and Microsoft's security patches. NTBugtraq's Russ Cooper recently had this to say about it.
Secondly, Microsoft has the very very bad habit of releasing the "fixed" version of a bad patch under the same filename. Guess what, if you installed the "bad" patch, WindowsUpdate won't tell you there's a revised patch out. Because it is dumb dumb dumb and only checks registry keys and not file dates and versions. So windowsupdate leads one into a very FALSE sense of security.
Phil -
Chalk one up to Russ...
This lovely bit of PR guff sounds awfully like a response to Russ Cooper's rant on NTBugtraq last month.
It's nice to know that Microsoft are listening, but until they stop releasing patches that break their end-users' applications and even their own OS, no one will trust them.
I run a couple of production servers on NT4, and am exceedingly wary about patching unless I have a snapshot on our SAN for quick DR.
The last time Microsoft broke my server, I only had a tape backup, and was very embarrassed to have to admit to 3 hours downtime.
-
Re:Great idea! Next let's...
-
Re:At least give MS a go properly.
Like I said, use software update services.
:-)
Oh, and subscribe to NTBUGTRAQ. That's pretty much an absolute must - heads up as to which patches (like MS 03-010) it might be a good idea to hold off on.
SUS lets the admin specify which patches the workstations are to download and install. It uses the same (more or less) client software as the standard windows auto-update, but you use Group Policies to connect to your own, internal, controlled, server.
And, yes, you *do* need to automatically install the patches, because there's no way several hundred (or more) users are going to install the patches themselves. The Admin just has to test them (or at least, wait for NTBUGTRAQ posts) before setting the server to distribute them.
Secondly... sounds awfully odd on that network. -
Re:I cant wait!
So where is their product that makes hackers extinct!
NTDLL.DLL, of course. -
The original article that started it all
The original "discovery" was made by Louis Solomon of SteelBytes Software
He posted it to ntbugtraq on Monday Feb 24th
Here is the original post, where it describes the issue in a clear fashion, and does point out that Microsoft do tell you exactly what information they gather, however most people are unaware of this as they don't read the EULA - like me
kai -
Windows Update is crap
As explained by Russ Cooper of NTBugTraq in a lengthy rant on Tax Day of 2002, Windows Update is a horrible piece of crap. He followed it with another lengthy rant about what he thinks Microsoft should be doing instead of Windows Update.
In the meantime, while downloads are large (~1.5MB), the XML package you get for HFNETCHK searches your system for proper file versions and remains the most reliable way to ensure your system is properly patched. Unfortunately, the best tool for checking your patch state (HFNETCHK) doesn't help you download the patches you need. It does identify the MS security alert addressed and even the KB article, but it's not painless. MBSA gets you one step closer by actually having the URL of the KB article, but it's not as painless as downloading updates via Windows Update (when WU properly identifies your patches).
Anybody who's used the atrociously-bad Automatic Update Service will know that it doesn't cover many important software updates and neither does Windows Update. In fact, if you use all three products, you'll frequently find that each product identifies a different set of patches that are required, and usually, none of them list all the patches identified by the others.
What I've found is that HFNETCHK actually identifies truly critical patches, while Windows Update improperly identifies non-critical updates as being critical. For instance, it tells you that installing Internet Explorer 6.0 SP1 is critical (even when you're running a fully-patched IE 5.5SP2) or even worse, it tells you that a patch meant to improve functionality of using a non-IE default browser is critical.
Sorry, but as much as I hate MS and as much as I prefer Mozilla to IE for my own browsing needs (and even though it works better), I don't make it my default browser anywhere, especially on servers, so this update is hardly critical.
In short, while sysadmins at least have a chance to stay fully-patched these days--unlike the days before Code Red--MS still has incredibly shoddy patch management tools, incredibly inconsistent patch installation mechanisms and still takes liberties with customer data it shouldn't need to take.
If Microsoft ever gets serious about patch management, they'll have a common tool that sysadmins can use to patch any and all of their MS software with a common interface and no unnecessary transmission of system-specific data to MS. Is that too much to ask? Apparently.
-
Re:Is this really news?
Besides the one recent example of the SQL worm cited in the article, CNN made no mention of other security problems. This isn't to say that they aren't there because they obviously are, but it just seemed like they based their whole thesis of security shortcomings on one recent incident. It would have been nice to see some kind of list, or maybe a timeline of sorts with other MS security flaws. The article seemed like some kind of publicity plug for "TruSecure Corp."
Perhaps, but you probably don't know who Russ Cooper is. What makes this article a little more damning for Microsoft is that Russ Cooper is the editor for the NTBugTraq Windows Administration and Security mailing list with about 30000 or so subscribers. -
Re:Non story
Maybe this NTBugTraq article shows you how "easy" it would be for competent administrators to be patched. Patching MS SQL Server alone was not a fix, as a lot of products, from Microsoft and other companies, are based on the same and have the same problem.
Worse than this, let's suppose that you want to be patched at any cost, as soon as it appears. Another patch coming from Microsoft for another MS SQL problem disabled this patch (this is in the CNN article linked in this story), so you must be half responsible, half not, to have one patch applied and not the later one, to be safe.
-
Re:Don't think MS is to blame? Read this:
I believe there's a tool that lets you examine your installation to see what service packs are installed and which aren't. I remember vividly running it last summer and discovering that I was up to date. Tellingly, I can't even find it in their site today.
The tool you refer to is the Microsoft Baseline Security Analyzer. The latest version is 1.1, but Russ of NTBugtraq fame recommends you use a custom definition file in this situation:
mbsacli.exe /hf -x https://xml.shavlik.com/mssecure.xml
I HIGHLY recommend anyone interested in this read Eric Schultze's post to NTBugtraq. -
Re:A few thoughts:
There is a COM Addin to remove HTML from Outlook available at NT BugTraq.
It has a nasty bug when using Outlook with an IMAP server, but since you're using it with Exchange, that should not be a problem.
See, I knew Russ would be good for something
:). -
Cheapest..
This may have been mentioned already...
Subscribe to mailing lists like Bugtraq and NT Bugtraq and any other OS or application specific products you are supporting. Not bleeding edge but not worth ignoring either. -
Re:...and yet
Granted Microsoft has not always been forthcoming with security alerts but hell even since 98 with WindowsUpdate you can more or less stay on top of these.
Actually, there's been a lot of discussion on the NTBugTraq mailing list in the last few months about how inadequate windowsupdate is. Most of the problems stem from Microsoft having multiple security and patch sites in addition to windowsupdate which sometimes offer patches not found or listed on the other security pages, windowsupdate included. You can download and install everything listed in windowsupdate, but there may be other hotfixes which you still have to download and install from elsewhere. Here's a link to the original posting by Russ Cooper, NTBugTraq Editor:
So Windows Update is a dog, now what? -
Breaks some Javascript
Just posted to the NTBugTraq list is a message noting that it breaks some Javascript.
The example code that fails with the patch is here.
-
Thoughts from someone who administers both
Having had to administer both Windows and multiple Unix servers, some thoughts (and since I'll be negative to both platforms, it guarantees zealots from both sides will flame me, bwahahahaha)
- The registry in Windows seems to be a logical choice. There are standard tools to use it, it can be manipulated remotely, except for that horrible CLSID crap. It is, however, difficult to understand for a human except for those common areas like HKLM\Software\Microsoft\Windows\Run.
- The Windows registry implementation is horribly flawed. It's too likely to get corrupted. A lot of this is from being part of a roaming profile. Losing your registry is like losing all of your application and user preferences. It really sucks.
- *NIX is a mess when it comes to location of config files, as stated in the article. Even various Linux distros. We have Redhat boxen doing a lot of work now, having switched from a proprietary UNIX (dg/ux) a while back. Some of my techs think we should switch to Debian. I installed it on my workstation in vmware. It's nice, but it'll just require re-learning where the hell everything is. Maybe no big deal but I've got too much to remember already.
- Windows registry trees are not commented. You need to know how to find various reg hack sites and own a ton of resource kits, just to keep a leg up on the crap. Even then everything is not revealed. "You should configure it through the GUI." Yeah, right, on 2,000 machines?
- UNIX config files generally only have one per app. Configuring an app is simply a matter of loading the config file into an editor, reading the included commentary, and adjusting to taste. The exception here is the Redhat /etc/sysconfig tree, where everything is basically just loading of env vars for other scripts. Not commented, minimal defaults; if you need to figure out something it's dig through docs or read the rc scripts yourself to figure out what to set in it. Yack...
- Windows configs are often done through a maze of menu entries, dialog boxes, tabs, "advanced" buttons, etc... It always leaves you wondering if you've covered everything...
- UNIX config files are easily replicated to another box for a poor man's backup/failover situation. I had a 2000 server in a SAN go down and while I could easily mount that box's disks into another 2000 server, moving the printer and file shares over was a problem because that shit is all stored in the registry. Instead of a simple copy command, I'd either need to write some sort of program to extract and merge into the backup's registry or figure out another way to replicate the shares. Keeping config crap out of a common database means the service isn't tied to a box so much. Need to move it to another box? Install, copy config files, change a virtual DNS name to point to new location.
- Windows registry is horribly insecure, not by design, but implementation. Loads of apps insist on writing per-user stuff to HKLM during runtime. I should be able to make HKLM r/o for all users but if I do that, shit breaks horribly. Damn it, HKLM should only be scribbled into by an application during its install process.
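The "extract and merge" program the share-migration point above asks for, as an added example that is not part of the original comment: it reads the share definitions Windows keeps under the LanmanServer\Shares key, writes them to a plain-text CSV that can be copied like a UNIX config file, and recreates them on the replacement host with New-SmbShare (assumed to be available on the target; the key path and the Path=/Remark= field names are the ones Windows uses).

```powershell
# Added example: move file-share definitions out of the registry and onto another host.
# Assumes HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Shares on the source
# and the New-SmbShare cmdlet on the target.
$SharesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Shares'

function Get-RegistryShare {
    # Each value under the Shares key is a REG_MULTI_SZ of "Field=Value" lines.
    $key = Get-Item -Path $SharesKey
    foreach ($name in $key.GetValueNames()) {
        $fields = @{}
        foreach ($line in $key.GetValue($name)) {
            $k, $v = $line -split '=', 2
            if ($k) { $fields[$k] = $v }
        }
        [pscustomobject]@{
            Name        = $name
            Path        = $fields['Path']
            Description = $fields['Remark']
        }
    }
}

# Export on the old box: the CSV is the "config file" you copy to the new one.
Get-RegistryShare | Export-Csv -Path .\shares.csv -NoTypeInformation

# Import on the new box after the data volume and shares.csv have been copied over.
# Share-level permissions live as binary security descriptors under the "Security"
# subkey and are NOT migrated here; New-SmbShare defaults to Everyone:Read, so
# re-apply the original grants with Grant-SmbShareAccess before exposing the share.
Import-Csv -Path .\shares.csv | ForEach-Object {
    if (-not (Test-Path -LiteralPath $_.Path)) {
        Write-Warning "Skipping $($_.Name): $($_.Path) does not exist on this host"
        return
    }
    New-SmbShare -Name $_.Name -Path $_.Path -Description $_.Description
}
```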
-
TruSecure not SecurityFocus
NTBugtraq is actually part of TruSecure, not SecurityFocus. What SecurityFocus has is a separate list called BugTraq. Very confusing...
-
Re:Don't ban tools!
"Say what you will about Steve Gibson..."
Naw, I'll let these guys say it.
:) -
But the memory lingers on...
DOS itself may be dead, but XP still has a command line prompt (cmd.exe) or, more accurately, the idea of Console-Mode executable. Unfortunately the 32-bit prompt still acts brain-dead to emulate the COMMAND.COM behaviour, so scripting is painful, there are still hacks to "magic" file names (CON, PRN etc.) and, at some levels, the "ohmigod I can't believe that crashes the machine" mentality survives - the following code as a console app will crash an NT, Win2K or XP machine - no BSOD, just plain gone...
#include <stdio.h>
int main(void)
{
    printf("\t\b\b");   /* the tab/backspace sequence the post says takes down the NT console */
    return 0;
}
T