Slashdot Mirror

← Back to Stories (view on slashdot.org)

Security Flaws May Be Microsoft's Undoing

Posted by ryuzaki0 on from the you'd-think dept.

tarpitt writes: "According to this article in the LA Times, repeated software flaws in Microsoft products has begun to raise concerns that they 'threaten the stability of a major piece of the world economy and to raise questions about Microsoft's future.' Flawed security is seen as a stumbling block to accepting Microsoft sponsored on-line services. It is also driving discussion about making software manufacturers liable for damages caused by flawed products." This piece in eWeek on troubles with XP's automatic updates is an interesting companion; releasing often doesn't seem to be enough. Update: 01/15 15:00 GMT by J : Bruce Schneier's January Crypto-Gram came out this morning, and is also topical: "Microsoft treats security vulnerabilities as public relations problems. Until that changes, expect more of this kind of nonsense..."

5 of 505 comments (clear)

  1. I've heard this argument before... by tswinzig · · Score: 5, Informative

    ...except instead of 'security' it was 'stability.' Now Win2K/WinXP can stay up and running for weeks and months on end, and you don't hear too much about Windows stability problems for users of the new OS versions.

    Windows has been unstable for years. Did it threaten Microsoft even one iota? Nope.

    Dream on, sorry...

    --

    "And like that ... he's gone."
  2. Unpatched IE security hole list by tomgilder · · Score: 5, Informative

    Hello! I'm sure everyone will be glad to know that currently IE (even
    a fully patched IE6) can currently...

    * Run any command or program off the hard disk
    * Monitor the users clipboard, and steal the contents
    * Read or steal any file off the local disk
    * Check existence of any local file
    * Access the DOM, cookies, or read the content of any other website
    regardless of domain, protocol or security zones
    * Fake the file name in a download dialog

    ..although most of those only work if active scripting is enabled.

    These security holes are all *proven* to work, and could easily be
    used to create a devastating worm. Some of them are about a month old,
    and still not patched by MS. Delightful.

    The two latest exploits are http://tom.vpwsys.co.uk/clipboard/ (mine!)
    and http://www.osioniusx.com - see http://www.securityfocus.com for
    more.

  3. Re:Windows Update Down Again ? by Anonymous Coward · · Score: 3, Informative

    Many countries have consumer protection laws that forbids any such attempt to remove liability for a product you sell. That is, it doesn't matter if you agree to such a thing since the law says it is void. This may not nessecarilly apply to companies (that is not private persons) buying things though since they are not consumers in the aspect of that law. So that case any such license agreement is irelevant since the law says so meaning they ARE liable.

  4. Re:Actually, they're better by jeremyp · · Score: 3, Informative

    Come on, that list is more than 6 months out of date. No objective stats of occurrences of incidents are provided (try the CERT site for that). Many of the references to advisories/bug reports etc are even older than 6 months (a quick scan shows two or three that appear to have been logged in the year 2000, the rest seem to be mainly 1999). The newest CERT advisory on sendmail for instance was raised in 1997 on version 8.8.4. In fact, basically the whole list comes under the categories a) running out-of-date software, b) running software on machines that don't need it. e.g. DNS on a machine that isn't a DNS server.

    In fact there is a more up to date and better structured list here:

    http://www.sans.org/top20.htm

    Even on this page, taking the sendmail example (ref U2) again, the most recent bug report they quote is on 8.8.4 which is ancient (8.8 was release before any of sendmail's current Open Source competitors were even written). Which means that this vulnerability is really an instance of not keeping your software up to date (included in G1).

    Use your common sense, the biggest computer security problem at the moment is viruses and worms which affect mainly Windows systems mainly because of the popularity of Windows, particularly amongst non technical users.

    --
    All I want is a secure system where it's easy to do anything I want. Is that too much to ask ~~ Randall Munroe
  5. Re:I despise XP by overturf · · Score: 3, Informative
    Misinformation. This account is used by the "Remote Assistance" feature that lets you grant someone access to remotely troubleshoot your machine. It is only available once you've generated a request for remote assistance and can easily be completely disabled in control panel.

    MS Support Link on this

    Needless to say, if you live 5 states away and have ever tried to talk your parents or friends through support over the phone: "No.. don't click that one... click on the ADVANCED button... now what do you see...?" -- this is much better.