Serious IIS Hole; Minor X Bug
EyesWideOpen writes "Microsoft announced Wednesday that there is a serious software flaw with its IIS web server. The 'vulnerability affects a function in the server software that allows Web administrators to change passwords for an Internet site.' A researcher with eEye Digital Security discovered the flaw in mid-April but it wasn't announced publicly because of an agreement with Microsoft. The Wired article is here and this appears to be the MS bulletin describing the vulnerability in detail." And several people reported this Register story on a way to DOS Mozilla users by trying to display ludicrously large fonts. Microsoft's time to patch a remote hole where the attacker can gain complete access to your computer: two months. Open Source's time to patch a much less serious bug where the attacker can merely crash your computer: three days.
To me that's one of the benefits of Mozilla. I view everything at 120%. Take that CNN! You can't stop me from actually reading stories now.
I really hate Dan Patrick.
About Status quo in M$ land.... :-)
About Status quo in Linux land
Wow, I didn't know that Mozilla had a DOS version! How many users does it have? Three?
"Backups are for wimps. Real men upload their data to an FTP site and have everyone else mirror it." -- Linus Torvalds
This is hardly a major bug IMHO... "an older, largely obsolete scripting technology - where the previous one lay in the ISAPI extension that implements ASP." "The IIS Lockdown Tool disables this functionality by default. Customers who have retained the functionality but deployed the URLScan tool as discussed in Microsoft Security Bulletin MS02-018 would likewise be protected against the vulnerability." So, it only really affects those sysadmins who don't bother to lock their server down. It's not going to be a major issue for the majority.
Join the Free Software Foundation
and
I've come to expect this sort of reporting. Oh, a bug that lets people who have no right mess up your work, that's a BAD thing! Microsoft did nothing about it when they could have, ooh, that's BAD!
Where's the representative for the evil population of the world? Where's the representation of the eMasochist?
This is actually a pretty bad threat. Redirect a page to a gopher link and hijack the computer. Bad MS!
I have been pwned because my
3 days or 2 months, when do you think the users have updated the servers anyhow?
Yes, it's good that bugs get fixed fast, but I wonder how many just don't care to install the fixes.
A researcher with eEye Digital Security discovered the flaw in mid-April but it wasn't announced publicly because of an agreement with Microsoft.
Was that this agreement they are talking about?
(Don't click I Agree for God's sake)
Big deal. M$ security holes are a dime a dozen; M$ makes the most insecure applications on the face of the planet.
to DOS Mozilla users
read: "to cause Denial Of Service to Mozilla users".
(It's the same as saying MS-DOS: Microsoft's sw causes Denial Of Service to its users
... ok, just kidding here :) ).
Cheers.
(yeah, my sig is wrong, so what?)
667 The Neighbour of the Beast
The fact is Microsoft doesn't give a damn, because it doesn't need to give a damn anymore. Windows in its various forms continues to have outrageous security holes, and still people keep using it, buying licences and standing by it.
I honestly still think that some sort of un*x for idiots is needed before people will actually see open source OSes as an alternative to bloody Windows.
I can speak for myself, I'm a dumb windows-based webdesigner, and as much as I really like the idea of Linux, and the look of gnome and kde, and the coolness of using a console... you'd still have to dumb it down a bit more for me. Perhaps Apple's X... but then I hate Apple computers, it'd have to run on a PC.
Oh well, what I mean is: there's no point in comparing how much more terrible MS's bugs are and how much longer it takes for them to solve them. There has to be a real alternative to Windows for the DUMB user, not for the tech-savvy geek, before people will actually say "hey, wait a minute, this is full of bugs and THAT over there isn't... I'll swap."
Just my opinion.
Moita Carrasco
MoitaCarrasco "Everyday I beat my own previous record for the number of consecutive days I've stayed alive." - CARLIN
I'd heard briefly about the Mozilla bug, and I understand why it's X's fault, but I'm curious... how is it that X is able to crash the system this hard? Because it's got direct access to hardware? Because it runs with root privileges? Also, is this just XFree86, or are all variations of X affected?
For someone who was brave enough to try the crashing link supplied by the Register, does this kill the whole machine, or just X? And can you salvage things without rebooting by using either a virtual term or logging in via ssh?
I personally think Mozilla should implement some short-term patch to prevent exploitation of this bug until it's patched in XFree, but as the register article says, the fault doesn't lie with them.
"I may not have morals, but I have standards."
Slackware doesn't use the xfs font server, so Mozilla doesn't crash when viewing big (really big) fonts.
Never learn by your mistakes, if you do you may never dare to try again
The X bug is very serious. It's possible to set up a web site that will cause any X based computer looking at it to crash. But it's not a microsoft product so I expect the majority of people here will just ignore it and carry on bashing microsoft products as usual.
Sig is taking a break!
Isn't this X bug a symptom of a more serious linux bug? Why should any process get to take all of the memory. I've done this with strictly user level programs, and I was able to make the system crash (a severe memory leak in a small program I had written). How should any user level process stop a machine?
In a couple of cases, Linux was able to kill my memory hog, but there's some sort of serious resource contention. I hope the 2.6 kernel addresses this issue.
I demand a million helicopters and a DOLLAR!
It can hardly be just to compare the two software bugs where one is a web server and one an internet browser. That's like comparing getting rid of pollution to getting rid of bad breath.
And also I'm surprised about the stupidity in this sentence: "Open Source's time to patch a much less serious bug where the attacker can merely crash your computer: three days." - well honestly, what does that say: isn't it obvious that a lesser problem takes less time to fix than a larger one? That's just dumb.
I'm no huge M$ fan myself, but this article smells awfully much of unjustified M$-hatred. Let products speak for themselves, and let users make their own opinions.
Bottom line: propaganda sucks.
The author says that it took Microsoft two months to fix a big flaw in IIS, while it took open source only three days to fix a little flaw in Mozilla.
This comparison defies rational comprehension. The length of time it takes to do two totally different tasks on two totally different pieces of software for two totally different markets is completely meaningless. I can write a program and pop it onto the internet in an hour... so what? What's the relationship?
The bigger the hole the more stuff they need to put in it to plug it, the longer it takes!
:)
Hey, this makes sense to my 3 year old niece, so it should do to you too
Go together like a peanut butter and thousand island sandwich.
Can we get international newspapers? Maybe someone should start, 'The Microsoft Times' or something?? Then all the stories can be put in one place!
How bout it?
This is your day - make it what it is!
OK, is anyone else sick of the inane way in which we compliment ourselves continuously?
Come on, we really do not need to say these sorts of things: nah nah, we fixed something first, we're better than you. Does anyone else find it retarded that you can crash an X server just by telling it to display a font which is too big?
What about the fact that we STILL don't really take advantage of gfx hardware for 2D presentation? or the fact that fonts still look like ass?
If you think we can laugh at others, check those market share figures. We have a lot of work to do.
Microsoft's time to adequately test the patch in a plethora of working environments and configurations: two months.
Open source's time to adequately test the patch in a plethora of working environments and configurations: Test? Fuck dat. Let the morons figure out how to properly configure it their damned selves. Lazy shits, go back to Windows.
> Welcome to the new MSN.COM built on
Karma: SELECT `karma` FROM `users` WHERE `userid`=138474;
Not wanting to be pedantic but the duration of time it takes to fix a bug isn't exactly a great indicator of anything (except maybe, how long it took to fix it).
It's a bit like assuming that a program with 5000 lines is obviously worse than one with 7500 lines.
We know nothing about the internals of IIS and the two bugs are not even remotely related. You simply can't compare the two and come out with anything meaningful.
Avantslash - View Slashdot cleanly on your mobile phone.
In which context do you consider it a minor bug, if XFree tries to scale its font to any size you determine? Memory-hog bugs are never minor (just see Microsoft Windows for reference ;)) - I mean this can also be an indicator of some even more serious mis-think on checks that are done to XFree fonts before trying to display them. I would not be surprised if in 2 weeks there was an article on securityfocus stating "displaying 'gimme root' in supersize fonts in XFree environment provides the intruder with remote root exploit."
<font size="<?php
// Serve an absurd font size to anything that calls itself Mozilla (note: IE's
// User-Agent also begins with "Mozilla/", so this matches more than Gecko)
if (stristr($_SERVER['HTTP_USER_AGENT'], 'mozilla')) {
    echo '16666666666';
} else {
    echo '12';
}
?>">
Welcome to the new MSN.COM website, powered by the
(sorry about the previous post... previewed ok, but didn't post correct without extrans...)
Karma: SELECT `karma` FROM `users` WHERE `userid`=138474;
The fact is Apple does give a damn, because it has to. The operating system must be checked and supported to maintain the market share which Apple must viciously battle Microsoft to maintain.
... (which, as far as I know - being based on Quartz/PDF - is one of the best windowing systems ever). Just one thing peeved me a little. You say "I hate Apple computers." But, you seem to like the OS. Want a good OS (X)? Then buy a good computer. Macs have steadily improved and are very competitive (consumer iMac with Super Drive ... mayhaps that doesn't suit your needs ... anyone?) with PCs. As Apple continues to expand its market share, albeit slowly, we can continue to see prices drop and, let's face it, innovation to improve.
I agree on paragraph II, for the most part. UNIX for idiots is needed. And, as for Unix's GUI, let's put it plain and simple: X-Windows sucks. I'm sorry to have offended anyone, but I come from the standpoint of an Aqua user
Open source and Apple are the only real lights of the industry. In hardware, everyone tries to kiss Microsnuff's ass, so innovation is slow. Apple can develop independent of them. In software, the PC space kisses Microsnuff's ass. And so, software is also limited that way. Unless, of course, you go open source. But Open Source itself is not so great. The reason I say this is because it tries too much to imitate closed source. Gimp to be Photoshop, StarOffice to be MS Office, etc. And all of that's great. Still, the non-opensource is better. Why I say, then, that open-source is innovative is the fact that it has potential. To break the mold. To create new categories of applications. The Mac's killer app was Photoshop and image editing. Apple II had Visicalc. The IBM PC had a random assortment of junk. My question is, what's open-source's killer app?
He may be mocking the bad capitalization of the "Denial of Service" abbreviation. It's usually "DoS", not "DOS".
I do so love the smell of sarcasm in the morning
i have only one thing to say:
MOUAHAHAHAHAHAHAHHAHAHHAHAHAHHAHA
MS.. MS MS.... They will never learn it....
And I know so many people trusting them... They are all disappointed too..!
This is the 4th this week, on top of the latest one that was all over the news these last few days. http://www.pcquote.com/stocks/news/getnews.php?ticker=MSFT&newsstory=CX20020612u5t8&start=0
Microsoft needs to wake up and smell the Bawls. :)
The X developers could use this as an excuse to FIX the problems with fonts - aka. They LOOK LIKE SHIT!
The reason why I usually boot into Windows is because of the fonts; I'd rather use Notepad in Windows than vi, kedit, gedit, whatever in Linux, because the fonts are fucking horrible!
Fix the font system.
Three users confirmed, just like gopher!
right up there with coffee and napalm...
oh, wait, it's morning already? Another night wasted away on a Win2K box... thank god the new office OpenBSD/Samba server is up and running
It strikes me that there might be some quite serious money in these "agreements with Microsoft". In a post dotcom world, it's a pretty plausible business plan:
* Find holes in MS software.
* Publicise them frantically.
* Come to "an agreement".
* Kachingggggg!
Dave
I write a blog now, you should be afraid.
Check out the Bugzilla item here
Also, this is _not_ a DOS attack. What it does is make X consume all available memory and swap. And it can be triggered remotely by running mozilla, and browsing a webpage with absurdly large fonts. But it is by no means a DOS attack, because no-one is actively attacking you, making you "Deny Service" to other users.
<H1>You're Hacked</H1>
but i am sure there is more to it than that...
Cruise TT
When I was working as a consultant for a major database vendor I walked into customer sites, looked at the problems at hand and usually started to script in either perl or shell.
This provoked indescribable looks from (mostly) younger IT staff and questions around the line, of:
What the hell is this? What are you doing here? Why don't you use a GUI? This was often accompanied with smirks and laughs.
Laughing was reduced to an absolute minimum after 2 hours of scripting (including testing) and 10 minutes running the script, instead of opening a window 3000 times in order to uncheck a checkbox.
It was usually also the very GUI oriented shops that ran into wicked recoverability problems, since they implemented their databases with GUIs, modified their database structures with GUIs and the last time they re-generated scripts from the physical schema was in the summer of '98 or so.
If they had used scripts to start with and had treated those scripts like source code, they could have avoided weeks - if not months - of agony and pain. Not even to mention the costs.
I am the musician
with pocket calculator in hand
Kraftwerk
That's it, pure and simple. Freedom to do what you want with your machine. Freedom from proprietary formats and the hassle of interchanging data with others. Freedom to alter the code in any way you want, or to learn from it. Freedom to participate in more substantial ways than buying and installing some product from off the shelf. Freedom to use your computer as it best suits you, not as it best suits Bill Gates or Steve Jobs.
This might sound like fluff, but this is the reason why I gave up on Apple years ago, and it's why I've stayed with Linux ever since then. Apple has done some great things in the past few years, and I applaud them for it, but they are still not Free as in Freedom. Yes, I know about Darwin, but what about Aqua? Yes, I know about QTS Server, but what about iMovie? I'm not saying Apple should open these products or that they shouldn't make money, but simply that they're not going to make any more money from me because I will never feel safe with them after they discontinued a raft of great technology. This will not happen with Linux. Ever.
That's the killer app for me, and I know it's the killer app for others. Microsoft and Apple will never fully offer that freedom, and as a result I can never trust them fully. They might have more innovative products, but it doesn't matter. Quickdraw GX was innovative. So was Opendoc. And the original Cocoa project (kid's programming environment that I dearly miss). Where are these projects now? Innovation doesn't matter. Just that you're there, and free stuff will always be there, whether it's GPL or BSD or whatever, so long as it's Free as in Freedom. That's a far more powerful killer app than any I've ever heard of.
"I may not have morals, but I have standards."
I know it's fixable, and I know that the GNU/Linux/XFree combination is usually very reliable, but let's call a spade a spade here. This one is an absolute SCREAMER!
Brian P.
"I see lots of Penguins, is that good?" "That's good Dad, click yes."
Another fine piece of Slashdot reporting. I guess no one saw fit to report the new gaping holes in "unbreakable" Oracle.
I guess bugs only matter if they're courtesy of Microsoft. If Bill was smart he'd grow a scruffy beard, claim his O/S is unbreakable and come up with ridiculous predictions once a week (NetPC, etc.). No one would bother him then.
I wish Slashdot would grow up and become a real news site, you know, just the facts ma'am. Instead it's a whine fest for people with an axe to grind. Report the news, and save your commentary for the comments section.
It doesn't work for me either, so make that two. I can't offer any reason why it doesn't work as, according to the Reg, xfs makes no difference and the other differences between Linux distros shouldn't affect it (i.e. filesystem layout).
:) If you have a big enough sample you can draw any conclusion you want.
Maybe it's something to do with the version of Mozilla. Mine's an oldish nightly (2002042510) as none of the newer versions I've tried are anything like as stable/fast here. When loading a page with these huge fonts my Mozilla just shows blank space where the fonts would be then stops processing it. The rest of the page loads fine and I cannot replicate any of the faults reported on lemuria.org
I wouldn't however state categorically from this that all slackware users are safe
I think you meant:
.NET framework....
<body>
<font size="<%
' same test as the PHP version: the User-Agent header, not the referrer
If InStr(LCase(Request.ServerVariables("HTTP_USER_AGENT")), "mozilla") > 0 Then
    Response.Write("16666666666")
Else
    Response.Write("12")
End If
%>">
Welcome to the new MSN.COM website, powered by the
Guvf vf abg n EBG zrffntr
I am pretty sure this bug has been in Bugzilla for months without being fixed. However, bugzilla-search seems to be broken so I cannot prove it right now.
However, I am 100% positive I crashed my machine due to a remotely exploitable X bug using Mozilla a few months back. That bug is in bugzilla (search on crash, X, css, hensema when bugzilla search works again).
This is your sig. There are thousands more, but this one is yours.
Not really 3 days. Where's the fix for my distrib ?
That's one small bug for open source, one giant bug for microsoftkind.
Microsoft announced Wednesday that there is a serious software flaw with its IIS web server.
[increasing in pitch]Whaaaaaaaaat? Can't be.
I belong to the ______ generation.
It presents the GNU/Linux and free software side, which is a small step towards bringing balance, as we do not have the big advertisement budgets to buy editorial good will, or money to order favorable reviews from "the customer is always right" analysis companies.
What I am getting tired of is the people who whine that Slashdot is not Ars Technica or kuro5hin, both excellent web places with a different focus than Slashdot.
What do you mean "we", white man? I have "taken advantage of" 2D gfx hardware under Unix for longer than slashdot (or Linux) has existed. The fonts don't look "like ass" on my screen. I guess what you want is anti-aliasing. The free technology for that is available, it is just a question of installing it. Maybe your OS distributor has done it for you in a sufficiently recent version.
ridding yourself/your company of the ill eagle kingdumb's payper liesense bugwear scam, is MUCH easier than you've been MiSled to bulleave.
.HTR is a flawed protocol and should be avoided. No sane developer will use .HTR pages in his site on an IIS machine, since the .HTR parser is crappier than crap since day one with buffer overruns all over the place. Most sysadmins have .HTR disabled anyway, since it's of no use. When there is a bug in that parser, thus _NOT IN IIS!_ but in an extension (like mod_perl to apache), and that parser is not used by a lot of people, would you put a lot of developers on that bug? No.
Never underestimate the relief of true separation of Religion and State.
Your use of C# is disturbing on /. If Java, well, it's just strange.
A fool throws a stone into a well and a thousand sages can not remove it.
..who would have figured it would take less time to fix a minor bug...were you trying to make any type of real point here?
can a scruffy beard be far behind? will it help with the BiG ?pr? poosh?
...and we're double-checking our procedures for emergency out-of-hours release of updated virus definition (signature) files. I would not be AT ALL surprised if a Nimda or Code-alike worm appeared, using this exploit, within the next few weeks. Although when it happens, guess what time of day our developers will ask us to QA and upload the new definitions... 2am? 3am? *deep joy* (not. We don't get paid overtime...)
Most applications will attempt to allocate sufficient memory to handle the task the user assigns to them, and depend on the system to refuse the request if there is not enough memory. They then handle the refusal with varying amounts of grace. It should not crash the OS, unless the OS itself is broken.
For example, if you feed GCC ridiculously large input, GCC will (attempt to) allocate a ridiculous amount of memory. Which is how it should be; the applications should not try to second-guess the user.
Applications that take data from untrusted sources, like web browsers, should of course make sanity checks. So the error is in Mozilla, not X11.
Nonetheless, one can expect more from a desktop server like X11 than from more traditional applications, since if the desktop crashes all the user-visible applications will go with it. So it would be a reasonable feature for X11 to make more sanity checks on its input than other local programs do.
If people don't apply patches, fixes, updates and security recommendations, then Microsoft could have released a fix in 2 seconds, and it still won't do any good.
Linux and other open source software aren't impervious to bugs being discovered either, they just respond faster - so the lesson here is simply "if you're an idiot, you can get '0wn3d' on any OS".
Yeah it sucks that Microsoft take two months to fix an exploit, but if it only affects a service that would have been switched off already if you followed instructions, then it's not *that* big of a deal.
There's a serious IIS hole? That's not news. Tell me when there no serious hole.
Why should XFree86 care how much memory the system has? Any program should use as much memory as it reasonably needs to fulfill the request of the user. If a program uses too much memory, the OS should take care of it somehow. Whatever the OS does, it shouldn't go unresponsive.
I certainly don't want to retrofit every program I've ever written to put a cap on memory usage, just so I don't hurt the poor little OS.
Patrick Doyle
I mod down every jackass who puts his moderation policy in his sig. Oh, wait a sec....
It's not X-WindowS, it's X-Window System or just X.
Since Mozilla has the option of a minimum font size, wouldn't it be trivial to have a preference for a maximum font size, as well? That'd be a good feature to have even if the X bug didn't exist.
"(The reason the Bugzilla link isn't a proper href is that I tried to check it just now, and Bugzilla said links from Slashdot aren't allowed. Make of that what you will!)"
There is a perfectly simple reason for that, no conspiracy needed. They are just using the referrer to reduce their chances of a /.ing; the clueful can still read, but it reduces the amount of strain on the server if you have to put some effort in, if Ctrl+c, Ctrl+v counts as effort.
"I Know You Are But What Am I?"
Seems to me that real problem is in the design stage and failure to consider all relative conditions and required constraints.
As a general understanding and practice in software engineering.
It's a heap overrun. Very hard to exploit to exec custom code, all you can really do is crash the server. Not that that's a good thing... interesting to see that IIS5 auto-restarts too (so that an attacker can compromise the binary then crash the server so it re-loads?)
MS actually _overplays_ this one in the release. For once. Too bad they claim it's newly discovered.
OTOH the moz bug is (a) not in mozilla but in X as mentioned elsewhere, (b) not really fixed, just worked around in mozilla and (c) A TOTALLY DIFFERENT ISSUE.
OTOH the IIS bug was an overrun and would be a 5min patch.
its php.
--"Karma is justice without the satisfaction"
I use an early version of Mozilla, which I assume is unpatched for this. And for the life of me I can not get the test site to crash my box. I'm very disappointed.
I was just pointing out that I doubt that msn.com would use PHP. They would rather use their own product (ASP), wouldn't they?
Guvf vf abg n EBG zrffntr
I don't know the details of each bug, but off hand I'd say this is an unfair comparison.
The length of time to patch a bug isn't as simple as how impactive it is. It depends on lots of factors including where the bug is and how impactive the fix is. Any bug can be a real pain to fix if it is the right place.
Also, I'd hope that any server side software goes through a little more scrutiny than client side software. Which would you rather have, a single client not working or all users for a site not working?
Of course, this doesn't excuse the fact that yet another MS IIS bug has surfaced. Is anyone keeping count of the major security bugs?
As for the HTR, anybody that does a "typical" install (i.e. just selecting default options) of a Web server has larger problems than their OS.
"Da ist ein Technölüst in mein Unterpanten!"
I don't think the killer app exists anymore. A Killer app, is an application which forces you to buy the computer and operating system in order to run it.
Windows' original killer app was Excel. It wasn't as good as 1-2-3, but it didn't have the memory issues which 1-2-3 had in the DOS environment. After that, why bother with WordPerfect, when you already have that Windows machine to run Excel, and MS Word will run better in your environment.
Now when the "average user" wants a computer, they don't even have an application in mind. They have a list of things they want to do. Certainly you've heard this conversation before:
user: "I need a computer"
tech: "what do you need a computer for"
user: "my son/daughter needs it for school"
tech: "what are they taking?"
user: "computer engineering"
tech: "shouldn't they be researching this themselves?"
user: "They don't really know all that much about computers. They got really good marks in programming though"
tech: (shudder) "well then just about anything will do fine. A low-end PC with Windows will be compatible with all the popular document formats out there, and will run MS Office and IE without any problems."
user: "What about a Mac?"
tech: "They're good, they have a strong following, but it won't be what they're using at the school, and their friends won't be able to help them with technical problems. Despite what anyone says they're more expensive too, but the hardware is technically superior."
user: "oh, I also want them to be able to play a few games too..."
tech: "the faster and more expensive the better, but the low end PC would be good for most games."
When the cheapest computer is "what everyone else is using", people will buy the cheapest computer. The killer app isn't what a computer can do anymore, it is what a computer can't do. Why buy anything other than a Windows PC when a Windows PC is the cheapest and does everything?
(Of course if the student were going into some multimedia program and asked this question to a faculty member, they would probably buy a Mac... because in that field, it is "what everyone else is using".. they might not though... mistakenly thinking that a low end PC which can run all the necessary software will perform as well as a low end Mac.)
It's a very difficult problem. Applications do over-allocate because they don't know how much they would use. The kernel overcommits because it expects apps to over-allocate. If the kernel wouldn't overcommit then you would require absurd amounts of swap to run.
X11 is a special app, because if it dies the screen dies and you can't interact with the system although the system might be functioning fine.
What happens in this case is that X11 is killed promptly by the kernel, and does not get any time to restore the console. The kernel cannot and must not differentiate between processes.
In this case though the problem is more clear cut: X11 must not allow absurdly large fonts. There should be a limit to the size of the memory it is allocating based on the system memory, so that it doesn't put itself into danger. It might be a difficult question in different settings, but this case just requires an upper limit on font size, based on the display size and system memory.
-anand
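Added example (editor's code, not anything posted in this thread and not XFree86's code) tying together the two fixes argued for above: the application-side cap on glyph size that anand wants X to apply, and the OS-side address-space limit that the pam_limits question and the "let the kernel refuse it" posts rely on. The glyph model (a square bitmap at one byte per pixel) and every function name are assumptions for illustration. RLIMIT_AS is what `ulimit -v` and the `as` item in pam_limits' limits.conf set, so the second half shows exactly what such a limit buys you: malloc returns NULL and a well-written client draws nothing instead of dragging the box into swap.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/resource.h>

/* Hypothetical glyph model (assumption, not XFree86's data structures):
 * one rendered glyph is a square bitmap of px*px pixels at one byte per
 * pixel. The cap the post asks for: a glyph larger than the display is
 * refused before any memory is requested. Returns the byte count, or 0
 * when the request is rejected. */
size_t glyph_bytes_or_zero(unsigned long long px,
                           unsigned display_w, unsigned display_h)
{
    if (px == 0 || px > display_w || px > display_h)
        return 0;                      /* e.g. 16666666666 is rejected here */
    return (size_t)px * (size_t)px;    /* cannot overflow: px <= display dims */
}

/* The OS-side limit: a per-process address-space cap, the same thing
 * `ulimit -v` or the `as` item in pam_limits' limits.conf sets. The soft
 * limit can only be lowered as far as the hard limit allows. */
int cap_address_space(size_t bytes)
{
    struct rlimit rl;
    if (getrlimit(RLIMIT_AS, &rl) != 0)
        return -1;
    if (rl.rlim_max != RLIM_INFINITY && bytes > rl.rlim_max)
        bytes = (size_t)rl.rlim_max;
    rl.rlim_cur = bytes;
    return setrlimit(RLIMIT_AS, &rl);
}

/* What a well-behaved client does when the kernel refuses: treat NULL
 * from malloc as "draw nothing", not as a reason to die.
 * Returns 1 if the buffer was obtained, 0 if the allocation was refused. */
int try_alloc_glyph(size_t bytes)
{
    unsigned char *buf = malloc(bytes);
    if (buf == NULL)
        return 0;
    memset(buf, 0, bytes < 4096 ? bytes : 4096);  /* touch it: real memory */
    free(buf);
    return 1;
}

/* Scenario: cap this process at 512 MiB of address space, then ask for a
 * 1 GiB glyph buffer. Under the cap malloc returns NULL instead of the
 * process eating all RAM and swap. Returns 0 when refused (the expected
 * result), 1 if it unexpectedly succeeded, -1 if the cap could not be set. */
int demo_refused_under_cap(void)
{
    if (cap_address_space((size_t)512 << 20) != 0)
        return -1;
    return try_alloc_glyph((size_t)1 << 30);
}

/* A sane request (a 256x256 glyph, 64 KiB) still works under the same cap. */
int demo_small_ok(void)
{
    return try_alloc_glyph(glyph_bytes_or_zero(256, 1280, 1024));
}

int main(void)
{
    printf("24px glyph on 1280x1024: %zu bytes\n", glyph_bytes_or_zero(24, 1280, 1024));
    printf("16666666666px glyph:     %zu bytes (0 = refused)\n",
           glyph_bytes_or_zero(16666666666ULL, 1280, 1024));
    printf("1 GiB under 512 MiB cap: %d (0 = malloc refused)\n", demo_refused_under_cap());
    printf("64 KiB under same cap:   %d (1 = ok)\n", demo_small_ok());
    return 0;
}
```

The display-size check is the cheap, local fix: it needs no knowledge of system memory and rejects the thread's 16666666666 before a single byte is requested. The rlimit is the belt to that suspender; it is per-process, so it protects the rest of the machine from X but does nothing for X's own clients if X itself dies.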
1. Write open-source software
2. Find holes in MS software, publicize them frantically, and come to "an agreement"
3. Profit!
See how insecure Linux is now? You should be using Windows XP, folks.
Slackware 8.0 (without patching) runs the 3.3.6 XFree86 tree.
Being that version 4 was a serious break from the version 3 code, I'd expect the bug was introduced between version 3.3.6 and version 4.0 (It appears it may have only been introduced in version 4.2 from other posts here).
HTH.
Another Mozilla bug that will bring Windows XP to its knees is the "snow effect" bug ( bugzilla.mozilla.org/show_bug.cgi?id=64516 ) that hogs nearly 100% of the CPU time. XP's concept of multitasking is such that while CTRL-ALT-DEL will theoretically respond so you can kill the process, in practice you might as well hit the reset button (at least I've never had enough patience to wait). Please go and vote for this bug.
does the Mozilla bug (well X bug actually) still work if you use pam limits on memory? I'm not too familiar with X.
Much as I'm no fan of Microsoft's products or their approach to security(sic), Taking 60 days to get a fix released is not necessarily a bad thing and is pretty standard for vendor-software.
Security fixes which are rushed out often simply open up new holes (or cause other problems). Hence, common practice among Unix vendors is to release an emergency fix or patch, which is available sooner, and to later release an update which is fully tested.
Mitre and @Stake recently proposed a standard vulnerability disclosure RFC setting out appropriate response times for software vendors (open source and proprietary). Basically, the RFC says "contact the vendor, give them at least 30 days to respond / fix; the vendor is responsible for keeping in touch with the reporter every 30 days; don't announce the vulnerability until there is a fix;
The intent here is to get problems fixed and announced in a manner that ensures that system users have a way to update vulnerable systems. (And personally I'm just fine if vendors also use some of that time to update critical customers, say financial institutions ahead of the rest of us)
In my own practice I usually wait a bit on patches. My immediate approach to a new vulnerability which affects my systems is to disable the vulnerable aspects or apply suggested work-arounds.
As I think many shops using MS are taking patches by the auto-update feature, perhaps propagating internally with SMS, Microsoft has an onus to try to be sure that fixes they put out are in fact correct and without unfound side effects.
Linux is Linux, if One need clarify their dist: <Dist>/GNU Linux
bsds are of course just BSD
There's somebody on the cluephone. It's for you.
hence the newness of it. It's not like ms doesn't run open source servers or anything...
Karma: SELECT `karma` FROM `users` WHERE `userid`=138474;
I've been skeptical for a while about the ease with which someone would actually be able to execute code on a machine as a result of a heap overflow.
If you've got a buffer overflow on the stack, it's trivial to clobber the stack frame pointer, and therefore the return address, and have the CPU jump into the middle of your buffer for the next instruction. *BUT* if all you can do is write into the heap, how do you ever convince the CPU to jump to your buffer and execute it?
In the special case that you knew the position of a function pointer, I could see how you'd go about it, but is there a general technique to exploit this sort of thing? If not, then I think people are getting a bit more hyped up about this than is warranted.
Calling /. "advocacy" is just an excuse for incoherent, puerile screeds against MS, xxAA, broadband companies and whoever else we don't like because they won't give us their stuff for free.
/. has never pretended to be anything else. How about "News for Nerds, Stuff that Matters" (as if, but that's a different topic). Nothing about advocacy. (I interpret "Stuff that Matters" to be a modification of the "News" part, not an independent clause.)
You say
I remember the advocacy newsgroups (particularly os/2). Lowest signal-to-noise ratio of all comp.os.*.* groups. You want to tag Slashdot w/that? No thanks.
The slashdot bandwagon against m$ still has not made a valid statement against MS, without ignoring the problems of linux and WHY it isn't mainstream as their hearts desire. It's the mind set that linux is for the 3733t, and to hell with anyone that doesn't want to read man pages and how-tos for weeks before and after an install to be able to use it, that is its major downfall. By use I mean in an average home.
The linux bandwagon has to first get down off that high horse, face their own issues, attempt to HELP instead of bash, use the knowledge to create a linux distro the mainstream can use (mandrake is close), before pointing a finger and screaming rants about monopoly and bugs. Is it important to follow YOUR way to do things? NO. Is it important to CYA? YES! In business you have to, so MS has done nothing wrong by having a bug in code and releasing a patch that corrects these bugs and a few others all at once AFTER testing it.
Despite the errata page, Linux leetest still claim linux has no bugs, if you have 1 roach then there are a thousand you don't see (so why declare the bug and how to use it to the world?)...
MS bashing is getting real old, and crying wolf reminds me of a little story that could teach a lesson...
karma, hah...
The mozilla bug was known for some time by everyone on irc.mozilla.org #mozilla that tried my little url test link several weeks back. I gave warning before posting it but you know people. =)
Basically it's not just CSS, it's also mixtures of center and header tags that are NOT escaped. I ran into the bug on a poorly done eBay user home page with code like:
The bug is Mozilla (gecko) doesn't parse this very well, and causes the font to scale larger and larger. This in turn allocates more and more main memory until your poor box runs out.
From our tests on #mozilla:
My linux 2.4.16/gdm/XFree 4.x box only crashed X.
A BSD user with experimental video drivers had his machine reboot.
Several other linux users ( 2.4 ) only had X crash.
One linux user with > 1GB of RAM had no effect b/c his session was too short to fill all that. =)
In short this was reported and being worked on before Mozilla 1.0 was even out.
Here's the bug report kindly filed by #mozilla:
http://bugzilla.mozilla.org/show_bug.cgi?id=149014
Slackware 8.0 (without patching) runs the 3.3.6 XFree86 tree.
No, it doesn't. From the Slackware 8.0 changelog:
Mon Jun 4 22:53:34 PDT 2001
Upgraded to XFree86-4.1.0.
Slackware 8.0 (without patching) runs the 3.3.6 XFree86 tree
This is incorrect. Stock Slackware 8.0 runs the XFree86 4.1 tree. Your claim is true for the Slack until 7.1.
Which brings up an interesting point... maybe XFree86 versions earlier than 4.2 are not affected by this bug. But I don't have any machine to check this out, my home linux box runs Slack 8.0 but with an updated (and probably "buggy", I'll check it out when I get home) 4.2 XFree86 package, along with other stuff I've updated myself.
Anyone care to check this out?
What's the difference between a bug that allows remote access, and a bug that allows remote denial of service? None, really. In either case, you can't use your equipment properly, and there's a chance for data loss/corruption. And haven't "many eyes" been looking at the code for a hell of a lot longer than "three days?" I wouldn't exactly be calling this a victory for OSS.
Vintage computer games and RPG books available. Email me if you're interested.
"Microsoft's time to patch a remote hole where the attacker can gain complete access to your computer: two months. Open Source's time to patch a much less serious bug where the attacker can merely crash your computer: three days."
..... 7 days
Time it takes to install a patch in open source land because the documentation stinks and the programs are hard to use
> (yeah, my sig is wrong, so what?)
Not necessarily, if you're not talking of streets, but of numbers, and, if neighbouring numbers are (+|-)1 the original number.
Definitions baby, definitions.
The Mozilla team was given little time (days/weeks) to address this bug before it was publicized while Microsoft was given months.
Meanwhile, 90% of computers running X will be fixed within a month, 1/2 of the windows machines will still be vulnerable in 6 months.
Good deal, you GO Microsoft!
nope, using 4.2.0 compiled from source on slack7.1 here and I can't get it to die. Possibly something to do with new kernel? I seem to remember seeing warnings about malloc.h being changed to slab.h...could be related..or I may just be grasping at straws :)
Just post every site that has this exploit on slashdot and the /. effect seems to be able of handling the problem just fine.
HTTP/1.1 400
Microsoft's time to patch a remote hole where the attacker can gain complete access to your computer: two months. Open Source's time to patch a much less serious bug where the attacker can merely crash your computer: three days.
;-)
Give michael some credit. He stated two facts. I can eat an apple in 2 minutes and an orange in 5 minutes. The facts just don't rationally coordinate with each other, that's all
Good quote, too many chars. Seriously, the slashdot 120 char limit sucks!
This article says a patch for XFree86 is available but I can find no signs of it. Nothing here, nothing on the XFree86 font list, nothing on the XFree86 main list, no patch mentioned on Bugtraq, etc. Can anyone point me to it?
Havoc Penington, the bane of my Linux desktop.
Unlike mature people who would just go away and find some place targeted towards them, they puerilely insist that the whole world must revolve around their needs, and thus use the tag line as an excuse to whine when they see articles about the fight for freedoms or for GNU/Linux, which has always been the core of slashdot.
I can understand that an OS/2 advocate would feel homeless these days, but the /. focus has never been about one mammoth company making a slightly better product than another mammoth company, and attracting a horde of fanboys because of that. GNU/Linux is something quite different, it is about freedom, not technology. You would most likely find yourself more at home in the countless technology oriented sites on the net.
"Virtually the only purpose for which HTR technology is still used today is web-based password management services. IIS ships with a set of HTR scripts that, if deployed, make it possible for users to change their Windows NT passwords via a web server, and "
....hmm time for self promotion of alternative password management for NT/2000 over the web dewnt
Microsoft announced Wednesday that there is a serious software flaw with its IIS web server.
Say no more.
Ok guys, when I posted my first comment I checked with the mozilla cvs version (latest code, but they hadn't fixed the font bug yet) and it didn't crash X, and it didn't make X eat more RAM either. All went fine. I use XFree 4.2 from -current. But the main logic of the bug (as it first appeared in the vuln-dev mailing list) is to get xfs to show a big font, so getting it to use 100% of system resources. So I think Slackware 8.0 with whatever XFree version is safe... So sad day for Redhat guys instead ;-) They run a nice xfs server.
Never learn by your mistakes, if you do you may never dare to try again
if(iFontRenderSize>FONT_MAX_SIZE){
iFontRenderSize=FONT_MAX_SIZE;
Tokyo.Stomp.Stomp.Stomp();
}
Let's not stir that bag of worms...
Many admins working on IIS Platforms do so simply because they are given no choice in the matter. A company will write its code in VB/ASP, get their proof of concept server running, and then hire people to scale it out for them. I, as an admin, have no /RIGHT/ to tell them to re-write everything in perl, and to be honest, a lot of parts of our site are un-duplicatable (cool, new word) in a Unix environment.
I, and other admins I know, work to become the best server administrators, regardless of platform, that we can be. It makes no difference if you're using Linux as a frontend if you still have a drooling moron running it.
Besides, what looks better to an interviewer for a potential job:
Candidate A:) I have administered NT/IIS, Exchange, Linux, Sendmail, Apache, QMAIL, MSDNS, DJBDNS, MS-SQL, MySQL, Win2k Active Directory, LDAP, NFS/NIS.
Candidate B:) I am a Unix Admin. If you have Microsoft, you are criminally negligent morons. I refuse to touch IIS lest I be prosecutable as an accessory to stupidity.
I see an Anti-MS admin view as short sighted and trollish. Take the long view of network security and you can make any OS reasonably secure.
I like music
From the MS Bulletin:
Impact of vulnerability: Run code of an attacker's choice on the system
Maximum Severity Rating: Moderate
---
So, if being able to run arbitrary code is merely "Moderate", what is severe?
How come nobody is posting a quick source patch? WTF? Isn't that one of the great things about open source?
You have all the code. It shouldn't be too hard to find the few places that you need to cap font size.
Where's all the programmers?
Let's not stir that bag of worms...
I read MS's bulletin, and noticed this...
"I've disabled the HTR functionality on my IIS server. Do I need the patch?
The vulnerability results because of an arithmetic error in the ISAPI extension that implements the HTR functionality. Specifically, the error lies in a function that enables data to be uploaded to a web server via chunked encoding, and causes IIS to allocate a buffer of the wrong size to hold incoming data, with the result that the data could overrun the end of the buffer. "
They don't answer the question!
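The bulletin quoted above describes an arithmetic error when sizing the buffer for chunked-encoded uploads. As an added illustration, not code from IIS, Microsoft or anyone in this thread, here is a chunked-body decoder in C that checks the chunk size and the running total before allocating or copying anything; the size caps, function names and the sample request are the example's own.

```c
/* Added example, not IIS or Microsoft code: decoding an HTTP chunked body
 * with explicit size checks, so the buffer allocated for the data is never
 * smaller than what gets copied into it. The caps are this example's own. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_CHUNK_SIZE (1024u * 1024u)      /* per-chunk cap chosen for the example */
#define MAX_BODY_SIZE  (8u * 1024u * 1024u) /* total decoded-body cap for the example */

/* Parse the hex chunk-size token that starts a chunk line ("1a3;ext\r").
 * Returns 0 and sets *size on success, -1 on junk, a missing number, or a
 * value above MAX_CHUNK_SIZE. The accumulator is checked before every shift,
 * so it can neither wrap nor be used to request an undersized buffer. */
static int parse_chunk_size(const char *line, size_t *size)
{
    size_t v = 0;
    int digits = 0;
    for (; *line; line++) {
        int d;
        if (*line >= '0' && *line <= '9')      d = *line - '0';
        else if (*line >= 'a' && *line <= 'f') d = *line - 'a' + 10;
        else if (*line >= 'A' && *line <= 'F') d = *line - 'A' + 10;
        else break;                         /* ';', CR or anything else ends the number */
        if (v > (MAX_CHUNK_SIZE >> 4)) return -1;   /* next shift would pass the cap */
        v = (v << 4) | (size_t)d;
        digits++;
    }
    if (digits == 0 || v > MAX_CHUNK_SIZE) return -1;
    if (*line != '\0' && *line != ';' && *line != '\r') return -1;
    *size = v;
    return 0;
}

struct body {
    unsigned char *data;
    size_t len;   /* bytes used */
    size_t cap;   /* bytes allocated */
};

/* Append one chunk's payload, growing the buffer with overflow-safe arithmetic
 * and refusing the chunk if the total would pass MAX_BODY_SIZE. */
static int body_append(struct body *b, const unsigned char *chunk, size_t n)
{
    if (n > MAX_BODY_SIZE - b->len) return -1;   /* cannot wrap: len <= MAX_BODY_SIZE */
    if (b->len + n > b->cap) {
        unsigned char *p = realloc(b->data, b->len + n);
        if (!p) return -1;
        b->data = p;
        b->cap = b->len + n;
    }
    memcpy(b->data + b->len, chunk, n);
    b->len += n;
    return 0;
}

/* Decode a complete chunked body held in memory. Returns the decoded length,
 * or -1 (with *out emptied) on a bad size line, a truncated chunk, a missing
 * CRLF or a cap violation. */
static long decode_chunked(const char *in, size_t inlen, struct body *out)
{
    size_t pos = 0;
    out->data = NULL; out->len = 0; out->cap = 0;
    for (;;) {
        const char *eol = pos < inlen ? memchr(in + pos, '\n', inlen - pos) : NULL;
        char line[32];
        size_t n, ll;
        if (!eol) goto fail;
        ll = (size_t)(eol - (in + pos));
        if (ll >= sizeof line) goto fail;        /* absurdly long size line */
        memcpy(line, in + pos, ll);
        line[ll] = '\0';
        if (parse_chunk_size(line, &n) != 0) goto fail;
        pos += ll + 1;
        if (n == 0) return (long)out->len;       /* last-chunk marker */
        if (inlen - pos < n + 2) goto fail;      /* payload plus its CRLF must be present */
        if (body_append(out, (const unsigned char *)in + pos, n) != 0) goto fail;
        pos += n;
        if (in[pos] != '\r' || in[pos + 1] != '\n') goto fail;
        pos += 2;
    }
fail:
    free(out->data);
    out->data = NULL; out->len = out->cap = 0;
    return -1;
}

int main(void)
{
    /* Constructed request body: two chunks then the terminator. */
    const char *req = "5\r\nhello\r\n6\r\n world\r\n0\r\n\r\n";
    struct body b;
    long n = decode_chunked(req, strlen(req), &b);
    printf("decoded %ld bytes: %.*s\n", n, (int)(n < 0 ? 0 : n), n < 0 ? "" : (const char *)b.data);
    free(b.data);
    return n < 0;
}
```

The two checks that matter are the per-digit cap test in parse_chunk_size, which stops the size value from ever wrapping, and the subtraction-based test in body_append, which compares against the remaining budget instead of adding first and comparing afterwards.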
Request.ServerVariables("HTTP_REFERER")? Exactly what good would checking the referring web site do? :)
Comparing apples and oranges, in an otherwise decent post. It's bad logic to say "We can fix our holes quickly, therefore we are better!".
I doubt anyone would argue that the MS OS product is everywhere. However, there is a distinct difference between patching a component and patching a dam. IMHO, this would be a more-constructive discussion (libraries vs. everything interleaved).
Seriously, MS does a good job of packaging the fixes and making them available to the public. They work at making things easy enough that I can explain "how to update windows" to my girlfriend's mother. Although their patches aren't 100% smooth, you only hear about the "one that got away". That 1% slip, thru the cracks, is probably the responsibility of some low-life on their last day.
OSS projects push the support on their users, who generally have a minimum double-digit IQ and a set of "supported hardware". MS works for the dolts that built their PCs from recycled auto parts.
...as much as I really like the idea of Linux, and the look of gnome and kde, and the coolness of using a console... you'd still have to dumb it down a bit more for me.
I can not accept this complaint against a Linux desktop. This might have been true in 1999, but today Linux with KDE 3 (and maybe GNOME 2) is ready.
When a user starts KDE for the first time, it runs a little wizard to customize settings. One of the screens asks "How should I behave?" with options to act like Windows, Mac, Sun (CDE), or plain KDE style. A "dumb" (your word, not mine) user can just select the Windows option and get to work. No real learning curve and no hard-to-use applications, with maybe a five-minute tour of the available features will let even the least tech-savvy user be productive and comfortable. The system pretty much behaves as expected.
I installed Mandrake 8 on my laptop and hid the console icons from my spouse's user account. She never noticed they were missing. She uses Linux every day, and doesn't know that the console even exists.
A Linux desktop in 2002 is featureful, stable, attractive, fun, and useful. There are applications available that fit every common niche from games to desktop tools to network software. SuSE 8 even comes on 7 CDs! That is a lot of software!
The only excuse I still accept for not making the switch is "I need to run and it needs Windows!" If that is your reason, fine. But do not let a fear of the command prompt keep you from freeing yourself. Linux is dumb enough.
Thanks, this is great. Thanks, you guys are wonderful.
Why isn't XFree86 written to handle a kill -9 in a more friendly manner? As I recall, processes can catch a 'kill -9' and respond sanely to it.
So I guess it is an X bug after all... But personally, I feel it should be fixed on both sides. Mozilla shouldn't be able to overload X, and X shouldn't be able to crash the video hardware when it's killed.
Maybe the state's highest function is to grind out insoluble problems. (Zelazny, Hall of Mirrors)
What are you talking about? Thanks to various bits of acceleration in XFree86, my desktop is zippy fast. Games and DVDs play as smoothly as I could want. Ugly fonts? Well, yes, truly free fonts tend to be a bit weaker. However, you can easily get the fonts Microsoft generously makes available for free, using the webFonts4Linux script. They won't be quite as nice as on Windows by default thanks to a patent on the TrueType hinting engine; you can either build your own FreeType library to include the patented code, or you can use anti-aliased fonts. KDE has anti-aliased fonts and Gnome is right on its heels.
First, it doesn't matter what our market share is. So long as the community continues to grow, there will be a future. Second, the latest market figures for servers show Linux as gaining market share. On desktops, things aren't quite so good, but we're definitely increasing our numbers. Things are looking quite good in the long run. Yes, there is a lot of work to do, and we need to remain honest about how far we have to go. But some cheerleading and hyping our strengths is key.
I'd heard briefly about the Mozilla bug, and I understand why it's X's fault, but I'm curious... how is it that X is able to crash the system this hard? Because it's got direct access to hardware?
There's an interesting historical footnote that underscores how developer egos and stubbornness (on both sides of the argument) can lead to disagreements and very sub-optimal solutions. The folks working on the GGI project tried to fix this back in the 2.0 kernel days (and possibly earlier) and were poo-pooed by Linus Torvalds. Their argument was that the kernel's job is to abstract the hardware layer from userspace software, so that applications like X don't have to talk to the graphics card directly, they simply make function calls to the kernel code, which are handled by the appropriate device drivers. Similar to the way just about every other piece of hardware on your GNU/Linux system works.
This was an argument that, at the time, I felt Linus was completely wrong on, and the GGI folks were completely right on. But of course, as a mere user and developer on GNU/Linux, and not a kernel developer, my opinion counts for little (even less since I chose not to get involved in that particular argument at the time).
Ironically, the kernel developers backpedaled a little on this with 2.2, and moreso with 2.4, in which they implemented the rudiments of a framebuffer system that does precisely what GGI advocated, though not nearly as well, and not for as much diverse hardware.
The GGI project is still very much alive, and doing very interesting work, for any who are interested. I haven't had time to play with it for a while, but it is on my list to get back to at some point. Imagine how much cleaner graphics usage would be under GNU/Linux (and perhaps other *nixes) if, instead of having to tack on hardware specific tasks onto X, it were being done in hardware device drivers instead. They argued, quite compellingly IMHO, that X crashes should never be able to take down the operating system, regardless, and that with proper hardware abstraction done via kernel device drivers, as is done with every other piece of hardware in the system, it would be impossible for X to do so (barring, of course, bugs in the kernel code itself).
[the counter argument was that 3d acceleration and other graphics primitives were too bloated to go into the kernel. The GGI folks didn't design their stuff this way: the hardware access routines go into the device driver, the rest of the logic resides in user-space libraries. You get the complete hardware abstraction via the kernel features, including accelerated 3d support, without the kernel bloat Linus and others so feared. It is really quite elegant, and might have spared us the whole GLX/DRM/DRI mess anyone wanting to do 3d acceleration under X has to suffer through these days, had anyone listened at the time].
So instead, today, we have X talking directly to the video hardware with little or no kernel involvement (unless you're using framebuffer support and the fb-dev X driver), and when X goes south, there's a good chance your entire hardware and operating system are heading south along with it. It is the only situation in which GNU/Linux performance approaches that of Microsoft Windows, and it is due to a design flaw in how graphics cards are accessed from within GNU/Linux -- directly from the userspace program instead of via a standard, hardware device driver like everything else.
The Future of Human Evolution: Autonomy
If anyone really thinks that a buffer overflow in an obsolete server extension (that no competent sys admin would have loaded) is really more serious than a bug that kills X-Windows boxes just by setting large fonts on a web page then they have got their head so far stuck up their arse I doubt they'll ever get out.
I think it's time I found a replacement for Slashdot, the news is getting so biased it's nothing more than glorified Linux-love.
What's more worrying is the number of open-source programmers I'm speaking to who are also looking for something more neutral.
bye
[)amien
[Not that it's clear that the IIS bug is really a remote access bug (see above where it's explained as a DOS bug) but there have been plenty of remote access IIS bugs (see Code Red).]
The X bug only crashes your machine if you browse to a malicious web site. The malicious person can't do anything to your machine if they can't induce you to go to their web site, and the effect on your machine of visiting the web site is immediately obvious (X and possibly your whole box crashes) so you can learn not to visit that web site again. The malicious user doesn't really gain anything other than the jollies of knowing they crashed some machine.
A remote access bug allows someone to take over your machine surreptitiously, which is much, much worse than just crashing your machine. It means your machine's data can be inspected and changed without your knowledge, and also that your machine can be used as a staging point for other illegal activities. Particularly if your data is sensitive, this provides a great deal more incentive to a malicious user.
j/k ! :P
I'm starting to suspect that Microsoft releases these .htr holes on purpose. I mean, nobody in their right mind uses it. So I think they just cook up a vulnerability, and let the word out. Then, up in Redmond, they must all sit around and have a good laugh at the flurry of indignant outrage that inevitably appears on /.
After all, everybody knows that Apache has no vulnerabilities in the default installation.
Microsoft's time to patch a remote hole where the attacker can gain complete access to your computer: two months. Open Source's time to patch a much less serious bug where the attacker can merely crash your computer: three days."
Give it a rest please, we all know that Open Source projects are magically superior to any closed source project. Seriously, I can not stand MS and I am sick of hearing this elitist attitude, especially from /. editors.
Can the bug install Linux? Because that would cause some major issues.
"The two most abundant elements in the universe are hydrogen and stupidity." -Harlan Ellison
Microsoft's time to patch a remote hole where the attacker can gain complete access to your computer: two months.
Open Source's time to patch a much less serious bug where the attacker can merely crash your computer: three days.
Microsoft providing us arguments to make fun of closed-source users: priceless
"Microsoft's time to patch a remote hole where the attacker can gain complete access to your computer: two months. Open Source's time to patch a much less serious bug where the attacker can merely crash your computer: three days."
I'm tired of being insulted by every self-righteous /.er who thinks just because s/he runs an open-source product, that everyone else should. It's more complicated than that.
...a much less serious bug
Of course it took longer for M$ to patch the hole. There are literally hundreds of thousands of IIS servers, possibly millions. Microsoft is accountable for every single installation of the server and if a hole patch doesn't work or fucks up those servers, they get sued.
Who sues the Open-Source community?
Also, it's a server, not some browser application with nothing else depending on it. For IIS, an entire company's infrastructure may depend on the servers running its websites. Of course this means the patch should have been expedited but my first point should be reason enough to explain why it wasn't.
And of all of the BS 'IIS admins don't patch their servers..' posts, fuck off. I am an IIS admin and I don't know any IIS admins who 1) pledge allegiance to Microsoft and don't run anything but... and 2) don't take security of our servers very seriously.
Sometimes the decision of which OS/Webserver Application combination is not in the hands of us lowly admins. Some of us work for extremely large companies where those things are decided by a committee and the decision is swayed by political factors.
"You are not a beautiful and unique snowflake."...Tyler Durden
This is a fabulous example of something that still sucks mightily about X, and shows no signs of being fixed. Ok, how a real font system would render a 500 foot tall 'A':
send the 'A' glyph, along with whatever hinting it needs for 'insanely, off the scale big' (i.e. probably the hint for the biggest glyph it defines, like 72 pt). The renderer takes the 'A' and converts it into a series of strokes. The strokes are then rendered into the clipped region, resulting in pretty instantaneous drawing. The font manager decides wisely that this rendered glyph, being "pretty big", shouldn't get cached as a bitmap the next time you want to draw it.
Here's how X does it:
Request the font for the 'A' glyph, scaled to 500 feet tall. Construct an uncompressed 1bpp bitmap of the letter A to give to X to blindly blit onto the screen. Die a miserable thrashing death.
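The clamp sketched in the if(iFontRenderSize>FONT_MAX_SIZE) snippet earlier in the thread, the question of where to cap font size, and the 1bpp bitmap description in this post all come down to the same check. The following is an added example, not XFree86, Mozilla or any poster's code: it clamps the requested point size, computes the bitmap size with overflow-checked arithmetic against a fixed budget, and refuses the request rather than allocating. FONT_MAX_SIZE, the budget, DPI and every function name are assumptions of the example.

```c
/* Added example, not XFree86 or Mozilla code: before rasterizing a glyph into
 * a 1-bit-per-pixel bitmap, clamp the requested size and compute the bitmap's
 * byte count with overflow-checked arithmetic, refusing anything over a fixed
 * budget instead of allocating whatever the page asked for. FONT_MAX_SIZE,
 * the budget and DPI are this example's own choices. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define FONT_MAX_SIZE    512u         /* largest point size we agree to render */
#define MAX_GLYPH_BYTES  (1u << 20)   /* per-glyph bitmap budget, 1 MiB */
#define DPI              96u

/* Clamp the point size a document requests to [1, FONT_MAX_SIZE]. */
static unsigned clamp_font_size(long requested)
{
    if (requested < 1) return 1;
    if (requested > (long)FONT_MAX_SIZE) return FONT_MAX_SIZE;
    return (unsigned)requested;
}

/* Pixels on a side for an em-square glyph at pt points: pt * DPI / 72, rounded up. */
static uint64_t em_pixels(uint64_t pt)
{
    return (pt * DPI + 71) / 72;
}

/* Bytes needed for a 1bpp bitmap w pixels wide and h high (rows padded to a
 * byte). Sets *ok to 0 and returns 0 if the product would pass the budget;
 * the division-based check means the multiplication itself can never wrap. */
static size_t glyph_bitmap_bytes(uint64_t w, uint64_t h, int *ok)
{
    uint64_t stride = (w + 7) / 8;
    *ok = 0;
    if (w == 0 || h == 0 || stride > MAX_GLYPH_BYTES / h) return 0;
    *ok = 1;
    return (size_t)(stride * h);
}

/* What a renderer that trusts the document would try to allocate, in bytes,
 * with no cap at all: used here only to show the size of the problem. */
static uint64_t uncapped_bitmap_bytes(uint64_t pt)
{
    uint64_t px = em_pixels(pt);
    return ((px + 7) / 8) * px;
}

/* Allocate a zeroed glyph bitmap for the raw size a document requested, or
 * return NULL when the request is refused. Clamping and the budget check both
 * happen here, before any memory is touched. */
static unsigned char *alloc_glyph_bitmap(long requested_pt, size_t *bytes_out)
{
    unsigned pt = clamp_font_size(requested_pt);
    uint64_t px = em_pixels(pt);
    int ok;
    size_t bytes = glyph_bitmap_bytes(px, px, &ok);
    if (!ok) return NULL;
    *bytes_out = bytes;
    return calloc(bytes, 1);
}

int main(void)
{
    /* 500 feet = 500 * 12 * 72 points, the "500 foot tall A" from the post. */
    long huge = 500L * 12 * 72;
    size_t bytes = 0;
    unsigned char *bm = alloc_glyph_bitmap(huge, &bytes);
    printf("uncapped request: %llu bytes\n",
           (unsigned long long)uncapped_bitmap_bytes((uint64_t)huge));
    printf("clamped to %u pt, allocated %zu bytes\n", clamp_font_size(huge), bytes);
    free(bm);
    return 0;
}
```

At 96 dpi the uncapped 500-foot glyph works out to roughly 41 GB for a single 1bpp bitmap, which is the thrashing death the post describes; the clamped path allocates under 60 KB. The budget check divides rather than multiplies, so a width and height that would overflow the product are rejected before any arithmetic can wrap.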
I've finally had it: until slashdot gets article moderation, I am not coming back.
It's also a place where people who don't know how to use a compiler are free to repeat the few small intelligent programming points they've read in an effort to appear knowledgeable.
Also, it's a place where true wit takes a back seat using spellings like "Micro$oft" and "Winblows" (gee, never heard THAT one before).
Rather than complaining about the site, view those who frequent it regularly with pity. One day they'll discover sex and then they'll have something to take their minds off of the geek empires.
I don't think X is even remotely designed to withstand hostile clients. Last time I checked, if you telnet to port 6000 and just do nothing, it will freeze the server for a long time, even if you are not in xhosts. And once you are allowed to connect, you can do tons of fun things, like opening a transparent window on top of the whole screen that captures all the keystrokes. Asking X to protect itself against hostile requests is like asking memcpy to do bound checking. Mozilla on the other hand lets you view content written by unknown people and should validate everything before rendering it. Font size is just one new thing. There is no fix even for the simple for(;;) window.open(...).
Microsoft's time to patch a remote hole where the attacker can gain complete access to your computer: two months.
Open Source's time to patch a much less serious bug where the attacker can merely crash your computer: three days.
Slashdot gloating at yet another Microsoft bug: priceless.
- Percentage of IIS servers affected by the Microsoft vulnerability: 0.01%
- Percentage of X-windows/XFS users that also run Mozilla and are affected: 100%
- Stallman Points awarded for saying minor X bug that merely crashes your computer: 100
- 853 bytes of pure FUD read by 2.5 million people: priceless
There are things money can definitely buy. For everything else, there's Slashdot.
Open Source's time to thoroughly test all ramifications of the above-mentioned patch, under all hardware configurations: 0 days.
Troll me if you must, but there's a reason companies don't release things the day after the patch is done. We did that - once.
Why would anyone engrave "Elbereth"?
I am all for a good MS bashing, but just don't jump on the bashing band wagon without thinking. There are plenty of legitimate things to complain about.
A minor bug generally takes a lot less time to fix, it's minor. A fundamental flaw with the security of a program will take much longer. In any case, from the other posts, the bug in linux (X-whatever) isn't even fixed. So the whole 3 day thing is bogus anyways.
I'm sorry, you have just been assessed the /. Troll Tax. You spoke out against OpenSource and sided with the "Enemy."
Is it just me, or is OpenSource becoming more and more like communism every day?
Oh, and I am fully prepared to accept the Troll Tax. I am even willing to accept the "Oops, your post was deleted never to be seen again" tax. Kinda funny how an "Open" community can be so "Closed."
Does the Kernel throw a nonblockable signal before it throws the blockable signal? Would XFree respond sanely to a blockable kill?
Maybe the state's highest function is to grind out insoluble problems. (Zelazny, Hall of Mirrors)
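On the kill -9 question raised here and in the earlier post about XFree86 handling a kill, the behaviour is fixed by POSIX: SIGTERM (plain kill) can be caught or blocked, so a server gets a chance to run cleanup such as restoring the video hardware before it exits; SIGKILL (kill -9) can be neither caught nor blocked, so no cleanup code ever runs. The example below is added here and is not XFree86 code; it has the process signal itself to show all three cases, and the function names are its own.

```c
/* Added example, not XFree86 code: which signals a process like an X server
 * can react to. SIGTERM (plain "kill") can be caught or blocked, so a handler
 * can arrange cleanup before exit; SIGKILL ("kill -9") can be neither caught
 * nor blocked, so sigaction() refuses it with EINVAL. Exercised here by the
 * process signalling itself. */
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>

static volatile sig_atomic_t got_term = 0;

/* Async-signal-safe handler: only sets a flag; real cleanup belongs in the
 * main flow, which checks the flag. */
static void on_term(int sig)
{
    (void)sig;
    got_term = 1;
}

/* Try to install on_term for sig. Returns 0 on success, errno on failure.
 * For SIGKILL and SIGSTOP the kernel refuses with EINVAL. */
static int try_install_handler(int sig)
{
    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_term;
    sigemptyset(&sa.sa_mask);
    if (sigaction(sig, &sa, NULL) != 0) return errno;
    return 0;
}

/* Send SIGTERM to ourselves with the handler installed; returns 1 if the
 * handler ran, i.e. a plain kill can be answered sanely. */
static int catch_sigterm(void)
{
    got_term = 0;
    if (try_install_handler(SIGTERM) != 0) return 0;
    raise(SIGTERM);
    return got_term == 1;
}

/* Block SIGTERM, raise it, confirm it is merely pending and not yet handled,
 * then unblock and confirm delivery. Returns 1 if that sequence holds. */
static int block_then_deliver_sigterm(void)
{
    sigset_t set, pending, old;
    int was_pending, not_yet;
    got_term = 0;
    if (try_install_handler(SIGTERM) != 0) return 0;
    sigemptyset(&set);
    sigaddset(&set, SIGTERM);
    if (sigprocmask(SIG_BLOCK, &set, &old) != 0) return 0;
    raise(SIGTERM);
    was_pending = sigpending(&pending) == 0 && sigismember(&pending, SIGTERM);
    not_yet = (got_term == 0);
    sigprocmask(SIG_SETMASK, &old, NULL);   /* the pending SIGTERM is delivered here */
    return was_pending && not_yet && got_term == 1;
}

int main(void)
{
    printf("SIGTERM caught by handler: %s\n", catch_sigterm() ? "yes" : "no");
    printf("SIGTERM blocked, then delivered on unblock: %s\n",
           block_then_deliver_sigterm() ? "yes" : "no");
    printf("sigaction(SIGKILL): %s\n", strerror(try_install_handler(SIGKILL)));
    return 0;
}
```

The practical consequence for a program that owns hardware state is that cleanup has to be tied to the signals it can actually receive (SIGTERM, SIGINT, SIGHUP), and anything that must survive a kill -9 has to be recoverable from outside the process, since nothing inside it will run.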
There have been a rash of security flaws announced recently by MS. Does anyone know how many of these are being found by outside parties, and how many by MS internally? If the five-month-old security initiative is finding the errors, good for them! There was a boatload of code to cover, and it was bound to take time. If the majority of these are still being found by outside people who don't have access to the source, then BillG needs to smack his security czar upside the head.
Perhaps you'd like to check your definition of DOS.
Even strictly defined, ie. looking only at the acronym. DOS stands for, as I'm sure you're aware, Denial Of Service. Well, if my X server crashes because Rob and crew decide they want 166666 point fonts, then I most certainly have service being denied.
And it is most certainly being launched as the placement of that font tag is actively placed in the html or css code.
a better definition can be found here (I'm sure there are others, but this was the first one I came across from google).
On the Internet, a denial of service (DoS) attack is an incident in which a user or organization is deprived of the services of a resource they would normally expect to have.
Again, I'm being deprived of resources that I would otherwise expect to have access to.
any questions?
Choke on it little boy????
Actually it does matter how many geeks coined the term: ie, on the East coast, SCSI used to be pronounced "sexy", but we got stuck with "scuzzy"; microcomputers were also called "home computers", before IBM got everyone to call them personal computers or "PC's"
Computer jargon doesn't have an ANSI standard, bigboy.
Microsoft's time to patch a remote hole where the attacker can gain complete access to your computer: two months. Open Source's time to patch a much less serious bug where the attacker can merely crash your computer: three days.
Conclusively proving it is faster to fix a small bug than a large one?
Wow, what a brilliant observation.
If I had moderating points the only reason why I wouldn't mod you up to +5 (insightful) is that I started the whole ruckus and couldn't
I could never have put it more eloquently and concisely.
ich bin der musikant
mit taschenrechner in der hand
kraftwerk
Hrm... isn't X suid, though?
If so, it *definitely* needs to be able to handle (read: fail gracefully given) malicious input. Although it sounds like this only results in a DoS...
Granted, there might be some 1 4m 4 50 fucK1n6 c00L haX0r d00dZ frequenting /., but you might want to give the average reader a tad more credit.
I run a business, privately held and founded in '99. It's based on keeping my customers out of being dumped into the harbor with cement shoes when it comes to operating their databases. I consciously banked my business on Free Software because it provides the required environment to run 4 different industry strength databases on a simple box with limited resources. This in turn serves my customers very well. I can reproduce their real world problems with multimillion row tables in order to gather hard data in terms of clustered index usage for example. And all that on my modest 128MB 500MHz clunker, which overall still serves me nicely.
Recently I got a cold call from a prospect, who was slightly fed up with Microsoft's licensing games and was interested in the possibilities to switch the environment. According to your specification I should have tormented him with the unix-advocacy-everything-will-be-great-gospel. Well, I didn't quite do that. I instead recommended that he compile a list of the must have- and the nice to have- applications they require and that such a list serve as the baseline to determine the feasibility and the cost. They didn't switch after all due to time constraints that would have not been realistic.
You might see why I take a slight offense, when you characterize me as a zealot with a bad shave and even worse communication skills.
ich bin der musikant
mit taschenrechner in der hand
kraftwerk
If the vulnerability was reported to M$ and is only becoming public now then it must be fixed.
Remember, kiddies, the more you post, the more management can justify those costly advertising rates.
2) There's a helluva lot of Micro$oft pimps hanging out on /.
t_t_b
I'm on PJ's "enemies" list! Are you?
It's a lie! Open Source took 11 months to fix
bug 120238 [mozilla.org] is the bug I remembered, it was filed 2002-01-16 and still stands unresolved (IOW it has been ignored). Worse still, bug 90547 [mozilla.org] also reports a crash due to large fonts. It was reported around 2001-07-12, which is 11 months ago.
Also, I really wonder why it should take two weeks to put a patch on a webserver and write brief documentation about it, especially since they've enough time to put together documentation while doing internal testing (they need that anyway for customer testing).
Because not all Windows system administrators are fluent in the Seattle dialect of the American English language. Microsoft needs to hire translators to localize the advisory and any new GUI elements that the patch introduces. This takes time and money.
Will I retire or break 10K?
Now every little widget that pops up will get that much memory allocated.
Of course, this is not really a bug, but a feature, because AFAIK Sun never fixed it.
The X bug only crashes your machine if you browse to a malicious web site. The malicious person can't do anything to your machine if they can't induce you to go to their web site.
Do you think you have control over what web sites you "go to"? If the malicious person sticks the exploit code in a pop-up ad window, then every innocent site on the ad network becomes a vector for the attack.
Ol' Bill Gates, he had a bug
e-Eye, e-Eye. Oh!
Incidentally, in case you wanted to know, Objective-C/OpenStep bombed the Visual.NET developer back into the primordial soup around 1993 or so. :-)
When I was studying computer Operating Systems, it quickly dawned on me that my PC _oughta_ be able to do lots of things - virtual memory, protected memory, asynchronous (interrupt-driven) I/O, multitasking, user/task separation & protection - that M$-DoS was simply denying me. Hence the name, DoS == Denial of Service.
Well, it certainly wasn't an Operating System!
Exceeding the recommended torque is not recommended.
http://www.internetnews.com/dev-news/article.php/1365491
Remote access for MS RAS
I see. I want to see how many computers are compromised in this two month window. I set up a workstation with XP and let it go for 4 months without a single update to all of these security flaws. No firewall, default settings. Did anybody do anything? Nope.
Get over it.
-Brodie
[ a directive occured while processing this error ]
Netware, believe it or not, runs on top of DOS. True IP file/print sharing, web serving (yes, if you didn't know, Apache and Netscape Enterprise server run on Netware!), all that good stuff run on Netware, yet you can still type down at the server prompt and get a C:\> prompt.
Caldera DR-DOS was pretty popular on Novell servers. Netware boots just like LoadLin boots Linux, except unlike Linux, you can exit to DOS, and just type server at the C prompt and basically warm-boot your server without rebooting it.
or virtual or protected memory (on 486, so the hardware is no excuse), good user separation in the file system, but still not really an OS.
Novell NetWare == DDoS (Distributed DoS) M$- or DR-, as the case may be, because it's _still_ denying you many services a computer OS provides.
In those days (1978-82) the Berkeley people were developing SystemIV on PDP-11s, which sucked compared to the 286 for hardware task separation, virtual memory support, memory address space (the PDP maxed out at 256K (yes, that's K NOT M!)) and even CPU performance at the low end. (A 16MHz 80286 easily dusted off anything in the LSI-11 family.)
The 286 ran Xenix, so the Empire bought it (Xenix, not the 286) and priced it at $1000 for a run-time license and another $1000 for software development tools, to keep it off the PC market.
Trying to add virtual memory, multitasking and all those other OS things onto a platform which originally had never thought of them is an exercise in futility, and that was called WinBloze (both 16- and 32-bit, AFAICT). Sure, it could use 32-bit pointers, but when it went to access the disk drive, the low-level driver switched the CPU out of virtual protected mode and back to real mode, because the disk access code was all real mode. This kind of silliness forced all the device drivers to live in the real mode memory space (the 1M addressable by an 8086), which resulted in a big fight over the low RAM. All my most frustrating fights with DoS were over the low RAM, which the Empire in its wisdom saw fit to further limit to 640K. 4M, then 8, then we had 16M RAM, and everybody is still squabbling over the first 640K!
And probably a few other places too.
Of course, the hard thing is to figure out EXACTLY what the bug is. (Better make that "bugs are";)
Pretty easy to see from all this why Open Source is better. No magic bullets, but it sure improves the odds.
because my Novell experience is limited to about 3.12 or so (circa 1995). It's no doubt made some progress since then, hell DoS/WinBloze has even made progress, but so have I, and I no longer pay attention to either, except of course to laugh at the M$ vulnerability of the week.
I quoted your sig the other night.
Writers imply. Readers infer.
Mozilla wasn't built with the same attention to security details as Microsoft products are. If this were the case, you can be sure that we'd see the same sort of overwhelm in the (not) holier-than-thou OS world as you are in the Microsoft response. It's not that Microsoft's programmers don't care about security... The problem is that they have so many holes to fix that they don't know where to begin. If the Mozilla people had the sheer volume of bugs to deal with that the Microsoft people do, I'd expect that they'd be just as slow to deal with serious bugs -- probably slower. Unfortunately, they don't, so I think that it's unfair to judge them on the same footing as Microsoft.
You have to remember that Mozilla isn't written and supported by professionals who get paid for supporting it. No - it's done by a rag-tag team of rebel coders who aren't even backed up by the resources of a multi-billion dollar company with enough cash reserves to buy most third-world countries.
Microsoft's unique approach to security has made them the darlings of the script-kiddie crowd, and I expect that they'll stay the leaders in that market for years to come. These script kiddies represent a new wave of innovation in the software market, and it would be un-American to shut them down.
Sometimes boldness is in fashion. Sometimes only the brave will be bold.
...there is no obvious solution to resource starvation attacks. You can add an arbitrary limit, but arbitrary limits are annoying. Why should a person who wants an enormous "A" for a poster in Gimp, and who has plenty of virtual memory, suffer because of an arbitrary limit? And if we set the arbitrary limit too high, the "bug" will still affect small memory machines, and thus not really be solved.
The software can try to "guess" the limit from information about system memory size, and some heuristics (i.e. guesswork) of how much memory other applications are likely to need. That would obviously be very unreliable.
The least bad "solution" on the server side would probably be a soft limit covering "common uses", with an option to increase or disable the limit using "xset" for the occasional Gimp artist who needs a huge letter.
However, whether this should be done depends on the design of X11. X11 is generally designed to be a relatively "thin" server, pushing the UI to the client side. I don't know if X11 is designed to be robust in the case of unreasonable demands from the clients. If not, it might be silly to add checks for font size on the server side if it doesn't make checks for e.g. pixmap sizes or other client requests. In that case, the check belongs on the client side.
Freedom is the killer app. But who has enough skill to use that freedom? Currently, only the few computer owners who care about having complete control over their system and who understand tech-talk enough to manage it themselves (and the few MS haters, of course).
The general market for computers couldn't care less about coding their own features, or fixing issues themselves, or recompiling binaries when a patch comes along... Sure, *nix is geared for the tech-savvy - but its downfall is that lack of consumer friendliness that would give it appeal to the public. When it comes to servers and admin level users, it very well may be the OS of choice. But until it embraces the 'ease of use' that Windows has cleverly grasped over the years of its public reign, or has the software support and stability that Windows has, it won't be the best overall OS. Each OS on the market has its own weaknesses and strengths. *nix is destined to remain a tech-user's dream unless things change.
It has so much potential, but it has to get away from the source code oriented system, and leave that as an easily accessible option for those who do care.
Why should a person who wants an enormous "A" for a poster in Gimp, and who has plenty of virtual memory, suffer because of an arbitrary limit?
Then put the cap code in Mozilla... Anybody need a letter "Q" that's 10 times the size of your screen? If you do, why are you drawing it with Mozilla?
I don't know if X11 is designed to be robust in the case of unreasonable demands from the clients.
Apparently it's not.
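The two posts above argue about where a cap on huge glyphs belongs (server side with an xset override, or in the client that asked for it) and why a fixed limit is "arbitrary". The cap itself is the easy part; the part a renderer gets wrong first is the size arithmetic, since width * height * bytes-per-pixel silently wraps in 32 bits long before any limit is consulted. The following is an added example in C, not code from Mozilla or from the X server: the policy struct, the 8 MiB default, the "derive the cap from RAM" heuristic and all function names are assumptions for illustration. It shows a client-side cap with the uncapped override the Gimp-artist argument asks for, an overflow-safe size computation, and the naive computation beside it so the wraparound is visible.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added example: client-side cap on glyph bitmap allocations.
 * Names, limits and the heuristic are assumptions, not Mozilla or X.Org code. */

#define BYTES_PER_PIXEL 4u                   /* assumed ARGB32 glyph bitmaps */
#define DEFAULT_GLYPH_BYTE_LIMIT (8u << 20)  /* assumed 8 MiB soft limit per glyph */

typedef struct {
    size_t glyph_byte_limit;   /* 0 means "no cap": the poster-artist override */
} glyph_policy;

/* The naive 32-bit computation a careless renderer might do. 65536 x 65536
 * wraps to 0, so the caller "successfully" allocates nothing and then writes
 * glyph rows into it. Kept only to demonstrate the hazard. */
uint32_t naive_glyph_bytes32(uint32_t width_px, uint32_t height_px)
{
    return width_px * height_px * BYTES_PER_PIXEL;
}

/* Overflow-safe width * height * bpp. Returns false when the product does
 * not fit in size_t on this platform (32- or 64-bit). */
bool glyph_bytes(uint32_t width_px, uint32_t height_px, size_t *out)
{
    uint64_t pixels = (uint64_t)width_px * (uint64_t)height_px; /* fits in u64 */
    if (pixels > (uint64_t)SIZE_MAX / BYTES_PER_PIXEL)
        return false;
    *out = (size_t)pixels * BYTES_PER_PIXEL;
    return true;
}

/* The "guess from system memory" heuristic the thread mentions, here as
 * one sixteenth of physical RAM but never below the fixed default. */
glyph_policy policy_from_memory(uint64_t physical_bytes)
{
    glyph_policy p;
    uint64_t cap = physical_bytes / 16u;
    if (cap < DEFAULT_GLYPH_BYTE_LIMIT)
        cap = DEFAULT_GLYPH_BYTE_LIMIT;
    if (cap > (uint64_t)SIZE_MAX)
        cap = SIZE_MAX;
    p.glyph_byte_limit = (size_t)cap;
    return p;
}

/* Decide before allocating. 0: allocate; -1: exceeds the policy;
 * -2: the size arithmetic itself overflows (refuse regardless of policy). */
int check_glyph_request(const glyph_policy *p, uint32_t width_px,
                        uint32_t height_px, size_t *bytes_out)
{
    size_t bytes;
    if (!glyph_bytes(width_px, height_px, &bytes))
        return -2;
    if (bytes_out)
        *bytes_out = bytes;
    if (p->glyph_byte_limit != 0 && bytes > p->glyph_byte_limit)
        return -1;
    return 0;
}

int main(void)
{
    glyph_policy def = { DEFAULT_GLYPH_BYTE_LIMIT };
    glyph_policy uncapped = { 0 };
    size_t n = 0;

    printf("100x100 capped:      %d (%zu bytes)\n", check_glyph_request(&def, 100, 100, &n), n);
    printf("2000x2000 capped:    %d (%zu bytes)\n", check_glyph_request(&def, 2000, 2000, &n), n);
    printf("2000x2000 uncapped:  %d\n", check_glyph_request(&uncapped, 2000, 2000, &n));
    printf("max x max:           %d (overflow)\n", check_glyph_request(&uncapped, UINT32_MAX, UINT32_MAX, &n));
    printf("naive 65536x65536:   %u bytes\n", naive_glyph_bytes32(65536u, 65536u));
    printf("cap on a 128 MiB box: %zu bytes\n", policy_from_memory(128ull << 20).glyph_byte_limit);
    return 0;
}
```

The override (a zero limit) answers the poster-artist objection without weakening the overflow check, which stays in force for every caller; whether the limit lives in the X server or the client, the size computation is the part that must never be skipped.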
Let's not stir that bag of worms...
My use of the term 'geek' was meant to be the way my company's clients would view a 'geek'.
Someone who has a lot of technical knowledge, but also has a good degree of social skills, and can understand a client's needs around a meeting table, was not what I meant to describe in that post using 'geek'.
One of my flatmates is a rather serious open source enthusiast, and is not a 'geek' when put in front of clients - he is one of the exceptions. Of the scores of open source enthusiasts I've met over the years, I wouldn't be comfortable putting more than perhaps 10% (being generous) of them in front of clients, but that figure is 3-4 times higher for those using 'Dows'.
At the end of the day, it comes down to client needs, and the client's perception of the business. A small business does not trade, as the larger service companies do (e.g. IBM), on a solid reputation; instead they trade on the front they put across to a client during the analysis stages - and as for talking about Win32/IIS as a 'product' - well, it's a PLATFORM for us, not a product, we don't sell it. It acts as the platform on which we deploy and develop our solutions, and in many years of developing, I've very, very rarely come across problems caused by the 'problems' that open source enthusiasts hammer Win32 for.
Security? No problem.
Reliability? 3 months or more of uptime (far more than the business need).
Price? Minuscule compared with other operating expenses.
Compatibility? Other than a few LineBreak quirks, not a problem. Not one.