Slashdot Mirror
Serious IIS Hole; Minor X Bug
EyesWideOpen writes "Microsoft announced Wednesday that there is a serious software flaw with its IIS web server. The 'vulnerability affects a function in the server software that allows Web administrators to change passwords for an Internet site.' A researcher with eEye Digital Security discovered the flaw in mid-April but it wasn't announced publicly because of an agreement with Microsoft. The Wired article is here and this appears to be the MS bulletin describing the vulnerability in detail." And several people reported this Register story on a way to DOS Mozilla users by trying to display ludicrously large fonts. Microsoft's time to patch a remote hole where the attacker can gain complete access to your computer: two months. Open Source's time to patch a much less serious bug where the attacker can merely crash your computer: three days.
The majority of Code Red attacks came (and is still coming) from private users that have never even heard of a Microsoft Security Bulletin, the URLScan tool or the Lockdown Tool.
Sadly these type of users are still in the majority.
Remember, there are no stupid questions. But there are a lot of inquisitive idiots.
It can hardly be just to compare the two software bugs where one is a web server and one a internet browser. That's like comparing getting rid of pollution to getting rid of bad breath.
And also I'm surprised about the stupidity in this sentance: "Open Source's time to patch a much less serious bug where the attacker can merely crash your computer: three days." - well honestly, what does that say: isn't it obvious that a lesser problem takes less time to fix than a larger one? That's just dumb.
I'm no huge M$ fan myself, but this article smells awfully much of unjustified M$-hatred. Let products speak for themselves, and let users make their own opinions.
Bottom line: propaganda sucks.
The author says that it took Microsoft two months to fix a big flaw in IIS, while it took open source only three days to fix a little flaw in Mozilla.
This comparison defies rational comprehension. The length of time it takes to do two totally different tasks on two totally different pieces of sofware for two totally different markets is completely meaningless. I can write a program and pop it onto internet in an hour...so what? Whats the relationship?
OK, is anyone else sick of the inane way in which we compliment ourselves continuously?
Come on, we really do not need to say these sort of things nah nah, we fixed something first, we're better than you. Does anyone else find it retarted that you can crash an X server just by telling it to display a font which is too big?
What about the fact that we STILL don't really take advantage of gfx hardware for 2D presentation? or the fact that fonts still look like ass?
If you think we can laugh at others, check those market share figures. We have a lot of work to do.
This is a lot easier to exploit for the malicious hacker than the IIS bug. You just set up a page with huge fonts and that it, you've crashed X. But the payoff for that is a laugh at the (relatively) rare X user who visits your site.
As for the IIS bug, I'll just quote the Wired article... This, in my opinion, is a lot worse than simply crashing X. Hell, my Windows 98 crashes almost daily but that doesn't stop me from using it. Crashing isn't so bad. Black Hats stealing information and gaining control of my computer, that's bad.
"I may not have morals, but I have standards."
It's not a Linux bug, but rather an XFree86 and mozilla bug. It would probably crash any box running those two programs just as handily...
When I was working as a consultant for a major database vendor I walked into customer sites, looked at the problems at hand and usually started to script in either perl or shell.
This provoked indescribable looks from (mostly) younger IT staff and questions around the line, of:
What the hell is this? What are you doing here? Why don't you use a GUI? This was often accompagnied with smirks and laughs.
Laughing was reduced to an absolute minimum after 2 hours of scripting (including testing) and 10 minutes running the script, instead of opening a window 3000 times in order to uncheck a checkbox.
It was ususally also the very GUI oriented shops that ran into wicked recoverability problems, since they implemented their databases with GUIs, modified their database structures with GUI's and the last time they re-generated scripts from the physical schema was in the summer of '98 or so.
If they would have used scripts to start with and would have treated those scripts like source code, they could have avoided weeks - if not month - of agony and pain. Not even to mention the costs.
ich bin der musikant
mit taschenrechner in der hand
kraftwerk
That's it, pure and simple. Freedom to do what you want with your machine. Freedom from proprietary formats and the hassle of interchanging data with others. Freedom to alter the code in any way you want, or to learn from it. Freedom to participate in more substantial ways than buying and installing some product from off the shelf. Freedom to use your computer as it best suits you, not as it best suits Bill Gates or Steve Jobs.
This might sound like fluff, but this is the reason why I gave up on Apple years ago, and it's why I've stayed with Linux ever since then. Apple has done some great things in the past few years, and I applaud them for it, but they are still not Free as in Freedom. Yes, I know about Darwin, but what about Aqua? Yes, I know about QTS Server, but what about iMovie? I'm not saying Apple should open these products or that they shouldn't make money, but simply that they're not going to make any more money from me because I will never feel safe with them after they discontinued a raft of great technology. This will not happen with Linux. Ever.
That's the killer app for me, and I know it's the killer app for others. Microsoft and Apple will never fully offer that freedom, and as a result I can never trust them fully. They might have more innovative products, but it doesn't matter. Quickdraw GX was innovative. So was Opendoc. And the original Cocoa project (kid's programming environment that I dearly miss). Where are these projects now? Innovation doesn't matter. Just that you're there, and free stuff will always be there, whether it's GPL or BSD or whatever, so long as it's Free as in Freedom. That's a far more powerful killer app than any I've ever heard of.
"I may not have morals, but I have standards."
No.
As a web browser, Mozilla should be able to withstand maliciously formatted content. It really is a bug.
It presents the GNU/Linux and free software side, which is a small step towards bringing balance, as we do not have the big advertisement budgets to buy editorial good will, or money to order favorable rewievs from "the customer is always right" analysis companies.
What I am getting tired of is the the people who whine that slashdot is not Ars Technica or kuro5hin, both excellent web places with a different focus than slahsdot.
What do you mean "we", white man? I have "taken advantage of" 2D gfx hardware under Unix for longer than slashdot (or Linux) has existed. They fonts don't look "like ass" on my screen. I guess what you want is anti-aliasing. The free technology for that is awailable, it is just a question of installing it. Maybe your OS distributor have done it for you in a sufficiently recent version..HTR is a flawed protocol and should be avoided. No sane developer will use .HTR pages in his site on an IIS machine, since the .HTR parser is crappier than crap since day one with buffer overruns all over the place. Most sysadmins have .HTR disabled anyway, since it's of no use. When there is a bug in that parser, thus _NOT IN IIS!_ but in an extension (like mod_perl to apache), and that parser is not used by a lot of people, would you put a lot of developers on that bug? No.
Never underestimate the relief of true separation of Religion and State.
Most applications will attemnpt to allocate sufficient memory to handle the task the user assign to it, and depend on the system to refuse the request if there are not enough memory. They then handle the refusal with warying amount of grace. It should not crash the OS, unless the OS itself is broken.
For example, if you feed GCC with ridiculous large input, GCC will (attempt) to allocate ridiculous amount of memory. Which is how it should be, the applications should not try to second guess the user.
Applications that take data from untrusted sources, like web browsers, should course make sanity checks. So the error is in Mozilla, not X11.
Nonetheless, one can expect more from a desktop server like X11 than from more traditional applications, since if the desktop crash all the user visible applications will go with it. So it would be a reasonable feature for X11 to make more sanity checks on its input than other local programs do.
If people don't apply patches, fixes, updates and security recommendations, then Microsoft could have released a fix in 2 seconds, and it still won't do any good.
Linux and other open source software aren't impervious to bugs being discovered either, they just respond faster - so the lesson here is simply "if you're an idiot, you can get '0wn3d' on any OS".
Yeah it sucks that Microsoft take two months to fix an exploit, but if it only affects a service that would have been switched off already if you followed instructions, then it's not *that* big of a deal.
As a web browser, Mozilla should be able to withstand maliciously formatted content. It really is a bug.
Hmm...the flaw itself is in XFree, and it's handling of huge fonts. Presumably the only reason a web browser is such a problem is because of the potential to attempt display of a *lot* of text at once (I would assume opening a long document in Star/Openoffice with gigantic fonts would produce the same effect, although I haven't tested it myself...). Therefore, while it's a "nice" thing that Mozilla throws a limit in there to prevent one vector of attack, it's merely throwing a band-aid over the real problem, which should be fixed in XFree.
Hardly. Hasn't everyone at some point telnetted to a *nix machine to kill and restart a hung X11 process?