Windows 98, Me, NT4, 2000 and XP SSL Flawed
JoeSmack writes "In amazingly unexpected news, ComputerWorld is running an article that says the
SSL security hole found in Internet Explorer is not a flaw in the browser, but in the operating system itself." The article mentions
that Konqueror was patched against the same bug in 90 minutes.
m=M $:Yea if you idiots out there knew not to trust us this would not be a problem
Everything is flawed. FP.
Experiment!
Uh-oh. IANA Windows Developer....does anyone know how many apps use this API that microsoft might potentially break? (Fixing bugs: good, breaking stuff: bad....)
When in doubt, parenthesize. At the very least it will let some poor schmuck bounce on the % key in vi. (Larry Wall)
And yet another proof that all critical applications should be peer reviewed by everyone who wants.
Life isn't like a box of chocolates. It's more like a jar of jalapenos. What you do today, might burn your ass tomorrow.
the browser is embedded at the lowest level in the OS, so the "unexpected, amazing" news is no news at all, according to M$' own claims.
There's a difference? I thought they were the same thing...
is that for most consumers, this doesn't even matter. I mean, they will be affected by the security hole, but if their computer gets hacked or something, they'll end up just blaming their own lack of computer knowledge. They'll eventually install the patch from windows update (if they know how to access windows update), and then blindly keep surfing the net and playing "who wants to be a millionaire".
Glad it's only a client side issue then.
If you bothered to read Bill Gates's .plan, you would know that he eventually will own everything.
So, what's he afraid of? Stealing from himself?
Bill can do no wrong.
As long as the majority of the population thinks Microsoft is da bomb, nothing will change.
Kind of like the way people think about the government, flawless.
So I guess it's safe.
It's a good thing I didn't upgrade.
Je t'aime Stéphanie
We can just sue anyone that uses the exploit for violating the DMCA. There, problem solved!
If the flaw is in the OS and not the browser, then how was the Konqueror team able to patch their bug in 30 minutes? After all, KDE is not the operating system, nor is Konqueror.
This "makes sense" up until the point where you have to patch your kernel instead of upgrading a library. When OpenSSL had a bug, they fixed it and you could upgrade OpenSSL. When Konqueror had this specific bug, it could be upgraded easily enough. Now Windows users have to patch their entire OS to fix this (or just use another browser that doesn't use the crypto-in-the-kernel routines).
This is the result of "integrating" IE into the OS. Now when there is a "browser" security problem, it's really an OS problem.
Sorry MS - kill by integration, be killed by integration. It's a circle of life kinda thing...
"As God is my witness, I thought turkeys could fly." A. Carlson
Hmm.
...blah blah blah... Windows users ha ha they are unintelligent piles of putrid flesh that is why they use Windows despite these kinds of flaws there is no other reason ...blah blah blah... Konqueror was fixed so much faster so Windows is the suck hahaha GO LINUX M$ (hahaha i so witty i use dollar sign instead of "s") IS THE SUCK"
I don't think we all need to read through the hundreds of replies this is sure to get, so I'll just summarize it for you here!
"This just show that Windows is so inferior it's a bad product Linux rules
You're welcome.
"This is not a flaw....its a 'feature' that allows you to anonymously share all your secret info with people without being able to track it." -- Bill Gates
Honesty may be the best policy, but apparently by elimination, dishonesty is the second best policy.
You can disable SSL in the advanced options menu. ;-)
"I have opinions of my own, strong opinions, but I don't always agree with them." -- George H. W. Bush
Just another reason not to use Microsoft.
Tell Tim OReilly not to abandon opensource!
The article says: "SSL flaw doesn't affect any other application outside Internet Explorer and that it's a client-side issue only" But if it only affects IE, and not programs such as netscape (which also of course runs on windows), then technically it IS a problem with IE!
Here's a golden opportunity for MS to ramrod another "We can root your machine" EULA down the throats of desperate Windows Victims.
We only wrote bad code that made it through QA for 5 different versions of the OS dating back to the mid 90s. Of course, with Palladium, our new secure platform, things like this will never happen. Good thing we got that patch out quick!
(Oh wait, that was the Konqueror people!)
Well, I'm sure with our new secure computing focus it will be out any time now. Please don't stop doing ecommerce, just because all your personal data can be hacked, just use Passport.
(Oh wait, that happens with Passport too!)
Ummmm...
The last article seemed a bit weak on details with respect to Mozilla, trying 0.9.4 or something. But anyway, I'm assuming Mozilla doesn't use this CryptoAPI (CAPI). Can someone hopefully more knowledgeable than I give some details? Is Mozilla open to this hole, or to a similar one of its own?
Of course, since it's open-sourced, I guess I can check the source. But does someone know off the top of their head?
I am so shocked to hear Microsoft didn't follow the standards when implementing SSL. I wonder what other technologies they have failed to implement according to the standards everyone else follows?
http://www.askthevoid.com
Computerworld hath been anointed with thine /. effect.
Browse at thine own risk!
Honesty may be the best policy, but apparently by elimination, dishonesty is the second best policy.
Where can I get the windows version of konqueror? I want to browse securely too.
GoatPigSheep, the 3 most important food groups
...in about two years. While I was reading the article, Windows Update pops up to tell me that a "critical update" was available. For a second I foolishly thought it might be for the very problem I was reading about, but the fix is dated November 2000 and has nothing to do with security.
(I use Windows because I have to, but at least I don't use IE.)
What is the effect of this "feature" on other browsers running on top of Windows? Is Mozilla susceptible too?
Seeing continued OS-level design flaws in Microsoft products is, to me, reassuring. When MS goes ahead with Palladium I'm now quite confident that it will be riddled with fundamental design flaws that will make its "security" (read: capitalist totalitarianism rule over the masses) a joke.
In order to make sure we compare apples to apples and oranges to oranges, I suppose it would be fair to ask the question of when the Konqueror fix will be available to the normal and possibly rather non-sophisticated public consumer crowd?
I mean, when the fix becomes ready from MS (weeks or months, but it will) it will be applicable to most users of Windows, but the current fix for Konqueror after 90min wasn't immediately ready for the masses.
So, when will it?
Right, because it is so much easier to patch the entire OS instead of one app. If I were a windows user, I could do without running IE until a patch was released, I could not however go without running the OS until a patch came out. BTW, there is no expected release date for the patch. The quote above from MS was in response to being informed that Konqueror fixed a similar problem in 90 minutes. MS does have a point concerning the reuse of crypto services in the OS. I think for something as widely used as a web browser, it may be best to let it handle its own crypto transactions and not tie it to the success or failure of the entire OS. What do you think?
Wait, so does this mean that SSL through Internet Explorer has been insecure since Windows 98 days? This is absolutely obscene.
I don't have the link on hand, but I think I saw someone posting on here the link to a security firm saying they found this bug 2 years ago.
Since SSL is something that e-commerce is based on and most people use IE, this means that it's been open to man-in-the-middle attacks since Windows98?
Who's to say if it's actually been exploited yet?
This is totally unacceptable. I almost *WISH* that it will-get/has-been exploited and harm some large company so they can bring their full weight onto Microsoft for knowing about this flaw for 2+ years and not fixing it.
MS TCP/IP stack is in inet.dll. That is probably where the bug is.
I was a beta tester for IE4 (so flame me, OK) and I found a bug in the HTTP1.1 keep-alive implementation. They never saw it because they tested only against IIS and I tested against Apache which implemented it correctly of course.
They didn't want to fix it until I explained that 60% (at the time) of the web runs on Apache servers.
In fact the MS product manager wanted me to call "the Apache company and have them fix Apache." Duh. Me- "There is nobody to call sir, and the problem is YOUR problem and not theirs."
They delayed IE4 for two weeks after it had gone gold to fix it. So don't flame me.
Anyway, that bug was in inet.dll, and I bet this one is too.
Use a different web browser.
;-)
(or better yet, a different OS altogether...)
I seriously doubt that the NT kernel provides the aforementioned cryptographic services. (Maybe some key generation using Intel's fancy hardware seeding thing, who knows) More likely they have a DLL that provides these services. The only real difference is that the DLL is part of the Windows Operating System and is authored by the same (really large) company. Whereas OpenSSL is installed via a separate package into a distribution. The age old question, but surely you think that there is more to an Operating System than the kernel. If you don't, try deleting /sbin/init, reboot, and see how far you get.
reading the comments here just proves to me the rising stupidity level of MOST slashdot members
Windows 98, Me, NT4, 2000 and XP SSL Flawed
Isn't this supposed to be " News For Nerds"?
not a flaw in the browser, but in the operating system itself
the sky is blue. There is no Santa Claus.
- The bug is in the OS crypto services
- It's NOT MS's crypto api
- Only IE is affected.
Time for rhetorical questions: Anybody else not see the lack of logic here? MS has two crypto implementations? One for the OS, one for the API? Why the redundancy? Why can't the OS use the API? Or conversely, why is the API necessary when the services are in the OS?
How in the world is IE the only app affected? It seems more logical to assume that any app using these crypto services are also vulnerable.
The One Rule Of Chess You'll Ever Need: Don't play someone who carries a kit in their bookbag.
This problem clearly illustrates *why* someone would implement it themselves, so problems can be fixed in 90 minutes, and not weeks...
Someone shoot QA in the foot.
You know what? I bet the 'soft could do this too. I mean have a guy, or team of guys available 24/7 to patch bugs. And you know what else? They'd still get flack for it, as Microsoft don't release patches straight away - for better or for worse, they do actually test them first (usually), make sure they don't kill weird and exotic installs etc. I know they've released dodgy patches, but my point is that Microsoft isn't an overnight operation.
And more to the point, how does this patch get to people? Via autoupdate of course. The patch may have been written in 40 minutes, but it's still not available on SuSE auto update (as far as I can tell) despite the fact that Waldo works for SuSE! We really need to stop patting ourselves on the back simply because we can see the progress of the patch and Microsofters can't, otherwise this bullheaded arrogance WILL bite us on the ass.
90 minutes????? What are the KDE boys doing, sleeping???
This is just unacceptable. I cannot believe and refuse to accept that it could take 90 minutes to get a major security fix out for a browser. This is completely unacceptable. It's no wonder everyone uses IE.
I guess the Microsofties were right after all. Support for open source software is nearly impossible to find.
-- Before you post, are you sure you got it?
I've already gushed about this gem o' news already, concerning MS's piss-poor plan to introduce better security in their OS's via Palladium...
Vos teneo officium eram periculosus ut vos recipero is.
...indeed.
Thanks for those memos, Bill.
Howard Dean for president
Note that this doesn't mean the bug was only there for 90 minutes, it was there for [months, years, I don't know]. Why didn't Konqueror take the initiative to fix this before instead of waiting until it was published? Sounds like they had the fix all along and were just waiting for the announcement so they could look good by fixing it so quickly.
Now will MS pull off the coup de grâce and include DRM or .NET when they come out with a "security update"? Read those EULAs carefully, folks.
... OS X is so much better!
I can understand all the other operating systems listed being smacked with this problem, but MS didn't start "integrating" the browser into the operating system until Windows 98, which was released well after NT 4.0. I was under the impression that the NT 4.0 Explorer is based on the Windows 95 interface and IE was just another application.
'nuff said
This bug is not within CryptoAPI but in the code that validates SSL certificates and how it passes that info to and from IE. IE is the only thing vulnerable, they'll just patch a few lines of code. Problem: regression testing. MS has so much regression testing they have to do (compared to Konqueror) that it's gonna take two months at least. In the meantime, I don't expect any exploitation of this since, really, this is quite lame.
"Company officials added that the flaw isn't in Microsoft's CryptoAPI application program interface (CAPI) either..."
Instead of "CAPI", shouldn't it be "CrAPI"?
I think it's ironic that MS has pushed netscape and
the rest out of the browser market, and has managed
to make the purpose of ssl worthless since most
of the browsers out there will not ever be updated.
Did netscape around 1996/1997 have this bug when
it was competing against microsoft/explorer?
What about those other older browsers which have
gone by the wayside?
hmm...
We're the "O" in O/S.
Why does Slashdot waste time publishing pointless drivel about M$, other than to mock and slander it? We all *KNOW* M$ operating systems are *FULL* of bugs, even some we haven't discovered yet, I'm sure. Besides, the true Nerd & Geek uses some version of Linux, UNIX, BSD (I use Mac OS X), etc... and should not even have a peripheral interest in this junk-news. It doesn't affect us (LMAO). Everyone, come on, gather around now, start clapping, and let's hear it (Hooray!) for Micro$oft for a job well done, especially for being the wealthiest software giant in the world that employs the best programmers that (blood) money can buy.
Dial-up users with ignorance of patch/upgrade will never be able to trust on-line transactions. This is the vast majority of users, and the problem is going to haunt individuals for 2+ years.
"Flyin' in just a sweet place,
Never been known to fail..."
can someone explain to me why SSL is still used? didn't slashdot report that SSL was cracked anyway? shouldn't someone be working on a more secure encryption for the web? or is SSL still secure enough?
Microsoft officials said it makes sense for the operating system to provide cryptographic services to any application that needs it, instead of each application having to include its own cryptographic technology
Yes, indeed, it does make sense for the OS to provide such a service to any program that wants to use it, so long as that's a GOOD service.
In general, it makes sense to provide everything from outside the program, and just have the program call on outside services. However, that means you need to make the outside services good, and it means that those writing programs don't just string together a bunch of requests (i.e., draw this, check that calls) but also work on looking for fixes to the common outside service, which would be shared by many programs.
In other words, this approach only makes sense when the outside services are OSS / FS / public domain, which means that developers of programs can check their integrity and submit improvements. Otherwise, it's just a big black hole for developers: should I trust this cryptographic routine, or shouldn't I? One never knows with proprietary routines. One can check, and improve such routines provided OSS / FS.
social sciences can never use experience to verify their statemen
to install spyware in those older operating systems, like they've done with XP and win2k.
Damn operating system integration with the browser.
Before SSL bug :
IE had 22 non-fixed vulnerabilities
Add SSL bug
22 +1 = 23 non-fixed vulnerabilities
Now simple math : 30 - 23 = 7
Man only 7 more vulnerabilities to let microsoft release a "cumulative patch" for ie!
Never learn by your mistakes, if you do you may never dare to try again
If IE is a consumer of a service provided by the OS then IE is not part of the OS.
Microsoft's assertion to the contrary is hereby refuted.
I'm gonna tell Uncle Bill that you're browsing /. rather than working. For shame you Microsurf.
actually, i have nothing better to do, as this is my last day on the job, so call away.
Make products buggy as hell, then get people to upgrade and pay them for it by releasing new versions which have fixed the old bugs, but introduced new bugs. Repeat ad infinitum.
In parallel, also make sure to develop file formats and "standards" which aren't backwards compatible and don't work with any other OS', so as to lock people into MS products and force costly upgrades.
Bwuhahahaha.
social sciences can never use experience to verify their statemen
Well, this really shows the difference in basic design principle between any UNIX/Linux distribution and Microsoft - modularity vs. integration. Now of course it's very nice to offer lots of services built into the operating system, because it means that your developers have to do less work, their apps are smaller, and their time-to-market is significantly shorter, if they can merely use one of your API calls. However, by making your developers do more work, you end up with a leaner operating system, and you offload the responsibility to patch security holes to third parties. This usually makes patches easier, because it doesn't involve replacing part of the operating system, just part of an individual application. This may be why linux/UNIX -based OS'es are usually faster than Windows on the same hardware, and why patches (provided that the developers are concerned, and have an interest in maintaining their code) are issued quicker.
Karma: Ran over your dogma.
Why is it, every 6 months or so, I get into an argument with somebody over the fact Microsoft doesn't seem to have a clue what DLLs are for?
I have people try to convince me that the integration of Internet Explorer into the Operating System is a good thing.
Where the hell do these people get their training? Microsoft has a tendency to put function calls where they are convenient for the programmer at hand (not necessarily any future programmers mind you), not in the most appropriate DLL. This isn't unusual, it happens. But why the hell do people justify it??
Why the hell am I using a Web Browser (something whose base design is to browse web pages!!) to manage files on a local computer? The old Windows Explorer worked better and had a more appropriate (although similar) interface.
And then, when I challenge them on this they always retort: Can you write an OS?
Damnit, yes I can. I don't have the time to write one, but I -could- write one.
Even if I couldn't, Microsoft is very much an example of bad design in general. (They have some well designed aspects to a lot of programs too. But Clippy isn't one of those!)
And note that I got the patch from windows update this morning. Total effort required by me: one mouse click.
Wait! what am I saying! this is slashdot, quick, ignore the facts:
"Micro$oft will probably patch this in a year, and then no one will get it cuz it requires 34 reboots to install"
Really? Call MIT! Scientists might want to study that.
Will this affect my ability to surf pr0n?
The object can be found here.
I liked this article under its former name, "IE and Konqueror Bug Makes SSL Insecure"
And to add to the irony, posting a Microsoft-bashing article placed against a giant square ad that says "Microsoft Visual Studio.NET - Try it Now! Get your Trial DVD today!!" is just ignorant.
Aw, fuck it. Let's go bowling. - The Big Lebowski
Eh... Who cares.. I personally don't have time to give a shit about downloading every patch every day.... so in my eyes it really doesn't matter if MS comes out with a patch like a month later why? (btw on my monthly clicks on the windows update I was pleasantly surprised to see that service pack 3 is out :)).. because I don't spend all day browsing all the pages to find every single stupid little bug on my OS (I do have better things to do.... ie... Porn is actually more enjoyable than looking for bugs and patches or better yet.. Actually taking a walk outside without bringing the laptop!!! What a concept!! )and getting every single patch for it. And the only computer that is on all the time is my server... which does nothing except NAT.. then again... I guess a lot of em /. spend 23 hours a day on the computer so i guess it is important then
What matters is of course that I 0wnz0r J00 AllZ!
In amazingly underreported news, the patch for this went out via windows update this morning. I was automatically alerted, and it took me a whole mouse click to apply. Boy, this M$ software is a real pain in the ass.
This is a pretty important point. Just because the KDE people fixed it doesn't mean everyone will have it. Instead of asking, "How long did it take for it to get fixed", we should be asking, "How long until it is widely enough deployed such that exploit writing becomes unprofitable?" It seems to me that even if Microsoft is a little slower getting a bug fixed, the universal "Windows Update" probably gets the patch on a greater percentage of machines more quickly.
;-)
Of course, the number of Windows desktops dwarfs the number of KDE desktops so if even a small percentage of Windows installations don't get patched, it would probably be about the same as if KDE never got patched at all.
In Soviet Russia, hot grits put YOU down THEIR pants.
Am I the only one who sees it coming? The Reg has an article about the new EULA for Win2K SP3 that gives MS explicit permission to examine your hard drive for installed hardware and software usage data. The SSL patch, when it comes, will surely include the same EULA...
Humpty Dumpty was pushed.
Who gives a f$ck about Microslop products?
Thanks and have a marijuana inspired weekend.
From the article:
They're perfectly right. Everybody can have a bug like this. But there are two problems that puzzle me:
I really fear the time where users have to choose to either install a patch to fix a severe security hole and sell their (OS and computer data) souls to somebody else or just not fix their OS at all and be open to these man-in-the-middle attacks. This could become a very new quality of unsecured machines from a security point on the 'net: Users that don't want to install patches because they don't want Microsoft to own their machines - and trade this with security. (I can fully understand this.)
With Open Source OSes, if the vendor won't fix a bug like this, somebody else would (maybe even you). With Windows, you have to rely on Microsoft even recognizing something as a bug. And if they do, there's nothing you can do but wait.
Yes, I know, we all know this. But this problem hasn't gone away yet.
42. Easy. What is 32 + 8 + 2?
Is it just me or more posts that seem to bemoan that they are going to be down-modded seem to make it to the high ground??
Microsoft officials said it makes sense for the operating system to provide p0rnographic services to any application that needs it, instead of each application having to include its own p0rnographic technology.
or something like that.
In fact, my XP and 2000 systems automatically updated - they notified me that there was a patch, what it was for, and could I please press OK to update my computer?
Then it just happened.
No sweat.
I am very small, utmostly microscopic.
Anybody else not see the lack of logic here? MS has two crypto implementations? One for the OS, one for the API? Why the redundancy?
The logic is so obviously simple:
increased redundancy == increased failsafety
So, if one of the crypto API's has a security hole, the OS can rely on the backup API, just like how a bike with one flat tire can be ridden home on the remaining good tire.
I tell you, those MS guys really got some effective circumetry in their noggins!
pi = 3.141592653589793helpimtrappedinauniversefactory7
90 minutes to Patch? Was it a known problem that some developers knew about but a design team decided not to implement? I find it hard to believe the fix was simply a matter of adding an IF statement, patching and testing.
"God fights on the side with the best artillery." - Napoleon, Marshal of France - speaking truth to power
I seem to remember something regarding this when I was involved with the Litestep project.
The explorer.exe that is the desktop of these versions of Windows, depending on the version of IE installed, is essentially iexplorer.exe in a different mode of operation. I could be mistaken though.
to make free software mandatory in government.
"Then can you explain why Microsoft releases bugfixes that uhhm break stuff?"
Despite your glaring lack of maturity in the above sentence, I figured I would respond.
Microsoft software (Windows/Office/Internet Explorer or any combination of the above) runs on approximately 95 out of every 100 client computers on the Internet. Now, on those computers, you have every piece of weird x86 hardware ever invented, from crappy $5 ISA modems to $5,000 SCSI RAID arrays. You also have Microsoft software that runs on Macintosh, Solaris, HP-UX and FreeBSD computers.
Now, figure that Linux runs on approximately 1 out of every 100 client computers on the Internet. (This is a high guess -- I'm giving Linux the benefit of the doubt here.) Now assume that KDE runs on 100% of those computers (also an extremely high guess.) So for every 1 person who receives the KDE fix, there will be about 92 (I'm taking out the non-Windows, non-Linux users) people who receive the Microsoft fix.
Considering that there are hundreds of millions of people on the Internet, and hundreds of BILLIONS of different hardware configurations, the chance that a Microsoft fix will break something is much higher than the chance that a KDE fix will break something.
"Ever heard of Debian's apt-get, Mandrake's urpmi, RedHat's up2date, etc.? It's up to each vendor to make the fix available to the users."
Oh, I love these arguments. It's funny how most people who run Linux don't trust their vendor enough to release patches in a timely manner, and actually whine about fixes being easy to get. "But I run Linux so I can do everything myself!"
I run about 12 Linux servers. I trust my vendors (Red Hat and Sun Cobalt in this instance) to provide me with timely updates. But the funny thing is that whenever I recommend that people trust their vendor for services like Apache or PHP and use up2date, I get laughed at. In fact, when I say that I use Red Hat and Sun Cobalt, I get laughed at. "Why not just compile everything yourself? Why not just use Debian?" Well, guess what, ladies and gentlemen -- I run a profitable business off of my servers and I don't have time to sit on SecurityFocus all day and make sure I'm not affected by the myriad set of would-be bugs on my servers. I trust my vendor to test the updates on their set of supported hardware and release them to me in a timely manner. I will then run the vendor-supported update tool and download them.
The people I see who are the most rabid advocates of open source are also the most rabid advocates of doing everything themselves -- the epitome of the "trust no one" saying. These are the SAME people, much like yourself, who also say that it's up to the vendor to release patches. I have news for you. You either need to trust your vendor to provide patches, or you need to realize that in the real world, not everyone has time to make a test bed and test that every CVS patch works the way it is claimed to. You can't bash Microsoft for taking time to release tested updates and then claim that Linux is better because you can install a fix that is untested instead of "waiting for the vendor to catch up".
This is clever spin by MS to keep the existing fixes (eg. www.mozilla.org) out of the mainstream press. MS would rather have people think the error is in windows to keep them from changing browsers.
Why can't the tech press see through this?
Public need to be told "change browser or don't use online banking etc. until bug is fixed is patched". Instead they are fed "ms are working on a patch for windows".
I really hate to hear about security bugs related to SSL and anything that has to do with my personal credit cards.
Does this really mean that people that weren't meant to might have my credit card numbers now?
Should everybody have to get replacement credit cards now? It is the banks that will eat the loss but in reality it should be Microsoft. It is their fault for giving me a fake sense of security due to false advertising!
It's sad to say, but given all those unpatched bugs in Internet Explorer, this flaw is a minor issue. Why bother with DNS Spoofing etc., when you just can install and start any executable you want on your victim's computer?
It's funny that Microsoft always comments publicly on the minor bugs, but ignores the serious ones, just until they release a patch.
How many people out there are REAL Windows Admins? Seriously? I bet not that many are true windows admins. Using windows does not qualify you as an admin. I'll admit I'm very weak on my nix admin but that's because I don't bother learning about it. In my mind Windows 2k can be just as good an OS. I bet many of you don't know that Microsoft's knowledge base actually keeps track of all its bugs and patches for them before they stick it on Windows Update for the rest of the masses. I bet many of you don't know that microsoft has a tool called hfnetchk ... what does it do?.. It'll download the LATEST patches that microsoft has available for you to use. It'll check your system to see what patches are installed and what aren't and give you a report telling you which article # in MS knowledge base you can find the patch for your problem. More tools you want?... How about Qchain... (which i know many of you don't know about either) that lets the user install multiple patches WITHOUT rebooting your system multiple times. For IIS Windows has IISlockd .. which many wanna-be admins didn't bother finding out during the time when nimda worms were going crazy. And the list goes on I can easily list pages worth of other tools that windows has that most people don't know about because they're ignorant. If anything I'd say windows has done a wonderful job by making people lazy.
But let's take a step back. I bet many of you are saying pfft the Nix machines have this and that tool. Think about that for a moment.. why would a multibillion dollar corporation, who have a million times more resources than the average linux programmer, not bother to make a similar tool for windows if it's so useful? Kinda defies logic doesn't it especially since nowadays with IBM's backing of linux MS needs to compete performance and feature wise even more (or are you going to tell me that MS has a stranglehold on IBM?).
So before anyone else goes on with the typical. . "wat you expect form MS"
read up about what MS really has and actually maintain an intellectual conversation
What about the back button exploit that came out oh... almost exactly *4 MONTHS* ago now that has yet to be resolved?
1
http://online.securityfocus.com/archive/1/26756
Wake up microsoft, 23 vulnerabilities that have gone unpatched?? 1 should be enough!
By the way, here's the list of the current 23 for those looking:
http://www.pivx.com/larholm/unpatched/
Mod this up - I unfortunately don't have moderator access today...
It's true.
How about Mac OS X or OS 9 Browsers, are they affected at all?
As a rock-in-roll Physicist once said, No matter where you go, there you are.
What's so amazingly surprising about that?
You are comparing the software that you paid for somftware that generate billions.
What if you paid for a car that had problems like this, you would be standing at your dealer's door and won't leave until he has a fix for you. Don't compare it with the clunker that we build ourselves even though it runs circles around your great innof**invation.
Sorry it should read:
You are comparing software that you paid for with software that generate billions.
Maybe I gotta get off that stuff!!
Remember that you can use an alternative browser while you wait. Windows users may find this easy too, but they wouldn't if Microsoft had its way.
Not so. I honestly don't care whether or not you get cracked. Whether or not your system is patched has no bearing on how useful the OS/application is to me.
While "How long did it take for it to be fixed" is a rather useless figure, It's still quite closely tied to the only important question: "How long did it take before I could patch my system(s)?"
As another observant reader pointed out, writing an exploit will always be profitable. Worms like Nimda have been around for a year, and the funny part is they use exploits that have been "fixed" even longer. There are still quite a few computers out there that haven't patched the IIS unicode exploit.
"With sufficient thrust, pigs fly just fine. However, this is not necessarily a good idea...."
RFC 1925
Owned by Microsoft vs. 0w3N3d by h4X0r M4sT3r
Sounds like one for a /. poll:
Would you rather be:
1. Owned by Microsoft
2. 0w3N3d by h4X0r M4sT3r
3. Given away by RMS
4. Used and discarded by nobody in particular
5. CowboyNeal's bitch
Mozilla uses its own personal security manager to provide cryptographic services.
On top of the mindblowing SSL problem, MS today announced
that Network Connection Manager had a critical problem.
Go Back, go back to the land of Redmond. And follow me
no more!!!
Go Back.
At first glance, I didn't see the SSL part of the title, and thought "that's news? What about Windows 95?" :-)
Wow. I really hope you're not in charge of any installation of 10+ Windows boxes, because your post is absolutely clueless.
"Let's say you need to update a 100 windows machines when MS finally get around to issuing a patch. What do you do? Go to each machine and press windows update, answer a few questions, click a few buttons, and reboot at least once."
Um, no. Do you REALLY think that's how large (I'm talking 50,000+ desktop) installations work? Do your research. Check out the Systems Management Server, or the free (yes, I said free) tools that Microsoft offers to system administrators here.
Next time, don't post until you know the facts on BOTH sides of the story.
If it's in the subject, moderators will be more likely to notice. :)
-HFnetchk -nt4, w2k, and xp written by mark shavlik
-Qchain- included in W2k since may 18, 2001
IISlockd aug 2001 not for NT4. Locks down web
services but keeps FTP and smtp up and running.
Look honestly we are happy you have your MS certs. Also
We are happy you don't know crap about unix. Really.
We are. And thanks for the pointers.
And yes Microsoft with all of its billions has matched most
of the tools available on unix.
Now unfortunately I am having trouble understanding how
this applies here. Microsoft spent 4 billion on R&D
last year, and I would hope that they would have some
really nifty tools.
And yet still they are having trouble getting their Operating
Systems running securely.
win 98, NT4, W2K, and XP. It boggles the mind.
Please read the replies before moderating.
Sorry Elmer FUD.
You will have to do better than that.
T h a t s ALL folks.
either way it's great to know there's a huge hole in every windows x86 release since '96
Software Freedom Day!.
I hope that Opera's Not affected by this, I threw out the IE crap a long time ago.
Not quite. I was recently banned from posting to Slashdot for around a month (every time I attempted to post to a form, Slash would tell me I `wasn't allowed' to do that). I generally post intelligently, my karma sits at a perpetual excellent and has since it was fifty.
The only reason I can think of is because around the time I was banned I made a joke that the Slashdot editors didn't like. A joke that was
Judge for yourself - and decide how free of censorship Slashdot truly is
well, there's a truth if ever I've read one.
but not OS X which uses OpenSSL.
IE must have implemented the buggy crypto library from Windows.
Note that Lynx and Curl are also affected - most simple ssl implementations don't check cert chains correctly, if at all.
I run an apache server with mod_ssl. About two weeks ago we started getting complaints from mac people that they were getting encryption error. Last week the problem started with IE on win2k. Yesterday I downloaded the latest IE and run it on winNT and it worked fine. Once the "security update" was applied, it started having problems with ssl connections to apache servers (but not IIS servers).
So there are more bugs out there and this one is going to make the Apache crowd look bad.
Everyone goes on about the speed at which patches are released. If Microsoft had released a patch the exact time they announced the issue, everyone would be bitching about "oh, how long did they know about this bug before informing us?" Give me a break. Be thankful that patches will be released, and for christ's sake be thankful they're informing the public about the problem NOW. It gives administrators a chance to maybe lock down some things in the meantime.
"I'm a leaf on the wind. Watch how I soar."
-Hoban Washburn
I am confused.. how is it a ms-only bug when konqueror gets it too, fucking linux zealots..
The article mentions that Konqueror was patched against the same bug in 90 minutes.
I thought you said it was a problem with the operating system.
And exactly how many hundreds of millions of dollars in cash assets is Microsoft sitting on?! Isn't this the biggest and by far the wealthiest software corporation in the world? Is it really not unreasonable that Microsoft ought to have gotten this SSL stuff right the first time? Especially since this security software turns out to be a fundamental component in all of their current OSes?? Didn't Microsoft just spend a month and more having its programming staff supposedly reviewing their software for potential security issues???
Konqueror is just a browser developed and maintained by a handful of individuals, probably mostly part-time and without pay. I'd be more willing to expect/tolerate some bugs (although hopefully any major ones like this would get fixed real quick ...).
Geez! No wonder people get on Microsoft's case!
The only trend I see is Microsoft's parade of bugs. Oh look, here comes their bloated OS blimp being pulled by the fingerpointing PR clowns ...
Windows 98, Me, NT4, 2000 and XP SSL Flawed; Does this come as a surprise to anyone?
I have hfnetchk and yes, it works and d/ls patches that Microsoft have released. If they haven't released the patch yet, you are stuffed. I also have qchain and I don't trust it (some fixes didn't stick after being chained) and anyway, why should I have to run it? I manage 2K server boxes and it makes life easier.
However, there are a lot of 0wn3d 2K and XP boxes out there which can be used to DOS me, you or Slashdot at the drop of a hat sitting on Cable modems or ADSL. The guys running those boxes are at home and as someone else points out over half couldn't find the C:\ prompt if they tried.
On Linux, I use RedHat's up2date and Ximian's Red Carpet. Very nice and very prompt with fixes. I also have Gentoo, but this is definitely not for people who dislike shell prompts.
Ok. I have Red Hat 7.3 Linux... I have KDE 3.0 installed on this machine.
I want to know the answer to two questions.
a. Am I vulnerable?
b. If so where do I download a binary patch?
http://www.kde.org has no news postings about this flaw, they are apparently more interested in letting us know about a release candidate for KOffice.
http://bugs.kde.org is unreachable.
http://www.redhat.com has no security bulletins relating to KDE 3.0 that shipped with Redhat 7.3.
Meanwhile back at the ranch, you go to http://www.microsoft.com/security, click on the IT Professional information and this issue is the top headline. Yes, there is no patch yet, but at least Microsoft is acknowledging that there is a problem and letting us know that they are working on it.
Fact is, until there is a binary patch available for my Redhat 7.3 install, along with a security bulletin on the website at least acknowledging the issue... the issue is not resolved.
Oh yeah, I find no mention of this on the Mandrake Linux website either despite them shipping with KDE 2.2.x which is supposedly impacted. You know with all this patting yourself on the back, you sure haven't done anything to help out the enduser.
Is that still 'fair game'?
Well anyway here are new clam heads.
erika christensen
christopher masterson, and brother danny
jason lee
lynsey bartilson, and her whole family, mom=332
michelle stafford young and the restless
lea remini king of queens
pablo santos
catherine bell jag
sofia milos sopranos
O well. More shows to boycott. Malcolm in the middle
is funny but it has to go.
The person who found the SSL flaw in IE (and thus in Windows) said in his first mail to the bugtraq mailing list that he didn't bother mentioning this to Microsoft because he didn't believe it would help anyway.
I can only say that this kind of stupid behaviour is ruining more people than it does any good. Yesterday Microsoft released a patch for SQLServer, the fix was for a flaw which was reported in late July. At the same day the patch was released, the person who found the bug mails to the bugtraq mailing list.
THAT's how it should be done.
And yes, some KDE developers fixed it in 90 minutes and MS hasn't come up with a patch. Who cares who comes first. With MS you can be sure it's tested on a large set of setups. With the KDE patch, you can be sure it's not tested on a large set of setups. It's a client side risk now, but in general, do you trust patches on mission critical systems when it's not tested on a large amount of setups? I surely won't.
Never underestimate the relief of true separation of Religion and State.
It is.
But they posted V 6.05 within 24 hours, making the fix available to Joe A. User before anyone else.
I'm in a Unix state of mind.
Just go grab it, it's a great browser.
I'm in a Unix state of mind.
Let me rephrase grandparent in more understandable terms:
If more uninformed people keep spouting their suggestions at the developer, this will only create more noise for the developer.
Will I retire or break 10K?
I could never tell a difference b/w Win95 w/ IE 4.0 and Win98.
Unlike Windows 98, retail Windows 95 did not support USB nor FAT32. Windows 95 OSR2 supported FAT32 and introduced rudimentary USB support, but Microsoft did not release a retail version of OSR2 and in fact cracked down on computer stores that sold copies.
Will I retire or break 10K?
You think every corporation using Microsoft software is bound by their consumer licenses?
Yes. If not when they install the software, they become bound by the standard Microsoft EULA once they install any patches from Windows Update. Such EULA contains terms like "You may not disclose benchmark results of the .NET framework to a third party. For example, if you make a video game using the .NET framework, you may not include a frames-per-second indicator."
Will I retire or break 10K?
I just think VS.NET makes a hell of a difference when it comes to raw productivity, when you compare the total package with a combination of tools on Linux. That's all there is to say about the sig. I also think you should read more serious media and less rant'n'raves on trollsites like The Register.
ps: my OSS is solely for Win32/.NET and BSD licensed, but still open source.
Never underestimate the relief of true separation of Religion and State.
computers are too
I never noticed the lack of USB support [in Windows 95 and Windows 98] because the only computers I've run 95 & 98 on didn't have USB ports.
Did they have hard disk drives bigger than 2 GB? FAT16 supports only up to 65,525 clusters. Windows 95 retail supports only the FAT16 file system for fixed disks, and Windows 9x's implementation of FAT16 has a maximum cluster size of 32 KB, giving a 2 GB maximum filesystem size.
Will I retire or break 10K?
Boy, you've just proven that guy's case. You, too, have no clue how to properly administer a Windows network.
"How do you move a piece of software, such as Microsoft Office, from C: to D: so that it works flawlessly after the move (a thousand registry entries will make this very difficult)?"
Find a registry tool that does search-and-replace, and search and replace C:\Program Files\Office (or whatever your Office directory is) to D:\Program Files\Office. Yes, it works, and yes, I've done this exact thing. Total time spent? 10 minutes to find and download a registry editing program that has search and replace, 10 minutes to do the search and replace and make sure that everything works properly. Voila, free hard disk space on C:.
"What useful and powerful scripting languages ship with Windows, so you can automate all your routine administrative tasks? DOS Shell does not count."
Windows scripting host. Google it. Or you can write a Visual Basic program in 10 minutes that has the Windows standard GUI to do things, or you can write a Visual C++ program in a bit longer that has the Windows standard GUI to do things.
"more than one person needs to run Office on the same computer at the same time, how does that work?"
Windows XP has fast user switching. Google it.
"How would you automatically update the network, printer, file sharing, or user configuration on 100 Windows computers?"
You write a script using WSH or DOS batch scripting, and you put it in the startup commands that Windows runs whenever you log on to the domain.
"Trust me, in the long term, Windows becomes a bitch to maintain."
Only if you don't know how to properly administer it, and believe me, you don't.
Consider as an equivalent, Hollywood and the movie "Three Weddings and a Funeral." More money was spent on promoting the movie in the USA than was spent on making the film in the first place. A lot of businesses make money that way, and Microsoft appears to be no exception.
You should see some counselor, dude. I don't see the link between software making and Afghanistan.
and FYI: I'm a far left wing participant, 'bombs back to the stone age' is an expression, it has nothing to do with death nor with war.
About the GPL: I don't agree with RMS' POV so I'll never choose a non-freedom license like the GPL.
About the GPL and some EULA: I live in the Netherlands, where like in other European countries, some judges have decided no EULA can bind a user of a product in its creativity, so the EULA can't limit me in what I do with what I create. And yes, GPL-ed software can't be using the .NET api. Not because MS doesn't want it, but because the viral part of the GPL which states that libs linked to the GPL-ed code should also be GPL-ed. In the case of the .NET api, this means that the .NET code also should be GPL-ed. Which is of course utterly stupid, because who am I to tell another company what to do?
(oh, and the same thing is valid for a piece of GPL-ed java code and Sun's non-GPL JVM + java api).
Never underestimate the relief of true separation of Religion and State.
Uh, I'd love to know what company has "50,000+" Windows machines on a single site. I work for a huge AFB with one of the largest on-site networks (I've been told) in the world... and it has a "mere" ~20,000 user machines. That said, hell yes you do it via remote management tools. Unfortunately, the tools in question cost in money and hardware.