Windows 98, Me, NT4, 2000 and XP SSL Flawed

JoeSmack writes "In amazingly unexpected news, ComputerWorld is running an article that says the SSL security hole found in Internet Explorer is not a flaw in the browser, but in the operating system itself." The article mentions that Konqueror was patched against the same bug in 90 minutes.

Oh, that's good then...

[MrFenty]

...Scott Culp, manager of the Microsoft Security Response Center said that the SSL flaw doesn't affect any other application outside Internet Explorer and that it's a client-side issue only.

Glad it's only a client side issue then.

What's the problem?

If you bothered to read Bill Gate's .plan, you would know that he eventually will own everything.

So, what's he afraid of? Stealing from himself?

Didn't mention Windows 95

[SpanishInquisition]

So I guess it's safe.
It's a good thing I didn't upgrade.

Re:Didn't mention Windows 95

I wonder if this is why my computer thinks it's 1902. And here I thought my ssl certs wouldn't expire for another 101 years.

Not a big deal!

[joshua404]

We can just sue anyone that uses the exploit for violating the DMCA. There, problem solved!

Re:Not a big deal!

[Otter]

1) Make contrived, stupid DMCA jokes.
2) ???
3) Profit

All your base are belong to us!

Quick fix

[Subcarrier]

You can disable SSL in the advanced options menu. ;-)

Oh good, it's not an IE bug

[freerangegeek]

We only wrote bad code that made it through QA for 5 different versions of the OS dating back to the mid 90s. Of course, with Palladium, our new secure platform, things like this will never happen. Good thing we got that patch out quick!

(Oh wait, that was the Konqueror people!)

We'll I'm sure with our new secure computing focus it will be out any time now. Please don't stop doing ecommerce, just because all your personal data can be hacked, just use Passport.

(Oh wait, that happens with Passport too!)

Ummmm...

Re:Oh good, it's not an IE bug

[SlugLord]

Now now! You're just not being fair! Windows has done wayyyy too many good things to let ONE LITTLE ISSUE like this ruin their reputation. I mean there's never been a security problem with Windows before... Why is that? because Microsoft is good for business! The "unstoppable Windows NT" never crashes, and to prove it, Have you ever seen what the MS developers call a "blue screen"? No! of course you haven't, because it never crashed. Get this: All the new versions have this "blue screen" built in as well, but I don't know anybody who has ever seen one. Why? because it just can't crash. But laying that aside, I think it's unfair to accuse Windows of being insecure... after all, Outlook is secure and it uses SSL, right? I know all you people like to bash Microsoft, but the fact is that you're just jealous because Microsoft products are so good that nobody feels the need to compete. (except for Steve Jobs, but he's a fanatic that likes inferior hardware... c'mon, one mouse button?)

Yet again...

[estoll]

I am so shocked to hear Microsoft didn't follow the standards when implementing SSL. I wonder what other technologies they have failed to implement according to the standards everyone else follows?

Long-term fix

[Damek]

Use a different web browser.

(or better yet, a different OS altogether...) ;-)

News

[Citizen+of+Earth]

Windows 98, Me, NT4, 2000 and XP SSL Flawed

Isn't this supposed to be " News For Nerds"?

90 Minutes for Konqueror fix.

[FreeLinux]

90 minutes????? What are the KDE boys doing, sleeping???

This is just unacceptable. I cannot believe and refuse to accept that it could take 90 minutes to get a major security fix out for a browser. This is completely unacceptable. It's no wonder everyone uses IE.

I guess the Microsofties were right after all. Support for open source software is nearly impossible to find.

-- Before you post, are you sure you got it?

Trustworthy computing as its finest...

[lysurgon]

...indeed.

Thank's for those memos, Bill.

got the patch this morning

[2short]

In amazingly underreported news, the patch for this went out via windows update this morning. I was automatically alerted, and it took me a whole mouse click to apply. Boy, this M$ software is a real pain in the ass.

Re:Bug is in inet.dll

[shyster]

MS TCP/IP stack is in inet.dll. That is probably where the bug is.

Yeah, I'm sure the code for checking the heirarchy of SSL certificates is in the TCP/IP stack .dll.

Maybe peer reviewed code isn't really that great of an idea after all....

I'll tell you why

[tunabomber]

Anybody else not see the lack of logic here? MS has two crypto implementations? One for the OS, one for the API? Why the redundancy?

The logic is so obviously simple:

increased redundancy == increased failsafety

So, if one of the crypto API's has a security hole, the OS can rely on the backup API, just like how a bike with one flat tire can be ridden home on the remaining good tire.

I tell you, those MS guys really got some effective circumetry in their noggins!

Re:We really depend on the bugs

Yes, but the superficial design flaws will hide the fundamental design flaws.

Re:favorite quote

[rmohr02]

Shouldn't that mean anything using that same API would have the problem?

Yes. But nobody but M$ stupid enough to trust M$'s closed source encryption API.