Slashdot Mirror


Windows 98, Me, NT4, 2000 and XP SSL Flawed

JoeSmack writes "In amazingly unexpected news, ComputerWorld is running an article that says the SSL security hole found in Internet Explorer is not a flaw in the browser, but in the operating system itself." The article mentions that Konqueror was patched against the same bug in 90 minutes.

35 of 483 comments

  1. How many apps will this break? by Vengie · · Score: 3, Insightful

    Uh-oh. IANA Windows Developer... does anyone know how many apps use this API that Microsoft might potentially break? (Fixing bugs: good, breaking stuff: bad....)

    --
    When in doubt, parenthesize. At the very least it will let some poor schmuck bounce on the % key in vi. (Larry Wall)
    1. Re:How many apps will this break? by catwh0re · · Score: 2, Insightful
      Microsoft make the following point:

      "Microsoft officials said it makes sense for the operating system to provide cryptographic services to any application that needs it, instead of each application having to include its own cryptographic technology."

      However from this example alone, we can already see that if each program did have its own crypto, then the user would be much more secure, rather than relying on Microsoft for security (akin to getting hounds to mind a butcher's store).

  2. Browser == OS by keesh · · Score: 5, Insightful
    not a flaw in the browser, but in the operating system itself
    There's a difference? I thought they were the same thing...
    1. Re:Browser == OS by Anonymous Coward · · Score: 0, Insightful

      Uninteresting fact: LinuxToday censored my post on this topic, which I made to their article describing the flaw.

      The first post on the article was by a drooling KDE fan, and it slobbered over how quickly the fix was in the KDE CVS version. I pointed out that both Microsoft and the KDE project have a history of poor security - the only thing that has saved KDE in the past is the more solid security of the unix model. I also mentioned that, just because a fix is in the KDE project's CVS, does not mean that it is available for everyone - that will have to wait until the next release. Microsoft has hundreds of millions of customers across the world, and the systems handle billions of dollars of revenue... this puts a huge responsibility on them to get their fixes right and properly tested. Not simply shove a few changes into some CVS code and hope it works.

      The post was censored by LinuxToday editors - presumably because it did not contain any drooling KDE zealotry and did not bash Microsoft. Quite frankly, LinuxToday is becoming unreadable by anyone not a) a KDE super-fan b) rabidly anti-Microsoft. If you think slashdot is bad, consider that you can at least post here... even if it does ultimately end up at -1.

    2. Re:Browser == OS by torndorff · · Score: 2, Insightful

      Actually, the fact that it is in the CVS makes it accessible to anyone who wants it. Granted not many end users will connect to the CVS and get the latest dev version of KDE, but at least it's there.

      Windows on the other hand cannot do this. I respect your point in saying they have a lot of money and customers to deal with, but their perspective on security is a bit skewed. No Windows user can fix their SSL flaw if they're extremely paranoid; they can only hope that MS will shield the exploit from the script kiddies of the world.

      But you're right, LinuxToday is getting bad.

    3. Re:Browser == OS by RelliK · · Score: 2, Insightful
      I pointed out that both Microsoft and the KDE project have a history of poor security

      And KDE's history of poor security would be...?

      I also mentioned that, just because a fix is in the KDE project's CVS, does not mean that it is available for everyone - that will have to wait until the next release.

      Bullshit. Ever heard of Debian's apt-get, Mandrake's urpmi, RedHat's up2date, etc.? It's up to each vendor to make the fix available to the users. You can also install it yourself without waiting for the vendor to catch up.

      Microsoft has hundreds of millions of customers across the world, and the systems handle billions of dollars of revenue... this puts a huge responsiblity to get their fixes right and properly tested

      Then can you explain why Microsoft releases bugfixes that uhhm break stuff? Despite the fact that Microsoft takes 2-3 months to uhhh "test" stuff, the Open Source community has a much better track record in this regard.

      Quite frankly, LinuxToday is becoming unreadable by anyone not a) a KDE super-fan b) rabidly anti-Microsoft.

      Quite frankly, you are an idiot spreading FUD.

      --
      ___
      If you think big enough, you'll never have to do it.
    4. Re:Browser == OS by transient · · Score: 3, Insightful

      You generally don't want to run cvs software on servers.

      You also generally don't want to run KDE, or anything else involving X, on servers.

      --

      --

      irb(main):001:0>
    5. Re:Browser == OS by tshak · · Score: 3, Insightful

      Great post. Although Linux patches are generally more prompt, one has to consider the testing aspect. A corporation has to answer to customers if a patch breaks. If a Linux (or another OSS program) patch breaks, they claim it was "Alpha" and can "patch the patch" (read: APATCHY web server). This still gives a slight edge to OSS in the long run, but it's not as dramatic as "90 minutes vs. 45 days".

      --

      There is no longer anything that can be done with computers that is nontrivial and clearly legal. -- Paul Phillips
    6. Re:Browser == OS by RickHunter · · Score: 1, Insightful

      Quite frankly, you are an idiot spreading FUD.

      Really, what do you expect? All his post needs to be a classic anti-KDE troll (note that there's not a shred of proof whatsoever for any of his assertions) is a claim that GNOME would've made a new major release immediately after discovering this or some such drivel. Neither project has a "history of security holes", because neither runs anything important as root.

  3. the funny thing by vectus · · Score: 3, Insightful

    is that for most consumers, this doesn't even matter. I mean, they will be affected by the security hole, but if their computer gets hacked or something, they'll end up just blaming their own lack of computer knowledge. They'll eventually install the patch from windows update (if they know how to access windows update), and then blindly keep surfing the net and playing "who wants to be a millionaire".

  4. favorite quote by nestler · · Score: 4, Insightful
    Microsoft officials said it makes sense for the operating system to provide cryptographic services to any application that needs it, instead of each application having to include its own cryptographic technology.

    This "makes sense" up until the point where you have to patch your kernel instead of upgrading a library. When OpenSSL had a bug, they fixed it and you could upgrade OpenSSL. When Konqueror had this specific bug, it could be upgraded easily enough. Now Windows users have to patch their entire OS to fix this (or just use another browser that doesn't use the crypto-in-the-kernel routines).

    1. Re:favorite quote by GiorgioG · · Score: 2, Insightful

      This "makes sense" up until the point where you have to patch your kernel instead of upgrading a library. When OpenSSL had a bug, they fixed it and you could upgrade OpenSSL. When Konqueror had this specific bug, it could be upgraded easily enough. Now Windows users have to patch their entire OS to fix this (or just use another browser that doesn't use the crypto-in-the-kernel routines).

      Why is everyone nitpicking over this? What difference does it make if one has to patch an application or an OS (Is an OS not an application?) What other crypto services do you use in Windows at the moment outside of your browser? Ok, Ok, I know you all hate MS/Windows, but this is just childish.

    2. Re:favorite quote by topham · · Score: 3, Insightful

      Because it takes Microsoft far longer to release a patch for an OS than an application.

      By the way, read the article and you find out that according to Microsoft the bug only affects IE, yet it is contained in an OS level API.

      Huh? Shouldn't that mean anything using that same API would have the problem? Unless of course this is just one piece of the IE code they toss in an inappropriate DLL.

      No, can't be. Microsoft wouldn't do that.

    3. Re:favorite quote by Amazing+Quantum+Man · · Score: 5, Insightful

      Here's a question - who do I sue if that bug in Konqueror causes me to lose money? Nobody!

      Here's another question. Who do you sue if that bug in IE causes you to lose money? Nobody! Read the EULA!

      --
      Fascism starts when the efficiency of the government becomes more important than the rights of the people.
  5. What goes around comes around... by R2.0 · · Score: 3, Insightful

    This is the result of "integrating" IE into the OS. Now when there is a "browser" security problem, it's really an OS problem.

    Sorry MS - kill by integration, be killed by integration. It's a circle of life kinda thing...

    --
    "As God is my witness, I thought turkeys could fly." A. Carlson
  6. It doesn't make too much sense by thelinuxking · · Score: 3, Insightful

    The article says: "SSL flaw doesn't affect any other application outside Internet Explorer and that it's a client-side issue only" But if it only affects IE, and not programs such as netscape (which also of course runs on windows), then technically it IS a problem with IE!

  7. Re:Konqueror by Anonymous Coward · · Score: 1, Insightful

    "And yet another proof that all critical applications should be peer reviewed by everyone who wants."

    As if 'everyone' were qualified to do so.

  8. Re:Not a big deal! by Wrexen · · Score: 5, Insightful

    Can we stop with the "Foo blah blah DMCA foo!" jokes already? The first 600 or so were funny (ok maybe not), but it's getting old. Especially when the subject matter has nothing to do with copy control circumvention or the ??AA businesses

  9. 90min to the fix, but how long to the masses? by lalleglad · · Score: 2, Insightful

    In order to make sure we compare apples to apples and oranges to oranges, I suppose it would be fair to ask the question of when the Konqueror fix will be available to the normal and possibly rather non-sophisticated public consumer crowd?

    I mean, when the fix becomes ready from MS (weeks or months, but it will) it will be applicable to most users of Windows, but the current fix for Konqueror after 90 min wasn't immediately ready for the masses.

    So, when will it?

  10. Re:Yet again... by Scutter · · Score: 5, Insightful

    I am so shocked to hear Microsoft didn't follow the standards when implementing SSL.

    Neither did Konqueror. Blame where blame belongs, please. It's trendy to just blame everything on the Big Evil Empire, but let's not forget they aren't the only ones who have bugs.

    --

    "Tell me doctor, with all of your defenses, are there any provisions for an attack by killer bees?"
  11. Let's be fair here by IamTheRealMike · · Score: 5, Insightful
    Now I'm a Linux user and lover, as anybody who reads my past comments can discover. But let's be fair to Microsoft here - all this talk is of how fast KDE (actually Waldo Bastion) patched the bug, as if this makes them superior to MS.

    You know what? I bet the 'soft could do this too. I mean have a guy, or team of guys available 24/7 to patch bugs. And you know what else? They'd still get flak for it, as Microsoft don't release patches straight away - for better or for worse, they do actually test them first (usually), make sure they don't kill weird and exotic installs etc. I know they've released dodgy patches, but my point is that Microsoft isn't an overnight operation.

    And more to the point, how does this patch get to people? Via autoupdate of course. The patch may have been written in 40 minutes, but it's still not available on SuSE auto update (as far as I can tell) despite the fact that Waldo works for SuSE! We really need to stop patting ourselves on the back simply because we can see the progress of the patch and Microsofters can't, otherwise this bullheaded arrogance WILL bite us on the ass.

  12. Hmmm by Patik · · Score: 2, Insightful
    The article mentions that Konqueror was patched against the same bug in 90 minutes.

    Note that this doesn't mean the bug was only there for 90 minutes, it was there for [months, years, I don't know]. Why didn't Konqueror take the initiative to fix this before instead of waiting until it was published? Sounds like they had the fix all along and were just waiting for the announcement so they could look good by fixing it so quickly.

  13. Re:Yet again... by estoll · · Score: 2, Insightful

    Monopolistic is the key in your reply. It is easy to blame the big guy when they are screwing you.

    --
    http://www.askthevoid.com
  14. On an OS Providing Cryptographic service by dh003i · · Score: 5, Insightful

    Microsoft officials said it makes sense for the operating system to provide cryptographic services to any application that needs it, instead of each application having to include its own cryptographic technology

    Yes, indeed, it does make sense for the OS to provide such a service to any program that wants to use it, so long as that's a GOOD service.

    In general, it makes sense to provide everything from outside the program, and just have the program call on outside services. However, that means you need to make the outside services good, and it means that those writing programs don't just string together a bunch of requests (i.e., draw this, check that calls) but also work on looking for fixes to the common outside service, which would be shared by many programs.

    In other words, this approach only makes sense when the outside services are OSS / FS / public domain, which means that developers of programs can check their integrity and submit improvements. Otherwise, it's just a big black hole for developers: should I trust this cryptographic routine, or shouldn't I? One never knows with proprietary routines. One can check, and improve, such routines provided they are OSS / FS.

  15. IE != OS by Anonymous Coward · · Score: 1, Insightful
    "This SSL flaw has been described as an [Internet Explorer] problem, but it is a Windows issue. It's in the crypto of the operating system, so we have to patch the OS," said Scott Culp, manager of the Microsoft Security Response Center. "IE is a consumer of those crypto services."
    If IE is a consumer of a service provided by the OS then IE is not part of the OS.

    Microsoft's assertion to the contrary is hereby refuted.

  16. MS's master business plan by dh003i · · Score: 2, Insightful

    Make products buggy as hell, then get people to upgrade and pay them for it by releasing new versions which have fixed the old bugs, but introduced new bugs. Repeat ad infinitum.

    In parallel, also make sure to develop file formats and "standards" which aren't backwards compatible and don't work with any other OSes, so as to lock people into MS products and force costly upgrades.

    Bwuhahahaha.

  17. patch distribution model by Kris+Warkentin · · Score: 4, Insightful

    This is a pretty important point. Just because the KDE people fixed it doesn't mean everyone will have it. Instead of asking, "How long did it take for it to get fixed", we should be asking, "How long until it is widely enough deployed such that exploit writing becomes unprofitable?" It seems to me that even if Microsoft is a little slower getting a bug fixed, the universal "Windows Update" probably gets the patch on a greater percentage of machines more quickly.

    Of course, the number of Windows desktops dwarfs the number of KDE desktops so if even a small percentage of Windows installations don't get patched, it would probably be about the same as if KDE never got patched at all. ;-)

    --

    In Soviet Russia, hot grits put YOU down THEIR pants.
    1. Re:patch distribution model by spectral · · Score: 3, Insightful

      How many people do you know actually go to Windows Update? I've had several people call me and ask me to get rid of the critical update notification because they were too stupid to figure out how to turn it off. They didn't want to update, they wanted to do what they already knew how to do, and didn't care about anything else that got in their way. To expect people to go out of their way to update something like this is a bit skewed. I think a much, much higher percentage of people who use linux (kde/konqueror) would know/care enough to keep up to date on patches and upgrades. Not because they're necessarily more paranoid about security (though i'm sure that's the case for some people), but because they know more and know that it's usually a good idea.

      People who only want to use AIM, Winamp, IE, and whatever email program they've been trained to use (probably outlook express) don't want to deal with "SSL Vulnerability!" notifications popping up in their system tray.

      And they certainly don't care enough to go looking for fixes in Windows Update, even though the link to it is right at the top of the start menu.

  18. Re:things i dont get by J.+J.+Ramsey · · Score: 3, Insightful

    "Anybody else not see the lack of logic here? MS has two crypto implementations? One for the OS, one for the API?"

    Um, maybe one crypto service is for SSL, while the other is for, oh, maybe encrypting files?

    There are so many good reasons to bash MS, why invent a bad one?

  19. Slow down there. by Anonymous Coward · · Score: 4, Insightful

    "Then can you explain why Microsoft releases bugfixes that uhhm break stuff?"

    Despite your glaring lack of maturity in the above sentence, I figured I would respond.

    Microsoft software (Windows/Office/Internet Explorer or any combination of the above) runs on approximately 95 out of every 100 client computers on the Internet. Now, on those computers, you have every piece of weird x86 hardware ever invented, from crappy $5 ISA modems to $5,000 SCSI RAID arrays. You also have Microsoft software that runs on Macintosh, Solaris, HP-UX and FreeBSD computers.

    Now, figure that Linux runs on approximately 1 out of every 100 client computers on the Internet. (This is a high guess -- I'm giving Linux the benefit of the doubt here.) Now assume that KDE runs on 100% of those computers (also an extremely high guess.) So for every 1 person who receives the KDE fix, there will be about 92 (I'm taking out the non-Windows, non-Linux users) people who receive the Microsoft fix.

    Considering that there are hundreds of millions of people on the Internet, and hundreds of BILLIONS of different hardware configurations, the chance that a Microsoft fix will break something is much higher than the chance that a KDE fix will break something.

    "Ever heard of Debian's apt-get, Mandrake's urpmi, RedHat's up2date, etc.? It's up to each vendor to make the fix available to the users."

    Oh, I love these arguments. It's funny how most people who run Linux don't trust their vendor enough to release patches in a timely manner, and actually whine about fixes being easy to get. "But I run Linux so I can do everything myself!"

    I run about 12 Linux servers. I trust my vendors (Red Hat and Sun Cobalt in this instance) to provide me with timely updates. But the funny thing is that whenever I recommend that people trust their vendor for services like Apache or PHP and use up2date, I get laughed at. In fact, when I say that I use Red Hat and Sun Cobalt, I get laughed at. "Why not just compile everything yourself? Why not just use Debian?" Well, guess what, ladies and gentlemen -- I run a profitable business off of my servers and I don't have time to sit on SecurityFocus all day and make sure I'm not affected by the myriad set of would-be bugs on my servers. I trust my vendor to test the updates on their set of supported hardware and release them to me in a timely manner. I will then run the vendor-supported update tool and download them.

    The people I see who are the most rabid advocates of open source are also the most rabid advocates of doing everything themselves -- the epitome of the "trust no one" saying. These are the SAME people, much like yourself, who also say that it's up to the vendor to release patches. I have news for you. You either need to trust your vendor to provide patches, or you need to realize that in the real world, not everyone has time to make a test bed and test that every CVS patch works the way it is claimed to. You can't bash Microsoft for taking time to release tested updates and then claim that Linux is better because you can install a fix that is untested instead of "waiting for the vendor to catch up".

    1. Re:Slow down there. by Anonymous Coward · · Score: 1, Insightful
      You can't bash Microsoft for taking time to release tested updates and then claim that Linux is better because you can install a fix that is untested instead of "waiting for the vendor to catch up".

      (Disclaimer, I think I may have been trolled)

      Precisely WHY can't I bash Microsoft for that? Say there comes a day when one of your 12 precious servers absolutely NEEDS a fix, but that issue is not on a large scale important enough for Red Hat / Cobalt to push instantly. Thanks to how the world of linux software works you CAN go out and pull the relevant patch from CVS, apply it, and resume operation. With Microsoft you DO NOT get that opportunity. Sounds like a perfectly valid excuse for some bashing to me. Having vendors that you trust is great. Having the chance to roll your own in the rare cases when your vendor does not deliver is even better.
    2. Re:Slow down there. by jsse · · Score: 4, Insightful

      "Why not just compile everything yourself? Why not just use Debian?" Well, guess what, ladies and gentlemen -- I run a profitable business off of my servers and I don't have time to sit on SecurityFocus all day and make sure I'm not affected by the myriad set of would-be bugs on my servers. I trust my vendor to test the updates on their set of supported hardware and release them to me in a timely manner. I will then run the vendor-supported update tool and download them.

      I feel obliged to answer regardless of the fact that you choose to be a coward.

      Exactly what kind of profitable business are you doing? Yes, you could trust your vendors to supply the latest fixes to you in timely fashion, but you don't seem to get the idea of risk management. If your 'profitable business' cannot bear the loss resulting from untimely fixes from vendors, you must check closely for the latest security updates.
      Since you mentioned security update sites like SecurityFocus, have you realized that there's nothing you can do when a vendor like Microsoft doesn't give a damn about the security problems in their products, and you've no choice but to remove the problematic products until they are generous enough to release the patch?

      In conclusion, you either have no clue about the word 'risk' or you simply have way too much money to spare (or your boss has way too much spare money to hire the like of you). :)

  20. Re:Windows update was available on 8/16 at 9am EST by PsychoSpunk · · Score: 3, Insightful

    Yeah, it was for a problem in the Network Manager. Of course, since this was the big 'sploit of the week, you and 2short seem to have mistaken the patch for something that it's not. This morning's patch description

    --
    ALL HAIL BRAK!!!
  21. Re:Konqueror by Anonymous Coward · · Score: 1, Insightful

    Yeah, that's why they found the bug in closed source IE before they found it in the open source Konqueror..

  22. Re:In defense of microsoft by Alien+Being · · Score: 2, Insightful

    Your comment is informative, but what good are auto-update scripts when there are no updates?