Windows 98, Me, NT4, 2000 and XP SSL Flawed

JoeSmack writes "In amazingly unexpected news, ComputerWorld is running an article that says the SSL security hole found in Internet Explorer is not a flaw in the browser, but in the operating system itself." The article mentions that Konqueror was patched against the same bug in 90 minutes.

Look, nobody outside of /. cares

Bill can do no wrong.

As long as the majority of the population thinks Microsoft is da bomb, nothing will change.

Kind of like the way people think about the government, flawless.

Uh-oh

[buzzdecafe]

Here's a golden opportunity for MS to ramrod another "We can root your machine" EULA down the throats of desperate Windows Victims.

this is good news

[GoatPigSheep]

Where can I get the windows version of konqueror? I want to browse securely too.

We really depend on the bugs

[tshoppa]

Seeing continued OS-level design flaws in Microsoft products is, to me, reassuring. When MS goes ahead with Palladium I'm now quite confident that it will be riddled with fundamental design flaws that will make its "security" (read: capitalist totalitarianism rule over the masses) a joke.

Bug is in inet.dll

[sneakerfish]

MS TCP/IP stack is in inet.dll. That is probably where the bug is.

I was a beta tester for IE4 (so flame me, OK) and I found a bug in the HTTP1.1 keep-alive implementation. They never saw it because they tested only against IIS and I tested against Apache which implemented it correctly of course.

They didn't want to fix it until I explained that %60 (at the time) of the web runs on Apache servers.

In fact the MS product manager wanted me to call "the Apache company and have them fix Apache." Duh. Me- "There is nobody to call sir, and the problem is YOUR problem and not theirs."

They delayed IE4 for two weeks after it had gone gold to fix it. So don't flame me.

Anyway, that bug was in inet.dll, and I bet this one is too.

Re:Bug is in inet.dll

[platypus]

IE4 was so uncompliant on a deeper level, it wasn't funny.
There was a bug with packet fragmentation and redirects that caused internet explorer to display a blank page which said "Object moved, object can be found _here_.", where _here_ was a link to the target of the redirect.
Funnily, their own proxy software tended to cause fragmentation of the redirect packet quite often.

What I didn't understand was how they were capable to produce this bug, this completely negates everything I know about seperating the different layers of transport.

Re:Konqueror

[captain_craptacular]

Doesn't matter if everyone is qualified. If they aren't their suggestions will be ignored by those who are, who also happen to be those who integrate the suggestions/new code.

things i dont get

[jeffy124]

i saw the article earlier today. there are some things I just do not understand here. first some facts:

• The bug is in the OS crypto services
  
• It's NOT MS's crypto api
  
• Only IE is affected.

Time for rhetorical questions:

Anybody else not see the lack of logic here? MS has two crypto implementations? One for the OS, one for the API? Why the redundancy? Why cant the OS use the API? Or conversely, why is the API necessary when there's the services are in the OS?

How in the world is IE the only app affected? It seems more to logical to assume that any app using this crypto services are also vulnerable.

Shared code ok - but what EULA?

[Antity]

From the article:

Microsoft officials said it makes sense for the operating system to provide cryptographic services to any application that needs it, instead of each application having to include its own cryptographic technology.

They're perfectly right. Everybody can have a bug like this. But there are two problems that puzzle me:

1. When will the patches for the OSes be available?
2. And, the worse one: Will the patches for this really ugly security leak will also come with Microsoft's new EULA that gives them access to one's computer?

I really fear the time where users have to choose to either install a patch so fix a severe security hole and sell their (OS and computer data) souls to somebody else or just not fix their OS at all and be open to these man-in-the-middle attacks. This could become a very new quality of unsecured machines from a security point on the 'net: Users that don't want to install patches because they don't want Microsoft to own their machines - and trade this with security. (I can fully understand this.)

With Open Source OSes, if the vendor won't fix a bug like this, somebody else would (maybe even you). With Windows, you have to rely on Microsoft even recognizing something as a bug. And if they do, there's nothing you can do but wait.

Yes, I know, we all know this. But this problem hasn't gone away yet.

Re: Shared code ok - but what EULA?

[lizzybarham]

Here's the situation:

I use linux on my systems but my mother uses Win98. I basically take care of her machine and it provides the connection to the net. Recently I became aware of a flaw in MSN-Messanger and decided to upgrade but pulled on the brakes when I saw the EULA - meaning I refused to upgrade and the MSN-Messanger on her machine is not secure.

Since the EULA's apply to the latest, secure versions of their code and I disagree with their EULA, I essentially have a frozen win98 machine in regards to MS code (which includes the OS).

While most people may ignore the EULA, not all of us do and their new EULA is beginning to cause some serious problems for those of us who purchased the OS when the newer EULA was not in affect.

The general EULA system is becoming more of a problem; they are showing up on more and more software. For example, in order to run a 'support' java applet I was supposed to agree with a EULA that wasn't even applicable to the current situation (it mentioned "evaluation purposes only" which I was *not* going to do). So, I did not install it. It seems that if these companies are going to make us agree to their EULA they could at least spend the time up making their EULA fit to the particular situation.

Re:Let's be fair here

[tshak]

But, lest we forget, this bug was reported to Microsoft a very long time ago. Furthermore, MS has not been trying to fix the bug. Instead they chose to try to place the blame on Verisign.

Sometimes it is better to stick with the facts - even on Slashdot. Microsoft is A) working on a patch and B) claims to have not been alerted until it was publicly released. Here's some facts from MS's website:

Despite the many challenges associated with exploiting the flaw, there is indeed a flaw here and Microsoft is developing a patch that will eliminate it. ...
However, the report, which neglected to discuss any of the challenges associated with actually exploiting the vulnerability, was made public without any advance warning to Microsoft. Responsible security researchers have the safety of users in mind and work with vendors to ensure that the information published about potential vulnerabilities is balanced and, above all, correct.

Reference: http://www.microsoft.com/technet/treeview/default. asp?url=/technet/security/news/IARWSV.asp

Spin

This is clever spin by MS to keep the existing fixes (eg. www.mozilla.org) out of the mainstream press. MS would rather have people think the error is in windows to keep them from changing browsers.

Why can't the tech press see through this?

Public need to be told "change browser or don't use online banking etc. until bug is fixed is patched". Instead they are fed "ms are working on a patch for windows".

Re:Browser == OS

Well, this summer alone, I have seen a fair number of Konqueror security flaws posted, much more than I would like to see. As many as IE? No, but you don't say something is secure by comparing it to something less secure.

Also, most vendors do not provide CVS packages for things like this. Hell, debian still doesn't even have an official KDE3. And even if there is a CVS version, how many people are going to be quick to hop on it, considering the code in CVS is typically beta at best? And what newbies are even going to know about this?

And then your issue on bugfixes. Are you trying to say that OSS patches never break anything? I think you ought to check out www.lkml.org or something. Patches break other things all the time, because they're often unforseeable.

Quite frankly, you're a close-minded individual who chooses to ignore certain obviouses.

Re:Slow down there.

[pmz]

You also have Microsoft software that runs on Macintosh, Solaris, HP-UX and FreeBSD computers.

I work on Solaris every day...where's the Microsoft software? I know that IE is available for Solaris, but I certainly wouldn't be so stupid as to actually install it.

...there will be about 92 (I'm taking out the non-Windows, non-Linux users) people who receive the Microsoft fix

Your giving the Windows users too much credit. The fraction of KDE users who will eventually upgrade KDE is much higher than the fraction of Windows users who will ever bother to patch their systems.

Considering that there are hundreds of millions of people on the Internet, and hundreds of BILLIONS of different hardware configurations, the chance that a Microsoft fix will break something is much higher than the chance that a KDE fix will break something.

Actually, a patch that breaks something because of an odd hardware configuration simply indicates architectural flaws in the OS.

It's funny how most people who run Linux don't trust their vendor enough to release patches in a timely manner, and actually whine about fixes being easy to get.

??.

I don't have time to sit on SecurityFocus all day and make sure I'm not affected by the myriad set of would-be bugs on my servers...

You should at least read up on what is being delivered to you during an "up2date" session, so you know what the configuration of your servers is at any moment. Software changes can have complex ramifications, if done blindly.

I think the rabid Linux people you are going after simply are the people who want to know where they actually are at any given moment. This is actually a responsible attitude towards system administration. If you don't have time for it, perhaps you are overworked and need an assistant?

The people I see who are the most rabid advocates of open source are also the most rabid advocates of doing everything themselves...

So certain Peruvian congressmen are uber-elite system administrators? People who simply want a non-proprietary Office format also write their own kernel modules?

Re:Browser == OS

[DunbarTheInept]

A corporation has to answer to customers if a patch breaks.

On the surface of it that would appear to be a true statement. But the existance of Microsoft is a counterexample. They often have broken patches and nobody bothers calling them to task for it.

Re:patch distribution model

[TobyWong]

No developer has control over the end user and how often they feel like updating/patching so the best they can do is expedite matters on their end. So yes, we should be asking "how long did it take for it to get fixed" because that is something the developer has direct control over.

Re:Browser == OS

[Tony+Hoyle]

We tried to install Win2k service pack 3 on two test machines to see if it broke anything. It destroyed them, right back to the 'can't find NTLDR' prompt.

Does microsoft answer to all the machines that SP3 breaks? (Some companies might not be as careful as us and could lose important data). No, the EULA explicitly states that they have zero liability even if sp3 triggers World War 3 (before GWB does).

Anyone who uses the 'liability' FUD about MS software deserves shooting. If it breaks, you get to keep both pieces (to coin a phrase).

Re:Slow down there.

[bergeron76]

You either need to trust your vendor to provide patches, or you need to realize that in the real world, not everyone has time to make a test bed and test that every CVS patch works the way it is claimed to.

I implicity trust Redhat, Mandrake, and all the major Linux vendors for that matter; _implicitly_. Based on nothing more than the fact that they have a proven track record of being trustworthy, and not eavesdropping/abusing/fscking the consumer. Microsoft on the other hand has a notorious reputation for abusing customers, vendors, programmers and competitors. I won't provide any references because I'm quite certain that google will provide more than I care to count. Do the homework yourself if you don't already agree.

If for no other reason than that, I will trust Redhat to provide "vendor" patches because I have no reason not to. For the record, I'm not one of those "paranoid"/"I'll fix the code myself" people you spoke of. I'm just joe-average-sysadmin with my company's best interests in mind.