Slashdot Mirror


Windows 98, Me, NT4, 2000 and XP SSL Flawed

JoeSmack writes "In amazingly unexpected news, ComputerWorld is running an article that says the SSL security hole found in Internet Explorer is not a flaw in the browser, but in the operating system itself." The article mentions that Konqueror was patched against the same bug in 90 minutes.

12 of 483 comments

  1. We really depend on the bugs by tshoppa · · Score: 3, Interesting

    Seeing continued OS-level design flaws in Microsoft products is, to me, reassuring. When MS goes ahead with Palladium I'm now quite confident that it will be riddled with fundamental design flaws that will make its "security" (read: capitalist totalitarianism rule over the masses) a joke.

  2. Bug is in inet.dll by sneakerfish · · Score: 3, Interesting

    MS TCP/IP stack is in inet.dll. That is probably where the bug is.

    I was a beta tester for IE4 (so flame me, OK) and I found a bug in the HTTP1.1 keep-alive implementation. They never saw it because they tested only against IIS and I tested against Apache which implemented it correctly of course.

    They didn't want to fix it until I explained that 60% (at the time) of the web runs on Apache servers.

    In fact the MS product manager wanted me to call "the Apache company and have them fix Apache." Duh. Me- "There is nobody to call sir, and the problem is YOUR problem and not theirs."

    They delayed IE4 for two weeks after it had gone gold to fix it. So don't flame me.

    Anyway, that bug was in inet.dll, and I bet this one is too.

    1. Re:Bug is in inet.dll by platypus · · Score: 3, Interesting

      IE4 was so uncompliant on a deeper level, it wasn't funny.
      There was a bug with packet fragmentation and redirects that caused internet explorer to display a blank page which said "Object moved, object can be found _here_.", where _here_ was a link to the target of the redirect.
      Funnily, their own proxy software tended to cause fragmentation of the redirect packet quite often.

      What I didn't understand was how they were capable of producing this bug; this completely negates everything I know about separating the different layers of transport.

  3. Re:Konqueror by captain_craptacular · · Score: 3, Interesting

    Doesn't matter if everyone is qualified. If they aren't, their suggestions will be ignored by those who are, who also happen to be those who integrate the suggestions/new code.

    --
    They who would give up an essential liberty for temporary security, deserve neither liberty nor security

  4. things I don't get by jeffy124 · · Score: 5, Interesting

    I saw the article earlier today. There are some things I just do not understand here. First some facts:
    • The bug is in the OS crypto services
    • It's NOT MS's crypto api
    • Only IE is affected.
    Time for rhetorical questions:

    Anybody else not see the lack of logic here? MS has two crypto implementations? One for the OS, one for the API? Why the redundancy? Why can't the OS use the API? Or conversely, why is the API necessary when the services are in the OS?

    How in the world is IE the only app affected? It seems more logical to assume that any app using these crypto services is also vulnerable.
    --
    The One Rule Of Chess You'll Ever Need: Don't play someone who carries a kit in their bookbag.
  5. Shared code ok - but what EULA? by Antity · · Score: 4, Interesting

    From the article:

    Microsoft officials said it makes sense for the operating system to provide cryptographic services to any application that needs it, instead of each application having to include its own cryptographic technology.

    They're perfectly right. Everybody can have a bug like this. But there are two problems that puzzle me:

    1. When will the patches for the OSes be available?
    2. And, the worse one: Will the patches for this really ugly security leak also come with Microsoft's new EULA that gives them access to one's computer?

    I really fear the time where users have to choose to either install a patch to fix a severe security hole and sell their (OS and computer data) souls to somebody else or just not fix their OS at all and be open to these man-in-the-middle attacks. This could become a very new quality of unsecured machines from a security point on the 'net: Users that don't want to install patches because they don't want Microsoft to own their machines - and trade this with security. (I can fully understand this.)

    With Open Source OSes, if the vendor won't fix a bug like this, somebody else would (maybe even you). With Windows, you have to rely on Microsoft even recognizing something as a bug. And if they do, there's nothing you can do but wait.

    Yes, I know, we all know this. But this problem hasn't gone away yet.

    --
    42. Easy. What is 32 + 8 + 2?
  6. Re:Let's be fair here by tshak · · Score: 3, Interesting

    But, lest we forget, this bug was reported to Microsoft a very long time ago. Furthermore, MS has not been trying to fix the bug. Instead they chose to try to place the blame on Verisign.

    Sometimes it is better to stick with the facts - even on Slashdot. Microsoft is A) working on a patch and B) claims to have not been alerted until it was publicly released. Here's some facts from MS's website:

    Despite the many challenges associated with exploiting the flaw, there is indeed a flaw here and Microsoft is developing a patch that will eliminate it.
    ...
    However, the report, which neglected to discuss any of the challenges associated with actually exploiting the vulnerability, was made public without any advance warning to Microsoft. Responsible security researchers have the safety of users in mind and work with vendors to ensure that the information published about potential vulnerabilities is balanced and, above all, correct.

    Reference: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/news/IARWSV.asp

    --

    There is no longer anything that can be done with computers that is nontrivial and clearly legal. -- Paul Phillips
  7. Re:Slow down there. by pmz · · Score: 3, Interesting

    You also have Microsoft software that runs on Macintosh, Solaris, HP-UX and FreeBSD computers.

    I work on Solaris every day...where's the Microsoft software? I know that IE is available for Solaris, but I certainly wouldn't be so stupid as to actually install it.

    ...there will be about 92 (I'm taking out the non-Windows, non-Linux users) people who receive the Microsoft fix

    You're giving the Windows users too much credit. The fraction of KDE users who will eventually upgrade KDE is much higher than the fraction of Windows users who will ever bother to patch their systems.

    Considering that there are hundreds of millions of people on the Internet, and hundreds of BILLIONS of different hardware configurations, the chance that a Microsoft fix will break something is much higher than the chance that a KDE fix will break something.

    Actually, a patch that breaks something because of an odd hardware configuration simply indicates architectural flaws in the OS.

    It's funny how most people who run Linux don't trust their vendor enough to release patches in a timely manner, and actually whine about fixes being easy to get.

    ??.

    I don't have time to sit on SecurityFocus all day and make sure I'm not affected by the myriad set of would-be bugs on my servers...

    You should at least read up on what is being delivered to you during an "up2date" session, so you know what the configuration of your servers is at any moment. Software changes can have complex ramifications, if done blindly.

    I think the rabid Linux people you are going after simply are the people who want to know where they actually are at any given moment. This is actually a responsible attitude towards system administration. If you don't have time for it, perhaps you are overworked and need an assistant?

    The people I see who are the most rabid advocates of open source are also the most rabid advocates of doing everything themselves...

    So certain Peruvian congressmen are uber-elite system administrators? People who simply want a non-proprietary Office format also write their own kernel modules?

  8. Re:Browser == OS by DunbarTheInept · · Score: 3, Interesting
    A corporation has to answer to customers if a patch breaks.
    On the surface of it that would appear to be a true statement. But the existence of Microsoft is a counterexample. They often have broken patches and nobody bothers calling them to task for it.
    --

    Don't label something "offtopic" unless you know the topic well enough to tell what's on topic.

  9. Re:patch distribution model by TobyWong · · Score: 3, Interesting

    No developer has control over the end user and how often they feel like updating/patching so the best they can do is expedite matters on their end. So yes, we should be asking "how long did it take for it to get fixed" because that is something the developer has direct control over.

    --
    - Toby
  10. Re:Browser == OS by Tony+Hoyle · · Score: 4, Interesting

    We tried to install Win2k service pack 3 on two test machines to see if it broke anything. It destroyed them, right back to the 'can't find NTLDR' prompt.

    Does Microsoft answer to all the machines that SP3 breaks? (Some companies might not be as careful as us and could lose important data). No, the EULA explicitly states that they have zero liability even if SP3 triggers World War 3 (before GWB does).

    Anyone who uses the 'liability' FUD about MS software deserves shooting. If it breaks, you get to keep both pieces (to coin a phrase).

  11. Re:Slow down there. by bergeron76 · · Score: 5, Interesting

    You either need to trust your vendor to provide patches, or you need to realize that in the real world, not everyone has time to make a test bed and test that every CVS patch works the way it is claimed to.

    I implicitly trust Redhat, Mandrake, and all the major Linux vendors for that matter; _implicitly_. Based on nothing more than the fact that they have a proven track record of being trustworthy, and not eavesdropping/abusing/fscking the consumer. Microsoft on the other hand has a notorious reputation for abusing customers, vendors, programmers and competitors. I won't provide any references because I'm quite certain that Google will provide more than I care to count. Do the homework yourself if you don't already agree.

    If for no other reason than that, I will trust Redhat to provide "vendor" patches because I have no reason not to. For the record, I'm not one of those "paranoid"/"I'll fix the code myself" people you spoke of. I'm just joe-average-sysadmin with my company's best interests in mind.

    --
    Don't think that a small group of dedicated individuals can't change the world. It's the only thing that ever has.