Windows 98, Me, NT4, 2000 and XP SSL Flawed

JoeSmack writes "In amazingly unexpected news, ComputerWorld is running an article that says the SSL security hole found in Internet Explorer is not a flaw in the browser, but in the operating system itself." The article mentions that Konqueror was patched against the same bug in 90 minutes.

things i dont get

[jeffy124]

i saw the article earlier today. there are some things I just do not understand here. first some facts:

• The bug is in the OS crypto services
  
• It's NOT MS's crypto api
  
• Only IE is affected.

Time for rhetorical questions:

Anybody else not see the lack of logic here? MS has two crypto implementations? One for the OS, one for the API? Why the redundancy? Why cant the OS use the API? Or conversely, why is the API necessary when there's the services are in the OS?

How in the world is IE the only app affected? It seems more to logical to assume that any app using this crypto services are also vulnerable.

Shared code ok - but what EULA?

[Antity]

From the article:

Microsoft officials said it makes sense for the operating system to provide cryptographic services to any application that needs it, instead of each application having to include its own cryptographic technology.

They're perfectly right. Everybody can have a bug like this. But there are two problems that puzzle me:

1. When will the patches for the OSes be available?
2. And, the worse one: Will the patches for this really ugly security leak will also come with Microsoft's new EULA that gives them access to one's computer?

I really fear the time where users have to choose to either install a patch so fix a severe security hole and sell their (OS and computer data) souls to somebody else or just not fix their OS at all and be open to these man-in-the-middle attacks. This could become a very new quality of unsecured machines from a security point on the 'net: Users that don't want to install patches because they don't want Microsoft to own their machines - and trade this with security. (I can fully understand this.)

With Open Source OSes, if the vendor won't fix a bug like this, somebody else would (maybe even you). With Windows, you have to rely on Microsoft even recognizing something as a bug. And if they do, there's nothing you can do but wait.

Yes, I know, we all know this. But this problem hasn't gone away yet.

Re:Browser == OS

[Tony+Hoyle]

We tried to install Win2k service pack 3 on two test machines to see if it broke anything. It destroyed them, right back to the 'can't find NTLDR' prompt.

Does microsoft answer to all the machines that SP3 breaks? (Some companies might not be as careful as us and could lose important data). No, the EULA explicitly states that they have zero liability even if sp3 triggers World War 3 (before GWB does).

Anyone who uses the 'liability' FUD about MS software deserves shooting. If it breaks, you get to keep both pieces (to coin a phrase).

Re:Slow down there.

[bergeron76]

You either need to trust your vendor to provide patches, or you need to realize that in the real world, not everyone has time to make a test bed and test that every CVS patch works the way it is claimed to.

I implicity trust Redhat, Mandrake, and all the major Linux vendors for that matter; _implicitly_. Based on nothing more than the fact that they have a proven track record of being trustworthy, and not eavesdropping/abusing/fscking the consumer. Microsoft on the other hand has a notorious reputation for abusing customers, vendors, programmers and competitors. I won't provide any references because I'm quite certain that google will provide more than I care to count. Do the homework yourself if you don't already agree.

If for no other reason than that, I will trust Redhat to provide "vendor" patches because I have no reason not to. For the record, I'm not one of those "paranoid"/"I'll fix the code myself" people you spoke of. I'm just joe-average-sysadmin with my company's best interests in mind.