Windows 98, Me, NT4, 2000 and XP SSL Flawed

JoeSmack writes "In amazingly unexpected news, ComputerWorld is running an article that says the SSL security hole found in Internet Explorer is not a flaw in the browser, but in the operating system itself." The article mentions that Konqueror was patched against the same bug in 90 minutes.

How many apps will this break?

[Vengie]

Uh-oh. IANA Windows Developer....does anyone know how many apps use this API that microsoft might potentially break? (Fixing bugs: good, breaking stuff: bad....)

Re:How many apps will this break?

[catwh0re]

Microsoft make the following point:

"Microsoft officials said it makes sense for the operating system to provide cryptographic services to any application that needs it, instead of each application having to include its own cryptographic technology."

However from this example alone, we can already see that if each program did have it's own crypto, then the user would be much more secure, rather than relying on Microsoft for security(akin to getting hounds to mind a butchers store.)

Re:How many apps will this break?

[Vegeta99]

And ity would make applications much more bloated like, shall we say... GNU/Linux?

Browser == OS

[keesh]

not a flaw in the browser, but in the operating system itself

There's a difference? I thought they were the same thing...

Re:Browser == OS

[torndorff]

Actually, the fact that it is in the CVS makes it accessable to anyone who wants it. Granted not many end users will connect to the CVS and get the latest dev version of KDE, but at least it's there.

Windows on the other hand cannot do this. I respect your point in saying they have a lot of money and customers to deal with, but their perspective on security is a bit skewed. No Windows user can fix their SSL flaw if theyre extremely paranoid, they can only hope that MS will sheild the exploit from the script kiddies of the world.

But youre right, LinuxToday is getting bad.

Re:Browser == OS

[RelliK]

I pointed out that both Microsoft and the KDE project have a history of poor security

And KDE's history of poor security would be...?

I also mentioned that, just because a fix is in the KDE project's CVS, does not mean that it is available for everyone - that will have to wait until the next release.

Bull shit. Ever heard of Debian's apt-get, Mandrake's urpmi, RedHat's up2date, etc.? It's up to each vendor to make the fix available to the users. You can also install it yourself without waiting for the vendor to catch up.

Microsoft has hundreds of millions of customers across the world, and the systems handle billions of dollars of revenue... this puts a huge responsiblity to get their fixes right and properly tested

Then can you explain why Microsoft releases bugfixes that uhhm break stuff? Despite the fact that Microsoft takes 2-3 months to uhhh "test" stuff, Open Source community has a much better track record in this regard.

Quite frankly, LinuxToday is becoming unreadable by anyone not a) a KDE super-fan b) rabidly anti-Microsoft.

Quite frankly, you are an idiot spreading FUD.

Re:Browser == OS

[optikSmoke]

Actually, the fact that it is in the CVS makes it accessable to anyone who wants it. Granted not many end users will connect to the CVS and get the latest dev version of KDE, but at least it's there.

On top of this, I believe there has been mention of them backporting the fix as far back as KDE2.2.2 so users who don't want to get the fix from CVS can fix their systems.

Re:Browser == OS

[LMCBoy]

The fix was also backported to non-HEAD branches of CVS. So, all you'd have to do is specify a "stable" branch like KDE_3_0_BRANCH.

Re:Browser == OS

[transient]

You generaly don't want to run cvs software on servers.

You also generally don't want to run KDE, or anything else involving X, on servers.

--

Re:Browser == OS

[tshak]

Great post. Although Linux patches are generally more prompt, one has to consider the testing aspect. A corporation has to answer to customers if a patch breaks. If a Linux (or another OSS program) patch breaks, they claim it was "Alpha" and can "patch the patch" (read: APATCHY web server). This still gives a slight edge to OSS in the long run, but it's not as dramatic as "90minutes vs. 45 days".

Re:Browser == OS

[DunbarTheInept]

A corporation has to answer to customers if a patch breaks.

On the surface of it that would appear to be a true statement. But the existance of Microsoft is a counterexample. They often have broken patches and nobody bothers calling them to task for it.

Re:Browser == OS

[tshak]

They often have broken patches

Microsoft has released hundreds of patches (thanks to swiss cheese security design) within the last year. Could you please quantify the percentage of documented bugs that make your claims of "oft-broken" patches true? I've applied a [rediculous] number of patches to Windows and I've never had one break on me. Of course, that's very anecdotal, but it's at least some form of evidence.

Re:Browser == OS

[HiThere]

Quite frankly, you are an idiot spreading FUD.

What proof do you have that he's an idiot? I thought that it was a rather good job. Well, at least far superior to the average FUD.

Re:Browser == OS

[DunbarTheInept]

You provide all the evidence I need right there in your own post. If the patches weren't broken you wouldn't need multiple ones to fix the same problems.

Re:Browser == OS

[RelliK]

Well, this summer alone, I have seen a fair number of Konqueror security flaws posted

How many? One?

Also, most vendors do not provide CVS packages for things like this. Hell, debian still doesn't even have an official KDE3. And even if there is a CVS version, how many people are going to be quick to hop on it, considering the code in CVS is typically beta at best? And what newbies are even going to know about this?

Some ridiculously stupid mumbles there. Each distribution has an easy way of upgrading the packages. In Debian it's "apt-get updage; apt-get upgrade". In Mandrake & RedHat you just run the GUI updater software. The update icon is right there on the desktop.
Nobody is suggesting that you should install a CVS version of software to get a security fix. The fixes are backported into the stable branches of the software, and vendors package them. Wow, what a concept!

And then your issue on bugfixes. Are you trying to say that OSS patches never break anything?

No, I'm saying that Microsoft breaks stuff more often despite taking months to release a fix.

Re:Browser == OS

[Tony+Hoyle]

We tried to install Win2k service pack 3 on two test machines to see if it broke anything. It destroyed them, right back to the 'can't find NTLDR' prompt.

Does microsoft answer to all the machines that SP3 breaks? (Some companies might not be as careful as us and could lose important data). No, the EULA explicitly states that they have zero liability even if sp3 triggers World War 3 (before GWB does).

Anyone who uses the 'liability' FUD about MS software deserves shooting. If it breaks, you get to keep both pieces (to coin a phrase).

Re:Browser == OS

[the+eric+conspiracy]

they claim it was "Alpha" and can "patch the patch" (read: APATCHY web server

The "patchy" web server has a security record so far superior to Microsoft's IIS that the edge is more like 4 milliseconds vs. 4 billion years.

The number and severity of compromises of IIS is legendary (the FBI has ranked IIS as the number one security problem on the internet). There have been times where the servers I administer have been recieving more hits from compromised IIS installations trying to spread virii than they have from legitimate users. The problem got so severe last summer that my broadband ISP had to block port 80 to keep their network up.

And this is NOT an issue of population base causing statistics to be skewed - the patchy web server has more installations than all others combined.

Re:Browser == OS

[tshak]

This is flawed logic. By the same logic I can say that all of the very numerous patches needed for Apache (remember the history of the name. hint: A PATCHY) were because the patches were broken.

Re:Browser == OS

[jaavaaguru]

Windows users can do something about it, they could use a better web browser such as Netscape 7 or Mozilla 1.1b.

Re:Browser == OS

[DunbarTheInept]

How many of those patches are related to the same exact thing? The windows patches keep fixing the same problems over and over.

the funny thing

[vectus]

is that for most consumers, this doesn't even matter. I mean, they will be effected by the security hole, but if their computer gets hacked or something, they'll end up just blaming their own lack of computer knowledge. They'll eventually install the patch from windows update (if they know how to access windows update), and then blindly keep surfing the net and playing "who wants to be a millionaire".

Re:the funny thing

[mosch]

Actually, I prefer to play Who Wants To Smoke My Honeybear.

Oh, that's good then...

[MrFenty]

...Scott Culp, manager of the Microsoft Security Response Center said that the SSL flaw doesn't affect any other application outside Internet Explorer and that it's a client-side issue only.

Glad it's only a client side issue then.

What's the problem?

If you bothered to read Bill Gate's .plan, you would know that he eventually will own everything.

So, what's he afraid of? Stealing from himself?

Didn't mention Windows 95

[SpanishInquisition]

So I guess it's safe.
It's a good thing I didn't upgrade.

Re:Didn't mention Windows 95

I wonder if this is why my computer thinks it's 1902. And here I thought my ssl certs wouldn't expire for another 101 years.

Re:Didn't mention Windows 95

[ncc74656]

So I guess it's safe. It's a good thing I didn't upgrade.

IIRC, Win95 was end-of-lifed a while back. Whatever holes remained in Win95 at that time will never be fixed.

(Then again, IE was never an integral part of Win95. You could presumably run Win95 & Mozilla (assuming Mozilla supports Win95...turns out that it does) and not run into these problems.)

Re:Didn't mention Windows 95

[MsGeek]

That Stones song you referenced has a refrain that goes "You make a grown man cry." 7 years after Windows 95 retail came out, this still applies to MS operating systems.

Re:Didn't mention Windows 95

[rmohr02]

Then again, IE was never an integral part of Win95...

It was if you installed IE4.0+. I could never tell a difference b/w Win95 w/ IE 4.0 and Win98.

favorite quote

[nestler]

Microsoft officials said it makes sense for the operating system to provide cryptographic services to any application that needs it, instead of each application having to include its own cryptographic technology.

This "makes sense" up until the point where you have to patch your kernel instead of upgrading a library. When OpenSSL had a bug, they fixed it and you could upgrade OpenSSL. When Konqueror had this specific bug, it could be uprgraded easily enough. Now Windows users have to patch their entire OS to fix this (or just use another browser that doesn't use the crypto-in-the-kernel routines).

Re:favorite quote

[GiorgioG]

This "makes sense" up until the point where you have to patch your kernel instead of upgrading a library. When OpenSSL had a bug, they fixed it and you could upgrade OpenSSL. When Konqueror had this specific bug, it could be uprgraded easily enough. Now Windows users have to patch their entire OS to fix this (or just use another browser that doesn't use the crypto-in-the-kernel routines).

Why is everyone nitpicking over this? What difference does it make if one has to patch an application or an OS (Is an OS not an application?) What other crypto services do you use in Windows at the moment outside of your browser? Ok, Ok, I know you all hate MS/Windows, but this is just childish.

Re:favorite quote

[topham]

Because it takes Microsoft far longer to release a patch for an OS than an application.

By the way, read the article and you find out that according to Microsoft the bug only effects IE, yet it is contained in an OS level API.

Huh? Shouldn't that mean anything using that same API would have the problem? Unless of course this is just one piece of the IE code they toss in an in-appropriate DLL.

No, can't be. Microsoft wouldn't do that.

Re:favorite quote

[proj_2501]

The term "operating system" often means more than "kernel". Library patches can be a real pain in the butt to apply if, especially if you've been distributing statically linked binaries!

Re:favorite quote

[tswinzig]

You are looking at this from the perspective of a linux user. When someone says 'the OS' you think the kernel. But when Microsoft says 'the OS' they mean the kernel and the thousands of .dll's that work with the kernel. I'd be VERY SURPRISED if the crypto functionality they're talking about is actually in the kernel!

Re:favorite quote

[Ed+Bugg]

Ummm I use crypto services outside of my browser all the time. My VPN client that I use to attatch to my company's network. I at times have a need to send encrypted/signed emails. My network uses Novell's NDS which heavily uses digital certs (hidden from the user) for authentication. My wife's computer is running WinXP and everytime it loads a driver it checks the digital signature on the driver.
I'm sure that others that use Windows more than I do can come up with other applications that use the crypto API.

Re:favorite quote

[topham]

Thats funny.

According to the EULA Microsoft Isn't responsible for the code either.

I'm a programmer by trade.

Microsoft doesn't have a fucking clue.

Re:favorite quote

[Amazing+Quantum+Man]

Here's a question - who do I sue if that bug in Konqueror causes me to lose money? Nobody!

Here's another question. Who do you sue if that bug in IE causes you to lose money? Nobody! Read the EULA!

Re:favorite quote

[sphealey]

Here's a question - who do I sue if that bug in Konqueror causes me to lose money? Nobody! Microsoft is a corporation, they have to be sure whatever they fix doesn't create 14 other security holes or Joe Schmoe will sue their pants off and in turn piss off their shareholders.

Who do you sue if a bug in any software product by SuperMegaSoft causes you to lose money? I have been involved with software contracts large enough to bring even Microsoft to the negotiating table, and even though the software purchased under those contracts did have bugs that caused us to lose money, and even though we had pretty good lawyers, we didn't have a chance in the world of collecting a penny via lawsuits.

sPh

Re:favorite quote

[topham]

I sure as hell could have implemented the API in question without this fuckup.

I could also patch the source code in about 10 minutes, then check the propgation of the error code and verify it is handled correctly, another 10 minutes. Longer if it isn't of course, but again, not the end of the world, other Certificate errors are already handled.

Send it off for 3rd party testing and have results back within what, an hour?

Add in the time to generate a certificate for testing, blah blah... Your not talking days. Regardless.

And no, Microsoft doesn't have a a god damn clue how to write an OS or divide functions up between appropriate DLLs.

By the way, go ahead and try to sue Microsoft based on the assumption that EULA won't stand up in court. You can't.

Re:favorite quote

[j7953]

Umm, even Microsoft doesn't implement all of the Windows API in the kernel. The cryptography services are a shared library, just like OpenSSL.

Re:favorite quote

[Verizon+Guy]

Yeah, just ask RMS... "The kernel is Linux, but the Operating System is GNU."

Re:favorite quote

[tshak]

Since when was one DLL the "entire OS". Just because it's packaged with the OS or even integrated doesn't mean that it's not just as easy of a patch.

Re:favorite quote

[KaiserSoze]

When OpenSSL had a bug...
When Konqueror had this specific bug...
Now Windows users have to patch their entire OS...

Funny thing about that, though, is that its probably still easier for the average user to patch a windows installation than to upgrade or rebuild to a new version of a linux app. Of course, what else the Windows patch breaks as it fixes the known problem is another matter altogether :)

Re:favorite quote

[rmohr02]

Shouldn't that mean anything using that same API would have the problem?

Yes. But nobody but M$ stupid enough to trust M$'s closed source encryption API.

Re:favorite quote

[ceejayoz]

I sure as hell could have implemented the API in question without this fuckup.

And I'm sure you could implement thousands of different ones without ever making a mistake, right?

Bugs are a given in anything as complicated / huge / bloated as Windows. Same goes for just about any program more complicated than "Hello World".

Re:favorite quote

[ceejayoz]

You can't hold Linux distributers accountable for lost data, either. What the fuck is you point?

Re:favorite quote

[(void*)]

But if I was a programmer at MS, who would check my code other than the few people tasked to do so?

And if I was the user, who can disover and fix this error? Not me!

Re:favorite quote

[irix]

Go ahead, point out a case where a corporation has successfully sued Microsoft over a bug in their software.

I'm waiting............

Re:favorite quote

[gilroy]

Blockquoth the poster:

You can't hold Linux distributers accountable for lost data, either. What the fuck is you point?

OK, this is some weird acausal spacetime irregularity, right? Way back when, someone said something like, "Microsoft is slow to release patches becasue they have to test them extensively. If they didn't and someone lost data, they could be sued. On the othe hand, KDE is Open Source and there's no one to sue, so they can force patches out the door and quality be damned!"

So a bunch of people have replied that, although Microsoft likes to spread that FUD, under the EULA they force you to accept, you can't hold them liable, either. So really that excuse for the slow response of Microsoft doesn't hold water.

Re:favorite quote

[topham]

As a programmer I'm fully aware of that. BUt the specific case that came up is downright embarasing. A simple test case would have caught it.

I hope the programmers working on Konquerer pay attention, not just to the bug, but why they missed it.

I expect better of them than I do Microsoft.

Re:favorite quote

[sheldon]

When Konqueror had this specific bug, it could be uprgraded easily enough.

Where do I download the patch?

I know nothing about compiling source code.

What goes around comes around...

[R2.0]

This is the result of "integrating" IE into the OS. Now when there is a "browser" sesecurity problem, it's really an OS problem.

Sorry MS - kill by integration, be killed by integration. It's a circle of life kinda thing...

Re:What goes around comes around...

[platypus]

Hmm,
actually the idea to put security sensitive piece of software in a library isn't bad.
While I have no idea how this specific case is handled in linux, it's clear that also in linux cryptographic libraries exist and are used throughout different apps.

>ls -1 /usr/lib /usr/lib/libssl.a /usr/lib/libssl.so.0 /usr/lib/libssl.so.0.9.4

see?

Re:What goes around comes around...

[OnyxRaven]

Blockquoth platypus:

actually the idea to put security sensitive piece of software in a library isn't bad.
While I have no idea how this specific case is handled in linux, it's clear that also in linux cryptographic libraries exist and are used throughout different apps.

Exactly right and having the crypto in a library every can get at is a good thing. What you missed was that this windows problem isnt in the security library it should have been in.

"Company officials added that the flaw isn't in Microsoft's CryptoAPI application program interface (CAPI) either, which would have left a number of applications and Windows services vulnerable, not just Internet Explorer."

So they screwed up and didnt include this code for verifying trust signatures in their API, its somewhere in the OS.

And although knowing MS's previous security problems, its highly unlikely that this a problem in the kernel, since it affects NT based as well as 9x based systems.

Re:What goes around comes around...

[Verizon+Guy]

Before everyone goes berzerk over "Microsoft the Evil Integrator!", I'm gonna take a wild stab at it and say the problem lies somewhere in here:

C:\WINNT\system32>dir crypt*.*
Volume in drive C is Local Disk
Volume Serial Number is 46D4-73A2

Directory of C:\WINNT\system32

08/23/2001 07:00 AM 554,496 crypt32.dll
08/23/2001 07:00 AM 70,144 cryptdlg.dll
08/23/2001 07:00 AM 29,184 cryptdll.dll
08/23/2001 07:00 AM 48,640 cryptext.dll
08/23/2001 07:00 AM 53,248 cryptnet.dll
08/23/2001 07:00 AM 51,200 cryptsvc.dll
08/23/2001 07:00 AM 470,016 cryptui.dll
7 File(s) 1,276,928 bytes
0 Dir(s) 19,188,736,000 bytes free

Re:What goes around comes around...

[Peaker]

Funny, my dad's Windows XP is crawling while KDE, especially Konqueror is running fast as hell here.
He's also more happy using it as its so much easier for him..

Re:What goes around comes around...

[tshak]

This is the result of "integrating" IE into the OS. Now when there is a "browser" sesecurity problem, it's really an OS problem.


This statement is void of any technical reality. IE's SSL implementation uses a shared library a lot like OpenSSL. If MS's definition of "integrate" means "package" so that you, as a 3rd party developer, KNOW that you'll have specific libraries and API's available on certain client OS's. So, yes, it's an "OS" problem in the sense that anything using the OS's SSL lib is affected, just like with OpenSSL.

Quick fix

[Subcarrier]

You can disable SSL in the advanced options menu. ;-)

It doesn't make too much sense

[thelinuxking]

The article says: "SSL flaw doesn't affect any other application outside Internet Explorer and that it's a client-side issue only" But if it only affects IE, and not programs such as netscape (which also of course runs on windows), then technically it IS a problem with IE!

Uh-oh

[buzzdecafe]

Here's a golden opportunity for MS to ramrod another "We can root your machine" EULA down the throats of desperate Windows Victims.

Oh good, it's not an IE bug

[freerangegeek]

We only wrote bad code that made it through QA for 5 different versions of the OS dating back to the mid 90s. Of course, with Palladium, our new secure platform, things like this will never happen. Good thing we got that patch out quick!

(Oh wait, that was the Konqueror people!)

We'll I'm sure with our new secure computing focus it will be out any time now. Please don't stop doing ecommerce, just because all your personal data can be hacked, just use Passport.

(Oh wait, that happens with Passport too!)

Ummmm...

Re:Oh good, it's not an IE bug

[SlugLord]

Now now! You're just not being fair! Windows has done wayyyy too many good things to let ONE LITTLE ISSUE like this ruin their reputation. I mean there's never been a security problem with Windows before... Why is that? because Microsoft is good for business! The "unstoppable Windows NT" never crashes, and to prove it, Have you ever seen what the MS developers call a "blue screen"? No! of course you haven't, because it never crashed. Get this: All the new versions have this "blue screen" built in as well, but I don't know anybody who has ever seen one. Why? because it just can't crash. But laying that aside, I think it's unfair to accuse Windows of being insecure... after all, Outlook is secure and it uses SSL, right? I know all you people like to bash Microsoft, but the fact is that you're just jealous because Microsoft products are so good that nobody feels the need to compete. (except for Steve Jobs, but he's a fanatic that likes inferior hardware... c'mon, one mouse button?)

Yet again...

[estoll]

I am so shocked to hear Microsoft didn't follow the standards when implementing SSL. I wonder what other technologies they have failed to implement according to the standards everyone else follows?

Re:Yet again...

[Scutter]

I am so shocked to hear Microsoft didn't follow the standards when implementing SSL.

Neither did Konqueror. Blame where blame belongs, please. It's trendy to just blame everything on the Big Evil Empire, but let's not forget they aren't the only ones who have bugs.

Re:Yet again...

[ergo98]

Sweet time? Indeed, saying that the Konquerer team fixed it in 90 minutes makes them sound very irresponsible, not proactive : Every change like that can have hundreds of ramifications, and I assure you that there is a programmer at Microsoft who could point to a particular segment of code and say "There, we just need to change that line right there". But after several high profile incidents where someone did a change and it broke a dozen large applications, they seem to be a lot more weary about that nowadays. Working in software development, I've seen many situations in large systems where someone wanted to rush out an incompletely thought out feature or fix and the net result was disaster.

Re:Yet again...

[estoll]

Monopolistic is the key in your reply. It is easy to blame the big guy when they are screwing you.

Re:Yet again...

[shyster]

Sweet time? Indeed, saying that the Konquerer team fixed it in 90 minutes makes them sound very irresponsible, not proactive : Every change like that can have hundreds of ramifications, and I assure you that there is a programmer at Microsoft who could point to a particular segment of code and say "There, we just need to change that line right there". But after several high profile incidents where someone did a change and it broke a dozen large applications, they seem to be a lot more weary about that nowadays. Working in software development, I've seen many situations in large systems where someone wanted to rush out an incompletely thought out feature or fix and the net result was disaster.

I don't know, 90 minutes sounds ok for Konqueror. It's a relatively simple application (a web browser). IE is a bit more complicated, due to its hooks into the OS. Now that MS says the flaw is actually in the OS, we're talking about a much larger code base and potential impact for a patch to break things.

Also, Microsoft isn't really known for releasing beta patches (though they do it occasionally), whereas open source projects (like Konqueror) can put it on CVS and wait to see if bug reports come in before releasing a new version.

Re:Yet again...

[zurab]

Sweet time? Indeed, saying that the Konquerer team fixed it in 90 minutes makes them sound very irresponsible, not proactive : Every change like that can have hundreds of ramifications...

I think if you are going to call KDE team "very irresponsible" you should state at least some of the "hundreds of ramifications" that KDE's fix has caused. If you have no such data, then you have no grounds to criticize them, and calling negative names in that manner is simply FUD.

Re:Yet again...

[Arandir]

Every change like that can have hundreds of ramifications

Well duh! That's why they didn't make a release ninety minutes later!

If the fix had remained on the developers desk, no one could have possibly tested it. But by committing it to CVS, the testing can begin.

As a professional software developer, I expect I could have done a moderate amount of unit testing before I committed a fix like this. But there's no way in hell anyone is going to be able to do any integration or systems test until I commit it to the code base.

Code review and QA testing occur in the CVS tree. Neither can happen until the code is committed. Or are you recommending that KDE start using a private, restricted and closed development environment?

Re:Yet again...

[RWarrior(fobw)]

This makes me wonder why the code in question isn't modularized to the point where such changes -don't- have this kind of effect. Maybe it's my poor programming, but if you modularize to -very- tiny levels, you may be able to reduce these kinds of effects. Global variables bad.

Re:Yet again...

[the+eric+conspiracy]

I am so shocked to hear Microsoft didn't follow the standards when implementing...

You left out the tag.

Re:Not a big deal!

[Skyshadow]

Yeah, along with whoever discovered and reported the problem. Now that's scary.

Re:Not a big deal!

[Wrexen]

Can we stop with the "Foo blah blah DMCA foo!" jokes already? The first 600 or so were funny (ok maybe not), but it's getting old. Especially when the subject matter has nothing to do with copy control circumvention or the ??AA businesses

We really depend on the bugs

[tshoppa]

Seeing continued OS-level design flaws in Microsoft products is, to me, reassuring. When MS goes ahead with Palladium I'm now quite confident that it will be riddled with fundamental design flaws that will make its "security" (read: capitalist totalitarianism rule over the masses) a joke.

Re:We really depend on the bugs

[GutBomb]

pixel-shadered

is that like when the football gets kickered down the field?

90min to the fix, but how long to the masses?

[lalleglad]

In order to make sure we compare apples to apples and oranges to oranges, I suppose it would be fair to ask the question of when the Konqueror fix will be available to the normal and possibly rather non-sophisticated public consumer crowd?

I mean, when the fix becomes ready from MS (weeks or months, but it will) it will be applicable to most users of Windows, but the current fix for Konqueror after 90min weren't immediatly ready for the masses.

So, when will it?

Bug is in inet.dll

[sneakerfish]

MS TCP/IP stack is in inet.dll. That is probably where the bug is.

I was a beta tester for IE4 (so flame me, OK) and I found a bug in the HTTP1.1 keep-alive implementation. They never saw it because they tested only against IIS and I tested against Apache which implemented it correctly of course.

They didn't want to fix it until I explained that %60 (at the time) of the web runs on Apache servers.

In fact the MS product manager wanted me to call "the Apache company and have them fix Apache." Duh. Me- "There is nobody to call sir, and the problem is YOUR problem and not theirs."

They delayed IE4 for two weeks after it had gone gold to fix it. So don't flame me.

Anyway, that bug was in inet.dll, and I bet this one is too.

Re:Bug is in inet.dll

[platypus]

IE4 was so uncompliant on a deeper level, it wasn't funny.
There was a bug with packet fragmentation and redirects that caused internet explorer to display a blank page which said "Object moved, object can be found _here_.", where _here_ was a link to the target of the redirect.
Funnily, their own proxy software tended to cause fragmentation of the redirect packet quite often.

What I didn't understand was how they were capable to produce this bug, this completely negates everything I know about seperating the different layers of transport.

Re:Bug is in inet.dll

[shyster]

MS TCP/IP stack is in inet.dll. That is probably where the bug is.

Yeah, I'm sure the code for checking the heirarchy of SSL certificates is in the TCP/IP stack .dll.

Maybe peer reviewed code isn't really that great of an idea after all....

Long-term fix

[Damek]

Use a different web browser.

(or better yet, a different OS altogether...) ;-)

News

[Citizen+of+Earth]

Windows 98, Me, NT4, 2000 and XP SSL Flawed

Isn't this supposed to be " News For Nerds"?

Re:Konqueror

[captain_craptacular]

Doesn't matter if everyone is qualified. If they aren't their suggestions will be ignored by those who are, who also happen to be those who integrate the suggestions/new code.

things i dont get

[jeffy124]

i saw the article earlier today. there are some things I just do not understand here. first some facts:

• The bug is in the OS crypto services
  
• It's NOT MS's crypto api
  
• Only IE is affected.

Time for rhetorical questions:

Anybody else not see the lack of logic here? MS has two crypto implementations? One for the OS, one for the API? Why the redundancy? Why cant the OS use the API? Or conversely, why is the API necessary when there's the services are in the OS?

How in the world is IE the only app affected? It seems more to logical to assume that any app using this crypto services are also vulnerable.

Re:things i dont get

[J.+J.+Ramsey]

"Anybody else not see the lack of logic here? MS has two crypto implementations? One for the OS, one for the API?"

Um, maybe one crypto service is for SSL, while the other is for, oh, maybe encrypting files?

There are so many good reasons to bash MS, why invent a bad one?

Re:things i dont get

[Target+Drone]

MS has two crypto implementations? One for the OS, one for the API? Why the redundancy?

Ever wondered where all that bloat comes from?

Let's be fair here

[IamTheRealMike]

Now I'm a Linux user and lover, as anybody who reads my past comments can discover. But let's be fair to Microsoft here - all this talk is of how fast KDE (actually Waldo Bastion) patched the bug, as if this makes them superior to MS.

You know what? I bet the 'soft could do this too. I mean have a guy, or team of guys available 24/7 to patch bugs. And you know what else? They'd still get flack for it, as Microsoft don't release patches straight away - for better or for worse, they do actually test them first (usually), make sure they don't kill wierd and exotic installs etc. I know they've released dodgy patches, but my point is that Microsoft isn't an overnight operation.

And more to the point, how does this patch get to people? Via autoupdate of course. The patch may have been written in 40 minutes, but it's still not available on SuSE auto update (as far as I can tell) despite the fact that Waldo works for SuSE! We really need to stop patting ourselves on the back simply because we can see the progress of the patch and Microsofters can't, otherwise this bullheaded arrogance WILL bite us on the ass.

Re:Let's be fair here

[FreeLinux]

You do have some valid points that should be addressed and probably will be over time. But, lest we forget, this bug was reported to Microsoft a very long time ago. Furthermore, MS has not been trying to fix the bug. Instead they chose to try to place the blame on Verisign.

Regardless, of whether Verisign should shoulder some of the blame or not, Microsoft simply dismissed a potentially serious problem. A week later, we find out that, not only is it Microsoft's problem, but it is in the OS itself not just the browser like we had thought. Conversly, KDE was able to identify the problem and produce a fix in 90 minutes.

Now, to your point about the availability of the patch to everyone, as I said you have point. But, if you check out KDE's site you will find that they clearly state that they do NOT distribute binaries. KDE distributes source code only and that patched source code is, and has been, available. KDE leaves binary distribution up to the distros to handle. So, Suse and Red Hat et al need to step it up a bit but, KDE did a great job!

Re:Let's be fair here

[tshak]

But, lest we forget, this bug was reported to Microsoft a very long time ago. Furthermore, MS has not been trying to fix the bug. Instead they chose to try to place the blame on Verisign.

Sometimes it is better to stick with the facts - even on Slashdot. Microsoft is A) working on a patch and B) claims to have not been alerted until it was publicly released. Here's some facts from MS's website:

Despite the many challenges associated with exploiting the flaw, there is indeed a flaw here and Microsoft is developing a patch that will eliminate it. ...
However, the report, which neglected to discuss any of the challenges associated with actually exploiting the vulnerability, was made public without any advance warning to Microsoft. Responsible security researchers have the safety of users in mind and work with vendors to ensure that the information published about potential vulnerabilities is balanced and, above all, correct.

Reference: http://www.microsoft.com/technet/treeview/default. asp?url=/technet/security/news/IARWSV.asp

Re:Let's be fair here

[drinkypoo]

KDE leaves binary distribution up to the distros to handle. So, Suse and Red Hat et al need to step it up a bit but, KDE did a great job!

In other words: Microsoft has divisions responsible for each part of this process -- Development, testing, packaging, distribution. Let us also not forget spin control, which in KDEland is handled by users.

Microsoft may be at the very same place as KDE, which is to say, the patch has been completed. We don't know, because their processes are not "open", as KDE's are. Now the patch must be built (outside of KDE dev) by the various (fragmented) teams which will eventually package and distribute it... redhat, suse, and so on. Then it must be completely tested; some distributions are better about this than others, of course; some just see if it compiles, and if it does they pack it up and make sure their package installs, then they send it out. Some of them actually run some tests. Some go through the trouble of creating and running a test plan.

Anyway, the users are doing the spin control for KDE. As such there are many different (again, fragmented) messages floating around, as evinced by the running commentary here. Microsoft has one messages, which may be a lie of course. However, from a purely business standpoint, it makes sense to have one story.

90 Minutes for Konqueror fix.

[FreeLinux]

90 minutes????? What are the KDE boys doing, sleeping???

This is just unacceptable. I cannot believe and refuse to accept that it could take 90 minutes to get a major security fix out for a browser. This is completely unacceptable. It's no wonder everyone uses IE.

I guess the Microsofties were right after all. Support for open source software is nearly impossible to find.

-- Before you post, are you sure you got it?

Re:90 Minutes for Konqueror fix.

[Tim+Macinta]

This is just unacceptable. I cannot believe and refuse to accept that it could take 90 minutes to get a major security fix out for a browser. This is completely unacceptable.

Yes, there's no way that Konqueror can compete at that rate. The fix for IE was out even before the bug was reported. Everybody can download the fix for IE here.

Re:this is good news

[Salsaman]

Just use mozilla or kmeleon. They are not affected by this bug.

Well, DUH.

[Spencerian]

I've already gushed about this gem o' news already, concerning MS's piss-poor plan to introduce better security in their OS's via Palladium...

Trustworthy computing as its finest...

[lysurgon]

...indeed.

Thank's for those memos, Bill.

Hmmm

[Patik]

The article mentions that Konqueror was patched against the same bug in 90 minutes.

Note that this doesn't mean the bug was only there for 90 minutes, it was there for [months, years, I don't know]. Why didn't Konqueror take the initiative to fix this before instead of waiting until it was published? Sounds like they had the fix all along and were just waiting for the announcement so they could look good by fixing it so quickly.

Re:Hmmm

[Arandir]

Well maybe, just maybe, KDE didn't know about this bug until it was reported. Ever think of that?

Re:Not a big deal!

[Otter]

1) Make contrived, stupid DMCA jokes.
2) ???
3) Profit

All your base are belong to us!

Re:this is good news

[JabberWokky]

http://sf.net/projects/kde-cygwin/

Although, as others have pointed out, Konqueror is really a *nix app (not just a Linux app or even an X app, as commonly assumed). You'd be best off just grabbing a copy of Mozilla if you're really worried.

--
Evan (no reference, not even to a certain Toho Industries character)

(I thought the Browser was claimed to BE the OS!)

[Jeremiah+Cornelius]

Client-side issue is the BIGGEST - most intractable problem. Culp said this to minimize the issue. He only reassures large commercial bodies of their liability,This does not minimize anything.

Dial-up users with ignorance of patch/upgrade will never be able to trust on-line transactions. This is the vast majority of users, and the problem is going to haunt individuals for 2+ years.

On an OS Providing Cryptographic service

[dh003i]

Microsoft officials said it makes sense for the operating system to provide cryptographic services to any application that needs it, instead of each application having to include its own cryptographic technology

Yes, indeed, it does make sense for the OS to provide such a service to any program that wants to use it, so long as that's a GOOD service.

In general, it makes sense to provide everything from outside the program, and just have the program call on outside services. However, that means you need to make the outside services good, and it means that those writing programs don't just string together a bunch of requests (i.e., draw this, check that calls) but also work on looking for fixes to the common outside service, which would be shared by many programs.

In other words, this approach only makes sense when the outside services are OSS / FS / public domain, which means that developers of programs can check their integrity and submit improvements. Otherwise, its just a big black hole for developers: should I trust this cryptographic routine, or shouldn't I? One never knows with proprietary routines. One can check, and improve such routines provided OSS / FS.

Re:On an OS Providing Cryptographic service

[kcbrown]

When I use a 3d API like glide, openGL, or D3D, I don't give a damn how they work. And what's more, I'm not going to go digging into their guts to "check their integrity and submit improvements." The whole reason I'm using an API/service is to save myself time by *not* having to deal with the routines the services provide.

Which is fine for most types of libraries.

But we're talking about cryptography libraries here -- libraries which are used to keep data secure. A bug in one of these libraries doesn't merely cause the occasional strange artifact on the screen, or the occasional application crash. A bug in a crypto library can very easily mean that the data that you thought was secure really isn't. That's a much more serious consequence, and it's why bugs in crypto libraries have to be taken more seriously.

Re:On an OS Providing Cryptographic service

[dh003i]

Your argument sure sounds good, but OSS/FS/public domain libraries aren't any better than those provided by MS when you find a bug. Maybe you're a programming genius who can immediately immerse yourself in an entirely new code module and just *know* where the bug is, but for us mortals it's just not practical to go bug hunting every time we find one in someone else's "good outside service."

Your argument sure sounds good, but you ignore a few key points: documentation and communication.

Documentation. Source code isn't just plopped out there. Alot of times, the specific parts are well-documented.

Communication. If you know what kind of vulnerability your looking for, or what kind of stability problem you need to fix, or where you want to improve performance, you can e-mail the developer with your inquiries, asking him/her what the relevant parts of the source-code are.

Re:On an OS Providing Cryptographic service

[sheldon]

In other words, this approach only makes sense when the outside services are OSS / FS / public domain, which means that developers of programs can check their integrity and submit improvements.

Granted, peer review by others is always a good idea.

Now what would you say if Microsoft understands this so that they have third parties such as RSA Laboratories help to develop and review their cryptographic routines? It's really not all that hard to believe that third parties work with Microsoft, is it?

I guess my question is, are you claiming that somehow you know more about cryptography than some of the well known members of the crypto community? I guess I'm just curious if giving you the source code is really going to make much of a difference?

This OSS is the only way to achieve peer review trumpet has been tooted too many times without any thought behind it to still be credible.

Re:On an OS Providing Cryptographic service

[dh003i]

Your question is irrelevant.

All that's relevant is the results, and MS has a crappy record.

It takes them ages to release bug fixes, and they're hardly upfront about security vulnerabilities/problems.

Maybe OSS isn't the only way. However, its certainly produced great results so far with minimal costs. Compare that to MS -- horrible results, with outrageous costs, and their products are ridiculously pricey.

Re:On an OS Providing Cryptographic service

[sheldon]

Your question is irrelevant.

No, the only thing irrelevant here is your inability to argue with my point.

Re:On an OS Providing Cryptographic service

[dh003i]

You don't have a point, because MS' products have a legacy for being ridden with security and stability problems, not to mention other annoying bugs. Whatever organizations MS uses to help it check for problems obviously aren't doing their job very well.

Even if these organizations are good, they obviously aren't doing enough for MS. Maybe RSA is the best at what they do, but they certainly haven't made MS' products the most stable or secure. MJ may be the best basketball player, but he didn't make the Wizards the best basketball team.

Please try thinking next time.

Re:On an OS Providing Cryptographic service

[dh003i]

By the way, you fail to mention that many Linux vendors -- i.e., RedHat, TurboLinux -- also have relationships with RSA (type in Linux to see), thus nullifying any potential advantage MS would have over them via RSA.

Re:On an OS Providing Cryptographic service

[sheldon]

Please try thinking next time.

Isn't it amazing when people are faced without the ability to make a valid argument they accuse the other side of not thinking?

The only way your argument could be considered logical is if the OSS way of doing things was better. Unfortunately that is not the case, so your entire argument simply falls apart.

Re:On an OS Providing Cryptographic service

[dh003i]

The only way your argument could be considered logical is if the OSS way of doing things was better. Unfortunately that is not the case, so your entire argument simply falls apart.

Actually, the OSS way is the better way of doing things: its produced better results. Duh. Please don't try to tell me that WinXP is as secure and stable as Debian, Slackware, OpenBSD, or FreeBSD. Its not. Period.

That's the results. And you can't argue with that: OSS has simply produced superior results so far. In other words, the evidence supports my theory. The only thing you have is your theories, which aren't backed up by reality.

Even in theory, the OSS way of doing things is better. With OSS, you have the "many eyes" advantage, in that anyone can look for problems and fix them; you can also get expert help from organizations like the RSA.

You are the one who is veering from the real issues here. You still haven't responded to the widely acknowledged fact that security/stability is much better on a properly configured (which is basically out of the box, for OpenBSD and Debian) Linux/BSD box. Nor have you responded to my point that BSD/Linux organizations can get help from the RSA as well. MS isn't the only one who can work with the RSA.

With Linux and BSD, problems -- be they performance, security, or stability -- are openly acknowledged and usually quickly fixed. No press-spin is done to try to make it look better.

With MS, problems are not acknowledged and they'll sue you via the DMCA or any other applicable law if you point out problems with their software. Additionally, fixes come out at a very slow pace (though not quite as slow as fixes come out for Solaris).

So part of it comes down to the fact that you can't trust any corporation. Corporations are there to take money from your pocket and put it into theirs: not to make good products. They'll use any methods they deem will more likely than not give them more money, be those methods legal or illegal, whether they benefit their customers or not (refer here to MS' forced upgrade scheme).

Re:thought SSL wasn't secure anyway

[Jeremiah+Cornelius]

Dsniff was used as part of the practical exploit here.

The BugTraq post describes the nature of a MOTM exploit using this vulnerability.

A BugTraq reader was able to successfully demonstrate this using dsniff and OpenSSL as his tool kit. Screenshots on his site illustrate this, with his own bank account!

MS's master business plan

[dh003i]

Make products buggy as hell, then get people to upgrade and pay them for it by releasing new versions which have fixed the old bugs, but introduced new bugs. Repeat ad infinetum.

In parallel, also make sure to develop file formats and "standards" which aren't backwards compatable and don't work with any other OS', so as to lock people into MS products and force costly upgrades.

Bwuhahahaha.

Microsoft, Libraries and DLL

[topham]

Why is it, every 6 months or so, I get into an argument with somebody over the fact Microsoft doesn't seem to have a clue what DLLs are for?

I have people try to convince me that the integration of Internet Explorer into the Operating System is a good thing.

Where the hell do these people get their training? Microsoft has a tendancy to put function calls where they are convenient for the programmer at hand (not necessarily any future programmers mine you), not in the most appropriate DLL. This isn't unusual, it happens. But why the hell do people justify it??

Why the hell am I using a Web Browser (something whos base design is to browse web pages!!) to manage files on a local computer? The old Windows Explorer worked better and had a more appropriate (although similar) interface.

And then, when I chalenge them on this they always retort: Can you write an OS?

Damnit, yes I can. I don't have the time to write one, but I -could- write one.

Even if I couldn't, Microsoft is very much an example of bad design in general. (They have some well desgiend aspects to a lot of programs too. But Clippy isn't one of those!)

Re:Microsoft, Libraries and DLL

[tb3]

Why is it, every 6 months or so, I get into an argument with somebody over the fact Microsoft doesn't seem to have a clue what DLLs are for?

I have people try to convince me that the integration of Internet Explorer into the Operating System is a good thing.

Never argue with an idiot. Listeners can't tell which one's which.

Let's be even fairer...

[2short]

And note that I got the patch from windows update this morning. Total effort required by me: one mouse click.

Wait! what am I saying! this is slashdot, quick, ignore the facts:
"Micro$oft will probably patch this in a year, and then no one will get it cuz it requires 34 reboots to install"

The real question is...

[dubiousmike]

Will this affect my ability to surf pr0n?

Object Moved

[Verizon+Guy]

The object can be found here.

I liked this article under its former name, "IE and Konqueror Bug Makes SSL Insecure"

And to add to the irony, posting a Microsoft-bashing article placed against a giant square ad that says "Microsoft Visual Studio.NET - Try it Now! Get your Trial DVD today!!" is just ignorant.

patch distribution model

[Kris+Warkentin]

This is a pretty important point. Just because the KDE people fixed it doesn't mean everyone will have it. Instead of asking, "How long did it take for it to get fixed", we should be asking, "How long until it is widely enough deployed such that exploit writing becomes unprofitable?" It seems to me that even if Microsoft is a little slower getting a bug fixed, the universal "Windows Update" probably gets the patch on a greater percentage of machines more quickly.

Of course, the number of Windows desktops dwarfs the number of KDE desktops so if even a small percentage of Windows installations don't get patched, it would probably be about the same as if KDE never got patched at all. ;-)

Re:patch distribution model

[spectral]

How many people do you know actually go to Windows Update? I've had several people call me and ask me to get rid of the critical update notification because they were too stupid to figure out how to turn it off. They didn't want to update, they wanted to do what they already knew how to do, and didn't care about anything else that got in their way. To expect people to go out of their way to update something like this is a bit skewed. I think a much, much higher percentage of people who use linux (kde/konqueror) would know/care enough to keep up to date on patches and upgrades. Not because they're necessarily more paranoid about security (though i'm sure that's the case for some people), but because they know more and know that it's usually a good idea.

People who only want to use AIM, Winamp, IE, and whatever email program they've been trained to use (probably outlook express) don't want to deal with "SSL Vulnerability!" notifications popping up in their system tray.

And they certainly don't care enough to go looking for fixes in Windows Update, even though the link to it is right at the top of the start menu.

Re:patch distribution model

[Jondor]

I doubt and disagree. The possitive site of OS is that the moment a patch is available everybody CAN get it and usualy it doesn't take that much longer before patched version start showing up on freshrpm and the like.

Windows update on the other site makes updating easy, but then again with tens of megabyte big fixpacks which have to be downloaden with reboots in between doesn't make things easier either. If the update doesn't break the machine more than the problems it fixed to start with. Not to mention all those windows machines without network or just a modem for which this option is completely useless. And then one day they go online...

Besides, considering I still get a few hunders nimda and code red attempts a day on my servers, having an update service may help in absolute numbers, but in relative numbers I'm not so sure.

Of course when linux gets more mainstream it will run into these problems too. most people are just a little lazy.

Re:patch distribution model

[TobyWong]

No developer has control over the end user and how often they feel like updating/patching so the best they can do is expedite matters on their end. So yes, we should be asking "how long did it take for it to get fixed" because that is something the developer has direct control over.

tinfoil hat post #1

[oliphaunt]

Am I the only one who sees it coming? The Reg has an article about the new EULA for Win2K SP3 that gives MS explicit permission to examine your hard drive for installed hardware and software usage data. The SSL patch, when it comes, will surely include the same EULA...

Re:Define "Operating System "

[Peaker]

In the Windows case you have to reboot.
In Linux, you just load a loadable module, no recompilation/reboot required.

Re:ms market share

[shyster]

I think it's ironic that MS has pushed netscape and the rest out of the browser market, and has managed to make the purpose of ssl worthless...

And I think it's ironic that some /.'ers think this exploit is such a trivial one to pull off that it makes https:// worthless. For most intents and purposes, this isn't a practically useful exploit...it'd be much easier to just install a trojan/keylogger/etc.

Re:Konqueror

[bigjocker]

As if 'everyone' were qualified to do so

Well, as a matter of fact everyone is qualified to review anything. The issue here is that anyone who wants to do so should be able to review any code that handles their private and critical information.

If you have a good knowledge of the area you could make suggestions and even corrections. If those corrections are added to the final product is a decision of the maintainers of the software.

It's a win/win situation. Besides, anyone here can tell you that you will write a _lot_ better code if you know that anybody will be able to see it.

Shared code ok - but what EULA?

[Antity]

From the article:

Microsoft officials said it makes sense for the operating system to provide cryptographic services to any application that needs it, instead of each application having to include its own cryptographic technology.

They're perfectly right. Everybody can have a bug like this. But there are two problems that puzzle me:

1. When will the patches for the OSes be available?
2. And, the worse one: Will the patches for this really ugly security leak will also come with Microsoft's new EULA that gives them access to one's computer?

I really fear the time where users have to choose to either install a patch so fix a severe security hole and sell their (OS and computer data) souls to somebody else or just not fix their OS at all and be open to these man-in-the-middle attacks. This could become a very new quality of unsecured machines from a security point on the 'net: Users that don't want to install patches because they don't want Microsoft to own their machines - and trade this with security. (I can fully understand this.)

With Open Source OSes, if the vendor won't fix a bug like this, somebody else would (maybe even you). With Windows, you have to rely on Microsoft even recognizing something as a bug. And if they do, there's nothing you can do but wait.

Yes, I know, we all know this. But this problem hasn't gone away yet.

Re: Shared code ok - but what EULA?

[Antity]

True, a small percentage of users will care

Thanks for this interesting reply. This is what I'm experiencing every single day, too.

On the other hand: How many % of people did care about this maybe 10 years ago? And how many do now?

I feel that awareness of these problems has risen. It's still low, but AFAICS from here, more people actually care than did several years ago.

I hope this will continue, and I do my best. This includes discussing things like this with my mom, dad, siblings, and friends whenever such an issue arises. It's often frustrating, but I really see it as something I have to do to have them think about it. Make them care. Make them think before they buy.

This is the very complement of what the industry does: They try to tell everybody that they don't have to care about things like this. Everything is fine, and if something goes wrong, of course they will do their best to help their customers. Lies. Seen this far too much already.

Re: Shared code ok - but what EULA?

[lizzybarham]

Here's the situation:

I use linux on my systems but my mother uses Win98. I basically take care of her machine and it provides the connection to the net. Recently I became aware of a flaw in MSN-Messanger and decided to upgrade but pulled on the brakes when I saw the EULA - meaning I refused to upgrade and the MSN-Messanger on her machine is not secure.

Since the EULA's apply to the latest, secure versions of their code and I disagree with their EULA, I essentially have a frozen win98 machine in regards to MS code (which includes the OS).

While most people may ignore the EULA, not all of us do and their new EULA is beginning to cause some serious problems for those of us who purchased the OS when the newer EULA was not in affect.

The general EULA system is becoming more of a problem; they are showing up on more and more software. For example, in order to run a 'support' java applet I was supposed to agree with a EULA that wasn't even applicable to the current situation (it mentioned "evaluation purposes only" which I was *not* going to do). So, I did not install it. It seems that if these companies are going to make us agree to their EULA they could at least spend the time up making their EULA fit to the particular situation.

Windows update was available on 8/16 at 9am EST

[gatkinso]

or something like that.

In fact, my XP and 2000 systems automatically updated - they notified me that there was a patch, what it was for, and could I please press OK to update my computer?

Then it just happened.

No sweat.

Re:Windows update was available on 8/16 at 9am EST

[PsychoSpunk]

Yeah, it was for a problem in the Network Manager. Of course, since this was the big 'sploit of the week, you and 2short seem to have mistaken the patch for something that it's not. This morning's patch description

I'll tell you why

[tunabomber]

Anybody else not see the lack of logic here? MS has two crypto implementations? One for the OS, one for the API? Why the redundancy?

The logic is so obviously simple:

increased redundancy == increased failsafety

So, if one of the crypto API's has a security hole, the OS can rely on the backup API, just like how a bike with one flat tire can be ridden home on the remaining good tire.

I tell you, those MS guys really got some effective circumetry in their noggins!

Re: integration vs modularity

[Antity]

modularity vs. integration. Now of course it's very nice to offer lots of services built into the operating system, because it means that your developers have to do less work, their apps are smaller, and their time-to-market is significantly shorter, if they can merely use one of your API calls.

Yeah, but it makes it harder to write portable applications.

Surprise, surprise...

(In this case, the article mentions that Internet Explorer is nearly the only application to use these OS functions at all. But the concept is clear - Put more convenient functions into an OS so that vendors won't write them on their own. The resulting product is then bound to this single OS - if the vendor doesn't want to pay more to his programmers to re-program all this code. Most won't, after they've start selling the product. And: This will artifically make porting a product to another OS seem more expensive.)

Slow down there.

"Then can you explain why Microsoft releases bugfixes that uhhm break stuff?"

Despite your glaring lack of maturity in the above sentence, I figured I would respond.

Microsoft software (Windows/Office/Internet Explorer or any combination of the above) runs on approximately 95 out of every 100 client computers on the Internet. Now, on those computers, you have every piece of weird x86 hardware ever invented, from crappy $5 ISA modems to $5,000 SCSI RAID arrays. You also have Microsoft software that runs on Macintosh, Solaris, HP-UX and FreeBSD computers.

Now, figure that Linux runs on approximately 1 out of every 100 client computers on the Internet. (This is a high guess -- I'm giving Linux the benefit of the doubt here.) Now assume that KDE runs on 100% of those computers (also an extremely high guess.) So for every 1 person who receives the KDE fix, there will be about 92 (I'm taking out the non-Windows, non-Linux users) people who receive the Microsoft fix.

Considering that there are hundreds of millions of people on the Internet, and hundreds of BILLIONS of different hardware configurations, the chance that a Microsoft fix will break something is much higher than the chance that a KDE fix will break something.

"Ever heard of Debian's apt-get, Mandrake's urpmi, RedHat's up2date, etc.? It's up to each vendor to make the fix available to the users."

Oh, I love these arguments. It's funny how most people who run Linux don't trust their vendor enough to release patches in a timely manner, and actually whine about fixes being easy to get. "But I run Linux so I can do everything myself!"

I run about 12 Linux servers. I trust my vendors (Red Hat and Sun Cobalt in this instance) to provide me with timely updates. But the funny thing is that whenever I recommend that people trust their vendor for services like Apache or PHP and use up2date, I get laughed at. In fact, when I say that I use Red Hat and Sun Cobalt, I get laughed at. "Why not just compile everything yourself? Why not just use Debian?" Well, guess what, ladies and gentlemen -- I run a profitable business off of my servers and I don't have time to sit on SecurityFocus all day and make sure I'm not affected by the myriad set of would-be bugs on my servers. I trust my vendor to test the updates on their set of supported hardware and release them to me in a timely manner. I will then run the vendor-supported update tool and download them.

The people I see who are the most rabid advocates of open source are also the most rabid advocates of doing everything themselves -- the epitome of the "trust no one" saying. These are the SAME people, much like yourself, who also say that it's up to the vendor to release patches. I have news for you. You either need to trust your vendor to provide patches, or you need to realize that in the real world, not everyone has time to make a test bed and test that every CVS patch works the way it is claimed to. You can't bash Microsoft for taking time to release tested updates and then claim that Linux is better because you can install a fix that is untested instead of "waiting for the vendor to catch up".

Re:Slow down there.

[pmz]

You also have Microsoft software that runs on Macintosh, Solaris, HP-UX and FreeBSD computers.

I work on Solaris every day...where's the Microsoft software? I know that IE is available for Solaris, but I certainly wouldn't be so stupid as to actually install it.

...there will be about 92 (I'm taking out the non-Windows, non-Linux users) people who receive the Microsoft fix

Your giving the Windows users too much credit. The fraction of KDE users who will eventually upgrade KDE is much higher than the fraction of Windows users who will ever bother to patch their systems.

Considering that there are hundreds of millions of people on the Internet, and hundreds of BILLIONS of different hardware configurations, the chance that a Microsoft fix will break something is much higher than the chance that a KDE fix will break something.

Actually, a patch that breaks something because of an odd hardware configuration simply indicates architectural flaws in the OS.

It's funny how most people who run Linux don't trust their vendor enough to release patches in a timely manner, and actually whine about fixes being easy to get.

??.

I don't have time to sit on SecurityFocus all day and make sure I'm not affected by the myriad set of would-be bugs on my servers...

You should at least read up on what is being delivered to you during an "up2date" session, so you know what the configuration of your servers is at any moment. Software changes can have complex ramifications, if done blindly.

I think the rabid Linux people you are going after simply are the people who want to know where they actually are at any given moment. This is actually a responsible attitude towards system administration. If you don't have time for it, perhaps you are overworked and need an assistant?

The people I see who are the most rabid advocates of open source are also the most rabid advocates of doing everything themselves...

So certain Peruvian congressmen are uber-elite system administrators? People who simply want a non-proprietary Office format also write their own kernel modules?

Re:Slow down there.

[jedidiah]

You are vastly overestimating the number of hardware combinations. Furthermore, you are vastly overestimating the number of MUNDANE hardware combinations. Once you eliminate the statistically irrelevant in terms of WinDOS, the number of reasonable hardware configuration tests cases don't outnumber the ones for Linux by all that much. You neglect the fact that there are plenty of people running Linux with an even more random collection of hardware.

Then again, Microsoft fixpacks break things without even getting into issues like what particular video card is in a machine. In these instances (Lotus Notes), hardware isn't even an issue.

Linux is no less subject to the "random collection of spare parts" problem than is WinDOS.

Re:Slow down there.

[raistlinne]

"Considering that there are hundreds of millions of people on the Internet, and hundreds of BILLIONS of different hardware configurations, the chance that a Microsoft fix will break something is much higher than the chance that a KDE fix will break something." Are you suggesting that microsoft is as amazingly stupid as SSL directly using hardware would suggest? Most people who outright hate microsoft wouldn't suggest that they're that dumb. Hint: SSL has no requirements as far as hardware goes, at all. SSL should not depend on much of anything, at all. SSL is provided to other things to depend on.

Re:Slow down there.

[ajs]

Wait. The poster asked if you'd heard of vendor-updates (he gave several examples). Then you proceded to berate him and the community in general because others (not the poster) had "laughed" at your use of those tools.

That means that you agree with the poster to whom you were responding, no?

If so, then I guess I agree with you too.

I disagree with you on Debian. Debian is a nice Linux distribution that does maintain security and bug-fix updates well. apt-get is every bit as good as (and in many cases better than) rpmui or up2date or redcarpet for maintaining a secure and otherwise patched system.

I happen to be a Red Hat user at work and at home, but that doesn't mean that I ignore the value of other distributions (be they commercial or volunteer).

Re:Slow down there.

[Malcontent]

Let's say you need to update a 100 windows machines when MS finally get around to issuing a patch. What do you do? Go to each machine and press windows update, answer a a few questions, click a few buttons, and reboot at least once.

Let's say you need to do the same thing with a 100 debian machines. You write a script which takes about 15 minutes and you run it.

Which costs you less time and money?

Re:Slow down there.

[bergeron76]

You either need to trust your vendor to provide patches, or you need to realize that in the real world, not everyone has time to make a test bed and test that every CVS patch works the way it is claimed to.

I implicity trust Redhat, Mandrake, and all the major Linux vendors for that matter; _implicitly_. Based on nothing more than the fact that they have a proven track record of being trustworthy, and not eavesdropping/abusing/fscking the consumer. Microsoft on the other hand has a notorious reputation for abusing customers, vendors, programmers and competitors. I won't provide any references because I'm quite certain that google will provide more than I care to count. Do the homework yourself if you don't already agree.

If for no other reason than that, I will trust Redhat to provide "vendor" patches because I have no reason not to. For the record, I'm not one of those "paranoid"/"I'll fix the code myself" people you spoke of. I'm just joe-average-sysadmin with my company's best interests in mind.

Re:Slow down there.

[jsse]

"Why not just compile everything yourself? Why not just use Debian?" Well, guess what, ladies and gentlemen -- I run a profitable business off of my servers and I don't have time to sit on SecurityFocus all day and make sure I'm not affected by the myriad set of would-be bugs on my servers. I trust my vendor to test the updates on their set of supported hardware and release them to me in a timely manner. I will then run the vendor-supported update tool and download them.

I feel obliqued to answer regardless of the fact that you choose to be a coward.

Exactly what kind of profitable business you are doing? Yes you could trust your vendors to supply the latest fixes to you in timely fashion, but you don't seem to get the idea of risk management. If your 'profitable business' cannot bear the loss resulted in not-up-to-time fixes from vendors, you must check closely with latest security updates.
Since you mentioned security update site like security focus, have you realize that there's nothing you can do when your vendor like Microsoft who don't give a damn to the security problems in their products and you've no choice but to remove the problematic products until they are generously enough to release the patch?

In conclude, you either has no clue on the word 'risk' or you simply have way too much money to spare(or your boss has way too much spare money to hire the like of you). :)

Re:Slow down there.

[delta407]

How about using Software Update Services? Takes you ten seconds to click on the update, download it to your local SuS server, and have it automatically installed onto all of the clients with whatever parameters (install at 3:00 AM and automatically reboot, install silently in the background and prompt, etc.) you specify.

Look, you may simply be blindly bashing Microsoft, but they actually do have some decent administrative tools. Ever hear of "Group Policy"?

Know the facts.

Re:Slow down there.

[Malcontent]

I have heard of group policy. Have you ever used it? It's a piece of shit. Same goes for roaming profiles, terminal server, etc. MS makes crappy products that promise much more then they deliver. I have not used the SUS but reading their FAQ it looks like I would have to go from desktop to desktop and install the client. If it's anything like SMS or anything else from MS it will be half usable piece of shit.

Every product MS makes delivers 70% of what the white papers promise.

Re:Slow down there.

[delta407]

Roaming profiles work if you set them up correctly. Terminal server is IMO a huge resource hog and is a waste of licensing.

And as far as deploying the SUS client goes, you can use Group Policy to do it. Group Policy is quite powerful, if you take the time to actually understand it. I dislike Microsoft as much as the next guy (and move as much as possible to *nix), but Microsoft is not a bad choice on a corporate desktop.

Not to flame, but: as someone else had said, I sincerely hope you are not responsible for maintaining a significant number of machines. Ignoring things like Group Policy (because "it's a piece of") results in losing a lot of functionality (like automatic deployment of whatever software you choose) -- but, hey, go around to each machine if you want. Install that software, change that local security policy, add that registry key...

Look. Microsoft thought of these things long before you started complaining about it. If you don't like their solution, fine. There's nothing to stop you from sitting down at all of those hundred machines and setting stuff up manually.

This bugs me

[ehiris]

I really hate to hear about security bugs related to SSL and anything that has to do with my personal credit cards.

Does this really mean that people that weren't ment to might have my credit card numbers now?

Should everybody have to get replacement credit cards now? It is the banks that will eat the loss but in reality it should be Microsoft. It is their fault for giving me a fake sense of security due to false advertising!

Minor problem

[Florian+Weimer]

It's sad to say, but given all those unpatched bugs in Internet Explorer, this flaw is a minor issue. Why bother with DNS Spoofing etc., when you just can install and start any executable you want on your victim's computer?

It's funny that Microsoft always comments publicly on the minor bugs, but ignores the serious ones, just until they release a patch.

In defense of microsoft

[cp5i6]

How many people out there are REAL Windows Admins? Seriously? I bet not that many are true windows admins. Using windows does not qualify you as an admin. I'll admit I'm very weak on my nix admin but that's because I don't bother learning about it. In my mind Windows 2k can be just as good an OS. I bet many of you don't know that Microsoft's knowledge base acutally keeps track of all it's bugs and patches for them before they stick it on Windows Update for the rest of the masses. I bet many of you don't know that microsoft has a tool called hfnetchk ... what does it do?.. It'll download the LATEST patches that microsoft has available for you to use. It'll check your system to see what patches are installed and what aren't and give you a report telling you which article # in MS knowledge base you can find the patch for you problem. More tools you want?... How about Qchain... (which i know many of you don't know about either) that lets the user install multiple patches WITHOUT rebooting your system multiple times. For IIS Windows has IISlockd .. which many wanna-be admins didn't bother finding out during the time when nimda worms were going crazy. And the list goes on I can easily list pages worth of other tools that windows has that most people don't know about because they're ignorant. If anything I'd say windows has done a wonderful job by making people lazy. But let's take a step back. I bet many of you are saying pfft the Nix machines have this and that tool. Think about that for a moment.. why would a multibillion dollar corporation, who have a million times more resources then the average linux programmer, not bother to make a similar tool for windows if it's so useful? Kinda defies logic doesn't it especially since nowadays with IBM's backing of linux MS needs to compete performance and feature wise even more (or are you going to tell me that MS has a stranglehold on IBM?). So before anyone else goes on with the typical. . "wat you expect form MS" read up about what MS really has and acutally maintain an intellectual conversation

Re:In defense of microsoft

[Alien+Being]

Your comment is informative, but what good are auto-update scripts when there are no updates?

Re:In defense of microsoft

[ffatTony]

You make a valid point, but please, please in the future use paragraphs, extra lines, bullets, anything.

Can you provide some reference documentation to some of these commands?

I think the confusion people experience is that windows has hidden away the command prompt so expertly with pretty widgets and now those cool balloons (weeeeee!).

I myself use cygwin for the perfect "fake unix" experience, but I've been told I'm weird.

Does this affect Mac OS X Browsers?

[OS24Ever]

How about Mac OS X or OS 9 Browsers, are they affected at all?

On Censorship

[Nailer]

If you think slashdot is bad, consider that you can at least post here... even it it does ultimately end up at -1.

Not quite. I was recently banned from posting to Slashdot for around a month (every time I attempted to post to a form, Slash would tell me I `wasn't allowed' to do that). I generally post intelligently, my karma sits at a perpetual excellent and has since it was fifty.

The only reason I can think of is because around the time I was banned I made a joke that the Slashdot editors didn't like. A joke that was

• moderated up accordingly
  
• on topic
  
• funny , if I do say so myself
  
• but apparently mentioned a `bad' word.
  

Judge for yourself - and decide how free of censorship Slashdot truly is

Re:On Censorship

[pmc]

You were banned for a month bacuase of a posting you made 17 days ago? What did they do - drag you back in a time machine after the ban was finished?

Re:On Censorship

[Nailer]

The rapper mentioned, Ludacris, uses this word all the time. So do many top selling popular R + B and rap artists. Why can't I use it? Political correctness (attempts to censor thought) disgusts me. Mentioning that Microsoft might be the best tool for the job doesn't.

More IE bugs?

[thogard]

I run an apache server with mod_ssl. About two weeks ago we started geting complaints from mac people that they were getting encryption error. Last week the problem started with IE on win2k. Yesterday I downloaded the latest IE and run it on winNT and it worked fine. One the "security update" was applied, it started having problems with ssl connections to apache servers (but not IIS servers)

So there are more bugs out there and this one is going to make the Apache crowd look bad.

Professionals or for the masses

[anonymous+cupboard]

MSKB doesn't get the stuff that quickly, nor the special security bulletins.

I have hfnetchk and yes, it works and d/ls patches that Micrsoft have released. If they haven't released the patch yet, you are stuffed. I also have qchain and I don't trust it (some fixes didn't stick after being chained) and anyway, why should I have to run it? I manage 2K server boxes and it makes life easier.

However, there are a lot of 0wn3d 2K and XP boxes out there which can be used DOS me, you or Slashdot at the drop of a hat sitting on Cable modems or ADSL. The guys running those boxes are at home and as someone else points out over half couldn't find the C:\ prompt if they tried.

On Linux, I use RedHat's up2dat and XImian's Red Carpet. Very nice and very prompt with fixes. I also have Gentoo, but this is definitely not for people who dislike shell prompts.

Patting yourself on the back?

[sheldon]

Ok. I have Red Hat 7.3 Linux... I have KDE 3.0 installed on this machine.

I want to know the answer to two questions.

a. Am I vulnerable?
b. If so where do I download a binary patch?

http://www.kde.org has no news postings about this flaw, they are apparently more interested in letting us know about a release candidate for KOffice.

http://bugs.kde.org is unreachable.

http://www.redhat.com has no security bulletins relating to KDE 3.0 that shipped with Redhat 7.3.

Meanwhile back at the ranch, you go to http://www.microsoft.com/security, click on the IT Professional information and this issue is the top headline. Yes, there is no patch yet, but at least Microsoft is acknowledging that there is a problem and letting us know that they are working on it.

Fact is, until there is a binary patch available for my Redhat 7.3 install, along with a security bulletin on the website at least acknowledging the issue... the issue is not resolved.

Oh yeah, I find no mention of this on the Mandrake Linux website either despite them shipping with KDE 2.2.x which is supposedly impacted. You know with all this patting yourself on the back, you sure haven't done anything to help out the enduser.

No

[Otis_INF]

The person who found the SSL flaw in IE (and thus in Windows) said in his first mail to the bugtraq mailing list that he didn't bother mentioning this to Microsoft because he didn't believe it would help anyway.

I can only say that this kind of stupid behaviour is ruining more people than it does any good. Yesterday Microsoft released a patch for SQLServer, the fix was for a flaw which was reported in late July. At the same day the patch was released, the person who found the bug mails to the bugtraq mailing list.

THAT's how it should be done.

And yes, some KDE developers fixed it in 90 minutes and MS hasn't come up with a patch. Who cares who comes first. With MS you can be sure it's tested on a large set of setups. With the KDE patch, you can be sure it's not tested on a large set of setups. It's a client side risk now, but in general, do you trust patches on mission cricital systems when it's not tested on a large amount of setups? I surely won't.

Re:No

[Malcontent]

"VisualStudio.NET bombs the Linux developer right back to the stone age."

Fist MS called open source developers communists, then they called open source a cancer now they are associating open source developers with Al Quada terrorists.

The tone get more violent as time goes on, the analogies grow more hateful as time goes along. I think it's time to be scared if you are an open source developer. It's clear MS is trying to incite the masses into committing violence against open source developers and advocates.

Re:Oh, that's good then... Thank God for Opera

[Frodo420024]

> I hope that Opera's Not affected by this

It is.

But they posted V 6.05 within 24 hours, making the fix available to Joe A. User before anyone else.

Say goodbye to frame rate indicators

[yerricde]

You think every corporation using Microsoft software is bound by their consumer licenses?

Yes. If not when they install the software, they become bound by the standard Microsoft EULA once they install any patches from Windows Update. Such EULA contains terms like "You may not disclose benchmark results of the .NET framework to a third party. For example, if you make a video game using the .NET framework, you may not include a frames-per-second indicator."

Enough with the underpants gnomes!

[yerricde]

1. Make contrived, stupid business model jokes.
2. ???
3. PROFFIT!!!1!1

Re:OSR2 never hit retail

[rmohr02]

Ok, now I know there is a difference. I never noticed the lack of USB support because the only computers I've run 95 & 98 on didn't have USB ports.

I *am* an open source developer

[Otis_INF]

I just think VS.NET makes a hell of a difference when it comes to raw productivity, when you compare the total package with a combination of tools on Linux. That's all there is to say about the sig. I also think you should read more serious media and less rant'n'raves on trollsites like The Register.

ps: my OSS is solely for Win32/.NET and BSD licensed, but still open source.

Re:I *am* an open source developer

[Malcontent]

" I just think VS.NET makes a hell of a difference when it comes to raw productivity, "

Yada Yada I don't care what you think. I care that you chose to use "bombing open source developers back to the stone age" metaphor. This was the same terminology that people used when describing the US bombing of the taliban and al quada in afghanistan. Apparently you wanted people to associate open source developers with the taliban and alqada specifically and terrorists generally. This is in keeping with MS executives trying to smear open source developers with labels lice "cancer", "communist" and "un american". It is also in keeping MS executives using mass murderer terms to talk about competition like "knifing the baby" and "cutting off the air supply".

"ps: my OSS is solely for Win32/.NET and BSD licensed, but still open source."

Good for you becuase it is illegal for you to produce GPLed code using VS.NET. It says so right in the EULA. It's also illegal to write GPLed code which uses the .NET framework.

Re:(OT)Windows 95 partition size limit

[rmohr02]

Did they have hard disk drives bigger than 2 GB?

Nope--the combined size of all the HDs was less than 2GB.

They don't sell patches

[Mandelbrute]

Think about that for a moment.. why would a multibillion dollar corporation, who have a million times more resources then the average linux programmer, not bother to make a similar tool for windows if it's so useful?

Simply because they have a marketing focus, they have driven many a better product into the ground by outselling and outbullshitting. They worked out long ago that they didn't need to be in the business of producing good software - but just good enough software (like in building a bridge - if it only has to take bicycles you don't make something elaborate and expensive). Their main failing in my eyes is by overstating the specs when they are selling the things - equivalent to saying that you can get your 350 tonne mining truck over the bridge designed for bicycles.

Consider as an equivalent, Hollywood and the movie "Three Weddings and a Funeral." More money was spent on promoting the movie in the USA than was spent on making the film in the first place. A lot of businesses make money that way, and Microsoft appears to be no exception.

haha

[Otis_INF]

You should see some counseler, dude. I don't see the link between software making and afghanistan.

and FYI: I'm a far left wing participant, 'bombs back to the stone age' is an expression, it has nothing to do with death nor with war.

About the GPL: I don't agree with RMS' POV so I'll never choose a non-freedom license like the GPL.

About the GPL and some EULA: I live in the Netherlands, where like in other European countries, some judges have decide no EULA can bound a user of a product in its creativity, so the EULA can't limit me in what I do with what I create. And yes, GPL-ed software can't be using the .NET api. Not because MS doesn't want it, but because the viral part of the GPL which states that libs linked to the GPL-ed code should also be GPL-ed. In the case of the .NET api, this means that the .NET code also should be GPL-ed. Which is of course utterly stupid, because who am I to tell another company what to do?

(oh, and the same thing is valid for a piece of GPL-ed java code and Sun's non-GPL JVM + java api).

Re:haha

[Malcontent]

"I don't see the link between software making and afghanistan. "

You made the analogy not me.

"Not because MS doesn't want it, but because the viral part of the GPL which states that libs linked to the GPL-ed code should also be GPL-ed."

Sorry to burst your bubble but MS does not want it. They say so in the EULA.

Re:You, too, are an idiot.

[pmz]

Find a registry tool that does search-and-replace...

1) This is an added per-host software installation to address the inherent flaws in the Windows Registry and the poor design of most Windows applications.

2) If the added Registry tool requires purchasing per-host licenses, then you will never have enough licenses nor have it installed when you really need it.

Windows scripting host.

How do you get by the almost non-existant set of useful system utilities that Microsoft bundles with Windows. Solaris has nearly 800 command line utilities available, by default, under /usr, each providing a nugget of usefulness in scripts.

Windows XP has fast user switching.

It's too bad that Windows XP doesn't have fast user adoption.

You write a script using WSH or DOS batch scripting, and you put it in the startup commands that Windows runs whenever you log on to the domain.

So, a person has to log out, first? I stay logged into Solaris months at a time, but I can update the service configurations on-the-fly with only momentary service interuptions (the time it takes to restart a specific daemon).

Only if you don't know how to properly administer it, and believe me, you don't.

Who does?