Windows 98, Me, NT4, 2000 and XP SSL Flawed

JoeSmack writes "In amazingly unexpected news, ComputerWorld is running an article that says the SSL security hole found in Internet Explorer is not a flaw in the browser, but in the operating system itself." The article mentions that Konqueror was patched against the same bug in 90 minutes.

Browser == OS

[keesh]

not a flaw in the browser, but in the operating system itself

There's a difference? I thought they were the same thing...

Re:Browser == OS

[Tony+Hoyle]

We tried to install Win2k service pack 3 on two test machines to see if it broke anything. It destroyed them, right back to the 'can't find NTLDR' prompt.

Does microsoft answer to all the machines that SP3 breaks? (Some companies might not be as careful as us and could lose important data). No, the EULA explicitly states that they have zero liability even if sp3 triggers World War 3 (before GWB does).

Anyone who uses the 'liability' FUD about MS software deserves shooting. If it breaks, you get to keep both pieces (to coin a phrase).

Oh, that's good then...

[MrFenty]

...Scott Culp, manager of the Microsoft Security Response Center said that the SSL flaw doesn't affect any other application outside Internet Explorer and that it's a client-side issue only.

Glad it's only a client side issue then.

Didn't mention Windows 95

[SpanishInquisition]

So I guess it's safe.
It's a good thing I didn't upgrade.

favorite quote

[nestler]

Microsoft officials said it makes sense for the operating system to provide cryptographic services to any application that needs it, instead of each application having to include its own cryptographic technology.

This "makes sense" up until the point where you have to patch your kernel instead of upgrading a library. When OpenSSL had a bug, they fixed it and you could upgrade OpenSSL. When Konqueror had this specific bug, it could be uprgraded easily enough. Now Windows users have to patch their entire OS to fix this (or just use another browser that doesn't use the crypto-in-the-kernel routines).

Re:favorite quote

[Amazing+Quantum+Man]

Here's a question - who do I sue if that bug in Konqueror causes me to lose money? Nobody!

Here's another question. Who do you sue if that bug in IE causes you to lose money? Nobody! Read the EULA!

Quick fix

[Subcarrier]

You can disable SSL in the advanced options menu. ;-)

Oh good, it's not an IE bug

[freerangegeek]

We only wrote bad code that made it through QA for 5 different versions of the OS dating back to the mid 90s. Of course, with Palladium, our new secure platform, things like this will never happen. Good thing we got that patch out quick!

(Oh wait, that was the Konqueror people!)

We'll I'm sure with our new secure computing focus it will be out any time now. Please don't stop doing ecommerce, just because all your personal data can be hacked, just use Passport.

(Oh wait, that happens with Passport too!)

Ummmm...

Re:Not a big deal!

[Wrexen]

Can we stop with the "Foo blah blah DMCA foo!" jokes already? The first 600 or so were funny (ok maybe not), but it's getting old. Especially when the subject matter has nothing to do with copy control circumvention or the ??AA businesses

Re:Yet again...

[Scutter]

I am so shocked to hear Microsoft didn't follow the standards when implementing SSL.

Neither did Konqueror. Blame where blame belongs, please. It's trendy to just blame everything on the Big Evil Empire, but let's not forget they aren't the only ones who have bugs.

things i dont get

[jeffy124]

i saw the article earlier today. there are some things I just do not understand here. first some facts:

• The bug is in the OS crypto services
  
• It's NOT MS's crypto api
  
• Only IE is affected.

Time for rhetorical questions:

Anybody else not see the lack of logic here? MS has two crypto implementations? One for the OS, one for the API? Why the redundancy? Why cant the OS use the API? Or conversely, why is the API necessary when there's the services are in the OS?

How in the world is IE the only app affected? It seems more to logical to assume that any app using this crypto services are also vulnerable.

Let's be fair here

[IamTheRealMike]

Now I'm a Linux user and lover, as anybody who reads my past comments can discover. But let's be fair to Microsoft here - all this talk is of how fast KDE (actually Waldo Bastion) patched the bug, as if this makes them superior to MS.

You know what? I bet the 'soft could do this too. I mean have a guy, or team of guys available 24/7 to patch bugs. And you know what else? They'd still get flack for it, as Microsoft don't release patches straight away - for better or for worse, they do actually test them first (usually), make sure they don't kill wierd and exotic installs etc. I know they've released dodgy patches, but my point is that Microsoft isn't an overnight operation.

And more to the point, how does this patch get to people? Via autoupdate of course. The patch may have been written in 40 minutes, but it's still not available on SuSE auto update (as far as I can tell) despite the fact that Waldo works for SuSE! We really need to stop patting ourselves on the back simply because we can see the progress of the patch and Microsofters can't, otherwise this bullheaded arrogance WILL bite us on the ass.

Re:Let's be fair here

[FreeLinux]

You do have some valid points that should be addressed and probably will be over time. But, lest we forget, this bug was reported to Microsoft a very long time ago. Furthermore, MS has not been trying to fix the bug. Instead they chose to try to place the blame on Verisign.

Regardless, of whether Verisign should shoulder some of the blame or not, Microsoft simply dismissed a potentially serious problem. A week later, we find out that, not only is it Microsoft's problem, but it is in the OS itself not just the browser like we had thought. Conversly, KDE was able to identify the problem and produce a fix in 90 minutes.

Now, to your point about the availability of the patch to everyone, as I said you have point. But, if you check out KDE's site you will find that they clearly state that they do NOT distribute binaries. KDE distributes source code only and that patched source code is, and has been, available. KDE leaves binary distribution up to the distros to handle. So, Suse and Red Hat et al need to step it up a bit but, KDE did a great job!

90 Minutes for Konqueror fix.

[FreeLinux]

90 minutes????? What are the KDE boys doing, sleeping???

This is just unacceptable. I cannot believe and refuse to accept that it could take 90 minutes to get a major security fix out for a browser. This is completely unacceptable. It's no wonder everyone uses IE.

I guess the Microsofties were right after all. Support for open source software is nearly impossible to find.

-- Before you post, are you sure you got it?

Re:Yet again...

[ergo98]

Sweet time? Indeed, saying that the Konquerer team fixed it in 90 minutes makes them sound very irresponsible, not proactive : Every change like that can have hundreds of ramifications, and I assure you that there is a programmer at Microsoft who could point to a particular segment of code and say "There, we just need to change that line right there". But after several high profile incidents where someone did a change and it broke a dozen large applications, they seem to be a lot more weary about that nowadays. Working in software development, I've seen many situations in large systems where someone wanted to rush out an incompletely thought out feature or fix and the net result was disaster.

On an OS Providing Cryptographic service

[dh003i]

Microsoft officials said it makes sense for the operating system to provide cryptographic services to any application that needs it, instead of each application having to include its own cryptographic technology

Yes, indeed, it does make sense for the OS to provide such a service to any program that wants to use it, so long as that's a GOOD service.

In general, it makes sense to provide everything from outside the program, and just have the program call on outside services. However, that means you need to make the outside services good, and it means that those writing programs don't just string together a bunch of requests (i.e., draw this, check that calls) but also work on looking for fixes to the common outside service, which would be shared by many programs.

In other words, this approach only makes sense when the outside services are OSS / FS / public domain, which means that developers of programs can check their integrity and submit improvements. Otherwise, its just a big black hole for developers: should I trust this cryptographic routine, or shouldn't I? One never knows with proprietary routines. One can check, and improve such routines provided OSS / FS.

Re:thought SSL wasn't secure anyway

[Jeremiah+Cornelius]

Dsniff was used as part of the practical exploit here.

The BugTraq post describes the nature of a MOTM exploit using this vulnerability.

A BugTraq reader was able to successfully demonstrate this using dsniff and OpenSSL as his tool kit. Screenshots on his site illustrate this, with his own bank account!

patch distribution model

[Kris+Warkentin]

This is a pretty important point. Just because the KDE people fixed it doesn't mean everyone will have it. Instead of asking, "How long did it take for it to get fixed", we should be asking, "How long until it is widely enough deployed such that exploit writing becomes unprofitable?" It seems to me that even if Microsoft is a little slower getting a bug fixed, the universal "Windows Update" probably gets the patch on a greater percentage of machines more quickly.

Of course, the number of Windows desktops dwarfs the number of KDE desktops so if even a small percentage of Windows installations don't get patched, it would probably be about the same as if KDE never got patched at all. ;-)

Shared code ok - but what EULA?

[Antity]

From the article:

Microsoft officials said it makes sense for the operating system to provide cryptographic services to any application that needs it, instead of each application having to include its own cryptographic technology.

They're perfectly right. Everybody can have a bug like this. But there are two problems that puzzle me:

1. When will the patches for the OSes be available?
2. And, the worse one: Will the patches for this really ugly security leak will also come with Microsoft's new EULA that gives them access to one's computer?

I really fear the time where users have to choose to either install a patch so fix a severe security hole and sell their (OS and computer data) souls to somebody else or just not fix their OS at all and be open to these man-in-the-middle attacks. This could become a very new quality of unsecured machines from a security point on the 'net: Users that don't want to install patches because they don't want Microsoft to own their machines - and trade this with security. (I can fully understand this.)

With Open Source OSes, if the vendor won't fix a bug like this, somebody else would (maybe even you). With Windows, you have to rely on Microsoft even recognizing something as a bug. And if they do, there's nothing you can do but wait.

Yes, I know, we all know this. But this problem hasn't gone away yet.

I'll tell you why

[tunabomber]

Anybody else not see the lack of logic here? MS has two crypto implementations? One for the OS, one for the API? Why the redundancy?

The logic is so obviously simple:

increased redundancy == increased failsafety

So, if one of the crypto API's has a security hole, the OS can rely on the backup API, just like how a bike with one flat tire can be ridden home on the remaining good tire.

I tell you, those MS guys really got some effective circumetry in their noggins!

Slow down there.

"Then can you explain why Microsoft releases bugfixes that uhhm break stuff?"

Despite your glaring lack of maturity in the above sentence, I figured I would respond.

Microsoft software (Windows/Office/Internet Explorer or any combination of the above) runs on approximately 95 out of every 100 client computers on the Internet. Now, on those computers, you have every piece of weird x86 hardware ever invented, from crappy $5 ISA modems to $5,000 SCSI RAID arrays. You also have Microsoft software that runs on Macintosh, Solaris, HP-UX and FreeBSD computers.

Now, figure that Linux runs on approximately 1 out of every 100 client computers on the Internet. (This is a high guess -- I'm giving Linux the benefit of the doubt here.) Now assume that KDE runs on 100% of those computers (also an extremely high guess.) So for every 1 person who receives the KDE fix, there will be about 92 (I'm taking out the non-Windows, non-Linux users) people who receive the Microsoft fix.

Considering that there are hundreds of millions of people on the Internet, and hundreds of BILLIONS of different hardware configurations, the chance that a Microsoft fix will break something is much higher than the chance that a KDE fix will break something.

"Ever heard of Debian's apt-get, Mandrake's urpmi, RedHat's up2date, etc.? It's up to each vendor to make the fix available to the users."

Oh, I love these arguments. It's funny how most people who run Linux don't trust their vendor enough to release patches in a timely manner, and actually whine about fixes being easy to get. "But I run Linux so I can do everything myself!"

I run about 12 Linux servers. I trust my vendors (Red Hat and Sun Cobalt in this instance) to provide me with timely updates. But the funny thing is that whenever I recommend that people trust their vendor for services like Apache or PHP and use up2date, I get laughed at. In fact, when I say that I use Red Hat and Sun Cobalt, I get laughed at. "Why not just compile everything yourself? Why not just use Debian?" Well, guess what, ladies and gentlemen -- I run a profitable business off of my servers and I don't have time to sit on SecurityFocus all day and make sure I'm not affected by the myriad set of would-be bugs on my servers. I trust my vendor to test the updates on their set of supported hardware and release them to me in a timely manner. I will then run the vendor-supported update tool and download them.

The people I see who are the most rabid advocates of open source are also the most rabid advocates of doing everything themselves -- the epitome of the "trust no one" saying. These are the SAME people, much like yourself, who also say that it's up to the vendor to release patches. I have news for you. You either need to trust your vendor to provide patches, or you need to realize that in the real world, not everyone has time to make a test bed and test that every CVS patch works the way it is claimed to. You can't bash Microsoft for taking time to release tested updates and then claim that Linux is better because you can install a fix that is untested instead of "waiting for the vendor to catch up".

Re:Slow down there.

[bergeron76]

You either need to trust your vendor to provide patches, or you need to realize that in the real world, not everyone has time to make a test bed and test that every CVS patch works the way it is claimed to.

I implicity trust Redhat, Mandrake, and all the major Linux vendors for that matter; _implicitly_. Based on nothing more than the fact that they have a proven track record of being trustworthy, and not eavesdropping/abusing/fscking the consumer. Microsoft on the other hand has a notorious reputation for abusing customers, vendors, programmers and competitors. I won't provide any references because I'm quite certain that google will provide more than I care to count. Do the homework yourself if you don't already agree.

If for no other reason than that, I will trust Redhat to provide "vendor" patches because I have no reason not to. For the record, I'm not one of those "paranoid"/"I'll fix the code myself" people you spoke of. I'm just joe-average-sysadmin with my company's best interests in mind.

Re:Slow down there.

[jsse]

"Why not just compile everything yourself? Why not just use Debian?" Well, guess what, ladies and gentlemen -- I run a profitable business off of my servers and I don't have time to sit on SecurityFocus all day and make sure I'm not affected by the myriad set of would-be bugs on my servers. I trust my vendor to test the updates on their set of supported hardware and release them to me in a timely manner. I will then run the vendor-supported update tool and download them.

I feel obliqued to answer regardless of the fact that you choose to be a coward.

Exactly what kind of profitable business you are doing? Yes you could trust your vendors to supply the latest fixes to you in timely fashion, but you don't seem to get the idea of risk management. If your 'profitable business' cannot bear the loss resulted in not-up-to-time fixes from vendors, you must check closely with latest security updates.
Since you mentioned security update site like security focus, have you realize that there's nothing you can do when your vendor like Microsoft who don't give a damn to the security problems in their products and you've no choice but to remove the problematic products until they are generously enough to release the patch?

In conclude, you either has no clue on the word 'risk' or you simply have way too much money to spare(or your boss has way too much spare money to hire the like of you). :)

In defense of microsoft

[cp5i6]

How many people out there are REAL Windows Admins? Seriously? I bet not that many are true windows admins. Using windows does not qualify you as an admin. I'll admit I'm very weak on my nix admin but that's because I don't bother learning about it. In my mind Windows 2k can be just as good an OS. I bet many of you don't know that Microsoft's knowledge base acutally keeps track of all it's bugs and patches for them before they stick it on Windows Update for the rest of the masses. I bet many of you don't know that microsoft has a tool called hfnetchk ... what does it do?.. It'll download the LATEST patches that microsoft has available for you to use. It'll check your system to see what patches are installed and what aren't and give you a report telling you which article # in MS knowledge base you can find the patch for you problem. More tools you want?... How about Qchain... (which i know many of you don't know about either) that lets the user install multiple patches WITHOUT rebooting your system multiple times. For IIS Windows has IISlockd .. which many wanna-be admins didn't bother finding out during the time when nimda worms were going crazy. And the list goes on I can easily list pages worth of other tools that windows has that most people don't know about because they're ignorant. If anything I'd say windows has done a wonderful job by making people lazy. But let's take a step back. I bet many of you are saying pfft the Nix machines have this and that tool. Think about that for a moment.. why would a multibillion dollar corporation, who have a million times more resources then the average linux programmer, not bother to make a similar tool for windows if it's so useful? Kinda defies logic doesn't it especially since nowadays with IBM's backing of linux MS needs to compete performance and feature wise even more (or are you going to tell me that MS has a stranglehold on IBM?). So before anyone else goes on with the typical. . "wat you expect form MS" read up about what MS really has and acutally maintain an intellectual conversation