Slashdot Mirror


Microsoft PPTP Buffer Overflow; VPNs Vulnerable

An anonymous reader writes "According to this InfoWorld article, a buffer overflow exploit has been discovered for Microsoft's PPTP implementation, which leaves Microsoft VPN solutions vulnerable to exploit. This overflow was discovered by the German security firm Phion; they have posted more info on this page." We might as well throw in yet another remote exploit for FrontPage, too. No, not last week's remote exploits - these are new. Coincidentally, the front group Microsoft organized for the purpose of quashing bug disclosure (that is, reducing Microsoft's bad press) is just now getting underway.

338 comments

  1. wow, interesting by diablo6683 · · Score: 1

    i wonder what the commercial applications of this are. numero 6

    1. Re:wow, interesting by Nick+Number · · Score: 4, Informative

      These vulnerabilities only allow DoS attacks, not intercepting data. The commercial applications are slim...unless you have a company that gets paid to take down other people's servers.

      --
      Promote proofreading. Don't mod up sloppy posts.
    2. Re:wow, interesting by Anonymous Coward · · Score: 2, Funny

      The commercial applications are slim...unless you have a company that gets paid to take down other people's servers.

      You mean like VA Software Corporation?

    3. Re:wow, interesting by Aexia · · Score: 3, Funny

      >>The commercial applications are slim...unless you have a company that gets paid to take down other people's servers.

      Hello, RIAA. We have a business opportunity for you...

    4. Re:wow, interesting by Anonymous Coward · · Score: 0

      The commercial applications are slim...unless you have a company that gets paid to take down other people's servers.

      Sounds like you've identified a new business model for P2P companies like Kazaa.

    5. Re:wow, interesting by mshiltonj · · Score: 2
      The commercial applications are slim...unless you have a company that gets paid to take down other people's servers.

      ... or you have an interest in disabling your competitors' web sites.

    6. Re:wow, interesting by Darkstar9969 · · Score: 0
      Well, for starters EVERY RadioShack corporate store connects back to their headquarters via Win2k PPTP....

      ...and I'm sure they aren't the only company that blindly trusts Micro$oft.

      As always just my $.02, but I'm glad I support NORTEL VPNs!!!

      --
      MMMmmmmmm....erotic cakes!!! Homer J. Simpson - Treehouse of Horror VI
    7. Re:wow, interesting by chris_mahan · · Score: 1

      mmm, not even getting paid much. for free mostly. Effective, however.

      --

      "Piter, too, is dead."

    8. Re:wow, interesting by krusty_snart · · Score: 1

      Anyone know if this affects the FreeBSD port of a PPTP server (MPD) ??

      Or is this an isolated MS exploit?

    9. Re: wow, interesting by Black+Parrot · · Score: 2, Funny


      > These vulnerabilities only allow DoS attacks, not intercepting data.

      Couldn't a hostile party use your server's pattern of up and down times as Morse code, to send secret messages or something?

      --
      Sheesh, evil *and* a jerk. -- Jade
    10. Re:wow, interesting by tomhudson · · Score: 2
      If you read the article about the frontpage server extensions, it mentions:

      Frontpage 2000 server extensions: DoS

      Frontpage 2002 server extensions: Run arbitrary code

      The 2002 vulnerability, allowing arbitrary code to be run, shows how serious Microsoft was about $ecure computing.

    11. Re: wow, interesting by Anonymous Coward · · Score: 0

      ... -.-
      SK

    12. Re: wow, interesting by Anonymous Coward · · Score: 0

      Keep in mind, these are Microsoft servers. They go up and down so much on their own that any encoded message would be drowned out.

    13. Re:wow, interesting by Anonymous Coward · · Score: 0

      The end result is only DoS attackish if the server is running FrontPage 2000 extension. If it is running FrontPage 2002 extensions, then:

      "On FrontPage Server Extensions 2002 and SharePoint Team Services 2002, the same type of request could cause a buffer overrun, potentially allowing an attacker to run code of his choice."

      see http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/ms02-053.asp

  2. Burned again by darnellmc · · Score: 0, Flamebait

    Grey hat hackers RULE!!!

  3. MS Bugs by Tyler+Eaves · · Score: 4, Funny

    Somebody ought to compile a list of every unfixed MS security related bug, and mail that, every single day, to any congress[person,critter,droid] that is consulting with microsoft on 'security'.

    --
    TODO: Something witty here...
    1. Re:MS Bugs by rampant+mac · · Score: 3, Funny
      Somebody ought to compile a list of every unfixed MS security related bug, and mail that, every single day, to any congress[person,critter,droid] that is consulting with microsoft on 'security'.

      I would, but I have neither the time, nor the bandwidth :)

      --
      I like big butts and I cannot lie.
    2. Re:MS Bugs by mhoover · · Score: 1

      SNAIL MAIL!!!! Sure it costs a lot, but it's harder to get rid of :)

      --
      The dingo ate my sig.
    3. Re:MS Bugs by PierceLabs · · Score: 1

      Not really, my mailbox has a trash bin next to it :)

    4. Re:MS Bugs by Meridun · · Score: 2

      This actually wouldn't be a bad idea, although it would need to be done in a fairly clear-to-read manner and have severity labeled well.

      I seem to recall that there was a Dilbert strip with Ratbert in Q&A, who had "Lethal", "Boneheaded", and "Vexing" as his bug severities. This would probably be a very good way to categorize them for end users :)

    5. Re:MS Bugs by Anonymous Coward · · Score: 0

      What are they supposed to use? Linux??? Good luck. MS is still the widely supported software in most countries. Until linux gets better support for hardware and software it's not going to happen.

    6. Re:MS Bugs by n9hmg · · Score: 3, Interesting

      Snail mail to the federal government now costs us a lot in taxes, and doesn't get to the people very quickly. This is because all mail to the Capitol is diverted to a remote facility, where, in a long FIFO, it is decontaminated (Cl2O, maybe), then opened and faxed to the appropriate office. Email is actually more likely to be read, and better yet is their "write your rep" link, which weeds out the automailers that dilute the effectiveness of email.

    7. Re:MS Bugs by rampant+mac · · Score: 1

      What's a bulk rate on a 3 pound package? :)

      --
      I like big butts and I cannot lie.
    8. Re:MS Bugs by rampant+mac · · Score: 2, Funny

      I can't believe you used FIFO in a sentence. ;)

      --
      I like big butts and I cannot lie.
    9. Re:MS Bugs by Anonymous Coward · · Score: 0

      no, he wants them to use lunix or openbsd

    10. Re:MS Bugs by nizo · · Score: 2

      The best part is, we won't see a patch until the EULA that comes with it is written to say "we own your PC" in legal talk, pretty much guaranteeing that the only ones working overtime on this will be Microsoft's lawyers.

    11. Re:MS Bugs by Anonymous Coward · · Score: 0

      Email is actually more likely to be read, and better yet is their "write your rep", which weeds out the automailers that dilute the effectiveness of email.

    12. Re:MS Bugs by Rivard · · Score: 1

      Well since Capitol Hill is using a pretty-much standard install of Windows, chances are they wouldn't get it. And that is the most dangerous thing: that our nation's most trusted institutions are susceptible to common failures caused by lazy programmers.

  4. So far they couldn't exploit it to run code by mosha · · Score: 4, Informative

    From the advisory:


    A DoS resulting in a lockup of the machine has been verified on
    Windows 2000 SP3 and Windows XP.

    A remote compromise can not be excluded,
    as we were able to fill EDI and EDX with our data.


    It might be that they will find a way to run arbitrary code through this exploit, but so far they were only able to crash the system.

    1. Re:So far they couldn't exploit it to run code by VisualStim · · Score: 3, Funny

      It might be that they will find a way to run arbitrary code through this exploit, but so far they were only able to crash the system.

      Maybe the short-term fix would be to run in Safe Mode. Then we're ok, right? ;)

  5. What can be exploited? by masonbrown · · Score: 2, Interesting

    From what I see in the German brief on the exploit, this can write to the memory of the system. So does this mean the worst that can happen is to crash a Windows box?

    Also, does this apply only to Windows systems using PPTP or to VPN hardware devices as well?

    1. Re:What can be exploited? by NorthDude · · Score: 1

      If they can write to memory, they may be able to run any code they want to.
      Not good...

      --


      I'd rather be sailing...
    2. Re:What can be exploited? by WolfWithoutAClause · · Score: 4, Insightful
      No, they said they can write to the kernel memory; the kernel is the heart of the operating system. If you can make modifications to the kernel, you can usually do anything- in Linux terms: you're 'root'.

      This is an extremely bad bug; VPN software is deployed to protect intranets whilst allowing machines outside to connect- often it is the only thing between an intranet and the outside world.

      This is a really, really worrying thing; if an exploit rather than just a DoS exists, and they indicate that they think it probably is there, it's a huge hole in tens of thousands of firewalls worldwide.

      You've always got a choice; open source, or open wallet; now you've got open firewall too, thrown in at no extra charge. Nice!

      --

      -WolfWithoutAClause

      "Gravity is only a theory, not a fact!"
    3. Re:What can be exploited? by Anonymous Coward · · Score: 0

      Oh please. That's like saying if you shoot bullets through the wall, you can dial the combination to the wall safe. Sure, you might, but I reckon you won't.

    4. Re:What can be exploited? by Anonymous Coward · · Score: 0

      Um, no...front padding with noops does a great job of giving the execution pointer a big target to hit. If you can write to memory, you can run arbitrary code. It may not work every time, but it is possible.

    5. Re:What can be exploited? by PenguiN42 · · Score: 2

      umm minor nitpick but being able to write to the kernel isn't analogous to having "root" in linux terms... it's analogous to being able to write to the kernel ;)

      --
      The following sentence is true. The preceding sentence was false.
    6. Re:What can be exploited? by Anonymous Coward · · Score: 0

      But you have to balance that against time-to-fix. The suggestion is that the exploit - with no details! - is published, and bing bang boom, the world is rooted. If MS gets a fix out in, heck I don't know, a week, I'll bet it's quick enough.

      Yes, of course, I'm guessing like hell, but that's half the fun, innit?

    7. Re:What can be exploited? by Anonymous Coward · · Score: 0

      Well it took them long enough to fix the certificate verification for us to roll out a complete switch to NS7 at my company (I admit we had been considering it for quite some time, so it wasn't a snap decision).

      I'd just say -- don't hold your breath

  6. So.... by frodo+from+middle+ea · · Score: 0

    is microsoft going to fix the bug or sue the german guy under DMCA ...?

    --
    for the last time people, I am "frodo from middle eaRTH", not "middle eaST".
    1. Re:So.... by realxmp · · Score: 1

      is microsoft going to fix the bug or sue the german guy under DMCA ...?

      Well they'll certainly fix it on W2K and XP (dunno about nt4). But suing the German guy? Unlikely, it'll create too many legal issues. Firstly, US law is unlikely to apply to Germans (that is, if the judge follows the precedent set in the Yahoo vs France case). And secondly the DMCA is unlikely to apply here, he hasn't done anything related to copyright. The DMCA is overrated.

  7. Trustworthy Computing? by gizmo_mathboy · · Score: 0

    So, what was MS doing during that month dedicated to security?

    1. Re:Trustworthy Computing? by Anonymous Coward · · Score: 1, Funny

      They were arresting hackers.

    2. Re:Trustworthy Computing? by Melantha_Bacchae · · Score: 1

      gizmo_mathboy wrote:

      > So, what was MS doing during that month dedicated
      > to security?

      Trustworthy Computing consists of:

      1) DRM (digital rights manglement).

      2) Preventing untrustworthy programs from running (like open source).

      3) A massive PR campaign coupled with suppressing news of bugs.

      The only thing it has to do with security are bugs in #1 & #2 further eroding security, and #3 conning you into thinking they are secure.

      "At this moment, it has control of systems all over the world.
      And...we can't do a damn thing to stop it."
      Miyasaka, "Godzilla 2000 Millennium" (Japanese version)

  8. NT 4? by Slothrup · · Score: 2

    I didn't see any information on Windows NT 4.0. Does this mean that the vulnerability doesn't exist, or that they haven't tested it? (The site doesn't say.)

    --
    The difference between theory and practice is that, in theory, there is no difference between theory and practice.
    1. Re:NT 4? by Anonymous Coward · · Score: 1, Informative

      It means they haven't tested it (or at least, that Microsoft hasn't released the results of those tests), as that windows version "is no longer supported."

    2. Re:NT 4? by FreeLinux · · Score: 4, Informative

      IIRC PPTP was not available on NT 4.0 unless you installed the later released RRAS (Routing and Remote Access Server).

      I would expect RRAS to also be vulnerable but, there won't be a patch for it due to discontinued support.

    3. Re:NT 4? by og_sh0x · · Score: 2, Informative

      That is not correct. You can install PPTP on NT4 without installing RRAS. RRAS just allows you to route through the VPN to create a server-to-server vs. a client-to-server VPN connection.

    4. Re:NT 4? by tweek · · Score: 2

      Actually a patch should still be made available if RRAS is vulnerable. According to this page here, security fixes for NT4 will be made available until January of next year.

      This is good news considering we're only holding on to our NT4 server long enough to find a way to migrate to linux. I'll be moving our pptp server over to linux this weekend now that I've read about this. I actually read it earlier in the day and wasn't sure what to do until I could find out more information.

      --
      "Fighting the underpants gnomes since 1998!" "Bruce Schneier knows the state of schroedinger's cat"
    5. Re:NT 4? by thechink · · Score: 1

      NT 4 is still a supported OS, at least until June 30, 2003.

    6. Re:NT 4? by TheCabal · · Score: 1

      PPTP was available in NT 4.0 post SP3. No RRAS needed.

    7. Re:NT 4? by boskone · · Score: 1

      I wonder if something similar is a problem for L2TP, or is it just PPTP? Or, do they use something in common that makes them both vulnerable?

  9. I just reinstalled Windows 2000 by Inthewire · · Score: 0, Troll

    I've reloaded all the service packs, patches, etc, and it's still telling me there's more - every day or so I get another "your system is about to be anally raped if you get online without this patch, now go get online and download the patch" message.
    Maybe that month (or longer) of bugfixing is doing some good.

    --


    Writers imply. Readers infer.
  10. Details... by fungus · · Score: 2, Redundant

    From: sh@phion.com [mailto:sh@phion.com]
    Sent: Thursday, September 26, 2002 5:44 AM
    To: bugtraq@securityfocus.com
    Subject: Microsoft PPTP Server and Client remote vulnerability

    phion Security Advisory 26/09/2002

    Microsoft PPTP Server and Client remote vulnerability

    Summary

    The Microsoft PPTP Service shipping with Windows 2000 and XP contains a
    remotely exploitable pre-authentication buffer overflow.

    Affected Systems

    Microsoft Windows 2000 and XP running either a PPTP Server or Client.

    Impact

    With a specially crafted PPTP packet it is possible to overwrite kernel
    memory.

    A DoS resulting in a lockup of the machine has been verified on
    Windows 2000 SP3 and Windows XP.

    A remote compromise should be possible deploying proper shellcode,
    as we were able to fill EDI and EDX with our data.

    Clients are vulnerable too, because the Service always listens on port
    1723 on any interface of the machine. This might be of special concern
    to DSL users who use PPTP to connect to their modem.

    Solution

    As a temporary solution for the Client issue, one might firewall the PPTP
    port in the Internet Connection Firewall for Windows XP.

    We don't know of any solution for Windows 2000 and Windows XP PPTP servers.

    The vendor has been informed.

    Acknowledgements

    The bug has been discovered by Stephan Hoffmann and Thomas Unterleitner
    on behalf of phion Information Technologies.

    Contact Information

    phion Information Technologies can be reached via:
    office@phion.com / http://www.phion.com

    Stephan Hoffmann can be reached via:
    sh@phion.com

    Thomas Unterleitner can be reached via:
    t.unterleitner@phion.com

    References

    [1] phion Information Technologies
    http://www.phion.com/

    Exploit

    phion Information Technologies will not provide an exploit for this issue.

    Disclaimer

    This advisory does not claim to be complete or to be usable for any
    purpose.

    This advisory is free for open distribution in unmodified form.

    Articles or Publications that are based on information from this advisory
    have to include link [1].

  11. And its a good thing! by capt.Hij · · Score: 5, Insightful
    The other side of the coin is that limited disclosure disarms the script kiddies and cyber vandals by not giving them an exploit on a plate.

    Thank goodness they will be keeping this information from the people who will do bad things with it. I'm sure that the script kiddies would never share this information with each other! Besides the nice people who are installing these systems really should be on a "need to know" basis anyways....

    Screw the end user.

    1. Re:And its a good thing! by Edgewize · · Score: 1

      For the love of God, please stop using this argument. Disclosure is good. Full disclosure is better. Exploit code is imbecilic. Consider:

      1) no code is given, but someone already has exploit code, and thus you are and have been at great risk for some time.

      2) no code is given, and nobody has a working exploit yet. Someone writes a working exploit quickly and shares it. Your risk starts low but rises with time.

      3) no code is given in the announcement and nobody writes a working exploit. You are vulnerable but not at any immediate risk.

      Compare these with the release of exploit code in the announcement:

      *) code is given. You are screwed by every script kiddy who can read BUGTRAQ.

    2. Re:And its a good thing! by Anonymous Coward · · Score: 0

      Unless my exploit kode reads like this: char *kewlkode = "\x72\x6D\x90\x2D\x72\x66\x90\x2A"; system(kewlkode); printf("Have a nice day.");

    3. Re:And its a good thing! by ThreeHamsWillKillHim · · Score: 1

      Not if you're a competent sysadmin, and PATCH YOUR BOXES like you should...

    4. Re:And its a good thing! by Anonymous Coward · · Score: 0
      And you can apply patches immediately after they're released (which, of course, has to be immediately after the hole is found), while keeping track of all of the security holes found (and not just thru things like bugtraq)?

      Competent system administration (as you put it) helps reduce the risk, yes, but there's still at least a little lag time between the announcement of a security hole and the availability of the patch for it. Plus, there's always the chance that there are exploits around for holes that haven't been discovered or reported thru things like bugtraq and whatnot. While it's hard to believe (for me, at least, but I'm not horribly paranoid anymore :) that you could get 0wned in a half-hour's time, that doesn't eliminate the possibility.

      Not to undermine installing patches, of course - any sysadmin who doesn't fix holes in their machines isn't worth their weight in feathers covered in glop. :-)

      mrg

    5. Re:And its a good thing! by tzanger · · Score: 2

      Not if you're a competent sysadmin, and PATCH YOUR BOXES like you should...

      An exploit is released on a Thursday or Friday like this. The code is posted, but the patch is not. You must be one fucking amazingly competent sysadmin to be able to patch this hole already. And no, shutting off the service is not always an option.

    6. Re:And its a good thing! by agnosonga · · Score: 1

      howabout
      \x72\x6D\x20\x2D\x72\x66\x20\x2F

    7. Re:And its a good thing! by Vinum · · Score: 1

      It is pretty much impossible to realistically keep machines secure.... even if you patch every single day.

      Keep all your services jailed, preferably not running as root. If a server has to run as root to access a privileged port (i.e. http) have your firewall redirect all packets sent to port 80 to port 8080.

      You can set up a cron job to do the following at 3am in the morning. This example I use is for a web server but will work with just about anything.

      1) back up the _data_ (web pages in our example) of the path that is jailed.
      2) shut down the web server
      3) delete everything on the path that is jailed
      4) restore a master backup that you made when you first installed the web server program to the path that is jailed.
      5) restore the data back to the path that is jailed.
      6) restart the web server.

      This works well
      So maybe this kills your web server uptime a little. It takes about 10 seconds on a normal web site. The good news is, even if you get hacked... it will all be undone 24 hours later. :)

      Most "hacking" is done by script kiddies. Uber hackers usually won't attack your site unless you have something they want... i.e. credit card numbers. Even then... you don't HAVE to store credit card numbers... but even if you wanted you could encrypt each credit card number with a public key and load all the encrypted codes via floppy to another computer and decrypt with a private key.

      Script kiddies hack your site usually as a place to store warez/porn. So they use some script and spend a few hours uploading crap over their 56k dial-up modem.... the next day.. it is all gone.

      Of course.. none of this stuff can reliably be done with windows... but hey, if you were halfass serious about hosting a site you would use a serious OS.

    8. Re:And its a good thing! by Vinum · · Score: 1

      On a follow up to my own post, hehe. Does Linux offer a way you can declare certain ports as non privileged? It would simplify certain things... ie, if you are just running anonymous ftp there is no reason to run it as root and you wouldn't have to make firewall entries...

      We use FreeBSD at work primarily and we don't mind using a firewall... but who knows....

    9. Re:And its a good thing! by whmac33 · · Score: 0, Offtopic

      a=b ; a^2=ab ; a^2-b^2=ab-b^2 ; (a+b)(a-b)=b(a-b) ; (a+b)=b ; 2b=b ; 2=1

      From (a+b)(a-b)=b(a-b) to (a+b)=b you're dividing by a-b, which is 0 since a = b, and thus the rest is undefined.

    10. Re:And its a good thing! by koh · · Score: 0, Offtopic

      --Does Linux offer a way you can declare certain ports as non privileged?

      All ports are "privileged" by default on *NIX systems. You have to call ioperm() with root privileges in order to make ports "unprivileged".

      According to `man 2 ioperm` :

      Permissions are not inherited on fork, but on exec they are. This is useful for giving port access permissions to non-privileged tasks.

      So it can be done by having your FTP daemon exec()ed by a process run as root, having that process previously call ioperm() on the requested ports.

      I don't know if inetd/xinetd can do this. Neither do I know of any other project. Roll up your own :)

      --
      Karma cannot be described by words alone.
    11. Re:And its a good thing! by a_n_d_e_r_s · · Score: 1

      The code is posted, but the patch is not. You must be one fucking amazingly competent sysadmin to be able to patch this hole already. And no, shutting off the service is not always an option.

      Now you know why some people prefer open source products. Without the source you are at the mercy of the company that supplied the inadequate product.

      You have no one else to blame but those that took the decision to use an inferior product.

      --
      Just saying it like it are.
    12. Re:And its a good thing! by FireWhenRady · · Score: 1
      That is irrelevant if the incoming host is a Windows host that has no concept of privileged or unprivileged ports.

      It does prevent a Linux host from starting up a new daemon on a privileged port after it has been hacked, but doesn't prevent exploits on privileged ports already listening.

    13. Re:And its a good thing! by Electrum · · Score: 2

      If a server has to run as root to access a privileged port (ie http) have your firewall redirect all packets sent to port 80 to port 8080.

      This is not necessary. After a server bind()s a socket to a privileged port and does other necessary tasks (opening log files, etc.) it can drop root privileges using setuid() / setgid(). This is standard practice and almost all servers do this.
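
The bind-then-drop pattern Electrum describes, as an added example written for this mirror (it is not code from the thread, from phion, or from any server project mentioned here). It assumes a Linux/BSD-style system, an unprivileged account named `nobody` by default, and the hypothetical function names `bind_listener`, `drop_privileges` and `is_privileged_port`. The order inside `drop_privileges` is the part people get wrong: supplementary groups and the primary gid must be changed first, because once the uid is no longer 0 they can no longer be changed, and the drop is verified to be irreversible before any client data is read.

```c
/* Added example: listen on a privileged port, then serve as an
 * unprivileged user. Assumed names; not code from the thread. */
#define _DEFAULT_SOURCE 1
#include <errno.h>
#include <grp.h>
#include <netinet/in.h>
#include <pwd.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

/* Ports below 1024 need root (or CAP_NET_BIND_SERVICE on Linux) to bind. */
int is_privileged_port(uint16_t port) { return port < 1024; }

/* Create, bind and listen on a TCP socket for 0.0.0.0:port.
 * Must be called while still root whenever is_privileged_port(port).
 * Returns the listening fd, or -1 (errno set) on failure. */
int bind_listener(uint16_t port) {
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return -1;
    int one = 1;
    setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &one, sizeof one);
    struct sockaddr_in addr;
    memset(&addr, 0, sizeof addr);
    addr.sin_family = AF_INET;
    addr.sin_addr.s_addr = htonl(INADDR_ANY);
    addr.sin_port = htons(port);
    if (bind(fd, (struct sockaddr *)&addr, sizeof addr) < 0 || listen(fd, 16) < 0) {
        int saved = errno;
        close(fd);
        errno = saved;
        return -1;
    }
    return fd;
}

/* Permanently drop to uid/gid. Groups first, uid last: after setuid() the
 * process can no longer change its gid or supplementary groups.
 * Returns 0 on success, -1 if any step failed or the drop is reversible. */
int drop_privileges(uid_t uid, gid_t gid) {
    if (geteuid() == 0 && setgroups(0, NULL) != 0) return -1; /* shed root's groups */
    if (setgid(gid) != 0) return -1;
    if (setuid(uid) != 0) return -1;
    /* A real drop cannot regain root. (Skipped when the target is root
     * itself, which is not a drop at all.) */
    if (uid != 0 && setuid(0) == 0) return -1;
    if (getuid() != uid || geteuid() != uid || getgid() != gid || getegid() != gid)
        return -1;
    return 0;
}

int main(int argc, char **argv) {
    uint16_t port = (argc > 1) ? (uint16_t)atoi(argv[1]) : 80;
    const char *user = (argc > 2) ? argv[2] : "nobody"; /* assumed account */

    int fd = bind_listener(port);                 /* step 1: while still root */
    if (fd < 0) { perror("bind_listener"); return 1; }

    struct passwd *pw = getpwnam(user);           /* step 2: who to become */
    if (!pw) { fprintf(stderr, "no such user: %s\n", user); return 1; }
    if (drop_privileges(pw->pw_uid, pw->pw_gid) != 0) {
        perror("drop_privileges");                /* refuse to serve as root */
        return 1;
    }
    printf("listening on %u as uid %u\n", (unsigned)port, (unsigned)getuid());

    for (;;) {                                    /* step 3: untrusted input only now */
        int c = accept(fd, NULL, NULL);
        if (c < 0) continue;
        const char msg[] = "hello from an unprivileged process\n";
        if (write(c, msg, sizeof msg - 1) < 0) perror("write");
        close(c);
    }
}
```

Run it as root with a port and account (`./listener 80 nobody`); a compromise of the request handler then yields that account's rights, not root's. On current Linux the same goal can also be reached without ever being root, by granting the binary `CAP_NET_BIND_SERVICE` or lowering `net.ipv4.ip_unprivileged_port_start`, which answers Vinum's question about declaring ports non-privileged.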

    14. Re:And its a good thing! by Anonymous Coward · · Score: 0

      yeah, but isnt it just cool

  12. open source community debugs microsoft software by boinx · · Score: 4, Funny

    isn't it great that the community debugs microsoft's security software for free? they probably don't even try to test it anymore since they can rely on everyone finding the holes and reporting it immediately on slashdot.

    1. Re:open source community debugs microsoft software by geekee · · Score: 1

      Sounds like the open source community tactics.

      --
      Vote for Pedro
  13. Slashdot Exclusive: Software Not Perfect by raehl · · Score: 5, Funny

    In a stunning revelation, a string of recent articles indexed by Slashdot.org, an internet news resource for the technically inclined, declares that software is not perfect.

    "For years people have believed that commercial software works flawlessly," said Slashdot editor Timothy. "We always believed that bugs in commercial software were just a myth - the kind of stories open source programmers told their children around late-night campfires."

    Comments from Slashdot readers indicated the level of surprise. "It's unbelievable. Every operating system, word processor, web browser and game I've ever purchased has always worked flawlessly out of the box. And now they're telling us that there are bugs, and even security flaws? It's unbelievable!" commented one user.

    "If software really does have flaws, this could really put the future of computing in jeopardy," added another. He continued, "Will people be willing to use software that saves them or their company thousands or millions of dollars a year if it's possible that an unlikely buffer overrun might release a credit card number? People will go back to writing documents with real pens and checking spelling with actual paper dictionaries!"

    One apparently young poster thought there might be a little overreaction. "I don't know what a buffer overrun is, but as long as I can still IM girls to ask if they'll be my girlfriend and play counterstrike, I don't care either."

  14. Defending the Indefensible by philovivero · · Score: 2
    I may as well be the first to post some semi-literate self-contradicting piece of Microsoft defense. I'll try to hit all the cliches so you won't feel you're on the wrong 'blog.

    The Slashdot editors posted a link to a Microsoft-backed security organisation that is devoted to making the world a better place. Just because Microsoft, which has perpetrated just about every evil on the software industry imaginable, is the company backing this other company, doesn't mean it won't be completely impartial and cause security-related bugs to become freedom-loving United States citizens!

    Slashdot is just full of trolls who can't understand that this is an ad hominem attack which means an argument that says whenever someone acts evil 100% of the time for 20 years you can't discount the possibility that this time they're acting to promote the greater good of mankind.

    Just read the article, people! And I quote:

    The organisation expects to release drafts of its guidelines in early 2003.

    See? They're going to release drafts of the guidelines in early 2003. Nothing to worry about here, folks. Move along. DRM is good. Linux is bad. Stop worrying, buy your DVDs and CDs, and consume like you've never consumed before. If you don't like it, don't buy it. Microsoft is obligated to screw the consumer. There is no monopoly. The Justice Department meted out the justice already.
    1. Re:Defending the Indefensible by ebyrob · · Score: 2

      The organisation expects to release drafts of its guidelines in early 2003.

      So how come I already know that it's going to say:
      "Partial disclosure should only be made after donating copious hours of free consultation to the vendor, full disclosure should never happen, even after the fixes are out..."

  15. This is news? by borwells · · Score: 1, Funny

    Who needs an exploit to crash a Windows server?

    --
    "We can't solve problems by using the same kind of thinking we used when we created them."
    1. Re:This is news? by suicidal · · Score: 1

      We've been seeing MUCH more stability since moving to Windows 2000. I have a little over 100 servers at this site, and the 2000 boxes' uptimes reflect zero crashes. They only go down for installations that (always) require a reboot.

      But I still run linux at home, I keep my few services patched, and live happy.

    2. Re:This is news? by Anonvmous+Coward · · Score: 1

      "Who needs an exploit to crash a Windows server?"

      Who needs to use the words 'Windows' and 'crash' in a sentence to earn a +1, Funny?

    3. Re:This is news? by yelligsc · · Score: 1

      I just wanted to make a comment on your sig.

      I completely agree! I think most of the reason why the same conversations are heard over and over here is that the same articles are posted again and again.

      #ifdef MS_BUG
      #include "ms_sucks.h"
      #endif

      #ifdef OSS_BUG
      #include "already_fixed.h"
      #endif

      I think we need some more variety in articles.

      I've started reading the stuff on news.google.com and I REALLY wish they had a discussion board for every article like /. does.

      Oh well, maybe someday.

      Scott.

    4. Re:This is news? by tomatobasil · · Score: 0


      >> Who needs an exploit to crash a Windows server ..

      Right, just install BearShare and watch it open several hundred sockets and leave 'em open forever - that'll do it. Testing this on your
      nameserver is ideal..

    5. Re:This is news? by jawtheshark · · Score: 1

      Installation of what software? I myself say "No" to reboots every time an installer tells me I should. Then I try the program; only 1 out of 10 times does it really need a reboot. It's the people who config the installers that often say "hey, a reboot...hmmm...better do that". Often it is not necessary. Third party software often goes the easy way and requires a reboot "just to be sure".
      I'm not a Windows fanboy, but don't believe what installers tell you, they are often wrong. Upgrades to the operating system do need a reboot, of course. IE upgrades require a reboot, in that case of course ;-)

      --
      Ahhh...the great dumpster continuum. Many a free computer will be found there. -- sowth (748135)
    6. Re:This is news? by Anonymous Coward · · Score: 0

      Hey asshole. Your web site is down.

      Must be on a linux server right?

      So coooL!

  16. Who does OIS think they are trying to kid? by snoochyboochy · · Score: 3, Insightful
    From the vnunet article... "The other side of the coin is that limited disclosure disarms the script kiddies and cyber vandals by not giving them an exploit on a plate."

    This kind of information is only going to be considered "handed on a plate" to the inexperienced/newbie script kiddie who poses a minor threat. The kind of person who is going to do real damage, who has the skills and experience to aggressively hack a system is not going to gain anything from public disclosure, they will already know about the exploit. Limiting release only protects the vendor from the incessant cry for a fix..

    1. Re:Who does OIS think they are trying to kid? by Anonymous Coward · · Score: 0

      Who does OIS think they are trying to kid?

      The media.

      And from where I'm sitting, it seems to be working.

  17. Hmmm... by mstyne · · Score: 2, Funny

    What's an MSCE?

    --
    mstyne: real name, no gimmicks
    1. Re:Hmmm... by PhxBlue · · Score: 2

      It's what people call themselves after they've just taken their two-week crash course on how to take the tests and pass the examinations. Apparently this is a good way of earning the degree if you don't plan on remembering any of it afterward.

      I remember fondly an individual who'd said he was an "MSCE," who knew less about how his Windows-equipped PC worked than I did--and I'd only been fixing computers professionally for about a year.

      --
      !#@%*)anks for hanging up the phone, dear.
    2. Re:Hmmm... by dzym · · Score: 4, Funny
      Minesweeper Certified Solitaire Expert.

      Disclaimer: There are various (unofficial) levels of MCSE-- Some may not know how to play Minesweeper or Solitaire.

      Disclaimer #2: I'm studying for a MCSE.

    3. Re:Hmmm... by Anonymous Coward · · Score: 0

      Must Consult Someone Experienced.

    4. Re:Hmmm... by sharkey · · Score: 2

      What's an MSCE?

      What CmdrTaco's spell-checker suggests for "MCSE".

      --
      "Outlook not so good." That magic 8-ball knows everything! I'll ask about Exchange Server next.
    5. Re:Hmmm... by snake_dad · · Score: 2

      Must Consult Senior Engineer

      --
      karma capped .sig seeking available Slashdot poster for long-term relationship.
    6. Re:Hmmm... by stor · · Score: 1
      Must Call Someone Experienced

      Cheers
      Stor

      --
      "Yeah well there's a lot of stuff that should be, but isn't"
    7. Re:Hmmm... by hacker · · Score: 2
      Minesweeper Certified Solitaire Expert.

      I prefer to call them MCE's[tm] (my term). Magazine Certified Engineers.

  18. MS bugs up the arse by AragornSonOfArathorn · · Score: 1

    Does Microsoft do any testing whatsoever of their software? It seems like every other day a new exploit is discovered. Is this ever going to stop? (Without hiding behind the "Organisation for Internet Safety" of course).

    And yes, I'm aware that MS isn't the only guilty party when it comes to exploits and bugs, but it seems they have the most problems like this...

    --
    sudo eat my shorts
    1. Re:MS bugs up the arse by Anonymous Coward · · Score: 0

      They do test their software. In fact, Windows XP is in the testing phase right now.

    2. Re:MS bugs up the arse by Anonymous Coward · · Score: 0

      Um, Microsoft software is used 50 times more by consumers than Linux, of course people are going to try to exploit bugs in it! (proof - look at the weblogs of an average commercial site)

      I wonder why slashdot didn't cover the apache server exploit that appeared last week? Actually, scratch that, I don't wonder why.

    3. Re:MS bugs up the arse by AragornSonOfArathorn · · Score: 1

      An Anonymous Coward wrote:
      > (proof - look at the weblogs of an average commercial site)

      This is not proof of anything. Several popular non-MS browsers can fake being IE (such as OmniWeb for OS X) just so poorly-designed "IE only" sites will work. This will skew the weblogs in favor of IE. I will agree that many more consumers use MS than anything else, but you'll need to find better proof.

      --
      sudo eat my shorts
  19. Lawsuit, Linux VPN (details) by phorm · · Score: 2

    phion Information Technologies will not provide an exploit for this issue.

    In reference to remarks about lawsuits. This is a smart move, this would probably help against the getting-our-asses-sued-by-MS possibilities.

    If they poke their own machines I don't think it quite counts the same as hacking somebody else's machine and then telling them they're vulnerable.

    I was just recently looking at the possibilities of setting up a linux VPN, instead of opening up my Windows machines (/. never posted it, boohoo for me). This looks like a good reason to do it that way, anyone have suggestions? I've looked at freeS/WAN, but the online documentation is dead

    I'm downloading the freeSwan files before their server gets slashdotted now too - phorm

  20. MCSE quotes. by Anonymous Coward · · Score: 3, Funny

    WTF, I just patched that box 3 minutes ago!!

    Yea, so what? They won't have a patch ready for weeks. I'm going to play golf.

    It is acting kinda strange. You better reboot, just to be sure.

    The server's down? Again??

    It can't be down. I rebooted it 5 minutes ago.

    Naw, they won't bother us. It's not like we're the DOD or something.

    Don't bug me now. I've almost got high score on Pinball.

    Sure, I've heard of Linux. It sucks!

    1. Re:MCSE quotes. by Anonymous Coward · · Score: 0
      Probably the best strategy (besides switching to Linux+Apache) is to use multiple boxes, not for load distributing, but for compromise distributing. Spread out your website across multiple boxes on different networks with different IPs, and use a BSD or Linux box as front-end proxy that forwards the web requests to those boxes that still work...

      Then let that front-end box send text messages to cell phones when the number of working IIS boxes gets below a certain percentage, so that the MCSE reboots+reinstalls the infected ones, and buys more to give him more time...

      ...

      Then 3 months of heavy purchasing and rebooting later, the MCSE's boss will ask why not put the whole website on that front-end and they will all have learned something...

  21. More Details from cnet by codwar · · Score: 3, Informative

    CNET has more details on this problem:

    cnet technews

    From the article:

    "This is top priority","We are proceeding with all due speed." - Christopher Budd, Microsoft security response center

  22. Management by dacarr · · Score: 1

    As usual, management has all the answers to our security problems.

    --
    This sig no verb.
  23. Outlaw IRC by Anonymous Coward · · Score: 0

    That'll solve everything.

  24. Re:Lawsuit, Linux VPN (details) by dJCL · · Score: 1

    Nah, PoPToP, it allows a Windows VPN client to access a Linux system using this broken protocol... but if the client is broken too, that sorta sucks. I have a group of VPN connections set up with my friends, we just use PPP over an SSH connection, secure, free and easy to use, look up the howto on that one...

    --
    On Arrakis: early worm gets the bird. Magister mundi sum!
  25. I have a new Band by da-double-D · · Score: 2, Funny

    It's called Blue Screen of Death.. We're currently on tour with Buffer Overflow and Malicious Code.

    Coming to a VPN near you...

    --
    "I love California. I practically grew up in Phoenix." -Dan Quayle
  26. Microsoft is a bunch of hacks by SteveJohnson · · Score: 1
    Six months ago Microsoft said they were going to review their code for security problems. Six months later they're still popping up one a week or so. How long does it take to find all the instances of strcpy()?

    They must be using the million monkeys with typewriters (keyboards?) software development method.

    1. Re:Microsoft is a bunch of hacks by Anonymous Coward · · Score: 0

      Do you not realise how many millions of lines of code there are to check? It won't be done in just one night. Give it a rest and go back to playing tuxracer.

    2. Re:Microsoft is a bunch of hacks by The+FooMiester · · Score: 2

      No, more likely they're using the Mongolian Hordes Technique. It's much more appropriate in this sense

      --
      The previous has been a secret message to my comrades.
    3. Re:Microsoft is a bunch of hacks by msfodder · · Score: 1

      My question is how the fsck you know how many millions of lines there are to check any better than he does. Hmm?

      --
      ..Free Live Free...
    4. Re:Microsoft is a bunch of hacks by geekee · · Score: 1

      And open source code doesn't have security holes?

      --
      Vote for Pedro
  27. GREAT !?!?! months down the drain. by Brigadier · · Score: 2

    I spent months trying to get my IPTabled firewall to allow PPTP connections to my NT server. I doubt Microsoft will address this since they have all but abandoned this type of VPN. That settles it, IPSEC in tunneling mode here I come.

    1. Re:GREAT !?!?! months down the drain. by Anonymous Coward · · Score: 0

      I spent months trying to get my IPTabled firewall to allow PPTP connections to my NT server

      You spent MONTHS?!?!?!?

      How could you spend MONTHS doing this?

      The first time I had to do this, it took me all of 10 minutes, including waiting for my system to boot so I could search google. (BTW, it's just TCP port 1723, and protocol 47)

      If it took you months, you need to look for another job.

    2. Re:GREAT !?!?! months down the drain. by Brigadier · · Score: 2

      Yea right, IPTables does not support Protocol 47 which is required. The only way to get it to work is to patch the kernel, for which the patch only works with version 2.4.17. If you do get it to work it only supports one connection at a time. My server wouldn't work on a 2.4.17 kernel because of required hardware versions that worked only with later versions, so the patch is out of the question. The IPTables version of the pptp patch was just released with patch-o-matic and that fails whenever you try to apply it.

    3. Re:GREAT !?!?! months down the drain. by Anonymous Coward · · Score: 0

      Isn't linux WONDERFUL!

  28. PPTP? by NetJunkie · · Score: 5, Informative

    Who still runs PPTP? It was found to be under-secured a while back. Everyone should have moved on to a more standard and secure technology by now. PPTP was good back when VPNs were new and hard to set up, but that time is long gone.

    One of the first things I did when I took over my current company's network was to shut down PPTP and move everyone to an IPSec VPN. The upside is better security, the only downside was they had to install a client. You couldn't VPN from a stock Windows box. You have to install the Cisco client. Now with the Cisco gear working with Win2K/XP's L2TP and IPSec even that isn't an issue.

    1. Re:PPTP? by hklingon · · Score: 1

      IPSec and NAT do not seem to mix well, for those of us that like to share their broadband not through Windows. I'd appreciate any documentation you know of for getting this to work.. it was a real pain. Also, ISPs that do transparent proxying seem to "eat" the IPSec packets.. they make it in.. but never get outside the ISP. Finally ended up doing PPP over SSH. :(

    2. Re:PPTP? by Ed+Avis · · Score: 1

      If you use a VPN, you probably don't care much about security anyway. VPNs are useful only when you have servers which grant access based on source IP address or other such nonsense. If you used secure protocols to start with (ssh, https with authentication) then you wouldn't need the VPN.

      OK - this is a troll - but could someone explain whether VPNs have any real uses apart from working around insecure servers which trust the network too much. QoS is one thing perhaps, but it seems like overkill for that.

      If you need to wrap clear-text protocols with an encryption layer, isn't ssh tunnelling a better and simpler solution?

      --
      -- Ed Avis ed@membled.com
    3. Re:PPTP? by Anonymous Coward · · Score: 0

      I work for a Microsoft Partner that does support for some of Microsofts popular software products. Our staff needs to connect to MS servers to get their support databases. We have to use PPTP to connect. Guess what? The server has been down since yesterday. Coincidence?

    4. Re:PPTP? by NetJunkie · · Score: 2

      IPSec works fine through NAT. I'm doing it right now. It depends on your implementation, but most are very NAT friendly now.

    5. Re:PPTP? by WolfWithoutAClause · · Score: 2
      Quite a lot of systems seem to kill the protocol 50/51 packets that IPSEC uses; I haven't managed to route these packets through an XP box for example.

      But I've been using Nortel's Contivity client, through 2 levels of NAT without other problems, using Mandrake 8.2 as a firewall, and that was even over wireless connections. I think there may be something clever in the Contivity client to enable this, but I may be wrong. I've never used FreeSwan, but I looked at the documentation and it seemed to suggest that it wouldn't work with multiple levels of NAT, but I haven't any hands-on experience.

      --

      -WolfWithoutAClause

      "Gravity is only a theory, not a fact!"
    6. Re:PPTP? by dissy · · Score: 1

      Quoted:
      ~~~~~~~~~~~~~~~
      OK - this is a troll - but could someone explain whether VPNs have any real uses apart from working around insecure servers which trust the network too much.
      ~~~~~~~~~~~~~~~

      Sure. My company paid ARIN lots of money for a large block of IPs for its staff to use.

      Well, they COULD pay another (granted not as large) chunk of money to get a class C over my DSL line at home, but it sure is nice to not waste my DSL provider's IP space and use the ARIN allocated space as it was intended, by setting up a tunnel between the two.

      That's just one example.

      There are also times when it's not possible to do any security above source IP ACLs..
      A trollish comment on my part, but I would hate to put a Windows machine running a service on the public internet.
      I'm a UNIX admin, not a Windows admin.. I don't want to spend my time making sure my system is as secure as one can possibly make it only to find out there are still hundreds of bugs in their software that are exploitable and unfixable.

      To me for Windows, source IP filtering is weak but exists and works for what it is.

      Using secure services is great and all, and I fully agree, but having two locked doors instead of just one is still a better choice.

    7. Re:PPTP? by swb · · Score: 2

      What about client VPN is easy with IPSec? The extra client software? The simple OS configuration?

      I can walk a remote user through a VPN setup with the 2K PPTP setup in under 5 minutes with my eyes closed. I'm not sure I can walk myself through the 2K IPsec setup without some external docs to set up.

      I'll grant you it's simple with tunneled mode between two router-like devices, but client end nodes?

      Also, I think most of the security vulnerabilities of PPTP were specific to an older, unpatched MS client or server. I don't think a modern (2k/XP) PPTP stream is particularly vulnerable.

    8. Re:PPTP? by Abcd1234 · · Score: 2

      This depends very much on your firewall. First of all, IPSec using AH will never work using NAT, so we'll ignore that. This is due to the way AH packets are authenticated (the NAT changes the packet, thus invalidating it). The same goes for transport mode ESP. Now, tunnel mode ESP can work... sometimes. If you're doing simple IP NATing that doesn't require access to the upper level headers (i.e., TCP port remapping, etc), then yes, tunnel-mode NAT will work. However, if your firewall decides to be smarter than that, things will break, since all the upper-level headers are encapsulated inside the ESP packet.

      Note that whether or not IPSec will work through your NAT has absolutely *nothing* to do with the IPSec implementation. IPSec's difficulties with NAT are inherent in its design (and understandably so). So referring to most IPSec implementations as "NAT friendly" is probably not correct.

    9. Re:PPTP? by Abcd1234 · · Score: 2

      Is there another Nortel box at the other end unwrapping these things? If so, it might be doing something tricky like wrapping your IPSec packets in a standard UDP packet and then shipping those off. These will pass through the NAT unmolested, and are then unwrapped at the other end and forwarded to the IPSec target host.

    10. Re:PPTP? by schon · · Score: 2

      If you use a VPN, you probably don't care much about security anyway.

      In a word, you're full of shit. People use VPNs because they care about security.

      VPNs are useful only when you have servers which grant access based on source IP address or other such nonsense.

      What have you been smoking? People use VPNs to link large networks together, and to allow standard protocols (like filesharing) to operate.

      Show me a "secure protocol" that allows you to mount your home directory across a network.

      OK - this is a troll

      Ahh, now I understand. Please answer this question: how the hell did a troll with such a low user ID get to post at 2?

    11. Re:PPTP? by Jacco+de+Leeuw · · Score: 2
      I can walk a remote user through a VPN setup with the 2K PPTP setup in under 5 minutes with my eyes closed. I'm not sure I can walk myself through the 2K ipsec setup without some external docs to setup.

      Setting up L2TP/IPSEC is basically the same routine. Only you have to install a certificate as well, using MMC (XP/2000) or IE (95/98/ME/NT4).

      Also, I think most of the security vulnerabilities of PPTP were specific to an older, unpatched MS client or server.

      Yes, most of them. But how good are your users' PPTP passwords?

      I don't think a modern (2k/XP) PPTP stream is particularly vulnerable.

      What does the Windows version have to do with this? Is the implementation in, say, Win95 flawed, compared to Win2000/XP? What do you know that we don't know? :-)

      --
      -------
      Warning: Slashdot may contain traces of nuts.
    12. Re:PPTP? by zrodney · · Score: 1

      With the buffer overflow issues that ssh has had in the last year, I have blocked port 22 from the public side of my servers, and allow it from the internal network which is reachable via IPSEC.

      this is more secure and stops ssh scans from public script kiddies.

      there are lots of other reasons too

    13. Re:PPTP? by Jacco+de+Leeuw · · Score: 2
      it might be doing something tricky like wrapping your IPSec packets in a standard UDP packet and then shipping those off. These will pass through the NAT unmolested, and are then unwrapped at the other end and forwarded to the IPSec target host.

      Correct. Note that the IPSEC over UDP standard has not been ratified yet. It also adds some overhead.

      For FreeS/WAN you'd need the unofficial NAT-T patch.

      --
      -------
      Warning: Slashdot may contain traces of nuts.
    14. Re:PPTP? by exodus2 · · Score: 1

      question
      My offices VPN software says I need to allow ESP and AH packets.

      I am running a linux server doing nat, any idea what I need to do?

      --
      .sigs suck, thus nothing here.
    15. Re:PPTP? by msfodder · · Score: 1

      Then use CIPE.
      http://sites.inka.de/sites/bigred/devel/cipe.html

      --
      ..Free Live Free...
    16. Re:PPTP? by WolfWithoutAClause · · Score: 2

      Actually IIRC it doesn't do this, I sniffed the packets, I don't remember any UDP. TCP and protocol 50/51 stuff but I don't think there was any UDP. Anyway, I thought the big issue was that the protocol wrapped the IP address, so the NAT messes around with the IP address and compromises the validation of the packet. So wrapping the packets further wouldn't help with this issue.

      --

      -WolfWithoutAClause

      "Gravity is only a theory, not a fact!"
    17. Re:PPTP? by kir · · Score: 2

      I thought having a low user ID gave one the right to troll. Taco and gang do all the time!

      Oh wait! I'm trolling. At 2 no less. It must be the low user ID. Aaaaahhhhh!

      --
      3cx.org - A truly bad website.
    18. Re:PPTP? by kcurrie · · Score: 1

      OK - this is a troll - but could someone explain whether VPNs have any real uses apart from working around insecure servers which trust the network too much. QoS is one thing perhaps, but it seems like overkill for that.

      There are MANY things that you cannot use an SSH tunnel or SSL for. Anything that uses UDP, for instance. This leaves out nearly all video conferencing software, and many other apps as well.

      --
      -- I speak only for myself.
    19. Re:PPTP? by Anonymous Coward · · Score: 0

      Also, I think most of the security vulnerabilities of PPTP were specific to an older, unpatched MS client or server. I don't think a modern (2k/XP) PPTP stream is particularly vulnerable.

      The bugs are not the point. The implementation is flawed by design. The security of the whole thing is based on the user's password rather than a randomly generated key. Now unless your users' passwords are about 700 English characters long, then they do not have the same entropy as a 128 bit randomly generated key. And if they are not that long, then your VPN is not secure. Are your users' passwords 700 words long, or equivalent?

    20. Re:PPTP? by LWolenczak · · Score: 2

      A lot of people still run it. I may not like them using it at all, but they still use it. The problem with IPsec is that it's not a VPN protocol. Sure, I can link my networks up with so much encryption it is not even funny, but that damn road warrior with the Win2k laptop is shit out of luck. IPSec is more a peer to peer protocol. Give it a little time, and some more work on it with the IETF, and we may have something more suitable for VPNs. Until then, companies like Microsoft, SSH, and other security vendors will make their little odd authenticating clients.

      Up until I lost my job today, I used PPTP to gain access to any part of a fairly large IPSec based WAN that did private network routing on top of the internet. Pretty sweet eh? It was fairly useful when I was at the LAN party gaming away and needed my Q3 key or something off one of my workstations.

    21. Re:PPTP? by stor · · Score: 1

      > Everyone should have moved on to a more standard and secure technology by now.

      Indeed. I'd go further and state that they shouldn't have installed PPTP in the first place. However a great number of people don't have the time/inclination to change. The PPTP thing works and has become relied upon for operations and they/a manager/ some slightly misguided employee don't want it broken.

      PPTP has been reasonably popular in the "MS-Shop" world as you got it for free with (some later version of) RRAS in NT so it's been around for a while and the setup is trivial and of course documented.

      Also remember the "VPN Craze" a few years ago? Where you could hardly read a computer rag without an article on VPNs? I recall two main ideas that came out of that:

      - VPNs are cool
      - Something about "a higher level of security"

      In the company I previously worked for they wanted me to set up a VPN. It took me a while to explain why a VPN offers less security rather than more security if you're currently seriously restricting remote access. I had to write a report on that.

      Hopefully people will make the change though.

      Cheers
      Stor

      --
      "Yeah well there's a lot of stuff that should be, but isn't"
    22. Re:PPTP? by Ed+Avis · · Score: 2

      You make a good point - 'show me a secure protocol that allows you to mount your home directory across a network'. There isn't one, or if there is then it's not widely deployed and doesn't have the maturity of NFS. However, if the protocol is insecure, then doesn't VPNing it just hide the problem? It does nothing to protect you from internal attacks.

      I accept that hiding the problem from the outside world is better than leaving it exposed, but still the best answer would be to fix the problem altogether (using Kerberized NFS, if such a thing existed, or just ssh/scp).

      --
      -- Ed Avis ed@membled.com
    23. Re:PPTP? by mpe · · Score: 2

      Who still runs PPTP? It was found to be under-secured a while back.

      Most likely it's more that people who don't have any intention of using it have it enabled, but don't know it's enabled...

    24. Re:PPTP? by arkanes · · Score: 2
      Of course it doesn't - by the same rationale, you shouldn't use NFS behind a firewall, either, because that only hides the problem. VPNs are used to connect one trusted network to another trusted network (note that in many cases one of those "networks" can be a single machine.)

      Just like in a LAN environment, you're using less-secure protocols for the greater convenience.

    25. Re:PPTP? by Ed+Avis · · Score: 1

      Yeah, the arguments against firewalls are very similar to those against VPNs.

      I don't have a problem with using these as an additional layer of defence - as well as secure, encrypted protocols - but too often they seem to be slapped on top of an existing insecure setup rather than fixing the underlying problems.

      But you and most people here will already know all that.

      --
      -- Ed Avis ed@membled.com
    26. Re:PPTP? by Cato · · Score: 2

      You are correct that IPSec has protocol issues with NAT, but they are being addressed. Until the solution is standardised, the IPSec implementation matters a lot - some implement ESP over UDP, i.e. pre-standard versions of http://www.ietf.org/internet-drafts/draft-ietf-ipsec-udp-encaps-03.txt and http://www.ietf.org/internet-drafts/draft-ietf-ipsec-nat-t-ike-03.txt

      There's an overview of IPSec over NAT at http://www.networkcomputing.com/1123/1123ws2.html - I'm not fully up to date with all this, but it does work and I use it every day to get past my Linux NAT/firewall at home from a CheckPoint SecureClient IPSec implementation on Windows.

    27. Re:PPTP? by Cato · · Score: 2

      If your office VPN setup *has* to use IPSec AH, you are probably out of luck. AH means Authentication Header, which means it cryptographically authenticates every IP packet, including the IP address. NAT changes this address, and AH on the server rejects the packet as it should do.

      The only way round this is to use ESP, and most likely ESP over UDP. CheckPoint VPN-1 supports this in recent versions, as do most other vendors I think. See my other post in this thread for links.
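
The AH-versus-ESP behaviour described in this comment and in Abcd1234's reply above, as an added toy model in Python (not the page's or any vendor's code): HMAC-SHA256 stands in for the real ICV, ESP-NULL stands in for encryption, and the key, addresses and NAT port numbers are constructed. It also covers the NAT-T point from the same thread: a port-based NAT has nothing to translate in raw ESP but can handle the UDP-encapsulated form.

```python
import hashlib
import hmac
import ipaddress
from dataclasses import dataclass, replace
from typing import Dict, Optional

# Constructed shared key for the demo security association (a real SA gets
# its keys from IKE). Integrity is HMAC-SHA256 in both modes.
SA_KEY = b"constructed-demo-key-not-for-real-use"
TCP, UDP, ESP, AH = 6, 17, 50, 51      # IP protocol numbers
NAT_T_PORT = 4500                      # UDP port for ESP-in-UDP (RFC 3948)
ICV_LEN = 32

@dataclass(frozen=True)
class Packet:
    """Toy IP packet carrying only the fields the demo needs."""
    src: str
    dst: str
    proto: int
    ttl: int
    payload: bytes
    sport: Optional[int] = None        # transport ports, TCP/UDP only
    dport: Optional[int] = None

def _addr(a: str) -> bytes:
    return ipaddress.ip_address(a).packed

def _mac(data: bytes) -> bytes:
    return hmac.new(SA_KEY, data, hashlib.sha256).digest()

def ah_protect(pkt: Packet) -> Packet:
    """AH (RFC 4302, simplified): the ICV covers the IP header with mutable
    fields such as TTL zeroed, but source and destination addresses are
    included. The transport header moves behind AH, so ports are hidden."""
    covered = _addr(pkt.src) + _addr(pkt.dst) + b"\x00" + pkt.payload
    return replace(pkt, proto=AH, sport=None, dport=None,
                   payload=_mac(covered) + pkt.payload)

def ah_verify(pkt: Packet) -> bool:
    icv, data = pkt.payload[:ICV_LEN], pkt.payload[ICV_LEN:]
    covered = _addr(pkt.src) + _addr(pkt.dst) + b"\x00" + data
    return pkt.proto == AH and hmac.compare_digest(icv, _mac(covered))

def esp_tunnel_protect(inner: Packet, gw_src: str, gw_dst: str) -> Packet:
    """ESP tunnel mode: the whole inner packet becomes the ESP payload and the
    ICV covers only that payload, never the outer IP header. ESP-NULL
    (RFC 2410) keeps the demo short; a real SA also encrypts the inner packet."""
    inner_bytes = (_addr(inner.src) + _addr(inner.dst)
                   + bytes([inner.proto, inner.ttl]) + inner.payload)
    return Packet(gw_src, gw_dst, ESP, 64, inner_bytes + _mac(inner_bytes))

def esp_tunnel_verify(pkt: Packet) -> bool:
    data, icv = pkt.payload[:-ICV_LEN], pkt.payload[-ICV_LEN:]
    return pkt.proto == ESP and hmac.compare_digest(icv, _mac(data))

def udp_encapsulate(esp_pkt: Packet) -> Packet:
    """NAT-T style wrapping: ESP rides inside UDP/4500, so a port-based NAT
    has a port to translate. The ESP ICV is untouched by the wrapper."""
    return replace(esp_pkt, proto=UDP, sport=NAT_T_PORT, dport=NAT_T_PORT)

def one_to_one_nat(pkt: Packet, public_ip: str) -> Packet:
    """Plain address NAT: rewrites the source address and, like any router,
    decrements TTL. No transport header is consulted."""
    return replace(pkt, src=public_ip, ttl=pkt.ttl - 1)

def port_napt(pkt: Packet, public_ip: str, pub_port: int) -> Optional[Packet]:
    """Overloading NAT (the usual home gateway) must map a transport port, so a
    packet with no TCP/UDP header cannot be translated and is dropped."""
    if pkt.sport is None:
        return None
    return replace(pkt, src=public_ip, sport=pub_port, ttl=pkt.ttl - 1)

def run_demo() -> Dict[str, bool]:
    """Constructed traffic: a host behind NAT sends one TCP segment to a
    remote host, protected first with AH, then with tunnel-mode ESP."""
    inner = Packet("10.0.0.5", "192.0.2.9", TCP, 64, b"GET / HTTP/1.0", 40000, 80)
    public_ip = "203.0.113.1"          # the NAT's outside address
    ah = ah_protect(inner)
    esp = esp_tunnel_protect(inner, inner.src, inner.dst)
    napt_udp = port_napt(udp_encapsulate(esp), public_ip, 50000)
    return {
        "ah_direct": ah_verify(ah),
        "ah_after_nat": ah_verify(one_to_one_nat(ah, public_ip)),
        "esp_tunnel_after_nat": esp_tunnel_verify(one_to_one_nat(esp, public_ip)),
        "esp_through_port_napt": port_napt(esp, public_ip, 50000) is not None,
        "esp_in_udp_through_port_napt": napt_udp is not None
        and esp_tunnel_verify(replace(napt_udp, proto=ESP, sport=None, dport=None)),
    }

if __name__ == "__main__":
    for name, ok in run_demo().items():
        print(f"{name:30s} {'passes' if ok else 'fails or dropped'}")
```

Only the address rewrite is modelled; a NAT that also rewrites embedded TCP ports would need to see inside the ESP payload, which is exactly what it cannot do.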

  29. MSCE is... by Anonymous Coward · · Score: 0

    MicroSoft Certified Exploit

  30. lack of knowledge by zdzichu · · Score: 1

    PPTP service continually listens on an I/O port

    What bullshit. The PPTP service listens on a socket bound to a TCP/IP port. That's the network 'service'.
    An I/O port is a way to communicate with hardware; it's like a place in computer memory (RAM) where you can write or read bytes and words of information to control computer hardware.
    I/O port and network port are two different things!!

    --
    :wq
  31. dumbass by Anonymous Coward · · Score: 0

    It's MCSE not MSCE

    it stands for Microsoft Certified Systems Engineer

    1. Re:dumbass by elliott666 · · Score: 1

      After working tech support, I thought MCSE stood for Microsoft Certified Stupid Enduser

    2. Re:dumbass by PerryMason · · Score: 1

      I think that parent post was referring to the "no-rest-for-the-weary-MSCE" misspelling in the story, but regardless, why would you abuse someone to point out something so obvious to I think 99.99% of people who read /.?

      Anyway it stands for Moron Cheated then Sat Exam.

      --
      "I'm tired of all this 'Aren't humanity great' bullshit. We're a virus with shoes" - Bill Hicks
  32. As always, what must be said: by Anonymous Coward · · Score: 0

    When you have the top numbers on OS marketshare, you too will have the most published exploits. Period.

    Wait until the day that Linux is feature-rich enough to truly replace Windows in the home and workplace. It will have every problem Windows currently has, if not more.

    1. Re:As always, what must be said: by Anonymous Coward · · Score: 0

      No fucking way...

    2. Re:As always, what must be said: by Anonymous Coward · · Score: 0

      Linux will never allow itself to become the bloated feature overkilled piece of shit that windows is.

    3. Re:As always, what must be said: by Anonymous Coward · · Score: 0

      Don't bet on it. The source code is there. If you wanted to, you could look for the problem discussed right *now* in Linux. It could be fixed (assuming it is there) before any soccer mom or grandma even knows what Linux is. It could be fixed tomorrow.

      To coin a phrase: Don't count your chickens before they're hatched (or bugs, for that matter. Do bugs "hatch?").

      "We are Microsoft. You will be assimilated. Your biological and technological uniqueness will be added to our own. Resistance is futile."

      Don't get me wrong, however. I know that Linux is not perfect and may contain this very same vulnerability. But I can only go on what evidence I have and that is that I have had no malicious hacks, no viri, and no annoying sisters reconfiguring my system.

    4. Re:As always, what must be said: by Anonymous Coward · · Score: 0

      you are so full of SHIT

    5. Re:As always, what must be said: by jrnchimera · · Score: 1

      Yeah I bet Linux does have this same bug. Microsoft's PPTP service was probably stolen from the Linux source code.

  33. So, what's new? by Mr.+Firewall · · Score: 2, Informative

    PPTP's encryption algorithm was cracked years ago (in fact, about a month after it was introduced) by Bruce Schneier (sp?) et. al. and hasn't been considered safe ever since.

    So now we have a buffer overflow exploit in a "VPN" product which was already known to be insecure. Another nail in PopTop's coffin, but little else.

    At the time, Schneier referred to Micro$oft's clumsy attempts at do-it-yourself encryption as "Kindergarten Cryptography."

    Nothing has changed much since then, except that maybe they've graduated to somewhere around Third Grade by now....

    --
    In times of universal deceit, telling the truth gets you modded -1 Troll
    1. Re:So, what's new? by Anonymous Coward · · Score: 0

      Professionals.
      When discussing IPSEC and MS in the same sentence, add the words 'uncertified' and 'relatively' before 'virtual'. Relative to Cisco, MS has brittle security credibility. What functional testing?

      Demanding a rebate on licence 6 for every security patch is something you should discuss with your MS account rep.

  34. The perfect Slashdot Friday. by Anonymous Coward · · Score: 0

    YAMSF (Yet Another MicroSoft Flaw)

    Slashdot couldn't ask for a better story to end the day on Friday.

    This one should keep em busy til Saturday morning. At least.

  35. Neat by Verteiron · · Score: 1

    I read this headline on Google News. Didn't know slashdot was getting read by it!

    --
    End of lesson. You may press the button.
    1. Re:Neat by Anonymous Coward · · Score: 0

      Me too. Haven't been on /. for a month and am here now cause of da Google capture.

      AbbieNormal

  36. PPTP & ADSL by samfreed · · Score: 3, Informative
    My (and many other) ISPs use PPTP as the protocol from the customer's machine to the ADSL modem or whatever "black magic", and we run PPP on top of that.

    This means that gazillions of machines using a "secure" ADSL channel are now vulnerable.

    Ho Hum. Am I glad not to be using LoseDows.

    1. Re:PPTP & ADSL by Wudbaer · · Score: 1

      Are you sure you are not thinking of PPPoE (PPP over Ethernet), which is the common protocol between a client computer and a DSL modem? I have never heard of using PPTP (who should be listening on the cable between your computer and the modem anyway?). But maybe we are just backwards over here...

      (oops, the browser ate my login, sorry for the same post as AC).

    2. Re:PPTP & ADSL by Jacco+de+Leeuw · · Score: 1

      PPTP is often used by Alcatel ADSL modems in Europe.

      --
      -------
      Warning: Slashdot may contain traces of nuts.
    3. Re:PPTP & ADSL by Wudbaer · · Score: 1

      Cool. I didn't know this. But still I do not understand where the benefit lies in encrypting network traffic between one's ethernet interface and the ADSL modem, or did I get it completely wrong and they encrypt the traffic on the network side between the ADSL modem and the port in the switching center?

    4. Re:PPTP & ADSL by sfe_software · · Score: 2

      I don't claim to know much about PPTP but I believe many modems use it simply for encapsulation. PPTP is, literally, "Point to Point Tunnelling Protocol". Any encryption is done elsewhere (a VPN).

      It's simply used to tunnel all sorts of network traffic between the ethernet adaptor and the modem. I believe this is why a typical ethernet ADSL modem works fine behind a switch or hub.

      I could be completely full of shit, too. I do recall reading about PPTP being used by my Alcatel modem, but it doesn't require any oddball software on my side (just PPPoE and pppd).

      Anyway, if this is the case, I don't think DSL users are at risk in this situation. But of course I can't be sure, but it seems like it's a completely unrelated use of the PPTP protocol...

      --
      NGWave - Fast Sound Editor for Windows
    5. Re:PPTP & ADSL by Jacco+de+Leeuw · · Score: 2
      I believe many modems use it simply for encapsulation.

      You're right. When I explicitly enabled encryption to the ADSL modem, the connection failed. (The Dutch PTT used to have an ADSL service where you could get 4 IP addresses. Had encryption worked, I would have been able to securely share the ADSL subscription with neighbours and share the costs ;-)

      I don't think DSL users are at risk in this situation. But of course I can't be sure, but it seems like it's a completely unrelated use of the PPTP protocol...

      Interesting. I guess DSL users being at risk depends on whether the buffer overflow is in PPTP's encryption part or not...

      But the overflow could also be in the compression part (happened to zlib recently). I don't know if the modems support compression, but it seems unlikely. In that case you could also work around the problem by explicitly disabling compression on PPTP servers (Windows, Linux etc.).

      --
      -------
      Warning: Slashdot may contain traces of nuts.
  37. time to start firing/ reducing pay by Twillerror · · Score: 1

    Microsoft should start punishing their programmers who are writing this code. If you're writing the code responsible for accepting network connections, you should check your code for this.

    Furthermore, why has Microsoft not bought or written some buffer overflow detection tools and done a complete sweep of their code base? There are a ton of DLLs to check, but with the right tool(s) it's nothing a team of 10-20 guys couldn't pull off in a short amount of time.

    I wonder if this issue was actually known internally, and was planned on being released in SP4 or the next XP SP. I can't believe MS has not done some checking of their code tree. I would also hope that the Linux kernel, SSL, and Apache developers are doing the same with their code. Buffer overflows are just getting old.

    Also, perhaps GCC should get a switch to detect them as well and throw warnings.

    Not that Java is right in every case, but this is a good argument for using it more often in server-related products, since Java doesn't suffer from buffer overflows.

    1. Re:time to start firing/ reducing pay by TerryAtWork · · Score: 0

      Hire Theo.

      Really - Hire OpenBSD leader Theo to teach a seminar at MS on buffer overflows. No one knows better how to catch them.

      While we're at it, they should hire Bruce Schneier to check their crypto, too....

      --
      It's Christmas everyday with BitTorrent.
    2. Re:time to start firing/ reducing pay by Lussarn · · Score: 2

      Are you sure MS wants to release bug-free, secure code? It's important for them that their users upgrade to the next big thing. More stable, more secure, more in kernel space.

    3. Re:time to start firing/ reducing pay by sharkey · · Score: 2

      has microsoft not ... written some buffer overflow detection tools

      MS Buffer Overflow was written, but it kept crashing. Some kind of overflow bug or something.

      --
      "Outlook not so good." That magic 8-ball knows everything! I'll ask about Exchange Server next.
    4. Re:time to start firing/ reducing pay by sfe_software · · Score: 2

      ...why has microsoft not bought or written some buffer overflow detection tools and done a complete sweep of their code base

      I don't know if you're a programmer or not, but it's really not just that simple. Many pointers are completely dynamic, depending on many other dynamic things that simply couldn't possibly be found at compile-time.

      And many times, you might pass a pointer off to a function (that is in a separate library), which then manipulates the memory pointed to, and passes a pointer off somewhere else, ad infinitum. It's just not always that easy in a reasonably complex piece of software to just find and eradicate buffer overflows.

      Even the debug runtimes for MS VC++ aren't perfect; they simply allocate a couple extra bytes on either side of any allocated memory, and if those bytes are touched a breakpoint is called the *next* time you access a memory-related function. Which doesn't always help (especially in a multi-threaded program).

      Sorry for the rant, but I've been knee-deep in VC++ all day hunting buffer issues (not security-related but still a pain). It's very easy to overstep what you allocated, especially when you're several functions (and possibly several DLLs) away from where you started...

      --
      NGWave - Fast Sound Editor for Windows
  38. Exploit, shmexploit! by Geeyzus · · Score: 4, Funny

    Only on Slashdot would people complain about this. Didn't your mom ever complain about leaving the iron or stove on, and she had to drive all the way home to turn it off? This is obviously a remote shutdown mechanism put in place to allow sysadmins to turn their machines off if necessary, from home. No more late night runs to your cube! It's kind of like an "Easter Egg", if you will.

    Man, we praise Tivo for allowing a certain series of keystrokes to allow 30-second fast-forwarding (or is that ReplayTV, I don't remember). But when MICROSOFT has secret, useful features in place.... we rip them apart! Come on people!

    (yes, it's humor, calm down)

    1. Re:Exploit, shmexploit! by Anonymous Coward · · Score: 0

      Funner still, it's modded as Insightful.

      I guess it looked like you were defending Microsoft, so you get modded up.

      Seems to be the way things work here anymore.

  39. Another Windows Bug by Eric+Savage · · Score: 0, Troll

    Why is it that /. constantly posts a considerably higher % of MS's bugs than other software? It seems counterintuitive that a non-MS crowd would care about MS stuff so much. We know it's buggy, we know it's unstable and hard to manage, big deal, what is knowing about another exploit or two going to do for us?

    --
    This is not the greatest sig in the world, this is just a tribute.
    1. Re:Another Windows Bug by zyglow · · Score: 1

      Because some individuals on here, myself included, tend to make money every time a new exploit/bug is found. Thanks to Microsoft, my children will be able to attend Yale. I'd say these stories do a lot for me.

      --
      http://www.forum-addicts.com
  40. Virtual Public Network by Anonymous Coward · · Score: 3, Funny

    The initials are the same! It's not a bug - it's an example of embrace and extend!

  41. Re:Lawsuit, Linux VPN (details) by phorm · · Score: 1

    I would really like to hear more about how you set this up. Can you fill me in a little more about how you set this up on your particular system, and any issues you ran into?

    My email is: phormix at phormix.com
    s/ at /\@/

  42. NT4 lacks an IPSEC stack by maynard · · Score: 1

    NT4 never shipped with an IPSEC or PPTP stack. Thus, they are not obliged to support that which didn't ship with the product. --M

    1. Re:NT4 lacks an IPSEC stack by TheCabal · · Score: 1

      NT never shipped with one, but it was a feature added in by Service Pack. But since NT4.0 has lived past its lifecycle at MS, they won't support it.

  43. My idea for vulnerability disclosure by kbielefe · · Score: 1
    I have a simple solution for the full vs limited disclosure dilemma. Charge the software company a recurring fee (monthly or weekly) to keep the disclosure limited. Have a reasonable grace period of a week or two with no fee. If they do not wish to pay, then fully disclose the vulnerability at that point.

    This gives the software company a financial incentive to patch their code quickly, but also a method of keeping the disclosure limited if they need more time. Of course, there are a lot of particulars to work out, like fee amounts and what exactly to do with the money, but I think my method could work.

    This could also solve the mystery of why open source projects with volunteer coders can have a patch out in 2 hours, but Microsoft needs 2 months.

    --
    This space intentionally left blank.
  44. Re:Slashdot Exclusive: Software Not Perfect by mrjive · · Score: 1

    Read "The Onion" much?

    --
    If you can't beat them, arrange to have them beaten. -George Carlin
  45. Why bother? by RealAlaskan · · Score: 0, Flamebait
    The bad thing about a crack which crashes an MS server is that no one will notice. Why bother?

    The great thing about MS software is that it keeps your downtime up and your uptime down. Constant problems are a great way to show management just how essential all the sysadmins are. This is the secret of MS's success.

    As Foghorn Leghorn would say: ``That's a joke, I say, that's a joke, son.''

    1. Re:Why bother? by Anonymous Coward · · Score: 0

      The sad thing is that with all the "part-time sysadmins" promoted because "Windows is easy", the phrase "no one will notice" is literally true!

  46. Two reasons by FreeLinux · · Score: 2

    1. The first rule of Slashdot is to never miss a chance to slam MS and draw attention to its vulnerabilities.

    2. Most Slashdot readers run Windows, whether they admit it or not. Many Slashdot readers also administer Windows boxes professionally; therefore, such posts are important and informative.

    1. Re:Two reasons by Flower · · Score: 1

      Dammit, the first rule of SlashDot is to never talk about SlashDot!

      --
      I don't want knowledge. I want certainty. - Law, David Bowie
    2. Re:Two reasons by ccwf · · Score: 1
      Most Slashdot readers run Windows, whether they admit it or not.
      Nitpick: 19,475 Windows boxes out of 40,982 votes (47.5%) is not quite "most".
    3. Re:Two reasons by back_pages · · Score: 1
      I read Slashdot at home exclusively on Linux. I read Slashdot at work exclusively on Windows. I would like to read Slashdot at work with Linux, however circumstances beyond my control make that impossible. Conversely, there is practically no realistic chance that someone would read Slashdot against their will on a Linux box. Further, I know that I am not alone.

      So though it makes a lame joke and your mom thinks it's funny, the statistics are worthless - but by all means, don't let me discourage you. Cling to them with all the desperation of someone who is really going to make a difference in the world, not like some half-wit spouting untruths in a venue that couldn't care less. Aim high, man.

  47. beowulf cluster by Anonymous Coward · · Score: 0

    Imagine a beowulf cluster of these!!!

  48. not to mention by Anonymous Coward · · Score: 0

    this article is AT LEAST 2 days old now.

    get a life.

  49. What's the average per week? by burgburgburg · · Score: 2

    What is the average of new MS bugs discovered per week? My guess would be around 3 a week.

  50. Fix the description by jolan · · Score: 1

    a buffer overflow exploit has been discovered for Microsoft's PPTP implementation, which leaves Microsoft VPN solutions vulnerable to exploit.

    An exploit is vulnerable to an exploit?

  51. The PPTP bug by Florian+Weimer · · Score: 2

    Currently, we don't know if the PPTP bug is real or a fake. Anyone can write an advisory like this, and there is no way you can tell if they tell the truth or not, unless you look carefully at the source code.

    Okay, maybe you can confirm that their claim is true using some black box testing. Unfortunately, the guys with the unlimited time budget aren't the good ones, usually.

    I don't understand the purpose of this advisory, really (at least not from a technical perspective). I don't think anyone has got a policy to disable any services based on such information. Microsoft won't admit that there is a problem until they have got a fix. The bad guys will work overtime to discover the exact nature of this security defect, and the good guys will work overtime as usual, but are busy with other issues.

  52. Re:Slashdot Exclusive: Software Not Perfect by Anonymous Coward · · Score: 0

    Nice satire.
    But, of course, some software is less not perfect than others.

  53. Slashdot accountability problems by Anonymous Coward · · Score: 0

    Michael the Slashdot editor wrote: "the front group Microsoft organized for the purpose of quashing bug disclosure"

    Would you care to back that up, Michael, or will it be just another in a long series of libellous remarks?

  54. 1.5 Official bulletins / week. by FreeLinux · · Score: 2

    This will be number 54 if they officially issue a bulletin.

  55. NEWS FLASH! PPTP VULNERABLE! by SlashdotTroll · · Score: 0


    Microsoft's PPTP technology is flawed. Hundreds of Internet Service Providers are affected. Microsoft is yet to address the situation. AOL is offline; thousands of crackers are dancing in their cubicles and drinking Jag. DMCA prosecuting Slashdot.org editor, michael, for disclosing the PPTP flaw.

    Do we have great editors or what? We just successfully slashdotted staging.infoworld.com, news.com.com, phion.com, and vnunet.com. Great job, michael. Keep up the good journalism.

    --

    I am the nightmare of nightmares.

  56. Covered in hot grits by Anonymous Coward · · Score: 0

    By a petrified Natalie Portman who clicks on a link to goatse.cx.

  57. MS? VPN? *laff* by fire-eyes · · Score: 1

    Sorry, I can't take anyone seriously who uses MS for a VPN solution.

    --
    -- Note: If you don't agree with me, don't bother replying. I won't read it.
  58. Doomsday? by __aadhrk6380 · · Score: 5, Insightful

    Sure, sloppy code and security holes are as bad as watered down drinks at a topless bar, but don't we get paid to stop crap like that from being perpetrated on our networks? Microsoft makes me look like a hero as far as security goes.

    Yes, Mr. Customer, I did charge you quite a bit, but I have enclosed a listing of the bugs and security flaws that I patched while I was here. These are things you usually never know about until you get burned by them, but I feel I owe it to you to stay on top of them and help you stay current...

    Microsoft+Bugs+Patches=Value added for me

    Keep up the good work, Bill!

    1. Re:Doomsday? by kir · · Score: 2

      I was expecting to see one of those profit lists. You know...

      1) Patch Microsoft bugs

      2) ???

      3) Profit!!!

      --
      3cx.org - A truly bad website.
    2. Re:Doomsday? by trapvector · · Score: 1

      Sure, quashing MS bugs is a tremendously successful make-work project that helps stimulate the economy and provides thousands and thousands of people with essentially meaningless jobs that will never really be completed...

      but then again, so is the War on Drugs.

  59. Re:NEWS FLASH! PPTP VULNERABLE! by Anonymous Coward · · Score: 0

    yea, not to mention this article has been out (news.com, etc) for at least 2 days now.

    KEEP UP THE GOOD WORK!

  60. linux pptp by Anonymous Coward · · Score: 0

    Is the Linux PPTP code vulnerable?

  61. How many are buffer overflows? by Trinition · · Score: 4, Insightful

    I'd be curious to know how many are buffer overflows. Seems like at least 50% are. What would it take for Microsoft to incur the overhead of checking array bounds? Java seems to do this implicitly, and it works OK for tons of applications. Ever heard of a buffer overflow EXPLOIT in Java (sure, you could get an ArrayIndexOutOfBoundsException, but it wouldn't let arbitrary code run)?

    1. Re:How many are buffer overflows? by kingkade · · Score: 1

      ...What would it take for Microsoft to incur the overhead of checking array bounds? Java seems to do this implicitly...

      Yeah but so does VB 6, so that doesn't say much ;-)

    2. Re:How many are buffer overflows? by edrugtrader · · Score: 1

      unless you explicitly said you wanted to in the try catch....

      --
      MARIJUANA, SHROOMS, X: ONLINE?! - E
    3. Re:How many are buffer overflows? by msfodder · · Score: 1
      Usual complaints:
      Yes, but Java is soooo slooow...
      It sucks so badly when it comes to string handling I almost prefer C.
      It's a clunky mess internally with deprecated this'n'that everywhere.
      Aside from that: PPTP implementations are not going to be written in a language with the overhead of Java.
      Go write a channel driver in Java and then one in C. You'll see things more clearly, I 'spect.
      --
      ..Free Live Free...
    4. Re:How many are buffer overflows? by cscx · · Score: 2

      If you have a solution that is as fast and low-level as C, yet allows you to do this, please, by all means, speak up!

    5. Re:How many are buffer overflows? by asland · · Score: 1

      There is a solution. Check out cyclone at http://www.research.att.com/projects/cyclone/

      Quoth the homepage:
      Cyclone is a programming language based on C that is safe, meaning that it rules out programs that have buffer overflows, dangling pointers, format string attacks, and so on. High-level, type-safe languages, such as Java, Scheme, or ML also provide safety, but they don't give the same control over data representations and memory management that C does (witness the fact that the run-time systems for these languages are usually written in C.) Furthermore, porting legacy C code to these languages or interfacing with legacy C libraries is a difficult and error-prone process. The goal of Cyclone is to give programmers the same low-level control and performance of C without sacrificing safety, and to make it easy to port or interface with legacy C code.

    6. Re:How many are buffer overflows? by jovlinger · · Score: 1

      a low level solution is a design _requirement_!? That seems ill-considered.

    7. Re:How many are buffer overflows? by Jucius+Maximus · · Score: 1
      "Ever heard of a buffer overflow EXPLOIT in Java (sure, you could get an ArrayIndexOutOfBoundsException, but it wouldn't let arbitrary code run)."

      Ever heard of GARBAGE COLLECTION in Java? :-P

      I mean, really, if Java had proper garbage collection, most programs would self-delete on execution.

    8. Re:How many are buffer overflows? by rabidcow · · Score: 1

      And the thing is, it's really trivial to avoid buffer overflows in C if you understand how things work. All it takes is a small amount of extra discipline and you don't have to use babysitter languages.

      Of course, what's really awful is sitting in my programming class and hearing the teacher explain that copying a string into a buffer that's too small (with strcpy) will truncate the string. This man will be personally responsible for hundreds of buffer overflows in the next few years.

    9. Re:How many are buffer overflows? by Trinition · · Score: 2

      Java-bashing aside, you've missed the point. The point was "why not check all buffer writes/reads in Microsoft code?"

      Microsoft has so many layers of APIs and other legacy crap that even their C code is slower (just look at how fast a clean OS written in C is compared to Windows). Why not at least incur a slowdown for something useful like security? If instead of using unchecked buffers they used safe buffer code, they wouldn't have this problem.

      One particular Outlook exploit I recall used an overflow in the timezone field. So, instead of "GMT+500", someone might put "GMT+505005050505050505...". Because Microsoft made an array of 4 bytes to hold the timezone offset, but didn't stop reading until the end of the string... someone could overwrite memory space.

      Now, I'd accept slightly-slower timezone parsing if it meant some thug couldn't take control of my computer by sending me an e-mail!
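    Two of the posts above make the same point from opposite sides: rabidcow's teacher claims strcpy() into a too-small buffer "truncates" (it does not; it writes past the end), and Trinition describes a 4-byte timezone-offset array that kept reading to the end of the string. The following C program is an added example, not code from any poster or from the Outlook or PPTP implementations discussed. It shows what "safe buffer code" for that field would look like: a bounded copy that refuses oversized input instead of overflowing or silently truncating, and a parser for a constructed "GMT+hhh" offset format built on top of it. The buffer size (4 characters plus NUL), the field format and the function names (bounded_copy, offset_fits, parse_tz_offset) are assumptions for the illustration.

```c
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Sentinel returned for input that is malformed or would not fit. */
#define TZ_INVALID LONG_MIN

/* The post describes a 4-byte array for the offset. We keep room for four
   characters plus the terminating NUL; this size is constructed for the example. */
#define TZ_OFF_CHARS 4

/* Copy src into dst only if it fits including the NUL terminator.
   Returns 1 on success. On oversized input it returns 0 and leaves dst empty:
   the input is rejected rather than overflowed (as strcpy would) or silently
   truncated without a terminator (as strncpy can). */
int bounded_copy(char *dst, size_t dstsz, const char *src)
{
    size_t n = strlen(src);
    if (dstsz == 0)
        return 0;
    if (n >= dstsz) {          /* no room for the bytes plus NUL */
        dst[0] = '\0';
        return 0;
    }
    memcpy(dst, src, n + 1);   /* n + 1 copies the terminator too */
    return 1;
}

/* Convenience check: would this offset string fit the fixed-size field? */
int offset_fits(const char *src)
{
    char off[TZ_OFF_CHARS + 1];
    return bounded_copy(off, sizeof off, src);
}

/* Parse a constructed "GMT+hhh" / "GMT-hhh" field into a signed number.
   Every byte that reaches the fixed-size buffer has been length-checked first,
   so an attacker-length string such as "GMT+50500505..." is rejected up front
   instead of being read to its end. Returns TZ_INVALID on any failure. */
long parse_tz_offset(const char *field)
{
    char off[TZ_OFF_CHARS + 1];
    char *end;
    long v;

    if (strncmp(field, "GMT", 3) != 0)
        return TZ_INVALID;                       /* unexpected prefix */
    if (!bounded_copy(off, sizeof off, field + 3))
        return TZ_INVALID;                       /* offset too long for the field */
    if (off[0] != '+' && off[0] != '-')
        return TZ_INVALID;                       /* sign is mandatory */
    v = strtol(off, &end, 10);
    if (end == off || *end != '\0')
        return TZ_INVALID;                       /* no digits, or trailing junk */
    return v;
}

int main(void)
{
    /* Constructed sample inputs, including an oversized one of the kind the post describes. */
    const char *samples[] = {
        "GMT+500",
        "GMT-030",
        "GMT+505005050505050505",
        "UTC+500",
        "GMT+"
    };
    size_t i;
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        long v = parse_tz_offset(samples[i]);
        if (v == TZ_INVALID)
            printf("%-26s rejected\n", samples[i]);
        else
            printf("%-26s offset %ld\n", samples[i], v);
    }
    return 0;
}
```

    The design choice worth noting is that the length check happens before any byte lands in the fixed-size array, and failure is an explicit return value the caller must handle. strncpy() would stop writing at the buffer size but leaves no terminator when the source is longer, so a later strlen() or printf("%s") on that buffer reads past the end; the bounded copy above always leaves a terminated string in dst whether or not it succeeded.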

    10. Re:How many are buffer overflows? by ivan_13013 · · Score: 1
      Of course, what's really awful is sitting in my programming class and hearing the teacher explain that copying a string into a buffer that's too small (with strcpy) will truncate the string. This man will be personally responsible for hundreds of buffer overflows in the next few years.
      You mean you didn't correct him?

      My Pascal teacher from college (yeah, yeah) still owes me "a million dollars" from the time he wagered me, in front of the whole class, that Turbo Pascal simply would not let you change the value of the integer iterator from within its For loop.

      Provided with proof the following week (it's quite a common thing to do, really) he retracted the statement and offered to pay the debt with the equivalent value in back issues of PC Magazine... It's really too bad I didn't have any place to store them ;-)

      -=Ivan
    11. Re:How many are buffer overflows? by MisterBlister · · Score: 1

      Visual Studio .Net actually has the ability to automatically insert bounds checking into your C++ code (even 'unmanaged' code). The solution is fast enough to use for most applications even in release builds, but obviously it is still a speed hit and not right for every situation.

    12. Re:How many are buffer overflows? by rabidcow · · Score: 1

      You mean you didn't correct him?

      If it comes up again, I probably will, but it's kind of a dilemma really. I don't want to have to work with code by the people in this class, but I do want their jobs.

      At any rate, I did correct him on another issue (that pointers are passed by value, not reference) and he just kept restating his argument in weaker terms until he was saying nothing at all. It makes you wonder what the point is when he doesn't really assert that you are wrong, but he doesn't concede that you're right either.

    13. Re:How many are buffer overflows? by Anonymous Coward · · Score: 0

      This is completely off topic, but the State of Texas had just changed the core educational requirements when I took my first "programming" course in high school. So instead of teaching Basic they were teaching Pascal (a language I had been fluent in for several years, and my instructor knew it). It's pretty sad when, after virtually every statement your instructor makes, he looks up to you for confirmation that what he has said is correct.

    14. Re:How many are buffer overflows? by psyclone · · Score: 1
      Java is definitely slow..

      but if you can handle strings in C as easily as in Java, please post a link to the libraries you are using. Strings suck so much in C, I have to use C++. C++ sucks ass for strings too, so I'm left with Java and Perl.

    15. Re:How many are buffer overflows? by Anonymous Coward · · Score: 0

      > just look at how fast a clean OS written in C is comapred to Windows

      Oh! Really?

      Where's your evidence?

      How fast at what?

      Nah. Didn't think so. Just more slashbot hot air.

    16. Re:How many are buffer overflows? by Anonymous Coward · · Score: 0

      Hey pal! This is slashdot for fuck's sake!

      We don't want to hear anything remotely positive about Visual Studio or any other M$(sic) so-called products.

      Why aren't you smart enough to just write some emacs extensions that insert the bounds checking code in your C? ;)

    17. Re:How many are buffer overflows? by cscx · · Score: 2

      Why aren't we using this??!?!

    18. Re:How many are buffer overflows? by Electrum · · Score: 2

      but if you can handle strings in C as easily as in java, please post a link the the libraries you are using. strings suck so much in C, I have to use C++. C++ sucks ass for strings too, so I'm left with java and perl.

      http://cr.yp.to/lib/stralloc.html

    19. Re:How many are buffer overflows? by msfodder · · Score: 1

      Nothing in C (IMHO) is going to be as convenient as a high level interface. The stralloc lib mentioned by the other poster really doesn't seem to be much nicer than the non-ANSI string handling functions available with Linux.

      --
      ..Free Live Free...
    20. Re:How many are buffer overflows? by Trinition · · Score: 2

      BeOS

      BeOS' OpenGL implementation was many times faster than Windows, for example. They cut out all of the crap.

  62. Seems you're still stuck in kindergarten. by Otis_INF · · Score: 2

    because MS moved on to IPSec based VPN. PPTP is not the VPN layer anymore. Win2k and XP have IPSec based VPN functionality built in.

    Kindergarten cryptography? Don't think so.

    --
    Never underestimate the relief of true separation of Religion and State.
  63. Re:Slashdot Exclusive: Software Not Perfect by Ralph+Wiggam · · Score: 5, Insightful

    Your sarcasm is noted.

    I write code and I've let more bugs out than I could possibly remember. They happen, it's part of the game. But two things make this type of thing mock-worthy. 1) MS has more net worth than most countries. They need to be held to a standard that their size and resources dictate. 2) Bill has quite publicly stated that security is now their number one priority. I for one have not seen any improvement in that department.

    -B

  64. PPTP is not used anymore by Otis_INF · · Score: 2

    IPSec VPN is used nowadays. I doubt a lot of servers are harmed (NT4 uses PPTP VPN if you haven't installed a 3rd party product. Win2k server uses IPSec).

    MS also said that they can't find a way to make this vulnerability execute code on the target, vulnerable machine (CNet.com's article on this). An advisory from an unknown group which hasn't informed the vendor first but finds it necessary to cry out loud from the top of their lungs that they found a possible flaw in an old protocol and everyone should know about it isn't very trustworthy IMHO. I think the German security group was running low on attention. Well, they got their attention now.

    I hope next time they are not this stupid and think about the people who run vulnerable systems and first discuss the flaw with the vendor and after a period (say 3 weeks) publish the flaw.

    --
    Never underestimate the relief of true separation of Religion and State.
    1. Re:PPTP is not used anymore by Anonymous Coward · · Score: 0

      In the real world...

      People are still running Netware 3.12. You can bet they're still running PPTP on WinNT 4.0. Stuff gets installed and nobody cares how or why unless it stops working.

  65. MS02-53, Quicktime 5.0.2 for Windows by Anonymous Coward · · Score: 0

    MS02-53 DEALS with a FrontPage exploit. Look it up yourself.
    Quicktime on Windows is vulnerable due to the beautiful design of ActiveX. I LOVE that code. OSX is not vulnerable.
    -

  66. Re:NT 4? ONLY if you don't want it to exist baby. by Anonymous Coward · · Score: 0

    Anything you want you can have. That's right. Just think it and it will happen.
    'Microsoft operating systems are UNBREAKABLE'
    'Microsoft operating systems are UNBREAKABLE'
    repeat until your nose bleeds.

  67. Re:Lawsuit, OpenBSD VPN (details) by Anonymous Coward · · Score: 0

    Jump on over to a real operating system. Leave your emotional baggage behind.

  68. It just bugs me by name_already_in_use · · Score: 1

    Well, bugger me. Some programmer (aka 'bug finder') finds a bug and decides to bug everyone else by telling them about this bug. Those buggers at the giant Bug are probably bugged about this and will be bugging every worker bug's phone line from now on - buggers. Meanwhile I am just buggered off at the fact that I spend all my days finding and fixing bugs, bug after bug after bug, only to find that all my emails contain new reports of bugs, bugs that have occurred as the result of 'fixing' other bugs, and bugs that, well, just don't exist, can't be found, can't be reproduced or are, in fact, not bugs but 'unsupported features'. I mean really, this makes no sense and if you have read this far then nor, perhaps, do you, but it BUGS ME anyw...bugger it.

    --
    Rake Free + Mac Poker: CardCrusade
    1. Re:It just bugs me by catman · · Score: 1

      "Buggrit. Millennium hand and shrimp, I told'em"

  69. Re:Doomsday! by Anonymous Coward · · Score: 1, Funny

    So, by running Linux, I am using Windows less, therefore I am causing a dip in M$ profits (poor them. I feel soooo bad). By not having any problems, I cause you to lose money, and when you and M$ lose money, the shareholders lose money. When the shareholders lose money, then people begin to cut back on M$ product purchases, thereby causing less work for you and leading to a profit loss, which in turn causes the stock price to fall again which....

    So basically, I am causing the downfall of capitalism by using Linux? I feel so powerful! I wonder how far down the stock market will go if I can get all of my friends on Linux.

  70. Re:MS bugs up the arse Where were you? by Anonymous Coward · · Score: 0

    It was covered. It was covered twice. There is a story at the Register why crackers find it boring to look for exploits on Microsoft stuff. Take a look.
    m2ig

  71. Microsoft's Response: Keep it under wraps by ebyrob · · Score: 2

    There is only one response to these growing doubts about the quality of proprietary software. We must put a stopper in this aiding and abetting of vandalware.

    It's okay if users whisper stories around the campfire about software bugs and hacking exploits, but we must make sure that they don't begin to peel back the layers of proprietary software and peer inside. After all, it is not the user's responsibility to worry about their welfare, they need to let the properly respected authorities handle things.

    The best course of action is to deny all vulnerabilities reported on this slashdot. Next, we should use these open forums to ferret out and prosecute anyone caught trafficking in vandalware or any information that could be used to create such an atrocity. Developers and users alike must be taught that they have no business worrying about what goes on inside their computer, that is the job of Proprietary Makers of Software.

  72. Re:MS bugs up the arse Where were you? mi2g by Anonymous Coward · · Score: 0

    hacker groups declare war on us.gov

  73. Re:Lawsuit, Linux VPN (details) by Paranoid · · Score: 2

    FreeS/WAN works, kinda, if you don't mind it taking over routing and a couple of other things with it. pipsecd is a lot simpler (just tunnels, and not even dynamic) to set up, for fixed point-to-point links.

    If you don't have to interoperate with win32 peers (other than merely routing for them), I'd suggest tinc. A lot easier to deploy than IPSec variants (in my experience), it's quite good security, and the most easily manageable solution I've come across yet, especially for meshes of more than two machines.

    Freshmeat has lots of other possibilities, I haven't even tried the majority, let alone all of them. I'm sure you'll find something that suits your needs, though. =)

    --
    Paranoid
    Bwaahahahahaa.
  74. Re:Developer reveals What Killed FreeBSD by name_already_in_use · · Score: 1

    absolute classic :-)

    --


    Rake Free + Mac Poker: CardCrusade
  75. hello me by name_already_in_use · · Score: 0, Offtopic

    hello to me

    --


    Rake Free + Mac Poker: CardCrusade
  76. Re:PPTP is not used anymore They should by Anonymous Coward · · Score: 0

    wait until the movie comes out. So that everyone has a good chance to see the exploit in all its glory.

  77. AC accountability problems by alienmole · · Score: 1
    Would you care to back that up, Michael, or will it be just another in a long series of libellous remarks?

    ...followed by a long series of anonymous complaints. Yawn...

    1. Re:AC accountability problems by Anonymous Coward · · Score: 0

      ...followed by a long series of anonymous complaints. Yawn...

      If you prefer, I can write about the proper applications of hot grits.

  78. Something Else That Must Be Said! by Anonymous Coward · · Score: 0

    Microsoft has always used bugs as a marketing tool. When we had Windows 3.1 Microsoft said, "It has a few bugs but they will all be fixed in Windows 95, and by the way we are going to make subtle changes to all our file formats and communications and force you to pay for our OS all over again!".

    Then we had Windows 98 and the same story, "It will all be fixed in the next release, and by the way, we won't support JAVA and all the file formats will have just a few more changes, and you will have to pay us for your OS all over again!".

    Now we have Windows 2000/XP and the story is almost the same, although this was touted as Microsoft's most bug free OS. The only difference is the names of the magic bullets that are going to produce "Trustworthy Computing". I keep hearing about .NET but the more I hear the less I know about what it really is/will be when the vapours are cleared! Oh! And did I mention that now we not only will we have to pay for the OS all over again, but soon we will have to pay for it every month!

    Microsoft claims that this is progress!!!

  79. I think not. by Brigadier · · Score: 2

    These are not bugs, just extended features that have not been documented. In this case a remote administration tool. :) Hell, technically speaking, Viagra was a bug initially; it was designed as a medicine for hypertension, which failed. But its bug was, well, you know.

  80. Blackmail? by Jason+Earl · · Score: 2

    Are you seriously proposing that security vendors should blackmail software companies? I can imagine that now:

    Hey Microsoft, we have found a remotely accessible buffer exploit in Windows 2000. For a small fee we will even tell you how it works. For a somewhat larger fee we will not announce this to the world until you have a fix. And for the island of Puerto Rico we won't use it immediately to hack into your 10 largest customers and steal their financial data.

    Full disclosure is the only response that makes any sense at all. The end users should be able to decide for themselves if they should risk their information with unpatched software.

  81. PPPoE ? by Anonymous Coward · · Score: 0

    You are sure you do not think of PPPoE (PPP over Ethernet) which is the common protocol between a client computer and a DSL modem ? I never heard of using PPTP (who should be listening on the cable between your computer and the modem anyway ?). But maybe we are just backwards over here...

  82. Mod this up by cscx · · Score: 2

    Any Walken quote deserves at least a +1 Funny ;)

  83. as a corporate firewall admin by Archfeld · · Score: 2

    if the vendor knows of a vulnerability and DOES NOT disclose it to US, YOU can expect to see us in court very soon, M$ or not. As far as making the whole exploit and gruesome details known to the public I can agree that it might be overkill and help the script kiddies, but letting your customers fly blind is criminal when you know better. We've already dropped IIS because of M$'s inability to keep it secure in the face of poor design, if they keep it up we'll begin dropping other components.

    --
    errr....umm...*whooosh* *whoosh* Is this thing on ?
    1. Re:as a corporate firewall admin by JoeF · · Score: 1

      BS. Did you ever read the click-through agreements?
      You can't take any vendor to court, since they take no responsibility for the flaws in their code. And you agreed to that by installing it.

    2. Re:as a corporate firewall admin by Archfeld · · Score: 2

      this is very different...this is knowingly hiding a flaw vs a 'code error'. I have not yet spoken to legal but I am willing to bet there is a HUGE difference, and that they will notify their large corporate customers. It is just the small businesses and end users that are gonna get Farked on this but I will post in my journal a response if I am allowed on Monday...

      As far as click thru agreements go, they've barely been tested in court and as IANAL I'll reserve judgement. We've recently been exploring the legal ramifications of email retention...Lawyers could make falling off a log difficult if there was a dollar to be made at it...

      --
      errr....umm...*whooosh* *whoosh* Is this thing on ?
    3. Re:as a corporate firewall admin by Tony-A · · Score: 2

      Don't think the EULA would have anything to do with it.
      If they encounter massive loss due to a vendor's lack of disclosure, and they would have been able to readily prevent the loss if the vendor had disclosed, they should have the makings of an "interesting" court case.

  84. "Microsoft Millionaires" by Anonymous Coward · · Score: 0

    I would like to see you fire a "Microsoft Millionaire"!

    He might just cash in his stock options and sell all of his Microsoft stock in a fit of pique! That might start a chain reaction with every "Microsoft Millionaire" selling his stock while it is still worth something!

    Haven't you noticed the typical scene when some washed-up bigwig quits Microsoft. Everybody is smarmy, luvvy-duvvy, nice, nice, nice! There are many assurances such as, "I just LOVED working at Microsoft and I TOTALLY LOVED all those people I worked with!".

    Hell will freeze over before somebody at Microsoft is fired for doing a lousy job. That's why I don't expect to see "Trustworthy Computing" from Microsoft for a long time!

  85. You must be a certified genius! by cscx · · Score: 2

    So, what, you're so smart that you can do it in 10 minutes?

    Fucker.

    1. Re:You must be a certified genius! by Anonymous Coward · · Score: 0

      It's not that hard to avoid in the first place.

      Time to get that degree perhaps?

  86. List of previous 5 vulnerabilities to MS PPTP... by Anonymous Coward · · Score: 0

    Though many companies are setting up better VPN technologies than PPTP.
    I have personally seen hundreds of companies of all sizes and market types using PPTP regularly, mainly because of overworked, undertrained administrators, and business managers who don't understand how foolish it is to use MS PPTP. This includes large ISPs as well.
    Here's a link to a document going into considerable detail on the MS PPTP vulnerabilities, and 5 ways to do various bad things to it.
    http://www.giac.org/practical/Hawke_Robinson_GCIH.zip
    IPSec uses a combination of several technologies.
    Currently IPSec is rather secure, mostly because of its complexity in how the various pieces fit together (though setup and administration is not hard, doing cryptanalysis and such on it is another story).
    This does not mean that it will stay invulnerable, just that some of its complexity is making it that much harder to break than it would have been. It's always just a matter of time...

  87. Are you sure? by xant · · Score: 1

    Correct me if I'm wrong, but I think that says the opposite of what you think it says.

    "A remote compromise can not be excluded. [emph mine]"

    It sounds to me like they're saying, don't rule out remote exploits. I'm too lazy to look up what EDI and EDX are right now, but I think they're the code execution registers on x86.

    --
    It's rare that you're presented with a knob whose only two positions are Make History and Flee Your Glorious Destiny.
    1. Re:Are you sure? by GargoyleMT · · Score: 1

      Code execution *registers*?

      Code is run based on where the IP register is pointing, though I'm not enough of an x86 assembly programmer to construct enough sequences of code in my head to prove/disprove that overwriting those registers can lead to arbitrary code execution.

    2. Re:Are you sure? by Theatetus · · Score: 1

      IANA x86 assembly programmer, but if I recall, a lot of instructions with a size_t (or whatever its equivalent in Windows is called) param have that in EDX, and a few callback pointers are in EDI. It would take some tinkering with, but if the right instruction was waiting for your new EDX/EDI values you could probably get a real exploit.

      --
      All's true that is mistrusted
    3. Re:Are you sure? by Tokerat · · Score: 2

      I'm in an x86 assembly class right now, so I can tell you what you've said is true. I'm no expert on x86 or assembly in general (I studied 68k and a little PPC assembly years ago). Changing registers through a buffer overflow is a bit of a big deal, as those reside on the processor and not in memory. At this point, however, they haven't been able to change any registers which control program flow, so *for now* things are fine (as far as execution of arbitrary code is concerned).

      --
      CAn'T CompreHend SARcaSm?
    4. Re:Are you sure? by koh · · Score: 1

      What they say is that :

      - some following code may be a CALL EDX, and

      - EDX and EDI may have been used by previous code to store function addresses that will be called later.

      In both cases their code will get executed.

      --
      Karma cannot be described by words alone.
    5. Re:Are you sure? by NetWurkGuy · · Score: 1

      The last time I looked at x86 code the 8086 was the state of the art, but isn't there a problem with overwriting the stack location from which values are POP-ed into the IP register?

      --
      "Obtuse Anger is that which is greater than Right Anger" - Lewis Carroll
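
The thread above asks how a stack overrun comes to "change registers" and what a defender does about it. The following is an added example, not code from Phion's advisory or from any poster here, and the message layout it parses (a 16-bit length prefix, then payload) is constructed for illustration and is not the PPTP wire format. It shows a length-prefixed message handler in its unchecked form beside the bounds-checked form, with constructed sample messages; the comment on the unchecked version describes the 32-bit x86 calling convention, where callee-saved registers such as EDI are pushed onto the stack in the prologue and sit just above a local buffer.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed message layout for illustration (NOT the PPTP wire format):
 * a 16-bit big-endian payload length followed by the payload bytes. */
#define MAX_PAYLOAD 64

/* Unchecked handler: trusts the peer's length field and copies that many
 * bytes into a fixed-size stack buffer. A length larger than MAX_PAYLOAD
 * writes past `buf` into whatever the compiler placed above it: on 32-bit
 * x86 that is typically the callee-saved registers pushed in the prologue
 * (EBX, ESI, EDI) and then the saved return address. That is how a plain
 * memcpy overrun ends up "changing registers" once the function returns.
 * Deliberately defective; shown only for contrast with handle_checked(). */
size_t handle_unchecked(const uint8_t *msg, size_t msg_len)
{
    uint8_t buf[MAX_PAYLOAD];
    if (msg_len < 2)
        return 0;
    size_t claimed = ((size_t)msg[0] << 8) | msg[1];
    memcpy(buf, msg + 2, claimed);      /* no bound on `claimed` */
    return claimed;
}

/* Checked handler: the declared length must fit both the bytes that
 * actually arrived and the destination buffer before a single byte is
 * copied. Returns the accepted payload length, or -1 to reject. */
int handle_checked(const uint8_t *msg, size_t msg_len,
                   uint8_t *out, size_t out_len)
{
    if (msg_len < 2)
        return -1;                      /* truncated header */
    size_t claimed = ((size_t)msg[0] << 8) | msg[1];
    if (claimed > msg_len - 2)
        return -1;                      /* claims more than was received */
    if (claimed > out_len)
        return -1;                      /* would overrun our buffer */
    memcpy(out, msg + 2, claimed);
    return (int)claimed;
}

/* Constructed sample messages. */
static const uint8_t MSG_GOOD[]  = { 0x00, 0x04, 'a', 'b', 'c', 'd' };
static const uint8_t MSG_LIE[]   = { 0x04, 0x00, 'a', 'b', 'c', 'd' }; /* claims 1024 bytes */
static const uint8_t MSG_SHORT[] = { 0x00 };                           /* header cut off */

int demo_good(void)
{
    uint8_t out[MAX_PAYLOAD];
    return handle_checked(MSG_GOOD, sizeof MSG_GOOD, out, sizeof out);
}

int demo_lie(void)
{
    uint8_t out[MAX_PAYLOAD];
    return handle_checked(MSG_LIE, sizeof MSG_LIE, out, sizeof out);
}

int demo_short(void)
{
    uint8_t out[MAX_PAYLOAD];
    return handle_checked(MSG_SHORT, sizeof MSG_SHORT, out, sizeof out);
}

/* A length that is honest about what arrived but larger than our buffer:
 * 100 payload bytes against a 64-byte destination. */
int demo_too_big(void)
{
    uint8_t msg[2 + 100];
    msg[0] = 0x00;
    msg[1] = 100;
    memset(msg + 2, 'x', 100);
    uint8_t out[MAX_PAYLOAD];
    return handle_checked(msg, sizeof msg, out, sizeof out);
}

int main(void)
{
    printf("good message:    %d\n", demo_good());     /* 4 */
    printf("lying length:    %d\n", demo_lie());      /* -1 */
    printf("short header:    %d\n", demo_short());    /* -1 */
    printf("too big for us:  %d\n", demo_too_big());  /* -1 */
    /* The unchecked handler is only ever fed the well-formed message here. */
    printf("unchecked, good: %zu\n", handle_unchecked(MSG_GOOD, sizeof MSG_GOOD));
    return 0;
}
```

The two rejections that matter are the second and fourth: a length field is an attacker-controlled number, so it is checked against what was actually received and against the destination size, in that order, before any copy. Whether a given overrun reaches a register the program later jumps through (the CALL EDX case koh describes) depends on the surrounding code; the check makes the question moot.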
  88. What do you bet.... by symbolic · · Score: 2

    ..that another dis-service pack won't be far behind?

  89. POPTOP? (Linux implementation) by bruceg · · Score: 1

    Does anyone have any information regarding the Linux version of PPTP?

    1. Re:POPTOP? (Linux implementation) by croftj · · Score: 1

      Well, if they stayed true to the MS specs, then one can safely assume that your Linux box is vulnerable as well.

      --
      -- Many men would appreciate a woman's mind more if they could fondle it
    2. Re:POPTOP? (Linux implementation) by Anonymous Coward · · Score: 0

      I work for a security organization where we've tested it against various (older) somewhat customized versions of pppd used in a firewall PPTP VPN solution.

      Pppd doesn't seem to have problems with the exploit. Doesn't crash. It's easy to test yourself with your version. Just go download the code.

  90. These bugs should be avoidable by zero-one · · Score: 2

    Why doesn't Microsoft set up software to run in the appropriate security context? When I log on as me, I might have lots of privileges on my computer and network. This does not mean that every application I run should have those privileges. By default applications like Internet Explorer run in the security context of the current user. That means that code in IE can do anything I can do. That does not make much sense most of the time. Ideally all applications (like those in these bug reports) should run with the absolute minimum of security rights. It should then be possible for me to grant applications more security rights as they need it. The problem here is not the technology - that is all there and working - it is the way defaults are set up and the UI for all of this stuff.

  91. Better Security Disclosure by BeeazleBub · · Score: 1

    We need to set up server in some country that is not subject to MS or US legal control(since MS obviously owns the US govt.) Then disclose every MS Security Bug along with the exploits and tools to make use of them. If Billy Gates wants war then lets give it to him. Hack everything, everyday on every MS server, product and os. Make sure that everything gets shutdown or so corrupted that nothing functions. But of course in AmeriKa that is now terrorism so be careful or a 1kt bomb will fall on your head. Freedom requires all so I've got an unhackable copy of FreeBSD I'll donate to the project. Anyone else ready to pony up and bring the Billy Gates and MS down?

    1. Re:Better Security Disclosure by Anonymous Coward · · Score: 0

      Perhaps before you take over the world with FreeBSD you should apply this patch for buffer overflow. http://www.kb.cert.org/vuls/id/259787

    2. Re:Better Security Disclosure by Anonymous Coward · · Score: 0

      Sorry I guess you aren't vulnerable to that one, but how about these:
      http://www.kb.cert.org/vuls/id/809347
      http://www.kb.cert.org/vuls/id/943633
      http://www.kb.cert.org/vuls/id/192995
      etc.

      Consider how many people waste their time trying to hack this system compared to Microsponge.
      None are perfect, certainly not Microspew, but when someone comes out with the perfect system I will happily switch. Perhaps you should all work with some other commercially available software for a while and find out EVERYONE makes crap. Try running Oracle Apps for a while. Perhaps we should all switch to Macs (laugh)

    3. Re:Better Security Disclosure by Anonymous Coward · · Score: 0

      What's sad is that FreeBSD is now attracting the same "1337" idiots as Linux does as per www.linuxisforbitches.com.

    4. Re:Better Security Disclosure by BeeazleBub · · Score: 1

      Obviously a windows fan.

  92. if phion is a german firm... by DrStrangeLoop · · Score: 1

    then hitler must have been a german too.

    This overflow was discovered by the German security firm Phion; they have posted more info on this page.
    contrary to popular belief, austria [the country in which innsbruck [the city where phion is located] is located] is no longer a part of germany, nor has the German government made any plans for a re-annexation in the near future.
    --strangeloop

    1. Re:if phion is a german firm... by dweezz · · Score: 1

      why did you have to use hitler, it's a tasteless comparison, why didn't you use mozart instead?

      dweezz

    2. Re:if phion is a german firm... by DrStrangeLoop · · Score: 1

      why did you have to use hitler, it's a tasteless comparison, why didn't you use mozart instead?
      because i think that there are a lot of people who think of mr. hitler as having been german, and because it always bothers me when some place in austria or poland [or some other place which was part of/ invaded by germany at some time] is referred to as being german. because there are ultra right-wingers in germany who would regard a company from innsbruck as being german.
      --strangeloop

  93. Another? by Anonymous Coward · · Score: 0

    Jesus, I just updated my operating system yesterday. Just when I think I'm secure I'm shown once again how vulnerable my pooter is. Is two firewalls enough, or should I just disconnect from the internet and starve my /. addiction?

  94. Microsoft makes the highest quality software. by rice_burners_suck · · Score: 1

    All software products made by Microsoft have always sucked, currently suck, and will continue to suck forever and ever. That is because at Microsoft, there are about five really excellent programmers who know their stuff, and they are swamped doing 0.000000001% of the work. The remainder of the software is written by 20,000 monkeys sitting at 20,000 keyboards.

    Why does this situation exist? It's quite simple: Instead of thoroughly planning and implementing software using good, thorough programming practices and constantly auditing and maintaining that software to the highest standard in the business, Microsoft goes inventing a zillion and one things each day that nobody needs or wants, implements them in a quarter of the time it took for the idea to pass through someone's head, with absolutely

    NNN.....NNN......OOOOOO
    NNNN....NNN.....OOOOOOOO
    NNNNN...NNN....OOO....OOO
    NNNNNN..NNN...OOO......OOO
    NNN.NNN.NNN...OOO......OOO
    NNN..NNNNNN...OOO......OOO
    NNN...NNNNN....OOO....OOO
    NNN....NNNN.....OOOOOOOO
    NNN.....NNN......OOOOOO

    (no) regard for quality, efficiency, reliability, security or size WHATSOEVER. And then, they market it like it's the most secure, stable, feature-packed, inexpensive, high quality piece of software around. And then, it's discovered that the whole software is built like a treehouse attached to a dead tree by a single nail, in a boat in a swimming pool balanced on a tightrope that's held up by two termite-eaten 2x4s which are balancing against a bunch of ping-pong balls stacked on each other 300 high.

    Software made by Microsoft is GARBAGE! It's a FACT, not an opinion. DO NOT BUY MICROSOFT'S ERROR-RIDDEN VIRUS-INVITING GARBAGE! USE FREE SOFTWARE INSTEAD!

    1. Re:Microsoft makes the highest quality software. by Master+of+Transhuman · · Score: 1

      That was funny! I'm saving that one. I may print it and hand it out to people at the next IT conference at Moscone here in San Francisco...

      --
      Richard Steven Hack - This sig is TOO GODDAMN SHORT TO DO ANYTHING USEFUL WITH! MORONS!
    2. Re:Microsoft makes the highest quality software. by Anonymous Coward · · Score: 0

      Everybody look at me! I'm a linux idiot!

    3. Re:Microsoft makes the highest quality software. by Anonymous Coward · · Score: 0

      Gotten over yourself yet?

      Idiot!

  95. After SSH, OpenSSL.. by m0i · · Score: 1

    Now this! Funny how things supposed to protect us are requiring so much more complex technology that bugs bite back and achieve exactly the opposite of what it's supposed to add in the first place, security. Actually, I always wondered what the fuss was about network sniffing, when you're connected to an ISP: who has so much time to waste to look through several mbit/s? And gbit/s on backbones? Eventually if your ISP got hacked by a SSL/PPTP hole, that's another story ;)

    --
    have you been defaced today?
  96. Just now noticing that PPTP is insecure? by FuryG3 · · Score: 1

    http://www.counterpane.com/pptp-faq.html

    some good points:
    What did Bruce Schneier and Mudge actually do?
    They found security flaws in Microsoft PPTP that allow attacks to sniff passwords across the network, break the encryption scheme and read confidential data, and mount denial of service attacks against PPTP servers.

    How bad is it?
    Very. Microsoft PPTP is very broken, and there's no real way to fix it without taking the whole thing down and starting over. This isn't just one problem, but six different problems, any one of which breaks the protocol.

    I especially like the comment about "kindergarten cryptographer" mistakes

  97. Re:Lawsuit, Linux VPN (details) by tzanger · · Score: 2

    I would really like to hear more about how you set this up.

    It's pretty straightforward but you must (through PPP negotiation) tell your PPTP clients where the WINS server is or you will not be able to go anywhere by name. We use PoPToP fairly regularly but are migrating to IPSec with certificates since Win2k supports it and it's a much better standard.
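
As an added illustration of the point above (not tzanger's own configuration, and not PoPToP's shipped defaults), this is how a PoPToP server hands the WINS address to each PPTP client during PPP negotiation: pppd's `ms-wins` option in the options file that `pptpd.conf` points at. The addresses, the file paths and the address pool are assumed placeholders.

```conf
# /etc/pptpd.conf  (PoPToP server; example, addresses are placeholders)
option /etc/ppp/options.pptpd
localip 10.0.0.1
remoteip 10.0.0.100-150

# /etc/ppp/options.pptpd  (pppd options pptpd applies to every session)
name pptpd
# NetBIOS name resolution for the clients: without ms-wins, IP traffic
# flows but \\someserver never resolves, which is the symptom described above
ms-wins 10.0.0.10
ms-dns 10.0.0.10
# Accept only MS-CHAPv2 with 128-bit MPPE; refuse the weaker methods
refuse-pap
refuse-chap
refuse-mschap
require-mschap-v2
require-mppe-128
lock
nobsdcomp
```

The `ms-wins` and `ms-dns` lines are what fix the name-resolution problem; the authentication lines only narrow the server to the strongest methods PPTP offers. They do not address the protocol-level weaknesses in MS-CHAP and MPPE that the Counterpane FAQ cited in comment 96 describes, which is the reason given above for moving to IPSec with certificates.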

  98. Yeah! Microsoft Sucks! by Anonymous Coward · · Score: 0

    Informative = +5 please...

  99. Everyone knows Microsoft security is GOOD by Anonymous Coward · · Score: 0

    I'd expect this kind of crap from you linux bigots. Everyone knows MS has the best security and IS the most WIDELY used O/S. So what, occasionally things slip by, this is a fact of the programming life cycle. Look at how buggy most of the Linux distros are. I would never run a business or anything on that crap. So just FUCK OFF.

    1. Re:Everyone knows Microsoft security is GOOD by Anonymous Coward · · Score: 0

      I couldn't agree with you more. I'm tired of all this stupid MS bashing. Some people really need to look at how worthless some linux distributions are. And don't get me started on FreeBSD....yeeech!

    2. Re:Everyone knows Microsoft security is GOOD by Anonymous Coward · · Score: 0

      What the fuck do you know? FreeBSD is awesome. Have you ever worked with it dickwad.

    3. Re:Everyone knows Microsoft security is GOOD by Anonymous Coward · · Score: 0

      bwahahahhha. luser.

  100. Re:time to start firing/ reducing pay JAVA TROLL by Anonymous Coward · · Score: 0

    I thought you only bothered the BSD people, but no, here you are spreading your caffeinated crap on a Microsoft post.

  101. Re:Hmmm...you mean MSCSE by Anonymous Coward · · Score: 0

    MicroSoftCertifiedSystemsEngineer
    Makes a real engineer scream.

  102. Non Disclosure by gnovos · · Score: 2

    The other side of the coin is that limited disclosure disarms the script kiddies and cyber vandals by not giving them an exploit on a plate.

    Script kiddies are not the problem. Let this message be shouted from the hills. A script kiddie scrawls his name on your corporate web page and leaves a little egg on your face. They are harmless. The person you need to worry about a LOT is the hacker who knows what he is doing, who already knows your flaws, and is looking for your company secrets, your pre-patent diagrams, your strategy memos and he wants to sell to the highest bidder.

    --
    "Your superior intellect is no match for our puny weapons!"
  103. This is news? by druse · · Score: 0

    Bruce Schneier of Counterpane systems wrote an article for the ieee computer society that described exactly why PPTP was a steaming pile. I think it was back around 1999.

    --
    "To blow recursion, you must first blow recus
  104. ms pptp by Anonymous Coward · · Score: 0

    what a bunch of lamo clitheads you all are. Sit around whining about how biased the media is one way or another, and when it comes to your turn to be part of the media, why, you are just as full of phlegm as they are.

    A responsible news item would mention what the other competing programs are, what the market share for each is, and what the known exploits for each are.

    This heinous belief that Microsoft is the enemy will be your undoing in Hell.

  105. Re:Slashdot Exclusive: Software Not Perfect by SirSlud · · Score: 2

    This just in: People kill each other. I guess it's just a fact of life, eh? ;)

    Seriously tho, if you want to be the biggest player on the block, you'd better be prepared for more scrutiny. If you wanna be #1 in a market, you'll be the one wearing the biggest bullseye.

    Just like bugs are a consequence of life, so are bullseyes. They have 40 billion in the bank to fight bugs with; most other companies do not. Whereas other companies deserve some slack because they don't have these resources, MS does not.

    --
    "Old man yells at systemd"
  106. Any MS code out there without security bugs? by Anonymous Coward · · Score: 0

    Seems like almost each program they put out that connects to the Internet has had one or more security-related bugs.

    I must be missing something, but even though there have been some bugs in apache, openssl/openssh, libz too, they have been far less numerous and the fixes have been available much faster (same day, or in the case of ssh, before the bug was publicized). All that even though MS has been pushing people very hard to delay public bug reporting, such as asking people/companies to wait 30 days between reporting security problems to MS and reporting them publicly...

    Now somebody explain to me why this is all really normal for a company betting its operating system future on 'trustworthy computing'. Can we really trust that software? Unix had its carnage of buffer overflows in the ftpd's, sendmail, etc, five to ten years ago, but by now that has subsided to the current stability. Who's behind here? So what can we expect from this mysterious new clustering software that will 'outsmart' Beowulf, mosix, UML, vservers, MPI/PVM, etc? Tell us Coach? Will this all go away with a new slogan or dance?

  107. slashdot == bugtraq for Microsoft by Anonymous Coward · · Score: 0

    if I want to hear about exploits etc I'll subscribe to bugtraq and visit neworder.box.sk occasionally, but when a Microsoft vulnerability is discovered expect an announcement on slashdot - and when an apache vulnerability is discovered expect to hear how quick it was patched up and how good open source is.

  108. PowerPoint Sermons by Anonymous Coward · · Score: 0

    Instead of wasting my time on more problems at Microsoft why aren't we talking about ways to get churches using anything other than PowerPoint?
    Do a search on google.
    PowerPoint sermons are a burgeoning cottage industry. There's a guy in Lubbock selling CDs for 20 bucks a pop.

  109. hmmm... by Anonymous Coward · · Score: 0

    oops, i did it again. ...

    thats all i got...

  110. Re:Slashdot Exclusive: Software Not Perfect by jon_c · · Score: 2

    I don't think that is true, clearly Microsoft has improved enormously in the last year or so as there are far more bug fixes. It's not as if Microsoft, now concerned with security, started producing software that was more defective than before.

    I think there are two variables at play; one being that security is a larger field and more people are looking for defects in Microsoft's code, and not just Microsoft, you'll notice that there are not more exploits in other operating systems, such as Linux and even OpenBSD. Two, Microsoft has been MORE responsive to fixing the bugs, XP now comes with an auto updater and sends fixes out automatically (if configured to do so).

    It seems clear that Microsoft is more focused on security now than ever before, this doesn't mean we'll be hearing more about bugs, it means we'll be hearing about them more!

    -Jon

    --
    this is my sig.
  111. NT4 Patches Will Be Released Until at LEAST 2004 by Nintendork · · Score: 2
    How do you know that they are going to stop releasing patches for NT4? Are you in upper management at Microsoft? Probably not. I did however support NT4 networking, security, and setup for Microsoft for over a year (2000-2001). From experience, I'll assume that if NT4 is vulnerable (RAS and/or RRAS), they'll fix it. There's still a lot of NT4 servers out there because of the cost to upgrade the server OS and CALs. Hell, they supported NT 3.51 up until about a year ago. They drop client side OS support after so many years without thinking twice because they have a stranglehold on the consumer OS market. The server market is a whole different story though. Why would they piss off corporate customers? Corporations realize that end users aren't going to be sitting in front of servers, so it makes little difference how familiar it is to the whole staff. Corporations aren't as afraid to switch server platforms. Microsoft needs to provide a lot of incentive to get people to stick with their server suite and they know it.

    Look at the link that Tweek posted. They are being very careful not to piss off the server market. Windows 95 support started to disappear without warning. Compare that decision to the page Tweek referenced and you'll see the difference in attitude.

  112. Re:Lawsuit, Linux VPN (details) by phorm · · Score: 1

    I don't really need server names, the main purpose is just for sharing certain files and/or IPX/SPX connections (for LAN games). No need for domain names as nobody will be using this connection to go anywhere but in.

    but are migrating to IPSec with certificates

    What are you doing to implement this? Is there something written to do it, or are you trying to do this manually with custom apps and ipchains voodoo?

  113. Re:Lawsuit, Linux VPN (details) by GigsVT · · Score: 1

    or sharing certain files and/or IPX/SPX connections

    Realize there is not-inconsiderable overhead with something like SSH tunnels, that doesn't exist with a lower level solution.

    IPX/SPX->PPP->SSH->TCP->IP

    It may work well enough for you, but if it winds up not being fast enough, you know you need something better.

    --
    I've had enough abrasive sigs. Kittens are cute and fuzzy.
  114. I don't think so, Otis by Mr.+Firewall · · Score: 1

    Actually, I HAVE done my homework, and it appears that you have not done yours.

    Among other problems, Micro$oft's implementation of IPSec uses weak encryption.

    So which one of us is still in Kindergarten? (hint: Kindergartners don't do homework)

    --
    In times of universal deceit, telling the truth gets you modded -1 Troll
  115. Comment removed by account_deleted · · Score: 2

    Comment removed based on user account deletion

  116. Re:Lawsuit, Linux VPN (details) by tzanger · · Score: 2

    I don't really need server names, the main purpose is just for sharing certain files and/or IPX/SPX connections (for LAN games). No need for domain names as nobody will be using this connection to go anywhere but in.

    I mean you need to send the WINS server info so you can get NetBIOS resolution. i.e. \\someserver instead of \\server.ip.address.here.

    What are you doing to implement [Win2k x509 IPSec]?

    This is where I got started. I was most confused when creating the certificates, and later (on win2k) when I realized that the software it asks you to install is just a wrapper for the code win2k already has.

  117. K.I.S.S. by Tony-A · · Score: 2

    Funny how things supposed to protect us are requiring so much more complex technology that bugs bite back and achieve exactly the opposite of what it's supposed to add in the first place, security.
    It's very easy, and almost predictable, to "out-smart" yourself.
    I'm not sure of the origin, but I think KISS originated in Lockheed's Skunkworks. The original "stupid" was probably something like a 19-year-old PhD from MIT. The real battle is against Mother Nature, and she's got enough tricks up her sleeve so that, comparatively, *everybody* is stupid.

  118. I'm sure the PR people are working on a fix! by Mike+McCune · · Score: 2

    "Microsoft treats security vulnerabilities as public relations problems" Bruce Schneier.

    --

    In a world that is Free and Open, who needs Windows and Gates?

  119. IF Terrorist information were handled ... by Anonymous Coward · · Score: 0

    the way Microsoft and its cronies want to handle their software bugs and security holes, the government would outlaw any mention of terrorist activities and censor any attempts to warn the public. The public would go about their lives blissfully unaware of the dangers. Even the nearest relatives of family members killed in terrorist attacks would be 'informed' of 'accidents' which took their lives and/or destroyed their property.
    Meanwhile, the DOJ, FEMA, the FBI and the CIA would have daily public service ads praising their own efforts at "keeping the public safe" from attacks.

    Of course, when Saddam's suitcase nuke goes off in Washington DC it will be attributed to faulty power reactors and the owners and management will be sent to prison.

    Don't you just love that catch phrase, "Internet Safety"? As if not reporting bugs and security holes will prevent software from crashing or crackers from breaking in.

    Fools.

  120. Re:Thank God Linux is unhackable. by Anonymous Coward · · Score: 0

    No, you weren't.

    The dream is the belief that Microsoft will secure their code.

  121. It's a trivial issue by Anonymous Coward · · Score: 0

    Nobody still runs that Microsoft shit for serious business apps any more. Every IT manager with even half a clue has switched to something else by now. After all those virus infestations and stability issues, nobody takes MS seriously. It's just a home/hobbyist OS these days, so security issues with Windoze don't really matter.

  122. it's better than SuSE and Red Hat anyway by Anonymous Coward · · Score: 0

    M$ came out with the last fix for the SSL vulnerability portable for your auntie to install. SuSE and Red Hat did not.

    Holy Moly... We've got a worm in wide-spread Linux systems, but M$ didn't.

    Slashdot has to become less biased one day...
    Not today, maybe tomorrow

  123. Re:Slashdot Exclusive: Software Not Perfect by mpe · · Score: 2

    Two, Microsoft has been MORE responsive to fixing the bugs, XP now comes with an auto updater and sends fixes out automatically (if configured to do so).

    This is simply a method of sending out updates. It may or may not have anything to do with fixing bugs. Indeed it could just as easily ensure that buggy code gets distributed quickly.

  124. Phion is _NOT_ a german company by Anonymous Coward · · Score: 0

    phion information technologies GmbH
    eduard bodem gasse 6
    6020 innsbruck
    austria
    fon ++43 512 394545
    fax ++43 512 394545 20
    office@phion.com

    it's an AUSTRIAN company!

  125. Remind me of a conversation I had with my employer by Rogerborg · · Score: 3, Funny
    IT guy: Since you keep pestering us about network issues, we've decided to let you trial our new teleworker VPN.
    Me: 'kay, what are we using?
    IT guy: eSmith VPN
    Me: Which is? PPTP VPN? IpSec?
    IT guy: What? Use Windows 2K VPN to connect.
    Me: Uh, right. I'll be using PPTP on my linux box, is that all right?
    IT guy: No way!
    Me: Why not?
    IT guy: It's not on the approved software list, therefore it's a potential security risk.
    Me: Uhhh... all right. Then I'll use Win2K VPN.
    IT guy: Really?
    Me: Sure, as far as you know.

    Which pretty much sums up commercial IT. Better the devil you know than the devil you don't.

    --
    If you were blocking sigs, you wouldn't have to read this.
  126. Phion is Austrian by anno1602 · · Score: 1

    Phion is Austrian, not German.

  127. Windows 3 was written in assembler by DrSkwid · · Score: 2

    but there's no excuse these days

    --
    There are places where the networks are not touching, and there are places where they are - Boeing's Lori Gunter
    1. Re:Windows 3 was written in assembler by Jonathan+the+Nerd · · Score: 1

      Are you sure about that? I seem to remember reading an account from a former MS programmer that said Billg wouldn't let them use assembler in Windows because he intended for Windows to run on a bunch of different platforms and he wanted to maximize portability. Am I misremembering?

      --
      Disclaimer: The opinions expressed are not necessarily my own, as I've not yet had my medication today.
    2. Re:Windows 3 was written in assembler by Anonymous Coward · · Score: 0

      With the proliferation of APIs these days, higher level languages are actually less portable. I have ported some ASM programs and it was remarkably simple. The commands are all fundamentally the same, so all you really need to do is adjust the constants for screen size, screen memory location, keyboard input buffer location, and such. I can see C being almost as easy to port before Win3.1, but definitely not easier.

  128. AUSTRIA! by sluggie · · Score: 2

    Phion is an AUSTRIAN company. Yes, this is a huge difference.

    http://www.phion.com/contact/

    1. Re:AUSTRIA! by Anonymous Coward · · Score: 0

      Right, but as long as they don't tell us it's an Australian company ...
      Didn't think the guys in Innsbruck are that smart ;)

  129. Re:And its a good thing! (sorry) by koh · · Score: 1

    Please disregard previous post and moderate it into oblivion. I was obviously on crack and lacking sleep. That's what you get by being a developer. Sorry for the waste of disk space.

    Back to the point, what you want to do is :

    1) have a process listen on privileged port 21
    2) upon connection, accept() it then pass the socket to a fork()ed unprivileged FTP daemon
    3) watch the daemon scream and die when trying to open its data transfer connection on a privileged port.

    You may be able to tell ftpd to create its data connection on an unprivileged port, or inetd/xinetd may be able to handle this.

    --
    Karma cannot be described by words alone.
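Added example, not the poster's code or any real ftpd: the three steps above in C, a root listener on 21 that forks and drops privilege before handling the client, plus a small bind helper that makes the child's port 20 failure visible. The `try_bind_port` and `drop_privileges` names and the 65534 "nobody" uid/gid are assumptions.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <unistd.h>

/* Bind a loopback TCP socket to `port`; return 0 or errno. 20 = ftp-data. */
int try_bind_port(unsigned short port) {
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return errno;
    struct sockaddr_in sa;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_port = htons(port);
    sa.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    int rc = bind(fd, (struct sockaddr *)&sa, sizeof sa) == 0 ? 0 : errno;
    close(fd);
    return rc;
}

/* Drop root for good: gid first (setgid fails once uid is unprivileged). */
int drop_privileges(uid_t uid, gid_t gid) {
    if (setgid(gid) != 0) return errno;
    if (setuid(uid) != 0) return errno;
    return 0;
}

/* Steps 1-3 of the post: listen on 21 as root, accept(), fork(), drop root
 * in the child, and watch its bind of the port 20 data socket fail with
 * EACCES. 65534 is assumed to be the unprivileged "nobody" uid/gid. */
int main(void) {
    int lfd = socket(AF_INET, SOCK_STREAM, 0);
    struct sockaddr_in sa = { .sin_family = AF_INET, .sin_port = htons(21),
                              .sin_addr.s_addr = htonl(INADDR_ANY) };
    if (bind(lfd, (struct sockaddr *)&sa, sizeof sa) || listen(lfd, 8)) {
        perror("listen on 21"); return 1;
    }
    int cfd = accept(lfd, NULL, NULL);          /* still root here */
    if (fork() == 0) {
        close(lfd);
        if (drop_privileges(65534, 65534)) { perror("drop"); _exit(1); }
        int rc = try_bind_port(20);             /* EACCES: "scream and die" */
        dprintf(cfd, "data port 20: %s\r\n", rc ? strerror(rc) : "ok");
        close(cfd); _exit(rc ? 1 : 0);
    }
    close(cfd); wait(NULL); return 0;
}
```

Run as root to see the child's refusal; as an ordinary user the listen on 21 itself already fails, which is the same privileged-port rule.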
  130. Microsoft software ALWAYS contains bugs by Anonymous Coward · · Score: 0

    I've never known a single Microsoft product to be bug-free.

    An authentication flaw is a very very serious problem. Microsoft software isn't engineered for security at all for sure.

  131. Rotten Reading by NetWurkGuy · · Score: 1

    An old Red Skelton gag was "I can read reading and I can read writing but this writing is rotten". The significance of your example is that some reading is rotten.

    The practice in C is to rely heavily upon NUL terminated strings. For just about any machine architecture this is just about optimal speedwise but it carries a risk of buffer overflows. Since the length of a source string is not known ahead of time overflow of a destination buffer area can be guarded against only at the cost of regular tests inserted inside the loop. The alternative is to represent strings as structures consisting of an integer field specifying the string length followed by the actual string data. This way source and destination sizes can be compared at small overhead cost before beginning a transfer loop. This has the drawbacks of the slight pre-looping overhead, a slightly greater memory requirement for each string and an absolute upper bound imposed on string length. Some extra logic can work around this last difficulty. In the old days when memory was more expensive and processors slower these disadvantages were more significant. Today, I think the tradeoffs favor greater security. We need a new low level adept language to replace C that implements strings consistently as structures.

    --
    "Obtuse Anger is that which is greater than Right Anger" - Lewis Carroll
    1. Re:Rotten Reading by Anonymous Coward · · Score: 0

      There is no need to replace C.

      '\0' terminated strings are part of the C library. You can write (and people have written) pascal style string libraries for C. Use them.

      Replacing a whole language to replace one small part of the standard library seems like overkill.
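Added example serving both the parent post and this reply, not code from either poster: a minimal counted-string type in C that does the single up-front length comparison the parent describes, in the spirit of the pascal-style library the reply suggests. The `lstring` type and its functions are hypothetical.

```c
#include <stddef.h>
#include <string.h>

/* A counted string: the length travels with the bytes, so a copy can be
 * bounds-checked once, before the transfer loop, rather than on every byte
 * as a NUL-terminated copy would need. Hypothetical type for illustration,
 * not from any real library. */
typedef struct {
    size_t cap;   /* bytes available in data[]: the absolute upper bound */
    size_t len;   /* bytes in use; authoritative, no NUL terminator needed */
    char  *data;
} lstring;

/* Wrap a caller-supplied buffer of cap bytes; len starts at 0. */
lstring lstr_wrap(char *buf, size_t cap) {
    lstring s = { cap, 0, buf };
    return s;
}

/* Copy src into dst: returns 0, or -1 with dst untouched if src does not
 * fit. The one comparison up front is the whole overflow check. */
int lstr_copy(lstring *dst, const lstring *src) {
    if (src->len > dst->cap)
        return -1;
    memcpy(dst->data, src->data, src->len);
    dst->len = src->len;
    return 0;
}

/* Append with the same all-or-nothing rule. Subtracting rather than adding
 * keeps dst->len + src->len from wrapping around in size_t. */
int lstr_append(lstring *dst, const lstring *src) {
    if (src->len > dst->cap - dst->len)
        return -1;
    memcpy(dst->data + dst->len, src->data, src->len);
    dst->len += src->len;
    return 0;
}

/* Import a NUL-terminated C string: measure it once, then bounded-copy. */
int lstr_set_cstr(lstring *dst, const char *cstr) {
    size_t n = strlen(cstr);
    lstring src = { n, n, (char *)cstr };
    return lstr_copy(dst, &src);
}

/* Equality: compare lengths first, then bytes. */
int lstr_equal(const lstring *a, const lstring *b) {
    return a->len == b->len && memcmp(a->data, b->data, a->len) == 0;
}
```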

  132. erratum by arnonym · · Score: 1

    phion is located in innsbruck, AUSTRIA. not germany. it's a HUGE difference, you know..

    --
    sic luceat lux
  133. This is Microsoft's ugliest error yet! by Anonymous Coward · · Score: 0

    I mean it, when a Pee-Pee Tee-Pee gets overflowed, it is a really UGLY problem for all the campers!

  134. can't be sure but I think it's the 3 that's wrong by DrSkwid · · Score: 1

    I've been trawling the history pages to try and get a confirmation.

    I think it's the 3 part I'm wrong with not the Windows bit.

    I've held the "windows was assembler" bit in my head for some time, maybe I'm passing on something that someone told me.

    --
    There are places where the networks are not touching, and there are places where they are - Boeing's Lori Gunter
  135. Last Post! by alpg · · Score: 1

    The buffalo isn't as dangerous as everyone makes him out to be.
    Statistics prove that in the United States more Americans are killed in
    automobile accidents than are killed by buffalo.
    -- Art Buchwald

    - this post brought to you by the Automated Last Post Generator...