Slashdot Mirror
Microsoft PPTP Buffer Overflow; VPNs Vulnerable
An anonymous reader writes "According to this InfoWorld article, a buffer overflow exploit has been discovered for Microsoft's PPTP implementation, which leaves Microsoft VPN solutions vulnerable to exploit. This overflow was discovered by the German security firm Phion; they have posted more info on this page." We might as well throw in yet another remote exploit for FrontPage, too. No, not last week's remote exploits - these are new. Coincidentally, the front group Microsoft organized for the purpose of quashing bug disclosure (that is, reducing Microsoft's bad press) is just now getting underway.
Somebody ought to compile a list of every unfixed MS security related bug, and mail that, every single day, to any congress[person,critter,droid] that is consulting with microsoft on 'security'.
TODO: Something witty here...
isnt great that the community debugs microsoft's security software for free? they probably dont event try to test it anymore since they can rely on everyone finding the holes and reporting it immediately on slashdot.
In a stunning revalation, a string of recent articles indexed by Slashdot.org, an internet news resource for the technically inclined, declares that software is not perfect.
"For years people have believed that commercial software works flawlessly," said Slashdot editor Timothy. "We always believed that bugs in commercial software were just a myth - the kind of stories open source programmers told their children around late-night campfires."
Comments from Slashdot readers indicated the level of surprise. "It's unbelievable. Every operating system, word processor, web browser and game I've ever purchased has always worked flawlessly out of the box. And now they're telling us that there are bugs, and even security flaws? It's unbelievable!" commented one user.
"If software really does have flaws, this could really put the future of computing in jeapordy," added another. He continued, "Will people be willing to use software that saves them or their company thousands or millions of dollars a year if it's possible that an unlikely buffer overrun might release a credit card number? People will go back to writing documents with real pens and checking spelling with actual paper dictionaries!"
One apparently young poster thought there might be a little overreaction. "I don't know what a buffer overrun is, but as long as I can still IM girls to ask if they'll be my girlfriend and play counterstrike, I don't care either."
paintball
Who needs an exploit to crash a Windows server?
"We can't solve problems by using the same kind of thinking we used when we created them."
What's an MSCE?
mstyne: real name, no gimmicks
The commercial applications are slim...unless you have a company that gets paid to take down other people's servers.
You mean like VA Software Corporation?
WTF, I just patched that box 3 minutes ago!!
Yea, so what? They won't have a patch ready for weeks. I'm going to play golf.
It is acting kinda strange. You better reboot, just to be sure.
The server's down? Again??
It can't be down. I rebooted it 5 minutes ago.
Naw, they won't bother us. It's not like we're the DOD or something.
Don't bug me now. I've almost got high score on Pinball.
Sure, I've heard of Linux. It sucks!
It might be that they will find a way to run arbitrary code through this exploit, but so far they were only able to crash the system.
;)
Maybe the short-term fix would be to run in Safe Mode. Then we're ok, right?
Its called Blue Screen of Death.. We're currently on tour with Buffer Overflow and Malicious Code.
Coming to a VPN near you...
"I love California. I practically grew up in Phoenix." -Dan Quayle
They were arresting hackers.
>>The commercial applications are slim...unless you have a company that gets paid to take down other people's servers.
Hello, RIAA. We have a business opportunity for you...
Only on Slashdot would people complain about this. Didn't your mom ever complain about leaving the iron or stove on, and she had to drive all the way home to turn it off? This is obviously a remote shutdown mechanism put in place to allow sysadmins to turn their machines off if necessary, from home. No more late night runs to your cube! It's kind of like an "Easter Egg", if you will.
Man, we praise Tivo for allowing a certain series of keystrokes to allow 30-second fast-forwarding (or is that ReplayTV, I don't remember). But when MICROSOFT has secret, useful features in place.... we rip them apart! Come on people!
(yes, it's humor, calm down)
The initials are the same! It's not a bug - it's an example of embrace and extend!
> These vulnerabilities only allow DoS attacks, not intercepting data.
Couldn't a hostile party use your server's pattern of up and down times as Morse code, to send secret messages or something?
Sheesh, evil *and* a jerk. -- Jade
So, by running Linux, I am using Windows less, therefore I am causing a dip in M$ profits (poor them. I feel soooo bad). By not having any problems, I cause you to lose money, and when you and M$ lose money, the shareholders loose money. When the share holders lose money, then people begin to cut back on M$ product purchases, thereby causing less work for you and leading to a profit loss, which in turn causes the stock price to fall again which....
So basically, I am causing the downfall of capitalism by using Linux? I feel so powerful! I wonder how far down the stock market will go if I can get all of my friends on Linux.
Me: 'kay, what are we using?
IT guy: eSmith VPN
Me: Which is? PPTP VPN? IpSec?
IT guy: What? Use Windows 2K VPN to connect.
Me: Uh, right. I'll be using PPTP on my linux box, is that all right?
IT guy: No way!
Me: Why not?
IT guy: It's not on the approved software list, therefore it's a potential security risk.
Me: Uhhh... all right. Then I'll use Win2K VPN.
IT guy: Really?
Me: Sure, as far as you know.
Which pretty much sums up commercial IT. Better the devil you know than the devil you don't.
If you were blocking sigs, you wouldn't have to read this.