Weekly Microsoft Critical Security Issue
An anonymous reader sent in linkage to a zd story discussing the latest Windows Security Patches including an especially nice hole letting Java apps gain total control of your machine and assist you in reclaiming disk space by, say, reformatting your drive.
... that my Java skills can be used for evil, rather than good. ;-)
which virtual machine is it that caused this? The one before or after Microsoft added their own extensions? (which caused the whole MS-Sun lawsuit)
Suicide Booth: You are now dead! Thank you for using Stop and Drop, America's favorite since 2008.
OK, so I hate MS for building unsafe software. But this time, I have to give them credit. I woke up this morning to my computer telling me that there was a critical update waiting to be installed, and it was this one. I read about the vulnerability on the web *after* installing the patch, so I am kinda glad that MS shoves updates down my throat.
That'll work out great. I just downloaded the RH9 ISOs.
Toronto-area transit rider? Rate your ride.
Couple of remote roots in Samba, a local ptrace in the kernel and a few OpenSSL probs to get you on the system initially.
Get your own free personal location tracker
They don't run sendmail! Can you imagine having to keep up with patching Windows AND sendmail?!
Doesn't it seem just a little strange that the Java VM, which MS removed from XP until it was forced to reinclude it by court order (still under appeal, I believe), has a critical security hole found?
The timing seems a little too good to be true...
Good thing Microsoft JRE is so broken, that all exploits ended up not working!
Write once, debug everywhere.
Ok well Linux users have been hammering on the "Windows is insecure" thing for what -- 6 years now? And Windows' market share is as good as it ever was, perhaps even a bit better. Time to try a new strategy? This one is getting boring!
In the second paragraph:
The three warnings, all issued on Wednesday, involve the Microsoft Virtual Machine for running Java applets on Windows
So it's Microsoft's VM implementation...
More *bad* flaws in winblows!!
Mo money for me! Every time this happens I go out and patch up my customers. Cha-ching, cha-ching!
And I always offer and *suggest* that they go with Linux but they are *afraid* of change.
They would rather live in fear and subservience than live in security freedom...
Go figure..
I don't agree with the intention of the message. While it is true that this bug allows the execution of commands, it does this only with the rights of the owner of the user account. In Unixian, this is not a remote root exploit.
Nevertheless, my last sentence becomes quite irrelevant, as Windows users tend to work as $root.
Actually the court order is to put Sun's version of the JVM into Windows - exactly to fix this type of stupid problem.
/* sarcasm */
Finally someone wrote something to get rid of all that spyware that's installed itself on my system! Thank you MS!
Just curious. I mean, if the intent is to inform.
Geez guys, why can't you go a day without publishing anti-MS crap! Don't you think that if this were really a problem that people'd be aff.... K(R*AB(*D [NO CARRIER]
One of the vulnerabilities in the VM if exploited could allow your hard disk to be formatted. Well, that takes care of that problem.
Open source development is my way of competing with the low-cost programmers in India...
So I now have two options.
* Let baddies in at their will.
* Run Windows Update, expose my machine to Msoft, sign away my soul through the patch EULA.
Help!
From the office of Iraqi Information Minister Mohammed Saeed al-Sahhaf (aka Baghdad Bob):
"Lies all Lies! The infidel Linux computers are not secure. The coalition will fall in the wake of the mighty secure Microsoft operating system!"
More at 11.
Karma: The shiznight, mostly because I am the Drizzle.
As the main post points out this is pretty much a weekly news release from Microsoft. It's interesting because in some ways I get surprised by the severity of the bugs, such as allowing a huge hole in the Java VM that would allow someone to format your hard drive, or a bug in Proxy Server that would allow a single malformed packet to max the CPU at 100%. On the other hand I'm surprised Microsoft doesn't have more of these bugs.
I think this is where the philosophical differences of Open Source Software really make a big difference. Even though OSS still has bugs, the live testing cycle is unparalleled. However I think the biggest difference boils down to this: there is no one saying we have to have this product out the door by XX date. Rather it becomes stable when it's ready, but you can use the development version if you need or want.
As the lines of code in software grow and the complexity increases, I think we will see a greater number of more severe bugs in closed source systems. Ultimately I believe this will be one of the critical factors leading to OSS's long term success.
Doug Tolton
"The destruction of a value which is, will not bring value to that which isn't." -John Galt
Big difference. Apps have total control by default, while applets are supposed to be harmless.
I can honestly say that it baffles me as to why Microsoft continues to hold such a huge stake in most of the computing world. I don't understand why people continue to digest what is carelessly tossed out of Redmond, WA.
I can understand the need for an array of software unavailable on any other platform (though, what percentage of that software is actually GOOD software?), and the platform standardization issues, maybe even "ease" of use, but honestly, the security and ridiculousness of the MS platform, ideology, and disregard of standards make me sick.
What is the continuing allure? Do you really not mind running machines that are completely insecure? And how can they not fix their own NT 4.0 code? That's absurd. They pitch this solution for years, and bail when the cost to fix their crap gets too high.
I'm not trolling, I'm baffled. Someone tell me why this continues?
It's only when we've lost everything, that we are free to do anything...
"...and assist you in reclaiming disk space by, say, reformatting your drive."
Well, that takes care of the wicked-long step 1 in uninstalling windows and installing linux!
That is, of course, if this vulnerability affects the version I'm running - Windows Herpes Edition.
How are you going to keep them down on the farm once they've seen Karl Hungus?
Let me save many of us some time:
"Well here we go again. A gaping security hole in Microsoft [ Operating System ]. This never would have happened if Bill Gates weren't just trying to make more money so he could buy more [ plural noun ] to fill up his mansion in [ place ]
This is just one more reason why [ circuit court ] should [ verb ] that [ expletive ] company once and for all.
[ Unix-based operating system ] only had this problem [ number ] in its entire history, and there was a patch posted in under [ number ] minutes!
[ Text-based word processor ] rulez! Micr- [ Insulting variation on 'soft' ] is the [ Traditional evil deity ]!"
-----
Believe me, I'm as surprised by my comment as you are.
See, this is why I print out all of the data on my hard drives in binary every weekend.
track7.org has all kinds of interesting stuff!
<reality check>
Until someone actually writes a massively spreading virus/worm that jumps from Windows PC to Windows PC doing precisely that (formatting hard drives) - people are just going to patch it and not even think about changing OS.
Hell, most people probably won't even patch it. What doesn't affect them, they don't care about.
</reality check>
Avantslash - View Slashdot cleanly on your mobile phone.
Well, it is now officially Thursday. As I've said before, I think there should be an
Official
So
Happy
It's
Thursday for announcing MS holes.
www.eFax.com are spammers
"...assist you in reclaiming disk space by, say, reformatting your drive." I've been looking for a good disk partitioning tool, and along comes Microsoft to help me out. Anyone know if a Linux port is in the works?
Hi! I make Firefox Plug-ins. Check 'em out @ https://addons.mozilla.org/en-US/firefox/addon/youtube-mp3-podcaster/
This clearly is a bug of 'Mass Destruction'. The only thing a responsible democracy can do is invade Redmond and pull down Bill Gates' statue. Is the 10th infantry div still busy? MM
...security freedom...
Not that I love M$, but it seems that you're bashing Micro$haft unjustly. Linux seems to be pumping out even more fixes and patches than old Billy boy's crappy product.
It seems like for the last month or so I have received at least 2 RedHat errata a day, and the majority of them are for security reasons.
For my RedHat email server, there have been 98 updates put out by RedHat and the Linux community. Of those 98, 16 were bug fixes, 4 were enhancements, and 78 were for security concerns. On my W2K workstation, I have installed 12 hotfixes and 3 service packs.
Linux enthusiasts like you that bash Microsoft without knowing what you are saying make the entire Linux community look bad. Instead of bashing them, we should at least praise them for responding quickly (this time), once the bug was found.
People who throw stones....
The offending applet would have to set the evil bit in its packets anyway... ;-)
You're right... Last year Redhat issued nearly twice as many security bulletins as Microsoft.
I'm sure the above is a troll, but I'll answer anyways. When you install windows, you get, well, windows. And internet explorer, and freecell. That's about it.
When you install linux from RedHat (or Mandrake or...) you get the OS, several browsers and mail clients, 2+ office suites, 4+ text editors, java, perl, c, python, 25+ games, 3+ window managers, etc (not that you have to install all that - but they're available in the install).
I'd say Redhat is doing great to only have 2x the security bulletins as microsoft considering they supply 4x or 5x the software on their cd's.
Plus, it's been documented many times before that bugfixes are available much quicker in the OS world than the MS world.
I'm increasingly convinced that Linux is dying off. The lies and distortions we are seeing on slashbot have become more and more desperate over the past two years.
Name one "lie" regarding linux that you've seen on slashdot that's demonstrably not true (articles only, not posts). Remember, nobody is going to agree with all the opinions expressed on this site.
Personally it's not God I dislike, it's his fan club I can't stand (bash.org)
Open source has the potential to be more secure than closed source
Well, that's kind of a silly statement. I could say closed source has the potential to be more secure than open source and still be correct.
Heck in this case, MSFT found their own hole and patched it. If it was an OS JRE with this flaw, then chances are equally good it would be found by a "blackhat" first.
I don't need no instructions to know how to rock!!!!
I thought about this a lot too over the last year or so, and based on my experience, it's simply that despite all of the security risks, most companies aren't losing that much money on lack of security.
I work for a company that has a good bit of Microsoft, some Sun and some linux deployed. Now, without getting into any religious wars over who's more secure, I'll simply say that the Microsoft servers have been compromised on more than one occasion. The Microsoft servers also got hit very hard by Code Red and Nimda.
When I see stuff like that, I just shake my head, because it seems insane to me that the company considers that acceptable. But then I thought about it, and here's why I think they're okay with it: with all of the exploits, all of the headaches, and all of the patching, it really didn't affect anybody above the admin level one iota. We didn't lose any money because of the compromises (sure, we served up a lot of movies and so forth), we didn't pay extra money to clean up afterward, and we didn't lose any data. As far as management was concerned, we got hit full on with evil crackers, and it just didn't matter that much.
Now, I'll grant you that some companies have a lot to lose with poor security. Anybody who's stocking personal information or credit card numbers or whatnot should be very concerned. Financial institutions and military organizations (people who are being specifically targeted for their data) should be more concerned. But I think the majority of companies who are just serving up information on corporate websites, running some basic services, etc. just haven't been hit by security holes hard enough for it to warrant a change in their philosophy.
I think it's much the same for desktop users. There are a lot of Windows vulnerabilities out there and a lot of unpatched machines, but I don't know of anybody who's really felt any pain because of microsoft security holes. I'm certain there are some, but actual exploits are not nearly as epidemic as the vulnerabilities they exploit.
Now, if one of these things ever got any legs and started wiping out hard drives or corrupting data, and if millions of people were affected, and if millions of actual, tangible dollars (not time, effort, etc.) were lost, I think it would suddenly become a very different ballgame. But the fact is, at least for now, that despite the rampant security problems, the business community as a whole isn't suffering enough to worry, and neither are the home users.
I'm not saying it's right, but I know that my boss and his boss don't care if it doesn't cost the company anything.
There's a huge difference between a flaw like this in the VM that Microsoft ships that can be used to format your HD by viewing a web site and some bug in a library that can impact maybe a handful of people.
You have to compare the SEVERITY and NATURE of the bugs. Sure, there are bugs with whatever OS, but as to this level of Severity and of this Nature, you're just wrong, there are not that many with Linux, Apple or Solaris or whatever. Windows takes the cake.
If you think this is all overblown hogwash, you're deluding yourself.
This is not a bug:
From CNN, October 25, 2001:
http://www.cnn.com/2001/TECH/ptech/10/25/xp.london.launch/index.html
"The system promises fewer computer crashes and will allow users to delete data from their hard drive."
If you don't want to run Windows Update, or don't want to use Internet Explorer 5+ in order to use Windows Update, here is a list of recent security related patches that you can download individually.
Of course, you should realize that you have already signed your soul over to Microsoft by having Windows on your machine. You might as well close your eyes and agree to the EULA for Windows Update.
Could you go back and check the SEVERITY and NATURE of those bugs? Do any of them let a HD be wiped out just by surfing to a web page?
You're deluding yourself and you're not employing a correct analysis and comparison of the problems.
Apparently, Slashdot and its editors have never been taught how news reporters/sites gain respectability.
/. is an editorial site, and may get away with it, but as such it will never really be able to sway opinion very well.
In order to report the news well, objectivity and a lack of bias should be maintained. When you start taking pot shots at what you report, you turn into the national enquirer, and people start to not take you seriously. What the people in the peanut gallery say is one thing, but what you put up in the story is another. Now you can say
I'm expecting to see how aliens took over MS soon, and Bill Gates having an affair with .
Anyone who needs Java, for applets, webstart, applications, should install Java directly from Sun. You'll get the latest and greatest implementation (for Windows anyway) and it will integrate seamlessly with IE so you'll never notice any difference (other than the time to download the damn thing).
Looks like windowsupdate is heavily slashdotted :-)
Microsoft intentionally extended the core API by introducing additional instructions to access the underlying Win32 operating system. Had they done this by providing a separate API, there would not have been any problems.
Unfortunately, Microsoft chose to take a different approach and introduced new operators into the core byte-code interpreted by the Virtual Machine. As these additional instructions were only valid within Microsoft's version, users were effectively left with no choice but to use the exact VM for which the code was compiled. This decision by Microsoft to modify the base instruction set of the Java language made it impossible to port code from one platform to another, thereby ensuring that users would have to remain on the Windows platform. In fact, Java programs compiled for MS's VM would not even work on the same OS if another vendor's VM was used to run it. This is why some applets wouldn't work with the JVM shipped with Netscape (which was Sun's JVM).
The instruction set supported by a Java VM is determined and maintained by Sun. In order to implement your own VM, you must agree to a license with Sun stating that you will not modify the core instruction set. In adding direct support for OS access (such as formatting a hard drive), Microsoft violated this license agreement. Microsoft also added their own keywords to the core language (delegate and multicast) which further ensured incompatibility.
The Java byte code is a single byte in size and, as a result, the Java VM spec supports up to 256 op codes. Not all of them are used, however. Out of those potential 256 opcodes, only 200 valid operators are specified. Opcode 186 is not used, opcode 201 is used for debugging, and codes 254 and 255 are used for trapping and tracing. The remaining opcodes are reserved for future use. Clearly, if a compiler introduces new opcodes, the other compilers won't know about them and won't be able to run programs built with those opcodes. This is in direct violation of the VM specification and is exactly what Microsoft did. This was the basis for the Sun v. Microsoft lawsuit, for which Microsoft was found in willful violation.
So, it would seem as if Microsoft did intentionally break their own version of Java.
If you still do not understand how Microsoft did this on purpose, I suggest that you take a look at the Java Virtual Machine Specification, as well as a nice book on general compiler theory.
Ryosen
One man's "Troll, +1" is another man's "Insightful, +1".
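The opcode-range point in the post above, as an added example (not code from the thread, the JVM specification or any vendor's VM): a scanner that walks a method's bytecode using the operand lengths from the JVM specification and flags any opcode number the specification does not define, which is what a conforming verifier must reject before it will run the code. The operand-length table is my own transcription of the spec, and the sample method bodies (including the non-standard opcode 203) are constructed here.

```python
# Added example: flag JVM opcodes the specification does not define.
# Per the JVM spec, 0x00..0xC9 are standard instructions; 0xCA (breakpoint)
# and 0xFE/0xFF (impdep1/impdep2) are reserved; 0xBA was unused in the spec
# of that era. Everything from 0xCB to 0xFD is undefined.
from typing import List, Tuple

# Operand byte counts (assumption: my transcription of the spec); opcodes
# absent from the table take no operands.
_OPERANDS = {16: 1, 17: 2, 18: 1, 19: 2, 20: 2, 132: 2, 169: 1, 185: 4,
             188: 1, 197: 3, 200: 4, 201: 4}
_OPERANDS.update({op: 1 for op in range(21, 26)})    # iload..aload
_OPERANDS.update({op: 1 for op in range(54, 59)})    # istore..astore
_OPERANDS.update({op: 2 for op in range(153, 169)})  # ifeq..jsr, 2-byte branch
_OPERANDS.update({op: 2 for op in (178, 179, 180, 181, 182, 183, 184,
                                   187, 189, 192, 193, 198, 199)})
RESERVED = {186, 202, 254, 255}

def _s4(code: bytes, i: int) -> int:
    return int.from_bytes(code[i:i + 4], "big", signed=True)

def scan(code: bytes) -> Tuple[List[int], List[Tuple[int, int]]]:
    """Return (offsets of accepted instructions, [(offset, opcode)] rejected).
    Scanning stops at the first bad opcode: its operand length is unknown,
    so nothing after it can be decoded reliably."""
    ok, bad, i = [], [], 0
    while i < len(code):
        op = code[i]
        if op in RESERVED or op > 201:
            bad.append((i, op))
            break
        if op in (170, 171):                 # tableswitch / lookupswitch
            j = (i + 4) & ~3                 # pad so operands are 4-byte aligned
            if op == 170:
                low, high = _s4(code, j + 4), _s4(code, j + 8)
                nxt = j + 12 + (high - low + 1) * 4
            else:
                nxt = j + 8 + _s4(code, j + 4) * 8
        elif op == 196:                      # wide: iinc form is 6 bytes, else 4
            nxt = i + (6 if i + 1 < len(code) and code[i + 1] == 132 else 4)
        else:
            nxt = i + 1 + _OPERANDS.get(op, 0)
        if nxt > len(code):                  # truncated instruction
            bad.append((i, op))
            break
        ok.append(i)
        i = nxt
    return ok, bad

def only_standard_opcodes(code: bytes) -> bool:
    return not scan(code)[1]

# Constructed sample: a counting loop (iconst_1, istore_1, iload_1, bipush 10,
# if_icmpge +9, iinc 1 1, goto -9, return) and a copy with opcode 203 inserted.
GOOD = bytes([4, 60, 27, 16, 10, 162, 0, 9, 132, 1, 1, 167, 255, 247, 177])
BAD = GOOD[:3] + bytes([203, 0]) + GOOD[3:]
```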
The Virtual Machine (VM) flaw is the most serious, meriting a "critical" rating from Microsoft.
This jumped off the page at me. Could someone explain the value of Microsoft's merits of their own flaws?
Speak truth to power.