Windows Vulnerabilities Revealed, Patched
Saint Aardvark writes "A big MS Windows remote vulnerability has just hit BugTraq. It concerns a buffer overflow in MS' DCOM, and affects Win2k through Server 2003; here's the security advisory from Microsoft. This is in addition to an earlier vulnerability concerning conversion from HTML to RTF - there's a separate security advisory from Microsoft for this one, and it affects Win98 and NT 4.0 through Server 2003. Patch early, patch often." There's also a CNET News story with a little more explanation on the newest vulnerability.
So much for homeland security ;)
... discloded after they got the Homeland security account. >_
You know it makes sense, a little reminder from jointm1k.
Such a common problem, that stack.
More info here, here and here. Here internetnews.com states that 3 vulnerabilities (not 2) were patched.
Here is the report from the people who found the vulnerabilities (or at least one of them) which includes a proof-of-concept paper and code.
Life isn't like a box of chocolates. It's more like a jar of jalapenos. What you do today, might burn your ass tomorrow.
Sounds like we'll have winnuke2003 sometime soon.
<disclaimer>I know that winnuke uses OOB data vs this which does something on the application layer.
-
ping -f 255.255.255.255 # if only
I'm just downloading the patch before reading the Slashdot story even. Microsoft's possibly getting better?
But if you keep port 135 open on your DMZ boxes, you deserve to be hanged with a piece of CAT-5 cable.
They hid this one until they patched it, but in light of the previous post about the US government relying so much on MS software, it makes me uneasy. This exploit let the attacker take control of the PC. Not good if you're running the bad guy database.
"A great democracy must be progressive or it will soon cease to be a great democracy." --Theodore Roosevelt
Can you hear me now?
Proof of concept? >:)
We just had a story about a security vulnerability in Windows!
Dragonfly BSD's corpse will crush it!
The guys that found this vulnerability have an amusing web site. It looks rather professional for the underground (?) community. I bet they wear white coats while they hack.
Article
So finally the first unpatchable bug for NT4 is here.
I know I'm not the only greyhat who smiled when they heard of the patching stop for NT4.
Aaaah, the joys of an unsupported, yet still heavily used platform.
Happy cracking y'all.
Why would anyone not block this port on their firewall? I've had it blocked for years. I think you can also find out people's shares with this port but am not 100% sure.
Blocking this port should be as common sense as password protecting shares.
It's a shame. I really like using windows, and I would like to patch my machine, but I don't trust Microsoft anymore. Their 'patches' come with new licensing terms and spyware. :(
Sent: Tuesday, January 15, 2002 5:22 PM
To: Microsoft and Subsidiaries: All FTE
Subject: Trustworthy computing
They are right to attribute such great importance to trustworthy systems -- and I do believe they are trying -- but 30,000,000 lines of code necessarily lead to opaque semantics. Good luck, MS, I think this will be one of many such deficiencies in Server 2003. Repeated claims of security and "trustworthiness" from their higher-ups will place the company in a boy-who-cried-wolf marketing scenario; at that point they're up a creek.
the answer is in the post
Why does MS come out with patches so often?
Probably similar reasons as to why Linux-contributors release patches so often.
Because software has bugs. That's what software is for.
Dacels Jewelers can't be trusted.
Too bad you installed an entirely NEW set of vulnerabilities!
Wholesome patch can be downloaded by ftp from your closest mirror: The Windows Fix
Not that any of your possibilities are necessarily wrong, but you left out the obvious. :)
4. Because Windows is a piece of shit.
SIGFEH
Thank you Microsoft. I was beginning to feel for a minute there that the security holes were becoming less and less frequent and that Windows might not be such a dangerous platform after all. I really thought that trustworthy computing was starting to live up to its name. I was sure that I was getting a sincere vibe from Redmond that ol' Stevie boy had really decided to make a genuine effort to not have his users' data be preyed upon by script kiddies and cracker freaks. I would like to express my deepest gratitude to you for shaking me out of this delusional reverie, bringing me back to reality, and reinforcing my intention never to use your operating system ever again.
-You may license this sig for only $6.99.
The only thing that works correctly in Windows ME has finally been discovered.
Why does the open source movement come out with patches so often?
1. Because they're all unemployed amateur hobbyists churning out sub-par code in the first place?
2. To appear to be constantly updating, because their products are so laughably inferior and dated.
3. Because they have no money to spend on testing.
How many major flaws can winOS's have? They know they can patch it to death and the weak outcry from the public fades in a couple days.
Since we have to pay out the ass for most of their software how about a rebate system for serious exploit/holes/flaws? I say for every exploit/hole/flaw found that can give the bad user on the other end total control of the box Microsoft should issue a "I'm Sorry" rebate check in the amount of $50 or an instore credit for some other piece of shit software they sell that I have no use for. They can afford to do this and it might make them go over the code a little better and possibly employ some people to try to hack the shit out of it to find the weaknesses. It always seems to be the same type of exploit just done in a different manner.
WTF do I know I'm just a customer...
You aren't free to do anything, until you've lost everything.
Oh, I dunno. I guess I just like the fact that I can play something other than TUX RACER on a WinBox. All joking aside, I've used both Linux and Windows, and if there were more native applications and driver support for Linux, I'd switch to it. So, like, go hound developers and stuff.
"Do not hold strong opinions about things you do not understand."
*News Flash!! A new vulnerability through buffer overflow has been found on computers. The new vulnerability does not appear to affect Unix, Linux, BSD, or Mac users. This of course only leaves very few commercial operating systems left, but we will not tell you right out which OS that this buffer overflow directly relates to. Thank you and have a nice day.
Much as I hate to give MS any ground on security, it does seem their lag time between vulnerabilities and patches is getting shorter recently. Amazing what some fear of competition will do :-)
....Reports confirm that the sun does, indeed, rise and set everyday.
....Reports show that tomorrow will be Thursday the 17th of July.
....Reports illustrate that humans need Oxygen to breathe.
....Reports describe that this is OLD Microsoft news and is something to be expected and is not front page news-worthy.
Creating brand new bugs with every "stable" Linux kernel release! Anyone even LOOK at the issues lists for releases or pay attention to the kernel mailing list? If the contents of those "documents" were made public, Linux would lose every corporate/government contract they had! The file system/hardware/security bugs that get INTRODUCED as well as patched with each version are frightening.
This article is so completely pot/kettle/black that most regulars here should be getting pretty tired of it by now.
goatse, GGNA, and now this clown. Getting harder and harder to browse at -1, damnit!
Take your hat off and deal: ALL (yes ALL) software has bugs, exploits or problems. Before you show your ignorance compare how many releases your favorite distro has had and compare it to MS. No I am not an MS zealot but dude, chill out and research. I really hope you do not have anything to do with ANY network I deal with.
I see this as a cross between trustworthy computing and homeland security. Now that the deal has been set, I figure there's not much else to be said there.
We now need to ensure that our homeland is trustworthy. Whether that means full disclosure and a decrease in FUD, I don't know. (political implications intended)
As for operating systems and security vulnerabilities, holding back information regarding possible security threats until they're fixed (knowingly exposing systems in the meantime) DEFINITELY isn't trustworthy.
"allow an attacker to take control of computers running any version of Windows except for Windows ME."
all you people who said i was stupid for running windows me, look who's laughing now!
No Borg icon? No wise cracks? What gives?
For all intensive purposes, "whom" is no longer a word. That begs the question, "who cares"?
Discloded? That sounds painful.
4) ????
5) PROFIT
Yeah, yeah we know, you can't configure any system you use. Everything takes 20 minutes to copy. This same post (different OS) keeps coming up and keeps its 0 rating.
Products Affected by This Update
http://www.microsoft.com/security/security_bulletins/ms03-023.asp
The following products require updating:
Microsoft Windows NT® 4.0
======================================
Writers get in shape by pumping irony.
Then again, the gap between responsible Redhat techs, and responsible Windows techs is still widening... Ease of use = ease of stupid.
Not that there can't be 2k&2k3 admins who patch frequently, but there's sure a lot more of em who just don't care or don't have time, whatever.
This is slightly off-topic, I apologise. I have several Windows machines (specifically, Win2k and several XP machines). They are all set to download updates automatically and notify me when they are ready to be installed. However, despite me clicking to install the patches, none of them ever do.
And when I go to windowsupdate.com and try that way, I see the updates and tell the system to go ahead. The updates are downloaded (though some are obviously already in the cache) and the install starts. Part way through, it aborts and I'm told none of the installs were successful and to try again.
Now, this worked in the past. I currently have 'only' 5 critical vulnerabilities to patch. But it's not working now. I've tried removing the download cache area and that didn't help. Is it really time to reformat?
Oceania has always been at war with Eastasia.
Given that no one else has this problem, you might consider that you or someone else hosed up that machine. I can cite an example where a version of OpenOffice when opening an MS Excel file crashed a Sun machine running Solaris such that it rebooted consistently. To fix the problem we had to install a new video card.
Because software has bugs. That's what software is for.
Hmm, and all this time I thought software was for doing work, silly me!
I stole this Sig
10) find big remote vulnerability in product
20) perfect the exploit
30) have fun with it for months
40) find another big hole in same product
50) perfect exploit for hole
60) alert vendor about original hole
70) have fun with new hole
80) goto 40
How many of those RedHat vulnerabilities were remotely exploitable (no client action needed)? How many of them were in the operating system instead of applications that you may or may not run on that operating system? My count shows RedHat up by one.
this guy deserves to have his karma set at -1, mod down plz
Debian issued security patches many times this month. What's so newsworthy about a MS bug?
Jonathan Frakes explores the seedy world of Windows Vulnerabilities, on Windows Vulnerabilities Revealed, Patched!
Tonight on Fox!
Remember Panama and/or Iraq?
We couldn't extradite Noriega so we invaded. What's to stop the US from just grabbing people?
Sure it would piss off governments but at the moment we don't seem to care too much about that.
In addition we can now class hackers as terrorists, and refuse to even admit they are in our custody.
Plus we can now hold them indefinitely or prosecute them via secret court proceedings.
Thus noone will ever know their fate......
Service guarantees Citizenship! Questions Guarantee GITMO.... Amerika Uber Alles!
Two patches that fix how many things again? Clumping all of your patches together and releasing them all at once doesn't mean your software is better than someone else's...but if everything is tied together it does make upgrading less buggy.
Is this bit o' news overblown? Probably. Will a lot of /.s generate a bunch of banner ad hits posting a lot of noise over it? Definitely. But your example does not compare apples to apples.
I don't want knowledge. I want certainty. - Law, David Bowie
https://rhn.redhat.com/errata/rh9-errata-security.html
33 patches and counting since March 31.
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/current.asp
18 patches and counting since March 31.
Nobody's immune. Even the BSD distros send out the occasional notice.
You can never go home again... but I guess you can shop there.
Please. Windows vulnerabilities are commonplace. We've all grown to know, love, and expect them. Like death and taxes, if you will. Are you shocked? Not me.
My problem? I was perfectly gruntled, until some numbnuts came by and dissed me.
Spoken like a true TacoBell lobby cleaner. Hey pal, you wouldn't know good code if it jumped up and bit you on the ass. Know why? It's 'cause you're a fucking idiot, understand? No, I'm sure you don't with that single digit IQ of yours.
From the article here
But four Polish researchers, known as the "Last Stage of Delirium Research Group," said they discovered how to bypass the additional protections Microsoft added, just three months after the software went on sale.
Even the Poles are able to exploit Windows now! What is the world coming to?
DISCLAIMER: I love Poles, I married one! I love the Polish jokes too!
Windows seems to have some security issues. Well, I'm sure that Microsoft fixed it.
You know, when Apple spots a vulnerability in OSX and updates fairly promptly (and this isn't exactly a rare occurrence), they're commended on their quick turnaround time for a patch. When Microsoft does the same thing, they're demonized as fixing Yet Another Bug(tm). Is it really impossible to give them credit where credit's due?
-- the opinions stated above aren't those of my employer. in fact, they're probably not even my own. you know what, ju
Could not check the MS one but I am guessing more than 3 of them were OS level patches since there were three just today.
Every one has security vulnerabilities but lets compare apples to apples here.
seSales, Point of Sale software for OS X.
Yes, I run Windows on my desktops. And yes, I've stopped patching. I refuse. What's installed is exactly what comes off the CD. Got a problem with that, Microsoft?
*hides*
" a critical security hole that could allow an attacker to take control of computers running any version of Windows except for Windows ME. "
So When will they upgrade Win ME ?
First, MS has its DRM defeated on yet-to-be released WM9 using its own freely available tools for developers. Now this . . . sheesh!
The patch for NT4 is here: http://microsoft.com/downloads/details.aspx?FamilyId=2CC66F4E-217E-4FA7-BDBF-DF77A0B9303F&displaylang=en
lsd-pl are the most elite motherfuckers in the world
Do you really want to bring apple into this?
"The software giant issued a patch Wednesday morning to plug a critical security hole that could allow an attacker to take control of computers running any version of Windows except for Windows ME."
Hell, even legitimate users of Windows ME can't take control of their computers...
You're new here, aren't you?
seSales, Point of Sale software for OS X.
... from them. They only said so. And obviously changed their mind.
As if hackers would want anything to do with ME.
Well, there's spam egg sausage and spam, that's not got much spam in it.
Buffer Overrun In RPC Interface Could Allow Code Execution
Security Update for Windows XP (823980)
Download size: 1.2 MB, ~ 1 minute
A security issue has been identified that could allow an attacker to remotely compromise a computer running Microsoft® Windows® and gain complete control over it. You can help protect your computer by installing this update from Microsoft. After you install this item, you may have to restart your computer.
Unchecked Buffer in Windows Shell Could Enable System Compromise
821557: Security Update (Windows XP)
Download size: 5.1 MB, ~ 1 minute
An identified security issue in Microsoft Windows could allow an attacker to compromise a Microsoft Windows-based system and then take a variety of actions. For example, an attacker could execute code on the system. By installing this update, you can help protect your computer. After you install this item, you may have to restart your computer.
Could someone get them a copy of Secure Programming and highlight all of chapter 6 Avoid Buffer Overflow.
Whenever the offence inspires less horror than the punishment, the rigour of penal law is obliged to give way...
P.S. I know enough about UNIX (but still not much) to know that I would switch to a *nix machine before I EVER went back to a windows machine.
The Cnet story mentions that a group of independent security consultants discovered the problem and worked with Microsoft to resolve it. Can this be interpreted to mean that they negotiated with Microsoft for financial compensation for resolution of the problem?
Does that mean that we now have a class of professionals who act as freelance quality assurance for popular commercial software? (Or less charitably as software kidnappers?)
RTFA.
Mod parent down.
What's wrong is it's 2003 and people are still writing software, in C, that does not check buffers.
Definitely. But your example does not compare apples to apples.
Even if we compared apples to apples, Linux would still lose.
Why does slashdot post this to the front page, but ignores all of the Linux vulnerabilities listed there? That is the question that you fear answering.
Yeah. What is wrong with my computer!!!!! I'm getting headaches from all this patching over and over and over and over and... Oh wait.., It's not my computer, it's my windows 98 that's sitting on my head.
Could not check the MS one but I am guessing more than 3 of them were OS level patches since there were three just today.
I don't see how, they all related to subsystems outside of the kernel.
I just patched my XP machine.
Now Norton fails on startup, and I can't seem to access System Restore to roll back my system to the point before the patch.
Thanks Microsoft....
Yes. Every program I run now and will ever want to run. ...and before you suggest it, The windows emulators for *nix are not the answer. I like my framerates, thankyouverymuch.
This is probably why my next box will be a WinBox, and this one will become a *nix server.
"Do not hold strong opinions about things you do not understand."
This is comparing Apples to Apples for the most part. Saying Apache doesn't count, but IIS does is not comparing correctly. One reason MS appears to have so many more bugs is that their OS includes a lot more components that are thought of as part of the OS. Whenever there is a problem with anything that ships with Windows, it is considered a Windows bug by most people. Yet when there is a Linux bug, people tend to say it's an X bug (be it Apache, or Sendmail, or FTP, etc).
"Information wants to be expensive" - Stewart Brand, the same guy who said "Information wants to be free"
Mod parent up!
I also updated NT4 just now. Right before I read about it on slashdot.
Shed a tear...
Does this mean it's not affected, or does it just mean that since Windows 98 is no longer supported they wouldn't make a patch anyway, so mentioning it would be moot?
Just wondering if I would need to upgrade some old PCs on my home network to be safe... Any idea?
"Shared pain is lessened; shared joy is increased. Thus we refute entropy" - Spider Robinson
I don't think you noticed that MS patches are only for Windows itself, Internet Explorer and Outlook while RH patches are for the whole system, which includes many window managers, browsers, and other software. So really you're trying to compare apples and oranges.
My good sir, of course this was for the backend and not for the desktop. In the future, kind anonymous gentleman, I ask that you prove your assertions. If you cannot do that, please do not participate in this educated discussion.
Yours,
A. Coward.
Which you counted as part of Red Hat...
Red Hat has _far_ more software bundled into it than any version of Windows... far many more lines of code...
Which was the point he was trying to make.
Alright, let's do it your way, take the ms bundled software patches and compare it with the linux equivalents patches, and then you also count the unpatched bugs. And then you'll see that comparing apples to apples isn't what was in the parent post in first place.
firebird. fucknut.
I agree. I subscribe to BugTraq and the ratio of free/opensource software submissions to proprietary software submissions is something on the order of 10:1. I have no problem telling people this because, if the same ratio were applied to units of time for a response and a fix, the inverse seems to be the case.
Of course all reasonably sophisticated software has bugs; it's an indisputable fact. The problem with proprietary software is that their business depends upon (downplaying|denying|obfuscating) this fundamental fact. It's like the caretakers of the Hoover Dam denying cracks that are pointed out by observant visitors because they're paid to keep it solid.
I have a theory about why free/opensource software gets fixed so much more quickly than most proprietary software: I think that when someone's reputation is on the line, they strive harder to fix their code but when their paycheck (and perhaps even future employment) is at stake, the same pressure doesn't exist because they are shielded from public scrutiny and are probably busy earning their paycheck writing more propietary code at the behest of their employer.
In other words, I think the actual programmers at companies like Microsoft are really talented, clever people but the business droids make them look bad. I have never met a real programmer that was able to look at code they wrote weeks/months/years ago and say "Wow, that is truly perfect." I doubt proprietary programmers at the bigger firms have the freedom to peruse and improve their code like those who do it for fun. And, since they're nameless and shielded, I suppose it would be easy to become complacent and shrug off all but the most serious complaints. So when it comes to Microsoft, I have some respect for their coders and reserve most of my vitriol for the people that manage them.
--K.
Sig: Bad people happen. Try to avoid being one of them.
If Microsoft release a patch it's them being sloppy and realizing there's a problem with xyz code. They will be patronized for not having the foresight to fix the problem 3 years ago even though an exploit is not written yet.
If Linux releases a patch it's them taking the initiative to fix a problem before it's a problem. This somehow makes Microsoft look bad in the eyes of a delusional *nix user. No one would ever think that a patch for a *nix OS was fixing a nasty exploit. It could never happen.
Welcome to the biased world of Slashdot.
I guess a fair breakdown would be:
1) vulns that can be exploited remotely
2) vulns that get you 0wn3d
3) vulns that get you DoS'ed
4) minor annoyances
Sure, a bug is a bug...but severity has to count. I doubt you'd disagree that a bug in XMMS's ability to play .ogg files shouldn't count the same as a bug that enables remote control of a SQL Server...or a Media Player buffer overrun that can allow code execution.
If your best argument to save face for MS is Redhat's General Advisories list, you truly are sad, pathetic and unejimacated!
douche.
Saying Apache doesn't count, but IIS does is not comparing correctly. One reason MS appears to have so many more bugs is that their OS includes a lot more components that are thought of as part of the OS.
Actually it is comparing correctly because of the way the different systems are architected.
Apache is usually run in userland with limited privileges on a Unix machine while IIS.sys is a kernel mode device driver on a Windows machine. The result is a compromise in IIS presents a system wide security issue while a similar security issue in Apache only represents a user level security issue.
This sort of thing is very common in comparing Windows vs Unix/Linux security. The Windows code runs with admin level access or as part of the kernel, while the Linux application runs with much more restricted access.
If they stalled announcing this for a while, that would likely be the number 1 reason -- to give us a reason to buy a newer version of their faulty products. If anyone comes up with a patch, let us know. Of course, copyright owner has absolute control of modifications to his work, so it would be illegal to distribute a patch without their consent. Jeez.
It'd be easy to denigrate Microsoft for all of the security announcements they've had, but it really does seem like positive fruit of their new focus on security in their products. The more of these things Microsoft catches and fixes, the happier I am.
- jon
Ganymede, a GPL'ed metadirectory for UNIX
Responsibility has nothing to do with the OS itself. Attention to detail is something born within you and will never improve based on your job function.
The problem is most Windows admins make less than half of a Unix admin. This is feeding from the bottom of the pool so no shit they aren't going to patch their systems. If you aren't getting paid they won't care. They get fired and you hire another worthless bum who just joined the IT industry because they heard it pays well! The problem isn't windows or redhat. It's the dedication to your job to do the right thing!
it already is the 17th of July, you insensitive clod!
I think it's obvious that people should sign up for official email notifications from the OS vendor of the latest patches and updates or at least monitor the OS update site at least three-four times per week. I think people will be surprised how many people need to update their OS for security reasons because they haven't bothered to check for such updates on a regular basis.
This news item on the same Slashdot page as the news on M$ and Homeland Security. I'm glad I don't live in the US.
[Windows]18 patches and counting since March 31
This actually worries me.. about Linux. Not only did MS have fewer patches, but there's more people trying to break MS than Linux out there. Even if one only considers the OS ones, and assumes that all of MS's are OS patches (doubtful) and only 3 of the RedHat ones are OS patches, we still need 6X more people looking for MS holes than Linux ones. That still seems too low a ratio to me.. but what do I know... maybe even the bad guys are switching to Linux :-)
Welcome to the net of 1000 lies. Upgrades are scheduled soon that should bring us to the 10,000 lies mark.
No, beat them with the CAT-5 o' nine tails instead!
I checked my incoming logs and am already seeing quite a few more tickles at port 135 than usual. Where from, you ask? Somewhere in China mostly.. IPs in the range 218.15.192.xxx coming from somewhere beyond blahblah.gd.cn.net. Here's one of the IPs (it's a phony drug sales place) 218.15.192.84... nice little e-com site :)
Ugh, isn't the net fun?
StrategyTalk.com, PC Game Forums
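The log check the post above describes, as an added example that is not part of the original comment: count inbound TCP/135 (RPC endpoint mapper) connection attempts per source and collapse them into /24 ranges so a scanning block stands out. The log lines are constructed here in a netfilter/syslog-like layout for illustration (the 218.15.192.x addresses echo the post; the others are documentation ranges), and the field names and threshold are assumptions, not anything from the original page or a real firewall.

```python
"""Count inbound TCP/135 probes per source in a firewall log (added example)."""
import re
from collections import Counter
from ipaddress import ip_network

# Constructed sample log lines (not real traffic); layout is netfilter-style
# syslog with SRC=, DST=, PROTO=, SPT=, DPT= fields. Field names are assumed.
SAMPLE_LOG = """\
Jul 17 01:02:03 gw kernel: IN=eth0 OUT= SRC=218.15.192.84 DST=10.0.0.5 PROTO=TCP SPT=4021 DPT=135 SYN
Jul 17 01:02:04 gw kernel: IN=eth0 OUT= SRC=218.15.192.84 DST=10.0.0.5 PROTO=TCP SPT=4022 DPT=135 SYN
Jul 17 01:02:09 gw kernel: IN=eth0 OUT= SRC=218.15.192.90 DST=10.0.0.5 PROTO=TCP SPT=3301 DPT=135 SYN
Jul 17 01:03:15 gw kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=10.0.0.5 PROTO=TCP SPT=51000 DPT=80 SYN
Jul 17 01:04:00 gw kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=10.0.0.5 PROTO=TCP SPT=51001 DPT=135 SYN
Jul 17 01:04:30 gw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=10.0.0.5 PROTO=UDP SPT=53 DPT=135
"""

# Pull source address, protocol and destination port out of one log line.
LINE_RE = re.compile(
    r"SRC=(?P<src>[\d.]+) .*?PROTO=(?P<proto>\w+) .*?DPT=(?P<dpt>\d+)"
)


def count_rpc_probes(log_text, port=135, proto="TCP"):
    """Return a Counter of source IP -> inbound attempts to port/proto.

    Lines that do not parse, or that hit another port or protocol, are skipped,
    so the UDP line in the sample is not counted.
    """
    hits = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        if m.group("proto") == proto and int(m.group("dpt")) == port:
            hits[m.group("src")] += 1
    return hits


def summarize_by_prefix(hits, prefixlen=24):
    """Collapse per-host counts into per-/prefixlen counts to spot scanning ranges."""
    nets = Counter()
    for src, n in hits.items():
        net = ip_network(f"{src}/{prefixlen}", strict=False)
        nets[str(net)] += n
    return nets


def noisy_sources(hits, threshold=2):
    """Sources with at least `threshold` attempts, most active first (threshold is an assumption)."""
    return [(src, n) for src, n in hits.most_common() if n >= threshold]


if __name__ == "__main__":
    hits = count_rpc_probes(SAMPLE_LOG)
    for src, n in noisy_sources(hits):
        print(f"{src}: {n} attempts on TCP/135")
    for net, n in summarize_by_prefix(hits).most_common():
        print(f"{net}: {n} attempts")
```

Feed it a real log file instead of SAMPLE_LOG and the per-/24 view is the one worth watching: a handful of hosts in one range hammering 135 is the pattern the post is reporting.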
I would have thought best practice would have been not to use Windows?
Nerd: Derogatory term typically directed at anybody with a lower Slashdot ID than you.
The news.com article had one interesting quote that is different than the usual "time-to-patch-again" article, from Jeff Jones at MS:
"It was primarily a process issue," he said. "We will be updating our automated scanning tool to make sure this type of issue is detected in the future."
Last week, there were two patches released - both termed "buffer overruns". Nice semantics, because it's not made clear whether one could call this a buffer overflow, or an UNDERflow. It was just two weeks ago when the details about getting Linux to run on the XBox were released, and how the buffer underflow trick was used. Makes me wonder if MS took notice of that trick, and is now busy scanning the rest of their code looking for underflows, as opposed to the overflows they've already had their automated tools earmarking?
DING DING DING
It's because MS has shown in the past that they would rather have security through obscurity, and have intentionally not released information about existing vulnerabilities to the general public. While some would say that this prevents hackers from using the exploit, most here would say it prevents administrators from protecting themselves from the few smart hackers that already know about the exploit. Do we really know how long MS has known about this bug? They could have released information saying "Hey, block port 135 on all machines until we finish working on a patch". But they didn't. And this is a bug that has been in their OS's since NT! It would be equivalent to finding a bug in Linux that has been around since the 1.0 days.
Linux has a history of being VERY open about their problems. They practically advertise them! This allows users of Linux to know exactly where there are problems and what to avoid.
Space for rent, inquire within
hahahaha! it seems, 'pal', you wouldn't know a good troll if it jumped up and bit you on the ass. because it just did. go back to cleaning taco bell lobbies or doing whatever the fuck you were rabbiting on about. fucking loser.
"A heap-based buffer overflow in Netscape and Mozilla allows remote attackers to execute arbitrary code via a jar: URL referencing a malformed .jar file, which overflows a buffer during decompression. This issue affects versions Mozilla packages for Red Hat Linux 7.1, 7.2, 7.3, and 8.0."
There were updates for nfs-util, VNC, Ethereal, WindowMaker, and Gnome released earlier this month as well. It seems ironic that the Microsoft alerts generate news but other software does not.
MS has had the DRM defeated on yet-to-be released WM9 using its own freely available tools for developers. Just a few days ago, too.
More patches doesn't necessarily mean more bugs, but means more bugs that are fixed.
One reason MS appears to have so many more bugs is that their OS includes a lot more components that are thought of as part of the OS.
That's the biggest load of hooey I've ever heard.
First of all, it is easily demonstrable that any open source distro has more reported bugs than MS Windows. This is for a number of reasons:
1. A Linux distro comes with so much more than a windows install does (windows comes with IE, linux comes with mozilla, galeon, konqueror; linux comes with koffice, abiword, openoffice, windows doesn't; etc etc etc. There's a reason that debian is 8+ CDs and Windows is 1 CD).
2. The whole bit about the code being open and easier to scrutinize, thus easier to find and report the existing bugs. The openness also makes it easier to fix the bugs.
Like the BIND patch. Lest you forget, there was one a year ago that affected all versions. Somehow, despite the fact that it is open source, very old, very widely used and reviewed, a bug still managed to slip through.
When you must expose software to an infinently unknown amount of combinations (of OS, software, hardware but most important user input), you just cannot gaurentee that there will be no unexpected results. The biggest problem is the vairablity of user input. People will try and use things in unexpected, unapproved and malicious ways. Well, when this happens, it is possable an unforseen problem will crop up, despite your best efforts to prevent it.
What I find funny is how outraged people get about this in the computer world, when it is so prevalent elsewhere, with much higher stakes. For example: It is a known flaw with basically every consumer automobile that high speed impacts will result in severe injury or death of the operator. Now, this is an unintended method of operation, you aren't SUPPOSED to slam into a brick wall doing 80, but it is a KNOWN problem, and remains unfixed. Further, they could fix, or at least improve, the problem in a large way. The first step would be to install an 8-point racing harness. Those little shoulder strap belts just don't cut it, you need to belt yourself in tighter and have more points of contact to dissipate the force over a larger area. Then there is the car itself. It needs a much better frame and much better break away points, as seen in race cars. Finally, there is other safety gear such as a helmet. Well, as race cars demonstrate, these do work. They make extremely high speed collisions, generally with only minor injuries to the driver.
So, why don't we have this? Two big reasons: Cost and inconvenience. Building a car to race car specs is EXPENSIVE, and not just because the engine is high performance. That frame is NOT cheap. Then there are other safety measures that are a huge pain in the ass. An 8-point harness is an ordeal to get in and out of and no one wants to wear a helmet inside a car. Thus, we consider it acceptable to allow the flaw to exist since it is one resultant of behaviour that should not happen.
This is also akin to the computer situation in that we could drastically increase reliability, but only by sacrificing cost and convenience. The cost would come from needing a verified design. Things would move slowly because each part would need to be extensively tested to ensure there were no problems. This applies to hardware and software. Kiss the $1000 computer goodbye and figure on $10,000 or up. Then there is the inconvenience. They can't have you fiddling with this verified design, so you are going to be able to run only the apps they have preapproved on the hardware they preapprove.
Unless you are willing to accept that (and people do make systems like that, contact IBM) then unforeseen bugs and exploits WILL happen. And please don't act like it doesn't happen to OSS, go read SANS or Security Focus some time. There are more than plenty of exploits for both closed and open software.
There's a major difference here: two of the three vulnerabilities were in 2000 and NT as well as 2003. As long as NT4 has been around (since '96 IIRC) people are still finding bugs in it. They clearly know the software is crap, but they're still making new operating systems based on said crap, i.e. "Built on NT Technology".
Sounds kinda familiar actually:
"Listen, lad. I built this kingdom up from nothing. When I started here, all there was was swamp. Other kings said I was daft to build a castle on a swamp, but I built it all the same, just to show 'em. It sank into the swamp. So, I built a second one. That sank into the swamp. So, I built a third one. That burned down, fell over, then sank into the swamp, but the fourth one... stayed up! And that's what you're gonna get, lad: the strongest castle in these lands!"
Yes, my only tool is a hammer. And you're starting to look like a nail.
My friends tell me, "a win2k/XP can stay up as long as a linux box." I told them, "only if you don't patch it." This is the 3rd time in the last 2 weeks I think I've brought down my windows boxes to patch critical vulnerabilities.
I do security
Why does MS come out with patches so often?
Seriously, because:
1) University Grad students think that Microsoft security problems are good Thesis topics.
2) It is the most prevalent OS on desktop machines, so it gets more attention.
3) Unlike other software vendors, they actually fix issues and distribute the patches instead of forcing customers to sign an NDA to get the known flaw in their enterprise class machine fixed (SUN).
4) They create complex software to provide the user with a better experience, but complex software is hard to test.
And we'll keep seeing more. Film at 11:00
It's not a bug, it's a feature!
"Windows Vulnerabilities Revealed, Patched"
With M$ handling 'Homeland Security (tm)' this latest newsflash
gives me a warm, fuzzy feeling, knowing that M$ is protecting me from
evil terrorist by keeping the super-duper Windows based,
global spy computers up-to-date and all patched up...
(lays head on pillow and closes eyes in peaceful bliss)
"The announcement came one day after the Department of Homeland Security announced that it awarded a five-year, $90-million contract for Microsoft to supply all its most important desktop and server software for about 140,000 computers inside the new federal agency."
http://www.sfgate.com/cgi-bin/article.cgi?file=/news/archive/2003/07/16/national1725EDT0732.DTL
that last quote is on the bottom..
Robert
Okay let's do a side-by-side comparison, show its Linux analog and see if your argument holds water:
MS03-028 : Flaw in ISA Server Error Pages Could Allow Cross-Site Scripting Attack (816456)
ISA Server is like Squid. Not OS level.
MS03-027 : Unchecked Buffer in Windows Shell Could Enable System Compromise (821557)
OS Level, WinXP SP1 only.
MS03-026 : Buffer Overrun In RPC Interface Could Allow Code Execution (823980)
OS Level.
MS03-025 : Flaw in Windows Message Handling through Utility Manager Could Enable Privilege Elevation (822679) Not OS Level. Must be running the program locally to exploit.
MS03-024 : Buffer Overrun in Windows Could Lead to Data Corruption (817606)
OS Level. Windows Server 2003 not affected. You must be authenticated by the server to exploit this.
Side note: "Microsoft thanks Jeremy Allison and Andrew Tridgell, Samba Team for reporting this issue to us and working with us to protect customers." Holy crap did I just read that?
MS03-023 : Buffer Overrun In HTML Converter Could Allow Code Execution (823559) Yes. See below about gtkhtml.
MS03-022 : Flaw in ISAPI Extension for Windows Media Services Could Cause Code Execution (822343) Not OS level. The flaw is actually in an IIS ISAPI DLL (think "Apache module" or CGI script) that's used for multicast logging.
MS03-021 : Flaw In Windows Media Player May Allow Media Library Access (819639) Not OS level.
MS03-020 : Cumulative Patch for Internet Explorer (818529) Nope.
MS03-019 : Flaw in ISAPI extension for Windows Media Services could cause denial of service (817772) Nope.
MS03-018 : Cumulative Patch for Internet Information Service (811114) No.
MS03-017 : Flaw in Windows Media Player Skins Downloading Could Allow Code Execution (817787) Nope
Now let's look at the Redhat one:
2003-07-14 RHSA-2003:206 Updated nfs-utils packages fix denial of service vulnerability
Could be considered OS level just like SMB is on Windows.
2003-07-03 RHSA-2003:203 Updated Ethereal packages fix security issues No.
2003-07-02 RHSA-2003:204 Updated PHP packages are now available No.
2003-07-01 RHSA-2003:199 Updated unzip packages fix trojan vulnerability I'm gonna say no.
2003-06-25 RHSA-2003:173 Updated ypserv packages fix a denial of service vulnerability DEFINITELY OS LEVEL.
2003-06-18 RHSA-2003:196 Updated Xpdf packages fix security vulnerability No.
2003-06-03 RHSA-2003:047 Updated kon2 packages fix buffer overflow No.
2003-06-03 RHSA-2003:187 Updated 2.4 kernel fixes vulnerabilities and driver bugs Yes.
2003-05-30 RHSA-2003:181 Updated ghostscript packages fix vulnerability No.
2003-05-28 RHSA-2003:186 Updated httpd packages fix Apache security vulnerabilities No.
2003-05-27 RHSA-2003:171 Updated CUPS packages fix denial of service attack Yes, CUPS is the print spooler.
2003-05-20 RHSA-2003:175 Updated gnupg packages fix validation bug No.
2003-05-16 RHSA-2003:169 Updated lv packages fix vulnerability No.
2003-05-15 RHSA-2003:174 Updated tcpdump packages fix privilege dropping error No.
2003-05-14 RHSA-2003:172 Updated 2.4 kernel fixes security vulnerabilities and various bugs Yes.
2003-05-13 RHSA-2003:160 Updated xinetd packages fix a denial-of-service attack and other bugs
Uh, yeah, xinetd is providing necessary services to every linux box.
2003-05-12 RHSA-2003:002 Updated KDE packages fix security issues
If the Windows Shell is OS level, this is OS level too.
2003-05-02 RHSA-2003:093 Updated MySQL packages fix vulnerabilities No
2003-04-24 RHSA-2003:112 Updated squirrelmail packages fix cross-site scripting vulnerabilities No.
2003-04-24 RHSA-2003:142 Updated LPRn
1. A Linux distro comes with so much more than a windows install does (windows comes with IE, linux comes with mozilla, galeon, konqueror; linux comes with koffice, abiword, openoffice, windows doesn't; etc etc etc. There's a reason that debian is 8+ CDs and Windows is 1 CD).
You are correct, but when was the last time you heard someone refer to a Mozilla bug as a Linux bug? If there is a bug in IE, it is usually considered a windows bug (even ones where you must be actively running and surfing with IE). No one ever says "there is a bug in IE, but that shouldn't count against windows", whereas every Mozilla bug is counted as completely separate from a Linux bug. A true comparison would be to take everything that comes with windows and compare it to the most popular version of the same app that runs on Linux. That means Windows would include IIS, IE, mail, ftp, etc, but that Linux would also include Apache, Mozilla, Sendmail, ftp, etc. That would be a fair comparison. To compare every app that comes with Windows versus only the base Linux install isn't a fair comparison at all.
"Information wants to be expensive" - Stewart Brand, the same guy who said "Information wants to be free"
Not that this is big news, but apparently you can't access Windows Update if you're using Mozilla Firebird like me... Back to IE...
"Luck is the residue of design" -- Branch Rickey
windows comes with IE, linux comes with mozilla, galeon, konqueror; linux comes with koffice, abiword, openoffice, windows doesn't; etc etc etc
Yeah, it's a shame isn't it? What a mess.
The whole bit about the code being open and easier to scrutinize, thus easier to find and report the existing bugs. The openness also makes it easier to fix the bugs
This is completely theoretical and doesn't actually make tiddly-squat difference in reality.
Since I use Linux and apparently many others here too, wouldn't stories about critical Linux bugs be nice to have? Last time I ran up2date I had 10 patched applications to download but I don't know how severe they were or if I really needed to bother.
'Same speed C but faster'
Doing a quick scan through /. just to see what's up...
Windows vulnerability... Yadda Yadda Yadda... I better do my laptop because I need it hang it behind someone else's firewall. Okay, nothing really new. I keep a minimal install on my laptop for just such occasions - there really isn't much (other than the data) that can get buggered by adding the patch anyhow.
So since I'm on a patching spree anyhow, I might as well check my Mandrake box.
"The list of updates is void. This means that there is either no available update for the packages installed on your computer, or you already installed all of them."
WTF??
C'mon, Mandrake... Throw me a few bugs here!
Seriously, I EXPECT to have a bunch of small updates from Mandrake and to have few and far between major updates for my Windows systems.. I'm most disappointed with this ratio today...
(sigh)
Posted from the only computer that isn't rebooting.
- Zarquil
If your car had a 30% chance of bursting into flames while you were driving it, would you rather know about it now or wait for the recall?
Knowing about a problem even if no solution exists allows you to take measures, like perhaps blocking outside access on certain ports for some time or filtering traffic in specific ways.
Information always beats no information when you are trying to keep something secure.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
Oh wait! This week's security flaw arrived a day early.
I had my Outlook Calendar set to sync on the Windows patches, now tomorrow's schedule will be all messed up. I wonder if I can convince my boss that tomorrow is really Friday?
The real hypocrisy is the fact that what made the 'richest man in the world' has a proven track record of being the 'world's lousiest software products', over and over and over. Then they tell us their market dominance came thru 'free consumer choice' and not pc monopoly leveraging, illegal bundling, tying and overbearing anticompetitive terms with pc vendors.
Yeah, right.
About all those consumers stuck in the Windows trap, it's like a customer told me once about a deal gone sour: "I didn't buy it, you sold it to me".
try { do() || do_not(); } catch (JediException err) { yoda(err); }
Yes, this is /.
Yes, hardly anyone here likes MS and people here love to bash MS whenever they can.
That's fine with me. But almost all software has bugs, and in particular bugs that could be exploited to breach the security of the program. Just because MS has a bug in the RPC code doesn't mean that no one should use their software, or in particular the federal gov't should not.
If this same criterion were required of any software the gov't bought, they would have NO software. Linux is not bug free. Software written for Linux is not bug free. The main difference is, Windows is a much bigger target of attack by every hacker and "security group" in the world because it is the most popular operating system in the world. How would any Linux distribution fare if it and its components were used as widely as Windows, and people spent hours every day _trying_ to pass garbage strings of data to all of its external functions in order to find a buffer overrun? I bet it wouldn't do so hot either, and even if it didn't, that doesn't mean that no one should buy that Linux distribution, does it?
PROGRAMS HAVE BUGS. And the more complex the programs, the more they interact with other components, often in ways the original programmers never thought of _or intended_, the more likely bugs will be found. My opinion is, taking cheap shots at MS is easy, but writing good code yourself is hard. We're all human beings here, and the developers who work on Linux and open source programs are no smarter than most who work at MS. People make mistakes. Sometimes people don't think about every possible bogus string parameter someone could pass in just to screw up their program. Most of the time the bugs I find in my and others' code are from components trying to _correctly_ use our code!
Flamebait, troll, whatever. Just because you don't like MS for all the /. reasons doesn't justify what you say.
Peace,
Devin
You are correct, but when was the last time you heard someone refer to a Mozilla bug as a Linux bug? If there is a bug in IE, it is usually considered a windows bug
Yes, because MS stated, under oath, that IE is part of the OS. Why shouldn't the bugs count towards Windows?
If there's a critical bug in Mozilla, I can easily strip it out. Now try the same with IE.
If you put the computer with Windows 2k on it, in a box, turned it on, and closed up and sealed the box while the bios was turned on, would you have two computers in the box, one running, one BSODed? Too bad the working one would not get anything done, it doesn't have any applications on it.
-Rusty
You never know...
but whose fault is that? microsoft designed their systems that way, and should be held accountable for the problems caused by their designs
Too predictable - NT 4.0 Workstation went off support June 30th, now there is a super-critical bug that they must have known before then, with no update for NT 4.0 Workstation. I guess everyone will just upgrade to Windows XP now...
OK, never mind - the NT 4.0 Server patch does support NT 4.0 Workstation. I guess MS is not absolutely as evil as they could be...
Wow. There's something entrancing about that post, and it makes me afraid. So tedious, so horribly wrong, so sad. Somewhat like counting the angels dancing on the head of a pin, where "angel" is defined as anything with more than one wing, and "on" is defined as "within one wingspan of". By which I mean you add pointless complications to an already complicated, and ultimately meaningless question.
It's like the poetry Vogon robots would write, if the Vogons made robots that could write poetry.
Exactly what I'm saying. If it's an IE bug, it's a Windows bug. If it's a Mozilla bug, it's a Mozilla bug.
I find it incredible that this 'vulnerability' has existed for so long without anyone noticing it sooner. Maybe someone has and kept quiet... It is when issues like these arise that you have to go through your firewall logs and account for every single byte of information that has gone in and out of any network you maintain if there is a Windows machine within it.
At home, I have one machine in the house which the kids use to play games on that still runs XP. After this latest "REVELATION" I think I will move them now to linux or FreeBSD. Anyone know where I can purchase some Linux kiddy games?
At work, well I guess I'm going to be busy going through more logs.
If software were properly engineered, it would have far less 'bugs'. You don't see any other discipline like this. An engineer doesn't build a bridge/airplane/car/elevator/building any which way and then say "let's see how it works!" Oops, fell apart...repeat. No, they understand materials science, they do preliminary designs/tests/models, they analyze their design, they make sure their calculations are correct, and THEN they build. Computer programmers today do it as a totally backwards clusterfuck. It doesn't help that the tools they use are not properly engineered either (libraries, etc).
I'm still running Windows 95.
"Sometimes a woman is a kind of religion, she can save your soul & set you free from all your sins" - Bad Examples
I've been seeing overflows run against port 135 on my home network for awhile now. Typically, these requests seem to come from Korea. Fortunately, my pc never had that port open anyway, and port 135 is Samba on my mac, but that is not affected by this exploit, though linux had a samba BO exploit a couple months back as I recall.
So, it may be very possible this sploit has been around for some time now.
It only affect you if you are using IE or Outlook, and it can be easily stopped without patching by renaming a file, HTML32.CNV.
You might lose some functionality.. like looking at RTF's with the browser, or moving text into frontpage.
I run Mozilla, and don't use frontpage, so I renamed the file and did not patch.
"He's lost in a 'floyd hole"
So how is this any better than telnet? I think I'll just stick with SSH.
There is one big difference worth noting, and that is that the Apple hole was a flaw in the screensaver subsystem, which required physical access to exploit(at which point, you should be remembering that a computer is done for if you have physical access anyhow). This flaw on the other hand is a remote exploit, which makes it far easier to exploit than a local exploit, and can be used at any time(versus only when the screensaver is on). I still think we're a bit hard on MS, but something like this should be patched ASAP, even a day is too late.
Bill Gates is not Locutus of Borg. He is Q! All KNOWING ALL SEEING!! BOW DOWN BEFORE HIM.
Note: I'm referring to the old Q... BEFORE the whole Janeway/Voyager incident...
Microsoft's knowledgebase mentions the dcomcnfg.exe utility that lets you turn on and off DCOM. Is there any reason why a regular home user would need DCOM enabled? Are there any other similar services that would be better turned off?
Hmm, and all this time I thought software was for doing work, silly me! ... Says the man on Slashdot ...
You aren't fooling anybody.
Dacels Jewelers can't be trusted.
"We will be updating our automated scanning tool to make sure this type of issue is detected in the future."
Number 3 of Deming's 14 Points for Quality: "Quality is built/designed, not tested into a product."
Were some MicroSoftians sleeping in class?
http://www.umanitoba.ca/campus/ist/security/scty_info/desktop/windows/NT4_default_shares_off.reg
http://www.lbl.gov/ICSD/Security/systems/windows.html
That's not a bug. As long as DirectX still works, there's no reason to suspect the patch worked incorrectly.
-Lux
Wonder how much coincidence there is in MS waiting to release this information till after they made their deal?
How many of those are OS level?
Well, I don't know about you, but if one of my machines was rooted because of an unpatched vulnerability, I really wouldn't care at what level the vulnerability was - OS or application, the result is the same.
Furthermore, if a Linux distributor packages an application with their distro, then to my mind, they are responsible for it. If RedHat's apache has a remote root exploit, that's RedHat's look-out, just as for IIS and Microsoft. They have access to the source, they have had ample opportunity to audit it. By including the application, that implies they are happy with it.
Don't think that's fair? Think that there's too much stuff in the average distro to be able to check it all? Well, then, include less stuff - get it down to the point where you *can* check it all.
It's official. Most of you are morons.
You are correct, but when was the last time you heard someone refer to a Mozilla bug as a Linux bug? If there is a bug in IE, it is usually considered a windows bug (even ones where you must be actively running and surfing with IE).
.haeger
Ok. As soon as You show me how to remove IE from Windows altogether as I can do with Mozilla on a Linux box I'll agree with You.
A bug in IE is a windows bug since there is no way to remove IE (I don't count win98lite) while a bug in Mozilla is a bug in Mozilla.
Choices You know...
You are not entitled to your opinion. You are entitled to your informed opinion. -- Harlan Ellison
Back when our little organization had a Windows 2000 server (a couple years ago) I quickly realized that leaving the server unattended for a week was hazardous... some major exploit would undoubtedly be discovered.
:)
We replaced it and are quite happy now. We don't pay anything for our new OS, and I go away for months and nothing bad happens
There are more posts here than I can count (at +5, no less) ranting on about how since there have been bugs in open source software (including recent severe ones like BIND), Microsoft is no worse than the rest. Bullshit. The current vulnerability is (stay with me, now) a remote root exploit in a component that can not be removed and thus is installed on every machine in the world that's running a vulnerable OS and that can't be disabled without rendering the machine worthless. When was the last time anybody but Microsoft had a bug that fit those three categories? Personally, I can't think of one. Does this mean open source software doesn't suck? Nope. Does it mean it doesn't have security problems? Nope. Does it mean Microsoft screwed the pooch? Yep.
And using their free Security Update notification, I usually get about 4 or 5 package updates every couple of weeks...
Just letting you know. =)
Karma: Non-Heinous
I have the automatic notification of updates turned on in my Win2K box, and have already downloaded and installed the patch.
You're just angry because your Amiga died, dude.
Please go away. Linux doesn't need a 'First, hate Microsoft' contingent.
OK script kiddies, fire up your right click and Save As because I've got the batch file with the hacks! 0-day sploit
Hey, I get them sent to me all the time! Complete with patch executable. What service! Although I previously didn't know Microsoft was based in Uzbekistan.
Whilst I agree with you in principle, If we properly designed,checked,tested etc we'd be where NASA is now with their shuttles - using 5 programs on 70's era computers.
Those 5 programs would be the most robust, fail-safe programs money could buy, but they'd be the *only* ones you could get too, and they'd probably have all the functionality (and speed) of Pong.
(Please, pedants - spare me the gory details of NASA shuttle design - it's just an Arbitrary Example To Help Prove My Point)
You are in a twisty maze of processor lines, all alike.
There is a lot of hype here.
They say they will wait a week to install the patch in all the servers. Meantime, the servers can be hacked at any moment... but apparently, if IT doesn't care, why should I care, being a developer?... :/
phaze3000 straight up knocked his ass out. Game, set, MIZ-ATCH!
Or, as the FPS playerz like to say,
gg
Film at 10.
Plus when you build a bridge, you overdesign by a factor of 5. This lets bridges not fall down when the strength of a few rivets is an SD on the weak side, or somehow the entire bridge gets filled with overloaded semis in bumper to bumper traffic, both ways.
Leaving aside software for a moment, in computer hardware, you'd need not only ECC RAM, but three sets that voted. Probably the same for each computation (hmm, Space Shuttle...)
Another factor is that people are likely to die if a bridge or building collapses. Your blood pressure might go up during a BSOD, but it's not likely to cause a death directly.
Ever notice how software licenses specifically prohibit life support use?
Point is, RedHat's apache CAN NOT have a remote root exploit because RedHat's apache is not running as root.
Of course they are responsible for software they package, but most of non-OS level software do not need to run with total control of host machine, like majority of microsoft programs seem to do.
So yes, I'd say its a fair to not compare, full "root" exploit on windows and someone getting hold of "apache" account on rh are way different on potential damage and other implications.
How many times does this have to happen before someone at MS realizes that there is a serious deficiency in their designs?
A large number of the vulnerabilities in Windows have been due to "buffer overrun". Isn't it time to fix this? Yeah, it's just stupid programming, but it happens a lot! Isn't it time to fix the underlying design so that stupid programmers can NOT cause vulnerabilities?
Linux/Unix/BSD has also suffered from this: a large number of vulnerabilities have been due to buffer overruns, also. There are specific groups doing something about it (STFW yourself, I gotta get back to work).
The point is this: there are known solutions to this specific problem and MS, if truly serious about security, should have made this a non-issue in Win2003, XP, etc.
Now, this in no way fixes ALL of MS's problems. Many, many, many of them have to do with underlying design philosophies and implementation. There are many other things they will have to do to make Windows what I would consider secure, but this is the place to start!
Take your sorry butt to another thread and start over.
I was just reading an old article about how the millenium foot bridge in London was found to be "wobbly", and they had to engineer a very expensive retro-fit to make it safe.
My other car is a 1984 Nark Avenger.
Apache only represents a user level security issue.
This is entirely true, but if we are talking about a machine which is a web server and only a web server, the kernel/userland issue is moot.
If a bank robber gets into the vault, what the hell does it matter that the restrooms are still secure?
Erik
Haven't many of the recent patches applied to InternetExploiter as? In the past MS has said that a web browser is an essential part of the operating system. Do these count as kernel patches or not?
Is this a rhetorical question?
The MS TechNet Article lists the patch URL you provide above as being for NT 4 Server.
In fact, the TechNet article specifically does not list a link for NT 4 Client. Now, it may be that the NT 4 Server patch works on a client machine. I have no idea.
Posting without reading yeah?
It's here: http://www.microsoft.com/technet/treeview/?url=/technet/security/bulletin/MS03-026.asp.
Actually, I think you are the one who didn't read.
The MS Technet article you link to has this to say about affected systems:
Affected Software:
Microsoft Windows NT® 4.0
Microsoft Windows NT 4.0 Terminal Services Edition
Microsoft Windows 2000
Microsoft Windows XP
Microsoft Windows Server(TM) 2003
Not Affected Software:
Microsoft Windows Millennium Edition
And here is the list of available patches:
Patch availability
Download locations for this patch
Windows NT 4.0 Server
Windows NT 4.0 Terminal Server Edition
Windows 2000
Windows XP 32 bit Edition
Windows XP 64 bit Edition
Windows Server 2003 32 bit Edition
Windows Server 2003 64 bit Edition
Note the lack of a link for an actual PATCH instead of simply a notation in the TechNet article that NT 4 is affected. I think you are correct that the parent did not read the TechNet article, because if they had, they would probably have taken the time to clear up this confusion. I think that you did read it because you caught what you thought was a mistaken post by the parent. I just think that you didn't read it closely enough.
Now, it may actually be that MS has an NT 4 client patch, but they don't list/link to it from their Technet article. It may be that the NT 4 server patch works on NT 4 client, but I do not see anything in the TechNet article that indicates that.
That's just what Ford got lambasted for on the explorer dragging their feet on notifying users they might just be flipping with no cause.
Just because that's what each industry normally does is not a reason to support the practice. Once more, if there is going to be a problem I want to know about it as soon as possible so I can take steps to mitigate risk.
Companies are reluctant to divulge such information because they worry it makes them look bad. But that's protecting the company, not the consumer. Since I am a consumer I would naturally wish for the behaviour that best suits my needs - I can't make Ford divulge known issues with cars before they are ready but I CAN subscribe to security alerts and get inside scoops on software security issues. That's why my stance is to release information as soon as something is found, any other behaviour is simply irresponsible.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
Maybe you're a little off the mark, eh? I mean, when they started out they had 0% of the market. They have since climbed to 10%, later 50%, all the way up until they had a monopoly. You can't abuse monopoly powers until you have them, so 'free consumer choice' was exactly what got them to the top. So maybe, just maybe, you have a major bias against them, and it's not that they produce the worst software?
nope. Software is for playing Games.
If a bank robber gets into the vault, what the hell does it matter that the restrooms are still secure?
It's a big difference. The apache machine will not become an owned slave doing DDOS attacks, or start port scanning the rest of your DMZ, and if you are careful you won't even get your site defaced. About all the attackers can do is shut your web server down.
I'm talking about the case where Ford KNOWS that the car will explode if you lean the seat all the way back - in the case of computers, there is no "maybe" about a vulnerability, if a computer is vulnerable then there is an obligation to reveal those details as soon as possible.
If Ford knew something real was up and held back, they would be subject to a class-action suit.
"There is more worth loving than we have strength to love." - Brian Jay Stanley