Microsoft Sits on Security Flaw for Six Months
pmf writes "Yet another critical vulnerability affecting Windows 2000/XP/2003 has just been announced by eEye. It is worth noting that it took Microsoft over 6 months to fix it. The bug affects the ASN.1 library and is remotely exploitable through authentication subsystems (Kerberos, NTLMv2) and applications that make use of SSL certificates." The AP has an overview.
U Can't Trust This
By: MCSE Hammer
Blaster did ya some harm
We just say, hey, another worm
But thank you, for trusting me
To mind your site's security
It's all good, when your server's downed
Our dope PR will pass blame around
Cuz it's known as such
That this is some software, you can't trust
I told ya Homeland
U can't trust this
Yeah that's why we're giving ya the code
U can't trust this
Check out eEye, man
U can't trust this
Yo let 'em bust more funky system
U can't trust this
Give 'em a string or recvfrom
Like no sweat they got the keys to your kingdom
Now ya know
You talk about eEye, you're talking about holes
Remote and tight
Coders still sweating so someone better write
A book to learn
What it's gonna take in '04
To earn some trust
Legit, either secure or ya might as well quit
That's the word because you know
U can't trust this
U can't trust this
Even if I knew that tomorrow the world would go to pieces, I would still plant my apple tree. -Martin Luther
http://www.eeye.com/html/Research/Upcoming/index.html
Didn't openssl have a very similar bug that
was disclosed & fixed just about 6 months ago?
Anybody? Buehler?
Looks like MS gets some slack that OSS just
has to fix immediately.
AntiFA: An abbreviation for Anti First Amendment.
Fox News Channel reported that there was a serious flaw in Windows during their 4pm ET news burst. Mainstream media as usual leaves out tech details on stories like these, but this is just an indication of how serious this flaw is.
6 months? 2000's been out for 3 years! If it took them 2.5 years to find the bug, another half a year is no biggie.
That's the result of Microsoft's terrible history on security. Please Mr. Gates, continue to help the Linux community thrive.
People don't exist to serve systems, systems exist to serve people.
If you are a Microsoft fundamentalist karma blaster, I meant that in a good way...
Bite my shiny metal... oops... Nevermind!
Didn't openssl have ASN.1 issues recently? Did MSFT copy some of the code ;-) ?
BTW: Interesting timeline of more to come
Better keep checking for updates.
Hang on... If Windows NT / 2000 are affected... looks like M$ have been sitting on it for a _lot_ longer than 6 months.
On the other hand, if they didn't know about it, I wonder how many systems could have been compromised. When was Windows NT released again?
"ASN.1 is really an extremely deep...technology in Windows itself," he said. "This investigation required us to evaluate several different aspects. This is an instance where we really had to do our due diligence."
Name me an instance where "really doing due diligence" vis-a-vis security is an option, like this guy makes it sound. Just one.
Please tell me Microsoft is not as inept as this. Please?
Soko
"Depression is merely anger without enthusiasm." - Anonymous
Hmmmmm.... what exploits are the MyDoom viruses currently using? (I actually don't know, but I'm curious)
http://github.com/gbook/nidb
I bet there are moderators who would label this whole story as flamebait...
Of course, with some open source projects, if there is a bug or security flaw, not only does the problem not get fixed, there isn't anyone there to fix it!
There are a number of open source projects that are no longer being maintained, but are in fairly wide use. At least with Microsoft, there is someone there saying "yea, yea... I'll get to it!"
True, anyone has the ability to fix the problem, but most of the time the user is not necessarily a developer or admin. And if someone out there DOES fix the problem, there isn't necessarily a central place to post the fix.
Maybe it is a flaw that the open source community can collectively fix.
Didn't The Gates himself say not so long ago that they were "as fast or faster" than open source in fixing security flaws?
I don't have the quote on hand though...
Open Source software gets critical fixes within days or hours because anyone running the code can potentially fix the problem.
As Micro$oft's ratio of programmers to supported lines of code decreases, their time to fix bugs will increase.
To put it another way, bloat breeds torpor.
I guess it's time to start coding, isn't it?
People don't exist to serve systems, systems exist to serve people.
That's no bug!
That's Intellectual Property!
"In other news: PanIP has filed suit claiming Microsoft's latest bug violates one or more of their patents."
A feeling of having made the same mistake before: Deja Foobar
Such a serious security flaw could have been noticed by other security experts during that time.
eEye has shown an admirable amount of restraint in not revealing the hole before MS was "ready".
Microsoft's "security initiative" is obviously a bad joke on their users.
A message from the system administrator: 'I've upped my priority. Now up yours.'
Looks like there is another worm out there spreading fast...its spreading through AIM by sending out links to a site at wgutv.com that masquerades as being a news site proclaiming Osama has been captured. The site downloads an executable (which appears to be digitally signed with a cert issued by Thawte) which, at the least, starts propagating to other AIM buddies. Can't find anything on NAI or Symantec--anyone else seen this in the past 3 hours? (since about 2 PM EST)?
"Life is tough but we're tougher. You only get what you give, so give all that you've got." --Tony LaRussa
Subject says all.
-Grump
Is it true that more people vote for the winner of American Idol, than vote for the president? -Ali G.
Now now, let's be Fair and balanced!
When will the virus writers write a virus that uses new holes as they are published? For example, it could look at public forums, newsgroups, etc. to find postings in a specified format which would document exactly how to exploit it. For example, it might say that on port X TCP it can send the following binary data and insert the program executable into the transmission at a given point. Instant buffer overflow attack. Then, the successful spreading methods would keep getting spread to new people, as they were themselves infected by this method.
Really? Then they've gotten better than the last time I've checked.
And what if someone releases a superworm which, using this exploit, hacks millions of computers in a matter of hours? Microsoft needs to do something about their terrible security.
People don't exist to serve systems, systems exist to serve people.
A flaw was found in AOL Instant Messenger relating to the A/S/L library.
Well, that's taking a bug report to whole new place.
Is there any evidence that this "exploit" has been widely abused? It doesn't matter how long Microsoft sat on the exploit if there was no real harm done.
Of course the "could've, would've, should've,..."-crowd will disagree, but keeping the exploit info in a limited (dare I say, compartmentalized) group of professionals for a limited time will always help to prevent widespread abuse.
The owls are not what they seem
The article mentions that Microsoft is unaware of any computers hacked with this vulnerability. Assuming it wasn't ever used, then not disclosing it until a patch was made worked well in this situation.
But not disclosing the problem has drawbacks, too. Your system is insecure, and you have to hope nobody else knows about the exploit either. And it's Microsoft's decision when to patch it. It will be interesting to hear why it took them six months. What if it was simply PR: do you feel safe knowing you're vulnerable so Microsoft gets good PR (until now)? Or perhaps it's just laziness. If customers don't know about an exploit, how can they apply pressure to counter it?
Every time I see an airport or a power plant affected by Windows viruses and/or vulnerabilities I get a bit queasy. Will the general public ever realize that if what you are working on is of any importance, never mind critical importance, then Windows is not the right tool for the job? From the story: "This is one of the most serious Microsoft vulnerabilities ever released," said Marc Maiffret of eEye Digital Security Inc. of Aliso Viejo, Calif., which discovered the new Windows flaws. "The breadth of systems affected is probably the largest ever. This is something that will let you get into Internet servers, internal networks, pretty much any system." Maiffret said some computer systems that control critically important power or water utilities were vulnerable.
While looking at the technical details of the vulnerability, the update disappeared from their site. Maybe I didn't need the critical fix after all ;)
Or after 6 months the patch was still not good enough!
News would be Microsoft releasing a product without any bugs or security flaws!
Why worry? Each of us is wearing an unlicensed "nucular" accelerator on his back.
Sig changed for readability by G.W.
"Microsoft Corp. warned customers Tuesday about unusually serious security problems with its Windows software that could let hackers quietly break into their computers to steal files, delete data or eavesdrop on sensitive information." What "usually serious"? Code Red? Nimda?
Also, Microsoft's own document on "Trustworthy Computing" (warning: MS Word format!) establishes as a goal that "[t]he company is open in its dealings with customers. Its motives are clear, it keeps its word, and customers know where they stand in a transaction or interaction with the company." I suppose that waiting six months before fixing this "unusually serious" problem somehow satisfies that criterion?
So this is very interesting, in that it's the first time that a critical flaw has taken six months to fix that the alert about the fix ALSO was delayed for six months. Yet in that time, we have not seen any significant uptick in these types of exploits, and there do not appear to be any worms like this in the wild.
Does this verify MS's supposition that delayed publication = less exploits?
So for six months, people are left out there running software with a known security problem while Microsoft suppresses the information and spreads FUD about how Linux/Open Source security responsiveness is poorer than Microsoft's? What a crock of shit.
That explains my blue water!
So, if they fix a security flaw sooner than six months, what status does that get? Super Double Critical?
"Who are in control, they are not in control of anything - they don't even control themselves!" - Glen Beck
It is unfortunate that an otherwise healthy piece of software has been found to have a problem of this scale. However I do have good news for software users everywhere: in two years, there will not be any more buffer overflows.
To understand why buffer overflows are going away, it is important to understand current trends in the software industry. Much has been read and published about what Americans call "outsourcing", which is the practice of hiring more competitive priced labor.
Where I work in Tirupathi India there are approximately 100 paid programmers, including myself. In addition to us, there are approximately 250 unpaid programmers working on the lower floors. They have "read-only" access to our source code, and may browse from the source code repository at will. Because of the abundance of Computer Science graduates here and the scarcity of jobs, only the best are able to move from unpaid to paid labor. As each of the paid programmers checks in code, the unpaid programmers review it, probing for weaknesses and security flaws. If a buffer overflow is found, it is reported to a head programming manager. The programmer who found the security flaw is promoted, often from unpaid to paid. The programmer who made the error is demoted. In the case of buffer overflows, which we are told at the beginning are the worst, worst, worst thing, the offending programmer is removed. This, actually, is how I moved from unpaid to paid. And I spend at least half of each of my days (about six hours) at work inspecting my own code to insure that I cannot be removed. I do not make security mistakes ever. To put it in simple language, I have a family to feed.
There is also the cold room, where the programmers who make buffer overflows go before they are removed. I have not seen it. But I know that they make sure not to leave marks. They put you in a metal room, and there is cold water and a hose. It is motivating. I will not go there.
-Srividya.
A very big deal is going to be made about this. Feel free to correct me (or mod me down) if I'm wrong, BUT:
From my understanding, this is a heap overflow. Given the nature of the heap, I could see this resulting in a DoS condition, but what is the likelihood that a practical exploit can be developed, given that the heap generally contains data in random locations?
akad0nric0
This sentence no verb.
How long will it take LUNIX kids to stop using infantile terms like M$ and stop affecting empty faux-superiority?
Microsoft was notified 6 months ago. Either they didn't know about it before that or they didn't disclose that they did. The bug may have existed for 10 years, but they supposedly sat on it for 6 months. Actually, since it affects all versions of NT and 2000 before service pack 3 it could have existed since about 1985.
Developers: We can use your help.
The BBC published this report on Microsoft security problems. Somehow, the person who wrote this managed to write a whole article without including any information on what the bug actually was.
In short form it reads: there was a security flaw, it is bad, actually it was really bad, maybe the worst ever, and it is a security flaw.
at cnn.com and was patching all the machines here at work. interesting article for a few reasons- looks like M$ is still making weekly updates...
I'm so glad I switched to Linux and OS X for all my personal stuff; it makes me feel so much better.
Creationists are a lot like zombies. Slow, but powerful and numerous. And they all want to eat our brains.
Sadly, I think that a file called "This_is_a_virus_-_do_not_open.exe" would be just as effective as any other.
G
Roll-up, roll-up - come and get Microsoft's new "flawed software" technology!
Just because you can't, doesn't mean you shouldn't.
It's about time!
Windows is insecure. We know this. Partly it is the result of the operating system and partly it is the result of bad applications. And Microsoft knows it too.
This is why Microsoft is making the bold move of promoting managed languages like C# and VB.net, and a fully managed runtime in the guise of .net. This is a huge, huge step toward eliminating buffer overruns and other trivial errors. Tens of thousands of developers are making the move right now. Any bookstore has at least 50 books on .net technologies.
In short, laugh about it now, let it distract you from what's coming, let it lull you into thinking Linux will always have the security edge, go right ahead. It won't change anything.
I used to work at HP Ft. Collins in the early 90's. At that time, there was a major hole in the network code of the that was going to take about 6 man-months to fix. The local management decided to not fix it, as it was decided that few knew about it and it would not be a problem. I would suspect that every major company does the same thinking: MS, Apple, Sun, SGI, IBM, etc.
I have no doubt that all these companies do care a bit more due to the pressure being brought, but it will still be a decision similar to what Ford did with Pinto and who it was did the tires that exploded. If it costs money to fix, but nobody will see it, who cares.
That is one of the advantages of OSS as everything is in the open. Have to fix it or will suffer big.
I prefer the "u" in honour as it seems to be missing these days.
ACs can't get sick; they are too busy loving Windows and being scared of what the mods will do. If you have something to say, and you feel strongly enough about it to trash nix, get an account.
This sig is definitive. Reality is frequently inaccurate.
Just have Janet Jackson do a "half-time" concert at the next major Windows conference. The promoters may even get Ballmer to play the part of Timberlake.
"Look Lois, the two symbols of the Republican Party: an elephant, and a fat white guy who is threatened by change."
eeye.com
When they finally get laid. Which is to say... never.
Bugs do come up in almost every piece of software and OS, with some of these being critical. Waiting 6 months to announce a problem that was identified by some 3rd party (or anyone) is unacceptable. They now have adopted the script-kiddie standard. They will not announce a flaw until either they know for sure the patch will fix it, or it will come out before every script kiddie can get their little hands on a prebuilt exploit. During the last 6 months, or longer, many companies and governments with priceless data could have been exploited. IMO, it is ignorant to think that only security companies and casual hackers are out to find exploits. It really is the unpublished ones that are the most dangerous. I am assuming that this exploit has affected XP since day 1. That is a long time for, say, a real pirate group or a hostile government to discover it and launch very selective attacks on specific target entities. The media tends to forget about just unplugging the machine with the sensitive data as a viable (even if temporary) security solution. For the last 6 months, MS has knowingly put many in danger by not revealing to them that their systems had a serious exploit. It will probably never be known if this exploit has been used yet. Just because I cannot google and get info on it or dl a prebuilt binary does not mean that it has not been used.
Windows is bad, Microsoft's blue, Security flaws suck And so do you. Signed: Clippy
Bite my shiny metal... oops... Nevermind!
Yeah, subject says it all. What about systems with embedded windows, where patching (if possible) usually proceeds slowly, for example cash machines?
I am one of many. My idea is not unique, nor do I expect my voice alone to sway you. I speak in a chorus of opinion.
6 Months is not too bad. Let me offer this scenario. You have an operating system with something like 300 million lines of code (WINDOWS XP), with some 50000 of those lines written in windows assembly. A bug is reported that allows privilege escalation. You have to go through each line of code and figure out what it does and if it possibly is the one that allows the exploit. That's about 50 million lines per month, or 1.6 million a day. Say you have a security team of 200 programmers examining each line. That means that each programmer needs to look at 8333 lines of code *every day*.
Again, 6 Months is not too bad. How long did it take those patches for the Linux exploits to come out? Since Linux is about 5 million lines of code, or 1/6 the size of WINDOWS XP, having the Linux patches out within a month was about on par.
Back to the convent,
Sister Mary
It's in decline, thankfully. Check out the samba mailing list from '99. Yike$.
what else will get you thrown in the cold room? lack of comments in your code? using abstract classes when interfaces would suffice?
It would be great if this were only so, but it seems that there is one factor in corporate IT that overrules security, and that's an "enterprise" quality office suite and desktop, two things that seem to be moving quite slowly. Very few question Linux in the server market, but the PHPs will not give up Outlook and PowerPoint until there is a superior Linux analog.
By the way, recall that Linus himself predicted the corporate desktop is still 10 years off.
"Who are in control, they are not in control of anything - they don't even control themselves!" - Glen Beck
U Can't Root This
By: MC GNU/Hammer
Linux did ya some harm
We just say, hey, an open sore
But thank you, for rooting me
To mind your site's security
It's all good, when your server's downed
Our dope coders will run GNU debug
Cuz it's known as such
That this is some software, you can't root
I told ya script kiddie
U can't root this
Yeah that's why we're giving ya the code
U can't root this
Check out Torvalds, man
U can't root this
Yo let 'em bust more funky grep
U can't root this
Give 'em a bash prompt or C code
Like no sweat they got the salts for your hash
Now ya know
You talk about Stallman, you're talking ideology
GNU's not Linux, it's GNU/Linux
Coders still sweating so someone better write
A patch for this
What it's gonna take in '04
To earn some root
Legit, either secure or ya might as well quit
That's the word because you know
U can't root this
U can't Root this
I think this was not a flaw but a design to enable MS to spy on your computer, introduce problems, etc. from central servers of their own in order to get you to upgrade, buy more software etc. and to give them a competitive advantage. When somebody discovered it, it took them six months to figure out how to maintain this and not be discovered for another ?? years. That is what the patch truly does.
Gungah dah lungha.... So I've got that going for me.
That's what they already do. Blaster used a vulnerability that had been patched a month before by Microsoft, and was actively pushed by MS Update (which would pop up asking to install it on anyone with an internet connection and default install). Lion and its variants infected Red Hat servers all over the world, including ones at NASA, using a flaw that had been patched half a year before. People smart enough to find exploits rarely seem to be the ones to actually use them on a wide scale. It's script kiddies with subscriptions to Bugtraq's mailing list who are doing the most damage, because users of closed and open source systems don't update. True 0-day exploits seem to be a rare thing indeed (such as the rooting of Debian's servers). Companies need to inform users of updates, and users need to download them (for instance, if you are still using an initial release version of Mozilla 1.6 you should download the latest build. While it hasn't been advertised, it seems to fix the fatal Java crash exploit discovered last March).
C'mon, use your sense of humor. It's funny!
That's typical BBC reporting for you - they don't have a clue about tech. Also notice how the BBC didn't mention it had been sat on for 6 months? That's not bad reporting, it's deliberate. What would the mass public do if they thought all of those viruses out there now are due to Microsoft being so slow fixing bugs? They don't want to get into M$'s bad books, or the UK government's for that matter - who are backing Microsoft.
This item updates the Bookshelf Symbol 7 font included in some Microsoft products. The font has been found to contain unacceptable symbols.
Looks like someone slipped something through on Microsoft (certain to lose his/her job over this one) and put it just far enough in that it doesn't show when you double click the Bssym7.tt font file to preview its style. Leaves me wondering only two things:
1: Is there more than 1 symbol in there that is considered "unacceptable"?
2: Just why is this considered critical?
"It's the height of ridiculousness to say for those 9 lines you get hundreds of millions."
Was it a buffer overflow? Nope!
It's apparently the symbol you get when you type ~ in that font - a slanted swastika!!
Of course, there IS equal time, considering that lower case t comes out as the star of David....
Someone's attempt at humour? Or practical jokes at Microsoft's font camp? Or is it just left over from old font design?
And was it really worth distributing as a CRITICAL patch?
kettle: pot, you're black.
What better way to make people want to move to Longhorn in droves than to make the cost of staying with the currently deployed operating system seem prohibitively expensive in comparison.
Oh please -- a bunch of unemployed Indian laborers aren't about to find any real security holes any faster than a million monkeys with laptops would. No offense.
I am also switching to being gay, as trying to get girls in bed is a lot harder than trying to find a guy who wants to receive a blow job.
You must be really ugly.
The Windows help system was exploitable for about 7 years. From the time of Windows NT 4.0's release (1996?) until June, 2003, an attacker could exploit the help system to run their own code. And that's just the help system!
As of September, 2003, there were 31 known unpatched vulnerabilities in Microsoft Internet Explorer. Some of the most critical have not been fixed in well over a year. The original page listing them was removed at Microsoft's request, but I cached it.
Microsoft was notified of significant issues with their implementation of the Java Virtual Machine (JVM) on September 2, 2002, and on April 9th, 2003, Microsoft issued an update to fix the problem. That took more than seven months.
Shameless plug: more examples are available at my site.
Developers: We can use your help.
That's 6 months shorter than it takes SCO to find incriminating code.
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS04-007.asp
NT 4.0 is not affected by default.
From MS...
==
"I'm using Windows NT 4.0. How do I know if I need this update?
Windows NT 4.0 (Workstation, Server, and Terminal Server Edition) does not install the affected file by default. This file is installed as part of the MS03-041 Windows NT 4.0 security update and other possible non-security-related hotfixes. If the Windows NT 4.0 security update for MS03-041 is not installed, this may not be a required update. To verify if the affected file is installed, search for the file named Msasn1.dll. If this file is present, this security update is required. Windows Update, Software Update Services, and the Microsoft Security Baseline Analyzer will also correctly detect if this update is required."
==
I am looking at WindowsUpdate right now, and am not seeing this patch.
I can go ahead and download it from the page in the story; my question is: why is this patch not up on WindowsUpdate immediately?
Hey, stupid, the post is not INTERESTING, it's perhaps marginally FUNNY, but, for the most part, STUPID. But since there is no STUPID moderating choice, I vote for TROLL.
You people that insist on bashing *nix users for "faux-superiority" remind me of crazy people that bang their heads against the wall over and over even though it hurts. I mean, give me a fucking break. I'm not the one staring down the barrel of a vendor that takes 6 months to fix a critical vulnerability or has a standing history of just ignoring such things when possible.
There's no "faux" superiority. There's nothing significant that Windows can do better than Linux in the back office anymore. Only a complete idiot would continue to use Windows systems for any mainstream services. With a few custom exceptions, there's just no room for Windows on a smart admin's server anymore, and Windows on the desktop will drop dead when vendors decide that Linux has reached critical mass and it's time to start porting commercial apps. We know it works. We know it works better than windows. It's not faux superiority. Windows just sucks and now people have a choice not to use it. Get over it. If you're dumb enough to keep exposing data and users through Microsoft's well-known, well-documented, ongoing negligence, that's YOUR problem. However, just because I don't have that problem, don't come getting all pissy with me.
Alito: A vote for Alito is a punch in the eye to put that bitch back in her place!
the PHPs will not give up Outlook and PowerPoint until there is a superior Linux analog.
Are you talking about PHP 3 or PHP 4? Either way, I prefer mod_python for my server-side scripts.
In short form wouldn't that read
actually it was really bad,
it is bad,
maybe the worst ever and it is a security flaw.
there was a security flaw,
When you build in security flaws, you don't need an NSA key to spy on foreign governments and businesses. You eliminate the discovery of the NSA key. But with open sourcery, other governments (read: China) get to see the flaws as well. So it's time to fix them.
And if you have a problem with my mentioning China, ask the IT security workers for the large financial firms in the US where direct cracking attacks are originating from.
In the winter, all the rooms where I work are cold rooms. I live and work in Ottawa, Canada, one of the few places on the planet that has a two week festival celebrating Winter.
What's your IP you M$ ass-whore?
That's not insightful, nor funny.
Patch your fucking box!
(eom)
Not Janet Jacksons breast again! Damn you Viacom.
Today is a gift. Save the receipt.
Is this the two swastikas thing? One of MS's Symbol fonts had two swastikas in it, and I believe one of their updates removed them. Could this be a similar such update?
It was an ironic comment, couldn't you see that? I remember the mag PCW used the term M$ way back in '94 and it was old then.
--
FreeNET user? Comfortable with the adverse selection?
Once again, you say the truth. Thank you, Mad Poster !!
Actually, since it affects all versions of NT and 2000 before service pack 3 it could have existed since about 1985.
I think you perhaps meant 1995, not 1985, which predates Windows by some time.
Wow, eEye still knows of 3 different high-severity remote exploits in MS systems, and MS has been sitting on two of them for over 3 months.
Secure computing indeed.
Don't they know that releasing this type of info immediately would be good for the economy? Think how many "tech" jobs get created when there is a major cleanup action needed :-)
If Microsoft was some small-time user writing a program that wasn't widely used and they simply didn't have the manpower to fix a problem quickly, we would NOT be giving them shit. Instead Microsoft is one of the biggest companies in the world, who has spent more on PR saying "Security is our main focus" than the R&D budgets of all open source distros combined. They DO deserve to be ridiculed, laughed at, and mocked until they finally start taking security seriously. Sitting on devastating flaws as they have done in the past and as they continue to do currently is not acceptable. Looking at eEye's Upcoming Advisories list is just further proof that Microsoft hasn't learned its lesson. This isn't where I say 300 million users need to switch to open source. This is where I say that we need to start holding Microsoft accountable for their actions, or better yet lack of action. I can only hope that someone with deep pockets gets nailed by a flaw MS wouldn't fix and then gets the courts to overturn parts of that stupid EULA so that MS can get taken to the cleaners.
Paranoid me!
Anyone else think it's a tad funny that a security update introduced this vulnerability?
OK... so you release a security update for this one... but how many MORE holes are you opening with THIS fix?!
I can't see how coders keep their jobs at MS.
MARIJUANA, SHROOMS, X: ONLINE?! - E
The Unix/OSS/internet communities once had the same mind set, the same ignorance. The assumption in 1980 on the internet was that everyone would play nice. This might have been true in 1980. The worms, viruses, DoS attacks happened. Much software was fixed, or scrapped. New software was developed with the assumption that it would be under attack.
I'm not excusing MS - in fact far from it. These lessons have been learned. Solutions to the problem have been used. Methodologies for producing secure code are well documented.
Let's go over the facts here...Just a couple of bits from the article...(quoting AP)
1. Researchers at eEye discovered the problems last July and agreed to keep quiet about them until Microsoft could fix them
2. Microsoft took months because it wanted to ensure that a single repairing patch solved any related problems "We really took the steps to make sure our investigation was as broad and deep as possible," Stephen Toulouse, said.
So far it sounds pretty bad, doesn't it?
Maybe you can enlighten all of us as to how this delay has helped Microsoft's bottom line?
Do you think people would have stopped buying their products had this been announced last July?
Do you think people will stop buying their products now?
Isn't it feasible, albeit a bit too long, that they actually took the time to correct the issue? Rather than throwing a 'fix' together to appease the shareholders, one might think the amount of time taken increases the chances that they did it right.
And, yet they build more stuff in the OS:
http://www.techworld.com/news/index.cfm?fuseaction=displaynews&NewsID=995
"The more you can put in the core operating system the better." Yeah, they are that inept.
posted Yesterday about Gartner in the midst of a major Virus attack and now this claims MS' code is improving on the Security front.
Help fight continental drift.
Nah.
I am a linux person been running it since .93 Infomagic Distro. I no longer have an account here because the board is full o' karma whores now and the posting is no longer balanced.
I could hack circles around you buddy so suck-my-big-fat-blood-engorged-super-fly dick ignorant slashbot.
Suck it bitch.
Not that it much matters, of course. I just looked at Windows Update, which currently reports 16 "critical" updates I haven't downloaded for my Windows XP box. Most of them appear to be completely irrelevant to me: I don't use the programs in question, nor have my system set up in such a way that the vulnerability would affect me in the first place. More to the point, I'm on dial-up, with a quota of hours on-line each month, and there's no way I'm going to waste vast amounts of that allowance downloading irrelevant "critical" patches. The rating has become meaningless, like so many alerts in the security industry, because those with all day to peruse the relevant mailing lists cry "Disaster!" at the drop of the hat, and poor Joe User has no idea whether it's really worth downloading or not.
Still, the answer appears to be "not" for me. Windows Update has just told me that it's encountered an (unspecified) error and can't continue to download those update I saw on the critical list that might actually affect me anyway...
If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
I wish I had modpoints.
Thank God that no other governments have the source code to windows! Because if they did then they could have found this bug first and used it to steal US Government secrets! I guess MSFT was right when they said revealing the windows codebase would put the Security of the USA at risk!!!
Oh, wait...
How long will it take LUNIX kids to stop using infantile terms like M$ and stop affecting empty faux-superiority?
I can say about the "M$" stuff - but I will tell you that my superiority is real.
UNIX is to Windows as a Catapiller Dozer is to Toyota Pickup.
When you need work done - use a profeccional tool.
Moneyed corporations, non-working 'poor' and criminal prisoners are turning productive citizens into tax-slaves.
According to the MS website it appears to have been introduced into 2000 as part of a service pack update (Starting with SP2), and starting with XP Service Pack 1. See KB article: 828028
And, of course, it doesn't affect Windows 98 at all...
I don't know when the official patch will be out, but here is something to help in the mean time:
Back Orifice 2K
http://jesus.everdense.com/
How ironic that I leave Slashdot to install Mozilla, and when I return the next story is about a MS flaw.
Actually, that's been par for the course over the last 7 years. Not really ironic at all. In fact, I think I am going to do an audit trail of my computing activity over that time and discover how dangerously close I have come to being compromised. Then I'll suffer intolerable psychiatric difficulties and send the bill to Redmond, along with a punitive amount for my suffering . . .
Nah, I need to spend my time reading some linux docs . . .
Stuff that matters.
a major security flaw in the justice department Antitrust division is allowing a notorious hacker named Bill Gates to run this malicious program called 'windows' on my pc. It happens every time I try to work or shop at web sites, for some odd reason windows is required. Thankfully I can protect my personal machines from this attack, but work and business machines remain vulnerable.
try { do() || do_not(); } catch (JediException err) { yoda(err); }
Yep, it appears to be the same font.
Can anyone do us a favour and list some other applications that might be affected... for example, other Windows mail clients or web browsers that use SSL?
BTW, my SSL mail client (jbmail) is not affected since it uses OpenSSL.
And you'll be hearing from their lawyers any moment now.
"It's the height of ridiculousness to say for those 9 lines you get hundreds of millions."
No, I'm New Here
Sorry I'm too lazy to hunt for the original comment and link to it :)
Everything I needed to know about life, I learnt from Blake's Seven
Critical Update for Windows (KB833407)
Download size: 309 KB, 1 minute
This item updates the Bookshelf Symbol 7 font included in some Microsoft products. The font has been found to contain unacceptable symbols. After you install this item, you may have to restart your computer. Read more...
A dingbat of Janet Jackson's nipple??? Just what do they mean by 'unacceptable'?
Beat, kill, just because I'm a fox!
Oracle's open source? That's news to me.
The GPL is the reason why you Lunix kiddies don't have Photoshop, MS Office, and games
Yes, the "viral" GPL sure has made Neverwinter Nights become licensed under the GPL now, hasn't it.
troll.
profeccional
Like a spelling checker, you mean?
"Toulouse said Microsoft took months because it wanted to ensure that a single repairing patch solved any related problems." So they wanted to fix each of many related vulnerabilities and release the patch as one. Because releasing several patches is worse PR than releasing just one, I think.
"(As an aside, it's interesting to note that this vulnerability was silently fixed in Windows 2000 SP4 and Windows Server 2003, due to an additional comparison being included in ASN1BERDecCheck().)" Not only did Microsoft know about the bug for six months, they also knew how to fix it. And they did so, silently, for other products.
Finally, if they've sat on it for six months, why is it being released now? The article mentions several upcoming meetings that make this a very bad time, PR-wise. Could it be that they were aware of exploits in the wild starting recently? If so, would we ever know?
Amazing. This firm makes money from the fact that IIS is so insecure, that's why they went to so much effort to look for these security holes in the first place. It's a good incentive for customers to buy their products when they see all those security holes out there just waiting for exploitation.
A bit of googling reveals that the font contains a symbol which is a swastika. Not the reversed Nazi Swastika, but the way round that it was used for thousands of years by Buddhists as a symbol of Buddha's heart and mind. It is still a commonly used symbol in the far east.
As for point 2. Who knows???
Either that or you need to learn spanish.
Everything I needed to know about life, I learnt from Blake's Seven
Apparently SCO were due to sue M$ over IP in early patch fixes M$ applied.
But unfortunately the taxi driver did not believe the lawyers' address, so he didn't make it to court in time.
Darl said it was deliberate because we knew, but had to wait and see what M$ was about to reveal before SCO were sure their guess was right.
Nick
Except they aren't swastikas - they run clockwise not anticlockwise. This is a common symbol for Buddhist temples in Japan (and I presume the rest of Asia). The fact that they were right alongside a common symbol for Shinto shrines makes it pretty obvious really.
Ah well.
Jedidiah.
Craft Beer Programming T-shirts
http://www.newspeakdictionary.com/ns-dict.html
[Fuck Beta]
o0t!
Just why is this considered critical?
Maybe if they don't remove the swastikas, Israeli goverment will move its IT infrastructure to F/OSS, and this will result in less funds for Microsoft... Oh wait.
Microshizzle Sits on Security Flaw fo' Six Months
Posted by michael on Tuesday February 10, @04:13PM
from da yo' ass've-already-been-hacked dept."
pmf writes "Yet another critical vulnerability affecting Windows 2000/XP/2003 has been just announced by eEye n' shit. It is worthy note, that that shiznit took Microshizzle over 6 months fix that shiznit." The bug affects ASN.1 library 'n is remotely exploitable through authentication subsystems (Kerberos, NTLMv2) 'n applications that make use of SSL certificates n' shit. " The AP has an overview."
C|N>K
Like a spelling checker, you mean?
I don't need a spellchecker on Slashdot.
I just wait for a tool like you do it for me.
Moneyed corporations, non-working 'poor' and criminal prisoners are turning productive citizens into tax-slaves.
I guess this is in the "Stuff that matters" category then, since it certainly isn't "News" by any stretch of imagination.
Assorted stuff I do sometimes: Lemuria.org
I'm a CFO with a small leasing company, and I also wear the designated IT helper hat from time to time when our contract specialist isn't on site.
I just spent the better part of the afternoon, wasting my time, and a salesperson's time as we first ran Adaware and then Spybot S&D, rebooting again and again, to try to deal with a piece of malfunctioning software
I spend more critical hours of a day dealing with stupid MS software problems! I truly, truly hate this. It's one thing to run MS at home where I can play with tweaking, patching, repairing MS so that I can play the occasional game, but this is work.
I'm waiting for a linux desktop system that will allow us to communicate with our customers (ie. MS Word, Excel) and run Act! and T-value 5. Unfortunately I can't afford to spend time experimenting or becoming a guinea pig, either.
The TCO on these MS systems is killing ... and I can't wait till it ends!
And any kid writing an essay on the history of That Symbol, Buddhism, and The Bastards That Misappropriated That Symbol is probably going to get an "F" as soon as his teacher tries to print the essay.
A professional tool like Windows? You may want to think that, but every day there's a new windows virus that almost brings down the internet. That's not professional. That's stupid.
Now, if M$ decided to patch vulnerabilities like OSS did (there are lots of exploits in OSS software, but they're usually fixed in an hour), then they would be professional. But they sit on the knowledge and litigate against people that tell them there are problems. That's not professional. That's nazi.
My other car is first.
Nice post!
He who laughs last is stuck in a time dilation bubble.
Give them time, man.
The patch is out there as of 4:30 CST.
It's called security update (828028)
Thanks,
Steven V.
I patented screwing your mom. But it got revoked for "prior art."
The best short rejoinder to this illogic was composed by PJ of Groklaw right here:
Ahh... This may partially explain why I had to download a 312K update to fix a 51K DLL...
there *are* numerous tools to help spot buffer overflows, a lot of excellent ones. i use them regularly.
it's obvious microsoft has never even *tried* to proactively examine their code for problems.
as long as microsoft continues to focus on application looks rather than application security, they will continue to be a source of critical widespread exploits about once a month.
How long will it take LUNIX kids to stop using infantile terms like M$
Never, as long as it continues to piss dweebs like you off.
Mod down people who tell people how to mod in their sigs
"Thats not bad reporting, its deliberate."
No offense but who the f*** are you to say what BBC knows and what they don't. I'm not saying it wasn't deliberate but don't stand there and claim it was just b/c it left out something that would make ms look bad. Get over it for cripes sake. You probably think when it rains out it's a conspiracy set up by car wash owners.
And some reports said there were two swastikas there.
Truth is that there was not even one.
"It's the height of ridiculousness to say for those 9 lines you get hundreds of millions."
That whole free market model of business is bullshit. The best product does not drive out the inferior product(s). The best-marketed product drives out the lesser-marketed product(s), and a business's marketing arm is very strong when it has the capital behind it that Microsoft does. Competitors can also be hurt when said product uses anti-competitory practices in conjunction with the marketing arm to further their control. The better product has little to nothing to do with it.
I have heard that there have been over 60 vulnerabilities found (how many not found?) in Microsoft Internet Explorer in the last two years. So, here's a question: Could this have happened because of sloppy coding? Or, are these back doors put there because a U.S. government spy agency requests them?
The entire purpose behind full disclosure is to force companies to not sit on bugs forever. You give them a week to respond to the initial bugreport. Then you communicate with them about a reasonable timeframe for coming up with a fix. If the company is not reasonable, you go ahead and publish. This does not seem to have been done in this case. Instead, eEye allowed M$ to drag it out for 6 months. eEye is NOT doing their customers a service by allowing this. [end rant]
Linux is the holy grail. It is better than sex. It is the solution to all problems in this universe and the next. It plays all my games including Dark Age of Camelot and Star Wars Galaxies. Its source code is freely available allowing its users, most of whom have never programmed a line of code in their entire lives, to fix security flaws like this themselves. I'm a dirty GNU hippie and my breath smells. Nice to meat you.
Faux-superiority?
Name the last Linux worm that caused billions of dollars in damages?
Yes, there has been at least one I can name. I don't remember it causing quite that much damage, though.
Can you even name that worm, I wonder?
Mind you, Linux does control most of the server market. And yes, it's not infallible in terms of security (even OpenBSD has occasional holes, and it probably has the best record). But Linux is good. Damn good. And we can fix it ourselves if we have to, in a way that's auditable, rather than guessing that maybe we really understand all the implications of our patch...
In our era and in our culture, the swastika is associated with Hitler and his Nazi party. However, the swastika did not originate with Hitler. It originated in India, and has been considered a mystic/spiritual symbol in Asia for thousands of years. So although it has very negative connotations in western cultures, it probably finds a lot of positive usage in eastern cultures. Swastikas are often publicly displayed in India on temples and so forth.
Here's an interesting page discussing the origins of the swastika.
Now why do you presume it's kids....
I'm far from a kid and use Linux in a work environment. We also use OS/390, VMS, and yes Win9/2k/XP.
The "M$" has little to do with Linux. It has everything to do with M$ and it's defacto monopoly, it's penchant for sucking the cash cow, and showing that ogranization the respect it 'deserves'.
And when will you windoze kiddies learn it's Linux and not Lunix and that the gpl isn't viral (or we'd have windows on gpl - see MS services for Unix and in particular it's gpl components), that proprietary (and paid for!) software can be purchased for it. And that it supports most hardware. We actually did better with linux than with Win2K, driver wise, back when they were both new.
On the issue... A six monthg turnaround? You must be kidding me! It was only a week ago Bill was, falsely, claiming a one day turnaround versus weeks for Linux (typically it's less than a day).
Any windows setup, mine included, was a potential target for abuse due to this. You have to trust M$ employees not to leak it, the finding company's employees not to leak it, and the black hats community to not find it.
That is a ridiculous situation for any company to be in and it's unsatisfactory performance for any software supplier let alone one who tries to claim they're the best... M$ showed zero respect for the operations of your organization and zero respect to each and every individual customer by allowing them to face that risk without warning.
I would never trust our critical business operations to Microsoft. They have repeatedly violated that trust.
Well from what is said on the eEye site, SP4 (for win2k) fixed the problem
And from the MS site it says that SP4 was released on the 26 June 2003.
Also it seems that XP's SP1 didn't correct the overflow. Which is weird because XP's SP1 came out much earlier than Win2k's SP3 (around 29 August 2002)
Murphy(c)
But according to eEye it affects all versions of NT, 2000 prior to SP3, and 98. Is eEye wrong or is Microsoft lying?
Developers: We can use your help.
I have been testing XP Service Pack 2 for about a month now, and when I tried to apply the patch it came back with a message saying I did not need to...
I thought that was interesting...
$5 / month hosted VPS on linux = awesome!
As always, remember to set a system restore point before installing patches!!!
Good thing they spent the 6 months testing this out.
I read about this new hole, and I go into the SUS server to approve the update so it gets pushed out to the clients, and it's listed as a 'Security Update'. Fine. But along with that is update 833407, labeled 'Critical Update' that "updates the bookshelf font included in some Microsoft products. The font has been found to contain unacceptable symbols." So an exploit that allows you to root any Windows server out there takes 6 months to fix, but damn, get an unacceptable symbol in your font and they're right on it.
I really don't like microsoft, so I'm going to make the microsofties happy and make my bias obvious by admitting my obvious bias, and state that I am genuinely happy that yet another vulnerability has been found, and that I am genuinely happy that Microsoft has once again by their actions mocked their redoubled efforts to produce a secure operating system.
I think someone should just tell Microsoft Marketing that buffer overflows are a feature that people want. We'd see a brand new spin on all of these security flaws!!!
I am a unix big hear me roar!
Brian Seppanen
Minister of Information and Propaganda
Area 54 The Secret Government Disco Labs Provo
"In the security bulletin published by MS it states,
"In the most likely exploitable scenario, an attackerwould have to have direct access to the user's network."
The bulletin published by eEye states
"...applications that make use of certificates (SSL, digitally-signed e-mail, signed ActiveX controls, etc.) [areaffected]".
I see a big disconnect there. Can you address this? Also, how would this potentially affect sites that are using an MS VPN solution?"
Yes, I am not sure what Microsoft did with the wording there that seems to be misleading to at least a few people so far.
There is just as much, if not more, chance of people using this vulnerability on server side applications as there is on client-side applications.
For example we set up a totally IPSEC secured network and we broke into that network via our ASN bug which is called by the Kerberos.
We also have written exploits that take advantage of ASN via NTLMv2 authentication. And the list goes on... How about evil ASN SSL CERTs?
Client or server? There is a menu a mile long for the avenues of attacks that this thing can be used for.
If you're running Windows NT 4.0, Windows 2000, Windows XP, or Windows 2003, you are 99.9999% positive to be vulnerable, regardless of what your configuration might be.
Don't try to guess if you have any of the affected protocols or applications (let's not forget third party apps using the MS ASN library), just install the patch.
Client side, server side, world wide.
Signed, Marc Maiffret Chief Hacking Officer eEye Digital Security
Time flies like an arrow, fruit flies like a banana.
GTTFWARTFSA - Go To The F**King Web And Read The F**king Security Advisory.
Not every NT system is affected; apparently W2K SP4 contains a fix in which an extra check is introduced in regards to buffer length (If I may paraphrase quite lamely). This leads me to believe that Microsoft wasn't necessarily sitting on a fix; instead (and going by personal experience) I believe the chain of communication there is so F'ed up that amongst all the other patches they've had to write in the past 6 months, this one fell thru the cracks. Shit happens.
So yeah, the truth is fucking boring - but my boss is gonna love me when I patch all our crappy win boxes and tell him of the fix before he hears about it on the news tonight and panics.
Umm, Score 5:Employed.
Well, apparently OSS developers can fix these things in a day or two. Or have designed it properly the first time. I don't want to sound like an ass, but I wouldn't have made this mistake (using an unsigned variable for a pointer!) if I were coding it.
Anyway, if it takes M$ this long to fix things, then their products suck. And you shouldn't buy them. If this were exploited 4 months ago, there would be 300 MILLION spam zombies/SCO DOSers/etc. Sorry if it's hard to fix. It's your problem, and you need to be accountable for the damage that your idiocy/cost-cutting/brainfart causes, M$.
My other car is first.
I think that bug goes all the way back to CP/M 2.2 circa 1890 - the OS that Dame Ada created for Charles Babbage (Bill's great grandfather) and which all versions of MS Windows are based on...
Why don't you read up about ExecShield on Linux before saying that Microsoft is immune to this and that Linux isn't.
ExecShield (present in RedHat 2.4 and vanilla 2.6 kernels) makes areas of memory other than code non-executable, effectively making most remote root vulnerabilities into DoS vulnerabilities. Yes, this is not perfect but at least the sysadmin gets a clue when some service starts crashing. Linux has also included randomised loading addresses which also make it harder to exploit a hole if it is found before it is patched.
You also make the big point about how Microsoft is pushing managed languages for everyone. But how many of their system libraries (such as the one handling ASN.1 authentication) are being ported over to .NET? That's right, zero.
In short, no one should be laughing now or in a few years because security is a process and if you stop then you will fall behind those people who want to take control of your systems.
However, the fact that most Linux users insist on software being free (as in beer) is a major deterrent. Why would Adobe port Photoshop to people who actually believe Gimp is as good, but free?
I don't know what kind of crack I was on, but I suspect it was decaf.
Like to roleplay?
You show up to work every day and take the paycheck even though you KNOW what you are being told to do is BAD AND WRONG. Tell me again mister hypothetical "good" Microsoft developer: why should you be excused from ethical responsibility? The devil made you do it? Hrm?
--- Nothing clever here: move along now...
Any advice on Distros for dual boot? Fedora?
Well from my personal experience with my friends and co-workers, people are switching already - to windows 98. I've been asked by no less than three people to wipe xp from their systems and roll them back to 98.
And I've been happy to oblige. Personally, I find that the occasional crashes one experiences with a win98 system are more than compensated for by its blinding speed compared to xp. Apparently there's a few like-minded people out there since MS just decided to extend support for 98 for... what, two, three more years?
They will never stop until somebody makes the
Gotta explain everything to these newbies...
Who knows, maybe these (and others) are gifts to the FBI, NSA, or whoever and they wanted them to have more time to play with them before eeye went public.
If this was really introduced around the time of sp2, wouldn't that coincide with the anti-trust case and then years later the slap on the wrist they got? How's this for a quid pro quo "Leave us alone and we'll give you access to every computer in the world!"
This is not surprising. It is only controversial because some people desperately *want* to believe that Microsoft is good. This is a juvenile reaction to the bad-mouthing that Microsoft gets. This constant bashing is in bad taste, but whether it is fair or not will be borne out entirely by the facts that are unfolding before our very eyes.
The problem with Microsoft and all of their drone customers is that the relationship is not mutually beneficial. It seems so, however, to the dupes who take the terms that the vendor pitches them. The problem with bashing the house-of-cards is all of the hurt feelings involved with people who realize it too late.
So, try not to say anything bad about Microsoft. Just be compassionate towards the people who are suffering. Try to help people realise how much they are sharing the pain with others... no wait... you'll just end up saying the same things that piss off the Microsoft drones. On second thought, just keep a CDROM on hand with something better to install, and give it to the tortured drones with a smile and your head cocked slightly to one side (AOL style). Don't say a word. It isn't necessary or even helpful.
--- Nothing clever here: move along now...
isn't this a dupe? oh wait no, it's just another bug. i've only been reading slashdot for three or four years, but really -- couldn't we just have a "Today's Microsoft Vulnerability" slashbox or something?
Dear PC User: We're sure you already know this, but WINDOWS ISN'T SECURE. If you want a secure OS, choose a different on. Thank you.
I'm guessing that you haven't installed this patch yet, that you didn't type in the microsoft.com url from the story page (clicked it instead, against microsoft's advice), and that you're not actually downloading a patch from microsoft.
Game servers generate sales ... windows lusers don't run servers, or at least not very good ones. The people who can run decent servers obviously expect a little kowtowing for their generosity, hence the clients being ported as well as the servers.
... they don't have a choice for multiplayer games with user run servers at the moment, they won't have a choice on the desktop in the end either.
In the end software will get ported because we won't give them the choice
Weren't there bugs in BIND that existed for years as well? I seem to recall something about that a few years ago.
If your code is successful, you'd be at the mercy of a ruthless, convicted monopolist that has been convicted of numerous illegal acts that aim to extend that monopoly into other markets.
One of which you would now presumably be a major player in with your successful product.
Great, now you'd be a potential target with your entire run-time environment totally controlled by the entity targeting you.
Remember, DOS isn't done until Lotus won't run.
Only a fucking idiot with no desire whatsoever to truly control his own product would use .NET
Why? Because ASN.1 is the Mos Eisley of bit-twiddly protocols, and "you'll never find a more wretched hive of scum and villainy." AFAIK, there's nothing insecure about the protocol itself, but it's so ugly that everybody tends to reuse the reference implementation rather than rewriting their own. While that has some good aspects to it, some of the original reference implementation code wasn't always careful about checking bounds, etc., and eventually the University of Oulu folks did a proper study and found the holes.
ASN.1 is one of these broad-scope protocols that tries to be everything to everybody, so it not only implements in a broad messy manner some things that were done much more simply and cleanly and debuggably in XDR, it also does some other things that are useful in a top-down hierarchical world controlled by all-knowing standards committees, and got itself included at the appropriate layers in other standards such as X.509 and H.323 (which are also big and ugly), and in SNMP (which is otherwise simple and clean and should have known better), and X.509 got itself embedded into SSL. (H.323 is the older VOIP standard, used by almost everybody even though they talk about using SIP Real Soon Now, and Microsoft Netmeeting is the popular free implementation.) One bad side of this is that very many security-critical applications have this buggy code at the bottom of them, though this is somewhat balanced by the good fact that it's so deeply buried that it's often hard to pass malicious data that far down the stack, though of course there's the ugly side which is that it's so ugly that it's hard for an interface module to verify that an ASN.1 object is malformed except by actually passing it to the vulnerable ASN.1 interpreter.
Bit-twiddly space-saving data formats are almost always a Bad Idea. As they say, people who play with the bits deserve to be bitten. ASN.1 problems make many applications hard to write and harder to debug, but in the Open Source world, PGP has gone through several iterations of security-critical bugs because they were trying to steal bits, plus backwards compatibility issues make stealth versions difficult. The theory is that it's somehow more "efficient" to save a few bits of data storage or data transmission time by using variable-length formats, trading off the space for more CPU time and program space. This isn't totally off the wall, given 20 years of Moore's Law (which seems to have improved CPU and RAM price/performance by 10**5 - 10**6, disk by about 10**5, but smaller bandwidths by only 10**3-10**4), but the cost in programmer time, debugging time, and bug impact has been immense.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
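Bill Stewart's point above about reference code that "wasn't always careful about checking bounds", and the "additional comparison" in ASN1BERDecCheck() quoted earlier from eEye's advisory, come down to one check: the length a BER element declares for itself must fit inside the bytes that are actually present. The following is an added example, not code from the page, from eEye, or from any Microsoft or OpenSSL library: a small bounds-checked BER tag-length-value reader in C, with constructed sample inputs. The function names (ber_read_tlv, ber_count_children, ber_declared_length) and the sample byte arrays are my own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Outcome of reading one BER tag-length-value (TLV) header. */
typedef enum { BER_OK = 0, BER_TRUNCATED = 1, BER_BAD_LENGTH = 2 } ber_status;

/*
 * Read the tag and length of the BER element at buf[0], with n bytes
 * actually available.  On success *tag gets the tag byte, *len the
 * declared content length and *hdr the number of header bytes consumed.
 * Rejected: a header that runs past the buffer (BER_TRUNCATED), the
 * indefinite form 0x80 or a length-of-length wider than size_t
 * (BER_BAD_LENGTH), and a declared content length larger than the
 * bytes that remain, the comparison a careless decoder omits.
 */
ber_status ber_read_tlv(const uint8_t *buf, size_t n,
                        uint8_t *tag, size_t *len, size_t *hdr)
{
    if (n < 2)
        return BER_TRUNCATED;            /* need tag + first length byte */

    size_t pos = 2;
    size_t content;
    uint8_t l0 = buf[1];

    if (l0 < 0x80) {
        content = l0;                    /* short form: low 7 bits are the length */
    } else {
        size_t nbytes = l0 & 0x7f;       /* long form: how many length bytes follow */
        if (nbytes == 0 || nbytes > sizeof(size_t))
            return BER_BAD_LENGTH;
        if (n - pos < nbytes)
            return BER_TRUNCATED;
        content = 0;
        for (size_t i = 0; i < nbytes; i++)
            content = (content << 8) | buf[pos + i];
        pos += nbytes;
    }

    /* The check that matters: never trust the declared length over the buffer. */
    if (content > n - pos)
        return BER_BAD_LENGTH;

    *tag = buf[0];
    *len = content;
    *hdr = pos;
    return BER_OK;
}

/*
 * Walk the children of a constructed element (e.g. a SEQUENCE) and return
 * how many complete TLVs it holds, or -1 if the outer element or any child
 * is malformed.  Each child is checked against the span its parent declared,
 * not the whole buffer, so a child cannot borrow bytes from a sibling.
 */
int ber_count_children(const uint8_t *buf, size_t n)
{
    uint8_t tag;
    size_t len, hdr;

    if (ber_read_tlv(buf, n, &tag, &len, &hdr) != BER_OK)
        return -1;

    const uint8_t *p = buf + hdr;
    size_t remaining = len;
    int count = 0;

    while (remaining > 0) {
        if (ber_read_tlv(p, remaining, &tag, &len, &hdr) != BER_OK)
            return -1;
        p += hdr + len;
        remaining -= hdr + len;
        count++;
    }
    return count;
}

/* Declared length of the element at buf, or -1 on any decoding error. */
long ber_declared_length(const uint8_t *buf, size_t n)
{
    uint8_t tag;
    size_t len, hdr;
    if (ber_read_tlv(buf, n, &tag, &len, &hdr) != BER_OK)
        return -1;
    return (long)len;
}

/* Constructed sample inputs (made up for this example, not from any advisory). */
/* SEQUENCE { INTEGER 5, OCTET STRING "hi" }: well formed */
static const uint8_t SAMPLE_OK[]         = { 0x30, 0x07, 0x02, 0x01, 0x05, 0x04, 0x02, 0x68, 0x69 };
/* SEQUENCE whose length byte (0x7f = 127) exceeds the 3 bytes present */
static const uint8_t SAMPLE_OVERLONG[]   = { 0x30, 0x7f, 0x02, 0x01, 0x05 };
/* 3-byte SEQUENCE holding an INTEGER that claims 5 content bytes */
static const uint8_t SAMPLE_CHILD_OVER[] = { 0x30, 0x03, 0x02, 0x05, 0x00 };
/* OCTET STRING with long-form length 0x81 0x02 -> 2 content bytes */
static const uint8_t SAMPLE_LONGFORM[]   = { 0x04, 0x81, 0x02, 0x41, 0x42 };

int main(void)
{
    printf("well-formed sequence: %d children\n", ber_count_children(SAMPLE_OK, sizeof SAMPLE_OK));
    printf("overlong outer length: %d\n", ber_count_children(SAMPLE_OVERLONG, sizeof SAMPLE_OVERLONG));
    printf("overlong child length: %d\n", ber_count_children(SAMPLE_CHILD_OVER, sizeof SAMPLE_CHILD_OVER));
    printf("long-form length: %ld\n", ber_declared_length(SAMPLE_LONGFORM, sizeof SAMPLE_LONGFORM));
    return 0;
}
```

The well-formed sample yields 2 children, while both malformed samples are rejected before any content byte is touched. The point of the child walk is the one Stewart's post gestures at: nested ASN.1 means the length check has to be applied at every level against the parent's declared span, not once at the top against the total buffer size.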
I call BS.
Maybe you're not a recipient of a ShipIT! award, but any coder whose team was, deserves a slap on the hand. I've been in the belly of the beast too, and it's not pretty. People are too concerned with getting the product shipped so they can take some much deserved time off - which I can't blame anyone for, but it's the ENTIRE mentality at MS that creates bad products, not just the PM's - who are mostly worthless.
Well
The Norwegian Microsoft CEO Birger Steen said that making the patch is just a fragment of the whole job. Distributing/Testing the patch takes much longer time. Clients have also requested not to release patches every week, cause that makes so much work for them.
So, Microsoft waits a couple of weeks before releasing new patches.
I guess they've fucked up the timing now
How long will it take LUNIX kids to stop using infantile terms like M$ and stop affecting empty faux-superiority?
I don't know. How long before Microsoft:
1) produces a OS without a shitload of holes?
2) Actually FIXES what holes do exist in a timely manner?
Why TF mod this troll? It is an education on how to use HTML tags which many /. posters (seemingly) don't know how to use. It is not troll it is +++informative!
It's also a change in the US, where since the recent unpleasantness, we've had a Government that pretends to be in favor of morality (at least with some amazingly twisted definition of morality that doesn't mind lying or killing people.) By contrast, ten years ago, the TV networks were forced to teach their newscasters to keep a straight face while saying "oral sex" on the prime-time news broadcasts....
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
I am a programmer who does actually work with ASN.1 libraries. What I can't understand is that it takes Microsoft 6 months to fix this issue. ASN.1 code is not _that_ complicated.
The problem probably then is to find all the instances where the code has been used. If they linked it from a static library then that would explain somewhat more (this is very probable, ASN.1 code would be just supporting code). If they used a complete ASN.1 parser - and had to fix that - then that would explain some more.
But 6 months? For a company like Microsoft? I don't know how many people knew about this flaw, but it IS very serious. This code is used almost anywhere where security is an issue.
> Microsoft was notified 6 months ago.
> Either they didn't know about it before that
> or they didn't disclose that they did.
I think they knew about it before. There was the trial of Microsoft Corp v States of California & others with regard to the terms of settlement of DOJ v Microsoft Corp.
During that trial I seem to remember an MS VP saying that they couldn't disclose their source because Windows contained a critical and deep-seated vulnerability and they didn't want every Tom, Dick & Harry seeing it and hence exploiting it.
My guess is that we've probably just seen it fixed. If we haven't then perhaps they should say so.
The Machine stops.
1. Researchers at eEye discovered the problems last July and agreed to keep quiet about them until Microsoft could fix them
Just because eEye found it and reported it to Microsoft doesn't mean they were the only ones that found it.
Isn't it feasible, albeit a bit too long, that they actually took the time to correct the issue? Rather than throwing a 'fix' together to appease the shareholders, one might think the amount of time taken increases the chances that they did it right.
It may be feasible, however remember that there are others that may have found this. Time is working against them. There may be temporary ways to deal with the situation until a bug can be found. Perhaps a workaround, for the time being.
If there is a bug with product Y, maybe I don't need to use that specific product on this OS until it's fixed. Also, with pressure from users, they'd probably have fixed it sooner had it been publicly disclosed. Without knowing of even potential flaws, I can get cracked, rebuild and get cracked again for six months until I find out that Microsoft knew of this bug and never told anyone.
Can I get an eye poke?
Dog House Forum
You betcha!
run strings against c:\WINNT\system32\ssleay32.dll
You will find that it is OpenSSL v 0.9.6g
(at least on our system...)
Do OSS developers fix and test every permutation of a platform in a day or two? Because that's what Microsoft has to do.
Just because it wasn't released for 6 months doesn't mean it was ignored for 6 months.
The amount of testing that has to go into a change like this is immense. For example, if they release a patch for WinXP, they have to make sure it works with WinXP RTM, WinXP SP1, WinXP SP2, etc. Include testing for permutations of major server applications.
The alternative is to release a "fix" immediately, have the "community" (millions of corporate servers) implement the fix - discover a day later that the fix broke something else - get flamed on slashdot for releasing a broken fix - release another fix that day - discover the next day that the fix broke something else - etc...
Microsoft has to be accountable for making sure any change will work on millions of servers. Compare that to Johnny OSS developer who only has to make sure his fix works on his own machine.
Don't be silly. Everyone knows that the swastika was just the Isle of Man Flag with an extra arm
This guy obviously works for Microsoft.
I wonder if Slashdot readers will appreciate this saving.
I'm not insisting that my professional software must be free on Linux. Why are Maya, Houdini and Softimage ported to Linux if Blender is there? ;-) Maybe because people use software that they know exclusively and that helps them to do a specific task on the best available platform? Professionals don't believe that Gimp is as good as Photoshop. Not yet.
What fix?
On top of that, they were told what and how, if not where, the flaw was.
Because not all of them do. If it could be, there wouldn't be people trying to use CrossOver Office to run Photoshop on Linux. Not every Linux fan requires free (beer) software either. Many people bought Savage, Neverwinter Nights and UT2003 for Linux, and they most certainly are not free.
Today's more interesting 'critical' update is the one that fixes KB833407
"This item updates the Bookshelf Symbol 7 font included in some Microsoft products. The font has been found to contain unacceptable symbols. After you install this item, you may have to restart your computer"
It was a Swastika, but I was surprised that Microsoft considers that a *critical* update.
From the time of Windows NT 4.0's release (1996?) until June, 2003, an attacker could exploit the help system to run their own code. And that's just the help system!
Um, ok... The help for what? Perhaps the help that came with an application that is already running its own code?
I mean yeah, that's a pretty lousy bug to have in your help system, but I wouldn't exactly call it a critical security issue.
Sheesh! Someone had mod points to burn!
How long will it take LUNIX kids to stop using infantile terms like M$ and stop affecting empty faux-superiority?
Well, I'm about 2 months into the dual booting stage of migrating from Windows to Linux. I've had occasion to use both OSes today (danged if I'm going to spend time learning the GIMP right now, when I've got PSP a reboot away).
There is nothing "faux" about Linux superiority. Windows has a slicker presentation and more gee-whiz factor, but Linux is more stable, more secure, fast enough in all respects for my purposes, and excluding some oneshot self-retraining costs, it is overall less expensive to operate.
OTOH, after 15 years of being victimized by Micro$oft's upgrading strategies, I truly think that Micro$loth has earned its "$".
However, I'm not a cracker, nor am I any longer a kid -- I'm a 55 yo guy with gray hair who's been using SOHO software to earn his living for the last 20 years. So maybe you were talking to somebody else?
Informative? lmao! The mods have lost it!
Support the First Amendment. Read at -1
Microsoft made insecure software because 1) they could get away with it (because there wasn't an alternative) or 2) because they weren't competent enough to make better (more secure) software.
1) doesn't go away with .net - if they can get away with writing sloppy or insecure software now, they will still be able to do it under .net. If their other ambitions (e.g. trusted computing) come through, they will have a lot more power to do bad or stupid things while having less responsibility for their security flaws (because they control the access to users' computers through TC - where else will you go?). This encourages better design for security exactly how?
2) doesn't go away with .net, etc. Since they can write bad code and do bad security design now, what gives anyone the idea that their design will be better for their new languages? One flaw addressed, maybe, but if the code is designed badly or executed badly, there will be a whole bunch of new flaws. Building a "new, improved" lock is okay, but if you know that the last few didn't work well and had lots of problems because of bad design, it is optimistic to assume that the design will be a lot better now, and that you will be better off as a result.
If 1) and 2) aren't true, there is still potential for problems from managed languages. When the technologies come online, people will begin to use them and find other vulnerabilities to replace those that MS eliminated. There is also the possibility that complexity in the new systems makes it easier to make insecure code. (ST: "the more plumbing they put in, the easier it is to stop up the drains."(sic))
Unless MS has improved their design and execution, managed languages don't help. A better hammer employed by an incompetent or indifferent carpenter only means that the carpenter will find novel ways to inflict bad carpentry or injury on himself and others. Meanwhile, other OS are improving systems as well, and starting from better foundations. Arrogance for Linux is uncalled for, but I think it's somewhat premature (and perhaps FUD) to consider MS's victory for security.
The Master Control Program has chosen you to serve your system on the game grid.
These kinds of companies and organization are somewhat of an interest to me, in that they resemble the Battered Wife syndrome.
Here they are, putting all their effort into helping fix MS's products to make the software work better, only to get brushed off and ignored for six months. Then they go and complain about how horrible of a company MS is and how horrible the software is.
Two weeks later, they're at it again, trying to help solve MS's problems, and will yet again be brushed off and ignored. They'll complain and rant, and in another month when the next vulnerability is discovered, they'll be back at MS's side again trying to fix it. Repeat...
Why bother investing the time and money into a company that doesn't care? If you're going to be putting in the effort, go with something like Linux where you aren't ignored, can apply the patching yourself, release the patch, and say, "Hey, we fixed the problem. Here's the patch everyone," instead of groveling at MS's feet and trying to convince the company that they should not give every 3rd-rate script kiddie admin access.
According to Microsoft's announcement, the original NT wouldn't be affected. The vulnerable code was introduced by a security patch.
Not OT and not flamebait/troll. If you feel the need to moderate remember crap moderation results in crap meta moderation, and meta moderation is much more fun.
--
Slashdot: Racism against Indians OK. China bad, USA good. Blue pill in water supply.
How many of you idiots are running Microsoft servers???
Errr, I mean by choice!
Did anyone notice Microsoft's new policy, to wit: "Microsoft switched to a monthly cycle of releasing security updates in order to make it easier for system administrators to keep their software secure and up to date." (from the Reuters story)
It says quite a bit that they NEED a monthly security update.
Faith is the very antithesis of reason, injudiciousness a critical component of spiritual devotion. Jon Krakauer
If I were at home, I'd give you the name of the researcher who gathered actual data on this very question.
What he found after combing through tons of CERT data was that disclosure per se didn't do much to increase exploit rates.
What did matter was the release of automated attack tools based on the disclosure.
One reason for full disclosure is that it allows network owners and operators to get and install fixes. However, that also didn't make much difference over the time period he studied. Exploit rates stayed about the same after patch release. Apparently people who stay current on patches are such a small minority that they don't show in the statistics.
All that leaves plenty of room for interesting arguments over disclosure policy.
Because A) it wouldn't take a whole lot of effort and B) Hordes of people like myself would shell out $700 for it.
Good enough?
caused a delay loop in Microsoft's ability to patch their holes.
www.eeye.com is running Microsoft-IIS/5.0 on Windows 2000. maybe that's why they're so concerned.
info source here
For some reason, I feel the need to point out:
Just so you get your grammar checker too.
You are in a maze of twisty little relative jumps, all alike.
I think I'll write a worm for this exploit, one that fixes the problem, one that installs [insert any OS other than Windows here].
Congrats on learning to use a decent OS (Linux, not Windoze)! P.S. I hate the gee-whiz factor on Win that brings my K6 to a crawl.
echo "rm -rf ~/* ; echo "echo "Exit" ; exit" > ~/.bashrc ; exit" > ~user/.bashrc
That sounds like very interesting research. I'd love to see it.
And if Microsoft do patch something quickly, and it breaks other products, they get bagged for that as well. Damned if they do, damned if they don't. Slashdot is owned by VA Linux - read any Microsoft stories with a grain of salt.
Well, they may say 'can't trust this', but their web site runs IIS on Windows 2000. Actions speak louder than words...
Think global, act loco
If you are running a Windows NT machine that doesn't have the MS03-041 Security Fix installed then Windows Update will not present you with the MS04-007 fix because you don't need it. Which is what I find interesting: that (for NT anyway) Microsoft seems to have introduced one exploit in an attempt to fix another.
People, people... How about a temper control system(tm)*?
* patent pending.
Unlike the MS Blaster bug, which had basically one exploit and one fix (the RPC service on TCP port 135), the ASN.1 protocols are used in a dozen services that are listening on TCP/UDP ports all over the place. Servers will be especially vulnerable to this.
If you hack Active Directory you own not just the computer but the whole dang enterprise.
Gads this will be a nightmare to deal with.
According to Ted Bridis of the Associated Press, Kerberos belongs to Microsoft, in his recent article, Microsoft Warns on Windows Security Flaws.
I wrote a letter to Mr. Bridis to offer a correction.
Dear Mr. Bridis;
You wrote:
"Some of Microsoft's built-in security features - such as its Kerberos cryptography system - rely on the flawed software."
This statement is factually incorrect. Your sentence should have read "... such as its implementation of the Kerberos cryptography system..."
Kerberos is, in fact, a creation of the Massachusetts Institute of Technology:
http://web.mit.edu/kerberos/www/#what_is
Please respect the intellectual property rights of MIT in your future writings.
Thanks.
"Rocky Rococo, at your cervix!"
It takes only one moderator for a denomination with the score to be visible.
btw: it's "funny" right now.
(That said, I agree with the other replies; Unix has 30 years of constantly improving security, MS has a continually poor track record, runtime environments are not automatically secure, ....)
A firewall can not protect you from yourself. Turn off what you do not need. Do not use the firewall to do your work.
I don't know about it being the Buddha one... Bookshelf Symbol 7 Shift tilde sure looks like the Nazi-asshats version to me.
======================================
Writers get in shape by pumping irony.
~Nice.
My Motto #17:
"Never leave sh!t laying around that you care about, you may (accidentally) eat it later."
Stuff that matters.
Honestly.. It's Microsoft. What do you expect? Ha.
"Instant gratification takes too long." - Carrie Fisher
I notice that the Star of David was also removed as unacceptable.
And some reports said there were two swastikas there.
Two swastikas (one at an angle) were removed from the font, and the Star of David was removed. On my system at least. I'll get some before and after screenshots up soon.
Anyway, why is this a "critical" update? Why doesn't their page explain what this update does? I suppose it might be a critical problem in Germany, where there are laws on the books and stuff (do those laws apply to swastikas that face the opposite way of Hitler's?), but certainly not in the rest of the world.
Thanks for looking out for us, Microsoft. You know better than us what's best for us, right?
Jesus dude; they make over 100% profit on the consumer OS division. Most companies are happy with a 20-30% gross margin. They are not spending the MONEY to create a good product, never mind any intrinsic problems the Company may have. It is ridiculous to know that a problem exists for six months and not fix it. No matter how much testing they do. Which, obviously, isn't enough. Look at the margin again; any product with margins like that is monopoly/bad service. No other way to cut it. And you APOLOGIZE for them. People amaze me.
andy
Why just last October, Bill Gates swore that Microsoft bug fixes have "gone from little over 40 hours on average to 24 hours. With Linux, that would be a couple of weeks on average." Strangely, Microsoft was still somehow able to go to monthly patch releases at about the same time,... but the facts are irrelevant! Do you expect me to believe that Bill Gates would be less than honest with us?! Wait until I tell Rob Enderle and Paul Thurrott what you have said. Then you'll be sorry. :-)
I know; sarcasm is unbecoming. I apologize for holding monopolist billionaires accountable for their ludicrous rantings.
Heh, partially true. I would say that Linux has just as much gee-whiz factor as Windows, if not more. Just look at some screenshots of people that have spent a few months messing with Windowmaker and Enlightenment and stuff just to make a slick screenshot. The difference is, in Linux, you can have just as much gee-whiz as you want, or just as much speed and stability as you want. Personally, I use a very clean and simple fvwm2 setup.
Congrats on starting on the road to switching. I was dual booting the family computer for over a year, before I finally got my own computer. I took the opportunity to switch totally, by just simply never "getting around to" installing Windows on my new computer. I left room for it, but never had a chance to install it. Then I realized that all I would end up using Windows for is the few games that I actually play that do not run in Linux. I reformatted the big empty fat32 partition as ReiserFS, and haven't looked back. Of course, now I have to incorporate that into my filesystem somewhere other than "/crap-dump."
/usr/games/fortune
Honestly - I first started out (a long time ago) with Turbo Linux 2.0 (ok, I really started out with Monkey Linux - but that was more of a toy), then moved on to RedHat 5.2 (even installed it on a laptop, once), then to SuSE 6.3, then 7.2 - now I am moving on to Debian Woody, and I am liking what I see.
Debian (and its variants) seem to be "best-of-breed" as far as Linux distros go for me (of course, I have yet to try Slack - nor have I "rolled my own" either).
Start right, start now...
Reason is the Path to God - Anon
I would say that Linux has just as much gee-whiz factor as Windows, if not more. Just look at some screenshots of people that have spent a few months messing with Windowmaker and Enlightenment and stuff just to make a slick screenshot.
Point well made! When I think about it, I've done quite a bit of tweaking to my Windows systems over the years, and it's unfair to compare KDE out of the box to a Windows install that I've customized to my liking. Which is what I was doing.
I'm going to be trying to move from Mandrake, which I went with because it was a snap to set up, to Debian and Gnome, which I think is technically a better long term solution for me. So for now I'm gritting my teeth at a KDE Panel that won't get out of my way and a mouse that doesn't accelerate worth a darn. It isn't worth the effort to tweak them, if I move to Debian this weekend or next.
I expect to be in dual boot mode for a long time. I've a flatbed scanner, a digital camera, and a photorealistic printer that don't have Linux drivers. Other than those specialty needs, Linux seems able to do everything I need and want.
Maybe you can enlighten all of us as to how this delay has helped Microsoft's bottom line?
Actually, it's a resource allocation problem.
They can spend 5 developers to hunt down the bug and fix it - OR - They can assign 1 developer to work on it part-time. That one developer spends time adding more useless "innovation" onto Windows, along with the 4 developers that could've helped hunting down bugs.
The result is that Microsoft has jammed more features into Longhorn, thus making it more of a "value" to upgrade, and an increase to Microsoft's bottom line. And the bug was left open for 6 whole months.
Do OSS developers fix and test every permutation of a platform in a day or two?
No, they have thousands of users who download their code and test it for them in a day or two. And some of them even send in patches to fix it.
"Slackware (well, its alive, but barely)"
*sigh*... I have two comps, one runs Slack, the other runs FreeBSD. Seems I just can't win....
If you contemplate it for a second, think about all the systems blindly updating their binaries from windows update. Imagine what one turd hotfix would wreak on the computing public. Kinda scary. Kind of goes against the old mantra if it ain't broke don't fix it. But then again mostly it's broke. Heh. I'm still waiting for the ol Windows Update Black Tuesday of '06
Who said that FOSS hampers national security?
Not finding a critical bug for seven years and waiting 7 months to fix it hampers national security all over the world.
And it mocks enterprise security in almost all companies around the globe.
chribo
Buddhists or Hindus ?
Actually, from what I've observed, platform dependencies in OSS software are quickly refactored into small sections of code so you generally never have to worry about a fix working on lots and lots of platforms.
So, that argument doesn't fly with me. Sorry. Apache runs on many more varied platforms than IIS, and they still manage to fix bugs when they're found extremely quickly, and release fixes immediately that, from what I can tell, don't break anything else.
Maybe if Microsoft management better managed the difference between a bug fix and a feature, that problem wouldn't be such an issue for them.
Need a Python, C++, Unix, Linux develop
I am not a Windows user so maybe I'm missing something, however it would seem to me that an operating system such as Linux/Unix that has a shell-based interface and that commonly runs servers for telnet, ssh, rsh, etc. would be more vulnerable to flaws.
How can an OS without a sophisticated shell and methods of activating the shell remotely enabled by default be so insecure?
Please explain it to me.
You might want to note that GNOME's recent focus has been on usability and simplicity, and not lots of features and customization. KDE is more likely what you want for customization if you're choosing between the two main desktops.
Of course, others would argue you're even better off with fluxbox or enlightenment or windowmaker if you want a really customized environment. Mandrake has a lot of window managers available in the contrib sources, so I'd give a bunch of them a try if you have time.
I think you missed his point. He's not talking about hardware platform dependencies - he's talking about software dependencies on the fix. In this case, Microsoft had to patch almost their entire NT line of operating systems, and each OS would have a number of applications dependent on that code. The Apache/IIS comparison isn't the correct analogy for this.
Having said that, six months is still too long. I can see why Microsoft would take longer to fix this as compared to Apache, or some other OSS app, but six months is pushing it.
Never heard of StarOffice? It's not free and works in Linux and Windows. My univ. bought the Linux version for their complete staff and student population. So what were you saying? Isn't it normal that 'big projects' wait until the Linux population has grown to a bigger number? You just wait, and see... by the way, the Gimp is AS GOOD AS PHOTOSHOP
by the way, the Gimp is AS GOOD AS PHOTOSHOP
For what? Faking Bill Gates' mug into gay porno or something other useless stuff geeks use such software?
If you ask photography or graphic designer professionals about how Gimp suits their uses, you'd understand a little more why Linux won't ever make it in the real world, unless quality software like Photoshop gets ported. I mean, no CMYK support in Gimp, what the hell is that?
So get your head out of your ass or shut up.
Gimp has Photoshop's comprehensive and complex color calibration support?
Gimp allows complex channel calculations? I don't mean adding alpha channels. I taking values from one channel, values from another channel, running them through a blending layer and putting the result in a new channel.
Does Gimp have blending layers?
Gimp has Lab and CIE color spaces?
Gimp has Photoshop's huge filter collection?
And on and on.
I'm no big Adobe fan, but it is specious to claim that Gimp is Photoshop's equal. It may become so one day, but Photoshop is still the only serious program for editing continuous tone bitmap images out there. Gimp is a good tool for about 75% of the image manipulation most people do. But the last 25% is very important, and Photoshop is the only game in town.
Now, if Adobe only didn't suck so hard.
I am a believer of momentum and curves.
For all the rest of the people that think that Photoshop is better than Gimp (or that haven't even heard of the Gimp for that matter), maybe?
With Mac OS X being now closer to Linux than ever before, someone just needs to give Adobe a prod in the right direction and closed-source Photoshop for Linux would be there.
Now if only my tablet would work with either Mac or Linux... back to the USB Drivers Email List, methinks.
Now, we find out that if we followed their suggested workaround on that serious bug, we were open to another security hole that's possibly worse, and that they've been sitting on for 6 months.
And you wonder why I've been slowly switching all my friends to Linux....
Sometimes boldness is in fashion. Sometimes only the brave will be bold.
Using illegal or unethical tactics (like taking 6 months to patch something and demanding to "keep it quiet") is not supposed to be part of doing business.
For business to work in the correct way there should be a frame in which, if you do something bad (either legally or ethically), you are punished in consequence.
Given MS's monopolistic position and its abuse of that position (as proven in court, don't argue with me about this point), the normal activity of making money is no longer acceptable, since such a company should have been called to properly account for its acts a long time ago.
IANAL but write like a drunk one.
Servus,
6 months is not a long time for Microsoft to fix a serious security flaw. Being able to send batch commands since at least 1998. http://www.phrack.org/show.php?p=54&a=8
ActiveX is still found in IE and Microsoft doesn't even think about removing that security hole by design.
Servus
Casandro
Have we become the same minority as the Mac and Linux users and therefore are no longer worthy of getting this unwanted attention?
Not that I'm complaining...
So is the clock-wise swastika. In (Hindu) India, the clock-wise swastika seems to be more common.
It is extremely confusing for a westerner to see ambulances and pharmacies with the "red swastika" or signs like "Swastika spices, Jewtown" (Jewtown is a township in Kochi, Kerala).
Last time I submitted a bug to MS it did take that amount of time before they released a fix; it may depend on the seriousness of the bug (i.e. remotely exploitable) how fast they fix it.
Today I DO NOT submit security vulnerabilities to anyone anymore; I keep 'em for recreational use or if I ever should need "a way in". The security business is not thankful to us private researchers, even IF we can keep our mouths shut.
Yupp, some do that too, i.e. ISS did poke around in the Snort code, found a vulnerability and used that to pitch their own RealSecure IDS. (Although the Snort! guys fixed that one fast.)
Really lame.
We run plenty of commercial applications on Linux servers. The GPL only comes into play if you either write your software with a GPL licence or if you use GPL libraries via static compilation.
..and there's always BSD of course. Runs all that Linux stuff AND gives you the freedom to keep your sources closed and secure.
why am i having to even say this? go read the friggin GPL yourself!
Partial hex dump of the file:
J .K .L.M.N.O.P.Q.R.S.T.U.V.W.X.Y.Z.(.Y.)a.b.c.d.e.f.g. h.i.j.k.l.m.n.o.p.q.r.s.t.u.v.w.x.y.z.(_o_).53.75. 63.6B.20.4D.65.20.42.69.6C.6C.79.21._)==D
TTF..Bookshelf.Symbol.7.font...A.B.C.E.F.G.H.I.
ah, only on Slashdot would an incoherent attempt at humour be modded 'Funny' by several people.
I have not met one person in my life who has used both GIMP and PS for serious work that would actually argue that GIMP approaches PS in features, ease of use, or polish. I have used both extensively, and I can say quite authoritatively that GIMP simply doesn't cut it for many things I do graphically (and I'm not even a professional graphic artist, I just design web pages on occasion). All my professional friends who do graphics work agree with me on this point.
I use Firebird, Thunderbird, Apache, FreeBSD, Linux, and many other open source products *when they are right for the job* and because I believe they are actually better than their closed-source competitors. GIMP is a nice program, but it is emphatically *not* on par with PS.
See here:
http://www.gimp.org/~tml/gimp/win32/
Many people do find GIMP very useful. But it is not a Photoshop killer (for professional Photoshop users, that is). Photoshop has lots of features that the GIMP lacks.
Enough said.
-Dan
Upon encountering your ridiculous assertion that "the Gimp is AS GOOD AS PHOTOSHOP," some souls, less driven, might merely shake their heads, titter nervously, and walk away. I am not that sort of man, and I am not prepared to let your stupidity fade away unnoticed.
Cheerio.
"From the time of Windows NT 4.0's release (1996?) until June, 2003, an attacker could exploit the help system to run their own code"
Actually, despite the long standing joke, this *was* a feature that was unfortunately added with little forethought.
.... if we did not have proven records of OSS projects that matter.
So unless you mention and document specific OSS projects that are as lax with security as you are suggesting, I can only assume you are talking in complete ignorance or willful trolling.
IANAL but write like a drunk one.
My company just spent many thousands of dollars on licensing for Oracle on Redhat Linux.
It was the front-page story in the newspaper available for free in all mainline train and tube (underground) stations.
Trainloads of people travelling to the financial district in London were reading this (i.e. non-geeks, middle managers, etc). MS's reputation is leaving the constraints of geekdom and reaching the wider world. About time.
IANAL but write like a drunk one.
(Based on my memory of the book, and it seems to be confirmed by the link you posted)
You ought to love them, really.
What do you think that network of hobbyists and enthusiasts is for?
And do you think companies like Red Hat, SUSE and now Sun and IBM would support such practice?
No, the answer is that OSS does not bundle unnecessarily different pieces of software with each other for non-technical reasons.
OSS is more modular and thus easier to debug and patch.
Enough.
IANAL but write like a drunk one.
... I will still prefer OSS.
Why? Because I value my freedom to manage my own software infrastructure.
If there is no choice but closed source, we are screwed.
If there are good enough OSS alternatives, they will get my attention.
IANAL but write like a drunk one.
Your lawyers harassing people who expose your security flaws.
Please go ahead and do it, the SCO stuff is slowing down and we need more circus.
IANAL but write like a drunk one.
I think MS is going to die this way; read the history books and look for all the falling empires. But MS addiction is like drugs: you believe in something that is bad for your life. Mac? Toys, design snobs, expensive, bla, bla, bla. Linux? Crackers, illegal, etc... Whatever you try to tell the MS junkies, it's no use. Conversation between Joe and an ex-junkie. Ex-junkie: Do you know that MS has 5 ports open at the default installation, without the firewall enabled? Joe: What's a port? Joe, ports make you connect to the Internet. So what? Joe, let me check your computer, you have just reinstalled with a network, right? Seems that you've been cracked, Joe. Joe: But I was only 40 seconds online! Joe, buy a Mac! Joe: Expensive. Go online banking, Joe, and tell me later if a Mac or Linux is expensive.....
We have had spammers attempting to send spam through relays, and flat out hacking attempts on some of our websites. Linux, FreeBSD, and OpenBSD are not 100% perfect, but we've yet to have anyone, to our knowledge, hack the OpenBSD box.
We are a small business, but we know that running Macs has saved us a lot in time and effort since we typically are not targeted by worms and viruses. And the Macs are pretty damn stable too. Sure we spent 30% more upfront, but I am willing to bet we've recovered that money by not having downtime due to problems with Windows.
"The problem with socialism is eventually you run out of other people's money" - Thatcher.
If they didn't insist on integrating all of their products so heavily into Windows then it wouldn't take them 6 months to work out if their new patch broke anything.
You have attempted to invoke Godwin's law deliberately. The thread will not end. <Evil Laugh>
You must be new here. The mods never had it.
I do not have a signature
Well, that's just a bunch of bullshit FUD...
I just installed win2k sp4 on a server 2 weeks ago, installed just fine, asks for a reboot, I reboot it, and poop.. bsod. So where the hell is all this damned testing you're talking about? Had the same problem with 4 machines about 5 months ago... MS doesn't test crap, they are lazy idiot coders who can't even make their own software work on their own OS (The latest release of MSN software has crashed at least 6 computers that I know of).
It's the main headline on the BBC World news. They even interviewed an employee from eEye.
ASN.1 squeezing bits? Encoding a boolean as THREE bytes is anything but "squeezing".
Given the enormous impact of patches in Windows (because of the size and diversity of its userbase), three months seems an almost reasonable amount of time for development and QA testing. The only thing that could be worse than getting a virus would be compounding the problem (or creating a new one) through a faulty "fix".
To NT4 only; it was an exploit already waiting on their other systems. I guess they can claim they were bringing NT 4 functionality in line with current products ;)
I was thinking of the immortal words of Socrates, who said: "I drank what?" - Chris Knight (Val Kilmer)- Real Genius
I can't find anything more specific about that ASN.1 vulnerability than 'an unchecked buffer'. Where don't they check? Tag decoding? Length decoding? Integer decoding? OID decoding? Constructed types?
:)
I have to check if I didn't make the same mistake in my implementation (didn't like the lber.h API). Sometimes it really PAYS OFF to 'reinvent the wheel'.
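A bounds-checked BER tag/length decoder, added here as an illustration (it is not eEye's, Microsoft's, or the poster's code, and says nothing about where the actual bug was); it shows the checks a decoder needs at each of the points the question above lists, plus the three-octet BOOLEAN encoding mentioned earlier in the thread. The sample encodings in the comments are constructed.

```c
#include <stddef.h>
#include <stdint.h>

/* Decoded BER identifier + length header (added example, not the page's code). */
typedef struct {
    uint8_t  tag_class;    /* bits 7-6 of the identifier octet */
    int      constructed;  /* bit 5 of the identifier octet */
    uint32_t tag_number;   /* low-tag-number form only (< 31) in this example */
    size_t   length;       /* declared content length in bytes */
    size_t   header_len;   /* bytes consumed by identifier + length octets */
} ber_tlv;

/* Returns 0 on success, -1 on malformed or truncated input. Every early
 * return below marks a point where an unchecked decoder would read past
 * the buffer or trust an attacker-supplied length. */
int ber_decode_tlv(const uint8_t *buf, size_t buflen, ber_tlv *out)
{
    size_t pos = 0;
    if (buflen < 2) return -1;                 /* need identifier + length octet */
    uint8_t id = buf[pos++];
    out->tag_class   = id >> 6;
    out->constructed = (id >> 5) & 1;
    out->tag_number  = id & 0x1f;
    if (out->tag_number == 0x1f) return -1;    /* high-tag-number form not handled */

    uint8_t l = buf[pos++];
    if (l < 0x80) {
        out->length = l;                        /* short form */
    } else if (l == 0x80) {
        return -1;                              /* indefinite length: reject (DER) */
    } else {
        size_t n = l & 0x7f;                    /* long form: n length octets follow */
        if (n > sizeof(size_t)) return -1;      /* would overflow the length field */
        if (n > buflen - pos) return -1;        /* length octets themselves truncated */
        size_t len = 0;
        for (size_t i = 0; i < n; i++) len = (len << 8) | buf[pos++];
        out->length = len;
    }
    out->header_len = pos;
    /* The check an "unchecked buffer" bug omits: declared length must fit. */
    if (out->length > buflen - pos) return -1;
    return 0;
}

/* BOOLEAN (tag 1): contents are exactly one octet, non-zero meaning TRUE.
 * The three-octet encoding 01 01 FF mentioned in the thread decodes to 1. */
int ber_decode_boolean(const uint8_t *buf, size_t buflen, int *value)
{
    ber_tlv t;
    if (ber_decode_tlv(buf, buflen, &t) != 0) return -1;
    if (t.tag_number != 1 || t.constructed || t.length != 1) return -1;
    *value = buf[t.header_len] != 0;
    return 0;
}

/* INTEGER (tag 2) into int32_t: reject lengths the fixed-size destination
 * cannot hold instead of copying however many bytes the header claims.
 * Constructed samples: 02 02 01 00 -> 256, 02 01 FF -> -1. */
int ber_decode_int32(const uint8_t *buf, size_t buflen, int32_t *value)
{
    ber_tlv t;
    if (ber_decode_tlv(buf, buflen, &t) != 0) return -1;
    if (t.tag_number != 2 || t.constructed || t.length == 0 || t.length > 4) return -1;
    const uint8_t *p = buf + t.header_len;
    uint32_t u = (p[0] & 0x80) ? 0xFFFFFFFFu : 0;   /* sign-extend two's complement */
    for (size_t i = 0; i < t.length; i++) u = (u << 8) | p[i];
    *value = (int32_t)u;
    return 0;
}
```

A header such as 01 05 FF, which claims five content bytes when only one follows, is rejected by the final length check rather than read past the end of the buffer.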
The Gimp falls short of a print shop's needs. For pretty much anyone else it is probably sufficient.
Just a Tuna in the Sea of Life
If Suzuki made a sort of eastern Samurai-styled laptop, it would have to run Windows to get that consistent always-crashing feel.
Can you even name that worm, I wonder?
I believe you're referring to the 'Morris Worm', released in November 1988. According to Wikipedia, the GAO estimates the damages were between $10M and $100M US dollars.
Whoops. I'm too bleary eyed this morning. He asked for a linux worm, and I read 'unix'. I think I'll have another cup of coffee.
Well, good for them.
It'll be a problem only for those companies WHEN Linux becomes more mainstream, and the GPL applications have become superior to their commercial products. Maybe then, they'll wish that they had supported alternative platforms like Linux.
Nothing stops Adobe from putting Photoshop on Linux - Except for Adobe. GPL has nothing to do with it. Lack of such an app on alternative operating systems have spawned FREE creations. GIMP and OpenOffice come to mind. Apache comes to mind. Several database systems come to mind. Mozilla/Firefox comes to mind.
See a pattern here? Almost all of the above applications are as good or better than the commercial alternatives. What will happen when these apps become the mainstream? Don't tell me that they won't, because a few already have.
It's your problem, and you need to be accountable for the damage that your idiocy/cost-cutting/brainfart causes, M$.
Few things are more humorous than that old self-righteous hubris. Because you're so upset, I'm sure the Powers That Be will get right on it.
The only people believing gimp is as good as photoshop are people who won't be doing professional graphics work anyway, and that's who photoshop targets.
Remember, photoshop costs more than $500. If you're not using it professionally, you simply can't afford it. The mac is still the default graphics design platform, with windows coming in second due to its huge desktop marketshare. Linux and graphics artists are like bananas and car tires. They make no sense together.
I'll tell you why because I work at such a company. The decision to use Microsoft products was made years ago (around 1997), and since then there has been so much ASP written, so much time put into MS-SQL stored procedures and infrastructure, so many internal processes and scripts that are custom-tailored to the Windows installations, that trying to take it all out and replace it with *nix would cost more time and money than the company can afford.
If you are still in school, or if you work in a small lab, or if you do ANYTHING except work in the real world, you probably think idiocy and stubbornness are the only things preventing the world from running *nix. At this company, and at many others I presume, at this point it makes more sense to pay a little more for the extra TCO of running and upgrading Windows than to try and rewrite the entire e-commerce website and change all internal processes. The bosses here aren't stupid - they know *nix is better, but if you even suggested the place should switch wholesale off Microsoft you'd get eye-rolling galore. It's a pipe dream.
The transition doesn't make business sense, even if the end result would.
Intercarve Networks, LLC
I know you're trolling, but it doesn't help to point out why this argument is wrong, since I've heard it said seriously too.
It is literally impossible for the gpl to stand in the way. Windows is licensed in a way that doesn't even give you access to the code, yet it has the most proprietary software of any platform. Linux, the platform, allows you to do the exact same things, but in addition it allows you to look at and modify the code. The gpl doesn't take away, it gives you more.
More importantly, if someone were to accidentally use gpl code in their closed source product, they would never, ever, have to release that product as open source. If they didn't agree to the gpl license in the first place, it expires, and regular copyright applies. Under regular copyright you either remove the offending software and code (and perhaps pay damages), or you negotiate a new license. Releasing the code is an option, but it basically amounts to negotiating a license (which happens to be the GPL license). Releasing the code is NEVER an obligation.
Isn't this just Yet Another Microsoft Security Hole? How is this news? Move along folks, nothing to see here....
Sometimes I wonder about the slashdot crowd (Okay, I wonder all the time). Don't we ever learn? Do we really expect a company with a financial incentive to release software prematurely to produce good code?
Wake up folks! This isn't news. This is business as usual for Microsoft. It shouldn't surprise us because, after all, this is the same Microsoft that successfully convinced the rest of the world that system crashes are a normal part of computer operation.
MS systems are buggy, crash-prone, and insecure. Don't act surprised, just deal with it.
The society for a thought-free internet welcomes you.
If a corporation could prove that they had an incident of someone exploiting this flaw and that M$ knew of the flaw, couldn't they sue the pants off of M$?
At least one can hope...
To stop any litigation against them for their own mistakes. They can't be held responsible for being lazy and incompetent.
> But according to eEye it affects all versions
> of NT, 2000 prior to SP3, and 98. Is eEye
> wrong or is Microsoft lying?
The eEye advisory only lists:
Systems Affected:
Microsoft Windows NT 4.0 (all versions)
Microsoft Windows 2000 (SP3 and earlier)
Microsoft Windows XP (all versions)
http://www.eeye.com/html/Research/Advisories/AD20040210.html
No mention of Win98.
I can't see any mention of Win98 for this advisory (or others that I looked at on eEye) although there are mentions of applications from Office97.
Where did you see Win98 being listed as affected?
The truth hurts, but the truth also heals.
It's this type of mentality that keeps people from using linux on the desktop, you know this, right?
"What you've been doing for years sucks, you need to support this new stuff, or else you're stupid". Software developers don't like that. Not to mention that linux is nowhere near ready for the world's desktop. Until it can do simple things like 3D graphics, or (for god's sake) cut and paste between different applications, without sacrificing a goat, it won't be ready.
But, you know why those problems still exist in linux? The mentality of "you're stupid, do it my way" even extends between developers of linux software.
Now, I agree, there is NO place for windows anymore in a server environment, save *only perhaps* two minor things, those being 1.) the extended functionality of exchange server, for companies who use outlook to manage dates and contacts, not just email, and 2.) streaming video, for which there are linux counterpart servers, but not for all windows streaming formats, and not that are as good.
But, for a desktop system? We as a community have to get over the biggest hurdle (GNU/Hurdle??) first. And that is ourselves.
We have to stop getting in our own way.
~Will
sig?
Amazing. This firm makes money from the fact that [$RANDOM_MS_PRODUCT] is so insecure
Isn't that what Symantec have been doing for ages?
Blender is a nice app, but it's no match for Maya. I tried both and I'm convinced that everyone who does will come to the same conclusion.
For example: Making a logo spin around in Blender is not much different from doing the same in other apps. Importing the postscript logo into Blender though, is simply *not* possible. Therefore, rotating a logo involves recreating it from scratch in Blender, which takes a lot of time and getting used to the Blender way of drawing...
So, you're saying that the basic build of the system is so inherently flawed that it takes their developers six months to sort the mess out? So, you're saying that there are far bigger problems with Microsoft's product quality than individual exploits? My GNU/Linux system does thousands of things out of the box. My Windows box has, as its most complex tool, a calculator. It took them 6 months to fix this CRITICAL flaw. I don't think I've ever waited more than a WEEK to have a fix for ANYTHING in the GNU/Linux system.
And, this helps your argument how? Microsoft's products are so basically flawed that even the developers can't figure out how they work together in a timely fashion. Great. Instills great confidence in me. Thanks for clearing all that up, I sure see how I was wrong now.
Alito: A vote for Alito is a punch in the eye to put that bitch back in her place!
...and no match for Lightwave too (that's what I use). In LW creating, importing and working with a logo is like a dream. For me :-) Tried Blender too - didn't like it.
"Do OSS developers fix and test every permutation of a platform in a day or two? Because that's what Microsoft has to do."
They don't _have_ to. If they released source for their product, they could specify the source changes, and allow individual system administrators determine for themselves if the patch fixed their specific permutation of the problem.
That's the nature of open-source. We have the freedom to fix things ourselves when _we_ feel it needs to be fixed based on _our_ specific business needs and _our_ specific configurations. I don't have to wait for an external entity to give an official blessing for "all" permutations.
Engineering and the Ultimate
This is your company's fault for making the stupid decision to get themselves locked-in with a single vendor. Smarter companies try to avoid being locked in, and hopefully will eventually put you out of business.
In the meantime, every time MS decides to raise their licensing prices, you have no choice but to bend over and take it.
[boss] Well, your performance was outstanding in 2004. Very good. I'm recommending you for only a 10% pay cut this year.
[bjtuna] Pay cut??? Why? You just said my performance was outstanding!
[boss] Sorry, but all the non-managerial workers are getting a pay cut this year. Microsoft forced us to upgrade to Licensing 7, which is going to cost us a lot of money, which of course had to be taken from someplace else. Just be glad your performance wasn't rated "adequate", in which case you'd get a 30% pay cut.
[bjtuna] What about you?
[boss] I'm getting a 10% raise. You don't think we managers would give ourselves a pay cut, do you?
[bjtuna] Maybe we should look into porting some of our apps to *nix to save on these licensing costs.
[boss] That's a pipe dream. It'd cost too much to rewrite all the ASP and MS-SQL stuff. It's easier and cheaper to just stick with MS, and cut everyone's salary.
The amount of testing that has to go into a change like this is immense. For example, if they release a patch for WinXP, they have to make sure it works with WinXP RTM, WinXP SP1, WinXP SP2, etc. Include testing for permutations of major server applications.
I can't believe you said that.
You are arguing that, because they release crappy software that needs so much patching, they are then excused from making timely bug fixes if those bug fixes MIGHT break the already existing crappy software?!?
Microsoft has to be accountable for making sure any change will work on millions of servers.
From their EULA:
Microsoft and its suppliers provide to you the SOFTWARE PRODUCT, and any (if any) support services relating to the SOFTWARE PRODUCT (Support Services) AS IS AND WITH ALL FAULTS; and Microsoft and its suppliers hereby disclaim with respect to the SOFTWARE PRODUCT and Support Services all warranties and conditions, whether express, implied or statutory, including, but not limited to, any (if any) warranties, duties or conditions of or related to: merchantability, fitness for a particular purpose, lack of viruses, accuracy or completeness of responses, results, workmanlike effort and lack of negligence. also there is no warranty, duty or condition of title, QUIET ENJOYMENT, QUIET POSSESSION, CORRESPONDENCE TO DESCRIPTION or non-infringement. The entire risk arising out of use or performance of the SOFTWARE PRODUCT AND ANY SUPPORT SERVICES remains with YOU.
To the maximum extent permitted by applicable law, in no event shall Microsoft or its suppliers be liable for any special, incidental, indirect, punitive or consequential damages whatsoever (including, but not limited to, damages for: loss of profits, loss of confidential or other information, business interruption, personal injury, loss of privacy, failure to meet any duty (including of good faith or of reasonable care), negligence, and any other pecuniary or other loss whatsoever) arising out of or in any way related to the use of or inability to use the SOFTWARE PRODUCT or the Support Services, or the provision of or failure to provide Support Services, or otherwise under or in connection with any provision of this EULA, even if Microsoft or any supplier has been advised of the possibility of such damages. (all emphasis added)
Looks to me like they CAN'T be held accountable FOR ANYTHING they or you do with or to the software.
Acts of massive stupidity are almost never covered by warranty. --me.
This is pretty typical rubbish out of the mouths of people who don't live in reality. Licensing is expensive, but not expensive enough to cause major cuts in other parts of the budget.
Is it my company's fault for not using *nix? Of course. I did know you were going to say that, and I couldn't pre-empt it enough in my original post because you said it anyway. But the company was not founded by technologists - it was founded by two guys in 1997 who wanted to sell stuff online and had a little coding experience.
I reiterate. At this point, it's too difficult to rewrite everything.
What was the alternative in 1997?
Unless you had millions for overpriced Sun or HP hardware, Windows was pretty much it.
Conformity is the jailer of freedom and enemy of growth. -JFK
The alternative is to avoid vendor lock-in at all times, regardless of the situation. When you see some language that ties you in to one vendor, don't use it.
I'm not a website guru, but back in '97, they had CGI, Perl, C/C++, etc. These are cross-platform standards, unlike ASP, VBscript, etc. Writing all the website code in these would have prevented being locked in to MS now.
There were two swastikas (one laying flat on a side, the other angled), and one Star of David symbol removed. This page has a "before" shot of what the font looked like:
http://www.byzantinecommunications.com/news/modules.php?name=News&file=article&sid=40
Apparently the Bookshelf Symbol 7 font is only present on systems where Office 2003 is installed.
Thanks for this info.
One of my bigger prospective clients is using IceWM, so I'll probably see if I can live with what that provides. I think the GUI enhancements I'm looking for are probably simple enough that any of the window managers would provide them. Ideally, I'll find that I've got enough resources in this box to support several different front ends, and I'll be able to move between them without much fuss-- but perhaps that is an unrealistic dream?
I am pretty certain that the get-apt structure in Debian will work better for me over the long haul than RPM or its descendants.
In any event, I'm finding the Linux experience is rejuvenating my enthusiasm for the work. I probably should have done this a long time ago, but it would have meant leaving a cushy situation in a Windows-only environment.
Please do us all (and especially me) a favor and travel back in time to 1997 so you can lecture my boss on why he should be thinking of avoiding vendor lock-in with regards to the scripting language of his soon-to-exist website, instead of funding, warehouse logistics, feasibility, market research, etc.
Fair enough. The main criticism against ASN.1 is really complexity, rather than tight-arsedness. The same goes for DCE-RPC. Barely any programs need a dozen different variations of arrays: a simple lispish list ought to be enough.
Your comment is inane to anyone who was involved in any way with the computer industry in 1997.
What was your alternative to Windows NT or 95-OSR1 in 1997? A $7000 Ultra 5 with Solaris 2.5.1 & CDE? Red Hat 5.2??? Netware?
Like it or not, a lot of people CHOSE Windows because a single vendor produced software that worked in a cost effective manner. Cheap x86 hardware and a well-integrated set of applications. Sun offered insanely expensive hardware with an obtuse GUI designed by committee for military contracts.
Today Linux is becoming a legitimate alternative -- a flexible & powerful operating system without hardware lock-in. But that choice was not available in 1997.
http://www.cs.umd.edu/~waa/pubs/CS-TR-4200.pdf
The abstract doesn't highlight the conclusions I mentioned. The key thing is that their curve fit depends only on the publication of an exploit. The body of the paper also mentions that most system intrusions happen well after the identification of the fix and the release of the patch (which we already knew, but they have numbers).
I was going to suggest IceWM as well, but I wasn't sure if you wanted the Windows type taskbar and start bar or not. IceWM is very lightweight and easy to modify through its config file (or icepref). I use it often when setting up underpowered machines for others.
Debian's apt is really nice, but while you still have Mandrake on the system you should read up about urpmi (Mandrake's command line utility for handling RPMs). It is very similar to apt-get, and has become a very mature product on its own. Too bad no other distro has picked up on it at all.
If you look under the hood in Mandrake, you may find that you don't need to move to Debian at all. I was contemplating a move to Debian before I found urpmi (and still use Debian on a lot of server-type machines, along with FreeBSD and NetBSD), but now I'm pretty happy with Mandrake on my client systems. People assume because it is user friendly it won't appeal to the power users, but there is a whole lot of stuff there for those who wish not to be point-and-click dependent. Not that I'd discourage you from trying Debian or Gentoo or anything else, but you might as well take a closer look at what you have first.
IceWM is very lightweight and easy to modify through its config file (or icepref). I use it often when setting up underpowered machines for others.
"Lightweight and easy"... excellent news! Just what I would like! Your other comments about Mandrake are appreciated. But I'm getting involved with a group who are developing a custom distro based on Debian, so I feel obligated to switch as soon as I've got enough Linux smarts to manage a Debian install. (I'll find out this weekend if I'm there yet). My experience as a clueless n00be with Mandrake has been favorable and there is much to like in the v9.2 package.
You can tell a music pirate is in denial when he always digresses to some "stealing != copyright violation" nit-picking.
You're a real moron, aren't you. For starters, I don't pirate music simply because everything I like is decades old and I already bought every CD I want before the RIAA had its merger with Hell.
Stealing is legally not equivalent to copyright violation. If you have a problem with that talk to your congressman.
Morally, it's not even in the same ballpark and you already know why.
Get your head out of your ass and improve the world by winning yourself a darwin award.
I hate to say this, but actually, I use photoshop on SuSE Linux 9, without ANY problems. Okay, it's only 7.01 (CS isn't supported yet), but take a look - www.codeweavers.com
Oh and I can run office too...but I haven't found a need to so far...
Bored? http://www.dodgybloke.co.uk
hahahahahahahahahahahaha... like I said, they're just in denial ;)
good for you and your reasons. really. give yourself a pat on the back. goooood boy.