Slashdot Mirror


Microsoft Sits on Security Flaw for Six Months

pmf writes "Yet another critical vulnerability affecting Windows 2000/XP/2003 has just been announced by eEye. It is worth noting that it took Microsoft over 6 months to fix it. The bug affects the ASN.1 library and is remotely exploitable through authentication subsystems (Kerberos, NTLMv2) and applications that make use of SSL certificates." The AP has an overview.

52 of 741 comments

  1. Love the poem... by jwthompson2 · · Score: 5, Funny

    U Can't Trust This
    By: MCSE Hammer

    Blaster did ya some harm
    We just say, hey, another worm
    But thank you, for trusting me
    To mind your site's security
    It's all good, when your server's downed
    Our dope PR will pass blame around
    Cuz it's known as such
    That this is some software, you can't trust

    I told ya Homeland
    U can't trust this
    Yeah that's why we're giving ya the code
    U can't trust this
    Check out eEye, man
    U can't trust this
    Yo let 'em bust more funky system
    U can't trust this

    Give 'em a string or recvfrom
    Like no sweat they got the keys to your kingdom
    Now ya know
    You talk about eEye, you're talking about holes
    Remote and tight
    Coders still sweating so someone better write
    A book to learn
    What it's gonna take in '04
    To earn some trust
    Legit, either secure or ya might as well quit

    That's the word because you know
    U can't trust this
    U can't trust this

    --
    Even if I knew that tomorrow the world would go to pieces, I would still plant my apple tree. -Martin Luther
    1. Re:Love the poem... by poot_rootbeer · · Score: 4, Funny

      U Can't Trust This

      Man, this cultural reference is even older than the security flaw they just fixed...

    2. Re:Love the poem... by tarquin_fim_bim · · Score: 4, Funny

      That would have been really funny 12 years ago.

      Wow. That would have been around about the last time Microsoft gave a shit about its customers. Surely only a coincidence?

    3. Re:Love the poem... by Anonymous Coward · · Score: 5, Funny

      That is an outrageous lie! Microsoft has NEVER given a shit about their customers!

    4. Re:Love the poem... by buckeyeguy · · Score: 4, Funny

      Geez, what's next? Baby Got Hacked?

      --
      I'd have a personalized plate on my car, but "toxic bachelor" won't fit into 7 letters.
    5. Re:Love the poem... by UFNinja · · Score: 5, Funny

      I like buggy code and I cannot lie
      You other hackers can't deny
      When a geek walks in with a laptop briefcase
      And Knoppix-STD in yo face
      You get sprung
      Wanna boot it up quick cuz you know BSoD's suck
      Look at the theme Gnome's wearin'
      I'm hooked and I can't stop starin'
      Oh Tuxy I wanna get with ya
      And take yo picture
      My MCSE tried to warn me
      But them hackin' tools make me so horny. . .

  2. Comment removed by account_deleted · · Score: 3, Funny

    Comment removed based on user account deletion

  3. Yawn... by Anonymous Coward · · Score: 5, Funny

    6 months? 2000's been out for 3 years! If it took them 2.5 years to find the bug, another half a year is no biggie.

  4. 6 months later, millions switch to Linux. by Adolph_Hitler · · Score: 4, Funny

    That's the result of Microsoft's terrible history on security. Please Mr. Gates, continue to help the Linux community thrive.

    --
    People don't exist to serve systems, systems exist to serve people.
  5. it took much more... by kyshtock · · Score: 5, Funny
    ... to kill the other security flaw... Windows 9x, that is.

    If you are a Microsoft fundamentalist karma blaster, I meant that in a good way...

    --
    Bite my shiny metal... oops... Nevermind!
    1. Re:it took much more... by kyshtock · · Score: 1, Funny
      5 minutes to remove a network cable? What's wrong with you???

      --
      Bite my shiny metal... oops... Nevermind!
  6. That's no bug! by ackthpt · · Score: 4, Funny
    "The bug affects ASN.1 library and is remotely exploitable through authentication subsystems (Kerberos, NTLMv2) and applications that make use of SSL certificates."

    That's no bug!

    That's Intellectual Property!

    "In other news: PanIP has filed suit claiming Microsoft's latest bug violates one or more of their patents."

    --
    A feeling of having made the same mistake before: Deja Foobar
  7. Re:ASN.1: same issues as in OpenSSL by sik0fewl · · Score: 4, Funny

    I dunno, hard to say. But you'd think if Microsoft would go so far as to copy the code they'd be smart enough to copy the patch, too, instead of sitting on it for six months :-)

    --
    I remember when legal used to mean lawful, now it means some kind of loophole. - Leo Kessler
  8. Better late than never... by ForestGrump · · Score: 1, Funny

    subject says all.

    -Grump

    --
    Is it true that more people vote for the winner of American Idol, than vote for the president? -Ali G.
  9. In related news ... by BabyDave · · Score: 5, Funny

    A flaw was found in AOL Instant Messenger relating to the A/S/L library.

  10. Re:Windows NT / 2000? by girgit · · Score: 5, Funny

    When was Windows NT released again?

    Most recently, Windows NT was released again as Windows Server 2003. Before that it was released again as Windows XP and before that by the loveable name of W2K.
    Hmmm. You asked when. Sorry, I don't know the dates.

  11. Re:Alert the media... by andih8u · · Score: 5, Funny

    Why would they want to report on a computer flaw that could affect millions when they could be filling us in on the latest happenings of the Jayson Blair, Kobe Bryant, Scott Peterson, and Martha Stewart trials; plus news on what Janet Jackson's nipple is up to today.

    --
    slashdot, news for crazed liberal socialist zealots
  12. Super Double Critical? by Saeed+al-Sahaf · · Score: 4, Funny
    From the story: "Microsoft, which learned about the flaws more than six months ago from researchers, said the only protective solution was to apply a repairing patch it offered on its Web site. It assessed the threat to computer users as "critical," its highest rating."

    So, if they fix a security flaw sooner than six months, what status does that get? Super Double Critical?

    --
    "Who are in control, they are not in control of anything - they don't even control themselves!" - Glenn Beck
    1. Re:Super Double Critical? by Brent+Nordquist · · Score: 3, Funny
      So, if they fix a security flaw sooner than six months,

      Hypothetically, you mean?

      --
      Brent J. Nordquist N0BJN
  13. Sad state of affairs by glpierce · · Score: 4, Funny

    Sadly, I think that a file called "This_is_a_virus_-_do_not_open.exe" would be just as effective as any other.

    --
    G
  14. They finally released Longhorn? by Anonymous Coward · · Score: 1, Funny

    It's about time!

  15. Re:THIS IS NOT NEWS!!!! by musikit · · Score: 2, Funny

    If it was released without bugs or security flaws, how would the product ever get into the news?

  16. To really bring attention to this.... by FerretFrottage · · Score: 2, Funny

    just have Janet Jackson do a "half-time" concert at the next major Windows conference. The promoters may even get Ballmer to play the part of Timberlake.

    --
    "Look Lois, the two symbols of the Republican Party: an elephant, and a fat white guy who is threatened by change."
  17. Re:Note to crackers by Anonymous Coward · · Score: 2, Funny

    When they finally get laid. Which is to say... never.

  18. Poem for Bill by kyshtock · · Score: 1, Funny

    Windows is bad,
    Microsoft's blue,
    Security flaws suck
    And so do you.
    Signed: Clippy

    --
    Bite my shiny metal... oops... Nevermind!
  19. Re:Say it ain't so... by gid13 · · Score: 5, Funny

    Okay, so this is the least relevant post in the history of mankind, but tell me "vis-a-vis" wouldn't be the best word EVER for ebonics:

    "A prime exampizzle of racizzle can be seen vis-a-vizzle the ethnizzlicity of the indigenizzle pizzles of South Afrizzle."

    Well, that does it for me, karma be damned.

  20. U Can't Root This by Anonymous Coward · · Score: 5, Funny

    U Can't Root This
    By: MC GNU/Hammer

    Linux did ya some harm
    We just say, hey, an open sore
    But thank you, for rooting me
    To mind your site's security
    It's all good, when your server's downed
    Our dope coders will run GNU debug
    Cuz it's known as such
    That this is some software, you can't root

    I told ya script kiddie
    U can't root this
    Yeah that's why we're giving ya the code
    U can't root this
    Check out Torvalds, man
    U can't root this
    Yo let 'em bust more funky grep
    U can't root this

    Give 'em a bash prompt or C code
    Like no sweat they got the salts for your hash
    Now ya know
    You talk about Stallman, you're talking ideology
    GNU's not Linux, it's GNU/Linux
    Coders still sweating so someone better write
    A patch for this
    What it's gonna take in '04
    To earn some root
    Legit, either secure or ya might as well quit

    That's the word because you know
    U can't root this
    U can't root this

  21. They did it on purpose to abuse your computer by LoveOO · · Score: 2, Funny

    I think this was not a flaw but a design to enable MS to spy on your computer, introduce problems, etc. from central servers of their own in order to get you to upgrade, buy more software etc. and to give them a competitive advantage. When somebody discovered it, it took them six months to figure out how to maintain this and not be discovered for another ?? years. That is what the patch truly does.

    --
    Gungah dah lungha.... So I've got that going for me.
  22. Re:Note to crackers by pyros · · Score: 3, Funny

    kettle: pot, you're black.

  23. Re:ASN.1: same issues as in OpenSSL by koh · · Score: 2, Funny

    But you'd think if Microsoft would go so far as to copy the code they'd be smart enough to copy the patch, too, instead of sitting on it for six months

    You don't need to be that smart to copy someone else's code, and that may be the problem.

    --
    Karma cannot be described by words alone.
  24. Re:MyDoom by Theatetus · · Score: 2, Funny

    None, other than the Stupid User Who Runs Untrusted Executable Files vulnerability, for which the only patch is a baseball bat.

    --
    All's true that is mistrusted
  25. Re:The Rest of the Update - Remove Unacceptable Sy by niall2 · · Score: 2, Funny

    Not Janet Jackson's breast again! Damn you Viacom.

    --
    Today is a gift. Save the receipt.
  26. Re:Note to crackers by Mod+Me+God · · Score: 2, Funny

    It was an ironic comment, couldn't you see that? I remember the mag PCW used the term M$ way back in '94 and it was old then.

    --
    FreeNET user? Comfortable with the adverse selection?
  27. Re:Alert the media... by kfg · · Score: 2, Funny

    Just because you're paranoid, doesn't mean they're not after you - Kurt Cobain quoting Woody Allen.

    Any minute now SCO is going to claim that they own Woody's IP and sue Kurt. When informed that Kurt is dead they'll claim IP rights to suicide technology, double their claim and add Dr. Kevorkian to their suit.

    When they hear of this exploit they'll blame it on Linux terrorists, point and shout "Look, Janet's nipple!" and then run the other way when everyone looks.

    KFG

  28. Other Governments. by DAldredge · · Score: 1, Funny

    Thank God that no other governments have the source code to Windows! Because if they did then they could have found this bug first and used it to steal US Government secrets! I guess MSFT was right when they said revealing the Windows codebase would put the security of the USA at risk!!!

    Oh, wait...

  29. No, I'm New Here by New+Here · · Score: 0, Funny

    No, I'm New Here

  30. Re:Note to crackers by sqlrob · · Score: 2, Funny

    Oracle's open source? That's news to me.

  31. Re:Note to crackers by happyfrogcow · · Score: 2, Funny

    The GPL is the reason why you Lunix kiddies don't have Photoshop, MS Office, and games

    Yes, the "viral" GPL sure has made Neverwinter Nights become licensed under the GPL now, hasn't it.

    troll.

  32. Re:Note to crackers by somekindofuniguy · · Score: 3, Funny

    profeccional
    Like a spelling checker, you mean?

  33. Re:Note to crackers by inode_buddha · · Score: 2, Funny
    Wonder of wonders, an AC actually used "affecting" correctly, and I'm responding...

    /me weeps for this world... (tolerant non-kiddie)

    --
    C|N>K
  34. Re:Note to crackers by zulux · · Score: 5, Funny

    Like a spelling checker, you mean?

    I don't need a spellchecker on Slashdot.

    I just wait for a tool like you do it for me.

    --
    Moneyed corporations, non-working 'poor' and criminal prisoners are turning productive citizens into tax-slaves.

  35. stuff by Tom · · Score: 4, Funny

    I guess this is in the "Stuff that matters" category then, since it certainly isn't "News" by any stretch of imagination.

    --
    Assorted stuff I do sometimes: Lemuria.org
  36. Re:Alert the media... by AnonymousNoMore · · Score: 5, Funny

    You forget that the U.S. was founded by people who left Europe to find a level of self imposed repression not available to them in the old world.

  37. Re:Note to crackers by jrockway · · Score: 4, Funny

    A professional tool like Windows? You may want to think that, but every day there's a new Windows virus that almost brings down the internet. That's not professional. That's stupid.

    Now, if M$ decided to patch vulnerabilities like OSS does (there are lots of exploits in OSS software, but they're usually fixed in an hour), then they would be professional. But they sit on the knowledge and litigate against people that tell them there are problems. That's not professional. That's nazi.

    --
    My other car is first.
  38. Re:Note to crackers by Le+Marteau · · Score: 3, Funny

    How long will it take LUNIX kids to stop using infantile terms like M$

    Never, as long as it continues to piss dweebs like you off.

    --
    Mod down people who tell people how to mod in their sigs
  39. Re:Alert the media... by Anonymous Coward · · Score: 1, Funny

    Surprising, as both men and women have nipples.

  40. Re:Alert the media... by Dirtside · · Score: 2, Funny

    Another version: The U.S. was founded by people so staid and uptight that England threw them out.

    --
    "Destroy science and religion. Science would re-emerge exactly the same; but not religion." - Penn Jillette, paraphrased
  41. i've got yer competition right here by d34thm0nk3y · · Score: 2, Funny

    The Master Control Program has chosen you to serve your system on the game grid.

  42. Why? by Warhaven · · Score: 4, Funny

    These kinds of companies and organizations are somewhat of an interest to me, in that they resemble Battered Wife syndrome.

    Here they are, putting all their effort into helping fix MS's products to make the software work better, only to get brushed off and ignored for six months. Then they go and complain about how horrible of a company MS is and how horrible the software is.

    Two weeks later, they're at it again, trying to help solve MS's problems, and will yet again be brushed off and ignored. They'll complain and rant, and in another month when the next vulnerability is discovered, they'll be back at MS's side again trying to fix it. Repeat...

    Why bother investing the time and money into a company that doesn't care? If you're going to be putting in the effort, go with something like Linux where you aren't ignored, can apply the patching yourself, release the patch, and say, "Hey, we fixed the problem. Here's the patch everyone," instead of groveling at MS's feet and trying to convince the company that they should not give every 3rd-rate script kiddie admin access.

  43. Re:More to come... by Anonymous Coward · · Score: 2, Funny

    In the time it took you to whine about the non-link you could have copy and pasted the text into your browser.

  44. Re:Note to crackers by Frankensloot · · Score: 4, Funny
    by the way, the Gimp is AS GOOD AS PHOTOSHOP
    That's utterly retarded. I found your statement so strikingly indicative of a delusional and/or willfully ignorant state of mind, in fact, that I could not help but allow the hint of a smirk to break across my otherwise stony face. I have created this account, Frankensloot, for the express purpose of stalking you as you post comments in the future and pointing out all the idiotic things you are sure to say. My hope is that I shall gain some modicum of amusement from your continued displays of foolishness.

    Upon encountering your ridiculous assertion that "the Gimp is AS GOOD AS PHOTOSHOP," some souls, less driven, might merely shake their heads, titter nervously, and walk away. I am not that sort of man, and I am not prepared to let your stupidity fade away unnoticed.

    Cheerio.
  45. Re:Note to crackers by Grishnakh · · Score: 2, Funny

    This is your company's fault for making the stupid decision to get themselves locked-in with a single vendor. Smarter companies try to avoid being locked in, and hopefully will eventually put you out of business.

    In the meantime, every time MS decides to raise their licensing prices, you have no choice but to bend over and take it.

    [boss] Well, your performance was outstanding in 2004. Very good. I'm recommending you for only a 10% pay cut this year.

    [bjtuna] Pay cut??? Why? You just said my performance was outstanding!

    [boss] Sorry, but all the non-managerial workers are getting a pay cut this year. Microsoft forced us to upgrade to Licensing 7, which is going to cost us a lot of money, which of course had to be taken from someplace else. Just be glad your performance wasn't rated "adequate", in which case you'd get a 30% pay cut.

    [bjtuna] What about you?

    [boss] I'm getting a 10% raise. You don't think we managers would give ourselves a pay cut, do you?

    [bjtuna] Maybe we should look into porting some of our apps to *nix to save on these licensing costs.

    [boss] That's a pipe dream. It'd cost too much to rewrite all the ASP and MS-SQL stuff. It's easier and cheaper to just stick with MS, and cut everyone's salary.