Slashdot Mirror


Microsoft Sits on Security Flaw for Six Months

pmf writes "Yet another critical vulnerability affecting Windows 2000/XP/2003 has just been announced by eEye. It is worth noting that it took Microsoft over 6 months to fix it. The bug affects the ASN.1 library and is remotely exploitable through authentication subsystems (Kerberos, NTLMv2) and applications that make use of SSL certificates." The AP has an overview.

76 of 741 comments

  1. Say it ain't so... by Soko · · Score: 3, Insightful

    "ASN.1 is really an extremely deep...technology in Windows itself," he said. "This investigation required us to evaluate several different aspects. This is an instance where we really had to do our due diligence."

    Name me an instance where "really doing due diligence" vis-a-vis security is an option, like this guy makes it sound. Just one.

    Please tell me Microsoft is not as inept as this. Please?

    Soko

    --
    "Depression is merely anger without enthusiasm." - Anonymous
    1. Re:Say it ain't so... by IamTheRealMike · · Score: 4, Insightful

      Well, Microsoft always claim that the reason it takes them so long to get security fixes out is because they have to QA it, make sure they don't break apps etc - but I really don't understand this. It's a buffer overrun. Change the code to calculate the size then use dynamically allocated memory and it's fixed, right? Worst case, put bounds checking in there. How on earth could this possibly even affect public API? How could this cause regressions in apps? If there are apps out there that break because of security fixes like this, why should we care? Isn't the security of millions more important than those crack-ridden apps?

    2. Re:Say it ain't so... by Anonymous Coward · · Score: 1, Insightful

      Isn't the security of millions more important than those crack-ridden apps?

      Not when those crack-ridden apps are most likely written by Microsoft!

  2. Moderation? by MiniMike · · Score: 0, Insightful

    I bet there are moderators who would label this whole story as flamebait...

    1. Re:Moderation? by peterprior · · Score: 2, Insightful

      Then that would be silly. Surely posting this story is one of the better ways to alert thousands of geeks that they need to patch their servers / machines to fix a critical flaw.

  3. And this is better than open source... how? by Musashi+Miyamoto · · Score: 1, Insightful

    Of course, with some open source projects, if there is a bug or security flaw, not only does the problem not get fixed, there isn't anyone there to fix it!

    There are a number of open source projects that are no longer being maintained, but are in fairly wide use. At least with Microsoft, there is someone there saying "yea, yea... I'll get to it!"

    True, anyone has the ability to fix the problem, but most of the time the user is not necessarily a developer or admin. And if someone out there DOES fix the problem, there isn't necessarily a central place to post the fix.

    Maybe it is a flaw that the open source community can collectively fix.

    1. Re:And this is better than open source... how? by glop · · Score: 2, Insightful

      >Maybe it is a flaw that the open source community can collectively fix.

      That is a flaw that you can fix for yourself. Just use software that you can maintain yourself or that is very well supported (e.g. gcc, openssl, openssh, Apache etc.)

      As you see, going with high-profile projects is "safer" just as it is "safer" to go with high-profile vendors like IBM or Microsoft.

      But of course, none of these solutions is perfectly safe ;-)

    2. Re:And this is better than open source... how? by Musashi+Miyamoto · · Score: 2, Insightful

      Of course, with some open source projects, if there is a bug or security flaw, not only does the problem not get fixed, there isn't anyone there to fix it!

      There are a number of open source projects that are no longer being maintained, but are in fairly wide use. At least with Microsoft, there is someone there saying "yea, yea... I'll get to it!"

      True, anyone has the ability to fix the problem, but most of the time the user is not necessarily a developer or admin. And if someone out there DOES fix the problem, there isn't necessarily a central place to post the fix.

      Maybe it is a flaw that the open source community can collectively fix.

      Why was that message moderated down? (Oh yea, this is slashdot) Don't moderate it down just because you don't agree with it. It is a legitimate problem with open-source! Slashdot is best when it is a level-headed forum for reasoned argument, not a one-sided diatribe against all things capitalist.

    3. Re:And this is better than open source... how? by 00420 · · Score: 5, Insightful

      Your post seems like FUD to me. Now I'm no expert, so I could be wrong, but are there not several proprietary programs that are no longer supported? The key difference of course being that with a non-supported proprietary app you have no chance of getting support. With OSS you could get the source code and either learn programming or hire a programmer to add support for you.

  4. quote by Feyr · · Score: 5, Insightful

    didn't The Gates himself say not so long ago that they were "as fast or faster" than open source in fixing security flaws?

    i don't have the quote on hand though...

  5. Re:Windows NT / 2000? by Anonymous Coward · · Score: 2, Insightful

    Last year, a sendmail bug was found that had been in the code for over 10 years. Does that mean sendmail was sitting on it for 10 years?

  6. Re:Windows NT / 2000? by donnyspi · · Score: 3, Insightful

    They were only sitting on it for the time they *knew* about it! Doesn't matter when NT came out if they only discovered it 6 months ago........

  7. Re:ASN.1: same issues as in OpenSSL by ivan37 · · Score: 2, Insightful

    Wow - two more bugs that have been overdue for over 3 months. That's really nice to know that there are 300 million computers with gaping holes just waiting to be found...

  8. Re:MyDoom by GigsVT · · Score: 2, Insightful

    There's an overflow in the stupidity of the users, who are willing to unzip and run unexpected EXE files from strangers.

    Seriously.

    --
    I've had enough abrasive sigs. Kittens are cute and fuzzy.
  9. AP article starts with... by lamont116 · · Score: 5, Insightful

    "Microsoft Corp. warned customers Tuesday about unusually serious security problems with its Windows software that could let hackers quietly break into their computers to steal files, delete data or eavesdrop on sensitive information." What "usually serious"? Code Red? Nimda?

    Also, Microsoft's own document on "Trustworthy Computing" (warning: MS Word format!) establishes as a goal that "[t]he company is open in its dealings with customers. Its motives are clear, it keeps its word, and customers know where they stand in a transaction or interaction with the company." I suppose that waiting six months before fixing this "unusually serious" problem somehow satisfies that criterion?

  10. Proof that publishing the fix enables crackers? by Yankovic · · Score: 2, Insightful

    So this is very interesting, in that it's the first time that a critical flaw has taken six months to fix that the alert about the fix ALSO was delayed for six months. Yet in that time, we have not seen any significant uptick in these types of exploits, and there do not appear to be any worms like this in the wild.

    Does this verify MS's supposition that delayed publication = fewer exploits?

    1. Re:Proof that publishing the fix enables crackers? by LostCluster · · Score: 4, Insightful

      Yep. It's clear. If there's no public discussion of a flaw, the likelihood of an exploit is lower because the would-be hacker has to discover the flaw on their own.

      Some of the worst viruses have come from already-patched flaws that users have just neglected to apply said patch.

    2. Re:Proof that publishing the fix enables crackers? by theLOUDroom · · Score: 2, Insightful

      Yep. It's clear. If there's no public discussion of a flaw, the likelihood of an exploit is lower because the would-be hacker has to discover the flaw on their own.

      Actually it's not clear.

      Assuming a flaw is actually going to be fixed someday, you have to consider both the time it takes for the flaw to get fixed and the chance that someone else will find it. If disclosing the vulnerability is going to get it fixed in a week instead of six months, there is a lot less time for it to be exploited. It also requires making the idiotic assumption that no one could ever just SHUT DOWN THE SERVICE UNTIL THE FLAW IS FIXED.

      This is the way it SHOULD work:
      1. I discover a flaw.
      2. I publicly disclose it.
      3. Systems vulnerable to exploitation are shut down.
      4. A fix is published.
      5. Systems are brought back up.

      That is how you minimize the chance of your system being exploited, not by acting out "The Emperor Wears No Clothes."

      As an added bonus of this system, consumers get to see who really is serious about security. They get to objectively evaluate vendors based on number and seriousness of flaws and the time it took to fix them.

      --
      Life is too short to proofread.
    3. Re:Proof that publishing the fix enables crackers? by Yankovic · · Score: 2, Insightful

      The problem is that, in publishing the flaw, the number of people who now have understanding on how to write an exploit against it are much higher. Maybe if you published something about a flaw in a given service and just told everyone to shut down that service due to the flaw until the fix was out. But that seems unlikely.

      It's not the emperor wears no clothes, it's more like a: you don't even KNOW the emperor has no clothes and b: waiting to say the emperor has no clothes until you have a jacket for him to wear.

      The particular problem here is that there are no services specifically that you can shut down... it affects everything that accesses CRYPT32.dll

    4. Re:Proof that publishing the fix enables crackers? by Mike+Hawk · · Score: 2, Insightful

      If I find the locks on your house can be opened with ANY key, I'm going to tell you, not your locksmith (who will then fix them some day when he gets around to it.)

      Actually, feel free to tell me AND my locksmith (he installed the lock so he could already get in anyway), but could you please not tell the whole city? That's what publishing the flaw publicly does. Perhaps you do not mean what your own analogy implies?

  11. Six Months! by Goo.cc · · Score: 4, Insightful

    So for six months, people are left out there running software with a known security problem while Microsoft suppresses the information and spreads FUD about how Linux/Open Source security responsiveness is poorer than Microsoft's? What a crock of shit.

  12. heap overflow? by akad0nric0 · · Score: 5, Insightful

    A very big deal is going to be made about this. Feel free to correct me (or mod me down) if I'm wrong, BUT:

    From my understanding, this is a heap overflow. Given the nature of the heap, I could see this resulting in a DoS condition, but what is the likelihood that a practical exploit can be developed, given that the heap generally contains data in random locations?

    --
    akad0nric0

    This sentence no verb.
    1. Re:heap overflow? by BillyBlaze · · Score: 4, Insightful

      The AP article mentioned that "eEye had successfully tested the method to break into its own computers." So the probability that it's possible is 1.

  13. Re:Note to crackers by Anonymous Coward · · Score: 0, Insightful

    How long will it take LUNIX kids to stop using infantile terms like M$ and stop affecting empty faux-superiority?

  14. Service Packs by truthsearch · · Score: 4, Insightful

    Microsoft was notified 6 months ago. Either they didn't know about it before that or they didn't disclose that they did. The bug may have existed for 10 years, but they supposedly sat on it for 6 months. Actually, since it affects all versions of NT and 2000 before service pack 3 it could have existed since about 1985.

  15. Is this the worst news report on Microsoft bugs? by zero-one · · Score: 2, Insightful

    The BBC published this report on Microsoft security problems. Somehow, the person who wrote this managed to write a whole article without including any information on what the bug actually was.

    In short form it reads: there was a security flaw, it is bad, actually it was really bad, maybe the worst ever, and it is a security flaw.

  16. Re:Wait a minute... by the_mad_poster · · Score: 4, Insightful

    OSS doesn't HAVE to fix it immediately. The community and/or developers DO fix it immediately because, unlike Microsoft, they care about writing good code and having some respect. All Microsoft as an entity gives a crap about is money. It's easier to just stick a fork in the consumer's eye than fix problems, so that's what they do. They don't care what anyone thinks of them for it because they're the status quo which keeps morons who buy a new PC every 5 weeks buying Microsoft's tired old garbage.

    That's the difference - Good OSS projects care about writing good code which is how they get recognized as good OSS projects. Microsoft doesn't care about having any respect, it just wants money.

    --
    Alito: A vote for Alito is a punch in the eye to put that bitch back in her place!
  17. It is not just MS by WindBourne · · Score: 5, Insightful

    I used to work at HP Ft. Collins in the early 90's. At that time, there was a major hole in the network code that was going to take about 6 man-months to fix. The local management decided to not fix it as it was decided that few knew about it and it would not be a problem. I would suspect that every major company does the same thinking; MS, Apple, Sun, SGI, IBM, etc.

    I have no doubt that all these companies do care a bit more due to the pressure being brought, but it will still be a decision similar to what Ford did with Pinto and who it was did the tires that exploded. If it costs money to fix, but nobody will see it, who cares.

    That is one of the advantages of OSS as everything is in the open. Have to fix it or will suffer big.

    --
    I prefer the "u" in honour as it seems to be missing these days.
  18. Microsoft needs to learn by not_bio · · Score: 2, Insightful

    Bugs do come up in almost every software and OS, with some of these being critical. Waiting 6 months to announce a problem that was identified by some 3rd party (or anyone) is unacceptable. They now have adopted the script-kiddie standard. They will not announce a flaw until either they know for sure the patch will fix it, or it will come out before every script kiddie can get their little hands on a prebuilt exploit. During the last 6 months, or longer, many companies and governments with priceless data could have been exploited. IMO, it is ignorant to think that only security companies and casual hackers are out to find exploits. It really is the unpublished ones that are the most dangerous. I am assuming that this exploit has affected XP since day 1. That is a long time for say a real pirate group or a hostile government to discover it and launch very selective attacks on specific target entities. The media tends to forget about just unplugging the machine with the sensitive data as a viable (even if temporary) security solution. For the last 6 months, MS has knowingly put many in danger by not revealing to them that their systems had a serious exploit. It will probably never be known if this exploit has been used yet. Just because I cannot google and get info on it or dl a prebuilt binary does not mean that it has not been used.

  19. Re:MyDoom by jrockway · · Score: 3, Insightful

    This is going off-topic, but is MyDoom really illegal then? If I send you a legitimate program, it's legal. So shouldn't the USER be held liable for attacks this time? It's entirely their fault. (If I run while /bin/true; do wget sco.com & done; that's MY fault. How is MyDoom any different*?)

    * The user doesn't know what happens. But so what. I didn't know that firing a gun at your head would kill you.

    --
    My other car is first.
  20. Re:Well, of course by Anonymous Coward · · Score: 2, Insightful

    That's not true at all. Users *use* a particular distribution (or OS for the BSD's). They look to that particular distribution for the patch.

    The major distributions have been *very* speedy to release patches through their normal, established update channels.

    In short, I call FUD.

  21. Re:ASN.1: same issues as in OpenSSL by Anonymous Coward · · Score: 1, Insightful

    The corollary is the SCO theorem:

    Linux does not innovate code. Linux copies code.

  22. Millions switch to Linux: Not likely soon. by Saeed+al-Sahaf · · Score: 4, Insightful

    "That's the result of Microsoft's terrible history on security. Please Mr. Gates, continue to help the Linux community thrive."

    It would be great if this were only so, but it seems that there is one factor in corporate IT that overrules security, and that's an "enterprise" quality office suite and desktop, two things that seem to be moving quite slowly. Very few question Linux in the server market, but the PHPs will not give up Outlook and PowerPoint until there is a superior Linux analog.

    By the way, recall that Linus himself predicted the corporate desktop is still 10 years off.

    --
    "Who are in control, they are not in control of anything - they don't even control themselves!" - Glen Beck
    1. Re:Millions switch to Linux: Not likely soon. by jaavaaguru · · Score: 2, Insightful

      This is one huge step towards having what these people want, IMO. You can even have OpenOffice with the Plastik style of KDE 3.2. A great office suite, and a great desktop environment, merged. And they've even managed to get the look and feel of the two products integrated more closely than MS has with Office XP and Windows XP ;-)

  23. Re:Laugh now, but maybe not in a few years by WindBourne · · Score: 2, Insightful

    There is a runtime associated with these. It will also have bugs and openings. The question is will MS release often with the bug fixes. Based on their past and current record, how do you think that they will do?

    Do not get me wrong. OSS (including Linux) has its warts. But due to competition, it is kept up and at a quick rate.

    --
    I prefer the "u" in honour as it seems to be missing these days.
  24. The Rest of the Update - Remove Unacceptable Symbo by Nom+du+Keyboard · · Score: 4, Insightful
    Have you seen the other critical update they're trying to slip through with this one?

    This item updates the Bookshelf Symbol 7 font included in some Microsoft products. The font has been found to contain unacceptable symbols.

    Looks like someone slipped something through on Microsoft (certain to lose his/her job over this one) and put it just far enough in that it doesn't show when you double click the Bssym7.tt font file to preview its style. Leaves me wondering only two things:

    1: Is there more than 1 symbol in there that is considered "unacceptable"?
    2: Just why is this considered critical?

    --
    "It's the height of ridiculousness to say for those 9 lines you get hundreds of millions."
  25. Re:Note to crackers by the_mad_poster · · Score: 4, Insightful

    You people that insist on bashing *nix users for "faux-superiority" remind me of crazy people that bang their heads against the wall over and over even though it hurts. I mean, give me a fucking break. I'm not the one staring down the barrel of a vendor that takes 6 months to fix a critical vulnerability or has a standing history of just ignoring such things when possible.

    There's no "faux" superiority. There's nothing significant that Windows can do better than Linux in the back office anymore. Only a complete idiot would continue to use Windows systems for any mainstream services. With a few custom exceptions, there's just no room for Windows on a smart admin's server anymore, and Windows on the desktop will drop dead when vendors decide that Linux has reached critical mass and it's time to start porting commercial apps. We know it works. We know it works better than windows. It's not faux superiority. Windows just sucks and now people have a choice not to use it. Get over it. If you're dumb enough to keep exposing data and users through Microsoft's well-known, well-documented, ongoing negligence, that's YOUR problem. However, just because I don't have that problem, don't come getting all pissy with me.

    --
    Alito: A vote for Alito is a punch in the eye to put that bitch back in her place!
  26. Don't need a stinkin NSA key by Anonymous Coward · · Score: 1, Insightful

    When you build in security flaws, you don't need an NSA key to spy on foreign governments and businesses. You eliminate the discovery of the NSA key. But with open sourcery, other governments (read China) get to see the flaws as well. So it's time to fix them.

    And if you have a problem with my mentioning China, ask the IT security workers for the large financial firms in the US where direct cracking attacks are originating from.

  27. Re:My system's patched now by frodo+from+middle+ea · · Score: 4, Insightful

    Would you prefer to buy locks from a company whose locks previously had a flaw which enabled anyone with a hairpin to open the lock, although the company now claims all such flaws are now removed?

    Would you continue holding an account with a bank whose ATM machines were in fact totally neglecting PINs, even though no one actually tried it?

    I don't think the Microsoft bashers are saying that Microsoft makes crappy s/w and open source makes great s/w. But what they are saying is, despite making mistake after mistake, Microsoft is not accountable for any of its mistakes. Neither are large corporations or end users bothering to try alternatives, merely because of inertia.

    So what is the incentive for Microsoft to improve its security track record ?

    --
    for the last time people, I am "frodo from middle eaRTH", not "middle eaST".
  28. Re:My system's patched now by morcheeba · · Score: 5, Insightful

    So, you're happy that eeye - a company you don't have any relationship with - has had access to your computer for the last six months? And that's fine with your customers, too?

    Ok, what about someone else who found the hole independently? Or, what if someone has broken into eeye's systems and has been monitoring their email for a "heads up" on unreleased flaws (or the home computer of a microsoft security person)? Or someone at their ISP or on their cablemodem monitoring their email? You're happy to give all these people access to your computer, too, right? Compartmentalization is very hard to do outside a rigorous structure (like the NSA) which has very strict rules, procedures, and punishments to allow enforcement.

    A virus or worm that takes advantage of this flaw is only one indicator - people using the flaw for other purposes are probably not going to tell the world about it. The point is that it's impossible to tell if no harm has been done.

  29. Re:Wait a minute... by nvrrobx · · Score: 4, Insightful

    Now wait a minute here.

    Don't lump the actual developers at Microsoft in with management's decisions. You're implying that the developers do not want to do a good job or write good code. This is simply untrue, and I know that from personal experience.

    Just because management decided not to allow a developer to fix this bug six months ago, does not mean the developer does not want to! Blame management, don't blame the developers.

  30. Unix went through this adolescence 15 years ago by T-Ranger · · Score: 2, Insightful

    At the root of the problem is the mindset of the developers. In the Windows/MS world there is the underlying assumption that nothing bad will happen, attacks won't happen, so you don't need to harden your code to deal with it. This is not an explicit decision made; it's a non-decision based on ignorance.

    The Unix/OSS/internet communities once had the same mindset, the same ignorance. The assumption in 1980 on the internet was that everyone would play nice. This might have been true in 1980. The worms, viruses, DoS attacks happened. Much software was fixed, or scrapped. New software was developed with the assumption that it would be under attack.

    I'm not excusing MS - in fact far from it. These lessons have been learned. Solutions to the problem have been used. Methodologies for producing secure code are well documented.

  31. Re:No, you wait a minute... by w3svc_animal · · Score: 3, Insightful
    While you are certainly entitled to your own opinion and I'm sure there are some people here who will agree with you - I'm certain there are quite a few others who, like me, are tired of the bullshit rhetoric people like you spit out.

    Let's go over the facts here...Just a couple of bits from the article...(quoting AP)

    1. Researchers at eEye discovered the problems last July and agreed to keep quiet about them until Microsoft could fix them

    2. Microsoft took months because it wanted to ensure that a single repairing patch solved any related problems "We really took the steps to make sure our investigation was as broad and deep as possible," Stephen Toulouse, said.

    So far it sounds pretty bad, doesn't it?
    Maybe you can enlighten all of us as to how this delay has helped Microsoft's bottom line?
    Do you think people would have stopped buying their products had this been announced last July?
    Do you think people will stop buying their products now?

    Isn't it feasible, albeit a bit too long, that they actually took the time to correct the issue? Rather than throwing a 'fix' together to appease the shareholders, one might think the amount of time taken increases the chances that they did it right.

    --

    Error encountered in IAWebSig.clsSig.Create: Last Procedure: sPrc_Ins_tblSig

  32. It's so by mrjohnson · · Score: 2, Insightful

    And, yet they build more stuff in the OS:

    http://www.techworld.com/news/index.cfm?fuseaction=displaynews&NewsID=995

    "The more you can put in the core operating system the better." Yeah, they are that inept.

  33. Re:Wait a minute... by GoofyBoy · · Score: 1, Insightful

    There are good OSS projects and bad OSS projects. OSS is not about having to produce good code. The whole free beer/free speech thingy has nothing to do about quality of code.

    REPEAT: I can write the worst, most insecure "Hello World" program and still be an OSS project.

    You can talk about "Good OSS projects do this" but then that's like saying "Good hockey goaltenders have winning records".

    --
    The surprise isn't how often we make bad choices; the surprise is how seldom they defeat us.
  34. Re:Wait a minute... by Anonymous Coward · · Score: 5, Insightful
    There is enough blame to go around in these situations:
    • Blame the developer for creating the bug.
    • Blame QA for inadequate testing.
    • Blame management for not accepting responsibility and getting it fixed ASAP.
    • Blame marketing and account reps who don't recognize this will hurt sales.
    • Then, when you're almost done, blame the developers again for their lack of pride to not demand the right to fix their code.
    Just because you find someone to blame does not make everyone else on the team blameless.
  35. Re:Note to crackers by Fancia · · Score: 5, Insightful

    How can software companies port their apps when the viral GPL stands in the way? The GPL is the reason why you Lunix kiddies don't have Photoshop, MS Office, and games. If you'd stop sucking Richard Stallman's cock and *think* for yourself once in your life, you'd realize why your OS is unsupported.

    Which is why there's already closed-source commercial software for Linux, right? The GPL doesn't keep developers from making closed-source software for Linux.

    --
    To beat, to kill, just because I am a fox!
  36. Six months! by BillyBlaze · · Score: 2, Insightful
    Why did it take so long?

    "Toulouse said Microsoft took months because it wanted to ensure that a single repairing patch solved any related problems." So they wanted to fix each of many related vulnerabilities and release the patch as one. Because releasing several patches is worse PR than releasing just one, I think.

    "(As an aside, it's interesting to note that this vulnerability was silently fixed in Windows 2000 SP4 and Windows Server 2003, due to an additional comparison being included in ASN1BERDecCheck().)" Not only did Microsoft know about the bug for six months, they also knew how to fix it. And they did so, silently, for other products.

    Finally, if they've sat on it for six months, why is it being released now? The article mentions several upcoming meetings that make this a very bad time, PR-wise. Could it be that they were aware of exploits in the wild starting recently? If so, would we ever know?
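Both IamTheRealMike's suggested fix earlier in the thread (calculate the size, then bounds-check it or allocate dynamically) and the "additional comparison" in ASN1BERDecCheck() quoted in this comment come down to one thing: checking a BER length field against the bytes actually present before it is used to size a copy. The following C is an added illustration of that check, not code from Microsoft's ASN.1 library, from eEye, or from any poster here; the function and sample names are invented and the sample byte strings are constructed for this example:

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
enum ber_status {           /* outcome of validating one BER TLV header */
    BER_OK = 0,
    BER_ERR_TRUNCATED,      /* header or claimed value runs past the input */
    BER_ERR_INDEFINITE,     /* 0x80 indefinite length is rejected outright */
    BER_ERR_LENGTH_FIELD    /* length-of-length too big, or non-minimal form */
};

/* Parsed header: tag octet, header size, and the validated value length. */
struct ber_tlv {
    uint8_t tag;
    size_t header_len;
    size_t value_len;
};

/* Decode the TLV header at buf[0..len) and refuse it unless the value it
 * claims actually fits in the remaining input. The final comparison is the
 * kind of check whose absence lets a short packet carrying an oversized length
 * drive a copy of value_len bytes past the end of a heap buffer. "out" may be
 * NULL when only the verdict is wanted. (Hypothetical name, not Microsoft's.) */
enum ber_status ber_check_tlv(const uint8_t *buf, size_t len, struct ber_tlv *out)
{
    if (len < 2)
        return BER_ERR_TRUNCATED;
    size_t pos = 1;
    uint8_t first = buf[pos++];
    size_t value_len;
    if (first < 0x80) {
        value_len = first;               /* short form: one octet, 0..127 */
    } else if (first == 0x80) {
        return BER_ERR_INDEFINITE;
    } else {
        size_t nbytes = first & 0x7f;    /* long form: count of length octets */
        if (nbytes > sizeof(size_t))
            return BER_ERR_LENGTH_FIELD; /* cannot even be represented */
        if (len - pos < nbytes)
            return BER_ERR_TRUNCATED;    /* the length octets themselves are missing */
        value_len = 0;
        for (size_t i = 0; i < nbytes; i++)
            value_len = (value_len << 8) | buf[pos++];
        /* Reject non-minimal encodings: a leading zero octet, or a value
         * small enough that the short form should have been used. */
        if (buf[2] == 0 || value_len < 0x80)
            return BER_ERR_LENGTH_FIELD;
    }
    if (value_len > len - pos)           /* the comparison that must never be missing */
        return BER_ERR_TRUNCATED;
    if (out != NULL) {
        out->tag = buf[0];
        out->header_len = pos;
        out->value_len = value_len;
    }
    return BER_OK;
}

/* Value length of the first TLV, or -1 if its header does not validate. */
long ber_value_len_of(const uint8_t *buf, size_t len)
{
    struct ber_tlv tlv;
    return ber_check_tlv(buf, len, &tlv) == BER_OK ? (long)tlv.value_len : -1;
}

/* Copy the first TLV's value into a buffer allocated from the *validated*
 * length ("calculate the size, then use dynamically allocated memory").
 * Returns NULL on any decoding error; the caller frees the result. */
uint8_t *ber_copy_value(const uint8_t *buf, size_t len, size_t *out_len)
{
    struct ber_tlv tlv;
    if (ber_check_tlv(buf, len, &tlv) != BER_OK)
        return NULL;
    uint8_t *value = malloc(tlv.value_len ? tlv.value_len : 1);
    if (value == NULL)
        return NULL;
    memcpy(value, buf + tlv.header_len, tlv.value_len);
    *out_len = tlv.value_len;
    return value;
}

/* Constructed sample inputs (made up for this example, not captured traffic). */
static const uint8_t SAMPLE_SHORT_OK[]    = { 0x04, 0x03, 'A', 'B', 'C' };
static const uint8_t SAMPLE_CLAIMS_16[]   = { 0x04, 0x10, 'A', 'B' };
static const uint8_t SAMPLE_CLAIMS_4GB[]  = { 0x04, 0x84, 0xff, 0xff, 0xff, 0xff };
static const uint8_t SAMPLE_NINE_OCTETS[] = { 0x04, 0x89 };
static const uint8_t SAMPLE_INDEFINITE[]  = { 0x30, 0x80, 0x00, 0x00 };
static const uint8_t SAMPLE_NON_MINIMAL[] = { 0x04, 0x81, 0x03, 'A', 'B', 'C' };

/* Valid long-form TLV (04 81 80 + 128 'A's): copy it and return the copied length, or -1. */
long demo_copy_long_form(void)
{
    uint8_t msg[3 + 128] = { 0x04, 0x81, 0x80 };
    memset(msg + 3, 'A', 128);
    size_t n = 0;
    uint8_t *v = ber_copy_value(msg, sizeof msg, &n);
    long result = (v != NULL && n == 128 && memcmp(v, msg + 3, 128) == 0) ? 128 : -1;
    free(v);
    return result;
}
```

The 0x84 ff ff ff ff sample decodes to a length of 4 GB and is stopped by the fit comparison, while the 0x89 sample is stopped earlier because nine length octets cannot fit a size_t on any common platform.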

  37. Re:Depressing thoughts by edxwelch · · Score: 4, Insightful

    Amazing. This firm makes money from the fact that IIS is so insecure; that's why they went to so much effort to look for these security holes in the first place. It's a good incentive for customers to buy their products when they see all those security holes out there just waiting for exploitation.

  38. Re:Wait a minute... by Lodragandraoidh · · Score: 3, Insightful

    It is not an issue of not wanting to do a good job. It is an issue of not being able to do a good job...either through lack of skill, lack of responsibility and ownership of the code, or lack of the intestinal fortitude to fight the good fight when management decides to do the slimy thing.

    I have no sympathy for the developers at Microsoft.

    --

    Lodragan Draoidh
    The more you explain it, the more I don't understand it. - Mark Twain
  39. Re:Wait a minute... by ChuyMatt · · Score: 2, Insightful

    Why do a good job when you can do a standard job and get great benefits, stock options which mature quickly, great pay, and feeling secure until you decide you have had enough and cash out, as a wealthy person. (Can you tell i lived near MS for a while?)

  40. Re:Wait a minute... by Geek+of+Tech · · Score: 5, Insightful

    All the developers at Microsoft very well may have a heart of gold, but by virtue of the fact that Microsoft is a business (no, it's not the government... yet...), they will naturally do whatever it is that brings in the most money to them and their shareholders (read "Bill"....). It may not be the best for the consumer, but they don't sell Windows for us. They sell it for them. (Not flamebait...)

    --
    Stop the Slashdot effect! Don't read the articles!
  41. Re:Wait a minute... by ChuyMatt · · Score: 3, Insightful

    And thus why MS sucks. Where is their true competition? Surprisingly, this whole OS situation is rather close to the RR situation which forced the anti-trust idea to arise.

    The way of business that you are talking about does not further the cause of the culture or industry. It is incestuous and unproductive. They just steal good ideas and overlap the functionality over what they previously had. Where is the innovation? Where is the adaptation? It is not like several species working to survive; they are more like a cancer devouring a body, taking over systems and spreading influence.

  42. Re:Note to crackers by Anonymous Coward · · Score: 2, Insightful

    How can software companies port their apps when the viral GPL stands in the way?

    The best short rejoinder to this illogic was composed by PJ of Groklaw right here:

    Groklaw is allowed to reproduce his paper in full, because first, he copyrighted it and then he granted everyone permission to reproduce it verbatim, provided his permission notice, his license you could say, is preserved.

    It's legal, because he, the author, has the right to forbid copies under copyright law or to relax the copyright restrictions. It's his property, so he gets to do what he likes with his own property.

    Now, I can reproduce it verbatim, but only if I follow his instructions, because it's not my property, even though I tacked on this paragraph ahead of it. His part is still his, and I can't argue that because I tacked on a paragraph of my own, I can release the combination under some terms of my own choosing or that I can revoke his permission to reproduce, because I want my paragraph under total copyright control with no relaxed terms. What he wrote is still his property, not mine. I can release my own paragraph any way I like separately, but if I release his paper with it, it stays under his chosen restrictions.

    You can reproduce it too, but only if you also follow his instructions, because it is still his property, even if you got it from me instead of directly from him.

    Anything hard about that concept? Unfair? Viral? Unconstitutional?

  43. Re:Wait a minute... by Anonymous Coward · · Score: 1, Insightful

    OSS is not about having to produce good code.

    Yes, it is. Open source software is about leveraging the bazaar model to improve software reliability and decrease cost.

    Perhaps you are talking about Free Software, which is an entirely different concept that revolves around users' rights.

  44. Re:Note to crackers by Anonymous Coward · · Score: 1, Insightful

    Faux-superiority?

    Name the last Linux worm that caused billions of dollars in damages?

    Yes, there has been at least one I can name. I don't remember it causing quite that much damage, though.

    Can you even name that worm, I wonder?

    Mind you, Linux does control most of the server market. And yes, it's not infallible in terms of security (even OpenBSD has occasional holes, and it probably has the best record). But Linux is good. Damn good. And we can fix it ourselves if we have to, in a way that's auditable, rather than guessing that maybe we really understand all the implications of our patch...

  45. Re:Note to crackers by oldgeezer1954 · · Score: 5, Insightful

    Now why do you presume it's kids....

    I'm far from a kid and use Linux in a work environment. We also use OS/390, VMS, and yes Win9/2k/XP.

    The "M$" has little to do with Linux. It has everything to do with M$ and its de facto monopoly, its penchant for sucking the cash cow, and showing that organization the respect it 'deserves'.

    And when will you windoze kiddies learn it's Linux and not Lunix, and that the GPL isn't viral (or we'd have Windows on GPL - see MS Services for Unix and in particular its GPL components), that proprietary (and paid for!) software can be purchased for it, and that it supports most hardware. We actually did better with Linux than with Win2K, driver wise, back when they were both new.

    On the issue... A six month turnaround? You must be kidding me! It was only a week ago Bill was, falsely, claiming a one day turnaround versus weeks for Linux (typically it's less than a day).

    Any Windows setup, mine included, was a potential target for abuse due to this. You have to trust M$ employees not to leak it, the finding company's employees not to leak it, and the black hat community not to find it.

    That is a ridiculous situation for any company to be in, and it's unsatisfactory performance for any software supplier, let alone one who tries to claim they're the best... M$ showed zero respect for the operations of your organization and zero respect to each and every individual customer by allowing them to face that risk without warning.

    I would never trust our critical business operations to Microsoft. They have repeatedly violated that trust.

  46. Re:Wait a minute... by fermion · · Score: 3, Insightful
    In all honesty, if you take this tack, it is hard to blame the management or anyone. These things take a life of their own and pretty soon everyone is just trying to keep the whole thing from self destructing.

    However, the programmers do often have the choice of writing good code or bad code. Since writing bad code is often easier than good code, and since few people know the difference, many will take the lazy way out and do a crummy job for the paycheck. Even in this case, since it is human nature to be lazy, one can only blame the process for not making such behavior undesirable.

    --
    "She's a scientist and a lesbian. She's not going to let it slide." Orphan Black
  47. Re:No, you wait a minute... by jrockway · · Score: 3, Insightful

    Well, apparently OSS developers can fix these things in a day or two. Or have designed it properly the first time. I don't want to sound like an ass, but I wouldn't have made this mistake (using an unsigned variable for a pointer!) if I were coding it.

    Anyway, if it takes M$ this long to fix things, then their products suck. And you shouldn't buy them. If this were exploited 4 months ago, there would be 300 MILLION spam zombies/SCO DOSers/etc. Sorry if it's hard to fix. It's your problem, and you need to be accountable for the damage that your idiocy/cost-cutting/brainfart causes, M$.

    --
    My other car is first.
  48. Re:Note to crackers by diamondsw · · Score: 4, Insightful

    However, the fact that most Linux users insist on software being free (as in beer) is a major deterrent. Why would Adobe port Photoshop to people who actually believe Gimp is as good, but free?

    --
    I don't know what kind of crack I was on, but I suspect it was decaf.
  49. government backdoors? by gad_zuki! · · Score: 2, Insightful

    Who knows, maybe these (and others) are gifts to the FBI, NSA, or whoever, and they wanted them to have more time to play with them before eEye went public.

    If this was really introduced around the time of sp2, wouldn't that coincide with the anti-trust case and then years later the slap on the wrist they got? How's this for a quid pro quo "Leave us alone and we'll give you access to every computer in the world!"

  50. Re:Wait a minute... by TheRealSlimShady · · Score: 2, Insightful
    It looks like this was fixed a long time ago and it took 3.5 months for management to rubber stamp the release.

    Or it took that long to test it properly, since it is involved in such a core part of the OS (authentication).

  51. Re:No, you wait a minute... by spideyct · · Score: 2, Insightful

    Do OSS developers fix and test every permutation of a platform in a day or two? Because that's what Microsoft has to do.

    Just because it wasn't released for 6 months doesn't mean it was ignored for 6 months.

    The amount of testing that has to go into a change like this is immense. For example, if they release a patch for WinXP, they have to make sure it works with WinXP RTM, WinXP SP1, WinXP SP2, etc. Include testing for permutations of major server applications.

    The alternative is to release a "fix" immediately, have the "community" (millions of corporate servers) implement the fix - discover a day later that the fix broke something else - get flamed on slashdot for releasing a broken fix - release another fix that day - discover the next day that the fix broke something else - etc...

    Microsoft has to be accountable for making sure any change will work on millions of servers. Compare that to Johnny OSS developer who only has to make sure his fix works on his own machine.

  52. Re:Note to crackers by neko9 · · Score: 4, Insightful

    I'm not insisting that my professional software must be free on Linux. Why are Maya, Houdini, Softimage ported to Linux if Blender is there? ;-) Maybe because people use software that they know exclusively and that helps them to do a specific task on the best available platform? Professionals don't believe that Gimp is as good as Photoshop. Not yet.

  53. Re:Wait a minute... by AWhistler · · Score: 5, Insightful

    There is enough blame to go around in these situations:

    * Blame management for forcing tight deadlines on the developer who writes shoddy code, creating the bug.
    * Blame management for limiting the time and resources for QA to develop and execute test cases which results in inadequate testing.
    * Blame management for prioritizing new sales to support, thereby not accepting responsibility and getting it fixed ASAP.
    * Blame management for structuring sales compensation so that marketing and account reps don't care about what happens after the sale, and so don't recognize this will hurt sales.
    * Then, when you're almost done, blame the developers for needing food, clothing and shelter, and getting beat down when they say anything, which gives them lack of pride to not demand the right to fix their code.

    I'm sure this is what you meant to say, right?

  54. Re:Note to crackers by mysticgoat · · Score: 1, Insightful

    How long will it take LUNIX kids to stop using infantile terms like M$ and stop affecting empty faux-superiority?

    Well, I'm about 2 months into the dual booting stage of migrating from Windows to Linux. I've had occasion to use both OS today (danged if I'm going to spend time learning the GIMP right now, when I've got PSP a reboot away).

    There is nothing "faux" about Linux superiority. Windows has a slicker presentation and more gee-whiz factor, but Linux is more stable, more secure, fast enough in all respects for my purposes, and excluding some oneshot self-retraining costs, it is overall less expensive to operate.

    OTOH, after 15 years of being victimized by Micro$oft's upgrading strategies, I truly think that Micro$loth has earned its "$".

    However, I'm not a cracker, nor am I any longer a kid-- I'm a 55 yo guy with gray hair who's been using SOHO software to earn his living for the last 20 years. So maybe you were talking to somebody else?

  55. But www.eEye.com runs on Microsoft by shis-ka-bob · · Score: 4, Insightful

    Well, they may say 'can't trust this', but their web site runs IIS on Windows 2000. Actions speak louder than words...

    --
    Think global, act loco
    1. Re:But www.eEye.com runs on Microsoft by jwthompson2 · · Score: 1, Insightful

      One interesting note is that they also provide a proprietary security suite for IIS. So they, I guess, are trusting their software to protect them in the face of MS' issues.

      --
      Even if I knew that tomorrow the world would go to pieces, I would still plant my apple tree. -Martin Luther
  56. Re:No, you wait a minute... by router · · Score: 1, Insightful

    Jesus dude; they make over 100% profit on the consumer OS division. Most companies are happy with a 20-30% gross margin. They are not spending the MONEY to create a good product, never mind any intrinsic problems the Company may have. It is ridiculous to know that a problem exists for six months and not fix it. No matter how much testing they do. Which, obviously, isn't enough. Look at the margin again; any product with margins like that is monopoly/bad service. No other way to cut it. And you APOLOGIZE for them. People amaze me.

    andy

  57. Re:No, you wait a minute... by Frac · · Score: 2, Insightful

    Maybe you can enlighten all of us as to how this delay has helped Microsoft's bottom line?

    Actually, it's a resource allocation problem.

    They can spend 5 developers to hunt down the bug and fix it - OR - They can assign 1 developer to work on it part-time. That one developer spends time adding more useless "innovation" onto Windows, along with the 4 developers that could've helped hunting down bugs.

    The result is that Microsoft has jammed more features into Longhorn, thus making it more of a "value" to upgrade, and an increase to Microsoft's bottom line. And the bug was left open for 6 whole months.

  58. Re:No, you wait a minute... by Anonymous Coward · · Score: 1, Insightful

    Do OSS developers fix and test every permutation of a platform in a day or two?

    No, they have thousands of users who download their code and test it for them in a day or two. And some of them even send in patches to fix it.

  59. Re:No, you wait a minute... by Omnifarious · · Score: 2, Insightful

    Actually, from what I've observed, platform dependencies in OSS software are quickly refactored into small sections of code so you generally never have to worry about a fix working on lots and lots of platforms.

    So, that argument doesn't fly with me. Sorry. Apache runs on many more varied platforms than IIS, and they still manage to fix bugs when they're found extremely quickly, and release fixes immediately that, from what I can tell, don't break anything else.

    Maybe if Microsoft management better managed the difference between a bug fix and a feature, that problem would be such an issue for them.

  60. Re:No, you wait a minute... by Power+Luser · · Score: 2, Insightful

    I think you missed his point. He's not talking about hardware platform dependencies - he's talking about software dependencies on the fix. In this case, Microsoft had to patch almost their entire NT line of operating systems, and each OS would have a number of applications dependent on that code. The Apache/IIS comparison isn't the correct analogy for this.

    Having said that, six months is still too long. I can see why Microsoft would take longer to fix this as compared to Apache, or some other OSS app, but six months is pushing it.

  61. Re:Note to crackers by bjtuna · · Score: 3, Insightful

    I'll tell you why because I work at such a company. The decision to use Microsoft products was made years ago (around 1997), and since then there has been so much ASP written, so much time put into MS-SQL stored procedures and infrastructure, so many internal processes and scripts that are custom-tailored to the Windows installations, that trying to take it all out and replace it with *nix would cost more time and money than the company can afford.

    If you are still in school, or if you work in a small lab, or if you do ANYTHING except work in the real world, you probably think idiocy and stubbornness are the only things preventing the world from running *nix. At this company, and at many others I presume, at this point it makes more sense to pay a little more for the extra TCO of running and upgrading Windows than to try and rewrite the entire e-commerce website and change all internal processes. The bosses here aren't stupid - they know *nix is better, but if you even suggested the place should switch wholesale off Microsoft you'd get eye-rolling galore. It's a pipe dream.

    The transition doesn't make business sense, even if the end result would.

  62. Re:Wait a minute... by bankman · · Score: 3, Insightful
    Good for you, but to the others who can't easily get a new job (not implying that it was easy for you) I suggest reading a bit about negotiation. "Getting To Yes" and "Getting Past No", despite their corny titles, are highly recommended readings on this topic. If you are unable to successfully communicate that management is making decisions that will hurt the company's image and in turn its bottom line, then you are definitely not the right person for the job.

    I think that developers who issue statements that management is always doing the wrong thing should remember that they too manage, a software development project for example.

    --
    I feel so sig.
  63. Re:Note to crackers by bjtuna · · Score: 2, Insightful

    This is pretty typical rubbish out of the mouths of people who don't live in reality. Licensing is expensive, but not expensive enough to cause major cuts in other parts of the budget.

    Is it my company's fault for not using *nix? Of course. I did know you were going to say that, and I couldn't pre-empt it enough in my original post because you said it anyway. But the company was not founded by technologists - it was founded by two guys in 1997 who wanted to sell stuff online and had a little coding experience.

    I reiterate. At this point, it's too difficult to rewrite everything.