Slashdot Mirror


Microsoft Sits on Security Flaw for Six Months

pmf writes "Yet another critical vulnerability affecting Windows 2000/XP/2003 has just been announced by eEye. It is worth noting that it took Microsoft over 6 months to fix it. The bug affects the ASN.1 library and is remotely exploitable through authentication subsystems (Kerberos, NTLMv2) and applications that make use of SSL certificates." The AP has an overview.

26 of 741 comments

  1. quote by Feyr · · Score: 5, Insightful

    didn't The Gates himself say not so long ago that they were "as fast or faster" than open source in fixing security flaws?

    i don't have the quote on hand though...

  2. AP article starts with... by lamont116 · · Score: 5, Insightful

    "Microsoft Corp. warned customers Tuesday about unusually serious security problems with its Windows software that could let hackers quietly break into their computers to steal files, delete data or eavesdrop on sensitive information." What "usually serious"? Code Red? Nimda?

    Also, Microsoft's own document on "Trustworthy Computing" (warning: MS Word format!) establishes as a goal that "[t]he company is open in its dealings with customers. Its motives are clear, it keeps its word, and customers know where they stand in a transaction or interaction with the company." I suppose that waiting six months before fixing this "unusually serious" problem somehow satisfies that criterion?

  3. Six Months! by Goo.cc · · Score: 4, Insightful

    So for six months, people are left out there running software with a known security problem while Microsoft suppresses the information and spreads FUD about how Linux/Open Source security responsiveness is poorer than Microsoft's? What a crock of shit.

  4. heap overflow? by akad0nric0 · · Score: 5, Insightful

    A very big deal is going to be made about this. Feel free to correct me (or mod me down) if I'm wrong, BUT:

    From my understanding, this is a heap overflow. Given the nature of the heap, I could see this resulting in a DoS condition, but what is the likelihood that a practical exploit can be developed, given that the heap generally contains data in random locations?

    --
    akad0nric0

    This sentence no verb.

    1. Re:heap overflow? by BillyBlaze · · Score: 4, Insightful

      The AP article mentioned that "eEye had successfully tested the method to break into its own computers." So the probability that it's possible is 1.

  5. Service Packs by truthsearch · · Score: 4, Insightful

    Microsoft was notified 6 months ago. Either they didn't know about it before that or they didn't disclose that they did. The bug may have existed for 10 years, but they supposedly sat on it for 6 months. Actually, since it affects all versions of NT and 2000 before service pack 3 it could have existed since about 1985.

  6. Re:Wait a minute... by the_mad_poster · · Score: 4, Insightful

    OSS doesn't HAVE to fix it immediately. The community and/or developers DO fix it immediately because, unlike Microsoft, they care about writing good code and having some respect. All Microsoft as an entity gives a crap about is money. It's easier to just stick a fork in the consumer's eye than fix problems, so that's what they do. They don't care what anyone thinks of them for it because they're the status quo which keeps morons who buy a new PC every 5 weeks buying Microsoft's tired old garbage.

    That's the difference - Good OSS projects care about writing good code which is how they get recognized as good OSS projects. Microsoft doesn't care about having any respect, it just wants money.

    --
    Alito: A vote for Alito is a punch in the eye to put that bitch back in her place!

  7. Re:Proof that publishing the fix enables crackers? by LostCluster · · Score: 4, Insightful

    Yep. It's clear. If there's no public discussion of a flaw, the likelihood of an exploit is lower because the would-be hacker has to discover the flaw on their own.

    Some of the worst viruses have come from already-patched flaws that users have just neglected to apply said patch.

  8. Re:And this is better than open source... how? by 00420 · · Score: 5, Insightful

    Your post seems like FUD to me. Now I'm no expert, so I could be wrong, but are there not several proprietary programs that are no longer supported? The key difference of course being that with a non-supported proprietary app you have no chance of getting support. With OSS you could get the source code and either learn programming or hire a programmer to add support for you.

  9. It is not just MS by WindBourne · · Score: 5, Insightful

    I used to work at HP Ft. Collins in the early 90's. At that time, there was a major hole in the network code of the that was going to take about 6 man-months to fix. The local management decided to not fix it as it was decided that few knew about it and it would not be a problem. I would suspect that every major company does the same thinking; MS, Apple, Sun, SGI, IBM, etc.

    I have no doubt that all these companies do care a bit more due to the pressure being brought, but it will still be a decision similar to what Ford did with Pinto and who it was did the tires that exploded. If it costs money to fix, but nobody will see it, who cares.

    That is one of the advantages of OSS as everything is in the open. Have to fix it or will suffer big.

    --
    I prefer the "u" in honour as it seems to be missing these days.

  10. Millions switch to Linux: Not likely soon. by Saeed+al-Sahaf · · Score: 4, Insightful

    "That's the result of Microsoft's terrible history on security. Please Mr. Gates, continue to help the Linux community thrive."

    It would be great if this were only so, but it seems that there is one factor in corporate IT that overrules security, and that's an "enterprise" quality office suite and desktop, two things that seem to be moving quite slowly. Very few question Linux in the server market, but the PHBs will not give up Outlook and PowerPoint until there is a superior Linux analog.

    By the way, recall that Linus himself predicted the corporate desktop is still 10 years off.

    --
    "Who are in control, they are not in control of anything - they don't even control themselves!" - Glen Beck

  11. The Rest of the Update - Remove Unacceptable Symbo by Nom+du+Keyboard · · Score: 4, Insightful

    Have you seen the other critical update they're trying to slip through with this one?

    This item updates the Bookshelf Symbol 7 font included in some Microsoft products. The font has been found to contain unacceptable symbols.

    Looks like someone slipped something through on Microsoft (certain to lose his/her job over this one) and put it just far enough in that it doesn't show when you double click the Bssym7.tt font file to preview its style. Leaves me wondering only two things:

    1: Is there more than 1 symbol in there that is considered "unacceptable"?
    2: Just why is this considered critical?

    --
    "It's the height of ridiculousness to say for those 9 lines you get hundreds of millions."

  12. Re:Note to crackers by the_mad_poster · · Score: 4, Insightful

    You people that insist on bashing *nix users for "faux-superiority" remind me of crazy people that bang their heads against the wall over and over even though it hurts. I mean, give me a fucking break. I'm not the one staring down the barrel of a vendor that takes 6 months to fix a critical vulnerability or has a standing history of just ignoring such things when possible.

    There's no "faux" superiority. There's nothing significant that Windows can do better than Linux in the back office anymore. Only a complete idiot would continue to use Windows systems for any mainstream services. With a few custom exceptions, there's just no room for Windows on a smart admin's server anymore, and Windows on the desktop will drop dead when vendors decide that Linux has reached critical mass and it's time to start porting commercial apps. We know it works. We know it works better than Windows. It's not faux superiority. Windows just sucks and now people have a choice not to use it. Get over it. If you're dumb enough to keep exposing data and users through Microsoft's well-known, well-documented, ongoing negligence, that's YOUR problem. However, just because I don't have that problem, don't come getting all pissy with me.

    --
    Alito: A vote for Alito is a punch in the eye to put that bitch back in her place!

  13. Re:My system's patched now by frodo+from+middle+ea · · Score: 4, Insightful

    Would you prefer to buy locks from a company whose locks previously had a flaw which enabled anyone with a hairpin to open the lock, although the company now claims all such flaws are now removed?
    Would you continue holding an account with a bank whose ATM machines were in fact totally neglecting PINs, even though no one actually tried it?
    I don't think the Microsoft bashers are saying that Microsoft makes crappy s/w and open source makes great s/w. But what they are saying is, despite making mistake after mistake, Microsoft is not accountable for any of its mistakes. Neither are large corporations or end users bothering to try alternatives, merely because of inertia.

    So what is the incentive for Microsoft to improve its security track record ?

    --
    for the last time people, I am "frodo from middle eaRTH", not "middle eaST".

  14. Re:My system's patched now by morcheeba · · Score: 5, Insightful

    So, you're happy that eeye - a company you don't have any relationship with - has had access to your computer for the last six months? And that's fine with your customers, too?

    Ok, what about someone else who found the hole independently? Or, what if someone has broken into eeye's systems and has been monitoring their email for a "heads up" on unreleased flaws (or the home computer of a Microsoft security person)? Or someone at their ISP or on their cable modem monitoring their email. You're happy to give all these people access to your computer, too, right? Compartmentalization is very hard to do outside a rigorous structure (like the NSA) which has very strict rules, procedures, and punishments to allow enforcement.

    A virus or worm that takes advantage of this flaw is only one indicator - people using the flaw for other purposes are probably not going to tell the world about it. The point is that it's impossible to tell if no harm has been done.

  15. Re:Wait a minute... by nvrrobx · · Score: 4, Insightful

    Now wait a minute here.

    Don't lump the actual developers at Microsoft in with management's decisions. You're implying that the developers do not want to do a good job or write good code. This is simply untrue, and I know that from personal experience.

    Just because management decided not to allow a developer to fix this bug six months ago, does not mean the developer does not want to! Blame management, don't blame the developers.

  16. Re:Wait a minute... by Anonymous Coward · · Score: 5, Insightful
    There is enough blame to go around in these situations:
    • Blame the developer for creating the bug.
    • Blame QA for inadequate testing.
    • Blame management for not accepting responsibility and getting it fixed ASAP.
    • Blame marketing and account reps who don't recognize this will hurt sales.
    • Then, when you're almost done, blame the developers again for their lack of pride to not demand the right to fix their code.
    Just because you find someone to blame does not make everyone else on the team blameless.

  17. Re:Note to crackers by Fancia · · Score: 5, Insightful

    How can software companies port their apps when the viral GPL stands in the way? The GPL is the reason why you Lunix kiddies don't have Photoshop, MS Office, and games. If you'd stop sucking Richard Stallman's cock and *think* for yourself once in your life, you'd realize why your OS is unsupported.

    Which is why there's already closed-source commercial software for Linux, right? The GPL doesn't keep developers from making closed-source software for Linux.

    --
    Beat, kill, just because I'm a fox!
  18. Re:Depressing thoughts by edxwelch · · Score: 4, Insightful

    Amazing. This firm makes money from the fact that IIS is so insecure; that's why they went to so much effort to look for these security holes in the first place. It's a good incentive for customers to buy their products when they see all those security holes out there just waiting for exploitation.

  19. Re:Wait a minute... by Geek+of+Tech · · Score: 5, Insightful
    All the developers at Microsoft very well may have a heart of gold, but by virtue of the fact that Microsoft is a business (no, it's not the government... yet...), they will naturally do whatever it is that brings in the most money to them and their shareholders (read "Bill"....). It may not be the best for the consumer, but they don't sell Windows for us. They sell it for them. (Not flamebait...)

    --
    Stop the Slashdot effect! Don't read the articles!

  20. Re:Note to crackers by oldgeezer1954 · · Score: 5, Insightful

    Now why do you presume it's kids....

    I'm far from a kid and use Linux in a work environment. We also use OS/390, VMS, and yes Win9/2k/XP.

    The "M$" has little to do with Linux. It has everything to do with M$ and its de facto monopoly, its penchant for sucking the cash cow, and showing that organization the respect it 'deserves'.

    And when will you windoze kiddies learn it's Linux and not Lunix and that the GPL isn't viral (or we'd have Windows on GPL - see MS Services for Unix and in particular its GPL components), that proprietary (and paid for!) software can be purchased for it. And that it supports most hardware. We actually did better with Linux than with Win2K, driver wise, back when they were both new.

    On the issue... A six month turnaround? You must be kidding me! It was only a week ago Bill was, falsely, claiming a one day turnaround versus weeks for Linux (typically it's less than a day).

    Any Windows setup, mine included, was a potential target for abuse due to this. You have to trust M$ employees not to leak it, the finding company's employees not to leak it, and the black hat community not to find it.

    That is a ridiculous situation for any company to be in and it's unsatisfactory performance for any software supplier, let alone one who tries to claim they're the best... M$ showed zero respect for the operations of your organization and zero respect to each and every individual customer by allowing them to face that risk without warning.

    I would never trust our critical business operations to Microsoft. They have repeatedly violated that trust.

  21. Re:Say it ain't so... by IamTheRealMike · · Score: 4, Insightful

    Well, Microsoft always claim that the reason it takes them so long to get security fixes out is because they have to QA it, make sure they don't break apps etc - but I really don't understand this. It's a buffer overrun. Change the code to calculate the size then use dynamically allocated memory and it's fixed, right? Worst case, put bounds checking in there. How on earth could this possibly even affect public API? How could this cause regressions in apps? If there are apps out there that break because of security fixes like this, why should we care? Isn't the security of millions more important than those crack-ridden apps?
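
    Comment 21 argues that the fix for this kind of bug is to calculate the size, allocate accordingly and bounds-check. As an added illustration (not Microsoft's ASN.1 code, not eEye's, and not the specific flaw in the story), the block below decodes a BER length field the defensive way: it rejects indefinite lengths, truncated length octets, integer wraparound and any declared length longer than the buffer actually holds, and only then allocates the exact size. The function names and the single-octet-tag assumption are mine.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>
#include <limits.h>

/* Decode the length octets of a BER TLV element (definite form only).
 * buf/len is the encoded element starting at its tag byte; *hdr_len (if
 * non-NULL) receives the bytes used by tag + length octets. Returns the
 * declared content length, or -1 unless every byte the header promises is
 * actually present in buf. A single-octet tag is assumed in this illustration. */
long ber_content_length(const uint8_t *buf, size_t len, size_t *hdr_len)
{
    if (len < 2) return -1;                  /* need a tag and one length byte */
    size_t pos = 1;
    uint8_t first = buf[pos++];
    size_t n = 0;
    if (first < 0x80) {
        n = first;                           /* short form: the byte is the length */
    } else {
        size_t octets = first & 0x7f;
        if (octets == 0) return -1;          /* indefinite form: rejected here */
        if (octets > len - pos) return -1;   /* the length field itself is cut off */
        for (size_t i = 0; i < octets; i++) {
            if (n > (SIZE_MAX >> 8)) return -1;  /* would wrap on the next shift */
            n = (n << 8) | buf[pos++];
        }
    }
    if (n > len - pos) return -1;            /* claims more content than we hold */
    if (n > LONG_MAX) return -1;             /* keep the result representable */
    if (hdr_len) *hdr_len = pos;
    return (long)n;
}

/* Copy the content octets into a buffer sized from the validated length
 * (the "calculate the size, then allocate" approach). Caller frees the
 * result; NULL means the element was malformed or allocation failed. */
uint8_t *ber_copy_content(const uint8_t *buf, size_t len, size_t *out_len)
{
    size_t hdr;
    long n = ber_content_length(buf, len, &hdr);
    if (n < 0) return NULL;
    uint8_t *out = malloc(n > 0 ? (size_t)n : 1);  /* malloc(0) may be NULL */
    if (!out) return NULL;
    memcpy(out, buf + hdr, (size_t)n);
    if (out_len) *out_len = (size_t)n;
    return out;
}
```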

  22. Re:Note to crackers by diamondsw · · Score: 4, Insightful

    However, the fact that most Linux users insist on software being free (as in beer) is a major deterrent. Why would Adobe port Photoshop to people who actually believe Gimp is as good, but free?

    --
    I don't know what kind of crack I was on, but I suspect it was decaf.
  23. Re:Note to crackers by neko9 · · Score: 4, Insightful

    I'm not insisting that my professional software must be free on Linux. Why are Maya, Houdini and Softimage ported to Linux if Blender is there? ;-) Maybe because people use software that they know exclusively and that helps them to do a specific task on the best available platform? Professionals don't believe that Gimp is as good as Photoshop. Not yet.

  24. Re:Wait a minute... by AWhistler · · Score: 5, Insightful

    There is enough blame to go around in these situations:

    * Blame management for forcing tight deadlines on the developer who writes shoddy code, creating the bug.
    * Blame management for limiting the time and resources for QA to develop and execute test cases which results in inadequate testing.
    * Blame management for prioritizing new sales to support, thereby not accepting responsibility and getting it fixed ASAP.
    * Blame management for structuring sales compensation so that marketing and account reps don't care about what happens after the sale, and so don't recognize this will hurt sales.
    * Then, when you're almost done, blame the developers for needing food, clothing and shelter, and getting beat down when they say anything, which gives them lack of pride to not demand the right to fix their code.

    I'm sure this is what you meant to say, right?

  25. But www.eEye.com runs on Microsoft by shis-ka-bob · · Score: 4, Insightful

    Well, they may say 'can't trust this', but their web site runs IIS on Windows 2000. Actions speak louder than words...

    --
    Think global, act loco