Slashdot Mirror


Microsoft Sits on Security Flaw for Six Months

pmf writes "Yet another critical vulnerability affecting Windows 2000/XP/2003 has just been announced by eEye. It is worth noting that it took Microsoft over 6 months to fix it. The bug affects the ASN.1 library and is remotely exploitable through authentication subsystems (Kerberos, NTLMv2) and applications that make use of SSL certificates." The AP has an overview.

15 of 741 comments

  1. 6 Months but... by Anonymous Coward · · Score: -1, Troll

    What's the chance a malicious cracker would be using the exact same exploit? Information about the exploit didn't come out until it was patched.

  2. Time to code the next Winnuke/Scriptkiddie Toy. by Adolph_Hitler · · Score: 1, Troll

    I guess it's time to start coding, isn't it?

    --
    People don't exist to serve systems, systems exist to serve people.
  3. Re:Note to crackers by RealityMogul · · Score: 0, Troll

    Really? Then they've gotten better than the last time I've checked.

  4. THIS IS NOT NEWS!!!! by mustangsal66 · · Score: 0, Troll

    News would be Microsoft releasing a product without any bugs or security flaws!

    --
    Why worry? Each of us is wearing an unlicensed "nucular" accelerator on his back.
    Sig changed for readability by G.W.
  5. omg m$ is teh sux0r! by Anonymous Coward · · Score: -1, Troll

    lololol!!!!!!!!!111

  6. Unfortunate, but unlikely in the future. by Srividya · · Score: 2, Troll

    It is unfortunate that an otherwise healthy piece of software has been found to have a problem of this scale. However I do have good news for software users everywhere: in two years, there will not be any more buffer overflows.

    To understand why buffer overflows are going away, it is important to understand current trends in the software industry. Much has been read and published about what Americans call "outsourcing", which is the practice of hiring more competitively priced labor.

    Where I work in Tirupathi India there are approximately 100 paid programmers, including myself. In addition to us, there are approximately 250 unpaid programmers working on the lower floors. They have "read-only" access to our source code, and may browse from the source code repository at will. Because of the abundance of Computer Science graduates here and the scarcity of jobs, only the best are able to move from unpaid to paid labor. As each of the paid programmers checks in code, the unpaid programmers review it, probing for weaknesses and security flaws. If a buffer overflow is found, it is reported to a head programming manager. The programmer who found the security flaw is promoted, often from unpaid to paid. The programmer who made the error is demoted. In the case of buffer overflows, which we are told at the beginning are the worst, worst, worst thing, the offending programmer is removed. This, actually, is how I moved from unpaid to paid. And I spend at least half of each of my days (about six hours) at work inspecting my own code to ensure that I cannot be removed. I do not make security mistakes ever. To put it in simple language, I have a family to feed.

    There is also the cold room, where the programmers who make buffer overflows go before they are removed. I have not seen it. But I know that they make sure not to leave marks. They put you in a metal room, and there is cold water and a hose. It is motivating. I will not go there.

    -Srividya.

  7. Re:And this is better than open source... how? by jkmiecik · · Score: 1, Troll

    Hey, why not more?

    http://sourceforge.net/projects/pound/

    http://sourceforge.net/projects/yabause/

    http://sourceforge.net/projects/jxmas/

    http://sourceforge.net/projects/modp-driver/

    http://sourceforge.net/projects/cdctl/

    2002? 2000?! Shut your trap. All software everywhere has bugs and problems that may go ignored. Linux is not some sort of fucking holy grail of operating systems, immune to all bugs.

    Linux zealot mods, the drop-down by this post should read "Underrated" or "Interesting" but instead reads "Troll" or "Flamebait".

  8. Re:Love the poem... by Mod+Me+God · · Score: -1, Troll

    d15 1z w07 4pp3n5 wh3n d33 5ub5 sm0k34 d4 l0ck3y

    --
    FreeNET user? Comfortable with the adverse selection?
  9. Re:Note to crackers by Anonymous Coward · · Score: -1, Troll

    Whatever fuck nut. Have you gotten a good whiff of a Microsoft geek lately? Hell, their commander in chief was/is known for his olfactory nerve damaging aroma. Not to mention that M$ geeks are typically useless mouse jockeys anyhow.

  10. Re:Note to crackers by Anonymous Coward · · Score: -1, Troll

    With a few custom exceptions, there's just no room for Windows on a smart admin's server anymore, and Windows on the desktop will drop dead when vendors decide that Linux has reached critical mass and it's time to start porting commercial apps.

    How can software companies port their apps when the viral GPL stands in the way? The GPL is the reason why you Lunix kiddies don't have Photoshop, MS Office, and games. If you'd stop sucking Richard Stallman's cock and *think* for yourself once in your life, you'd realize why your OS is unsupported.

    Get over it. If you're dumb enough to keep exposing data and users through Microsoft's well-known, well-documented, ongoing negligence, that's YOUR problem. However, just because I don't have that problem, don't come getting all pissy with me.

    Ohh! Look at me! Lunix is teh greatest, M$ suXors!!111~~

  11. Ok, who's the dumb ass by Anonymous Coward · · Score: -1, Troll

    Who is the dumb ass that rated this INFORMATIVE.

    1) with a given exploit I _doubt_ they have to go through the ENTIRE Windows source code and its tree. I know they have spaghetti code, but come on!

    2) typically any major security vulnerability is fixed within 24 hours on most of the Un*x's I've ever used. A MONTH? Sure, maybe for a BUG FIX, but we're talking SECURITY here. Go back and play with your blocks and Windows box -- because you OBVIOUSLY have absolutely NO FUCKING CLUE about security.

    Dumb ass. Probably Catholic too.

  12. Re:Note to crackers by Anonymous Coward · · Score: -1, Troll

    And how much money are they going to make with that stunt?

    Companies do not port to Linux because Linux users do not want to pay for software.

    So good luck.

  13. Re:Another dead/dying OS? by stor · · Score: 0, Troll

    *sigh*... I have two comps, one runs Slack, the other runs FreeBSD. Seems I just can't win....

    Hey man,

    Do you like, have bets on which OS will die first? 8)

    Cheers
    Stor

    --
    "Yeah well there's a lot of stuff that should be, but isn't"