Slashdot Mirror
Microsoft Sits on Security Flaw for Six Months
pmf writes "Yet another critical vulnerability affecting Windows 2000/XP/2003 has been just announced by eEye. It is worthy to note, that it took Microsoft over 6 months to fix it. The bug affects ASN.1 library and is remotely exploitable through authentication subsystems (Kerberos, NTLMv2) and applications that make use of SSL certificates." The AP has an overview.
U Can't Trust This
By: MCSE Hammer
Blaster did ya some harm
We just say, hey, another worm
But thank you, for trusting me
To mind your site's security
It's all good, when your server's downed
Our dope PR will pass blame around
Cuz it's known as such
That this is some software, you can't trust
I told ya Homeland
U can't trust this
Yeah that's why we're giving ya the code
U can't trust this
Check out eEye, man
U can't trust this
Yo let 'em bust more funky system
U can't trust this
Give 'em a string or recvfrom
Like no sweat they got the keys to your kingdom
Now ya know
You talk about eEye, you're talking about holes
Remote and tight
Coders still sweating so someone better write
A book to learn
What it's gonna take in '04
To earn some trust
Legit, either secure or ya might as well quit
That's the word because you know
U can't trust this
U can't trust this
Even if I knew that tomorrow the world would go to pieces, I would still plant my apple tree. -Martin Luther
http://www.eeye.com/html/Research/Upcoming/index.h tml
Comment removed based on user account deletion
Didn't openssl have a very similar bug that
was disclosed & fixed just about 6 months ago?
Anybody? Buehler?
Looks like MS gets some slack that OSS just
has to fix immediately.
AntiFA: An abbreviation for Anti First Amendment.
Fox News Channel reported that there was a serious flaw in Windows during their 4pm ET news burst. Mainstream media as usual leaves out tech details on stories like these, but this is just an indication of how serious this flaw is.
6 months? 2000's been out for 3 years! If it took them 2.5 year to find the bug, another half is year is no biggie.
Thats the result of Microsofts terrible history on security. Please Mr.Gates, continue to help the Linux community thrive.
People don't exist to serve systems, systems exist to serve people.
If you are Microsoft fundamentalist karma blaster, I meant that in a good way...
Bite my shiny metal... oops... Nevermind!
Didn't openssl have ASN.1 issues recently? Did MSFT copy some of the code ;-) ?
BTW: Interesting timeline of more to come
Better keep checking for updates.
---- join dshield.org Distributed Intrusion Detec
Hang on.. If windows NT / 2000 are affected.. looks like M$ have been sitting on it for a _lot_ longer than 6 months.
On the other hand, if they didn't know about it, I wonder how many systems could have been compromised. When was windows NT released again ?
"ASN.1 is really an extremely deep...technology in Windows itself," he said. "This investigation required us to evaluate several different aspects. This is an instance where we really had to do our due diligence."
Name me an instance where "really doing due dilligence" vis-a-vis security is an option, like this guy makes it sound. Just one.
Please tell me Microsoft is not as inept as this. Please?
Soko
"Depression is merely anger without enthusiasm." - Anonymous
didn't The Gates himself said not so long ago that they were "as fast or faster" than opensource in fixing security flaws?
i don't have the quote on hand though...
Open Source software gets critical fixes within days or hours because anyone running the code can potentially fix the problem.
As Micro$oft's ratio of programmers to supported lines of code decreases, their time to fix bugs will increase.
To put it another way, bloat breeds torpor.
That's no bug!
That's Intellectual Property!
"In other news: PanIP has filed suit claiming Microsoft's latest bug violates one or more of their patents."
A feeling of having made the same mistake before: Deja Foobar
Looks like there is another worm out there spreading fast...its spreading through AIM by sending out links to a site at wgutv.com that masquerades as being a news site proclaiming Osama has been captured. The site downloads an executable (which appears to be digitally signed with a cert issued by Thawte) which, at the least, starts propagating to other AIM buddies. Can't find anything on NAI or Symantec--anyone else seen this in the past 3 hours? (since about 2 PM EST)?
"Life is tough but we're tougher. You only get what you give, so give all that you've got." --Tony LaRussa
A flaw was found in AOL Instant Messenger relating to the A/S/L library.
There's an overflow in the stupidity of the users, who are willing to unzip and run unexpected EXE files from strangers.
Seriously.
I've had enough abrasive sigs. Kittens are cute and fuzzy.
The article mentions that Microsoft is unaware of any computers hacked with this vulnerability. Assuming it wasn't ever used, then not disclosing it until a patch was made worked well in this situation.
But not disclosing the problem has drawbacks, too. Your system is insecure, and you have to hope nobody else knows about the exploit either. And it's Microsoft's decision when to patch it. It will be interesting to hear why it took them six months. What if it was simply PR: do you feel safe knowing you're vulnerable so Microsoft gets good PR (until now)? Or perhaps it's just laziness. If customers don't know about an exploit, how can they apply pressure to counter it?
Every time I see an airport or a power plant affected by windows viruses and/or vulnerabilities I get a bit queasy Will the general public ever realize that if what you are working on is of any importance, nevermind critical importance, then Windows is not the right tool for the job. From the story: "This is one of the most serious Microsoft vulnerabilities ever released," said Marc Maiffret of eEye Digital Security Inc. of Aliso Viejo, Calif., which discovered the new Windows flaws. "The breadth of systems affected is probably the largest ever. This is something that will let you get into Internet servers, internal networks, pretty much any system." Maiffret said some computer systems that control critically important power or water utilities were vulnerable.
"Microsoft Corp. warned customers Tuesday about unusually serious security problems with its Windows software that could let hackers quietly break into their computers to steal files, delete data or eavesdrop on sensitive information." What "usually serious"? Code Red? Nimda?
Also, Microsoft's own document on "Trustworthy Computing" (warning: MS Word format!) establishes as a goal that "[t]he company is open in its dealings with customers. Its motives are clear, it keeps its word, and customers know where they stand in a transaction or interaction with the company." I suppose that waiting six months before fixing this "unusually serious" problem somehow satisfies that criterion?
So this is very interesting, in that it's the first time that a critical flaw has taken six months to fix that the alert about the fix ALSO was delayed for six months. Yet in that time, we have not seen any significant uptick in these types of exploits, and there do not appear to be any worms like this in the wild.
Does this verify MS's supposition that delayed publication = less exploits?
So for six months, people are left out there running software with a known security problem while Microsoft surpresses the information and spreads FUD about how Linux/Open Source security responsiveness is poorer than Microsoft's? What a crock of shit.
So, if they fix a security flaw sooner than six months, what status does that get? Super Double Critical?
"Who are in control, they are not in control of anything - they don't even control themselves!" - Glen Beck
It is unfortunate that an otherwise healthy piece of software has been found to have a problem of this scale. However I do have good news for software users everywhere: in two years, there will not be any more buffer overflows.
To understand why buffer overflows are going away, it is important to understand current trends in the software industry. Much has been read and published about what Americans call "outsourcing", which is the practice of hiring more competitive priced labor.
Where I work in Tirupathi India there are approximately 100 paid programmers, including myself. In addition to us, there are approximately 250 unpaid programmers working on the lower floors. They have "read-only" access to our source code, and may browse from the source code repository at will. Because of the abundance of Computer Science graduates here and the scarcity of jobs, only the best are able to move from unpaid to paid labor. As each of the paid programmers checks in code, the unpaid programmers review it, probing for weaknesses and security flaws. If a buffer overflow is found, it is reported to a head programming manager. The programmer who found the security flaw is promoted, often from unpaid to paid. The programmer who made the error is demoted. In the case of buffer overflows, which we are told at the beginning are the worst, worst, worst thing, the offending programmer is removed. This, actually, is how I moved from unpaid to paid. And I spend at least half of each of my days (about six hours) at work inspecting my own code to insure that I cannot be removed. I do not make security mistakes ever. To put it in simple language, I have a family to feed.
There is also the cold room, where the programmers who make buffer overflows go before they are removed. I have not seen it. But I know that they make sure not to leave marks. They put you in a metal room, and there is cold water and a hose. It is motivating. I will not go there.
-Srividya.
A very big deal is going to be made about this. Feel free to correct me (or mod me down) if I'm wrong, BUT:
From my understanding, this is a heap overflow. Given the nature of the heap, I could see this resulting in a DoS condition, but what is the likelihood that a practical exploit can be developed, given that the heap generally contains data in random locations?
akad0nric0
This sentence no verb.
Microsoft was notified 6 months ago. Either they didn't know about it before that or they didn't disclose that they did. The bug may have existed for 10 years, but they supposedly sat on it for 6 months. Actually, since it affects all versions of NT and 2000 before service pack 3 it could have existed since about 1985.
Developers: We can use your help.
Then that would be silly.. Surely posting this story is one of the better ways to alert thousands of geeks that they need to patch their servers / machines to fix a critical flaw.
The BBC published this report on Microsoft security problems. Somehow, the person who wrote this managed to a whole article without including any information on what the bug actually was.
In sort form it reads, there was a security flaw, it is bad, actually it was really bad, maybe the worst ever and it is a security flaw.
at cnn.com and was patching all the machines here at work. interesting article for a few reasons- looks like M$ is still making weekly updates...
I'm so glad I switch to linux and os x for all my personal stuff, it makes me feel so much better.
Creationists are a lot like zombies. Slow, but powerful and numerous. And they all want to eat our brains.
Sadly, I think that a file called "This_is_a_virus_-_do_not_open.exe" would be just as effective as any other.
G
>Maybe it is a flaw that the open source community can collectively fix.
;-)
That is a flaw that you can fix for yourself. Just use software that you can maintain yourself or that is very well supported (e.g. gcc, openssl, openssh, Apache etc.)
As you see, going with high-profile projects is "safer" just as it is "safer" to go with high-profile vendors like IBM or Microsoft.
But of course, none of these solutions is perfectly safe
if it was released without bugs or security flaws how would the product ever get into the news?
Of course, with some open source projects, if there is a bug or security flaw, not only does the problem not get fixed, there isn't anyone there to fix it!
There are a number of open source projects that are no longer being maintained, but are in fairly wide use. At least with Microsoft, there is someone there saying "yea, yea... I'll get to it!"
True, anyone has the ability to fix the problem, but most of the time the user is not necessarily a developer or admin. And if someone out there DOES fix the problem, there isn't neccessarily a central place to post the fix.
Maybe it is a flaw that the open source community can collectively fix.
Why was that message moderated down? (Oh yea, this is slashdot) Don't moderate it down just because you don't agree with it. It is a legitmate problem with open-source! Slashdot is best when it is a level headed forum for reasoned arguement, not a once sided diatribe against all things capitalist.
Your post seems like FUD to me. Now I'm no expert, so I could be wrong, but are there not several proprietary programs that are no longer supported? The key difference of course being that with a non-supported proprietary app you have no chance of getting support. With OSS you could get the source code and either learn programming or hire a programmer to add support for you.
Have you tried Linux yet?
Windows is insecure. We know this. Partly it is the result of the operating system and partly it is the result of bad applications. And Microsoft knows it too.
.net. This is a huge, huge step toward eliminating buffer overruns and other trivial errors. Tens of thousands of developers are making the move right now. Any bookstore has at least 50 books on .net technologies.
This is why Microsoft is making the bold move of promoting managed langages like C# and VB.net, and a fully managed runtime in the guise of
In short, laugh about it now, let it distract you from what's coming, let it lull you into thinking Linux will always have the security edge, go right ahead. It won't change anything.
I use to work at HP Ft. Collins in the early 90's. At that time, there was a major hole in the network code of the that was going to take about 6 man-months to fix. The local management decided to not fix it as it was decided that few knew about it and it would not be a problem. I would suspect that every major company does the same thinking; MS, Apple, Sun, SGI, IBM, etc.
I have no doubt that all these companies do care a bit more due to the pressure being brought, but it will still be a decision similar to what Ford did with Pinto and who it was did the tires that exploded. If it costs money to fix, but nobody will see it, who cares.
That is one of the advantages of OSS as everything is in the open. Have to fix it or will suffer big.
I prefer the "u" in honour as it seems to be missing these days.
just have Janet Jackon do a "half-time" concert at the next major Windows conference. The promoters may even get Balmer to play the part of Timberlake.
"Look Lois, the two symbols of the Republican Party: an elephant, and a fat white guy who is threatened by change."
Not every MS user updates once a year, you idiots.
Assuming you didn't mean that as a joke...
The entire point of this article centers on the very fact that no fix existed, despite MS knowing about the problem for over six months.
So, even the most attentive network admin in the world, applying every fix within an hour of release, would not have had the ability to remove this vulnerability from his systems.
Personally, I find it more interesting that MS has the same problem that OpenSSH had, dating from the same time period. Time for a few folks to start comparing the relevant libraries for similarity... Wouldn't that look just great for MS's PR, getting caught not only in a copyright infringement, but using that nasty GPL'd software they so hate...
eeye.com
When they finally get laid. Which is to say... never.
Bugs do come up in almost every software and OS, with some of these being critical. Waiting 6 months to announce a problem that was identified by some 3rd party (or anyone) is unacceptable. They now have adopted the script-kiddie standard. They will not anounce a flaw until either they know for sure the patch will fix it, or it will come out before every script kiddie can get their little hands on a prebuilt exploit. During the last 6 months, or longer, many compainies and goverments with priceless data could have been exploited. IMO, it is ignorant to think that only security companies and casual hackers are out to find exploits. It really is the unpublished ones that are the most dangerous. I am assuming that this exploit has effected XP since day 1. That is a long time for say a real pirate group or a hostile government to discover it and launch very selective attacks on specific target entities. The media tends to forget about just unplugging the machine with the sensitive data as a viable (even if temporary) security solution. For the last 6 months, MS has knowingly put many in danger by not revealing to them that their systems had a serious exploit. It will probably never be known if this exploit has been used yet. Just because I cannot google and get info on it or dl a prebuilt binary does not mean that it has not been used.
This is going off-topic, but is MyDoom really illegal then? If I send you a legitimate program, it's legal. So shouldn't the USER be held liable for attacks this time? It's entierly their fault. (If I run while /bin/true; do wget sco.com & done; that's MY fault. How is MyDoom any different*?)
* The user doesn't know what happens. But so what. I didn't know that firing a gun at your head would kill you.
My other car is first.
Yeah, subject says it all. What about systems with embedded windows, where patching (if possible) usually proceeds slowly, for example cash machines?
I am one of many. My idea is not unique, nor do I expect my voice alone to sway you. I speak in a chorus of opinion.
It would be great if this where only so, but it seems that there is one factor in corporate IT that over rules security, and that's an "enterprise" quality office suite and desktop, two things that seem to be moving quite slowly. Very few question Linux in the server market, but the PHPs will not give up Outlook and PowerPoint untill there is a superior linux analog.
By the way, recall that Linus himself predicted the corporate desktop is still 10 years off.
"Who are in control, they are not in control of anything - they don't even control themselves!" - Glen Beck
U Can't Root This
By: MC GNU/Hammer
Linux did ya some harm
We just say, hey, an open sore
But thank you, for rooting me
To mind your site's security
It's all good, when your server's downed
Our dope coders will run GNU debug
Cuz it's known as such
That this is some software, you can't root
I told ya script kiddie
U can't root this
Yeah that's why we're giving ya the code
U can't root this
Check out Torvalds, man
U can't root this
Yo let 'em bust more funky grep
U can't root this
Give 'em a bash prompt or C code
Like no sweat they got the salts for your hash
Now ya know
You talk about Stallman, you're talking ideology
GNU's not Linux, its GNU/Linux
Coders still sweating so someone better write
A patch for this
What it's gonna take in '04
To earn some root
Legit, either secure or ya might as well quit
That's the word because you know
U can't root this
U can't Root this
I think this was not a flaw but a design to enable MS to spy on your computer, introduce problems, etc. from central servers of their own in order to get you to upgrade, buy more software etc. and to give them a competitive advantage. When somebody discovered it, it took them six months to figure out how to maintain this and not be discovered for another ?? years. That is what the patch truly does.
Gungah dah lungha.... So I've got that going for me.
And FMA is widely used on what planet? Hardly on the same scale as, say, Apache, is it? Troll.
Tubal-Cain smokes the white owl.
This item updates the Bookshelf Symbol 7 font included in some Microsoft products. The font has been found to contain unacceptable symbols.
Looks like someone slipped something through on Microsoft (certain to lose his/her job over this one) and put it just far enough in that it doesn't show when you double click the Bssym7.tt font file to preview its style. Leaves me wondering only two things:
1: Is there more than 1 symbol in there that is considered "unacceptable"?
2: Just why is this considered critical?
"It's the height of ridiculousness to say for those 9 lines you get hundreds of millions."
kettle: pot, you're black.
What better way to make people want to move to Longhorn in droves than to make the cost of staying with the currently deployed operating system seem prohibitively expensive in comparrison.
The Windows help system was exploitable for about 7 years. From the time of Windows NT 4.0's release (1996?) until June, 2003, an attacker could exploit the help system to run their own code. And that's just the help system!
As of September, 2003, there were 31 known unpatched vulnerabilities in Microsoft Internet Explorer. Some of the most critical have not been fixed in well over a year. The original page listing them was removed at Microsoft's request, but I cached it.
Microsoft was notified of significant issues with their implementation of the Java Virtual Machine (JVM) on September 2, 2002, and on April 9th, 2003, Microsoft issued an update to fix the problem. That took more than seven months.
Shameless plug: more examples are available at my site.
Developers: We can use your help.
I am looking at WindowsUpdate right now, and am not seeing this patch.
I can go ahead and download it from the page in the story; my question is: why is this patch not up on WindowsUpdate immediately?
You people that insist on bashing *nix users for "faux-superiority" remind me of crazy people that bang their heads agaisnt the wall over and over even though it hurts. I mean, give me a fucking break. I'm not the one staring down the barrel of a vendor that takes 6 months to fix a critical vulnerability or has a standing history of just ignoring such things when possible.
There's no "faux" superiority. There's nothing significant that Windows can do better than Linux in the back office anymore. Only a complete idiot would continue to use Windows systems for any mainstream services. With a few custom exceptions, there's just no room for Windows on a smart admin's server anymore, and Windows on the desktop will drop dead when vendors decide that Linux has reached critical mass and it's time to start porting commercial apps. We know it works. We know it works better than windows. It's not faux superiority. Windows just sucks and now people have a choice not to use it. Get over it. If you're dumb enough to keep exposing data and users through Microsoft's well-known, well-documented, ongoing negligence, that's YOUR problem. However, just because I don't have that problem, don't come getting all pissy with me.
Alito: A vote for Alito is a punch in the eye to put that bitch back in her place!
Would you continue holding an account with a bank, whose ATM machines were infact totally neglecting PINs , even though no one actually tired it ?
I don't think, the microsoft bashers are saying that microsoft makes crappy s/w and open source makes great s/w. But what they are saying is, dispite making mistakes after mistakes, microsoft is not accountable to any of its mistakes. Neither are large corporations or end users bothering to try alternatives merely because of intertia
So what is the incentive for Microsoft to improve its security track record ?
for the last time people, I am "frodo from middle eaRTH", not "middle eaST".
So, you're happy that eeye - a company you don't have any relationship with - has had access to your computer for the last six months? And that's fine with your customers, too?
Ok, what about someone else who found the hole independently? Or, what if someone has broken into eeye's systems and has been monitoring their email for a "heads up" on unreleased flaws. (or the home computer of a microsoft security person). Or someone at their ISP or on their cablemodem monitoring their email. You're happy to give all these people access to your computer, too, right? Compartimentilization is very hard to do outside a rigorous structure (like the NSA) which has very strict rules, procedures, and punishments to allow enforcement.
A virus or worm that takes advantage of this flaw is only one indicator - people using the flaw for other purposes are probably not going to tell the world about it. The point is that it's impossible to tell if no harm has been done.
HIV Crosses Species Barrier... into Muppets
None, other than the Stupid User Who Runs Untrusted Executable Files vulnerability, for which the only patch is a baseball bat.
All's true that is mistrusted
Not Janet Jacksons breast again! Damn you Viacom.
Today is a gift. Save the receipt.
It was an ironic comment, couldn't you see that? I remember the mag PCW used the term M$ way back in '94 and it was old then.
--
FreeNET user? Comfortable with the adverse selection?
Wow, eEye still knows of 3 different high severity remote exploit in MS systems, and MS has been sitting on two of them for over 3 months.
Secure computing indeed.
Just browse through Freshmeat. I'd say 1/8 of the projects there have not been updated since 2001.
Or search Google for no longer under development. See how many hits are open source projects.
Here is my list of apps that I want to see under development:
Big Sister for Windows (this one is the one I want updated most of all)
Slackware (well, its alive, but barely)
NCSA Server
In all cases I found that they were unsupported and had to switch to a different solution.
And remember, just because YOU don't use it, doesnt mean there aren't a lot of other people that use it and depend on it.
The Unix/OSS/internet communities once had the same mind set, the same ignorance. The assumption in 1980 on the internet was that everyone would play nice. This might have been true in 1980. The worms, viruses, DoS attacks happened. Much software was fixed, or scrapped. New software was developed with the assumption that it would be under attack.
Im not excusing MS - in fact far from it. These lessons have been learned. Solutions to the problem have been used. Methodoligies for producing secure code are well documented.
Let's go over the facts here...Just a couple of bits from the article...(quoting AP)
1. Researchers at eEye discovered the problems last July and agreed to keep quiet about them until Microsoft could fix them
2. Microsoft took months because it wanted to ensure that a single repairing patch solved any related problems "We really took the steps to make sure our investigation was as broad and deep as possible," Stephen Toulouse, said.
So far it sounds pretty bad, doesn't it?
Maybe you can enlighten all of us as to how this delay has helped Micrsoft's bottom line?
Do you think people would have stopped buying their products had this been announced last July?
Do you think people will stop buying their products now?
Isn't it feasible, albeit a bit too long, that they actually took the time to correct the issue? Rather than throwing a 'fix' together to appease the shareholders, one might think the amount of time taken increases the chances that they did it right.
Error encountered in IAWebSig.clsSig.Create: Last Procedure: sPrc_Ins_tblSig
And, yet they build more stuff in the OS:
n =displaynews&NewsID=995
http://www.techworld.com/news/index.cfm?fuseactio
"The more you can put in the core operating system the better." Yeah, they are that inept.
Both OpenSSH and OpenSSL (what you really meant) are available under BSD licenses. Microsoft hasn't said anything bad about BSD-licensed software and has admitted to using it for years.
Dewey, what part of this looks like authorities should be involved?
According to the MS website it appears to have been introduced into 2000 as part of a service pack update (Starting with SP2), and starting with XP Service Pack 1. See KB article: 828028
And, of course, it doesn't affect Windows 98 at all...
Yep, it appears to be the same font.
Can anyone do is a favour and list some other applications that might be affected... for example, other Windows mail clients or web browsers that use SSL?
BTW, my SSL mail client (jbmail) is not affected since it uses OpenSSL.
Bít, zabít, jen proto, ze su liska!
Oracle's open source? That's news to me.
The GPL is the reason why you Lunix kiddies don't have Photoshop, MS Office, and games
Yes, the "viral" GPL sure has made Neverwinter Nights become liscensed under the GPL now, hasn't it.
troll.
profeccional
Like a spelling checker, you mean?
"Toulouse said Microsoft took months because it wanted to ensure that a single repairing patch solved any related problems." So they wanted to fix each of many related vulnerabilities and release the patch as one. Because releasing several patches is worse PR than releasing just one, I think.
"(As an aside, it's interesting to note that this vulnerability was silently fixed in Windows 2000 SP4 and Windows Server 2003, due to an additional comparison being included in ASN1BERDecCheck().)" Not only did Microsoft know about the bug for six months, they also knew how to fix it. And they did so, silently, for other products.
Finally, if they've sat on it for six months, why is it being released now? The article mentions several upcoming meetings that make this a very bad time, PR-wise. Could it be that they were aware of exploits in the wild starting recently? If so, would we ever know?
Amazing. This firm makes money from the fact that IIS is so insecure, that's why they went to so much effort to look for these security holes in the first place. It's a good incitive for customers to buy their products when they see all those security holes out their just waiting for exploitation.
A bit of googling reveals that the font contains a symbol which is a swastika. Not the reversed Nazi Swastika, but the way round that it was used for thousands of years by Buddhists as a symbol of Buddha's heart and mind. It is still a commonly used symbol in the far east.
As for point 2. Who knows???
C|N>K
Like a spelling checker, you mean?
I don't need a spellchecker on Slashdot.
I just wait for a tool like you do it for me.
Moneyed corporations, non-working 'poor' and criminal prisoners are turning productive citizens into tax-slaves.
I guess this is in the "Stuff that matters" category then, since it certainly isn't "News" by any stretch of imagination.
Assorted stuff I do sometimes: Lemuria.org
Actually it was used by many people including Buddists, but it is now widely believed that it was a Jewish symbol, that was taken from a twist on an acient Sun God. http://www.manwoman.net/swastika/swastika.html "There are even Jewish swastikas found in ancient synagogues side-by-side with the star of David!"
Mod +5 Drunk
As far as I know, there were swastika wingdings in the package. Why MS would put a swastika in it to begin with is beyond me, but that is the case.
The bigger question is why it is necessary to remove them. Although they are offensive to most people because of what they represent, they do have a place in history. There are probably legitimate reasons for using them in many documents. IE. A school report on WW2 or Nazi Germany.
This is my Sig.
I'm a CFO with a small leasing company, and as I also wear the designated IT helper hat from time to time when our contract specialist isn't on site.
I just spent the better part of the afternoon, wasting my time, and a salesperson's time as we first ran Adaware and then Sybot S&D, rebooting again and again, to try to deal with a piece of misfunctioning software
I spend more critical hours of a day dealing with stupid MS software problems! I truly, truly hate this. Its one thing to run MS at home where I can play with tweaking, patching, reparing MS so that I can play the occassional game, but this is work.
I'm waiting for a linux desktop system that will allow us to communicate with our customers (ie. MS Word, Xcel) and run Act! and T-value 5. Unfortuantely I can't afford to spend time experimenting or becoming a guinea pig, either.
The TCO on these MS systems are killing ... and I can't wait till it ends!
A professional tool like Windows? You may want to think that, but every day there's a new windows virus that almost brings down the internet. That's not professional. That's stupid.
Now, if M$ decided to patch vulnerabilities like OSS did (there are lots of exploits in OSS software, but they're usually fixed in an hour), then they would be professional. But they sit on the knoweledge and litigate against people that tell them there are problems. That's not professional. That's nazi.
My other car is first.
The best short rejoinder to this illogic was composed by PJ of Groklaw right here:
How long will it take LUNIX kids to stop using infantile terms like M$
Never, as long as it continues to piss dweebs like you off.
Mod down people who tell people how to mod in their sigs
And some reports said there were two swastikas there.
Truth is that there was not even one.
"It's the height of ridiculousness to say for those 9 lines you get hundreds of millions."
In our era and in our culture, the swastika is associated with Hitler and his Nazi party. However, the swastika did not originate with Hitler. It originated in India, and has been considered a mystic/spiritual symbol in Asia for thousands of years. So although it has very negative connotations in western cultures, it probably finds a lot of positive usage in eastern cultures. Swastikas are often publically displayed in India on temples and so forth.
Here's an interesting page discussing the origins of the swastika.
Now why do you presume it's kids....
I'm far from a kid and use Linux in a work environment. We also use OS/390, VMS, and yes Win9/2k/XP.
The "M$" has little to do with Linux. It has everything to do with M$ and it's defacto monopoly, it's penchant for sucking the cash cow, and showing that ogranization the respect it 'deserves'.
And when will you windoze kiddies learn it's Linux and not Lunix and that the gpl isn't viral (or we'd have windows on gpl - see MS services for Unix and in particular it's gpl components), that proprietary (and paid for!) software can be purchased for it. And that it supports most hardware. We actually did better with linux than with Win2K, driver wise, back when they were both new.
On the issue... A six monthg turnaround? You must be kidding me! It was only a week ago Bill was, falsely, claiming a one day turnaround versus weeks for Linux (typically it's less than a day).
Any windows setup, mine included, was a potential target for abuse due to this. You have to trust M$ employees not to leak it, the finding company's employees not to leak it, and the black hats community to not find it.
That is a ridiculous situation for any company to be in and it's unsatisfactory performance for any software supplier let alone one who tries to claim they're the best... M$ showed zero respect for the operations of your organization and zero respect to each and every individual customer by allowing them to face that risk without warning.
I would never trust our critical business operations to Microsoft. They have repeatedly violated that trust.
But according to eEye it affects all versions of NT, 2000 prior to SP3, and 98. Is eEye wrong or is Microsoft lying?
Developers: We can use your help.
I read about thisnew hole, and I go into the SUS server to approve the update so it gets pushed out to the clients, and it's listed as a 'Security Update'. Fine. But along with that is update 833407, labeled 'Critical Update' that "updates the bookshelf font included in some Microsoft products. The font has been found to contain unacceptable symbols." So an exploit that allows you to root any Windows server out there takes 6 months to fix, but damn, get an unacceptable symbol in your font and they're right on it.
"In the security bulletin published by MS it states,
"In the most likely exploitable scenario, an attackerwould have to have direct access to the user's network."
The bulletin published by eEye states
"...applications that make use of certificates (SSL, digitally-signed e-mail, signed ActiveX controls, etc.) [areaffected]".
I see a big disconnect there. Can you address this? Also, how would this potentially affect sites that are using an MS VPN solution?"
Yes, I am not sure what Microsoft did with the wording there that seems to be misleading to at least a few people so far.
There is just as much, if not more, chance of people using this vulnerability on server side applications as there is on client-side applications.
For example we setup a totally IPSEC secured network and we broke into that network via our ASN bug which is called by the Kerberos.
We also have written exploits that take advantage of ASN via NTLMv2 authentication. And the list goes on... How about evil ASN SSL CERTs?
Client or server? There is a menu a mile long for the avenues of attacks that this thing can be used for.
If your running, Windows NT 4.0, Windows 2000, Windows XP, or Windows 2003, you are 99.9999% positive to be vulnerable, regardless of what your configuration might be.
Don't try to guess if you have any of the affected protocols or applications (lets not forget third party apps using the MS ASN library), just install the patch.
Client side, server side, world wide.
Signed, Marc Maiffret Chief Hacking Officer eEye Digital Security
Time flies like an arrow, fruit flies like a banana.
Well, apparently OSS developers can fix these things in a day or two. Or have designed it properly the first time. I don't want to sound like an ass, but I wouldn't have made this mistake (using an unsigned variable for a pointer!) if I were coding it.
Anyway, if it takes M$ this long to fix things, then their products suck. And you shouldn't buy them. If this were exploited 4 months ago, there would be 300 MILLION spam zombies/SCO DOSers/etc. Sorry if it's hard to fix. It's your problem, and you need to be accountable for the damage that your idiocy/cost-cutting/brainfart causes, M$.
My other car is first.
However, the fact that most Linux users insist on software being free (as in beer) is a major deterrent. Why would Adobe port Photoshop to people who actually believe Gimp is as good, but free?
I don't know what kind of crack I was on, but I suspect it was decaf.
Who knows, maybe these (and others) are gifts to the FBI, NSA, or whoever and they wanted them to have more time to play with them before eeye went public.
If this was really introduced around the time of sp2, wouldn't that coincide with the anti-trust case and then years later the slap on the wrist they got? How's this for a quid pro quo "Leave us alone and we'll give you access to every computer in the world!"
This is not surprising. It is only controversial because some people desperately *want* to believe that Microsoft is good. This is a juvenile reaction to the bad-mouthing that Microsoft gets. This constant bashing is in bad taste, but whether it is fair or not will be borne out entirely by the facts that are unfolding before our very eyes.
The problem with Microsoft and all of their drone customers is that the relationship is not mutually beneficial. It seems so, however, to the dupes who take the terms that the vendor pitches them. The problem with bashing the house-of-cards is all of the hurt feelings involved with people who realize it too late.
So, try not to say anything bad about Microsoft. Just be compassionate towards the people who are suffering. Try to help people realise how much they are sharing the pain with others... no wait... you'll just end up saying the same things that piss off the Microsoft drones. On second thought, just keep a CDROM on hand with something better to install, and give it to the tortured drones with a smile and your head cocked slightly to one side (AOL style). Don't say a word. It isn't necessary or even helpful.
--- Nothing clever here: move along now...
Why? Because ASN.1 is the Mos Eisley of bit-twiddly protocols, and "you'll never find a more wretched hive of scum and villainy." AFAIK, there's nothing insecure about the protocol itself, but it's so ugly that everybody tends to reuse the reference implementation rather than rewriting their own. While that has some good aspects to it, some of the original reference implementation code wasn't always careful about checking bounds, etc., and eventually the University of Oulu folks did a proper study and found the holes.
ASN.1 is one of these broad-scope protocols that tries to be everything to everybody, so it not only implements in a broad messy manner some things that were done much more simply and cleanly and debuggably in XDR, it also does some other things that are useful in a top-down hierarchical world controlled by all-knowing standards committees, and got itself included at the appropriate layers in other standards such as X.509 and H.323 (which are also big and ugly), and in SNMP (which is otherwise simple and clean and should have known better), and X.509 got itself embedded into SSL. (H.323 is the older VOIP standard, used by almost everybody even though they talk about using SIP Real Soon Now, and Microsoft Netmeeting is the popular free implementation.) One bad side of this is that very many security-critical applications have this buggy code at the bottom of them, though this is somewhat balanced by the good fact that it's so deeply buried that it's often hard to pass malicious data that far down the stack, though of course there's the ugly side which is that it's so ugly that it's hard for an interface module to verify that an ASN.1 object is malformed except by actually passing it to the vulnerable ASN.1 interpreter.
Bit-twiddly space-saving data formats are almost always a Bad Idea. As they say, people who play with the bits deserve to be bitten. ASN.1 problems make many applications hard to write and harder to debug, but in the Open Source world, PGP has gone through several iterations of security-critical bugs because they were trying to steal bits, plus backwards compatibility issues make stealth versions difficult. The theory is that it's somehow more "efficient" to save a few bits of data storage or data transmission time by using variable-length formats, trading off the space for more CPU time and program space. This isn't totally off the wall, given 20 years of Moore's Law (which seems to have improved CPU and RAM price/performance by 10**5 - 10**6, disk by about 10**5, but smaller bandwidths by only 10**3-10**4), but the cost in programmer time, debugging time, and bug impact has been immense.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
> Microsoft was notified 6 months ago.
> Either they didn't know about it before that
> or they didn't disclose that they did.
I think they knew about it before. There was the trial of Microsoft Corp v States of California & others with regards the terms of settlement of DOJ v Microsoft Corp
During that trial I seem to remember an MS VP saying that they couldn't disclose their source because Windows contained a critical and deep-seated vulnerablity and they didn't want every Tom, Dick & Harry seeing it and hence exploiting it.
My guess is that we've probably just seen it fixed. If we haven't then perhaps they should say so.
The Machine stops.
Do OSS developers fix and test every permutation of a platform in a day or two? Because that's what Microsoft has to do.
Just because it wasn't released for 6 months doesn't mean it was ignored for 6 months.
The amount of testing that has to go into a change like this is immense. For example, if they release a patch for WinXP, they have to make sure it works with WinXP RTM, WinXP SP1, WinXP SP2, etc. Include testing for permutations of major server applications.
The alternative is to release a "fix" immediately, have the "community" (millions of corporate servers) implement the fix - discover a day later that the fix broke something else - get flamed on slashdot for releasing a broken fix - release another fix that day - discover the next day that the fix broke something else - etc...
Microsoft has to be accountable for making sure any change will work on millions of server. Compare that to Johnny OSS developer who only has to make sure his fix works on his own machine.
i'm not insisting that my professional software must be free on Linux. why Maya, Houdini, Softimage is ported to Linux if Blender is there? ;-) maybe because people use software that they know exclusively and that helps them to do specific task on the best available platform? professionals don't believe that Gimp is as good as Photoshop. not yet.
The Master Control Program has chosen you to serve your system on the game grid.
These kinds of companies and organization are somewhat of an interest to me, in that they resemble the Battered Wife syndrome.
Here they are, putting all their effort into helping fix MS's products to make the software work better, only to get brushed off and ignored for six months. Then they go and complain about how horrible of a company MS is and how horrible the software is.
Two weeks later, they're at it again, trying to help solve MS's problems, and will yet again be brushed off and ignored. They'll complain and rant, and in another month when the next vulnerability is discovered, they'll be back at MS's side again trying to fix it. Repeat...
Why bother investing the time and money into a company that doesn't care? If you're going to be putting in the effort, go with something like Linux where you aren't ignored, can apply the patching yourself, release the patch, and say, "Hey, we fixed the problem. Here's the patch everyone," instead of groveling at MS's feet and trying to convince the company that they should not give every 3rd-rate script kiddie admin access.
"Slackware (well, its alive, but barely)"
New release in September, previous release only 6 months prior to that, a changelog in current at the ftp site that shows continuous update including 11 new/updated packages in the last 4 days ?
Explain to me in what way you think this is "barely" alive ?
If I were at home, I'd give you the name of the researcher who gathered actual data on this very question.
What he found after combing through tons of CERT data was that disclosure per se didn't do much to increase exploit rates.
What did matter was the release of automated attack tools based on the disclosure.
One reason for full disclosure is that it allows network owners and operators to get and install fixes. However, that also didn't make much difference over the time period he studied. Exploit rates stayed about the same after patch release. Apparently people who stay current on patches are such a small minority that they don't show in the statistics.
All that leaves plenty of room for interesting arguments over disclosure policy.
Well, they may say 'can't trust this', but their web site run IIS on Windows 2000. Actions speak louder than words...
Think global, act loco
Unlike the MS Blaster bug, which had basically one exploit and one fix (the RPC service on TCP port 135), the ASN.1 protocols are used in a dozen services that are listening on TCP/UDP ports all over the place. Servers will be especially vulnerable to this.
If you hack Active Directory you own not just the computer but the whole dang enterprise.
Gads this will be a nightmare to deal with.
According to Ted Bridis of the Associate Press, Kerberos belongs to Microsoft in his recent article, Microsoft Warns on Windows Security Flaws.
I wrote a letter to Mr. Bridis to offer a correction.
Dear Mr. Bridis;
You wrote:
"Some of Microsoft's built-in security features - such as its Kerberos cryptography system - rely on the flawed software."
This statement is factually incorrect. You're sentence should have read "... such as its implementation of the Kerberos cryptography system..."
Kerberos is, in fact, a creation of the Massachusetts Institute of Technology:
http://web.mit.edu/kerberos/www/#what_is
Please respect the intellectual property rights of MIT in your future writings.
Thanks.
"Rocky Rococo, at your cervix!"
Maybe you can enlighten all of us as to how this delay has helped Micrsoft's bottom line?
Actually, it's a resource allocation problem.
They can spend 5 developers to hunt down the bug and fix it - OR - They can assign 1 developer to work on it part-time. That one developer spends time adding more useless "innovation" onto Windows, along with the 4 developers that could've helped hunting down bugs.
The result is that Microsoft has jammed more features into Longhorn, thus making it more of a "value" to upgrade, and an increase to Micrsoft's bottomline. And the bug was left open for 6 whole months.
All you have found is that your box has OpenSSL for windows installed. AFAIK, ssleay32.dll not distributed by Microsoft, it's built from the OpenSLL source.
Actually, from what I've observed, platform dependencies in OSS software are quickly refactored into small sections of code so you generally never have to worry about a fix working on lots and lots of platforms.
So, that argument doesn't fly with me. Sorry. Apache runs on many more varied platforms than IIS, and they still manage to fix bugs when they're found extremely quickly, and release fixes immediately that, from what I can tell, don't break anything else.
Maybe if Microsoft management better managed the difference between a bug fix and a feature, that problem would be such an issue for them.
Need a Python, C++, Unix, Linux develop
I think you missed his point. He's not talking about hardware platform dependencies - he's talking about software dependencies on the fix. In this case, Microsoft had to patch almost their entire NT line of operating systems, and each OS would have a number of applications dependant on that code. The Apache/IIS comparison isn't the correct analogy for this.
Having said that, six months is still too long. I can see why Microsoft would take longer to fix this as compared to Apache, or some other OSS app, but six months is pushing it.
Servus,
6 months is not a long time for Microsoft to fix a serious security flaw. Beeing able to send batch commands since at least 1998. http://www.phrack.org/show.php?p=54&a=8
Active X is still found in IE and Microsoft doesn't even think about removing that security hole by design.
Servus
Casandro
Upon encountering your ridiculous assertion that "the Gimp is AS GOOD AS PHOTOSHOP," some souls, less driven, might merely shake their heads, titter nervously, and walk away. I am not that sort of man, and I am not prepared to let your stupidity fade away unnoticed.
Cheerio.
Can you even name that worm, I wonder?
I believe you're refering to the 'Morris Worm', released in November 1988. According to Wikkipedia, the GAO estimates the damages were between $10M and $100M US dollars.
The only people believing gimp is as good as photoshop are people who won't be doing professional graphics work anyway, and that's who photoshop targets.
Remember, photoshop costs more than $500. If you're not using it professionally, you simply can't afford it. The mac is still the default graphics design platform, with windows coming in second due to its huge desktop marketshare. Linux and graphics artists are like bananas and car tires. They make no sense together.
I'll tell you why because I work at such a company. The decision to use Microsoft products was made years ago (around 1997), and since then there has been so much ASP written, so much time put into MS-SQL stored procedures and infrastructure, so many internal processes and scripts that are custom-tailored to the Windows installations, that trying to take it all out and replace it with *nix would cost more time and money than the company can afford.
If you are still in school, or if you work in a small lab, or if you do ANYTHING except work in the real world, you probably think idiocy and stubbornness are the only things preventing the world from running *nix. At this company, and at many others I presume, at this point it makes more sense to pay a little more for the extra TCO of running and upgrading Windows than to try and rewrite the entire e-commerce website and change all internal processes. The bosses here aren't stupid - they know *nix is better, but if you even suggested the place should switch wholesale off Microsoft you'd get eye-rolling galore. It's a pipe dream.
The transition doesn't make business sense, even if the end result would.
Intercarve Networks, LLC
This is your company's fault for making the stupid decision to get themselves locked-in with a single vendor. Smarter companies try to avoid being locked in, and hopefully will eventually put you out of business.
In the meantime, every time MS decides to raise their licensing prices, you have no choice but to bend over and take it.
[boss] Well, your performance was outstanding in 2004. Very good. I'm recommending you for only a 10% pay cut this year.
[bjtuna] Pay cut??? Why? You just said my performance was outstanding!
[boss] Sorry, but all the non-managerial workers are getting a pay cut this year. Microsoft forced us to upgrade to Licensing 7, which is going to cost us a lot of money, which of course had to be taken from someplace else. Just be glad your performance wasn't rated "adequate", in
which case you'd get a 30% pay cut.
[bjtuna] What about you?
[boss] I'm getting a 10% raise. You don't think we managers would give ourselves a pay cut, do you?
[bjtuna] Maybe we should look into porting some of our apps to *nix to save on these licensing costs.
[boss] That's a pipe dream. It'd cost too much to rewrite all the ASP and MS-SQL stuff. It's easier and cheaper to just stick with MS, and cut everyone's salary.
This is pretty typical rubbish out of the mouths of people who don't live in reality. Licensing is expensive, but not expensive enough to cause major cuts in other parts of the budget.
Is it my company's fault for not using *nix? Of course. I did know you were going to say that, and I couldn't pre-empt it enough in my original post because you said it anyway. But the company was not founded by technologists - it was founded by two guys in 1997 who wanted to sell stuff online and had a little coding experience.
I reiterate. At this point, it's too difficult to rewrite everything.
Intercarve Networks, LLC