Slashdot Mirror


Latest SP2 News

Xformer writes "It seems that SP2 for Windows XP isn't as secure as Microsoft touts it to be. Heise Security has uncovered two flaws in SP2's bolstered security measures, both of which may be used to get around the new trusted/untrusted executable origin checks. Of course, who would be surprised by this?" Reader EtherNetFreak writes "Well it appears that at least one hotfix is already available to fix yet another bug in Windows XP, post SP2 application." Reader Finalnight writes "'Microsoft Corp. yesterday delayed yet again its oft-delayed Windows XP Service Pack 2, this time postponing the patch's distribution through the company's Automatic Update service.'"

483 comments

  1. Where is SP2... by Anonymous Coward · · Score: 0

    For some reason SP2 doesn't show up in Windows Update for me, I already have SP1. My friend gets this same problem.

    1. Re:Where is SP2... by Jasperke · · Score: 2, Insightful

      Problem? Problem? How can you call that a problem?

      You just don't realize how lucky you are...

    2. Re:Where is SP2... by Hungry+Student · · Score: 4, Informative

      SP2 isn't available through Windows Update, only through Automatic Update. There is a difference. Automatic Update runs in the background, checking your patch status against MS and downloading as required, it's set up from Control Panel > Automatic Updates. Windows Update is the on-demand website visit. SP2 won't be available through Windows Update until the 25th August.

    3. Re:Where is SP2... by pmcc · · Score: 2, Interesting

      I remember hearing that Service Pack 2 will not be available manually via Windows Update until sometime around August 25. Until then you need to get it via automatic update or an external installer. However these external installers are somewhat harder to come by than previously, as Microsoft has shut many of them down - which is a shame since they were very fast torrents. Oh well.

    4. Re:Where is SP2... by Anonymous Coward · · Score: 0

      Thanks.

      This seems odd though, why would it only be available automatically? Wouldn't it be pretty easy for them to have it on Windows Update too?

    5. Re:Where is SP2... by nacturation · · Score: 4, Informative

      Until then you need to get it via automatic update or an external installer. However these external installers are somewhat harder to come by than previously, as Microsoft has shut many of them down - which is a shame since they were very fast torrents. Oh well.

      Yes, those external installers are very hard to come by indeed! But hopefully downloading directly from Microsoft's gigabit backbone qualifies as being fast enough for ya.

      --
      Want to improve your Karma? Instead of "Post Anonymously", try the "Post Humously" option.
    6. Re:Where is SP2... by pmcc · · Score: 1

      Ahh, for a while that Microsoft link wasn't working, and a couple of Torrents of it were around on the net (which I used to get SP2 for my XP Box).

    7. Re:Where is SP2... by Tim+C · · Score: 3, Informative

      They're probably trying to spread the load, and avoid having their servers bogged down by lots of people all trying to download it at once. I read somewhere that they're going to do a geographically-targeted rollout via automatic updates, eg one country will get it, then a couple of days later another, and so on.

      Also, for modem users, getting it via automatic updates is a much better idea, as that can (I believe) handle resuming downloads, which using windows update probably can't do.

    8. Re:Where is SP2... by Rufus211 · · Score: 5, Informative

      actually it's not available through Windows Update OR Automatic Update (yet). It's only available as a direct download from here

    9. Re:Where is SP2... by Stauf · · Score: 2, Informative

      You can also get it from Microsoft as a 266 meg download if you're impatient.

    10. Re:Where is SP2... by Hungry+Student · · Score: 3, Informative

      It should be out today:

      - August 18: Release to Automatic Updates for users running XP Home only
      - August 25: Release to Automatic Updates for all XP users, including those running XP Pro, and to Windows Update for interactive user installations

    11. Re:Where is SP2... by ElderKorean · · Score: 2, Informative

      Well then I don't know what my computer has been running since yesterday then.

      SP2 for me has already been downloaded and installed as part of Automatic Updates. It took a while amongst the other downloads though.

      August 17 in Australia.
      XP Pro.

    12. Re:Where is SP2... by Anonymous Coward · · Score: 0

      I thought that said Xbox then... I need sleep

    13. Re:Where is SP2... by Anonymous Coward · · Score: 0

      Does anyone happen to know the link for buying it on CD?

    14. Re:Where is SP2... by mr_z_beeblebrox · · Score: 2, Informative

      actually it's not available through Windows Update OR Automatic Update (yet). It's only available as a direct download from here

      Actually it is available both ways. The auto update method is kind of neat because it does not show up as an available download but downloads as a background download. Eventually the computer advertises updates to install and SP2 is one of them. I do not know if there is a special way to cause this behavior or not. I administer about 70 PCs and of those SP2 has appeared on around 20 of them?

    15. Re:Where is SP2... by Davak · · Score: 1

      XP SP2 is not yet available on CD

      Dial-up killing you? :)

      Davak

    16. Re:Where is SP2... by Davak · · Score: 1

      Lucky, heck... until these problems are figured out, we are suggesting to our users not to allow Microsoft to install this puppy.

      Microsoft has released an executable and there is a registry hack to prevent SP2 from being automatically updated to SP2.

      It's bad enough to install this thing for yourself; you know to be looking for bugs.

      However, if this thing rolls across several users' systems in the middle of the night, admins are going to have a bitch the next morning.

      I'm not saying that we are not going to ever install SP2. We just want to be able to control how and when...

    17. Re:Where is SP2... by Anonymous Coward · · Score: 0

      But hopefully downloading directly from Microsoft's gigabit backbone qualifies as being fast enough for ya.

      But I'm only getting 1500KB/s from Microsoft's site! That is too slow for me. I mean, it takes a whole 5 minutes to download SP2. :-(

    18. Re:Where is SP2... by ManxStef · · Score: 4, Informative

      XP SP2 was definitely made available on the 16th (Monday) for Software Update Services (SUS - soon to be called WUS), 'cause it shows up in my list of downloaded updates (and there was a big spike of incoming traffic in my MRTG logs on Monday morning) - not that I'll be approving it just yet ;) Whether they've pulled it from this distribution channel I'm not sure, but given that most SUS installs update daily it's probably too late to bother.

      BTW, for any small NT network admins I'd highly recommend SUS. It's basically the same as Automatic Updates but centralized to one (or more) of your servers, saving you bandwidth and allowing control of which patches are approved for internal distribution (so can hold back until you've done your testing), amongst other things. For more info see the link above; it's remarkably easy to set up and roll out.
    19. Re:Where is SP2... by WuphonsReach · · Score: 1

      I've seen rumors that MS is throttling the number of systems that can download SP2 automatically. So only a limited number of systems per day will receive SP2 as a download.

      --
      Wolde you bothe eate your cake, and have your cake?
    20. Re:Where is SP2... by Anonymous Coward · · Score: 1, Informative

      I work for MS thus the AC (so you can choose to believe me or not, whatever). I know the guys managing the project (the distribution, not the actual SP2 development, don't know those guys), they planned for 2 million a day via auto update and for the first few days were doing that. I haven't spoken to them this week so not sure if they have stuck to that or not, but that was definitely the plan.

    21. Re:Where is SP2... by I(rispee_I(reme · · Score: 1

      Or maybe he was referring to this.
      Nice metatroll.

    22. Re:Where is SP2... by Anonymous Coward · · Score: 0

      No, the price for broadband was so I got rid of it :-)

    23. Re:Where is SP2... by HermanAB · · Score: 1

      I tried to download it using Firefox on a Linux machine and it won't work. Is there a way to do this so I can distribute it to my Windows boxen without exposing them to the eeevull internet?

      --
      Oh well, what the hell...
  2. sp2 by zxflash · · Score: 2, Funny

    SP2 for Windows XP isn't as secure as Microsoft touts it to be

    you just blew my mind :)

    --

    All the torrents you could want.
  3. Yeah? So? by Anonymous Coward · · Score: 0

    They were there before SP2, how does this place the SP2 at fault?

  4. 'Flaws' Not that big of a deal by Novanix · · Score: 5, Insightful

    These "flaws" are not really that big of a deal. The idea of warning is so that files are not run afterwards by mistake. They give an exploit in which someone opens cmd.exe, then drags the file into it. Well if the user will follow along and execute some command they suggest, then things are already out the window. In addition the other exploit talks about overwriting a current file and it not showing a warning, once again if they can get you to overwrite a file on your hard drive with their file then you are already gone.

    1. Re:'Flaws' Not that big of a deal by MonTemplar · · Score: 0, Redundant

      They're working on a fix for this - Microsoft Clue for Users* :)

      -MT.

      * Pronounced with a silent L.

      --
      -MT.
    2. Re:'Flaws' Not that big of a deal by asciono · · Score: 4, Insightful

      One thing is when Slashdot covered the SCO stuff, when it was hot, about five times per day. But SP2? C'mon! Microsoft just loves being in the spotlight.

      Until CodeWeavers comes up with a nice patch for wine to make SP2 work, please stop the presses!

    3. Re:'Flaws' Not that big of a deal by Spy+Hunter · · Score: 2, Insightful

      Yeah, these "flaws" are retarded. Telling people to open a command line and run a command with several arguments is much more complex than simply telling them "click yes on the security dialog to run the program". Clicking yes on dialog boxes is something users do all the time and don't think twice about. In fact, if Microsoft really wanted to make it difficult to run programs downloaded from the Internet, they could have *required* that users perform heise's procedure to run them. It would probably be more effective than a simple warning dialog.

      --
      main(c,r){for(r=32;r;) printf(++c>31?c=!r--,"\n":c<r?" ":~c&r?" `":" #");}
    4. Re:'Flaws' Not that big of a deal by Sancho · · Score: 2, Insightful

      I think it's a bigger deal than you think.

      The issue at hand is that there exists a way to execute programs without checking the ZoneIDs. That's less secure than desirable. All methods of execution should be secured. There are bound to be scenarios where this could be exploited that don't involve the user opening up a cmd window and typing the command.

      That said, yeah yeah yeah, Windows isn't secure, blah blah blah, Linux rules, etc.

    5. Re:'Flaws' Not that big of a deal by alex_tibbles · · Score: 4, Insightful

      It depends. The 'flaw' here is that certain actions that *sound* OK are not. In a perfect system, all insecure actions would be *obviously* insecure (like "open a root shell and type the command '0wnme'").
      It's like the social engineering attack: "Can I have your username?". People are told not to dish out their passwords, but usernames should be fine, right? Attacker then calls tech support (at the same company) saying: "Hi, I've forgotten my password. My username is . Please reset it for me."

    6. Re:'Flaws' Not that big of a deal by phobonetik · · Score: 5, Insightful

      Yes - agreed - to be exact; "With Service Pack 2, Microsoft introduces a new security feature which warns users before executing files that originate from an untrusted location (zone) such as the Internet. There are two flaws in the implementation of this feature: a cmd issue and the caching of ZoneIDs in Windows Explorer. The Windows command shell cmd ignores zone information and starts executables without warnings. Virus authors could use this to spread viruses despite the new security features of SP2. Windows Explorer does not update zone information properly when files are overwritten. So it can be tricked to execute files from the internet without warning."
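The two failure modes in the advisory text quoted above (a launcher that never consults the zone information, and zone information that is not refreshed when a file is overwritten), as an added Python model that is not part of this thread, of heise's advisory or of Windows. `FileStore`, the two gate classes, `launch` and the sample path are hypothetical names; caching the zone by path is an assumed simplification of the Explorer behaviour, and the `[ZoneTransfer]`/`ZoneId` text is the format of the NTFS `Zone.Identifier` stream.

```python
import configparser

UNTRUSTED_ZONES = {3, 4}  # Windows URL zones: 3 = Internet, 4 = Restricted Sites


def parse_zone_identifier(stream_text):
    """Return the ZoneId from Zone.Identifier stream text, or None if absent or malformed."""
    if not stream_text:
        return None
    parser = configparser.ConfigParser()
    try:
        parser.read_string(stream_text)
        return parser.getint("ZoneTransfer", "ZoneId")
    except (configparser.Error, ValueError):
        return None


class FileStore:
    """Constructed in-memory stand-in for a disk: path -> (content, zone stream text)."""

    def __init__(self):
        self.files = {}

    def write(self, path, content, zone_stream=None):
        # An overwrite replaces both the content and its origin marker.
        self.files[path] = (content, zone_stream)

    def zone_of(self, path):
        return parse_zone_identifier(self.files[path][1])


class CachedZoneGate:
    """Flawed model: remembers the first zone seen for a path and never refreshes it."""

    def __init__(self, store):
        self.store = store
        self.cache = {}

    def needs_warning(self, path):
        if path not in self.cache:
            self.cache[path] = self.store.zone_of(path)
        return self.cache[path] in UNTRUSTED_ZONES


class FreshZoneGate:
    """Corrected model: reads the origin marker again at every launch."""

    def __init__(self, store):
        self.store = store

    def needs_warning(self, path):
        return self.store.zone_of(path) in UNTRUSTED_ZONES


def launch(path, gate, via_checked_path=True):
    """Return 'warn' or 'run'. via_checked_path=False models a launcher that skips the gate."""
    if via_checked_path and gate.needs_warning(path):
        return "warn"
    return "run"


def demo():
    path = r"C:\tools\setup.exe"  # constructed sample path
    store = FileStore()
    store.write(path, b"local build")  # created locally: no origin marker
    cached, fresh = CachedZoneGate(store), FreshZoneGate(store)
    before = (launch(path, cached), launch(path, fresh))

    # The same path is overwritten by a file carrying an Internet-zone marker.
    store.write(path, b"downloaded", "[ZoneTransfer]\nZoneId=3\n")
    after = (launch(path, cached), launch(path, fresh))

    # A launcher that never calls the gate runs the file whatever the marker says;
    # the check only holds if every execution path goes through it.
    bypass = launch(path, fresh, via_checked_path=False)
    return before, after, bypass


if __name__ == "__main__":
    print(demo())
```
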

    7. Re:'Flaws' Not that big of a deal by Anonymous Coward · · Score: 0

      You can also execute applications under linux in the console.
      Hey wait, linux has that bug too!

    8. Re:'Flaws' Not that big of a deal by Svennig · · Score: 2

      Completely off topic, I admit, but I've seen your sig before and can't work out what it does. What does it print out?

    9. Re:'Flaws' Not that big of a deal by IchBinEinPenguin · · Score: 2, Insightful

      yet another 'internet zone' bug.

      Does anyone use/trust these things anymore?

    10. Re:'Flaws' Not that big of a deal by Anonymous Coward · · Score: 1, Insightful

      Indeed. Just more anti-MS FUD.

      Perhaps I should release one for GNU/Linux distros... something like...

      "Commands run from command prompt execute commands" or more generally "Platform intended for executing arbitrary commands capable of executing arbitrary commands"

      I mean really... what's next? Someone sends a vulnerability warning about "users able to be duped into adding new user accounts by malicious hackers"? Or maybe "Computer in the 'on' state runs code"

      *sigh*

      some people...

    11. Re:'Flaws' Not that big of a deal by BarryNorton · · Score: 2, Informative
      Telling people to open a command line and run a command with several arguments
      Sorry, who's telling people to do that? The point made was, rather, that compromised machines can still be made to bypass this mechanism since it's not been built into the command line interface.
    12. Re:'Flaws' Not that big of a deal by Shirotae · · Score: 2, Interesting

      The specific flaws may not be big deal today, but Jürgen Schmidt's article Microsoft: A matter of trust makes some very good points about what the response says about Microsoft's attitude to the problem. One of the biggest obstacles to security is the "it hasn't been exploited yet so it isn't a problem" attitude in those who hold the purse strings. It is a recipe for always doing too little, too late.

    13. Re:'Flaws' Not that big of a deal by BarryNorton · · Score: 1
      Does anyone use/trust these things anymore?
      If people here don't, is it really a problem of flaws in the initial implementation (which is usually the case with any new idea) or is it just plain 'not invented here' syndrome?...
    14. Re:'Flaws' Not that big of a deal by Saint+Stephen · · Score: 1

      The cmd.exe social engineering: run this gif through cmd.exe, is a very interesting one. In all my nefarious machinations I'd never thought of that one.

      On the contrary I think these are some very interesting bugs.

    15. Re:'Flaws' Not that big of a deal by EpsCylonB · · Score: 4, Insightful

      Microsoft just loves beeing in the spotlight.

      I think you have too high an opinion of Slashdot. Why would microsoft care one way or the other about a website whose readers are 1) a minority of windows users and 2) heavily biased towards linux.

      On the other hand it makes sense for slashdot to post these stories because there is almost certainly some admins here who want to hear the latest news about sp2.

    16. Re:'Flaws' Not that big of a deal by kaschei · · Score: 1

      Still, it should check to make sure that you don't give a file permissions it doesn't have. A thousand different installation programs use "setup.exe"-- authorizing one of them shouldn't authorize every installer that comes along using that filename. Agnitum Outpost warns me every time I click on an installation that uses setup.exe, or when I patch games that require network access, to make sure some bogey program hasn't messed with my executables. If every virus had to have an "OK?!" dialogue to install, a few of the less-clueless might think to hit "cancel."
      Granted, the article made it seem like microsoft should be most concerned about idiotproofing, when there is a point past which all you are doing is making life more difficult for the powerusers.

      --
      I should not talk so much about myself if there were anybody else whom I knew as well. -Henry David Thoreau
    17. Re:'Flaws' Not that big of a deal by LiquidCoooled · · Score: 5, Interesting

      I don't know about you, but just being Open Source fan unfortunately does not mean I can stay away from Windows.

      In the real world, we have jobs and PHBs and spouses who don't want to disrupt things or break working apps (Sims for the missus, god help me if I break that one!).

      I think the SP2 stories are required reading at the moment, and at the same time, I am glad the comments are littered with cynical remarks and questions. We need to question the motives of these companies, and we need to test SP2 to breaking point.

      We want Linux to "take over the desktop", but at this point, as a compromise I am happy running Firefox and OO.org.

      I won't try and say I dual boot, I find the thought of having to reboot an entire computer just to run one program absolutely stupendous, but when I get my linux bug I always have a knoppix disk lying around :)

      --
      liqbase :: faster than paper
    18. Re:'Flaws' Not that big of a deal by laa · · Score: 0, Offtopic

      Similarly completely out of topic:

      Me neither, so I compiled it
      (11:48) nagu ~/temp > sig

      #
      # #
      # ` #
      # # # #
      # ` ` ` #
      # # ` ` # #

      --
      Why does the kernel go through stable and then unstable forks? Can't it always be a stable build, like with Windows?
    19. Re:'Flaws' Not that big of a deal by Anonymous Coward · · Score: 0

      a minority of windows users

      Bzzt! Wrong, bucko.

      "Curiously, a poll on Slashdot suggests that approximately half of all Slashdot visitors actually use a Microsoft Windows operating system with only a third using some form of Linux".

      There is also a quote by CmdrTaco that I can't find at the moment.

    20. Re:'Flaws' Not that big of a deal by Anonymous Coward · · Score: 0

      Well, the problem with your example is with tech support, not with the user. The username should be okay to hand out (and when it is the basis of the person's email address at the company it is handed out on a regular basis).

      The user shouldn't have to worry about tech support not verifying their info correctly. Sounds like you should fire the people at that company's helpdesk and institute some proper controls if that is enough to get a Kevin Mitnick-wannabe access.

    21. Re:'Flaws' Not that big of a deal by EpsCylonB · · Score: 2, Informative

      Bzzt! Wrong, bucko.

      "Curiously, a poll on Slashdot suggests that approximately half of all Slashdot visitors actually use a Microsoft Windows operating system with only a third using some form of Linux".

      There is also a quote by CmdrTaco that I can't find at the moment.


      I don't want to get all pedantic but did you read what I said ?, I already knew that the majority of slashdotters run windows.

      I said that the slashdot readership makes up a minority of all windows users.

      You said that the slashdot readership makes up the majority of the all windows users.

      Think about what you are trying to say.

    22. Re:'Flaws' Not that big of a deal by jkrise · · Score: 1

      A more fundamental question: will this SP2 make XP more secure. The simple answer is NO. So, why bother installing it?

      -

      --
      If you keep throwing chairs, one day you'll break windows....
    23. Re:'Flaws' Not that big of a deal by Anonymous Coward · · Score: 0

      No, the zone stuff is inherently flawed. The only really good security is via capabilities (see eros) (and note that windows and linux BOTH SUCK in that respect... though linux with rsbac mightn't one day - but unfortunately, the also flawed grsec has LKML's ear instead of rsbac.)

    24. Re:'Flaws' Not that big of a deal by Sancho · · Score: 4, Interesting

      That's a very interesting point. "Zones" in Windows seem to be a feature slightly too technical for your average user (the ones who might really benefit if it was implemented well) but completely useless and potentially burdensome to people with even a moderate level of computer knowledge. That makes it an almost worthless feature, in my book. The novices won't know how to use it, and the experts won't care to.

    25. Re:'Flaws' Not that big of a deal by Anonymous Coward · · Score: 0

      Exactly! Why bother installing any patches or service packs anyways.

    26. Re:'Flaws' Not that big of a deal by BarryNorton · · Score: 1
      The only really good security is via capabilities (see eros)
      By which I assume you mean this:

      EROS is a pure capability system. A capability uniquely identifies an object and a set of access rights. Processes holding a capability can perform the operations permitted by those access rights on the named object. Holding a capability is a necessary and sufficient condition for accessing the associated object with the authority granted by that capability. There is no other way to perform operations on an object.

      One advantage to the capability approach is that the EROS kernel does not need to support any notion of user identity. The login agent hands each user their initial authorities, from which they can access whatever objects are (transitively) reachable.

      Most capabilities can be rescinded. For example, a process holding access to a terminal port loses its authority on that port each time the system is restarted. This is necessary to ensure that connections are re-established when appropriate.

      A common confusion about capabilities is that they are incompatible with more conventional protection models. While the EROS kernel knows nothing about capabilities, user domains (processes) are free to implement whatever authentication mechanisms they wish. The EROS unix emulator, for example, implements the customary unix semantics based on user identity.

      (http://www.eros-os.org/project/novelty.html#capabilities)

      But, clever as that may be (and subject, one hopes, to a thorough implementation in Eros and possibly in Linux via rsbac), it doesn't clarify how one goes about gaining the capability to run a new file downloaded from the Internet.

      In that regard (unless I've missed something) it's orthogonal to Microsoft's approach (or, rather, this aspect of it)...

    27. Re:'Flaws' Not that big of a deal by alex_tibbles · · Score: 2, Interesting

      Yes. The system as a whole is vulnerable. I don't see how the individual tech support person can help though. How would they verify that they are talking to the right person? Asking them to remember some secret piece of information to prove their identity is exactly what they have just proved they cannot do. What are the other options?

    28. Re:'Flaws' Not that big of a deal by vk2 · · Score: 2, Informative
      What part of the poll disclaimer you don't understand ?

      This whole thing is wildly inaccurate. Rounding errors, ballot stuffers, dynamic IPs, firewalls. If you're using these numbers to do anything important, you're insane.

      --
      No Sig for you.!
    29. Re:'Flaws' Not that big of a deal by Ilgaz · · Score: 4, Interesting

      I run Intego netbarrier on OS X (yep, shoot me) and man, these days I am on 56k k (shoot again)... :)

      Getting 3 kb/sec and continuous alert sounds, I wondered what the heck happened, checked logs.

      A new stupid lamer virus checking my port 135. I am on OS X right? FreeBSD based? Got firewall? nothing helps. I am affected by STUPID windows and some jerks opening attachments.

      So, I really hope SP2 will work as advertised, at least stopping viruses coding in VISUAL BASIC for Gods sake... I am not making any sarcasm. I hope it works and guess what? Only owning Macs, I watch all stories about SP2 with Yahoo alerts etc.

    30. Re:'Flaws' Not that big of a deal by Jarnis · · Score: 1

      Heh.

      SP2 makes XP a lot more secure. Critically more secure, if we are talking about updating a system that has not been fed its daily ration of hotfixes from windows update.

    31. Re:'Flaws' Not that big of a deal by caswelmo · · Score: 1

      I have noticed a nice little trend in our family that popped out of SP2. My wife now actually attempts to make an effort at security "smarts". The browser seems to be much better, and with the little info pop-up toolbar, it makes it easier for me to set "high" security settings and explain to my family how to get what they want by clicking correctly on trusted sites.

      I see the update as more of a helper to less savvy users than those of us who were already security bots.

    32. Re:'Flaws' Not that big of a deal by red+tiger · · Score: 1
      I agree that these flaws are really only for those kids who don't think, just do what is said. Why should a thinking man think that descrambler has a name like cmd?? Unfortunately, there are many people like this among Windowsers... :-/
      <offtopic>
      Ha! My machine has more bits!
      The last line has 16 #'s!
      </offtopic>
    33. Re:'Flaws' Not that big of a deal by rseuhs · · Score: 2, Insightful
      Telling people to open a command line and run a command with several arguments is much more complex than simply telling them "click yes on the security dialog to run the program".

      Is it really?

      On the phone it's great to be able to say "Press Alt-F2 and then P-R-O-G-R-A-M", it's much more efficient and straightforward than "Press Start, then go to that submenu, then go to that submenu, then search for PROGRAM, then click it"

    34. Re:'Flaws' Not that big of a deal by Anonymous Coward · · Score: 0

      That's a very interesting point. "Zones" in Windows seem to be a feature slightly too technical for your average user

      Hmmmm if zones are too technical to configure, then linux must be impossible for people and then /.'s wonder why people are still using freakin windoze.

    35. Re:'Flaws' Not that big of a deal by Xerp · · Score: 2, Funny

      Yes - agreed - to be exact; "With Service Pack 2, Microsoft introduces a new security feature which warns users before executing files that originate from an untrusted location (zone) such as the Internet. There are two flaws in the implementation of this feature:

      1. It doesn't work
      2. It doesn't work

      Now, I know technically speaking this is just one flaw, but it was such a big one I thought it was worth mentioning twice.

      (Thanks Red Dwarf!)

    36. Re:'Flaws' Not that big of a deal by f0rt0r · · Score: 1

      Interesting. Did this poll give the option for 'both'? Or for 'windows at work, linux at home'? I use Windows and Unix at work, and Linux at home. Well, splitting hairs I do have Windows running in a VMWare virtual machine as I haven't found a good replacement for my client/server backup software that works under Linux yet, but I am looking.

      Just checking browser strings would be misleading as they are often faked on purpose, but you mentioned a poll. Is the poll still available for viewing?

      --
      I can't afford a sig!
    37. Re:'Flaws' Not that big of a deal by recharged95 · · Score: 1
      Yes, the problem itself is trivial, but it's a big deal, like millions and millions of [lazy to install hotfixes] windows users.

      Strength in numbers does work both ways.

    38. Re:'Flaws' Not that big of a deal by pboulang · · Score: 2, Interesting
      Run it. Obviously it only prints things out to screen, so not exactly a security concern.

      pretty, it's a fractal.

      --

      This comment is guaranteed*

      *not guaranteed

    39. Re:'Flaws' Not that big of a deal by Phisbut · · Score: 1
      Why should a thinking man think that descrambler has a name like cmd??

      Because cmd stands for Common Machine-code Descrambler

      --
      After 3 days without programming, life becomes meaningless
      - The Tao of Programming
    40. Re:'Flaws' Not that big of a deal by Anonymous Coward · · Score: 0

      But...

      2) heavily biased towards linux.

      So we are heavily biased towards linux, but still using windows. Right...

    41. Re:'Flaws' Not that big of a deal by Spy+Hunter · · Score: 2, Informative

      Heise is! Didn't you even notice the "sample email worm" given by heise? How did this get modified informative? Stupid crack-smoking mods. Aren't you familiar with the oh-so-popular "email with executable attached that the user must manually run to start the virus"? Once the machine is compromised, the game is already over, because the virus can run whatever code it wants regardless of WinXP's new security features.

      --
      main(c,r){for(r=32;r;) printf(++c>31?c=!r--,"\n":c<r?" ":~c&r?" `":" #");}
    42. Re:'Flaws' Not that big of a deal by slandis · · Score: 2, Insightful

      I work as a local Support Tech, but on occasion I have to call our corporate IT people to get password changes for users (central Novell system). The solution to this is that I can call and have a password changed, and so can anybody; but the new temporary password is left ONLY on the voicemail box of whichever user is getting the password change. Even I don't get told the new password.

      This assumes the voicemail boxes are fairly secure, of course. But it mostly prevents random asshat from grabbing your username and calling up to get it cleared or a new temp one generated.

      --
      BAM!
    43. Re:'Flaws' Not that big of a deal by Senzei · · Score: 1
      So suddenly having information that semi backs up a point on a slashdot discussion is something important? In that case why is the poll even posted, I can think of few things of less impact on my life than slashdot.

      Now back to the slashdot article that is serving as my current distraction from work.

      --
      Slashdot: Where anecdotes and generalizations can be freely substituted for facts, logic, or intelligence
    44. Re:'Flaws' Not that big of a deal by Arkaein · · Score: 1

      Why would microsoft care one way or the other about a website whose readers are 1) a minority of windows users and 2) heavily biased towards linux.

      Well, they seem to care enough to advertise their development tools on a pretty much permanent basis here.

    45. Re:'Flaws' Not that big of a deal by Senzei · · Score: 1
      "Computer in the 'on' state runs code"

      They do? I better shut down the work servers before someone puts some code on there. I'd hate for our systems to be hacked by some mali

      --
      Slashdot: Where anecdotes and generalizations can be freely substituted for facts, logic, or intelligence
    46. Re:'Flaws' Not that big of a deal by EpsCylonB · · Score: 4, Interesting

      But...

      2) heavily biased towards linux.

      So we are heavily biased towards linux, but still using windows. Right...


      How are the two mutually exclusive ?

      Linux is a very successful server operating system but so far its desktop penetration is relatively low. Many people may be reading slashdot at work where they have no choice of what operating system is run on the desktop.

      I personally run WinXP (cause I like games) but have used a Linux box as router in the past. So technically I use both windows and linux.

      In fact there are many reasons to explain the windows desktop dominance even in a techie demographic like the slashdot readership.

    47. Re:'Flaws' Not that big of a deal by BarryNorton · · Score: 1
      Didn't you even notice the "sample email worm" given by heise?

      This one?

      attached you find the copy of your access data you requested. For security reasons, the file is scrambled and can only be viewed with cmd. To view it, save the attached file, execute "cmd" from the start menu, drag&drop the file into the new window and hit return. cmd will descramble the file for you.

      Which bit, exactly, has them typing in "several arguments"?

      This bit:

      cmd /c evil.exe

      executes the file evil.exe without warning, regardless of its ZoneID. Even worse: If an executable file is saved as evil.gif, the command

      cmd /c evil.gif

      Is not intended to be an exploit.

      As for:

      Once the machine is compromised, the game is already over, because the virus can run whatever code it wants regardless of WinXP's new security features.

      Perhaps I've misunderstood, but I completely disagree with you. As far as I understand it, it's quite a common thing to do to transfer an executable to a compromised machine in order to run it. If such a thing cannot be done without visible user interaction that would be significant.

    48. Re:'Flaws' Not that big of a deal by Alsee · · Score: 1

      I dunno about you, but I think the fact that Windows XP will merrily EXECUTE A TEXT FILE (.txt) is absolutely appalling and horrifying!

      Whoever did that should receive a brain reformat.

      -

      --
      - - You can't take something off the Internet! That's like trying to take pee out of a swimming pool.
    49. Re:'Flaws' Not that big of a deal by sqlrob · · Score: 2, Informative

      chmod a+x readme.txt

    50. Re:'Flaws' Not that big of a deal by Anonymous Coward · · Score: 0

      I think you raise the more general point that none of these security models -- multiuser or capabilities -- are really designed for the Personal Computer user. Instead every system is still designed around organizational configurations.

      Nobody has a real solution for mixing 'trusted' files and programs with the stuff from email, www, and kazaa.

    51. Re:'Flaws' Not that big of a deal by mcbain942 · · Score: 1

      Actually not true. What microsoft doesn't understand is small vulns can be combined with other small vulns that can create one big problem. For example let's say a vuln comes out (again) where you can execute cmd.exe from a webpage. Thanks for microsoft ignoring small vulns like known location of temp files for outlook, all one would have to do is run cmd /c shell:profile/temp/pic[1].jpg So please, even minute vulns need to be patched!!

      --
      I will not disclose a 0 day again I will not disclose a 0 day again I will not disclose a 0 day again I will not disc
    52. Re:'Flaws' Not that big of a deal by js3 · · Score: 2, Interesting

      no components of the system are vulnerable. It's like running a program with a buffer over that listens on ports under LOCAL_SYSTEM. What is happening here is IE firmly plants itself as an administrator and adds an insecure layer of its own protection. By taking advantage of this you can gain system level access. If you don't run IE you won't have these problems but as IE is almost part of the system it is unavoidable..

      --
      did you forget to take your meds?
    53. Re:'Flaws' Not that big of a deal by alex_tibbles · · Score: 2, Insightful

      Not bad policy, perhaps. Are voice mail boxes remotely accessible? Externally remotely accessible? Does anything enforce the temporary nature of the password?

    54. Re:'Flaws' Not that big of a deal by Alsee · · Score: 1

      chmod a+x readme.txt

      Yes, execute attributes are handled differently between Windows systems and *nix. The windows equivalent of that command would be "rename readme.txt readme.exe". If you want to make that comparison then it's more like recompiling your kernel to ignore the x flag.

      -

      --
      - - You can't take something off the Internet! That's like trying to take pee out of a swimming pool.
    55. Re:'Flaws' Not that big of a deal by Wile_E_Peyote · · Score: 1

      The end user doesn't need to know how to use it. If a file is not safe they receive a warning.

    56. Re:'Flaws' Not that big of a deal by Anonymous Coward · · Score: 0

      usernames should be fine, they are the first half of your e-mail address and generally are fairly easily guessable. If them being public is dangerous then you are in serious trouble.

    57. Re:'Flaws' Not that big of a deal by borgboy · · Score: 1

      Actually, NTFS does have an execute permission.
      Traverse folder / Execute file

      --
      meh.
    58. Re:'Flaws' Not that big of a deal by Anonymous Coward · · Score: 0
      I think you have too high an opinion of Slashdot. Why would microsoft care one way or the other about a website whose readers are 1) a minority of windows users and 2) heavily biased towards linux.

      Somebody may want to link to the recent Slashdot Poll, which stated around half of /.ers were indeed full-time Windows users.

      As for being "heavily biased", I attribute it to insanely vocal zealots. Unfortunately, most MS-positive posts get modded down, so we really aren't getting to 'see' the whole picture.

    59. Re:'Flaws' Not that big of a deal by RzUpAnmsCwrds · · Score: 1

      "That's a very interesting point. "Zones" in Windows seem to be a feature slightly too technical for your average user (the ones who might really benefit if it was implemented well) but completely useless and potentially burdensome to people with even a moderate level of computer knowledge. That makes it an almost worthless feature, in my book. The novices won't know how to use it, and the experts won't care to"

      It's actually quite useful. If you download an executable and then later try to run it, it gives you a second warning that the file might be dangerous.

      These two "flaws" change nothing. The second flaw really is one, and it should be fixed. The first is a design feature.

      If a hacker can get a user to download a file, ignoring the first security dialog, launch a command prompt, drag the file in, and run the file, is it really Microsoft's fault that the file executes like it's supposed to?

    60. Re:'Flaws' Not that big of a deal by Spy+Hunter · · Score: 1
      That "exploit" is not worded very well (to work it would have to explain more thoroughly how to run "cmd" since most users won't know you have to use the "run" start menu item), requires users to type in two places (granted, they're not typing arguments), requires users to save the executable and locate it afterwards, and requires users to correctly manage the input focus between several windows (users are likely to simply drag the file from Explorer to the cmd window, which leaves the focus on the executable's icon in Explorer, meaning that pressing Enter will display the warning dialog as usual. An extra click is required to focus cmd before pressing Enter, but this is non-obvious). Also it doesn't work with the .gif trick, so it requires a mail system that accepts executable attachments and a mail client that allows you to save executables (unlike the last several versions of Outlook). In other words, this virus is DOA.

      Also, if you think a puny dialog box is going to stop a running virus from executing whatever it likes, you must not have a very good grasp of what it means to have compromised a machine. Once a machine is compromised, the virus can do *anything it wants* that is within the capabilities of the user account it has compromised. The virus could press the "yes" button on the security dialog automatically before the user sees it. It could remove the NTFS stream that marks the executable as downloaded from the Internet. It could use the same system call "cmd" uses to run the code without the warning dialog. It could read the code directly into memory and execute it in its own process, bypassing any Windows restrictions on executable files. It could do any of a million other things to execute code.

      --
      main(c,r){for(r=32;r;) printf(++c>31?c=!r--,"\n":c<r?" ":~c&r?" `":" #");}
    61. Re:'Flaws' Not that big of a deal by BarryNorton · · Score: 1
      [...]requires users to type in two places (granted, they're not typing arguments), requires users to save the executable and locate it afterwards, and requires users to correctly manage the input focus between several windows (users are likely to simply drag the file from Explorer to the cmd window, which leaves the focus on the executable's icon in Explorer, meaning that pressing Enter will display the warning dialog as usual. An extra click is required to focus cmd before pressing Enter, but this is non-obvious).

      Type? You seem to have conceded the point that typing arguments is not necessary, but then you keep digging! None of this requires typing!

      As far as your assertion:

      The virus could press the "yes" button on the security dialog automatically before the user sees it

      That would seem (as far as I've understood recent stories on /. - IANAH, so to speak) to require the transfer of a VNC server, which itself should (not that I'm saying the implementation is right yet) be 'Internet zone' executable code and subject to the same check... hence circularity and no progress... no?

      It could remove the NTFS stream that marks the executable as downloaded from the Internet

      Could it? So using this is not built into the command shell, but manipulating it is?...

      It could use the same system call "cmd" uses to run the code without the warning dialog

      That's rather the point I was making...

      It could read the code directly into memory and execute it in its own process, bypassing any Windows restrictions on executable files

      As I concede above, this may be possible, but clearly that ought to be subject to the same restriction...

      As I said on other threads, I'm quite sure the implementation of this idea is not yet thorough... but that doesn't mean that the idea is wrong. Firstly, one has to admit, no operating system has arrived at a good security mechanism getting it right first time. Secondly, while one might disagree with this kind of thing being tested on the whole user base (or, at least, those who keep up with OS versions and their SPs), at least it hasn't made the situation worse - even if there are ways to bypass this (which will take time to learn), the effect of the bypass is no worse than would be the absence of the mechanism.

    62. Re:'Flaws' Not that big of a deal by Spy+Hunter · · Score: 1
      In the start menu run dialog, you must type "cmd" and then either type enter or click run. Then after you drag the file, you must focus the command window and type enter again. Is that not typing? Thank you. It may not be a lot of typing, but you must switch from mouse to keyboard at least twice during this process. Every added step reduces the number of people who will follow the procedure, reducing the virus's efficacy dramatically.

      IANAH, so to speak

      Obviously YANAH. Are you even a programmer at all? Yes, a virus could click the "yes" button, that doesn't require downloading a separate VNC server. How do you think the VNC server does it? The VNC server is just another program, it calls Windows API functions to do its job. The virus can call the same functions the VNC server does, and it doesn't need to download anything to do it.

      You just don't get it. Once the virus is running on your computer under your user account, it can do anything YOU can do, and anything that any program you _might_ run could do, automatically. It has COMPLETE CONTROL. It can call whatever functions it likes, run whatever programs it likes, read or write whatever files it likes, change whatever settings it likes, and control other programs as it sees fit. Windows doesn't limit the virus after you have run it, because it isn't smart enough to know the difference between a program you wanted to run and a virus you ran by accident.

      That's rather the point I was making...

      No, you were making the point that cmd allowed users to easily bypass the protection and run a downloaded exe, and I was refuting it by pointing out that it really wasn't so easy for users. Programs running on the computer will always be able to bypass the protection and run arbitrary code, because Windows has no direct control over what code a program executes or where that code came from. The key is stopping users from running viruses in the first place because once the virus is running you're toast. This security warning dialog is only intended to help stop users from running downloaded viruses through Windows Explorer. It does not, cannot, and was never intended to serve as a defense against running virus code.

      Actually I think the dialog is a good idea and it may even be effective at reducing the number of viruses of the "user downloads and runs it manually" type. For the reasons stated in previous posts, I sincerely doubt that large numbers of users will be both willing and able to follow a multi-step procedure involving typing and command lines, simply on the advice of a random email. If a new virus proves me wrong, then MS should add the warning dialog to cmd as well. But there's nothing MS can do to prevent a running virus from downloading and executing whatever it likes.

      --
      main(c,r){for(r=32;r;) printf(++c>31?c=!r--,"\n":c<r?" ":~c&r?" `":" #");}
    63. Re:'Flaws' Not that big of a deal by BarryNorton · · Score: 1
      Obviously YANAH. Are you even a programmer at all?

      Twice you've been wrong and this is how you come back? Petty, man!...

      Yes, a virus could click the "yes" button, that doesn't require downloading a separate VNC server. How do you think the VNC server does it?

      Yes, that is a good point. You can see I've not programmed at the system call level for a long time... All the same (changing my argument, I admit), the system could simply refuse you a handle on that window (though how that would play out with terminal server or third party VNC s/w, given your point, isn't clear).

      No, you were making the point that cmd allowed users to easily bypass the protection and run a downloaded exe

      Sorry, my fault - you're quite right, I didn't write that (or rather deleted it from what I was posting since it didn't support my point - feel free to not believe me on this)

      and I was refuting it by pointing out that it really wasn't so easy for users

      Well indeed, but you were visibly incorrect in how you expressed that (twice over) and, what's more, we were looking at the initial warning - I'm quite sure there are some more advanced exploits to come than the mock-up in the article (at the very least a scripting exploit - based either on an unpatched mail client or a new vulnerability - could surely invoke the command line).

      But there's nothing MS can do to prevent a running virus from downloading and executing whatever it likes

      I just can't agree with that: the operating system controls what's data and what's executable in memory - it's laudable to explore how a requirement for user interaction can be used to control the latter (imho).

    64. Re:'Flaws' Not that big of a deal by ViolentGreen · · Score: 1

      That's different though. The chmod defines a file as being an executable and allows someone to execute it. Windows determines whether or not a file is an executable by the extension. The permission merely allows (by default) or disallows someone to run it.

      --
      Not everything is analogous to cars. Car analogies rarely work.
    65. Re:'Flaws' Not that big of a deal by Spy+Hunter · · Score: 1
      I've only been wrong about one thing in this discussion, and in a way that doesn't even affect the validity of my argument. I was mistaken when I said that users had to type arguments. I was not wrong about users having to type, or about the process Heise suggests being inconvenient and difficult for users. You, on the other hand, have been wrong about nearly everything you've said in the latter half of this discussion. You were wrong when you said I was wrong about viruses being able to bypass XP's security. You were wrong when you thought viruses had to download and execute a VNC server to press buttons. You were wrong when you intimated that I was wrong about viruses being able to remove NTFS streams. And furthermore you are wrong again about the operating system controlling what's executable and what's not. Only on the new AMD 64-bit processors with NX is this the case. On regular x86, almost everything is executable all the time. Windows can't even control what gets executed in the processes of programs that are cooperating with it; buffer overflow exploits and the like often allow arbitrary code execution despite attempts to prevent it. How could Windows possibly control the code in a malicious program if it can't even control the code of programs that cooperate?

      I sincerely doubt that this "exploit" will lead to more advanced ones. If a scripting exploit has access to cmd and also can have a file downloaded to a known location with content chosen by the script (required for this "exploit"), that script already has enough power to erase the user's hard drive, send their stored personal data and passwords to Russia, or do any number of other nasty things. Executing arbitrary machine code from there is simply a matter of using a suitable buffer overflow in any program on the user's hard drive, regardless of any restrictions Windows puts on launching downloaded exe files.

      --
      main(c,r){for(r=32;r;) printf(++c>31?c=!r--,"\n":c<r?" ":~c&r?" `":" #");}
    66. Re:'Flaws' Not that big of a deal by BarryNorton · · Score: 1

      "Your argument" - I'd check your original post.

      As far as trying to claim I've been wrong more than conceded, you're simply putting words in my mouth and then refuting them. I'm not prepared to waste more time discussing this, but I'd just point out the difference (apparently absent in your head) between the concept of an operating system (and its roles) and what is implemented in Windows! I stand by (and your argument that hardware support can be added merely reinforces the point):

      the operating system controls what's data and what's executable in memory - it's laudable to explore how a requirement for user interaction can be used to control the latter
    67. Re:'Flaws' Not that big of a deal by Spy+Hunter · · Score: 1
      I don't know what you believe my original argument is, but it has always been that Heise's so-called "flaws" aren't really flaws because the process of getting around the dialog box is too complex. I argued that users are more likely to follow instructions to click "yes" on the security dialog than to follow Heise's instructions, rendering the "exploit" useless. Later I argued that the "exploit" is useless for currently running viruses as well because there are better ways of running arbitrary code that can't be prevented by Windows. My argument has never been that the dialog box itself is bad; on the contrary I think it is a fine implementation of a reasonably good idea. It is unlikely to be that effective due to the propensity of users to click "yes" whenever asked, but it is a good idea nonetheless. Any improvement helps, no matter how small.

      This discussion is about Windows; the things an imaginary secure operating system could do are not relevant. Microsoft cannot give up backwards compatibility with older programs and this limits the security they can implement considerably. Windows does not and can not control what's executable in memory on plain x86. As for the last bit about laudability, I completely agree and have not argued otherwise. As I have explained, the dialog is a reasonably good idea.

      --
      main(c,r){for(r=32;r;) printf(++c>31?c=!r--,"\n":c<r?" ":~c&r?" `":" #");}
  5. Microsoft's response: by tpgp · · Score: 3, Interesting
    From the end of the second page:

    "We have investigated your report, as we do with all reports, however in this case, we don't see these issues as being in conflict with the design goals of the new protections. We are always seeking improvements to our security protections and this discussion will certainly provide additional input into future security features and improvements, but at this time we do not see these as issues that we would develop patches or workarounds to address."


    *Shrugs*
    --
    My pics.
    1. Re:Microsoft's response: by Anonymous Coward · · Score: 1, Funny

      In other words: It's not a programming bug, it's a design flaw.

    2. Re:Microsoft's response: by jkrise · · Score: 1

      Joe ServicePack to boss: I've got this dazzling new CD and some sound-bytes from Microsoft. Shall I install this stuff anyway?

      Boss: The CD looks very attractively packaged. Let's try...

      -

      --
      If you keep throwing chairs, one day you'll break windows....
    3. Re:Microsoft's response: by Senzei · · Score: 1
      Honestly I think they are right in this as well. The point of the command prompt is to be available for system administrators. Your normal computer-stupid user shouldn't have it. They shouldn't need it. If they do need it then more than likely they are smart enough to use it well.

      Linux is different. It was built around the terminal. When linux became more GUI enabled it did not ditch the terminal environment the way microsoft ditched the dos box for windows. Trying to compare the linux terminal to the windows console, and that is the implicit comparison here, is really comparing two environments designed around distinctly separate purposes. For what the command prompt is supposed to do it currently does fall in line security-wise with microsoft's plan. The real issue is not security of the command prompt, it's access to the command prompt.

      That said I'm really not a microsoft fanboy. I don't like the idea of having to ensure that a computer is not connected to the internet just to install an os. I hate having to go through tons of GUIs just to get something done that in linux takes a few console commands .... in a script .... with a loop. I'm just saying that these "flaws" are in line with the design philosophy of windows, I'm not saying that I agree with that philosophy in any way.

      --
      Slashdot: Where anecdotes and generalizations can be freely substituted for facts, logic, or intelligence
  6. is it serious enough? by Anonymous Coward · · Score: 1, Interesting

    is this flaw serious enough to be used to write some worm?

    1. Re:is it serious enough? by tpgp · · Score: 5, Informative
      RTFA.

      No.

      The attack vectors described are:

      Exploiting this issue requires the ability to overwrite existing files which have a trusted or non-existent ZoneID. Right now there is no known way to achieve this in an attack mounted from the Internet.

      and (in an email)
      attached you find the copy of your access data you
      requested. For security reasons, the file is scrambled
      and can only be viewed with cmd. To view it, save the
      attached file, execute "cmd" from the start menu,
      drag&drop the file into the new window and hit
      return. cmd will descramble the file for you.

      Neither seem likely to be able to self-replicate without user intervention. So no worm then.
      --
      My pics.
    2. Re:is it serious enough? by BenjyD · · Score: 2, Informative

      Except that they are pretty silly mistakes.

      If they are prepared to sacrifice security for the sake of start-up performance by caching the ZoneID and not checking the file-modified date, which I guess is why the second flaw is present, it doesn't bode well for the future security of SP2.

    3. Re:is it serious enough? by Anonymous Coward · · Score: 0

      I'm sorry, but from what I am reading, this is not a big deal.

      No OS is capable of preventing the users from being stupid. If the user has the rights to run ANY program, and someone can convince him to run said program, then it will run.

      In Linux I could send the user a file, tell them to right click on the file and mark Executable rights. Then have the user run the program. The first thing I would do is su (super user) to own the box. The user sees the familiar password box they have to enter to install software et al, and so they just enter it by habit.

      FreindCard popped up two messages asking for permission to install. The license actually said that the software will send a copy of itself to everyone in your contacts. If you canceled out of the first message, the software did not install.

      My users started clicking OK on that license agreement, and then saying they were infected with a virus.

      Stupid is as stupid does. It is not OS specific, nor is it computer specific.

    4. Re:is it serious enough? by BenjyD · · Score: 1

      My point wasn't that these are particularly serious flaws in themselves, or that they will lead to some huge increase in trojans etc.
      My point was that they are indicative of the level of security that MS is prepared to add. Cmd.exe doesn't check for the zoneID, the only check for what zoneID a file is from is based on its filename, irrespective of its content or modified date. To me that indicates that they clearly favour convenience and speed over security, even in a Service Pack that's supposed to be dedicated to improving security. It's an insight into the mindset at MS.
      That said, the ZoneID system is definitely a step in the right direction.
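Added example, not part of the thread and not Windows code: a Python model of the behaviour the comment above describes, where a file's zone is cached by filename and never rechecked against its modification time. The sidecar `.zone` file standing in for the NTFS `Zone.Identifier` stream, and all class and function names, are assumptions of this sketch.

```python
import os
import tempfile

ZONE_INTERNET = 3  # zones 0-2 are local/intranet/trusted; 3 and 4 warn


def parse_zone_identifier(text):
    """Return the ZoneId from a [ZoneTransfer] mark, or None if absent/malformed."""
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[zonetransfer]"
        elif in_section and "=" in line:
            key, _, value = line.partition("=")
            if key.strip().lower() == "zoneid":
                try:
                    return int(value.strip())
                except ValueError:
                    return None
    return None


def read_zone(path):
    """Read the mark. Assumption: path + '.zone' models path:Zone.Identifier."""
    try:
        with open(path + ".zone", encoding="ascii") as fh:
            return parse_zone_identifier(fh.read())
    except FileNotFoundError:
        return None  # no mark at all: treated like a local file


def needs_warning(zone):
    return zone is not None and zone >= ZONE_INTERNET


class NameKeyedCache:
    """Caches the zone by filename only, as the comment describes."""

    def __init__(self):
        self._zones = {}

    def zone(self, path):
        if path not in self._zones:
            self._zones[path] = read_zone(path)
        return self._zones[path]


class ValidatedCache:
    """Same cache, but an entry is reused only while mtime and size match."""

    def __init__(self):
        self._zones = {}

    def zone(self, path):
        st = os.stat(path)
        stamp = (st.st_mtime_ns, st.st_size)
        hit = self._zones.get(path)
        if hit is None or hit[0] != stamp:
            hit = (stamp, read_zone(path))
            self._zones[path] = hit
        return hit[1]


def demo():
    """Return (warn_naive, warn_checked) before and after an overwrite."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "report.exe")  # constructed sample file
        with open(path, "wb") as fh:
            fh.write(b"local build")
        naive, checked = NameKeyedCache(), ValidatedCache()
        before = (needs_warning(naive.zone(path)),
                  needs_warning(checked.zone(path)))
        # The file is replaced by a download of different length and
        # receives an Internet-zone mark.
        with open(path, "wb") as fh:
            fh.write(b"downloaded replacement, different length")
        with open(path + ".zone", "w", encoding="ascii") as fh:
            fh.write("[ZoneTransfer]\nZoneId=3\n")
        after = (needs_warning(naive.zone(path)),
                 needs_warning(checked.zone(path)))
        return before, after


if __name__ == "__main__":
    print(demo())
```

After the overwrite the name-keyed cache still answers "no warning", while the validated cache re-reads the mark and warns.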

    5. Re:is it serious enough? by Anonymous Coward · · Score: 0

      So let's send this to Joe Desktop Linux User JDLU for short.

      This update requires you to be logged in as root. Once logged in, run the update by typing sh update.sea at the shell prompt.

      The problem described with SP2 is not a programming mistake, or insecurity, it's a matter of stupid user syndrome. Linux is no better, get linux on the desktop and give JDLU root access (like most desktop linuxes do) and you've got the same kind of problem as with SP2. Okay so programs run from a command prompt don't get their signatures checked, next hotfix. But now guess what, windows does something linux CAN'T EVEN DO AT ALL, and that's verify the origins of executables.

      So what is everyone whining about? That MS is only halfway to where Linux isn't even going yet? Pffttt.... Now I know why my linux machine is turned off in the basement and I'm running Windows XP. I'm a smart user, I know what I'm doing, and I'm secure through various levels of defense combined with using my head. As far as a desktop system goes (the majority of windows users) I'm just as secure as any linux user, because I know what I'm doing. I have a hardware firewall backed up by software firewall, sp2, spybot, NAV2004, and some tightened IE settings. I run as a limited user, and when I need to install something or such, I log in as administrator to do what I must then go back to limited user mode...

      Put linux on the desktop as things stand now, with the majority of users out there, and we'd probably be just as bad or worse off than we are now. The problem isn't as much insecure software as stupid users.

      Then again the deeper issue is that there are malicious people out there at all, but let's not get into religion :P

  7. Isn't it normal? by Anonymous Coward · · Score: 2, Insightful

    Surely, it's normal to release patches. Why is this news?

    So they patch up to SP2 and they continue to patch. I would hope so.

    So there's issues with SP2. I dare you to do a similar number of changes and then have no issues with the resulting code.

    Yet another slow news day we see headlines like "Ask Slashdot; I want to install a text editor, what do slashdot recommend?"

    1. Re:Isn't it normal? by Anonymous Coward · · Score: 0

      Linux releases a bimonthly +0.0.1 update to the kernel: Slashdot posts a story. Lots of "do we REALLY need to hear about every little kernel update?" comments.

      Microsoft releases a yearly +0.1 update to Windows: Slashdot posts a story. Lots of "do we REALLY need to hear about every little windows patch?" comments.

      Apple releases a yearly +1.0 update to Mac OS X: Slashdot posts a story. Lots of "Do we really need to hear about an Apple OS? How is this news for nerds?" comments.

      CONCLUSION: Slashdot users, as a group, do not believe in upgrading software.

    2. Re:Isn't it normal? by beuges · · Score: 1

      exactly

      from kernel.org:
      ChangeLog-2.6.8 13-Aug-2004 23:02 883K
      ChangeLog-2.6.8.1 14-Aug-2004 04:12 263

      was 2.6.8.1 not a fix to 2.6.8? wow, was this a fix, released a day after 2.6.8? why wasn't this front page news? why were there no snide comments like 'Of course, who would be surprised by this?'

    3. Re:Isn't it normal? by jg_elliott · · Score: 1

      I recently went to a presentation by Microsoft and the representative told us that recently Microsoft told all their developers to stop coding and read some big book on security. Once they had read the book, they could continue. Anyone not complying to what the book said about secure code was sacked.
      If the story is true, SP2 should have been developed looking out for common security problems during development, meaning that this great new secure development process they have going on, isn't that great after all.
      On the other hand, this is Slashdot and kicking Microsoft is the thing to be done!

    4. Re:Isn't it normal? by logic+hack · · Score: 0
      "... I want to install a text editor, what do slashdot recommend?"
      Do you have any idea what you have done?! You have unleashed the demon that we have feared for nearly 3000 years!
  8. Really? by AEton · · Score: 0, Offtopic

    It seems that SP2 for Windows XP isn't as secure as Microsoft touts it to be

    In other news:
    Pope renounces Judaism, admits he is devout Catholic
    Bear community overwhelmingly rejects $25m latrine levy
    CmdrTaco reveals longstanding heterosexual relationship

    --
    We recently had heard in the office over one of the Yellow Machine that's made by Anthology Solutions.
    1. Re:Really? by Anonymous Coward · · Score: 0

      OMFG, the irony of it all, LOL. A post stating that this post is redundant, is marked...redundant. In Soviet Russia, The only thing that's made redundant is YOU!

    2. Re:Really? by mewphobia · · Score: 0, Offtopic

      pamela anderson sleeps on her back.

  9. Sensible Color Scheme by Anonymous Coward · · Score: 0, Offtopic
    1. Re:Sensible Color Scheme by Anonymous Coward · · Score: 0

      really guys fix the colours they suck

    2. Re:Sensible Color Scheme by Master+of+Transhuman · · Score: 1

      They can't - they're color blind.

      --
      Richard Steven Hack - This sig is TOO GODDAMN SHORT TO DO ANYTHING USEFUL WITH! MORONS!
    3. Re:Sensible Color Scheme by D'Sphitz · · Score: 0, Troll

      bookmarklet here

  10. Service Patch 2 by rvw · · Score: 5, Funny
    Well it appears that at least one hotfix is already available to fix yet another bug in Windows XP, post SP2 application.

    I'm curious how long it takes them to release Service Patch 2 for SP2...

    1. Re:Service Patch 2 by Anonymous Coward · · Score: 0

      Well it appears that at least one hotfix is already available to fix yet another bug in Windows XP, post SP2 application.
      I'm curious how long it takes them to release Service Patch 2 for SP2...


      It's quite natural that there were post-SP2 updates available at the time SP2 was released.

      SP2 is a massive update that has gone through a rigorous, time-consuming testing procedure. Any problems that were found/addressed after SP2 went into "feature freeze" for final testing would have to be dealt with as post-SP2 updates.

      So, it's not a question of "fixing SP2", but rather to understand the development process of such a massive project. .m

    2. Re:Service Patch 2 by EtherNetFreak · · Score: 1

      ATM, I am bound by issues of Symantec vs Windows XP SP2. This is a good thing, in some cases. This will give us time to watch other companies and the IT industry as a whole, in their attempts to apply SP2. Watching and waiting for the bugs to roll out from under the carpet (Read: SP2) I believe is a wise idea if you already have a generally stable computing platform. If your network folks are managing the network borders properly, firewalls and such... waiting to apply SP2 may be a wise idea. We have a contract with Symantec for a few of their products and they have told us they will be shipping new products to us for distribution. So.. wait for symantec + wait for bugs in SP2 to show themselves = safe time frame to evaluate XP SP2. That said... I am of course, like many of you testing it on a few not-so-critical workstations.

    3. Re:Service Patch 2 by drinkypoo · · Score: 1

      I have symantec corporate 9 on my winxp sp2 system and sp2's security features claim that my system is not being watched for viruses. Why on earth is the latest greatest version of symantec antivirus not recognized?

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    4. Re:Service Patch 2 by jerw134 · · Score: 1

      It's not a matter of Symantec's program not being recognized, it's that the program isn't reporting its status to the Security Center. You need to download a patch from Symantec to fix that.

  11. Re:In general, Microsoft seems sloppy. by MonTemplar · · Score: 4, Funny

    Great, someone used Sweeping Microsoft Generalisations #423 and #587, and gets modded up as Funny.

    Come on, guys, if you're going to bash the Beast of Redmond, at least put some effort into it!

    -MT.

    --
    -MT.
  12. Re:In general, Microsoft seems sloppy. by log2.0 · · Score: 0, Offtopic

    Why is that funny? The initial article cracked me up...but the parent post was more like +informative ;)

    --
    Can your karma go above being Excellent?
  13. The thing is by Anonymous Coward · · Score: 0

    I dunno, the software *I* use, the idea of "well I'll wait to hear from other people to see what happens, in case it breaks something" for an upgrade is absolutely absurd. What on earth is this? I posit that you windows users think upgrades acting like this "SP2" does is normal is not because it is normal, but because Microsoft has convinced you to drastically lower your expectations.

  14. Re:In general, Microsoft seems sloppy. by polecat_redux · · Score: 3, Insightful

    On the other hand, it might be that they don't give their QA people enough time to adequately test their products before release. I would think it's cheaper and more efficient for them to let their customers find the bugs.

  15. Outsourcing a problem? by jhoegl · · Score: 3, Insightful

    I really would like to know if Microsoft has an outsourcing company working on this project. They openly admit they outsource parts to outsourcing companies, why not this?

    If this is the case, it is very easy to see why Microsoft has so many problems with security. They have no control over the hires, no control over the code (you can review it, but that's a lot of code), you have no control over security of the code.

    I sometimes wonder if people purposely put in backdoors or buffer issues to allow this to happen. An unhappy coder is a dangerous coder, and let's face it, if you work for an outsource company, you probably are not too happy. I sure wasn't.

    1. Re:Outsourcing a problem? by Kris_J · · Score: 1
      I sometimes wonder if people purposely put in backdoors or buffer issues to allow this to happen. An unhappy coder is a dangerous coder, and let's face it, if you work for an outsource company, you probably are not too happy. I sure wasn't.
      So... What backdoors have you written?
    2. Re:Outsourcing a problem? by Anonymous Coward · · Score: 0

      Microsoft doesn't outsource the coding of the OS. They outsource some of the app testing and test tool authoring but even these are watched over by MS employees to verify the results. Would you trust a company in India of testing applications for compatibility issues and then release the product on their word? No. Would you let the same people write the new firewall? No. What makes you think MS would? Their large pile of cash that they lucked into? or maybe it's the core OS code that Linux has been copying for years and is finally starting to catch up on?

    3. Re:Outsourcing a problem? by ggvaidya · · Score: 5, Interesting

      No wonder Windows '95 was so nice and stable, huh? Happened long before the bad new days of outsourcing ...

    4. Re:Outsourcing a problem? by Anonymous Coward · · Score: 0

      Nice way to throw out some wild speculation for Microsoft bashing. You've got no proof that Microsoft outsourced any of SP2 or even XP. Why not just say that Microsoft outsourced to terrorists, virus writers, and spammers so that's why security is so bad?

    5. Re:Outsourcing a problem? by TheQuantumShift · · Score: 1

      The main question is: Would Microsoft outsource all software support, (the biggest part of MS's business) to India, Argentina, and anybody else willing to work for a dollar an hour to read a script and follow the same five Knowledge Base articles...

      --

      Shift happens. Fire it up.
    6. Re:Outsourcing a problem? by rikkards · · Score: 1

      This is insightful?
      I have found XP to be way more stable than 95. Granted there are more security issues but the OS itself has been rock solid even after SP2.

    7. Re:Outsourcing a problem? by Anonymous Coward · · Score: 0

      Windows '95? stable? What crack are you smoking?

      When all there was available was 95 (or even 98, first/second edition) I ran Linux on my desktop. But once Windows 2000 came out I switched back because I knew that 95 was a complete piece of shit that had no stability. Sure, it ran a lot of games or other applications that I liked, but it sucked if you wanted a machine to stay up for more than a few days at a time. On the other hand, XP is the same or better than Windows 2000 for stability, in my experience, and can run for days or weeks at a time without worries.

      I can see how this might be considered "funny" (95 stable har har), but I think the moderators got some of that crack that ggvaidya is smoking.

    8. Re:Outsourcing a problem? by Lehk228 · · Score: 1

      your XP install may be stable but your sarcasm detector seems to have BSOD'd

      --
      Snowden and Manning are heroes.
    9. Re:Outsourcing a problem? by Anonymous Coward · · Score: 0

      ohhhhhh, so if the OS makers have others working on their code, it is a source of the problems and potential hole for trojans and other spyware type code being added...and this is different for linux in what way??? (I google and find tons of problems with linux sources being compromised, so much for that sense of superiority of the linux-drone)

    10. Re:Outsourcing a problem? by jhoegl · · Score: 1

      I'm pretty sure I never stated, nor implied that MS had outsourced this. I asked if they did. Nice overreacting by an MS supporter. Too bad MS didn't do this on security issues.

  16. Re:In general, Microsoft seems sloppy. by MonTemplar · · Score: 1

    I would think it's cheaper and more efficient for them to let their customers find the bugs.

    Microsoft have been implementing that system for some time now. :)

    -MT.

    --
    -MT.
  17. Managing large projects by nboscia · · Score: 5, Interesting

    This makes me wonder how Microsoft, as well as many other large software corporations, manage security patches and quality assurance of their software. Is the problem with there being so many people working on different projects that they do not communicate and therefore things get overlooked, or is it due to the complexity of the software, or something else entirely? I couldn't imagine how someone could manage 'security' for Windows (or any similarly large project) and be 100% sure of what all the technical staff do. Does it come down to having more meticulous software engineers and rigorous testers? How would people recommend this be done? I'm sure the typical "make it open source!" answer will be given, but if that is not an option, how do companies who are more successful at this do it?

    1. Re:Managing large projects by wastingtape · · Score: 0

      I saw somewhere a quote (probably on slashdot) that went something like "Programming is like sex. Make one mistake and you'll end up supporting it for the rest of your life." If I'm not mistaken Microsoft maintains a test machines/image for each combination of service packs, hot fixes, and updates. If you had previously released 60-something hot fixes then that amounts to... what, about 3500 different configurations to test?

      Regardless, I think you do make a point about the way these things work. I've thought for a while that one of the areas largely lacking in the computer world is specialized input and output devices. The keyboard and monitor are fine, for typing a word document, but maybe lacking for software development. (here goes one of my fantasy worlds...) What if instead of programming by typing in "code", programs were created by assembling building blocks in a special computer controller, much like putting together an erector set or using lego technics. The end result is security could be exampled from a "physical access" viewpoint, much like it is in real life (ie. can i move this ladder to get over here, or push this block to get up here). I know that's weird and abstract, but I believe it's an area that's largely lacking in IT today. Keyboards? Hah.

    2. Re:Managing large projects by Ev0lution · · Score: 1

      Based on my experience, I don't think anybody manages it well. I work on a Big product for a Big IT company, and in the past I've found (or, to be more honest, stumbled across) security problems that have been there for years. In Windows they would probably have been exploited, but our advantage, as such, is just that the product doesn't have the same level of exposure - so we're certainly no better at managing this stuff than MS, just lower profile...

    3. Re:Managing large projects by Anonymous Coward · · Score: 0

      Great structures need good foundations.
      Well, the criteria, 'we want this one to be secure' can't be the prime deliverable. If the design (XP) is broken, they should fork some code to cater to corporate client needs. MS has enough money and resources to get it right, and hire good people, but in the wind, is the image that they have failed to get it right, and foundation fixing is not their cup of tea.

    4. Re:Managing large projects by Anonymous Coward · · Score: 1, Insightful

      If you've ever read Raymond Chen's blog, Old New Thing, it's not surprising how broken Windows is. They go to extraordinary lengths to maintain backwards compatibility. Seems to me, that the lengths they go to, to make users happy, would break any OS. It's just not possible to manage that sort of thing.

      Like many others, I don't know why this sort of thing makes /. anymore.

    5. Re:Managing large projects by megarich · · Score: 0

      I agree with you, it's a huge task. And I think more successful companies cope with it better because they can focus on one product. They don't have to worry about i.e. making the next best gaming console, or even creating their own freakin programming language. Of course organization too is a HUGE part of the success part it sure does help if you have one project to focus on and not 100.

  18. Re:In general, Microsoft seems sloppy. by Jasperke · · Score: 5, Funny

    I think it's funny, because it happens very often...

    Developers vs Rest-of-company:

    Pre-release-phase:
    Rest-of-company : Come on, we _need_ SP2 now!
    Developers : But it isn't finished yet...
    Rest-of-company : If we don't get it NOW, we will ... (Fill in some very good reason, like getting fired ;))
    Developers : Oke, but there are too many problems with SP2...
    Rest-of-company : We'll release some hotfixes, just give it to us _NOW_!
    Developers : *shrugs* Oh well... Just don't forget we warned you guys...

    Post-release-phase:
    Rest-of-company : WHOA, There is a problem with xxx. How is that possible?
    Developers : Well, SP2 just isn't quite finished yet...
    Rest-of-company : Not finished? What the f**k?!
    Developers : We told you so, before the release, but...
    Rest-of-company : I don't want to hear that, just go and work on the hotfix...
    Developers : *shrugs* Oh well...

  19. Re:In general, Microsoft seems sloppy. by Anonymous Coward · · Score: 1, Insightful

    The parent is not flamebait! Microsoft software is sloppily thrown together, especially from a developer's perspective. To start off with, too many poorly designed features (such as allowing executable code within Word documents and email messages) exist in the company's products. Microsoft apparently has marketers, not engineers, for software architects. The development environments we have to work with have generally been lackluster.. poor documentation, things don't work the way the should, etc. Dealing with anything Microsoft is frustrating.

  20. SP2a by Graabein · · Score: 1, Insightful

    I think I'll wait for SP2a, thanks all the same.

    --
    And remember kids: Never trust a computer you can actually lift.
    1. Re:SP2a by Sumocide · · Score: 1

      That'll leave you with the exact same 'vulnerabilities'.

    2. Re:SP2a by dave420 · · Score: 4, Insightful
      Why? SP2 is fine, and all these bugs aren't even slightly severe, let alone show-stoppers.

      Get rid of that "fuck microsoft" attitude, start thinking for yourself, and actually take a look at it. It's a great addition to XP, and those who say it isn't have an alterior motive.

    3. Re:SP2a by SparklingClearWit · · Score: 1

      Man, there's a flashback. SP2a for Windows NT 4.0 was rife with problems... we had to rebuild a primary domain controller after that bad boy. Yick. That being said, my XP Professional box is running flawlessly after SP2.

    4. Re:SP2a by the+unbeliever · · Score: 1

      How this was modded as "insightful" I'll never understand.

      SP1a for XP was SP1 without the Microsoft JVM. There were no other differences to my knowledge between SP1 and SP1a.

    5. Re:SP2a by Graabein · · Score: 1
      Yowza. dave420, in his "thinking for himself" mode, postulated thusly:

      > SP2 is fine

      Surely.

      Lessee: 200 incompatible applications, some of them Microsoft's own, a hotfix released before the SP has even reached the masses (through Windows Update and localization to non-US locales), a much-hyped firewall that doesn't check outgoing connections (but pops up misleading dialogs that confuse the user into thinking it does) and quite a few people complaining about much strangeness after installing it.

      This is your definition of fine, is it? After, as you say, having taken a look at it while clearly not being at all biased by "alterior"(sic) motives?

      Well, I give in. Your eloquent arguments and unbiased outlook won me over. SP2 is fine. And the emperor's clothes are magnificent in their splendor.

      Now go away and exercise that brain you imply having through allusions to thinking for yourself, before I have to get sarcastic on your ass.

      --
      And remember kids: Never trust a computer you can actually lift.
    6. Re:SP2a by Graabein · · Score: 1
      the unbeliever wrote:
      > SP1a for XP was SP1 without the Microsoft JVM

      And your point is?

      It's not like there's ever been "a" releases of service packs before, that were bug fixes and were released not long after the service pack itself, right?

      --
      And remember kids: Never trust a computer you can actually lift.
    7. Re:SP2a by megarich · · Score: 0

      This is the me approach, unless I'm experimenting, I don't get anything when it's first released because there's always problems.. ANYTHING. be it linux/microsoft ps2, etc.

      I'm not fond of microsoft, but for me it's just a make sense issue because there always seems to be a slew of problems when something(this goes for any software) is released, no matter what it is and I would prefer to wait when they have time to sort out most of the issues

    8. Re:SP2a by Anonymous Coward · · Score: 0

      Captain Spelling strikes again!
      ULTERIOR motives. Alterior isn't even a word.

    9. Re:SP2a by m_pll · · Score: 1
      Lessee: 200 incompatible applications, some of them Microsoft's own

      And most of them can be made "compatible" simply by configuring an exception in the firewall. What's the big deal?

      a hotfix released before the SP has even reached the masses

      OK, so that's one legitimate (but low impact) bug discovered so far. Given the huge number of changes to the OS I'd say this is not that bad.

      a much-hyped firewall that doesn't check outgoing connections (but pops up misleading dialogs that confuse the user into thinking it does)

      The dialog says: "Windows Firewall has blocked this program from accepting connections from the Internet or a network". What's misleading here?

      Not to mention the fact outgoing connection blocking can be trivially bypassed by malware. Implying that a software firewall can reliably prevent malware from calling home is what I'd call misleading.

      quite a few people complaining about much strangeness after installing it

      How many is "quite a few"? How many of these problems are because of bugs in SP2 as opposed to bugs in 3rd party software?

      Personally, I haven't had any problems on my two XP machines.

  21. New Poll by cesman · · Score: 0, Redundant

    Perhaps a new poll is in order.
    Which will get released first?
    XP SP2
    Longhorn

    --
    When the source is open, the possibilities are endless.
    1. Re:New Poll by DA-MAN · · Score: 0, Flamebait

      Might want to add "Kernel 2.6" to that. Not released to the public, just pried from Torvalds' clutches and handed to the official 2.6 maintainer . . .

      --
      Can I get an eye poke?
      Dog House Forum
    2. Re:New Poll by Anonymous Coward · · Score: 0

      it's been out for a year now, fuckwit.

    3. Re:New Poll by DA-MAN · · Score: 1

      Hey Fucknut, you do realize that I said released from Linus' clutches to the 2.6 Maintainer (Andrew Morton) not released to the public. I know it's released to the public.

      The point I was making is that Linus has yet to start working on Kernel 2.7 and it is seriously about time. . .

      --
      Can I get an eye poke?
      Dog House Forum
  22. mod parent -1 flamebait by Anonymous Coward · · Score: 0

    let's be fair... it IS certainly flamebait, as it denigrates microsoft while offering no useful information at all.

    1. Re:mod parent -1 flamebait by Anonymous Coward · · Score: 0

      Your comment offers no useful information either, hypocrite.

    2. Re:mod parent -1 flamebait by Anonymous Coward · · Score: 0

      "...it denigrates microsoft while offering no useful information at all."

      Golly, this is the way that Microsoft interacts with the rest of the world, "They denigrate everybody but microsoft while offering no useful information at all."!

  23. The Heisenberg Patch by Graabein · · Score: 4, Funny

    Is it there or isn't it? What is it? It's the Heisenberg Patch!

    --
    And remember kids: Never trust a computer you can actually lift.
    1. Re:The Heisenberg Patch by johannesg · · Score: 3, Funny

      No, that's Schrodingers patch. The one you are thinking of is where you either don't know if it has been installed, or on what machine.

    2. Re:The Heisenberg Patch by zonix · · Score: 3, Funny

      Is it there or isn't it? What is it? It's the Heisenberg Patch!

      Well, I'm glad my OS comes with Heisenberg Patch Compensators. :-)

      z
      --
      What would an EWOULDBLOCK block, if an EWOULDBLOCK could block would? -- me
    3. Re:The Heisenberg Patch by Anonymous Coward · · Score: 0

      Is it there or isn't it? What is it? It's the Heisenberg Patch!

      The problem is that they determined exactly how fast the patch was moving... Now they can't tell where it is. ;-)

    4. Re:The Heisenberg Patch by numbski · · Score: 1

      Ah, but you see a little script kiddie work...

      diff /etc/heisenberg/comp1 /etc/heisenberg/comp2 >heisenberg
      mv /etc/heisenberg /etc/heisenberg-old
      mv heisenberg /etc
      heisenberg-reload

      cp /dev/null/chair ~
      ls -als chair :)

      --

      Karma: Chameleon (mostly due to the fact that you come and go).

  24. Lame Microsoft bashing by City+Jim+3000 · · Score: 5, Insightful

    These 'flaws' are of the same type as posting a script in your .sig that executes "rm -rf /" on a *nix system.

    The best security measure would be some device that read the mind of the user and warned if you were too stupid. Or maybe even easier:

    if(spywareCount > 20) stupidUser = true;

    1. Re:Lame Microsoft bashing by chendo · · Score: 1

      So, why would a linux user run this as root?

      Sure, you could tell them to run the command as root...

      --
      Founder of Mirror Moon - Tsukihime Game Trans
    2. Re:Lame Microsoft bashing by LiquidCoooled · · Score: 1

      Hey!

      You missed out a whole branch of users.

      If (xpLite)
      {
      //BUG: xplite app_limit=3, following was always false
      //if(spywareCount > 20) stupidUser = true;
      //FIX: not conclusive, but should catch 99.9%
      stupidUser = true;
      }
      else
      {
      if(spywareCount > 20) stupidUser = true;
      }

      Mind you, if you're running xpLite, you won't be running any other code.

      --
      liqbase :: faster than paper
    3. Re:Lame Microsoft bashing by CowboyBob500 · · Score: 1

      Shouldn't that be:-

      if (spywareCount > 20)
      {
      disableInternetAccess=true;
      blowRasberry();
      }

      Bob

    4. Re:Lame Microsoft bashing by Senzei · · Score: 1

      Someone get on this immediately. I suggest we integrate the already implemented Bill Engval system for demarking those lacking in mental competence. All we would need is a camera connected to each computer that checks for their "sign"

      --
      Slashdot: Where anecdotes and generalizations can be freely substituted for facts, logic, or intelligence
    5. Re:Lame Microsoft bashing by sharkey · · Score: 1

      No, that's

      if exists(ntldr)
      {
      disableInternetAccess=true;
      blowRasberry();
      }

      --

      --
      "Outlook not so good." That magic 8-ball knows everything! I'll ask about Exchange Server next.
  25. Who's coming first? by Anonymous Coward · · Score: 0

    secretly, i was expecting some comment relating XP SP2, Longhorn and DukeNukem Forever...

  26. Vapourware? by Fuzzums · · Score: 0, Redundant

    I would like to suggest XP-SP2 as the no.1 vapourware project for 2004 ;)

    --
    Privacy is terrorism.
    1. Re:Vapourware? by davmoo · · Score: 2, Informative

      The problem with that suggestion is that SP2 has been out for at least a week. The only thing that has been delayed is its appearance on the Windows Update site for Joe Average User. You can in fact get the full service pack at this Microsoft link.

      --
      I want a new quote. One that won't spill. One that don't cost too much. Or come in a pill.
  27. Re:In general, Microsoft seems sloppy. by wastingtape · · Score: 0

    "exit" Haha i do that too much in IM windows. :P

  28. I'd actually be surprised if there are no bugs in by melted · · Score: 4, Interesting

    in SP2. They've gone through pretty much everything, re-hashed a lot of stuff, sometimes on a very deep level. Tons of bugs were fixed. There's not a software company in the world that could release something like this with zero bugs. Not even demi-god Linus Torvalds is capable of such a monumental technological feat as releasing code without bugs.

    Having said that, it's all about risk management. If you're willing to postpone SP2 roll out in your org you've got to estimate the risks of not rolling it out, too. As I said it fixes a lot of issues, and if there's a bug or two the benefits still outweigh the risks by a wide margin.

  29. Execute.me by lastberserker · · Score: 5, Interesting

    How is sending .gif and asking to run cmd on Windows XP system any different from sending .gif and asking to execute perl on Linux or BSD?

    --
    My other Beowulf cluster is... er...
    1. Re:Execute.me by arivanov · · Score: 3, Insightful

      It is different in the sense that:

      If SP2 has introduced as standard blocking execution based on ADS data, it has to be uniform across the OS. The fact that CMD does not do the check means that the check is not on kernel level. It is a userland check, most likely in explorer libraries which are universally used by MSFT software at the moment. This means that there is likely to be a way to do this without asking and this protection is not likely to apply to any 3rd party executables that do not rely on IE. This also means that SP2 enforces the use of IE to access filesystem and launch executables.

      So MSFT did one of its usual stunts - it decreased the security of the system, screwed the competition while getting some publicity for a security feature. Good marketing...

      --
      Baker's Law: Misery no longer loves company. Nowadays it insists on it
      http://www.sigsegv.cx/
    2. Re:Execute.me by sporty · · Score: 1

      In a unix system, you don't "run" the gif. With windows, it brings up the association handler and what not no? In unix, you execute an explicit open.

      --

      -
      ping -f 255.255.255.255 # if only

    3. Re:Execute.me by dave420 · · Score: 1
      Because it's microsoft! That's the great thing on slashdot. If microsoft does something (or windows), it's instantly bad. If linux does the exact same thing, it's not only good, but was intentional, and here's umpteen million tenuous reasons as to why.

      I hear ya. I just wish for a little objectivity here. If we can't accept the good and bad in every operating system, how can we forward ourselves? Imagine if evolution was unfair in its selection (if it could be) - we'd get crappy favoured creatures crapping out their lungs through poor design, while excellent creatures get wiped off the face of the earth for no good reason. Kind of a strange analogy, but you see what I mean.

    4. Re:Execute.me by David_W · · Score: 1
      it decreased the security of the system

      (Emphasis mine.)

      OK, I can agree that putting this in Explorer instead of in the kernel is an inferior solution, as well as status quo for Microsoft (witness the hack known as "shortcuts"). BUT, how could this decrease the security of the system, when the feature was not present in any form prior to SP2?

    5. Re:Execute.me by curious.corn · · Score: 1

      Because a false sense of security is worse than no security at all. Imagine yourself at a cyberlounge browsing on a Win98 machine. Would you dare trust it to login into anything like your webmail or bank-online? Now imagine yourself in front of a WinXP SP2 public terminal, warm, fuzzy, safe? Do you still trust it for your webmail or bank? Perhaps a /.er wouldn't in any case but the avg. user would think it safe enough because of all the marketing and talk about this SP2 thing and Trusted Computing Initiative.
      Specifically MS simply brushed up the security zones in IE without planting the MAC mechanism in-kernel; perhaps to post-hoc make IE an intrinsic part of the OS and get people to believe TCPA is a mandatory technology to overcome the limitations of current computing models that don't allow more security than MS's "state of the art" implementation in SP2. That's bull, we all (hopefully) know that, but the computer "consumer" doesn't and might be convinced to swallow the red pill. Goebbels, Nazi propaganda mastermind, said that a repeated and mass deployed lie would soon be perceived as truth.
      I smell a fish here, either MS was too cheap to call in their kernel team on the issue choosing to give IE security zones a liftup or there's a scheme behind this choice. Otherwise they would be total utter fools to risk so much of the credibility invested in this new "Starting Today, Microsoft plays it Safe" into something that anyone with a decent understanding would call inadequate.

      --
      Mi domando chi à il mandante di tutte le cazzate che faccio - Altan
    6. Re:Execute.me by bushidocoder · · Score: 4, Informative

      There was actually a lot of chat about where this protection should be placed prior to SP2 RC1 and the general consensus among developers (both in and out of MS) was that it should be placed in explorer. The problem with making it kernel level is that applications which use web auto-update methods to retrieve new binary versions of executables or dlls would block on an exec or CreateProcessEx and prompt the user. This would be such a pain in the ass and confusing in user space that it appeared most developers would rather invent their own auto-update strategies than take advantage of the strategies MS is beginning to push on the market. In the end, it's more beneficial to end users to have a uniform update model - a uniform update model means that in the next generation of Windows Update Services, enterprises will be able to deploy updates and patches to all types of software regardless of vendors from a centralized repository. Also, it helps consumers in future versions of Windows Update when MS begins to allow third party signed binaries to be hosted on Windows Update itself.

    7. Re:Execute.me by BSDCoder · · Score: 0

      *BSD and Linux users usually aren't stupid enough to execute commands from an unsolicited e-mail.

    8. Re:Execute.me by GSloop · · Score: 1

      I'm no mondo expert here, so this is more theory than anything...

      Granted I see your points about userland confusion...however if this can be exploited in combination with other flaws as we've seen in the past, the "convenience" of keeping userland confusion down will result in a rash of exploits that makes SP2 largely a loss.

      Time will tell, but IMHO, often taking the easy road out is a bad decision. Often we create larger problems than simply ripping it all out and doing it right the first time.

      I suspect the rub comes from wanting to do it quickly and relatively cheaply. MS wanted an uber patch to point to, to bolster their standing. (I thought XP was the most secure system ever - when it came out...) So it wanted it quickly and for it to be mostly a flawless transition - at least for MS - it seems they were not as concerned with impacts on *other* vendors' software.

      Quick, cheap, well-done - pick any two. I think we can see which two were chosen.

      Anyway, I'm not bashing MS really. I just think this is the group-think of the organization. I don't think it's going to change in any comprehensive way anytime soon, and the result will ultimately be that MS will pay the piper big-time for its short-sightedness.

      Cheers,
      Greg

    9. Re:Execute.me by Flexagon · · Score: 1

      What concerns me much more than the minor exploits described in the article is Microsoft's sloppy attitude in handling out-of-band data like this in general. Microsoft seems to be grabbing ADS in a very ad hoc way without thinking (or at least without caring) about consequences. A few examples:

      • The article mentions "Windows built-in ZIP utilities honor ZoneIDs" (by, among other things, preserving ADSes?), implying that Windows' ZIP capability is now incompatible with other ZIP applications (though I can't find any details on this, and I can't confirm that XPSP2 preserves ADSes in ZIP folders (it appears not to)).
      • The switch from using ADSes in Win2K for image metadata to using Microsoft proprietary EXIF fields (yet another bad idea, and not even backwardly compatible with Win2K) and thumbs.dbl in WinXP. After switching away from ADSes for this application, it's surprising to find them using ADSes for the new ZoneID.
      • The total lack of bundled ADS tools (including really basic info like disk usage).
      • Increasing complaints at adm sites that ADSes are a security issue on their own.

      Certainly another reason to use Mozilla, but also another reason to track down tools to find and expunge a large class of ADSes from files; more work ahead.
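
The comment above is about the ZoneID being kept out-of-band in an NTFS alternate data stream. The following is an added example, not code from the thread, the article or Microsoft: it parses that stream and audits which executable-type files in a folder still carry a zone mark. It assumes the standard stream name `Zone.Identifier` with a `[ZoneTransfer]` section and `ZoneId` key (not shown on this page); the function names, the extension list and the "zone 3 or higher is untrusted" rule are illustrative assumptions, and the sample stream text is constructed.

```python
"""Read and interpret the Zone.Identifier alternate data stream (added example)."""
import configparser
import os

# Windows security zone numbers and their names.
ZONES = {
    0: "Local Machine",
    1: "Local Intranet",
    2: "Trusted Sites",
    3: "Internet",
    4: "Restricted Sites",
}

STREAM = ":Zone.Identifier"  # appended to a file path to address the stream on NTFS
EXEC_EXT = {".exe", ".dll", ".bat", ".cmd", ".scr", ".com"}  # assumed list for this example

# Constructed sample of what the stream's text looks like for a downloaded file.
SAMPLE_INTERNET = "[ZoneTransfer]\r\nZoneId=3\r\n"


def parse_zone_identifier(text):
    """Return the integer ZoneId from the stream's INI text, or None if absent or malformed."""
    parser = configparser.ConfigParser(strict=False, interpolation=None)
    try:
        # Some writers prefix a byte-order mark; strip it before parsing.
        parser.read_string(text.lstrip("\ufeff"))
    except configparser.Error:
        return None  # e.g. a key with no [ZoneTransfer] header
    if not parser.has_option("ZoneTransfer", "ZoneId"):
        return None
    try:
        return int(parser.get("ZoneTransfer", "ZoneId").strip())
    except ValueError:
        return None


def is_untrusted_origin(zone_id):
    """Simplified rule (assumption): Internet and Restricted zones count as untrusted."""
    return zone_id is not None and zone_id >= 3


def zone_label(zone_id):
    """Human-readable label; files without a stream are reported as 'unmarked'."""
    if zone_id is None:
        return "unmarked"
    return ZONES.get(zone_id, f"unknown({zone_id})")


def read_zone(path):
    """Read a file's zone mark. Only NTFS on Windows has the stream; elsewhere returns None."""
    try:
        with open(path + STREAM, "r", encoding="utf-8", errors="replace") as fh:
            return parse_zone_identifier(fh.read())
    except OSError:
        return None  # no stream, no such file, or a filesystem without ADS support


def audit(root, reader=read_zone):
    """Yield (path, zone label) for executable-type files under root.

    'unmarked' entries are the interesting ones when a file is known to have been
    downloaded: the mark was lost by a copy, an archive tool, or a non-NTFS volume.
    The reader parameter lets the walk be exercised without NTFS.
    """
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            if os.path.splitext(name)[1].lower() in EXEC_EXT:
                full = os.path.join(dirpath, name)
                yield full, zone_label(reader(full))


if __name__ == "__main__":
    import sys

    for path, label in audit(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{label:18} {path}")
```

Run against a downloads folder on an NTFS volume, the report separates files that still carry a zone from those that would no longer trigger an origin check.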

    10. Re:Execute.me by bushidocoder · · Score: 1
      I don't think Microsoft did this wrong. I do wish the zone carried over when you copied the file on the same machine, but the cmd "vulnerability" is silly. Most enterprises have cmd suppressed for non-power users because the windows command line is useless. Could the cmd binary itself be modified to obey the new warnings? Probably, but it'd probably break a good slew of maintenance scripts, and the lack of strong scripting support in Win32 as is makes it hard to script workarounds.

      In the end, this feature is a last line of defense "Do you know what you're clicking on" feature of explorer. Smart zoning and code access security ARE built in at the kernel level for the .NET runtime, and I think anyone who has web-deployable apps that don't run on a managed runtime needs to reevaluate what they're doing. Microsoft is putting their foot down with .NET, whether you agree with .NET or not, and saying "This is how Windows development should be done". I think going back and completely revamping the system by which binaries are run would be too much effort for not enough gain.

      Besides, if you as an attacker can socially engineer a user to copy an executable into the commandline to run it after a cmd statement, it's not a stretch to also get them to click "Yes" when they're prompted. If users fall for that, you've already lost.

    11. Re:Execute.me by GSloop · · Score: 1

      The point isn't that the exploit is contrived in the example given.

      The point is, however, that I expect someone to come up with a much less contrived way to exploit the user and this whole "zone" defense thing will revert to the old days of click and infect.

      Further, there is a whole host of software that isn't usable for accounts not logged in as admin.

      Lastly, many non enterprise networks run each station with local admin privs. To not do this is a pretty big PITA.

      In short, the "zone" defence is broken and badly implemented. I almost guarantee that it will be further exploited so that the real exploit will require much less user co-operation than the given example and that further there will likely be wide-spread use of it.

      Cheers,
      Greg

    12. Re:Execute.me by Wile_E_Peyote · · Score: 1

      How did it _decrease_ the security? I didn't get that conclusion from what you said... Sure, there is a way to do it without asking, but it requires a user to put the software on their system. There is no security patch that will cure stupidity.

    13. Re:Execute.me by jakobgrimstveit · · Score: 1
      How's sending .gif and asking to run cmd on Windows XP system is any different from sending .gif and asking to execute perl on Linux or BSD?
      The permissions of the user executing the code in question, of course. Most XP users run with administrator privileges, which make the consequences of a n00b mistake a bit more devastating...
      --
      Jakob Breivik Grimstveit
      "I love deadlines. I love the whooshing noise they make as they go by."
  30. Actually what happened was the Divx codec thing by Anonymous Coward · · Score: 1, Interesting

    was too hot.
    I mean come on. Here's MS trying to push WM9 on all the media companies saying how they promise to play nice and then suddenly they shut out Divx. That didn't look good at all.
    I'm not saying Divx is the greatest codec, but it looked bad.

  31. Re:Currect track record by phobonetik · · Score: 5, Insightful

    Actually, to be honest XP is quite good. The masses really mainly seem to understand how to use it. My mum can write CDs, scan photos and so on :P ... which previously with Win98 was always a sure way for a phone call to me for support. I really enjoy the fact hardware is finally really plug n play. No stuffing around finding the drivers. I slapped it on an old Pentium 500 recently and it detected everything, breathing new life into the box. And yes, while I say this, I prefer (and am browsing on) Firefox, and we have a bunch of linux servers. (It's a shame I have to justify any decision to use anything which ain't a "postgres server on some box where I have personally contributed into a branch of a kernel I compiled myself" when on slashdot. Ah well).

  32. But does SP2 take out the trash as well? by CRC'99 · · Score: 5, Insightful

    Ok, correct me if I'm wrong, but isn't a Service Pack supposed to add security fixes, and patches to operate more 'as expected'...

    Yes, you can do something convoluted to get something to misbehave (save the file, open up a command prompt, run the file) etc, but seriously, if a normal user does this, then they are beyond help that we can expect an OS to provide.

    Remember, you can get *ROOT* access to linux by rebooting and adding 'single' to the boot line. Does this mean that it should be fixed in the next kernel/distro?

    You can only do so much to protect the user. If you go out of your way to bypass security measures, then the OS should not be expected to protect you.

    --
    Sendmail is like emacs: A nice operating system, but missing an editor and a MTA.
    1. Re:But does SP2 take out the trash as well? by CoolVibe · · Score: 1
      I wouldn't call this "out of my way" to bypass the feature. They could have closed it off a little better.

      Wrt single user booting, sure, no system is secure when an attacker has physical access to the hardware. But I can see how these flaws are remotely exploitable, which is much worse. The first flaw is more a social engineering issue, but I can see how flaw #2 can cause real problems.

    2. Re:But does SP2 take out the trash as well? by Steeltoe · · Score: 1

      Yes, you can do something convoluted to get something to misbehave (save the file, open up a command prompt, run the file) etc, but seriously, if a normal user does this, then they are beyond help that we can expect an OS to provide.

      How about a .cmd or .bat file? I bet that is also vulnerable since this "security fix" is only in Explorer, a stupid decision. Security should be at the foundation, not tacked over the windows (pun intended). So all you need is the user to get a bad file to run, and off they go..

      Bad security is worse than no security, because the users think they're more secure. Even a clueful admin may mistake this patch for a real security patch and think he's invulnerable to certain attacks just because he made the exe-file "non-executable". That's REALLY bad..

    3. Re:But does SP2 take out the trash as well? by Q+Who · · Score: 1

      Remember, you can get *ROOT* access to linux by rebooting and adding 'single' to the boot line. Does this mean that it should be fixed in the next kernel/distro?

      If you can do this on your system, it doesn't mean you can also do it on a properly administered publicly accessible system.

    4. Re:But does SP2 take out the trash as well? by Tenebrious1 · · Score: 1

      Remember, you can get *ROOT* access to linux by rebooting and adding 'single' to the boot line. Does this mean that it should be fixed in the next kernel/distro? If you can do this on your system, it doesn't mean you can also do it on a properly administered publicly accessible system.

      And in a properly administered publicly accessible Windows system you don't have access to the command prompt. So what's your point? If any system is properly administered, by default there are no vulnerabilities.

      --
      -- If god wanted me to have a sig, he'd have given me a sense of humor.
    5. Re:But does SP2 take out the trash as well? by ticktockticktock · · Score: 1
      Remember, you can get *ROOT* access to linux by rebooting and adding 'single' to the boot line. Does this mean that it should be fixed in the next kernel/distro?
      Interesting. In SuSE Linux 9.0, when I add "single" to the boot options, it merely asks me for a root password and won't let me do anything on my system until I enter it right. What distro out there actually gives you root privileges when adding single to the boot line?
  33. Re:In general, Microsoft seems sloppy. by Anonymous Coward · · Score: 0

    Would you like some cheese with that whine?

  34. Only 2 for a new OS release? by OffTheLip · · Score: 5, Interesting

    From my perspective based on the size of SP2 I'd say it's a new OS. Two patches/flaws in a MS OS is darn good. Kudos to Redmond.

    1. Re:Only 2 for a new OS release? by PsychoSid · · Score: 1

      Well two that have been identified and disclosed to the public in a week (betas notwithstanding).

    2. Re:Only 2 for a new OS release? by gamgee5273 · · Score: 2, Funny

      It's not a new OS in any way, shape, or form. Go to the Run command on an XP SP2 box, type in "winver" and you'll see this is still Windows NT 5.1, just as all versions of Windows XP have been since they first came out. This is one of those many cases where size does not matter.

    3. Re:Only 2 for a new OS release? by jargonCCNA · · Score: 1

      /me opens winver

      Let's see..
      Microsoft Windows
      Version 5.1 (Build 2600.xpsp2.030422-1633 : Service Pack 1 )

      Doesn't look like NT to me at all. I'd say it's version 5.1 of the standard Windows kernel, not the NT kernel. They're very similar at this point, don't get me wrong.. but I think NT has become the Server Edition.

      --
      Matthew G P Coe
      http://mgpcoe.blogspot.com/
  35. Re:Currect track record by Jedi+Alec · · Score: 2, Informative

    XP SP2 ... disappointing (may as well be WinXPSE much like Win98SE was)

    XP SP2. Websites go out of their way to find security flaws and come up with this in a feeble attempt to keep the anti-MS flow going...sorry, but if this is the worst exploit they can manage to dig up from SP2 perhaps they need to point their arrows elsewhere...

    --

    People replying to my sig annoy me. That's why I change it all the time.
  36. I detect an infinite loop. Danger Will Robinson! by Anonymous Coward · · Score: 0

    Nor does yours. Nor does mine. Nor do half the posts here. Nor does the next reply to my post. Nor does the reply to that one. Nor do any tomorrow. Nor ...

    *head explodes*

  37. SP2 Borks iPODS it seems... by spineboy · · Score: 5, Interesting
    There are many, many reports on iPODLounge (the main iPOD support forum) of people who install SP2, lose their iPOD functionality, and then need to roll back their XP system to pre-SP2 in order to get their iPODS to function again.

    I just got a new 4th gen iPOD, which I can write to on Linux, but can't get to work on my XP-SP2 Windows dual boot machine.

    Guess what I'll be uninstalling next...

    --
    ..........FULL STOP.
    1. Re:SP2 Borks iPODS it seems... by Anonymous Coward · · Score: 0
      Guess what I'll be uninstalling next...

      Windows?

    2. Re:SP2 Borks iPODS it seems... by Val314 · · Score: 1

      my 3rd Gen iPod works fine with SP2

    3. Re:SP2 Borks iPODS it seems... by Anonymous Coward · · Score: 0

      So why blame Microsoft?
      Blame Apple!

    4. Re:SP2 Borks iPODS it seems... by easyfrag · · Score: 1

      This happened to me, I just re-installed iTunes and all was fine again. I recall reading something about some issues with firewire under SP2, not sure if the two issues are related. Anyone using an iPod with USB 2.0 having any issues with SP2?

    5. Re:SP2 Borks iPODS it seems... by stonedonkey · · Score: 1
      There are many, many reports on iPODLounge (the main iPOD support forum) of people who install SP2, lose their iPOD functionality, and then need to roll back their XP system to pre-SP2 in order to get their iPODS to function again.

      I can confirm this. My iPod Mini will not sync with iTunes. Further, iTunes cannot be uninstalled or re-installed. Each of these activities is blocked by an (unhelpfully cryptic) error notification. Attempting to manually install the InstallShield script...produces an error notification. Had to roll back to SP1 to get functionality back.

      This does not appear to be a general USB issue, as I'm attempting to sync with FireWire as well, and I have other USB devices connected without issue.

  38. Re:Currect track record by Anonymous Coward · · Score: 0

    WinNT ... usable, not disappointing

  39. Spreading the load... by RenatoRam · · Score: 2, Interesting

    If you did not notice, MS normally uses the services of Akamai to auto-distribute the load of their DNS AND their content servers. The images, media and download files are hosted on (linux) akamai servers, and are auto-mirrored to practically every ISP in the known world(s).

    So the bandwidth excuse is not an option...

    --
    Ciao, Renato
  40. Functionality vs Control by Skiron · · Score: 3, Insightful

    The trouble is, M$ do not have the luxury of coding a free, open system as per Linux and are more concerned with the 'control' of the code in what it allows a user to do (or more importantly, what they are not allowed to do!!). Basically, the whole design from bottom up of windows is a bad legacy and will always cause problems.

    BTW, here is the SP2 fix list

    Some great stuff here e.g. -> 823830 Your Windows XP computer stops responding after you log on :D

    1. Re:Functionality vs Control by Anonymous Coward · · Score: 0
      All the KB titles sound like that. If you actually RTF(KB)A, the problem is merely that you get some warnings about access violations (since that's the cause of the problem) or you can't mount remote shares to drives. The origin of the alarmist title is presumably that your computer will stop responding to remote machines on the network.

      This is directly analogous to starting up your Unix system and getting a SIGSEGV when trying to start the RPC portmapper. Because the portmapper failed to start, NFS will be nonresponsive. Depending on the flavor of NFS you're running, you may be able to get some level of functionality, but on most Unix systems nothing will work right - it will just time out after like 5 minutes of waiting. And, by the way, if you try to kill -9 mount while that's happening, it generally hangs in an uninterruptible sleep or turns into an unkillable zombie.

    2. Re:Functionality vs Control by dave420 · · Score: 1

      But then MS has the luxury of over $60bn in cash in the bank, which linux doesn't. Free, open source software isn't a luxury. It's not even better than closed source. It's like comparing religions. Saying Windows has a bad legacy is as valid as saying Linux has a bad legacy. Grow up, please.

  41. Re:Currect track record by Anonymous Coward · · Score: 0

    Win95 ... Neo-Rio-101 finds it disappointing
    Win98 ... Neo-Rio-101 finds it disappointing
    WinME ... Neo-Rio-101 finds it disappointing
    Win2000 ... Neo-Rio-101 finds it expensive but somewhat usable
    WinXP ... Neo-Rio-101 finds it expensive, disappointing, but somewhat usable
    XP Starter Edition ... Neo-Rio-101 finds it disappointing
    XP SP2 ... Neo-Rio-101 finds it disappointing (may as well be WinXPSE much like Win98SE was)
    Longhorn ... (Neo-Rio-101 can't bear to look)

  42. Another potential remote exploit found!! by hedge_death_shootout · · Score: 5, Funny

    *Yet* another flaw in XP SP2 has been found:
    Even with the service pack applied, Windows does nothing to guard against the user revealing their password to a complete stranger in a train station in exchange for some crappy pen.

    MICROCRAP WINBLOWS!!!!!!!

    1. Re:Another potential remote exploit found!! by mcbevin · · Score: 4, Insightful

      I think that about summarizes what I've read of these flaws. If anything, the 'exploits' are simply disagreements with the philosophy regarding how the changes should have been implemented - i.e. at what level.

      Microsoft has added protection to some things, but not others, so it's a 'flaw' that the protection only protects these certain things. But it is most likely a design decision - you have the security stopping the dumb user from accidentally opening something in explorer without realising what it is, without handicapping advanced users using cmd or having say security pop-ups every time a program internally invokes another etc.

    2. Re:Another potential remote exploit found!! by Anonymous Coward · · Score: 0

      how many smart users lie about their password to get a free pen?

    3. Re:Another potential remote exploit found!! by Anonymous Coward · · Score: 0

      How does Linux guard against this?
      Nevermind this is slashdot, as long as it bashes microsoft, it's ok, even if Linux does the same thing.

    4. Re:Another potential remote exploit found!! by budcub · · Score: 1

      I got you beat. Shortly after Windows 95 came out, I saw a usenet rant by an irate user about what that awful M$ did to him.

      He deleted an important file, then emptied his recycle bin, waited two weeks, and that stupid win95 wouldn't let him recover the file! Can you believe that? Curse that Bill Gates and his Microsoft!!!

  43. Mod article down by Ceriel+Nosforit · · Score: 5, Insightful

    In my humble opinion, this article is about as useful as a troll. Many /. readers have already pointed out that these aren't much of flaws.

    Microsoft is finally playing the right tunes, but someone on a vendetta can't accept this, so they nitpick after _anything_ to pin on SP2.
    For Christ's sake, Sendmail. Sendmail had a brand new remote execution (That translates to your unpatched box being rooted.) exploit posted a week or two ago, and not a word was said.

    This isn't news. This is hypocrisy.

    --
    All rites reversed 2010
    1. Re:Mod article down by Anonymous Coward · · Score: 5, Informative

      The Sendmail issue you speak of was related to MS^T^TSCO's version of sendmail...

      By SearchSecurity.com staff
      02 Aug 2004 | SearchSecurity.com

      SCO fixes two critical flaws in Sendmail
      The SCO Group of Lindon, Utah has issued a fix for two old vulnerabilities in Sendmail that malicious people could use to launch a denial-of-service attack or compromise a vulnerable system. IT security firm Secunia of Copenhagen, Denmark calls the flaws "extremely critical." The first problem can be exploited to cause a denial-of-service attack and could allow a remote attacker to execute arbitrary code with the privileges of the Sendmail daemon, typically root, according to SCO's advisory. The second problem is in the prescan function in Sendmail 8.12.9, which allows remote attackers to execute arbitrary code via buffer overflow attacks. The vulnerabilities affect OpenServer 5.0.6 and 5.0.7. The SCO recommends users install the latest packages.

    2. Re:Mod article down by Ceriel+Nosforit · · Score: 2, Informative

      No, that's not the one. This was on bugtraq. Maybe a bit older than two weeks.

      --
      All rites reversed 2010
    3. Re:Mod article down by rozz · · Score: 5, Funny
      This isn't news. This is hypocrisy.

      actually, this is slahdot

      --
      "There is nothing more frightful than ignorance in action." Johann Wolfgang von Goethe
    4. Re:Mod article down by BarryNorton · · Score: 4, Informative

      No, that's SCO's belated response to an 'old' (as you quoted!) advisory CA-2003-25 (http://www.cert.org/advisories/CA-2003-25.html)

    5. Re:Mod article down by Anonymous Coward · · Score: 0

      don't you mean sloshdat?

    6. Re:Mod article down by Anonymous Coward · · Score: 1, Funny

      This trash should be modded down as the author of this post is completely misinformed and should be shot on sight.

      But hey, they mentioned SCO and MS in the same post!

    7. Re:Mod article down by Anonymous Coward · · Score: 0

      Yeah, whatever. I got so fed up with all the hassles from XP and dumped it months ago. Originally it had all the drivers I needed so it seemed convenient. But later when stuff started freaking out I found out I could get better hardware recognition with Knoppix for crying out loud. That's so incredible. I wiped out that XP partition and went with SUSE.

    8. Re:Mod article down by beuges · · Score: 1

      Finally a voice of reason.

      Where was the /. outcry when linux 2.6.8.1 was released a day after 2.6.8? Couldn't those linux programmers get it all right first time around?

      Where were the 'Of course, who would be surprised by this?' snide comments in response to that?

    9. Re:Mod article down by Anonymous Coward · · Score: 0
      This isn't news. This is hypocrisy.

      actually, this is slahdot

      Same thing

  44. Low tech by Anonymous Coward · · Score: 5, Funny

    Sending an email and instructing a user to do something more than "click here"? What's next, "Hello. To see nude pictures of Natalie Portman, please: go to insecure.org and download nmap, go to arin.net and find ip ranges for several major cable internet providers, search for vulnerable Windows XP systems that you can use exploits on (use Google to find Windows compiled versions of the exploiting tools), and use the exploits to inform the remote user of this method. If you infect 10 people and get them to pass it to 5 of their friends, Bill Gates will send you a check for $50 for every person that references you. It's true! I did it and you can to! K THX!"

    DeMe

    1. Re:Low tech by Anonymous Coward · · Score: 0

      It looks like cmd.exe does not check security. So imagine this:

      A program runs cmd.exe that runs itself. The program does a check to see what is running it (the parent process). If it is not cmd.exe, then it runs a benign program. If it is cmd.exe, then it runs the rootkit.

      So now you have what looks like a benign program but has a rootkit hidden in it.

    2. Re:Low tech by tonydiesel · · Score: 1

      Dude? You have nude pictures of Natalie Portman?

      What do I have to do again?

  45. Re:I'd actually be surprised if there are no bugs by Steeltoe · · Score: 1, Flamebait

    in SP2. They've gone through pretty much everything, re-hashed a lot of stuff, sometimes on a very deep level. Tons of bugs were fixed. There's not a software company in the world that could release something like this with zero bugs. Not even demi-god Linus Torvalds is capable of such a monumental technological feat as releasing code without bugs.

    It can't be very deep when you allow this "bug" to go through a command-window. Then it's just a patch to explorer, and explorer-alternatives like Litestep and others will still be vulnerable.

    I think it's all hype, and an afterthought to security when you allow these kinds of "bugs". It's not a bug, it's a fundamental wrong way of fixing things.

    And so fantastically predictable too!!

  46. Re:I'd actually be surprised if there are no bugs by Anonymous Coward · · Score: 1, Funny
    How dare you question Linux! Linux has no bugs as OSS' "many eyes" allows no bugs!

    Unfortunately, some idiot on /. will probably claim that Linux is better at releasing non-buggy software. Just ignore that 2.6.8.1 kernel over there.

  47. News at 11... by Reteo+Varala · · Score: 3, Funny

    At the top of the hour, we'll bring you Microsoft's latest battle to ensure Security in their Service Pack 2 Upgrade, but first, this message from your sponsor...

    *cue the Microsoft ad* ...Okay, Microsoft the #1 manufacturer of software in the US has announced that it will not be shipping its Service Pack 2 upgrade on time. We have an operative at Microsoft headquarters who can bring you the scoop. Stan?

    *cut to Microsoft Windows ad*

    Mr. Ballmer, how does this delay affect your company's efforts to ensure the security of your customers? What does this mean in your plans to release the Longhorn operating system?

    "Well, Stan, we here at Microsoft have been long at work making things safe and secure for every single person, and we don't plan to change that now. As for Longhorn, that will be put on delay until we can secure what we have now. Beyond that, I can't comment."

    Do you give any credence to the rumors that more and more of your customer base might be slipping to Windows?

    "Yes, but they'll be back, when they discover that the costs of going to Linux are higher than staying with us. Our plans of world... ...security are coming along just fine. Hang in there, and we'll show you that Microsoft is the only company in the world that can offer you security from all manners of Internet threats, from pirates to hackers, and of course, file-sharers."

    Thank you, Mr. Ballmer. Back to you, Charlie.

    *cut to Charlie*

    Thank you, Stan. When we come back, a look at your money, and a surprising look at SCO's evidence, proving once and for all, its ownership of UNIX and Linux...

    *cut to MSN Ad*

    Darl McBride, CEO of the SCO Group, uncovers an amazing discovery that could turn the tables in their court case against IBM, who they allege had taken UNIX code, the recipe for a computer to work, as they provided this evidence this afternoon in court...

    *cut to scene where Darl is in a straitjacket, screaming that Linux is his and if he can't have it, no one will* ...oops, sorry, wrong footage...

    *cut to scene where SCO lawyers present the Chewbacca Defense*

    No question, IBM's claims make no sense. So, here we have conclusive evidence that Linux rightly belongs to the SCO Group.

    In an unrelated incident, Darl McBride, surprised at the effectiveness of the maneuver, lost his sanity, and shouted about his ownership of Linux.

    *whisper: Do you think they'll buy that? What?* *looks at camera* Oh, when we return, we'll cover your money, and its safety in MS-backed stocks.

  48. Re:Currect track record by Anonymous Coward · · Score: 0

    The error didn't sound so bad when reading about it in the article. Not until reaching the part where they called Microsoft... The Microsoft person basically admitted that this is not just two minor bugs, it's a design flaw (look for the word "design", then re-read that sentence). Much worse than it sounded at first.

  49. Enough already... by Ghostgate · · Score: 5, Interesting

    I mean, let's be serious. I'm not defending Microsoft because let's face it, they have allowed some pretty serious security flaws to get into Windows in the past. But the article does mention "social engineering" and I ask you, isn't this at the root of many, many security issues? I'm not saying Microsoft is never to blame - not at all. But what I wonder is how much damage has to be done before the typical user just sits down and LEARNS a little about security. I am honestly appalled at the number of computers I see that are on the internet without ANY form of anti-virus protection - much less a firewall. Computers are certainly much more complex to operate than say, a car - and we make people go through a whole course and take a test before they're even legally allowed to drive one. Why? Because they can end up killing someone, or themselves, if they don't do it right. With a computer, it's not that severe, but you can still do some major damage (or have it done to you).

    Put it this way. If the average user took the time to learn just a little more about this device that is a BIG part of their lives, and how to keep it and their private information secure, would security really be as massive of an issue as it is today? I will say this, though - I'm glad Microsoft has turned the firewall on by default in SP2. I know it's going to cause a lot of headaches, but think about it - a lot of people are hearing about a firewall for the first time thanks to SP2. Hearing about it, and being FORCED to deal with it, is a big step for the average user towards learning more about security.

    1. Re:Enough already... by Anonymous Coward · · Score: 0

      The car thing brings up a good point, people just expect things to work without having to put in any effort to know how or maintain them. Consider how many people actually know how to maintain their cars; it's not just computers that people are so stupidly clueless about.

      I have a '90 civic that has never broken down on me, and I don't expect it to any time in the foreseeable future. But if I just drove it without ever putting a thought into keeping it maintained I certainly wouldn't expect that. But that's exactly what most people do with everything. I was helping program someone's all-in-one remote to work with his TV, VCR, and DVD player...after doing so he said, holding the manuals for all three, "OK, I guess I won't need to read these." and so he threw them out. Depressing.

      People are just so damn clueless.

  50. I have problems too since SP2 by Anonymous Coward · · Score: 4, Funny

    After installing SP2 I received an email from a person I don't really know, but he somehow had found a Word document with a lot of personal information about me online and was worried I might have misplaced it. He was so nice to send it to me, so I tried to open the document to see what was in it but Word wouldn't start properly and nothing seemed to happen. So it seems SP2 breaks Word. And on top of that my computer is really slow lately and sometimes messages appear on my screen like, 1 0wn j00! WhaAHAHa 5uck3R!!
    kinda funny but i don't remember installing that...

    seriously, if a user is dumb enough to follow instructions to do something he never asked for from somebody (he probably doesn't even know) he got an email from, you might just as well ask them to install backdoor.exe because it will make their computer faster.

    1. Re:I have problems too since SP2 by Anonymous Coward · · Score: 0

      hey! that guy's not the wallet inspector!

    2. Re:I have problems too since SP2 by Anonymous Coward · · Score: 0

      Where can I find this backdoor.exe file you speak of? I want my computer to be faster...

  51. Re:In general, Microsoft seems sloppy. by DA-MAN · · Score: 1

    Am I alone in picturing J. Jonah Jameson (Peter Parker's boss) when reading dialogue like this?

    --
    Can I get an eye poke?
    Dog House Forum
  52. Re:In general, Microsoft seems sloppy. by Jasperke · · Score: 1
    Where I work software is created only (99%) by the ideas of marketers...

    If you can make a feature that makes money, just do it! (And if you can get a customer to pay for all the develop time of that feature, then you're a genius ;))

    Executing code within Word documents or email seems insane from our perspective, but it's a _really_ awesome feature you can sell. So ...

    ... shutup and go make that feature!

    PS: I worked for another company that was driven by technologie instead of marketers, it was a programmers heaven... but I went broke. (Geez, how come?)
  53. Have they fixed this? by ceeam · · Score: 1

    In SP1 (and XP original I think) there is a certain time during system startup when it is on the network already but the "Personal Firewall" is not yet started. This time is long enough for some exploit to "own" the machine. Pisses me off.

    1. Re:Have they fixed this? by Anonymous Coward · · Score: 0

      Yes, they fixed that you fuck-nut.

    2. Re:Have they fixed this? by knewman_1971 · · Score: 1

      AFAIK, yes. That was one of the biggies. The firewall loads before the IP stack.

      --
      where is the "I feel for ya, but that's some funny ass shit" moderation?
  54. News for Nerds. Stuff that matters. by Numen · · Score: 5, Insightful

    That tag is starting to wear awful thin.

    Why is it harmful to stoop to clutching at any desperate cheap swipe at MS ignoring any similar commentary on OSS software?.... because there's a large number of NERDS that miss a lot of useful "stuff that matters" on Slashdot because they're not prepared to deal with the rabid hypocrisy of articles like this one.

    Secondly it makes the OSS community look like a bunch of immature fanboys rather than the dedicated professionals most of the community is made up of... that directly impacts adoption of OSS by business.

    If you've ever wondered why OSS struggles for credibility in many businesses, bullshit like this article and the culture it encourages are a significant factor.

    Articles like this one hurt the OSS community way way more than they ever hurt MS and feed back into the fact that the OSS community itself is all the advertising MS needs.

    "News for OSS Nerds. Any desperate shot at MS."

    Grow the hell up.

    Get back to news for ALL nerds, and stuff that genuinely does matter. Because **gasp** there are Nerds that also develop on the MS platform, and not surprisingly they're more likely to hear the OSS side of the argument if they're actually around rather than on the other side of the room rolling their eyes at you... and maybe... just maybe... you have as much to learn from them as they have to learn from you.

    1. Re:News for Nerds. Stuff that matters. by nagora · · Score: 1
      So, you're saying that there's nothing wrong with SP2? Or are you saying that everyone, including those that do know better, should carry on giving MS a free pass on their shit products for another 20 years? What does that achieve?

      TWW

      --
      "Encyclopedia" is to "Wikipedia" what "Library" is to "Some people at a bus stop"
    2. Re:News for Nerds. Stuff that matters. by Anonymous Coward · · Score: 1, Informative

      So, you're saying that there's nothing wrong with SP2?

      Numen didn't say anything relating specifically to SP2 other than the fact that Slashdot editors try to find any small piece of information regarding Microsoft, and put their little slant into it just to bash Microsoft. It's easy to tell, just look at all the anti-SP2 articles that Slashdot has been posting in the past few weeks. First they complain about security problems in Windows (and how MS uses backward-compatibility as an excuse to not fix them), then they complain about Microsoft delaying SP2 (holy shit, you mean they test this stuff?), and then they complain about some old stuff not working after SP2 is installed (because of backward compatibility issues), and they complain about the firewall features. It just goes on and on.

      Not hard to see unless you are completely biased. But hey, what am I saying, this is Slashdot right?

      Or are you saying that everyone, including those that do know better, should carry on giving MS a free pass on their shit products for another 20 years?

      If you know better, you will use the product that helps you complete your task - use the best tool for the job. Linux is great for certain tasks, but on the desktop it does not compare to Windows on many fronts. If you want to call Microsoft products shit, at least at the desktop level, then I would hate to see how Linux products are compared.

    3. Re:News for Nerds. Stuff that matters. by tesmako · · Score: 1
      At least I have not seen anything terribly wrong with SP2 as of yet. This particular flaw is unfortunate, but the security feature it is a flaw in is still very much useful in my humble opinion.

      For those who have missed it, the flaw is this;
      When a file is downloaded from the internet or received in mail Windows will tag the file (with a registry entry I'd imagine) so that when the user executes it the first time a warning dialog will pop up and inform the users about the potential harm of executing untrusted programs. The flaw is that it is the shell that checks for the tag, cmd.exe has not been updated to check for such tags and thus if the program is executed in cmd.exe the warning dialog will not show.

      While this surely is an unfortunate flaw I must say that I feel that the basic feature is useful, even despite the flaw allowing you to avoid the dialog. For all practical purposes the mail could just as well say "Just click 'OK' in the dialog that pops up to run", far more likely to catch the careless user than the complex walkthrough of running cmd.exe ("What? I have no cmd on my start menu?!").

      Kudos to MS on a nice feature that I hope we see in Linux distributions some day.
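
A defender-side check for the tag discussed in the comment above, added here as an example and not part of the original thread or any Microsoft code: on NTFS the origin tag is kept in an alternate data stream named `Zone.Identifier`, which this sketch parses and uses to list runnable files that any launcher skipping the check would start without a prompt. The `RUNNABLE` extension set, the function names and the sample stream bodies are assumptions made for illustration.

```python
import configparser
import os

# Windows URL security zone numbers (URLZONE_* constants).
ZONE_NAMES = {0: "Local Machine", 1: "Local Intranet", 2: "Trusted Sites",
              3: "Internet", 4: "Restricted Sites"}
# Extensions treated as directly runnable for this audit (assumption, not exhaustive).
RUNNABLE = {".exe", ".com", ".bat", ".cmd", ".scr", ".pif", ".vbs", ".js"}

# Constructed sample stream bodies, in the INI layout Windows writes.
SAMPLE_INTERNET = "[ZoneTransfer]\r\nZoneId=3\r\n"
SAMPLE_INTRANET = "[ZoneTransfer]\r\nZoneId=1\r\n"


def parse_zone_identifier(text):
    """Return the ZoneId from a Zone.Identifier stream body, or None if unusable."""
    parser = configparser.ConfigParser(strict=False, interpolation=None)
    try:
        parser.read_string(text.lstrip("\ufeff"))
        return parser.getint("ZoneTransfer", "ZoneId")
    except (configparser.Error, ValueError):
        return None  # missing section, missing key, or non-numeric value


def read_zone(path):
    """Read the tag of a file on NTFS; None when the stream is absent or
    the filesystem has no alternate data streams."""
    try:
        with open(path + ":Zone.Identifier", "r",
                  encoding="utf-8", errors="replace") as fh:
            return parse_zone_identifier(fh.read())
    except OSError:
        return None


def should_warn(zone_id):
    """Internet (3) and Restricted (4) origins need a prompt; unknown numbers fail closed."""
    if zone_id is None:
        return False  # untagged: nothing to act on
    return zone_id >= 3 or zone_id not in ZONE_NAMES


def audit(root, reader=read_zone):
    """List runnable files under root whose origin tag calls for a warning."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            if os.path.splitext(name)[1].lower() not in RUNNABLE:
                continue
            full = os.path.join(dirpath, name)
            zone = reader(full)
            if should_warn(zone):
                findings.append((full, ZONE_NAMES.get(zone, "unknown")))
    return findings


if __name__ == "__main__":
    for path, zone in audit(os.path.expanduser("~")):
        print(f"{zone:>16}  {path}")
```

The `reader` parameter lets the same audit run against recorded stream contents on a machine that is not Windows.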

    4. Re:News for Nerds. Stuff that matters. by Anonymous Coward · · Score: 0

      Mod this mother. I know whining about rejected submissions is poor form, but I just had an article rejected about Yahoo Search's first hit for "messenger" bringing you to a sponsored web page with a trojan dialer. But it seems there's always enough space for another MS-bashing article on Slashdot.

      P.

    5. Re:News for Nerds. Stuff that matters. by dave420 · · Score: 3, Interesting
      Good points, dude!

      I'm one of those developers. I write OSS on Windows, because Windows does for me what I want. I'm not starting a windows vs. linux debate, but a maturity vs. immaturity debate. I can totally understand why people use linux. I really can. I even use it myself (tho not on my own desktop). I'd defend someone's right to use linux with all my might. Why do I get the feeling that sentiment wouldn't be reciprocated by the /. community? It's called objectivity, folks. If you want OSS to be respected, start respecting other operating systems. Start respecting closed-source apps and developers, and they'll start respecting you more (they already respect you, but this cheap pot-shot name-calling only hurts that).

      I find it increasingly difficult to talk to people who don't know about OSS and tell them how cool it is, because the community behind it is cheap. Really cheap. Are you all proud that you're bashing an operating system that your favourite OS is aspiring to replace? If linux had 95% of the desktop share, would you love it if people bashed it without any reason what-so-ever? Of course not. So don't do it to windows. Sure, pick up on the truly bad stuff, but also pick up the good stuff. Do the same for linux, as well. Be fair, that's all. Objectivity. It's your friend.

      Anyway, I'll be called a troll for this. I don't care any more. I waste so much time wading through people talking out of their asses on here, it's hard to get to the actual stuff that matters.

    6. Re:News for Nerds. Stuff that matters. by goldspider · · Score: 2, Insightful
      So you're saying there's nothing wrong with Linux, or any other OSS out there? Or are you saying that everyone, including those that do know better, should strictly limit themselves to OSS even though it likely isn't the best tool for the job? What does that achieve?

      Zealots like you are EXACTLY what the grandparent is referring to. You grapple for the tiniest scrap of a "flaw" that nobody but the most creatively stupid of users could only stumble upon, and use it to bolster your "M1cr0$0ft 15 t3h 5ux0rz" argument.

      Nothing can abate your hatred of Microsoft, so do us all a favor and keep your rabies away from the rest of us.

      --
      "Ask not what your country can do for you." --John F. Kennedy
    7. Re:News for Nerds. Stuff that matters. by simong_oz · · Score: 1

      Possibly the most insightful, informative and interesting post I've seen on slashdot for the last few weeks - I just wish I had mod points. Couldn't agree more with everything you've said.

      --
      "Because it's there." - George Mallory, when asked why he wanted to climb Mt Everest, March 18, 1923 (New York Times)
    8. Re:News for Nerds. Stuff that matters. by nagora · · Score: 1
      So you're saying there's nothing wrong with Linux, or any other OSS out there?

      No, I'm saying that /. reports flaws in Bind, Sendmail, Mozilla etc., so why should it not report flaws in Windows? Just because they're more common? What sort of sense does that make?

      TWW

      --
      "Encyclopedia" is to "Wikipedia" what "Library" is to "Some people at a bus stop"
    9. Re:News for Nerds. Stuff that matters. by Anonymous Coward · · Score: 0

      I honestly don't think that closed-source developers have that much to worry about. Those who are mature enough to be kernel developers or major program contributors are generally mature enough to avoid operating system "holy wars" publicly, imho.

      The problem is making sure everyone realizes that the majority of /. readership is actually NOT developers, but retail sales, tech support, etc...

    10. Re:News for Nerds. Stuff that matters. by maximilln · · Score: 1

      If you want OSS to be respected, start respecting other operating systems

      What the crowd of zealots lack in objectivity they make up in history. Microsoft and closed source vendors have never had any respect for other architectures or operating systems. Could you say Mac back in the mid-90s without catching a snicker from suit-and-tie businessmen? Could you ever say Amiga, even when it was producing 1024x768x24 bit color in '85, without catching either a blank stare or a put-down about Commodore? For that matter, what system could even match the capabilities of Commodore--with the 6502 SID and the BASIC v2 interpreter? The C64 was the closest that the average consumer could get to the t/csh+C combo. Yet, for years, anyone with an interest in those technologies has been ridiculed and subject to derisive attack by the vast majority of the business world. They could dish it out for all those years and now we're to have sympathy when they can't take it? We lived through it. How tough are they?

      because the community behind it is cheap. Really cheap

      Are we cheap because we can do it ourselves? Society has truly taken a turn for the worse when the do-it-yourself enthusiast is stuck playing second fiddle to Richie Rich with a few purchased paper certifications.

      Are you all proud that you're bashing an operating system that your favourite OS is aspiring to replace?

      Enthusiasts and developers endured that bashing for years--and it came from the vantage point of Microsoft featureware. We finally have an opening to point out the technical deficiencies in Windows and, due to lack of historical knowledge, the public perceives this as negative bashing.

      You're right in that the OSS movement needs a better PR campaign but I see no reason to compromise on the steadfast ideals that have allowed F/OSS enthusiasts and developers to weather the storm of derision that we've endured for 15 years.

      --
      +++ATHZ 99:5:80
  55. Re:Currect track record by Guppy06 · · Score: 1

    "WinME - ABSOLUTE TRASH."

    Now now, an old copy of WinME might be handy to hang onto for one reason: MS-DOS 8.0. They hid the bajeezus out of it, but it's still the final version of MS-DOS. Since then, all you've got is FreeDOS and maybe future iterations of IBM's PC-DOS 2000.

  56. Execute! by Anonymous Coward · · Score: 0

    In the fact that files with the extension gif should not be executable? These days, in Nautilus, you get a warning message when you try to open a file of which the extension does not correspond with the actual file contents. It will even prevent you from running it by just double clicking on it.
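
The kind of check the comment above describes (declared extension versus actual file contents), as an added sketch that is not Nautilus's code or part of the original thread: it compares a file's extension with its leading magic bytes and refuses outright when something named as an image starts like an executable. The signature table, the verdict names and the function names are assumptions chosen for illustration.

```python
import os

# (magic bytes at offset 0, detected type). Constructed table, not exhaustive.
SIGNATURES = [
    (b"GIF87a", "gif"),
    (b"GIF89a", "gif"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"\xff\xd8\xff", "jpeg"),
    (b"MZ", "pe"),        # DOS/Windows executable header
    (b"\x7fELF", "elf"),  # ELF executable header
    (b"#!", "script"),    # interpreter line
]
# Type each extension claims to be (assumed mapping for this example).
EXTENSION_TYPE = {".gif": "gif", ".png": "png", ".jpg": "jpeg", ".jpeg": "jpeg",
                  ".exe": "pe", ".dll": "pe", ".scr": "pe", ".sh": "script"}
EXECUTABLE = {"pe", "elf", "script"}


def sniff(header):
    """Return the type implied by the first bytes of a file, or None."""
    for magic, kind in SIGNATURES:
        if header.startswith(magic):
            return kind
    return None


def classify(name, header):
    """Compare what the name claims with what the content is.

    ok      - extension and content agree
    block   - a non-executable extension on executable content
    warn    - any other disagreement (including unrecognised content)
    unknown - the extension makes no claim we can compare against
    """
    declared = EXTENSION_TYPE.get(os.path.splitext(name)[1].lower())
    actual = sniff(header)
    if declared is None:
        return "unknown"
    if declared == actual:
        return "ok"
    if actual in EXECUTABLE and declared not in EXECUTABLE:
        return "block"
    return "warn"


def check_file(path):
    """Classify a file on disk from its name and first 16 bytes."""
    with open(path, "rb") as fh:
        header = fh.read(16)
    return classify(os.path.basename(path), header)


if __name__ == "__main__":
    # Constructed samples: a real GIF header, and an "MZ" header under a .gif name.
    print(classify("photo.gif", b"GIF89a\x01\x00\x01\x00"))
    print(classify("photo.gif", b"MZ\x90\x00\x03\x00"))
```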

  57. Microsoft and Lucasarts by tod_miller · · Score: 2, Funny

    if(Lucasarts)
    post.replace("SP", "EP", 0);

    Look, SP2 sucked, no one liked it, we are all waiting for SP3, although most of us have this feeling that it will be more of the same. ...

    It gets complicated with SP4-6 due to something called the time-space continuum.

    --
    #hostfile 0.0.0.0 primidi.com 0.0.0.0 www.primidi.com 0.0.0.0 radio.weblogs.com
    1. Re:Microsoft and Lucasarts by Anonymous Coward · · Score: 0

      Talking about the Version Number of the SP.
      I was thinkin it should have been "SP 10-101."
      Okay back to my radio tweaking, 10-4? 24.8150Mhz , 24.7150, 24.6150, 24.5150, 24.4150Mhz "Hello skipland?!"

      10-100 = 5-Min. Brk, Commonly RestRoom
      10-101 = Serious Weight Loss Program (p00p0r), Restroom PAPERWORK (tp for the bunghole), etc.

      10 Codes

      I notice most 10 code lists don't have 10-101. I think they have it they just don't say what it is, or they mysteriously leave it off the list[s] due to vulgarity.

      Should be Pretty Clear What I am Driving At Now. Yes, install that SP10-101 and have an OS that works like (what's that smell?)

      IF I was using XP. (I ain't, I do got 2k3, which is starting to have quite a collection of patches on its own now) I would firewall it off, or not use it online.

      IMO- the SINGLE most important thing Microsoft Can do is fix the catch 22 (update/patch/download method/website/ftp/md5sum/online/offline/firewall) problem

      WU is broken like the USPTO is broken!

  58. This is getting ridiculous... by Anonymous Coward · · Score: 0

    Whether or not this article is just picking on Microsoft, there really is a need for Microsoft to seriously evaluate the future of its code base.

    I mean, they could start with a BSD kernel/minimal tools, the old BSD licensed wine code, start hooking their upper APIs in and probably be back up to WinXP compatibility in similar amounts of man power. (They would avoid the 'evil' GPL, have probably better performance, an unbelievable jump in security, and be in a great place to embrace/extend Unix.)

  59. Re:In general, Microsoft seems sloppy. by Anonymous Coward · · Score: 1, Funny

    +5 REDUNDANT

  60. I wouldn't laugh about this too much by beh · · Score: 4, Insightful


    Yes, I couldn't suppress a first smirk upon seeing this article. But then again, there are two major reasons we shouldn't be laughing too much about this:

    a) While uncertainty about Micro$oft brings some more people to Linux (which is touted to be more secure, but then again - it can just as well be penetrated by hackers), it also turns people away from using the Internet because they get too scared of what's going on there. The latter are mostly elderly people, but nevertheless - even they should be free to use the Internet, something which a number of them dread now because they feel their privacy (through spyware) and/or financial background (due to phish scams) may be at risk. And this is not a good thing.

    b) Staying still, laughing about Micro$oft's misfortune here has two more immediate effects: (a) it will spurn M$ developers even more to deliver better software - and (b) has Linux people potentially stay back and enjoy M$'s misfortune (and hence giving M$ more time to catch up, security-wise, that is). Do you want to sit at the "other" end of the story in a year or two - once M$ has sorted out most of its security issues, while linux might be more and more negligent of these issues (because everyone "knows" that it's Windows that's insecure).

    Personally, I've had some of my machines broken into about 2 years ago - and that was out of negligence (thinking Linux would be safe enough on its own). In the end, it probably was just a couple of script-kiddies breaking into the box to install - of all things - an IRC proxy/cache/logger on the machine. I don't know how they originally got into the machine, as I am not even quite sure WHEN it happened. But it went far enough that they even replaced the system's own ps/netstat/... to make sure those wouldn't display the "wrong" processes. I only noticed a problem when I inadvertently stumbled across it...

    Since that time, I've done some more work trying to secure the box as far as (with MY knowledge) possible - but I'll no longer think my machines are inherently better than a M$ server might be. M$ *will* catch up - and they DO have the money they need to fix these kinds of problems.

    The question is - do WE have the idealism to hunt down every single bug? (M$ people don't need the idealism for it - they get well PAID to do it).

    1. Re:I wouldn't laugh about this too much by Anonymous Coward · · Score: 0

      You are so cool to say it like Micro$soft

    2. Re:I wouldn't laugh about this too much by Anonymous Coward · · Score: 0

      Spelling Microsoft "Micro$oft" and M$ is sophomoric and you lose any points you may have gained from the rest of your post. Grow up.

    3. Re:I wouldn't laugh about this too much by Anonymous Coward · · Score: 0

      Posting anonymously is being kindergartenic and you lose any points you may have gained from the rest of your post. Grow some balls.

      Of course, this also applies to me, and so on, ad infinitum...

    4. Re:I wouldn't laugh about this too much by LilMikey · · Score: 1

      In that case the old people got it right. If you aren't technically competent enough to take care of yourself on the internet then staying off is a good idea. I wish they used the same logic with their vehicles. Remember, it's a privilege and not a right :)

      --
      LilMikey.com... I'll stop doing it when you sto
    5. Re:I wouldn't laugh about this too much by emidln · · Score: 1

      Your points are on shaky ground to start out with. We'll go from the bottom up, for my convenience:

      The question is - do WE have the idealism to hunt down every single bug? (M$ people don't need the idealism for it - they get well PAID to do it).

      While idealism is there, there are many open source developers paid very well to work on Linux. I'm not discounting idealism, it is a driving force behind linux, but I am saying there are professionals who are paid by companies to improve Linux.

      Staying still, laughing about Micro$oft's misfortune here has two more immediate effects: (a) it will spurn M$ developers even more to deliver better software

      This is an all around good thing. The more high quality software available, the better.

      has Linux people potentially stay back and enjoy M$'s misfortune (and hence giving M$ more time to catch up, security-wise, that is). Do you want to sit at the "other" end of the story in a year or two - once M$ has sorted out most of its security issues, while linux might be more and more negligent of these issues (because everyone "knows" that it's Windows that's insecure).

      This isn't going to happen for several reasons. First off, Linux developers are largely not competing with Microsoft. You may be personally, and the loudest, most vocal users of Slashdot may be, but most Linux developers are not. They code because they like to, because they see something that needs to be fixed, or because they're paid to. Idealism, which you talk about in this same comment, is a major reason why Linux won't fall to this level.

      The developers that are paid also have different agendas. It seems to me that the only developers competing directly against Microsoft are large distributors like Red Hat, Mandrakesoft, Novell, Linspire, Xandros, etc and perhaps the Samba team. Almost all other developers are in it for different reasons. Many Linux installations take the place of Solaris, AIX, HP-UX, Alpha, IRIX and other machines. A lot of Linux work is also done in the embedded space, with appliances being developed as well as real-time versions of Linux (both soft and hard real-time).

      While uncertainty about Micro$oft brings some more people to Linux (which is touted to be more secure, but then again - it can just as well be penetrated by hackers)

      Frustration with Microsoft products brings more people to Linux than uncertainty about Microsoft in my experience as a consultant. Also, a properly secured Linux machine can offer a much more controlled environment, going as far as to completely remove unnecessary code from the kernel and utilities if it is not needed, and the effort deemed required. Stripping down the NT subsystems, into the kernel/servers (I think NT is a microkernel isn't it?) and modifying the fundamental security policies of NT is not possible without an extremely expensive source license (which you probably won't get anyway unless you are a government, at least not a license to modify the code).

      As a side note, Windows can be well-secured, but it is a multi-layer approach that requires other software, in fact other operating systems. This is not a flaw of Windows as much as an admission that no software is perfect, and the more variety in a network, the harder it is for a multitude of attacks. Your friendly neighborhood emidln.

    6. Re:I wouldn't laugh about this too much by HermanAB · · Score: 1

      MS sure has the money to fix their security problems, but they do not have the will to do so. To fix windows, they need to hire a couple hundred more people and they simply would not spend that kind of money. That is what opensourcerers have against them - they make crappy software, sell it at a ridiculous price, promise people that they will eventually fix their bugs, but they are such cheapskates that they never make good on their promises. Any fixes are only done as marketing stunts, not due to good engineering principles and rigorous quality assurance. Basically, MS is a One Sigma company and with that I may be giving too much credit, since it supposes that someone there knows what Six Sigma is.

      --
      Oh well, what the hell...
    7. Re:I wouldn't laugh about this too much by Darkangael · · Score: 0

      There's another reason not to smirk:

      c) Although there are a couple of minor issues (yes they are minor) with SP2, there are still many other improvements which are very good. It isn't perfect, but it's most likely still far better than SP1.

  61. The bigger flaw... by jkrise · · Score: 0, Troll

    is that Microsoft has released a Service Pack way behind schedule, and can't guarantee the fixes work. Why should poor Joe ServicePack install this SP2 if he isn't confident it will reduce his risks? If at all, SP2 could convince Joe to remain unpatched until crisis time.

    -

    --
    If you keep throwing chairs, one day you'll break windows....
  62. MOD PARENT UP... by Anonymous Coward · · Score: 0

    This is not a troll. WTF?? Are all mods like this?

  63. Cracked Mod? by tarunthegreat2 · · Score: 1

    Hey, the above post is hardly offtopic. Grandparent says Linux Rules becoz Win XP needs an SP2 which also seems to be teh sux0r, however parent explains why s/he'd rather stick to XP, despite flawed SP2... don't see how this is offtopic...and now I suppose I'll be modded offtopic too eh?

  64. Have you considered... by Anonymous Coward · · Score: 0

    > It seems that SP2 for Windows XP isn't as secure as Microsoft touts it to be.
    No kidding? SP2 is written and distributed by a corporation known to lie, cheat, and steal! They were even caught trying to fake evidence in court. They have no morals. It's only a matter of time before they begin screwing over their customers - more than they already do, that is. Come on, people... we're talking about Microsoft. Sheesh!

  65. Attention Windows Haters: SP2 Is NOT a pub release by Anonymous Coward · · Score: 0

    Dear insightful and thoughtful readers:

    SP2 is *NOT* I repeat *NOT* a PUBLIC RELEASE. It is currently in BETA testing and is not currently promoted by Microsoft as an OFFICIAL release.

    So please stop the moaning: It is for developer release ONLY, and the fools currently downloading it and acting like guinea pigs (read: Beta Testers) should stop bitching about a .xx beta. ...Especially those of you who DON'T EVEN USE WINDOWS!!!

  66. Now we're talking... by Anonymous Coward · · Score: 0

    Now, here's a nice piece of reality. See the truth in this article. You'll love it.

  67. 2.6.8 kernel so buggy... by dioscaido · · Score: 3, Insightful

    ... Linus and crew are at work with yet another version of the kernel, this time numbered 2.6.9! Those people are so sloppy, having to upgrade the kernel every few months to fix all the issues. Doesn't sound quite right now does it? Change the tag to SP2 and Windows, and we have a slashdot headline! Mod me as troll if you like, I'm just trying to make a point.

    1. Re:2.6.8 kernel so buggy... by slaughts · · Score: 1

      But you chose the wrong example to make a point. If a critical security flaw is found in the kernel, a new kernel is released as soon as the flaw is fixed and not when it is convenient. Most of the changes in 2.6.8 to 2.6.9, for example, are related to drivers, not security.

    2. Re:2.6.8 kernel so buggy... by mcbevin · · Score: 1

      Hell, even Linus doesn't claim the 2.6.x series is stable or even intended to be :).

    3. Re:2.6.8 kernel so buggy... by mcbevin · · Score: 1

      RTA. Or better, read a non-trolling article. These aren't critical security flaws by any stretch, and in any case Microsoft already released a patch for one.

    4. Re:2.6.8 kernel so buggy... by Chiisu · · Score: 1

      it's called early development; the 2.6.x kernel is very different from 2.4.x, and they're quickly working on issues. you rarely see patches for 2.4.x anymore, since it has had a lot more time to mature. the same will happen for 2.6.x, and then eventually 2.8.0 will come out and start over. welcome to Linux

    5. Re:2.6.8 kernel so buggy... by mattyrobinson69 · · Score: 1

      the linux kernel is upgraded every few months. the windows kernel is upgraded at least every few days:

      windowsupdate.microsoft.com

      I'm in the process of installing a 270mb fix called SP2 for my dad's computer.

  68. This explains it... by Anonymous Coward · · Score: 0

    This article explains a lot.

  69. DoS by Waltre · · Score: 1

    Microsoft is insisting that everyone install SP2 via Automatic update,

    The default time set on Automatic Update is 3:00am, in your (wherever you are) timezone

    Everyone in any given timezone will be attempting to download a 200Mb patch at the same time.

    ...So, Microsoft have scheduled DoS attacks on themselves.

    1. Re:DoS by dueydotnet · · Score: 1

      Actually, no, not a 200 MB patch. What you will download from Windows Update is supposed to be only the fixes you need. That's one of the reasons why they haven't put it up on WU (or so I've heard).

      But, still, you are correct. They are going to DDoS themselves. I have no idea why they couldn't have set up a random time or defaulted to the current time for Auto Updates.

    2. Re:DoS by Anonymous Coward · · Score: 0

      I think it is, actually. It's now on SUS - the patch is 272391KB. SUS, as you probably already know, is a way of running your own automatic update server, distributing patches to domain machines according to group policy. XPSP2 replaces a lot of stuff - they can't magically make it any smaller. The "fixes you need" is the whole shebang.

  70. NX protection off by default in SP2 by Anonymous Coward · · Score: 0
    This is the scariest thing I've seen about SP2. Especially the MS guy's attitude about it. This is from Paul Thurrott, News Editor, "Windows & .NET Magazine UPDATE".

    One reason why Microsoft has had to update the documentation so
    often is that XP SP2 has changed, over time, in somewhat subtle ways.
    For example, the no execute (NX) feature, which helps prevent certain
    buffer-overrun errors, was triggering errors on poorly written
    applications. "It turns out that there are a lot of poorly written
    apps out there," Goffe told me (sorry, he refused to name names).
    "Many of these have bad pointer handling. When you run them on strict
    hardware, [the applications crash]. Our initial approach in SP2 was to
    leave NX on across the OS, which we implemented in RC1, and you could
    use an exception list for opting apps out of NX. This functionality
    was triggered when an app crashed because of NX. But it turns out that
    a large chunk of apps that people wanted to use were crashing. So we
    decided to turn off NX for user-mode apps but leave it turned on for
    system components. So all the Microsoft bits are protected [by NX],
    which we think is a great thing. But by default it's off for user-mode
    apps." Goffe also noted that users could optionally cause applications
    to run with NX enabled, on an application-by-application basis.
    1. Re:NX protection off by default in SP2 by Dogers · · Score: 2, Informative

      "off by default for usermode apps"

      the only computers that can currently use this right now are those with Athlon64's or Opteron servers.

      What's so scary, exactly?

      --
      I am a viral sig. Please copy me and help me spread. Thank you.
    2. Re:NX protection off by default in SP2 by Anonymous Coward · · Score: 0

      What's so scary, exactly?

      The attitude, which you apparently share, that a security feature "off by default" is okay.

    3. Re:NX protection off by default in SP2 by lowe0 · · Score: 1

      And if those applications were just allowed to bomb out, /. would be raking MS over the coals for breaking compatibility.

      Ever heard someone complain about a computer problem and blame MS, even if it has nothing to do with Windows or Office? It's easier for lay users to just blame the biggest target instead of understanding the machine, tracing the fault, and blaming the people who caused the problem (sometimes MS, sometimes not.)

      MS has to balance turning on security features, which could break compatibility, against keeping their users happy. It's not like MS can always do what is best for security - if the users aren't going to like it, then MS isn't going to get paid, and that's the end of the story.

    4. Re:NX protection off by default in SP2 by Anonymous Coward · · Score: 0

      Hmm... Interesting. They call the first thing an "issue"? Well, I assume format is an issue too. If you mail someone and tell him he needs to type "format c:" in a dosbox in order to read the message... Come on, give me a break. Nothing is that idiot proof. I believe people should be shot for less...

    5. Re:NX protection off by default in SP2 by PitaBred · · Score: 1

      Because when I turn it on, many default MS applications break? I have an Athlon64, so I can tell the feature is working as it's supposed to, but hell, rundll32.exe won't even run when trying to access control panel stuff. And yes, I have a clean copy of the program.
      WTF is the point of putting in that security if the system doesn't work afterwards?

    6. Re:NX protection off by default in SP2 by Dogers · · Score: 1

      that's odd.. MS claim to have recompiled pretty much everything! :)

      I found SP2 worked much smoother when i reinstalled using a sp2 XP cd, might be worth a try for you and the NX problems?

      --
      I am a viral sig. Please copy me and help me spread. Thank you.
  71. Zero Mission by Graymalkin · · Score: 2, Interesting

    In the past few Windows XP SP2 threads there have been several people complaining about slashdites seemingly "picking" on Microsoft and celebrating any and all flaws the update has. I don't feel bad for Microsoft in the slightest at this point. They've been touting the security of Windows XP for years now and have done little to actually back up their claims. Sure some Windows XP system on a managed network with double filtered internet access and nightly reimaging might be pretty secure. In the home however Windows is simply a disaster waiting to happen.

    While SP2 is more secure than the original release and SP1 that doesn't reduce the number of Blaster hits my firewall blocks. It also doesn't affect the 50% of Windows users that will never download the update and will continue to be hammered by viruses and worms. Microsoft's delays and incompatibility problems just exacerbate the matter.

    It's good to see Microsoft taking real heat from the industry press over their problems in SP2. The industry as a whole rolling over for Microsoft is what led to the situation as it stands now. The original release of Windows XP was riddled with holes and was summarily exploited. No one seriously called Microsoft on this fact and SP1 was little more than a collection of security patches and minor bug fixes. The changes made in SP2 should have come out years ago. Maybe then you could plug a Windows system into a cable modem and last more than twenty minutes without being exploited.

    Linux is improving in the usability and management arena and MacOS X is gaining mindshare as Apple improves its hardware. Both of these OSes are designed much more securely yet have a high level of technical capability. I really hope people begin to see there are alternatives to Windows and they're not nearly as bad as Microsoft would have you believe. SP2 is going to teach their management a hard lesson; despite being a monopoly power in the industry they still have to improve and maintain their OS.

    --
    I'm a loner Dottie, a Rebel.
    1. Re:Zero Mission by sehryan · · Score: 1

      Did you ever think that it hasn't reduced the number of blaster hits your firewall blocks because it hasn't been rolled out for general consumption yet?

      --
      The world moves for love. It kneels before it in awe.
    2. Re:Zero Mission by delus10n0 · · Score: 1

      It also doesn't affect the 50% of Windows users that will never download the update and will continue to be hammered by viruses and worms.

      I can totally see how this is Microsoft's fault.

      Oh wait, it's not. It's the idiot end-user.

      I'm glad SP2 is finally treating people like morons, because that's what 99% of the computer-owning world is. No one wants to take the time to learn how to use or maintain their computer properly. They want it to work like a toaster or a vacuum -- plug it in and go. It's not that simple, guys and gals.

      --
      Not All Who Wander Are Lost
    3. Re:Zero Mission by Graymalkin · · Score: 1

      The idiot end-users shouldn't need an MCSE to run their computer without a metric assload of worms exploiting their computers and internet connections. People should be able to just fire up their web browser and go without the need for advance training beforehand. Some people have better things to do than learn the intricacies of Internet Zone settings on Internet Explorer or how best to set up their firewall. Windows should be taking care of this stuff for people.

      --
      I'm a loner Dottie, a Rebel.
    4. Re:Zero Mission by RzUpAnmsCwrds · · Score: 1

      "It also doesn't affect the 50% of Windows users that will never download the update and will continue to be hammered by viruses and worms."

      Oh, so now it's Microsoft's fault that their users aren't downloading the free service pack. Or ordering the free CD that's soon to come out.

      "SP2 is going to teach their management a hard lesson; despite being a monopoly power in the industry they still have to improve and maintain their OS."

      WHAT THE HELL DO YOU THINK SP2 IS? Microsoft is basically GIVING AWAY a whole new OS.

      Since XP has shipped, we've gotten:
      - New firewall
      - New IE with whole new zones model, popup blocking, ActiveX blocking
      - Windows Media Player 9
      - Windows Movie Maker 2
      - PowerToys
      - New WiFi configuration
      - Built-in Bluetooth support
      - Security Center
      - "Compliance" API
      - New Windows messenger
      - NX support
      - Completely recompiled modules with buffer-overrun protection
      - 1000s of bugfixes and security patches

      If that's not improving and maintaining the OS, what is?

      Slashdot users keep bitching that Longhorn has been delayed. Do you know WHY Longhorn was delayed? Because many of the new features were moved to XP SP2.

      Microsoft decided to give away a bunch of new features instead of making you pay for Longhorn to get them.

      Microsoft finally releases an upgrade, for free, that significantly improves their OS, particularly in regards to security. Slashdot is trying its hardest to make this look like a bad thing, but, quite frankly, we know bullshit when we smell it.

  72. Re:I'd actually be surprised if there are no bugs by Anonymous Coward · · Score: 0

    Good point about ignoring the 2.6 kernel. I know I do. 2.4 FOREVER, BABY!

  73. Re:Currect track record by GrandMJ · · Score: 1

    You forgot WinNT: usable and I would add also: WinXP: usable on a very new (fast, expensive) system with a lot of memory.

  74. +5 Insightful by Anonymous Coward · · Score: 0

    This would never happen at my office.
    As if our staff would even remember what their password was...

  75. Well, if at first you don't succeed... by Anonymous Coward · · Score: 0

    Hire some shills to say that you did anyway. Also attack your competitors products as a diversion. Look at the monkey. See the silly monkey?

  76. Re:'Flaws' Not that big of a deal but by checkup21 · · Score: 1

    first of all :

    besides the whole zone-concept is a big laugh, and besides it is an even more big laugh (which is nearly impossible to achieve) to "expand" this paradigm to the filesystem (what in fact has not been done, but will not be communicated either), we get to a point we're talking.

    So now that we pointed out that all this is absolute crap anyway, the article on heise shows up that the concept has no flaws, but in fact hard bugs.

    If a program uses this mechanism to determine the "safety" of a file, it could get wrong data.
    Period.

    This has absolutely nothing to do with "will not be exploited from remote".

  77. another windows security problem by chrisranjana.com · · Score: 0

    So here it is another windows problem

    --
    Chris ,
    Php Programmers.
  78. Making it small is the trick by Oestergaard · · Score: 5, Informative

    What you do when you want a large system to be secure:

    You implement a very small "core" or "security kernel" or "call it what you like". It is called a "reference monitor" in TCSEC. It is a piece of code that will be asked "can subject X do operation Y on object Z", whenever a user or program attempts any operation on any object (like a file or a network connection). This piece of code is so small and simple that you can inspect it and possibly even formally *prove* it to be correct.

    The operating system kernel will then guarantee that the reference monitor is consulted on all such operations. This is, after all, what operating system kernels do, among other things.

    Now; you can write a simple security policy for each subsystem in your operating system. One policy for your browser, one for your word processor, one for your regular secretaries, one for your accountants, etc. (a real OS with these features will of course have the majority of all policies set up and ready by default).

    The system will now enforce the security policies on everything that goes on in the system. Because the OS is enforcing these policies, and because the subsystems cannot magically change the security policies set up for them, this is called "Mandatory Access Controls", or MAC for short.

    MAC ensures that a bug in, say, your browser, cannot be exploited to, say, go thru your documents and harvest e-mail addresses. Simply because the system policy does not allow a browser with internet access to access local documents. Just an example.

    This is how secure systems are built. This is what SELinux is trying to do, and this is what Trusted Solaris has done for a while. This is what is required if you want a TCSEC certification in the B (or A) class, not the kindergarten-security of the C class.

    Or, under the common criteria, this is what you need to get certification against the LSPP (as Trusted Solaris has), instead of the kindergarten-security CAPP (as Win2000 can have in certain restricted setups), or even the home-grown "security targets" (which SuSE got).

    This is old and well known technology. Too bad big businesses and governments never put pressure on the vendors to actually have real security built in.

    Good to see SELinux coming along nicely, and Sun moving Trusted Solaris features into Solaris 10.

    All is not lost - but trust me, they will be selling snow-cones in hell before you see MAC in Windows.
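
A minimal sketch of the "can subject X do operation Y on object Z" check described above, as an added example that is not part of the original comment. It layers a default-deny, type-enforcement policy on top of an owner-based check so the difference is visible; the labels (`browser_t`, `user_doc_t`), paths and policy are constructed for illustration and are not real SELinux or Trusted Solaris policy.

```python
"""Toy reference monitor: mandatory type enforcement layered on owner-based DAC."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Subject:
    user: str     # account the process runs as (all that DAC looks at)
    domain: str   # label assigned by the system (what MAC looks at)


@dataclass(frozen=True)
class Obj:
    path: str
    owner: str
    type: str     # label assigned by the system, not by the owner
    data: str


# Constructed policy: (subject domain, operation, object type).
# Anything not listed is denied.
POLICY = frozenset({
    ("browser_t", "read", "browser_cache_t"),
    ("browser_t", "write", "browser_cache_t"),
    ("wordproc_t", "read", "user_doc_t"),
    ("wordproc_t", "write", "user_doc_t"),
})


class ReferenceMonitor:
    """Small enough to inspect: one set lookup and an audit record."""

    def __init__(self, rules):
        self._rules = frozenset(rules)   # fixed at load; subjects get no setter
        self.audit = []

    def permits(self, subject, operation, obj):
        allowed = (subject.domain, operation, obj.type) in self._rules
        self.audit.append((subject.domain, operation, obj.path, allowed))
        return allowed


def dac_permits(subject, obj):
    """Discretionary check: the owner may do anything with the file."""
    return subject.user == obj.owner


class Kernel:
    """Stand-in for the OS: every read is mediated before data is returned."""

    def __init__(self, objects, monitor=None):
        self._objects = {o.path: o for o in objects}
        self._monitor = monitor          # None models a DAC-only system

    def read(self, subject, path):
        obj = self._objects[path]
        if not dac_permits(subject, obj):
            raise PermissionError(f"DAC: {subject.user} does not own {path}")
        if self._monitor and not self._monitor.permits(subject, "read", obj):
            raise PermissionError(
                f"MAC: {subject.domain} may not read {obj.type}")
        return obj.data


# Constructed sample objects and subjects. Both programs run as the same user.
DOC_PATH = "/home/alice/contacts.doc"
CACHE_PATH = "/home/alice/.cache/page.html"
FILES = [
    Obj(DOC_PATH, "alice", "user_doc_t", "bob@example.com"),
    Obj(CACHE_PATH, "alice", "browser_cache_t", "<html>cached</html>"),
]
BROWSER = Subject("alice", "browser_t")
WORDPROC = Subject("alice", "wordproc_t")


def attempt(kernel, subject, path):
    """Return the data read, or the denial message."""
    try:
        return kernel.read(subject, path)
    except PermissionError as exc:
        return f"DENIED ({exc})"


if __name__ == "__main__":
    dac_only = Kernel(FILES)
    with_mac = Kernel(FILES, ReferenceMonitor(POLICY))
    print("DAC only, browser reads document:", attempt(dac_only, BROWSER, DOC_PATH))
    print("MAC, browser reads document:     ", attempt(with_mac, BROWSER, DOC_PATH))
    print("MAC, browser reads its cache:    ", attempt(with_mac, BROWSER, CACHE_PATH))
    print("MAC, word processor reads doc:   ", attempt(with_mac, WORDPROC, DOC_PATH))
```

With the owner check alone, a browser running as alice can read alice's documents; with the monitor in the path, the same request is denied and logged because no rule pairs `browser_t` with `user_doc_t`.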

    1. Re:Making it small is the trick by bushidocoder · · Score: 1

      MS has taken the concept of MAC and rebranded it CAS (Code Access Security), and it's an integral part of the .NET runtime. In Longhorn and beyond, CAS rules will apply to basically all software running on the machine (including user-level drivers) regardless of whether they were written in managed code or not, because the underlying Win32 framework is being rebuilt to .NET stubs encapsulating the function calls - therefore, even legacy C apps attempting kernel or IO operations in Longhorn will have to run through the CAS authentication cycle and can have security policy filters applied to them.

    2. Re:Making it small is the trick by anomalous+cohort · · Score: 1
      MS has taken the concept of MAC and rebranded it CAS

      Wrong. CAS has the semantics of demand, assert, deny, and permitonly which is very different from MAC.

  79. MPAA and illegal file sharing? by Anonymous Coward · · Score: 0

    How do sites like this still manage to exist? Surely people like the MPAA should have caught on to them, being illegal and all.

  80. Re:Currect track record by fistynuts · · Score: 0, Flamebait

    Asshole.

    --
    "You heard the man, Tubbs.. get undressed."
  81. Re:Slashdot... by Anonymous Coward · · Score: 0

    Where is the -1 "Telling the truth but nobody wants to hear it" option?

  82. Don't confuse SP2 RTM and Final (Gold) Versions. by kc_cyrus · · Score: 2, Insightful
    Please don't misunderstand. The version offered early this month by MS was a RTM version.

    The RTM releases are mainly for businesses and corporate customers even though they are publicly available.

    However, it's not the final version.

    Once SP2 CD is available for order and MS is officially stating on its main XP Pages that SP2 is here, there will be another SP2 Release.

    They did this same thing with SP1 however they never mentioned that the RTM SP1 was slightly different from the GOLD SP.

    Once the SP2 GOLD is released the RTM tag will not be on your MS About/version windows. It will just be SP2.

  83. Good news both ways by mr_z_beeblebrox · · Score: 1

    We could sit here and criticize everything but I just want to point one thing out. SP2 is the single biggest improvement MS has ever made to one of their OSes. Additionally, it is great that people like this find these things and bring them to their attention and further bring their market speak responses out to the 'public' (if /. et al can be called that).
    I would like to see MS make a security programming kit which could access their APIs to a greater level. Even if this were only available to BIG select 'gold' partners. You would have options other than MS to report bugs to. Yes, that is somewhat a theft from the OSS movement's model. But it would really improve security. Imagine this article if that were the case "Microsoft's position was that this is a feature, however IBM released a patch early this morning that corrects the behavior for those who don't share Windows design goals with MS"

  84. corporate and code bloat by rctay · · Score: 1

    MS hires very talented young programmers and traps them in corporate bloat and arrogance. The current XP problems are mostly due to the insistence on backwards compatibility and constant recycling and cobbling of code. I can't imagine how longhorn will not continue this trend. It's regrettable no competition is in sight. Capitalism can't seem to embrace open source, thus the problem with Linux. Apple can afford to be a little more daring due to the mindset of their user base, but MS is mired in conservative practices.

    1. Re:corporate and code bloat by Anonymous Coward · · Score: 0

      Funny, I'm pretty sure the "List of Programs that may not work correctly with SP2" is ridiculed to death every time someone brings it up in these types of articles. But I shouldn't be surprised, this is Slashdot.

  85. Re:In general, Microsoft seems sloppy. by Anonymous Coward · · Score: 0

    Maybe Microsoft isn't sloppy!

    Maybe Windows has simply become impossible to fix?!

    And if it's impossible to fix, it must logically be impossible to add any more "Microsoft features" (ah well, the good with the bad)!

    If Microsoft is to be considered "sloppy", the sloppiness must have occurred decades ago when top Microsoft management (i.e., Bill), laid down by decree the philosophy of design of Windows (or maybe the philosophy of lack of design)!

  86. First thing I did by na2rboy · · Score: 0

    The first thing I did on this page is Ctrl-F, type Micro$oft, and hit Enter. Second post down! New record!

  87. Awwwww, FUUUUUDGE! by Asprin · · Score: 2, Interesting


    Well, I learned something. Apparently, for some time now, Windows XP has been completely willing to execute executables that do not have an executable file extension. For example, if you rename notepad.exe to notepad.gif, you can "CMD /C NOTEPAD.GIF" and it will pop right open. Not sure yet if explorer will do this the same way: One test I ran (notepad.exe -> notepad.xxx) prompted for a program, while another program (nestor.exe -> nestor.xxx) just ran normally. Maybe it has something to do with the origin of the file, or whether the file extension is registered or not. I noticed that Windows replaced notepad.exe with a new copy a few seconds after I renamed it.

    The point?

    Those of us using RENATTACH on our mail servers to filter out malware and viruses now have another hole to plug.

    Thanks, Microsoft.

    Dorks.

    --
    "Lawyers are for sucks."
    - Doug McKenzie
    1. Re:Awwwww, FUUUUUDGE! by srenker · · Score: 1
      Those of us using RENATTACH on our mail servers to filter out malware and viruses now have another hole to plug.
      Duh. They should always have been checking the attachment contents for an executable header, rather than relying on the extension. Users can be socially engineered into changing the extension to make the "k3wl screensaver", or whatever, run.
      --
      My new /. login is fabu10u$.
    2. Re:Awwwww, FUUUUUDGE! by sqlrob · · Score: 1

      Decode the first three encoded characters. If the first two are MZ, don't deliver the attachment. Don't worry about the name.
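
The content check suggested in the two replies above, as an added example (not code from the thread and not part of RENATTACH). Three base64 characters carry 18 bits, so they decode to exactly the two bytes needed to test for "MZ"; the function names and the sample message are constructed for illustration.

```python
"""Content-based attachment check: look for the "MZ" magic, ignore the filename."""
from email import message_from_bytes, policy
from email.message import EmailMessage

MZ_MAGIC = b"MZ"  # first two bytes of every DOS/PE executable
B64_ALPHABET = ("ABCDEFGHIJKLMNOPQRSTUVWXYZ"
                "abcdefghijklmnopqrstuvwxyz0123456789+/")


def first_two_bytes(encoded):
    """Decode only the first three base64 characters of a payload.

    Three characters carry 18 bits: two complete bytes plus two bits that
    belong to the third byte and are discarded here.
    """
    head = "".join(encoded.split())[:3]
    if len(head) < 3 or any(ch not in B64_ALPHABET for ch in head):
        return None
    bits = 0
    for ch in head:
        bits = (bits << 6) | B64_ALPHABET.index(ch)
    return (bits >> 2).to_bytes(2, "big")


def looks_like_windows_executable(part):
    """True if a MIME leaf part starts with MZ, whatever it is called."""
    encoding = str(part.get("Content-Transfer-Encoding", "")).strip().lower()
    if encoding == "base64":
        # Cheap path: no need to decode the whole attachment.
        return first_two_bytes(part.get_payload()) == MZ_MAGIC
    # quoted-printable, 7bit, 8bit, binary: let the library undo the encoding.
    data = part.get_payload(decode=True) or b""
    return data[:2] == MZ_MAGIC


def scan_message(raw_bytes):
    """Return [(name, blocked)] for every leaf part of a raw RFC 822 message."""
    msg = message_from_bytes(raw_bytes, policy=policy.default)
    verdicts = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename() or "(unnamed part)"
        verdicts.append((name, looks_like_windows_executable(part)))
    return verdicts


def build_sample_message():
    """Constructed test mail: two attachments that both claim to be GIFs."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = "pictures"
    msg.set_content("Two pictures attached.\n")
    # Only the leading bytes of a PE header padded with zeros; not a program.
    fake_exe = b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 56
    msg.add_attachment(fake_exe, maintype="image", subtype="gif",
                       filename="holiday.gif")
    msg.add_attachment(b"GIF89a" + b"\x00" * 58, maintype="image",
                       subtype="gif", filename="photo.gif")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, blocked in scan_message(build_sample_message()):
        print(f"{name}: {'BLOCK' if blocked else 'deliver'}")
```

The MZ test only recognises DOS/PE executables; scripts and executables wrapped in an archive start with other bytes and need their own checks.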

    3. Re:Awwwww, FUUUUUDGE! by John+Sully+(I+hate+a · · Score: 1

      Jeez, and the linux shell won't do this? The shell looks at the magic number (and the executable bit) and then runs the file with the appropriate interpreter (perl, sh, python, yada yada yada). In Unix(es) the file extension means *nothing*.

      --
      Isn't theory a great place? Everything works in theory.
  88. Whatever by rjdohnert · · Score: 2, Insightful

    This requires some physical access to a system to be infected should someone try to write a virus. This is not a critical issue. Saying that a massive virus attack will come from this is like saying that Single User Mode on a Linux or UNIX installation is a security risk. If someone else has access to your system, it's not your system anymore.

  89. Are they actually insane? by argent · · Score: 2, Insightful

    With Service Pack 2, Microsoft introduces a new security feature which warns users before executing files that originate from an untrusted location (zone) such as the Internet.

    One definition of insanity is trying the same thing again when you know it won't work.

    Attention, Microsoft: you have been trying to make this fatally flawed "integrated browser" concept work reliably for over seven years, by adding twist after twist to this flawed "zones" model. The only component of the system that can know whether a document should be trusted is the application that requested it. THAT is the component that needs to be responsible for deciding how to handle its content.

    Remove the access components from the HTML control and make it purely a rendering tool. Use a mechanism like callbacks to the application to handle embedded objects, links, and helper applications, and make that application responsible for its documents. This is a security model that works, the one you're trying to create to shore up your original design flaw doesn't, and can't.

    People have been telling you this for years, you've been in denial for years, GET OVER IT.

    1. Re:Are they actually insane? by Anonymous Coward · · Score: 0


      "One definition of insanity is trying the same thing again when you know it won't work."

      That's also Thomas Edison's version of genius.

  90. Isn't that the ideal of OpenBSD by SmallFurryCreature · · Score: 2, Insightful
    Or one of the BSD's at least? Not sure as I don't use it.

    Anyway linux isn't any more secure or insecure than windows. It is just that most linux users got a tiny bit of a clue. But a clueful person could also be able to set up a secure windows machine.

    I keep waiting for MS to be really smart and adopt a more gentoo like approach to new windows installations. A very real problem is that a new "legal" installation is unpatched and will not survive long enough to download patches. But this is only because MS doesn't have "download latest software" stage in its installation.

    Let me explain. The entire windows problem is that it has software with security holes in listening mode before you are fully patched. When you install gentoo you download a sorta up-to-date CD with a very basic linux install. If you boot the CD you got a working linux cli but nothing extra it won't be running any listening services. So even if the machine is connected directly to the internet there is no way to attack it. No software listening to ports == no way to attack. Only way to install a listening piece of software is to download the latest fully patched software and run it by choice.

    So why does MS not do this as well. A new Windows install doesn't open any listening ports UNTIL it has downloaded the latest patches.

    Well the answer is of course probably very simple. It would make windows look "hard" to use. MS loves to promote the image of a click and drool OS. While the unpatched listening software is a problem just as big a problem is that the average windows user will click and drool on anything.

    Note my use of "legal" installations. If you bought XP then you got a CD that when installed will give you a totally insecure system. If you pirated XP then just download a version with the Service Packs included. Yet another case where piracy really pays.

    --

    MMO Quests are like orgasms:

    You may solo them, I prefer them in a group.

    1. Re:Isn't that the ideal of OpenBSD by Viol8 · · Score: 0

      "Anyway linux isn't anymore secure or insecure then windows."

      Not strictly true. A normal user in unix/linux can't totally screw up the system (unless the admins have deliberately reset all the privs) whereas in windows they can in all sorts of ways: eg deleting various system files such as explorer.exe

    2. Re:Isn't that the ideal of OpenBSD by skiman1979 · · Score: 2, Informative
      deleting various system files such as explorer.exe

      That may be a bit misleading. Explorer.exe is set (on my system at least) so users in the Everyone group and the Power Users group can only read and execute this file. Members of the Administrators group and the SYSTEM account have full control. I'm sure other key files on the system are set this way as well.

      The problem with Windows XP (and 2000?) isn't really that it allows users to delete key files, but that the default installation (at least in XP) makes the user a local administrator. Since the user is a local admin, he or she can delete these files. Most average Windows users are not aware of this, so they don't know that they can (or should) switch it. Running a Windows system as a normal user would cut down a bit on these problems and others.

      Any installation manual on linux I've seen informs the user that he or she should create a regular user account. Even the graphical installers (e.g., Mandrake) have a screen to create a normal user account. This way, linux users do not run the entire system as root (unless they purposely do not create a user account or choose not to log in with it).

      --
      Having a smoking section in a public restaurant is like having a peeing section in a public swimming pool.
    3. Re:Isn't that the ideal of OpenBSD by zenpiglet · · Score: 1

      Normal users in Windows can't do the things you say. Granted many Windows users run as Admin, but this is just their stupidity and not a problem with Windows - these same people would run as Root in Linux if given the chance.

      Anyway, Windows 2000, 2003 and XP all come with Windows File Protection (WFP), which would prevent tampering with system files being a problem.

      Any protected file (such as Explorer.exe) can be deleted assuming the user has correct permissions (which rules out non-admin users) and the file is not currently in use. However, WFP kicks in almost instantly and replaces the file from a cached version (or from original source if needed).

      This is on by default and there is no built-in mechanism for permanently turning it off.

    4. Re:Isn't that the ideal of OpenBSD by delus10n0 · · Score: 1

      You (and the parent poster) are forgetting Windows File Protection, which prevents users or applications from deleting system-required files on XP/2003.

      So your discussions are semi-pointless.

      --
      Not All Who Wander Are Lost
    5. Re:Isn't that the ideal of OpenBSD by Lehk228 · · Score: 2, Insightful

      the problem is that windows is near useless on a limited user account, you cannot install or remove stuff, until windows permits the installation of software to user accounts and beefs up local security it will remain insecure.

      --
      Snowden and Manning are heroes.
    6. Re:Isn't that the ideal of OpenBSD by skiman1979 · · Score: 1

      Actually, I wasn't aware of the WFP service. However, from what I read on the site you linked to, if the WFP service cannot locate the correct file to restore (because the file is not in the dllcache folder or the CD-ROM/network is unavailable), it will display a dialog asking the user to supply this medium. There is a note on that site stating

      If an administrator is not logged on, WFP cannot display either of these dialog boxes. In this case, WFP displays the dialog box after an administrator logs on. WFP also records an event to the system event log, noting the file replacement attempt. If an administrator cancels the WFP file replacement, an event noting the cancellation is logged. Note that WFP is not a replacement for having properly restricted user accounts and appropriate security policies.

      Since most home users of XP run as administrator, they will see these dialogs and have the option to cancel them. Many users may do just that if they don't understand what the dialog box is saying. I've seen users ignore zonealarm/norton internet security dialogs asking to block/allow some app accessing the internet because they didn't know what it meant.

      My main point was that a majority of average XP users run the system as administrator, which defeats the purpose of most OS protections. You don't normally see UNIX/Linux users running their systems as root, especially when connected to the net.

      --
      Having a smoking section in a public restaurant is like having a peeing section in a public swimming pool.
    7. Re:Isn't that the ideal of OpenBSD by Shulai · · Score: 1

      My own (not so large, I'm happy with Linux and escape from Bill stuff as hard as possible) experience says that besides the "Administrator as default" issue, certain tasks are difficult to do if you are not Administrator or at least Power User.
      So, having admin rights all the time is still a must for most Windows non-gurus.

    8. Re:Isn't that the ideal of OpenBSD by skiman1979 · · Score: 1

      Yes, I can completely understand the point that being a non-administrator or non-power-user on XP can make the system difficult to use for the average user. From my experience, the main problem with running as a non-administrator comes when you try to install an application. Your average user expects to be able to just open Install_me.exe and hit next a few times to install the latest application. As a normal user, you cannot take the defaults because your permissions do not allow you to write to certain areas (e.g., C:\Program Files). However, during the install process of that application, you can tell the installer to install it off of your home folder instead (Documents and Settings\).

      It's not necessarily the OS's fault, as application installers can be written to install in a different location instead. Also, since users like to have that luxury of installing any application with the ease of next... next... done, that opens them up to malicious websites installing the latest and greatest spyware. I'm sure spyware could be written to install in the user's home folder instead, but at least then it wouldn't have access to the entire OS.

      I'm currently running my XP Pro system at home as a normal user and haven't had any troubles so far. Granted, I've only installed one application as that user (trillian). I just told the installer to put it in C:\Documents and Settings\ and everything went fine. If that doesn't work, there's always "run as..." Perhaps this can be changed to something similar to the way KDE/Gnome does it in the linux world. I.E., if you run an app that needs admin privileges, prompt the user for the password with any applicable warnings so the user doesn't have to remember to right click the icon and select run as.

      --
      Having a smoking section in a public restaurant is like having a peeing section in a public swimming pool.
    9. Re:Isn't that the ideal of OpenBSD by 0racle · · Score: 1

      You should take a look at the 'Power Users' Local group. You can indeed install software as a Power User, I do it all the time and have done since NT. XP by default asks if you want to run the installer as Administrator if it's named setup.exe but the default selected choice is to run as the currently logged in user. The only software that you can not install as a Power User is most of Microsoft's own software and others that modify system files or system areas of the registry, but then again, if I want to upgrade KDE or GNOME on Linux, I have to do it as root or at the very least sudo or su to install it because it's more than likely changing files in /usr which is the same as system protected files in Windows. Windows is not 'near useless' with underprivileged accounts.

      --
      "I use a Mac because I'm just better than you are."
    10. Re:Isn't that the ideal of OpenBSD by Anonymous Coward · · Score: 0

      Nice idea but then there's the issue of deploying that in a corporate environment where you certainly don't want users to see "enter admin password" pop up.

      Could probably be easily controlled by GPO but still, it's definitely not how Windows goes about things and for quite good reasons.

    11. Re:Isn't that the ideal of OpenBSD by Lehk228 · · Score: 1

      is that available under XP Home? I was under the impression that only XP Pro allowed power users.

      --
      Snowden and Manning are heroes.
  91. Heise Security, Eh? by Renaissance+2K · · Score: 2, Insightful

    If Microsoft is so "concerned" about security in Service Pack 2 and a firm like Heise Security is so quick to not only discover the flaws, but announce them as well... Wouldn't it make sense for Microsoft to submit their major updates to a security firm before making it available to the public, and suffering the subsequent criticism?

  92. Depends on the condition of the PC at the time. by Vandil+X · · Score: 4, Informative

    My wife and I both own 3G iPods (connected via Firewire) and using the latest firmware.

    No problems under Service Pack 2 whatsoever, though Windows Firewall did fuss about iTunes wanting to connect to the Internet.

    From my experience, many of the times when an OS/feature breaks from a service pack installation, it's because the user's PC was already damaged by corrupt files, registry entries, or "tweaks". The Service Pack simply exposed them.

    --
    Up, Up, Down, Down, Left, Right, Left, Right, B, A, START
  93. Patch it by fok · · Score: 1

    Is the patch compatible?

    --
    \m/
  94. People aren't keeping up with the news, so... by Anonymous Coward · · Score: 1, Interesting
    Here are a few items that Microsoft Windows users really need to read: How much more proof do you need to stop using Windows?
    1. Re:People aren't keeping up with the news, so... by Senzei · · Score: 1
      How about proof that everything I currently do in windows is possible in linux? Or proof that all of my files from windows will at least open, if not function exactly the same as they do in linux? Convincing someone to make a change usually involves two parts: at least one reason to leave the current state, and at least one reason to accept the new state. Until linux can play people's games, open their proprietary word/excel/whatever documents, and do anything else they need to most people won't switch.

      I know that's where I am. I like linux, but I would rather go through the hassle of attempting to secure my windows box than give up my games for a more secure system. It's called acceptable risk.

      --
      Slashdot: Where anecdotes and generalizations can be freely substituted for facts, logic, or intelligence
    2. Re:People aren't keeping up with the news, so... by Anonymous Coward · · Score: 0

      Until all new games are released on linux security and TCO mean nothing to me and millions of other gamers.

    3. Re:People aren't keeping up with the news, so... by Anonymous Coward · · Score: 0

      First of all, how about some "Proof" that isn't from such O.S. biased sources?!?!?

      There are just as many articles of "Proof" from the other side of the fence that "Prove" the exact opposite!

    4. Re:People aren't keeping up with the news, so... by linguae · · Score: 1

      Those are all good and valid points, but how many Windows users are going to switch to *nix or Mac OS? For a lot of people, with a firewall, some anti-(virus|spyware|adware) apps, (Mozilla|Firefox|Opera|anything except IE), the latest patches installed, and some common sense about security (e.g., don't click on e-mail attachments, don't log in as "Administrator," and if a program needs Admin access, just change your user settings to allow you to use the program) Windows works fine, especially in its 2000/XP incarnations. It runs all of the programs that most users need without much hassle. Unfortunately, a lot of users don't do this, but that can be solved with some education.

      Don't get me wrong, I like Linux, and I currently run Windows 98 (yes, I know, I can't afford XP) with a form of Slackware called ZipSlack. (I will move completely to Linux in about a month). Linux, IMO, can be used as a desktop operating system. However, the desktop environment isn't refined yet, and some little things that us *nix geeks don't mind (like installing X11, getting your sound to work, compiling applications) would drive the heck out of less computer-savvy users. For them, a properly secured Windows installation (especially in its 2000/XP forms) would do fine.

  95. v5 Windows Update by Digz · · Score: 1

    Is anyone else experiencing problems with the Windows Update v5 site? I've tried using it on a SP1 machine and two SP2 machines, and the only one it works on is the SP2 machine that was just reloaded and had SP2 applied.

    --
    SYS 64738
    1. Re:v5 Windows Update by alchemistkevin · · Score: 1

      works fine on my WinXP Pro SP1 machine.

  96. Re:I'd actually be surprised if there are no bugs by Anonymous Coward · · Score: 0
    Risk management? If you are at all worried about security or IT costs, you quit running Windoze years ago.

    This "deep" work is pathetic. In more than a year, all they can offer up is 80MB worth of binary improvements? An organization like KDE can produce that kind of change in a week with real feature changes. M$'s little service pack is poorly reimplementing band-aids that other people, like Zone Alarm, made two years ago. No real changes are involved here and no real increase in security will be had. It's just another annoying user inconvenience in the never ending upgrade train.

  97. Good! by Anonymous Coward · · Score: 0

    "it also turns people away from using the Internet because they get too scared of what's going on there"

    Good. I still maintain (no troll, no joke) that the internet was better off without AOL connected to it. That was the beginning of the end AFAIC.

  98. So what? SP2 still rocks by diegocgteleline.es · · Score: 1

    I'm surprised. I mean, why wouldn't you expect that SP2 would have new vulnerabilities? Any system has flaws, SP2 is not less. It was a matter of time. What is *important* about the SP2 is what it does to *solve* the security issues. Automatic update. Firewall enabled by default (no worms for those system services which are always open). When a program tries to "listen" in a port, a window pops up to ask you what to do with it (this means you can't have a trojan with a remote shell in your system without noticing it - how many linux distros / BSD systems take this approach, eh?) Well I don't need to list all features. It was quite clear (at least for me, not for the slashdot crowd though) that SP2 was going to have vulnerabilities. What is important about the SP2 is that it solves them instead of leaving you a big hole.

  99. Let me get this straight by HangingChad · · Score: 3, Funny
    The post service pack exploits are coming out before the service pack? Day 0 exploits are one thing but this is like a day -14 exploit.

    Pretty soon we'll have Longhorn exploits coming out.

    --
    That's our life, the big wheel of shit. - The Fat Man, Blue Tango Salvage
    1. Re:Let me get this straight by Anonymous Coward · · Score: 0

      Very funny. Thank you :) :)

    2. Re:Let me get this straight by Anonymous Coward · · Score: 0

      Please to be shutting the fuck up.

      SP2 has been in beta for at least a few months if not more, and has been available for download from MS themselves for weeks now.

      We get the joke but it's not funny anymore.

    3. Re:Let me get this straight by Ahnteis · · Score: 1

      Read article. No exploit.

  100. Re:Currect track record by dave420 · · Score: 4, Insightful
    Whatever, buddy. Seriously. Think for yourself.

    Win95 - ground-breaking. Paved the way for the GUIs in use in every subsequent windows version, and lots of *nix guis
    Win98 - great for games (still is), supports the latest DirectX (still), has a very small footprint, boots fast and offers great hardware support
    WinME - disappointing for some, exceedingly usable for most others. Say what you will, lots of people loved it
    Win2000 - fantastic. Offered stability, great driver support, great networking, easy installs, perfect for the corporate environment (hence most places still using it)
    WinXP - incredible. We're talking excellent games/multimedia support, almost unlimited software catalogue, integrated auto-updating, visual themes, etc. etc. etc.
    XPSP2 - a great step in the right direction, executed very well. If you can find fault in it, you can find fault in anything
    2003 - One of the best server operating systems out there. Exceedingly fast, secure, stable, yet with great driver support, lots and lots of software, etc. Again, if you think it's bad there's something wrong.

    At least get your arguments straight. Just because you label something as "disappointing" doesn't instantly wipe out the popular history that it was anything but. I know you have your head in the clouds, but even that shouldn't stop you from recognising truly important software.

  101. sb have more info on the behave differently list by marcovje · · Score: 1


    I've several games and apps on this list:

    http://support.microsoft.com/default.aspx?kbid=884130

    However info about it is scarce. Apparently this list doesn't include the "open the firewall" programs, but does sb know what the problems are exactly? (UT, UT2003, Nero)

    Microsoft is a bit scarce in info.

  102. No problems here by LazyPhoenix · · Score: 1

    Just took the plunge and installed SP2 on my lin/win dual boot box last night and everything appears to be working just fine, and does seem to be "snappier" as some suggest. Fixed my WMP9/DivX video playback lock-up, too. I've got my family off the IE and Outlook teat, and onto Firefox/Thunderbird, but still can't quite get the Mrs. to give Linux a fair shot (when it's up and running on the box, she has figured out how to logout and reboot back into XP, though!) -- so as for me and my house, SP2 does seem to be an improvement speed and functionality wise over SP1. Even played nice right off the bat with ZoneAlarm suite. And if it can get more people to run a firewall, then, really, even for slashdot, how is this a bad thing?

  103. Re:Currect track record by funkydom · · Score: 1

    Win95 wasn't all that ground breaking if you'd been using Amiga Workbench for years before. Most of the stuff 95 did was already done, and 95 still didn't do some of it as well (e.g. pre-emptive multitasking).

    I didn't really take windows seriously until Win2K, which is simply incomparable with any of the 9X/Me versions.

  104. Oh? I can't run linux as root? by SmallFurryCreature · · Score: 1
    Check out Lindows. I dare you :P

    Under windows you don't have to run as admin.

    Under linux you can run everything as root. (actually a few programs detect it and refuse to run but that is beside the point.)

    About the only difference is that it is a whole lot easier under linux to work as a user and if and when you need root to simply open a terminal and become one. Please note that this may be out of date but I remember that in windows if you need admin privileges you need to logout and switch to the admin user. You can't open an admin session within your user session.

    But just as windows has a lot of programs that don't "work" when you are not the admin there are a few too many linux programs that like to have sudo. If a clueless person was told that cool new game needed sudo do you think that would stop him and ask, hmmm why?

    So apart from making it easier to run as a user and root only when needed and without having to close your current desktop (think about how important this is. I browse a website for some admin help. I find out how to do it, but learn that I need to become root/admin to do it. On linux I simply leave the browser open running as a user and open a terminal and become root then do the instructions from the webpage. On windows I gotta logout/switch losing me the webpage and then log in as admin. I then gotta reopen the webpage the BROWSER RUNNING AS ADMIN and then do the instructions. But NOW THE BROWSER IS RUNNING AS ADMIN.)

    But a clueless person can still screwup his linux install. Never underestimate stupidity.

    --

    MMO Quests are like orgasms:

    You may solo them, I prefer them in a group.

    1. Re:Oh? I can't run linux as root? by LurkerXXX · · Score: 4, Informative
      You are out of date. In 2000 and XP, as a normal user, if you want to run a program as admin (or any other user), just shift-right-click on the program, an option menu pops up with one of the choices being "run-as". You can type in the account you want the program to run under, and bam, you're done.

      Like most things with computers, it's a matter of user-education. (Including users of other OS's which bash it because they don't know how to properly run it)

    2. Re:Oh? I can't run linux as root? by _xeno_ · · Score: 2, Interesting
      Ever try doing that on a Windows machine?

      For a while, I had my primary account be a restricted user and was using Run As... to get administrator privileges for programs that needed that. After realizing that basically every single program I used required administrator rights, I gave up, and made my account an administrator account. (Most annoying was WinAmp - it turned out it required "Power User" privilege levels (or higher) to operate properly.)

      (To be fair, I primarily use Windows for playing games, and most games for some stupid reason require you to be an administrator, including several of Microsoft's games. I don't really understand why - you can use DirectX as a normal user, and it isn't for the network portion. But the developers programmed them to check if you're an administrator and not run if you're not.)

      The thing with Windows is that a ton of developers just assume that you'll be running as an administrator (probably because they're coming from writing for Windows 98 or the like), making it a real chore to be running Windows as anything but Administrator. Yeah, you can do it - but it rapidly becomes too much of a hassle to explain.

      (Besides, who else thinks that even if you did teach people to run as non-admin and only use the admin account when needed, you'll still have users downloading trojan-program.exe and running it as admin when it tells them they have to? Maybe Microsoft should make it so that IE always runs as an unprivileged account. :))

      --
      You are in a maze of twisty little relative jumps, all alike.
    3. Re:Oh? I can't run linux as root? by numbski · · Score: 1

      Except for one minor detail...

      You see, there's a whole load of software out there that will simply NOT function without admin privs.

      What would you do if most of the software on linux required you to edit /etc/group and add your uid to group 0? You'd think it was nuts and stupid, right?

      Well, a HUGE amount of windows software requires the user to have local admin privileges to run reliably. You just added yourself to group 0 to make your computer more user-friendly.

      I've seen companies where every user has to have local admin privs to do anything.

      Let's throw another iron in the fire.

      Windows Update requires local admin rights. Won't run without it.

      --

      Karma: Chameleon (mostly due to the fact that you come and go).

    4. Re:Oh? I can't run linux as root? by LurkerXXX · · Score: 1
      Uhhh, right. And that was why I explained how to run applications that need administrative rights while logged in as a regular user. That was the discussion. What's your point? Some applications under Linux or *BSD won't run without root privileges either.

      If the program says it requires root privileges to run and you think it shouldn't, bitch at the manufacturer to fix it to work with standard permissions. But windows DOES let you run those while logged in as a regular user. Just use 'runas' like you would use 'suser' in *nix. That was what the whole preceding discussion was about.

    5. Re:Oh? I can't run linux as root? by Anonymous Coward · · Score: 0

      Games I understand shouldn't have to run as root...
      Your word processor, okay...
      Internet Explorer, absolutely shouldn't have to...
      ...but Windows Update? As in, "We're going to be updating (writing to) your kernel and other important system files" Windows Update?

      That most definitely should require administrative permissions. I don't want a non-admin touching system files!

    6. Re:Oh? I can't run linux as root? by numbski · · Score: 1

      So what do you do in a corporate environment of hundreds of machines, all of which want a 'root' password to run windows update, and even automatic update requires manual authentication before updating?

      --

      Karma: Chameleon (mostly due to the fact that you come and go).

    7. Re:Oh? I can't run linux as root? by bedroll · · Score: 1
      SUS Server is the answer to that.

      Of course, that still doesn't change the fact that they never should have integrated windows update into IE. They'll also probably never learn from their mistakes and make it a separate product, either.

  105. Re:Don't confuse SP2 RTM and Final (Gold) Versions by David_W · · Score: 1

    Alright, now if I understood previous statements, the RTM version that's out now gets sent to OEMs like Dell and such. Now, if your statement is correct, wouldn't that mean people who buy a new Dell would have something like-but-not-quite SP2, whereas someone who waits for the gold version will have the "real" SP2? (Yes, I know those terms are kinda loose, but the entire notion, if correct, is boggling. It's one thing to have beta/release candidates, but once you release something, whether you call it RTM, gold, whatever, it has to be frozen, otherwise you can't be sure what you've got.)

  106. Pay Money for Crap? by PhYrE2k2 · · Score: 1

    Here's what people tend to overlook- if you get the same quality software for free, why are people paying $200-$350 for WindowsXP? The saying 'you get what you pay for' doesn't appear to hold true in software.

    When I make software for other companies as a part of my line of work, every check possible is done to ensure that the software is as secure as possible. There are tens of thousands of dollars on the line, and customers demand quality coding and care taken to ensure that their data is safe.

    With open source, there is no incentive- nobody to answer to when you screw up. Many projects seem to stem out of the 'I made a utility for my own purposes that...' and grows from there.

    Now back millions of copies of XP with hundreds of dollars a piece. People are paying you for a reason- to take care of security and usability and hardware support for them! Can't even do that right.

    So I'm going to pay you to build me a kitchen, but you can't seem to put my shelves in straight... yes it works as a shelf- just as long as nothing rolls. You should be coming back to fix my shelf post-haste, as it never should be like that in the first place.

    --

    when you see the word 'Linux', drink!
    1. Re:Pay Money for Crap? by Lehk228 · · Score: 1

      except microsoft kitchen has doors for burglars to get in when you are asleep

      --
      Snowden and Manning are heroes.
  107. It is not bashing to discuss real problems. by Futurepower(R) · · Score: 0, Flamebait


    Read Microsoft: A matter of trust from the same author mentioned in the Slashdot story. He reported a bug, and Microsoft told him it was a feature.

    1. Re:It is not bashing to discuss real problems. by MonTemplar · · Score: 1

      If you're going to discuss real problems, please do. But the vague, generalised statement you made earlier is not going to advance the conversation very far.

      -MT.

      --
      -MT.
  108. Remember folks by ShadowRage · · Score: 1

    Linux is buggier than windows! it never gets patched! Microsoft says so, so it must be true!

    Seriously, though, this just shows microsoft doesn't do thorough testing, or any testing at all, they don't try to use hacker tactics to break a system, they need to hire a few good crackers and hackers to blast a system they patch to see what happens before releasing it.

    The only time this happened with linux was a while back and it happened (the whole 2.4.20 - 2.4.26 release thing because the same bug kept showing up) I haven't seen it since.. though the linux devel team is beginning to become like M$, merging development crap with the stable kernel producing unknown results, like how microsoft releases buggy quickfixes to their system with obvious little testing or regard for the user's system.

    ok bad analogy but you get my point.

    1. Re:Remember folks by bcs_metacon.ca · · Score: 1

      It's not that they don't do enough testing... it's that they can't. Proprietary software, with limited beta releases (even public betas) can never be tested as thoroughly as OSS.

      --

      How appropriate. You fight like a cow.
  109. Security Flaws? by brufleth · · Score: 0

    I'm sure some real security holes will turn up but the two flaws mentioned in the post are pretty lame. One requires that a user save an attachment, open a command prompt window and drag and drop the file into said window. I help people with their computers over the phone all the time and they have trouble opening a command prompt (run>cmd) and probably wouldn't accept that as a reasonable thing to do with a file they've been emailed. Maybe I'm giving too much or too little credit to most users but the second "flaw" doesn't even have a valid attack vector according to the article. These sound to me like ways someone might screw up a computer if they TRY but they certainly don't seem like OS problems since both would require the user to do some pretty dumb things.

  110. First Bug... They never tested it with win2k ? by damas · · Score: 1

    Steps to reproduce:
    1.Install SP2 on a windows xp machine, part of an AD domain.
    2.Access and modify some group policy objects ... so that the *.adm files get updated - e.g. ENABLE domain-wide apply to all network connections in Network Connections / Windows Firewall, on the patched machine, as
    3.Try to do the same on the domain controller, a Win2k machine...
    4.Watch mmc truncating about 500.000 help strings, cause this version of mmc (win2k- sp4) only takes 256 characters in a help string.
    Press OK about 500.000 times.
    5.Give Up. CTRL + ALT + DEL. End TASK NOW. Go Home.

    1. Re:First Bug... They never tested it with win2k ? by Senzei · · Score: 2, Interesting
      So you're saying you can make use of all the new features of a brand new linux desktop on a linux server that is four years out of date? Sure win2k server has been patched, but my point is that you are trying to use a win2k3 domain feature in a win2k domain. Of course you'll have problems.

      Funny thing is if this was brought up in a comparable linux situation the solution would be "Go download kernel version xxx and install it." Yet somehow upgrading to win2k3 is not seen as the same solution to the problem. Yes it costs you money to do the windows upgrade, probably lots of money, but that's the cost of doing business with microsoft.

      --
      Slashdot: Where anecdotes and generalizations can be freely substituted for facts, logic, or intelligence
    2. Re:First Bug... They never tested it with win2k ? by damas · · Score: 1

      GPO is a 2k feature. What "feature" are you talking about? Using more than 256 characters in a help string?

      "That's not a 2000 bug, it's a 2003 feature" line?

  111. Missed the point by Skiron · · Score: 1

    As usual, missed the point.

    Linux kernel coders don't have to worry if the user is going to play downloaded p2p muzic - or watch a hooky dvd - or even care if they play it on whatever player - all they worry about is coding a solid kernel with all working.
    Now look at M$ coders, and 50% of their objective is the CONTROL of the users so that he can't play DRM'ed music or can't use a DVD player or use this bit of software or don't use it due to this * etc. etc.

    Because Linux is 'free' (as in the user is allowed to use the thing for whatever purpose he/she sees fit), the actual coders only have to concentrate on making it work _all correctly_...

    1. Re:Missed the point by dave420 · · Score: 1
      And 100% of open source's developers are pursuing their own agendas through their software. That's a huge issue. Without someone standing behind them dictating software direction (and PAYING them to follow), OSS projects drift. They fracture. It's just human nature.

      Saying 50% of their objective is to block users from bypassing DRM is just plain silly. Can you cite where you got that figure from (your ass is not a good source ;)).

      The Linux coders have to work on creating something that appeals to the mass-market, not just themselves. As it is, Linux is an OS predominantly for developers. Sure, anyone can use it, but it's geared towards developers. I'd say that's a huge problem.

  112. Difference between CLIs in OSes by SilentChris · · Score: 2

    I think some UNIX vets are confusing the Windows implementation of the command line and UNIX's. In UNIX they're pretty much identical in terms of functionality. In Windows that's not the case.

    Example: yesterday I tried to FTP from a Windows 2003 server to another box. For the sake of speed, I tried using IE as my FTP client. Windows 2003 locked down the box by default, so that client wouldn't work without tweaking IE settings. However, I tried the Windows FTP command line app and it worked fine.

    The "safeguard" described in the article really isn't meant to be a safeguard at all. It doesn't follow any of the low-level security features that the system provides (like permissions). It's just a quick tag for Joe User to remember that a file was downloaded and not placed by them.

  113. So Far by KarmaOverDogma · · Score: 1

    So far.

    But I agree with the premise behind your point.

    .

    --
    uR iGn0ranc3, Their Power
  114. The runas command by EXrider · · Score: 2, Informative

    Actually there is something kind of like sudo that's been in windows since 2000 called runas. It doesn't always work as expected, but for the most part it is useful. Open a command line and type runas /? to see how it works. I just wish it was more consistent across the system. Sometimes you can right-click on an executable or shortcut and you get the runas context menu item, then sometimes you don't! In those cases you have to execute it from the command line. I've actually even seen some installers prompt you for login info if you're trying to install it under a normal user account.

    I use it to control services that like to crap out all the time on users' machines, like the print spooler service; said user has their printer shared, and like 50 different applications open, and of course they've gone on break without saving anything, and everyone's too lazy to use the printer in the print room, so I right-click on the services icon in the control panel and login as myself to run the services control panel under the user's account (whew! longest sentence evar!).

    Sometimes I launch iexplore.exe using runas to do various tasks like changing file permissions and stuff. Just don't try to launch explorer.exe using runas!

    --
    grep -iw skynet /etc/services
    1. Re:The runas command by NaDrew · · Score: 1
      I just wish it was more consistent across the system. Sometimes you can right-click on an executable or shortcut and you get the runas context menu item, then sometimes you don't! In those cases you have to execute it from the command line.
      If a right-click doesn't display "Run As...", try shift-right-click. This works for some Start Menu and Desktop shortcuts. Also, have a look at SANUR, which lets you script RunAs by piping the password in automatically.
      --
      Vista:XPSP2::ME:98SE
  115. confusing... by sauvaget · · Score: 1

    I don't get it. The guys at microsoft want at least 99 euros for the XP Home Edition. Obviously this is for HOME users, without a company administrator to look after them. Nevertheless XP's handbook consists of a short quickstart manual on how to install the os. Shouldn't microsoft *admit* that they know that the internet can be dangerous for inexperienced users and offer a short guide on what to look out for and how to configure XP to be as safe as it gets?

    1. Re:confusing... by Anonymous Coward · · Score: 1, Insightful

      People won't read it, they'll just throw it out. Don't think I'm exaggerating. People don't read instructions for anything.

  116. Re:In general, Microsoft seems sloppy. by mdielmann · · Score: 1

    Well, like the Good Book says, it's all been done before. What it doesn't say is, MS makes it easy.

    --
    Sure I'm paranoid, but am I paranoid enough?
  117. That's what he said. by LordPixie · · Score: 1

    Why didn't you get a '-1 redundant' mod ?


    --LordPixie

  118. I have respect for ... by kabdib · · Score: 5, Insightful

    I have respect for folks who can find buffer-overruns, heap-mangling attacks and so forth. These people are smart, hard-working and diligent. They give evil a good name.

    I have nothing but contempt for someone with an axe to grind whose only response is the "exploit" in the linked article. It's pretty lame. Come back when you've written enough of your own code to present an attack surface. :-/

    Grow up. Sheesh.

    --
    Any sufficiently advanced technology is insufficiently documented.
    1. Re:I have respect for ... by PitaBred · · Score: 1

      Just because I haven't written an exploitable product doesn't mean that the flaws don't exist, nor that I am unable to succumb/exploit them.
      This is stuff that people need to know about, one way or another.

  119. Re:Currect track record by dave420 · · Score: 1
    Amiga Workbench?? Are you serious? :)

    Sure, it was a good OS, but it wasn't anything special. It definitely didn't step on 9X's toes :)

  120. Multi-part exploits by Beryllium+Sphere(tm) · · Score: 1

    >Yes, you can do something convoluted to get something to misbehave (save the file, open up a command prompt, run the file) etc, but seriously, if a normal user does this, then they are beyond help that we can expect an OS to provide.

    You're right, of course, but it's still useful to know the limits of a security feature, and I can imagine a situation where Juergen's discovery would make a practical difference.

    Imagine another vulnerability getting discovered that allows an attacker to make a user think that an executable is a JPEG. Then SP2 would protect against the social-engineering attack of "Save this picture of Anna Kournikova and double-click!".

    What Juergen discovered is that this protection may not be there when you need it, e.g. if the social engineer says "Copy this picture of Anna Kournikova over your current 'wallpaper' file and double-click!".

    Bad guys today are using chains of vulnerabilities to bridge our moats. The attacks are called "blended" but a chain is a better metaphor. Juergen found a way to add one link to a chain of exploits.

    >if a normal user does this, then they are beyond help that we can expect an OS to provide.

    Ridiculing Microsoft over this would certainly be inappropriate. But it's worth knowing that the warning on downloaded executables is bypassable.

    We can only expect an OS to help if we abandon Discretionary Access Control.

  121. If you are a programmer, the problems are obvious. by Futurepower(R) · · Score: 1


    The problems are obvious if you are a programmer. If you are a programmer, the problems are so obvious that you may fail to mention them. Microsoft has known for years that their Command Line Interface has not been updated to the standards of the OS. Yet they continue to put out tools that ignore the new standards, as they did in the case discussed in this Slashdot story.

    The Win XP Command Line Interface is not fully integrated. The lack of integration of the CLI is extremely serious. In some cases, there are commands that take you inside 16 bit code, where the OS loses control. There are many, many bugs. For example NET USE LPT1: [printer share name] does not work for users with limited rights. Not only does it not work, it fails in several ways that show that there are multiple problems. This was reported months ago, but it has not been fixed.

    See my comment in another story for more about this: Many command line tools are not fully integrated.

    Microsoft knew there was a problem, but did nothing. There is another extremely serious problem here. Microsoft programmers knew that the information is cached (See the story.), and that the method of caching introduces a bug, yet they did nothing about it. (If you are a programmer, it would be impossible not to notice.) That is something I've seen many, many times: Microsoft accepts code that everyone can see is not finished.

    My original comment, In general, Microsoft seems sloppy is correct, and should not have been modded down. It is definitely not "Off Topic", as it is moderated now.

    When was the last time you went to an important meeting and said nothing? This is an example of problems with Slashdot moderation. When was the last time you went to a meeting or a party, and said nothing? Generally, if there is a discussion that is important to you, you will want to contribute. This Slashdot story is of interest only to people who understand Windows XP and security risks. But moderators cannot moderate stories of interest to them. They must moderate stories in which they have so little interest that they have nothing to say. That's how my great-grandparent comment could be modded down as "Off Topic", and the "Microsoft bashing" reply is +5 Funny.

    Another problem with Slashdot moderation is that by covering issues about games that are of interest only to players and spectators, and not programmers, Slashdot attracts people who have no real interest in computing. Look at the beginning comments of most Slashdot stories. Many of the comments are from people who have no interest in the story, but are trying to be funny. Humor is wonderful, but not at the expense of the quality of the discussion.

  122. What REALLY happened with Windows... by Spy+der+Mann · · Score: 2, Funny

    Actually, what REALLY happened was:

    Evil Hackers: Hmmm take a look at this. MUAHAHAHAHAHAH!
    All the world's hobbits, ignorant of their approaching doom (singing): *La la la la la!*
    Whitehat guys: Hey, there's a security vulnerability here!
    Microsoft: *whistling* what? I didn't hear you!
    Whitehat guys: I TOLD YOU THERE'S A VULNERABILITY!
    Microsoft: It's not a vulnerability. You're exaggerating.
    White hat guys (screaming): HEY EVERYONE! THERE'S A VULNERABILITY IN WINDOWS!!!
    The Media: We've heard some rumors of some vulnerability in Windows...
    Microsoft: It's just rumours. Anyway, it's those linux cheapskates, would you believe them?
    Evil Hackers: MUAHAHAHAHAHAH!!!!

    (couple of months later...)

    All the world: My computer's been infected!
    Evil Hackers: MUAHAHAHAHAHAH!!!!!!
    Microsoft: OK, OK, so there WAS a vulnerability! But now's been fixed!!
    All the world: Yay!! Hooray for Bill Gates! (they put him in a pedestal, and proclaim him savior of the universe)

    (Two weeks later...)

    Evil Hackers: Hmmm take a look at this. MUAHAHAHAHAHAH!
    Whitehat guys: Hey, there's a security vulnerability here!
    Microsoft: *whistling* what? I didn't hear you!

    Billy Joel (singing): *We didn't start the fire...*

  123. And Slashdot's obsessive smear campaign continues by rd_syringe · · Score: 1

    This is what, the fourth SP2 article in two days? Look, we get it already, OSDN wants you to disregard SP2. Every single other place on the web, feedback has been extremely positive. If you come to Slashdot, it's almost entirely negative. This place is like a bizarro-Fox News of the tech sector.

  124. Re:Currect track record by cbiltcliffe · · Score: 1
    I really enjoy the fact hardware is finally really plug n play. No stuffing around finding the drivers. I slapped it on an old Pentium 500 recently and it detected everything, breathing new life into the box.

    And if you slapped Windows Me on an old P-166, it would detect everything, too.
    It's got nothing to do with Windows XP's plug n play at all. You ever tried swapping out a motherboard with a different model on an XP system? Frequently, if not most of the time, it craps out, and won't even boot properly. You'll need to do a system repair with the CD to get it to work.
    Windows 9x actually handled this situation a lot better than 2K/XP does.
    And incidentally, Linux (but Linux isn't plug n play....hack around...text configuration files....modprobe drivers....cryptic....CLI...difficult) seems to handle it the best of anything I've ever tried.
    --
    "City hall" in German is "Rathaus" Kinda explains a few things......
  125. Software has bugs. Deal with it. by drdink · · Score: 4, Insightful

    It never ceases to amuse me to see the continual bashing of Microsoft on Slashdot. Yes, Microsoft has some major security issues to work out. However, they are making a fairly good faith effort to do this now. Service Pack 2 was a decent attempt. Yes, there were bugs introduced by Service Pack 2. But even Linux has bugs every once in a while after a new release.
    If you really must discredit Microsoft, at least do it on fair ground and acknowledge that the operating system(s) you hold dear also have some bugs. And please, do not call them Micro$oft, M$ and other lame variants. It is Microsoft Windows, not Micro$haft Windblowz. If you can't even have the common decency to refer to something by the proper name, then nobody worth listening to is ever going to take you seriously.
    If you want your community to be seen in a decent light, then you must behave decently.

    --
    Beware, Nugget is watching... See?
    1. Re:Software has bugs. Deal with it. by louden+obscure · · Score: 1

      bite me. i have free beer. ooh, i have free speech as well. i can't just run "linux," i need the contribution of the GNU people, XF86, debian (my distro choice) and countless others. i don't have to buy anti-virus software. i'm ahead of the game cuz i can read. go cry somewhere else. uh, for me to spend money onna OS, it had better be bug free or else no thanks. and yes, i have an m$ xbox but it's dual bootable cuz i can. do you see my middle finger sticking upright? do you understand why? i don't think so...

      --
      Serenity now, insanity later.
    2. Re:Software has bugs. Deal with it. by Anonymous Coward · · Score: 0

      so 1337 it hurts. lol. can you see me ignoring your fanboy antics?

  126. Before you disagree, read this: by Futurepower(R) · · Score: 1


    More about the Windows XP printer redirection command NET USE. There are many people who have intense ego involvement in seeing themselves as people who understand Windows software, but who have little real interest in computing.

    After re-reading my comment above, I realize, from past experience, that it is likely that there will be extremely strong replies that give the impression that the writer knows a lot, but which are completely uninformed.

    By design, the NET USE LPTx [printer share name] printer redirection command works only for users with administrator rights. This is fine. There are three ways that a command can be executed with administrator rights for the context of a user with limited rights. All of them fail. The failures are not clean; the failures are such that they indicate that there is a mess.

  127. Re:If you are a programmer, the problems are obvio by MonTemplar · · Score: 1

    OK, now we've got something to discuss.

    The problems are obvious if you are a programmer. If you are a programmer, the problems are so obvious that you may fail to mention them. Microsoft has known for years that their Command Line Interface has not been updated to the standards of the OS. Yet they continue to put out tools that ignore the new standards, as they did in the case discussed in this Slashdot story.

    The Win XP Command Line Interface is not fully integrated. The lack of integration of the CLI is extremely serious. In some cases, there are commands that take you inside 16 bit code, where the OS loses control. There are many, many bugs. For example NET USE LPT1: [printer share name] does not work for users with limited rights. Not only does it not work, it fails in several ways that show that there are multiple problems. This was reported months ago, but it has not been fixed.


    I think that the problems stem from the command line, and the DOS heritage that it represents, being shoved behind the scenes where most users will not see it, as well as being sealed inside its own little virtual machine for the most part. Slowly but surely, as Windows 9x gave way to 2000/XP, and in turn to 2003 Server, the gap between the command line environment and the rest of the Windows subsystems has gotten wider and wider, either because nobody thought to try and reintegrate the two, or because they assumed nobody other than a few power-users and admins bothered with the command line anymore.

    To be honest, a complete overhaul is required - a lot of the old DOS utilities are redundant at best, downright dangerous if misused.

    Microsoft knew there was a problem, but did nothing. There is another extremely serious problem here. Microsoft programmers knew that the information is cached (See the story.), and that the method of caching introduces a bug, yet they did nothing about it. (If you are a programmer, it would be impossible not to notice.) That is something I've seen many, many times: Microsoft accepts code that everyone can see is not finished.

    *shrug* So no change there, then, in spite of all the talk about improving security and fixing bugs in Microsoft code over the last few years. No disagreement with you there.

    When was the last time you went to an important meeting and said nothing? This is an example of problems with Slashdot moderation. When was the last time you went to a meeting or a party, and said nothing? Generally, if there is a discussion that is important to you, you will want to contribute. This Slashdot story is of interest only to people who understand Windows XP and security risks. But moderators cannot moderate stories of interest to them. They must moderate stories in which they have so little interest that they have nothing to say. That's how my great-grandparent comment could be modded down as "Off Topic", and the "Microsoft bashing" reply is +5 Funny.

    Sadly, a majority of Slashdot users (and moderators) understand neither Windows XP nor security. :(

    Another problem with Slashdot moderation is that by covering issues about games that are of interest only to players and spectators, and not programmers, Slashdot attracts people who have no real interest in computing. Look at the beginning comments of most Slashdot stories. Many of the comments are from people who have no interest in the story, but are trying to be funny. Humor is wonderful, but not at the expense of the quality of the discussion.

    And the trolls, mustn't forget the trolls - another fine Slashdot tradition... :)

    Sorry if I appear to be rushing this, it's nearly time for me to pack up and go home. Talk to ya again some time.

    -MT.

    --
    -MT.
  128. In related news... by mythosaz · · Score: 1

    Asking the user to delete folders still causes them to be deleted. What sort of exploit is this, anyway?

  129. Re:Currect track record by funkydom · · Score: 1

    Win9X borrowed a lot from Workbench. I was just pointing out that it's hardly groundbreaking when what it did had been done before.

    It only seemed "groundbreaking" because Win3.X was so hilariously crap ;)

  130. Re:Currect track record by TrancePhreak · · Score: 1

    Heh.... Where I come from Amiga was never available. It seems to me that the Amiga failed because it wasn't very widespread, something that Windows had over Apple.

    --

    -]Phreak Out[-
  131. Re:Currect track record by Anonymous Coward · · Score: 1, Insightful

    Yes all 5 amiga users were very happy.

    For a i386 PC, Windows 95 was groundbreaking. Kludgy, yeah, but miles ahead in interface, stability, and multitasking from Windows 3.x.

    Please limit your comparisons to OS's released within 2 years of Win95, and having a market share at least one tenth of Windows (see I give the MacOS, which is great, but was kinda languishing at that time)

  132. Re:Currect track record by runderwo · · Score: 1
    And incidentally, Linux (but Linux isn't plug n play....hack around...text configuration files....modprobe drivers....cryptic....CLI...difficult)
    Try discover+hotplug. Works fine for me. Only things it doesn't pick up are ISA cards without PNP. Unfortunately there's no "add new hardware" detection wizard for Linux, but that's okay because this hardware is increasingly hard to find these days.

  133. 2.6 not stable? Uh... by Anonymous Coward · · Score: 0

    Funny, kernel.org has looked something like this for months now:

    The latest stable version of the Linux kernel is: 2.6.8.1

    1. Re:2.6 not stable? Uh... by mcbevin · · Score: 1

      So this slashdot article - http://developers.slashdot.org/article.pl?sid=04/07/22/0138244&tid=106 - is just wrong then?

  134. Re:If you are a programmer, the problems are obvio by coronaride · · Score: 1

    ok, you challenged for a conversation, so here it is. i'll start off by telling you that while i do develop software, i'm not an expert and you probably know more than me. however, upon reading the article i think that the author blew the issue (not about adodb stream) way out of proportion and i can absolutely see why that would not be a high priority fix. if it was transversed and Explorer was allowing unsecure applications to run as secure because at some point in time the same name/signature was cached for a secure program, then yes, they should fix that, but that's not what the article said. now, granted that i really don't know a whole lot about the specifics of Explorer's operation, i'm completely willing to concede that this is an a=b therefore b=a situation, but the article did not mention that. the focus was on secure programs running as unsecure due to caching. does this make any sense? probably not, but oh well..i'm still learning.

    --
    Those who can, do. Those who can't, go into business for themselves.
  135. And remember... by Snaller · · Score: 1

    ...the main reason to install SP2 is because you have too much harddrive space, and wish to use some of it. Not because you'll get something you couldn't get in a tenth of the space.

    --
    If Google really cared they would fix Android Chrome to reflow text, instead of discriminating
  136. Let's Share The Blame by rebel47 · · Score: 1

    All this discussion about the failings, past & present, of Microsoft are relevant but fail to miss one big issue...the users. You can lock down a system as much as you like and make it harder to get into than Fort Knox but if there is a way, any way, for clueless users to screw things up they will find it. Writing secure code, issuing patches and updates etc will help alleviate the problem but until we can educate users to take security seriously we will still have problems. Despite all the reports about viruses, malware, trojans and other nasties there are still too many users running insecure systems. The best we can hope for is that closing the security holes as they become known is that it will stop these infected machines from infecting other systems. Sure, developers have a duty to write secure code and not leave holes that can be exploited but they cannot program for every act of user stupidity. Just when you think you have an 'idiot proof' OS or application a bigger idiot comes along and proves you wrong.

    --
    One day I woke up and saw all my rights had disappeared, that's the day I knew the terrorists had won.
  137. HAHAHAHAHA by KJKHyperion · · Score: 1
    The command shell cmd.exe ignores the ZoneID of files

    In other news, the ability to execute programs leaves you open to malware. The hole is in the article author's head

    --

    Make a difference - use Windows! (open source clone of Windows NT)

  138. AND YOU ARE A COMPLETE AND TOTAL IDIOT by Anonymous Coward · · Score: 0
  139. Re: feed the fire... by pacman+on+prozac · · Score: 1

    Sendmail isn't installed on >90% of the world's desktops.

    Sendmail isn't advertised and sold as a secure and straightforward system for home users.

    Sendmail bugs are hardly news for anyone, particularly not nerds.

    I'd call this news, SP2 is being hailed by Microsoft for its security features so it seems fair to report any issues with it.

  140. Re: feed the fire... by pacman+on+prozac · · Score: 1

    Actually sorry, I'd misread it as being something other than a lame social engineering hack. On second readings I agree it's hardly news.

  141. Re:Currect track record by CrossChris · · Score: 0, Troll

    Win 95 - nearly achieved the same level of usability that Apple did five years earlier.

    Win 98 - OS starting to grow - makes greater demands on hardware, requiring upgrades.

    Win 98SE - nearly right - fixed many of the flaws in the original, and at least they had the guts to admit the first edition was a disaster.

    Win ME - best forgotten - too many flaws to list, obviously rushed to market.

    Win 2000 - NT4 with knobs on. Pretty OKish, but too insecure for serious use, and had many driver issues.

    Win XP - nearly works out of the box. Too many security flaws to list, and inherently unstable. Might be OK for the casual home user, but the business user needs something more reliable.

    XPSP2 - broke both my standard XP Pro installs to the point of no return. Now deleted!

    Server 2003 - don't go there. The subject of much litigation from disgruntled MS clients. Insecure, unstable, overpriced, not scalable.

    THERE HAS TO BE A BETTER WAY......

  142. The linux equivalent would be: by Anonymous Coward · · Score: 0

    One of these SP2 "flaws" involves sending the user an email with instructions on running an attachment from cmd.exe. Well, if we follow the logic to its end, no OS can ever be secure. All you have to do is send the user instructions on disabling their OS's security features and wham! The OS is compromised. These "flaws" are a joke.

    The linux equivalent would be sending an email and suggesting the user login as root and run the attached script. Uh oh, Linux is just as insecure as windows!!! Panic!!

    Give me a break. According to this article, I'd say linux users are much more vulnerable because it'd be much easier to convince a Linux newbie to run arbitrary_command and do whatever you'd like to their system.

  143. Re:Currect track record by Anonymous Coward · · Score: 0

    Get out of your cabin more often.

  144. SP2 Release Date by Anonymous Coward · · Score: 0

    It's getting released on Wednesday 25th August.

  145. Who cares.... by Anonymous Coward · · Score: 0

    stuff breaks, it's going to happen. if it was perfect what would you do?

  146. Bad feelings... by Fantasio · · Score: 1

    With the flaws presented on www.heise.de, I'm discovering that Microsoft has based one of its security features on the (so far) little-known ADS, implemented in NTFS but never used before. To me this looks like a very bad kludge. The ADS allow the association of data to files, it's invisible only to the average user, but it's not a secure feature! (probably a reason why it has not been used for DRM). I don't think it won't be long before malware writers will not only irremediably defeat the security feature, but even use it for hiding stuff on their victim's PCs.
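
The origin mark that comments 137 and 146 discuss (the ZoneID kept in an NTFS alternate data stream named Zone.Identifier) is a small INI-style text stream. The following is an added example, not code from the thread, Heise or Microsoft: it parses that stream and reports the recorded zone. The function names and sample file names are assumptions made for illustration, and the sample streams are constructed; treating a malformed stream as "no mark" is this example's choice.

```python
"""Parse the Zone.Identifier alternate data stream (added example)."""

# URL security zones as numbered by Windows.
ZONES = {
    0: "Local Machine",
    1: "Local Intranet",
    2: "Trusted Sites",
    3: "Internet",
    4: "Restricted Sites",
}


def parse_zone_identifier(text):
    """Return the ZoneId (int) stored in a Zone.Identifier stream, or None.

    The stream looks like:
        [ZoneTransfer]
        ZoneId=3
    None means no usable mark was found (absent, wrong section, bad value).
    """
    if text is None:
        return None
    section = None
    for raw in text.lstrip("\ufeff").splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "zonetransfer" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        if key.strip().lower() == "zoneid":
            try:
                zone = int(value.strip())
            except ValueError:
                return None
            return zone if zone in ZONES else None
    return None


def read_zone_stream(path):
    """Read <path>:Zone.Identifier on NTFS; None if the stream is absent."""
    try:
        with open(path + ":Zone.Identifier", "r",
                  encoding="utf-8", errors="replace") as fh:
            return fh.read()
    except OSError:
        return None


def origin_report(name, stream_text):
    """Summarise what the mark says about where a file came from."""
    zone = parse_zone_identifier(stream_text)
    return {
        "file": name,
        "zone": zone,
        "zone_name": ZONES.get(zone, "no mark"),
        # Internet and Restricted Sites are the zones flagged as untrusted.
        "untrusted_origin": zone is not None and zone >= 3,
    }


# Constructed sample streams, not taken from a real system.
SAMPLES = {
    "setup.exe": "[ZoneTransfer]\r\nZoneId=3\r\n",
    "report.doc": "\ufeff[ZoneTransfer]\nzoneid = 1\n",
    "no_stream.exe": None,  # e.g. the file passed through a non-NTFS volume
    "bad_value.exe": "[ZoneTransfer]\nZoneId=banana\n",
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(origin_report(name, text))
```

A file whose stream is absent reports "no mark", which is why an origin check that depends on this stream has to be paired with other controls when auditing downloaded files.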

  147. Re:Don't confuse SP2 RTM and Final (Gold) Versions by Drestin · · Score: 1

    You could not be more completely wrong. The RTM (release to manufacture) code IS the fine "Gold" code. That's it. Period. One SP2.

  148. RE:Lindows by Anonymous Coward · · Score: 0

    To update a poster.

    I read a few posts about permissions and how the distro lindows runs everything as root. That is incorrect since that never was the case. The earlier versions of lindows allowed you to create an end user for your machines. It just has become more noticeable during the install process.

    I've never seen nor been on nor seen any user run EVERYTHING as root.

    and yes Linux is secure compared to windows by default.

    Stupidity or not. You can't always use

    its the endusersbadhardwaresoftwares fault. Especially when its M$ that keeps making the same mistake over and over again.

    But if you want to talk about stupidity, all you have to do is look upon the many that still believe that M$ is still doing a 'good job' with the amount of evidence against them.

  149. Re:Don't confuse SP2 RTM and Final (Gold) Versions by kc_cyrus · · Score: 1
    My Friend, RTM is RTM and GOLD is with "RTM" removed from the About Windows in start/run winver.

    The same procedure happened to WinXP SP1.

    People like you give other people the wrong idea, no disrespect but that's the way it is.

  150. Re:And Slashdot's obsessive smear campaign continu by MonTemplar · · Score: 1

    No, you got it wrong - you're supposed to install SP2 and bash Microsoft for producing insecure, buggy software. :)

    Look on the bright side, at least on Slashdot you don't have to actually see the editors. From what I've heard, this may well be a good thing... :D

    -MT.

    --
    -MT.
  151. Re:Don't confuse SP2 RTM and Final (Gold) Versions by kc_cyrus · · Score: 1
    Yes, despite your great unbelief, This IS the procedure, that is why MS encourage end-users to turn Automatic Updates Service and Background Intelligent Transfer Service on by default so they receive the latest update as fast as possible.

    RTM version is offered to OEMs so they can start the production line. By the time the real pc is on the desktop of end-user, There are other minor additions in designated SP.

    Which will be updated as soon as end-user connects his pc to internet by Automatic Updates Service which will notify Windows Updates V5 Website of RTM label, then Windows Update Website V5 will adjust the updates level to comply with RTM Standards and finally will remove RTM version from winver and this means PC is upgraded to Full SP and from then on will be treated by Windows Update Website V5 accordingly.

  152. Re:Currect track record by Anonymous Coward · · Score: 0

    #1) Commodore had a huge market share back in the day. The largest market share at the time.

    #2) The Amiga OS is still being developed: http://os.amiga.com/

    #3) It took years for the competition to catch up with the Amiga. The last Commodore Amiga release was October 1993. Amiga is now owned by someone else, but they are still around. It was a kick butt system.

    XP is better than the Amiga, imo. But my next system will be a Mac. I will keep my W2k station, but I am tired of playing the patch/firewall/hardware firewall/antivirus/patch/spybot/adaware/patch game.

  153. Re:Don't confuse SP2 RTM and Final (Gold) Versions by Drestin · · Score: 1

    Despite your great enthusiasm, this is just plain wrong. SP2 has been released and its code is final. It is NOT still being worked on or tweaked. The version on MSDN and RTM and RTW and sent to premiere customers and automatic update is identical. If you install a MSDN version and go to Windows Update it will NOT attempt to update you again, nor will automatic updates.

  154. Re:Don't confuse SP2 RTM and Final (Gold) Versions by Drestin · · Score: 1

    I'm sorry but you are wrong. SP2 is done. The code is final. They are working on SP1 for 2003. You are discussing release times.

  155. Re:Currect track record by cbiltcliffe · · Score: 1

    I know all about it. The bracketed objection list was the random rants you hear from anti-Linux FUDsters about why you shouldn't run Linux. It was not my opinion.....

    --
    "City hall" in German is "Rathaus" Kinda explains a few things......
  156. Re:Don't confuse SP2 RTM and Final (Gold) Versions by kc_cyrus · · Score: 1
    SP2 has been released and its code is final. It is NOT still being worked on or tweaked.

    SP2 WILL be final when u can order a WinXP SP2 CD. Before that, there are builds and builds.

  157. Re:Don't confuse SP2 RTM and Final (Gold) Versions by kc_cyrus · · Score: 1

    SP2 IS Final When you can order a SP2 CD. Before that there will be other builds to come.

  158. On User vs. Administrator for the clueless. by danielsfca2 · · Score: 1

    When I set up my grandma's PC (running WinXP), I set her as a User and set up an Administrator called "Installing Software" for occasions when I would have to let her have admin. "Installing Software," designed after a great idea I saw on here, has a bright red background (locked with policies), reading "WARNING! WARNING! WARNING! Only use this account for installing software! Click Start, then "LOG OFF" NOW!" All the UI elements are white/red, or yellow/black, and about one size bigger than would be comfortable. Every system sound event is mapped to the "Critical Battery Alert" sound (which sounds like a computer's version of "OMG") so that every menu click, opening or closing program, etc. triggers the noise. iexplore.exe is also chmod 000--even if she could stand using that account any longer than necessary, no iexplore! (Firefox is her default browser, but I've got all the bases covered anyway).

    Oh, and the Video Poker game I got her at Kmart (which has a Linux version on the same CD, so you'd think the developers would have a clue) crashes on opening if you're not an administrator. I worked around that using runas.exe.