Slashdot Mirror


Latest SP2 News

Xformer writes "It seems that SP2 for Windows XP isn't as secure as Microsoft touts it to be. Heise Security has uncovered two flaws in SP2's bolstered security measures, both of which may be used to get around the new trusted/untrusted executable origin checks. Of course, who would be surprised by this?" Reader EtherNetFreak writes "Well it appears that at least one hotfix is already available to fix yet another bug in Windows XP, post SP2 application." Reader Finalnight writes "'Microsoft Corp. yesterday delayed yet again its oft-delayed Windows XP Service Pack 2, this time postponing the patch's distribution through the company's Automatic Update service.'"

42 of 483 comments

  1. 'Flaws' Not that big of a deal by Novanix · · Score: 5, Insightful

    These "flaws" are not really that big of a deal. The idea of warning is so that files are not run afterwards by mistake. They give an exploit in which someone opens cmd.exe, then drags the file into it. Well if the user will follow along and execute some command they suggest, then things are already out the window. In addition the other exploit talks about overwriting a current file and it not showing a warning, once again if they can get you to overwrite a file on your hard drive with their file then you are already gone.

    1. Re:'Flaws' Not that big of a deal by asciono · · Score: 4, Insightful

      One thing is when Slashdot covered the SCO stuff, when it was hot, about five times per day. But SP2? C'mon! Microsoft just loves being in the spotlight.

      Until CodeWeavers comes up with a nice patch for wine to make SP2 work, please stop the presses!

    2. Re:'Flaws' Not that big of a deal by Spy+Hunter · · Score: 2, Insightful

      Yeah, these "flaws" are retarded. Telling people to open a command line and run a command with several arguments is much more complex than simply telling them "click yes on the security dialog to run the program". Clicking yes on dialog boxes is something users do all the time and don't think twice about. In fact, if Microsoft really wanted to make it difficult to run programs downloaded from the Internet, they could have *required* that users perform heise's procedure to run them. It would probably be more effective than a simple warning dialog.

      --
      main(c,r){for(r=32;r;) printf(++c>31?c=!r--,"\n":c<r?" ":~c&r?" `":" #");}
    3. Re:'Flaws' Not that big of a deal by Sancho · · Score: 2, Insightful

      I think it's a bigger deal than you think.

      The issue at hand is that there exists a way to execute programs without checking the ZoneIDs. That's less secure than desirable. All methods of execution should be secured. There are bound to be scenarios where this could be exploited that don't involve the user opening up a cmd window and typing the command.

      That said, yeah yeah yeah, Windows isn't secure, blah blah blah, Linux rules, etc.

    4. Re:'Flaws' Not that big of a deal by alex_tibbles · · Score: 4, Insightful

      It depends. The 'flaw' here is that certain actions that *sound* OK are not. In a perfect system, all insecure actions would be *obviously* insecure (like "open a root shell and type the command '0wnme'").
      It's like the social engineering attack: "Can I have your username?". People are told not to dish out their passwords, but usernames should be fine, right? Attacker then calls tech support (at the same company) saying: "Hi, I've forgotten my password. My username is . Please reset it for me."

    5. Re:'Flaws' Not that big of a deal by phobonetik · · Score: 5, Insightful

      Yes - agreed - to be exact; "With Service Pack 2, Microsoft introduces a new security feature which warns users before executing files that originate from an untrusted location (zone) such as the Internet. There are two flaws in the implementation of this feature: a cmd issue and the caching of ZoneIDs in Windows Explorer. The Windows command shell cmd ignores zone information and starts executables without warnings. Virus authors could use this to spread viruses despite the new security features of SP2. Windows Explorer does not update zone information properly when files are overwritten. So it can be tricked to execute files from the internet without warning."

    6. Re:'Flaws' Not that big of a deal by IchBinEinPenguin · · Score: 2, Insightful

      yet another 'internet zone' bug.

      Does anyone use/trust these things anymore?

    7. Re:'Flaws' Not that big of a deal by Anonymous Coward · · Score: 1, Insightful

      Indeed. Just more anti-MS FUD.

      Perhaps I should release one for GNU/Linux distros... something like...

      "Commands run from command prompt execute commands" or more generally "Platform intended for executing arbitrary commands capable of executing arbitrary commands"

      I mean really... what's next? Someone sends a vulnerability warning about "users able to be duped into adding new user accounts by malicious hackers"? Or maybe "Computer in the 'on' state runs code"

      *sigh*

      some people...

    8. Re:'Flaws' Not that big of a deal by EpsCylonB · · Score: 4, Insightful

      Microsoft just loves being in the spotlight.

      I think you have too high an opinion of Slashdot. Why would Microsoft care one way or the other about a website whose readers are 1) a minority of Windows users and 2) heavily biased towards Linux.

      On the other hand it makes sense for Slashdot to post these stories because there are almost certainly some admins here who want to hear the latest news about SP2.

    9. Re:'Flaws' Not that big of a deal by rseuhs · · Score: 2, Insightful
      Telling people to open a command line and run a command with several arguments is much more complex than simply telling them "click yes on the security dialog to run the program".

      Is it really?

      On the phone it's great to be able to say "Press Alt-F2 and then P-R-O-G-R-A-M", it's much more efficient and straightforward than "Press Start, then go to that submenu, then go to that submenu, then search for PROGRAM, then click it"

    10. Re:'Flaws' Not that big of a deal by slandis · · Score: 2, Insightful

      I work as a local Support Tech, but on occasion I have to call our corporate IT people to get password changes for users (central Novell system). The solution to this is that I can call and have a password changed, and so can anybody; but the new temporary password is left ONLY on the voicemail box of whichever user is getting the password change. Even I don't get told the new password.

      This assumes the voicemail boxes are fairly secure, of course. But it mostly prevents random asshat from grabbing your username and calling up to get it cleared or a new temp one generated.

      --
      BAM!
    11. Re:'Flaws' Not that big of a deal by alex_tibbles · · Score: 2, Insightful

      Not bad policy, perhaps. Are voice mail boxes remotely accessible? Externally remotely accessible? Does anything enforce the temporary nature of the password?

  2. Isn't it normal? by Anonymous Coward · · Score: 2, Insightful

    Surely, it's normal to release patches. Why is this news?

    So they patch up to SP2 and they continue to patch. I would hope so.

    So there's issues with SP2. I dare you to do a similar number of changes and then have no issues with the resulting code.

    Yet another slow news day we see headlines like "Ask Slashdot; I want to install a text editor, what do slashdot recommend?"

  3. Re:Where is SP2... by Jasperke · · Score: 2, Insightful

    Problem? Problem? How can you call that a problem?

    You just don't realize how lucky you are...

  4. Re:In general, Microsoft seems sloppy. by polecat_redux · · Score: 3, Insightful

    On the other hand, it might be that they don't give their QA people enough time to adequately test their products before release. I would think it's cheaper and more efficient for them to let their customers find the bugs.

  5. Outsourcing a problem? by jhoegl · · Score: 3, Insightful

    I really would like to know if Microsoft has an outsourcing company working on this project. They openly admit they outsource parts to outsourcing companies, why not this?

    If this is the case, it is very easy to see why Microsoft has so many problems with security. They have no control over the hires, no control over the code (you can review it, but that's a lot of code), you have no control over security of the code.

    I sometimes wonder if people purposely put in backdoors or buffer issues to allow this to happen. An unhappy coder is a dangerous coder, and let's face it, if you work for an outsource company, you probably are not too happy. I sure wasn't.

  6. Re:In general, Microsoft seems sloppy. by Anonymous Coward · · Score: 1, Insightful

    The parent is not flamebait! Microsoft software is sloppily thrown together, especially from a developer's perspective. To start off with, too many poorly designed features (such as allowing executable code within Word documents and email messages) exist in the company's products. Microsoft apparently has marketers, not engineers, for software architects. The development environments we have to work with have generally been lackluster.. poor documentation, things don't work the way they should, etc. Dealing with anything Microsoft is frustrating.

  7. SP2a by Graabein · · Score: 1, Insightful

    I think I'll wait for SP2a, thanks all the same.

    --
    And remember kids: Never trust a computer you can actually lift.
    1. Re:SP2a by dave420 · · Score: 4, Insightful
      Why? SP2 is fine, and all these bugs aren't even slightly severe, let alone show-stoppers.

      Get rid of that "fuck Microsoft" attitude, start thinking for yourself, and actually take a look at it. It's a great addition to XP, and those who say it isn't have an ulterior motive.

  8. Lame Microsoft bashing by City+Jim+3000 · · Score: 5, Insightful

    These 'flaws' are of the same type as posting a script in your .sig that executes "rm -rf /" on a *nix system.

    The best security measure would be some device that read the mind of the user and warned if you were too stupid. Or maybe even easier:

    if(spywareCount > 20) stupidUser = true;

  9. Re:Currect track record by phobonetik · · Score: 5, Insightful

    Actually, to be honest XP is quite good. The masses really mainly seem to understand how to use it. My mum can write CDs, scan photos and so on :P ... which previously with Win98 was always a sure way for a phone call to me for support. I really enjoy the fact hardware is finally really plug n play. No stuffing around finding the drivers. I slapped it on an old Pentium 500 recently and it detected everything, breathing new life into the box. And yes, while I say this, I prefer (and am browsing on) Firefox, and we have a bunch of Linux servers. (It's a shame I have to justify any decision to use anything which ain't a "postgres server on some box where i have personally contributed into a branch of a kernel i compiled myself" when on Slashdot. Ah well).

  10. But does SP2 take out the trash as well? by CRC'99 · · Score: 5, Insightful

    Ok, correct me if I'm wrong, but isn't a Service Pack supposed to add security fixes, and patches to operate more 'as expected'...

    Yes, you can do something convoluted to get something to misbehave (save the file, open up a command prompt, run the file) etc, but seriously, if a normal user does this, then they are beyond help that we can expect an OS to provide.

    Remember, you can get *ROOT* access to linux by rebooting and adding 'single' to the boot line. Does this mean that it should be fixed in the next kernel/distro?

    You can only do so much to protect the user. If you go out of your way to bypass security measures, then the OS should not be expected to protect you.

    --
    Sendmail is like emacs: A nice operating system, but missing an editor and a MTA.
  11. Functionality vs Control by Skiron · · Score: 3, Insightful

    The trouble is, M$ do not have the luxury of coding a free, open system as per Linux and are more concerned with the 'control' of the code in what it allows a user to do (or more importantly, what they are not allowed to do!!). Basically, the whole design from bottom up of windows is a bad legacy and will always cause problems

    BTW, here is the SP2 fix list

    Some great stuff here e.g. -> 823830 Your Windows XP computer stops responding after you log on :D

  12. Mod article down by Ceriel+Nosforit · · Score: 5, Insightful

    In my humble opinion, this article is about as useful as a troll. Many /. readers have already pointed out that these aren't much of flaws.

    Microsoft is finally playing the right tunes, but someone on a vendetta can't accept this, so they nitpick after _anything_ to pin on SP2.
    For Christ's sake, Sendmail. Sendmail had a brand new remote execution (That translates to your unpatched box being rooted.) exploit posted a week or two ago, and not a word was said.

    This isn't news. This is hypocrisy.

    --
    All rites reversed 2010
  13. News for Nerds. Stuff that matters. by Numen · · Score: 5, Insightful

    That tag is starting to wear awful thin.

    Why is it harmful to stoop to clutching at any desperate cheap swipe at MS ignoring any similar commentary on OSS software?.... because there's a large number of NERDS that miss a lot of useful "stuff that matters" on Slashdot because they're not prepared to deal with the rabid hypocrisy of articles like this one.

    Secondly it makes the OSS community look like a bunch of immature fanboys rather than the dedicated professionals most of the community is made up of... that directly impacts adoption of OSS by business.

    If you've ever wondered why OSS struggles for credibility in many businesses, bullshit like this article and the culture it encourages are a significant factor.

    Articles like this one hurt the OSS community way way more than they ever hurt MS and feed back into the fact that the OSS community itself is all the advertising MS needs.

    "News for OSS Nerds. Any desperate shot at MS."

    Grow the hell up.

    Get back to news for ALL nerds, and stuff that genuinely does matter. Because **gasp** there are Nerds that also develop on the MS platform, and not surprisingly they're more likely to hear the OSS side of the argument if they're actually around rather than on the other side of the room rolling their eyes at you... and maybe... just maybe... you have as much to learn from them as they have to learn from you.

    1. Re:News for Nerds. Stuff that matters. by goldspider · · Score: 2, Insightful
      So you're saying there's nothing wrong with Linux, or any other OSS out there? Or are you saying that everyone, including those that do know better, should strictly limit themselves to OSS even though it likely isn't the best tool for the job? What does that achieve?

      Zealots like you are EXACTLY what the grandparent is referring to. You grapple for the tiniest scrap of a "flaw" that nobody but the most creatively stupid of users could only stumble upon, and use it to bolster your "M1cr0$0ft 15 t3h 5ux0rz" argument.

      Nothing can abate your hatred of Microsoft, so do us all a favor and keep your rabies away from the rest of us.

      --
      "Ask not what your country can do for you." --John F. Kennedy
  14. Re:Execute.me by arivanov · · Score: 3, Insightful

    It is different in the sense that:

    If SP2 has introduced as standard blocking execution based on ADS data, it has to be uniform across the OS. The fact that CMD does not do the check means that the check is not on kernel level. It is a userland check, most likely in explorer libraries which are universally used by MSFT software at the moment. This means that there is likely to be a way to do this without asking and this protection is not likely to apply to any 3rd party executables that do not rely on IE. This also means that SP2 enforces the use of IE to access filesystem and launch executables.

    So MSFT did one of its usual stunts - it decreased the security of the system, screwed the competition while getting some publicity for a security feature. Good marketing...

    --
    Baker's Law: Misery no longer loves company. Nowadays it insists on it
    http://www.sigsegv.cx/
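
As an added illustration of the point above (not part of the original comment and not Microsoft's code): the zone mark is stored in an NTFS alternate data stream named `Zone.Identifier`, so any launcher that wants the check has to read it itself. The sketch below parses that stream and flags executables marked Internet or Restricted; the file names, sample stream contents and verdict labels are constructed for the example.

```python
import os

# URL security zone numbers as written to the Zone.Identifier stream.
ZONES = {0: "Local Machine", 1: "Local Intranet", 2: "Trusted Sites",
         3: "Internet", 4: "Restricted Sites"}
# Extensions treated as directly executable (assumption for this example).
EXECUTABLE_EXTS = {".exe", ".com", ".bat", ".cmd", ".scr", ".pif"}


def parse_zone_identifier(text):
    """Return the ZoneId from stream text, or None if absent or malformed."""
    section = None
    for raw in text.lstrip("\ufeff").splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "ZoneTransfer" and "=" in line:
            key, _, value = line.partition("=")
            if key.strip().lower() == "zoneid":
                try:
                    return int(value.strip())
                except ValueError:
                    return None
    return None


def read_zone_stream(path):
    """Read the Zone.Identifier stream of a file on NTFS; None if missing."""
    try:
        with open(path + ":Zone.Identifier", "r",
                  encoding="utf-8", errors="replace") as fh:
            return fh.read()
    except OSError:
        return None


def classify(name, stream_text):
    """Verdict a launcher could enforce before starting a file."""
    ext = os.path.splitext(name)[1].lower()
    if ext not in EXECUTABLE_EXTS:
        return "skip"
    if stream_text is None:
        return "unmarked"          # no mark: treated like a local file
    zone = parse_zone_identifier(stream_text)
    if zone not in ZONES:
        return "malformed"         # mark present but unreadable: fail closed
    return "warn" if zone >= 3 else "ok"


def audit(streams):
    """Map each file name to its verdict; streams is name -> stream text."""
    return {name: classify(name, text) for name, text in streams.items()}


# Constructed sample: file name -> contents of its Zone.Identifier stream.
SAMPLE = {
    "setup.exe": "[ZoneTransfer]\r\nZoneId=3\r\n",
    "notes.txt": "[ZoneTransfer]\r\nZoneId=3\r\n",
    "tool.exe": None,
    "intranet.bat": "[ZoneTransfer]\nZoneId=1\n",
    "broken.scr": "[ZoneTransfer]\nZoneId=internet\n",
}

if __name__ == "__main__":
    for name, verdict in audit(SAMPLE).items():
        print(f"{verdict:9} {name}")
```

On an NTFS volume, `read_zone_stream` supplies the stream text for a real path, so the same verdict can be applied regardless of which shell starts the file.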
  15. I wouldn't laugh about this too much by beh · · Score: 4, Insightful


    Yes, I couldn't suppress a first smirk upon seeing this article. But then again, there are two major reasons we shouldn't be laughing too much about this:

    a) While uncertainty about Micro$oft brings some more people to Linux (which is touted to be more secure, but then again - it can just as well be penetrated by hackers), it also turns people away from using the Internet because they get too scared of what's going on there. The latter are mostly elderly people, but nevertheless - even they should be free to use the Internet, something which a number of them dread now because they feel their privacy (through spyware) and/or financial background (due to phish scams) may be at risk. And this is not a good thing.

    b) Staying still, laughing about Micro$oft's misfortune here has two more immediate effects: (a) it will spur M$ developers even more to deliver better software - and (b) has Linux people potentially stay back and enjoy M$'s misfortune (and hence giving M$ more time to catch up, security-wise, that is). Do you want to sit at the "other" end of the story in a year or two - once M$ has sorted out most of its security issues, while linux might be more and more negligent of these issues (because everyone "knows" that it's Windows that's insecure)?

    Personally, I've had some of my machines broken into about 2 years ago - and that was out of negligence (thinking Linux would be safe enough on its own). In the end, it probably was just a couple of script-kiddies breaking into the box to install - of all things - an IRC proxy/cache/logger on the machine. I don't know how they originally got into the machine, as I am not even quite sure WHEN it happened. But it went far enough that they even replaced the system's own ps/netstat/... to make sure those wouldn't display the "wrong" processes. I only noticed a problem when I inadvertently stumbled across it...

    Since that time, I've done some more work trying to secure the box as far as (with MY knowledge) possible - but I'll no longer think my machines are inherently better than a M$ server might be. M$ *will* catch up - and they DO have the money they need to fix these kinds of problems.

    The question is - do WE have the idealism to hunt down every single bug? (M$ people don't need the idealism for it - they get well PAID to do it).

  16. Re:Another potential remote exploit found!! by mcbevin · · Score: 4, Insightful

    I think that about summarizes what I've read of these flaws. If anything, the 'exploits' are simply disagreements with the philosophy regarding how the changes should have been implemented - i.e. at what level.

    Microsoft has added protection to some things, but not others, so it's a 'flaw' that the protection only protects these certain things. But it is most likely a design decision - you have the security stopping the dumb user from accidentally opening something in explorer without realising what it is, without handicapping advanced users using cmd or having say security pop-ups every time a program internally invokes another etc.

  17. 2.6.8 kernel so buggy... by dioscaido · · Score: 3, Insightful

    ... Linus and crew are at work with yet another version of the kernel, this time numbered 2.6.9! Those people are so sloppy, having to upgrade the kernel every few months to fix all the issues. Doesn't sound quite right now does it? Change the tag to SP2 and Windows, and we have a slashdot headline! Mod me as troll if you like, I'm just trying to make a point.

  18. Re:Managing large projects by Anonymous Coward · · Score: 1, Insightful

    If you've ever read Raymond Chen's blog, Old New Thing, it's not surprising how broken Windows is. They go to extraordinary lengths to maintain backwards compatibility. Seems to me, that the lengths they go to, to make users happy, would break any OS. It's just not possible to manage that sort of thing.

    Like many others, I don't know why this sort of thing makes /. anymore.

  19. Don't confuse SP2 RTM and Final (Gold) Versions. by kc_cyrus · · Score: 2, Insightful
    Please don't misunderstand. The version offered early this month by MS was a RTM version.

    The RTM releases are mainly for businesses and corporate customers even though they are publicly available.

    However, It's not the final version.

    Once SP2 CD is available for order and MS is officially stating on its main XP Pages that SP2 is here, there will be another SP2 Release.

    They did this same thing with SP1 however they never mentioned that the RTM SP1 was slightly different from the GOLD SP.

    Once the SP2 GOLD is released the RTM tag will not be on your MS About/version windows. It will just be SP2.

  20. Whatever by rjdohnert · · Score: 2, Insightful

    This requires some physical access to a system to be infected should someone try to write a virus. This is not a critical issue. Saying that a massive virus attack will come from this is like saying that Single User Mode on a Linux or UNIX installation is a security risk. If someone else has access to your system, it's not your system anymore.

  21. Are they actually insane? by argent · · Score: 2, Insightful

    With Service Pack 2, Microsoft introduces a new security feature which warns users before executing files that originate from an untrusted location (zone) such as the Internet.

    One definition of insanity is trying the same thing again when you know it won't work.

    Attention, Microsoft: you have been trying to make this fatally flawed "integrated browser" concept work reliably for over seven years, by adding twist after twist to this flawed "zones" model. The only component of the system that can know whether a document should be trusted is the application that requested it. THAT is the component that needs to be responsible for deciding how to handle its content.

    Remove the access components from the HTML control and make it purely a rendering tool. Use a mechanism like callbacks to the application to handle embedded objects, links, and helper applications, and make that application responsible for its documents. This is a security model that works, the one you're trying to create to shore up your original design flaw doesn't, and can't.

    People have been telling you this for years, you've been in denial for years, GET OVER IT.

  22. Isn't that the ideal of OpenBSD by SmallFurryCreature · · Score: 2, Insightful
    Or one of the BSD's at least? Not sure as I don't use it.

    Anyway linux isn't any more secure or insecure than windows. It is just that most linux users got a tiny bit of a clue. But a clueful person could also be able to setup a secure windows machine.

    I keep waiting for MS to be really smart and adopt a more gentoo like approach to new windows installations. A very real problem is that a new "legal" installation is unpatched and will not survive long enough to download patches. But this is only because MS doesn't have "download latest software" stage in its installation.

    Let me explain. The entire windows problem is that it has software with security holes in listening mode before you are fully patched. When you install gentoo you download a sorta up-to-date CD with a very basic linux install. If you boot the CD you got a working linux cli but nothing extra it won't be running any listening services. So even if the machine is connected directly to the internet there is no way to attack it. No software listening to ports == no way to attack. Only way to install a listening piece of software is to download the latest fully patched software and run it by choice.

    So why does MS not do this as well? A new Windows install doesn't open any listening ports UNTIL it has downloaded the latest patches.

    Well the answer is of course probably very simple. It would make windows look "hard" to use. MS loves to promote the image of a click and drool OS. While the unpatched listening software is a problem just as big a problem is that the average windows user will click and drool on anything.

    Note my use of "legal" installations. If you bought XP then you got a CD that when installed will give you a totally insecure system. If you pirated XP then just download a version with the Service Packs included. Yet another case where piracy really pays.

    --

    MMO Quests are like orgasms:

    You may solo them, I prefer them in a group.

    1. Re:Isn't that the ideal of OpenBSD by Lehk228 · · Score: 2, Insightful

      The problem is that windows is near useless on a limited user account, you cannot install or remove stuff, until windows permits the installation of software to user accounts and beefs up local security it will remain insecure.

      --
      Snowden and Manning are heroes.
  23. Heise Security, Eh? by Renaissance+2K · · Score: 2, Insightful

    If Microsoft is so "concerned" about security in Service Pack 2 and a firm like Heise Security is so quick to not only discover the flaws, but announce them as well... Wouldn't it make sense for Microsoft to submit their major updates to a security firm before making it available to the public, and suffering the subsequent criticism?

  24. Re:Currect track record by dave420 · · Score: 4, Insightful
    Whatever, buddy. Seriously. Think for yourself.

    Win95 - ground-breaking. Paved the way for the GUIs in use in every subsequent windows version, and lots of *nix guis
    Win98 - great for games (still is), supports the latest DirectX (still), has a very small footprint, boots fast and offers great hardware support
    WinME - disappointing for some, exceedingly usable for most others. Say what you will, lots of people loved it
    Win2000 - fantastic. Offered stability, great driver support, great networking, easy installs, perfect for the corporate environment (hence most places still using it)
    WinXP - incredible. We're talking excellent games/multimedia support, almost unlimited software catalogue, integrated auto-updating, visual themes, etc. etc. etc.
    XPSP2 - a great step in the right direction, executed very well. If you can find fault in it, you can find fault in anything
    2003 - One of the best server operating systems out there. Exceedingly fast, secure, stable, yet with great driver support, lots and lots of software, etc. Again, if you think it's bad there's something wrong.

    At least get your arguments straight. Just because you label something as "disappointing" doesn't instantly wipe out the popular history that it was anything but. I know you have your head in the clouds, but even that shouldn't stop you from recognising truly important software.

  25. I have respect for ... by kabdib · · Score: 5, Insightful

    I have respect for folks who can find buffer-overruns, heap-mangling attacks and so forth. These people are smart, hard-working and diligent. They give evil a good name.

    I have nothing but contempt for someone with an axe to grind whose only response is the "exploit" in the linked article. It's pretty lame. Come back when you've written enough of your own code to present an attack surface. :-/

    Grow up. Sheesh.

    --
    Any sufficiently advanced technology is insufficiently documented.
  26. Re:confusing... by Anonymous Coward · · Score: 1, Insightful

    People won't read it, they'll just throw it out. Don't think I'm exaggerating. People don't read instructions for anything.

  27. Software has bugs. Deal with it. by drdink · · Score: 4, Insightful

    It never ceases to amuse me to see the continual bashing of Microsoft on Slashdot. Yes, Microsoft has some major security issues to work out. However, they are making a fairly good faith effort to do this now. Service Pack 2 was a decent attempt. Yes, there were bugs introduced by Service Pack 2. But even Linux has bugs every once in a while after a new release.
    If you really must discredit Microsoft, at least do it on fair ground and acknowledge that the operating system(s) you hold dear also have some bugs. And please, do not call them Micro$oft, M$ and other lame variants. It is Microsoft Windows, not Micro$haft Windblowz. If you can't even have the common decency to refer to something by the proper name, then nobody worth listening to is ever going to take you seriously.
    If you want your community to be seen in a decent light, then you must behave decently.

    --
    Beware, Nugget is watching... See?
  28. Re:Currect track record by Anonymous Coward · · Score: 1, Insightful

    Yes all 5 amiga users were very happy.

    For an i386 PC, Windows 95 was groundbreaking. Kludgy, yeah, but miles ahead in interface, stability, and multitasking from Windows 3.x.

    Please limit your comparisons to OS's released within 2 years of Win95, and having a market share at least one tenth of Windows (see I give the MacOS, which is great, but was kinda languishing at that time)