Slashdot Mirror
Latest SP2 News
Xformer writes "It seems that SP2 for Windows XP isn't as secure as Microsoft touts it to be. Heise Security has uncovered two flaws in SP2's bolstered security measures, both of which may be used to get around the new trusted/untrusted executable origin checks. Of course, who would be surprised by this?" Reader EtherNetFreak writes "Well it appears that at least one hotfix is already available to fix yet another bug in Windows XP, post SP2 application." Reader Finalnight writes "'Microsoft Corp. yesterday delayed yet again its oft-delayed Windows XP Service Pack 2, this time postponing the patch's distribution through the company's Automatic Update service.'"
These "flaws" are not really that big of a deal. The idea of warning is so that files are not run afterwards by mistake. They give an exploit in which someone opens cmd.exe, then drags the file into it. Well if the user will follow along and execute some command they suggest, then things are already out the window. In addition the other exploit talks about overwriting a current file and it not showing a warning, once again if they can get you to overwrite a file on your hard drive with their file then you are already gone.
These 'flaws' are of the same type as posting a script in your .sig that executes "rm -rf /" on a *nix system.
The best security measure would be some device that read the mind of the user and warned if you were too stupid. Or maybe even easier:
if(spywareCount > 20) stupidUser = true;
Actually, to be honest XP is quite good. The masses really mainly seem to understand how to use it. My mum can write CDs, scan photos and so on :P ... which previously with Win98 was always a sure way for a phone call to me for support.
I really enjoy the fact hardware is finally really plug n play. No stuffing around finding the drivers. I slapped it on an old Pentium 500 recently and it detected everything, breathing new life into the box.
And yes, while I say this, I prefer (and are browsing on) Firefox, and we have a bunch of linux servers. (Its a shame I have to justify any decision to use anything which aint a "postgres server on some box where i have personally contributed into a branch of a kernel i compiled mysel" when on slashdot. ah well).
Ok, correct me if I'm wrong, but isn't a Service Pack supposed to add security fixes, and patches to operate more 'as expected'...
Yes, you can do something convoluted to get something to misbehave (save the file, open up a command prompt, run the file) etc, but seriously, if a normal user does this, then they are beyond help that we can expect an OS to provide.
Remember, you can get *ROOT* access to linux by rebooting and adding 'single' to the boot line. Does this mean that it should be fixed in the next kernel/distro?
You can only do so much to protect the user. If you go out of your way to bypass security measures, then the OS should not be expected to protect you.
Sendmail is like emacs: A nice operating system, but missing an editor and a MTA.
In my humble opinion, this article is about as useful as a troll. Many /. readers have already pointed out that these aren't much of flaws.
Mircrosoft is finally playing the right tunes, but someone on a vendetta can't accept this, so they nitpick after _anything_ to pin on SP2.
For Christ's sake, Sendmail. Sendmail had a brand new remote execution (That's translates to your unpatched box being rooted.) exploit posted a week or two ago, and not a word was said.
This isn't news. This is hypocrisy.
--
All rites reversed 2010
That tag is starting to wear awful thin.
Why is it harmful to stoop to clutching at any desperate cheap swipe at MS ignoring any similar commentary on OSS software?.... because there's a large number of NERDS that miss a lot of useful "stuff that matters" on Slashdot because they're not prepared to deal with the rabid hypocrisy of articles like this one.
Secondly it makes the OSS comunity look like a bunch of immature fanboys rather than the dedicated professionals most of the community is made up for... that directly impacts adoption of OSS by business.
If you've ever wondered why OSS struggles for credibility in many businesses, bullshit like this article and the culture it encourages are a significant factor.
Articles like this one hurt the OSS community way way more than they ever hurt MS and feed back into the fact that the OSS community itself is all the advertising MS needs.
"News for OSS Nerds. Any desperate shot at MS."
Grow the hell up.
Get back to news for ALL nerds, and stuff that genuinley does matter. Because **gasp** there are Nerds that also develop on the MS platform, and not suprisingly they're more likely to hear the OSS side of the argument if they're actually around rather than on the other side of the room rolling their eyes at you... and maybe... just maybe... you have as much to learn from them as they have to learn from you.
Yes, I couldn't suppress a first smirk upon seeing this article. But then again, there are two major reasons we shouldn't be laughing too much about this:
a) While uncertainty about Micro$oft brings some more people to Linux (which is touted to be more secure, but then again - it can just as well be penetrated by hackers), it also turns people away from using the Internet because they get too scared of what's going on there. The latter are mostly elderly people, but nevertheless - even they should be free to use the Internet, something which a number of them dread now because they feel their privacy (through spyware) and/or financial background (due to phish scams) may be at risk. And this is not a good thing.
b) Staying still, laughing about Micro$ofts misfortune here has to more immediate effects: (a) it will spurn M$ developers even more to deliver better software - and (b) has Linux people potentially stay back and enjoy M$'s misfortune (and hence giving M$ more time to catch up, security-wise, that is). Do you want to sit at the "other" end of the story in a year or two - once M$ has sorted out most of its security issues, while linux might be more and more negligent of these issues (because everyone "knows" that it's Windows that's insecure).
Personally, I've had some of my machines broken into about 2 years ago - and that was out of negligence (thinking Linux would be safe enough on its own). In the end, it probably was just a couple of script-kiddies breaking into the box to install - of all things - an IRC proxy/cache/logger on the machine. I don't know how the originally got into the machine, as I am not even quite sure WHEN it happened. But it went far enough that they even replaced the system's own ps/netstat/... to make sure those wouldn't display the "wrong" processes. I only noticed a problem when I inadvertently stumbled across it...
Since that time, I've done some more work trying to secure the box as far as (with MY knowledge) possible - but I'll no longer think my machines are inherently better than a M$ server might be. M$ *will* catch up - and they DO have the money they need to fix these kinds of problems.
The question is - do WE have the idealism to hunt down every single bug? (M$ people don't need the idealism for it - they get well PAID to do it).
I think that about summarizes what I've read of these flaws. If anything, the 'exploits' are simply disagreements with the philosophy regarding how the changes should have been implemented - i.e. at what level.
Microsoft has added protection to some things, but not others, so its a 'flaw' that the protection only protects these certain things. But it most likely a design decision - you have the security stopping the dumb user from accidentally opening something in explorer without realising what it is, without handicapping advanced users using cmd or having say security pop-ups every time a program internally invokes another etc.
Get rid of that "fuck micrsoft" attitude, start thinking for yourself, and actually take a look at it. It's a great addition to XP, and those who say it isn't have an alterior motive.
Win95 - ground-breaking. Paved the way for the GUIs in use in every subsequent windows version, and lots of *nix guis
Win98 - great for games (still is), supports the latest DirectX (still), has a very small footprint, boots fast and offers great hardware support
WinME - disappointing for some, exceedingly usable for most others. Say what you will, lots of people loved it
Win2000 - fantastic. Offered stability, great driver support, great networking, easy installs, perfect for the corporate environment (hence most places still using it)
WinXP - incredible. We're talking excelleng games/multimedia support, almost unlimited software catalogue, integrated auto-updating, visual themes, etc. etc. etc.
XPSP2 - a great step in the right direction, executed very well. If you can find fault in it, you can find fault in anything
2003 - One of the best server operating systems out there. Exceedingly fast, secure, stable, yet with great driver support, lots and lots of software, etc. Again, if you think it's bad there's something wrong.
At least get your arguments straight. Just because you label something as "disappointing" doesn't instantly wipe out the popular history that it was anything but. I know you have your head in the clouds, but even that shouldn't stop you from recognising truly important software.
I have respect for folks who can find buffer-overruns, heap-mangling attacks and so forth. These people are smart, hard-working and diligent. They give evil a good name.
:-/
I have nothing but contempt for someone with an axe to grind whose only response is the "exploit" in the linked article. It's pretty lame. Come back when you've written enough of your own code to present an attack surface.
Grow up. Sheesh.
Any sufficiently advanced technology is insufficiently documented.
It never ceases to amuse me to see the continual bashing of Microsoft on Slashdot. Yes, Microsoft has some major security issues to work out. However, they are making a fairly good faith effort to do this now. Service Pack 2 was a decent attempt. Yes, there were bugs introduced by Service Pack 2. But even Linux has bugs every once and a while after a new release.
If you really must discredit Microsoft, at least do it on fair ground and acknowledge that the operating system(s) you hold dear also have some bugs. And please, do not call them Micro$oft, M$ and other lame variants. It is Microsoft Windows, not Micro$haft Windblowz. If you can't even have the common decency to refer to somethign by the proper name, then nobody worth listening to is evey going to take you seriously.
If you want your community to be seen in a decent light, then you must behave decently.
Beware, Nugget is watching... See?