Slashdot Mirror


Latest SP2 News

Xformer writes "It seems that SP2 for Windows XP isn't as secure as Microsoft touts it to be. Heise Security has uncovered two flaws in SP2's bolstered security measures, both of which may be used to get around the new trusted/untrusted executable origin checks. Of course, who would be surprised by this?" Reader EtherNetFreak writes "Well it appears that at least one hotfix is already available to fix yet another bug in Windows XP, post SP2 application." Reader Finalnight writes "'Microsoft Corp. yesterday delayed yet again its oft-delayed Windows XP Service Pack 2, this time postponing the patch's distribution through the company's Automatic Update service.'"

8 of 483 comments

  1. 'Flaws' Not that big of a deal by Novanix · Score: 5, Insightful

    These "flaws" are not really that big of a deal. The idea of warning is so that files are not run afterwards by mistake. They give an exploit in which someone opens cmd.exe, then drags the file into it. Well if the user will follow along and execute some command they suggest, then things are already out the window. In addition the other exploit talks about overwriting a current file and it not showing a warning, once again if they can get you to overwrite a file on your hard drive with their file then you are already gone.

    1. Re:'Flaws' Not that big of a deal by phobonetik · Score: 5, Insightful

      Yes - agreed - to be exact; "With Service Pack 2, Microsoft introduces a new security feature which warns users before executing files that originate from an untrusted location (zone) such as the Internet. There are two flaws in the implementation of this feature: a cmd issue and the caching of ZoneIDs in Windows Explorer. The Windows command shell cmd ignores zone information and starts executables without warnings. Virus authors could use this to spread viruses despite the new security features of SP2. Windows Explorer does not update zone information properly when files are overwritten. So it can be tricked to execute files from the internet without warning."
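
An added example, not part of the comment above or of the Heise advisory: SP2 records a downloaded file's origin as a ZoneId in an NTFS alternate data stream named Zone.Identifier, and the code below parses that stream's text and decides whether a launcher that honours it would treat the file as untrusted. The sample stream contents are constructed, the function names are this example's own, and treating zones 3 and 4 as untrusted is an assumed policy.

```python
import configparser

# Windows URL security zone numbers.
ZONES = {0: "Local Machine", 1: "Local Intranet", 2: "Trusted Sites",
         3: "Internet", 4: "Restricted Sites"}
UNTRUSTED_FROM = 3  # assumed policy for this example: Internet and above

def read_zone_stream(path):
    """Read a file's Zone.Identifier stream on NTFS; None if it has none."""
    try:
        with open(path + ":Zone.Identifier", encoding="utf-8",
                  errors="replace") as f:
            return f.read()
    except OSError:
        return None

def parse_zone_id(stream_text):
    """Return the ZoneId as an int, or None if the tag is absent or malformed."""
    if not stream_text:
        return None
    cp = configparser.ConfigParser(interpolation=None)
    try:
        cp.read_string(stream_text.lstrip("\ufeff"))
        return int(cp["ZoneTransfer"]["ZoneId"])
    except (configparser.Error, KeyError, ValueError):
        return None

def is_untrusted(stream_text):
    # A launcher that never consults the stream (the cmd case in the quoted
    # advisory) skips this check entirely, so no warning can appear.
    zone = parse_zone_id(stream_text)
    return zone is not None and zone >= UNTRUSTED_FROM

def audit(files):
    """Map each name in {name: stream text or None} to (zone name, untrusted)."""
    report = {}
    for name, text in files.items():
        zone = parse_zone_id(text)
        label = "no zone info" if zone is None else ZONES.get(zone, "unknown")
        report[name] = (label, is_untrusted(text))
    return report

# Constructed sample streams, not taken from real files.
SAMPLES = {"setup.exe": "[ZoneTransfer]\r\nZoneId=3\r\n",
           "tool.exe": "[ZoneTransfer]\r\nZoneId=0\r\n",
           "notes.txt": None,            # never tagged
           "odd.exe": "ZoneId=3"}        # malformed: no section header

if __name__ == "__main__":
    for name, result in audit(SAMPLES).items():
        print(name, result)
```

A file with a missing or unparsable tag comes back as "no zone info" and is not flagged, which is why the warning depends entirely on every component writing and re-reading the tag correctly.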

  2. Lame Microsoft bashing by City Jim 3000 · Score: 5, Insightful

    These 'flaws' are of the same type as posting a script in your .sig that executes "rm -rf /" on a *nix system.

    The best security measure would be some device that read the mind of the user and warned if you were too stupid. Or maybe even easier:

    if(spywareCount > 20) stupidUser = true;

  3. Re:Current track record by phobonetik · Score: 5, Insightful

    Actually, to be honest XP is quite good. The masses really mainly seem to understand how to use it. My mum can write CDs, scan photos and so on :P ... which previously with Win98 was always a sure way for a phone call to me for support. I really enjoy the fact hardware is finally really plug n play. No stuffing around finding the drivers. I slapped it on an old Pentium 500 recently and it detected everything, breathing new life into the box. And yes, while I say this, I prefer (and am browsing on) Firefox, and we have a bunch of Linux servers. (It's a shame I have to justify any decision to use anything which ain't a "postgres server on some box where I have personally contributed into a branch of a kernel I compiled myself" when on Slashdot. Ah well).

  4. But does SP2 take out the trash as well? by CRC'99 · Score: 5, Insightful

    Ok, correct me if I'm wrong, but isn't a Service Pack supposed to add security fixes, and patches to operate more 'as expected'...

    Yes, you can do something convoluted to get something to misbehave (save the file, open up a command prompt, run the file) etc, but seriously, if a normal user does this, then they are beyond help that we can expect an OS to provide.

    Remember, you can get *ROOT* access to linux by rebooting and adding 'single' to the boot line. Does this mean that it should be fixed in the next kernel/distro?

    You can only do so much to protect the user. If you go out of your way to bypass security measures, then the OS should not be expected to protect you.

    --
    Sendmail is like emacs: A nice operating system, but missing an editor and a MTA.
  5. Mod article down by Ceriel Nosforit · Score: 5, Insightful

    In my humble opinion, this article is about as useful as a troll. Many /. readers have already pointed out that these aren't much of flaws.

    Microsoft is finally playing the right tunes, but someone on a vendetta can't accept this, so they nitpick after _anything_ to pin on SP2.
    For Christ's sake, Sendmail. Sendmail had a brand new remote execution (That translates to your unpatched box being rooted.) exploit posted a week or two ago, and not a word was said.

    This isn't news. This is hypocrisy.

    --
    All rites reversed 2010
  6. News for Nerds. Stuff that matters. by Numen · Score: 5, Insightful

    That tag is starting to wear awful thin.

    Why is it harmful to stoop to clutching at any desperate cheap swipe at MS ignoring any similar commentary on OSS software?.... because there's a large number of NERDS that miss a lot of useful "stuff that matters" on Slashdot because they're not prepared to deal with the rabid hypocrisy of articles like this one.

    Secondly it makes the OSS community look like a bunch of immature fanboys rather than the dedicated professionals most of the community is made up of... that directly impacts adoption of OSS by business.

    If you've ever wondered why OSS struggles for credibility in many businesses, bullshit like this article and the culture it encourages are a significant factor.

    Articles like this one hurt the OSS community way way more than they ever hurt MS and feed back into the fact that the OSS community itself is all the advertising MS needs.

    "News for OSS Nerds. Any desperate shot at MS."

    Grow the hell up.

    Get back to news for ALL nerds, and stuff that genuinely does matter. Because **gasp** there are Nerds that also develop on the MS platform, and not surprisingly they're more likely to hear the OSS side of the argument if they're actually around rather than on the other side of the room rolling their eyes at you... and maybe... just maybe... you have as much to learn from them as they have to learn from you.

  7. I have respect for ... by kabdib · Score: 5, Insightful

    I have respect for folks who can find buffer-overruns, heap-mangling attacks and so forth. These people are smart, hard-working and diligent. They give evil a good name.

    I have nothing but contempt for someone with an axe to grind whose only response is the "exploit" in the linked article. It's pretty lame. Come back when you've written enough of your own code to present an attack surface. :-/

    Grow up. Sheesh.

    --
    Any sufficiently advanced technology is insufficiently documented.