Slashdot Mirror
Latest SP2 News
Xformer writes "It seems that SP2 for Windows XP isn't as secure as Microsoft touts it to be. Heise Security has uncovered two flaws in SP2's bolstered security measures, both of which may be used to get around the new trusted/untrusted executable origin checks. Of course, who would be surprised by this?" Reader EtherNetFreak writes "Well it appears that at least one hotfix is already available to fix yet another bug in Windows XP, post SP2 application." Reader Finalnight writes "'Microsoft Corp. yesterday delayed yet again its oft-delayed Windows XP Service Pack 2, this time postponing the patch's distribution through the company's Automatic Update service.'"
SP2 for Windows XP isn't as secure as Microsoft touts it to be you just blew my mind :)
All the torrents you could want.
These "flaws" are not really that big of a deal. The idea of warning is so that files are not run afterwards by mistake. They give an exploit in which someone opens cmd.exe, then drags the file into it. Well if the user will follow along and execute some command they suggest, then things are already out the window. In addition the other exploit talks about overwriting a current file and it not showing a warning, once again if they can get you to overwrite a file on your hard drive with their file then you are already gone.
*Shrugs*
My pics.
Surely, it's normal to release patches. Why is this news?
So they patch up to SP2 and they continue to patch. I would hope so.
So there's issues with SP2. I dare you to do a similar number of changes and then have no issues with the resulting code.
Yet another slow news day we we see headlines like "Ask Slashdot; I want to install a text editor, what do slashdot recommend?"
Problem? Problem? How can you call that a problem?
You just don't realize how lucky you are...
I'm curious how long it takes them to release Service Patch 2 for SP2...
Great, someone used Sweeping Microsoft Generalisations #423 and #587, and gets modded up as Funny.
Come on, guys, if you're going to bash the Beast of Redmond, at least put some effort into it!
-MT.
-MT.
SP2 isn't available through Windows Update, only through Automatic Update. There is a difference. Automatic Update runs in the background, checking your patch status against MS and downloading as required, its set up from Control Panel > Automatic Updates. Windows Update is the on-demand website visit. SP2 won't be available through Windows Update until the 25th August.
I remember hearing that Service Pack 2 will not be available manually via Windows Update until sometime around August 25. Until then you need to get it via automatic update or an external installer. However these external installers are somewhat harder to come by than previously, as Microsoft has shut many of them down - which is a shame since they were very fast torrents. Oh well.
On the other hand, it might be that they don't give their QA people enough time to adequately test their products before release. I would think it's cheaper and more efficient for them to let their customers to find the bugs.
I really would like to know if Microsoft has an outsourcing company working on this project. They openly admit they outsource parts to outsourcing companies, why not this?
If this is the case, it is very easy to see why Microsoft has so many problems with security. They have no control over the hires, no control over the code (you can review it, but thats a lot of code), you have no control over security of the code.
I sometimes wonder if people purposly put in backdoors or buffer issues to allow this to happen. A unhappy coder is a dangerous coder, and lets face it, if you work for an outsource company, you probly are not too happy. I sure wasn't.
No.
The attack vectors described are:
and (in an email)
Neither seem likely to be able to self-replicate without use intervention. So no worm then.
My pics.
This makes me wonder how Microsoft, as well as many other large software corporations, manage security patches and quality assurance of their software. Is the problem with there being so many people working on different projects that they do not communicate and therefore things get overlooked, or is it due to the complexity of the software, or something else entirely? I couldn't imagine how someone could manage 'security' for Windows (or any similarly large project) and be 100% sure of what all the technical staff do. Does it come down to having more meticulous software engineers and rigorous testers? How would people recommend this be done? I'm sure the typical "make it open source!" answer will be given, but if that is not an option, how do companies who are more successful at this do it?
Except that they are pretty silly mistakes.
If they are prepared to sacrifice security for the sake of start-up performance by caching the ZoneID and not checking the file-modified date, which I guess is why the second flaw is present, it doesn't bode well for the future security of SP2.
Until then you need to get it via automatic update or an external installer. However these external installers are somewhat harder to come by than previously, as Microsoft has shut many of them down - which is a shame since they were very fast torrents. Oh well.
Yes, those external installers are very hard to come by indeed! But hopefully downloading directly from Microsoft's gigabit backbone qualifies as being fast enough for ya.
Want to improve your Karma? Instead of "Post Anonymously", try the "Post Humously" option.
I think it's funny, because it happens very often...
... (Fill in some very good reason, like getting fired ;))
Developers vs Rest-of-company:
Pre-release-phase:
Rest-of-company : Come on, we _need_ SP2 now!
Developers : But it isn't finished yet...
Rest-of-company : If we don't get it NOW, we will
Developers : Oke, but there are too many problems with SP2...
Rest-of-company : We'll release some hotfixes, just give it to us _NOW_!
Developers : *shrugs* Oh well... Just don't forget we warned you guys...
Post-release-phase:
Rest-of-company : WHOA, There is a problem with xxx. How is that possible?
Developers : Well, SP2 just isn't quite finished yet...
Rest-of-company : Not finished? What the f**k?!
Developers : We told you so, before the release, but...
Rest-of-company : I don't want to hear that, just go and work on the hotfix...
Developers : *shrugs* Oh well...
Is it there or isn't it? What is it? It's the Heisenberg Patch!
And remember kids: Never trust a computer you can actually lift.
They're probably trying to spread the load, and avoid having their servers bogged down by lots of people all trying to download it at once. I read somewhere that they're going to do a geographically-targetted rollout via automatic updates, eg one country will get it, then a couple of days later another, and so on.
Also, for modem users, getting it via automatic updates is a much better idea, as that can (I believe) handle resuming downloads, which using windows update probably can't do.
It's official. Most of you are morons.
These 'flaws' are of the same type as posting a script in your .sig that executes "rm -rf /" on a *nix system.
The best security measure would be some device that read the mind of the user and warned if you were too stupid. Or maybe even easier:
if(spywareCount > 20) stupidUser = true;
actually it's not available through Windows Update OR Automatic Update (yet). It's only available as a direct download from here
You can also get it from Microsoft as a 266 meg download if you're impatient.
in SP2. They've gone through pretty much everything, re-hashed a lot of stuff, sometimes on a very deep level. Tons of bugs were fixed. There's not a software company in the world that could release something like this with zero bugs. Not even demi-god Linus Torvalds is capable of such a monumental technological feat as releasing code without bugs.
Having said that, it's all about risk management. If you're willing to postpone SP2 roll out in your org you've got to estimate the risks of not rolling it out, too. As I said it fixes a lot of issues, and if there's a bug or two the benefits still outweigh the risks by a wide margin.
How's sending .gif and asking to run cmd on Windows XP system is any different from sending .gif and asking to execute perl on Linux or BSD?
My other Beowulf cluster is... er...
Actually, to be honest XP is quite good. The masses really mainly seem to understand how to use it. My mum can write CDs, scan photos and so on :P ... which previously with Win98 was always a sure way for a phone call to me for support.
I really enjoy the fact hardware is finally really plug n play. No stuffing around finding the drivers. I slapped it on an old Pentium 500 recently and it detected everything, breathing new life into the box.
And yes, while I say this, I prefer (and are browsing on) Firefox, and we have a bunch of linux servers. (Its a shame I have to justify any decision to use anything which aint a "postgres server on some box where i have personally contributed into a branch of a kernel i compiled mysel" when on slashdot. ah well).
Ok, correct me if I'm wrong, but isn't a Service Pack supposed to add security fixes, and patches to operate more 'as expected'...
Yes, you can do something convoluted to get something to misbehave (save the file, open up a command prompt, run the file) etc, but seriously, if a normal user does this, then they are beyond help that we can expect an OS to provide.
Remember, you can get *ROOT* access to linux by rebooting and adding 'single' to the boot line. Does this mean that it should be fixed in the next kernel/distro?
You can only do so much to protect the user. If you go out of your way to bypass security measures, then the OS should not be expected to protect you.
Sendmail is like emacs: A nice operating system, but missing an editor and a MTA.
From my perspective based on the size of SP2 I'd say it's a new OS. Two patches/flaws in a MS OS is darn good. Kudos to Redmond.
It should be out today:
- August 18: Release to Automatic Updates for users running XP Home only
- August 25: Release to Automatic Updates for all XP users, including those running XP Pro, and to Windows Update for interactive user installations
XP SP2 ... disappointing (may as well be WinXPSE much like Win98SE was)
XP SP2. Websites go out of their way to find security flaws and come up with this in a feeble attempt to keep the anti-MS flow going...sorry, but if this is the worst exploit they can manage to dig up from SP2 perhaps they need to point their arrows elsewhere...
People replying to my sig annoy me. That's why I change it all the time.
I just got a new 4th gen iPOD, which I can write to on Linux, but can't get to work on my XP-SP2 Windows dual boot machine.
Guess what I'll be uninstalling next...
..........FULL STOP.
If you did not notice, MS normally uses the services of Akamai to auto-distribute the load of their DNS AND their content servers. The images, media and download files are hosted on (linux) akamai servers, and are auto-mirrored to practically every ISP in the known world(s).
So the bandwith excuse is not an option...
Ciao, Renato
The trouble is, M$ do not have the luxury of coding a free, open system as per Linux and are more concerned with the 'control' of the code in what it allows a user to do (or more importantly, what they are not allowed to do!!). Basically, the whole design from bottom up of windows is a bad legacy and will always cause problems
:D
BTW, here is the SP2 fix list SP2 fix list
Some great stuff here e.g. -> 823830 Your Windows XP computer stops responding after you log on
*Yet* another flaw in XP SP2 has been found:
Even with the service pack applied, Windows does nothing to guard against the user revealing their password to a complete stranger in a train station in exchange for some crappy pen.
MICROCRAP WINBLOWS!!!!!!!
In my humble opinion, this article is about as useful as a troll. Many /. readers have already pointed out that these aren't much of flaws.
Mircrosoft is finally playing the right tunes, but someone on a vendetta can't accept this, so they nitpick after _anything_ to pin on SP2.
For Christ's sake, Sendmail. Sendmail had a brand new remote execution (That's translates to your unpatched box being rooted.) exploit posted a week or two ago, and not a word was said.
This isn't news. This is hypocrisy.
--
All rites reversed 2010
The problem with that suggestion is that SP2 has been out for at least a week. The only thing that has been delayed is its appearance on the Windows Update site for Joe Average User. You can in fact get the full service pack at this Microsoft link.
I want a new quote. One that won't spill. One that don't cost too much. Or come in a pill.
Sending an email and instructing a user to do something more than "click here"? What's next, "Hello. To see nude pictures of Natalie Portman, please: go to insecure.org and download nmap, go to arin.net and find ip ranges for several major calbe internet providers, search for vulnerable Windows XP systems that you can use exploits on (use Google to find Windows compiled versions of the exploiting tools), and use the exploits to inform the remote user of this method. If you infect 10 people and get them to pass it to 5 of their friends, Bill Gates will send you a check for $50 for every person that references you. It's true! I did it and you can to! K THX!"
DeMe
At the top of the hour, we'll bring you Microsoft's latest battle to ensure Security in their Service Pack 2 Upgrade, but first, this message from your sponsor...
...Okay, Microsoft the #1 manufacturer of software in the US has announced that it will not be shipping its Service Pack 2 upgrade on time. We have an operative at Microsoft headquarters who can bring you the scoop. Stan?
...security are coming along just fine. Hang in there, and we'll show you that Microsoft is the only company in the world that can offer you security from all manners of Internet threats, from pirates to hackers, and of course, file-sharers."
...oops, sorry, wrong footage...
*cue the Microsoft ad*
*cut to Microsoft Windows ad*
Mr. Ballmer, how does this delay affect your company's efforts to ensure the security of your customers? What does this mean in your plans to release the Longhorn operating system?
"Well, Stan, we here at Microsoft have been long at work making things safe and secure for every single person, and we don't plan to change that now. As for Longhorn, that will be put on delay until we can secure what we have now. Beyond that, I can't comment."
Do you give any credence to the rumors that more and more of your customer base might be slipping to Windows?
"Yes, but they'll be back, when they discover that the costs of going to Linux is higher than staying with us. Our plans of world...
Thank you, Mr. Ballmer. Back to you, Charlie.
*cut to Charlie*
Thank you, Stan. When we come back, a look at your money, and a surprising look at SCO's evidence, proving once and for all, it's ownership of UNIX and Linux...
*cut to MSN Ad*
Darl McBride, CEO of the SCO Group, uncovers an amazing discovery that could turn the tables in their court case against IBM, who they allege had taken UNIX code, the recipe for a computer to work, as they provided this evidence this afternoon in court...
*cut to scene where Darl is in a straitjacket, screaming that Linux is his and if he can't have it, no one will*
*cut to scene where SCO lawyers present the Chewbacca Defense*
No question, IBM's claims make no sense. So, here we have conclusive evidence that Linux rightly belongs to the SCO Group.
In an unrelated incident, Darl McBride, surprised at the effectiveness of the maneuver, lost his sanity, and shouted about his ownership of Linux.
*whisper: Do you think they'll buy that? What?* *looks at camera* Oh, when we return, we'll cover your money, and it's safety in MS-backed stocks.
The Penguin Producer
I mean, let's be serious. I'm not defending Microsoft because let's face it, they have allowed some pretty serious security flaws to get into Windows in the past. But the article does mention "social engineering" and I ask you, isn't this at the root of many, many security issues? I'm not saying Microsoft is never to blame - not at all. But what I wonder is how much damage has to be done before the typical user just sits down and LEARNS a little about security. I am honestly appalled at the number of computers I see that are on the internet without ANY form of anti-virus protection - much less a firewall. Computers are certainly much more complex to operate than say, a car - and we make people go through a whole course and take a test before they're even legally allowed to drive one. Why? Because they can end up killing someone, or themselves, if they don't do it right. With a computer, it's not that severe, but you can still do some major damage (or have it done to you).
Put it this way. If the average user took the time to learn just a little more about this device that is a BIG part of their lives, and how to keep it and their private information secure, would security really be as massive of an issue as it is today? I will say this, though - I'm glad Microsoft has turned the firewall on by default in SP2. I know it's going to cause a lot of headaches, but think about it - a lot of people are hearing about a firewall for the first time thanks to SP2. Hearing about it, and being FORCED to deal with it, is a big step for the average user towards learning more about security.
After installing SP2 i received an email from a person i don't really know, but he somehow had found a Word document with a lot of personal information about me online and was worried i might have misplaced it. He was so nice to send it to me, so i tried to open the document to see what was in it but Word wouldn't start properly and nothing seemed to happen. So it seems SP2 breaks Word. And on top of that my computer is really slow lately and sometimes messages appear on my screen like, 1 0wn j00! WhaAHAHa 5uck3R!!
kinda funny but i don't remember installing that...
seriously, if a user is dumb enough to follow instructions to do something he never asked for from somebody (he probably doesn't even know) he got an email from, you might just as well ask them to install backdoor.exe because it will make their computer faster.
That tag is starting to wear awful thin.
Why is it harmful to stoop to clutching at any desperate cheap swipe at MS ignoring any similar commentary on OSS software?.... because there's a large number of NERDS that miss a lot of useful "stuff that matters" on Slashdot because they're not prepared to deal with the rabid hypocrisy of articles like this one.
Secondly it makes the OSS comunity look like a bunch of immature fanboys rather than the dedicated professionals most of the community is made up for... that directly impacts adoption of OSS by business.
If you've ever wondered why OSS struggles for credibility in many businesses, bullshit like this article and the culture it encourages are a significant factor.
Articles like this one hurt the OSS community way way more than they ever hurt MS and feed back into the fact that the OSS community itself is all the advertising MS needs.
"News for OSS Nerds. Any desperate shot at MS."
Grow the hell up.
Get back to news for ALL nerds, and stuff that genuinley does matter. Because **gasp** there are Nerds that also develop on the MS platform, and not suprisingly they're more likely to hear the OSS side of the argument if they're actually around rather than on the other side of the room rolling their eyes at you... and maybe... just maybe... you have as much to learn from them as they have to learn from you.
if(Lucasarts)
...
post.replace("SP", "EP", 0);
Look, SP2 sucked, noone liked it, we are all waiting for SP3, although most of us have this feeling that it will be more of the same.
It gets complicated with SP4-6 due to something called the time-space continuum.
#hostfile 0.0.0.0 primidi.com 0.0.0.0 www.primidi.com 0.0.0.0 radio.weblogs.com
Yes, I couldn't suppress a first smirk upon seeing this article. But then again, there are two major reasons we shouldn't be laughing too much about this:
a) While uncertainty about Micro$oft brings some more people to Linux (which is touted to be more secure, but then again - it can just as well be penetrated by hackers), it also turns people away from using the Internet because they get too scared of what's going on there. The latter are mostly elderly people, but nevertheless - even they should be free to use the Internet, something which a number of them dread now because they feel their privacy (through spyware) and/or financial background (due to phish scams) may be at risk. And this is not a good thing.
b) Staying still, laughing about Micro$ofts misfortune here has to more immediate effects: (a) it will spurn M$ developers even more to deliver better software - and (b) has Linux people potentially stay back and enjoy M$'s misfortune (and hence giving M$ more time to catch up, security-wise, that is). Do you want to sit at the "other" end of the story in a year or two - once M$ has sorted out most of its security issues, while linux might be more and more negligent of these issues (because everyone "knows" that it's Windows that's insecure).
Personally, I've had some of my machines broken into about 2 years ago - and that was out of negligence (thinking Linux would be safe enough on its own). In the end, it probably was just a couple of script-kiddies breaking into the box to install - of all things - an IRC proxy/cache/logger on the machine. I don't know how the originally got into the machine, as I am not even quite sure WHEN it happened. But it went far enough that they even replaced the system's own ps/netstat/... to make sure those wouldn't display the "wrong" processes. I only noticed a problem when I inadvertently stumbled across it...
Since that time, I've done some more work trying to secure the box as far as (with MY knowledge) possible - but I'll no longer think my machines are inherently better than a M$ server might be. M$ *will* catch up - and they DO have the money they need to fix these kinds of problems.
The question is - do WE have the idealism to hunt down every single bug? (M$ people don't need the idealism for it - they get well PAID to do it).
Well then I don't know what my computer has been running since yesterday then.
SP2 for me has already been downloaded and installed as part of Automatic Updates. It took a while amongst the other downloads though.
August 17 in Australia.
XP Pro.
... Linus and crew are at work with yet another version of the kernel, this time numbered 2.6.9! Those people are so sloppy, having to upgrade the kernel every few months to fix all the issues. Doesn't sound quite right now does it? Change the tag to SP2 and Windows, and we have a slashdot headline! Mod me as troll if you like, I'm just trying to make a point.
In the past few Windows XP SP2 threads there have been several people complaining about slashdites seemingly "picking" on Microsoft and celebrating any and all flaws the update has. I don't feel bad for Microsoft in the slightest at this point. They've been touting the security of Windows XP for years now and have done little to actually back up their claims. Sure some Windows XP system on a managed network with double filtered internet access and nightly reimaging might be pretty secure. In the home however Windows is simply a distaster waiting to happen.
While SP2 is more secure than the original release and SP1 that doesn't reduce the number of Blaster hits my firewall blocks. It also doesn't affect the 50% of Windows users that will never download the update and will continue to be hammered by viruses and worms. Microsoft's delays and incompatibility problems just exacerbate the matter.
It's good to see Microsoft taking real heat from the industry press over their problems in SP2. The industry as a whole rolling over for Microsoft is what led to the situation as it stands now. The original release of Windows XP was riddled with holes and and was summarily exploited. No one seriously called Microsoft on this fact and SP1 was little more than a collection of security patches and minor bug fixes. The changes made in SP2 should have come out years ago. Maybe then you could plug a Windows system into a cable modem and last more than twnety minutes without being exploited.
Linux is improving in the usability and management arena and MacOS X is gaining mindshare as Apple improves its hardware. Both of these OSes are designed much more securely yet have a high level of technical capability. I really hope people begin to see there are alternatives to Windows and they're not nearly as bad as Microsoft would have you believe. SP2 is going to teach their management a hard lesson; despite being a monopoly power in the industry they still have to improve and maintain their OS.
I'm a loner Dottie, a Rebel.
"off by default for usermode apps"
the only computers that can currently use this right now are those with Athlon64's or Opteron servers.
Whats so scary, exactly?
I am a viral sig. Please copy me and help me spread. Thank you.
What you do when you want a large system to be secure:
You implement a very small "core" or "security kernel" or "call it what you like". It is called a "reference monitor" in TCSEC. It is a piece of code that will be asked "can subject X do operation Y on object Z", whenever a user or program attempts any operation on any object (like a file or a network connection). This piece of code is so small and simple that you can inspect it and possibly even formally *prove* it to be correct.
The operating system kernel will then guarantee that the reference monitor is consulted on all such operations. This is, after all, what operating system kernels do, among other things.
Now; you can write a simple security policy for each subsystem in your operating system. One policy for your browser, one for your word processor, one for your regular secretaries, one for your accountants, etc. (a real OS with these features will of course have the majority of all policies set up and ready by default).
The system will now enforce the security policies on everything that goes on in the system. Because the OS is enforcing these policies, and because the subsystems cannot magially change the security policies set up for them, this is called "Mandatory Access Controls", or MAC for short.
MAC ensures that a bug in, say, your browser, cannot be exploited to, say, go thru your documents and harvest e-mail addresses. Simply because the system policy does not allow a browser with internet access to access local documents. Just an example.
This is how secure systems are built. This is what SELinux is trying to do, and this is what Trusted Solaris has done for a while. This is what is required if you want a TCSEC certification in the B (or A) class, not the kindergarten-security of the C class.
Or, under the common criteria, this is what you need to get certification against the LSPP (as Trusted Solaris has), instead of the kindergarten-security CAPP (as Win2000 can have in certain restricted setups), or even the home-grown "security targets" (which SuSE got).
This is old and well known technology. Too bad big businesses and governments never put pressure on the vendors to actually have real security built in.
Good to see SELinux coming along nicely, and Sun moving Trusted Solaris features into Solaris 10.
All is not lost - but trust me, they will be selling snow-cones in hell before you see MAC in Windows.
actually it's not available through Windows Update OR Automatic Update (yet). It's only available as a direct download from here
Actually it is available both ways. The auto update method is kind of neat because it does not show up as an available download but downloads as a background download. Eventually the computer advertises updates to install and SP2 is one of them. I do not know if there is a special way to cause this behavior or not. I administer about 70 PCs and of those SP2 has appeared on around 20 of them?
The RTM releases are mainly for buisneses and corporate customers even though they are publicly available.
However, It's not the final version.
Once SP2 CD is available for order and MS is officially stateing on its main XP Pages that SP2 is here, there will be another SP2 Release.
They did this same thing with SP1 however they never mentioned that the RTM SP1 was slightly different from the GOLD SP.
Once the SP2 GOLD is released the RTM tag will not be on your MS About/version windows. It will just be SP2.
Well, I learned something. Apparently, for some time now, Windows XP has been completely willing to execute executables that do not have an executable file extension. For example, if you rename notepad.exe to notepad.gif, you can "CMD
The point?
Those of us using RENATTACH on our mail servers to filter out malware and viruses now have another hole to plug.
Thanks, Microsoft.
Dorks.
"Lawyers are for sucks."
- Doug McKenzie
This requires some physical access to a system to be infected should someone try to write a virus. This is not a critical issue. Saying that a massive virus attack will come from this is like saying that Single User Mode on a Linux or UNIX installation is a security risk. If someone else has access to your system, its not your system anymore.
With Service Pack 2, Microsoft introduces a new security feature which warns users before executing files that originate from an untrusted location (zone) such as the Internet.
One definition of insanity is trying the same thing again when you know it won't work.
Attention, Microsoft: you have been trying to make this fatally flawed "integrated browser" concept work reliably for over seven years, by adding twist after twist to this flawed "zones" model. The only component of the system that can know whether a document should be trusted is the application that requested it. THAT is the component that needs to be responsible for deciding how to handle its content.
Remove the access components from the HTML control and make it purely a rendering tool. Use a mechanism like callbacks to the application to handle embedded objects, links, and helper applications, and make that application responsible for its documents. This is a security model that works, the one you're trying to create to shore up your original design flaw doesn't, and can't.
People have been telling you this for years, you've been in denial for years, GET OVER IT.
Anyway linux isn't anymore secure or insecure then windows. It is just that most linux users got a tiny bit of a clue. But a cluefull person could also be able to setup a secure windows machine.
I keep waiting for MS to be really smart and adopt a more gentoo like approach to new windows installations. A very real problem is that a new "legal" installation is unpacthced and will not survive long enough to download patches. But this is only because MS doesn't have "download latest software" stage in its installation.
Let me explain. The entire windows problem is that it has software with security holes in listening mode before you are fully patched. When you install gentoo you download a sorta up-to-date CD with a very basic linux install. If you boot the CD you got a working linux cli but nothing extra it won't be running any listening services. So even if the machine is connected directly to the internet there is no way to attack it. No software listening to ports == no way to attack. Only way to install a listening piece of software is to download the latest fully patched software and run it by choice.
So why does MS not do this as well. A new Windows install doesn't open any listening ports UNTIL it has downloaded the latest patches.
Well the answer is of course probably very simple. It would make windows look "hard" to use. MS loves to promote the image of a click and drool OS. While the unpatched listening software is a problem just as big a problem is that the average windows user will click and drool on anything.
Note my use of "legal" installations. If you bought XP then you got a CD that when installed will give you a totally insecure system. If you pirated XP then just download a version with the Service Packs included. Yet another case where piracy really pays.
MMO Quests are like orgasms:
You may solo them, I prefer them in a group.
If Microsoft is so "concerned" about security in Service Pack 2 and a firm like Heise Security is so quick to not only discover the flaws, but announce them as well... Wouldn't it make sense for Microsoft to submit their major updates to a security firm before making it available to the public, and suffering the subsequent criticism?
XP SP2 was definitely made available on the 16th (Monday) for Software Update Services (SUS - soon to be called WUS), 'cause it shows up in my list of downloaded updates (and there was a big spike of incoming traffic in my MRTG logs on Monday morning) - not that I'll be approving it just yet ;) Whether they've pulled it from this distribution channel I'm not sure, but given that most SUS installs update daily it's probably too late to bother.
BTW, for any small NT network admins I'd highly recommend SUS. It's basically the same as Automatic Updates but centralized to one (or more) of your servers, saving you bandwidth and allowing control of which patches are approved for internal distribution (so can hold back until you've done your testing), amongst other things. For more info see the link above; it's remarkably easy to set up and roll out.My wife and I both own 3G iPods (connected via Firewire) and using the latest firmware.
No problems under Service Pack 2 whatsoever, though Windows Firewall did fuss about iTunes wanting to connect o the Internet.
From my experience, many of the times when an OS/feature breaks from a service pack installation, it's because the user's PC was already damaged by corrupt files, registry entries, or"tweaks". The Service Pack simply exposed them.
Up, Up, Down, Down, Left, Right, Left, Right, B, A, START
Get rid of that "fuck micrsoft" attitude, start thinking for yourself, and actually take a look at it. It's a great addition to XP, and those who say it isn't have an alterior motive.
Pretty soon we'll have Longhorn exploits coming out.
That's our life, the big wheel of shit. - The Fat Man, Blue Tango Salvage
Win95 - ground-breaking. Paved the way for the GUIs in use in every subsequent windows version, and lots of *nix guis
Win98 - great for games (still is), supports the latest DirectX (still), has a very small footprint, boots fast and offers great hardware support
WinME - disappointing for some, exceedingly usable for most others. Say what you will, lots of people loved it
Win2000 - fantastic. Offered stability, great driver support, great networking, easy installs, perfect for the corporate environment (hence most places still using it)
WinXP - incredible. We're talking excelleng games/multimedia support, almost unlimited software catalogue, integrated auto-updating, visual themes, etc. etc. etc.
XPSP2 - a great step in the right direction, executed very well. If you can find fault in it, you can find fault in anything
2003 - One of the best server operating systems out there. Exceedingly fast, secure, stable, yet with great driver support, lots and lots of software, etc. Again, if you think it's bad there's something wrong.
At least get your arguments straight. Just because you label something as "disappointing" doesn't instantly wipe out the popular history that it was anything but. I know you have your head in the clouds, but even that shouldn't stop you from recognising truly important software.
Like most things with computers, it's a matter of user-education. (Including users of other OS's which bash it because they don't know how to properly run it)
I think some UNIX vets are confusing the Windows implementation of the command line and UNIX's. In UNIX they're pretty much identical in terms of functionality. In Windows that's not the case.
Example: yesterday I tried to FTP from a Windows 2003 server to another box. For the sake of speed, I tried using IE as my FTP client. Windows 2003 locked down the box by default, so that client wouldn't work without tweaking IE settings. However, I tried the Windows FTP command line app and it worked fine.
The "safeguard" described in the article really isn't meant to be a safeguard at all. It doesn't follow any of the low-level security features that the system provides (like permissions). It's just a quick tag for Joe User to remember that a file was downloaded and not placed by them.
Actually there is something kind of like sudo that's been in windows since 2000 called runas. It doesn't always work as expected, but for the most part it is useful. Open a command line and type runas /? to see how it works. I just wish it was more consistent across the system. Sometimes you can right-click on an executable or shortcut and you get the runas context menu item, then sometimes you don't! In those cases you have to execute it from them command line. I've actually even seen some installers prompt you for login info if you're trying to install it under a normal user account.
I use it to control services that like to crap out all the time on users machines, like the print spooler service; said user has their printer shared, and like 50 different applications open, and of course they've went on break without saving anything, and everyone's too lazy to use the printer in the print room, so I right-click on the services icon in the control panel and login as myself to run the services control panel under the user's account (whew! longest sentence evar!).
Sometimes I launch iexplore.exe using runas to do various tasks like changing file permissions and stuff. Just don't try to launch explorer.exe using runas!
grep -iw skynet
I have respect for folks who can find buffer-overruns, heap-mangling attacks and so forth. These people are smart, hard-working and diligent. They give evil a good name.
:-/
I have nothing but contempt for someone with an axe to grind whose only response is the "exploit" in the linked article. It's pretty lame. Come back when you've written enough of your own code to present an attack surface.
Grow up. Sheesh.
Any sufficiently advanced technology is insufficiently documented.
Funny thing is if this was brought up in a comparable linux situation the solution would be "Go download kernel version xxx and install it." Yet somehow upgrading to win2k3 is not seen as the same solution to the problem. Yes it costs you money to do the windows upgrade, probably lots of money, but that's the cost of doing business with microsoft.
Slashdot: Where anecdotes and generalizations can be freely substituted for facts, logic, or intelligence
Actually, what REALLY happened was:
Evil Hackers: Hmmm take a look at this. MUAHAHAHAHAHAH!
All the world's hobbits, ignorant of their approaching doom (singing): *La la la la la!*
Whitehat guys: Hey, there's a security vulnerability here!
Microsoft: *whistling* what? I didn't hear you!
Whitehat guys: I TOLD YOU THERE'S A VULNERABILITY!
Microsoft: It's not a vulnerability. You're exaggerating.
White hat guys (screaming): HEY EVERYONE! THERE'S A VULNERABILITY IN WINDOWS!!!
The Media: We've heard some rumors of some vulnerability in Windows...
Microsoft: It's just rumours. Anyway, it's those linux cheapstakes, would you believe them?
Evil Hackers: MUAHAHAHAHAHAH!!!!
(couple of months later...)
All the world: My computer's been infected!
Evil Hackers: MUAHAHAHAHAHAH!!!!!!
Microsoft: OK, OK, so there WAS a vulnerability! But now's been fixed!!
All the world: Yay!! Hooray for Bill Gates! (they put him in a pedestal, and proclaim him savior of the universe)
(Two weeks later...)
Evil Hackers: Hmmm take a look at this. MUAHAHAHAHAHAH!
Whitehat guys: Hey, there's a security vulnerability here!
Microsoft: *whistling* what? I didn't hear you!
Billy Joel (singing): *We didn't start the fire...*
It never ceases to amuse me to see the continual bashing of Microsoft on Slashdot. Yes, Microsoft has some major security issues to work out. However, they are making a fairly good faith effort to do this now. Service Pack 2 was a decent attempt. Yes, there were bugs introduced by Service Pack 2. But even Linux has bugs every once and a while after a new release.
If you really must discredit Microsoft, at least do it on fair ground and acknowledge that the operating system(s) you hold dear also have some bugs. And please, do not call them Micro$oft, M$ and other lame variants. It is Microsoft Windows, not Micro$haft Windblowz. If you can't even have the common decency to refer to somethign by the proper name, then nobody worth listening to is evey going to take you seriously.
If you want your community to be seen in a decent light, then you must behave decently.
Beware, Nugget is watching... See?
For a while, I had my primary accout be a restricted user and was using Run As... to get adminstrator privileges for programs that needed that. After realizing that basically every single program I used required administrator rights, I gave up, and made my account an administrator account. (Most annoying was WinAmp - it turned out it required "Power User" privilege levels (or higher) to operate properly.)
(To be fair, I primarily use Windows for playing games, and most games for some stupid reason require you to be an administrator, including several of Microsoft's games. I don't really understand why - you can use DirectX as a normal user, and it isn't for the network portion. But the developers programmed them to check if you're an administrator and not run if you're not.)
The thing with Windows is that a ton of developers just assume that you'll be running as an administrator (probably because they're coming from writing for Windows 98 or the like), making it a real chore to be running Windows as anything but Administrator. Yeah, you can do it - but it rapidly becomes too much of a hassle to explain.
(Besides, who else thinks that even if you did teach people to run as non-admin and only use the admin account when needed, you'll still have users downloading trojan-program.exe and running it as admin when it tells them they have to? Maybe Microsoft should make it so that IE always runs as an unprivileged account. :))
You are in a maze of twisty little relative jumps, all alike.