Slashdot Mirror


GDI Vulnerabilities: An Open Letter to Microsoft

UnderAttack writes "Tom Liston, the guy that brought us the LaBrea Tarpit, wrote an open letter to Microsoft regarding the GDI JPEG vulnerability, and Microsoft's scanning tool for this vulnerability, which he calls 'worse then useless'. Tom, who wrote his own scanning tool, ends his letter with 'Please stop treating your customers like idiots and give us information; information that we can use.' As Tom explains, the official Microsoft scanning tool misses a lot of vulnerable DLLs installed by third parties, and Microsoft fails to explain whether these libraries are a problem or not."

444 comments

  1. Hate to quote a quote but... by diginux · · Score: 5, Funny
    which he calls 'worse then useless'
    So it gets worse, _then_ it is useless? :)
    1. Re:Hate to quote a quote but... by BlueThunderArmy · · Score: 4, Funny

      Still a step up from other MS products, which have to get *better* to become useless.

    2. Re:Hate to quote a quote but... by LMCBoy · · Score: 2, Informative

      Kidding aside, the linked article spells 'than' correctly, so it's a misquote.

      --
      Liberal (adj.): Free from bigotry; open to progress; tolerant of others.
    3. Re:Hate to quote a quote but... by LittleGuy · · Score: 3, Insightful

      which he calls 'worse then useless'
      So it gets worse, _then_ it is useless? :)


      With 40+ subvariants of the patch, just saying "there's a vulnerability on this here machine" without giving the source of the vulnerability and the solution to patch said vulnerability is dangerous, bordering on the criminally negligent concerning network security.

      --
      Mod Karma -1: I sed bad wurds. If I cep my mouf shut, I wud be at riyses.
    4. Re:Hate to quote a quote but... by 42sd · · Score: 0, Redundant

      I think it should be 'worse than useless'
      Their you go.

      Just a simple grammar error.

      (..yes it was intentional.. laugh)

    5. Re:Hate to quote a quote but... by iocat · · Score: 2, Funny
      No, if it gets better then it will be useless. The idea is that it's so harmful, it's worse than just not existing. You've probably worked with some people like that.

      --

      Dude, I think I can see my house from here.

    6. Re:Hate to quote a quote but... by pbranes · · Score: 5, Informative

      I totally agree with the 'worse than useless' statement. In my office, I had to disable it on the corporate SUS server because all it did was pop up and worry users. It gives no meaningful information. It does not patch all the DLLs that it may or may not find. It merely scares users into thinking they had a virus. This is the only thing in my SUS list that is not approved and it will stay that way forever as far as I am concerned.

    7. Re:Hate to quote a quote but... by IANAAC · · Score: 1
      After reading his letter, I think I would have preferred the error. Anybody remember the SNL skit of Martha Stewart and her affected speech (Wassiling, anyone)?

      Kind of reminds me of it.

    8. Re:Hate to quote a quote but... by danheskett · · Score: 5, Interesting

      bordering on the criminally negligent concerning network security.
      Please back up your assertion that this is "bordering" on criminally negligent.

      Do you claim there are some laws regarding network security that are applicable, or is this just a verbal flourish gone one step too far?

    9. Re:Hate to quote a quote but... by flibuste · · Score: 1

      One bug (a typo IS a bug...) in 3 lines of headlines. Now let's see how many Slashdotters are going to grunt about the amount of M$ bugs in Vindoze again.

    10. Re:Hate to quote a quote but... by ReTay · · Score: 1

      You're right, they crossed that line a long time ago.....

    11. Re:Hate to quote a quote but... by KilobyteKnight · · Score: 4, Informative

      which he calls 'worse then useless'

      So it gets worse, _then_ it is useless? :)


      So far, everyone else responding seems to have missed your point. The article correctly uses "worse than useless". It is the submitter and/or our ever so thorough Slashdot editors to blame for the "worse then useless" grammar mistake.

      And for all of you that missed the grammar mistake and are debating the meaning of "worse than useless", yes, things can be worse than useless. Things can be harmful. They can cause additional harm or frustration, as opposed to a useless item which just does not do anything useful.
      --
      When will Windows be ready for the desktop?
    12. Re:Hate to quote a quote but... by micromoog · · Score: 4, Funny

      If not, then your co-workers currently do.

    13. Re:Hate to quote a quote but... by SilentChris · · Score: 1

      Saw that pop up in SUS too (not sure why), but honestly: didn't you test the thing first? The first thing I do when I see something show up in SUS is test it on a workstation off the domain. If it works, I then test it on a few domain workstations, then finally roll it out to the entire domain.

      In the case of this "tool", I immediately recognized it'd be useless to users. No sense rolling it out.

    14. Re:Hate to quote a quote but... by pbranes · · Score: 1
      Well, I didn't mean to imply that I didn't test it. I meant to say that if I had pushed it out, I would have had non-stop phone calls about it for the rest of the day.

      In general though, I don't test hotfixes before I push them out just because I don't have time to extensively test every hotfix, but I will test service packs (win xp sp2, office 2003 sp1, etc.)

    15. Re:Hate to quote a quote but... by diginux · · Score: 1

      Who knows, maybe I meant a superposition of both meanings? ;)

    16. Re:Hate to quote a quote but... by Anonymous Coward · · Score: 0

      Check out the SUS newsgroup, it is full of references to this "tool" and issues with it. I have seen several patch reissues for this and all kinds of problems.

    17. Re:Hate to quote a quote but... by LittleGuy · · Score: 3, Insightful

      Please back up your assertion that this is "bordering" on criminally negligent.

      Analogy: there's a part of your car which could explode at any time. It's been a long-standing part of your car. This part can manifest itself in different sections of the car or in different accessories added to your car. You might be able to track down the part(s) if you are an adequate mechanic and you've kept track of where the parts have been put.

      You go back to the manufacturer who says, "Well, we can tell you if you have the part, but we're not sure where on the car, or how many different parts of the car, but you should really get the parts replaced or else the car will blow up".

      --
      Mod Karma -1: I sed bad wurds. If I cep my mouf shut, I wud be at riyses.
    18. Re:Hate to quote a quote but... by Master+of+Transhuman · · Score: 1

      Thankfully, we're not running ./ code.

      --
      Richard Steven Hack - This sig is TOO GODDAMN SHORT TO DO ANYTHING USEFUL WITH! MORONS!
    19. Re:Hate to quote a quote but... by Paradise+Pete · · Score: 1
      No, if it gets better then it will be useless.

      He was picking on the use of then rather than than.

      (in the submission. The author of the open letter wrote it properly.)

    20. Re:Hate to quote a quote but... by the0ther · · Score: 1

      It is truly incredible how many other replies to this comment seem to have missed the point of the comment. This makes me very sad. I certainly hope that is not a quote from the paper because if you can't keep "then" and "than" straight I have a hard time believing in your ability to do anything requiring critical thought.

    21. Re:Hate to quote a quote but... by sir99 · · Score: 5, Funny

      worse thæn useless?

      --
      The ocean parts and the meteors come down
      Laid out in amber, baby.
    22. Re:Hate to quote a quote but... by Elwood+P+Dowd · · Score: 4, Informative
      From Microsoft Security Bulletin MS04-028:
      I use Software Update Services (SUS) to deploy security updates in my enterprise. Should I deploy the GDI+ Detection Tool to all of my systems?

      The GDI+ Detection Tool was available via SUS but has been removed. This tool is not designed for use or supported in enterprise environments.
      Hopefully they won't ever do that again. I'd consider this an admission that their tool was worse than useless. Even before they removed the detection tool from SUS, they said that they did not recommend it for corporate networks, so it seems that they already knew it was useless.
      --

      There are no trails. There are no trees out here.
    23. Re:Hate to quote a quote but... by ztirffritz · · Score: 1

      I think that the problem is that it leads you to believe that you're safe, when in reality you are not. What is worse than not working at all? Thinking that it is doing something when it is actually not doing much. It would be better to say "there is a problem and you are on your own to fix it", than to release a half-a$$ed tool to half-fix it and then tell you that it is all fixed.

      --
      Why doesn't anything interesting happen when I have mod points?
    24. Re:Hate to quote a quote but... by brianosaurus · · Score: 4, Funny
      You're almost there, but...

      You take their word for it, put your car in the shop, then when you go pick it up, the mechanic tells you "OK. We did something, but we won't tell you what we did, and your car may still blow up."

      But that still doesn't answer the grandparent post's question of whether there is an actual law... Not that it matters, but it's hard to take MS's focus on security seriously when their patching tools won't tell you whether or not you are vulnerable (just that you MAY be vulnerable). How is Microsoft's scanner any better than the code below? (and mine works cross-platform, too!)
      #include <stdio.h>
      #include <unistd.h>   /* sleep() */

      int main(void) {
          printf("Scanning for vulnerabilites...\n");
          sleep(5);
          printf("Your computer may be vulnerable. Please update.\n");
          return 0;
      }
      --
      blog
    25. Re:Hate to quote a quote but... by DA-MAN · · Score: 4, Funny
      How is Microsoft's scanner any better than the code below? (and mine works cross-platform, too!)
      #include <stdio.h>
      #include <unistd.h>   /* sleep() */

      int main(void) {
          printf("Scanning for vulnerabilites...\n");
          sleep(5);
          printf("Your computer may be vulnerable. Please update.\n");
          return 0;
      }


      You're right, it is cross platform
      $ uname -a
      Linux totoro 2.4.21-20.ELsmp #1 SMP Thu Sep 2 17:07:30 PDT 2004 i686 i686 i386 GNU/Linux

      $ ./foo
      Scanning for vulnerabilites...
      Your computer may be vulnerable. Please update.

      Yikes, I'll be back, gotta update my system . . .
      --
      Can I get an eye poke?
      Dog House Forum
    26. Re:Hate to quote a quote but... by PeterHammer · · Score: 2, Insightful

      IANAL but it seems to me that any programmer writing C code in this day and age who leaves a buffer unchecked in their code should be guilty of criminal negligence if that buffer can be used to execute malicious code. The dangers of unchecked buffers have been documented well enough to the point that it seems reasonable to argue it is a gross deviation from accepted professional standards of software development to allow such sloppy coding to pass through.

    27. Re:Hate to quote a quote but... by zsau · · Score: 2, Informative

      'Then' and 'than' used to be the same word (admittedly with an a rather than an e). They were temporarily given a distinct life, but apparently speakers of the language don't think it's worth the effort to maintain a distinction. Fortunately, there's no Academie Anglais, so if you don't like it, keep them distinct in your own speech and writing.

      --
      Look out!
    28. Re:Hate to quote a quote but... by Anonymous Coward · · Score: 0

      Wow, I didn't know the sleep(5) function could scan for vulnerabilities! I've got to put that in all of my programs, as a public service.

    29. Re:Hate to quote a quote but... by maximilln · · Score: 2, Insightful

      Please back up your assertion that this is "bordering" on criminally negligent.

      Yes, yes. We all know how apologists will assert to their death that there is no negligence or violation of expected product quality unless there's death and dismemberment.

      Microsoft has been charging money for a product which has demonstrated its ability to be substandard for over a decade. Open source software, at the very worst, is on par AND it gives customers infinite flexibility.

      --
      +++ATHZ 99:5:80
    30. Re:Hate to quote a quote but... by Anonymous Coward · · Score: 0

      I think English should collapse a whole bunch of vowels. There's only a handful in the alphabet, why do there need to be over 20 different pronunciations?

    31. Re:Hate to quote a quote but... by TheTray · · Score: 1

      IANAL, but I don't think you are one either. How can you not see this? Follow these questions: Has M$ responded to previous situations like this? Do the actions in the case reflect their current standard? Does this situation have any possible risk? Are the actions of M$ in this case being modified to ensure that the risks are minimized? Then compare this action with the industry at large: was M$ following the established path to solve such an action? Answers... Yes. No, in the past they have mentioned what files were affected in most cases, and in general handled the problems differently. Yes, the risk to computers everywhere is astronomically high; the chances of a virus spreading through this hole are really high. Maybe, we do need to understand that M$ could be hiding the relevant information to protect us; let's leave it to the courts to decide. As for the general software industry, they do normally hide information, though the specific systems compromised are almost always listed, so I guess we shall count this as a maybe. Doing the math on my answers I see two "maybe" and plenty of "yes" answers. So yes, I would say that this could be bordering on criminally negligent. The fact that Microsoft's bugs can affect millions of people makes this possibly criminal if they are not taking the proper care. That is IMO, though, as IANAL.

      --
      -NiPs
    32. Re:Hate to quote a quote but... by hendrix69 · · Score: 1
      How is Microsoft's scanner any better than the code below? (and mine works cross-platform, too!) ...

      A ha! But your cross platform code could not have been compiled with the holy golden flag of security. I speak of course, of none other than /GS! (Which, needless to say, stands for Great Security).
      --
      The power of Christ compiles you!
    33. Re:Hate to quote a quote but... by mrsev · · Score: 1

      I'm not sure that I understand you here:
      > 'Then' and 'than' used to be the same word (admittedly with an a rather than an e).

      So you mean 'Than' and 'than'. (Maybe I missed the point)

      To me the words can not be confused. They are spelt differently and have several distinct and different meanings.

      Example:

      "A is better than B"
      "Then we should do this"

    34. Re:Hate to quote a quote but... by pyrrhonist · · Score: 1
      Wow, I didn't know the sleep(5) function could scan for vulnerabilities! I've got to put that in all of my programs, as a public service.

      $ man 5 sleep
      No entry for sleep in section 5 of the manual
      $
      I don't have that function. Shit, how am I going to scan for vulnerabilities now? Noooooooooo!

      --
      Show me on the doll where his noodly appendage touched you.
    35. Re:Hate to quote a quote but... by Anonymous Coward · · Score: 0

      > (and mine works cross-platform, too!)

      Sadly, sleep() is not an ANSI function, and is not available on Win32. You require Sleep(ms) which takes milliseconds as argument, and is located in the windows.h header.

    36. Re:Hate to quote a quote but... by Anonymous Coward · · Score: 0

      Wow, I didn't know the sleep(5) function could scan for vulnerabilities! I've got to put that in all of my programs, as a public service.

      shows how little you know . . .

    37. Re:Hate to quote a quote but... by Sputum · · Score: 4, Insightful
      This tool is not designed for use or supported in enterprise environments.

      I see. The tool wasn't designed for use. They just made it available for download so we could all see what a tool would look like if one were available.

      --
      "What we imagine is order is merely the prevailing form of chaos"
    38. Re:Hate to quote a quote but... by Anonymous Coward · · Score: 0

      Well, actually the original quote in the article says 'than' not 'then'. The person who submitted this to Slashdot needs to go back to grade school English, methinks.

    39. Re:Hate to quote a quote but... by G-funk · · Score: 2, Insightful

      Also, in all English speaking countries that aren't bordering the US, they're pronounced totally differently.

      --
      Send lawyers, guns, and money!
    40. Re:Hate to quote a quote but... by satans_advocate · · Score: 0

      Please learn to use

    41. Re:Hate to quote a quote but... by zeugma-amp · · Score: 1

      I see. The tool wasn't designed for use. They just made it available for download so we could all see what a tool would look like if one were available.

      Yours is definitely the best reply so far. Your comment actually had a Douglas Adams flavor to it. Thanks!

      --
      This is an ex-parrot!
    42. Re:Hate to quote a quote but... by WWWWolf · · Score: 2, Funny

      The 5 was obviously meant to be the argument, not manual section. In some proprietary C libraries, sleep(n) will sleep for specified number of seconds, sleep(5) call will sleep for 5 seconds and scan for vulnerabilities. Regrettably, GNU libc doesn't implement this, as it has never been correct according to any conceivable standard (it's not in BSD either, it was removed in the ancient times before POSIX and even the BSDI lawsuits and all). Since it's a proprietary extension, it's obvious that the poster was referring to Microsoft C library and not UNIX (MS operating systems don't have manpages, so this notational difference is completely understandable!)...

      Nowadays, this exceptional behavior is considered extremely deprecated and it will not necessarily work the way it used to. For example, it does work in win16 but not in any win32 platform, not in any modern release of any proprietary UNIX, and (as mentioned) not in GNU or BSD. Or any POSIX-compliant system anyway.

      And the example code was rubbish anyway because it didn't check the return value before printing the message, and effectively printed it in any case, which (I believe) was the point of the whole exercise - a security scanner is no good if it scans for vulnerabilities and then prints the same ambiguous message in any case. In historic UNIXes, sleep(5) returned negative number if vulnerabilities were found (modern C libraries define sleep()'s return value as unsigned int to specifically discourage this weird behavior).

  2. er, by LurkerXXX · · Score: 3, Insightful

    Sooooo, how exactly is MS responsible for all 3rd party DLLs?

    1. Re:er, by chill · · Score: 4, Informative

      They are actually 3rd party products that distribute Microsoft DLLs as part of the runtime code. The argument is that these companies need permission from MS, who should then have a master list of who asked for permission and why.

      --
      Learning HOW to think is more important than learning WHAT to think.
    2. Re:er, by diginux · · Score: 2, Insightful

      They are responsible for informing you that 3rd party DLLs might be infected, in my opinion.
      Also, if you write a program for searching out infected DLLs, why not do it for all libraries on the system?

    3. Re:er, by Anonymous Coward · · Score: 2, Funny

      Sooooo, how exactly is MS responsible for all 3rd party DLLs?

      They just are, okay. Now quit asking questions or you'll be forced to hand in your /. UID...

    4. Re:er, by White+Roses · · Score: 3, Insightful

      Because it's not a 3rd party DLL? Because it's a MS DLL distributed by a 3rd party? It's still MS's code. RTFA.

      --
      Do not touch -Willie
    5. Re:er, by Zambarra · · Score: 0, Flamebait

      er, by creating a fucked up homogenous environment which encourages or rather beats 3rd parties into writing crappy software?

    6. Re:er, by cephyn · · Score: 1

      so does it follow that if it were an open source DLL and the 3rd party could alter it, then it wouldn't be MS' problem and security would therefore suffer?

      Interesting logical trap there...

      --
      Moo.
    7. Re:er, by Anonymous Coward · · Score: 0

      Heh... sounds like you had the party line beat into you quite well...

    8. Re:er, by zygote · · Score: 2, Funny

      Responsible? Microsoft? "er," is right.
      Can't MS establish and enforce guidelines for third-party libraries so that they don't essentially break the OS (or parts thereof)? If one doesn't conform, the scanning tool from MS should warn the user: "Hey, we don't like this file because [insert reason]."
      The downside for Redmond would be this tool barfing on their own code.

      --
      the future is here, it is just not evenly distributed - w. gibson
    9. Re:er, by LurkerXXX · · Score: 4, Insightful
      So, is Linus going to put out an advisory that there may be some random exploit in the Gimp that allows user level access to hackers? I know there must be some random buffer overflow in the Gimp somewhere. Linus should point this out according to your logic, shouldn't he?

      Kinda silly eh?

      Of course 3rd party apps might have exploits. It's up to those 3rd party vendors to supply patches. Even if the code is originally based on MS code, the 3rd party vendor may have modified it in any variety of ways and MS has no idea if those will be dangerous versions or not. MS has identified the bad code, the 3rd party vendors have been notified about it. It's up to them to tell you if their version is bad or not, and patch their software.

    10. Re:er, by danheskett · · Score: 1

      Yeah, that's great until it detects a possible flaw in a darling project of OSS, and then suddenly every news site including Slashdot writes about MS's "gravely threatening and disturbingly shrill monopoly practices".

      I think MS is right here.

    11. Re:er, by diginux · · Score: 1
      So, is Linus going to put out an advisory that there may be some random exploit in the Gimp that allows user level access to hackers? I know there must be some random buffer overflow in the Gimp somewhere. Linus should point this out according to your logic, shouldn't he?
      Kinda silly eh?

      Not really.
      What I am saying is, if you have a program that looks for a specific exploit, why not look for it in all pertinent files?
      Also, it is not a good idea to give a false sense of security (which no Windows user probably has, but..) to users of a program, who think it is going to fix whatever the vulnerability is.
    12. Re:er, by Spoing · · Score: 4, Informative
      1. Sooooo, how exactly is MS responsible for all 3rd party DLLs?

      While Microsoft isn't responsible for 3rd party DLLs, this is a different situation. They are partially responsible, and if they were interested in making the client systems secure they would handle things differently for what is really a simple file update.

      Reasons: They designed a system that requires 3rd parties to distribute DLLs that Microsoft created. If the DLLs were set in a well organized location, the updates of the system DLLs would automatically 'fix' the other programs. Versioning -- something that Windows DLLs support and programs can take advantage of -- would handle compatibility issues that are not directly incompatible with this fix.

      --
      A firewall can not protect you from yourself. Turn off what you do not need. Do not use the firewall to do your work.
    13. Re:er, by Anonymous Coward · · Score: 0

      +100 insightful

    14. Re:er, by slipstick · · Score: 1

      Huh?

      The flaw is in a Microsoft DLL which is possibly distributed by 3rd parties. Whether it comes attached to an OSS project doesn't enter into it.

      --
      Sure information wants to be free, but how much are you willing to pay for the packaging?
    15. Re:er, by julesh · · Score: 5, Insightful

      So, is Linus going to put out an advisory that there may be some random exploit in the Gimp that allows user level access to hackers? I know there must be some random buffer overflow in the Gimp somewhere. Linus should point this out according to your logic, shouldn't he?

      If Linus wrote the code, and told the application authors that they were only allowed to use it by accessing a .so file (installed into a special directory for each application that uses it, for no good reason that anyone could gather, and Linus insists that they aren't allowed to modify it in any way), and there was then an update to that .so file, I would expect the update that Linus issued to fix all copies of it, yes.

      Of course, nobody behaves like this in the Linux world. Shared libraries are installed to /lib or /usr/lib and you only have one copy of each of them. An update would ensure that the single copy you depended on had the vulnerability eliminated.

    16. Re:er, by flushtwice · · Score: 0, Redundant
      So, is Linus going to put out an advisory that there may be some random exploit in the Gimp...

      OK, let's get a few things straight: You start with Linux as the kernel, and Linus wrote that... Then other people (like RMS) came along and started bundling it with an OS, and we call them GNU/Linux, then still more people customized those things into distros with additional software written by completely separate entities (such as "The Gimp"), so to make a long story short: Linus is not responsible for programs like "The Gimp" ever!

      It's not like Microsoft. The various distros contain software written by literally thousands of contributors, and Linus is just one of them. He really can't even stop people from releasing modified versions of his own code so long as they follow the guidelines of the GPL.

    17. Re:er, by LurkerXXX · · Score: 1
      And MS had notified all the vendors about the error in the original code. MS however, has ZERO idea how the vendor modified the code, or how the rest of their app interacts with it, and if it is a security risk or not. The vendors DO know. They are the ones that should patch their own app.

      This is like saying that since some Linux code may have been used in some 3rd party app like the Gimp (of course following the strictures that the code was correctly licensed according to the GPL) Linux should be responsible for checking the Gimp and any of a million and one other 3rd party apps, for any problematic code. Even though he has no idea how the code was modified for that specific app.

    18. Re:er, by Compenguin · · Score: 1

      Some of these third parties are third parties within Microsoft. For instance, Microsoft Research ships a vulnerable gdiplus dll with WWMX. I was not aware of this until using this tool.

    19. Re:er, by LurkerXXX · · Score: 1

      I had that straight. But as Linus has no control over exactly how some snippet of code from the kernel might be taken out and used in a 3rd party app, MS has no control over how some snippet of their code is taken and used by someone else. They are just paid for use of said snippet, just as Linus gets his return-of-the-code via GPL. Neither one knows exactly what someone else has done with the code, or if it's used in a vulnerable manner. As long as they have passed on any discovered vulnerabilities to the code-users, they have done what they were responsible for.

    20. Re:er, by Anonymous Coward · · Score: 0

      and that isn't even why MS should be responsible, it isn't that 3rd parties wrote bad code, it's that 3rd parties used bad tools to write their code that include MS's bad dll. It's a finite set of DLLs, just use that handy search feature looking for the dll named gdiplus.dll, check the version, do a md5sum or something, and if you find a match, call it bad.

      it isn't that the 3rd party wrote the dll, it's that MS handed out the dll in software development kits.
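The detection approach this comment sketches, written out as an added example (it is not code from the thread, from Tom Liston's scanner or from Microsoft's tool): walk a directory tree, find every file named gdiplus.dll regardless of case, hash each copy and classify it against a known-bad and a known-good digest list, and report the path of every copy, including the ones that match neither list. The digest lists and the sample directory layout are constructed placeholders; a real run would use the digests of the affected builds from the vendor advisory, and would also read the PE version resource, which this example skips. SHA-256 stands in for the comment's md5sum.

```python
"""Find every copy of a named DLL under a root directory and classify each copy
by file hash. Added example; the hashes and the sample tree are constructed."""
import hashlib
import os
import tempfile
from dataclasses import dataclass

TARGET_NAME = "gdiplus.dll"

# Constructed placeholders: a deployment would hold the digests of the library
# builds the advisory lists as affected, and of the patched builds.
KNOWN_BAD_SHA256 = {
    hashlib.sha256(b"constructed: vulnerable gdiplus build").hexdigest():
        "vulnerable build (constructed sample)",
}
KNOWN_GOOD_SHA256 = {
    hashlib.sha256(b"constructed: patched gdiplus build").hexdigest():
        "patched build (constructed sample)",
}


@dataclass
class Finding:
    path: str
    sha256: str
    verdict: str   # "vulnerable", "patched" or "unknown"
    note: str


def sha256_of(path, chunk=1 << 16):
    """Stream the file through SHA-256 so large binaries are not read at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def scan_tree(root, target=TARGET_NAME):
    """Walk root, hash every file whose name matches target (case-insensitive)
    and classify it. Every copy is reported with its path, even if unknown."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() != target:
                continue
            path = os.path.join(dirpath, name)
            digest = sha256_of(path)
            if digest in KNOWN_BAD_SHA256:
                findings.append(Finding(path, digest, "vulnerable", KNOWN_BAD_SHA256[digest]))
            elif digest in KNOWN_GOOD_SHA256:
                findings.append(Finding(path, digest, "patched", KNOWN_GOOD_SHA256[digest]))
            else:
                findings.append(Finding(path, digest, "unknown",
                                        "copy matches neither list; verify manually"))
    return findings


def build_sample_tree():
    """Constructed directory layout mimicking per-application DLL copies."""
    root = tempfile.mkdtemp(prefix="gdiscan_")
    layout = {
        os.path.join("Windows", "System32", "gdiplus.dll"): b"constructed: patched gdiplus build",
        os.path.join("Program Files", "AppA", "gdiplus.dll"): b"constructed: vulnerable gdiplus build",
        os.path.join("Program Files", "AppB", "GdiPlus.DLL"): b"constructed: some other build",
        os.path.join("Program Files", "AppB", "readme.txt"): b"not a dll",
    }
    for rel, content in layout.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(content)
    return root


def summarize(findings):
    """Count findings per verdict."""
    return {v: sum(1 for f in findings if f.verdict == v)
            for v in ("vulnerable", "patched", "unknown")}


if __name__ == "__main__":
    results = scan_tree(build_sample_tree())
    for f in results:
        print(f"{f.verdict:10s} {f.path}  ({f.note})")
    print(summarize(results))
```

Running it prints one line per copy found, with the path and a verdict; the "unknown" verdict is deliberate, since a copy that matches neither list still needs a human to look at it, and silently dropping it would reproduce the complaint in the thread that the official tool tells you only that you "may be vulnerable".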

    21. Re:er, by Spoing · · Score: 2, Interesting
      [rubs eyes, shakes head]

      1. And MS had notified all the vendors about the error in the original code. MS however, has ZERO idea how the vendor modified the code, or how the rest of their app interacts with it, and if it is a security risk or not. The vendors DO know. They are the ones that should patch their own app.

      Did the vendors have the ability to change these DLLs or were they given binaries or restrictions on what changes (if any) were allowed?

      1. This is like saying that since some Linux code may have been used in some 3rd party app like the Gimp (of course following the strictures that the code was correctly licensed according to the GPL) Linux should be responsible for checking the Gimp and any of a million and one other 3rd party apps, for any problematic code. Even though he has no idea how the code was modified for that specific app.

      You're talking about source code modifications. Is that the case here? (Why would there have to be source modifications on a shared library? It makes no sense!)

      The analogy you use is also not the way that things are typically done on *nix systems (Linux or not).

      A more similar analogy would be if two applications that were similar but from the same code base -- say Sodipodi and Inkscape -- used a PNG manipulation routine that was defective. In that case under Linux (and *BSD and likely all other *nix) would not have any security issues -- though libPNG would! Fix libPNG, and the issue goes away for Sodipodi, Inkscape, and all other applications that use libPNG.

      --
      A firewall can not protect you from yourself. Turn off what you do not need. Do not use the firewall to do your work.
    22. Re:er, by flushtwice · · Score: 1
      Well, yes, I kind of figured you were hinting along those lines, but whereas GNU/Linux is GPL'ed, MS is not, and their code is tightly wrapped up in copyrights and licenses that prohibit unauthorised use/modification/distribution of their code.

      Yes, I know that the same could be said of the GPL, but you actually have to specifically get permission from MS in order to use their stuff in that manner in your 3rd party applications.

      Now you can argue that something written in VB and is distributed doesn't necessarily have MS's blessing, but it will either use MS's DLLs or it won't. They cannot modify an MS DLL and redistribute it without MS's explicit consent. You can do that under the GPL, so the same argument cannot apply, and if you read your License agreements, then you are very well aware of the difference.

    23. Re:er, by Anonymous Coward · · Score: 0

      if 3rd parties modified the DLL, then they (3rd) should check back with the source of their code from time to time to see if there have been bug fixes and then incorporate that into their own modified version. That would be how OpenSource would work.

      and that is how you get out of THAT logic trap.

      MS would still be to blame for the unmodified DLLs, but 3rd party once they edit the DLLs claim some responsibility.

      If I take the linux kernel and edit it to include drivers for a hood-welded-shut box, it would be up to me to then check in on the linux kernel to see if there are known bugs/exploits that should be fixed that may or may not affect my version of the kernel.

    24. Re:er, by pjrc · · Score: 3, Insightful
      Of course, nobody behaves like this in the Linux world.

      I believe you missed the zlib buffer overflow, which turned out to be statically linked into many applications, as well as in the shared library.

      Yeah, not quite the same, since static linking is different (perhaps worse) than having lots of copies of the DLL in different directories, as far as updating is concerned. Also, a different situation because developers had the option to link the way they wanted.

      But to say this sort of thing never happens in the "linux world" and that all library security bugs are easily cured for all apps by updating the shared libs neglects some really unfortunate occurrences like the zlib buffer overflow.

    25. Re:er, by danheskett · · Score: 1

      Yes, it does. Let's say that an OSS project linked to this system dll. Let's say MS took the drastic step of fixing the DLL, and breaking binary compatibility, which would cause an error in the OSS app.

      All of a sudden you have chaos.

    26. Re:er, by grendelkhan · · Score: 1
      Even if the code is originally based on MS code
      Except that this isn't based on MS code, it is MS code in the form of a library that can only be redistributed in binary form. So there are multiple copies of the MS-created binary floating around on your hard drive that MS knows about but does nothing to fix.
      --
      Wu-Tang Name: Half-Cut Skeleton Get your own Wu-Na
    27. Re:er, by say · · Score: 1

      So does it follow that if it were an open source DLL and the 3rd party could alter it, then it wouldn't be MS' problem and security would therefore suffer?

      Nitwit. If it was an open source DLL, Microsoft would not have any responsibility to fix it - you are correct. But the only possible project maintainer/patcher of this security problem is Microsoft - because it is closed source.

      They can obviously opt to not fix it. That would hopefully lead to a situation where no software company dares to use Microsoft's SDKs without seeing the sources themselves. That's, AFAIC, a rather terrible business strategy.

      --
      Roses are #FF0000, violets are #0000FF, all my base are belong to you
    28. Re:er, by slipstick · · Score: 1

      No you wouldn't, the OSS project would just recompile and rerelease. Besides it wasn't a question of replacing the DLL, they don't even make a reasonable attempt at finding the DLL and reporting what it might be attached to.

      If someone without MS's resources can make a better tool, why can't MS?

      --
      Sure information wants to be free, but how much are you willing to pay for the packaging?
    29. Re:er, by say · · Score: 2, Insightful

      MS however, has ZERO idea how the vendor modified the code, or how the rest of their app interacts with it, and if it is a security risk or not. The vendors DO know. They are the ones that should patch their own app.

      Sanity check: can you modify Microsoft SDK libraries? No. They are distributed in binary, not source.

      This is like saying that since some Linux code may have been used in some 3rd party app like the Gimp [...] Linux should be responsible for checking the Gimp and any of a million and one other 3rd party apps, for any problematic code.

      No, it is not. I won't even bother explaining why. Or maybe I'll do it anyway.

      This situation is the equivalent of a car company getting parts (let's say the tires) from another company, and the tire company suddenly discovers that the tires might explode if you use them on asphalt. Who's responsible? Should the car company make the changes to the tires?

      You need to re-read your book on elementary logic.

      --
      Roses are #FF0000, violets are #0000FF, all my base are belong to you
    30. Re:er, by ClosedSource · · Score: 2, Informative

      "They designed a system that requires 3rd parties to distribute DLLs that Microsoft created."

      I've created many Windows applications and I've never distributed any MS DLLs.

    31. Re:er, by maximilln · · Score: 1

      So, is Linus going to put out an advisory that there may be some random exploit in the Gimp that allows user level access to hackers?

      If we were paying $200/copy for Linus' work, I bet he would.

      Kinda silly eh?

      The only thing that's silly is dismissing quality controls for paid products on the grounds that we don't expect the same standards from completely free products.

      You get what you pay for: Microsoft is overcharging. How many millions of American 401(k) investment dollars has Bill Gates run off with? How many millions has Linux run off with? We have a right to expect more from Bill. We paid for it.

      --
      +++ATHZ 99:5:80
    32. Re:er, by ClubStew · · Score: 2, Informative

      ...and do you do everything you're told? People are using unlicensed files all the time *cough* mp3s *cough*.

      Besides, 3rd party vendors are using a lot more than just gdiplus.dll. They may use mfcxx.dll, msvbvm60.dll (VB6 runtime), and a myriad of other modules. Few programs like cygwin don't touch modules installed by the OS.

      It's rediculous to think Microsoft is somehow responsible for every third-party application, whether it's using licensed components or not. But then again, the minions of /. are also often rediculous in their expectations, like that the world is better with free software since money grows on trees and all.

      Get real. The companies should know about vulnerabilities - and don't give me that crap that *nix and their apps don't have them - because they write software for that OS or use a particular library, and are responsible for updating their libraries.

      If the companies used the modules how they were intended (using shared components installed into the proper place in the system), then they wouldn't have to worry about it. But when companies start introducing local modules, then they're responsible for updating them. It would be no different in the *nix world if developers didn't follow guidelines (and sometimes they don't, either).

      The true blame here lies with the 3rd party vendors. They need to be responsible for not only their code but the code they use if they're not following guidelines about where the file should go, etc.

      On XP, for example, gdiplus.dll is not to be redistributed and is to be installed into the Win32 side-by-side cache (WinSxS). If companies are distributing this it's their problem to work out.

    33. Re:er, by SoSueMe · · Score: 1

      Please don't forget that this is not a random exploit in a "snippet of code". It is a vulnerability in a Microsoft DLL that is not subject to modification or "improvement" by anyone except Microsoft.

    34. Re:er, by danheskett · · Score: 1

      Laziness, that's all. But that doesn't mean it's criminal negligence. That's a specific legal term with specific meanings.

    35. Re:er, by JebusIsLord · · Score: 1

      Good point - the zlib exploit isn't to my knowledge even mentioned on the zlib page - it's up to the individual software vendors who statically link to their library to fix. Hell, they didn't even release a fixed version - the latest zlib available still has the problem! No biggie though, right; anyone using zlib is responsible for patching their own applications. Why should Microsoft, who has comparatively been way MORE responsible, be blamed for this one??

      --
      Jeremy
    36. Re:er, by slipstick · · Score: 1

      Huh?

      Granted I fall asleep sometimes and have been known to miss obvious points but where did "criminal negligence" enter this discussion, except above?

      --
      Sure information wants to be free, but how much are you willing to pay for the packaging?
    37. Re:er, by pod · · Score: 1

      The GDI library is not a 'snippet' of code. It is a stock DLL file, free for developers to include with their app and distribute.

      The analoguous situation you are looking for is:

      Linus wrote some code and distributed it with standard applications he wrote.
      Someone found a bug in it.
      Linus wrote a tool to scan a system for his code and alert user that his copy is vulnerable. But only the copies of the code that came with his applications.

      This is as far as MS went. With an extra couple of lines of code they could have had a tool that would go through the ENTIRE system looking for their vulnerable code, whether belonging to one of their apps or a 3rd party app.

      --
      "Hot lesbian witches! It's fucking genius!"
    38. Re:er, by Anonymous Coward · · Score: 0
      And MS had notified all the vendors about the error in the original code.

      ALL the vendors, hmm? How exactly would they do that?

    39. Re:er, by RiffRafff · · Score: 1
      Sooooo, how exactly is MS responsible for all 3rd party DLLs?

      Because the programming rules that MS sets down allow third party authors to take a Microsoft library, alter it, keep the same name and allow it to continue life as if nothing ever happened, regardless of how other programs, dependent upon that original library, may react.

      Even the Amiga, back in the 80's, knew better.

      Once again MS reaps what it sows.

      --
      "I might have made a tactical error in not going to a physician for 20 years." -- Warren Zevon
    40. Re:er, by dubstar · · Score: 1

      The point is not that MS should be responsible for all third party usage of their DLL files. The point is that there is a trivial difference between having your scanner look in a few pre-determined directories for the DLL files and having it scan and list any known vulnerable DLL files. Instead it just gives a false sense of security. The post was about the MS released 'security tool' being useless, which it is.

      Besides, MS doesn't follow their own guidelines half the time, how can you expect anyone else to? For instance, having a downloadable file right on their website for something that is so obviously marked "not to be redistributed" on your computer. I rest my case.

      p.s. ridiculous
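The kind of scanner this subthread is asking for, as an added example (not ISC's GDIScan and not Microsoft's tool): walk an entire directory tree rather than a few known directories, find every copy of gdiplus.dll, read its file version straight out of the PE's VS_FIXEDFILEINFO block and compare it with the first fixed version. FIXED_VERSION is a placeholder to be filled in from the vendor bulletin, and the sample "DLLs" are constructed stand-ins that carry only the version block.

```python
import os
import struct
import tempfile
from typing import Iterable, List, Optional, Tuple

Version = Tuple[int, int, int, int]

# dwSignature of VS_FIXEDFILEINFO (0xFEEF04BD) as it is laid out in the file (little-endian).
VS_FFI_SIGNATURE = struct.pack("<I", 0xFEEF04BD)

# Placeholder: the first non-vulnerable gdiplus.dll version from the vendor bulletin goes here.
FIXED_VERSION: Version = (0, 0, 0, 0)


def file_version(data: bytes) -> Optional[Version]:
    """Return (major, minor, build, revision) from a PE image's VS_FIXEDFILEINFO block.

    The block lives in the RT_VERSION resource; instead of walking the resource
    directory we locate it by signature and then check dwStrucVersion (1.0 in real
    files) so that an accidental byte match elsewhere in the image is skipped.
    """
    pos = data.find(VS_FFI_SIGNATURE)
    while pos != -1:
        if len(data) >= pos + 16:
            struc_ver, ver_ms, ver_ls = struct.unpack_from("<III", data, pos + 4)
            if struc_ver >> 16 == 1:
                return (ver_ms >> 16, ver_ms & 0xFFFF, ver_ls >> 16, ver_ls & 0xFFFF)
        pos = data.find(VS_FFI_SIGNATURE, pos + 1)
    return None


def find_copies(root: str, name: str = "gdiplus.dll") -> List[Tuple[str, Optional[Version]]]:
    """Walk the whole tree under root and read the version of every copy of the DLL."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            if fn.lower() != name:          # Windows file names are case-insensitive
                continue
            path = os.path.join(dirpath, fn)
            try:
                with open(path, "rb") as fh:
                    found.append((path, file_version(fh.read())))
            except OSError:
                found.append((path, None))
    return found


def classify(copies: Iterable[Tuple[str, Optional[Version]]],
             fixed: Version) -> List[Tuple[str, str]]:
    """Label each copy patched, VULNERABLE, or unknown (no readable version block)."""
    report = []
    for path, ver in copies:
        if ver is None:
            status = "unknown"
        elif ver < fixed:                   # tuple comparison == component-wise version compare
            status = "VULNERABLE"
        else:
            status = "patched"
        report.append((path, status))
    return report


def fake_dll(version: Version) -> bytes:
    """Constructed stand-in for a PE file: a decoy signature with a bad dwStrucVersion
    (which file_version must skip) followed by a real VS_FIXEDFILEINFO header."""
    major, minor, build, rev = version
    decoy = VS_FFI_SIGNATURE + b"\x00" * 12
    real = VS_FFI_SIGNATURE + struct.pack("<III", 0x00010000,
                                          (major << 16) | minor, (build << 16) | rev)
    return b"MZ" + b"\x00" * 62 + decoy + real + b"\x00" * 32


def demo(fixed: Version) -> List[Tuple[str, str]]:
    """Write two constructed copies into a temporary tree and scan it against `fixed`."""
    with tempfile.TemporaryDirectory() as root:
        vendor = os.path.join(root, "Program Files", "SomeVendor", "App")
        sxs = os.path.join(root, "WINDOWS", "WinSxS", "x86_gdiplus_sample")
        os.makedirs(vendor)
        os.makedirs(sxs)
        with open(os.path.join(vendor, "GdiPlus.dll"), "wb") as fh:   # old copy shipped by an app
            fh.write(fake_dll((1, 0, 0, 1)))
        with open(os.path.join(sxs, "gdiplus.dll"), "wb") as fh:      # updated copy
            fh.write(fake_dll((1, 0, 1, 0)))
        return classify(find_copies(root), fixed)


if __name__ == "__main__":
    for path, status in demo((1, 0, 1, 0)):     # constructed threshold for the demo tree
        print(f"{status:<10} {path}")
```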

  3. Good try by Tebriel · · Score: 0

    Well, it's a nice try, but I doubt they'll do anything because of this letter. Hopefully, I'm dead wrong.

    --
    The Blaster Master Fighting for Truth, Justice, and Evil Pie since 1979
    1. Re:Good try by Anonymous Coward · · Score: 1, Interesting
      ...stop treating your customers like idiots...

      As soon as I read something like the above the letter goes straight into the circular file.

    2. Re:Good try by Anonymous Coward · · Score: 0

      Yes, Bill, we know.

  4. In case it gets Slashdotted.... by Anonymous Coward · · Score: 3, Informative

    http://isc.sans.org//diary.php?date=2004-09-26

    Handlers Diary September 26th 2004
    Updated September 27th 2004 13:11 UTC (Handler: Tom Liston)
    GDI Vulnerabilities: An open letter to Microsoft

    Dear Redmond Folks:

    When I was but a wee lad, we lived in a rather large, old house that had, among other charming qualities, a basement that would make even the bravest soul think twice before venturing downstairs. It was cavernous, ill-lit, and, quite frankly, always smelled a little funny. My older brother, as older brothers are wont to do, would tell me fantastic stories about why the basement had that odor; generally centering on some unfortunate past resident's demise. I hated that basement.

    My parents, in a vain attempt to rid the basement of its malodorous "twang", purchased a dehumidifier which, because there was no electrical outlet anywhere near the floor drain, required emptying on a daily basis.

    And, no matter how many times I begged, bribed and pleaded with my older brother, he would somehow know when I was making my daily trek to the basement and, as I was down there trying to pull the heavy bucket out of the dehumidifier, the lights would suddenly snap off, the basement door would slam shut, and I would hear my older brother's voice wafting down from above: "It's cooooooooming..... It's cooooooooming to get you......."

    And there I stood: alone in the dark, unknown terrors approaching, armed only with a bucket of water.

    Which is, curiously enough, almost exactly the position that Windows users find themselves in today: alone in the dark, unknown terrors approaching, but in their case, having a bucket of water would be an improvement.

    MS04-028 is, perhaps, the epitome of bad technical writing -- the literary equivalent of spaghetti code. I've read through it far too many times, and I still understand far too little.

    Your "GDI Scanning Tool" is worse than useless. Run it, and it tells you that you "may be vulnerable", and directs you to Windows Update and Office Update. Go to Windows Update and update everything you can find. Go to Office Update and do the same. Run the scanner again, and it tells you that you "may be vulnerable", and directs you to Windows Update and Office Update. Lather, rinse, repeat.

    [Which is why the ISC has made GDIScan.exe and GDICLScan.exe available. See http://isc.sans.org/gdiscan.php for details.]

    What about those old gdiplus.dll files that we're all finding in our Side-By-Side DLL directories? Are they a problem? Why are you updating sxs.dll? Is there vulnerable code in there, or did you just rig it to avoid using the bad code in older versions of gdiplus.dll? (Hey, if you had asked me years ago, I would have told you that this was a serious problem with your Side-By-Side implementation.)

    When a third party vendor wants to distribute a Microsoft DLL with their product, don't they have to get permission from you? Wouldn't there be a list somewhere in Redmond of the third party applications that have distributed vulnerable copies of gdiplus.dll? Can you tell us what they are?

    Please stop treating your customers like idiots and give us information; information that we can use.

    In other words: Turn on the lights and open the door. We're ready to come back upstairs now.

    -TL

    Handler on Duty: Tom Liston ( http://www.labreatechnologies.com )

    1. Re:In case it gets Slashdotted.... by PitaBred · · Score: 5, Funny

      Hrm... the Internet Storm Center... slashdotted... that'd be interesting. Somewhat poetic. But doubtful.

    2. Re:In case it gets Slashdotted.... by Sekoku · · Score: 1

      >> Your "GDI Scanning Tool" is worse than useless. Run it, and it tells you that you "may be vulnerable", and directs you to Windows Update and Office Update. Go to Windows Update and update everything you can find. Go to Office Update and do the same. Run the scanner again, and it tells you that you "may be vulnerable", and directs you to Windows Update and Office Update. Lather, rinse, repeat.

      I fail to see how that's not useful. EVERYONE should be going to Windows Update to install patches! (Attempt at +1, Funny. Failed! =( )

    3. Re:In case it gets Slashdotted.... by gcaseye6677 · · Score: 2, Insightful

      This seems to be a trend for the "trustworthy computing initiative". I noticed that the much-hyped security features of XP SP2 consist mostly of the new firewall and popup blocker (which many people already had), along with more visible security reminders like that stupid shield that pops up when you download a file, visit an activeX using website, etc. It seems like they are trying to make the focus on security as visible as possible, without providing any real, useful details. I get the idea that it's more of an illusion of security rather than some massive overhaul of the operating system like they want us to believe. I have a feeling that this won't be the last of the MS security illusions that we see.

    4. Re:In case it gets Slashdotted.... by dustinbarbour · · Score: 2, Insightful

      Look.. I'm all for this "copy all the text and save everyone the hassle of waiting on a /.ed server" bit, but I'm getting freakin' tired of seeing these posts. If the idea was to put everything here at Slashdot, the editors would do so right at the outset. Stop doing this pre-emptive crap.. especially with a page hosted by the ISC!

    5. Re:In case it gets Slashdotted.... by Anonymous Coward · · Score: 0

      No kidding. Don't you just hate those karma whoring AC's

    6. Re:In case it gets Slashdotted.... by LilMikey · · Score: 1

      Creating an idiot program that just pops up a webpage that says 'Go to Windows Update' is very much stretching the definition of useful. It's analogous to our 'terror threat level' color-code shit. Oh, bloody hell, it's red. Be afraid... be very afraid. We're not gonna tell you what to be afraid of, but do it, damnit!

      And yes, I see that your post was a joke but I had to take a stab at the beautiful rainbow of terror we have here in the States.

      --
      LilMikey.com... I'll stop doing it when you sto
    7. Re:In case it gets Slashdotted.... by bombastinator · · Score: 1

      At the risk of being simultaneously off topic and political, this bears significant similarity to the whole homeland security thing.
      [curmudgeonly rant]
      Perhaps this is just what folks do when they have to protect a group, to whom they are theoretically but not actually responsible to, from something but have little actual capability to do so without causing themselves significant difficulty:

      Make lots of noise and display all your actions very visibly, but don't do anything that would actually obstruct your own personal business. And maybe you can find a bit of candy for yourselves around the edges as well. [/curmudgeonly rant]

    8. Re:In case it gets Slashdotted.... by jcr · · Score: 1

      Please stop treating your customers like idiots and give us information;

      I don't think this complaint is entirely fair: it presupposes that MS *has* information that customers can use.

      -jcr

      --
      The only title of honor that a tyrant can grant is "Enemy of the State."
    9. Re:In case it gets Slashdotted.... by Anonymous Coward · · Score: 0

      Yeah it's pretty frustrating when they give you all these little warnings with no context or meaningful choices.

    10. Re:In case it gets Slashdotted.... by Fantasio · · Score: 1
      Right on: XP SP2 is one of these "worse than useless" pieces of software from Microsoft, for giving a false sense of security.

      SP2 better than nothing? Yes, but nowhere near what was expected from Microsoft, nowhere near what Microsoft should have done, nowhere near what Microsoft claims to have done, and, most damaging, nowhere near where the average XP user thinks he is now with SP2.

  5. Dear Tom by Anonymous Coward · · Score: 5, Funny

    When you need this tool, we will tell you and provide it for you. Until then, please continue buying our other tools.

    Bill

    1. Re:Dear Tom by Anonymous Coward · · Score: 0

      Amen. Starting the letter with 'when I was a wee lad' was a big tip-off that the cutesiness/explaining what the fucking point is ratio was going to be pretty high.

  6. Disabled this tool in SUS by pbranes · · Score: 4, Informative

    In my SUS server at my corporation, I disabled this stupid tool because all it does is pop up with some confusing error message that the end user does not understand. Then they would all just call me asking about a weird popup they got on their screen. I am deploying the windows patch via SUS and the office pack via scripts, so there is nothing for the end user to do anyways.

    1. Re:Disabled this tool in SUS by Eraser_ · · Score: 1

      What I love, is our "company" does not have a SUS server, we do updates by hand, uphill both ways, in the snow.

      My job involves doing a lot of clean installs of Windows 2000/XP after failed hard drives, etc. A lot of times I set up Windows Update when I need to go do something else, get SP4 rolling, do something else, get IE6SP1 rolling, do something else, all with minimal time staring at the updating screen itself. When I come back and things went smoothly, I've been "twice" as productive.

      Now the third set of updates including all the "recommended" ones is the big one that takes a while, so as usual, I set ~4 computers downloading the 70 megs of updates, and go to lunch. Come back to find them all stuck, 2 updates in or whatever, on that damned GDI+ screen saying that nothing has been found. I push OK and it continues on its merry way. My "productive" lunch is shot to hell.

      To make matters worse, my XP SP2 machine at home said I have vulnerabilities and to check this website out. I run the built-in ActiveX thing and it says nope only windows 2000 gets this tool, check windows update, which says there's no updates, same with office update.

      To make matters worse (2.0), I had a windows 2000 machine I ran updates on, it said I had vulnerable software, but another update claimed I needed to reboot, which do you believe? Knowing Windows and seeing "based on NT technology" I rebooted. I spent 15 minutes searching Microsoft's website trying to get that same page back up to no avail. I found others, but not the one with the GDI+ detection tool ActiveX thing.

      Whenever I saw a comments page or feedback form I told them my precise thoughts on their tool, mostly similar to what I said here.

  7. Doesn't know any better. by nempo · · Score: 2, Funny
    'Please stop treating your customers like idiots and give us information'


    I'm afraid that Microsoft doesn't know any better, they can't give you what they don't have.
    --
    --- No, English is not my mother tongue.
  8. Re :peoplesprimary by Anonymous Coward · · Score: 0, Offtopic
    Do not go to the peoplesprimary.com site.

    Last time I looked they had a javascript in place that automatically posts the contents of your "Copy" buffer to a remote server... and then displays it for everyone to see. Not good.

  9. Re:Yeah, right. by PitaBred · · Score: 4, Informative

    No, MS IS checking third party software, but not updating it, and still warning you about it. And warning you without telling you exactly what is wrong, the worst kind of error message, one that Windows is quite fond of.

  10. letter by Anonymous Coward · · Score: 0

    weirdest.. open letter.. ever

  11. It's actually a tough job even on Linux by shoppa · · Score: 4, Insightful
    Scanning your own systems for vulnerabilities, especially when you have third-party stuff on it, is a tough job.

    You don't even need third-party stuff or an application to make it hard under Linux. Typical cycle is: kernel version x comes out in March. It's in a Red Hat release in July. Vulnerability found in September, with an immediate release of version x+1 on kernel.org (which also has a lot of changed/evolved drivers etc.) Red Hat back-patches the fix to version x and makes a new funny version number to signify this. They might include a couple other things from x+1 in the back-patch to version x. Except that the funny redhat version number doesn't signify much to anyone on the surface.

    Similar things happen for Red Hat (and other branded linux binary distributions) of Apache, SSL, etc., things that are all quite critical and you'd hope would be crystal-clear as to which patches your version has or doesn't have.

    Now finding whether version X of a library or application has a vulnerability patched usually isn't too hard. And Red Hat does a pretty good job of keeping on top, way better than say Microsoft.

    Disclaimer: I'm no fan of Microsoft, but I'm not a big fan of Red Hat (or, as I prefer, Head Rat) either (or any binary linux/gnu toolchain/popular application distro for that matter).

    1. Re:It's actually a tough job even on Linux by null_session · · Score: 2, Informative

      ...but I'm not a big fan of Red Hat (or, as I prefer, Head Rat) either (or any binary linux/gnu toolchain/popular application distro for that matter).

      Well, say that it's hard on one of those commercial distros then. For MY chosen Linux setup, it's generally condensed down to:
      $ apt-get update
      $ apt-get upgrade

    2. Re:It's actually a tough job even on Linux by EnronHaliburton2004 · · Score: 2, Insightful

      That's assuming that you get all of your products via apt. Does 'apt-get upgrade' fix all of those Third Party issues?

      What if you compile a third party product from a tarfile? Third party products are as common on Debian as they are on any other distro.

    3. Re:It's actually a tough job even on Linux by Red+Alastor · · Score: 1, Informative
      How hard is it to just write:
      yum update
      as root in a console?
      --
      Slashdot anagrams to "Sad Sloth"
    4. Re:It's actually a tough job even on Linux by rhenium75 · · Score: 2, Interesting

      In this context the last zlib vulnerability comes to mind. Apps which linked dynamically to it were easily updated, but unfortunately there were also some statically linked ones.

    5. Re:It's actually a tough job even on Linux by mastergoon · · Score: 1
      There are different solutions on different distributions. Gentoo actually has (IMHO) one of the best. In gentoolkit there is a utility called `glsa-check` which will search your computer for vulnerable software and tell you about it.

      I think they plan on adding more security related updating code into portage in future versions.

    6. Re:It's actually a tough job even on Linux by sEEKz · · Score: 3, Insightful

      I don't think so!

      It's a completely different world...

      Normally you can see on security lists like bugtraq what kind of vulnerabilities are discovered, or patches which are available.

      Now you have different options.
      1. fix it yourself (you have the source)
      2. wait for maintainer of the program or library to release a patched version
      3. wait for your linux distro to release a patched version

      What I mean to say is, in Linux or other Open Source projects, it's pretty obvious what to fix or where the problem itself exists.
      Worst case scenario, you can fix it yourself.

      In case of Microsoft or other closed sources, you have to wait for the main distributor to get a fix of the program or library. And even then you're not 100% sure if the problem is fixed.

    7. Re:It's actually a tough job even on Linux by hackstraw · · Score: 1

      Red Hat back-patches the fix to version x and makes a new funny version number to signify this.

      Yeah, RH does this all the time, and it sucks. The thing that sucks is that they do an x+1 revision on the RPM, but they often do not do any kind of increment in the announce string (like when you do ssh -v or telnet HOST 80; HEAD / HTTP/1.0).

      I know that you're "supposed" to register with RH and do all your updates from there, but it's not worth the time for me. Especially since many of my boxes are on DMZs and I would have to go through a proxy or NAT configuration. Also, I have many machines that are the same, so I just copy an RPM from one to another or even rsync them.

      This has been a gripe for some time.

    8. Re:It's actually a tough job even on Linux by caluml · · Score: 1

      I've always wondered if it would be best if all .tar.bz2/rpms/exe/whatever files of ANY packages affected by security flaws should be deleted, and removed from all mirrors.
      This would prevent anyone from installing an insecure version again, and anyone that really insisted on keeping an old version around (for special systems on isolated networks for example) would keep their own copies of the software that they installed on the system.
      What do you people think of that idea?

    9. Re:It's actually a tough job even on Linux by Anonymous Coward · · Score: 0

      And some folks still insist on linking things static...

    10. Re:It's actually a tough job even on Linux by brianosaurus · · Score: 2, Insightful

      I don't use Windows, so I haven't been able to experience this firsthand, but I don't think the point of the article was that scanning was easy. It isn't. That's why Red Hat's system is a pain in the ass. However if you follow their procedure, you can (eventually) get to a point where you are confident that you have eliminated the vulnerability.

      The problem with Microsoft's system is that even after you follow their patching procedure, you still don't know if the problem is fixed, and they give you no way to be sure. The scanner says to update. Update says no new patches. But the scanner still says you "may be vulnerable". Leaving the user in an endless loop of wonder is not a sufficient solution.

      The article's author's scanner, I gather from its site, does a better job of informing the user where the problem is and how to fix it (software update, then delete "these" files, and ignore "these" files). After running his scanner and performing the suggested steps, a subsequent run should say "it's all good", or again give a specific list of things to do, eventually resulting in "you are not affected."

      Microsoft should be offering tools and patching procedures that get you to a "you are not affected" state. Their increased focus on security should not depend on third-party tools and patches.

      --
      blog
    11. Re:It's actually a tough job even on Linux by LincolnQ · · Score: 2, Insightful

      Bad, and for several reasons:

      - It doesn't resolve the issue raised by your parent. If you execute your distribution's 'upgrade all new packages' function, after it has updated its repositories, you will get the new package. The problem is that the distributions don't update their repositories in a useful or regular way, and it's often difficult to execute this function.

      - What if the new code has serious flaws that make it worse to use than the old? You would prefer to regress. Especially if the security flaw is something minor like "local user is allowed to use the cd-burner even though he's not supposed to" -- if the new version comes out with all sorts of other features that break it, you would much rather use the old one that didn't have a flaw that you cared about, than many that you do.

      - What authority do you have to say 'nobody should ever install an insecure program again'? I'll admin my own system, and install what I want, thanks.

      - Infeasible to implement on such a scale as you suggest.

      - It's against some of the principles of Open Source software development, where you can always look at the past versions of software.

    12. Re:It's actually a tough job even on Linux by Demonspawn · · Score: 1

      It is bad form for another crucial reason. Say you heard about security bug ABC in version X of some software that was fixed in version Y.

      wget x
      wget y
      diff x y

      Oh! So that's what the bug was and how I avoid it!! (not really that simple, but it gives you a place to start looking.)

      --Demonspawn

    13. Re:It's actually a tough job even on Linux by jargoone · · Score: 1

      So to summarize:

      Red Hat provides a perfectly acceptable way to do things. It makes some of the details confusing on the backend, but if you use RHN, it works fine.

      You decide to try to circumvent it, and complain that it's a pain. What do you expect?

      You need to either a) look into their Proxy or Satellite Architecture available with the management module of RHEL 2.1 AS, or b) find a new distro.

    14. Re:It's actually a tough job even on Linux by Anonymous Coward · · Score: 0

      Would you do that if your setup was this:

      www.mymissioncriticalsite.com$ apt-get update
      www.mymissioncriticalsite.com$ apt-get upgrade

      ...and without 99.9% uptime you lose thousands of dollars?

    15. Re:It's actually a tough job even on Linux by Anonymous Coward · · Score: 0

      Well I'd do it on my test server, and once that was okay, either update my production server, or take my production server offline and switch in the backup server.

    16. Re:It's actually a tough job even on Linux by grcumb · · Score: 1

      "Red Hat back-patches the fix to version x and makes a new funny version number to signify this. They might include a couple other things from x+1 in the back-patch to version x. Except that the funny redhat version number doesn't signify much to anyone on the surface."

      I'm probably missing something from your description of the problem, but having worked three years for a company that uses older RH-based kernel versions in the business server we sell, we've never had any particular difficulty keeping track of security issues at the kernel level.

      Keeping track of the reliable sources of security information, watching for new patches and reading the changelogs generally gives you a very clear picture of what is in the patch.

      It is true that RH has sometimes bundled batches of mixed value in the same update. If we had the time and the energy, we'd likely have rolled our own patches on about 3 occasions.

      --
      Crumb's Corollary: Never bring a knife to a bun fight.
    17. Re:It's actually a tough job even on Linux by pod · · Score: 2, Interesting

      Well, as another poster mentioned, you circumvent a perfectly good system and then complain about it.

      There are far better ways to remotely determine the version of something running on your network (as you seem to be trying to do with ssh -v and HEAD; do you not update any packages that do not listen to a socket and return version info?). You can either read the RPM database or execute rpm -qi and check out the exact version of what's installed, then push out the updated RPM if a newer one exists on your local repository. It's a poor man's RHN, but can easily get the job done just as well.

      --
      "Hot lesbian witches! It's fucking genius!"
    18. Re:It's actually a tough job even on Linux by Dr+Rick · · Score: 1

      If you ever want Linux to be mainstream, options 1 and 2 are not really options. As a result it comes down to the same issue you have with MS, that is, waiting for the distro vendor to release a patch.

      --

      Dr. Rick
      - "It's such a fine line between clever and stupid" (Nigel Tufnel)
      - Zort! (Pinky)
    19. Re:It's actually a tough job even on Linux by hesiod · · Score: 1

      > yum update

      Does that update programs that were installed from source?

    20. Re:It's actually a tough job even on Linux by Red+Alastor · · Score: 1

      No. But you are seeking trouble if you install stuff from source on Red Hat. Get a source distro (a lot exists) if you want to install from source.

      --
      Slashdot anagrams to "Sad Sloth"
  12. Security is Microsoft's number 1 priority... by Foofoobar · · Score: 2, Funny

    ...to ignore.

    --
    This is my sig. There are many like it but this one is mine.
    1. Re:Security is Microsoft's number 1 priority... by Anonymous Coward · · Score: 1, Funny

      Don't you mean:

      "For me to POOP ON!"

  13. Dear Tom by Anonymous Coward · · Score: 1, Interesting

    Dear Tom,

    Next time, less cutesiness and more explaining what the fucking point is.

    HTL. HAND.

  14. Likely no master list by isn't+my+name · · Score: 5, Informative

    The argument is that these companies need permission from MS, who should then have a master list of who asked for permission and why.

    But, I'll bet that MS gives developers permission to distribute these with Visual Studio, which would mean there is no way that MS has a master list--moreover, much of the software may be for internal applications and the developer is long gone.

    So, any VB program that does image manipulation may be potentially vulnerable.

    1. Re:Likely no master list by julesh · · Score: 5, Informative

      But, I'll bet that MS gives developers permission to distribute these with Visual Studio,

      It's worse than that: the DLL in question is distributed (with permission to redistribute) in the free Platform SDK download.

      So, any VB program that does image manipulation may be potentially vulnerable.

      I've used the DLL in question from C++ and Java/JNI programs before now. _Anything_ might be vulnerable. Check for "GDIPLUS.DLL" in your applications' install directories. Or use the tool linked from the article.
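      One way to do the check julesh describes, as an added example (not Tom Liston's scanner, not Microsoft's tool, and not code from this thread): walk a directory tree, find every copy of gdiplus.dll, and read each copy's file version out of its PE version resource so it can be compared with the fixed version given in the vendor bulletin. The fixed version, the scan root and the sample DLLs are placeholders constructed for the example; the page does not state the fixed GDI+ version number.

```python
"""
Added example: inventory every gdiplus.dll under a directory tree and report
its embedded file version next to a caller-supplied "fixed" version.
Not the article's tool and not Microsoft's; version numbers used below are
constructed placeholders, not real GDI+ build numbers.
"""
import os
import struct
import tempfile
from typing import Dict, Iterator, List, Optional, Tuple

Version = Tuple[int, int, int, int]

# VS_FIXEDFILEINFO.dwSignature. Every PE version resource starts its fixed
# block with this value, so locating it by signature is a cheap shortcut
# compared with walking the full resource directory tree (assumption: one
# version resource per image, which holds for normal DLLs).
FIXEDFILEINFO_SIGNATURE = struct.pack("<I", 0xFEEF04BD)
TARGET_NAME = "gdiplus.dll"


def parse_file_version(data: bytes) -> Optional[Version]:
    """Return (major, minor, build, revision) from a PE image's VS_FIXEDFILEINFO.

    Layout after dwSignature: dwStrucVersion, dwFileVersionMS, dwFileVersionLS.
    Returns None when no version resource is present.
    """
    pos = data.find(FIXEDFILEINFO_SIGNATURE)
    if pos < 0 or pos + 16 > len(data):
        return None
    _sig, _struc_ver, ver_ms, ver_ls = struct.unpack_from("<IIII", data, pos)
    return (ver_ms >> 16, ver_ms & 0xFFFF, ver_ls >> 16, ver_ls & 0xFFFF)


def find_copies(root: str, name: str = TARGET_NAME) -> Iterator[str]:
    """Yield every file named `name` (case-insensitive) below `root`."""
    for dirpath, _dirs, files in os.walk(root):
        for f in files:
            if f.lower() == name:
                yield os.path.join(dirpath, f)


def scan(root: str, fixed_version: Version) -> List[Tuple[str, Optional[Version], bool]]:
    """Return (path, version, needs_attention) for each copy found.

    `fixed_version` is a placeholder the administrator takes from the vendor
    bulletin. A copy whose version cannot be read is flagged as well, because
    "unknown" must not be reported as "fixed".
    """
    results = []
    for path in find_copies(root):
        with open(path, "rb") as fh:
            version = parse_file_version(fh.read())
        needs_attention = version is None or version < fixed_version
        results.append((path, version, needs_attention))
    return results


def build_fake_dll(version: Version) -> bytes:
    """Constructed test data: an 'MZ' stub followed by a VS_FIXEDFILEINFO block."""
    major, minor, build, rev = version
    ver_ms = (major << 16) | minor
    ver_ls = (build << 16) | rev
    return b"MZ" + b"\x00" * 62 + struct.pack("<IIII", 0xFEEF04BD, 0x00010000, ver_ms, ver_ls)


def make_demo_tree(copies: Dict[str, Version]) -> str:
    """Create a temp tree with one constructed GDIPLUS.DLL per application folder."""
    root = tempfile.mkdtemp(prefix="gdiplus_scan_")
    for app, ver in copies.items():
        os.makedirs(os.path.join(root, app))
        with open(os.path.join(root, app, "GDIPLUS.DLL"), "wb") as fh:
            fh.write(build_fake_dll(ver))
    return root


if __name__ == "__main__":
    # Placeholder versions, constructed for the demo; substitute the real
    # fixed version from the bulletin and a real install root in practice.
    FIXED = (1, 0, 20, 0)
    demo_root = make_demo_tree({"AppA": (1, 0, 10, 0), "AppB": (1, 0, 20, 0)})
    for path, ver, flag in scan(demo_root, FIXED):
        print("OLDER " if flag else "ok    ", ver, path)
```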

  15. Re:But Microsoft customers are idiots by Anonymous Coward · · Score: 4, Funny

    The funny thing is.. no slashdotters are windows users until a cool tool like that NASA world wind one comes up.. then suspiciously it's slashdotted.

  16. Re:Yes, Microsoft can fix everybody's code! by Anonymous Coward · · Score: 0

    Yes, Microsoft should be responsible, when those people who wrote the code using Microsoft dlls are distributing a vulnerable version of the dll. Microsoft approved the distribution of the dll, so they should know who did. It's a nightmare for Microsoft, but it is their job as the creator of the mess in the first place.

  17. Like We're Not Idiots? by MankyD · · Score: 5, Insightful

    Most users ARE idiots. It seems completely appropriate that they should be treated this way. I very much mean this.

    Yes, the slashdot crowd and others might do well to receive more information regarding vulnerabilities and fixes for them, but the average user would be overwhelmed.

    I once mentioned to a gentleman that the standard encryption on an 802.11b WAP wasn't entirely secure and he panicked. He asked if hackers would steal his credit card and social security numbers. I asked if he ever shopped online or transmitted those numbers across the internet to which he replied emphatically no (he didn't even store them on his computer for that matter). He still did not understand that a "hacker" can not steal his information from a WAP if it was never there in the first place. He promptly switched to using a ethernet based network.

    Most people are too stupid to be told even the first thing about security. Better a patch is provided that works and they use it. Seeing as how the patch was not complete in this case, that's different, yet the users should still be treated like morons.

    --
    -dave
    http://millionnumbers.com/ - own the number of your dreams
    1. Re:Like We're Not Idiots? by GlassUser · · Score: 1, Informative

      still did not understand that a "hacker" can not steal his information from a WAP if it was never there in the first place.

      That's probably because WAP is a way of using web pages on cell phones. Perhaps you meant AP? Don't be so fast to call people idiots . . .

    2. Re:Like We're Not Idiots? by ConceptJunkie · · Score: 4, Insightful

      And all this approach does is scare the idiot users, because the typical computer-phobe will assume his machine's been infected with a virus.

      So really, the tool doesn't serve anyone well.

      --
      You are in a maze of twisty little passages, all alike.
    3. Re:Like We're Not Idiots? by value_added · · Score: 1

      "Most users ARE idiots. It seems completely appropriate that they should be treated this way. I very much mean this."

      So ...

      Windows is made for idiots?

    4. Re:Like We're Not Idiots? by MankyD · · Score: 1

      that's not quite what I said... but that doesn't mean it's not true :-P

      --
      -dave
      http://millionnumbers.com/ - own the number of your dreams
    5. Re:Like We're Not Idiots? by Anonymous Coward · · Score: 5, Insightful

      "...Most users ARE idiots. It seems completely appropriate that they should be treated this way...."

      That's a little harsh especially considering your example. You can, of course, be a very smart person and not know much about wireless networking. That "gentleman" could be, for example, the lead scientist in a bio research project and if he asked you a question about something he had detailed knowledge of and you didn't know the answer he, too, could conclude most people are idiots.

      The world is full of technology that no one person can, or has the time, to absorb it all.

    6. Re:Like We're Not Idiots? by MankyD · · Score: 1

      Perhaps I should amend to say that they are idiots with regards to the technologies involved. But yes, he was an idiot (for other reasons as well) - he was worried that his credit card would be stolen without it ever being present in any form on his computer (or ever being present in the future.)

      --
      -dave
      http://millionnumbers.com/ - own the number of your dreams
    7. Re:Like We're Not Idiots? by Anonymous Coward · · Score: 0

      Dude. SHUT UP.

    8. Re:Like We're Not Idiots? by satoshi1 · · Score: 1

      WAP = Wireless Access Point. Don't be so fast to correct people.

    9. Re:Like We're Not Idiots? by Anonymous Coward · · Score: 0

      Moreover, most credit card transactions are done via SSL. Breaking WEP doesn't get a cracker anywhere as long as the application-level encryption is in force.

    10. Re:Like We're Not Idiots? by maxpublic · · Score: 4, Insightful

      Most users ARE idiots.

      Everyone's an idiot in a field they know little or nothing about. Computer users want their machines to work; they don't want to know how they work, and why should they? You regularly use devices, or the products of devices, that you can't even begin to describe the manner in which they function, yet I don't see engineers or factory workers or mechanics standing up and calling you an idiot for not knowing how these things work, or for not wanting to learn how these things work.

      Computers don't get a special exemption to this rule. They're just tools like any other tool, nothing more.

      Max

      --
      My god carries a hammer. Your god died nailed to a tree. Any questions?
    11. Re:Like We're Not Idiots? by MankyD · · Score: 1

      exactly

      --
      -dave
      http://millionnumbers.com/ - own the number of your dreams
    12. Re:Like We're Not Idiots? by Anonymous Coward · · Score: 0

      It doesn't take much questioning to conclude that most people are idiots. What is it about people NOT willing to admit to idiocy? I AM an idiot. Now what?

      Why must we defend idiots anyway? Why can't we just go "I'm not well-versed in this sort of thing borderlining stupid...but I have experience and knowledge to bring to the table. Educate me. I'm willing to learn." That's a lot better than "don't treat me like an idiot, I know what I'm doing" then screwing up royally.

      Hasta das

    13. Re:Like We're Not Idiots? by GlassUser · · Score: 2, Informative

      Misapplication of acronym. Don't be so reluctant to accept correction.

    14. Re:Like We're Not Idiots? by Paulrothrock · · Score: 2, Insightful
      Difference: I don't have to make sure software patches in my car work for my airbag to deploy. And when it doesn't deploy I or my beneficiaries can sue the hell out of the car company.

      I'm not saying you're wrong, but computers are totally different from factory machines or cars.

      But, really, you're arguing semantics. Idiots isn't the best word to use to describe users. Unknowledgeable is better. They don't know about the system they're using, and they shouldn't have to. We trust car designers and vacuum cleaner designers and toaster designers to make a system that's easy to use, and that protects us as much as possible from danger. We also trust business models, like banks, to keep things secure. (Probably a better analogy.)

      Example: There's a process you have to go through to withdraw money from your bank: Fill out a slip, walk to the cashier, show her ID, and then have her verify it and give you the money. People do this because it's the system that's in place for getting your money out, and it's pretty much secure.

      However, there are no systems for computer programs, at least that people can see. So instead of letting someone else verify your identity and give you the cash, you have to have an intimate knowledge of how to work the bank vault or you have an insecure transaction.

      So, no, users aren't idiots. But the systems in place don't allow for much human error, or protect users from it. Maybe UL should start certifying operating systems?

      --
      I'm in the hole of the broadband donut.
    15. Re:Like We're Not Idiots? by Anonymous Coward · · Score: 1, Interesting

      Most users ARE idiots. It seems completely appropriate that they should be treated this way. I very much mean this.

      Ugh. I have met some idiots in my life, and it's my opinion that the vast majority of computer users are NOT idiots. Modern life is so much more complicated than it needs to be, and, as a result, people just do not have the time (or the energy) to accustom themselves with every aspect of their personal computer, its operating system, and whatever software they need to run. How many times--especially in Linux!!--have you just wanted to DO something, without it turning into a goddamn research project? I, for one, think that computers can be versatile, easy to use, AND secure--all at the same time. Who's with me?! Step one is: idiot programmers need to get a clue and start writing software that WORKS*. I've written some of my own, so I know it can be done. It just takes a little more thought, a little more effort.

      * Is secure and easy to use.

      P.S. If I hear about one more buffer overrun exploit, I'm going to kill a man.

    16. Re:Like We're Not Idiots? by Anonymous Coward · · Score: 0

      dude, it isn't a pissing contest. you jumped the gun on correcting someone. the least you could do is admit you were wrong and move on. really, it's ok to be wrong once in a while.

    17. Re:Like We're Not Idiots? by MankyD · · Score: 1

      You're right, it would be very nice if computers just worked and it should be the first priority of every programmer out there - but that's not the issue at hand here.

      I'm going to say this in the nicest way possible because I really don't mean any ill will towards your intentions, but you are wrong about the idiot part - most users are very dumb. The number of tech savvy users is increasing and, depending on who you associate yourself with, you may find yourself surrounded by individuals who at least have a clue or maybe even an understanding - but this, like it or not, is not the norm.

      I've worked with plenty of individuals who weren't savvy, but knew how to stem a virus and patch a vulnerability, and for every one of them, I met five more people who didn't have a clue. Will this ever change? Hopefully, and I most definitely would think it will improve.

      --
      -dave
      http://millionnumbers.com/ - own the number of your dreams
    18. Re:Like We're Not Idiots? by john_anderson_ii · · Score: 2, Insightful
      I strongly disagree. Most users are not idiots. By this statement I mean most users have the capacity, if not the desire, to learn quite a bit about technical security. My best friend and former roommate is a fireman who can barely handle his remote control. However, in a few Q & A sessions I've successfully taught him the concepts behind memory paging, how buffer overflows execute "arbitrary" code, and he's familiar with three separate ideas of implementing SQL database load balancing. He picked up on these concepts through casual conversation. He's not some phenomenon; this occurrence has come to pass often within my friends and family. Why? Well, when their computers break they call me, and I fix them. When they ask "what happened?" I friggin' tell them. I tell them in a way that they can understand it. Funny how they are having to call me less and less these days. I'm willing to bet it's not because of AOL's hammer-mouse fixer thingy.

      Those aren't easy subjects to gain an understanding of....even if you have background knowledge under your belt.

      Microsoft knows damn well it can present detailed information on the nature of these flaws, what parts of the OS are affected, etc. in a way a great deal of its customers can understand.

      For Christ's sake, if "ass-crack" Bob down at GM Goodwrench or whatever can explain to me the concepts behind fuel-injector deterioration and how the balance between detergents and octane in gasoline affects their lifecycle, then MS can sure as hell explain a buffer overflow to a 33 yr old housewife.

      --
      Be Safe! Sleep with a Marine. Semper Fi!
    19. Re:Like We're Not Idiots? by Zen+Punk · · Score: 2, Insightful
      The issue wasn't that the gentleman didn't know much about wireless networking (heck, I don't know too much about it myself), it was that he had no fucking sense.

      It was as if you had told him, "You know, the hinges on that model of safe are easily broken," and he freaked.

      "Oh no, does that mean someone could break in and steal my diamonds?!!"

      "Well sir, do you have any diamonds in the safe?"

      "No."

      WTF?

      --
      Sleep is futile.
    20. Re:Like We're Not Idiots? by MankyD · · Score: 1

      I would agree that many people can have computing concepts explained to them, but this is neither Microsoft's job, nor any technical company's forte. Most people don't want to spend time reading anything more than the title of the patch for that matter.

      The one counter-example would be what you presented - when an individual has a technically savvy friend or family member readily available during a few free moments, they will often ask about what exactly is going on, and I am often very successful in explaining it to them. But when I'm not there, I know they would rather just have the problems go away via a patch. If they were that interested in computing, they wouldn't have needed my help in the first place.

      --
      -dave
      http://millionnumbers.com/ - own the number of your dreams
    21. Re:Like We're Not Idiots? by black+mariah · · Score: 1
      Difference: I don't have to make sure software patches in my car work for my airbag to deploy.
      So you've never heard of a product recall, I take it. *EVERY* large system has problems.
      --
      'Standards' in computing only impress those who are impressed by things like 'standards'.
    22. Re:Like We're Not Idiots? by black+mariah · · Score: 2, Insightful

      The word you're searching for and failing miserably in finding is ignorant. Most users are ignorant, and don't want to be anything else.

      --
      'Standards' in computing only impress those who are impressed by things like 'standards'.
    23. Re:Like We're Not Idiots? by brianosaurus · · Score: 1

      Exactly. If I were developing a tool for idiot (though I prefer the more accurate term "ignorant") users, it would work something like this:

      - run the scanner
      - it says "your computer is vulnerable. do [this] to fix it.", where [this] could be anything from "click here", to "run software update", to pages of command lines... whatever it takes.
      - they do [this]
      - run the scanner again
      - it says "your computer is not vulnerable." *
      - user sends email to their entire addressbook forwarding the virus alert adding "i tried it, and it really works!" at the top.

      * If the user makes an error when applying the fix, the scanner would again tell them to perform the fix. If most users cannot perform the fix on the first try, then it is too hard. Running the Software Update is not too hard and, in my experience, doesn't leave much room for user error.

      having the program output a legal-safe "your computer may be vulnerable" before and after the user applies the "fix" can only lead to more general confusion for an idiot, and more general pissed-offedness for a clueful user.

      --
      blog
    24. Re:Like We're Not Idiots? by orcus · · Score: 1

      Most users ARE idiots. It seems completely appropriate that they should be treated this way. I very much mean this.

      Hmmm - I think it would be more accurate to say:

      Most users ARE ignorant.

      There is a difference.

      It is a shame that Windows does not attempt to educate - but merely stoops to their current comprehension level.

      --
      First they burn books, then they burn people.
    25. Re:Like We're Not Idiots? by Anonymous Coward · · Score: 0

      Mady by idoits for idoits. Sounds like a new ad compain for MS!

    26. Re:Like We're Not Idiots? by Anonymous Coward · · Score: 0

      It's not harsh. It's purely based on reason. It has NOTHING to do with wireless. How can something be stolen from whence it does not exist? You have to be a moron to be afraid of that. What would you call someone who, upon hearing that their bicycle lock was easy to pick, became frightened that someone could empty their bank account? I hope you'd think they were rather dim at best.

    27. Re:Like We're Not Idiots? by CausticPuppy · · Score: 1

      Most people are too stupid to be told even the first thing about security.

      Since when is knowledge of computer security an indicator of one's intelligence?

      --
      -CausticPuppy "Of all the people I know, you're certainly one of them." -Somebody I don't know
    28. Re:Like We're Not Idiots? by Anonymous Coward · · Score: 0

      Since... always?

    29. Re:Like We're Not Idiots? by Cee · · Score: 1

      The world is full of technology that no one person can, or has the time, to absorb it all.

      Except that's what one expects from a sysadmin, I would guess ;-)

    30. Re:Like We're Not Idiots? by Anonymous Coward · · Score: 0

      yet I don't see engineers or factory workers or mechanics standing up and calling you an idiot for not knowing how these things work

      How often are you around engineers and factory workers? I bet they make fun of lots of idiots. Not to mention that you don't have to worry about how to operate that bridge or skyscraper the engineer built (not to mention needing to update it for security), and you probably would look like an idiot trying to use any specialized factory tool that any three-month veteran was quite capable with. The fact is computers are more complex than any other tool, but also used for more than any other tool. Therefore there is an abundance of idiots.

    31. Re:Like We're Not Idiots? by ConceptJunkie · · Score: 1

      You're right. Most computer users are not idiots, I was echoing the parent post's term.

      In fact, as a software developer, I am acutely embarrassed at the state of software usability with respect to non-savvy computer users. There is still way too much voodoo involved in setting up for and performing basic tasks.

      --
      You are in a maze of twisty little passages, all alike.
    32. Re:Like We're Not Idiots? by Anonymous Coward · · Score: 0

      Dude give it up.

      Just try to keep your acronyms straight in future OK?

    33. Re:Like We're Not Idiots? by Paulrothrock · · Score: 1
      Difference: *I* don't have to make sure the software patches work. They'll find the problem and offer to fix it for free. With Windows, I'd have to download and install the patch.

      Oh, and I don't have to worry about an airbag recall making my after-market stereo inoperable.

      --
      I'm in the hole of the broadband donut.
    34. Re:Like We're Not Idiots? by daijo78 · · Score: 1

      So you've never heard of a product recall, I take it. *EVERY* large system has problems.

      Next slashdot story:

      Microsoft recalls all their operating systems. Users supplied with alternative OS of choice free of charge.

    35. Re:Like We're Not Idiots? by Tony-A · · Score: 1

      Bah. Treat 'em like idiots and they'll behave like idiots.

      Smart humans, stupid computers is the way to play it.
      The dumber the human and the smarter the computer, the more important it is to play it that way.
      Just because the computer wants something doesn't mean that you do or should want that something. After all, it's just a computer. What's the price on zombied computers these days? A few hundred dollars for a few thousand computers, IIRC. That should help put things into perspective.

  18. Other ways by globring · · Score: 5, Insightful

    Any valid points the author has about the uselessness of the tool, or the general state of affairs with security at Microsoft, are dimished by his pompous attitude and snide remarks.

    Why not write a technically detailed letter about the code you find (since he read it so many times) and perhaps offer some constructive alternatives to improve it?

    Not only would it be more interesting to read, but they might actually be more willing to consider it.

    1. Re:Other ways by JohnnyNoSPAM · · Score: 1

      Yes, remember to keep correspondence cordial, professional, and to the point. Letters - especially open letters such as this - ultimately serve more to entertain an audience than to persuade a corporation.

      This letter brings up an interesting point, but it will most likely be disregarded by the corporation to whom it is directed.

    2. Re:Other ways by slipstick · · Score: 1

      The man wrote a scanner for the vulnerability better than the one Microsoft distributes, how much more constructive do you want him to be? All MS have to do is pick up his version and distribute it or ask if they can distribute it. They could also ask for and/or license the source code (it doesn't appear to be open source).

      I see no problem in him writing a letter (which was funny) deriding MS when he was able to write a better scanner himself. Especially since MS are supposed to have put security first, and is a company with billions in assets and cash. In other words, MS had effectively infinite resources compared to this guy and they didn't do their job. They should get slapped in the face for it.

      --
      Sure information wants to be free, but how much are you willing to pay for the packaging?
    3. Re:Other ways by Tenebrious1 · · Score: 1

      The man wrote a scanner for the vulnerability better than the one Microsoft distributes, how much more constructive do you want him to be?

      A little button at the bottom of his program that says "FIX!", that copies and registers new versions of the DLL so I can send this to my non-technical friends?

      --
      -- If god wanted me to have a sig, he'd have given me a sense of humor.
    4. Re:Other ways by Anonymous Coward · · Score: 0

      Any valid points the author has about the uselessness of the tool, or the general state of affairs with security at Microsoft, are dimished by his pompous attitude and snide remarks.

      I assume you mean "diminished" - that is simply not possible. The uselessness of the tool stands on its own - provided his description of the tool's operation is accurate. I could write a simple VB application that pops up the message box advising user to go to MS Update and repeat ad infinitum - it would be as useful as this tool.

      The general state of affairs with security at Microsoft is exemplified by this half-hearted, worthless response to what many (myself included) consider a very serious security hole.

      Why not write a technically detailed letter about the code you find (since he read it so many times) and perhaps offer some constructive alternatives to improve it?

      This approach has been tried for years - hasn't worked. Perhaps the tone of the article that you object to so much has been fueled by years of frustration with Microsoft's lackadaisical response to any and all security issues with Windows code.

      As for his lack of constructive alternatives, what can you say to these two?

      1. "MS04-028 is, perhaps, the epitome of bad technical writing" - Oh yes! Just reading the FAQ section, I had to re-read it three times to make sense of it. Really poorly written. You try it: read the answer to "If I use versions of Internet Explorer that are earlier than Internet Explorer 6 Service Pack 1, am I vulnerable to this issue?" and see if you can really decipher whether or not you are vulnerable.
      2. We already discussed the scanner they provided above. The uselessness of the tool stands on its own.

      The only correct alternative to both of these is REWRITE THEM! Did he have to spell it out?

      "Not only would it be more interesting to read..." - Speak for yourself; I enjoyed it.

      "...but they might actually be more willing to consider it." - See above; they haven't been willing to consider them before, why start now?

    5. Re:Other ways by slipstick · · Score: 1

      Sure that would be nice. But it's FREE and he's a 4th party contributor to this issue. It's also possible he would be in legal trouble for doing so (just making this up as I doubt it but it's possible).

      --
      Sure information wants to be free, but how much are you willing to pay for the packaging?
    6. Re:Other ways by ElvenMonkey · · Score: 1

      I see no problem in him writing a letter (which was funny) deriding MS when he was able to write a better scanner himself. Especially since MS are supposed to have put security first, and is a company with billions in assets and cash. In other words, MS had effectively infinite resources compared to this guy and they didn't do their job. They should get slapped in the face for it.

      But how do you think MS will view the letter? As stated in the parent, this letter is just self serving. No corporation would give it even half the time of day it deserves because the first thing it does is insult the reader and the company he works for. Companies I've worked for tend to just throw abusive letters into the waste paper recycling bin and ignore the content. If you can't make the effort to write a decent letter, they can't be bothered to read it.

      The author of this letter has not written this letter to Microsoft. He's written it to serve as a boot licker, to promote himself in geek culture as yet another person beating MS at their own game, and taking cheap pot-shots at them in the process. If he had any serious thoughts about their work it would have been formal, well written and concise whilst remaining descriptive enough to be of use. It would also have been rather boring for an open letter, and probably wouldn't have made slashdot. As it is he's succeeded rather admirably in his real goals.

      --
      "Joy is not in things; it is in us." Richard Wagner
    7. Re:Other ways by aws4y · · Score: 1

      Microsoft was not going to listen to him anyway. As long as the majority of people cannot tell the difference between microsoft "security updates" and real security then microsoft has no reason to change unless they are embarrassed into changing. Let's be clear: there are serious bugs in MS word that they haven't fixed.

      --
      Did Glenn Beck rape and kill a girl in 1990? gb1990.com
    8. Re:Other ways by slipstick · · Score: 3, Insightful

      As a way of getting Microsoft's direct attention the letter admittedly sucks.

      However, I would argue that the guy's point wasn't to garner brownie points with geeks as much as to get the frustration off his chest AND get geeks to recognize once again the flaws in MS's security protocols.

      Furthermore it isn't a "cheap pot-shot". He's venting, he's not bootlicking. He's saying "for crying out loud, you guys have billions of dollars, resources up the wazoo and you can't get it right, damn I'm mad and I'm going to vent (but I'm going to be humorous in doing so)!" Haven't you EVER felt that way? The beauty of the web is that he can post that and hopefully feel better about it.

      So, you're right, this isn't for MS, it's for the masses, including the press and geeks who might read it, giggle a bit, and maybe as a group hold MS's feet to the fire on this.

      --
      Sure information wants to be free, but how much are you willing to pay for the packaging?
    9. Re:Other ways by dmullenaux · · Score: 1

      Not only would it be more interesting to read
      I don't know, I thought the story about the basement was rather engaging, and brought back memories of my childhood.

    10. Re:Other ways by TheAwfulTruth · · Score: 1

      "Why not write a technically detailed letter..."

      "This approach has been tried for years - hasn't worked."

      So acting like a colicy baby will work then?

      Sorry, a level headed and informative tone is ALWAYS better than coming off like a brat, spoiled or otherwise.

      --
      Contrary to popular belief, coding is not all free blow-jobs and beer. Those things cost MONEY!
    11. Re:Other ways by Anonymous Coward · · Score: 0

      So acting like a colicy baby will work then?

      "colicy baby"? Jeeez, lighten up dude!

      Don't you understand: none of what is said makes any damned difference to Microsoft! So why not have a little fun with it?

  19. Re:Yes, Microsoft can fix everybody's code! by Anonymous Coward · · Score: 1, Informative

    Okay, everyone. One...More...Time...

    RTFA!

  20. How old is this guy? by freeze128 · · Score: 2, Funny

    I thought the LaBrea Tarpit had been around for millions of years....

    1. Re:How old is this guy? by Anonymous Coward · · Score: 0

      Even Bugs Bunny was looking for it, and ended up playing golf with a Scot

      My Bunny Lies Over the Sea (1948)

  21. I second that "information we can use" point by Asprin · · Score: 5, Insightful
    I spent about 45 minutes reading docs at MSDN/MSKB trying to find an explicit statement that IE6SP1 on Win98 is vulnerable, and I swear that they don't actually state that fact (explicitly) anywhere! I eventually was able to read between the lines and conclude that Win98 isn't vulnerable, but Win98 + IE6 is, so you should run Windows Update to DL the patch.

    Am I certain? No. Like I said, it's very difficult to find answers to very simple questions in their docs sometimes. I especially hate reading their security bulletins because it's like they were written by very technical lawyers who are trying to maintain the illusion of releasing information without actually doing so. As often as is possible, I try to wait a day or two for the DHS CERT to issue their bulletins because they do a slightly better job of relaying useful information.

    --
    "Lawyers are for sucks."
    - Doug McKenzie
    1. Re:I second that "information we can use" point by M-G · · Score: 2, Insightful

      Yup. Lousy job of this whole thing. They show a patch available for Win2K with IE6 SP1, yet scanning said system with their tool says there is no vulnerability. Or did the fix magically get added into a different update that was already run?

      Another system claims that there 'may' be vulnerabilities. Installed all the patches that would apply. The tool still says the same thing.

      Another pretty stupid thing is that they have this run as part of Windows Update, but they really need to be able to have a way for the average user to run it multiple times. After all, if Joe User sees that he has vulnerabilities, and then goes off to do other updates, he's going to have to find the download page for the tool later to recheck. This one has disaster written all over it.

    2. Re:I second that "information we can use" point by Asprin · · Score: 1
      Oh, yeah, great point about being able to run the GDI tool anytime - I completely forgot about the frustration around that! Last week, when I was running down all this stuff, it occurred to me, too, that I might just want to run that thing in the future. So, after looking in the docs on MS's web site and finding nothing, I turned to Google and it turns out MS *DOES* have a version you can run whenever you want. You can get to it by starting here.

      Good luck finding that page linked from the standard docs, though. I had to Google for "standalone gdi tool" or some such to find out it was even available. It's like Microsoft's own web site managers just don't get that whole "linking documents" thing. They create zillions of useless links and no actual information. Stupid, stupid, stupid. (obTongueInCheek: They might want to think about getting this whole 'linking' issue straightened out before trying to take on Google's search engine. :)

      --
      "Lawyers are for sucks."
      - Doug McKenzie
    3. Re:I second that "information we can use" point by Anonymous Coward · · Score: 0

      Surely we could do with some info... it appears that at least some Windows XP SP2 computers are vulnerable despite the fact that microsoft says that they are safe and that there is no update available for SP2 users!
      The only thing to do is a scan and a manual replacement with a good dll from another computer.

  22. Re:Yes, Microsoft can fix everybody's code! by BeerCat · · Score: 4, Insightful

    Actually, according to TFA, your analogy should be:

    "My home-built kit car has a Ford engine. There's a problem with the engine. Ford needs to fix it"

    --
    "She's furniture with a pulse"
  23. No Warranty Implied by Sneeper · · Score: 5, Funny
    I like how the sans.org GDIscan (http://isc.sans.org/gdiscan.php) has the following warranty in all caps:

    HIS APPLICATION IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, ....

    His letter might as well read:
    Dear Microsoft,
    How dare you take no responsibility for the code you write? I am handing out a much better version.
    P.S. I take no responsibility for the code I write.
    1. Re:No Warranty Implied by Anonymous Coward · · Score: 0

      Go read Section 11 of the GPL.

    2. Re:No Warranty Implied by Anonymous Coward · · Score: 1, Insightful

      Microsoft does not take warranty for their code, either.
      For not a single one of their products (and you shell out loads of money for)!

      This is a tool written to help and he cannot give warranties (in USA this may prove expensive...), because he is also a 3rd party and cannot know anything about this fricking hole.
      So take it or leave it.

    3. Re:No Warranty Implied by Anonymous Coward · · Score: 0

      But he's not charging for it, is he?

    4. Re:No Warranty Implied by gl4ss · · Score: 4, Insightful

      would you give warranty for something you give for free?
      i don't think so.

      well, maybe he'll give you your money back!

      --
      world was created 5 seconds before this post as it is.
    5. Re:No Warranty Implied by Zebbers · · Score: 0, Flamebait

      You dumbass. MS SELLS THEIRS. As A PRODUCT. His is a free gift, a tool. There is a fundamental difference.

    6. Re:No Warranty Implied by Jeff+DeMaagd · · Score: 1

      I'm not sure if anyone takes any responsibility for the code they write. Maybe if people demanded it, but that requires a turnaround in consumer expectations of software and possibly either legislation or judicial action that nullifies EULAs as we know them. I suppose if there was a sufficient constituent demand, legislation would be enacted, although grudgingly, I imagine.

      Frankly, I figure the responsibility for a product I make is limited to the amount paid for said product.

      Free software probably would get nowhere if the writers thought that they'd have to pay damages if it causes problems.

    7. Re:No Warranty Implied by Anonymous Coward · · Score: 0

      How it works, is that you get to know exactly what the ISC fixer does, and what it intends to fix, and precisely how it shall do that. After running their tool, you may still be vulnerable to be exploited otherwise - maybe even through a separate hole in the same library, which is not fixed by them. The ISC tool may work for you, but it is up to you to determine if it solves your specific problem - fixing what isn't broken, solves nothing. MS, on the other hand, evidently doesn't know what holes may exist in their own code, and similarly can only vouch that their patch will fix what it is intended to fix.

    8. Re:No Warranty Implied by CTalkobt · · Score: 1

      >> HIS APPLICATION IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, ....

      The only problem with his code 'tho is the initial jpeg display that pops up runs the virus which then consumes your system before you get a chance to run his tool to protect against jpegs that are in your system so that you can run tools to protect your systems against things like that.

      *big gulps of breath* That was hard to say....

      --
      There's a gorilla from Manilla who's a fella that stinks of vanilla and has salmonella.
    9. Re:No Warranty Implied by An+Onerous+Coward · · Score: 1

      There's a difference between the authors of a free utility covering themselves against lawsuits, and Microsoft's consistent pattern of giving crappy/misleading information about vulnerabilities in the software its customers paid for.

      If you reported an important bug in GDIscan, the author would most likely fix it quickly and thank you. That is what it means to take responsibility for your software. Whether the author refuses to plaster a "SUE ME" sign on his own back is not the issue.

      --

      You want the truthiness? You can't handle the truthiness!

    10. Re:No Warranty Implied by Richard_at_work · · Score: 1

      Redhat sells linux distributions, their software comes without any inherent warranty.

    11. Re:No Warranty Implied by GreyWolf3000 · · Score: 1
      They're not liable if their distribution screws up your data, but their viability as a business is contingent on people trusting that they won't cause damage.

      Their software does come with support, which implies accountability, which is what their customers are looking for anyway.

      --
      Slashdot: Where people pretend to be twice as smart as they really are by behaving like children.
    12. Re:No Warranty Implied by slipstick · · Score: 1

      And your point is?

      The grandparent supposedly found irony in someone complaining about a commercial product having no "real" support while distributing a free product without warranty. Your response? Here's another COMMERCIAL product without warranty.

      --
      Sure information wants to be free, but how much are you willing to pay for the packaging?
    13. Re:No Warranty Implied by MaskedKumquat · · Score: 2, Interesting

      You missed the fundamental point that Red Hat (and any distribution) is not really selling the underlying code they are distributing. They are selling the results of their bundling all of these disparate free packages together, so the difference in the original ancestor post is quite valid. Their only obligation to the consumer would be to maintain the integrity of the bundle, which ultimately relies upon the free software of which it was comprised.

    14. Re:No Warranty Implied by Trailer+Trash · · Score: 2, Insightful

      would you give warranty for something you give for free?

      Sure! If it doesn't work, they can have their money back...

    15. Re:No Warranty Implied by vida · · Score: 1

      so you're flying on a plane, the plane falls and you die... all your family can claim is the $$ you paid for the ticket?

    16. Re:No Warranty Implied by Anonymous Coward · · Score: 0

      Really. Why does that make a difference in any way?

    17. Re:No Warranty Implied by GSloop · · Score: 1

      The bullshit is that IE and all the other GDI library crap *WAS NOT* free.

      IE was rolled into the cost of the OS.

      The dev tools with the libraries were not free either.

      If I designed a flawed version of AutoCAD and you used it to design a building, and just as part of the design threw in a balcony that ended up collapsing and killing a dozen people, would you claim that I didn't bear any responsibility? (Perhaps because the people impacted by the collapse didn't pay me directly for AutoCAD?)

      Sheesh,
      Greg

    18. Re:No Warranty Implied by Anonymous Coward · · Score: 0

      that's a lame cop-out.
      fine, then don't claim yours is better than theirs.

    19. Re:No Warranty Implied by Anonymous Coward · · Score: 0

      His letter might as well read:

      P.S. Sorry for copying your EULA.

    20. Re:No Warranty Implied by dcam · · Score: 1

      If I designed a flawed version of AutoCAD...

      My experience is that people generally leave this to Autodesk. There hasn't been a stable release of AutoCAD since 2000.

      --
      meh
  24. Either way you choose... by Vexler · · Score: 2, Insightful

    It seems that Microsoft, for all its blustery and arrogant, dismissive attitudes toward end users, manages to find itself in a quandary. If it releases too much vulnerability information, it could very well help exploits be written at a faster clip; if too little, then it risks being irrelevant. The timing is tricky too in this case.

    Another problem, though, may have something to do with the audience. Trying to be "all things to all people" (including less-than-clueful admins), it is likely that they decided to "dumb down" the announcement, in short proclaiming that your computer "may be vulnerable". Some could argue that it is language of FUD, but I would say that they are trying to impress on as many people as possible that this is not just another "critical" update. This one is really, really critical.

    1. Re:Either way you choose... by HermanZA · · Score: 1

      Well, it certainly doesn't look like anybody needs help finding vulnerabilities in MS code. New exploits are coming out every week. My guess is that if MS would publish the source of Windoze on-line, exploits will still appear at the same rate, since all exploit writers are 100% loaded as is...

    2. Re:Either way you choose... by AlexeiMachine · · Score: 0

      You don't need any "vulnerability information" to write an exploit. The best source of info is to compare the patched code to the previous code and then, using various tools, see what has changed and how. Then you figure out the problem in the "before" code and find a way to exploit it. The patched code itself is a lot more useful than any description.

  25. The GDIscan tool worked fine for me. by garcia · · Score: 2, Interesting

    I guess I am too smart for my own good... It told me to only check Office update as it seemed to know that I was already up-to-date on the OS side.

    So I go over there and download/install the updates. The only problem I saw with it was that I had to supply my Office CDs during the install (and it warned that might include a key -- luckily I had both in close proximity). If MSFT fucks up I shouldn't be the one that has to produce the CDs/Key to fix it. MSFT should happily go about the update without needing either of those two things. They shouldn't be allowed to check for piracy during a security fix.

    That's at least how I saw it.

    So I was all patched up according to the Windows Update and the Office Update sites and I figured I was done. Maybe I was too smart for my own good?

    1. Re:The GDIscan tool worked fine for me. by kerrle · · Score: 2, Informative

      No, but you could still be vulnerable - as the letter points out, many third party programs distribute dll's that are potential vectors, and the Windows/Office update sites will not find those.

    2. Re:The GDIscan tool worked fine for me. by julesh · · Score: 1

      So I was all patched up according to the Windows Update and the Office Update sites and I figured I was done. Maybe I was too smart for my own good?

      Hmm. Perhaps you haven't thought about any of those other applications that you may have installed that use the library, all of which need an update?

      I'd download & try the tool linked from the article. It _does_ do a much better job.

    3. Re:The GDIscan tool worked fine for me. by Anonymous Coward · · Score: 0

      Strange. I ran the Office update and wasn't asked to insert the Office CD.

    4. Re:The GDIscan tool worked fine for me. by Anonymous Coward · · Score: 0

      They shouldn't be allowed to check for piracy during a security fix.

      It's not a piracy check.

      So I was all patched up according to the Windows Update and the Office Update sites and I figured I was done. Maybe I was too smart for my own good?

      Or maybe you should RTFA: there's a Microsoft-provided DLL distributed with countless third-party applications that is also vulnerable, requiring separate updates of each of those applications.

  26. Re:Yes, Microsoft can fix everybody's code! by AceCaseOR · · Score: 4, Insightful
    Funny, but irrelevant. Microsoft wrote the DLL's in question, but distributed them through third parties (as has been mentioned by other posters).

    For a better analogy, Microsoft is refusing to pay Child Support for its bastard child.

    --
    Zagreus sits inside your head, Zagreus lives among the dead, Zagreus sees you in your bed and eats you in your sleep.
  27. This whole open letter business by Anonymous Coward · · Score: 5, Funny

    Has anyone ever sent a closed letter?

    1. Re:This whole open letter business by happyfrogcow · · Score: 1

      I have. I'd show it to you and the rest of the world, but then I'd be forced to kill you. It details the linux kernel code that SCO has stolen.

      Oops, there I go.

      Prepare to die.

    2. Re:This whole open letter business by grifter7 · · Score: 2, Funny

      Has anyone ever sent a closed letter?

      The damn things show up in the mailbox all the time! What the @#$%@ am I supposed to do with them? I know from /. that only bad H@xoRs try to break into closed source, so i've just been throwing the little suckers away. But can someone please make them stop??

    3. Re:This whole open letter business by That's+Unpossible! · · Score: 1

      Ever heard of an envelope?

      --
      Ironically, the word ironically is often used incorrectly.
    4. Re:This whole open letter business by Blakey+Rat · · Score: 0

      Yes, but the original poster is asking, "has anybody actually sent it to Microsoft?"

      A lot of the time people on the Internet rant about some product, but they never bother to actually contact the company about it. If this guy actually sent the letter to Microsoft that's one thing; if it's just a pointless rant it's not.

    5. Re:This whole open letter business by ClosedSource · · Score: 2, Insightful

      Only when they're more interested in communication with the supposed recipient than they are with getting publicity for themselves.

    6. Re:This whole open letter business by owlstead · · Score: 2, Funny

      Dunno. That would be a bit like Schroedinger's cat...

    7. Re:This whole open letter business by DraKKon · · Score: 1

      Yea sure dude, all the time, it's in an envelope.

      --
      "It's not like your minds are as open as the source you love..." - Me to the majority of Slashdot.
  28. MS needs to warn developers by isn't+my+name · · Score: 4, Interesting

    Yes, Microsoft should be responsible, when those people who wrote the code using Microsoft dlls are distributing a vulnerable version of the dll. Microsoft approved the distribution of the dll, so they should know who did.

    No, MS should not be responsible for fixing code that third parties distributed using their code libraries. Just as no F/OSS code library project should be responsible for tracking down anyone who might have used their code library.

    However, MS should do a better job of making it clear to third party developers that the DLL may be included in their project (often without the knowledge of the project. Visual Studio does a great job of hiding the relevant DLLs that get loaded into a project.) None of the MS advisories on this that I have seen have included any recommendation to developers or consumers that they need to take additional steps after patching their system.

    MS should, though, have produced the tool that Tom Liston did. His scanner is 7k. Surely MS could have come up with something like that--and if you run Tom's GDI scanner, you'll note some places where it identifies possible problems. MS would be in a much better position to know if that is the case and thus able to provide better information.

    So, I disagree with what you are faulting MS for, but not the fact that MS should be faulted.

  29. An open letter to Tom Liston by daVinci1980 · · Score: 0, Offtopic
    Please stop treating your customers like idiots and give us information; information that we can use.

    Please look up what the semi-colon is used for; it should be used in place of a period for emphasis.

    Apologies for my grammar correction, but is seriously irks me when someone decides to send *an open letter* to a company and doesn't check for grammar, punctuation, and spelling mistakes. Or does OpenOffice not support these features? :-p
    --
    I currently have no clever signature witicism to add here.
    1. Re:An open letter to Tom Liston by tuffy · · Score: 1
      More specifically, a semicolon should be used to link two independent clauses not joined by a coordinating conjunction. In this case, "information we can use" is not a complete sentence. An em dash or plain comma would be better, such as:
      Please stop treating your customers like idiots and give us information - information that we can use.
      --

      Ita erat quando hic adveni.

    2. Re:An open letter to Tom Liston by lakcaj · · Score: 0

      "but is seriously irks me"

      Is it? Is it seriously irk you?

      lol, might want to do a quick spellcheck before you get on your soapbox, or does MS notepad not have a spellchecker? And also, if you find any errors in this post... I don't give a shit... so HA!

    3. Re:An open letter to Tom Liston by Anonymous Coward · · Score: 0

      ... but is seriously irks me ...

      Or does OpenOffice not support these features?

      Apparently, Microsoft Word doesn't have a grammar checker either.

    4. Re:An open letter to Tom Liston by micromoog · · Score: 1

      And, to nitpick even yet still further, a dash is typically typed as two hyphens -- but I'm sure you knew that.

  30. Also vulnerable from Microsoft... by Anonymous Coward · · Score: 3, Informative

    The Microsoft tool also misses several of Microsoft's own products, including the Office Viewers like Word viewer, Excel, Powerpoint, and Visio, all of which are vulnerable to the jpeg vulnerability.

    1. Re:Also vulnerable from Microsoft... by Anonymous Coward · · Score: 2, Interesting

      And you know this how?

    2. Re:Also vulnerable from Microsoft... by Anonymous Coward · · Score: 0

      Do you have a source for this information?

    3. Re:Also vulnerable from Microsoft... by Master+of+Transhuman · · Score: 1

      Heh, leaving aside the jpeg vulnerability, any tool that misses the ENTIRE WINDOWS OPERATING SYSTEM when looking for vulnerabilities is obviously useless.

      Mod this flamebait, mod this troll. Is that all you got, huh? Are you nuts? Come at me!

      --
      Richard Steven Hack - This sig is TOO GODDAMN SHORT TO DO ANYTHING USEFUL WITH! MORONS!
    4. Re:Also vulnerable from Microsoft... by Anonymous Coward · · Score: 0

      Scan your system for gdiplus.dll
      Look at the version numbers of the file.
      Then consult the list here of vulnerable versions of this file:
      http://www.microsoft.com/technet/security/bulletin/MS04-028.mspx (scroll down to FAQ section)

      The viewers for Microsoft products (which are based on Office versions) are all vulnerable.
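
      The check described in this post (find every copy of gdiplus.dll, read its file version, compare it with the bulletin's list), as an added Python example that is not part of the thread, the ISC tool or Microsoft's scanner. It assumes a caller-supplied fixed-version threshold (the demo's value is a constructed placeholder; take the real one from the MS04-028 FAQ linked above) and reads the version with a signature-search heuristic for the PE VS_FIXEDFILEINFO structure instead of a full resource-directory parser. The walk covers side-by-side and application folders, since that is where the third-party copies the thread complains about live.

```python
"""Locate copies of a named DLL (gdiplus.dll by default) under a directory
tree and report each copy's file version against a caller-supplied fixed
version.  Added example, not the thread's or the ISC tool's code."""
import os
import struct
import tempfile
from typing import Iterator, List, Optional, Tuple

Version = Tuple[int, int, int, int]

# Little-endian bytes of VS_FIXEDFILEINFO.dwSignature (0xFEEF04BD).  Any PE
# file carrying a VERSIONINFO resource contains this structure.
_FIXEDFILEINFO_SIG = struct.pack("<I", 0xFEEF04BD)


def parse_fixed_file_info(data: bytes) -> Optional[Version]:
    """Heuristic: find the VS_FIXEDFILEINFO signature and read the two file
    version dwords that follow it (layout: dwSignature, dwStrucVersion,
    dwFileVersionMS, dwFileVersionLS, ...).  None when nothing is found.
    A stray copy of the signature elsewhere in the file would mislead this,
    which is why a production scanner should walk the resource directory."""
    idx = data.find(_FIXEDFILEINFO_SIG)
    if idx < 0 or idx + 16 > len(data):
        return None
    _sig, _struc_ver, ver_ms, ver_ls = struct.unpack_from("<4I", data, idx)
    return (ver_ms >> 16, ver_ms & 0xFFFF, ver_ls >> 16, ver_ls & 0xFFFF)


def read_pe_file_version(path: str) -> Optional[Version]:
    with open(path, "rb") as fh:
        return parse_fixed_file_info(fh.read())


def find_dll_copies(root: str, name: str = "gdiplus.dll") -> Iterator[str]:
    """Yield every file called `name` (case-insensitive) below `root`,
    including copies inside WinSxS and third-party application folders."""
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            if fn.lower() == name.lower():
                yield os.path.join(dirpath, fn)


def scan(root: str, fixed_version: Version,
         name: str = "gdiplus.dll") -> List[Tuple[str, Optional[Version], str]]:
    """Classify each copy: 'vulnerable' (older than fixed_version),
    'patched' (fixed_version or newer) or 'unknown' (no version resource)."""
    report = []
    for path in find_dll_copies(root, name):
        ver = read_pe_file_version(path)
        if ver is None:
            status = "unknown"
        elif ver < fixed_version:          # tuple comparison, field by field
            status = "vulnerable"
        else:
            status = "patched"
        rel = os.path.relpath(path, root).replace(os.sep, "/")
        report.append((rel, ver, status))
    report.sort(key=lambda r: r[0].lower())
    return report


def build_fake_dll(version: Optional[Version]) -> bytes:
    """Constructed fixture: an MZ stub plus a VS_FIXEDFILEINFO header, enough
    for parse_fixed_file_info but not a loadable PE file."""
    blob = b"MZ" + b"\0" * 62
    if version is not None:
        ver_ms = (version[0] << 16) | version[1]
        ver_ls = (version[2] << 16) | version[3]
        blob += struct.pack("<4I", 0xFEEF04BD, 0x00010000, ver_ms, ver_ls)
    return blob + b"\0" * 32


# Constructed placeholder threshold for the demo only; the real fixed version
# is the one the MS04-028 bulletin FAQ lists.
DEMO_FIXED_VERSION: Version = (5, 1, 3102, 1000)


def demo() -> List[Tuple[str, Optional[Version], str]]:
    """Build a constructed tree with three DLL copies and scan it."""
    fixtures = {
        "app1/gdiplus.dll": build_fake_dll((5, 1, 3097, 0)),         # older
        "app2/GdiPlus.DLL": build_fake_dll(None),                    # no version
        "WinSxS/x86_demo/gdiplus.dll": build_fake_dll(DEMO_FIXED_VERSION),
        "app2/readme.txt": b"not a dll",                             # ignored
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, content in fixtures.items():
            full = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as fh:
                fh.write(content)
        return scan(root, DEMO_FIXED_VERSION)


if __name__ == "__main__":
    for rel, ver, status in demo():
        shown = ".".join(map(str, ver)) if ver else "?"
        print(f"{status:10s} {shown:16s} {rel}")
```

      Run against a real drive root the script only reads files, so it is safe to use for inventory; the useful output is the set of copies reported as "vulnerable" or "unknown" outside the system directory, which is exactly what the Windows Update check in the thread cannot see.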

    5. Re:Also vulnerable from Microsoft... by DraKKon · · Score: 1

      Exactly.. I just installed Word Viewer for 97/2000 and looked at all of the dependent dll's that are required for the exe.. and gdiplus.dll, sxs.dll, wsxs.dll and mso.dll are NOT required.

      --
      "It's not like your minds are as open as the source you love..." - Me to the majority of Slashdot.
  31. humidifier by trailerparkcassanova · · Score: 4, Funny

    My parents, in a vain attempt to rid the basement of its malodorous "twang" purchased a dehumidifier which, because there was no electrical outlet anywhere near the floor drain, required emptying on a daily basis.

    Uh, an extension cord perhaps?

    1. Re:humidifier by laird · · Score: 1

      " My parents, in a vain attempt to rid the basement of its malodorous "twang" purchased a dehumidifier which, because there was no electrical outlet anywhere near the floor drain, required emptying on a daily basis.

      Uh, an extension cord perhaps?"

      Or, to invert the problem, a hose? :-)

    2. Re:humidifier by Anonymous Coward · · Score: 0

      My parents, in a vain attempt to rid the basement of its malodorous "twang"

      I imagine many parents of slashdotters tried to get rid of their malodorous twangs who spend most of their time in the basement! Dehumidifier? Oh...

  32. Full text of TFA: by Anonymous Coward · · Score: 1, Informative
    Here is the full-text of the fucking article, since it's coming-in slow already:

    GDI Vulnerabilities: An open letter to Microsoft

    Dear Redmond Folks:

    When I was but a wee lad, we lived in a rather large, old house that had, among other charming qualities, a basement that would make even the bravest soul think twice before venturing downstairs. It was cavernous, ill lit, and, quite frankly, always smelled a little funny. My older brother, as older brothers are wont to do, would tell me fantastic stories about why the basement had that odor; generally centering on some unfortunate past resident's demise. I hated that basement.

    My parents, in a vain attempt to rid the basement of its malodorous twang purchased a dehumidifier which, because there was no electrical outlet anywhere near the floor drain, required emptying on a daily basis.

    And, no matter how many times I begged, bribed and pleaded with my older brother, he would somehow know when I was making my daily trek to the basement and, as I was down there trying to pull the heavy bucket out of the dehumidifier, the lights would suddenly snap off, the basement door would slam shut, and I would hear my older brother's voice wafting down from above: It's cooooooooming..... It's cooooooooming to get you.......

    And there I stood: alone in the dark, unknown terrors approaching, armed only with a bucket of water.

    Which is, curiously enough, almost exactly the position that Windows users find themselves in today: alone in the dark, unknown terrors approaching, but in their case, having a bucket of water would be an improvement.

    MS04-028 is, perhaps, the epitome of bad technical writing -- the literary equivalent of spaghetti code. I've read through it far too many times, and I still understand far too little.

    Your GDI Scanning Tool is worse than useless. Run it, and it tells you that you "may be vulnerable", and directs you to Windows Update and Office Update. Go to Windows Update and update everything you can find. Go to Office Update and do the same. Run the scanner again, and it tells you that you "may be vulnerable", and directs you to Windows Update and Office Update. Lather, rinse, repeat.

    [Which is why the ISC has made GDIScan.exe and GDICLScan.exe available. See http://isc.sans.org/gdiscan.php for details.]

    What about those old gdiplus.dll files that we're all finding in our Side-By-Side DLL directories? Are they a problem? Why are you updating sxs.dll? Is there vulnerable code in there, or did you just rig it to avoid using the bad code in older versions of gdiplus.dll? (Hey, if you had asked me years ago, I would have told you that this was a serious problem with your Side-By-Side implementation.)

    When a third party vendor wants to distribute a Microsoft DLL with their product, don't they have to get permission from you? Wouldn't there be a list somewhere in Redmond of the third party applications that have distributed vulnerable copies of gdiplus.dll? Can you tell us what they are?

    Please stop treating your customers like idiots and give us information; information that we can use.

    In other words: Turn on the lights and open the door. We're ready to come back upstairs now.

    -TL
  33. RULES OF SLASHDOT by JoeBar · · Score: 4, Funny

    Rule #1 You do not talk bad about Linux Rule #2 You do not talk bad about Linux

    1. Re:RULES OF SLASHDOT by Anonymous Coward · · Score: 2, Funny
      ok just to save the nerdlings some work --

      rule #3: Dont forget your HTML formatting

      bla bla bla

    2. Re:RULES OF SLASHDOT by JoeBar · · Score: 1

      lol mod parent up!

    3. Re:RULES OF SLASHDOT by JoeBar · · Score: 1

      goddamnit wrong thread

    4. Re:RULES OF SLASHDOT by subterfuge · · Score: 1

      and what, exactly is wrong with this thread?

      I'm sick and tired of you people coming in here and stirring up the sh*t.

      Why don't you just take whatever it is you have against what I think this thread is about and go somewhere where people care about whatever it was that YOU thought this thread was about?

      = ; ^ ) >

  34. In "How not to write an open letter 101"... by strAtEdgE · · Score: 4, Insightful

    ... first class on day one, they would cover off not including some pointless story about your childhood home which comprises half of the letter and has absolutely no relivence to the point of the letter, other than to say that windows users are "in the dark".

    Don't get me wrong, the letter itself was justified, and the author is right about the tool by microsoft I'm sure. But why is that story in there, to make sure that someone at Microsoft doesn't actually read it?

    --
    ----- sXe
    1. Re:In "How not to write an open letter 101"... by discord5 · · Score: 1
      and has absolutely no relivence to the point of the letter

      How to write a slashdot comment 101:
      don't ever bother to check your spelling ;)

    2. Re:In "How not to write an open letter 101"... by Master+of+Transhuman · · Score: 2, Funny

      "How to write a slashdot comment 101:
      don't ever bother to check your spelling ;)"

      No, that belongs in "How To Write A Slashdot Headline". /. comments REQUIRE bad spelling.

      Oops, just violated the rules. Let me korrect that.

      --
      Richard Steven Hack - This sig is TOO GODDAMN SHORT TO DO ANYTHING USEFUL WITH! MORONS!
    3. Re:In "How not to write an open letter 101"... by Anonymous Coward · · Score: 0
      Let me korrect that.

      Cool. Is that the new text editor from KDE?

  35. NEWS FLASH!! by Mastadex · · Score: 2, Funny

    This just in! Massive security flaw found in microsoft copyrighted code, which lets the hacker take over the users machine:

    #include <stdio.h>

    int main(){
    printf("Hello World!");
    }

    Microsoft recommends heading over the windows update to patch this flaw.

    --
    A morning without coffee is like something without something else.
    1. Re:NEWS FLASH!! by crabtech · · Score: 1

      Well hell, no wonder!
      Main is declared to return an int and there's no "return 0;"

      --
      "I envision a government where the to project to save the world is canceled due to budget cutbacks"
    2. Re:NEWS FLASH!! by Master+of+Transhuman · · Score: 2, Funny

      Right - typical Microsoft coding practice.

      --
      Richard Steven Hack - This sig is TOO GODDAMN SHORT TO DO ANYTHING USEFUL WITH! MORONS!
    3. Re:NEWS FLASH!! by RAMMS+EIN · · Score: 2, Interesting

      Excuse my ignorance; can someone explain why this is funny? Other than the fact that it is written in C and does not explicitly return an int, what's the security flaw here?

      --
      Please correct me if I got my facts wrong.
    4. Re:NEWS FLASH!! by Anonymous Coward · · Score: 0

      and that actually compiles, for you?

      try

      int main() {
      printf("Returning zero");
      return(0);
      }

    5. Re:NEWS FLASH!! by Anonymous Coward · · Score: 0

      Because it is buggy code.. and the number#1 reason why MS will not open its code, because it all looks like this. ;P

  36. No kidding! by Anonymous Coward · · Score: 0

    That was a strange letter. The site was already /.ed, so I read the letter in an AC comment, and kept waiting to get to the part about CmdrTaco. Never happened though.

  37. Well... by Anonymous Coward · · Score: 1, Interesting

    with a letter like Tom wrote, he'd kind of deserve that response. What is he, thirteen? Microsoft will probably push it around in a little circle of their corporate bureaucracy but with little in the way of enthusiasm. How can you not put that letter in the angry, political, CS major pile?

    I'm as antisocial as the next /.'er but come on, even I can an effective letter critical of a companies product. Even as a lame attempt to curry favor with the disaffected masses, it manages to be rambling despite its brevity.

    1. Re:Well... by Anonymous Coward · · Score: 0

      Pandering. Others. Simple mongers.

      Make the world stop. Brick-up the windows.
      Cows. Once again softly leaping the moon. Junebugs.
      Sheep in the fold. Sleep.

      Then what ? DARPA. " Doors of Perception. " Juice-up on the Orwellian parts. Sensible. Ordinary people turn on you.

      I know what. I'll complain.
      Out of the way. It should work. It won't work. It never will.
      Linux. Solaris. Windows. FreeBSD. OS X. BeOS. AIX.
      Life is dynamic.
      It won't work. Have a wonderful day.

    2. Re:Well... by Anonymous Coward · · Score: 0
      ...even I can an effective letter critical of a companies product

      As long as grammar doesn't count.

    3. Re:Well... by Anonymous Coward · · Score: 0

      Batteries are running low in my cordless keyboard. Happens. And I don't catch every mistake. Now when I write a letter, and personally sign it, there's a proof-reading process.

      But unlike you and Tom, I don't consider something I crapped out on a webforum like slashdot to be the equivalent of a well written letter.

  38. What I want to know is... by vrt3 · · Score: 4, Interesting

    MS has written lots and lots of prose about this vulnerability, but I still don't know how to download the new updated gdiplus.dll to redistribute. I've applied the update from windowsupdate.com to my computer, but I guess it would be a good idea to distribute an updated version to our customers. I just can't seem to find it anywhere.

    --
    This sig under construction. Please check back later.
  39. Yes by Anonymous Coward · · Score: 2, Funny

    It's called an envelope.

  40. Nero? by gad_zuki! · · Score: 3, Informative

    Anyone else getting this from the current version of Nero:

    C:\Program Files\Ahead\Nero Toolkit\gdiplus.dll
    Version: 5.1.3097.0 -- Vulnerable version

  41. It said something was vunerable.... by Anonymous Coward · · Score: 0

    That's like saying there is some country out there with a nuke that doesn't like the US. Do we just start randomly blowing $h!t up and hope that solves the problem?

    Okay, bad analogy.

    1. Re:It said something was vunerable.... by Anonymous Coward · · Score: 0

      That's like saying there is some country out there with a nuke that doesn't like the US. Do we just start randomly blowing $h!t up and hope that solves the problem?

      Okay, bad analogy.

      Bad analogy maybe, but you nailed down US foreign policy succinctly.

  42. F--- that by Anonymous Coward · · Score: 2, Interesting

    I'd have been happy if their "list of affected applications" was even remotely accurate. They say Office 2003 and .NET Framework 1.1 were vulnerable, but if you had applied PREVIOUSLY AVAILABLE updates to either of those products, then, in fact, they weren't. Mentioned anywhere in the KB article? Nope, the user has to figure out for themselves that even though they haven't installed any patches for this vulnerability for their products on the "affected" list, they're not actually vulnerable.

    Not to mention that their client scanner for the Windows vulnerability didn't even correctly identify vulnerable machines until several days AFTER the initial patch was released.

    This was a badly handled security update, even by Microsoft standards. I think Microsoft should start focusing at least SOME of their efforts on some sort of security initiative or something.

    1. Re:F--- that by Master+of+Transhuman · · Score: 1

      "I think Microsoft should start focusing at least SOME of their efforts on some sort of security initiative or something."

      They did that in 2001 and again this year.

      This is the result.

      Depressing, isn't it?

      --
      Richard Steven Hack - This sig is TOO GODDAMN SHORT TO DO ANYTHING USEFUL WITH! MORONS!
    2. Re:F--- that by Keeper · · Score: 1

      Office 2003 and .NET Framework 1.1 were vulnerable, but if you had applied PREVIOUSLY AVAILABLE updates to either of those products, then, in fact, they weren't

      Office 2003 and .Net Framework 1.1 are vulnerable. Office 2003 SP1 and .Net Framework 1.1 SP1 are not (the service packs are your 'previously available update'). Microsoft refers to service pack levels when specifying which products are and are not vulnerable. Lack of a sp level indicates a product without a service pack applied.

    3. Re:F--- that by Anonymous Coward · · Score: 0

      I believe I mentioned I figured it out. I also believe I mentioned that it's not explained anywhere in the KB article. How much effort would it have taken to write "Office 2003 with SP1 is not affected"?? Would they have to do this for every update where some service pack levels are more vulnerable than others? Yes, as long as the vulnerable service pack level is recent enough to be supported at all.

  43. This is NOT just a Microsoft bug! by Ryu2 · · Score: 5, Insightful
    Microsoft did not write their own JPEG code; rather they used the freely available implementation from the Independent JPEG group. The flaw is actually in the IJG code, not any Microsoft code.

    Indeed, Netscape, which also uses that code for its JPEG decoding, had that flaw (but it was fixed earlier, and of course, it did not make the news nearly as much as this Microsoft issue, owing to its much smaller market share.)

    http://www.openwall.com/advisories/OW-002-netscape-jpeg/

    --
    There's 10 types of people in this world, those who understand binary and those who don't.
    1. Re:This is NOT just a Microsoft bug! by Asprin · · Score: 1

      Interesting. So, are the current Gecko browsers vulnerable, too, or can we assume that this patch has been maintained through to current versions? Has anyone done any testing?

      --
      "Lawyers are for sucks."
      - Doug McKenzie
    2. Re:This is NOT just a Microsoft bug! by T3kno · · Score: 1

      Yeah, the point is that Netscape fixed the bug without having the media hype. Microsoft is continually caught with their pants down because they refuse/can't fix critical bugs before the sh*t hits the fan. If Netscape with their small market share proactively fixed the bug, why can't Microsoft with their billions of dollars? I personally think it's because they're too busy using Paint to draw sketches for their commercials.

      Microsoft's other problem is the atrocity that is Windows Update, but that is another issue entirely. I agree with the populace that it is the user's responsibility to update, but it should be a joyful (for the most part) thing like emerge -vu world, apt-get upgrade or up2date instead of the pain that is Windows Update.

      --
      (B) + (D) + (B) + (D) = (K) + (&)
    3. Re:This is NOT just a Microsoft bug! by Master+of+Transhuman · · Score: 2, Insightful

      "Microsoft did not write their own JPEG code"

      And they obviously never looked at it either, right?

      Not during their last "security initiative" and not during their PREVIOUS "security initiative" either.

      Anybody remember the "code freeze to tighten up security" several years back?

      --
      Richard Steven Hack - This sig is TOO GODDAMN SHORT TO DO ANYTHING USEFUL WITH! MORONS!
    4. Re:This is NOT just a Microsoft bug! by Anonymous Coward · · Score: 0

      Why? All Open Source is 100% secure and unreproachable. Right? So there's no need to do that.

    5. Re:This is NOT just a Microsoft bug! by Anonymous Coward · · Score: 0
      If you read the article you linked, it contradicts your claim that the vulnerability originated from the IJG library.

      Netscape browsers use the Independent JPEG Group's decoder library
      for JPEG File Interchange Format (JFIF) files. However, they install
      a custom handler for processing the COM (comment) marker that stores
      the comment in memory rather than just skip it like the library would
      do.

      Netscape introduced their own vulnerability (it was fixed in 2000, in the Mozilla source as well), and apparently Microsoft did the same thing years later. It's a mistake that's easy to make because of the way the JFIF format works.
    6. Re:This is NOT just a Microsoft bug! by ummit · · Score: 1

      The openwall page says that the vulnerability in Netscape's copy of the IJG code was in a Netscape modification to the code, not in the base code. So was there another vulnerability in the IJG code (meaning that everyone else inherited it, too), or did Microsoft introduce their own vulnerability with one of their own mods?

    7. Re:This is NOT just a Microsoft bug! by Frizzle+Fry · · Score: 1
      --
      I'd rather be lucky than good.
    8. Re:This is NOT just a Microsoft bug! by michaelhood · · Score: 2, Informative

      (from link)

      +++ mozilla/modules/libimg/jpgcom/jpeg.cpp Wed May 24 17:24:03 2000

      they managed to patch this four years before microsoft? and microsoft knew they were using the same IJG codebase?

    9. Re:This is NOT just a Microsoft bug! by solardiz · · Score: 1

      The flaw is not and never was in the IJG library.

      It was in Netscape (at least 3.0 through Mozilla M15 which was current at the time I found the bug in 1999). And that bug was patched in response to my report in Netscape and Mozilla in 2000. I then published the advisory.

      Apparently, Microsoft independently introduced the same bug into their code around two years later. It was reported to them in 2003, and we saw them fix and announce it now.

  44. Re:They don't treat their customers like idiots by Anonymous Coward · · Score: 0

    Feminist-Mom is an obvious troll. Check out some of "her" other posts. Someone with the power to do so needs to get proactive and take obvious trolls such as Feminist-Mom and set them to automatically post at -1 Troll. Otherwise slashdot is going to continue to go downhill as it has been doing for quite some time now.

  45. pissing in the wind by Anonymous Coward · · Score: 2, Funny

    an open letter to microsoft?! wow, that'll show'em.

  46. Re: Your quote by ConceptJunkie · · Score: 0, Troll

    Liberal (adj.): Free from bigotry; open to progress; tolerant of others.

    So you're saying most lefties really aren't liberals, and a lot of conservatives are? That would be my conclusion.

    --
    You are in a maze of twisty little passages, all alike.
  47. what is the work around? by Anonymous Coward · · Score: 0

    Okay so the tool found some problems.

    What is the best current work around for this?

    (or is the point there is no good work around?)

    1. Re:what is the work around? by Master+of+Transhuman · · Score: 1

      One word.

      Guess which word.

      --
      Richard Steven Hack - This sig is TOO GODDAMN SHORT TO DO ANYTHING USEFUL WITH! MORONS!
  48. This one is a real beauty by Anonymous Coward · · Score: 0

    Correct me if I'm wrong, but doesn't using shared libraries the way linux does avoid exactly this problem of having one library installed a dozen times on one machine and thus being virtually unable to fix serious security holes?

    And can I use this story every time someone tells us that software installation on linux should be the same as on windows?

  49. Internet Explorer DLL's by Llynix · · Score: 1

    I've been trying to clean the system from spyware and other malicious goodies. Finally firefox works with pogo.com so IE is now not in use at all. I managed to find a site that posted ALL of the startup locations for XP. And this has stopped the lurking spyware in the background.

    However I'm still looking for a site that can direct me on how to delete the malicious DLL's that are loaded up with IExplore. Anyone have any tips?

    1. Re:Internet Explorer DLL's by greenegg77 · · Score: 1

      1) Backup data
      2) Insert Windows CD and reboot
      3) Delete existing partition and create a new one.
      4) Format C:
      5) Reinstall Windows
      6) Restore data

      Alternative: 1) Backup data
      2) Install Redhat, Mandrake, Slackware, Debian, whatever
      3) Restore data

      --
      --- This .sig for sale - $500 OBO.
    2. Re:Internet Explorer DLL's by Anonymous Coward · · Score: 0

      SysInternals has a tool that allows you to see (almost) all of these locations; see http://www.sysinternals.com/ntw2k/freeware/autoruns.shtml

      The SysInternals tool apparently misses a few of the items. But it has a nice GUI for showing the items and for disabling them (though some spyware re-enables itself, but that's another story).

    3. Re:Internet Explorer DLL's by arkhan_jg · · Score: 1

      Try HijackThis, I've found it effective at removing BHO embedded in IE. Combined with Ad-aware, I've found it clears off pretty much everything.

      --
      Remember kids, it's all fun and games until someone commits wholesale galactic genocide.
    4. Re:Internet Explorer DLL's by Anonymous Coward · · Score: 0

      Why not just go back and ask the folks at bleeping computer? Just went there and it looks like they have a help forum.

  50. Re:Yeah, right. by DavidTC · · Score: 2, Funny
    Is that what is going on?

    I got that message, did everything it said, got the message again, and figured MS was on crack, reporting problems that didn't exist.

    It's good to know, instead of them being on crack, they're just failing to actually solve any problems, present any logical ways to solve them yourself, or even tell you exactly what is wrong, but there is actually a problem.

    I guess you're supposed to search for the filename you weren't told and check and see if the version is higher than the vulnerable version you weren't told, so you can go and download updates from Microsoft's website at the URL that you weren't told.

    It's certainly an interesting definition of 'Automatic Updates'. It's like a giant idiot light for your computer saying CHECK ENGINE, but it says UPDATE SOMETHING.

    --
    If corporations are people, aren't stockholders guilty of slavery?
  51. Should have used libjpeg! by Temporal · · Score: 1

    A vulnerability in libjpeg would be a planet-killing event, akin to the Earth being hit by an asteroid the size of Texas. Yet, no vulnerability has been found in over six years since the last release, despite the source code being freely available. Too bad Microsoft apparently decided to write their own decoder.

    1. Re:Should have used libjpeg! by LurkerXXX · · Score: 1

      As another poster earlier in the thread mentioned, Microsoft were hardly the only ones doing this. Netscape/Mozilla were also affected.

    2. Re:Should have used libjpeg! by Anonymous Coward · · Score: 0

      As pointed out they are using libjpeg. It is the libjpeg library that had this vulnerability in it. So it would affect any program using this libjpeg code base for jpeg support.

    3. Re:Should have used libjpeg! by Temporal · · Score: 1

      According to the link the guy posted, Netscape was using a slightly modified libjpeg, and it was in their added code that the bug was found.

      If libjpeg itself has a vulnerability, I would have expected to have heard about it, because that would be a serious problem and certainly not something that could be blamed on Microsoft. If I'm wrong please correct me.

    4. Re:Should have used libjpeg! by Deviate_X · · Score: 1
    5. Re:Should have used libjpeg! by Temporal · · Score: 1

      OK, um.

      (1) The IJG implementation is what I refer to as "libjpeg". I realize now that I spoke without really knowing what I was talking about, and probably shouldn't have made that post.

      (2) However, I have yet to see any evidence that libjpeg actually had a flaw. When Netscape supposedly had the "same flaw", it was NOT in libjpeg's code, but in a piece of code they added. If you read this link in detail, you find this (emphasis mine):

      "Netscape browsers use the Independent JPEG Group's decoder library for JPEG File Interchange Format (JFIF) files. However, they install a custom handler for processing the COM (comment) marker that stores the comment in memory rather than just skip it like the library would do. Unfortunately, the new handler doesn't check whether the length field is valid, and subtracts 2 from the encoded length to calculate the length of the comment itself. It then allocates memory for the comment (with one additional byte for its NUL termination) and goes into a loop to read the comment into that memory."

      Microsoft apparently later made the same modification with the same mistake, being an easy mistake to make. Can you quote me any source that actually says libjpeg itself has a security hole?
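
      The quoted advisory text describes a length field that is trusted before it is validated: the COM segment's 16-bit length includes its own two bytes, so a decoder that computes `length - 2` on a value below 2 wraps or goes negative before it allocates and copies. The block below is an added example, not code from the openwall advisory, Netscape, Mozilla or Microsoft: a bounds-checked walk over JFIF marker segments that extracts COM comments, refusing any segment whose length field is under 2 or whose payload runs past the buffer. The function and status names (`jfif_scan_comments`, `JFIF_ERR_BAD_LENGTH`) and the three sample byte arrays are ours and constructed, not taken from any real file.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Status codes for the segment walk (names are ours, not from any decoder). */
enum jfif_status {
    JFIF_OK = 0,
    JFIF_ERR_NO_SOI,      /* input does not begin with FF D8 */
    JFIF_ERR_TRUNCATED,   /* a marker or its payload runs past the buffer */
    JFIF_ERR_BAD_LENGTH,  /* length field < 2: "length - 2" would wrap */
    JFIF_ERR_NOT_MARKER   /* expected FF xx where a marker should start */
};

/* Walks marker segments from SOI until SOS (entropy data follows) or EOI.
 * Each COM (FF FE) payload is copied, NUL-terminated and truncated to fit,
 * into `out`, and *ncom counts how many COM segments were seen.
 * Every segment length is validated BEFORE it is used for arithmetic. */
int jfif_scan_comments(const uint8_t *buf, size_t len,
                       char *out, size_t out_sz, int *ncom)
{
    size_t pos;
    *ncom = 0;
    if (out_sz) out[0] = '\0';

    if (len < 2 || buf[0] != 0xFF || buf[1] != 0xD8)
        return JFIF_ERR_NO_SOI;
    pos = 2;

    for (;;) {
        uint8_t marker;
        size_t seglen, payload;

        /* A marker is one or more 0xFF fill bytes followed by its code. */
        if (pos >= len) return JFIF_ERR_TRUNCATED;
        if (buf[pos] != 0xFF) return JFIF_ERR_NOT_MARKER;
        while (pos < len && buf[pos] == 0xFF) pos++;
        if (pos >= len) return JFIF_ERR_TRUNCATED;
        marker = buf[pos++];

        if (marker == 0xD9 || marker == 0xDA)      /* EOI or SOS: stop here */
            return JFIF_OK;
        if (marker == 0x01 || (marker >= 0xD0 && marker <= 0xD7))
            continue;                              /* TEM / RSTn: no length */

        /* Length field: 2 bytes, big-endian, counts itself. */
        if (pos + 2 > len) return JFIF_ERR_TRUNCATED;
        seglen = ((size_t)buf[pos] << 8) | buf[pos + 1];
        if (seglen < 2) return JFIF_ERR_BAD_LENGTH;  /* the check the advisory says was missing */
        if (pos + seglen > len) return JFIF_ERR_TRUNCATED;
        payload = seglen - 2;                        /* now provably >= 0 and in bounds */

        if (marker == 0xFE && out_sz > 0) {          /* COM: copy what fits */
            size_t n = payload < out_sz - 1 ? payload : out_sz - 1;
            memcpy(out, buf + pos + 2, n);
            out[n] = '\0';
        }
        if (marker == 0xFE) (*ncom)++;
        pos += seglen;
    }
}

/* Constructed sample inputs (not real JPEG files). */
static const uint8_t GOOD_JPEG[] = {
    0xFF, 0xD8,                                   /* SOI */
    0xFF, 0xE0, 0x00, 0x04, 0x4A, 0x46,           /* APP0, length 4 */
    0xFF, 0xFE, 0x00, 0x07, 'h', 'e', 'l', 'l', 'o', /* COM "hello" */
    0xFF, 0xD9                                    /* EOI */
};
/* COM whose length field is 1: "length - 2" underflows in an unchecked decoder. */
static const uint8_t BAD_LENGTH_JPEG[] = { 0xFF, 0xD8, 0xFF, 0xFE, 0x00, 0x01, 0xFF, 0xD9 };
/* COM claiming 256 bytes when only 3 remain in the buffer. */
static const uint8_t TRUNCATED_JPEG[] = { 0xFF, 0xD8, 0xFF, 0xFE, 0x01, 0x00, 'a', 'b', 'c' };

int main(void)
{
    char comment[64];
    int n;
    int rc = jfif_scan_comments(GOOD_JPEG, sizeof GOOD_JPEG, comment, sizeof comment, &n);
    printf("good: status %d, %d comment(s), \"%s\"\n", rc, n, comment);
    rc = jfif_scan_comments(BAD_LENGTH_JPEG, sizeof BAD_LENGTH_JPEG, comment, sizeof comment, &n);
    printf("bad length: status %d\n", rc);
    rc = jfif_scan_comments(TRUNCATED_JPEG, sizeof TRUNCATED_JPEG, comment, sizeof comment, &n);
    printf("truncated: status %d\n", rc);
    return 0;
}
```

      The two rejections are the whole point: the `seglen < 2` test runs before `seglen - 2` is computed, and the `pos + seglen > len` test runs before any byte of the payload is read, so a hostile length field can only produce an error code, never an allocation or copy sized from untrusted arithmetic.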

  52. Color Vulnerabilities: An Open Letter to Slashdot: by Anonymous Coward · · Score: 0
  53. Re:Yes, Microsoft can fix everybody's code! by Anonymous Coward · · Score: 0

    If your Ford had a Harley engine in it (which compared to my truck, might as well be the case), then yes, Harley Davidson SHOULD be able to fix it. Also, next time you need something that doesn't have a lame engine, buy a real truck, dipshit.

  54. Re:Yes, Microsoft can fix everybody's code! by Fulcrum+of+Evil · · Score: 1

    My home-built kit car has a Ford engine. There's a problem with the engine. Ford needs to fix it

    Well, yes. If Ford has a manufacturing defect in their engine, they do need to fix it. In keeping with the analogy, this Ford engine may well reside in a Saleen car.

    --
    "We returned the General to El Salvador, or maybe Guatemala, it's difficult to tell from 10,000 feet"
  55. Re:Yes, Microsoft can fix everybody's code! by julesh · · Score: 1

    Yes, when my Ford pick-up is having engine trouble, I always drive it to the nearest Harley Davidson to get it fixed.

    You might if it was a Harley manufactured component that was failing.

    Or, more accurately, if you have a Ford car which you've installed a Kenwood stereo in, but that stereo uses a special Ford component to integrate with the car; then if that component failed, who would you expect to fix it?

  56. Re:Wrong quote by Rob+the+Bold · · Score: 2, Funny

    Learn how to spell!

    I think "learn how to cut-n-paste" would be the appropriate admonition.

    --
    I am not a crackpot.
  57. Re: Your quote by ConceptJunkie · · Score: 0, Flamebait

    You aren't willing (or able) to back up your claims? Come clean, are you really Dan Rather?

    --
    You are in a maze of twisty little passages, all alike.
  58. Let's talk basements... by ElBorba · · Score: 2, Interesting

    I have serious doubts that this 'open letter' will draw a response of any kind from our pals at Microsoft. If it takes more than 15 seconds to get to the point, it's going to get scanned in Redmond. I have heard repeatedly of management and strategic meetings (particularly those run by contracts, vendors or other "outsiders") wherein people will simply stand up and walk out if they aren't implicated in the first two minutes. The travails of a boy terrorized by a sibling won't keep a busy exec from his IM session with the Portuguese yacht firm that's fitting out his troller. Live and learn, eh? Too bad though, it's really a rather compelling tale of deceit and greed. I wasn't expecting the part at the end about the snake.

    --
    "The Borba"
  59. Is this a Microsoft first? by corporatemutantninja · · Score: 3, Funny

    Intentionally spreading FUD about their _own_ products?

    --
    Actually, I was trying to be Insightful, not Funny.
  60. I wrote a letter to Gill G "Unit" Gates by Wedge1212 · · Score: 2, Funny

    he said he likes purple flowers with sprinkles on top.

    --
    See Sig! See Sig Zig! Zig Sig Zig!!!!!
  61. Getting rid of Internet Explorer DLL's by Anonymous Coward · · Score: 0
  62. Abridged for the Slashdeft impaired by Sophrosyne · · Score: 1

    Open Letter to Micr0$haft, I had a basement which smelt, and my brother would lock me in and yell at me saying: "It's cooooooooming..... It's cooooooooming to get you.......". And there I stood: alone in the dark, unknown terrors approaching, armed only with a bucket of water. This is exactly like Windows. I can't read your code because it is spaghetti code. Your "GDI Scanning Tool" is worse than useless. stop treating your customers like idiots. Windows sucks, I hate you x 10, -TL

    1. Re:Abridged for the Slashdeft impaired by Master+of+Transhuman · · Score: 1

      That's better.

      This is more on Ballmer's level. The original version used too many big words - and none of them had to do with money.

      --
      Richard Steven Hack - This sig is TOO GODDAMN SHORT TO DO ANYTHING USEFUL WITH! MORONS!
  63. OSS libraries sometimes bundle, too... by Anonymous Coward · · Score: 0

    Moin,

    other OSS libraries also sometimes bundle libraries like libzip, libpng etc. A prominent example (but not the only one, don't want to pick on them!) is Irrlicht:

    Thread
    I voiced my concerns in the linked thread, so far they were not compelling enough. I hope that the IrrlichtNX developers (and maybe also Nico then :) reverse their decision and do not bundle libs but require them.

    This is also directed towards other libraries that simply include some version of a library they need instead of linking against the installed version.

    Best wishes,

    Tels

  64. Dumb Question by ewhac · · Score: 4, Interesting

    I have a dumb question. I admit it's a dumb question, because I've spent the last twenty years of my career working with non-Microsoft operating systems and products. The answer may be obvious to someone with that kind of experience, but not to me. So here goes:

    Why the hell are there multiple copies of the same, critical, shared system library floating around on the machine?

    See, where I come from, you have one copy of shared system libraries -- the latest one, with all the latest patches. This library is fully backward-compatible with all its predecessors. Further, the shared system libraries are all in the same place, so you know where to go looking to drop in updates or, if needs be, regressions. (On very, very rare occasions, there'll be a copy of a specific version living alongside the (by definition, broken) application that needs it.) This approach leads to clean system maintenance and ensures that all applications are using the same, up-to-date, best performance, most secure version of the system libraries.

    So why is Windows different? Why are there a zillion copies of GDI+ laying around? And why would you want it that way?

    Schwab

    1. Re:Dumb Question by quantum+bit · · Score: 1

      So why is Windows different? Why are there a zillion copies of GDI+ laying around? And why would you want it that way?

      Because Windows programmers are stupid (think VB kiddies) and don't understand the concept of backwards compatibility / versioning of shared libraries. Different incompatible versions of shared system libraries replacing each other == DLL Hell. Rather than fix the problem they just took the quick fix and bundled copies of the ones they wanted with their app.

    2. Re:Dumb Question by greendot · · Score: 5, Informative

      Back in the day, it was recommended to put all system DLLs into the main system folder and all your custom DLLs into the app folder. But, Windows' awkward design and poor installation utilities led to many system DLLs being overwritten with old or broken versions. You would find yourself with a broken app and really no way to tell what caused it.

      So, to stop the headache, we started putting system DLLs locally, thanks to the path priority built into Windows - it always checks local folders first. And it worked, most of the time. If you asked for a DLL by name and another app was using an incompatible version, you would still get the stinky one. But, if you were first to the call then you knew you would get yours.

      But, the trend had taken root and like any good weed it is hard to get rid of.

      I don't even think this tool is checking for the other sneaky developer trick of renaming the DLLs, either to hide the fact that it's not licensed or other legal yet obscure reasons.

    3. Re:Dumb Question by Anonymous Coward · · Score: 0

      "Why the hell are there multiple copies of the same, critical, shared system library floating around on the machine?"

      'cause you tested your app with version X of the library and it was solid. So you want your users to use the same version. When you later have to diagnose problems of your app in user installations you know which version of the library is used and have the exact same setup available. Sure, version X+n is supposed to be backwards compatible with X but fewer unknowns is better.

      Another reason is that any moron can write an installation that will put version X-m of the shared library over your X. So it can be safer to keep your libraries where morons will not overwrite them.

      Having said that, it is common practice (that I follow) to install shared libraries in the windows system folder for the reasons you wrote about.

    4. Re:Dumb Question by Nevo · · Score: 2, Insightful

      Actually, that's an excellent question. And believe it or not, the answer actually kinda makes sense.

      The file in question is gdiplus.dll. This file was included in Windows XP and Windows Server 2003, but was not part of previous operating systems.

      Therefore, apps that used this .dll (like Internet Explorer) when installed on previous operating systems (like Windows 2000) had to ship their own copy of the .dll.

      So some apps ship with their own copy, then along comes WinXP/2K3, and they add a second, system-supplied copy.

    5. Re:Dumb Question by KidSock · · Score: 1

      Why the hell are there multiple copies of the same, critical, shared system library...

      I don't think they mean the same JPEG library is installed in multiple places. I believe a third party DLL can be statically linked against another library such as the JPEG library. I don't know if that's true in this case but that wouldn't be entirely unreasonable. The vendor may want to try to minimize the impact of future releases or simplify packaging.

      The real question is; is this exploit triggered by kernel code and thus runs effectively as SYSTEM? Mentioning GDI seems to insinuate that is the case but I doubt GDI code actually parses JPEG files.

    6. Re:Dumb Question by ad0gg · · Score: 1

      Only works if the libraries are binary compatible; if a new version comes out that's not binary compatible, and you replace it, all the other apps that reference the dll will break. Microsoft's solution for this comes with .net, which implements a global assembly cache, where you can store multiple versions of the same DLL. Working with DLLs for many years, DLLs are fucking hell.

      --

      Have you ever been to a turkish prison?

    7. Re:Dumb Question by ewhac · · Score: 1
      Only works if the libraries are binary compatible, if a new version comes out thats not binary compatible, and you replace it. All the other apps that reference the dll will break.

      Again, forgive my naïveté, but what kind of idiot would do that sort of thing?

      The whole point of a shared library is transparent binary compatibility among clients. If it's not binary-compatible, then it's not really the same shared library, is it? And if you absolutely must break binary compatibility, then you should either change the major revision number and make applications explicitly ask for the version they need (not so hot, but workable), or change the library name entirely (better).

      I mean, this is flipping obvious to me. Surely, if these ideas were sound, The Finest Software Engineers In The World would do it the same, or in a similar, way. The fact that The Finest Software Engineers In The Industry seem not to do it this way suggests that my ideas may, in fact, be utterly crazy. But if I am crazy, I'm unable to see it. So, who's crazy here?

      Schwab

  65. Re:Don't go for pretty software by Skye16 · · Score: 3, Insightful

    No, software should work AND look pretty. Just because form follows function doesn't mean it should be completely disregarded.

  66. Piracy Check by nurb432 · · Score: 1

    And why can't they enforce a piracy check on EVERY update? Eventually they will anyway..

    It's their software, they can make it expire each month and force you to renew.. Don't laugh, I had to deal with software like that.. every month it had to phone home to verify we were current with our nearly 1000$ a month maintenance contract.. or it would die. .. 2 day grace period for weekends, and without it, we couldn't do business.. no alternative choices).. It also required admin rights, so once a month I had to login to the damned machine and do the process, manually.. And god help you if you need to reinstall... what a nightmare..

    That said, it *would* be annoying to have microsoft do this, and might be a problem with enterprise installs. prompting users for things they shouldn't know..

    But hey, make it too hard to use their products, people will start looking for alternatives..

    --
    ---- Booth was a patriot ----
  67. Why not offer a common jpeg DLL? by AaronW · · Score: 4, Insightful

    I am surprised that Microsoft does not do what Linux does and have a common DLL provide all the JPEG functionality. At least in Linux, most, if not all apps, use libjpeg.so.

    Fixing a problem like this in Linux is trivial. Only libjpeg needs to be patched, and automagically, all apps that depend on that library are also rendered invulnerable.

    We saw this with png and other shared libraries. Also, offering many of these common libraries as DLLs helps reduce code bloat since every app no longer needs to reinvent the wheel.

    --
    This post is encrypted twice with ROT-13. Documenting or attempting to crack this encryption is illegal.
    1. Re:Why not offer a common jpeg DLL? by retro128 · · Score: 2, Insightful

      Fixing a problem like this in Linux is trivial. Only libjpeg needs to be patched, and automagically, all apps that depend on that library are also rendered invulnerable.

      What about programs that have been compiled statically? It wouldn't be a good thing to patch the library and then assume all of your apps are fixed. I realize that not many people do static compilations when they can avoid it, but it does happen in the name of portability, or maybe in the odd binary package where the packager didn't feel like writing in dependencies. I would think that unless you know FOR SURE your program is relying on the external library, it would be bad to put your faith in the fact that your programs are protected after updating it.

      --
      -R
  68. OSS libraries also bundle libs...waiting problem by Anonymous Coward · · Score: 0

    arg forgot the link:

    Moin,

    other OSS libraries also sometimes bundle libraries like libzip, libpng etc. A prominent example (but not the only one, don't want to pick on them!) is Irrlicht:

    Thread

    I voiced my concerns in the linked thread, so far they were not compelling enough. I hope that the IrrlichtNX developers (and maybe also Nico then :) reverse their decision and do not bundle libs but require them.

    This is also directed towards other libraries that simply include some version of a library they need instead of linking against the installed version.

    Best wishes,

    Tels

  69. Re:Don't go for pretty software by zeath · · Score: 1

    My college classmates and I had a term for this. We called them "flashy people". As you described them, they're the people who value looks over functionality. There's a small bit of play on words with Flash there, too, since flashy people (usually a part of management and/or graphics design) are the ones responsible for demanding the Flash animations for a corporate/product page that prevent a more straightforward display of content.

  70. I know I'm not the first to think... by kulakovich · · Score: 1


    ... NOD is going to love this!

    kulakovich

  71. So how do I repair? by Compenguin · · Score: 1

    What's the procedure for updating third party gdi installations?

    And at a fundamental issue, why does my system need multiple copies of this gdiplus library? Isn't the whole purpose of DSOs to avoid needing multiple copies?

    1. Re:So how do I repair? by Bill+Kendrick · · Score: 1

      I need. ISC's checker found one 'vulnerable' copy of gdiplus.dll on my system.

      Great! Now what?

      -bill!

    2. Re:So how do I repair? by Anonymous Coward · · Score: 0
      To answer your question:
      1. Back up any of your data that you haven't foolishly stored in a proprietary format
      2. Install Linux (don't bother to leave a Windows partition behind).
    3. Re:So how do I repair? by bogie · · Score: 1

      See the post a little above for the link to the redistributable version, then just copy it over gdiplus.dll where needed. BTW, if you're doing an SP2 slipstream update, might as well copy gdiplus.dll over any versions of it in the service pack once expanded.

      --
      If you wanna get rich, you know that payback is a bitch
    4. Re:So how do I repair? by Compenguin · · Score: 1

      Is it safe to replace v6 GDI DLLs with the v5 redistributable? Is there a v6 redistributable?

    5. Re:So how do I repair? by Anonymous Coward · · Score: 0

      I had a few, one in Adobe Premiere 1.5, one in Canopus Edius, and one in Realviz ImageModeller. Anyway, what I did was copy from the redistributable package.

      I renamed each existing file to gdiplus.dll.not then I copied this

      ATTRIBUTES for file: gdiplus.dll 1,645,320 .a.. 5-04-04 11:53:40

      to the location of each problem drive\directory\file detected

      I tried each program and made sure they were working BEFORE continuing on, e.g. do it ONE AT A TIME: fix, re-scan, etc.

      Having a gdiplus.dll.not as emergency to continue to work is the obvious benefit, but I too desire for this problem to be sorted CORRECTLY!?

      I got the file here:
      http://download.microsoft.com/download/a/b/c/abc45517-97a0-4cee-a362-1957be2f24e1/gdiplus_dnld.exe

      A short description...
      Good Luck everyone.

      ===========
      Gdiplus.dll
      ===========

      For Windows XP use the system-supplied gdiplus.dll. Do not install a new gdiplus.dll over the system-supplied version
      (it will fail due to Windows File Protection).

      For Windows 2000, Windows Millennium Edition, Windows NT 4.0 and Windows 98, install gdiplus.dll into the private
      directory of the application not into the system directory.

      In addition to the rights granted in Section 1 of the Agreement ("Agreement"), with respect to gdiplus.dll for Windows
      2000, Windows Millennium Edition, Windows NT 4.0 and Windows 98, you have the following non-exclusive, royalty free
      rights subject to the Distribution Requirements detailed in Section 1 of the Agreement:

      (1) You may distribute gdiplus.dll solely for use with Windows 2000, Windows Millennium Edition, Windows NT 4.0 and
      Windows 98.
      "

    6. Re:So how do I repair? by hobo2k · · Score: 2, Informative
      There is no v6 that I know of.

      The strange thing is that the latest gdiplus redistributable is version "5.1.3102.1360 (xpsp2.040109-1800)". But the final release of SP2 contains a NEWER version: "5.1.3102.2180 (xpsp_sp2_rtm.040803-2158)".

  72. and static linking? by Anonymous Coward · · Score: 0

    remember the zlib vulnerability and static linking? you had no shared library to detect, the vulnerable code was in zillions of apps, inside them! (and could still be in many old binaries, without people realizing)

  73. Amusing, but... by JustNiz · · Score: 0, Redundant

    I bet he won't get a response from anyone at Micro$oft who matters...

  74. The reason the basement always smelled funny... by Anonymous Coward · · Score: 0

    ...is that when you're small, scared, and alone in the dark armed only with a bucket of water, you have an uncontrollable urge to pee.

  75. M$ users must be idiots by Anonymous Coward · · Score: 0

    Micro$oft has based its business model on just that assumption; screw the customers and they keep coming back for more, complaining all the way. Ironically, most of them even brag about how good a screwing they got! Meanwhile, M$ just laughs all the way to the bank! SUCKERS!

  76. Needed to patch his brother by randyflood · · Score: 1


    He just needed to patch his brother.

    I think he could have used an extension cord and the bucket of water...

    --
    Randy.Flood@RHCE2B.COM
  77. Re:Re :peoplesprimary by Anonymous Coward · · Score: 0

    What site do they post to? I want to see! although I suspect most of them will be "peoplesprimary.com". Also, for those that have not gone there yet, there's a loud background sound that repeats "hey everybody I'm watching gay porno", and hundreds of popups appear, and no, firefox does not block them.

  78. So security by obscurity is best? by redelm · · Score: 1
    Think "users are idiots" through: In the unlikely event MS releases a patch, it won't get installed, so probably should not have been released. Anyone know if patches have been used by exploit writers?

    CERT and Bugtraq also MUST be shutdown if users don't use this info. Might as well just write the software authors when a bug is found. Quiet-like. MS would approve.

    The problem with this scenario is that exploits would be less public, and more private and nasty. No public pressure to fix. Those who wanted to protect themselves really couldn't.

    The bulk may be [l]users, but the few who are not drive the business, and to some extent, protect everyone.

    1. Re:So security by obscurity is best? by MankyD · · Score: 1

      They hopefully do get installed, because we treat users like morons and install it for them a la windows update :-P

      At least that's the way it should work.

      --
      -dave
      http://millionnumbers.com/ - own the number of your dreams
  79. Please stop treating your customers like idiots... by Anonymous Coward · · Score: 0

    shutup, IDIOT!

  80. Hi Tom... by feloneous+cat · · Score: 1

    Hi Tom,

    I remember back in the day when I used to rat-race CAT's just for jollies and hack on CP/M systems for the money. Those were good times.

    But, frankly, as I have aged, a couple of things have come up: one, I now have a helluva' property-tax to get out of...er... pay, yeah, pay. And you think we can send all those poor kids in Africa medicine with cheap software? No sir, buckeroo, it requires a lot of dough.

    As for treating our customers "like idiots", I take umbrage at the remark. We treat everyone exactly the same. No favoritism. Except for Michael.

    We have responded to the problem. After all, we have said security is job #1. Well, actually, we said profits, didn't we? Okay, let's call it job #2. Or maybe #3? We can't forget all those poor African children. Or do you have something against African children, now?

    Again, I hope for the best for you. Perhaps this is merely a subject you and I can agree to disagree.

    Your pal,

    Bill

    --
    IANAL, but I've seen actors play them on TV
  81. Yes, BUT ... by Anonymous Coward · · Score: 1, Informative
    It's actually a tough job even on Linux

    It's a tough job if you want the absolute highest currently available level of security.

    The Linux problems that get found (and usually fixed within a very short time indeed) are mostly theoretical vulnerabilities that nobody would even bother to report on Windows. For example, last month there was a vulnerability (now fixed) that could, theoretically, enable an ordinary user to get root access.

    Nobody would ever report a flaw like this in Windows, because everybody knows it is trivial to do on Windows. (E.g. the shatter attacks.)

    For reasons like this, any reasonably recent Linux distro is more secure than the latest patched version of Windows.

  82. Vulnerable program thread by whovian · · Score: 1

    Did a file search and found 13 *gdi*.dll files on my XP Home + SP2 system. Liston's scanning program reported the following warnings:

    C:\Program Files\RecordNow!\gdiplus.dll
    Version: 5.1.3097.0 -- Vulnerable version

    C:\WINDOWS\WinSxS\x86_Microsoft.Windows.GdiPlus*\GdiPlus.dll
    Version: 5.1.3097.0 -- Possibly vulnerable (Windows Side-By-Side DLL)

    C:\WINDOWS\WinSxS\x86_Microsoft.Windows.GdiPlus*\GdiPlus.dll
    Version: 5.1.3101.0 -- Possibly vulnerable (Windows Side-By-Side DLL)

    --
    To-do List: Receive telemarketing call during a tornado warning. Check.
    1. Re:Vulnerable program thread by whovian · · Score: 1

      Sorry, yeah, the WinSxS ones don't count.

      --
      To-do List: Receive telemarketing call during a tornado warning. Check.
  83. Amen. by neilb78 · · Score: 0

    Another Amen. Judging by the tone of Tom's letter, he apparently doesn't want to be taken seriously.

    --
    © 2004 The SCO Group, Inc. All Rights Reserved.
  84. Worse than useless.... by hcob$ · · Score: 0

    Assume: Microsoft Windows is useless, Scanners are less code than Microsoft Windows

    GDI Scanning utility is a Microsoft Windows Scanner
    All Microsoft Windows scanners are less than Microsoft Windows
    Therefore, GDI Scanning utility is less than useless.

    --
    Cliff Claven
    K.E.G. Party Chairman
    Founding Leader of: Koncerned for Egalitarin Governance
  85. Re:Yeah, right. by sirshannon · · Score: 1

    No, this is incorrect. MS is not checking 3rd party software and warning the user. MS is only checking MS software, but not all MS software on the computer, and then giving a message that, for instance, MS Office 2003 may be vulnerable and that you should update via this link (insert link to office update). However, after getting there, you may scan for updates and see that there are none. Running the GDI scan will give you the same message.

    MS' GDI vulnerability scan tool does not mention 3rd party software.

  86. DOH, that's why the ADVANCED button is for! by Spy+der+Mann · · Score: 1

    Microsoft PPL think we're idiots because they're idiots, too. They can't seem to distinguish that there are VARIOUS KINDS of users. Dummies, informed, advanced, experts, and superpower users.

    They may not want to confuse a user with bloated information he doesn't need. But they should provide the info for us advanced users, anyway!

    Wouldn't you like in MS apps to give you access to "advanced" information when you click a button?

    i.e.
    BEFORE: "The current application has terminated abnormally"
    (advanced)

    AFTER: "The current application, process executed by filename.exe tried to read at address xyz. This address is currently in use by process mnop."

    Or in this particular case
    "The following DLL's were found defective:
    c:\program files\yaddayadda\yatta\gdiplus.dll" which was installed as part of application "Yatta Plus!".

    (Finishes list)

    Do you want to?
    a) Replace defective dll's with fixed ones whenever possible
    b) Delete defective dll's and render applications unusable (but safe)
    c) Nothing.

    Hey, how about other vulnerabilities in the MS knowledge base?
    "A vulnerability has been found that permits a user take control of the system" (Hey, big deal! We already know that. Why don't they tell us:

    "A workaround would be to disable X and Y service from windows XP. Click here for more info."

    The same when I accidentally delete some file that is used by the system (hey, I didn't know NetMeeting was required!)

    I only get something like:
    "Warning! You idiot deleted some critical file. Insert the CD before the next reboot OR ELSE!"

    Instead of:
    "You deleted critical file xxxxxxx.yyy. Please insert the CD, or try to specify an alternative directory."

    This is something that's ALWAYS bothered me. That Windows takes ALL the decisions for me.

  87. TiVo Software uses gdiplus.dll by antdude · · Score: 2, Informative

    According to NTBugtraq's article, TiVo has software package that allows a user to setup an Image and Audio server on their PC. When connected to the same LAN as the TiVo it allows the image and audio files to be viewed on a TV via the TiVo DVR. The software uses gdiplus.dll file that has a JPEG parsing engine.

    --
    Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
  88. Re:Yes, Microsoft can fix everybody's code! by Anonymous Coward · · Score: 0

    It's not Microsoft's code, it was written by the IJG - Independent JPEG Group.

  89. Rules for this story by rd_syringe · · Score: 0, Troll

    I feel the need to lay out some ground rules before we go on:

    1.) Microsoft is somehow responsible for all third-party DLLs on a system. Their scanner must contain a self-sufficient, learning AI that just "knows" which DLLs to scan on any system in existence.

    2.) Mozilla was affected by this same vulnerability, but it's okay because it's Mozilla and not Microsoft.

    3.) When Mozilla's XUL bug was marked "Confidential" since 1999 only to be revealed earlier this year when exploits came out for it, that's okay too. There won't be any "open letters" to Mozilla over it, because it's Mozilla and not Microsoft.

    I hope we can all follow these simple ground rules in the discussion to follow. Thank you.

    1. Re:Rules for this story by Q2Serpent · · Score: 2, Informative

      Hold on a second.

      1.) Microsoft is somehow responsible for all third-party DLLs on a system. Their scanner must contain a self-sufficient, learning AI that just "knows" which DLLs to scan on any system in existence.

      Scan them all. Does a good virus scanner only scan the files it installed?

      2.) Mozilla was affected by this same vulnerability, but it's okay because it's Mozilla and not Microsoft.

      Mozilla's vulnerability was, afaik, only for local files. Even so, mozilla didn't put out a scanner that scanned a few select shared libraries, and then declared that you did or did not need updates for your system.

    2. Re:Rules for this story by Allen+Zadr · · Score: 4, Insightful
      May I be the first to agree, except all of the DLLs complained about are Microsoft DLL files. Regardless of what 3rd party re-distributed the Microsoft DLL, I would hope that Microsoft's own scanning tool would be able to find and identify DLLs that Microsoft wrote (whether written for redistribution or core-os).

      Beyond that, if I find out that my Windows version of "The Gimp" is also vulnerable, I know enough to go to the author of that program and find a patch.

      If, on the other hand, 'The Gimp' told me that GTK may be vulnerable, and the 'GTK' folks told me that 'The Gimp' may be vulnerable, I would surely be the first person to stand up and write a singularly upset letter to those projects.

      On the other hand, I didn't pay $199 per copy of "The Gimp" and, as a condition of my use of said software, it clearly tells me that I am free to modify the code to my liking. Thus, I don't feel that "The Gimp" and the "GTK" projects owe me merchantability. Microsoft (on the other hand) I do feel owes me - at least - merchantability to perform as advertised...

      So long as Microsoft can fix the issues that are theirs (as opposed to point me in a circle), I have no qualms with spending more of my fine earned money to them for a really nice gaming OS.

      --
      Kinetic stupidity has a new brand leader: Allen Zadr.
    3. Re:Rules for this story by SoSueMe · · Score: 3, Insightful
      "1.) Microsoft is somehow responsible for all third-party DLLs on a system. Their scanner must contain a self-sufficient, learning AI that just "knows" which DLLs to scan on any system in existence."
      Please read the letter again (assuming you read it once).
      When a third party vendor wants to distribute a Microsoft DLL with their product, don't they have to get permission from you? Wouldn't there be a list somewhere in Redmond of the third party applications that have distributed vulnerable copies of gdiplus.dll? Can you tell us what they are?
      As for the "...but Mozilla is vulnerable too!" defence, Yes I imagine Mozilla on Windows certainly is.

      As for the "we're not the only ones" plea, this is not a very adult response to any form of critique.
    4. Re:Rules for this story by maximilln · · Score: 1, Interesting

      On the other hand, I didn't pay $199 per copy of "The Gimp" and, as a condition of my use of said software, it clearly tells me that I am free to modify the code to my liking. Thus, I don't feel that "The Gimp" and the "GTK" projects owe me merchantability. Microsoft (on the other hand) I do feel owes me - at least - merchantability to perform as advertised...

      This is also my final point of contention when people attack the security vulnerabilities in open source software.

      I didn't pay $200 for it, I can assume responsibility for keeping it patched and secure. But jay-HEE-zus, if I pay $200 for something, I expect them to fix it before every script kiddie with a Google hit can poison it!

      --
      +++ATHZ 99:5:80
    5. Re:Rules for this story by guitaristx · · Score: 1

      2.) Mozilla was affected by this same vulnerability, but it's okay because it's Mozilla and not Microsoft.

      Although I have no familiarity with Mozilla's architecture, I have a suspicion that it was written using Microsoft's libraries that deal with the GDI. Sorry if I'm wrong, but if Mozilla exhibits a bug that's the fault of the underlying OS (or an extension/API/whatever thereof), would it be Mozilla's problem, or the underlying OS?

      --
      I pity the foo that isn't metasyntactic
    6. Re:Rules for this story by rd_syringe · · Score: 0, Redundant

      Interesting that you completely disregarded point #3.

    7. Re:Rules for this story by rd_syringe · · Score: 1

      I read the letter. It still doesn't refute the point that Microsoft doesn't have to scan for every third-party DLL installed on the system. That's the same thing as blaming Microsoft when people don't patch their systems. Anything to bash Microsoft on this OSTG-owned website (interesting, isn't it?).

      Incidentally, no, a company DOESN'T have to get permission to distribute a Microsoft DLL with their software. Get it? Hell, have you even used Visual Studio? It ships with almost all of them. But, why summon common sense and logic when we can post an emotive "open letter to Microsoft" on the front pages of an OSTG-owned geek site?

      As for the "...but Mozilla is vulnerable too!" defence, Yes I imagine Mozilla on Windows certainly is.

      No need to "imagine"--Mozilla on all platforms was vulnerable.

      As for the "we're not the only ones" plea, this is not a very adult response to any form of critique.

      Who is "we?" Oh, I see, an implication that I'm a Microsoftie. That's not a very adult response, either. Incidentally, such a response is used constantly on Slashdot to justify OSS flaws. "At least we're not like Microsoft!"

    8. Re:Rules for this story by jerw134 · · Score: 1

      Mozilla doesn't use Microsoft's DLLs. The Mozilla problem was their fault, and affected all platforms.

    9. Re:Rules for this story by SoSueMe · · Score: 1

      Can you write a tool to scan an entire drive for a particular, static DLL? Can it be replaced by a patched version in all instances?

      Simple answer: "Yes".

      I fail to see where you get the idea that this is a "third party" DLL. It is a DLL redistributed by a third party. It is still one static piece of code.
      It is still owned by Microsoft not the ever evil "third parties" that link their programs to it.
      Responsibility for this code lies with the owner, the same as it does for any code.

      I, personally, don't care who runs the site.
      If the facts are clear, the source is immaterial.
      I frequently use info from the MSKB site. Does that make me "anti-linux" or "anti-Mac"?
      No, that would give me a very narrow point of view.

    10. Re:Rules for this story by Anonymous Coward · · Score: 0

      Microsoft is somehow responsible for all third-party DLLs on a system?

      Oops, surely you meant Microsoft is somehow responsible for all third-party installations of Microsoft produced DLLs on a system?

      Well, yes, they should be..

      In the same way Firestone were responsible for all the third-party installments of their known defective tyres to vehicles, resulting in 150+ deaths.

      In the same way that Ford, knowing their Pinto car had a defective petrol tank, and despite taking the line it was cheaper to simply let a few hundred people die - and pay $200,000 per lawsuit, than actually bother to find a fix for the problem indeed turned out to be actually "responsible"

      Microsoft loving twat (VB coder 'oxymoron alert!' by any chance?)

    11. Re:Rules for this story by Nataku564 · · Score: 2

      Scan all the DLLs ... dude, have you worked with DLLs at all? What exactly do you expect Microsoft to do ... scan the whole hard disk for anything matching *.DLL and try throwing JPEG at all the functions inside of it and see if exhibits the behavior matching the exploit?

    12. Re:Rules for this story by Anonymous Coward · · Score: 0

      Many many people pay a fuckload more than $200 for open source software support, and as of now, they're getting the bugfixes at the exact same time you are.

    13. Re:Rules for this story by geordie_loz · · Score: 1

      But the article clearly states, and the post, that they (ISC) have written a useful gdiscan tool.

      He's pretty much stating that more intelligent information than "might be/might not, who knows, we don't" and then, certainly for the (hopefully) capable system administrators, something can be done. Better information for the novice even, other than "Wotcha".. something about how, why and should you be afraid, be very afraid?

      He's simply remarking on the fear that this induces in a novice, and the lack of info and a decent solution for the more capable users. So if the non-microsoft guy (him/them) can write a better fix, surely the MS team should, given they wrote the DLL in the first place.

    14. Re:Rules for this story by Q2Serpent · · Score: 1

      Scan all the DLLs ... dude, have you worked with DLLs at all? What exactly do you expect Microsoft to do ... scan the whole hard disk for anything matching *.DLL and try throwing JPEG at all the functions inside of it and see if exhibits the behavior matching the exploit?

      This is a joke, right? Do you think that's how virus scanners work, too? If they want to see if a DLL contains a copy of the JPEG code, they scan for a fingerprint. They pick a section of the binary JPEG library that is long enough to be useful to scan for, and they look for that. They could also scan for some known strings that appear in the library (like the version string).

      It's even easier if the DLL is dynamically-linked to some known JPEG DLLs.
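      The fingerprint-and-version-string approach described in this comment, and the per-copy version report whovian posted from Liston's scanner earlier in the thread, can be reproduced in a few dozen lines. The script below is an added illustration written for this page; it is not Liston's GDIScan, not Microsoft's tool, and not code from anyone in the thread. It walks a directory tree, finds every file named gdiplus.dll (any case), and instead of parsing the PE resource directory it simply searches the file bytes for the VS_FIXEDFILEINFO signature (0xFEEF04BD) that every Windows version resource carries, then reads the file version that follows it. The threshold version is an assumption made for the example: the redistributable build hobo2k quotes, 5.1.3102.1360, is treated as the first clean one. The on-disk fixture is constructed stub files, not real DLLs, so the script runs offline on any OS.

```python
"""Added example: inventory every copy of gdiplus.dll under a tree and report
its file version, the way a fingerprint scanner would. Not GDIScan."""
import os
import struct
import tempfile
from typing import List, Optional, Tuple

Version = Tuple[int, int, int, int]

# VS_FIXEDFILEINFO begins with dwSignature 0xFEEF04BD (little-endian bytes),
# followed by dwStrucVersion, dwFileVersionMS and dwFileVersionLS.
FIXEDFILEINFO_SIGNATURE = b"\xbd\x04\xef\xfe"

# Assumption for this example only: the redistributable build quoted in the
# thread is the first non-vulnerable version; anything older gets flagged.
FIXED_VERSION: Version = (5, 1, 3102, 1360)


def read_file_version(path: str) -> Optional[Version]:
    """Return (major, minor, build, revision) from the PE version resource.

    Greps the raw file for the VS_FIXEDFILEINFO signature rather than walking
    the resource directory; the four DWORDs after it carry the file version.
    """
    with open(path, "rb") as fh:
        data = fh.read()
    idx = data.find(FIXEDFILEINFO_SIGNATURE)
    if idx < 0 or idx + 16 > len(data):
        return None
    _sig, _struc_ver, ver_ms, ver_ls = struct.unpack_from("<IIII", data, idx)
    return (ver_ms >> 16, ver_ms & 0xFFFF, ver_ls >> 16, ver_ls & 0xFFFF)


def format_version(version: Optional[Version]) -> str:
    return "unknown" if version is None else ".".join(str(n) for n in version)


def classify(version: Optional[Version], path: str) -> str:
    """Report status for one copy; tuple comparison orders versions correctly."""
    if version is None:
        return "unknown"
    if version < FIXED_VERSION:
        # Per whovian's follow-up, WinSxS copies are serviced by Windows itself,
        # so they are reported but should not be overwritten by hand.
        if "winsxs" in path.lower():
            return "vulnerable (side-by-side copy, serviced by Windows Update)"
        return "vulnerable"
    return "not vulnerable"


def scan_tree(root: str, dll_name: str = "gdiplus.dll") -> List[Tuple[str, str, str]]:
    """Walk root and return (path, version, status) for every copy of dll_name."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            if fn.lower() == dll_name:
                full = os.path.join(dirpath, fn)
                version = read_file_version(full)
                findings.append((full, format_version(version), classify(version, full)))
    return sorted(findings)


def make_fake_dll(path: str, version: Optional[Version]) -> None:
    """Constructed fixture: a stub carrying only an MZ header and a version block."""
    os.makedirs(os.path.dirname(path), exist_ok=True)
    body = b"MZ" + b"\0" * 62
    if version is not None:
        major, minor, build, rev = version
        body += FIXEDFILEINFO_SIGNATURE + struct.pack(
            "<III", 0x00010000, (major << 16) | minor, (build << 16) | rev)
    with open(path, "wb") as fh:
        fh.write(body + b"\0" * 16)


def run_demo() -> List[Tuple[str, str, str]]:
    """Build a constructed tree mirroring the thread's findings and scan it."""
    root = tempfile.mkdtemp(prefix="gdiscan-demo-")
    pf = os.path.join(root, "Program Files")
    make_fake_dll(os.path.join(pf, "RecordNow!", "gdiplus.dll"), (5, 1, 3097, 0))
    make_fake_dll(os.path.join(root, "WINDOWS", "WinSxS",
                               "x86_Microsoft.Windows.GdiPlus_demo", "GdiPlus.dll"), (5, 1, 3101, 0))
    make_fake_dll(os.path.join(pf, "PatchedApp", "gdiplus.dll"), (5, 1, 3102, 2180))
    make_fake_dll(os.path.join(pf, "Stripped", "gdiplus.dll"), None)  # no version resource
    return [(os.path.relpath(p, root), v, s) for p, v, s in scan_tree(root)]


if __name__ == "__main__":
    for path, version, status in run_demo():
        print(f"{path}\n    Version: {version} -- {status}")
```

      The "PatchedApp" and "Stripped" directory names are invented for the fixture. On a real machine you would point scan_tree at a drive root; the "unknown" status is the honest answer for a file with no version resource, which is exactly the case where a version-only check falls short and a byte-level fingerprint of the JPEG decoder itself would be needed.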

  90. I wrote some code to mimic m$ GDI scanner by Anonymous Coward · · Score: 0

    public class HelloWorldApp {
        public static void main(String[] args) {
            // System.out.println("Hello World!");
            // The only thing this "scanner" ever reports:
            System.out.println("Your computer may be vulnerable!");
        }
    }

  91. Microsoft users demand to stop being called idiots by Anonymous Coward · · Score: 0

    In related news, the Las Vegas Prostitution Association has demanded that its female members stop being called "hookers" and "hos". They suggest the replacement term "copulatory assistant".

    (Sorry. But, hey, it's Slashdot.)

  92. Stop Whining by 4of12 · · Score: 2, Funny

    and just buy your standard Windows GDI implementation from a different vendor that is more responsive to your needs and more willing to negotiate and work with you on cost discounts for flaws in their product.

    I mean, isn't that what you're supposed to do when a supplier feeds you something substandard?

    --
    "Provided by the management for your protection."
  93. That letter... by GojiraDeMonstah · · Score: 1

    ... really seemed to be a lot more about his parents' basement than the Microsoft jpeg vulnerability.

    --
    "Stop throwing the Constitution in my face, it's just a goddamned piece of paper!" - George W. Bush Nov. 2005
  94. Different rules for a monopoly by hachete · · Score: 1, Insightful

    Until Microsoft become a profit organisation rather than a tax-harvesting one, then they get all the stick they deserve.

    Thankyou,

    h

    --
    Patriotism is a virtue of the vicious
  95. An Expert by xeon4life · · Score: 1

    If anybody knows anything about sticky situations, it's gonna be this guy.

    --
    Real programmers can write assembly code in any language. -- Larry Wall
  96. DLL Hell by Anonymous Coward · · Score: 0

    Big problem with the "one copy only" approach - DLL Hell.

    When you have library 'foo' that is used by three different programs, what happens if someone upgrades one of these programs in such a way that one or more of the existing programs are broken. That is why you can install DLLs in a "side by side" manner.

    It should be noted that people bitch equally heavily about DLL hell, and the existence of this situation is the downside of a remedy for DLL hell. Cannot have it both ways...

    1. Re:DLL Hell by ewhac · · Score: 2, Insightful

      Why would upgrading an application also upgrade a shared system library at the same time? If the application needs the later library version, then the system needs upgrading as well (and probably a good thing, too). Only the system vendor, or the user by direct action, should be messing about in the system directories. Applications shouldn't be fscking around in there at all. If they do, then the result is guaranteed to be a complete and utter mess. (This is obvious, right?)

      Further, why would upgrading a shared system library break older applications? If the new library isn't backward-compatible, then the library vendor did The Wrong Thing. This can admittedly be a bit dicey when you've fixed a legitimate bug in the library, and dependent applications break. By definition, the applications were broken for relying on broken behavior, but sometimes pragmatism has to win out. However, if you have a well-designed method for establishing library entry points, you can mitigate this problem by just reassigning vectors (new apps bind to the new, fixed vector; and old apps get the old vector, whose bugs are emulated for no more than two major releases).

      Schwab

    2. Re:DLL Hell by Anonymous Coward · · Score: 0

      You don't quite grasp Microsoft software design principles yet. When you release a new version of a DLL, you don't just add new functions to implement new behavior. You redefine all the previously written functions since the original documentation (and implementation?) were contradictory, you change dependencies to new libraries, change the size(!) and arrangement of structures, and do other kind things to application developers. You don't care, because you're a monopoly built on an upgrade cycle anyway. Or maybe you DO care.

    3. Re:DLL Hell by Anonymous Coward · · Score: 0
      Applications do not do the dirty work; the Microsoft Installer will go and upgrade, typically using Microsoft approved merge modules. As for mitigation techniques, Microsoft employs all of the techniques that you describe. That is why Win32 is so cluttered. The problem is when applications do weird things and rely on crappy behavior, and Microsoft is forced to support them.

      As for who is at fault, that is a big question. Applications rely on buggy behavior all the time, and whether they like it or not, Microsoft has the burden of supporting applications that do crappy things.

      Raymond Chen, a Microsoft developer who does compatibility work in great detail described this process in his blog:

      When programs grovel into undocumented structures...
      Why not just block the apps that rely on undocumented behavior

      The UNIX world does not have this problem as much, because the UNIX vendors can safely force the application vendors to upgrade. Ditto in the open source world. Microsoft does not have this luxury, because they do not own the Win32 API anymore. The Win32 API is owned by the millions of applications that their customers use. The minute they screw them, Microsoft loses its single largest competitive advantage.

  97. GDIScan command line by Anonymous Coward · · Score: 0

    So can I use the command line to see if my Mandrake 10 is vulnerable? It must be Gimp...oh wait...

  98. i guess he should be writing to Linus for this ... by Anonymous Coward · · Score: 0

    Linux had similar issue

    Or is it ok since it was a linux thing???

    The senseless biased story lead-ins/bashing-baits/troll-foods/zealot-baits are getting to be a joke. Let's try sticking to worthy IT news items and constructive critique... could be a good thing to have a lot of people actually HELPING the non-IT that visit Slashdot, instead of filling their minds full of FUD. ...just a rational thought, ignore it if you can't handle such a thing...

  99. Huh? by rd_syringe · · Score: 1

    What does being a monopoly have anything to do with some vulnerability scanner? Tell me, what exact rules are "different?" You can't, because it was a vague, irrelevant statement that has nothing to do with this. You didn't refute any points.

    Was it okay that Mozilla's bug was marked "confidential" for five years?

    1. Re:Huh? by Yakko · · Score: 1

      Yes, it was OK!

      I can tell you anything you wish to hear, btw... :o)

      --
      Me spell chucker work grate. Need grandma chicken.
  100. the answer by jonwil · · Score: 1

    is that Microsoft should have made this app look for and identify any copies of the vulnerable windows components (including GDIPLUS) stored anywhere on the system. Then there should be a simple way to get the latest version and replace the old copy with it.

    Course, that then results in DLL hell because the app breaks with the new version, which is why they shipped the old version in their app folder in the first place :P

  101. Not really by Anonymous Coward · · Score: 0

    "You regularly use devices, or the products of devices, that you can't even begin to describe the manner in which they function"

    Speak for yourself. Or, maybe you are. Sorry, not EVERYONE is like that. I look at anything and everything and wonder how it works, what its chemical structure is, how the atoms vibrate and where electrons are. I think about quarks, protons, photons, shadow photons, M theory, spatial travel, and the lot.

    You should really say "_Some_ people".

    Generalizations suck.

    1. Re:Not really by maxpublic · · Score: 1

      If you think you're some sort of modern version of the Renaissance Man, think again. No human being alive today can master more than a fraction of the knowledge available; the days of being a jack of all trades are long past.

      And that includes you.

      Max

      --
      My god carries a hammer. Your god died nailed to a tree. Any questions?
  102. Anglaise (Académie is feminine) [nt] by pkhuong · · Score: 1

    nt

    --
    Try Corewar @ www.koth.org - rec.games.corewar
  103. Bad spelling = Bad!!! by Anonymous Coward · · Score: 0

    Good point. It's funny how /.ers love to bash Microsoft when they work outside of the standards, but get all defensive when their dyslexic non-standard English is corrected. The only standard they consistently stick to is known as the "double-standard".

    Sheesh...

  104. If the shoe fits ? by Anonymous Coward · · Score: 0

    'Please stop treating your customers like idiots ...'

    - well, you said it, not us! :-)

  105. I agree by Anonymous Coward · · Score: 0

    I say we pull all our people back, and nuke the entire site from orbit.

    It's the only way to be sure.

  106. Losers all by Anonymous Coward · · Score: 0

    You hate Microsoft...so stop using their stuff and stop whining about how bad it is...if you love your crappy Linux so much, please go ahead and use it. If your employer forces you to use Windows, quit your job...after all, principles are more important than money...or so you claim.

  107. Re:What I want to know is...(gdiplus.dll D/L) by kaplong! · · Score: 1

    mod parent up.

  108. Re:Wrong quote by Nybble's+Byte · · Score: 0

    I think "learn how to cut-n-paste" would be the appropriate admonition.

    Whatever floats you're boat.

  109. RTFT (Run the f*ing tool) by ebyrob · · Score: 1

    1.) Microsoft is somehow responsible for all third-party DLLs on a system. Their scanner must contain a self-sufficient, learning AI that just "knows" which DLLs to scan on any system in existence.

    Yes, this makes perfect sense because the GDI detection tool and surrounding infrastructure as it stands now is so perfect that to enhance it one iota (say, by having it actually do something useful) would be to make it impossibly perfect.

    Every time the darn thing runs it merely says you *may be vulnerable* and as far as I can tell it doesn't ever do anything else. I've written "Hello World" applications with more pragmatic value. Not only that, but you run it on a Windows XP SP2 system, and then go to MS' website and find out that the tool can do you *no good* and should never have been downloaded because WinXP SP2 is not vulnerable to this problem!! (Or at least, not in a way fixable by this tool)

    In my last WinXP SP2 full install, this was a major "head scratcher" I had getting the system up and running. Why would they ask me to download and run a tool that can't possibly do my version of Windows any good? (Only now am I beginning to realize this makes a twisted sense because the tool does my computer as much good as any other...none.) Or, perhaps there's more to the GDI exploit story. But where the heck is the more? Somebody at Microsoft really fell down on this one.

    2.) Mozilla was affected by this same vulnerability, but it's okay because it's Mozilla and not Microsoft.

    Fixed in Mozilla 1.4.1 in October of 2003. Not even a speedbump, just another patch in the quilt.

    3.) When Mozilla's XUL bug was marked "Confidential" since 1999 only to be revealed earlier this year when exploits came out for it, that's okay too. There won't be any "open letters" to Mozilla over it, because it's Mozilla and not Microsoft.

    Ya, that was a cover-up worthy of a major corporation... Not the greatest thing to do, but I don't see what this has to do with the current story. (Ie: What does keeping exploits secret have to do with really lousy exploit detection/resolution tools?)

  110. Talk about worse than worthless... by descil · · Score: 1

    What a totally worthless thing to do.

    Let's write a completely nonpolitic letter to Microsoft and see if they respond.

    Hello? The way to change things is to convince MS that their policies are incorrect, not blaspheme and curse at them. They'll just ignore such letters as hatemail, the same way you or I would.

  111. Knowing is half the battle by PJ+Kix · · Score: 1

    OK, so MS's scanner tells me I may be vulnerable ... run updates, run scanner again ... still tells me I may be vulnerable, and their "Tool" did nothing to help me. Great!

    So now I run this scanner which actually tells me what files may be vulnerable, fantastic! Knowing is half the battle, but now what about the other half like actually fixing the problem?

    How do I patch these files? Can I just copy over all affected gdiplus.dll's with good ones? What about the other files it detects? Do I need to get patches? If so, where from? Each software manufacturer? If these all came from MS, can't they just patch them all and not a few here and there?

    So in the meantime should I just avoid all jpg's and just duck and cover or what?

  112. Re:But Microsoft customers are idiots by Technician · · Score: 1

    no slashdotters are windows users until a cool tool like that NASA world wind one comes up

    Two words..

    Employer Supplied

    --
    The truth shall set you free!
  113. Bleeping Computer has a tutorial on this app by Grinler · · Score: 1

    Bleeping Computer recently published a tutorial on how to use this program and interpret its results. You can find it here: http://www.bleepingcomputer.com/forums/topict3077.html

  114. Third parties by Anonymous Coward · · Score: 0

    ...because third party software is really MS's problem.

    Join next week when we'll ask Honda to make the Civic more secure because stupid people put modifications on it and then hurt themselves.

    Yay Slashdot.

  115. Careful what you wish for by Sycraft-fu · · Score: 1

    Any standard that imposes criminal penalties for software bugs will apply to open source just as it applies to closed source. So if you want criminal charges for a bug that goes unpatched for a certain amount of time or allows full access and so on, be ready to see OSS programmers getting charged as well. OSS is NOT free of exploits. They crop up from time to time, even in seemingly safe places, like libpng. Firefox had a XUL vulnerability that allowed a fake webpage to be created that appeared real and secure (/. ran a story on it). It sat unfixed for over a year before someone finally made a practical demonstration of it.

    The other problem is that basically every exploit results from using the software in a manner in which it was not designed. Well, cars have MANY exploits like that. If you run your car into a wall at 100kph, you will destroy it and likely kill yourself. This is a known problem with cars, and one that manufacturers take no steps to fix. However it is not how you are supposed to use a car. Computer exploits are likewise. You are not supposed to send a large amount of meaningless data to an input in an attempt to overflow its buffer.

    So, really, trying to claim that exploits for software should be criminal is just silly and really would stick it to open source. People mistakenly think that because it's free the law wouldn't apply. Nope. If you buy bottled water that is harmful, the company that sold it to you is civilly and perhaps criminally liable. If I provide you with a free glass of water that is harmful to you I am also civilly and perhaps criminally liable. The fact that I'm one guy doing it for free changes nothing.

    So if you advocate fines/jail for software bugs, just remember you are advocating it against OSS as well.

    1. Re:Careful what you wish for by maxwell+demon · · Score: 1

      You miss one thing: For security bugs, it's not the owner who operates it in a way he's not supposed to.

      Imagine you have a door lock which happens to open if you knock at it a few times. Now the vendor explains to you that you are not supposed to knock at your lock, so the lock is working perfectly, you're just operating outside of its specifications if you knock at it.

      Of course I agree that you shouldn't get criminal penalties just for having a bug in your code. After all, if you sell a defective car, you generally don't get criminal penalties either. However, as soon as you get to know about a security related bug, unless you explicitly declared that program as unsupported, you should be obliged
      • to clearly mark distributed software with this bug as having that bug, so that everyone who might install it knows about this risk
      • to make reasonable effort to inform distributors and users of that product about the problem
      • to make reasonable effort to solve the problem, and to supply users of the product with the solution as soon as you have it

      What such reasonable effort is, would certainly depend on the circumstances. For example, announcing the problem on relevant usenet groups and mailing list as well as on the product home page may be enough to comply with the second point if there's a reasonable expectation that most users of the product read those lists, and you don't have a list of customers to contact directly (as is usually the case with OSS). In that case, giving a patched version to the usual distribution channels and informing about that patch through the same channels would be enough for complying with the last point.

      Also, you shouldn't be allowed to sell an unsupported program (although you may give it away for free [as in beer]). Of course you may allow others to sell supported versions of that software even if you don't support it yourself (in that case whoever sells that software would be responsible for appropriate bug treatment).

      --
      The Tao of math: The numbers you can count are not the real numbers.
    2. Re:Careful what you wish for by Sycraft-fu · · Score: 1

      But all locks do have known vulnerabilities. Your average house lock is a piece of shit, and has many problems. The biggest is simply that they are easy to get key copies of. Someone can grab your key, go to any store, get it copied, and return them. Also the locks are exceedingly easy to pick, a trained person can usually do it in under 5 minutes. Then there's the fact that they don't stand up to stress very well, most will buckle under a few good kicks. The list just goes on.

      However these are not things that cannot be resolved, or at least made better. Medeco high security locks do not suffer from most of these problems. Their keys are patented, and distribution is tightly controlled. You cannot get a copy of a Medeco key without being the owner, or some serious bribery. Because of their odd key design, they are also a bitch to pick, and even trained people have trouble (most amateurs just can't do it at all). They are also very physically well constructed and can take a real beating, usually more than the door.

      Another thing is Microsoft does precisely what you ask, their update software goes so far as to bug you about new updates, or install them automatically (something most others don't) and they regularly release security fixes for products, including old ones. They continued to release patches for NT4 long past its original EOL.

      I think the problem is people are so overcome by their hatred for MS that they fail to realise that MS does quite a good job of supporting the exploits in their software. They release free patches that will download automatically if you allow them to, and even support illegal copies of their OS.

      Now it is arguable that they should have better code that doesn't have the bugs in the first place, but that's a different thing, that's design, not support, and any law that mandated it would have to be mandated for all software. You can't say it's ok for a certain class of people to get away with something and not others (though congress is known to try that once in a while, it's not constitutional).

  116. About your sig... by orcrist · · Score: 0, Offtopic

    Want to see Kerry's changing positions on Iraq, in his own words?

    For a more analytical look with some of Bush's words thrown in for context look here.

    --
    San Francisco values: compassion, tolerance, respect, intelligence
    1. Re:About your sig... by Anonymous Coward · · Score: 0

      YHBT. YHL. HAND.

      Love,
      rd_syringe (aka Overly Critical Guy aka bonch)

  117. Get Serious by drpickett · · Score: 1

    What an absolutely asinine letter - The author addresses an important issue and clouds it with useless analogy - The style of the letter screams "please ignore me, these are the ramblings of someone who should not be taken seriously" - This is a shame, since he eventually makes a very good point - S/N ratio is way too low for this to be a useful letter

  118. Huh? by Omroth · · Score: 0

    Who is Tom Liston and why is he complaining to Microsoft about the gaps in his C&C defense? Just build more AGTs dude. Weird. Omroth

  119. When a third party vendor wants to ... by DrPizza · · Score: 1

    "When a third party vendor wants to distribute a Microsoft DLL with their product, don't they have to get permission from you?"
    No.

    "Wouldn't there be a list somewhere in Redmond of the third party applications that have distributed vulnerable copies of gdiplus.dll?"
    No.

    "Can you tell us what they are?"
    You tell me....

  120. -1, 100% incorrect by Anonymous Coward · · Score: 0

    Who writes this crap?

    When the size of data structures exposed by the API changes, there is usually a versioning mechanism so that the old way to call the function still works. Usually, this is a parameter where you specify the size, or flags so that the old semantics still work.

    The Win32 API is not a work of art by any means, but they (for the most part) do a good job with backwards compatibility. Can you give a concrete example so that you can demonstrate you know what you are talking about in the slightest?

  121. Actually, Linux is worse in this regard by Anonymous Coward · · Score: 0

    How is what you describe different from switching from libc5 to glibc?

    Try running an app compiled on Red Hat 1.0 on the latest Debian box. Will it work? No it won't, because the C library has changed, among other libs. However, most line of business DOS apps written in the 80s still work on Windows XP.

  122. OK, so Dreamweaver is vulnerable... WTF DO I DO?! by monkeyfarm · · Score: 1

    I run GDIScan, I see:

    C:\Program Files\Macromedia\Dreamweaver MX 2004\gdiplus.dll Version: 5.1.3097.0 -- Vulnerable version

    I go to Macromedia, NOTHING THERE! So WTF am I supposed to do? It's all wonderful you guys want to throw bricks at M$, but perhaps someone can actually tell a poor, non-programmer, what the hell to actually do to protect my system. And the first one that says use Linux gets modded to -1000 (asshat)

    --
    What I don't know I just fake...
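Comment 100 describes what a useful scanner would do (find every copy of gdiplus.dll on the system and report which build it is), and comments 111 and 122 show why the version matters: GDIScan reported the Dreamweaver MX 2004 copy as 5.1.3097.0, a vulnerable build. The script below is an added example written for this thread; it is not GDIScan, Microsoft's tool, or Bleeping Computer's tutorial. It walks a directory tree, finds files named gdiplus.dll in any letter case, and reads the file version straight from the VS_FIXEDFILEINFO block of the PE version resource (the 0xFEEF04BD signature), so it needs no Windows API and can be run against a mounted image from any OS. The "first fixed" version it compares against is an assumed placeholder, not a value from the thread or an advisory; the demo tree and the "fake DLLs" in it are constructed test fixtures, and the 5.1.3200.0 version is likewise made up. Finding the copies is the "knowing" half; replacing each one still has to come from the vendor that shipped it.

```python
"""Locate copies of gdiplus.dll under a root and report their file versions.

Added example for this thread, not GDIScan or Microsoft's tool. Version
numbers are read from VS_FIXEDFILEINFO inside the PE file, so no Windows
API is needed. ASSUMED_FIRST_FIXED is a placeholder assumption.
"""
import os
import struct
import tempfile
from typing import List, Optional, Tuple

Version = Tuple[int, int, int, int]

# Names are compared case-insensitively (GdiPlus.dll, GDIPLUS.DLL, ...).
TARGET_NAMES = {"gdiplus.dll"}

# The thread reports 5.1.3097.0 as a vulnerable build. This threshold is an
# ASSUMED placeholder: builds below it are flagged. Use the vendor advisory
# value in practice.
ASSUMED_FIRST_FIXED: Version = (5, 1, 3098, 0)

# VS_FIXEDFILEINFO.dwSignature, little-endian on disk.
FIXEDFILEINFO_SIG = struct.pack("<I", 0xFEEF04BD)


def read_file_version(path: str) -> Optional[Version]:
    """Return (major, minor, build, revision) from VS_FIXEDFILEINFO, or None."""
    with open(path, "rb") as fh:
        data = fh.read()
    idx = data.find(FIXEDFILEINFO_SIG)
    if idx < 0 or idx + 16 > len(data):
        return None
    # Layout: dwSignature, dwStrucVersion, dwFileVersionMS, dwFileVersionLS
    _sig, _struc_ver, ver_ms, ver_ls = struct.unpack_from("<IIII", data, idx)
    return (ver_ms >> 16, ver_ms & 0xFFFF, ver_ls >> 16, ver_ls & 0xFFFF)


def version_str(ver: Version) -> str:
    return ".".join(str(part) for part in ver)


def scan_tree(root: str, first_fixed: Version = ASSUMED_FIRST_FIXED) -> List[Tuple[str, str, str]]:
    """Return sorted (relative path, version text, status) for every target DLL."""
    results = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() not in TARGET_NAMES:
                continue
            full = os.path.join(dirpath, name)
            ver = read_file_version(full)
            if ver is None:
                status = "UNKNOWN"        # no version block: inspect by hand
            elif ver < first_fixed:       # tuple comparison, field by field
                status = "VULNERABLE"
            else:
                status = "OK"
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            results.append((rel, version_str(ver) if ver else "?", status))
    return sorted(results)


def write_fake_dll(path: str, version: Optional[Version] = None) -> None:
    """Constructed fixture: an 'MZ' stub with an optional VS_FIXEDFILEINFO block."""
    os.makedirs(os.path.dirname(path), exist_ok=True)
    body = b"MZ" + b"\x00" * 62
    if version is not None:
        major, minor, build, rev = version
        body += FIXEDFILEINFO_SIG + struct.pack(
            "<III", 0x00010000, (major << 16) | minor, (build << 16) | rev
        ) + b"\x00" * 8
    with open(path, "wb") as fh:
        fh.write(body)


def demo() -> List[Tuple[str, str, str]]:
    """Build a constructed tree with three gdiplus.dll copies and scan it."""
    with tempfile.TemporaryDirectory() as root:
        write_fake_dll(os.path.join(root, "Program Files", "VendorA", "gdiplus.dll"), (5, 1, 3097, 0))
        write_fake_dll(os.path.join(root, "Windows", "system32", "GdiPlus.dll"), (5, 1, 3200, 0))  # made-up newer build
        write_fake_dll(os.path.join(root, "legacy", "gdiplus.dll"))                 # no version resource
        write_fake_dll(os.path.join(root, "Program Files", "VendorA", "other.dll"), (1, 0, 0, 0))  # ignored
        return scan_tree(root)


if __name__ == "__main__":
    for rel, ver, status in demo():
        print(f"{rel}  Version: {ver} -- {status}")
```

Run it against a real drive with `scan_tree("C:\\")` (or a mounted image path). A third-party copy that shows up as VULNERABLE is exactly the case comment 111 asks about: this tells you which vendor's install directory holds the stale build, but the replacement has to come from that vendor's update, since the application may depend on the copy it shipped.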