Slashdot Mirror


GDI Vulnerabilities: An Open Letter to Microsoft

UnderAttack writes "Tom Liston, the guy that brought us the LaBrea Tarpit, wrote an open letter to Microsoft regarding the GDI JPEG vulnerability, and Microsoft's scanning tool for this vulnerability, which he calls 'worse then useless'. Tom, who wrote his own scanning tool, ends his letter with 'Please stop treating your customers like idiots and give us information; information that we can use.' As Tom explains, the official Microsoft scanning tool misses a lot of vulnerable DLLs installed by third parties, and Microsoft fails to explain whether these libraries are a problem or not."
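As an added illustration of the kind of report the summary asks for (this is example code written here, not Tom Liston's GDIScan and not Microsoft's tool), the scanner below walks a directory tree, finds every copy of the GDI+ library rather than only the system one, and reports each copy's path and embedded file version. The gdiplus.dll name and the VS_FIXEDFILEINFO layout are real; the directory layout, the sample files and the version threshold are constructed placeholders.

```python
import os
import struct
import tempfile

# VS_FIXEDFILEINFO begins with the signature 0xFEEF04BD (little-endian bytes
# below); dwFileVersionMS/LS follow dwStrucVersion and encode the file version.
VS_SIGNATURE = b"\xbd\x04\xef\xfe"

def file_version(data):
    """Return (major, minor, build, rev) from a PE image's version resource,
    or None if no VS_FIXEDFILEINFO block is present."""
    i = data.find(VS_SIGNATURE)
    if i < 0 or i + 16 > len(data):
        return None
    _sig, _strucver, ms, ls = struct.unpack_from("<4I", data, i)
    return (ms >> 16, ms & 0xFFFF, ls >> 16, ls & 0xFFFF)

def scan_tree(root, dll_name, fixed_version):
    """Walk root and report every copy of dll_name as (path, version, status).
    Each copy is checked, not just the one in the system directory."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() != dll_name.lower():
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                ver = file_version(fh.read())
            status = ("unknown" if ver is None
                      else "vulnerable" if ver < fixed_version else "patched")
            findings.append((path, ver, status))
    return findings

def fake_dll(version):
    """Constructed stand-in for a PE file: an MZ stub plus one VS_FIXEDFILEINFO."""
    major, minor, build, rev = version
    return (b"MZ" + b"\0" * 62 + VS_SIGNATURE
            + struct.pack("<III", 0x10000, (major << 16) | minor, (build << 16) | rev))

def demo():
    """Constructed layout: a patched system copy and an older third-party copy."""
    fixed = (5, 1, 3100, 0)  # placeholder threshold, not the real patched build
    copies = {"Windows/system32": fixed, "Program Files/ThirdParty": (5, 1, 3000, 0)}
    with tempfile.TemporaryDirectory() as root:
        for sub, ver in copies.items():
            os.makedirs(os.path.join(root, sub))
            with open(os.path.join(root, sub, "gdiplus.dll"), "wb") as fh:
                fh.write(fake_dll(ver))
        return sorted((os.path.relpath(p, root), v, s)
                      for p, v, s in scan_tree(root, "gdiplus.dll", fixed))
```

Each finding names the file, its version and a verdict, which is exactly the information the "you may be vulnerable" message withholds.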

34 of 444 comments

  1. Hate to quote a quote but... by diginux · · Score: 5, Funny
    which he calls 'worse then useless'
    So it gets worse, _then_ it is useless? :)
    1. Re:Hate to quote a quote but... by BlueThunderArmy · · Score: 4, Funny

      Still a step up from other MS products, which have to get *better* to become useless.

    2. Re:Hate to quote a quote but... by iocat · · Score: 2, Funny
      No, if it gets better then it will be useless. The idea is that it's so harmful, it's worse than just not existing. You've probably worked with some people like that.

      --

      Dude, I think I can see my house from here.

    3. Re:Hate to quote a quote but... by micromoog · · Score: 4, Funny

      If not, then your co-workers currently do.

    4. Re:Hate to quote a quote but... by sir99 · · Score: 5, Funny

      worse thæn useless?

      --
      The ocean parts and the meteors come down
      Laid out in amber, baby.
    5. Re:Hate to quote a quote but... by brianosaurus · · Score: 4, Funny
      You're almost there, but...

      You take their word for it, put your car in the shop, then when you go pick it up, the mechanic tells you "OK. We did something, but we won't tell you what we did, and your car may still blow up."

      But that still doesn't answer the grandparent post's question of whether there is an actual law... Not that it matters, but it's hard to take MS's focus on security seriously when their patching tools won't tell you whether or not you are vulnerable (just that you MAY be vulnerable). How is Microsoft's scanner any better than the code below? (and mine works cross-platform, too!)
      #include <stdio.h>
      #include <unistd.h>

      int main(void) {
          printf("Scanning for vulnerabilites...\n");
          sleep(5);   /* the whole "scan" */
          printf("Your computer may be vulnerable. Please update.\n");
          return 0;
      }
      --
      blog
    6. Re:Hate to quote a quote but... by DA-MAN · · Score: 4, Funny
      How is Microsoft's scanner any better than the code below? (and mine works cross-platform, too!)
      #include <stdio.h>
      #include <unistd.h>

      int main(void) {
          printf("Scanning for vulnerabilites...\n");
          sleep(5);   /* the whole "scan" */
          printf("Your computer may be vulnerable. Please update.\n");
          return 0;
      }


      You're right, it is cross platform
      $ uname -a
      Linux totoro 2.4.21-20.ELsmp #1 SMP Thu Sep 2 17:07:30 PDT 2004 i686 i686 i386 GNU/Linux

      $ ./foo
      Scanning for vulnerabilites...
      Your computer may be vulnerable. Please update.

      Yikes, I'll be back, gotta update my system . . .
      --
      Can I get an eye poke?
      Dog House Forum
    7. Re:Hate to quote a quote but... by WWWWolf · · Score: 2, Funny

      The 5 was obviously meant to be the argument, not manual section. In some proprietary C libraries, sleep(n) will sleep for specified number of seconds, sleep(5) call will sleep for 5 seconds and scan for vulnerabilities. Regrettably, GNU libc doesn't implement this, as it has never been correct according to any conceivable standard (it's not in BSD either, it was removed in the ancient times before POSIX and even the BSDI lawsuits and all). Since it's a proprietary extension, it's obvious that the poster was referring to Microsoft C library and not UNIX (MS operating systems don't have manpages, so this notational difference is completely understandable!)...

      Nowadays, this exceptional behavior is considered extremely deprecated and it will not necessarily work the way it used to. For example, it does work in win16 but not in any win32 platform, not in any modern release of any proprietary UNIX, and (as mentioned) not in GNU or BSD. Or any POSIX-compliant system anyway.

      And the example code was rubbish anyway because it didn't check the return value before printing the message, and effectively printed it in any case, which (I believe) was the point of the whole exercise - a security scanner is no good if it scans for vulnerabilities and then prints the same ambiguous message in any case. In historic UNIXes, sleep(5) returned negative number if vulnerabilities were found (modern C libraries define sleep()'s return value as unsigned int to specifically discourage this weird behavior).

  2. Dear Tom by Anonymous Coward · · Score: 5, Funny

    When you need this tool, we will tell you and provide it for you. Until then, please continue buying our other tools.

    Bill

  3. Re:In case it gets Slashdotted.... by PitaBred · · Score: 5, Funny

    Hrm... the Internet Storm Center... slashdotted... that'd be interesting. Somewhat poetic. But doubtful.

  4. Re:er, by Anonymous Coward · · Score: 2, Funny

    Sooooo, how exactly is MS responsible for all 3rd party DLLs?

    They just are, okay. Now quit asking questions or you'll be forced to hand in your /. UID...

  5. Doesn't know any better. by nempo · · Score: 2, Funny
    'Please stop treating your customers like idiots and give us information'


    I'm afraid that Microsoft doesn't know any better; they can't give you what they don't have.
    --
    --- No, English is not my mother tongue.
  6. Security is Microsoft's number 1 priority... by Foofoobar · · Score: 2, Funny

    ...to ignore.

    --
    This is my sig. There are many like it but this one is mine.
    1. Re:Security is Microsoft's number 1 priority... by Anonymous Coward · · Score: 1, Funny

      Don't you mean:

      "For me to POOP ON!"

  7. Re:But Microsoft customers are idiots by Anonymous Coward · · Score: 4, Funny

    The funny thing is.. no slashdotters are windows users until a cool tool like that NASA World Wind one comes up.. then suspiciously it's slashdotted.

  8. Re:er, by zygote · · Score: 2, Funny

    Responsible? Microsoft? "er," is right.
    Can't MS establish and enforce guidelines for third-party libraries so that they don't essentially break the OS (or parts thereof)? If one doesn't conform, the scanning tool from MS should warn the user: "Hey, we don't like this file because [insert reason.]"
    The downside for Redmond would be this tool barfing on their own code.

    --
    the future is here, it is just not evenly distributed - w. gibson
  9. How old is this guy? by freeze128 · · Score: 2, Funny

    I thought the LaBrea Tarpit had been around for millions of years....

  10. No Warranty Implied by Sneeper · · Score: 5, Funny
    I like how the sans.org GDIscan (http://isc.sans.org/gdiscan.php) has the following warranty in all caps:

    THIS APPLICATION IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, ....

    His letter might as well read:
    Dear Microsoft,
    How dare you take no responsibility for the code you write? I am handing out a much better version.
    P.S. I take no responsibility for the code I write.
  11. This whole open letter business by Anonymous Coward · · Score: 5, Funny

    Has anyone ever sent a closed letter?

    1. Re:This whole open letter business by grifter7 · · Score: 2, Funny

      Has anyone ever sent a closed letter?

      The damn things show up in the mailbox all the time! What the @#$%@ am I supposed to do with them? I know from /. that only bad H@xoRs try to break into closed source, so I've just been throwing the little suckers away. But can someone please make them stop??

    2. Re:This whole open letter business by owlstead · · Score: 2, Funny

      Dunno. That would be a bit like Schroedinger's cat...

  12. humidifier by trailerparkcassanova · · Score: 4, Funny

    My parents, in a vain attempt to rid the basement of its malodorous "twang" purchased a dehumidifier which, because there was no electrical outlet anywhere near the floor drain, required emptying on a daily basis.

    Uh, an extension cord perhaps?

  13. RULES OF SLASHDOT by JoeBar · · Score: 4, Funny

    Rule #1 You do not talk bad about Linux Rule #2 You do not talk bad about Linux

    1. Re:RULES OF SLASHDOT by Anonymous Coward · · Score: 2, Funny
      ok just to save the nerdlings some work --

      rule #3: Don't forget your HTML formatting

      bla bla bla

  14. NEWS FLASH!! by Mastadex · · Score: 2, Funny

    This just in! Massive security flaw found in Microsoft copyrighted code, which lets the hacker take over the user's machine:

    #include <stdio.h>

    int main(void) {
        printf("Hello World!\n");
        return 0;
    }

    Microsoft recommends heading over to Windows Update to patch this flaw.

    --
    A morning without coffee is like something without something else.
    1. Re:NEWS FLASH!! by Master+of+Transhuman · · Score: 2, Funny

      Right - typical Microsoft coding practice.

      --
      Richard Steven Hack - This sig is TOO GODDAMN SHORT TO DO ANYTHING USEFUL WITH! MORONS!
  15. Yes by Anonymous Coward · · Score: 2, Funny

    It's called an envelope.

  16. pissing in the wind by Anonymous Coward · · Score: 2, Funny

    an open letter to microsoft?! wow, that'll show'em.

  17. Re:Yeah, right. by DavidTC · · Score: 2, Funny
    Is that what is going on?

    I got that message, did everything it said, got the message again, and figured MS was on crack, reporting problems that didn't exist.

    It's good to know, instead of them being on crack, they're just failing to actually solve any problems, present any logical ways to solve them yourself, or even tell you exactly what is wrong, but there is actually a problem.

    I guess you're supposed to search for the filename you weren't told and check and see if the version is higher than the vulnerable version you weren't told, so you can go and download updates from Microsoft's website at the URL that you weren't told.

    It's certainly an interesting definition of 'Automatic Updates'. It's like a giant idiot light for your computer saying CHECK ENGINE, but it says UPDATE SOMETHING.

    --
    If corporations are people, aren't stockholders guilty of slavery?
  18. Re:Wrong quote by Rob+the+Bold · · Score: 2, Funny

    Learn how to spell!

    I think "learn how to cut-n-paste" would be the appropriate admonition.

    --
    I am not a crackpot.
  19. Is this a Microsoft first? by corporatemutantninja · · Score: 3, Funny

    Intentionally spreading FUD about their _own_ products?

    --
    Actually, I was trying to be Insightful, not Funny.
  20. I wrote a letter to Gill G "Unit" Gates by Wedge1212 · · Score: 2, Funny

    he said he likes purple flowers with sprinkles on top.

    --
    See Sig! See Sig Zig! Zig Sig Zig!!!!!
  21. Re:In "How not to write an open letter 101"... by Master+of+Transhuman · · Score: 2, Funny

    "How to write a slashdot comment 101:
    don't ever bother to check your spelling ;)"

    No, that belongs in "How To Write A Slashdot Headline". /. comments REQUIRE bad spelling.

    Oops, just violated the rules. Let me korrect that.

    --
    Richard Steven Hack - This sig is TOO GODDAMN SHORT TO DO ANYTHING USEFUL WITH! MORONS!
  22. Stop Whining by 4of12 · · Score: 2, Funny

    and just buy your standard Windows GDI implementation from a different vendor that is more responsive to your needs and more willing to negotiate and work with you on cost discounts for flaws in their product.

    I mean, isn't that what you're supposed to do when a supplier feeds you something substandard?

    --
    "Provided by the management for your protection."