GDI Vulnerabilities: An Open Letter to Microsoft
UnderAttack writes "Tom Liston, the guy that brought us the LaBrea Tarpit, wrote an open letter to Microsoft regarding the GDI JPEG vulnerability, and Microsoft's scanning tool for this vulnerability, which he calls 'worse then useless'. Tom, who wrote his own scanning tool, ends his letter with 'Please stop treating your customers like idiots and give us information; information that we can use.' Like Tom explains, the official Microsoft scanning tool misses a lot of vulnerable DLLs installed by third parties, and Microsoft fails to explain if these libraries are a problem or not."
Sooooo, how exactly is MS responsible for all 3rd party DLLs?
You don't even need third-party stuff or an application to make it hard under Linux. Typical cycle is: kernel version x comes out in March. It's in a Red Hat release in July. Vulnerability found in September, with an immediate release of version x+1 on kernel.org (which also has a lot of changed/evolved drivers etc.) Red Hat back-patches the fix to version x and makes a new funny version number to signify this. They might include a couple other things from x+1 in the back-patch to version x. Except that the funny Red Hat version number doesn't signify much to anyone on the surface.
Similar things happen for Red Hat (and other branded Linux binary distributions) of Apache, SSL, etc., things that are all quite critical and you'd hope would be crystal-clear as to which patches your version has or doesn't have.
Now finding whether version X of a library or application has a vulnerability patched usually isn't too hard. And Red Hat does a pretty good job of keeping on top, way better than say Microsoft.
Disclaimer: I'm no fan of Microsoft, but I'm not a big fan of Red Hat (or, as I prefer, Head Rat) either (or any binary Linux/GNU toolchain/popular application distro for that matter).
Most users ARE idiots. It seems completely appropriate that they should be treated this way. I very much mean this.
Yes, the Slashdot crowd and others might do well to receive more information regarding vulnerabilities and fixes for them, but the average user would be overwhelmed.
I once mentioned to a gentleman that the standard encryption on an 802.11b WAP wasn't entirely secure and he panicked. He asked if hackers would steal his credit card and social security numbers. I asked if he ever shopped online or transmitted those numbers across the internet, to which he replied emphatically no (he didn't even store them on his computer for that matter). He still did not understand that a "hacker" cannot steal his information from a WAP if it was never there in the first place. He promptly switched to using an Ethernet-based network.
Most people are too stupid to be told even the first thing about security. Better a patch is provided that works and they use it. Seeing as how the patch was not complete in this case, that'd be different, yet the users should still be treated like morons.
-dave
http://millionnumbers.com/ - own the number of your dreams
Any valid points the author has about the uselessness of the tool, or the general state of affairs with security at Microsoft, are diminished by his pompous attitude and snide remarks.
Why not write a technically detailed letter about the code you find (since he read it so many times) and perhaps offer some constructive alternatives to improve it?
Not only would it be more interesting to read, but they might actually be more willing to consider it.
which he calls 'worse then useless' :)
So it gets worse, _then_ it is useless?
With 40+ subvariants of the patch, just saying "there's a vulnerability on this here machine" without giving the source of the vulnerability and the solution to patch said vulnerability is dangerous, bordering on the criminally negligent concerning network security.
Mod Karma -1: I sed bad wurds. If I cep my mouf shut, I wud be at riyses.
I spent about 45 minutes reading docs at MSDN/MSKB trying to find an explicit statement that IE6SP1 on Win98 is vulnerable, and I swear that they don't actually state that fact (explicitly) anywhere! I eventually was able to read between the lines and conclude that Win98 isn't vulnerable, but Win98 + IE6 is, so you should run Windows Update to DL the patch.
Am I certain? No. Like I said, it's very difficult to find answers to very simple questions in their docs sometimes. I especially hate reading their security bulletins because it's like they were written by very technical lawyers who are trying to maintain the illusion of releasing information without actually doing so. As often as is possible, I try to wait a day or two for the DHS CERT to issue their bulletins because they do a slightly better job of relaying useful information.
"Lawyers are for sucks."
- Doug McKenzie
Actually, according to TFA, your analogy should be:
"My home-built kit car has a Ford engine. There's a problem with the engine. Ford needs to fix it"
"She's furniture with a pulse"
It seems that Microsoft, for all its blustery and arrogant, dismissive attitudes toward end users, manages to find itself in a quandary. If it releases too much vulnerability information, it could very well help exploits be written at a faster clip; if too little, then it risks being irrelevant. The timing is tricky too in this case.
Another problem, though, may have something to do with the audience. Trying to be "all things to all people" (including less-than-clueful admins), it is likely that they decided to "dumb down" the announcement, in short proclaiming that your computer "may be vulnerable". Some could argue that it is language of FUD, but I would say that they are trying to impress on as many people as possible that this is not just another "critical" update. This one is really, really critical.
For a better analogy, Microsoft is refusing to pay Child Support for its bastard child.
Zagreus sits inside your head, Zagreus lives among the dead, Zagreus sees you in your bed and eats you in your sleep.
Microsoft does not take warranty for their code, either.
For not a single one of their products (which you shell out loads of money for)!
This is a tool written to help and he cannot give warranties (in USA this may prove expensive...), because he is also a 3rd party and cannot know anything about this fricking hole.
So take it or leave it.
Would you give a warranty for something you give for free?
I don't think so.
Well, maybe he'll give you your money back!
world was created 5 seconds before this post as it is.
... first class on day one, they would cover off not including some pointless story about your childhood home which comprises half of the letter and has absolutely no relevance to the point of the letter, other than to say that Windows users are "in the dark".
Don't get me wrong, the letter itself was justified, and the author is right about the tool by Microsoft I'm sure. But why is that story in there, to make sure that someone at Microsoft doesn't actually read it?
----- sXe
Indeed, Netscape, which also uses that code for its JPEG decoding had that flaw (but it was fixed earlier, and of course, it did not make the news nearly as much as this Microsoft issue, owing to its much smaller market share.)
http://www.openwall.com/advisories/OW-002-netscape-jpeg/
There's 10 types of people in this world, those who understand binary and those who don't.
This seems to be a trend for the "trustworthy computing initiative". I noticed that the much-hyped security features of XP SP2 consist mostly of the new firewall and popup blocker (which many people already had), along with more visible security reminders like that stupid shield that pops up when you download a file, visit an ActiveX-using website, etc. It seems like they are trying to make the focus on security as visible as possible, without providing any real, useful details. I get the idea that it's more of an illusion of security rather than some massive overhaul of the operating system like they want us to believe. I have a feeling that this won't be the last of the MS security illusions that we see.
Look.. I'm all for this "copy all the text and save everyone the hassle of waiting on a /.ed server" bit, but I'm getting freakin' tired of seeing these posts. If the idea was to put everything here at Slashdot, the editors would do so right at the outset. Stop doing this pre-emptive crap.. especially with a page hosted by the ISC!
What is your penile percentile?
Please back up your assertion that this is "bordering" on criminally negligent.
Analogy: there's a part of your car which could explode at any time. It's been a long-standing part of your car. This part can manifest itself in different sections of the car or in different accessories added to your car. You might be able to track down the part(s) if you are an adequate mechanic and you've kept track of where the parts have been put.
You go back to the manufacturer who says, "Well, we can tell you if you have the part, but we're not sure where on the car, or how many different parts of the car, but you should really get the parts replaced or else the car will blow up".
No, software should work AND look pretty. Just because form follows function doesn't mean it should be completely disregarded.
I am surprised that Microsoft does not do what Linux does and have a common DLL provide all the JPEG functionality. At least in Linux, most, if not all apps, use libjpeg.so.
Fixing a problem like this in Linux is trivial. Only libjpeg needs to be patched, and automagically, all apps that depend on that library are also rendered invulnerable.
We saw this with png and other shared libraries. Also, offering many of these common libraries as DLLs helps reduce code bloat since every app no longer needs to reinvent the wheel.
This post is encrypted twice with ROT-13. Documenting or attempting to crack this encryption is illegal.
Would you give a warranty for something you give for free?
Sure! If it doesn't work, they can have their money back...
Do you have ESP?
Beyond that, if I find out that my Windows version of "The Gimp" is also vulnerable, I know enough to go to the author of that program and find a patch.
If, on the other hand, 'The Gimp' told me that GTK may be vulnerable, and the 'GTK' folks told me that 'The Gimp' may be vulnerable, I would surely be the first person to stand up and write a singularly upset letter to those projects.
On the other hand, I didn't pay $199 per copy of "The Gimp" and, as a condition of my use of said software, it clearly tells me that I am free to modify the code to my liking. Thus, I don't feel that "The Gimp" and the "GTK" projects owe me merchantability. Microsoft (on the other hand) I do feel owes me - at least - merchantability to perform as advertised...
So long as Microsoft can fix the issues that are theirs (as opposed to point me in a circle), I have no qualms with spending more of my fine earned money to them for a really nice gaming OS.
Kinetic stupidity has a new brand leader: Allen Zadr.
IANAL but it seems to me that any programmer writing C code in this day and age who leaves a buffer unchecked in their code should be guilty of criminal negligence if that buffer can be used to execute malicious code. The dangers of unchecked buffers have been documented well enough to the point that it seems reasonable to argue it is a gross deviation of accepted professional standards of software development to allow such sloppy coding to pass through.
Actually, that's an excellent question. And believe it or not, the answer actually kinda makes sense.
The file in question is gdiplus.dll. This file was included in Windows XP and Windows Server 2003, but was not part of previous operating systems.
Therefore, apps that used this .dll (like Internet Explorer) when installed on previous operating systems (like Windows 2000) had to ship their own copy of the .dll.
So some apps ship with their own copy, then along comes WinXP/2K3, and they add a second, system-supplied copy.
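The two comments above make the same point from opposite sides: on Linux one shared libjpeg.so is patched once for every dependent program, whereas on Windows each application that bundled its own gdiplus.dll leaves a private copy that a scanner looking only at the system directory never sees. The script below is an added example (not Tom Liston's tool, not Microsoft's, and not part of this thread): it walks a directory tree, collects every file named gdiplus.dll regardless of case, groups the copies by SHA-256 so an administrator can see how many distinct builds are installed and where, and flags every copy whose digest is not in a set of known-fixed builds. The digests of fixed builds are a placeholder here, since this page does not give them; a real check would take them from the vendor's advisory. The sample directory layout is constructed in a temporary directory purely to show the output.

```python
import hashlib
import os
import tempfile
from collections import defaultdict

# The library named in the thread; any file name works the same way.
TARGET = "gdiplus.dll"


def sha256_of(path):
    """Hash a file in chunks so large DLLs do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def find_copies(root, name=TARGET):
    """Walk `root` and return {sha256: [paths]} for every file whose name
    matches `name` case-insensitively (Windows file names are not case
    sensitive, so GDIPLUS.DLL and gdiplus.dll are the same library)."""
    builds = defaultdict(list)
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            if fn.lower() == name.lower():
                p = os.path.join(dirpath, fn)
                builds[sha256_of(p)].append(p)
    return dict(builds)


def classify(builds, known_good):
    """Split the copies into those whose build digest is in `known_good`
    (the vendor's fixed builds) and those that are not and therefore still
    need attention. Returns (ok_paths, unknown_paths), both sorted."""
    ok, unknown = [], []
    for digest, paths in builds.items():
        (ok if digest in known_good else unknown).extend(paths)
    return sorted(ok), sorted(unknown)


def build_sample_tree(root):
    """Constructed sample layout, not a real system: one system-supplied copy
    plus two app-local copies that both carry an older build, and a decoy
    file whose name merely starts with the library name."""
    layout = {
        os.path.join("Windows", "System32", "gdiplus.dll"): b"build-A (system copy)",
        os.path.join("Program Files", "SomeApp", "gdiplus.dll"): b"build-B (app-local)",
        os.path.join("Program Files", "OtherApp", "GDIPLUS.DLL"): b"build-B (app-local)",
        os.path.join("Program Files", "OtherApp", "gdiplus.dll.bak"): b"not a dll",
    }
    for rel, data in layout.items():
        p = os.path.join(root, rel)
        os.makedirs(os.path.dirname(p), exist_ok=True)
        with open(p, "wb") as f:
            f.write(data)


def demo():
    """Run the inventory over the constructed tree. Returns
    (number_of_distinct_builds, ok_relative_paths, unknown_relative_paths)."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        builds = find_copies(root)
        # Placeholder for the vendor's list of fixed builds: here we simply
        # treat the system copy's build as the fixed one.
        system_copy = os.path.join(root, "Windows", "System32", "gdiplus.dll")
        known_good = {sha256_of(system_copy)}
        ok, unknown = classify(builds, known_good)
        rel = lambda paths: [os.path.relpath(p, root) for p in paths]
        return len(builds), rel(ok), rel(unknown)


if __name__ == "__main__":
    n, ok, unknown = demo()
    print(f"{n} distinct build(s) of {TARGET} found")
    for p in ok:
        print("  fixed build :", p)
    for p in unknown:
        print("  needs review:", p)
```

Run against a real drive root, the same walk reports every private copy an application dropped into its own directory, which is exactly the case a check limited to the system directory misses. Grouping by digest rather than by path also shows at a glance when several applications bundled the identical build, so one vendor fix covers all of them.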
Until Microsoft become a profit organisation rather than a tax-harvesting one, then they get all the stick they deserve.
Thank you,
h
Patriotism is a virtue of the vicious
As for the "we're not the only ones" plea, this is not a very adult response to any form of critique.
Only when they're more interested in communication with the supposed recipient than they are with getting publicity for themselves.
Please back up your assertion that this is "bordering" on criminally negligent.
Yes, yes. We all know how apologists will assert to their death that there is no negligence or violation of expected product quality unless there's death and dismemberment.
Microsoft has been charging money for a product which has demonstrated its ability to be substandard for over a decade. Open source software, at the very worst, is on par AND it gives customers infinite flexibility.
+++ATHZ 99:5:80
Why would upgrading an application also upgrade a shared system library at the same time? If the application needs the later library version, then the system needs upgrading as well (and probably a good thing, too). Only the system vendor, or the user by direct action, should be messing about in the system directories. Applications shouldn't be fscking around in there at all. If they do, then the result is guaranteed to be a complete and utter mess. (This is obvious, right?)
Further, why would upgrading a shared system library break older applications? If the new library isn't backward-compatible, then the library vendor did The Wrong Thing. This can admittedly be a bit dicey when you've fixed a legitimate bug in the library, and dependent applications break. By definition, the applications were broken for relying on broken behavior, but sometimes pragmatism has to win out. However, if you have a well-designed method for establishing library entry points, you can mitigate this problem by just reassigning vectors (new apps bind to the new, fixed vector; and old apps get the old vector, whose bugs are emulated for no more than two major releases).
Schwab
Editor, A1-AAA AmeriCaptions
I see. The tool wasn't designed for use. They just made it available for download so we could all see what a tool would look like if one were available.
"What we imagine is order is merely the prevailing form of chaos"
Also, in all English-speaking countries that aren't bordering with the US, they're pronounced totally differently.
Send lawyers, guns, and money!