GDI Vulnerabilities: An Open Letter to Microsoft
UnderAttack writes "Tom Liston, the guy that brought us the LaBrea Tarpit, wrote an open letter to Microsoft regarding the GDI JPEG vulnerability, and Microsoft's scanning tool for this vulnerability, which he calls 'worse than useless'. Tom, who wrote his own scanning tool, ends his letter with 'Please stop treating your customers like idiots and give us information; information that we can use.' Like Tom explains, the official Microsoft scanning tool misses a lot of vulnerable DLLs installed by third parties, and Microsoft fails to explain if these libraries are a problem or not."
As soon as I read something like the above the letter goes straight into the circular file.
Dear Tom,
Next time, less cutesiness and more explaining what the fucking point is.
HTL. HAND.
I guess I am too smart for my own good... It told me to only check Office update as it seemed to know that I was already up-to-date on the OS side.
So I go over there and download/install the updates. The only problem I saw with it was that I had to supply my Office CDs during the install (and it warned that might include a key -- luckily I had both in close proximity). If MSFT fucks up I shouldn't be the one that has to produce the CDs/Key to fix it. MSFT should happily go about the update without needing either of those two things. They shouldn't be allowed to check for piracy during a security fix.
That's at least how I saw it.
So I was all patched up according to the Windows Update and the Office Update sites and I figured I was done. Maybe I was too smart for my own good?
Yes, Microsoft should be responsible, when those people who wrote the code using Microsoft dlls are distributing a vulnerable version of the dll. Microsoft approved the distribution of the dll, so they should know who did.
No, MS should not be responsible for fixing code that third parties distributed using their code libraries. Just as no F/OSS code library project should be responsible for tracking down anyone who might have used their code library.
However, MS should do a better job of making it clear to third party developers that the DLL may be included in their project (often without the knowledge of the project. Visual Studio does a great job of hiding the relevant DLLs that get loaded into a project.) None of the MS advisories on this that I have seen have included any recommendation to developers or consumers that they need to take additional steps after patching their system.
MS should, though, have produced the tool that Tom Liston did. His scanner is 7k. Surely MS could have come up with something like that--and if you run Tom's GDI scanner, you'll note some places where it identifies possible problems. MS would be in a much better position to know if that is the case and thus able to provide better information.
So, I disagree with what you are faulting MS for, but not the fact that MS should be faulted.
bordering on the criminally negligent concerning network security.
Please back up your assertion that this is "bordering" on criminally negligent.
Do you claim there are some laws regarding network security that are applicable, or is this just a verbal flourish gone one step too far?
with a letter like Tom wrote, he'd kind of deserve that response. What is he, thirteen? Microsoft will probably push it around in a little circle of their corporate bureaucracy but with little in the way of enthusiasm. How can you not put that letter in the angry, political, CS major pile?
I'm as antisocial as the next /.'er but come on, even I can write an effective letter critical of a company's product. Even as a lame attempt to curry favor with the disaffected masses, it manages to be rambling despite its brevity.
MS has written lots and lots of prose about this vulnerability, but I still don't know how to download the new updated gdiplus.dll to redistribute. I've applied the update from windowsupdate.com to my computer, but I guess it would be a good idea to distribute an updated version to our customers. I just can't seem to find it anywhere.
This sig under construction. Please check back later.
In this context the last zlib vulnerability comes to mind. Apps which linked dynamically to it were easily updated, but unfortunately there were also some statically linked ones.
I'd have been happy if their "list of affected applications" was even remotely accurate. They say Office 2003 and .NET Framework 1.1 were vulnerable, but if you had applied PREVIOUSLY AVAILABLE updates to either of those products, then, in fact, they weren't. Mentioned anywhere in the KB article? Nope, the user has to figure out for themselves that even though they haven't installed any patches for this vulnerability for their products on the "affected" list, they're not actually vulnerable.
Not to mention that their client scanner for the Windows vulnerability didn't even correctly identify vulnerable machines until several days AFTER the initial patch was released.
This was a badly handled security update, even by Microsoft standards. I think Microsoft should start focusing at least SOME of their efforts on some sort of security initiative or something.
And you know this how?
I have serious doubts that this 'open letter' will draw a response of any kind from our pals at Microsoft. If it takes more than 15 seconds to get to the point, it's going to get scanned in Redmond. I have heard repeatedly of management and strategic meetings (particularly those run by contracts, vendors or other "outsiders") wherein people will simply stand up and walk out if they aren't implicated in the first two minutes. The travails of a boy terrorized by a sibling won't keep a busy exec from his IM session with the Portuguese yacht firm that's fitting out his troller. Live and learn, eh? Too bad though, it's really a rather compelling tale of deceit and greed. I wasn't expecting the part at the end about the snake.
"The Borba"
Ugh. I have met some idiots in my life, and it's my opinion that the vast majority of computer users are NOT idiots. Modern life is so much more complicated than it needs to be, and, as a result, people just do not have the time (or the energy) to accustom themselves with every aspect of their personal computer, its operating system, and whatever software they need to run. How many times--especially in Linux!!--have you just wanted to DO something, without it turning into a goddamn research project? I, for one, think that computers can be versatile, easy to use, AND secure--all at the same time. Who's with me?! Step one is: idiot programmers need to get a clue and start writing software that WORKS*. I've written some of my own, so I know it can be done. It just takes a little more thought, a little more effort.
* Is secure and easy to use.
P.S. If I hear about one more buffer overrun exploit, I'm going to kill a man.
I have a dumb question. I admit it's a dumb question, because I've spent the last twenty years of my career working with non-Microsoft operating systems and products. The answer may be obvious to someone with that kind of experience, but not to me. So here goes:
Why the hell are there multiple copies of the same, critical, shared system library floating around on the machine?
See, where I come from, you have one copy of shared system libraries -- the latest one, with all the latest patches. This library is fully backward-compatible with all its predecessors. Further, the shared system libraries are all in the same place, so you know where to go looking to drop in updates or, if need be, regressions. (On very, very rare occasions, there'll be a copy of a specific version living alongside the (by definition, broken) application that needs it.) This approach leads to clean system maintenance and ensures that all applications are using the same, up-to-date, best performance, most secure version of the system libraries.
So why is Windows different? Why are there a zillion copies of GDI+ laying around? And why would you want it that way?
Schwab
Editor, A1-AAA AmeriCaptions
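The two posts above (the one wishing Microsoft had shipped a scanner like Tom Liston's, and the one asking why a zillion copies of GDI+ are lying around) both come down to the same inventory problem: before you can say whether a box is patched, you need to know every copy of the library it carries. The following is an added example written for this page, not Tom Liston's scanner and not Microsoft's tool. It walks a directory tree, finds every file named gdiplus.dll regardless of case, and groups the copies by SHA-256 so distinct builds stand out. It deliberately does not parse the PE version resource; the assumption is that a hash inventory is enough to show an administrator how many different builds exist and where each lives, and the sample tree it builds is constructed for the demonstration.

```python
"""Inventory every copy of a named DLL under a directory tree.

Added example for this discussion, not the thread's or any vendor's code.
Copies are grouped by SHA-256 rather than by PE version resource (an
assumption made to keep the example portable); the sample tree below is
constructed purely for the demo.
"""
import hashlib
import os
import tempfile
from collections import defaultdict


def sha256_of(path, chunk=1 << 16):
    """Stream the file through SHA-256 so large DLLs are not read into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def find_dll_copies(root, dll_name="gdiplus.dll"):
    """Return sorted (path, size, sha256) tuples for every file named dll_name
    below root. Matching is case-insensitive, as on NTFS. Symlinks/junctions
    are skipped so a reparse point cannot make the walk loop or double-count."""
    target = dll_name.lower()
    found = []
    for dirpath, _dirnames, filenames in os.walk(root, followlinks=False):
        for name in filenames:
            if name.lower() != target:
                continue
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                continue
            found.append((path, os.path.getsize(path), sha256_of(path)))
    return sorted(found)


def group_by_digest(findings):
    """Map digest -> list of paths; one key per distinct build on the box."""
    groups = defaultdict(list)
    for path, _size, digest in findings:
        groups[digest].append(path)
    return dict(groups)


def build_sample_tree():
    """Constructed layout: two identical copies of one build (system dir and a
    vendor app), one copy of a different build, and an unrelated DLL that the
    scanner must ignore. Contents are placeholder bytes, not real PE files."""
    root = tempfile.mkdtemp(prefix="gdi_scan_")
    layout = {
        os.path.join("Windows", "System32", "gdiplus.dll"): b"BUILD-A" * 100,
        os.path.join("Program Files", "VendorApp", "GDIPLUS.DLL"): b"BUILD-A" * 100,
        os.path.join("Program Files", "OtherApp", "bin", "gdiplus.dll"): b"BUILD-B" * 100,
        os.path.join("Program Files", "OtherApp", "bin", "other.dll"): b"IGNORED" * 10,
    }
    for rel, content in layout.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(content)
    return root


def report(root, dll_name="gdiplus.dll"):
    """Print the inventory and return (findings, groups) for further checks."""
    findings = find_dll_copies(root, dll_name)
    groups = group_by_digest(findings)
    print(f"{len(findings)} copies of {dll_name}, {len(groups)} distinct builds")
    for digest, paths in groups.items():
        print(f"  {digest[:16]}...  x{len(paths)}")
        for p in paths:
            print(f"      {p}")
    return findings, groups


if __name__ == "__main__":
    report(build_sample_tree())
```

Run against a real root (say, a drive letter on Windows) it answers the "how many copies and where" question directly; any build whose hash does not match the patched system copy is the list of places a third-party installer dropped its own GDI+ and that Windows Update will not touch.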
You missed the fundamental point that Red Hat (and any distribution) is not really selling the underlying code they are distributing. They are selling the results of their bundling all of these disparate free packages together, so the difference in the original ancestor post is quite valid. Their only obligation to the consumer would be to maintain the integrity of the bundle, which ultimately relies upon the free software of which it was comprised.
Did the vendors have the ability to change these DLLs or were they given binaries or restrictions on what changes (if any) were allowed?
You're talking about source code modifications. Is that the case here? (Why would there have to be source modifications on a shared library? It makes no sense!)
The analogy you use is also not the way that things are typically done on *nix systems (Linux or not).
A more similar analogy would be if two applications that were similar but from the same code base -- say Sodipodi and Inkscape -- used a PNG manipulation routine that was defective. In that case, under Linux (and *BSD and likely all other *nix), the applications would not have any security issues -- though libPNG would! Fix libPNG, and the issue goes away for Sodipodi, Inkscape, and all other applications that use libPNG.
A firewall can not protect you from yourself. Turn off what you do not need. Do not use the firewall to do your work.
Excuse my ignorance; can someone explain why this is funny? Other than the fact that it is written in C and does not explicitly return an int, what's the security flaw here?
Please correct me if I got my facts wrong.
On the other hand, I didn't pay $199 per copy of "The Gimp" and, as a condition of my use of said software, it clearly tells me that I am free to modify the code to my liking. Thus, I don't feel that "The Gimp" and the "GTK" projects owe me merchantability. Microsoft (on the other hand) I do feel owes me - at least - merchantability to perform as advertised...
This is also my final point of contention when people attack the security vulnerabilities in open source software.
I didn't pay $200 for it, I can assume responsibility for keeping it patched and secure. But jay-HEE-zus, if I pay $200 for something, I expect them to fix it before every script kiddie with a Google hit can poison it!
+++ATHZ 99:5:80
Well, as another poster mentioned, you circumvent a perfectly good system and then complain about it.
There are far better ways to remotely determine the version of something running on your network (as you seem to be trying to do with ssh -v and HEAD; do you not update any packages that do not listen to a socket and return version info?). You can either read the RPM database or execute rpm -qi and check out the exact version of what's installed, then push out the updated RPM if a newer one exists on your local repository. It's a poor man's RHN, but can easily get the job done just as well.
"Hot lesbian witches! It's fucking genius!"
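The post above suggests reading the RPM database and pushing an updated RPM whenever the local repository holds a newer one. The non-obvious part of that loop is deciding "newer": RPM versions are compared segment by segment, not as plain strings, so "1.1.4-8.1" must beat "1.1.4-8" and "3.6.1p2-33" must beat "3.6.1p2-18". The block below is an added example for this page, not the poster's script or anything from Red Hat. It assumes the installed list is the text that `rpm -qa --queryformat '%{NAME} %{EPOCH}:%{VERSION}-%{RELEASE}\n'` produces and that the repository manifest is kept in the same format; both inputs here are constructed sample data, and the package names and versions in them are illustrative only. Tilde and caret version segments are deliberately not handled.

```python
"""Find installed RPMs that a local repository can upgrade.

Added example, not from the thread. Input format is assumed to be
'NAME EPOCH:VERSION-RELEASE' per line (what rpm's --queryformat above emits,
with '(none)' for an unset epoch); both lists below are constructed.
"""
import re

# Constructed: what `rpm -qa --queryformat ...` might print on one host.
INSTALLED = """\
zlib (none):1.1.4-8
openssh (none):3.6.1p2-18
httpd (none):2.0.46-25
"""

# Constructed: manifest of the local repository, same format.
REPO = """\
zlib (none):1.1.4-8.1
openssh (none):3.6.1p2-33.30.3
httpd (none):2.0.46-25
kernel (none):2.4.21-20
"""

# rpm splits a version into runs of digits and runs of letters; everything
# else is a separator. Tilde/caret handling is omitted (assumption).
_SEG = re.compile(r"[0-9]+|[A-Za-z]+")


def rpmvercmp(a, b):
    """Compare one version or release string the way rpm does.
    Digit runs compare numerically, alpha runs lexically, a digit run
    outranks an alpha run, and more trailing segments means newer."""
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            if int(x) != int(y):
                return -1 if int(x) < int(y) else 1
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        elif x != y:
            return -1 if x < y else 1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))


def parse_evr(s):
    """'(none):1.1.4-8' -> (0, '1.1.4', '8'); epoch wins over everything."""
    epoch, rest = s.split(":", 1)
    epoch = 0 if epoch == "(none)" else int(epoch)
    version, release = rest.rsplit("-", 1)
    return epoch, version, release


def evr_cmp(a, b):
    """Full epoch:version-release ordering, -1/0/1."""
    ea, va, ra = parse_evr(a)
    eb, vb, rb = parse_evr(b)
    if ea != eb:
        return -1 if ea < eb else 1
    c = rpmvercmp(va, vb)
    return c if c else rpmvercmp(ra, rb)


def parse_list(text):
    """Turn the line-oriented query output into {name: evr}."""
    out = {}
    for line in text.splitlines():
        if line.strip():
            name, evr = line.split()
            out[name] = evr
    return out


def pending_updates(installed_text, repo_text):
    """Return {name: (installed_evr, repo_evr)} for every installed package
    that the repository carries in a strictly newer epoch:version-release.
    Packages only in the repo (not installed) are not upgrades and are skipped."""
    inst, repo = parse_list(installed_text), parse_list(repo_text)
    return {
        name: (inst[name], repo[name])
        for name in inst
        if name in repo and evr_cmp(inst[name], repo[name]) < 0
    }


if __name__ == "__main__":
    for name, (have, want) in sorted(pending_updates(INSTALLED, REPO).items()):
        print(f"{name}: installed {have}, repository has {want}")
```

Wired into a loop over hosts, the returned dictionary is exactly the list of RPMs to push; the point of the comparison function is that a string or float comparison would get the release bump and the multi-segment release wrong, silently leaving a host on the vulnerable build.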