Slashdot Mirror
Security Vulnerabilities Discovered in WinXP SP2
SoTuA writes "Few months after SP2 hit windowsupdate.com, Finjan Software reports that security flaws have been found in WinXP SP2, including malicous code execution without user intervention. Finjian has turned over the findings, along with proof-of-concept, to Microsoft."
At what point does a story become so routine that it no longer counts as news?
Technology, the cause of and solution to all of life's problems.
What they said: By exploiting all vulnerabilities discovered in SP2 by Finjan, attackers can silently and remotely take over an SP2 machine when the user simply browses a Web page"
What they meant: By exploiting all vulnerabilities discovered in SP2 by Finjan, attackers can silently and remotely take over an SP2 machine when the user simply browses a Web page with Internet Explorer
Using these vulnerabilities to shill it's products.
This isn't to say that the vulnerabilities aren't real, they might be.
But this is a marketing ploy for Finjan
Security holes being found isn't usually the issue with microsoft though, it's how long it takes for fixes to arrive.
Yeah, and of course we all criticize MS for releasing buggy software. The counter-argument always that of course MS can't fix every single bug. Supporting that, people point to vulnerabilities in apache, mysql, etc.
The problem with the latter is that most Linux-based software is open-source, nonfunded. Whereas Microsoft is the largest business this side of Alpha Centauri.
I'd like to say pshaw, no big deal, but the amount and severity of MS bugs/exploits is deplorable considering that Windows is the flagship product of one the largest corporations in the world. Stop entering new markets and release a stable, secure product in the next millenium please.
Flame on.
P.S. I'm going to establish a charity for those who believe using a dollar sign in Microsofts name does anything other than diminish one's argument.
-- I have fans? Wow.
XP does not come with an SQL server. XP does not come with a PDF viewer. XP does not come with an IRC client. XP does not come with a proxy server. Seeing a pattern here?
I believe that with Linux's usability improving each and every year, and Mac OS X's increasing appeal to computer users, sooner or later, Microsoft will be in deep trouble. No OS is completely secure, but Linux and Mac OS X doesn't suffer from the one main problem that faces Windows security: the integration of web browsers (Internet Exploder), media players (Windows Media Player), and e-mail clients (Outlook Express). Windows has a lot of other security issues too, due to huge amounts of legacy code, a horrible system of user management (why must a user be logged in as Administrator to play a game?), insecure services running, and more.
Windows needs a rewrite. The kernel is fine, but there should be a new set of APIs (get rid of legacy stuff), a better command line (with the option of booting into it), disintegration of IE, WMA, and OE (make them separate programs that can be uninstalled), better user management (similar to Unix's user management), and finally, a secure "blue box" that runs "classic" Win32 and Win16 programs (similar to Mac OS X's classic mode). If Microsoft does this, they'll finally have a secure and stable OS, and who knows, I might even recommend Windows to users. But until then, I'm sticking with FreeBSD.
Windows in an O/S. You just listed 14 vulnerabilities for Applications that just happen to be packaged with RH O/S. Only ONE of above HAVE to be installed to run RH. Whereas, Windows and it's packaged applications, you have no choice but to suck it up when one of it's applications has a flaw, as you cannot uninstall them if something is a serious security threat. I am not saying that any Linux distro, or any O/S for that matter, doesn't have security issues, because they all do, but get better educated before spewing forth you're Linux bashing.
"Please step away from the gun, you are not authorized to use it."
I find it disgusting that Microsoft has plans to sell anti-virus software to plug up the holes they stupidly left in their OS. Shouldn't developers be forced to make secure products?
If it's discovered my model of car has a set of brakes that have a chance of not working after a certain gear shift combination, the car company issues a recall - they don't tell everyone "oh it's not a big deal, if you want go to a mechanic and buy a new set of brakes."
We get patches for free (well kinda...after paying for the software) but they only seem to fix one problem *at best) for a hole found in the wild by people outside MS anyway. That doesn't even begin to cover spyware and viruses.
Its an interseting dillema, because they very likely would _not_ be a $40bil if they didt release awfull software .
If they were to follow a very strict engineering process similar to what defense, nasa, and energy depts follow, their software would cost more then it already does, be years behind on "features", and make it very difficult to have the knee-jerk reactions to market desires it currently does.
I would argue that their success, aside from their edgy, sometimes illegal business practices, came from focussing more on UI and integration (or lock in depending on perspective) then on things people didnt understand at the time (security, stability, standards, interoperability, etc.).
Software has thus far been treated and behaved very differently from traditional engineering and manufacturing as there is no entity like UL (Underwriters Lab), FDA, FCC, DOT, etc. enforcing standrds of safety and allowing users to sue them for selling sub-par products. MS could move quick with a shoddy product and say they clicked "agree" on the EULA, security or stability be damned.
...and its not the fault of Agilent LogicWave logic analyser because?????
rewriting history since 2109
This is an important point. M$ bundles and intertwines so much into the OS that you really are a slave to the system. You can't compare a vulneraiblity in say Apache or Samba or WuFTP to a vulnerability in SP2 for XP or even IE. I can't help but install IE in XP. I CAN, however, choose not to run Apache, Samba, Mozilla, or just about anything in Linux. These apps are not bundled the same way similar apps are in Windows. I wonder how many "studies" are skewed because they ignore this point?
It'd be nice if you could use WinXP without administrator privledges. But there are many programs that simply don't run without Administrator privledges (MusicMatch comes to mind). If people could run without administrator privledges, they might, but if it's a lot of trouble, they won't. Unix users don't run as root if a program doesn't need root privledges, it will run as a non-root user, unlike most XP programs. I know it isn't completely Microsoft's fault, but they need to work with software companies to fix the problem.
...then carefully remove as much Microsoft software from your machine as possible.
Start with MSIE and MS Outlook, then MS-Office (replace them with FireFox, ThunderBird and OpenOffice, respectively). Really dig in and make sure every trace of them has been removed, don't stop at believing what the MS uninstaller tells you about MS Outlook.
Don't offer any shares, even to the LAN (get people to dump stuff elsewhere on the LAN and you pick it up from there), connect to the minimum number of shares (zero if possible) and for the shortest reasonable time.
Run a good firewall.
Pray a lot.
One more option: if you have a modern Linux box around, throw LogicWave at WINE on that and see how far it gets. If it doesn't work outright, maybe you can hack up an interface to the actual analyser in WINE. That'd be a lot of effort for one workstation, but if you have 20 or so it might be worthwhile.
Got time? Spend some of it coding or testing