Security Vulnerabilities Discovered in WinXP SP2
SoTuA writes "Few months after SP2 hit windowsupdate.com, Finjan Software reports that security flaws have been found in WinXP SP2, including malicious code execution without user intervention. Finjan has turned over the findings, along with proof-of-concept, to Microsoft."
from the article:
"By exploiting all vulnerabilities discovered in SP2 by Finjan, attackers can silently and remotely take over an SP2 machine when the user simply browses a Web page,"
gee... why am i not surprised that Internet Explorer once again introduces huge security problems?
in the meantime, a patch can be downloaded here
although i must admit... SP2 has had a good run... most of the recent security problems in XP/IE were non-issues in SP2. Too bad it couldn't last longer.
Finjan is not a disinterested party, since it is selling security solutions to the home and enterprise markets, and it profits by being the first --- and so far --- only source to make the claim.
Whereas Microsoft is the largest business this side of Alpha Centauri.
Hardly. Walgreens is "bigger" than MSFT, based on year 2003 revenue.
http://www.usatoday.com/money/companies/2004-03-22-fortune-500-list_x.htm
Wal-Mart's revenue is 8x larger than MSFT's.
IBM's is 2.75x larger, HP's is 2.24x larger. AT&T's revenue is US$2.4B larger than MSFT's.
"I don't know, therefore Aliens" Wafflebox1
Finjan are a dodgy company, and always overhype security "vulnerabilities" such as "a user is able to download an .exe and run it, thanks to Windows".. etc.
It's funny, not long ago their site was vulnerable to an old cold fusion exploit. I didn't do anything about it, 'cause frankly they are a two bit company and there seemed no point.
Believe me, when the details of this "exploit" are revealed, it will be pretty pathetic.
I.O.U One Sig.
While I am somewhat inclined to agree with you, MS won't do this because of the time required. Users are too impatient for a new OS release to wait for an entire rewrite. Even with Longhorn, MS has been cutting features to stick to a realistic deadline. And MS is not likely to allow MSIE to be uninstalled unless forced to by legal authority because if they did, it would make them look like hypocrites after claiming they can't remove MSIE because it is part of the OS. I do believe MS will continue to add security features to the OS, like they did in SP2. Also, not to be an MS apologist (I run FreeBSD as well as being a slacker), but I think it is difficult for MS to keep track of all the code being appended to the Windows sourcecode repository. MS does try to be strict however (such as not allowing developers to touch the Windows source until they read through a book and such).
Powered by caffeine and sugar; BSD
Well, in a way, you're absolutely right. The very first thing you have to realize before you even do a preliminary security screening/threat assessment is that security is always a trade-off. That's the major point that most managers fail to understand.
Basically, there are three elements that you need to balance: security, usability and costs (there are also a lot of other relevant factors like existing infrastructure, resistance to change, scalability, etc. that make real security work, ie. more breaking out the pen test kit and print a report, so damn expensive).
There is no such thing as a 100% secure system. That's the common wisdom and that's true. But you can design a 98% secure system. The only problem is that this system will require a huge overhead and be so cumbersome that your employees will spend most of their time doing anything but actual work. That way they'll either avoid it and use something else (ie. something less secure and more usable), if given the choice. Or they'll be largely unproductive, which in turn means you'll have to spend a lot of money to even keep things running. Which of course means you'll not be able to compete (that's one of the reasons a lot of secure systems are designed for government use only because the government doesn't really have to compete or be efficient).
Multics implemented usable security exceptionally well. You could get the job done in a timely but relatively secure manner. For some more information about user centered security check out this paper or "Multics Security Evaluation: Vulnerability Analysis" by Karger & Schell (1974). The latter is available online too.
It's really a shame there's no "Open Multics". I wouldn't really run it in a secure production environment but I'd sure like to have my own Multics machine.
Not only is it "the matter of time to get the fix", it is if the fix will be held for no other reason than to include it into some package that has something to disable pirated copies of their software. It is unbelievable that a couple of severe threats that could have been patched before were held over 11 weeks for a service pack release during the SP1 era.
...but the amount and severity of MS bugs/exploits is deplorable considering that Windows is the flagship product of one of the largest corporations in the world.
I'm not a fan nor a hater of Microsoft products (just hate their business practices), but for anyone to be surprised that an OS designed to be run for a single user in a non-networked environment loaded with legacy code to fully (and successfully) port to a multi-user, networked environment shows a lack of understanding about the increasing inertia software products have as they age. (That's not a swipe at the parent, but a comment about the public at large).
The point is, Microsoft is actually trapped by how large they are (!). To "fix" all these issues would require a complete re-write of Windows. But then if they re-write Windows, what they'd be selling the public is not the product that helped make them a mega-corp, but a new and untested one that is only trying to leverage the brand name. Ironically, there's a significant chance that if Microsoft wandered too far from their "flagship" product too quickly, they'd both alienate and lose their customers.
Hate to say it, but they need to take the slow, steady approach to these updates/repairs.
The real question is, will they still be able to change fast enough to stay viable.
Diplomacy is the art of saying, "Nice doggie!" until you can find a rock.
I agree 100%, but you know what?
They won't. Not anytime soon, at least.
It's not because it's impossible (just take a look at Apple), but because the mess that is Windows nowadays is the result of having backwards compatibility prioritized over everything else. Gates and co. are not stupid; they know that the applications are what make the OS. If you introduce a new Windows that needs new apps and supports older ones with a VM (performance hit and issues waiting there), all of a sudden other options become much more viable, especially Apple. If you have to replace all your apps to use a new OS, why not switch OSs altogether?
It is really very very simple. My Win XP machine has been totally 100% protected from virii, et al. I will let my secret out, which I have withheld from the whole world for years, and unlike the software companies selling protection software and services, I am going to give the solution away for free! Here goes... I NEVER LET MY WINTEL BOX ON THE INTERNET! I didn't have to listen up much to understand early on that my Mac did all the internet work I needed without the constant worry and hassle of the MS OS problems. Life is so simple this way.
Using these vulnerabilities to shill its products.
This isn't to say that the vulnerabilities aren't real, they might be.
But this is a marketing ploy for Finjan
Back in the NT4 days I happened on a major IIS exploit. I did what I could for our code, then reported it to Microsoft. A few email exchanges - reported the bug, gave a few code examples to show the remote privilege escalation (guest to admin), then silence. Noticed the issue was fixed two service packs later.
Not so much as an email saying thank you after providing drivers to demonstrate the issue, much less any type of 'reward'. For those who wear a white hat (even accidentally) I have no problems with these guys showing how clever they are and using it for marketing purposes. That is about all the payback you get when you find something that does not behave like it should.
+++ UGUCAUCGUAUUUCU
Thank you! That struck a chord with me. It blows my mind how the OpenOffice.org suite (in particular OOo Writer) has painstakingly reproduced the frustration in using MS Word. Spelling "corrections" are automatically made, table contents are automatically assigned different fonts and line spacing, and that bloody lightbulb keeps popping up like some Web ad.
And that splash screen when it starts up, stubbornly staying on top and covering the other windows --is Sun *trying* to advertise how bloody long it takes to start up the program?
But you know what the clincher is? I bought the "OpenOffice.org 1.0 Resource Kit", a manual written by Solveig Haugland, and there was this fairly common feature (I forget which one --maybe inserting a static date as text?) that she COULDN'T FIGURE OUT how to do. She basically says, "So far we haven't figured out how to do this yet." This is from someone who's writing a manual for the software.
Good God, Sun, why don't you just get bought out by Microsoft already. Maybe it's time to take another look at AbiWord, see how they're doing on their tables support, and break out the GNOME libraries...
404555974007725459910684486621289147856453481154 in hex is "You sank my Battleship?"
[GPG key in journal]
That's what I did after feeling for the n'th time the problems you mention. AbiWord isn't perfect, but it loads in a fraction of a second and handles well about 99% of my MS-Word documents.
What's the problem with Star/OpenOffice taking so long to load, anyhow? Is it Java, or is it just badly written software?
why must a user be logged in as Administrator to play a game?
Because clueless devs and shitty game copy prevention tools require it.
Ever played a Microsoft game, say Dungeon Siege? Admin rights are not required, and all per-user stuff (save games, settings, etc) go in your own file area (eg C:\Documents and Settings\username\...)
Compare that with most other games, that often require admin access just so they can use some copy prevention mechanism. That was certainly the case with the original Sims - if you used a no-cd crack, it ran fine as a normal user. Without it, it required admin rights, and just silently failed without them.
Don't blame MS for the failings of third party developers. They may not have helped in the past, but that's changed now. If you have an issue with games requiring admin access, take it up with the developers.
It's official. Most of you are morons.
Windows pocket pc 2003 was re-written from scratch, and it's shit.
As an example, by default it saves documents in volatile ram so you lose them when the battery goes flat.
It keeps applications running but can only display one at once and has no way to efficiently switch between them (menu/settings/memorytab/runningapplication/activate)
It installs applications in vram.
Basically, it's crap.
If it were running linux I could make sure everything (except tmp) was stored on nvram and I could even swapon to give me more ram if I wanted to.
thank God the internet isn't a human right.
I must say that there is a reason Microsoft's operating system keeps breaking down...
Remember, IBM wanted to make OS/2 bulletproof because the OS market wasn't the main source of profit for Big Blue. For Microsoft, it makes sense to keep putting out the half-rotten fish on the plate. If a restaurant were right next to a hospital where the owners of both restaurant and hospital were good pals.
An operating system seldom has a real reason for going from version 1.x to 2.x, and usually companies don't charge for going from version x.1 to x.2 (i.e. um... patch or service pack - that's something companies put out for their own good because they've messed up somehow), because innovations which require an entire facelift of the operating system do not happen that often. I would say from DOS to Windows 95 was a big milestone, and from Windows 95 to Windows 2000. Everything else should have been free... except Bill needed more money to burn in his research lab (whatever happened to Cairo?).
Also, there was an unexpected positive side effect from putting out half-rotten fish. Often people got problems with the Windows blue screen of death (or some clever, more or less obvious hack to the huge hole hackers often drove a train through), which put Microsoft in the public view (headlines of lots of media)... it got unexpected media coverage. Under normal business circumstances, this kind of folly would have surely sent a company dead in the water for good, but like someone else in the Slashdot community pointed out, people just don't care about the security flaws or the ever slowing down / memory-hungry deranged monster operating system of today's era. The other side effect would be that the OS had so many problems that tech support firms and Microsoft support actually profit from taking tech support calls from its customers and companies who are often found working together to create stuff which works with Windows.
Bottom line is that Microsoft is doing it on purpose so people can keep waiting for that perfect OS which will not break down under normal circumstances like just browsing the web and checking e-mail. That's all my dad does and why did his computer break down with an error message the other day? I don't see my father's VCR or radio stop working with a blue screen of death!!!
Um.. not to mention that they must willfully bloat their OS with so much stuff that eventually their friend Intel will be able to happily sell the new upcoming Pentium 5 running at 6GHz. First time I bought my ps, standard memory size was at 4MB. Today's standard memory size is something like 256MB and it's on its way to becoming 512MB... I wonder if 4GB memory will ever become standard on consumer PCs....
Oktokie
PS: can someone tell me why my Windows swaps when I have 1GB of memory onboard and my Windows 2000 thinks my 750MB of physical memory not being used isn't good for any use.... so it goes and merrily creates 200-300MB of virtual memory. This is just too funny.
heh, I bash MS products damn near constantly. I hold a MCSE and MCSD certification.
Microsoft feels I know what I'm talking about when I tell you that MS software cannot be secured to the point where a system running it should EVER be connected to the internet or any other large network.
Further, I've RTFM'd a few windows versions. I've never really found any useful information in the little getting started booklet. I've been looking for further documentation of note but haven't found any yet. Seriously, not much of a manual here.
"get real, no OS is secure unless you config it to the level of security you need/want/forced-to-use (ignorant exec's without a clue making decisions)"
True enough, there are numerous OS's you can do this with. You're just really limited as to what levels of security it's possible for a windows configuration to obtain.
"get off the hate-wagon, be constructive"
Every day I go out and help small business owners realise why they should choose linux or at least begin migrating their critical systems away from windows. We start small, backend servers, locking down the windows desktops as much as possible, replacing ie with firefox, etc.
not running as root is just part of it. Even if you're not running as root, a virus can still trash your system or be used to proxy spam or attacks over the Internet.
The big difference with Windows is in the first stage, the infection. There are entire classes of security holes on Windows that don't exist on any other widely used operating system. Yes, any system can have a buffer overflow, but only Windows can suffer from a "cross zone attack", because only Windows tries to reconstruct the rights an object should have based only on its URL.
So, like what happens to the writers of the code when a vulnerability is found? Is it something along the lines of 'oops, better luck next time' or do heads roll?
...