Security Vulnerabilities Discovered in WinXP SP2
SoTuA writes "A few months after SP2 hit windowsupdate.com, Finjan Software reports that security flaws have been found in WinXP SP2, including malicious code execution without user intervention. Finjan has turned over the findings, along with proof-of-concept, to Microsoft."
from the article:
"By exploiting all vulnerabilities discovered in SP2 by Finjan, attackers can silently and remotely take over an SP2 machine when the user simply browses a Web page,"
Gee... why am I not surprised that Internet Explorer once again introduces huge security problems?
in the meantime, a patch can be downloaded here
Although I must admit... SP2 has had a good run... most of the recent security problems in XP/IE were non-issues in SP2. Too bad it couldn't last longer.
Finjan is not a disinterested party, since it is selling security solutions to the home and enterprise markets, and it profits by being the first --- and so far --- only source to make the claim.
Whereas Microsoft is the largest business this side of Alpha Centauri.
Hardly. Walgreens is "bigger" than MSFT, based on year 2003 revenue.
http://www.usatoday.com/money/companies/2004-03-22-fortune-500-list_x.htm
Wal-Mart's revenue is 8x larger than MSFT's.
IBM's is 2.75x larger, HP's is 2.24x larger. AT&T's revenue is US$2.4B larger than MSFT's.
"I don't know, therefore Aliens" Wafflebox1
Finjan are a dodgy company, and always overhype security "vulnerabilities" such as "a user is able to download an .exe and run it, thanks to Windows".. etc.
It's funny, not long ago their site was vulnerable to an old cold fusion exploit. I didn't do anything about it, 'cause frankly they are a two bit company and there seemed no point.
Believe me, when the details of this "exploit" are revealed, it will be pretty pathetic.
I.O.U One Sig.
Well, in a way, you're absolutely right. The very first thing you have to realize before you even do a preliminary security screening/threat assessment is that security is always a trade-off. That's the major point that most managers fail to understand.
Basically, there are three elements that you need to balance: security, usability and costs (there are also a lot of other relevant factors like existing infrastructure, resistance to change, scalability, etc. that make real security work, ie. more breaking out the pen test kit and print a report, so damn expensive).
There is no such thing as a 100% secure system. That's the common wisdom and that's true. But you can design a 98% secure system. The only problem is that this system will require a huge overhead and be so cumbersome that your employees will spend most of their time doing anything but actual work. That way they'll either avoid it and use something else (ie. something less secure and more usable), if given the choice. Or they'll be largely unproductive, which in turn means you'll have to spend a lot of money to even keep things running. Which of course means you'll not be able to compete (that's one of the reasons a lot of secure systems are designed for government use only because the government doesn't really have to compete or be efficient).
Multics implemented usable security exceptionally well. You could get the job done in a timely but relatively secure manner. For some more information about user centered security check out this paper or "Multics Security Evaluation: Vulnerability Analysis" by Karger & Schell (1974). The latter is available online too.
It's really a shame there's no "Open Multics". I wouldn't really run it in a secure production environment but I'd sure like to have my own Multics machine.
Not only is it "the matter of time to get the fix", it is if the fix will be held for no other reason than to include it into some package that has something to disable pirated copies of their software. It is unbelievable that a couple of severe threats that could have been patched before were held over 11 weeks for a service pack release during the SP1 era.
...but the amount and severity of MS bugs/exploits is deplorable considering that Windows is the flagship product of one of the largest corporations in the world.
I'm not a fan nor a hater of Microsoft products (just hate their business practices), but for anyone to be surprised that an OS designed to be run for a single user in a non-networked environment loaded with legacy code to fully (and successfully) port to a multi-user, networked environment shows a lack of understanding about the increasing inertia software products have as they age. (That's not a swipe at the parent, but a comment about the public at large).
The point is, Microsoft is actually trapped by how large they are (!). To "fix" all these issues would require a complete re-write of Windows. But then if they re-write Windows, what they'd be selling the public is not the product that helped make them a mega-corp, but a new and untested one that is only trying to leverage the brand name. Ironically, there's a significant chance that if Microsoft wandered too far from their "flagship" product too quickly, they'd both alienate and lose their customers.
Hate to say it, but they need to take the slow, steady approach to these updates/repairs.
The real question is, will they still be able to change fast enough to stay viable.
Diplomacy is the art of saying, "Nice doggie!" until you can find a rock.
It is really very very simple. My Win XP machine has been totally 100% protected from virii, et al. I will let my secret out, which I have withheld from the whole world for years, and unlike the software companies selling protection software and services, I am going to give the solution away for free! Here goes... I NEVER LET MY WINTEL BOX ON THE INTERNET! I didn't have to listen up much to understand early on that my Mac did all the internet work I needed without the constant worry and hassle of the MS OS problems. Life is so simple this way.
Using these vulnerabilities to shill its products.
This isn't to say that the vulnerabilities aren't real, they might be.
But this is a marketing ploy for Finjan
Back in the NT4 days I happened on a major IIS exploit. I did what I could for our code, then reported it to Microsoft. A few email exchanges - reported the bug, gave a few code examples to show the remote privilege escalation (guest to admin), then silence. Noticed the issue was fixed two service packs later.
Not so much as an email saying thank you after providing drivers to demonstrate the issue, much less any type of 'reward'. For those who wear a white hat (even accidentally) I have no problems with these guys showing how clever they are and using it for marketing purposes. That is about all the payback you get when you find something that does not behave like it should.
+++ UGUCAUCGUAUUUCU
Thank you! That struck a chord with me. It blows my mind how the OpenOffice.org suite (in particular OOo Writer) has painstakingly reproduced the frustration in using MS Word. Spelling "corrections" are automatically made, table contents are automatically assigned different fonts and line spacing, and that bloody lightbulb keeps popping up like some Web ad.
And that splash screen when it starts up, stubbornly staying on top and covering the other windows --is Sun *trying* to advertise how bloody long it takes to start up the program?
But you know what the clincher is? I bought the "OpenOffice.org 1.0 Resource Kit", a manual written by Solveig Haugland, and there was this fairly common feature (I forget which one --maybe inserting a static date as text?) that she COULDN'T FIGURE OUT how to do. She basically says, "So far we haven't figured out how to do this yet." This is from someone who's writing a manual for the software.
Good God, Sun, why don't you just get bought out by Microsoft already. Maybe it's time to take another look at AbiWord, see how they're doing on their tables support, and break out the GNOME libraries...
404555974007725459910684486621289147856453481154 in hex is "You sank my Battleship?"
[GPG key in journal]
That's what I did after feeling for the n'th time the problems you mention. AbiWord isn't perfect, but it loads in a fraction of a second and handles well about 99% of my MS-Word documents.
What's the problem with Star/OpenOffice taking so long to load, anyhow? Is it Java, or is it just badly written software?
I must say that there is a reason Microsoft's operating system keeps breaking down...
Remember, IBM wanted to make OS/2 bulletproof because the OS market wasn't the main source of profit for Big Blue. For Microsoft, it makes sense to keep putting out the half-rotten fish on the plate. If a restaurant were right next to a hospital where the owners of both the restaurant and the hospital were good pals.
An operating system seldom has a real reason for going from version 1.x to 2.x, and usually companies don't charge for going from version x.1 to x.2 (i.e. um... a patch or service pack - that's something companies put out for their own good because they've messed up somehow), because innovations which require an entire facelift of the operating system do not happen that often. I would say going from DOS to Windows 95 was a big milestone, and from Windows 95 to Windows 2000. Everything else should have been free... except Bill needed more money to burn in his research lab (whatever happened to Cairo?).
Also, there was an unexpected positive side effect from putting out half-rotten fish. Often people got problems with the Windows blue screen of death or some clever (more or less obvious) hack through the huge hole hackers often drove a train through, which put Microsoft in the public view (headlines in lots of media)... it got unexpected media coverage. Under normal business circumstances, this kind of folly would have surely left the company dead in the water for good, but like someone else in the Slashdot community pointed out, people just don't care about the security flaws or the ever slowing down / memory-hungry deranged monster operating system of today's era. The other side effect would be that the OS had so many problems that tech support firms and Microsoft support actually profit from taking tech support calls from its customers and companies, who are often found working together to create stuff which works with Windows.
Bottom line is that Microsoft is doing it on purpose so people can keep waiting for that perfect OS which will not break down under normal circumstances like just browsing the web and checking e-mail. That's all my dad does, and why did his computer break down with an error message the other day? I don't see my father's VCR or radio stop working with a blue screen of death!!!
Um... not to mention that they must willfully bloat their OS with so much stuff that eventually their friend Intel will be able to happily sell the new upcoming Pentium 5 running at 6GHz. First time I bought my ps, the standard memory size was 4MB. Today's standard memory size is something like 256MB and it's on its way to becoming 512MB... I wonder if 4GB of memory will ever become standard on a consumer PC....
Oktokie
PS: can someone tell me why my Windows swaps when I have 1GB of memory onboard, and my Windows 2000 thinks my 750MB of physical memory not being used isn't good for any use.... so it goes and merrily creates 200-300MB of virtual memory. This is just too funny.