Slashdot Mirror
Security Vulnerabilities Discovered in WinXP SP2
SoTuA writes "Few months after SP2 hit windowsupdate.com, Finjan Software reports that security flaws have been found in WinXP SP2, including malicous code execution without user intervention. Finjian has turned over the findings, along with proof-of-concept, to Microsoft."
Just upgrade to Windows XP SP2.
Oh... wait...
It was only a matter of time until a major vuneribility was found in SP2. I'm sure there will be others, but at least they are being found before they are taken advantage of.
waves his hand mysteriously and says "These are not the exploits you are looking for."
"Browsing a web page" can cause you to lose the machine to a malicious hacker.
What - they just discovered Gator?
_ _ _ Go for the eyes Boo! GO FOR THE EYES!
Security vulnerabilities in a 250MB update? Never would have guessed!
A fine is a tax you pay for doing wrong and a tax is a fine you pay for doing all right.
"Security vulnerability discovered in Windows" has become as common as "Britney Spears gets married".
At what point does a story become so routine that it no longer counts as news?
Technology, the cause of and solution to all of life's problems.
"I see you are looking for an exploit..."
from the article:
"By exploiting all vulnerabilities discovered in SP2 by Finjan, attackers can silently and remotely take over an SP2 machine when the user simply browses a Web page,"
gee... why am i not surprised that Internet Explorer once again introduces huge security problems?
in the meantime, a patch can be downloaded here
allthough i must admit... SP2 has had a good run... most of the recent security problems in XP/IE were non-issues in SP2. Too bad it couldn't last longer.
What they said: By exploiting all vulnerabilities discovered in SP2 by Finjan, attackers can silently and remotely take over an SP2 machine when the user simply browses a Web page"
What they meant: By exploiting all vulnerabilities discovered in SP2 by Finjan, attackers can silently and remotely take over an SP2 machine when the user simply browses a Web page with Internet Explorer
Using these vulnerabilities to shill it's products.
This isn't to say that the vulnerabilities aren't real, they might be.
But this is a marketing ploy for Finjan
It's that time of the month already?
I tend to find that extremely competent programmers, with a lot of experience, tend to make nearly bug-free software...
:), the vast majority of programmers out there simply suck, bad. Judging by most faults I've seen, and despite what so many people say: MS programmers suck.
Unfortunatly (or fortunatly for some of us
...to express my suprise and dismay at this unprecedented event.
:-)
*re-reads story*
Oh, *this* counts as news?
I say companies can make a good name for themselves dealing with M$ and patches, and then use his name to consult security to companies.
but M$ will start thier own company, find thier own holes, and consult security out...
erm... shiiiiiit you know they will do this, or already have!!!
#hostfile 0.0.0.0 primidi.com 0.0.0.0 www.primidi.com 0.0.0.0 radio.weblogs.com
Yeah, and of course we all criticize MS for releasing buggy software. The counter-argument always that of course MS can't fix every single bug. Supporting that, people point to vulnerabilities in apache, mysql, etc.
The problem with the latter is that most Linux-based software is open-source, nonfunded. Whereas Microsoft is the largest business this side of Alpha Centauri.
I'd like to say pshaw, no big deal, but the amount and severity of MS bugs/exploits is deplorable considering that Windows is the flagship product of one the largest corporations in the world. Stop entering new markets and release a stable, secure product in the next millenium please.
Flame on.
P.S. I'm going to establish a charity for those who believe using a dollar sign in Microsofts name does anything other than diminish one's argument.
-- I have fans? Wow.
Finjan is not a disinterested party, since it is selling security solutions to the home and enterprise markets, and it profits by being the first --- and so far --- only source to make the claim.
I hate to rant, but this type of poor security checking is pathetic. Surely they should have known that all they would have needed to do was check the evil bit on the remote transfers to see if the data was safe or not. Someone in the OS community would have done this.
You do have to hand it to Microsoft though, the code is very easy to implement and quite elegant if you ask me.
The more complex the plumbing, the easier it is to stop up the works!
My rights don't need management.
I believe that with Linux's usability improving each and every year, and Mac OS X's increasing appeal to computer users, sooner or later, Microsoft will be in deep trouble. No OS is completely secure, but Linux and Mac OS X doesn't suffer from the one main problem that faces Windows security: the integration of web browsers (Internet Exploder), media players (Windows Media Player), and e-mail clients (Outlook Express). Windows has a lot of other security issues too, due to huge amounts of legacy code, a horrible system of user management (why must a user be logged in as Administrator to play a game?), insecure services running, and more.
Windows needs a rewrite. The kernel is fine, but there should be a new set of APIs (get rid of legacy stuff), a better command line (with the option of booting into it), disintegration of IE, WMA, and OE (make them separate programs that can be uninstalled), better user management (similar to Unix's user management), and finally, a secure "blue box" that runs "classic" Win32 and Win16 programs (similar to Mac OS X's classic mode). If Microsoft does this, they'll finally have a secure and stable OS, and who knows, I might even recommend Windows to users. But until then, I'm sticking with FreeBSD.
Whereas Microsoft is the largest business this side of Alpha Centauri.
2 -fortune-500-list_x.htm
Hardly. Walgreens is "bigger" than MSFT, based on year 2003 revenue.
http://www.usatoday.com/money/companies/2004-03-2
Wal-Mart's revenue is 8x larger than MSFT's.
IBM's is 2.75x larger, HP's is 2.24x larger. AT&T's revenue is US$2.4B larger than MSFT's.
"I don't know, therefore Aliens" Wafflebox1
Finjan are a dodgy company, and always overhype securtiy "vulnerabilities" such as "a user is able to downloan an .exe and run it, thanks to Windows".. etc.
Its funny, not long ago their site was vulnerable to an old cold fusion exploit. I didnt do anything about it, 'cause frankly they are a two bit company and there seemed no point.
Believe me, when the details of this "exploit" are revealed, it will be pretty pathetic.
I.O.U One Sig.
I have to hand it to Microsoft. I remember all those virus hoaxes I used to get in my email. "Don't even open this email or you'll get a virus!" Don't look at this image, or your machine will get hacked!" "Don't visit this web page, or your drive will get formatted!" And I used to think, "Gee, why *can't* I hose my machine by doing those things? That sounds like it would be so cool to see!"
Well, thanks to Microsoft and their brilliant innovation, tireless effort, and boundless resources, they finally made all those mid-to-late-90s virus hoaxes a reality. I raise my glass to them.
I did some searching and discovered this:r +scarin g+up+business/2100-1002_3-5449269.html
http://news.com.com/Finjan+Warning+users+o
And this quote by the Finjan CEO pretty much sums up what I thought this was:
"By using Finjan's proactive security solutions...users can enjoy a secure environment that protects them from such vulnerabilities."
Its just a ploy to scare up buisness for this security company. But lets not jump to conclusions, those 10 errors may exist, but the truth is that this security company may not have followed the industry guidelines.
That is the key question, did Finjan give MS these errors 30 days ago like traditionally is done? If they did, then they have every right to publicize the problem, but if not, they are engaging in questionable buisness practices.
I find it disgusting that Microsoft has plans to sell anti-virus software to plug up the holes they stupidly left in their OS. Shouldn't developers be forced to make secure products?
If it's discovered my model of car has a set of brakes that have a chance of not working after a certain gear shift combination, the car company issues a recall - they don't tell everyone "oh it's not a big deal, if you want go to a mechanic and buy a new set of brakes."
We get patches for free (well kinda...after paying for the software) but they only seem to fix one problem *at best) for a hole found in the wild by people outside MS anyway. That doesn't even begin to cover spyware and viruses.
As far as you know.. We really wont know if somone has taken advantage of something 'secret', unless they either get caught, or boast about it..
THOSE are the scary ones..
---- Booth was a patriot ----
Its an interseting dillema, because they very likely would _not_ be a $40bil if they didt release awfull software .
If they were to follow a very strict engineering process similar to what defense, nasa, and energy depts follow, their software would cost more then it already does, be years behind on "features", and make it very difficult to have the knee-jerk reactions to market desires it currently does.
I would argue that their success, aside from their edgy, sometimes illegal business practices, came from focussing more on UI and integration (or lock in depending on perspective) then on things people didnt understand at the time (security, stability, standards, interoperability, etc.).
Software has thus far been treated and behaved very differently from traditional engineering and manufacturing as there is no entity like UL (Underwriters Lab), FDA, FCC, DOT, etc. enforcing standrds of safety and allowing users to sue them for selling sub-par products. MS could move quick with a shoddy product and say they clicked "agree" on the EULA, security or stability be damned.
...but the amount and severity of MS bugs/exploits is deplorable considering that Windows is the flagship product of one the largest corporations in the world.
I'm not a fan nor a hater of Microsoft products (just hate their business practices), but for anyone to be surprised that an OS designed to be run for a single user in a non-networked environment loaded with legacy code to fully (and successfully) port to a multi-user, networked environment shows a lack of understanding about the increasing inertia software products have as they age. (That's not a swipe at the parent, but a comment about the public at large).
The point is, Microsoft is actually trapped by how large they are (!). To "fix" all these issues would require a complete re-write of Windows. But then if they re-write Windows, what they'd be selling the public is not the product that helped make them a mega-corp, but a new and untested one that is only trying to leverage the brand name. Ironically, there's a significant chance that if Microsoft wandered too far from their "flagship" product too quickly, they'd both alienate and lose their customers.
Hate to say it, but they need to take the slow, steady approach to these updates/repairs.
The real question is, will they still be able to change fast enough to stay viable.
Diplomacy is the art of saying, "Nice doggie!" until you can find a rock.
It is really very very simple. My Win XP machine has been totally 100% protected from virii, et al. I will let my secret out, which I have withheld from the whole world for years, and unlike the software companies selling protection software and services, I am going to give the solution away for free! Here goes... I NEVER LET MY WINTEL BOX ON THE INTERNET! I didn't have to listenup much to understand early on that my Mac did all the internet work I needed without the constant worry and hassle of the MS OS problems. Life is so simple this way.
I was just wondering if you saw the implicit contradiction in your statements.
and
I'm going to establish a charity for those who believe using a dollar sign in Microsofts name does anything other than diminish one's argument.
Your whole post drives at the point that Microsoft is in the business of making money and not making good software, yet you come along and decry those who would say the same thing in a much more concise form, "M$".
< Mode flaming = "off" >
-- The morphemes of your disquisition are ascertainable, but they have eschewed an ambit of transpicuous exposition.
Thank you! That struck a chord with me. It blows my mind how the OpenOffice.org suite (in particular OOo Writer) has painstakingly reproduced the frustration in using MS Word. Spelling "corrections" are automatically made, tables contents are automatically assigned different fonts and line spacing, and that bloody lightbulb keeps popping up like some Web ad.
And that splash screen when it starts up, subbornly staying on top and covering the other windows --is Sun *trying* to advertise how bloody long it takes to start up the program?
But you know what the clincher is? I bought the "OpenOffice.org 1.0 Resource Kit", a manual written by Solveig Haugland, and there was this fairly common feature (I forget which one --maybe inserting a static date as text?) that she COULDN'T FIGURE OUT how to do. She basically says, "So far we haven't figured out how to do this yet." This is from someone who's writing a manual for the software.
Good God, Sun, why don't you just get bought out by Microsoft already. Maybe it's time to take another look at AbiWord, see how they're doing on their tables support, and break out the GNOME libraries...
404555974007725459910684486621289147856453481154 in hex is "You sank my Battleship?"
[GPG key in journal]
That's what I did after feeling for the n'th time the problems you mention. AbiWord isn't perfect, but it loads in a fraction of a second and handles well about 99% of my MS-Word documents.
What's the problem with Star/OpenOffice taking so long to load, anyhow? Is it Java, or is it just badly written software?
That's our life, the big wheel of shit. - The Fat Man, Blue Tango Salvage
"By exploiting all vulnerabilities discovered in SP2 by Finjan, attackers can silently and remotely take over an SP2 machine when the user simply browses a Web page..."
So if you're silly enough to surf with will administrator access, you can let someone else take over your machine. No mention if the exploits work as limited users... probably because they don't.
No mention of flaws in background services, but even if there were, what effect would they have with the firewall turned on?
Sounds like a simple enough fix to me: Create a limited user account for yourself and do your work there.
Use Evolution instead of Outlook? Bewa
Per its usual policy, Finjan has no plans to go public with details of the flaws until Microsoft has patches available for them
and
Our early analysis indicates that Finjan's claims are potentially misleading and possibly erroneous regarding the breadth and severity of the alleged vulnerabilities in Windows XP SP2
Why should people who are trying to help just get insulated? It's time to release the exploits to all of us after all, so that we can decide for ourselves who is making erroneous statements.
Microsoft, OTOH, is more like an economic black hole. Huge chunks of the revenue they collect just accumulates in their bank account. They don't seem to be able to figure out what to do with it, even though it's obvious that over the years they should have been investing more of it in improving the quality of their software.
Dear slashdot.
Why must you post these stories on the weekend? You have just ruined the saturday of the whole MS marketing department. Now everyone of them has to cancel their plans, log on slashdot and start making posts about how "no OS is secure" and "it is all the users' fault" and "these guys are just trying to scare up some business". And the ever favourite "if Linux was that popular it would have just as many security flaws".
Well that is their job and they do it well, but why must you force them to do it on the weekend? Why can't they be with their families. Even marketoids have lives (I hear).
Windows pocket pc 2003 was re-reitten from scratch, and it's shit.
a te)
As an example, by default is saves documents in volitile ram so you loose them when the battery goes flat.
It keeps applications running but can only display one at once and has no way to efficiently switch between them (menu/settings/memorytab/runningapplication/activ
It installs appliations in vram.
Basicly, it's crap.
If it were running linux I could make sure everything (except tmp) was stored on nvram and I could evens swapon to give me more ram if Iwanted to.
thank God the internet isn't a human right.
"Tools">""Options">"OpenOffice.org">"General">"H elp Agent">"Activate" (uncheck the little box)
Simple, really.
Slashdot is my Mercer Box.
I must say that there is reason for Microsoft's operating system keeps breaking down...
Remember, IBM wanted make OS/2 bullet proof because OS market wasn't their main source of profit for the big blue. For a microsoft, it makes sense to have keep putting out the half rotten fish on the plate. If restaurant were right next hospital where owners of both restaurant and hospitals were good pals.
Operating system seldom has real reason for going from verion 1.x to 2.x, and usually companies don't charge for going from version x.1 to x.2(ie. um...patch or service pack - that's something companies put out for it's own good because they've messed up somehow), because innovations which requires entire facelift of the operating system does not happen that often. I would say from dos to windows95 were big milestone and from windows95 to windows 2000. Everything else should have been free...except bill needed more money to burn in his research lab(Whatever happened to Cairo?).
Also, there were unexpected positive side effect from putting out half rotten fish. Often people got problem with windowsblue screen of death or some clever - more or less obvious hack to the huge hole hackers often drove train through), which made microsoft in the public view(headline of lots of media)...got unexpected media coverage. Under the normal business circumstances, this kind of follies would have surly sent company dead in the water for good, but like someone else in the slashdot community porinted, that people just don't care about the security flow or the ever slowing down / memory hungry deranged monster operating system of today's era. Other side effect would be that OS had so much problem that tech support firms and microsoft support actually profit from taking tech support calls from its customer and companies who's often found working together to create stuffs which works with windows.
Bottome line is that microsoft is doing it in purpose so people can keep waiting for that perfect OS which will not break down under normal circumstances like just browsing the web and checking e-mail. That's all my dad does and why did his computer break down with error message the other day? i don't see my father's VCR or Radio stop working with blue screen of death!!!
Um..not to menstion that they must willfully bloat it's os with so much stuffs that eventually their friend intel will be able to happly sell new upcoming pentium 5 running at 6Ghz. First time I bought my ps, standard memory size was at 4MB. Today's standard memory size is something like 256MB and it's on it's way to becoming 512MB... I wonder if 4GB memroy will ever become standard on consumer pc....
Oktokie
PS: can someone tell me why my windows swap when I have 1GB of memory onboard and my windows 2000 things my 750MB or physical memory not being used isn't good for any use....so it goes and merrily creates 200-300MB of virtual memory. This is just too funny.
One big problem with running under a limited user account is that a lot of common Windows programs will not run under a limited users account. One such program is QuickBooks. This is even true with W2K.
Linux is not Windows
...then carefully remove as much Microsoft software from your machine as possible.
Start with MSIE and MS Outlook, then MS-Office (replace them with FireFox, ThunderBird and OpenOffice, respectively). Really dig in and make sure every trace of them has been removed, don't stop at believing what the MS uninstaller tells you about MS Outlook.
Don't offer any shares, even to the LAN (get people to dump stuff elsewhere on the LAN and you pick it up from there), connect to the minimum number of shares (zero if possible) and for the shortest reasonable time.
Run a good firewall.
Pray a lot.
One more option: if you have a modern Linux box around, throw LogicWave at WINE on that and see how far it gets. If it doesn't work outright, maybe you can hack up an interface to the actual analyser in WINE. That'd be a lot of effort for one workstation, but if you have 20 or so it might be worthwhile.
Got time? Spend some of it coding or testing
not running as root is just part of it. Even if you're not running as root, a virus can still trash your system or be used to proxy spam or attacks over the Internet.
The big difference with Windows is in the first stage, the infection. There are entire classes of security holes on Windows that don't exist on any other widely used operating system. Yes, any system can have a buffer overflow, but only Windows can suffer from a "cross zone attack", because only Windows tries to reconstruct the rights an object should have based only on its URL.
So, like what happens to the writers of the code when a vulnerability is found? Is it someting along the lines of 'oops, better luck next time' or do heads roll?
...
to install all those things. Just install Windows, surf around like you normally would, and by the end of the week you'll have IRC, web, proxy and all sorts of servers running, with little or no user intervention. With other solutions, it can take weeks to set all that up!
Hi! I make Firefox Plug-ins. Check 'em out @ https://addons.mozilla.org/en-US/firefox/addon/youtube-mp3-podcaster/