Slashdot Mirror


Four New Unpatched Windows Vulnerabilities

peeon writes "Right before Christmas, four new Windows NT/2k/XP vulnerabilities were posted to the Bugtraq list. This story discusses two of the vulnerabilities in the LoadImage function (buffer overflow) and Windows Help program (heap overflow), but the Chinese company discovered two more exploits in the parsing of a specially crafted ANI file (causes DoS). A Bugtraq posting has more details."

273 comments

  1. YAWN by tarunthegreat2 · · Score: 5, Funny

    Hmmm, so windows has bugs in it. Surprise surprise. Merry Christmas everyone. In Soviet Russia, Windows Exploits you...oh wait...

    1. Re:YAWN by cablepokerface · · Score: 1, Funny

      Hmmm, so windows has bugs in it. Surprise surprise. Merry Christmas everyone. In Soviet Russia, Windows Exploits you...oh wait...

      If this gets +5 funny, it must indeed be christmas.

  2. Forced Upgrade. by datadriven · · Score: 5, Interesting

    Vulnerable:
    Windows NT
    Windows 2000 SP0
    Windows 2000 SP1
    Windows 2000 SP2
    Windows 2000 SP3
    Windows 2000 SP4
    Windows XP SP0
    Windows XP SP1
    Windows 2003
    Not vulnerable:
    Windows XP SP2

    They'll do anything to get you to upgrade.

    1. Re:Forced Upgrade. by Ramsey-07 · · Score: 1, Funny

      Sorry, too much penguin-eggnog.

    2. Re:Forced Upgrade. by Ramsey-07 · · Score: 0

      Shit I did it again.

    3. Re:Forced Upgrade. by Dekks · · Score: 3, Funny

      Funny you should mention that: my father still uses Windows 98 and Netscape 3, and never runs into any problems. So much for progress, eh?

    4. Re:Forced Upgrade. by Anonymous Coward · · Score: 0

      upgrade to what MS - Vaporware???

      and when Longhorn is released it will be the same thing all over again with weekly vulnerabilities & exploits and viruses/trojans & worms...

      viruses/trojans & worms, oh my
      viruses/trojans & worms. oh my
      viruses/trojans & worms, oh my

      Toto, I have a feeling we're not in Kansas anymore...

    5. Re:Forced Upgrade. by aurispector · · Score: 1, Troll

      MS OS's peaked out at DOS 6.22

      --
      I have mod points. The reign of terror begins now.
    6. Re:Forced Upgrade. by mtenhagen · · Score: 2, Interesting

      Just wait until Longhorn comes out. Then XP SP2 will have some exploits as well. This is just a Microsoft conspiracy to make us upgrade. Don't believe the people who claim Microsoft developers spend more time on new features than on creating good code.

      --
      200GB/2TB $7.95 Coupon: SAVE90DOLLAR
    7. Re:Forced Upgrade. by MarkByers · · Score: 1

      And.....

      Advisory: [AD_LAB-04006] Microsoft Windows winhlp32.exe Heap Overflow Vulnerability
      Class: Design Error
      DATE: 12/20/2004
      Remote: Yes
      Vulnerable: Windows NT, Windows 2000 SP0, Windows 2000 SP1, Windows 2000 SP2, Windows 2000 SP3, Windows 2000 SP4, Windows XP SP0, Windows XP SP1, Windows 2003, Windows XP SP2
      Unvulnerable: UnKnow

      --
      I'll probably be modded down for this...
    8. Re:Forced Upgrade. by DrEvil · · Score: 4, Insightful

      It has to be a conspiracy. Anyone who claims that this might be a consequence of the year-long security push for SP2 and that a high-level fix made during this push might prevent certain classes of bugs from being exploitable is clearly evil and has been exposed to too much software engineering. I'd suspect such a person of spreading facts instead of FUD.

    9. Re:Forced Upgrade. by Anonymous Coward · · Score: 0

      Just like an average slashdot idiot, you accuse every single developer in the world of maliciously implementing bugs to force people to upgrade. On the other hand, you forgot to mention that the slashdot title is a huge lie, just like yourself.

      Does anybody listen to you anyway, other than other idiots?

    10. Re:Forced Upgrade. by bryanp · · Score: 4, Insightful

      a) Nobody's forcing you to upgrade. I still haven't had Steve Ballmer show up on my doorstep with an Uzi yet.

      b) The list you give is mostly patches. There are four base OS' on that list and 6 patches, all of which are free.

      c) If it bothers you, feel free to run an unpatched OS of your choice, whether it be Windows, MacOS or one of the many *nix variants.

      --
      "An unarmed man can only flee from evil, and evil is not overcome by fleeing from it." Col. Jeff Cooper
    11. Re:Forced Upgrade. by Anonymous Coward · · Score: 0

      Something tells me they do not want users going from Windows Server 2003 to Windows XP.

      Call me crazy...

    12. Re:Forced Upgrade. by BESTouff · · Score: 1
      Not vulnerable:
      Windows XP SP2

      You must be wrong: the Slashdot title clearly states that the vulns are unpatched, so SP2 has to be exploitable too.

    13. Re:Forced Upgrade. by Bert64 · · Score: 1

      Perhaps other features of sp2 mitigate the vulnerability somewhat, or make it harder to exploit or whatever..

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
    14. Re:Forced Upgrade. by Mystic0 · · Score: 2, Informative

      Okay, so Service Pack 2 has some nice security enhancements. But it also has a lot of other stuff that some people may not want. Why do you think they decided to release such a large update in a large batch? Because it allows them to quietly force extra features on you. These tag-alongs are allowed to slip by unnoticed in the midst of more important security updates. I would appreciate it if MS would take a more modular approach. For example, they could say, "Click here to download a security update for bug #58273", and "Click here to download the Windows Firewall". But no, they just slap it into one big package, and you get the good and the bad.

    15. Re:Forced Upgrade. by Anonymous Coward · · Score: 0

      Unless you have the corporate licensing; then they simply discontinue your software license and you are required to buy a new one (the new software at that). They can do that now.

    16. Re:Forced Upgrade. by Anonymous Coward · · Score: 0

      Read today's diary at isc.sans.org. Windows Help is vulnerable to buffer overflow even in SP2.

    17. Re:Forced Upgrade. by DeathByDuke · · Score: 0

      Can I buy a tin hat off you?

    18. Re:Forced Upgrade. by Anonymous Coward · · Score: 0

      GOOD!
      No troll, but we should rejoice every time something makes Windows svck more.
      If we are IT, we get work, which feeds us.
      If we are pro-Linux, then our enemy is shooting his toes off.

    19. Re:Forced Upgrade. by jerw134 · · Score: 1

      The Windows Firewall has been included with XP since SP1. If you don't want it, just turn it off.

    20. Re:Forced Upgrade. by CaptainZapp · · Score: 2, Funny
      a) Nobody's forcing you to upgrade. I still haven't had Steve Ballmer show up on my doorstep with an Uzi yet

      Uzi is fine. But when he shows you his monkey dance then you know you're in deep trouble.

      Especially when he sits on you afterwards.

      --
      ich bin der musikant

      mit taschenrechner in der hand

      kraftwerk

    21. Re:Forced Upgrade. by Krach42 · · Score: 1

      Very true... let me weigh in with my experience running an unpatched OpenBSD box.

      "Only one remote hole in the default install, in more than 8 years!"

      That didn't go ++ when the OpenSSH hole gave some hacker access to my machine remotely. Or was the number fixed after the default install doesn't open any ports?

      Either way, it's misleading. Not that I don't *like* OpenBSD, it's just upsetting that they're not more open about it being just as vulnerable unpatched as any OS is.

      --

      I am unamerican, and proud of it!
    22. Re:Forced Upgrade. by Anonymous Coward · · Score: 0

      I still haven't had Steve Ballmer show up on my doorstep with an Uzi yet.

      The Uzi is built into Windows already. You can either upgrade (and pay) or you can continue to suffer with abysmal performance (thru spyware) and allow others to use the bandwidth you pay for to spread more insidious SPAM or to steal any and all data that you store on your computer. I should pay money to Microsoft for this?!?

      This is extortion. Make no mistake about it. And if you think that security in Windows is going to get any better just review the continual promises over the last 5 years and their abysmal record at delivering on those promises!

    23. Re:Forced Upgrade. by bhadreshl · · Score: 1

      There are four base OS' on that list and 6 patches, all of which are free.

      Actually there are only two BASE OS's.

      They are WindowsNT and Windows 2000. Windows 2003 and WindowsXP are children of Windows 2000.

    24. Re:Forced Upgrade. by Anonymous Coward · · Score: 0

      You must be new here. The title of a slashdot news story may be:

      1) inflammatory
      2) derogatory towards Microsoft
      3) sycophantic towards Apple
      4) very loosely related to open source or linux

      Titles that are actually factual are not necessary and in many cases will actually cause your story to be rejected.

    25. Re:Forced Upgrade. by Anonymous Coward · · Score: 0

      It's all about forcing extra features sure. SP2 had nothing to do with marketing the security push, releasing something large enough to warrant spending enough advertising dollars so that end users would take up a security patch that would make their and Microsoft's life easier. No no no, it's all about "forcing features" on users. Please.

    26. Re:Forced Upgrade. by Anonymous Coward · · Score: 0

      my brother still uses the linux 1.0 kernel. So much for progress

    27. Re:Forced Upgrade. by Foolhardy · · Score: 2, Informative

      If you put it that way, Windows 2003 (NT5.2) is an upgraded version of XP (NT5.1) which is an upgraded version of 2000 (NT5.0) and 2000 is an upgraded version of NT4->NT3.51->NT3.5->NT3.1 and NT3.1 was written from scratch using ideas and a team from VMS.
      The only other base OS series from Microsoft is the 9x line, based on Win3.1.

      Many of the divisions between those OSes were manufactured by the marketing department; 2000 Server has exactly the same files as 2000 Professional, plus a couple of registry entries and extra server-side applications.

    28. Re:Forced Upgrade. by Neop2Lemus · · Score: 1

      I played with your heart?

      --
      Needle Nardle Noo
    29. Re:Forced Upgrade. by m50d · · Score: 1

      Netscape's the key. Stay off IE and you're fine, even in win 3.0.

      --
      I am trolling
    30. Re:Forced Upgrade. by m50d · · Score: 0, Flamebait

      And if I don't have the hard disk space for it?

      --
      I am trolling
    31. Re:Forced Upgrade. by m50d · · Score: 1

      That's only while he's preparing you. The XP SP2 vulnerabilities will be ones which make your monitor explode, then in Longhorn we'll start seeing ones where an attacker can pull an uzi on you.

      --
      I am trolling
    32. Re:Forced Upgrade. by Evangelion · · Score: 2, Informative


      Umm, yeah it did. Before the OpenSSH hole, it was at zero.

      (Speaking as someone who was rooted while trying to install the patches to that version...)

    33. Re:Forced Upgrade. by Anonymous Coward · · Score: 0

      Get a bigger hd.

    34. Re:Forced Upgrade. by Anonymous Coward · · Score: 0

      Hmmm..Wizard of Oz

    35. Re:Forced Upgrade. by m50d · · Score: 1

      oh yeah, that's not a forced upgrade, goodness no.

      --
      I am trolling
    36. Re:Forced Upgrade. by Anonymous Coward · · Score: 1, Insightful

      For example, they could say, "Click here to download a security update for bug #58273".

      You obviously are parroting the geek mantra and have never used the Windows Update tool.

      Since I started using the windows update, I have always been able to use the custom install option to see what's gonna be downloaded. And to deselect things I don't want. Then maybe that's the problem. If you knew something about computers, you wouldn't be so afraid to venture out of the typical install realm.

      humbug?

    37. Re:Forced Upgrade. by toddestan · · Score: 1

      Netscape's the key. Stay off IE and you're fine, even in win 3.0.

      I seriously doubt any of the exploits that are currently out there affect Windows 3.0, even if you use IE4 (last 16 bit version, IIRC).

    38. Re:Forced Upgrade. by Anonymous+Luddite · · Score: 1


      You could delete all your pr0n.

      just an idea....

    39. Re:Forced Upgrade. by jerw134 · · Score: 1

      If you're running that low on hard disk space, then you have bigger problems than the firewall. I'd estimate that the firewall adds maybe 1-2MB worth of stuff to XP. Seriously, find something more important to bitch about.

    40. Re:Forced Upgrade. by Anonymous Coward · · Score: 0

      Why upgrade......just downgrade. Windows 98 SE anyone?

    41. Re:Forced Upgrade. by Krach42 · · Score: 1

      That's the thing though, it was "one in the last ___ years" before the problem too.

      Oh well, doesn't matter much anymore.

      The funniest thing was that I had patched 4 or 5 other systems against the bug, but I forgot to patch the one system that was running OpenSSH in the environment it was originally designed in.

      *sigh* On the other note, I learned about the "system immutable" flag. That was something good to know. It was a little weird not having overridable write permission to my /etc/pf.conf file as root. "WTF? What do you mean permission denied!? I'm _ROOT!_"

      --

      I am unamerican, and proud of it!
    42. Re:Forced Upgrade. by Evangelion · · Score: 1

      Ahem.... archive.org begs to differ.

      May 23, 2002

      Aug 02, 2002

    43. Re:Forced Upgrade. by Krach42 · · Score: 1

      I was hoping someone would provide this information. Thanks for the clarification. I think a lot of it also had to do with the fact that I was just getting into OpenBSD right when the problem was discovered and solved.

      Hard to remember what a site said when 99% of your history with the site said one thing.

      Looking at my history, I started a new job on June 2002, which is right about when this specific event happened, and thus, would fit perfectly into the space represented by the two archive.org histories.

      I'm more surprised that I didn't add any tag-subjunctive or indefinite to the statement. Usually, if I have any doubts at all about the fact of my statement (which I will assure you, I was wishing I could pull up an archive on the sites before making the comment) I'll do something like that.

      In fact, it's the most frustrating thing to me when people *don't* use the subjunctive when they should, for instance, Kerry saying "When I'm President..." pretty bold claim about the future that no one is sure of. (Just for the record, I'd be just as bothered by Bush saying "When I'm reelected.") Anyways, I'm getting off-topic.

      To get back on topic, thanks, I wanted to see an archive history of the site, and I'm damned to hell surprised that I expressed so much certainty in my wording that said that the site said it before. Like I said, pattern-matching has nasty habits when you only have biased data.

      --

      I am unamerican, and proud of it!
  3. Yeah.. ok.. by El+Icaro · · Score: 1, Funny

    But does it have a Faraday cage so the data doesn't escape? And.. Can it be compiled for SkyOS?

    1. Re:Yeah.. ok.. by isometrick · · Score: 1, Insightful

      See, for one of these types of posts to be funny, you can't just pick two previous articles at random and arbitrarily combine them with elements from the current story. The joke actually has to be funny, ironic, or creative in some way for it to be worth anything. I know getting modded Funny is a great ego (although not karma) booster and all, but come on. Show some class.

    2. Re:Yeah.. ok.. by El+Icaro · · Score: 0

      Actually, this requires some inspiration; people should actually be modded up for all the effort an alcohol-induced geek puts into trying to say something funny.

    3. Re:Yeah.. ok.. by WizardRahl · · Score: 1

      larry sanger yellow dog linux winpatched windows OMG WTF BBQ LOL!

  4. when o when... by toQDuj · · Score: 0

    ...Will santa fix it?

    Why do these bugs (all 4) show up on Christmas Eve in China?

    B.

    (On Christmas eve, Soviet China bugs you!)

    --
    Every experiment which ends in a big bang is a good experiment.
  5. Timing of the post by Anonymous Coward · · Score: 1, Interesting

    Could it be these bugs have been published before christmas on purpose? To allow sysadmins to defend against them over the holidays, when corporate computer use is at a minimum?

    1. Re:Timing of the post by Moth7 · · Score: 1

      Or for crackers to exploit them given the flood of unpatched machines that will no doubt come online over the Christmas period?

    2. Re:Timing of the post by tarunthegreat2 · · Score: 4, Funny

      when corporate computer use is at a minimum?

      Not in my office... our mailserver just went down due to a large number of 'seasonal' flash attachments coming and going out and PHB OutOfOffice AutoReplies. I can just see the SysAdmin's tears shorting out the domain controller as we speak....

    3. Re:Timing of the post by Jessta · · Score: 2, Insightful

      Sysadmins should have already fixed this problem. SP2 was available months ago. If you aren't patching your systems when the patches are out then you deserve everything you get.

      --
      ...and that is all I have to say about that.
      http://jessta.id.au
    4. Re:Timing of the post by MarkByers · · Score: 2, Informative

      XP SP2 is also vulnerable to at least one of the exploits. See..

      Advisory: [AD_LAB-04006]Microsoft Windows winhlp32.exe Heap Overflow Vulnerability

      --
      I'll probably be modded down for this...
    5. Re:Timing of the post by eofpi · · Score: 2, Insightful

      And if you blindly install new patches on everything without testing them first, you deserve everything you get.

      --
      Y'know, you blow up one sun and suddenly everyone expects you to walk on water.
    6. Re:Timing of the post by kuiken · · Score: 1

      Yeah, XP SP2 will do a lot of good on this w2k network.

      --

      42
    7. Re:Timing of the post by 1010011010 · · Score: 1


      How about, "If you use Windows, you deserve what you get." Except that doesn't really sound fair. It sounds like punishing innocent people; people who didn't know any better.

      --
      Napster-to-go says "Fill and refill your compatible MP3 player", which is a lie. It's not MP3. It's WMA with DRM.
    8. Re:Timing of the post by DanteLysin · · Score: 1

      More reasons to be using SUS or SMS. No one wants to patch user desktops this close to the holiday. For your servers, aren't you already used to monthly patching windows?

    9. Re:Timing of the post by global_diffusion · · Score: 1

      I figured it was a slap at Microsoft. "Merry Christmas, and Happy New Years Developers!"

      Now that's not really in the Christmas Spirit! Even if it is Microsoft, that's really mean.

    10. Re:Timing of the post by Chandon+Seldon · · Score: 2, Insightful

      Windows has been a known security hole for almost 10 years now. Until very recently, you could expect to spend $1000+ on a new computer - that's worth the investment of the amount of time it would take to find out that running Windows is dangerous.

      --
      -- The act of censorship is always worse than whatever is being censored. Always.
    11. Re:Timing of the post by Anonymous Coward · · Score: 0

      Or terrible more like it. What do they expect? Patch writers to drudge in to work on Christmas day? Or if the patch is available, for sysadmins to go in and start patching and firefighting any apps it breaks?

      This could have waited until after New Years, but I doubt the Chinese security firm really gives a damn.

    12. Re:Timing of the post by Anonymous Coward · · Score: 1, Informative

      Apparently. The demo exploit they've posted doesn't work on non-Chinese language installations of XP SP2.

    13. Re:Timing of the post by Anonymous Coward · · Score: 0

      SP2 ?

      It was available YEARS ago, why do people assume that everyone is using XP ?

      Besides, us 2k users are on SP4, our os MUST be better.

  6. And... by Anonymous Coward · · Score: 0

    Is it digitally signed?

  7. another wonderful holiday season by jokach · · Score: 1

    a time when many companies and home users are least prepared to deal with the problems.

    Looks like I know what I'll be doing over the Xmas holiday. If not fixing the problem at work if it becomes a problem, but fixing the problem with my family as well.

    But I guess this is only a problem if some genius releases a virus containing the exploit ....

    1. Re:another wonderful holiday season by northcat · · Score: 2, Interesting

      RTFA. Exploits have already been released. Exploits are enough.

    2. Re:another wonderful holiday season by Anonymous Coward · · Score: 0

      > Looks like I know what i'll be doing over the Xmas holiday. If
      > not fixing the problem at work if it becomes a problem, but
      > fixing the problem with my family as well.

      Which gives them yet another reason to stay with windows; exploits are someone-elses-problem.

      Yours.

      Yeah, I know you gotta help family, and I would too. Still, it's a thought... one that I get every few weeks as I help family with their win problems.

  8. The fifth bug by Cantide · · Score: 1, Funny

    Ah, this is yet another example of hack journalism. They missed another bug that I just had to fix on an XP box today. It's a vulnerability in the win.ini file: it runs a harmful program called 'Explorer.exe'. The best kind of horse to beat is a dead one...

    1. Re:The fifth bug by tarunthegreat2 · · Score: 2, Funny

      explorer? PSHAW! Everybody knows that the Great Satan's name in reverse Mesopotamian is inetinfo.exe. Don't you dare mod me down or I shall curse you with the following: May you be forced to plug a memory leak in a Visual Basic app sharing C++ structs over the Christmas Holidays....

  9. I'm astonished. by Anonymous Coward · · Score: 0

    They create the file format, they invent the algorythms used to *read* the file format, and yet they can't manage to get it working?

    Come on...

    1. Re:I'm astonished. by Anonymous Coward · · Score: 0
      they invent the algorythms
      It's algorithm, we're on /.! And don't forget that there was the same kind of vulnerability in libpng two years ago (which you could compile on Linux).
    2. Re:I'm astonished. by Anonymous Coward · · Score: 0

      > It's algorithm

      Actually, it's Al-Gore-ism.

      After all, Al Gore invented the Information Superhighway, and it is by this transmission medium that the viruses, trojans, and worms will travel.

      Oddly enough, I tried to confirm this wisdom by flipping through Knuth, but the books got too heavy and I had to put them down again before I could find my proof.

  10. M$ Christmas present by Cen'Rec'Namor · · Score: 0

    It's the early Microsoft Christmas present to all of the world using MS Windows. They do love us.

  11. .. posted from newly esspee2d xp abomination by maharg · · Score: 4, Insightful

    so it's christmas eve 2004, i'm at the in-laws, just spent 3 hours adawaring, spybotting, esspee2ing from a cd burnt on the latest stage 1. go figure.

    30 megs of critical/av signatures to be done over dialup another time

    damn you micro$hite

    --

    $ strings FTP.EXE | grep Copyright
    @(#) Copyright (c) 1983 The Regents of the University of California.
    1. Re:.. posted from newly esspee2d xp abomination by Anonymous Coward · · Score: 0

      this ain't "Score 3, Funny". It's either "Score 5, Insightful" or "Score -1, Pathetic".
      This weekend, I'll be "Score -1, Lame" and will __not__ patch any pc. Let them become "Score 5, Wise" and learn to do it themselves.

    2. Re:.. posted from newly esspee2d xp abomination by Anonymous Coward · · Score: 0

      Here we see another advantage in being an IT professional who only uses *nix and doesn't touch Windoze.
      Anybody asks me to help them out with Microshite and I can honestly tell them that I don't know how.

      Saves lots of my time being wasted :-)

    3. Re:.. posted from newly esspee2d xp abomination by Anonymous Coward · · Score: 0

      Don't blame Microsoft because you lack the spine to stand up for yourself. Sounds like you need to learn how to say "No."

    4. Re:.. posted from newly esspee2d xp abomination by StormReaver · · Score: 1

      I recommend just telling them that you no longer support Windows. Then you could actually enjoy your holidays (and every other day in the year).

      And leading by example works.

    5. Re:.. posted from newly esspee2d xp abomination by maharg · · Score: 1

      .. yeah, telling them no would help my wife's disabled nephew no end. They find XP challenging enough - they are *not* ready for linux. I think you have possibly misread my frustration at gates and co as resentment that any member of my family would ask for help with their computer. I am loving the holidays with my wife and sons. Leading by example does work, and I heartily recommend that you try it sometime.

      Happy Holidays Everyone !!

      --

      $ strings FTP.EXE | grep Copyright
      @(#) Copyright (c) 1983 The Regents of the University of California.
    6. Re:.. posted from newly esspee2d xp abomination by harks · · Score: 1

      Is the problem Microsoft, or is the problem that people don't feel the need to update? I think it's a little of both.

    7. Re:.. posted from newly esspee2d xp abomination by Anonymous Coward · · Score: 0

      Which is why I travel with a CD wallet and USB key of repair tools, bootable Khauyeung CDs, and my Knoppix CD.
      Fixing computers for friends and in-laws while they feed me tasty munchies is an easy way to enjoy the holidays.

    8. Re:.. posted from newly esspee2d xp abomination by gnu-generation-one · · Score: 1

      "so it's christmas eve 2004, i'm at the in-laws, just spent 3 hours adawaring, spybotting, esspee2ing"

      So Mepis CDs all around, for christmas presents then?

    9. Re:.. posted from newly esspee2d xp abomination by upsidedown_duck · · Score: 1

      Is the problem Microsoft, or is the problem that people don't feel the need to update?

      The only things that people spend as much money on as computers are things like cars and appliances. How would you feel if your dishwasher was badly designed, shipped with flaws, and needed you to take it to a repairman several times a year? The time you would have spent removing the dishwasher from the cabinet, lugging it to your car, and driving to a repairman is comparable to the amount of time people waste with patching their computers. The only reason people put up with this shit is that the novelty of computers hasn't worn off, yet. Basically, this means we are still in the Model T era of computing (cars used to be unreliable shit, too, then they got better, until the 70s, when they sucked again, but they're a lot better, now).

      --
      -- "Makes Little Debbie look like a pile of puke!" - Moe Szyslak
    10. Re:.. posted from newly esspee2d xp abomination by Psychotext · · Score: 1

      Ugh... I know the feeling. Sickeningly enough I just had to do the same for my nephew. The worst thing is that he has firefox, the best antispyware apps, a good virus scanner and an excellent firewall. The little scumbag just keeps loading IE, not updating his virus / adware definitions, downloads trojans and pretty much allows everything to access the net when asked. :(

      Oh, and does anyone know how I can stop IE loading? At least that should kill some of the problems.

      --
      People that believe in their opinions don't post AC.
    11. Re:.. posted from newly esspee2d xp abomination by gad_zuki! · · Score: 1

      >damn you micro$hite

      Wait. So the users aren't using any spyware or virus detector, nor are they updating their system, and you blame the OS vendor?

      Fine, but when you switch them to unix and they run as root 100% of the time and run any shell script emailed to them, then who will you blame?

      MS has its faults, the same way my car does, but at least I take my car to get its oil changed and its crappy components changed when they break. I currently can't afford to buy a better car so I'm stuck with what I've got, so I took it upon myself to learn some basic troubleshooting and repair. I've done two repairs on my own that would have cost me a few hundred this year.

      I think the in-laws could be taught to double-click the "lavasoft" icon now and again.

    12. Re:.. posted from newly esspee2d xp abomination by satans_advocate · · Score: 1

      Oh, and does anyone know how I can stop IE loading? At least that should kill some of the problems.

      I asked the same question, and apparently now there is xplite

      Merry Christmas!

    13. Re:.. posted from newly esspee2d xp abomination by Psychotext · · Score: 1

      Hey, thanks for that. Merry Christmas one and all! :)

      --
      People that believe in their opinions don't post AC.
  12. bugtraq links for the vulnerabilities / demo by tsager · · Score: 5, Informative
    1. Re:bugtraq links for the vulnerabilities / demo by paganizer · · Score: 0

      None of the exploits listed did ANYTHING to my Win2kSP4 system running Mozilla 1.7

      --
      Why, yes, I AM a Pagan Libertarian.
    2. Re:bugtraq links for the vulnerabilities / demo by Cylix · · Score: 1

      FC3 won't open the HLP files.

      Damn you linux... you have hindered me for the last time!

      --
      "You should always go to other people's funerals; otherwise, they won't come to yours." -- Yogi Berra
    3. Re:bugtraq links for the vulnerabilities / demo by Anonymous Coward · · Score: 0

      Windows Server 2003 Enterprise

      Ran complete exploits, no effect and no, I haven't been to Windows Update since the last patch day. Go to Windows Update, no updates for these supposed exploits. Okay, was something supposed to happen?

      Now as for the comments about having to run around and patch all the user systems out there that aren't under sysadmin protection, that's a lot of bull. Every one of the machines that I visit is set to autoupdate upon connection for virus signatures, Windows Updates, Spyware signature updates, etc. I do this all the time and I get no calls when one of these 'supposed' vulnerabilities occurs. Why? I make it transparent to the user.

      What really annoys me is that I am a regular subscriber to the BugTraq mailing list and I see far more vulnerabilities go by every day for *nix systems. Yet oh my, since it's Windows that has a vulnerability, it is the end of the universe!

      Give me a break! We sysadmins are already scrambling to patch our php-based systems and any php-derived software (phpBB anyone? how about phpMyAdmin?) and we're already fighting a worm. Yet these bugs are the final nail in the coffin of Windows. Frankly I'm more worried about php and Java right now 'cause we be talking servers, not Momma's email machine.

      If people follow simple guidelines, those Windows home machines won't be a problem. The ones I monitor certainly won't be. I'll be on the couch, having some drinks, enjoying myself. BTW, have a Merry Christmas, I certainly will be.

      -Bri

  13. But... by RAMMS+EIN · · Score: 4, Funny

    Will they allow me to install Linux once i 0wn the machine?

    --
    Please correct me if I got my facts wrong.
  14. Don't suppose anyone... by NoMoreNicksLeft · · Score: 2, Interesting

    Knows where a person could find a pre-compiled, local only 2k/XP administrator access binary? Something that would just open a cmd.exe with the correct privileges, to say, install java on Firefox?

    I'm not a script kiddy, just not patient enough to go through the 3 month process of maybe getting it approved to be installed by IT...

    1. Re:Don't suppose anyone... by tqft · · Score: 1

      I know the problem and have thought about it.

      http://www.winehq.org/hypermail/wine-users/2004/02/0137.html

      http://www.linuxquestions.org/questions/history/263430

      Knoppix (3.7 at least) comes with WINE pre-installed.

      Just run the installer under WINE on Knoppix?

      Alternatively find the *.reg file and use Knoppix/WINE to add it to the registry.

      Might take some mucking around to get it to work properly from what I have seen so far. I haven't decided if my job is worth it.

      My current work machine is awesome with Knoppix rather than NT 4.0. But permanently changing the registry may well show up on corporate IT scans - registry change logging, etc.

      --
      The Singularity is closer than you think
      Quant
    2. Re:Don't suppose anyone... by NoMoreNicksLeft · · Score: 1

      I plan on sidestepping the issue by pretending ignorance. I work evening shift in a phone support cube farm, and sometimes people borrow my machine (temporary space for a new trainee, someone else's machine is being worked on by IT, etc).

      Especially since I don't think any scans are often enough to pinpoint when it happened, and that it's not any software that a reasonable person could find objectionable (after all, I have to get java working with it, so that our stupid in-house apps will work).

  15. Patch available... by Anonymous Coward · · Score: 0, Informative

    ...at least for the color scheme here:

    http://shit.slashdot.org/article.pl?sid=04/12/24/0356204

  16. bad time of year? by sonictheboom · · Score: 1

    It might be a bad time if you had patches to apply, but since this is unlikely to happen anytime soon you might as well relax...

  17. I don't get it.... by Anonymous Coward · · Score: 0

    I tried to crash my Win 2K workstation using Firefox, no luck. It is also indicated that it "needs ie6 to open" ... So if it crashes when you use IE6 and not anything else, how come this is described as a Windows vulnerability??
    I mean, if I create a Linux tool that opens up all your ports when you send certain code, can we call it a Linux flaw??

    1. Re:I don't get it.... by faragon · · Score: 2, Insightful

      The OS itself should not be shut down just by user-level privilege rights. If IE6 or any other application causes a system crash under a non-root privilege level, it is an OS fault, as the OS must guarantee interprocess safety and security, etc.

    2. Re:I don't get it.... by Anonymous Coward · · Score: 0

      So next time my code makes the machine crash, I can blame Windows?? Is this what you mean to say?

    3. Re:I don't get it.... by AndroidCat · · Score: 2, Insightful

      If you don't have any fancy admin rights, you shouldn't be able to do anything in code to crash your machine, regardless of the OS.

      --
      One line blog. I hear that they're called Twitters now.
    4. Re:I don't get it.... by chorns · · Score: 2, Insightful

      The LoadImage API is implemented in kernel-mode for speed so a bug in there can bring down a system.

    5. Re:I don't get it.... by black+mariah · · Score: 0

      Could you possibly say something just a LEEETLE BIT more retarded? No? I didn't figure anyone could...

      --
      'Standards' in computing only impress those who are impressed by things like 'standards'.
    6. Re:I don't get it.... by AndroidCat · · Score: 2, Funny

      You managed to.

      --
      One line blog. I hear that they're called Twitters now.
    7. Re:I don't get it.... by AusG4 · · Score: 1

      You should remember that, according to Microsoft's testimony to the DOJ, Internet Explorer and the Windows OS itself are now inseparably linked.

      As much as I think it's idiotic that the two couldn't be decoupled, such deep integration does suggest that a fault in a user-mode application could indeed transcend the user/kernel separation and bring the whole works down.

      Of course, this is fantastically poor design, but what did you really expect from the people who brought us Microsoft Bob?

      --
      bash-3.00$ uname -a
      SunOS panda 5.10 Generic sun4u sparc SUNW,Ultra-2
    8. Re:I don't get it.... by Spacejock · · Score: 1

      what did you really expect from the people who brought us Microsoft Bob?

      Actually, they tried to bring us Bob but we didn't want it. So now we have Clippy, just because some ideas are too damned good to kill off.

    9. Re:I don't get it.... by AusG4 · · Score: 1

      Clippy... too funny.

      "Goodbye, Cruel World...."

      Blip!

      "Hi there! It looks like you're writing a suicide letter. May I make the following suggestions:"

      --
      bash-3.00$ uname -a
      SunOS panda 5.10 Generic sun4u sparc SUNW,Ultra-2
    10. Re:I don't get it.... by cnettel · · Score: 5, Informative

      This doesn't have to apply to kernel stuff. A lot of Windows apps rely on for example the "common controls" API. It handles toolbars, tooltips, listviews and so on. Quite a lot of UI goodies. Most of those are implemented without any kernel side, they're normal user mode controls/"windows" with their own drawing.

      Now to the point: This DLL was updated quite a few times with Internet Explorer 3, 4 and 5. The versions in Windows 98, 2000 and XP are/were directly related to the matching (sub-)version of Internet Explorer. If you wrote an app for Win-95 and wanted to use one of those common controls, the recommended redistribution scenario was redistributing IE.

      If they simply ripped out anything that is officially part of the "IE codebase", it's completely true that quite a few apps would fail.

      This is of course even more true of some of the other APIs with a more apparent connection to Internet Explorer, like WinInet for interacting with HTTP/FTP without doing sockets yourself (and using the IE cache and other stuff) or employing the IE HTML/XML parsing and possibly rendering hosted in another application. I chose common controls because they're very frequently used, and some quite significant updates were introduced through IE. These updates are still there in "Win98 lite" and whatever you would do to a Windows system to rip out IE, but retain a reasonable level of compatibility. Just because it's part of the OS and a frequently used API doesn't mean it's kernel mode. And very little IE related code is *in the kernel*.

      Now to the point: LoadImage is quite a low level function. Display drivers are allowed to use it on their own and modify its functionality. That makes it belong in kernel mode. Even if they moved back some more UI stuff from the kernel, stuff like this probably belongs there, if you buy the concept of placing display drivers in kernel mode at all.

    11. Re:I don't get it.... by faragon · · Score: 1

      Yes, a bug at any kernel trap is a way to crash -or find a back door into- a system. The goal/idea is that the kernel -NT, BSD, Linux or whatever- should be trap-call safe. Of course, an OS with high redundancy at its trap level (read Windows NT and derivatives) has a higher risk level, as people who program kernels are humans, just like you and I. As an example, "commercial and very expensive real-time UNIXes" are not bug free; a few weeks ago we found at the office that the 'execl' kernel trap did its work badly when the thread number for a process went above 80% of its limit; white papers guaranteed the operation, but in fact there was no such security, giving system panics and so on. Dramatic.

  18. Give this as a gift for the holidays by Skalek · · Score: 4, Informative

    Nothing is more annoying about the holidays than going to visit family and friends and then being sucked into fixing their damn computers. While everyone is drinking and having a good time, we are the schmucks trying to figure out how to remove that damn process from Windows 98!

    This year I wash my hands of it and am giving them a printout of a tutorial I found that has helped some friends. It is basic, but they do not bother me as much anymore:

    Simple and easy ways to keep your computer safe and secure on the Internet

    1. Re:Give this as a gift for the holidays by Stevyn · · Score: 1

      Yeah, I always get stuck doing this too.

      Do people ask plumbers to unclog toilets on holidays? I don't fricken think so!

    2. Re:Give this as a gift for the holidays by lew3004 · · Score: 2, Funny

      You're lucky. I cherish the moment they want me to fix their PC. That way I don't have to listen to all the other drunken idiots.

      --
      I still can't get the screen shots of Castle Wolfenstein for the Apple IIe out of my head.
    3. Re:Give this as a gift for the holidays by museumpeace · · Score: 3, Interesting

      I'd suggest either feigning a stroke that has caused you to "forget" everything you ever knew about computers, or downloading the ISO from mepis.org and burning a bunch of live CDs to give out to your clueless friends. My son's old laptop utterly refused to be upgraded to XP and its ME was hosed... it got so bad you couldn't even get a chance to break into the BIOS. I gave him the Mepis CD and just let him fool with it for a while. At breakfast the next morning, he was beaming. He'd figured out how the partition editor worked, wiped the microshit completely off the HD and was enjoying his trip up the KDE learning curve. We have gone from "I think it's a doorstop now" to "it's a little slow opening files and I think we need to find the right driver for my PCMCIA ethernet card".

      Give those friends and relatives an opportunity to experience winning, to experience being just a little bit competent with a computer, and there is a chance that they will be both bothering you less and talking to you more intelligently in the future. But for God's sake don't let them leave the room if you have to be in the driver's seat for the repair sessions: make 'em bring you a drink and make them listen and describe in their own words each step you take at the keyboard.

      --
      SLASHDOT: news for people who can't concentrate on work or have no life at all and got tired of yelling back at the TV.
    4. Re:Give this as a gift for the holidays by MicroBerto · · Score: 2, Interesting
      This has been holiday tradition for me since about 1999.. it's nothing new anymore.

      Problem is that people are starting to bring laptops, family members are starting to have kids, and I'm still just one guy who wants to eat too and drink too much and pass out.

      --
      Berto
    5. Re:Give this as a gift for the holidays by daveking · · Score: 1

      Ha! The parent's linked article is definitely written in the native language of the common Windows user:

      Use an AntiVirus Software - It is very important that your computer has an antivirus software running on your machine.

      Maybe that's exactly what is called for. The page is only lacking a tiled background image to hold their attention.

      --
      ------DO NOT WRITE BELOW THIS LINE------
    6. Re:Give this as a gift for the holidays by Krunch · · Score: 1

      For French-speaking users, there is also this nice document.

      --
      No GNU has been Hurd during the making of this comment.
    7. Re:Give this as a gift for the holidays by Anonymous Coward · · Score: 0

      Just say no, then say that. If they try to bring it up again, just excuse yourself to get a drink.

      When you won't even start a discussion with them about it, eventually they'll give up.

      It's your life - stop being a slave to others!!!

    8. Re:Give this as a gift for the holidays by hazah · · Score: 1

      Heh... I gave the tutorial a read thinking: "No, it's not possible it can tell me something new." Right. But, little did I know. No, really, it does appear very little. Windows is so strange, it seems. I didn't know you needed 5 or so different antivirus programs running concurrently. I mean, this is quite amazing. Your traditional antivirus, Spybot, Ad-Aware, blah blah blah.... essentially all search your system for hidden programs that fuck with your hardware. Yes... so strange, and amazing at what it will do to ppl's perception of what computing's all about.

    9. Re:Give this as a gift for the holidays by Anonymous Coward · · Score: 0

      I just start telling fictitious stories about how the last person I "helped" I blew up their computer and lost all their files etc etc. Then I say I'm a little nervous about getting back in the saddle. I haven't had a single one say go ahead lol.

  19. Spoilt Holidays for Admins by mahesh_gharat · · Score: 1

    Why, oh why, do they have to do it just one day before the start of the holidays?
    It's happening again this year. It's very disheartening for all those admins who will be going on holiday to see the vulnerabilities just one day before the holidays and the exploits the next day. I was an admin a couple of years ago and I know these conditions are a living hell, when you spend all your holidays thinking about your servers getting hacked or cracked.
    Admins who have taken the backups will be in a better state though.

    1. Re:Spoilt Holidays for Admins by Whyzzi · · Score: 1

      You will pardon my 'xcuse while I backup my servers ...

      --
      "BSD is about people pissing each other.." (Moid Vallat)
  20. ANI vulnerability? by Anonymous Coward · · Score: 0

    Does not surprise me.
    Even the code to display ANI cursors is buggy in almost all Windows versions.
    The timing values for the single pictures are not evaluated correctly. Best seen with the metronom.ani

  21. Ho Ho Ho by mslinux · · Score: 3, Funny

    Merry Christmas... from all the people at Microsoft. Buffer overflows for everyone this year ;)

  22. Honestly, by deutschemonte · · Score: 1

    Is this even news anymore?

    --
    The preceding message was based on actual events. Only the names, locations and events have been changed.
    1. Re:Honestly, by Taladar · · Score: 1

      You could use all your mod points to mod every comment in these "news" stories redundant but I don't think it would be worth it.

  23. what ever happened... by Lord+Bitman · · Score: 3, Informative

    remember that test someone did where garbage code was thrown at IE and firefox in order to see how they held up and find things like buffer overflows which could be potentially exploited?
    What ever happened with that? Were the bugs in Firefox fixed? I remember that IE did well in that test, but I don't remember any specifics.
    Anyone know?

    --
    -- 'The' Lord and Master Bitman On High, Master Of All
    1. Re:what ever happened... by imroy · · Score: 1

      IIRC, those tests were done by a lab closely associated with Microsoft. I.e., MS had already fixed up those problems in IE and deliberately got someone to "discover" how it was better in this one tiny area. Just like the infamous Mindcraft tests all those years ago. I don't know if Mozilla has fixed its code yet.

    2. Re:what ever happened... by Anonymous Coward · · Score: 0

      All bugs have been fixed. And FYI it wasn't done by a lab closely associated with Microsoft.

    3. Re:what ever happened... by YU+Nicks+NE+Way · · Score: 2, Informative

      The parent is so wrong it is sickening.

      The fuzz tester wasn't written by a lab close to Microsoft.

      It isn't a "tiny" area: Browsers read files that contain HTML. No matter what, corrupt files should not crash a browser.

      The Linux kernel was rewritten after Mindcraft. There was a serious problem in the way signals were handled under high load.

      Mozilla has fixed the three bugs that Zalewski's original posting described. There are still issues in Firefox 1.0 that the tool discloses.

  24. Great by Segosa · · Score: 3, Interesting

    Stupid question, but does the LoadImage() one affect images which are viewed in FireFox or Thunderbird?

    1. Re:Great by AndroidCat · · Score: 1

      Grap the source and grep. It's a fairly basic call, so it wouldn't surprise me if it was used.

      --
      One line blog. I hear that they're called Twitters now.
    2. Re:Great by Myen · · Score: 1

      Considering that Mozilla uses its own image decoders, I doubt it. (Mozilla even re-implemented the BMP decoder, so that it can be cross-platform.)

      All Windows sees from Mozilla is something like a bunch of decoded 32-bit images or something. Not sure on this, but definitely not the original image data (and thus no vulnerability).

    3. Re:Great by AndroidCat · · Score: 1

      Let me amend my comment to: It wouldn't surprise me if they used LoadImage somewhere in their code. Not in the main graphics routines, but somewhere out of the way. If they did, will that cause problems? Who knows. That's the trouble with errors in basic routines. But at least with OSS it's possible to grep, look, and be sure.

      --
      One line blog. I hear that they're called Twitters now.
  25. Grr by Alioth · · Score: 2, Insightful

    Why do they have to release this stuff JUST BEFORE we actually get time off? Are they deliberately being bastards to us Bastards who have to herd Redmondware amongst the other less sucky things?

    At least I won't have to spend Christmas removing viruses, trojans and spyware from my Dad's computer. I bought him a Mac. Worth every penny in reduced aggro.

    1. Re:Grr by Gordonjcp · · Score: 1

      I put Linux on my Mum's computer. Works great, everything is supported, no adware/spyware/crapware, no patches required, *peace and quiet*....

    2. Re:Grr by Anonymous Coward · · Score: 0

      Yeah I know how you feel, it will take me at least 24 hours to get an exploit out.
      A virus writers work is never done.

  26. Silent Night by Electronik · · Score: 4, Funny

    Silent night, holey night,
    All is calm, all is bright,
    Round yon virgin PC and screen,
    Holey computer, so exploitable and keen,
    Sleep with spyware downloading,
    Sleep with spyware downloading.

    --
    -=test-sig_0.1.5(NoWhitespaceVersion)=-
    1. Re:Silent Night by Anonymous Coward · · Score: 0

      I hope you get a dictionary for Christmas.

  27. ouch! by TouchOfRed · · Score: 1

    Just for the hell of it, I tried it with Firefox and Fedora Core 3 (updates and all). Resulted in total X lockup :\. I usually don't side with MS, and X lockups aren't as bad security wise, but still :\.

    1. Re:ouch! by Anonymous Coward · · Score: 0

      I must have clicked on the hyperlinks wrong. Mozilla 1.7.5 on Gentoo (AMD64) did nothing but show 123 or 1111111111111111. Woopty doo.. Nasty bug.

      I guess not using a 32bit system helps.

  28. Is it really this hard... by AC-x · · Score: 0, Troll

    ...to write software without buffer overflow problems?

    It's not just MS, even plenty of OSS programs have buffer overflow exploits.

    I haven't done any lowlevel programming, but can it really be that difficult to do

    malloc buffer MAX_BUFFER_SIZE
    if(mem_to_copy.length>MAX_BUFFER_SIZE){
        return ERROR_DATA_TOO_LONG
    }else{
        copy(mem_to_copy,buffer)
    }

    ?

    1. Re:Is it really this hard... by t0y · · Score: 1

      (sigh) Stick with VB.

    2. Re:Is it really this hard... by Anonymous Coward · · Score: 0

      Do you really want to allocate MAX_BUFFER_SIZE every time you want some dynamic memory? Then what happens if mem_to_copy.length is negative?

    3. Re:Is it really this hard... by twiddlingbits · · Score: 3, Insightful

      Nice try, but you should check the return code from malloc(). If it is -1 then there is a problem and you don't need to do the If statement. A lot of times the trouble comes not when allocating memory but when using a pointer to WRITE to memory. It's a C programmer trick to set up a pointer to a block of size X and write to it via the pointer; of course if you lose track of the pointer address you can easily go too far. Common errors are off by one in the count, assuming you are writing 8/16/32 bits without checking the underlying data type first, or just writing to whatever address the pointer says w/o checking that *p > MAX_MEMORY_ADDRESS. These are errors a beginner programmer would make, and from the looks of how common these errors are in Windows that is the type of folks MS uses. It also says to me that they don't use any sort of Automated Code Analysis tools which can catch these sorts of errors. Or maybe they don't do any independent QA at all? It's pretty pathetic when the world's most popular software is made by a company that probably doesn't meet SEI Level 2 criteria. I only wish that the laws allowed someone to sue for lost time/income from the "basic" errors that shouldn't have been present.

    4. Re:Is it really this hard... by Gopal.V · · Score: 4, Interesting
      Vulnerabilities are not hard to write - they are hard to detect and often easy to fix.

      Most FOSS programs are the result of someone who really wants to write something good. Rarely have I seen someone being forced to write FOSS code to meet a release date schedule or to remain competitive. It's about "It'll be done when it's done", a sort of Code Poetry. Most of the code was written to run in a hostile environment where black hats can read the code (like the above piece) and screw everyone who runs bad code. The term security in obscurity as far as coding style does not even enter your mind.

      Also vulnerabilities are easier to find when you have the source - like that professor who set his students to find vulnerabilities in FOSS. Unlike a corporate setup - you have a practically unlimited number of reviewers if your program is popular (and if it is not, a vulnerability is no big deal anyway, right). Also everyone runs a different binary, slightly different from what everyone else runs (security often needs you to recompile stuff with stack canaries)

      So FOSS software evolves (yes, Natural Selection) to avoid these vulnerabilities by dying out or it "adapts" - Someone adds more good ideas and makes it better like.. (s/ideas/genes == Sexual reproduction) . Also the good ones read Wietse's papers.

    5. Re:Is it really this hard... by Anonymous Coward · · Score: 0

      Or you could write:

      memcpy(buffer, mem_to_copy, MAX_BUFFER_SIZE);

    6. Re:Is it really this hard... by pathological+liar · · Score: 1

      Yes.

      If the length of the mem to copy is stored in a signed int, you can get an integer overflow that will let it pass your MAX_BUFFER_SIZE check and overflow the buffer. If you're dealing with strings, you should probably be checking for MAX_BUFFER_SIZE - 1, because a handful of string-related functions (at least in C) like to copy the null terminator over as well.

    7. Re:Is it really this hard... by Taladar · · Score: 1

      I think the release schedule thing has much to do with bad code. You have good intentions but when the deadline is near you drop them to "just get the thing done at all".

    8. Re:Is it really this hard... by Matt2k · · Score: 1

      > I only wish that the laws allowed someone to sue for lost time/income from the "basic" errors that shouldn't have been present.

      Be careful what you wish for. Such a law would place the small-time software developer in a highly actionable position.

      I for one would quit writing cheap shareware if I could get sued into oblivion for every little bug that was in my software.

    9. Re:Is it really this hard... by Krunch · · Score: 2, Informative

      Nice try but if malloc(3) is not too buggy (if it is, you have other problems) it will only return NULL or a valid pointer. It is never supposed to return -1 (unless -1 is a valid pointer) or some value larger than MAX_MEMORY_ADDRESS (from where does this macro come anyway?).

      --
      No GNU has been Hurd during the making of this comment.
    10. Re:Is it really this hard... by Anonymous Coward · · Score: 0
      The guy said he'd never done any low-level coding, and apparently neither have you, at least not in C...

      The original poster didn't know how to use malloc, so he did this:
      malloc buffer MAX_BUFFER_SIZE
      This might look like valid syntax if you've never seen C before, but everybody knows the prototype for malloc looks like:
      void *malloc( size_t size );
      So, allocating a buffer:
      void *buf = malloc(len);
      if( !buf )
          some_error_handler();
      malloc will never return -1. If it does, your program is probably dead anyway (because -1 is ~0, or, the highest possible memory address. You probably can't access it, and if you could, it's only a byte.), and the best thing to do is just let it catch a SIGSEGV, rather than attempt to handle it.

      I believe some Windows API functions that return pointers sometimes return -1 (or 0xffffffff) on failure, but, that's Windows. It doesn't exactly follow the spirit of the C that Unix founders (and the designers of libc, thus malloc) envisioned.

      I'd advise you, when you start a post with "nice try," to at least get the facts straight.
    11. Re:Is it really this hard... by Anonymous Coward · · Score: 0
      That's why the strlcpy() and strlcat() that OpenBSD pioneered are a good idea. Instead of this sizeof(buffer)-1 and then zeroing the last byte, you can just pass the actual size of the buffer and the strl* functions will know what to do.

      True libc reform. Perhaps we need more functions like this. Using snprintf()'s return value to figure out the length of a string, for example, can be a mess. It's not portable across platforms because not everybody conforms to C99, and even ANSI contradicts C99. The GNU behavior of snprintf() makes the most sense, but I have to write my code very differently to make it work with, say, Solaris.

      /* An snprintf() workaround that works more like GNU's */
      #include <stdarg.h>
      #include <stdio.h>

      /* If the caller passes a NULL buffer (asking only for the length),
         substitute a one-byte scratch buffer so vsnprintf() is never
         handed NULL with a nonzero length. */
      int good_vsnprintf( char *buf, size_t len, const char *fmt, va_list ap )
      {
          char c;
          if( !buf )
          {
              buf = &c;
              len = 1;
          }
          return vsnprintf(buf, len, fmt, ap);
      }

      int good_snprintf( char *buf, size_t len, const char *fmt, ... )
      {
          int r;
          va_list ap;
          va_start(ap, fmt);
          r = good_vsnprintf(buf, len, fmt, ap);
          va_end(ap);
          return r;
      }
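    The two pitfalls discussed above (a signed length slipping past the pseudocode's MAX_BUFFER_SIZE check, and the strlcpy() habit of passing the real buffer size so the copy is always terminated), shown in working C as an added example that is not code from any poster in this thread; MAX_BUFFER_SIZE, the result enum and the function names are assumed for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed for this example: the pseudocode's limit, made concrete. */
#define MAX_BUFFER_SIZE 16

/* Result codes, assumed for this example. */
enum copy_result { COPY_OK = 0, COPY_TOO_LONG = -1, COPY_NO_MEMORY = -2 };

/* The pseudocode's length check with a signed length: returns 1 when the
 * copy would be allowed. A negative length is "less than" the limit, so it
 * passes, and memcpy would then receive it converted to a huge size_t. */
int signed_check_allows_copy(int length)
{
    return !(length > MAX_BUFFER_SIZE);
}

/* The same check with size_t: a "negative" value is a very large unsigned
 * number and is correctly rejected. */
int unsigned_check_allows_copy(size_t length)
{
    return !(length > MAX_BUFFER_SIZE);
}

/* strlcpy-style copy: takes the real destination size, always
 * NUL-terminates when dst_size > 0, and returns strlen(src) so the caller
 * can detect truncation with (return >= dst_size). */
size_t bounded_strcpy(char *dst, size_t dst_size, const char *src)
{
    size_t src_len = strlen(src);
    if (dst_size == 0)
        return src_len;
    size_t n = src_len < dst_size - 1 ? src_len : dst_size - 1;
    memcpy(dst, src, n);
    dst[n] = '\0';
    return src_len;
}

/* Allocate a buffer sized to the input and copy into it. Rejects the length
 * before allocating, and checks malloc for NULL, the only failure value the
 * C standard lets it return. */
enum copy_result copy_to_new_buffer(const char *src, size_t src_len, char **out)
{
    *out = NULL;
    if (src_len > MAX_BUFFER_SIZE)
        return COPY_TOO_LONG;
    char *buf = malloc(src_len + 1);        /* +1 for the terminator */
    if (buf == NULL)
        return COPY_NO_MEMORY;
    memcpy(buf, src, src_len);
    buf[src_len] = '\0';
    *out = buf;
    return COPY_OK;
}

/* Self-checks used by main(); each returns 1 on the expected outcome. */
int demo_strcpy_truncates(void)
{
    char dst[8];
    memset(dst, 'X', sizeof dst);           /* no stray terminator in dst */
    size_t wanted = bounded_strcpy(dst, sizeof dst, "0123456789");
    /* 10 bytes wanted, 7 fit: truncated, but still a valid C string. */
    return wanted == 10 && wanted >= sizeof dst && strcmp(dst, "0123456") == 0;
}

int demo_heap_copy(void)
{
    char *p = NULL;
    int ok = copy_to_new_buffer("hello", 5, &p) == COPY_OK
             && p != NULL && strcmp(p, "hello") == 0;
    free(p);
    /* 17 bytes exceed MAX_BUFFER_SIZE: rejected before any allocation. */
    int rejected = copy_to_new_buffer("0123456789abcdefg", 17, &p) == COPY_TOO_LONG
                   && p == NULL;
    return ok && rejected;
}

int main(void)
{
    printf("signed check lets -1 through: %d\n", signed_check_allows_copy(-1));
    printf("unsigned check lets (size_t)-1 through: %d\n",
           unsigned_check_allows_copy((size_t)-1));
    printf("strlcpy-style truncation behaves: %d\n", demo_strcpy_truncates());
    printf("heap copy with checks behaves: %d\n", demo_heap_copy());
    return 0;
}
```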
    12. Re:Is it really this hard... by upsidedown_duck · · Score: 1

      (unless -1 is a valid pointer)

      Given that memory addressing starts at zero, the only conclusion of a -1 return value is that MALLOC HAS ACCESSED A PARALLEL UNIVERSE AND THAT THEY KNOW WE EXIST! SAVE YOURSELVES!!!

      --
      -- "Makes Little Debbie look like a pile of puke!" - Moe Szyslak
    13. Re:Is it really this hard... by yotaku · · Score: 1

      Most FOSS programs are the result of someone who really wants to write something good. Rarely have I seen someone being forced to write FOSS code to meet a release date schedule or to remain competitive.

      I'm sorry but I think that that is a little naive. A FOSS programmer still likely has desires that someone actually use their product and so they force themselves to work faster to keep up with the market. You are also discounting the fact that a large portion of open source work is done by large companies such as IBM and Sun to combat Microsoft. And you can bet that those programmers have deadlines and release schedules.

    14. Re:Is it really this hard... by Krunch · · Score: 1
      memory addressing starts at zero
      AFAIK there is nothing in the ISO C99 standard that says all valid pointers should be > 0. n869 page 58:
      Any pointer type may be converted to an integer type. Except as previously specified, the result is implementation-defined. If the result cannot be represented in the integer type, the behaviour is undefined. The result need not be in the range of values of any integer type.
      Of course most archs don't use negative pointers but one could invent some weird platform which uses pointers that cast to negative integers.
      --
      No GNU has been Hurd during the making of this comment.
    15. Re:Is it really this hard... by Anonymous Coward · · Score: 0

      And for a product that does not meet SEI L2, how in the heck is it granted a Security EAL rating??
      Does anyone really believe the so-called Trusted Security Reference Model (SRM) is not as buggy as the rest of the code? The NX bit copout argument will only be swallowed by fools. Only by revoking the EAL status will MS be encouraged to do better.

  29. "the Chinese company"? by wertarbyte · · Score: 1

    Is it "the company" or "The Company"?

    --
    Life is just nature's way of keeping meat fresh.
  30. That depends on how angry your IT dept is. by rubberband · · Score: 1

    Depending on the reaction you'll get, you can always reset the admin password on your box to a new one of your choosing, and install away... Whether or not this is a good idea in your situation is left to your judgement.

    A useful utility to accomplish this can be found here:

    http://home.eunet.no/~pnordahl/ntpasswd/

    While it's kinda overkill in this case, I think I'd trust it over a newly released exploit. Hope that helps a bit.

    1. Re:That depends on how angry your IT dept is. by NoMoreNicksLeft · · Score: 1

      That's not really an option. I can't change anything permanently. Was hoping for an exploit that gives me a temporary admin cmd.exe, I install, and then reboot. No one knows how it was installed then.

      Doesn't even have to be a new exploit. Just as long as it works. And as I said, I'm not a script kiddy, so a local-only exploit would be fine too.

    2. Re:That depends on how angry your IT dept is. by Anonymous Coward · · Score: 0

      OK, do you have your own PC with 2000 or XP?
      Good. Make a BartPE (http://www.nu2.nu/pebuilder). Now, you
      can back up the SAM (C:\windows\system32\config\sam*) before using ntpasswd.

    3. Re:That depends on how angry your IT dept is. by Anonymous Coward · · Score: 0

      DreampackPL is exactly what ya need.
      Replace sfcfiles.dll with the modified file per the readme.
      After you are done there will be no trace and you will not disturb the password file. Log in under any account on the box.
      I put it on a BartPE bootable CD for convenience.
      It's easy, give it a shot.
      http://www.d--b.webpark.pl/dreampackpl_en.htm
      http://www.nu2.nu/pebuilder/

  31. Re:second by necromcr · · Score: 0

    sorry?

    --
    No more I say.
  32. Re:Clippy helps you get the most out of your PC by daniil · · Score: 0, Offtopic
    What do you want to steal today?

    Santa's sleigh!

    --
    Man is a slave because freedom is difficult, whereas slavery is easy.
  33. Bah! by rubberband · · Score: 5, Insightful

    Hi, you've missed the point. I hope you're not trolling, because I'm going to bite.

    Every box at my workplace is patched with SP2. In this case, it doesn't matter - one of the exploits is still usable.

    The problem is not (this time, thankfully) the corporate enterprise deployment of Windows. It's friends and family. Every time a new Windows exploit like this comes out, jerk spyware/worm/virus writers are on it within 24 hours, populating their zombie networks with your mom's, friends' and families' computers. Mandatory regular patching at work is easy. The same for people you see occasionally who are not computer literate is not. These are the people who it really screws with - for example, all one of my buddies wants to do with his Dell is play games, send email and surf. He knows nothing beyond that, and is certainly not going to run down to the basement on Christmas Eve to make sure his operating system is secure RIGHT NOW.

    This business of "patch or you deserve it" is utter BS. I maintain that virus writers should be dragged into the street and beaten with keyboards, followed shortly by geeks who empower them by putting any of the blame on the end user. If I paid thousands for an OS site license, I should not be spending my holidays fixing it. If I spend hundreds for an oem copy at home, the same applies. The only ones who deserve ANYTHING bad here are the exploiters and the providers of the crappy OS in question.

    1. Re:Bah! by Anonymous Coward · · Score: 1, Interesting

      If I paid thousands for an OS site license, I should not be spending my holidays fixing it.

      Perhaps time to rethink this policy?

      I know, I know. Management says to install it. Some apps only run under Windows. End users are scared of Linux.

      Maybe it's time to rethink working there, or working in that department. Would you work for an employer that made you go through a dark alley to make bank deposits, and every 5th time through you're mugged?

    2. Re:Bah! by Chandon+Seldon · · Score: 1, Interesting

      You might have had a point 7 years ago when this whole "Windows has a new remote exploit" thing was a little bit more... new and unexpected.

      But in late 2004, with almost 10 years of evidence that running Windows is just asking to be exploited, I find it hard to blame anyone but the users.

      If you were to travel somewhere known for its pickpockets during tourist season and kept $1000 in your wallet in the inside pocket of a loose jacket, I'd blame you (not the pickpocket) when you lost your money. The police there would agree with me. Running Windows on the internet is pretty similar, and should be treated as such.

      --
      -- The act of censorship is always worse than whatever is being censored. Always.
    3. Re:Bah! by AndroidCat · · Score: 2, Funny
      I maintain that virus writers should be dragged into the street and beaten with keyboards

      No worries there, I have an IBM model M keyboard that'd drop them in their tracks, but it'd never be clean again. And the disposable keyboards just don't pack the wallop to down a full-grown spammer. Your best bet is to set up a ramp to a camouflaged log chipper and lure them in with calls like "I need a mortgage", "I want v14gr4!", "I want to invest in Nigeria". Works like a charm!

      --
      One line blog. I hear that they're called Twitters now.
    4. Re:Bah! by YU+Nicks+NE+Way · · Score: 1

      I was actually kind of surprised by the repeated allegations that SP2 was vulnerable to the last pair of attacks. I tried to run the exploits, and couldn't get them to open at all. Apparently, they're Chinese help files, and I don't have a Simplified Chinese version of SP2 here.

      Given that, I'm a little suspicious about the "issue".

    5. Re:Bah! by rubberband · · Score: 5, Insightful

      I still think the point is valid. Consider that a) That means that the vendor has had 7 years to secure their product. In any other industry they would have been litigated into oblivion by now. It is *NOT* the end user's fault that the current world standard for personal computer operating systems is frequently bugged.

      Sure, carrying $1000 in cash is dumb, but there are easily accessible alternatives. Credit cards, debit cards, traveller's cheques, travel wallets, etc are all viable alternatives. Carrying cash is like opening attachments from unknown senders. Getting your windows box 0wned without your action because a new exploit came out 8 hours ago is like the jacket manufacturer attaching a big red "steal from me!" sign to the back and cutting a pickpocket access hole out, too. (Except then they take over the world jacket manufacturing business and force you to wear one unless you want to freeze or learn to sew).

      To use the token comparison to a vehicle - yes, when you buy a car you should be responsible enough to get it serviced from time to time, and act on any critical recall issues that might arise. You shouldn't however have to open the hood and check the internals 3 times per day to ensure it doesn't explode and require expensive maintenance the next time you turn the key in the ignition.

      Don't get me wrong - I'm not saying sysadmins should have no responsibility whatsoever. They are after all paid to deal with systems. But when was the last time you heard of a dell salesperson telling an inexperienced buyer that if they wish to have their computer on regularly they'll need to spend 5 minutes every single day, and an hour or two each week making sure their machine doesn't get destroyed?

    6. Re:Bah! by Chandon+Seldon · · Score: 1

      It's perfectly possible to use a Mac, or even to use desktop Linux. Heck, I bet the average user would be fine on OpenBSD if it supported their hardware.

      What software you use is really your choice, and the security implications of Windows make that choice seem pretty sketchy.

      If the only jacket manufacturer offered pickpocket access holes and "steal from me" signs, I'm sure that people would actively consider sweaters and coats instead.

      --
      -- The act of censorship is always worse than whatever is being censored. Always.
    7. Re:Bah! by Vr6dub · · Score: 1

      It's not quite that easy....Perhaps if your company is cut off from the rest of the world and doesn't have to worry about conforming to "standards" (meaning a Windows based platform) or sharing information with outside entities. Let me give an example. I work as a helpdesk/network administrator for a particular government contractor which supports the Marine Corps. While I would love to switch platforms that could possibly be cheaper and more secure, it's not like flipping a light switch to migrate 22,000 employees to a completely new OS. They (USMC) just spent billions and billions to have their network completely overhauled to one "standard" (Windows). This means all WinXP and Office 2003. So in order for us as a contractor to keep our jobs we MUST stay within those standards, heck, it's bad enough that you can't read most Office2k3 files with prior versions of Office let alone some **nix version of a "compatible office suite". So for us to be able to communicate with our customer efficiently and remain employed, we HAVE to remain "compatible" with our customer otherwise another company will come along and take our jobs. Just my .02

  34. Oh noes by baadger · · Score: 1

    "They are rather serious," Huger said. "Both can be exploited by anything that processes images or reads help files."

    Oh noes! Firefox isn't safe. It must be the end of the world.

    1. Re:Oh noes by intercodes · · Score: 1

      Oh yeah, the ANI demo code just hung my distro [ Fedora core 3 with Firefox 1.0 ] ....

      --
      The best result comes from everyone in the group doing what's best for himself and for the group
  35. Instant Reboot on windows by EqualSlash · · Score: 3, Informative

    Warning: If you are on Windows Don't download
    www.xfocus.net/flashsky/icoExp/KERNELBLUE.ani

    Instant Reboot. This is a very critical vulnerability. Reminds me of the old exploits that referenced "CON" in the file path inside a webpage to trigger a BSOD.

    1. Re:Instant Reboot on windows by ergo98 · · Score: 1

      I wouldn't call a BSOD a very critical vulnerability (it's annoying as hell, but generally you aren't opening ani files on your servers) - very critical is if the exploit can be used to execute malicious code. I still am unsure how this can be used to execute such code.

    2. Re:Instant Reboot on windows by Anonymous Coward · · Score: 0

      Didn't do anything with me. I even tried loading it as a mouse cursor.

    3. Re:Instant Reboot on windows by rwise2112 · · Score: 1

      All I get is "Windows cannot open this file". I'm running XP SP2.

      --

      "For every expert, there is an equal and opposite expert"
  36. Yes, but... by Anonymous Coward · · Score: 1, Funny

    ...are the bugs digitally signed?

  37. On the fourth day of Christmas... by localroger · · Score: 1

    my True Love gave to me,
    Four hacked boxen
    Three spywares
    Two viruses
    And another Windows vulnerability.

    --
    Brackets contain world's first nanosig, highly magnified:[.]
    1. Re:On the fourth day of Christmas... by Anonymous Coward · · Score: 0

      my True Love gave to me,
      Four hacked boxen
      Three spywares
      Two viruses
      And another Windows vulnerability.


      I hope the viruses your True Love gave you were the computer kind, not the STD type.

  38. BWAHAHA! by El+Gordo+Motoneta · · Score: 1, Funny

    I've tested all of the vulnerabilities on Windows 2000 and they did nothing!! I'm invincibNOCARRIER

  39. The important question here is... by gregorio · · Score: 1

    ...does Internet Explorer use any of these functions to load internet images?

    We can discuss all day about some local API exploit but there is a big difference between a local API bug and a remote bug.

    Does IE use these functions to load images? Or does it handle these kinds of primitive formats using its own code? After all, it's not that hard to "parse" BMPs and ICOs and it would be much better to handle all file formats inside an internal library, thus avoiding conflicting API methodologies.

    I'm really curious about this. Does anyone know the answer to my question? Can anyone test the faulty BMPs and ICOs inside an HTML page?

  40. digital signatures by antibryce · · Score: 2, Funny


    It sure is a good thing Microsoft digitally signs everything. Clearly they are lightyears ahead of open-source in terms of security.

    1. Re:digital signatures by Anonymous Coward · · Score: 0

      If MS is so far ahead on security, why the endless patches?

    2. Re:digital signatures by Krunch · · Score: 1

      What do you mean? Your distro doesn't provide digitally signed upgrades? (well Debian doesn't really sign packages but they do sign the list of packages which contains md5sums of said packages which are checked at installation)

      --
      No GNU has been Hurd during the making of this comment.
    3. Re:digital signatures by m50d · · Score: 0

      MD5's not really secure enough any more - especially for Debian where more or less anyone can add a package.

      --
      I am trolling
  41. Not vulnerable: Windows 98 SE by stankulp · · Score: 2, Interesting

    Now that it takes less than 5 minutes connected to the Internet for a Windows box to be hijacked, I have gone back to dual-booting Linux with Windows 98 SE.

    A lot of Windows viruses simply won't run on it.

    All I need is Office, so it's good enough.

    --
    We must be alert to the danger that public policy could become captive to a scientific-technological elite. - Eisenhower
    1. Re:Not vulnerable: Windows 98 SE by Botty · · Score: 0

      Actually that figure, for an unpatched windows XP box is more or less 28 seconds depending on which security firm you ask. You're still right, but the actual number is MUCH more scary.

  42. Twas the morn before christmas by killerface · · Score: 4, Funny

    Twas the morn before Christmas and all through the cage.
    Not a creature was stirring not even a 10th level mage.
    Then Flash, i look at my bookmarks and what did appear!?
    A story on slashdot spreading with fear.
    "Peril Peril", It screamed with fervor and fight.
    "What shall we do about this vulnerability tonight?"

    It's christmas eve and in the story lay more,
    For this affected Santa and hurt him to the core.
    His Server Used Exchange to give and receive,
    a malicious cracker got in to make Santa Grieve.

    The clean cut elves said format and reinstall, while the ones with long beards solved it in no time at all.

    "There will be no Christmas this year" Santa Said with dismay.
    The naughty and nice list was lost in the fray.

    And yet with precision and care the elves brought out from back,
    santas new gift! a blade server rack!

    "It runs Linux in fact!" said the elves in unison
    "cron jobs too, back up that old piece of Sh.."
    one interrupted "Stop it Sam",

    So christmas would go on with ease and ability, that is until santa went on his killing spree.

    The End

  43. IE == Exploit by HangingChad · · Score: 1
    Take one of your gift cards and go buy yourself a copy of Xandros 3.0 (www.xandros.com). It's a good distro if you're a Wincrip. Superior hardware detection, CrossOver Office which can run some of your "must have" Windows apps.

    At least dual boot, shhez. What does it take for MSFT users before they finally get enough?

    If it gets any worse they're going to have to start including a jar of anal lube with a Windows license. Knowing MSFT they'll try to charge you for it and blame users for not being able to keep a tight bunghole.

    --
    That's our life, the big wheel of shit. - The Fat Man, Blue Tango Salvage
    1. Re:IE == Exploit by SparklingClearWit · · Score: 1
      Because most people just want to *use* the computer. They play games they download off zone.com, shockwave, etc. They compose email to family members with smileys, pictures, and sounds - it lets them be more entertaining than just straight text. They want to listen to their CDs, MP3s, watch DVDs, and play Ghost Recon 2 from time to time.

      The converse: Have WinXP SP2 installed for use only as a gaming system. Build a hardware profile that disables the network card. Tell your wife[1] that Windows is for games ONLY. Then when she wants to use the 'net, she has to log out and reboot the machine. She logs into $DISTRO[2], and then can use Mozilla to surf the web - oops, sorry, most of your flash games don't work, sorry honey. Oh, no, you can't install your games there; you'll need to reboot into Windows for that. Sorry, no online Age of Empires II. No, you can't play UT2004 online, either, sorry love.[3]

      Blah. See where this is going? :) Personally, I support Microsoft products day-in/day-out. Are there things that would do a better job? Sure there are. Without a doubt. HOWEVER - Linux is NOT ready for the desktop. Until it can 100% replace Windows - seamlessly - it won't work. Most people will not accept something that 'kinda works the same way' - hence why people have Windows machines at work and home, and not Macs at home. (For the most part). Over 90% of the Windows-related problems are lack of updates, lack of virus software, and the lack of a good firewall solution. Linux doesn't need these, you say? Wrong. Linux's permissions model and isolated users is much better than Windows', I'll agree with you, but the firewall is ON by default now in most distros. As it is with Windows XP SP2. Yeah, Windows 95/98/NT/2000 are more vulnerable. Would you put an unpatched Red Hat 5.2 box on the 'net? Hell no. You'd patch it, upgrade it, etc. Same with Windows, just much less expensive in initial outlay of cash.

      If you're going to take the time to educate someone on how to use Linux, then take that same time to educate them in general on 'safe computer use when you're part of the online community'. Or something like that.

      Best Regards, and a very Merry Christmas!

      [1] My wife is a very bright, very computer-savvy accountant. She's a typical 'power user' - not MCP or A+ or a MOUS, but she's pretty damn smart.

      [2] The distro wars are also a huge holdup for Linux. There's one Windows, one Macintosh -- many people are scared off by the multitude of flavors. C'mon Linux Standards Base! Everyone get behind this, and make the user experience the priority!

      [3] And she's good, too. Gotta love a woman with the rocket launcher!

    2. Re:IE == Exploit by ghoda_x · · Score: 0

      What does it take for MSFT users before they finally get enough?

      When you can install *nix and plug in your camera and have it work automatically. When you can plug in your wireless card and have it work with little/no knowledge of the inner workings. When you can plug in your joystick and have it work with little fuss. When you can buy a game off the shelf for your joystick and have it work. When you can stick in a floppy disk and write to it without spending hours browsing the net and looking at cryptic /etc/fstab files and long-winded mount commands. Don't get me wrong, *nix is great if, like 99.999% of us here, you're a flaming geek who's driven to tweak every little aspect of your box. However, as far as Joe User is concerned it should just work. Joe sticks his keys in his car, it goes. He sticks his bread in his toaster, it toasts. Why should a consumer-level computer be any different? Until this grade 3 leetist "I run *nix, you M$ lusers are teh suxors" crap stops, this is how it's gonna be.

      --

      Give me but one firm spot on which to stand, and I will move the earth.
      - Archimedes
    3. Re:IE == Exploit by The+MESMERIC · · Score: 1

      Why Xandros?
      Xandros is for straight girls.

      Just go to any cheap Linux CDs online
      order about 6 different distros
      order some 3-4 live CDs
      and you still get more for your money.

      Then play , experiment , learn ...
      If you rush - you will be one of those trolling weeping how horrible Linux is - etc etc

      Ubuntu seems a very good choice for the utter newbie. absolutely free - and lesbians really love it.

      Come to think of it - what is a distro for queers? Lycoris?

    4. Re:IE == Exploit by HangingChad · · Score: 1
      Until it can 100% replace Windows - seamlessly - it won't work.

      Bullshit.

      --
      That's our life, the big wheel of shit. - The Fat Man, Blue Tango Salvage
    5. Re:IE == Exploit by Anonymous Coward · · Score: 0
      Ooh, there's a comment laced with intellect. Care to explain *why* the parent post is bullshit, or just wanna whine about it?


      My grandmother doesn't care about buffer exploits for viruses or spyware. She wants to use her webcam, play her games, and not fuck around with shit like compiling kernels, etc.


      Explain to me why it's bullshit, you fucking mook.

  44. Something I've been wondering... by kekeruusperi · · Score: 1

    I haven't had a Windows machine for a long time, so I don't have much knowledge of the inner workings of the latest Windows versions, so I've been wondering, does XP SP2 have some kind of buffer overflow protection besides NX?

    AFAIR, only the latest x86 CPUs have support for NX, yet all the recent buffer overflow exploits in XP don't seem to affect SP2.

    If Microsoft found and fixed all these exploits for SP2, wouldn't releasing a complete list of the fixes be less embarrassing than the weekly news about newly discovered vulnerabilities?

    1. Re:Something I've been wondering... by loyukfai · · Score: 1

      As far as I recall, by default, SP2 only enables NX (Called DEP in Windows - Data Execution Prevention) for "essential" Windows components.

      The reason is that, many programs will break if NX is enabled for everything.

      SP2 also has a "software DEP", but how it works is beyond my knowledge.

    2. Re:Something I've been wondering... by spectecjr · · Score: 1

      does XP SP2 have some kind of buffer overflow protection besides NX?

      Yes. The reason SP2 is so huge is because the entire OS was recompiled with their stack canary protection from Visual C++.NET

      --
      Coming soon - pyrogyra
  45. Unpatched? by JanusFury · · Score: 1

    How can these exploits be unpatched if SP2 isn't vulnerable? Or do they mean that while the other windows versions are exploitable, SP2 just crashes?

    --
    using namespace slashdot;
    troll::post();
    1. Re:Unpatched? by peeon · · Score: 2, Informative

      SP2 is vulnerable to the winhlp32.exe Heap Overflow Vulnerability, according to xfocus. Bugtraq posting They don't know if LoadImage is vulnerable in SP2.

    2. Re:Unpatched? by Anonymous Coward · · Score: 0

      So only one is actually unpatched. Nice use of journalistic license to get your story accepted.

    3. Re:Unpatched? by peeon · · Score: 1

      Quit whining.

    4. Re:Unpatched? by Anonymous Coward · · Score: 0

      Stating the truth isn't whining. Complaining like a little bitch when you've been pinned for embellishing is.

      Merry Christmas.

  46. Umm. by mindstrm · · Score: 1

    If I'm reading the news right, none of these bugs work in XP SP2? I'd hardly call that "Unpatched"

    1. Re:Umm. by Anonymous Coward · · Score: 0

      Read again.

    2. Re:Umm. by jamesl · · Score: 1

      You are reading it right. SP2 is not vulnerable. No rational person would call it "unpatched" but this is slash... oh, nevermind.

    3. Re:Umm. by drawfour · · Score: 1

      According to the list, Windows XP SP2 is the only OS not to be affected. This means that all flavors of Windows 2000 and Windows 2003 are affected. Win2k has server versions, so you can't upgrade to WinXP (the upgrade packages will NOT upgrade from 2k server to XP Pro), because they're meant for different purposes. Win2k3 was released AFTER XP, and exists only in server form...

      So there are plenty of systems in use everywhere that are affected.

  47. i wonder... by hitmark · · Score: 3, Insightful

    why in this day and age, 99%-100% of automated exploits still happen to be some kind of overflow. why do we keep thinking that we don't have to check the sizes when moving data about as it's defined by a standard anyways? it's like not checking to see if you have room for something in your house or car before buying it at the very least.

    --
    comment first, facts later. http://chem.tufts.edu/AnswersInScience/RelativityofWrong.htm
    1. Re:i wonder... by Anonymous Coward · · Score: 0
      The reasons are very simple:
      1. the C standard library uses NULL-terminated strings. Although later additions to the library include routines to specify a maximum length, many coders still use sprintf/strcpy instead of snprintf/strncpy, etc.
      2. (a) The off-by-one error is one of the most common mistakes in all of programming. and (b) coders don't understand the difference between signed/unsigned variables. You'd be surprised how much code assumes (unsigned)-1 is less than zero or that INT_MAX + 1 is greater than INT_MAX. These two types of mistakes usually result in dead code, an infinite loop or a buffer overflow.
      3. Some people just refuse to stop doing stuff like this:
        void (*haha)() = (void(*)()) malloc (rand());
        (*haha)(); /* I kid! */
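      The first two reasons above (the forgotten NUL terminator and a signed length that passes a bounds check) as an added example in C; this is not code from the thread, and the buffer sizes and the sixteen-character input are constructed for the demonstration. A canary region placed directly after the logical buffer makes the overflow observable without undefined behaviour.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define BUF_CAP 16      /* the buffer size the copy routine "thinks" it has */
#define CANARY_LEN 8    /* bytes placed right after the buffer to catch a spill */

/* Backing storage: BUF_CAP bytes of buffer followed by a canary region.
 * A real overflow would clobber whatever neighbours the buffer on the stack
 * or heap; here the neighbour is part of the same array so the demo stays
 * well-defined. */
typedef struct {
    char storage[BUF_CAP + CANARY_LEN];
} region_t;

static void region_init(region_t *r) {
    memset(r->storage, 0, BUF_CAP);
    memset(r->storage + BUF_CAP, 'C', CANARY_LEN);
}

static bool canary_intact(const region_t *r) {
    for (size_t i = 0; i < CANARY_LEN; i++)
        if (r->storage[BUF_CAP + i] != 'C') return false;
    return true;
}

/* Off-by-one: the check forgets the NUL that a strcpy-style copy writes.
 * A 16-character string passes "len <= 16" and its NUL lands in the canary. */
static bool copy_buggy(region_t *r, const char *src) {
    size_t len = strlen(src);
    if (len <= BUF_CAP) {               /* should be strictly less than */
        memcpy(r->storage, src, len + 1);
        return true;
    }
    return false;
}

/* Fixed: the terminator needs a byte too, so len must be < BUF_CAP. */
static bool copy_fixed(region_t *r, const char *src) {
    size_t len = strlen(src);
    if (len >= BUF_CAP) return false;
    memcpy(r->storage, src, len + 1);
    return true;
}

/* Signed/unsigned confusion: a length read from a file header as int.
 * -1 satisfies "declared <= cap"; handed to memcpy it becomes SIZE_MAX. */
static bool length_ok_buggy(int declared) {
    return declared <= BUF_CAP;         /* negative values slip through */
}

/* Fixed: reject negatives before the value is ever treated as a size. */
static bool length_ok_fixed(int declared) {
    return declared >= 0 && (size_t)declared < BUF_CAP;
}

/* Runs the boundary case through both copies. Returns true when the buggy
 * copy accepts the input and clobbers the canary while the fixed copy
 * refuses it and leaves the canary untouched. */
static bool demo_off_by_one(void) {
    region_t r;
    const char *sixteen = "0123456789ABCDEF";  /* constructed: exactly BUF_CAP chars */
    region_init(&r);
    bool buggy_accepted = copy_buggy(&r, sixteen);
    bool clobbered = !canary_intact(&r);
    region_init(&r);
    bool fixed_accepted = copy_fixed(&r, sixteen);
    return buggy_accepted && clobbered && !fixed_accepted && canary_intact(&r);
}

int main(void) {
    printf("off-by-one reproduced: %s\n", demo_off_by_one() ? "yes" : "no");
    printf("length -1 accepted: buggy=%d fixed=%d\n",
           length_ok_buggy(-1), length_ok_fixed(-1));
    return 0;
}
```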
    2. Re:i wonder... by Mortlath · · Score: 1
      I think that the exploits found today are leftovers from the "old days" of code writing when people were expected to follow the API. I suppose that when original Windows code was written, they didn't even think that people would write crazy files meant to overrun buffers. Most developers would not do that on purpose.

      For example, let's look at the function:

      int MultiByteToWideChar(
      UINT CodePage, // code page
      DWORD dwFlags, // character-type options
      LPCSTR lpMultiByteStr, // string to map
      int cbMultiByte, // number of bytes in string
      LPWSTR lpWideCharStr, // wide-character buffer
      int cchWideChar // size of buffer
      );

      If the output buffer, lpWideCharStr, wasn't allocated with the memory specified in cchWideChar, then a buffer overflow results (according to MSDN). Bugs like that are hard to control.

      I think that it's sad that developers can't be trusted anymore.

    3. Re:i wonder... by tim_abell · · Score: 1

      I moved house last weekend, and I think I suffered from a buffer overflow...
      Wonder if I can blame Microsoft for that one too?...

      --
      Respect copyright - the GPL relies on it.
    4. Re:i wonder... by the_rev_matt · · Score: 1

      Go to any Wal-Mart, Target, Best Buy, Home Depot, Lowes, or comparable store on a busy weekend. Count how many people bring out more stuff than they have room for in their car. Be it one large item or just too many small ones, I see this happen all the time.

      --
      this is getting old and so are you

      blog

    5. Re:i wonder... by hitmark · · Score: 1

      heh, that may be so, my analogy was not waterproof by a long shot. but still, how come no compiler is able to insert automatic buffer checking routines or something similar? yes it would affect performance but most desktop apps these days spend more time waiting for user input than processing data...

      --
      comment first, facts later. http://chem.tufts.edu/AnswersInScience/RelativityofWrong.htm
  48. Twas the Night Before Christmas... by Anonymous Coward · · Score: 0

    ...when all thru the house
    not a feature responding, not even the mouse

    All processes were hung by the Exploit to scare,
    In hopes that St. Bill's solution soon would be there...

    etc. ad nauseam

    Merry XMAS/Happy Hols all.

  49. what's so hard.... by zogger · · Score: 1

    ...about running knoppix or any of the other live cds? Easy enough for them to run XP when it's not connected to the internet for games or what have you, and therefore avoid exploits, and when they want to surf, have them boot up a knoppix. Really, an easy enough solution to that sort of problem. Not sure what sort of machine they have, but just recently, like two weeks ago when I gave away an older machine to a kid with no computer, I've run knoppix down to a pentium 1 level (it's a 166 machine) and only 32 megs ram and it still worked, slow but once loaded after a few minutes it was zippy enough. It's not even supposed to work at that level but I tried it anyway just for grins. Anything above that with a reasonable amount of RAM and it's quite speedy. And as to usability, really, how is it much different from a windows OS, down in bottom left corner is a big K start menu, mash that, slide around, pick an app, works. About the same as any other OS with a GUI.

    --just a suggestion is all, no biggee, but avoiding holiday (or any other day) headaches is a good thing, IMO. Linux, especially from a live cd, is just not that hard or different from windows unless you are a power user, and these folks sound like non power users, so the learning curve is probably identical, so you might as well start with something a little more secure.

    1. Re:what's so hard.... by Anonymous Coward · · Score: 0

      +5 Funny!!!

  50. Re:linux and php.... by Anonymous Coward · · Score: 0

    what about the php worm, that affects linux...HUGE flaw...

  51. "Deserved" ? by Anonymous Coward · · Score: 0

    Well, it isn't that easy (and really not as easy as you get your insightful).
    We have plenty of critical software that does actually under no circumstances run on SP2 - and I think we are not the only ones.

    It has nothing to do with the embedded firewall and/or configuration issues, but with DLL version or functionality conflicts.
    E.g. PBS controlling software, various special database access tools to data in various locations (I know, they are badly programmed, but we can't fix them, because we won't get the code) and so on.

    So?

  52. You've missed something... by afa · · Score: 1

    So, what about Windows 3.1, Windows NT 3.51 etc.?

    1. Re:You've missed something... by Line_Fault · · Score: 1

      Microsoft has a specific support life-cycle for each product that it releases.
      http://www.microsoft.com/windows/lifecycle/default.mspx

      That should help answer your question.

  53. Mozilla products appear safe by CTho9305 · · Score: 3, Informative

    A quick search of the source code seems to show that the native OS LoadImage function is only used to set Mozilla icons (system tray, window icons, etc) and the splash screen (and the cck). Since none of these images come from untrusted sources*, it seems that the LoadImage hole is not exploitable via Mozilla.

    *without major user intervention, like installing an XPI or messing with the JAR files that make up Mozilla

    1. Re:Mozilla products appear safe by 16K+Ram+Pack · · Score: 1
      That's a big "tell your friends" point. Get Mozilla/Firefox and you won't get this bug. You can just carry on as usual.

      To be honest, my days on Windows are numbered. I'm lining up getting a Linux box in the new year now.

  54. Definition of "Patched/Unpatched" by jamesl · · Score: 3, Insightful

    Slashdot has made subtle changes to the definitions of Patched and Unpatched.

    Patched Open Source: A vulnerability has been identified and someone is thinking about fixing it. Because the time between discovery and fix is vanishingly small, there are no unpatched open source vulnerabilities.

    Patched Windows/Proprietary: A patch has been available for not less than 12 months and is installed on not less than 99% of affected systems. It will be several months, if not years, before vulnerabilities fixed by Windows XP SP2 will be considered patched.

    1. Re:Definition of "Patched/Unpatched" by Anonymous Coward · · Score: 0

      It's a "market reality". When patches are available, most open source consumers apply them. If they didn't, you'd see slashdot and sourceforge going down every other day from exploits. Most of the things that *matter* get patched. On Windows, even admins of web sites don't always apply patches. Witness the spread of Code Red, Nimda, and Slammer. The fact that these worms spread is proof that patches have to be available for 6-12 months for them to be installed on production Windows systems, whereas most of the ssh and apache vulnerabilities disappear within a few weeks.

    2. Re:Definition of "Patched/Unpatched" by Anonymous Coward · · Score: 0
      When patches are available, most open source consumers apply them.

      Can anyone actually prove this one way or the other. Personally I doubt this is true... I bet most power users patch quickly, but closed/open source is not a factor.

      I would love to see a study of patches vs user type. I know Qualys has done some work in this area. My guess is that mere mortals patch/update equally, or that windows people might actually patch more often (since they are root, windows update is pretty easy, and they been yelled at more often).

  55. Hand Out Ubuntu CDs by SeinJunkie · · Score: 1


    I know the feeling. When I visited my family back home for a week, I worked on 8 PCs before I left. If you're handing out stuff in lieu of fixing the computer, you might consider the Ubuntu CD package. Last I checked Ubuntu is still shipping free pressed CD packs. I just received all 10 of mine yesterday, and they look good. The package includes both a Live CD and an Install CD, with a brief explanation of what each does. I plan to hand the CD out to people I think would be interested in trying something different.

    1. Re:Hand Out Ubuntu CDs by deephollow · · Score: 1

      Heck yes. I'm giving my brother (total computer newbie with 3 kids who *will not* keep their mitts off the computer) a computer running Ubuntu. Last time I had to fix his aging Win 98 machine it took me 10+ hours ... hopefully I'll never have to do it again.

  56. Apparently.... by Duhavid · · Score: 2, Informative

    For calloc() and malloc(), the value returned is a pointer
    to the allocated memory, which is suitably aligned for any
    kind of variable, or NULL if the request fails.

    --
    emt 377 emt 4
    1. Re:Apparently.... by twiddlingbits · · Score: 1

      Hey, I was going from memory! I haven't written OS code in probably 10 yrs and ANY code in 5 yrs. I would have looked it up to refresh my memory before I wrote the code. Which again makes me wonder if the guys at M$ can read a manual? MS programmer: "Manual? We don't need no steenking manual, We are Microsoft, we WROTE the manual and know what it says. Code it and ship it!"

    2. Re:Apparently.... by Duhavid · · Score: 1

      I especially love stepping thru their MFC code.

      I would be ashamed to write in that fashion.

      I had a compiler construction class, the prof told us "issue a warning like 'syntax error', and you fail, right there, right then". Or words to that effect. VB would fail according to his standards.

      Long time not to be coding. My condolences.

      --
      emt 377 emt 4

    3. Re:Apparently.... by twiddlingbits · · Score: 1

      I architect systems now and often manage OTHER programmers. I have high standards for their code; not many meet them. But all I really expect is sound logic, good error checking and solid documentation, and in many cases this seems like I am asking the impossible.

    4. Re:Apparently.... by Duhavid · · Score: 1

      I hear you. Perhaps you should hire me! :-)

      Maybe catch them young and train them right?

      --
      emt 377 emt 4

  57. inseparably linked.... by Ralconte · · Score: 1

    These guys seem to disagree:

    http://www.cnn.com/TECH/computing/9903/09/remove ie .idg/

    http://nuhi.msfn.org/nlite.html

    http://www.vorck.com/remove-ie.html

    Haven't tried it myself, but I haven't found any hard evidence that they're wrong.

  58. What ticks me off ... by Ralconte · · Score: 1

    about Windows XP is the stupid help system contacting the internet whenever I clicked on it. Windows didn't have to phone home and display a fancy GUI dialog just because I forgot a command. Wait and see, there'll be more Windows Help system exploits.

    1. Re:What ticks me off ... by Anonymous Coward · · Score: 0

      Instead of bitching, take action. Turn off the services you don't/won't use. Who needs Windows help anyways, it usually gives some ridiculous answer or plays ring around the rosie with you. Use Google instead.
      I am on the same side as you, I think the new help is an xp pretty face slapped on the same old crap with an internet call.

  59. use a frickin dictionary by Sleepy · · Score: 1

    Your statement is untrue. "Forced" means coercion, which you interpret can only be delivered through violence (an Uzi) but is not a true definition.

    Your narrow definition of forced is plain wrong.

    Try this new software.. it's called a dictionary:
    forced. Come back when you finish your homework. Other suggested reading.

  60. BeEr dAY by Shadow_139 · · Score: 1

    Fuçking hell.., full backup yesterday while the office party had started and finish crap for the fùçking payroll/bank yearend (53 month years suck)..., had beer in work so was ok..., but now on my first day off in over 6 months...., sitting in pub (in Ireland) trying to kill the hangover from office pay., to read ill have to head back into work on the "Day of Drinking EvE"..., - rant over Snackbite getting warm (the best beer in the world) fûçk shitty Treo600 pissing me off and crap all gprs signal in Bruxcells - best Metal Pub in Ireland.......

    --------
    Noodle.........,

  61. Re:SP2 not immune by Anonymous Coward · · Score: 0

    SP2 is not immune to these buffer overrun exploits. The only thing SP2 protects against is stack based buffer overruns that do not use shellcode written for SP2. See David Litchfield's paper on how to do this for Windows 2003 server and XP SP2 (link below).

    http://www.nextgenss.com/papers/defeating-w2k3-stack-protection.pdf

  62. XP SP2 by Anonymous Coward · · Score: 0

    From what I understand, as well as a vast amount of SP2 being rewritten using NT6.0 technology (many of the NT6.0 developers were moved over to SP2), all of SP2 was compiled differently to the RTM and SP1 editions of XP so that buffer overruns were less inherent in the compiled code. This is how SP2 is not susceptible to many of the newer exploits that are affecting the other versions of Windows.

    I'm, no MS fan but I think SP2 and the new line they are taking with NT6 indicates they are learning. We'll just have to see.

  63. Re:SP2 not immune by YU+Nicks+NE+Way · · Score: 1

    The parent mentions a paper by David Litchfield. It's good to read that paper, but you should know several things about it.
    1. All of his attacks are hypothetical. Only one attack against the stack canaries has ever worked.
    2. The SP2 stack canary order was changed precisely in order to prevent that one attack.

  64. Firefox passes the test by Adam9 · · Score: 1

    I'm not sure if many people have tried it already, but I loaded the exploit page with Firefox.

    Mozilla/5.0 (Windows; U; Win 9x 4.90; en-US; rv:1.7.5) Gecko/20041107 Firefox/1.0

    It took a few seconds to load on my p3 600mhz, but it got there just fine.

    1. Re:Firefox passes the test by NoMoreNicksLeft · · Score: 1

      Partially. Firefox with java requires a registry entry, which is my problem. The machine already has java 1.4.x, so in theory, just adding the NS###.dll's to the plugin dir would do the trick. Still not working though.

  65. what if you cant by none980 · · Score: 1

    well on my amd64 system running windows XP pro whenever i try to upgrade to sp2 the whole system crashes on all boot attempts

    1. Re:what if you cant by Myen · · Score: 1

      Assuming you are running Win32 (as opposed to Win64), try turning DEP off via boot.ini (look under /noexecute).

  66. Re:Linux over 20 security patches released in 2 da by Anonymous Coward · · Score: 0

    PMFG! j00 R teh RIGHTZORZ!! I 4m delting lynux and Nstalling windoze Midilately!

    thnkuthnkuthnkuthnkuthnkuthnku!

    merri khristmass!!

  67. Re:Linux over 20 security patches released in 2 da by RikRat · · Score: 1

    Dude, the list contains programs for Linux.

  68. People will still buy windows by upsidedown_duck · · Score: 1

    Microsoft could stick a thumb up your ass, and people would still buy more of it.

    "This thumb is better than ever! Its new easier installation interface and slick operation will make upgrading well worth it. Yet, it is 100% compatible with your old thumb!" (a lie, of course, as the new thumb tries to emulate the old one but breaks the memory management).

    --
    -- "Makes Little Debbie look like a pile of puke!" - Moe Szyslak

  69. This is a lie - updates are already available by Anonymous Coward · · Score: 1, Interesting

    Please stop the bs - the updates are already available at MICROSOFT.COM. Go check for yourself.

    1. Re:This is a lie - updates are already available by Anonymous Coward · · Score: 0

      Uh, no. They aren't.
      Tick, tock, tick, tock....

  70. Tick, tock... by Anonymous Coward · · Score: 0

    More of the same...next week it will be something else. The week after that, another thing. Regardless of the platform or the application, it never ends.

    But the real question is.....

    How long will it take Microsoft to fix it?

    Tick, tock, tick, tock....

  71. XP has 60% of the Market by westlake · · Score: 0

    XP has 60% of the market, W2K 24%. OS Platform Statistics These stats are probably weighted somewhat against XP, but it scarcely matters. People have moved and are moving to XP in very significant numbers; at some point, you have to let go of the idea that it is a "forced upgrade" and not a perfectly normal migration to a newer O/S.

  72. "Four New Unpatched Windows Vulnerabilities" by RzUpAnmsCwrds · · Score: 1, Troll

    "Four New Unpatched Windows Vulnerabilities"

    What a load of bull. This article is blatant Microsoft bashing.

    Repeat after me: XP SP2 is not affected

    Since when has "fixed in SP2" been the same as "unpatched"?

    1. Re:"Four New Unpatched Windows Vulnerabilities" by Anonymous Coward · · Score: 0

      I'm sure that your insightful comment is of much use to people who are still running Windows 2000.

    2. Re:"Four New Unpatched Windows Vulnerabilities" by rbarreira · · Score: 2, Insightful

      Repeat after me: Microsoft still officially supports windows 2000 and other operating systems besides XP SP2, so the vulnerabilities are still unpatched on those OS's

      --

      The AACS key is NOT 0xF606EEFD628B1CA427BEA93A9CA9773F

  73. Seasonal correction: by Anonymous Coward · · Score: 0

    Shouldn't that be "their buffers runneth over"?

  74. Re:Linux over 20 security patches released in 2 da by The+MESMERIC · · Score: 1

    that just had to be an I.T Charlie speaking.

    your sheer ignorance (and that of your employer)
    is the sole reason Microsoft is still so successful.

  75. Safety in Numbers by Anonymous Coward · · Score: 1, Insightful

    OH, there's no doubt. The problem is that people (read: INTERNET SERVERS) that are...skittish of installing patches. They are skittish because in the past, with NT 4.0 and later 5.0, the system bluescreened after reboot. Just like that time when Billy plugged in a USB printer and the computer bluescreened on him in front of 300 people.

    The problem isn't that a "patch is available". It's that "our fucking server didn't come back up in the past, until $1200 and 48 hours later, and as far as we know, no one has broken in just yet so we're going to risk it this time".

    Kind of like speeding on the freeway. There's hundreds more sons of bitches, just like you. And the idea is that you'll see them getting pulled over before you are, so you'll have time to reduce your speed (or disconnect your internet connection like Gabe Newell walked around, telling his entire staff when a German kid tiptoed in).

    When you are a gazelle, there is safety in numbers.

    Or so the theory goes...

  76. hmmmmm by Anonymous Coward · · Score: 0

    As this is a bug in a ms windows function I don't know how this could be ???? Maybe you're running firefox_win32 in wine ???

  77. Actually no.... by rsilvergun · · Score: 1

    Microsoft releases 'Service Packs' because it's a break in the Operating System version that lets sys admins know what they're getting into when they upgrade. A Service Pack is an upgrade so large and significant that it's considered a new Operating System Version, kinda like going from Kernel 2.4 to 2.6. Try upgrading XP Home to XP Pro with SP2 installed in Home using a Pro SP1 CD; it'll helpfully stop you before you do something dumb. Service Packs also help identify to a technician (which I am) what's on the computer, what tools we can expect to be available, how those tools will behave, and where they can be found.

    Also, modularity doesn't work so well when you're pushing 800+ megs worth of updates to a user base that just wants the darn thing to work. With SP2, I can give a friend a copy of the network install and say "here, install this before your internet" and not worry nearly as much about spyware / viruses. I don't have to worry about them getting tired after double clicking 20 separate patches and missing an important one....

    --
    Hi! I make Firefox Plug-ins. Check 'em out @ https://addons.mozilla.org/en-US/firefox/addon/youtube-mp3-podcaster/

    1. Re:Actually no.... by ggy · · Score: 1

      Try upgrading XP Home to XP Pro with SP2 installed in Home using a Pro SP1 CD; it'll helpfully stop you before you do something dumb.
      What? So it won't allow the upgrade?

    2. Re:Actually no.... by rsilvergun · · Score: 1

      No it doesn't. If you try to force it (by booting directly off the CD and running a repair) it may let you, but it'll be a disaster. The SP2 control panel applets will still be there (and a bunch of other SP2 related files), but most of the files will be SP1. The system will be unstable, and there'll be no easy way to turn on the firewall. It's like trying to install Win98 over XP; even if you can swing it, it's a bad idea....

      The solution is to uninstall SP2, upgrade, then reinstall SP2. SP2 does a pretty damn good job of uninstalling (manually if necessary, using the batch file spuninst.txt) so this is usually not a problem unless there's already something wrong with the computer (spyware, viruses, crappy outdated antivirus, etc), and in that case you shouldn't be upgrading anyway. Do a clean install and save yourself some major headaches.

      --
      Hi! I make Firefox Plug-ins. Check 'em out @ https://addons.mozilla.org/en-US/firefox/addon/youtube-mp3-podcaster/

  78. If you remove IE, none of these apply to Win2k by The+Fifth+Man · · Score: 1

    Well, if you install Windows 2000 without it in the first place, that is.

  79. vorck.com [was Re:inseparably linked....] by The+Fifth+Man · · Score: 1

    Far as I know gents, I'm running hard evidence that I'm right ;-)
    None of the exploits worked on my machine when I tried them, including the fuxored help files that were apparently supposed to do something bad, but only gave me an invalid help file message...

    Fred Vorck
    (Running Windows 2000 without IE, per my instructions)

  80. Easier knoppix answer by tqft · · Score: 1

    Download installer (under windows) to somewhere
    Boot with fav live cd that has good ntfs (I assume that is what your Win box is using) write support.
    Copy installer to admin startup directory (or link to installer with options you want set)
    Reboot

    --
    The Singularity is closer than you think
    Quant