Slashdot Mirror
Microsoft's Urgent Patch Precedes Black Hat Session
Julie188 writes "Mystery solved! Microsoft's latest emergency out-of-band patch was weird beyond belief. A notice was sent to journalists and researchers late Friday evening that the patch was coming Tuesday, but Microsoft refused to explain the flaw and even put a cone of silence around researchers who would have otherwise talked about it. But finally, one researcher broke ranks and explained that the patch was caused by a flaw introduced in Microsoft's own development tools. This flaw was also the source of the emergency ActiveX patch, which took about 18 months to complete and which supposedly fixed the problem by turning off ActiveX (setting a 'killbit' on the control). Researchers at Black Hat on Wednesday will be demonstrating how to override the killbit controls and get access to vulnerabilities supposedly stopped with a killbit. What's really scary is that Microsoft has issued 175 killbits fixes so far."
damned if they do damned if they dont?
If you mod me down, I will become more powerful than you can imagine....
1. Be told of critical flaw by multiple, repeatable accounts and deny everything as a "paranoid fantasy"
2. Secretly prepare emergency patch and bury it in driver update patches
3. ???
4. PROFIT!!!
Doesn't Windows Update (via the webpage) use ActiveX?
I am a free slashdotter. I will not be modded, blogged, DRM'd, patented, podcasted or RFID'd. My life is my own.
I'd suspect the vulnerability and solution was such a cluster frak, that it took that long to work it out without royally fraking everything else up.
Eeaasssy big fella. The post had a point. 18 months is still ridiculous. It's almost as if MS wasn't taking security seriously and was instead wasting time on search engines, game consoles, media players, picking retail store locations and repackaging Vista as Win 7. . . . But no company could be THAT dumb and incompetent, could they?
So you're contrasting OS upgrade fees for OS X... versus not upgrading Windows.
Guess what? There are upgrade fees to go from XP to Vista to 7, too.
I know, a lot of people believe that when there is more users, there are more incentive to exploit and that is the only difference between Windows and Linux. It's just that it doesn't work that way. They are implemented in a different way, and since my confidence in the security of Microsoft isn't that great, I don't believe you are right.
I would upgrade to a Macintosh and abandon the Microsoft/ActiveX/Exploder trojanware completely
Yeah, like if mac was better at security fixes...
Segmentation Fault in "Life, Universe and Everything" at line 42. Don't Panic.
>>>Except Windows apps from today still run on a 10-year old Windows 2000 machine, for the most part.
Precisely. With Windows you don't have to upgrade because it has a relatively long support cycle, and as you pointed-out you can continue using Win2000 (or even Win98) without problem. In contrast my Mac 10.4 which is not that old, refuses to run anything because virtually all the software requires 10.5 or higher.
And thus we're back to my point - "A $100 fee every year to upgrade from 10.4, to 10.5, to 10.6, and so on. i.e. Macs are expensive to maintain."
"I disapprove of what you say, but I will defend to the death your right to say it." - historian Evelyn Beatrice Hall
Somehow people think it's normal to embed in webpages stuff that is executable code for a particular operating system and processor architecture. WTF?!?
This is soooo fucking stupid I almost can't believe it. I've tried for years to convince people of that but they look at me as if I'm an alien.
It was a tremendous lock-in strategy for Micro$oft, though. They're still cashing in on it. Fortunately, the tide is changing, but it will take a long, long time until this ActiveX shit is gone.
I do not think that the problem lies in use of C/C++, but in the horrible way of using it. From what I've gathered around the Internet "why win32 is great" is that they lacked any kind of stable way of creating their (old?) APIs; everyone just created a new standard for return values and parameter handling. And on top of that some crazy macros that make Symbian code look readable in comparison.
I mean, I've only learned how to program in C/C++ (at university) but been working as a Java dev for quite some time now. Still I can almost make sense of mplayer's or ffmpeg's source code but every time I see some "Windows" C++ it's just plain awful because of all the macros and #define constants. If you ever read KDE's or Qt's sources and compare those to something done with win32... There is a massive difference.
Every tool can be miserably misused.
Which brings me to something I've asked several times and never gotten a real response too: Why is it so damned hard for Apple guys to admit Apple is expensive? I mean you don't see Ferrari owners going "well if you figure in all the external factors its a great value for the money" because its not. Its exotic, its fast, but it sure as hell ain't cheap. Same thing goes with Apple.
As you pointed out you get crazy long support cycles out of MSFT. Win2K will be supported until April next year IIRC, and WinXP until 2014. And the simple fact is that now Apple has switched to Intel you can buy the SAME hardware that is in a Macbook or Macbook Pro for $700- $900 or more cheaper from a Dell or HP. So the price difference is for OSX and the pretty. So for an Apple guy to say Windows is expensive when they are paying that much for OSX PLUS having to "rebuy" it every year is just nuts.
Hey, Apple Guys, if you want to drive a Ferrari, just drive it and be happy. If you think spending $700-$900 or more for OSX is great, then fine and dandy, nobody is judging you. But please stop with the bullshit, okay? It makes you sound delusional or like a koolaid drinker when you sit there and try to jump through all these logic hoops trying to justify how that $2200 you paid for your laptop isn't high, when we can buy the same gear for $900-1100. You don't see the Ferrari owners trying to justify with logic hoops how they are "value for the money" compared to Ford, do you? Hell no! So just accept you have a Ferrari and be happy. But trying to come up with all these crazy hoops to try to prove that Apple computers aren't expensive just ends up with a pile of bullshit as big as MSFT's with their "get the facts" campaign, okay?
If you want to spend that extra $$$$ on OSX, just do it and be happy already. Trying to justify it with these totally crazy "value for the money" arguments just makes you sound crazy or desperate to prove you didn't get ripped off. If you think OSX is worth the hundreds or even over a thousand you spend, then just spend it and be happy with your purchase.
ACs don't waste your time replying, your posts are never seen by me.
Strictly speaking, the GP is right. The reason that ActiveX is more vulnerable than Firefox is there are a lot more ActiveX controls than Firefox plugins. (Not to be confused with Firefox Addons, which seem to be fairly secure, and are pieces of javascript. Firefox plugins are things like the PDF viewer that Acrobat installs, etc.)
However, the reason there are a lot more ActiveX controls is a, tada, bad design. It's because ActiveX fundamentally lets you embed all sorts of stuff that came with the operating system and random applications and were not designed to be controlled by a web page. Stuff around from before web browsers!
So Microsoft has to kill each of these, one at a time. That's what the '175 killbits' is talking about....something like 125 of those were on things that it should not have been possible to load in a web browser anyway, but Microsoft decided it would be great fun if you could load all those fancy new signed-DLLs-under-another-name in a web browser. And companies that had been putting out ActiveX controls and had never had to worry about security before, because they were selling a PDF rendering control to software developers to embed in their app, suddenly found out how insecure they were.
Aka, is your car secure, right now? Yes? Alright, let's transport these dangerous criminals in it. What do you mean, it's not secure from that direction?
And this isn't helped by the fact that ActiveX controls are so easy to install. I'm not talking about malicious ones, those are easy also, but legitimate good ActiveX controls, which are signed by a legit company and everything.
And they work for two years, and web design moves on...and eventually a hole is discovered in them...and crackers download that version, put it up on their web site, and wait for people to click Yes to install this clearly legit control, signed by Macromedia or whatever, so they can buffer overflow it.
Oh, look. Have to issue a killbit for that also.
The large proliferation of ActiveX controls vs. the small proliferation of Netscapian plugins is why ActiveX is so vulnerable, but the first is entirely due to a rather stupid design decision at the start of IE that let web page designers use random ActiveX controls (Which everyone forgets were not invented for web browsers, but existed before as DLLs with well defined embedding mechanisms.) in a web browser
If corporations are people, aren't stockholders guilty of slavery?
If you bought both of these upgrades, you will have spent $35.11 per year on upgrades.
Which is close to the cost of an anti-virus subscription.
And we still don't have anything better.
And for that equal cost, you get increasing operating system performance rather than a gradual slowdown from constantly scanning everything you access. How nice!