Slashdot Mirror

← Back to Stories (view on slashdot.org)

Microsoft's Urgent Patch Precedes Black Hat Session

Posted by Soulskill on from the no-time-like-the-present dept.

Julie188 writes "Mystery solved! Microsoft's latest emergency out-of-band patch was weird beyond belief. A notice was sent to journalists and researchers late Friday evening that the patch was coming Tuesday, but Microsoft refused to explain the flaw and even put a cone of silence around researchers who would have otherwise talked about it. But finally, one researcher broke ranks and explained that the patch was caused by a flaw introduced in Microsoft's own development tools. This flaw was also the source of the emergency ActiveX patch, which took about 18 months to complete and which supposedly fixed the problem by turning off ActiveX (setting a 'killbit' on the control). Researchers at Black Hat on Wednesday will be demonstrating how to override the killbit controls and get access to vulnerabilities supposedly stopped with a killbit. What's really scary is that Microsoft has issued 175 killbits fixes so far."

8 of 232 comments (clear)

  1. sensationalist much? by timmarhy · · Score: 5, Insightful
    yes activex sucks, anyone who doesn't know this already has rocks in their head, but calling a patch "weird beyond belief"? MS gets wind of security hole that might be really bad, patches it urgently.

    damned if they do damned if they dont?

    --
    If you mod me down, I will become more powerful than you can imagine....
    1. Re:sensationalist much? by mcgrew · · Score: 3, Insightful

      "Sad" isn't the word for it. Evil comes close, though. The fact that the flaw was introduced by their own development tools is what's sad. The people who get exploited by this flaw will be sad.

      --
      Free Martian Whores!
  2. Standard Operating Procedure by Drakkenmensch · · Score: 4, Insightful

    1. Be told of critical flaw by multiple, repeatable accounts and deny everything as a "paranoid fantasy"

    2. Secretly prepare emergency patch and bury it in driver update patches

    3. ???

    4. PROFIT!!!

  3. Re:Kill ActiveX by click2005 · · Score: 4, Insightful

    Doesn't Windows Update (via the webpage) use ActiveX?

    --
    I am a free slashdotter. I will not be modded, blogged, DRM'd, patented, podcasted or RFID'd. My life is my own.
  4. Re:Imagine. by bstreiff · · Score: 5, Insightful

    So you're contrasting OS upgrade fees for OS X... versus not upgrading Windows.

    Guess what? There are upgrade fees to go from XP to Vista to 7, too.

  5. Re:Imagine. by hairyfeet · · Score: 4, Insightful

    Which brings me to something I've asked several times and never gotten a real response too: Why is it so damned hard for Apple guys to admit Apple is expensive? I mean you don't see Ferrari owners going "well if you figure in all the external factors its a great value for the money" because its not. Its exotic, its fast, but it sure as hell ain't cheap. Same thing goes with Apple.

    As you pointed out you get crazy long support cycles out of MSFT. Win2K will be supported until April next year IIRC, and WinXP until 2014. And the simple fact is that now Apple has switched to Intel you can buy the SAME hardware that is in a Macbook or Macbook Pro for $700- $900 or more cheaper from a Dell or HP. So the price difference is for OSX and the pretty. So for an Apple guy to say Windows is expensive when they are paying that much for OSX PLUS having to "rebuy" it every year is just nuts.

    Hey, Apple Guys, if you want to drive a Ferrari, just drive it and be happy. If you think spending $700-$900 or more for OSX is great, then fine and dandy, nobody is judging you. But please stop with the bullshit, okay? It makes you sound delusional or like a koolaid drinker when you sit there and try to jump through all these logic hoops trying to justify how that $2200 you paid for your laptop isn't high, when we can buy the same gear for $900-1100. You don't see the Ferrari owners trying to justify with logic hoops how they are "value for the money" compared to Ford, do you? Hell no! So just accept you have a Ferrari and be happy. But trying to come up with all these crazy hoops to try to prove that Apple computers aren't expensive just ends up with a pile of bullshit as big as MSFT's with their "get the facts" campaign, okay?

    If you want to spend that extra $$$$ on OSX, just do it and be happy already. Trying to justify it with these totally crazy "value for the money" arguments just makes you sound crazy or desperate to prove you didn't get ripped off. If you think OSX is worth the hundreds or even over a thousand you spend, then just spend it and be happy with your purchase.

    --
    ACs don't waste your time replying, your posts are never seen by me.
  6. Re:It's the commonality. by DavidTC · · Score: 5, Insightful

    Strictly speaking, the GP is right. The reason that ActiveX is more vulnerable than Firefox is there are a lot more ActiveX controls than Firefox plugins. (Not to be confused with Firefox Addons, which seem to be fairly secure, and are pieces of javascript. Firefox plugins are things like the PDF viewer that Acrobat installs, etc.)

    However, the reason there are a lot more ActiveX controls is a, tada, bad design. It's because ActiveX fundamentally lets you embed all sorts of stuff that came with the operating system and random applications and were not designed to be controlled by a web page. Stuff around from before web browsers!

    So Microsoft has to kill each of these, one at a time. That's what the '175 killbits' is talking about....something like 125 of those were on things that it should not have been possible to load in a web browser anyway, but Microsoft decided it would be great fun if you could load all those fancy new signed-DLLs-under-another-name in a web browser. And companies that had been putting out ActiveX controls and had never had to worry about security before, because they were selling a PDF rendering control to software developers to embed in their app, suddenly found out how insecure they were.

    Aka, is your car secure, right now? Yes? Alright, let's transport these dangerous criminals in it. What do you mean, it's not secure from that direction?

    And this isn't helped by the fact that ActiveX controls are so easy to install. I'm not talking about malicious ones, those are easy also, but legitimate good ActiveX controls, which are signed by a legit company and everything.

    And they work for two years, and web design moves on...and eventually a hole is discovered in them...and crackers download that version, put it up on their web site, and wait for people to click Yes to install this clearly legit control, signed by Macromedia or whatever, so they can buffer overflow it.

    Oh, look. Have to issue a killbit for that also.

    The large proliferation of ActiveX controls vs. the small proliferation of Netscapian plugins is why ActiveX is so vulnerable, but the first is entirely due to a rather stupid design decision at the start of IE that let web page designers use random ActiveX controls (Which everyone forgets were not invented for web browsers, but existed before as DLLs with well defined embedding mechanisms.) in a web browser

    --
    If corporations are people, aren't stockholders guilty of slavery?
  7. Re:Imagine. by Anonymous Coward · · Score: 4, Insightful

    If you bought both of these upgrades, you will have spent $35.11 per year on upgrades.

    Which is close to the cost of an anti-virus subscription.