Microsoft's Urgent Patch Precedes Black Hat Session
Julie188 writes "Mystery solved! Microsoft's latest emergency out-of-band patch was weird beyond belief. A notice was sent to journalists and researchers late Friday evening that the patch was coming Tuesday, but Microsoft refused to explain the flaw and even put a cone of silence around researchers who would have otherwise talked about it. But finally, one researcher broke ranks and explained that the patch was caused by a flaw introduced in Microsoft's own development tools. This flaw was also the source of the emergency ActiveX patch, which took about 18 months to complete and which supposedly fixed the problem by turning off ActiveX (setting a 'killbit' on the control). Researchers at Black Hat on Wednesday will be demonstrating how to override the killbit controls and get access to vulnerabilities supposedly stopped with a killbit. What's really scary is that Microsoft has issued 175 killbit fixes so far."
There are still people that think ActiveX is a gift to humanity.
Instead of releasing a KillBit patch, why not release once and for all a Kill ActiveX patch? The Web would be a safer place.
I also didn't like how ActiveX morphed from a special browser-only technology into a synonym for COM and then into a replacement for OLE. At least now we've got .NET which promises to rid us of C++ once and for all.
ActiveX was designed to replace the overly complex COM way of building components. It was added to the browser later to provide a richer browser experience. I'm not sure I see C++ going anywhere, and you can build ActiveX components using C#.
Whoever thought making C/C++ an implementation language for anything as complicated as an OS ought to be shot. The number of possible vulnerabilities is through the roof, as this latest patch shows.
C was used because it was more productive than assembler, but still performed very well. Of course being so close to the metal means that it's easier for programmers to screw up... but I'm not sure C# will be used to build the base of an OS anytime soon. You'd almost have to make the CLR the OS... which, while an interesting idea, is not one I think we'd see soon.
You can't be serious - nearly every OS these days is written in C (with a few bits of assembler at the core). And the one viable alternative, C++, was pretty much confined to BeOS. Do you think everyone just left their thinking caps at home the day they decided which language to write in? Fair swig of the whiskey. C was pretty much invented as a means of writing systems software. And you do realize that .NET is really just ActiveX by another name, smelling just as 'sweet'...
No, significant parts of Vista were supposed to be rewritten in C# but due to performance (or other) reasons, the plan was ditched in 2003/2004 and a normal C++ upgrade to XP was started. This was one of the big factors in the delay of Vista's release.
There was an attempt to see if the AERO interface could be done in WPF in time for Vista but no, significant parts were not planned to be done in managed code. The biggest issue to the delay between releases was that development on Whistler-Blackcomb was reset halfway through the dev cycle to be more about correcting a set of issues around driver security and a better isolation model (remember that was back when several really bad issues slammed MS and gave them a black eye in the press). Thus Longhorn, as we know it today in Vista, was rescoped to be about hardening the OS. http://en.wikipedia.org/wiki/Development_of_Windows_Vista