Slashdot Mirror


Microsoft's Urgent Patch Precedes Black Hat Session

Julie188 writes "Mystery solved! Microsoft's latest emergency out-of-band patch was weird beyond belief. A notice was sent to journalists and researchers late Friday evening that the patch was coming Tuesday, but Microsoft refused to explain the flaw and even put a cone of silence around researchers who would have otherwise talked about it. But finally, one researcher broke ranks and explained that the patch was caused by a flaw introduced in Microsoft's own development tools. This flaw was also the source of the emergency ActiveX patch, which took about 18 months to complete and which supposedly fixed the problem by turning off ActiveX (setting a 'killbit' on the control). Researchers at Black Hat on Wednesday will be demonstrating how to override the killbit controls and get access to vulnerabilities supposedly stopped with a killbit. What's really scary is that Microsoft has issued 175 killbit fixes so far."
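The story turns on the "killbit", which is nothing more than a flag in the registry: Internet Explorer refuses to instantiate a control whose CLSID has the 0x400 bit set in the `Compatibility Flags` value under `HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}` (and the `Wow6432Node` twin for 32-bit IE on 64-bit Windows). An administrator who wants to know which of those 175-odd killbits actually landed on a machine can enumerate that key. The script below is an added example for this page, not code from Microsoft or from the Black Hat session; the registry paths and the 0x400 flag are the documented killbit mechanism, while the function names and the placeholder CLSID are assumptions of the example.

```powershell
# Added example: audit ActiveX kill bits on the local machine (run in an elevated PowerShell).
# The kill bit is bit 0x400 of the "Compatibility Flags" DWORD stored under a per-CLSID key.
$KillBitFlag = 0x400
$BasePaths = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'   # 32-bit IE on x64
)

function Get-KillBitControls {
    # Returns one object per CLSID that currently carries the kill bit.
    foreach ($base in $BasePaths) {
        if (-not (Test-Path $base)) { continue }
        Get-ChildItem -Path $base | ForEach-Object {
            $flags = (Get-ItemProperty -Path $_.PSPath -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
            if ($null -ne $flags -and (($flags -band $KillBitFlag) -ne 0)) {
                $clsid = $_.PSChildName
                # Friendly name from HKCR\CLSID\{...}; empty when the control is killed but not registered
                $name = (Get-ItemProperty -Path "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid" -ErrorAction SilentlyContinue).'(default)'
                [PSCustomObject]@{
                    Hive  = $base
                    CLSID = $clsid
                    Name  = $name
                    Flags = ('0x{0:X8}' -f $flags)
                }
            }
        }
    }
}

function Test-KillBit {
    # True if the given CLSID (braces included) has the kill bit set in either hive.
    param([Parameter(Mandatory)][string]$Clsid)
    foreach ($base in $BasePaths) {
        $key = Join-Path $base $Clsid
        $flags = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
        if ($null -ne $flags -and (($flags -band $KillBitFlag) -ne 0)) { return $true }
    }
    return $false
}

# Usage: list every killed control, then check one CLSID (placeholder value, not a real control).
Get-KillBitControls | Sort-Object CLSID | Format-Table -AutoSize
Test-KillBit -Clsid '{00000000-0000-0000-0000-000000000000}'
```

Two caveats a practitioner should keep in mind: a kill bit only stops Internet Explorer (and hosts that honour the same compatibility table) from loading the control, so the vulnerable DLL is still on disk and reachable from any other COM client; and the registry flag is itself just data, which is why the Black Hat talk about getting around it is plausible and why removing or blocking the vulnerable control outright is the stronger fix.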

7 of 232 comments

  1. Imagine. by rolfc · · Score: 5, Interesting

    There are still people that think ActiveX is a gift to humanity.

    1. Re:Imagine. by DavidTC · · Score: 2, Interesting

      No, Netscape's Web Accelerator connects to a compressing proxy server for their dialup service. It recompresses images to lower quality and makes all pages gzipped. That's it. I'm not even sure it does any caching.

      I'm fairly confused as to how this doesn't work on Linux, as it's a browser proxy, but don't care enough to actually look into it.

      Which means all this talk about switching OSes is nonsense. He's someone using a $6.99 a month dialup internet connection, he can't afford a new computer!

      Of course, apparently the idea of using Netscape's web browser, or Firefox, both of which surely would work with Netscape Web Accelerator and would protect him from ActiveX, doesn't occur to him. (Granted, it doesn't seem to have occurred to anyone else here either.)

      --
      If corporations are people, aren't stockholders guilty of slavery?
    2. Re:Imagine. by ehrichweiss · · Score: 3, Interesting

      VERY good point. I own(ed) several Silicon Graphics workstations. Even though it would have been true, my justification never involved "well, if you add the fact that these don't crash every 20 minutes, the productivity makes them worth the $20,000+ paid for them". Nope, my justification was "ever see all those special effects in movies? They used THIS computer brand to make most of them, not a PC, not a Mac".

      --
      0x09F911029D74E35BD84156C5635688C0
    3. Re:Imagine. by jvkjvk · · Score: 2, Interesting

      i.e. Macs are expensive to maintain. In contrast I bought a Mickeysoft XP PC in 2002 and haven't spent a dime since then for OS updates. i.e. Cheap.

      And I bought a Mac with 10.4 and haven't spent a dime since then for OS updates. i.e. Cheap.

      And, just for those who are complaining about software - all my software works, still, on that version of the OS. Everything I have wanted to get has happened to work on that version of the OS.

      Maybe it's because I'm boring, and don't want or need all new shiny software every ten seconds, but there it is - I have had no reason to upgrade.

      So much for anecdotes, you have one, so do I.

  2. Re:The real mystery by plague3106 · · Score: 4, Interesting

    I also didn't like how ActiveX morphed from a special browser-only technology into a synonym for COM and then into a replacement for OLE. At least now we've got .NET which promises to rid us of C++ once and for all.

    ActiveX was designed to replace the overly complex COM way of building components. It was added to the browser later to provide a richer browser experience. I'm not sure I see C++ going anywhere, and you can build ActiveX components using C#.

    Whoever thought making C/C++ an implementation language for anything as complicated as an OS ought to be shot. The number of possible vulnerabilities is through the roof, as this latest patch shows.

    C was used because it was more productive than assembler, but still performed very well. Of course being so close to the metal means that it's easier for programmers to screw up... but I'm not sure C# will be used to build the base of an OS anytime soon. You'd almost have to make the CLR the OS... which while an interesting idea is not one I think we'd see soon.

  3. don't even know where to start, mouth gaping by neonsignal · · Score: 2, Interesting

    You can't be serious - nearly every OS these days is written in C (with a few bits of assembler at the core). And the one viable alternative, C++, was pretty much confined to BeOS. Do you think everyone just left their thinking caps at home the day they decided which language to write in? Fair swig of the whiskey. C was pretty much invented as a means of writing systems software. And you do realize that .NET is really just ActiveX by another name, smelling just as 'sweet'...