Slashdot Mirror

← Back to Stories (view on slashdot.org)

Microsoft's Urgent Patch Precedes Black Hat Session

Posted by Soulskill on from the no-time-like-the-present dept.

Julie188 writes "Mystery solved! Microsoft's latest emergency out-of-band patch was weird beyond belief. A notice was sent to journalists and researchers late Friday evening that the patch was coming Tuesday, but Microsoft refused to explain the flaw and even put a cone of silence around researchers who would have otherwise talked about it. But finally, one researcher broke ranks and explained that the patch was caused by a flaw introduced in Microsoft's own development tools. This flaw was also the source of the emergency ActiveX patch, which took about 18 months to complete and which supposedly fixed the problem by turning off ActiveX (setting a 'killbit' on the control). Researchers at Black Hat on Wednesday will be demonstrating how to override the killbit controls and get access to vulnerabilities supposedly stopped with a killbit. What's really scary is that Microsoft has issued 175 killbits fixes so far."

3 of 232 comments (clear)

  1. Imagine. by rolfc · · Score: 5, Interesting

    There are still people that think ActiveX is a gift to humanity.

    1. Re:Imagine. by ehrichweiss · · Score: 3, Interesting

      VERY good point. I own(ed) several Silicon Graphics workstations. Even though it would have been true, my justification never involved "well, if you add the fact that these don't crash every 20 minutes, the productivity makes them worth the $20,000+ paid for them". Nope, my justification was "ever see all those special effects in movies? They used THIS computer brand to make most of them, not a PC, not a Mac".

      --
      0x09F911029D74E35BD84156C5635688C0
  2. Re:The real mystery by plague3106 · · Score: 4, Interesting

    I also didn't like how ActiveX morphed from a special browser-only technology into a synonym for COM and then into a replacement for OLE. At least now we've got .NET which promises to rid us of C++ once and for all.

    ActiveX was designed to replace the overly complex COM way of building components. It was added to the browser later to provide a richer browser experience. I'm not sure I see C++ going anywhere, and you can build ActiveX components using C#.

    Whoever thought making C/C++ an implementation language for anything as complicated as an OS ought to be shot. The number of possible vulnerabilities is through the roof, as this latest patch shows.

    C was used because it was more productive then assembler, but still performed very well. Of course being so close to the metal means that its easier for programmers to screw up... but I'm not sure C# will be used to build the base of an OS anytime soon. You'd almost have to make the CLR the OS... which while an interesting idea not one I think we'd see soon.