Slashdot Mirror
Microsoft Finally To Patch 17-Year-Old Bug
eldavojohn writes "Microsoft is due for a very large patch this month, in which five critical holes (that render Windows hijackable by an intruder) are due to be fixed, in addition to twenty other problems. The biggest change addresses a 17-year-old bug dating back to the days of DOS, discovered in January by their BFF Google. The patch should roll out February 9th."
Um, no. The bug was introduced in Windows NT 3.1, and has remained in the NT line ever since. Windows 7 is very much still built on the NT codebase.
Windows 7 is Windows NT 6.1. NT has been in development for over 20 years.
Tavis disclosed the ntvdm vulnerability in January, however it was reported to Microsoft on June 12, 2009.
http://lists.grok.org.uk/pipermail/full-disclosure/2010-January/072549.html
It's not a bug in DOS, but a bug in the NT virtual 8086 machine monitor. Since hardly anyone still runs DOS applications, it's not surprising that it took so long for the bug to be discovered. It's a feature that's not often thought about.
Is this a record(for a bug that's "known about" anyways?
A while ago OpenBSD developer found a 33 year old bug.
It depends on your definition of "known about" I guess.
And just to clarify, this bug was only discovered (at least by someone willing to disclose it) in January 2010. At least Microsoft didn't brush it under the rug for 17 years, I hope...
> Windows 3.1 - 7 are often based on the same code set.
You, sir, do not have the vaguest idea of what you are talking about.
> to get into windows 3.1 you need to type in "win" at the DOS window.
I thought for a moment you meant Windows *NT* 3.1 - 7, but ... it's clear that you didn't mean that.
FWIW, this bug affects all NT OSes right back to NT 3.1 (the first released version) and is an obscure kernel bug (it was only found in January 2010!). The BBC article was light on details except to say it "involves a utility that allows newer versions of Windows to run very old programs", but there's more detail from the always-excellent full-disclosure mailing list.
Go somewhere random
Er, from a better read of full-disclosure, I see it was reported in June 2009, not Jan 2010 as I stated earlier. Still, that's a long time for a bug to have gone un-noticed.
Go somewhere random
Yet another reason I avoid Windows and run for the hills with my linux box, if Windows was patched in a timely matter instead of being vulnerable for weeks, months, 17 years or when the media s**ts their pants, then I just might look at using it.
A.) You don't understand what really happened here. You should read the +5's in this thread before reading the next part of my post.
B.) There is absolutely nothing preventing Linux or anything else from having a problem like this. In fact, this is quite the cautionary tale for anybody running a computer. Your computer has a number of exploitable bugs in it right this second. Your machine is not safe. You need to install updates. You need network protection, firewall, etc. You need to make backups. You need to not run every executable you find from un-trusted sources. You need to use good practices when dealing with sensitive data. Running Linux, BSD, OSX, whatever, doesn't alleviate any of these concerns.
C.) Summaries often contain more information than the headline does. They also usually have links you can click on to get even more info.
"I like to lick butts!" by MobileTatsu-NJG (#32700246) (Score:5, Informative)
It was reported to MS in the middle of last year, and the bug's discoverer made it public last month after Microsoft still hadn't fixed it.
Hail Eris, full of mischief...
E pluribus sanguinem
I never listened to their marketing. I was quoting Microsoft's own Windows history webpage.
Slashdot's first reaction to VMware