Microsoft Finally To Patch 17-Year-Old Bug

eldavojohn writes "Microsoft is due for a very large patch this month, in which five critical holes (that render Windows hijackable by an intruder) are due to be fixed, in addition to twenty other problems. The biggest change addresses a 17-year-old bug dating back to the days of DOS, discovered in January by their BFF Google. The patch should roll out February 9th."

Nothing quite like a "timely" response

[msobkow]

How in the world can a bug exist for 17 years when they've released so many versions of Windows in that time? Hasn't the kernel been revamped three times? (Win98/ME, WinNT/Win2K/WinXP, Vista/7)

Re:Nothing quite like a "timely" response

[chill]

Backwards compatibility FTW! The one thing that if Microsoft broke, they'd have a serious OS horserace on their hands. Then anyone would be free to simply choose OS X, Linux or anything else just on merits and not "it runs all my old software".

Re:Nothing quite like a "timely" response

[SEE]

Um, no. The bug was introduced in Windows NT 3.1, and has remained in the NT line ever since. Windows 7 is very much still built on the NT codebase.

Re:Nothing quite like a "timely" response

[wizardforce]

This has to my knowledge, nothing to do with the kernel. It's a bug in a program used to run older applications. It was only found to be a problem very recently. Until now there was no real understanding that the bug existed and thus no reason to change that part of the OSes.

Re:Nothing quite like a "timely" response

[supersat]

Windows 7 is Windows NT 6.1. NT has been in development for over 20 years.

Re:Nothing quite like a "timely" response

[siride]

You have no idea what you are talking about. Read the other comments for the details. This is a bug in the ntvdm subsystem which was a newly (at the time) written system for running 16-bit apps on 32-bit Windows.

Re:Nothing quite like a "timely" response

[Brain_Recall]

And just to clarify, this bug was only discovered (at least by someone willing to disclose it) in January 2010. At least Microsoft didn't brush it under the rug for 17 years, I hope...

Re:Nothing quite like a "timely" response

[bheer]

> Windows 3.1 - 7 are often based on the same code set.

You, sir, do not have the vaguest idea of what you are talking about.

> to get into windows 3.1 you need to type in "win" at the DOS window.

I thought for a moment you meant Windows *NT* 3.1 - 7, but ... it's clear that you didn't mean that.

FWIW, this bug affects all NT OSes right back to NT 3.1 (the first released version) and is an obscure kernel bug (it was only found in January 2010!). The BBC article was light on details except to say it "involves a utility that allows newer versions of Windows to run very old programs", but there's more detail from the always-excellent full-disclosure mailing list.

Re:Nothing quite like a "timely" response

[bheer]

Er, from a better read of full-disclosure, I see it was reported in June 2009, not Jan 2010 as I stated earlier. Still, that's a long time for a bug to have gone un-noticed.

Re:Nothing quite like a "timely" response

no.. that was just the excuse they gave. the real reason is that 7 isn't much of a code change from vista.

Re:Nothing quite like a "timely" response

[noisyinstrument]

If I had got a dollar for every time I had to correct someone for RAS syndrome style mistakes I'd never have to visit an ATM machine again.

Idiots!

Re:Nothing quite like a "timely" response

http://www.winsupersite.com/reviews/winserver2k3_gold1.asp

You mean the N-Ten the Intel i860 emulator. Funny how people listen to marketing and treat the meaning of something can change :)

Re:Nothing quite like a "timely" response

[hairyfeet]

Yes and thank Jebus for backwards compatibility! Or do you actually want all your stuff broken? Converting my customers away from XP to Windows 7 so far I have had exactly ONE app be a PITA, and that was the evil Quickbooks, those that bought Intel no VM chips and couldn't run XP Mode simply went out and bought Quickbooks 09 and all was good in the universe again.

Linux doesn't have to worry about backwards compatibility because users are paying $0 for their software. Imagine if you paid $400 for Photoshop for Linux, but next year it was worthless because the latest kernel wouldn't run it? Wouldn't be very happy then, would you? I am personally VERY happy for backwards compatibility, as nearly all the software I have going back many years all "just works" even though I made the jump from IA32 to X64, first with XP X64 and later Windows 7 HP X64. So while other may laugh at backwards compatibility it makes this old PC repairman VERY HAPPY that I don't have to deal with users on Win98 or WinME (shudders at the flashbacks) because some "must have" apps won't run. Yay backwards compatibility!

Re:Nothing quite like a "timely" response

[symbolset]

Windows 7 is very much still built on the NT codebase.

You lie! Longhorn (Vista, Server 2008) was built from the ground up. Microsoft told me so!

They wouldn't lie to me. <sniff>

Re:Nothing quite like a "timely" response

[Nutria]

Imagine if you paid $400 for Photoshop for Linux, but next year it was worthless because the latest kernel wouldn't run it? Wouldn't be very happy then, would you?

You're right: I'd be sorely peeved.

However, Linux strives for userland consistency, so any problems with old programs (like WordPerfect 8) not running are to be blamed on incompatible (glibc, for example) or non-existent (GNOME 1.4, Gtk 1.3) libraries. Gtk2, GNOME2 and glibc6 (is that a Debianism?) have been out long enough, though, that there aren't too many issues like that anymore.

Not that any non-geek would care about the real reason, so "blame it on Linux" is good enough!

Re:Nothing quite like a "timely" response

[Jon+Abbott]

I never listened to their marketing. I was quoting Microsoft's own Windows history webpage.

Re:Nothing quite like a "timely" response

[symbolset]

I've known about this bug for many years - it's one of a few that date back to my college days when I had a scholarly interest in such things. Back then I used to haunt the dark corners of the Internet where these things were good for a laugh. Now they're good for a quarter million dollars because GO's haunt the dark corners now and they pay good money, and only now are ones like this coming out in common knowledge. You may be sure that if you're a high value target you've been exploited this whole time and that's why your competitors mysteriously beat you to market, or how knockoffs appeared more suddenly after your innovation than reverse engineering would allow.

What's absurd is that there are hundreds more just in the core OS. Go to apps and WMP doesn't have a streaming format that doesn't have pwnership, and let's not even talk about IE. Then there's all the forgotten formats and services, each with its vestigal exploits that still work. And then there's Office. Good Lord, as if providing multiple Turing machine capable development environments were not enough, every app includes embeds for hundreds of formats that can hose any machine that opens a document, and for each of those there's a Microsoft-only undocumented interface that's truly trusted to be exploited, because that's how they roll. And one of those apps is an email client - think about that for a bit.

Each fix only adds to the problem. Even if the patch doesn't add new exploits (most do) most people don't patch, and half of the few who do patch slowly to avoid incompatibilities. In the meantime the patch gives clues to the amateurs on which features to exploit. For 90% of systems you only need to pwn it once and leave some obvious malware and the idiot running it will clean it and think it's all good. So the smart black hat builds a database of servers running Windows he can get at from his previously Pwned boxes (yes, some of them are probably inside your firewall and most but not all of them are clients) and crafts a package to pwn the rest of your network and if necessary leave some cleanable traces. The truly nefarious black hats exploit the patching system itself - of course it has exploits and hidden hooks too.

Each rewrite leads to new problems. In 2008 how the hell do you write a server OS that hangs on a bad packet on the file sharing service? That's not what Bill promised us in 2002. In six years they couldn't even get that right? That's your clue that they're not even trying or at least they're not able. At the very least they're struggling just to copy a file as if that were a new requirement.

You would think with the billions they have to throw away on XBox and Pink, from Bing to Zune, Microsoft could afford to hire a few Pakistani code geeks to haunt the dark corners and report what they find written on the wall there. They're getting rid of their profits but they're not doing it well. You would think code security audits would extend to the historical catalog of code, but no... that group has enough to do just vetting this month's patches, let alone the output of the dev teams. I imagine the rest of them are building Bing interfaces into Yahoo's services as if they had a hope in hell of getting us to use Bing. For sure they're not throwing a ton of quality code geeks into saving their butt on WiMo 7. Fixing bugs widely known in the Underground that consumers like you don't know about? That's a 0 priority task.

Windows shops: not only are we laughing at you - we always have and we always will. You poor bastards.

Re:Nothing quite like a "timely" response

[camcorder]

If a photo manipulation program has something broken with a new version of kernel, that means developers should be unhappy since they are doing something very wrong at the beginning.

Re:Nothing quite like a "timely" response

[drinkypoo]

Are you sure there's no code remaining from Windows (not NT) 3.1? There's backwards compatiblity for things that ran on it. Why reinvent the wheel badly when you have a bad wheel on hand?

Re:Nothing quite like a "timely" response

[snowgirl]

You're missing the key difference here. Microsoft is making money hand over fist, like mad, and were doing so before security was as important as it is now. It's not so important that they ensure security in their products as ensure that clients believe that security is taken seriously.

Re:Nothing quite like a "timely" response

[neovoxx]

If this bug was in NT 3.1, I wonder if it's also in OS/2?

Re:Nothing quite like a "timely" response

[Pharmboy]

Linux doesn't have to worry about backwards compatibility because users are paying $0 for their software.

Not exactly true. I have paid for a great deal of software designed to specifically run on Linux. AVG's coroporate anti-virus server runs on Linux, tons of CRM and database applications run on Linux, even a lot of Perl based management suites for webhosting aren't free. And worth every penny from my experience. So far, compatibility hasn't been an issue when I upgrade for most, although many require a RH based system (RH/CentOS/Fedora) to work.

Re:Nothing quite like a "timely" response

[Pharmboy]

Then you wouldn't need to remember your PIN number

It's the price of a cheese pizza and a large soda...

Not discovered in January

[WD]

Tavis disclosed the ntvdm vulnerability in January, however it was reported to Microsoft on June 12, 2009.
http://lists.grok.org.uk/pipermail/full-disclosure/2010-January/072549.html

Re:Windows NT

[supersat]

It's not a bug in DOS, but a bug in the NT virtual 8086 machine monitor. Since hardly anyone still runs DOS applications, it's not surprising that it took so long for the bug to be discovered. It's a feature that's not often thought about.

What is a "BFF"?

[John+Hasler]

Best F'ing Friend?

Re:What is a "BFF"?

[Haymaker]

I'm sorry but your butt chins are getting out of control.

Re:Patch Tuesday ahead.

[__aaclcg7560]

The /. editors are making up for having too many Apple stories since the introduction of the iPad. Now resuming normal "[Microsoft] Evil Empire Bashing" programming. Enjoy!

Re:oldest bug evar... and other leet speechisms

[Ralish]

Not even close: The 25-Year-Old BSD Bug.

Re:oldest bug evar... and other leet speechisms

[nicknamenotavailable]

Is this a record(for a bug that's "known about" anyways?

A while ago OpenBSD developer found a 33 year old bug.
It depends on your definition of "known about" I guess.

Re:sigh...

[siride]

Remember that BSD bug that sat around for about the same length of time? Yeah, it happens everywhere.

Of course, this is only a bug that can be exploited by 16-bit programs and only on 32-bit Windows. Since I run neither of those, it's not even a problem for folks like me.

Cicada bug?

[nicknamenotavailable]

Let's call it the Cicada bug.

A Cicada has a life-cycle of 17 years.
Now Microsoft is about to squash it.

Re:Cicada bug?

[Angst+Badger]

Don't worry. Some of the bugs created by Microsoft this year will be around in 17 years, too.

"Finally"?

[holygoat]

Isn't it a little disingenuous to say "finally" when the bug was discovered last month?

That it was introduced 17 years ago doesn't mean that Microsoft has been tardy about fixing it...

Re:"Finally"?

[Nimey]

It was reported to MS in the middle of last year, and the bug's discoverer made it public last month after Microsoft still hadn't fixed it.

You joke, but I think he'd like to

[Adrian+Lopez]

"We are not the streamlined, small, hyper-efficient kernel I envisioned 15 years ago. Our kernel is huge and bloated. Whenever we add a new feature, it only gets worse." -- Linus Torvalds, September 2009.

bff

[thehostiles]

Just pointing out that "Microsoft's BFF, Google" deserves a placement in internet culture

Re:Windows NT

[mysidia]

Yes... the only question is... Why didn't Microsoft disable running DOS apps by default?

Since hardly anyone does it, and the facility is only provided for backwards compatibility, it ought to require explicit manual admin action to enable.

Given the security risk exposure of having such a rarely-used feature exposed as part of the potential attack surface.

This is great news!

[martin-boundary]

This is excellent news for Digital Research! With these latest patches, DR-DOS can finally run the latest version of Windows without any spurious error messages. This is a great day!

Re:This is great news!

[Obstin8]

Sorry man, you're posting a comment that just proves you're way too old to be commenting on /.

First, most of the current batch of MCSEs (is that acronym still allowed?) will be replying to you asking for the 800 number for Dr. Dos. I suggest you send them to the Dr. Who site.

Second, your reference to an obscure company called Digital Research will confuse the weenies. DRI.COM now resolves to a site for Colburn's Travels. It appears Mr. Colburn has achieved more mileage from the site than DRI ever did. Check the stats.

Lastly, you're really confusing people with the whole concept of a 'spurious' error. Microsoft has - through the determined, repetitive, and consistent application of "innovation" - eliminated all spurious errors from the code-base. All errors are now completely intentional, rational and self-explanatory. Click here for more information. :)

Average Wait For Bug Fixes

[Greyfox]

That's really going to screw up their average response time numbers...

Re:Windows NT

[cusco]

You'd be surprised. Until two years ago the agents' interface to one of the national insurance firms was a 16-bit app dating from the days of Win 3.11.

Re:When is /. going to actually do more then just

[Liquidrage]

Fuck you mods and your troll bullshit. /. is owned by a company that has a stake in FOSS. It would be like ars being owned by a company with a stake in HD-DVD and posting any story about blu-ray in a negative light (back when there was a format war).

Every fucking headline or story about MS is painted in a bad way, and I'd say about half the stories deserve a retraction as can be seen in the threads. Other stories like this aren't even fucking news. And the headline is sensational. It's not news for nerds. It's news for nerds with a major bias.

Re:Windows NT

[slimjim8094]

That's what the NTVDM *is*. It's effectively a virtual machine, though it's closer to a virtualizer than a simulator (more like VirtualBox than Bochs)

Re:oldest bug evar... and other leet speechisms

No wonder BSD is dying.

Re:oldest bug evar... and other leet speechisms

[jabbathewocket]

since this bug was "discovered" in january its only chance at being a record would be the rapid turnaround in getting it patched..

By that I mean, rapid turnaround on Microsoft scale from disclosure in January, through to early Feb patching..

Re:oldest bug evar... and other leet speechisms

[eparker05]

I don't know if this counts... but the year 2038 problem is coming up in another 28 years. Something tells me that the public will be less riled up about this one. I don't foresee a rise in cult membership or survivalist magazine sales.

Re:oldest bug evar... and other leet speechisms

[jabbathewocket]

Reading the summary, nevermind the article would have kept both of you and the poster above you from posting sillyness.. The bug exists in a bit of 17 year old code, but was discovered last month... so not even remotely "old"

Re:sigh...

[MobileTatsu-NJG]

Yet another reason I avoid Windows and run for the hills with my linux box, if Windows was patched in a timely matter instead of being vulnerable for weeks, months, 17 years or when the media s**ts their pants, then I just might look at using it.

A.) You don't understand what really happened here. You should read the +5's in this thread before reading the next part of my post.

B.) There is absolutely nothing preventing Linux or anything else from having a problem like this. In fact, this is quite the cautionary tale for anybody running a computer. Your computer has a number of exploitable bugs in it right this second. Your machine is not safe. You need to install updates. You need network protection, firewall, etc. You need to make backups. You need to not run every executable you find from un-trusted sources. You need to use good practices when dealing with sensitive data. Running Linux, BSD, OSX, whatever, doesn't alleviate any of these concerns.

C.) Summaries often contain more information than the headline does. They also usually have links you can click on to get even more info.

Re:When is /. going to actually do more then just

[Sir_Lewk]

Don't like it? Go back to digg. Slashdot has never tried to hide or deny it's FOSS bias, nor is it ashamed of it.

Re:Windows NT

[Bungie]

Yes... the only question is... Why didn't Microsoft disable running DOS apps by default?

I think Microsoft wasn't concerned because DOS applications are all contained in a virtual machine. The hardware is emulated by the VDM or VXD's. If anything goes wrong NTVDM.EXE terminates like any other user process. Ideally it should be as safe to run and I'm sure Microsoft wanted to make running legacy DOS apps as seamless as possible to the end user.

Re:oldest bug evar... and other leet speechisms

Is this a record(for a bug that's "known about" anyways?

No; the oldest known bug is the ol' missing closing parenthesis.

Re:When is /. going to actually do more then just

[Xeleema]

Outlook is the best mail server there is.

If you're going to shill with a sub-million UID account, you should get your facts straight. "Outlook" is a client, and no, it's not the best one out there, that's a matter of opinion, with the only alternative choice typically being Lotus Notes. If you really meant "the best mail server", you probably ment to say "Microsoft Exchange", although I would have said "sendmail" or "Whatever Sun/Oracle calls their mail server now", or "anything except Domino".

I'm guessing you know this

[symbolset]

No, That's Windows 7 by itself. Office is 3GB extra.

The cited DSL fits in 64MB, all things included.

Damn Small Linux is small enough and smart enough to do the following things:

• Boot from a business card CD as a live linux distribution (LiveCD)
• Boot from a USB pen drive
• Boot from within a host operating system (that's right, it can run *inside* Windows)
• Run very nicely from an IDE Compact Flash drive via a method we call "frugal install"
• Transform into a Debian OS with a traditional hard drive install * Run light enough to power a 486DX with 16MB of Ram * Run fully in RAM with as little as 128MB (you will be amazed at how fast your computer can be!) * Modularly grow -- DSL is highly extendable without the need to customize

It includes three browsers, document processing, email, spreadsheet, VOIP, and a lot more.

The smallest pendrive I've ever heard of is the 64MB USB 1.0 device I'm holding in my hand right now that I bought my wife more than a decade ago. I paid $79 for it at Fred Meyer, because tech stores wouldn't carry it. Actually, there were 16 and 32MB versions of this, but let's not go there because this was the Windows 95 era.

I am on the record as stating that we've had no productivity increases since the advent of Windows. Let me quote from a wise man:

"Word processing was a solved problem in 1984. By 1987 spreadsheets had all the functions a normal person would ever use. Databases took a little longer, but by 1990 that was sorted. An infant could have been born that day and by now would be almost of age to vote and we've seen no real improvement in productivity since."

64MB is 0.32% of 20GB.

So let me ask you: If the Office team needs 3,000 MB to install their full application set, what can they do with 30MB - 1% of that? Splash? Can they even do that?

Re:I'm guessing you know this

[Fizzl]

Bah, just couple of years back* I compiled myself a linux from scratch to test if I could get it running on an old discarded 486dx with 8M of mem and a 40M hard drive. I had to cheat a bit by throwing in a 120M hard drive while compiling stuff. Source and object code takes a lot of space.
I can't remember what I used as a bootstrap to start the process. I think I made a custom initrd disks from some old debian netboot images.

* Well, shit. -98 was over ten years ago. I feel like a git.

Re:I'm guessing you know this

[diskofish]

Give me a break. We're comparing apples to oranges here. MS does small too. Windows CE - Microsofts OS for portable devices. Requires 1MB of ram. Fits on pendrives, etc etc. .NET Micro - Microsoft's embedded framework, for embedded application. Will fit in 64k of memory. The entire framework takes up about 10MB.

Re:I'm guessing you know this

[chrysrobyn]

I am on the record as stating that we've had no productivity increases since the advent of Windows.

Are you even old enough to remember word processors in 1984? Spreadsheets in 1987? I realize you're being funny and quoting someone else who said those things, but seriously stop to think about them.

I remember Word Perfect 5.1 in my 80x24 16 color display running on my 286 with 640KB of RAM. Let me tell you, Word from 1994 was worlds better. WYSIWYG is an amazing accomplishment that wasn't easy to get right. Even in 1994 there were small places where it wasn't perfect -- but being able to see bold or italic text instead of a different font color indicating "imagine this text is italic". Compare Word from a few years later -- on the fly typo correction, spelling and grammar highlights, with suggestions? That's progress.

A spreadsheet in 1987 wasn't usable by a vast majority of people who were sophisticated enough to understand basic table structure. Excel from 1997 had enough of a GUI to help even less sophisticated people use functions instead of just using it as a pretty interface to store numbers.

I'm not a fan of how much bloat has happened, but let's pause and understand what we've gained in the last 20 years. I don't see anybody volunteering to go back to their 286 with vintage software, and there's a reason for that.

Modern computers are able to solve problems only dreamed of 20 years ago. What I can accomplish in terms of text processing with Perl might be an incredibly inefficient use of memory and horsepower, but I can hack something together in an hour that will slog through gigabytes of data and the problem will be solved before a programmer 20 years ago would have been done optimizing the runtime to fit in the available memory. I'd even point to the travesty that is the chip designer's automated place and route toolset -- what's done routinely today wasn't even possible 10 years ago.

Re:I'm guessing you know this

[chrysrobyn]

CPT word processor, 1984 - a dedicated word processing station with 8" floppy disks, a portrait orientation widescreen crisp white CRT measuring 8.5"x11", WYSIWYG and daisy wheel printer. 80WPM. Next question.

Notably without on the fly spelling or grammar highlighting, and zero ability to transparently turn "teh" into "the". "Next question" indeed. You remember the 1984 single purpose word processor without integration into a general purpose computer, without the ability to paste images, screenshots or graphs from a spreadsheet program. And yet you stick by "Word processing was solved in 1984"? Shall I assume you're still using that machine today for professional reasons, and you never find it lacking in any niceties?

And yet for the most part, they don't. That was the point of that post. Most computers provide negative productivity - they're timesinks that let people send email and browse the web instead of doing something useful.

Those time sinks have been around for ages. In modern times, they've been hula hoops, books, comics, video games and countless other things. Computers have certainly become integrated into our modern lifestyle of leisure, and while I certainly agree that bringing a leisure machine into the workplace may have its detriments, I still believe it's a net positive. Gone are the days of relying on a squad of secretaries to synchronize schedules to hold a meeting, now we can do it transparently ourselves. For every person using Netscape when they shouldn't, there's a person who would have been reading a book or a newspaper. Nobody even brings newspapers into the workplace today! Computers aren't the slam dunk productivity multipliers, but saying that they've been stagnant since 1990 when the last database obstacle was overcome is either nieve, foolhardy or pandering to those pining for a time they don't even remember.

Take Boeing. The 787 is a marvel. For all its problems, even if you assume they cost 10% productivity, simply having the computers enabled an airplane to be designed that will add 15-25% efficiency to routes it flies. Given how long it'll fly, that's an immense efficiency multiplier. Winglets weren't even fully understood until computers came along and explained how the vortexes were working. Now that we know, that stuff seems obvious -- but winglets alone add 10% efficiency over an otherwise identical plane without them. And if you design the entire wing around having that feature in the first place, it can be 20-25% shorter, which means less weight and less drag.

Re:I'm guessing you know this

[daver00]

Dude, if you 'tune' it differently (read: recompile with completely different sets of code) is it *really* the same kernel anymore?

Re:Better late than never...

[AikonMGB]

Possibly; I was going off a meme at our lab that originates from one person saying something negative, and the other responding "you mispronounced 'awesome'."

Aikon-

Re:Maybe I'll have to take your word for it?

[Timex]

....and YOUR Slash number has six digits. Mine has five. See? I can count backwards! :)

I've been using Linux since kernel version 0.99pl10, when Slackware ruled on a couple dozen floppies.... ...and get off my lawn!

Re:Maybe I'll have to take your word for it?

[redalien]

Yeah? Well my dick's smaller than yours!

Re:Maybe I'll have to take your word for it?

[binarylarry]

Apparently your Slashdot ID doesn't make you any smarter.

But what I was getting at was perhaps if Linux chose a more modular design like a Microkernel, it would be less bloated.

Although it was in jest, as I think if they chose a Microkernel it would probably have ended up like Hurd and I'd be typing this from a Mac.

I need to track down John Titor so I can test my hypothesis.