Slashdot Mirror


Microsoft Finally To Patch 17-Year-Old Bug

eldavojohn writes "Microsoft is due for a very large patch this month, in which five critical holes (that render Windows hijackable by an intruder) are due to be fixed, in addition to twenty other problems. The biggest change addresses a 17-year-old bug dating back to the days of DOS, discovered in January by their BFF Google. The patch should roll out February 9th."

24 of 251 comments

  1. Nothing quite like a "timely" response by msobkow · · Score: 5, Interesting

    How in the world can a bug exist for 17 years when they've released so many versions of Windows in that time? Hasn't the kernel been revamped three times? (Win98/ME, WinNT/Win2K/WinXP, Vista/7)

    --
    I do not fail; I succeed at finding out what does not work.
    1. Re:Nothing quite like a "timely" response by chill · · Score: 4, Insightful

      Backwards compatibility FTW! The one thing that if Microsoft broke, they'd have a serious OS horserace on their hands. Then anyone would be free to simply choose OS X, Linux or anything else just on merits and not "it runs all my old software".

      --
      Learning HOW to think is more important than learning WHAT to think.
    2. Re:Nothing quite like a "timely" response by SEE · · Score: 4, Informative

      Um, no. The bug was introduced in Windows NT 3.1, and has remained in the NT line ever since. Windows 7 is very much still built on the NT codebase.

    3. Re:Nothing quite like a "timely" response by supersat · · Score: 4, Informative

      Windows 7 is Windows NT 6.1. NT has been in development for over 20 years.

    4. Re:Nothing quite like a "timely" response by bheer · · Score: 5, Informative

      > Windows 3.1 - 7 are often based on the same code set.

      You, sir, do not have the vaguest idea of what you are talking about.

      > to get into windows 3.1 you need to type in "win" at the DOS window.

      I thought for a moment you meant Windows *NT* 3.1 - 7, but ... it's clear that you didn't mean that.

      FWIW, this bug affects all NT OSes right back to NT 3.1 (the first released version) and is an obscure kernel bug (it was only found in January 2010!). The BBC article was light on details except to say it "involves a utility that allows newer versions of Windows to run very old programs", but there's more detail from the always-excellent full-disclosure mailing list.

    5. Re:Nothing quite like a "timely" response by noisyinstrument · · Score: 5, Funny

      If I had got a dollar for every time I had to correct someone for RAS syndrome style mistakes I'd never have to visit an ATM machine again.

      Idiots!

    6. Re:Nothing quite like a "timely" response by hairyfeet · · Score: 4, Interesting

      Yes and thank Jebus for backwards compatibility! Or do you actually want all your stuff broken? Converting my customers away from XP to Windows 7 so far I have had exactly ONE app be a PITA, and that was the evil Quickbooks, those that bought Intel no VM chips and couldn't run XP Mode simply went out and bought Quickbooks 09 and all was good in the universe again.

      Linux doesn't have to worry about backwards compatibility because users are paying $0 for their software. Imagine if you paid $400 for Photoshop for Linux, but next year it was worthless because the latest kernel wouldn't run it? Wouldn't be very happy then, would you? I am personally VERY happy for backwards compatibility, as nearly all the software I have going back many years all "just works" even though I made the jump from IA32 to X64, first with XP X64 and later Windows 7 HP X64. So while others may laugh at backwards compatibility it makes this old PC repairman VERY HAPPY that I don't have to deal with users on Win98 or WinME (shudders at the flashbacks) because some "must have" apps won't run. Yay backwards compatibility!

      --
      ACs don't waste your time replying, your posts are never seen by me.
    7. Re:Nothing quite like a "timely" response by symbolset · · Score: 5, Interesting

      > Windows 7 is very much still built on the NT codebase.

      You lie! Longhorn (Vista, Server 2008) was built from the ground up. Microsoft told me so!

      They wouldn't lie to me. <sniff>

      --
      Help stamp out iliturcy.
    8. Re:Nothing quite like a "timely" response by symbolset · · Score: 5, Interesting

      I've known about this bug for many years - it's one of a few that date back to my college days when I had a scholarly interest in such things. Back then I used to haunt the dark corners of the Internet where these things were good for a laugh. Now they're good for a quarter million dollars because GO's haunt the dark corners now and they pay good money, and only now are ones like this coming out in common knowledge. You may be sure that if you're a high value target you've been exploited this whole time and that's why your competitors mysteriously beat you to market, or how knockoffs appeared more suddenly after your innovation than reverse engineering would allow.

      What's absurd is that there are hundreds more just in the core OS. Go to apps and WMP doesn't have a streaming format that doesn't have pwnership, and let's not even talk about IE. Then there's all the forgotten formats and services, each with its vestigial exploits that still work. And then there's Office. Good Lord, as if providing multiple Turing machine capable development environments were not enough, every app includes embeds for hundreds of formats that can hose any machine that opens a document, and for each of those there's a Microsoft-only undocumented interface that's truly trusted to be exploited, because that's how they roll. And one of those apps is an email client - think about that for a bit.

      Each fix only adds to the problem. Even if the patch doesn't add new exploits (most do) most people don't patch, and half of the few who do patch slowly to avoid incompatibilities. In the meantime the patch gives clues to the amateurs on which features to exploit. For 90% of systems you only need to pwn it once and leave some obvious malware and the idiot running it will clean it and think it's all good. So the smart black hat builds a database of servers running Windows he can get at from his previously Pwned boxes (yes, some of them are probably inside your firewall and most but not all of them are clients) and crafts a package to pwn the rest of your network and if necessary leave some cleanable traces. The truly nefarious black hats exploit the patching system itself - of course it has exploits and hidden hooks too.

      Each rewrite leads to new problems. In 2008 how the hell do you write a server OS that hangs on a bad packet on the file sharing service? That's not what Bill promised us in 2002. In six years they couldn't even get that right? That's your clue that they're not even trying or at least they're not able. At the very least they're struggling just to copy a file as if that were a new requirement.

      You would think with the billions they have to throw away on XBox and Pink, from Bing to Zune, Microsoft could afford to hire a few Pakistani code geeks to haunt the dark corners and report what they find written on the wall there. They're getting rid of their profits but they're not doing it well. You would think code security audits would extend to the historical catalog of code, but no... that group has enough to do just vetting this month's patches, let alone the output of the dev teams. I imagine the rest of them are building Bing interfaces into Yahoo's services as if they had a hope in hell of getting us to use Bing. For sure they're not throwing a ton of quality code geeks into saving their butt on WiMo 7. Fixing bugs widely known in the Underground that consumers like you don't know about? That's a 0 priority task.

      Windows shops: not only are we laughing at you - we always have and we always will. You poor bastards.

      --
      Help stamp out iliturcy.
  2. Not discovered in January by WD · · Score: 5, Informative

    Tavis disclosed the ntvdm vulnerability in January, however it was reported to Microsoft on June 12, 2009.
    http://lists.grok.org.uk/pipermail/full-disclosure/2010-January/072549.html

  3. Re:Windows NT by supersat · · Score: 4, Informative

    It's not a bug in DOS, but a bug in the NT virtual 8086 machine monitor. Since hardly anyone still runs DOS applications, it's not surprising that it took so long for the bug to be discovered. It's a feature that's not often thought about.

  4. Re:oldest bug evar... and other leet speechisms by Ralish · · Score: 4, Interesting

    Not even close: The 25-Year-Old BSD Bug.

  5. Re:oldest bug evar... and other leet speechisms by nicknamenotavailable · · Score: 4, Informative

    Is this a record (for a bug that's "known about" anyways)?

    A while ago an OpenBSD developer found a 33 year old bug.
    It depends on your definition of "known about" I guess.

  6. Cicada bug? by nicknamenotavailable · · Score: 5, Funny

    Let's call it the Cicada bug.

    A Cicada has a life-cycle of 17 years.
    Now Microsoft is about to squash it.

  7. "Finally"? by holygoat · · Score: 5, Insightful

    Isn't it a little disingenuous to say "finally" when the bug was discovered last month?

    That it was introduced 17 years ago doesn't mean that Microsoft has been tardy about fixing it...

    1. Re:"Finally"? by Nimey · · Score: 5, Informative

      It was reported to MS in the middle of last year, and the bug's discoverer made it public last month after Microsoft still hadn't fixed it.

      --
      Hail Eris, full of mischief...

      E pluribus sanguinem
  8. You joke, but I think he'd like to by Adrian+Lopez · · Score: 4, Interesting

    "We are not the streamlined, small, hyper-efficient kernel I envisioned 15 years ago. Our kernel is huge and bloated. Whenever we add a new feature, it only gets worse." -- Linus Torvalds, September 2009.

    --
    "In prison you just have to shut your eyes and take it. Here you have to shut your eyes and give it."
  9. This is great news! by martin-boundary · · Score: 4, Funny

    This is excellent news for Digital Research! With these latest patches, DR-DOS can finally run the latest version of Windows without any spurious error messages. This is a great day!

    1. Re:This is great news! by Obstin8 · · Score: 5, Funny

      Sorry man, you're posting a comment that just proves you're way too old to be commenting on /.

      First, most of the current batch of MCSEs (is that acronym still allowed?) will be replying to you asking for the 800 number for Dr. Dos. I suggest you send them to the Dr. Who site.

      Second, your reference to an obscure company called Digital Research will confuse the weenies. DRI.COM now resolves to a site for Colburn's Travels. It appears Mr. Colburn has achieved more mileage from the site than DRI ever did. Check the stats.

      Lastly, you're really confusing people with the whole concept of a 'spurious' error. Microsoft has - through the determined, repetitive, and consistent application of "innovation" - eliminated all spurious errors from the code-base. All errors are now completely intentional, rational and self-explanatory. Click here for more information. :)

  10. Average Wait For Bug Fixes by Greyfox · · Score: 4, Funny

    That's really going to screw up their average response time numbers...

    --
    I'm trying to teach myself to set people on fire with my mind... Is it hot in here?

  11. Re:oldest bug evar... and other leet speechisms by Anonymous Coward · · Score: 5, Funny

    No wonder BSD is dying.

  12. I'm guessing you know this by symbolset · · Score: 5, Insightful

    No, That's Windows 7 by itself. Office is 3GB extra.

    The cited DSL fits in 64MB, all things included.

    Damn Small Linux is small enough and smart enough to do the following things:

    • Boot from a business card CD as a live linux distribution (LiveCD)
    • Boot from a USB pen drive
    • Boot from within a host operating system (that's right, it can run *inside* Windows)
    • Run very nicely from an IDE Compact Flash drive via a method we call "frugal install"
    • Transform into a Debian OS with a traditional hard drive install
    • Run light enough to power a 486DX with 16MB of Ram
    • Run fully in RAM with as little as 128MB (you will be amazed at how fast your computer can be!)
    • Modularly grow -- DSL is highly extendable without the need to customize

    It includes three browsers, document processing, email, spreadsheet, VOIP, and a lot more.

    The smallest pendrive I've ever heard of is the 64MB USB 1.0 device I'm holding in my hand right now that I bought my wife more than a decade ago. I paid $79 for it at Fred Meyer, because tech stores wouldn't carry it. Actually, there were 16 and 32MB versions of this, but let's not go there because this was the Windows 95 era.

    I am on the record as stating that we've had no productivity increases since the advent of Windows. Let me quote from a wise man:

    "Word processing was a solved problem in 1984. By 1987 spreadsheets had all the functions a normal person would ever use. Databases took a little longer, but by 1990 that was sorted. An infant could have been born that day and by now would be almost of age to vote and we've seen no real improvement in productivity since."

    64MB is 0.32% of 20GB.

    So let me ask you: If the Office team needs 3,000 MB to install their full application set, what can they do with 30MB - 1% of that? Splash? Can they even do that?

    --
    Help stamp out iliturcy.
    1. Re:I'm guessing you know this by chrysrobyn · · Score: 4, Insightful

      > I am on the record as stating that we've had no productivity increases since the advent of Windows.

      Are you even old enough to remember word processors in 1984? Spreadsheets in 1987? I realize you're being funny and quoting someone else who said those things, but seriously stop to think about them.

      I remember Word Perfect 5.1 in my 80x24 16 color display running on my 286 with 640KB of RAM. Let me tell you, Word from 1994 was worlds better. WYSIWYG is an amazing accomplishment that wasn't easy to get right. Even in 1994 there were small places where it wasn't perfect -- but being able to see bold or italic text instead of a different font color indicating "imagine this text is italic". Compare Word from a few years later -- on the fly typo correction, spelling and grammar highlights, with suggestions? That's progress.

      A spreadsheet in 1987 wasn't usable by a vast majority of people who were sophisticated enough to understand basic table structure. Excel from 1997 had enough of a GUI to help even less sophisticated people use functions instead of just using it as a pretty interface to store numbers.

      I'm not a fan of how much bloat has happened, but let's pause and understand what we've gained in the last 20 years. I don't see anybody volunteering to go back to their 286 with vintage software, and there's a reason for that.

      Modern computers are able to solve problems only dreamed of 20 years ago. What I can accomplish in terms of text processing with Perl might be an incredibly inefficient use of memory and horsepower, but I can hack something together in an hour that will slog through gigabytes of data and the problem will be solved before a programmer 20 years ago would have been done optimizing the runtime to fit in the available memory. I'd even point to the travesty that is the chip designer's automated place and route toolset -- what's done routinely today wasn't even possible 10 years ago.

  13. Re:Maybe I'll have to take your word for it? by redalien · · Score: 5, Funny

    Yeah? Well my dick's smaller than yours!