Slashdot Mirror


Just-Announced X.Org Security Flaws Affect Code Dating Back To 1987

An anonymous reader writes Some of the worst X.Org security issues were just publicized in an X.Org security advisory. The vulnerabilities deal with protocol handling issues and led to 12 CVEs published and code dating back to 1987 is affected within X11. Fixes for the X Server are temporarily available via this Git repository.


  1. Wha?!?!!! by Anonymous Coward · · Score: 5, Funny

    It's open source! Surely dedicated multitudes of programmers have been dutifully poring over the code for decades, searching high and low for potential flaws because ... well, just because it's there! Surely!

    1. Re:Wha?!?!!! by Anonymous Coward · · Score: 4, Funny

      Because Xorg is beautifully programmed and easy to understand, so any programmer can quickly contribute to its code.

    2. Re:Wha?!?!!! by phantomfive · · Score: 4, Insightful

      It's open source! Surely dedicated multitudes of programmers have been dutifully poring over the code for decades, searching high and low for potential flaws because ... well, just because it's there! Surely!

      To be blunt, that's exactly why this was found. If it were closed source, the bugs would still be in there.

      --
      "First they came for the slanderers and i said nothing."
    3. Re:Wha?!?!!! by Anonymous Coward · · Score: 1

      To be blunt, the vulnerabilities were only disclosed so the finders could collect the bounty.

    4. Re:Wha?!?!!! by ArcadeMan · · Score: 2, Interesting

      To be blunt, it took over 26 years to find even with the source code and all the programmers on the planet who could look at it.

      If it were closed source, the bug probably wouldn't exist anymore because closed source probably doesn't keep using code that's two-and-a-half decades old. As examples, OS X has nothing from Mac OS classic and Windows 95 is long gone from modern Windows versions. Or at least I would hope so.

    5. Re:Wha?!?!!! by OzPeter · · Score: 1

      To be blunt, that's exactly why this was found. If it were closed source, the bugs would still be in there.

      I disagree with this type of statement that paints all closed source code as bug ridden by default.

      If the code is closed source then the amount/type of bugs in it is unknowable by the public.

      --
      I am Slashdot. Are you Slashdot as well?
    6. Re:Wha?!?!!! by ruir · · Score: 1, Informative

      LOL. Windows not reusing code? I guess you believe in Santa Claus and the fairy tooth too.

    7. Re:Wha?!?!!! by king+neckbeard · · Score: 4, Informative

      They apparently use code that's two decades old, as this bug was only recently fixed

      --
      This is my signature. There are many like it, but this one is mine.
    8. Re:Wha?!?!!! by Anonymous Coward · · Score: 1

      "Windows 95 is long gone from modern Windows version. Or at least I would hope so."
      Sorry, you are completely and utterly wrong and clearly don't have a clue what you are talking about.

    9. Re:Wha?!?!!! by Anonymous Coward · · Score: 1

      OSX could potentially suffer from anything Unix/BSD does since that's the lineage it comes from, not OS8/9; a bug could in theory be from 1970....

      Windows most certainly reuses code. Notice how often when a patch was released the same patch would go out for multiple operating systems, even back in the 2000 era. Look at some of the latest IE bugs: the same bug would be in IE6 to IE11. I'm on 8.1 and I just searched my SysWOW64 folder and found a DLL from 2000, some SQL management thing, not part of the OS, but still a DLL used in a Microsoft environment on a MS product.

    10. Re:Wha?!?!!! by Anonymous Coward · · Score: 2, Interesting

      To be blunt, that's exactly why this was found. If it were closed source, the bugs would still be in there.

      The bugs could potentially be found no matter if the software was open or closed-source. There is no evidence that proves your statement, unless of course you happen to work for Xi Graphics (authors of the closed-source X windows server, a.k.a. Accelerated-X, which is what the free XFree86 was supposed to supersede) and have a story to share there.

      The point the OP was trying to make was that Linus's Law, specifically Eric S. Raymond's "given enough eyeballs all bugs are shallow" argument, is ridiculously idealistic as it operates under the pretence that everyone has as much insight and knowledge into the software as the author(s) have, focusing solely on the quantity of eyes. The Wikipedia reference I cite goes into a bit more depth as to why this socially-propagated belief in the open-source world is unfounded and has been repeatedly proven false. The short of it: just because the source code is available and viewable does not mean that a person viewing it has the capability, familiarity, or time to invest in reverse-engineering it and finding flaws. Anecdotally, in my experience most open-source users can't understand the code of the applications they use: they're simply generic end-users. Open vs. closed has no real bearing when you consider that data point (i.e. having the source available to read/view != having the capability to understand said source).

      Please note my statement doesn't mean closed-source has a defined/distinct advantage over open-source. They both have their pros and cons. But this age-old belief that open-source is superior solely because "the code is out there" needs to stop. Ironically, that subsection of ESR's the Cathedral and the Bazaar may in fact be one of the most damaging things to the open-source movement ever written simply because of its head-in-the-sand viewpoint; other subsections (e.g. "The Importance of Having Users") are much more justified.

      But hey, that's just my two cents as someone who's been in all of this since the early 90s, and I'm just one person. With one set of eyes. ;-)

    11. Re:Wha?!?!!! by petermgreen · · Score: 2

      I wouldn't be so sure about that.

      On the mac while "classic" mode is gone "carbon" is still there and was explicitly intended to allow porting of code from classic macos. I'd be surprised if there wasn't some code that had been written for classic macos still in there somewhere.

      Similarly win32 was designed as a 32-bit variant of win16 and I'd be very surprised if there wasn't still some old code hanging around somewhere.

      --
      note: I'm known as plugwash most places but I screwed up registering that here somehow in the past and now can't register
    12. Re:Wha?!?!!! by Rei · · Score: 4, Insightful

      All million lines of it ;)

      Seriously, I'd really love to go in myself and fix the bug that's currently preventing me from using GLX, but I wouldn't even know where to begin. I think Xorg is seriously understaffed in terms of volunteers compared to the scale of the project - it looks like most bug reports don't get responses for months or years, if ever.

      --
      "We consider that six courts and an asylum claim are a rather odd way of returning to Sweden within a month."
    13. Re:Wha?!?!!! by phantomfive · · Score: 4, Insightful

      If it were closed source, the bug probably wouldn't exist anymore because closed source probably doesn't keep using code that's two-and-a-half decades old. As examples, OS X has nothing from Mac OS classic and Windows 95 is long gone from modern Windows versions. Or at least I would hope so.

      There are 300 billion lines of COBOL still in production. And every time you transfer money through banks, your money passes through it. OSX has code from the 90s in it, and Windows has code from the 80s.

      Pretty near every bad software practice that you find in open source software is also found in closed source software.

      --
      "First they came for the slanderers and i said nothing."
    14. Re:Wha?!?!!! by phantomfive · · Score: 1

      From your own link, "there weren't any eyeballs."

      --
      "First they came for the slanderers and i said nothing."
    15. Re:Wha?!?!!! by Qzukk · · Score: 4, Funny

      How dare you question his credentials! He's worked for no less than TEN startups, and he's never seen code that's more than three months old before it gets sold off and the company shuts down. That's 10 samples, statistically significant compared to whatever silly anecdote you've got from working at some hidebound behemoth like SAP or IBM for a decade! These posers don't even count!

      --
      If I have been able to see further than others, it is because I bought a pair of binoculars.
    16. Re:Wha?!?!!! by phantomfive · · Score: 1

      I disagree with this type of statement that paints all closed source code as bug ridden by default.

      To be fair, most of it is. You even have guys at Google saying that bugs are no big deal.

      --
      "First they came for the slanderers and i said nothing."
    17. Re:Wha?!?!!! by phantomfive · · Score: 1

      Similarly win32 was designed as a 32-bit variant of win16 and I'd be very surprised if there wasn't still some old code hanging around somewhere.

      Like the basic types, where a WORD is 16 bits and a DWORD is 32 bits, which is sprinkled everywhere throughout the entire OS.

      --
      "First they came for the slanderers and i said nothing."
    18. Re:Wha?!?!!! by Matrix9180 · · Score: 1

      OS X is an evolution of NEXTSTEP, which was started in the late 80s. They saw that OS 9 was a dead end and Apple needed something "new" and "modern", so they went with NEXT (and for a good while there was this set of compatibility APIs called carbon, PROBABLY had a lot of mac classic code). You can still see a lot of similarities between Xcode today and what they were using on NEXT in the early 90s.
      new code, old code, it makes no difference. It ALL has flaws.

      --
      120chars for a sig is teh suck
    19. Re:Wha?!?!!! by bluefoxlucid · · Score: 1

      You don't get it. We've forked it 5 times; it's just old, bad code. We need to rewrite a completely new X system like Wayland or Mir so that all these old bugs are permanently gone.

    20. Re:Wha?!?!!! by egranlund · · Score: 1

      OS X is an evolution of NEXTSTEP, which was started in the late 80s. They saw that OS 9 was a dead end and Apple needed something "new" and "modern", so they went with NEXT (and for a good while there was this set of compatibility APIs called carbon, PROBABLY had a lot of mac classic code). You can still see a lot of similarities between Xcode today and what they were using on NEXT in the early 90s.
      new code, old code, it makes no difference. It ALL has flaws.

      Heck even the images from the "Grab" program in the recent versions of OSX have the original Grab icon from NeXTSTEP

    21. Re:Wha?!?!!! by Rei · · Score: 4, Interesting

      Just did... looks like my estimate of "a million lines" for Xorg was a bit off. It's "only" half a million lines of code (481739), plus 88k lines of comments and 87k blank lines, in 1476 files.

      --
      "We consider that six courts and an asylum claim are a rather odd way of returning to Sweden within a month."
    22. Re:Wha?!?!!! by Uecker · · Score: 1

      I am not sure why you think rewriting in a different way is the solution. One could also refactor and fix bugs (which is being done).

      For example, the implementation of the core X protocol has been described as good by the guy who found these bugs (because bugs have already been fixed in the past). New code will not automatically be better: e.g. compare his comments about Qt and KDE.

      From looking at it superficially, Wayland seems to be of pretty good code quality though. I am just not too much of a fan of breaking compatibility with the on-the-wire protocol of X.

    23. Re:Wha?!?!!! by 0123456 · · Score: 1

      No, because the X11 programmers said 'who wants to be fixing bugs in crusty old code when we could be working on the New Shiny Wayland instead?'

    24. Re:Wha?!?!!! by macs4all · · Score: 1

      I wouldn't be so sure about that.

      On the mac while "classic" mode is gone "carbon" is still there and was explicitly intended to allow porting of code from classic macos. I'd be surprised if there wasn't some code that had been written for classic macos still in there somewhere.

      Similarly win32 was designed as a 32-bit variant of win16 and I'd be very surprised if there wasn't still some old code hanging around somewhere.

      While technically still there, the Carbon API has been officially deprecated since 2012, and as of OS X 10.8 (Mountain Lion), is clearly on its way out.

      It's a shame, because it was a brilliant piece of work (but also not without its problems); but the writing was clearly on the wall when it wasn't ported to 64-bit in 2007.

    25. Re:Wha?!?!!! by macs4all · · Score: 1

      new code, old code, it makes no difference. It ALL has flaws.

      open code, closed code, it makes no difference. It ALL has flaws.

      Just as true.

    26. Re:Wha?!?!!! by macs4all · · Score: 2

      Heck even the images from the "Grab" program in the recent versions of OSX have the original Grab icon from NeXTSTEP [osxdaily.com]

      But now, it's just nostalgia. Like Clarus the DogCow.

    27. Re:Wha?!?!!! by dabadab · · Score: 2

      Windows 95 is long gone from modern Windows version.

      Actually that's not true, as demonstrated by the MS14-064 (it's a bug that affects Win8 and also Win95).

      As a sidenote, Win95 is not an ancestor of Windows8. Win8 is a member of the WinNT family, its lineage going back to the first version of Windows NT, which was curiously called Windows NT 3.1 (released in 1993).
      The other line of Windowses (the one going from Windows 1.0 to Windows ME) ran in parallel and the two families sometimes shared some code but that's all, Win8 does not come from Win95.

      --
      Real life is overrated.
    28. Re:Wha?!?!!! by ArcadeMan · · Score: 1

      An 8-bit value is called a byte and we do need words to describe 16-bit and 32-bit values, regardless of the maximum allowed by the CPU.

    29. Re:Wha?!?!!! by Kjella · · Score: 1

      Your estimate was probably just a bit old; if I recall it was something like 800k when x.org took over from xfree86, and they shaved off hundreds of thousands of lines of old cruft. And when they finally ran out of cruft that could be removed, they started writing Wayland. It's probably the only OSS project that's shrunk over the last 10 years.

      --
      Live today, because you never know what tomorrow brings
    30. Re:Wha?!?!!! by phantomfive · · Score: 1

      An 8-bit value is called a byte and we do need words to describe 16-bit and 32-bit values, regardless of the maximum allowed by the CPU.

      Call a 16-byte value a half-word. The only reason it's called a WORD on Windows is because of legacy backwards-compatibility issues.

      Sorry man, your utopia where everyone uses new code is a fantasy. There are trillions of dollars of code already out there, and no one wants to spend trillions of dollars to rewrite it all.

      Furthermore, I don't even understand why you would want it all to be rewritten. If it's bad code, certainly; but if the code works, then rewriting it will add new bugs.

      --
      "First they came for the slanderers and i said nothing."
    31. Re:Wha?!?!!! by Kjella · · Score: 1

      Ooh, found it in this video from 15:03; allegedly it was 1.1 million, but there's no repository dating that far back to check, however:

      xserver1.0.2: 879403 LOC
      xserver now (july 2013): 562678 LOC

      --
      Live today, because you never know what tomorrow brings
    32. Re:Wha?!?!!! by ArcadeMan · · Score: 1

      Why would a 16-bit value be called a "half-word"? It's always been a word and 32-bit has always been a double word. You're the one asking to use a new code with your half-word.

      Someone screwed up when we went with 32-bit CPUs and people kept saying that a word is the maximum value for a CPU. We're using 64-bit CPUs now, so that means a half word would be 32-bit and a 16-bit value would be a quarter word. You can't try to change the meaning of a word with every CPU upgrade otherwise that's when you need to rewrite trillions of dollars of code.

      Update upwards, not backwards.
      Byte is 8-bit
      Word is 16-bit
      Double word is 32-bit
      Quad word is 64-bit
      Octo word will be 128-bit
      Etc.

    33. Re:Wha?!?!!! by ArcadeMan · · Score: 1

      P.S.: I think the use of the word "WORD" makes things confusing in the first place.

    34. Re:Wha?!?!!! by theshowmecanuck · · Score: 1

      I agree. And to simplify this, testing doesn't prove or disprove the existence of bugs. If a bug is obtuse enough (like most security holes), there is a good chance it won't get tested even in day to day use. Most code over a few hundred lines gets sufficiently complex that it starts to take a real effort to do a code review. Couple that with the fact that one needs experience and/or training to read code and recognize security flaws; and most programs are thousands to tens of thousands of lines long, or more. I think you will likely find that there are not very many people (or in this case none) who have the time or inclination to review code for security flaws, regardless of whether the source code is available.

      So for sure this ultimately makes open and closed source no better than the other in this regard. In fact I can make the argument that closed source might get more reviews since people are being actively paid to look at the code day in and day out. While in open source, people often won't look at code if it isn't the new shiny thing everyone is buzzing about. I'm not saying closed source vendors are willing to spend the time and money to reengineer the code to fix found security bugs, which might take considerable time and effort (unless they are really, really bad). Mainly because doing so impacts schedules and ultimately money. It's just that in closed source, people might actually know about it sooner than in open source. But in the end, if a security flaw isn't fixed in 25 years, what's the difference which paradigm it falls under? (That's rhetorical.)

      --
      I ignore anonymous replies to my comments and postings.
    35. Re:Wha?!?!!! by metamatic · · Score: 3, Interesting

      Actually, OS X contains code and bugs that date back to the 1970s.

      --
      GCHQ Quantum Insert installed. If only our tongues were made of glass, how much more careful we would be when we speak
    36. Re:Wha?!?!!! by Dr_Barnowl · · Score: 1

      It's a holdover from the VERY old days of computing.

      http://en.wikipedia.org/wiki/W...

    37. Re:Wha?!?!!! by phantomfive · · Score: 4, Informative

      Why would a 16-bit value be called a "half-word"? It's always been a word and 32-bit has always been a double word. You're the one asking to use a new code with your half-word.

      I think you're drunk or something, you keep on saying stuff that could be easily figured out if you looked it up on Wikipedia.

      A 'word' is the natural unit of data on the CPU architecture (not the maximum). Thus on a 16 bit computer a WORD is 16 bits, but on a 32 bit computer it's 32 bits.

      Even a byte was not necessarily 8 bits before OS/360, it commonly was found as 7 bits, or even four bits.

      --
      "First they came for the slanderers and i said nothing."
    38. Re:Wha?!?!!! by Alomex · · Score: 1

      Microsoft is famous for reusing less code than most other software shops. On top of that the present Windows systems are a derivative of Windows NT, not Windows 95, so I think it would be a safe bet to say that presently Windows contains comparatively little code from Win95.

    39. Re:Wha?!?!!! by phantomfive · · Score: 1

      ok, that's kind of cool

      --
      "First they came for the slanderers and i said nothing."
    40. Re:Wha?!?!!! by phantomfive · · Score: 1

      So a 'word' is a completely useless unit because it keeps changing depending on the CPU.

      It's not useless any more than telling someone "I am here" is useless. Now, saying that a WORD is exactly 16 bits and expecting that to be portable; you are completely right, that is a silly thing to do. All the more so because Microsoft had just recently gone through the switch from 8 bit words to 16 bit words (Altair was an 8 bit computer).

      I've never seen byte (octet) being anything other than 8 bits.

      That doesn't surprise me at all. And yet they existed.

      --
      "First they came for the slanderers and i said nothing."
    41. Re:Wha?!?!!! by unixisc · · Score: 1

      Yeah, but OS-X doesn't use X, never did. NEXTSTEP, its ancestor, used Display PostScript, and OS-X uses something called Quartz. Neither of which has anything remotely to do w/ X11.

    42. Re:Wha?!?!!! by slimjim8094 · · Score: 1

      You know, 'word' actually means something, and it never referred to a particular number of bits - it was always a property of the architecture. Generally, word size == register size == memory address == unit of memory that can be operated on. 32-bit machines are 32-bit because they have 32 bit registers, and the size of a memory address is 32 bits long (=4GB), and you can't move less than 32 bits to/from RAM.

      So, yeah, it absolutely depends on the CPU, because it's the fundamental unit of the CPU. It's actually hard to imagine a less useless specification...

      --
      I have developed a truly marvelous proof of this comment, which this signature is too narrow to contain.
    43. Re:Wha?!?!!! by styrotech · · Score: 1

      The point the OP was trying to make was that Linus's Law [wikipedia.org], specifically Eric S. Raymond's "given enough eyeballs all bugs are shallow" argument, is ridiculously idealistic as it operates under the pretence that everyone has as much insight and knowledge into the software as the author(s) have, focusing solely on the quantity of eyes.

      I disagree that it is a ridiculously idealistic statement. It is more of a misunderstood rhetorical tautology than anything else.

      A discovered bug obviously had enough eyeballs on it, and an as yet undiscovered bug hasn't had enough eyeballs on it.

      All it is stating is that more people looking is better for finding bugs than less people looking. Or another way a wider range of experiences, backgrounds, goals, biases and points of view looking for bugs is better than a narrower range.

    44. Re:Wha?!?!!! by Tablizer · · Score: 1

      I guess you believe in santa claus and the fairy tooth too.

      No I don't, she's all gums.

    45. Re:Wha?!?!!! by rahvin112 · · Score: 1

      Why do you think those same developers decided to create Wayland? X is a disaster of legacy code and it's far more work to fix it than it is to just replace it.

    46. Re:Wha?!?!!! by Scoth · · Score: 2

      I am not a Windows developer, but I have been a long-time tinkerer and user. The 32-bit versions of Windows, even up to and including the previews of Windows 10, still include the same old NTVDM that provides support for 16-bit DOS and Windows programs. I've personally played around with running completely unmodified copies of MS-DOS Executive from Windows 2.x and 3.0, Program Manager, and various other ancient things with absolutely no trouble. This likely includes some very old code to allow this old stuff to run unmodified. There's been a bug or two in NTVDM that date back to the first versions of NT.

      As for early Win32, modern versions of Windows, including 64-bit versions, will still run the early Win32 demos that came with some of the earliest Windows NT 3.1 betas and pre-releases (once the executable format stabilized).

      Now whether this means there's actual literal old code still floating around, or just reimplementation of old libraries and APIs is anybody's guess. Based on some of the security flaws that have cropped up that date back to the earliest versions of Windows NT it certainly seems possible that there's some very old code floating around still. As a closed-source project, we'll likely never know. Though it'd be interesting to poke around in the leaked NT4/Win2k source from several years back and see if there's any clues. In general, rewriting tested, vetted code is a bad idea unless there's a good reason to rewrite it, so I'd bet there's plenty of old code kicking around in Windows in driver handling, kernel memory management, etc.

      OS X is somewhat different since it was more or less reimplemented from the ground up rather than evolutionary from existing Mac OSes - though it'd be interesting to see what might be left over from NeXT or BSD. I believe Carbon is still part of the OS, even if it's deprecated; I'm even less of a Mac dev guy than I am a Windows dev, so I can't speak to the existence of old code in that.

    47. Re:Wha?!?!!! by phantomfive · · Score: 1

      You know, 'word' actually means something, and it never referred to a particular number of bits

      Unless you're using the Win32 API, then WORD is a constant type of exactly 16 bits. And a DWORD is exactly 32 bits.

      --
      "First they came for the slanderers and i said nothing."
    48. Re:Wha?!?!!! by grcumb · · Score: 1

      The point the OP was trying to make was that Linus's Law [wikipedia.org], specifically Eric S. Raymond's "given enough eyeballs all bugs are shallow" argument, is ridiculously idealistic as it operates under the pretence that everyone has as much insight and knowledge into the software as the author(s) have, focusing solely on the quantity of eyes.

      I disagree that it is a ridiculously idealistic statement. It is more of a misunderstood rhetorical tautology than anything else.

      A discovered bug obviously had enough eyeballs on it, and an as yet undiscovered bug hasn't had enough eyeballs on it.

      Actually, I wish he had limited the statement to the persistence of known bugs in FOSS code bases. ESR said the bugs are easier to find as the number of beta testers and developers increases. This doesn't appear to be true. One thing that is true is that code quality is viewed differently in FOSS than in commercial, proprietary software. All too often, software businesses treat QA, debugging and code maintenance as overhead, so there's a perverse incentive to leave known bugs - even the most egregious ones - lying around indefinitely - or at least until someone publicly raises a stink. FOSS culture values code quality more highly and is less tolerant toward bugs, so generally speaking we see somewhat better code quality, and somewhat shorter known bug life than in similar proprietary projects.

      Emphasis on 'generally speaking' in the above. Exceptions abound, but I think the trend is clear.

      --
      Crumb's Corollary: Never bring a knife to a bun fight.
    49. Re:Wha?!?!!! by slimjim8094 · · Score: 1

      Yeah, but the WORD type hasn't had a relationship to the actual word size for 20 years. As you said upthread "The only reason it's called a WORD on Windows is because of legacy backwards-compatibility issues."

      It was stupid for them to lock processor-dependent stuff into the API and it means you get these ridiculous anachronisms. Especially ridiculous that "WORD" is intended to mean a fixed-size value, when "word" is defined by its processor-dependence. The API is full of this nonsense - WPARAM and LPARAM originally referred to WORD- and LONG-length parameters, respectively, but now they're both 32 bit. LPCSTR - what the hell is a long pointer? So by now it's just random junk. If they wanted a 16-bit value, they should've called it an int16 or a twobyte or... hell, something that described what it actually was. But no, they were intending to describe the actual word size, and then got caught with their pants down when it changed (as anybody could see it would).

      Microsoft is to be commended for their backwards-compatibility, but it makes these poor design choices especially visible. By contrast, the POSIX API is almost completely free of anything machine-dependent, to the point that it can be a bit tricky to use sometimes "when the rubber meets the road". But at least it's consistent.

      --
      I have developed a truly marvelous proof of this comment, which this signature is too narrow to contain.
    50. Re:Wha?!?!!! by phantomfive · · Score: 1

      It was stupid for them to lock processor-dependent stuff into the API and it means you get these ridiculous anachronisms.

      So true.

      --
      "First they came for the slanderers and i said nothing."
    51. Re:Wha?!?!!! by ChunderDownunder · · Score: 1

      I read somewhere that NTVDM isn't supported in x86-64 because "long mode" won't execute "8086 Virtual Mode".

      Yet supposedly MS could resurrect the software for 64 bit Windows by running the software via the VT-x CPU extension present in most recent x86-64 CPU revisions.

      But I guess the effort to make the NTVDM subsystem 64 bit clean isn't worth it...

    52. Re:Wha?!?!!! by ruir · · Score: 1

      So you are saying they are masochists that write everything from scratch, and automagically the binaries are eerily compatible between versions. And I quite remember not long ago them discovering a 20 year old bug - but hey, I could be wrong saying they reuse code and I do not believe their marketing. http://www.techradar.com/news/...

    53. Re:Wha?!?!!! by OneSizeFitsNoone · · Score: 1

      There surely is a reason all distros for years have been configuring Xorg to run with the -nolisten tcp option set by default.
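The `-nolisten tcp` point in the comment above, as an added example that is not part of the thread: a small POSIX shell check that classifies an X server's TCP exposure from its command line (falling back to the version default, which flipped to not listening in xorg-server 1.17, where `-listen tcp` is needed to re-enable it) and pulls any listening ports in the X11 range 6000-6063 out of `ss -ltn`-style output. The function names, the version-threshold logic and the sample socket lines are assumptions constructed for this example.

```shell
#!/bin/sh
# Added example, not code from the thread or from X.Org.
# Classifies whether an X server accepts the X11 protocol over TCP, which is
# the exposure that turns protocol-handling bugs into a network-reachable risk.
# Inputs are constructed sample strings, not live system output.

# x_tcp_exposure CMDLINE VERSION
# Prints "local-only" or "tcp-exposed". Explicit flags win; with no flag the
# version default decides (assumption: <1.17 listens, >=1.17 does not).
x_tcp_exposure() {
    cmdline=$1
    version=$2
    case " $cmdline " in
        *" -nolisten tcp "*) echo "local-only"; return 0 ;;
        *" -listen tcp "*)   echo "tcp-exposed"; return 0 ;;
    esac
    major=${version%%.*}
    minor=${version#*.}
    minor=${minor%%.*}
    if [ "$major" -gt 1 ] || { [ "$major" -eq 1 ] && [ "$minor" -ge 17 ]; }; then
        echo "local-only"
    else
        echo "tcp-exposed"
    fi
}

# x_ports_from_ss SS_OUTPUT
# Prints each listening port in 6000-6063 found in `ss -ltn`-style text.
# Column 4 is "Local Address:Port"; the port is the text after the last colon,
# which also handles IPv6 forms such as [::]:6010.
x_ports_from_ss() {
    printf '%s\n' "$1" | awk '
        $1 == "LISTEN" {
            n = split($4, a, ":"); port = a[n] + 0
            if (port >= 6000 && port <= 6063) print port
        }'
}

# Constructed sample of `ss -ltn` output (not captured from a real host).
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    127.0.0.1:631      0.0.0.0:*
LISTEN 0      128    *:6000             *:*
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
LISTEN 0      128    [::]:6010          [::]:*'

# Demo on constructed command lines: a distro default, an explicit opt-in,
# and two servers started with no listen flag on either side of 1.17.
x_tcp_exposure '/usr/bin/Xorg :0 -nolisten tcp -auth /tmp/x.auth' 1.15
x_tcp_exposure '/usr/lib/xorg/Xorg :1 -listen tcp' 1.20.4
x_tcp_exposure '/usr/bin/X :0 -auth /tmp/x.auth' 1.15
x_tcp_exposure '/usr/bin/Xorg :0 vt7' 1.17.4
x_ports_from_ss "$SAMPLE_SS"
```

On a real host, feed it `ps -o args= -C Xorg` and `ss -ltn`; a port in the 6000 range with no `-nolisten tcp` on the command line is the configuration the comment is warning about.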

    54. Re:Wha?!?!!! by Zappy · · Score: 1

      Windows NT has a lineage dating back to April 1987 with the release of OS/2 1.0

    55. Re:Wha?!?!!! by petermgreen · · Score: 1

      register size == memory address == unit of memory that can be operated on.

      Every modern processor I'm aware of can operate on memory in 8-bit units despite having 32-bit or 64-bit register sizes and 32-bit or 64-bit memory addresses. Older processors with 8 and 16 bit register sizes typically had memory address sizes larger than their register size.

      --
      note: I'm known as plugwash most places but I screwed up registering that here somehow in the past and now can't register
    56. Re:Wha?!?!!! by OneSizeFitsNoone · · Score: 1

      And this is just a PRESENTATION LAYER?!?

      OMFG!!!

      Xorg is more than a presentation layer. It has networking (transport layer) and authentication capabilities, as well as device drivers for some old 2D graphic cards.

    57. Re:Wha?!?!!! by OneSizeFitsNoone · · Score: 1

      To be blunt, the vulnerabilities were only disclosed so the finders could collect the bounty.

      Bounty? What bounty?

    58. Re:Wha?!?!!! by OneSizeFitsNoone · · Score: 1

      FYI: Ancient Microsoft headers defined WORD as a 16-bit signed value and DWORD as a 32-bit signed value; then the Windows API declares its functions in terms of those same WORD and DWORD typedefs. As a result, anything attempting to be even remotely cross-platform copied the standard, so now WORD means 16-bit and DWORD means 32-bit. The terms have stuck, and now they're taught in school as hard constants.

      This only has meaning in MS proper. Hardware architectures and programming languages that were born in non-16 bits environments have WORDs that are differently sized.

    59. Re:Wha?!?!!! by Scoth · · Score: 1

      I'd guess the intersection between users who require 64-bit Windows on a processor that supports VT-x and users who require the use of 16-bit programs that won't work in a virtualized environment is pretty small. Plus I suspect Microsoft likes the reduction in attack surface in removing all the old cruft, even if it could technically be reworked to run.

    60. Re:Wha?!?!!! by OneSizeFitsNoone · · Score: 1

      It is time to stop painting the open source fantasy as reality. Open source is great in theory but in practice it simply has not delivered outside of a few corner cases.

      Actually the opposite is demonstrably true: http://www.zdnet.com/article/c...
      Coverity finds open source software quality better than proprietary code
      "In 2013, code quality of open-source projects using the Scan service surpassed that of proprietary projects at all code base sizes, which further highlights the open source community’s strong commitment to development testing."

    61. Re:Wha?!?!!! by OneSizeFitsNoone · · Score: 1

      Nope. They didn't find the vulnerability by browsing the source code (almost nobody does that) and they only disclosed it so they could collect the bounty.

      Wrong on both accounts. The bugs were found through a systematical analysis of the code, and no one earned any bounty for doing so.

    62. Re:Wha?!?!!! by Electricity+Likes+Me · · Score: 1

      I'd love to see some example workflows of how you work on something like X - or the kernel, for different classes of bug hunting. It's the type of thing I've always wanted to dive into, but just the thought of trying to get to the stage where I can tweak/run/debug is incredibly daunting.

  2. In before the trolls by Anonymous Coward · · Score: 5, Insightful

    Open Source does not guarantee that all of the bugs will be found, it merely guarantees that all of the bugs can be found.

    1. Re:In before the trolls by sjames · · Score: 1

      It is better because the bugs are more likely to be found and fixed. Note that more likely is not at all the same as 100% likely.

    2. Re:In before the trolls by EETech1 · · Score: 1

      If every version of Windows had a flaw, how many of them could you fix?

    3. Re:In before the trolls by sjames · · Score: 1

      Exactly my point. However small the chance that I will spot and fix a flaw in Free Software, the odds are better than that I will find and fix a bug in proprietary software where I am not even allowed to look at the source.

    4. Re:In before the trolls by grep+-v+'.*'+* · · Score: 1

      Open Source ... merely guarantees that all of the bugs can be found.

      Well it seems like Closed Source "merely guarantees that all of the bugs can be found" by crackers. (NO, they're not hackers.) They seem to do a pretty good job of finding and exploiting problems withOUT any copy of the source for reference.

      (Well, I presume they don't. Maybe Bill Gates has a whole independent second fortune that we don't know about. Or: how DID Ballmer afford to pay $2B for a bunch of guys walking around while bouncing a ball?)

      --
      If the universe is someone's simulation -- does that mean the stars are just stuck pixels?
  3. so much for open source bug discovery being better by Anonymous Coward · · Score: 1

    One of the big claims is because you can't look at closed source code, bugs go undetected for longer.... 1987?

  4. What about XFree86? by halivar · · Score: 1, Funny

    Or is that project even still around?

    1. Re:What about XFree86? by halivar · · Score: 1

      Wow. Never mind. It died in 2008. Y'all, I'm old and time slips by me pretty quick. Sorry.

    2. Re:What about XFree86? by jellomizer · · Score: 1

      Which is too bad.
      I was able to get XFree86 to work on the stuff that autodetect just fails on.
      In particular, my old netbook's 1024x600 monitor, which it wants me to run at 800x600 stretched.

      --
      If something is so important that you feel the need to post it on the internet... It probably isn't that important.
    3. Re:What about XFree86? by Pope+Hagbard · · Score: 1

      X.org started from a fork of XFree86, so it wouldn't make any difference.

    4. Re:What about XFree86? by Trax3001BBS · · Score: 1

      Man, don't scare me. What should i consider "old"?

      It's a state of mind really. I'm 61 and could be called old, hell I get senior discounts now.

      I have no illnesses and feel as well as I ever have, or I could dwell on every ache and pain and start acting like I was 61 instead of a "kid" (say 35 yrs old : } ) still.

  5. Re:so much for open source bug discovery being bet by Etzos · · Score: 1

    While many people seem to say that, I don't believe that's the actual claim. I think the claim is that it's easier to find bugs in free/open source software because the code can be read by everyone. That is, it's more likely that if there is a bug it will be found and fixed. While that may imply, to a certain degree, that bugs can go undetected for longer in closed source software it certainly doesn't state it outright. And in large code bases like X.org it's hard to imagine that old pieces of code that haven't been looked at in a long time wouldn't have some rather large vulnerabilities. At least now some of them have been found and patched.

    Plus I think it's also important to think about it from this angle: Do you have any examples of closed-source software that has been in use since 1987 that hasn't had any bugs discovered recently?

  6. So what does it affect? by armanox · · Score: 2

    So, what exactly is impacted here? Are all X11 implementations affected, or just XFree86 and X.org? I'm seeing SGI sources listed as impacted, which would point to any X11 implementation that uses GLX being impacted (including Xsgi on my IRIX systems), and seeing the age of the bug, I would imagine it would be more proper to point to things based on XFree86 rather than X.org. People forget that X11 is bigger than X.org, and the X.org team wasn't always the only game in town (if they didn't have a monopoly we wouldn't be arguing about Wayland....).

    --
    I'm starting to think GNU is the problem with "GNU/Linux" these days.
    1. Re:So what does it affect? by sjames · · Score: 1

      Since the code that had the vulnerability was originally reference code, it is quite possible (but not known) that proprietary implementations also have the bug.

    2. Re:So what does it affect? by hansot · · Score: 1

      It was a while ago (more than 20 years!), but I am certain that we fixed most of the issues described in CVE-2014-8092 and CVE-2014-8095 when porting X11R4, and we did report those bugs to the X Consortium (actually a precursor of Xorg.)

      I am also quite sure that the large companies (Sun, SGI, maybe IBM) also fixed and possibly reported those bugs. I can only conclude that the software engineering practices of the X developers were a bit sub-standard, even for those days, and it also makes me quite suspicious about the way of working of the present OpenDesktop and Xorg developers.

      I have a strong impression that they are more focused on development of Wayland anyhow. And that is not a good thing...

    3. Re:So what does it affect? by armanox · · Score: 1

      Mind if I ask which porting project you were a part of? There used to be quite a bit of X11 implementations.

      --
      I'm starting to think GNU is the problem with "GNU/Linux" these days.
    4. Re:So what does it affect? by hansot · · Score: 1

      For Sony NEWS, a fairly short-lived product. The workstations were initially based on Motorola 68K, later on MIPS R3000 and up. The OS was 4.3 BSD in the beginning, later also SVR4. The X ports were quite straightforward, mostly adaptation to hardware and fighting the compiler (slightly quick-and-dirty PCC based). And of course the bugs we found in X itself.

  7. Re:so much for open source bug discovery being bet by jellomizer · · Score: 3, Insightful

    Zealots are deniers.
    The problem is there are enough vocal Zealots to proclaim that how a product is licensed somehow makes it superior/inferior to another.
    But in general the more confident you are in your product's superiority, the more problems you ignore or don't bother looking for.

    --
    If something is so important that you feel the need to post it on the internet... It probably isn't that important.
  8. Re:so much for open source bug discovery being bet by king+neckbeard · · Score: 1

    The manner in which you state it seems far more common in strawman arguments than the actual arguments being made. Most claims regarding FOSS security are rooted in averages in situations with all other factors being roughly equal.

    --
    This is my signature. There are many like it, but this one is mine.
  9. Re:Wha?!?!!! Yup, you betcha! by mmell · · Score: 1

    That's why most respectable Linux administrators don't run X on servers. Most of us just turn off that pesky GUI so that we can get work done.

    I don't suppose M$ has some kind of command-line mode for their servers? Some sort of Disk Operating System which could be used to provide a runtime environment for applications and services without requiring the use of a large, resource-hogging graphical interface which (as has been pointed out) is a great place to find exploitable code.

    It's proprietary code! Surely the vendor has the most noble and idealized motives in making sure their code's not merely good enough to sell, it's actually good, with highly trained and competent professionals dedicated to ensuring their customers' safety after they take the money.

  10. Re:from TFA by crow · · Score: 2

    Doesn't prohibiting network connections to the X server rather defeat one of the major features of X?

    Granted, I think I usually am tunneling my X connections through ssh, so perhaps this doesn't apply as widely as it did a few years ago.

  11. X11? by MMC+Monster · · Score: 1

    Just to clarify, if we use X10 we're good?

    --
    Help! I'm a slashdot refugee.
    1. Re:X11? by fnj · · Score: 1

      Wait til you see X12.

  12. Re:from TFA by morgauxo · · Score: 1

    I USE remote X connections. Mostly over the LAN.

  13. Re:from TFA by Uecker · · Score: 1

    Yes, most Linux distributions seem to have used -tcp nolisten for quite a while. ssh -X still works fine and is very useful (IMHO).

  14. Re:from TFA by Uecker · · Score: 1

    Why can't you use ssh -X ?

  15. Re:OpenBSD comes to the rescue by bluefoxlucid · · Score: 2

    They are, in fact. It's just that you can still gain access to your non-privileged X server, and have access as the user running X. You can then make it run any shellcode you want, or return to libc and run some shell commands (doesn't require writable/executable memory this way), thus allowing for injection of a local privilege escalation attack or some sort of information leak (e.g. concurrent brute forcing of passwords). In the most basic case, landing as the non-privileged X user allows you to inspect your own processes, i.e. the X server itself, and keylog and harvest passwords.

  16. Re:OpenBSD comes to the rescue by Uecker · · Score: 1

    Yes.

  17. Re:Wha?!?!!! Yup, you betcha! by lgw · · Score: 4, Interesting

    MS has had a fully-supported "no GUI" server option since Server 2012, but it has been possible to admin CLI-only, without 3rd-party add-ins, since 2008 (though the GUI would still be running; if you don't provide remote access to it, it might as well not be), and with 3rd-party add-ins since 2003.

    However, managing multiple Windows servers is more about group policy than logging into any servers, GUI, CLI, or carrier pigeon. I've worked with management systems for 1000s of Windows servers, and the only reason you'd ever log into a server is to recover if something went horribly wrong with a new deployment, and you wanted to find out why (to debug your deployment - just recovering the server was automatic).

    --
    Socialism: a lie told by totalitarians and believed by fools.
  18. Re:from TFA by LordThyGod · · Score: 1

    Yes, most Linux distributions seem to have used -tcp nolisten for quite a while. ssh -X still works fine and is very useful (IMHO).

    Very long time. Most typical server installations don't even install X, so if you are wanting to exploit this, you are going to have to look really hard for somebody on your LAN running an ancient distro who's disabled the firewall and other remote auth stuff.

  19. Re:from TFA by skids · · Score: 1

    These days for heavy remote X use you use stuff like Xpra, also over SSH, as it can leverage hardware encoders which the X protocol didn't have at its disposal back when it was designed.

  20. News at 11!!! by sl3xd · · Score: 4, Informative

    Anybody who's really looked at security around X11 has known for decades that it isn't that great.

    I even remember that as recently as a year ago, ATI's drivers specifically tell you to use "xhost +" to enable GPU compute jobs using ATI devices, which resulted in a lot of "LOL NOPE" in the HPC industry. (It's trivial to root a machine that has had "xhost +" executed inside an X11 session.)

    X11 having critical security holes should surprise no one. There's a reason internet-facing servers don't have X11, and it's not just because you don't need a GUI sucking up resources.

    On the other hand, I'm thoroughly grateful that somebody decided to do something about it.

    --
    -- Sometimes you have to turn the lights off in order to see.
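
The comments above on `-nolisten tcp`, `ssh -X` and `xhost +` boil down to four questions an administrator can answer from a shell. The script below is an added example by the editor, not part of the thread and not X.Org tooling: it reports whether an X server is reachable over TCP (display :N listens on port 6000+N), whether Xorg was started with `-nolisten tcp`, whether the display is in the wide-open state that a bare `xhost +` leaves behind, and whether a startup script contains such a bare `xhost +`. The `ss` and `xhost` output fed to the functions are constructed samples, and the function names are the editor's own.

```shell
#!/bin/sh
# Added example (editor's, not from the thread or from X.Org): audit helpers
# for the exposures discussed above. Function names are the editor's own.

# X display :N accepts TCP clients on port 6000+N. Given the output of
# `ss -H -ltn`, print "port :display" for every listener in 6000-6063;
# exit status 0 if any were found, 1 otherwise.
x_tcp_listeners() {
    printf '%s\n' "$1" | awk '
        { p = $4; sub(/.*:/, "", p); port = p + 0
          if (port >= 6000 && port <= 6063) { print port, ":" (port - 6000); found = 1 } }
        END { exit found ? 0 : 1 }'
}

# Given the Xorg command line (ps -o args= -C Xorg), succeed if the server
# was started with "-nolisten tcp", which is what most distributions do.
xorg_nolisten_tcp() {
    case " $1 " in
        *" -nolisten tcp "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Given the output of `xhost` with no arguments, succeed if access control
# is disabled, i.e. the state a bare "xhost +" leaves the display in.
xhost_open_to_all() {
    case "$1" in
        "access control disabled"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print every line of the given files that runs a bare "xhost +" (a scoped
# argument such as +si:localuser:NAME is not flagged); exit 0 if any found.
scan_for_xhost_plus() {
    grep -nE '^[[:space:]]*xhost[[:space:]]+\+[[:space:]]*(#.*)?$' "$@"
}

# Live use on a real host (commented out so the file runs without X):
#   x_tcp_listeners "$(ss -H -ltn)"
#   xorg_nolisten_tcp "$(ps -o args= -C Xorg)"
#   xhost_open_to_all "$(xhost 2>/dev/null)"
#   scan_for_xhost_plus /etc/X11/Xsession.d/* "$HOME/.xinitrc" "$HOME/.xprofile"
```

A listener on 6000-6063 with no `-nolisten tcp` on the Xorg command line means the protocol-parsing code in the advisory is reachable from the network, not only from local clients; a bare `xhost +` means any client that can reach the display at all gets in without a cookie, which is the situation the HPC anecdote above is about. `ssh -X` needs neither: the forwarded display is a local socket on the remote side and an authorised cookie on yours.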
  21. Re:from TFA by jedidiah · · Score: 1

    Temporarily disabling a feature is not the same as permanently doing so. It's like saying that you always need to run as root. You don't. You only need to enable root level access when it's actually needed. The same goes for outward facing network services.

    Similarly MacOS doesn't enable the ssh server by default.

    --
    A Pirate and a Puritan look the same on a balance sheet.
  22. Guess I'm finally goinna have to update to X11R5 by anonymous_wombat · · Score: 1

    I hope this isn't going to happen every 24 years.

    Just tell me that Motif is still safe.

  23. Re:Time to stop adding features, and audit instead by toonces33 · · Score: 1

    That's not a problem that is unique to Linux however. Many commercial products have the same issues - the marketing and planning people want new features as that helps them sell upgrades and maintenance, and in the past those sorts of things were prioritized higher than things like a security audit which management concluded weren't something that one could sell.

    It is only when customers demand security audits of the products that they buy that this will change.

  24. Re:wayland by unixisc · · Score: 1

    I am interested in Wayland, but the question is - if the same people who wrote X11 are now writing Wayland, why would we trust Wayland to be any better, or not have the same bugs? Are the bugs related to X's remote access, which Wayland dumps for RDP/VNC?

  25. Re:Famous for the opposite... by Alomex · · Score: 2

    Windows 7 was the product release of the beta version otherwise known as Windows Vista.

  26. Re:from TFA by armanox · · Score: 1

    I commonly use XDMCP because it's simply easier and faster for a handful of the systems I work with (given, the SGI's are quite slow by today's standards...). Also trying to explain that to some Windows people when they insisted they needed to install Oracle DB on Solaris systems (they wanted me to tell them how to get a remote GUI on Solaris 9 and 10) it was far easier to point them to XDMCP.

    --
    I'm starting to think GNU is the problem with "GNU/Linux" these days.
  27. Re:Guess I'm finally goinna have to update to X11R by armanox · · Score: 1

    Well....I would stick with OPEN LOOK just to be sure.

    --
    I'm starting to think GNU is the problem with "GNU/Linux" these days.
  28. Re:Xorg? by ChunderDownunder · · Score: 1

    a Start menu, didn't Microsoft remove that for security reasons?

  29. Re:wayland by OneSizeFitsNoone · · Score: 1

    None of the people who designed and coded X11 in the eighties are now busy on Wayland, that I know of.

  30. Re:so much for open source bug discovery being bet by jellomizer · · Score: 1

    Well, if the new radios are smaller, lighter and do not need to be repaired (better components, less moving, or parts that can move...), and offer near identical sound, then yes, your old radio is inferior to the new one.

    --
    If something is so important that you feel the need to post it on the internet... It probably isn't that important.
  31. I just wish by kilodelta · · Score: 1

    Ubuntu would fix the X.org problems in their latest version. Nothing like the GUI locking up and then going into a command prompt and seeing xorg sucking up all the system resources.

  32. Re:Wha?!?!!! Yup, you betcha! by mmell · · Score: 1

    Who said I was respectable?