Slashdot Mirror


User: Derek+Pomery

Derek+Pomery's activity in the archive.

Stories: 0
Comments: 1,051

Comments · 1,051

  1. Re:Spreading FUD in a submission about FUD on Security FUD On Linux · · Score: 1

    You have remarkable confidence that all interactive services are fixed.
    So this implies you *know* there are no exploitable holes in Norton Antivirus, McAfee disk tools, or countless monitors and workstation control applications that need higher privileges to avoid being taken down by an underprivileged user?
    Any service which needs sufficient privileges is a danger. Not to mention the fact that many are installed with those by default, whether they need them or not.

    I'm sticking with label of pervasive since the number of applications that *don't* interact are quite rare in Windows, as opposed to Linux. Services are a fairly small subset and quite tightly controlled in comparison.

  2. Re:Spreading FUD in a submission about FUD on Security FUD On Linux · · Score: 1

    You are correct in part. There is little helping the ignorance of the Slashdot Windows defenders.
    They are clearly incapable of even reading a Microsoft security bulletin which describes this.

    I say in part because there are a great many messages. It isn't just due to textboxes. It could be a message to open a file, or change some value inside the program.

  3. Re:Spreading FUD in a submission about FUD on Security FUD On Linux · · Score: 1

    Yo. Mad Mirko. Please read my response to him first, as well as my response to you. Thanks.

  4. Re:Spreading FUD in a submission about FUD on Security FUD On Linux · · Score: 1

    My point was, as explained in the article, which you clearly have not read, or at least not comprehended, the exploit was an example of a "Shatter" attack - a general class of exploits taking advantage of the fact that almost all Win32 apps out there use Windows Messaging without validating who sent the message.
    Thus, these apps are exploitable in a number of ways. This is one patched example. There are undoubtedly many many more unpatched because the fundamental flaw has not been repaired - I would go so far as to say it *can't* be repaired since it is inherent to the model used.

  5. Re:Spreading FUD in a submission about FUD on Security FUD On Linux · · Score: 1

    I'd imagine, last I checked I saw this in a CERT search.

    Researcher: Windows flaw remains
    July 11, 2003

    A class of attacks that allows a person to take control of any PC or server could leave computer systems in corporations and Internet cafes vulnerable to attack, a researcher says.
    Dubbed "shatter" attacks last year, the class of security hacks uses the Windows messaging system to request that insecure but privileged applications run malicious code. The Windows messaging system is the medium through which applications and the Windows operating system communicate with each other. (from CNET)

  6. Re:Spreading FUD in a submission about FUD on Security FUD On Linux · · Score: 1

    No, haven't looked for one. It is entirely possible XP is unaffected due to this hole being patched or XP simply using different software.
    I am unaware, though, of XP having fixed the problem of unchecked Windows Messages.

    I don't think they can, either. It would undoubtedly break at least some backwards compatibility.

  7. Re:Spreading FUD in a submission about FUD on Security FUD On Linux · · Score: 1

    You didn't read the article, did you? I'd also suggest searching for more information on Google regarding this flaw in Windows Messaging.

    This hole, which has been around for ages, is part of the design of Windows messaging. It allows *any* unprivileged process to send messages to a privileged process, without checking.
    Thus, no administrator password needed.

    Speaking of uninformed... It seems every Windows security story brings out people who feel the need to defend Windows at any cost.

  8. Re:Spreading FUD in a submission about FUD on Security FUD On Linux · · Score: 1

    No, this is a completely valid complaint. Windows Messaging was simply designed wrong. It does no verification of which process sent the message.
    Thus, there is a pervasive and *unremovable* hole in Windows design.
    Furthermore, while you can do careful message checking, you can't guarantee some base class in the Windows libs you are doing is catching the evil message.

    I'm aware many daemons are exploitable, but I am unaware of an equivalent for this in Linux.

  9. Re:Spreading FUD in a submission about FUD on Security FUD On Linux · · Score: 4, Insightful

    That's no help at all if arbitrary users can elevate themselves to administrator privileges. NT-XP is fundamentally broken. Maybe the next version of Windows will solve this design problem, but I doubt it.

    This hole exists and actually has working exploits.

  10. Re:Flash, I wish, give me a break on Transmeta Founder Talks Chips · · Score: 1

    6 times faster? Try 1000 times.
    http://www.eetimes.com/semi/news/OEG20031027S0048

  11. Re:So are IBM... on IBM Puts Pressure On SCO · · Score: 1

    That'd be great except they set up the situation by which they would profit a long time in advance, too.

  12. Re:imho on Dispelling the IPv4 Address Shortage Myth · · Score: 0

    yes, I have unique underscore dyslexia.
    time_t

  13. Re:imho on Dispelling the IPv4 Address Shortage Myth · · Score: 1

    So, who here is still using an int for a timestamp instead of a timet?
    When time comes, we'll just change the typedef for a timet.

  14. Re:It's not like viruses ever mutate on U.S. Continues Biological Warfare Research · · Score: 1

    Yes. In fact. As pointed out, viruses mutate.
    Your example only works if people know IL-4 in a particular form is manmade.
    If no one knows, it would be assumed natural mutation.
    Not only that, most early work in viruses *was* using natural mutation.
    Amusing comparison. GE crops are feared for some odd reason in certain parts of the world. Solution? Same pesticide resistances bred through natural means. Mother nature throws in the joker herself.
    I'm not claiming a conspiracy, just that it would be feasible.

  15. Re:It's not like viruses ever mutate on U.S. Continues Biological Warfare Research · · Score: 1

    When someone sets off a nuke it is obviously an act of war.
    Viruses can be claimed to be natural.
    Also, nukes have the disadvantage of irradiating or destroying things military might want. Viral, even non-lethal, just incapacitates the fighting force. I can see reasons U.S. would use. Heck, they may have already - who knows?

  16. Re:This isn't just about inefficiency of cars. on 4 Tons Of Plants per Mile to Ride In Your Car · · Score: 1

    Why use forests?
    Why not a gigantic floating farm of blue-green algae?

    There's way more ocean surface, and you don't need to hassle with cutting down trees.

  17. Re:Agricultural waste on 4 Tons Of Plants per Mile to Ride In Your Car · · Score: 1

    Yeah, I have no doubt that while that makes a cool catch-phrase, if we do go biofuel, there are more efficient ways than agricultural waste. Could devote whole fields to plants.
    Screw hydrogen. We have an efficient means of collecting and distributing solar power with no change to existing infrastructure.

  18. This isn't just about inefficiency of cars. on 4 Tons Of Plants per Mile to Ride In Your Car · · Score: 4, Insightful

    But also about inefficiency of natural fossil fuels.
    Key Fact.
    Since only about one-10,750th of the original carbon in ancient plant material actually ends up as oil, multiply 4.14 kilograms by 10,750 to get roughly 44,500 kilograms of carbon in ancient plant matter to make a gallon of gas.

    google cache of old-news biofuel breakthrough

    Note they are claiming they can eliminate dependence on oil importation with agricultural waste alone. No other cultivation necessary.
    And the point is. Once we use the biofuels, we are in the carbon cycle. No more pumping carbon out of the earth.

  19. Re:Nice, timely review - the book is out of print on Build Your Own Database-Driven Website · · Score: 2, Informative

  20. Well, at least the conspiracy theorists... on Photographer Fired For Digitally Altering Photo · · Score: 1

    Know when and where.

    Original caption: A Palestinian child throws a stone at an Israeli tank on a road at the Palestinian Daheisheh refugee camp on the outskirts of West Bank town of Bethlehem 02 July 2002. Israeli Foreign Minister Shimon Peres told delegates at the Labor party convention in Tel Aviv, that he doubted that the planned Palestinian elections can take place while the Israeli army remains in the territories. "I am not sure the Palestinians can have elections while the army is in the territories and I don't see the army coming out of the territories if there is still terror." The Israeli army entered the self-rule West Bank territories over a week ago in Operation Determined Path. AFP PHOTO/Musa AL-SHAER

  21. Re:You know, there's not exactly a shortage of roc on Photographer Fired For Digitally Altering Photo · · Score: 1

    nope...
    http://pro.corbis.com/popup/enlargement.asp?USAU=0&Area=search&fdid=&mdid=13188085&qsPageNo=8&lvl=
    nope...
    http://pro.corbis.com/popup/enlargement.asp?USAU=0&Area=search&fdid=&mdid=13198454&qsPageNo=23&lvl=

    Bingo.
    http://pro.corbis.com/popup/enlargement.asp?USAU=0&Area=search&fdid=&mdid=14219059&qsPageNo=25&lvl=

    Unfortunately, this is the retouched version. :-/

  22. You know, there's not exactly a shortage of rocks on Photographer Fired For Digitally Altering Photo · · Score: 1

    Being thrown at Israeli tanks. Why fake it?
    My explanation fits the evidence, the smaller photo I linked to, and the shadows on the ground.
    It also appeals to Occam's razor.
    But, still searching.

    nope...
    http://pro.corbis.com/popup/enlargement.asp?USAU=0&Area=search&fdid=&mdid=14043116&qsPageNo=1
    nope...
    http://pro.corbis.com/popup/enlargement.asp?USAU=0&Area=search&fdid=&mdid=14043116&qsPageNo=1
    nope...
    http://pro.corbis.com/popup/enlargement.asp?USAU=0&Area=search&fdid=&mdid=14270300&qsPageNo=2
    nope...
    http://pro.corbis.com/popup/enlargement.asp?USAU=0&Area=search&fdid=&mdid=14362460&qsPageNo=1&lvl=

  23. Re:Here is a quick image analysis quiz on Photographer Fired For Digitally Altering Photo · · Score: 1

    Pasting the boy in isn't an enhancement :-P

  24. Re:Here is a quick image analysis quiz on Photographer Fired For Digitally Altering Photo · · Score: 1

    That it is, but I think it is fairly clear the tank underside is darker.

    And that the boy exists in that one too.

    I suspect two definitive courses of action.
    One: subscribe to AFP, or find someone who does, and look up original photo based on date.

    Two: contact Musa al-Shaer
    http://snapshots.palestinechronicle.com/snapshots.php?view=photographers

    In any case, I stand by the fact that some attempts at enhancement triggered a whole BBS full of conspiracy spinning.

  25. Re:Here is a quick image analysis quiz on Photographer Fired For Digitally Altering Photo · · Score: 1

    I never claimed they were intelligent photo editors.

    But try looking around for the original photo online before claiming the boy was added in.
    I did link to one copy of it - unfortunately resized a little smaller.

    As for the colour change, well, that's a result of a lightening.
    Don't see the smudges to which you're referring, but there's no reason they wouldn't have smeared things while trying to enhance the original photo.