Slashdot Mirror


User: jeffy124

jeffy124's activity in the archive.

Stories: 0
Comments: 1,403

Comments · 1,403

  1. how much you wanna bet.... on LindowsOS Softens Microsoft-Compatibility Claim · · Score: 1

    ...that MS threatened infringement or something like that over using the phrase "Microsoft" or "Windows" in the advertising of LindowsOS?

  2. Re:24 is nice... on Apache 1.3.26 and 2.0.39 Released · · Score: 1

    you're darn right about that. Apache users with Windows seem to require direct access to a binary as opposed to the source, meaning that "patch" published by ISS, regardless of correctness, was useless to the majority of Windows users. This was among the reasons Apache went to CERT with their info before going public.

    You're also right in other post that Apache flaws are few and far between....

  3. Re:24 is nice... on Apache 1.3.26 and 2.0.39 Released · · Score: 1

    well, there's something called providing ample time. We don't know how long Apache/CERT knew about the flaw. Apache probably already had the patch ready to go, just wanted to make sure vendors that redistribute Apache (i.e., Red Hat, Suse, etc) were aware of the flaw and had a copy of the update before going public with it.

    But the point of the matter here was that ISS gave Apache virtually no time whatsoever before going public (something like less than two hours), on top of that, going public with a bad patch and incomplete (or incorrect) information.

    You are correct however, that turnaround time is much faster in open source systems than closed source because of all the extra CYA stuff that has to take place. It always amazes me that someone would embarrass themselves by giving a company less than a day before going public with a flaw, or make no contact at all. Microsoft asks for 14 days, but I personally feel that 7 is sufficient, even for MS.

  4. 24 is nice... on Apache 1.3.26 and 2.0.39 Released · · Score: 5, Insightful

    ... but it certainly would've been better if ISS had allowed it, or even written up a proper patch or given the right info on who's vulnerable.

    Personally, their argument about not contacting the Apache Foundation because some of them work for Red Hat is complete bullshit, plus the fact that they could've contacted CERT about it instead. CERT would've made sure RH didn't take credit, since that's among ISS's fears, and also would've told them that the issue was known and being worked on.

  5. Re:Someone will get this right.... on Yet Another "Last Mile" Option · · Score: 1

    well, being that it's the FCC looking into licensing it, it may not be more than a few years before ISPs provide it to home users.

  6. Re:They left out an important issue -- open source on Why (Most) Software is so Bad · · Score: 2, Insightful

    Well, that IS how they teach people to do it in college...

    Any school that does that should lose their accreditation. Reality is that no school does that nor would any teacher advocate that. The key idea is teaching the student the difference between a compiler error (i.e., missing semicolons) vs. a run-time error (adding 1 instead of subtracting 1).

    I'm in college now (will be a Senior in September), the freshmen are taught C++, and one of the first few lab sessions involves being given some short code (written by the prof) that compiles correctly, yet contains a logic bug of some sort. Likewise, the textbook contains a discussion along similar lines, including that famous quote from MIT that says something to the effect of "We were amazed by how often we had to go back and fix errors in code that we wrote."

  7. screams of hoax to me.... on Bell Dethroned as Telephone Inventor · · Score: 3, Interesting

    This sounds like a possible hoax to me. Too many odd questions surround this story -- Since when does Congress make rulings on who properly holds a patent/invention? Isn't that something for the court system? Why is it I cannot find this story at other sites? And why is the one with the story an Australian site, why hasn't the US press picked this up? Hence, I think it's a hoax.

  8. whad'ya mean, Slashdot's favorite? on Laser Beam Teleported · · Score: 1

    Didn't you read the disclaimer?

    This whole thing is wildly inaccurate. Rounding errors, ballot stuffers, dynamic IPs, firewalls. If you're using these numbers to do anything important, you're insane.

  9. Re:Classic Microsoft Quotes in the Article on Software Product Liability? · · Score: 1

    actually, MS already has some type of driver certification program for Win2k (and probably WinXP), but this doesn't stop the user from installing uncertified drivers -- the user simply is shown a dialog warning them that the driver is uncertified.

  10. Re:So what's your point? on McAfee Manufactures Virus Threat · · Score: 1

    my point was to counter the statement by michael saying that data is not executable code, but that specially formed data can be treated as code in certain circumstances. hence, one can embed code in a data file in such a manner that it takes advantage of an anomaly in the program used to process the data.

    virus or not, it's something michael wasn't thinking about when he said what he did about data and code.

  11. Re:well.... on McAfee Manufactures Virus Threat · · Score: 1

    funny you bring up that link. i'm doing research on security flaws and am going through bugtraq's archives, mining for vulnerable software. i saw that message this morning unfortunately after I made that post

  12. Re:well.... on McAfee Manufactures Virus Threat · · Score: 1

    *sigh* as I stated elsewhere in the thread, I didn't restrict myself to just JPEGs. I specifically stated in my post "other data files"

    also, Netscape 4.7 (as stated in this thread by others) had an overflow in jpeg image processing, and was vulnerable on just about every platform they target. Granted, the exploit would be different on each platform, but it would not be too difficult to pull off mass infection through posting an infected jpeg on a popular website.

  13. Re:Half hour class? on McAfee Manufactures Virus Threat · · Score: 1

    let's not - i'm not the gambling type.

    i've had discussions with co-workers about such a concept. one guy said he'd do it himself, if it weren't illegal. Nevertheless, we're hoping someone will start such a worm just to drive the point home to people about attachments.

  14. Re:7 pm CET ??? on EBone/KPNQwest Network Shutting Down · · Score: 1

    i agree. GMT should be used for such issues as it's universally recognized.

    Complicating things in the US -- *ST/*DT. Eastern/Pacific/etc Standard and Daylight Time. And then there's Indiana that doesn't observe daylight savings for farming related purposes. Please don't ask for explanation, I don't know it other than the difference pertains to daylight savings.

  15. Re:well.... not really on McAfee Manufactures Virus Threat · · Score: 1

    read my post. I said "or other data/multimedia files." Meaning I didn't restrict myself to just JPEGs, even if overflows in JPEGs are tough to come by. Also, Netscape once had an overflow in a comment header field in their image processing.

  16. Re:well.... on McAfee Manufactures Virus Threat · · Score: 1

    first, read this post, elsewhere from this thread. Pay attention to the point made about unexpected data.

    second -- I NEVER restricted myself to just JPEGs, as I said any data file.

    third -- There ARE dimwit programmers out there, and they do fail to check array bounds when processing data, making buffer overflows possible anywhere, especially C code because C doesn't automatically check bounds.

    fourth -- Netscape had a buffer overflow in image processing once, Winamp had an overflow in processing of ID3 tags embedded in mp3 files, IIS had an overflow in processing of .ida parameter data. I'll stop there, as the list would literally have thousands if I were to research it thoroughly.

  17. Re:Half hour class? on McAfee Manufactures Virus Threat · · Score: 1

    i'm still waiting for the "This is a virus -- Do Not Open It.exe" worm to start appearing in my inbox. The moment something like THAT goes around is when I think people will start to get the real message, or maybe MS will get the message about executable content in emails. Of course, Outlook XP refuses to send executable files w/o confirmation from the user, and won't allow opening/copying to disk of executable attachments (it actually hides it). Of course, place such a file in a zip archive and you're all set.

  18. Re:well.... on McAfee Manufactures Virus Threat · · Score: 1

    really? this is the perfect real-life example my post needs. got a link to a story about that by any chance?

  19. Re:well.... on McAfee Manufactures Virus Threat · · Score: 1

    doesn't matter if it replicates itself, my point is that it's possible to put executable code into a data file and have it do bad things to your machine (even under Linux, though it would be limited damage). Besides, one could put the replication in with the opening of the backdoor.

  20. Re:well.... on McAfee Manufactures Virus Threat · · Score: 1

    take my example above. that can carry over to any OS, not just Windows. Though I wouldn't be surprised if an MS program becomes the first victim.

  21. Re:well.... on McAfee Manufactures Virus Threat · · Score: 3, Insightful

    bad reasoning. you cannot assume that there aren't any overflows in code. Take MS recently. Before releasing WinXP, they say they weeded out all the overflows. Then UPnP's hole was exposed -- a buffer overflow.

    also, i didn't restrict myself to just JPEGs. Note that I said any other data file.

    Lastly, the recent security vuln in the zlib library (last March) was also such an example. The decompressor assumed normal data (i.e., data made using the compressor half of zlib), and as a result specially formed "compressed" data could exploit the hole, segfaulting the program using zlib.

  22. well.... on McAfee Manufactures Virus Threat · · Score: 4, Insightful

    say an attacker knows you use a certain program to view JPEGs, or other data/multimedia files. This attacker knows that certain program contains a buffer overflow, and how to exploit it. The attacker can assemble a specially formed file that exploits the overflow and opens a backdoor on your machine, granting himself some level of access to your computer (most likely user level access). Combined with knowledge of a local root hole, the attacker now has root access to your machine (ie, he 0wns j00). The attacker delivers this specially formed file to you in some manner (email, webpage, etc).

    Suddenly, this "data" file is now containing a virus, isn't it?

  23. Re:We've been trolled..... on EBone/KPNQwest Network Shutting Down · · Score: 1

    *sigh* try to make a *correction* to a post and got Overrated. and michael quietly fixed it w/o acknowledging the update.

  24. We've been trolled..... on EBone/KPNQwest Network Shutting Down · · Score: 0

    The article says 1700 CET, the poster said 7pm CET. Either (a) the poster trolled or (b) doesn't understand conversions from 24-hour format. It'll shut off at 5pm CET, 4pm GMT, 11am EDT, 8am PDT.

  25. Re:7 pm CET ??? on EBone/KPNQwest Network Shutting Down · · Score: 1

    as long as it's more accurate than North America's Central Time (often referred to as US CT). In Canada, it's accurate as they have the Atlantic TZ on their east coast, but in the US there is no Atlantic TZ, making the US Central TZ not so central.