Attack Code Found For Recent Windows Bug 184
CWmike writes "Just a day after downplaying the vulnerability that caused it to issue an out-of-cycle patch last week, Microsoft warned customers late yesterday that exploit code had gone public and was being used in additional attacks. 'We've identified the public availability of exploit code that now shows code execution for the vulnerability addressed by MS08-067,' said Mike Reavey, operations manager of Microsoft's Security Response Center, in a post to the MSRC blog. 'This exploit code has been shown to result in remote code execution on Windows Server 2003, Windows XP, and Windows 2000.'"
Re:Hmmm... (Score:2, Interesting)
Wikipedia seems to think that its a good idea. :P
Re:Hotpatching (Score:4, Interesting)
>And if you were MS, is that something you would want to support?
If you were MS, and wanted to brag about 5 Nines uptime, wouldn't you design the patch so you didn't have to reboot production servers once a month?
Glad I spent all weekend patching, now that the exploit has escaped.
the droning *gong* of microsoft cracks (Score:4, Interesting)
This is like a droning gong.
*Gong* Bring out your dead *Gong* Windows is insecure *Gong* Bring out your dead *Gong*
It seems to me there is a fatigue that sets in regarding unpleasant information. How many times does one have to hear a thing, especially an unpleasant thing they don't want to hear, before that person stop listening to it? This happens to me at least. We see this (as a parallel) in politics all the time, when we're told this guy or that person broke the law. Its like a background din you have to tune out to get through the day.
It's made worse because there is no solution.
For the user of windows, there is nothing they can do about the fundamental insecurity that leads to repeated, consistent, and regular security updates like this. The only option is to change OS, which if you're the average computer user, that is not an option without significant expense. It's unpleasant to hear that crackers are breaking into computers and turning them into zombie swarms of attacking botnets. Hear the same bad thing enough times, eventually people stop listening.
I was fortunate: my windows laptop was stolen in 2004 and I made the switch, and now use Mac and Linux now exclusively. Not that Mac is any panacea - I still can't stand Finder, I think it is awful, and curse it every time I need to move a few files to some other folder on another drive (usually I just use "mv"). BUT at least I'm not forced to start ignoring serious security threats that I can't prevent or address effectively. (I don't consider a long series of "After the crack" patches effectively addressing the problem)
Re:Hotpatching (Score:5, Interesting)
If you were MS, and wanted to brag about 5 Nines uptime, wouldn't you design the patch so you didn't have to reboot production servers once a month?
5 nines is ~5.3 minutes downtime per year
You don't acheive that with a single Linux box either, unless you simply aren't keeping it up to date, even if you manage to avoid 'rebooting it' you are still going to have serious trouble reliably preventing 'unavailability of services' from reaching 5.3 minutes over a year.
It takes either a mainframe or a cluster to reach 5 9's with any reliability. Windows doesn't run on a mainframe, and if you have cluster, a few scheduled reboots now and then don't result in any downtime, since you don't have to bring the entire cluster down.
So your argument really doesn't apply.
Re:Hotpatching (Score:3, Interesting)
No, I've managed to have a single Linux box reach 99.999%. It's mostly a matter of not updating the kernel; everything else can be upgraded monthly with ~15 seconds downtime, for an average of ~3 minutes annually.
Vista rulez... (Score:2, Interesting)
Seriously, this is only really gonna be a problem to someone connecting on dialup and it's gonna take so fucking long to send the information that the person running the exploit is most likely to have died from old age before they get anything worth a toss.
Re:Hmmm... (Score:4, Interesting)
I've run Ubuntu on a Dell Inspiron 9400 laptop for over a year without a single lockup.
Now, I also run VirtualBox and Windows XP under that. *That* has locked up several times. So if that's what you mean, I agree.
Re:Hmmm... (Score:1, Interesting)
Open source projects are the worst when it come to fixing problems. Nothing but a bunch of arrogant (not that they are skilled enough to truly be) developers who refuse to believe that anything they worked on has a problem.
Firefox memory leak - check
GIMP poor user interface - check
Pidgin forced size chatbox - check
Ubuntu general instability - check
There are plenty of other examples, but those are some of the most prominent and they still have yet to be fixed.