Please create an account to participate in the Slashdot moderation system

 



Forgot your password?
typodupeerror
×
Microsoft Operating Systems Security Software Windows

Microsoft Sits on Security Flaw for Six Months 741

pmf writes "Yet another critical vulnerability affecting Windows 2000/XP/2003 has been just announced by eEye. It is worthy to note, that it took Microsoft over 6 months to fix it. The bug affects ASN.1 library and is remotely exploitable through authentication subsystems (Kerberos, NTLMv2) and applications that make use of SSL certificates." The AP has an overview.
This discussion has been archived. No new comments can be posted.

Microsoft Sits on Security Flaw for Six Months

Comments Filter:
  • by jwthompson2 ( 749521 ) * on Tuesday February 10, 2004 @04:13PM (#8241806) Homepage
    U Can't Trust This
    By: MCSE Hammer

    Blaster did ya some harm
    We just say, hey, another worm
    But thank you, for trusting me
    To mind your site's security
    It's all good, when your server's downed
    Our dope PR will pass blame around
    Cuz it's known as such
    That this is some software, you can't trust

    I told ya Homeland
    U can't trust this
    Yeah that's why we're giving ya the code
    U can't trust this
    Check out eEye, man
    U can't trust this
    Yo let 'em bust more funky system
    U can't trust this

    Give 'em a string or recvfrom
    Like no sweat they got the keys to your kingdom
    Now ya know
    You talk about eEye, you're talking about holes
    Remote and tight
    Coders still sweating so someone better write
    A book to learn
    What it's gonna take in '04
    To earn some trust
    Legit, either secure or ya might as well quit

    That's the word because you know
    U can't trust this
    U can't trust this
    • by Anonymous Coward on Tuesday February 10, 2004 @04:37PM (#8242132)
      U Can't Root This
      By: MC GNU/Hammer

      Linux did ya some harm
      We just say, hey, an open sore
      But thank you, for rooting me
      To mind your site's security
      It's all good, when your server's downed
      Our dope coders will run GNU debug
      Cuz it's known as such
      That this is some software, you can't root

      I told ya script kiddie
      U can't root this
      Yeah that's why we're giving ya the code
      U can't root this
      Check out Torvalds, man
      U can't root this
      Yo let 'em bust more funky grep
      U can't root this

      Give 'em a bash prompt or C code
      Like no sweat they got the salts for your hash
      Now ya know
      You talk about Stallman, you're talking ideology
      GNU's not Linux, its GNU/Linux
      Coders still sweating so someone better write
      A patch for this
      What it's gonna take in '04
      To earn some root
      Legit, either secure or ya might as well quit

      That's the word because you know
      U can't root this
      U can't Root this
    • by poot_rootbeer ( 188613 ) on Tuesday February 10, 2004 @04:54PM (#8242361)
      U Can't Trust This

      Man, this cultural reference is even older than the security flaw they just fixed...
    • by buckeyeguy ( 525140 ) on Tuesday February 10, 2004 @09:50PM (#8244719) Homepage Journal
      Geez, what's next? Baby Got Hacked?
      • by UFNinja ( 726662 ) on Wednesday February 11, 2004 @12:43AM (#8246111)
        I like buggy code and I cannot lie. You other hackers can't deny When a geek walks in with a laptop briefcase And Knoppix-STD in yo face You get sprung Wanna boot it up quick cuz you know BSoD's suck Look at the theme Gnome's wearin' I'm hooked and I can't stop starin' oh Tuxy I wanna get with ya And take yo picture My MCSE tried to warn me But them hackin' tools make me so horny. . .
    • by shis-ka-bob ( 595298 ) on Tuesday February 10, 2004 @09:56PM (#8244768)
      Well, they may say 'can't trust this', but their web site run IIS on Windows 2000. Actions speak louder than words...
  • More to come... (Score:5, Informative)

    by Anonymous Coward on Tuesday February 10, 2004 @04:15PM (#8241828)
    http://www.eeye.com/html/Research/Upcoming/index.h tml
    • Fixed URL (Score:5, Informative)

      by Anonymous Coward on Tuesday February 10, 2004 @04:29PM (#8242037)
      eeye.com [eeye.com]
      • by isn't my name ( 514234 ) <slash@@@threenorth...com> on Tuesday February 10, 2004 @04:49PM (#8242296)
        Wow, eEye still knows of 3 different high severity remote exploit in MS systems, and MS has been sitting on two of them for over 3 months.

        Secure computing indeed.
      • Why? (Score:4, Funny)

        by Warhaven ( 718215 ) on Tuesday February 10, 2004 @08:12PM (#8244295)

        These kinds of companies and organization are somewhat of an interest to me, in that they resemble the Battered Wife syndrome.

        Here they are, putting all their effort into helping fix MS's products to make the software work better, only to get brushed off and ignored for six months. Then they go and complain about how horrible of a company MS is and how horrible the software is.

        Two weeks later, they're at it again, trying to help solve MS's problems, and will yet again be brushed off and ignored. They'll complain and rant, and in another month when the next vulnerability is discovered, they'll be back at MS's side again trying to fix it. Repeat...

        Why bother investing the time and money into a company that doesn't care? If you're going to be putting in the effort, go with something like Linux where you aren't ignored, can apply the patching yourself, release the patch, and say, "Hey, we fixed the problem. Here's the patch everyone," instead of groveling at MS's feet and trying to convince the company that they should not give every 3rd-rate script kiddie admin access.

    • by edxwelch ( 600979 ) on Tuesday February 10, 2004 @05:14PM (#8242650)
      Amazing. This firm makes money from the fact that IIS is so insecure, that's why they went to so much effort to look for these security holes in the first place. It's a good incitive for customers to buy their products when they see all those security holes out their just waiting for exploitation.
  • by account_deleted ( 4530225 ) on Tuesday February 10, 2004 @04:15PM (#8241830)
    Comment removed based on user account deletion
  • Wait a minute... (Score:4, Interesting)

    by CajunArson ( 465943 ) on Tuesday February 10, 2004 @04:15PM (#8241835) Journal
    Didn't openssl have a very similar bug that
    was disclosed & fixed just about 6 months ago?
    Anybody? Buehler?

    Looks like MS gets some slack that OSS just
    has to fix immediately.
    • by the_mad_poster ( 640772 ) <shattoc@adelphia.com> on Tuesday February 10, 2004 @04:25PM (#8241982) Homepage Journal

      OSS doesn't HAVE to fix it immediately. The community and/or developers DO fix it immediately because, unlike Microsoft, they care about writing good code and having some respect. All Microsoft as an entity gives a crap about is money. It's easier to just stick a fork in the consumer's eye than fix problems, so that's what they do. They don't care what anyone thinks of them for it because they're the status quo which keeps morons who buy a new PC ever 5 weeks buying Microsoft's tired old garbage.

      That's the difference - Good OSS projects care about writing good code which is how they get recognized as good OSS projects. Microsoft doesn't care about having any respect, it just wants money.

      • by nvrrobx ( 71970 ) on Tuesday February 10, 2004 @04:50PM (#8242318) Homepage
        Now wait a minute here.

        Don't lump the actual developers at Microsoft in with management's decisions. You're implying that the developers do not want to do a good job or write good code. This is simply untrue, and I know that from personal experience.

        Just because management decided not to allow a developer to fix this bug six months ago, does not mean the developer does not want to! Blame management, don't blame the developers.
        • by Anonymous Coward on Tuesday February 10, 2004 @05:08PM (#8242574)
          There is enough blame to go around in these situations:
          • Blame the developer for creating the bug.
          • Blame QA for inadequate testing.
          • Blame management for not accepting responsibility and getting it fixed ASAP.
          • Blame marketing and account reps who don't recognize this will hurt sales.
          • Then, when you're almost done, blame the developers again for their lack of pride to not demand the right to fix their code.
          Just because you find someone to blame does not make everyone else on the team blameless.
          • by AWhistler ( 597388 ) on Tuesday February 10, 2004 @07:10PM (#8244038)
            There is enough blame to go around in these situations:

            * Blame management for forcing tight deadlines on the developer who writes shoddy code, creating the bug.
            * Blame management for limiting the time and resources for QA to develop and execute test cases which results in inadequate testing.
            * Blame management for prioritizing new sales to support, thereby not accepting responsibility and getting it fixed ASAP.
            * Blame management for structuring sales compensation so that marketing and account reps don't care about what happens after the sale, and so don't recognize this will hurt sales.
            * Then, when you're almost done, blame the developers for needing food, clothing and shelter, and getting beat down when they say anything, which gives them lack of pride to not demand the right to fix their code.

            I'm sure this is what you meant to say, right?
        • by Geek of Tech ( 678002 ) on Tuesday February 10, 2004 @05:26PM (#8242794) Homepage Journal
          All the developers at Microsoft very well may have a heart of gold, but by virtue of the fact that Microsoft is a business (no, it's no the government... yet...), they will naturally do whatever it is that brings in the most money to them and their shareholders (read "Bill"....). It may not be the best for the consumer, but they don't sell Windows for us. They sell it for them. (Not flamebait...)

    • by billstewart ( 78916 ) on Tuesday February 10, 2004 @06:35PM (#8243664) Journal
      Yes. This isn't the third DIFFERENT bug in ASN.1 discovered recently - this is the third set of applications using the SAME REFERENCE IMPLEMENTATION of ASN.1 that was discovered to be vulnerable once it was discovered that the reference implementation was buggy. SNMP and SSL got hit, then just recently H.323 got hit, and I don't know what Microsoft parts just got hit (but it wouldn't surprise me if it's Netmeeting and maybe IE.)

      Why? Because ASN.1 is the Mos Eisley of bit-twiddly protocols, and "you'll never find a more wretched hive of scum and villainy." AFAIK, there's nothing insecure about the protocol itself, but it's so ugly that everybody tends to reuse the reference implementation rather than rewriting their own. While that has some good aspects to it, some of the original reference implementation code wasn't always careful about checking bounds, etc., and eventually the University of Oulu folks did a proper study and found the holes.

      ASN.1 is one of these broad-scope protocols that tries to be everything to everybody, so it not only implements in a broad messy manner some things that were done much more simply and cleanly and debuggably in XDR, it also does some other things that are useful in a top-down hierarchical world controlled by all-knowing standards committees, and got itself included at the appropriate layers in other standards such as X.509 and H.323 (which are also big and ugly), and in SNMP (which is otherwise simple and clean and should have known better), and X.509 got itself embedded into SSL. (H.323 is the older VOIP standard, used by almost everybody even though they talk about using SIP Real Soon Now, and Microsoft Netmeeting is the popular free implementation.) One bad side of this is that very many security-critical applications have this buggy code at the bottom of them, though this is somewhat balanced by the good fact that it's so deeply buried that it's often hard to pass malicious data that far down the stack, though of course there's the ugly side which is that it's so ugly that it's hard for an interface module to verify that an ASN.1 object is malformed except by actually passing it to the vulnerable ASN.1 interpreter.

      Bit-twiddly space-saving data formats are almost always a Bad Idea. As they say, people who play with the bits deserve to be bitten. ASN.1 problems make many applications hard to write and harder to debug, but in the Open Source world, PGP has gone through several iterations of security-critical bugs because they were trying to steal bits, plus backwards compatibility issues make stealth versions difficult. The theory is that it's somehow more "efficient" to save a few bits of data storage or data transmission time by using variable-length formats, trading off the space for more CPU time and program space. This isn't totally off the wall, given 20 years of Moore's Law (which seems to have improved CPU and RAM price/performance by 10**5 - 10**6, disk by about 10**5, but smaller bandwidths by only 10**3-10**4), but the cost in programmer time, debugging time, and bug impact has been immense.

      • by boots@work ( 17305 ) on Tuesday February 10, 2004 @08:08PM (#8244270)
        (Wow, great post.)

        One of the good parts of Eric Rayrnond's new book The Art of Unix Programming [catb.org] is the discussion of protocol design, and in particular the foolishness of trying to squeeze out every single bit.

        In particular, he points out that it's often better to just use a simple encoding, and then run a compressor like LZO or GZIP over the whole thing. This lets you design a simple protocol, and you get the benefit of compression over the whole thing rather than just the metadata. Complexity, of course, is the enemy of security. It is both simpler and gives better compression; and people with more network than CPU can turn compression off or down.

        Keith Packard [keithp.com] has some similar papers looking at X11, where he concludes that clever tricks like Low Bandwidth X really don't help all that much compared to just using SSH compression.

        Latency is a different and harder problem, but one that's often better solved in the high-level design than by bit-banging.
  • Alert the media... (Score:5, Informative)

    by LostCluster ( 625375 ) * on Tuesday February 10, 2004 @04:16PM (#8241836)
    Fox News Channel reported that there was a serious flaw in Windows during their 4pm ET news burst. Mainstream media as usual leaves out tech details on stories like these, but this is just an indication of how serious this flaw is.
  • Yawn... (Score:5, Funny)

    by Anonymous Coward on Tuesday February 10, 2004 @04:16PM (#8241837)
    6 months? 2000's been out for 3 years! If it took them 2.5 year to find the bug, another half is year is no biggie.
  • by Adolph_Hitler ( 713286 ) on Tuesday February 10, 2004 @04:16PM (#8241843)
    Thats the result of Microsofts terrible history on security. Please Mr.Gates, continue to help the Linux community thrive.
    • by Saeed al-Sahaf ( 665390 ) on Tuesday February 10, 2004 @04:36PM (#8242120) Homepage
      "Thats the result of Microsofts terrible history on security. Please Mr.Gates, continue to help the Linux community thrive."

      It would be great if this where only so, but it seems that there is one factor in corporate IT that over rules security, and that's an "enterprise" quality office suite and desktop, two things that seem to be moving quite slowly. Very few question Linux in the server market, but the PHPs will not give up Outlook and PowerPoint untill there is a superior linux analog.

      By the way, recall that Linus himself predicted the corporate desktop is still 10 years off.

  • by kyshtock ( 608605 ) on Tuesday February 10, 2004 @04:16PM (#8241844)
    ... to kill the other security flaw... Windows 9x, that is.

    If you are Microsoft fundamentalist karma blaster, I meant that in a good way...

  • by UnderAttack ( 311872 ) on Tuesday February 10, 2004 @04:16PM (#8241845) Homepage
    Didn't openssl have ASN.1 issues recently? Did MSFT copy some of the code ;-) ?

    BTW: Interesting timeline of more to come [eeye.com]

    Better keep checking for updates.
  • Windows NT / 2000? (Score:5, Interesting)

    by peterprior ( 319967 ) on Tuesday February 10, 2004 @04:17PM (#8241848)
    Hang on.. If windows NT / 2000 are affected.. looks like M$ have been sitting on it for a _lot_ longer than 6 months.
    On the other hand, if they didn't know about it, I wonder how many systems could have been compromised. When was windows NT released again ?
    • They were only sitting on it for the time they *knew* about it! Doesn't matter when NT came out if they only discovered it 6 months ago........
    • by girgit ( 314584 ) on Tuesday February 10, 2004 @04:22PM (#8241920) Journal
      When was windows NT released again ?

      Most recently, Windows NT was released again as Windows Server 2003. Before that it was released again as Windows XP and before that by the loveable name of W2K.
      Hmmm. You asked when. Sorry, I don't know the dates.
    • Service Packs (Score:5, Insightful)

      by truthsearch ( 249536 ) on Tuesday February 10, 2004 @04:25PM (#8241977) Homepage Journal
      Microsoft was notified 6 months ago. Either they didn't know about it before that or they didn't disclose that they did. The bug may have existed for 10 years, but they supposedly sat on it for 6 months. Actually, since it affects all versions of NT and 2000 before service pack 3 it could have existed since about 1985.
  • Say it ain't so... (Score:4, Insightful)

    by Soko ( 17987 ) on Tuesday February 10, 2004 @04:17PM (#8241849) Homepage
    "ASN.1 is really an extremely deep...technology in Windows itself," he said. "This investigation required us to evaluate several different aspects. This is an instance where we really had to do our due diligence."

    Name me an instance where "really doing due dilligence" vis-a-vis security is an option, like this guy makes it sound. Just one.

    Please tell me Microsoft is not as inept as this. Please?

    Soko
    • by gid13 ( 620803 ) on Tuesday February 10, 2004 @04:32PM (#8242063)
      Okay, so this is the least relevant post in the history of mankind, but tell me "vis-a-vis" wouldn't be the best word EVER for ebonics:

      "A prime exampizzle of racizzle can be seen vis-a-vizzle the ethnizzlicity of the indigenizzle pizzles of South Afrizzle."

      Well, that does it for me, karma be damned.
  • quote (Score:5, Insightful)

    by Feyr ( 449684 ) * on Tuesday February 10, 2004 @04:18PM (#8241864) Journal
    didn't The Gates himself said not so long ago that they were "as fast or faster" than opensource in fixing security flaws?

    i don't have the quote on hand though...
  • Well, of course (Score:5, Interesting)

    by Medievalist ( 16032 ) on Tuesday February 10, 2004 @04:18PM (#8241869)
    Open Source software gets critical fixes within days or hours because anyone running the code can potentially fix the problem.

    As Micro$oft's ratio of programmers to supported lines of code decreases, their time to fix bugs will increase.

    To put it another way, bloat breeds torpor.
  • by ackthpt ( 218170 ) * on Tuesday February 10, 2004 @04:19PM (#8241884) Homepage Journal
    The bug affects ASN.1 library and is remotely exploitable through authentication subsystems (Kerberos, NTLMv2) and applications that make use of SSL certificates."

    That's no bug!

    That's Intellectual Property!

    "In other news: PanIP has filed suit claiming Microsoft's latest bug violates one or more of their patents."

  • by getling ( 114602 ) <getling@NOsPAM.gmail.com> on Tuesday February 10, 2004 @04:20PM (#8241895) Homepage
    Looks like there is another worm out there spreading fast...its spreading through AIM by sending out links to a site at wgutv.com that masquerades as being a news site proclaiming Osama has been captured. The site downloads an executable (which appears to be digitally signed with a cert issued by Thawte) which, at the least, starts propagating to other AIM buddies. Can't find anything on NAI or Symantec--anyone else seen this in the past 3 hours? (since about 2 PM EST)?
  • by BabyDave ( 575083 ) on Tuesday February 10, 2004 @04:21PM (#8241916)

    A flaw was found in AOL Instant Messenger relating to the A/S/L library.

  • Does obscurity work? (Score:3, Interesting)

    by BillyBlaze ( 746775 ) <tomfelker@gmail.com> on Tuesday February 10, 2004 @04:22PM (#8241930)
    Well, does it?

    The article mentions that Microsoft is unaware of any computers hacked with this vulnerability. Assuming it wasn't ever used, then not disclosing it until a patch was made worked well in this situation.

    But not disclosing the problem has drawbacks, too. Your system is insecure, and you have to hope nobody else knows about the exploit either. And it's Microsoft's decision when to patch it. It will be interesting to hear why it took them six months. What if it was simply PR: do you feel safe knowing you're vulnerable so Microsoft gets good PR (until now)? Or perhaps it's just laziness. If customers don't know about an exploit, how can they apply pressure to counter it?

  • by Risto ( 666860 ) on Tuesday February 10, 2004 @04:23PM (#8241934)
    Every time I see an airport or a power plant affected by windows viruses and/or vulnerabilities I get a bit queasy Will the general public ever realize that if what you are working on is of any importance, nevermind critical importance, then Windows is not the right tool for the job. From the story: "This is one of the most serious Microsoft vulnerabilities ever released," said Marc Maiffret of eEye Digital Security Inc. of Aliso Viejo, Calif., which discovered the new Windows flaws. "The breadth of systems affected is probably the largest ever. This is something that will let you get into Internet servers, internal networks, pretty much any system." Maiffret said some computer systems that control critically important power or water utilities were vulnerable.
  • by lamont116 ( 522100 ) on Tuesday February 10, 2004 @04:24PM (#8241949)
    "Microsoft Corp. warned customers Tuesday about unusually serious security problems with its Windows software that could let hackers quietly break into their computers to steal files, delete data or eavesdrop on sensitive information." What "usually serious"? Code Red? Nimda?

    Also, Microsoft's own document on "Trustworthy Computing" [microsoft.com] (warning: MS Word format!) establishes as a goal that "[t]he company is open in its dealings with customers. Its motives are clear, it keeps its word, and customers know where they stand in a transaction or interaction with the company." I suppose that waiting six months before fixing this "unusually serious" problem somehow satisfies that criterion?
  • by Yankovic ( 97540 ) on Tuesday February 10, 2004 @04:24PM (#8241952)
    So this is very interesting, in that it's the first time that a critical flaw has taken six months to fix that the alert about the fix ALSO was delayed for six months. Yet in that time, we have not seen any significant uptick in these types of exploits, and there do not appear to be any worms like this in the wild.

    Does this verify MS's supposition that delayed publication = less exploits?
    • by LostCluster ( 625375 ) * on Tuesday February 10, 2004 @04:26PM (#8241988)
      Yep. It's clear. If there's no public discussion of a flaw, the likelyhood of an exploit is lower because the would-be hacker has to discover the flaw on their own.

      Some of the worst viruses have come from already-patched flaws that users have just neglected to apply said patch.
      • by Beryllium Sphere(tm) ( 193358 ) on Tuesday February 10, 2004 @08:40PM (#8244437) Journal
        If I were at home, I'd give you the name of the researcher who gathered actual data on this very question.

        What he found after combing through tons of CERT data was that disclosure per se didn't do much to increase exploit rates.

        What did matter was the release of automated attack tools based on the disclosure.

        One reason for full disclosure is that it allows network owners and operators to get and install fixes. However, that also didn't make much difference over the time period he studied. Exploit rates stayed about the same after patch release. Apparently people who stay current on patches are such a small minority that they don't show in the statistics.

        All that leaves plenty of room for interesting arguments over disclosure policy.
  • Six Months! (Score:4, Insightful)

    by Goo.cc ( 687626 ) * on Tuesday February 10, 2004 @04:24PM (#8241960)
    So for six months, people are left out there running software with a known security problem while Microsoft surpresses the information and spreads FUD about how Linux/Open Source security responsiveness is poorer than Microsoft's? What a crock of shit.
  • by Saeed al-Sahaf ( 665390 ) on Tuesday February 10, 2004 @04:24PM (#8241964) Homepage
    From the story: "Microsoft, which learned about the flaws more than six months ago from researchers, said the only protective solution was to apply a repairing patch it offered on its Web site. It assessed the threat to computer users as "critical," its highest rating."

    So, if they fix a security flaw sooner than six months, what status does that get? Super Double Critical?

  • heap overflow? (Score:5, Insightful)

    by akad0nric0 ( 398141 ) on Tuesday February 10, 2004 @04:25PM (#8241974)
    A very big deal is going to be made about this. Feel free to correct me (or mod me down) if I'm wrong, BUT:

    From my understanding, this is a heap overflow. Given the nature of the heap, I could see this resulting in a DoS condition, but what is the likelihood that a practical exploit can be developed, given that the heap generally contains data in random locations?
    • Re:heap overflow? (Score:3, Informative)

      by zjbs14 ( 549864 )
      Accoring to the article, code could be injected using character string and OID's that get copied without regard to length. All you would need to do is get the right stuff copied to the right place.
    • Re:heap overflow? (Score:4, Insightful)

      by BillyBlaze ( 746775 ) <tomfelker@gmail.com> on Tuesday February 10, 2004 @04:59PM (#8242430)
      The AP article mentioned that "eEye had successfully tested the method to break into its own computers." So the probability that it's possible is 1.
  • The BBC published this report [bbc.co.uk] on Microsoft security problems. Somehow, the person who wrote this managed to a whole article without including any information on what the bug actually was.

    In sort form it reads, there was a security flaw, it is bad, actually it was really bad, maybe the worst ever and it is a security flaw.
  • by squarefish ( 561836 ) * on Tuesday February 10, 2004 @04:26PM (#8241986)
    at cnn.com [cnn.com] and was patching all the machines here at work. interesting article for a few reasons- looks like M$ is still making weekly updates...

    I'm so glad I switch to linux and os x for all my personal stuff, it makes me feel so much better.
  • by Junks Jerzey ( 54586 ) on Tuesday February 10, 2004 @04:28PM (#8242013)
    Windows is insecure. We know this. Partly it is the result of the operating system and partly it is the result of bad applications. And Microsoft knows it too.

    This is why Microsoft is making the bold move of promoting managed langages like C# and VB.net, and a fully managed runtime in the guise of .net. This is a huge, huge step toward eliminating buffer overruns and other trivial errors. Tens of thousands of developers are making the move right now. Any bookstore has at least 50 books on .net technologies.

    In short, laugh about it now, let it distract you from what's coming, let it lull you into thinking Linux will always have the security edge, go right ahead. It won't change anything.
    • There is a runtime associated with these. It will also have bugs and openings. The question is will MS release often with the bug fixes. Based on their past and current record, how do you think that they will do?

      Do not get me wrong. OSS (including Linux) has its warts. But due to competition, it is kept up and at a quick rate.
  • It is not just MS (Score:5, Insightful)

    by WindBourne ( 631190 ) on Tuesday February 10, 2004 @04:28PM (#8242017) Journal
    I use to work at HP Ft. Collins in the early 90's. At that time, there was a major hole in the network code of the that was going to take about 6 man-months to fix. The local management decided to not fix it as it was decided that few knew about it and it would not be a problem. I would suspect that every major company does the same thinking; MS, Apple, Sun, SGI, IBM, etc.

    I have no doubt that all these companies do care a bit more due to the pressure being brought, but it will still be a decision similar to what Ford did with Pinto and who it was did the tires that exploded. If it costs money to fix, but nobody will see it, who cares.

    That is one of the advantages of OSS as everything is in the open. Have to fix it or will suffer big.
  • by Nom du Keyboard ( 633989 ) on Tuesday February 10, 2004 @04:39PM (#8242161)
    Have you seen the other critical update they're trying to slip through with this one?

    This item updates the Bookshelf Symbol 7 font included in some Microsoft products. The font has been found to contain unacceptable symbols.

    Looks like someone slipped something through on Microsoft (certain to lose his/her job over this one) and put it just far enough in that it doesn't show when you double click the Bssym7.tt font file to preview its style. Leaves me wondering only two things:

    1: Is there more than 1 symbol in there that is considered "unacceptable"?
    2: Just why is this considered critical?

  • by PierceLabs ( 549351 ) on Tuesday February 10, 2004 @04:40PM (#8242171)
    What better way to make people want to move to Longhorn in droves than to make the cost of staying with the currently deployed operating system seem prohibitively expensive in comparrison.
  • by truthsearch ( 249536 ) on Tuesday February 10, 2004 @04:41PM (#8242190) Homepage Journal
    The Windows help system was exploitable for about 7 years. From the time of Windows NT 4.0's release (1996?) until June, 2003, an attacker could exploit the help system to run their own code [microsoft.com]. And that's just the help system!

    As of September, 2003, there were 31 known unpatched vulnerabilities in Microsoft Internet Explorer. Some of the most critical have not been fixed in well over a year. The original page listing them was removed at Microsoft's request, but I cached it [mattschwartz.net].

    Microsoft was notified of significant issues with their implementation of the Java Virtual Machine (JVM) on September 2, 2002, and on April 9th, 2003, Microsoft issued an update to fix the problem. That took more than seven months.

    Shameless plug: more examples are available at my site [mattschwartz.net].
  • by NotAnotherReboot ( 262125 ) on Tuesday February 10, 2004 @04:43PM (#8242212)
    I am looking at WindowsUpdate right now, and am not seeing this patch.

    I can go ahead and download it from the page in the story; my question is: why is this patch not up on WindowsUpdate immediately?
  • stuff (Score:5, Funny)

    by Tom ( 822 ) on Tuesday February 10, 2004 @05:25PM (#8242776) Homepage Journal
    I guess this is in the "Stuff that matters" category then, since it certainly isn't "News" by any stretch of imagination.

  • by spurious cowherd ( 104353 ) on Tuesday February 10, 2004 @06:03PM (#8243287)
    various snippets from the BugTraq discussion [securityfocus.com]

    "In the security bulletin published by MS it states,
    "In the most likely exploitable scenario, an attackerwould have to have direct access to the user's network."

    The bulletin published by eEye states
    "...applications that make use of certificates (SSL, digitally-signed e-mail, signed ActiveX controls, etc.) [areaffected]".

    I see a big disconnect there. Can you address this? Also, how would this potentially affect sites that are using an MS VPN solution?"

    Yes, I am not sure what Microsoft did with the wording there that seems to be misleading to at least a few people so far.
    There is just as much, if not more, chance of people using this vulnerability on server side applications as there is on client-side applications.
    For example we setup a totally IPSEC secured network and we broke into that network via our ASN bug which is called by the Kerberos.
    We also have written exploits that take advantage of ASN via NTLMv2 authentication. And the list goes on... How about evil ASN SSL CERTs?
    Client or server? There is a menu a mile long for the avenues of attacks that this thing can be used for.
    If your running, Windows NT 4.0, Windows 2000, Windows XP, or Windows 2003, you are 99.9999% positive to be vulnerable, regardless of what your configuration might be.
    Don't try to guess if you have any of the affected protocols or applications (lets not forget third party apps using the MS ASN library), just install the patch.
    Client side, server side, world wide.

    Signed, Marc Maiffret Chief Hacking Officer eEye Digital Security

  • by Huusker ( 99397 ) on Tuesday February 10, 2004 @10:08PM (#8244911) Homepage
    This is just great. ASN.1 is used for encoding and decoding X.509 certificates, which are used in I&A (Identification and Authentication) protocols, and in X.500 directory protocols. It is used everywhere in Windows: Active Directory, LDAP, SNMP, Exchange Server, and HTTPS protocols (SSL/TLS) for starters.

    Unlike the MS Blaster bug, which had basically one exploit and one fix (the RPC service on TCP port 135), the ASN.1 protocols are used in a dozen services that are listening on TCP/UDP ports all over the place. Servers will be especially vulnerable to this.

    If you hack Active Directory you own not just the computer but the whole dang enterprise.

    Gads this will be a nightmare to deal with.

  • by geomon ( 78680 ) on Tuesday February 10, 2004 @10:09PM (#8244924) Homepage Journal
    According to Ted Bridis of the Associate Press, Kerberos belongs to Microsoft in his recent article, Microsoft Warns on Windows Security Flaws [myway.com].

    I wrote a letter to Mr. Bridis to offer a correction.

    Dear Mr. Bridis;

    You wrote:

    "Some of Microsoft's built-in security features - such as its Kerberos cryptography system - rely on the flawed software."

    This statement is factually incorrect. You're sentence should have read "... such as its implementation of the Kerberos cryptography system..."

    Kerberos is, in fact, a creation of the Massachusetts Institute of Technology:

    http://web.mit.edu/kerberos/www/#what_is

    Please respect the intellectual property rights of MIT in your future writings.

    Thanks.


C'est magnifique, mais ce n'est pas l'Informatique. -- Bosquet [on seeing the IBM 4341]

Working...