Microsoft Sits on Security Flaw for Six Months
pmf writes "Yet another critical vulnerability affecting Windows 2000/XP/2003 has just been announced by eEye. It is worth noting that it took Microsoft over 6 months to fix it. The bug affects the ASN.1 library and is remotely exploitable through authentication subsystems (Kerberos, NTLMv2) and applications that make use of SSL certificates." The AP has an overview.
Love the poem... (Score:5, Funny)
By: MCSE Hammer
Blaster did ya some harm
We just say, hey, another worm
But thank you, for trusting me
To mind your site's security
It's all good, when your server's downed
Our dope PR will pass blame around
Cuz it's known as such
That this is some software, you can't trust
I told ya Homeland
U can't trust this
Yeah that's why we're giving ya the code
U can't trust this
Check out eEye, man
U can't trust this
Yo let 'em bust more funky system
U can't trust this
Give 'em a string or recvfrom
Like no sweat they got the keys to your kingdom
Now ya know
You talk about eEye, you're talking about holes
Remote and tight
Coders still sweating so someone better write
A book to learn
What it's gonna take in '04
To earn some trust
Legit, either secure or ya might as well quit
That's the word because you know
U can't trust this
U can't trust this
U Can't Root This (Score:5, Funny)
By: MC GNU/Hammer
Linux did ya some harm
We just say, hey, an open sore
But thank you, for rooting me
To mind your site's security
It's all good, when your server's downed
Our dope coders will run GNU debug
Cuz it's known as such
That this is some software, you can't root
I told ya script kiddie
U can't root this
Yeah that's why we're giving ya the code
U can't root this
Check out Torvalds, man
U can't root this
Yo let 'em bust more funky grep
U can't root this
Give 'em a bash prompt or C code
Like no sweat they got the salts for your hash
Now ya know
You talk about Stallman, you're talking ideology
GNU's not Linux, its GNU/Linux
Coders still sweating so someone better write
A patch for this
What it's gonna take in '04
To earn some root
Legit, either secure or ya might as well quit
That's the word because you know
U can't root this
U can't Root this
Re:Love the poem... (Score:5, Funny)
Man, this cultural reference is even older than the security flaw they just fixed...
Re:Love the poem... (Score:5, Funny)
Re:Love the poem... (Score:5, Funny)
But www.eEye.com runs on Microsoft (Score:5, Insightful)
Re:Love the poem... (Score:5, Funny)
Wow. That would have been around about the last time Microsoft gave a shit about its customers. Surely only a coincidence?
Re:Love the poem... (Score:5, Funny)
More to come... (Score:5, Informative)
Fixed URL (Score:5, Informative)
Still Three REMOTE Exploits! (Score:5, Interesting)
Secure computing indeed.
Why? (Score:4, Funny)
These kinds of companies and organizations are somewhat of an interest to me, in that they resemble Battered Wife syndrome.
Here they are, putting all their effort into helping fix MS's products to make the software work better, only to get brushed off and ignored for six months. Then they go and complain about how horrible of a company MS is and how horrible the software is.
Two weeks later, they're at it again, trying to help solve MS's problems, and will yet again be brushed off and ignored. They'll complain and rant, and in another month when the next vulnerability is discovered, they'll be back at MS's side again trying to fix it. Repeat...
Why bother investing the time and money into a company that doesn't care? If you're going to be putting in the effort, go with something like Linux where you aren't ignored, can apply the patching yourself, release the patch, and say, "Hey, we fixed the problem. Here's the patch everyone," instead of groveling at MS's feet and trying to convince the company that they should not give every 3rd-rate script kiddie admin access.
Re:Depressing thoughts (Score:5, Insightful)
Comment removed (Score:3, Funny)
Re:Note to crackers (Score:3, Funny)
Re:Note to crackers (Score:4, Insightful)
You people that insist on bashing *nix users for "faux-superiority" remind me of crazy people that bang their heads against the wall over and over even though it hurts. I mean, give me a fucking break. I'm not the one staring down the barrel of a vendor that takes 6 months to fix a critical vulnerability or has a standing history of just ignoring such things when possible.
There's no "faux" superiority. There's nothing significant that Windows can do better than Linux in the back office anymore. Only a complete idiot would continue to use Windows systems for any mainstream services. With a few custom exceptions, there's just no room for Windows on a smart admin's server anymore, and Windows on the desktop will drop dead when vendors decide that Linux has reached critical mass and it's time to start porting commercial apps. We know it works. We know it works better than windows. It's not faux superiority. Windows just sucks and now people have a choice not to use it. Get over it. If you're dumb enough to keep exposing data and users through Microsoft's well-known, well-documented, ongoing negligence, that's YOUR problem. However, just because I don't have that problem, don't come getting all pissy with me.
Re:Note to crackers (Score:4, Insightful)
If you are still in school, or if you work in a small lab, or if you do ANYTHING except work in the real world, you probably think idiocy and stubbornness are the only things preventing the world from running *nix. At this company, and at many others I presume, at this point it makes more sense to pay a little more for the extra TCO of running and upgrading Windows than to try and rewrite the entire e-commerce website and change all internal processes. The bosses here aren't stupid - they know *nix is better, but if you even suggested the place should switch wholesale off Microsoft you'd get eye-rolling galore. It's a pipe dream.
The transition doesn't make business sense, even if the end result would.
Re:Note to crackers (Score:5, Insightful)
Re:Note to crackers (Score:4, Insightful)
Re:Note to crackers (Score:4, Insightful)
Re:Note to crackers (Score:4, Funny)
Upon encountering your ridiculous assertion that "the Gimp is AS GOOD AS PHOTOSHOP," some souls, less driven, might merely shake their heads, titter nervously, and walk away. I am not that sort of man, and I am not prepared to let your stupidity fade away unnoticed.
Cheerio.
Re:Note to crackers (Score:5, Insightful)
Now why do you presume it's kids....
I'm far from a kid and use Linux in a work environment. We also use OS/390, VMS, and yes Win9/2k/XP.
The "M$" has little to do with Linux. It has everything to do with M$ and its de facto monopoly, its penchant for sucking the cash cow, and showing that organization the respect it 'deserves'.
And when will you windoze kiddies learn it's Linux and not Lunix and that the GPL isn't viral (or we'd have Windows on the GPL - see MS Services for Unix and in particular its GPL components), that proprietary (and paid for!) software can be purchased for it. And that it supports most hardware. We actually did better with Linux than with Win2K, driver-wise, back when they were both new.
On the issue... A six month turnaround? You must be kidding me! It was only a week ago Bill was, falsely, claiming a one day turnaround versus weeks for Linux (typically it's less than a day).
Any windows setup, mine included, was a potential target for abuse due to this. You have to trust M$ employees not to leak it, the finding company's employees not to leak it, and the black hats community to not find it.
That is a ridiculous situation for any company to be in and it's unsatisfactory performance for any software supplier let alone one who tries to claim they're the best... M$ showed zero respect for the operations of your organization and zero respect to each and every individual customer by allowing them to face that risk without warning.
I would never trust our critical business operations to Microsoft. They have repeatedly violated that trust.
Re:Note to crackers (Score:5, Funny)
Now, if M$ decided to patch vulnerabilities like OSS did (there are lots of exploits in OSS software, but they're usually fixed in an hour), then they would be professional. But they sit on the knowledge and litigate against people that tell them there are problems. That's not professional. That's nazi.
Re:Note to crackers (Score:5, Funny)
Like a spelling checker, you mean?
I don't need a spellchecker on Slashdot.
I just wait for a tool like you do it for me.
Wait a minute... (Score:4, Interesting)
was disclosed & fixed just about 6 months ago?
Anybody? Buehler?
Looks like MS gets some slack that OSS just has to fix immediately.
Re:Wait a minute... (Score:4, Insightful)
OSS doesn't HAVE to fix it immediately. The community and/or developers DO fix it immediately because, unlike Microsoft, they care about writing good code and having some respect. All Microsoft as an entity gives a crap about is money. It's easier to just stick a fork in the consumer's eye than fix problems, so that's what they do. They don't care what anyone thinks of them for it because they're the status quo which keeps morons who buy a new PC every 5 weeks buying Microsoft's tired old garbage.
That's the difference - Good OSS projects care about writing good code which is how they get recognized as good OSS projects. Microsoft doesn't care about having any respect, it just wants money.
Re:Wait a minute... (Score:5, Insightful)
Don't lump the actual developers at Microsoft in with management's decisions. You're implying that the developers do not want to do a good job or write good code. This is simply untrue, and I know that from personal experience.
Just because management decided not to allow a developer to fix this bug six months ago, does not mean the developer does not want to! Blame management, don't blame the developers.
Re:Wait a minute... (Score:5, Insightful)
Re:Wait a minute... (Score:5, Insightful)
* Blame management for forcing tight deadlines on the developer who writes shoddy code, creating the bug.
* Blame management for limiting the time and resources for QA to develop and execute test cases which results in inadequate testing.
* Blame management for prioritizing new sales to support, thereby not accepting responsibility and getting it fixed ASAP.
* Blame management for structuring sales compensation so that marketing and account reps don't care about what happens after the sale, and so don't recognize this will hurt sales.
* Then, when you're almost done, blame the developers for needing food, clothing and shelter, and getting beat down when they say anything, which gives them lack of pride to not demand the right to fix their code.
I'm sure this is what you meant to say, right?
Re:Wait a minute... (Score:4, Insightful)
I think that developers who issue statements that management is always doing the wrong thing, should remember that they too manage, a software development project for example.
Re:Wait a minute... (Score:5, Insightful)
Re:No, you wait a minute... (Score:4, Insightful)
Anyway, if it takes M$ this long to fix things, then their products suck. And you shouldn't buy them. If this were exploited 4 months ago, there would be 300 MILLION spam zombies/SCO DOSers/etc. Sorry if it's hard to fix. It's your problem, and you need to be accountable for the damage that your idiocy/cost-cutting/brainfart causes, M$.
Third Recent Hit from Same ASN.1 Problem (Score:5, Informative)
Why? Because ASN.1 is the Mos Eisley of bit-twiddly protocols, and "you'll never find a more wretched hive of scum and villainy." AFAIK, there's nothing insecure about the protocol itself, but it's so ugly that everybody tends to reuse the reference implementation rather than rewriting their own. While that has some good aspects to it, some of the original reference implementation code wasn't always careful about checking bounds, etc., and eventually the University of Oulu folks did a proper study and found the holes.
ASN.1 is one of these broad-scope protocols that tries to be everything to everybody, so it not only implements in a broad messy manner some things that were done much more simply and cleanly and debuggably in XDR, it also does some other things that are useful in a top-down hierarchical world controlled by all-knowing standards committees, and got itself included at the appropriate layers in other standards such as X.509 and H.323 (which are also big and ugly), and in SNMP (which is otherwise simple and clean and should have known better), and X.509 got itself embedded into SSL. (H.323 is the older VOIP standard, used by almost everybody even though they talk about using SIP Real Soon Now, and Microsoft Netmeeting is the popular free implementation.) One bad side of this is that very many security-critical applications have this buggy code at the bottom of them, though this is somewhat balanced by the good fact that it's so deeply buried that it's often hard to pass malicious data that far down the stack, though of course there's the ugly side which is that it's so ugly that it's hard for an interface module to verify that an ASN.1 object is malformed except by actually passing it to the vulnerable ASN.1 interpreter.
Bit-twiddly space-saving data formats are almost always a Bad Idea. As they say, people who play with the bits deserve to be bitten. ASN.1 problems make many applications hard to write and harder to debug, but in the Open Source world, PGP has gone through several iterations of security-critical bugs because they were trying to steal bits, plus backwards compatibility issues make stealth versions difficult. The theory is that it's somehow more "efficient" to save a few bits of data storage or data transmission time by using variable-length formats, trading off the space for more CPU time and program space. This isn't totally off the wall, given 20 years of Moore's Law (which seems to have improved CPU and RAM price/performance by 10**5 - 10**6, disk by about 10**5, but smaller bandwidths by only 10**3-10**4), but the cost in programmer time, debugging time, and bug impact has been immense.
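The bounds-checking problem the post describes, shown in an added example that is not code from the page, from eEye, or from any real ASN.1 library: a minimal DER tag-length-value reader that validates every length field against the enclosing element before touching the value bytes. The sample encodings are constructed for the example.

```python
"""Strict DER TLV reader: each declared length is checked against the
bytes actually present in its parent element, so a forged length can
never drive a read past the buffer."""
from typing import List, Tuple

class DERError(ValueError):
    """Raised for any encoding the reader refuses."""

def read_length(buf: bytes, pos: int) -> Tuple[int, int]:
    """Decode the length octets at buf[pos:]; return (length, next_pos)."""
    if pos >= len(buf):
        raise DERError("length octet missing")
    first = buf[pos]
    pos += 1
    if first < 0x80:                      # short form: one octet
        return first, pos
    n = first & 0x7F                      # long form: n length octets follow
    if n == 0:
        raise DERError("indefinite length not allowed in DER")
    if n > 4:
        raise DERError("length field too wide")
    if pos + n > len(buf):
        raise DERError("truncated length field")
    length = int.from_bytes(buf[pos:pos + n], "big")
    pos += n
    # DER requires the shortest encoding; reject padded or short-form-able lengths
    if length < 0x80 or (n > 1 and length < (1 << (8 * (n - 1)))):
        raise DERError("non-minimal length encoding")
    return length, pos

def read_tlv(buf: bytes, pos: int = 0) -> Tuple[int, bytes, int]:
    """Read one element; return (tag, value, position after the element)."""
    if pos >= len(buf):
        raise DERError("tag missing")
    tag = buf[pos]
    if tag & 0x1F == 0x1F:
        raise DERError("multi-byte tags not supported")
    pos += 1
    length, pos = read_length(buf, pos)
    # The key check: the declared length may not exceed what remains of
    # the element we are inside (buf is always the parent's value slice).
    if length > len(buf) - pos:
        raise DERError("declared length exceeds buffer")
    return tag, buf[pos:pos + length], pos + length

def parse_sequence(buf: bytes) -> List[Tuple[int, bytes]]:
    """Parse a top-level SEQUENCE and return its (tag, value) children."""
    tag, body, end = read_tlv(buf)
    if tag != 0x30:
        raise DERError("expected SEQUENCE")
    if end != len(buf):
        raise DERError("trailing bytes after SEQUENCE")
    items, pos = [], 0
    while pos < len(body):                # children are bounded by body, not buf
        child_tag, value, pos = read_tlv(body, pos)
        items.append((child_tag, value))
    return items

def describe(buf: bytes) -> str:
    """Summarise a parse result as text so callers can compare outcomes."""
    try:
        items = parse_sequence(buf)
    except DERError as exc:
        return f"rejected: {exc}"
    return "ok: " + ", ".join(f"tag=0x{t:02x} len={len(v)}" for t, v in items)

# Constructed inputs: SEQUENCE { INTEGER 5, OCTET STRING "hi" } and malformed variants.
GOOD = bytes.fromhex("300702010504026869")
HUGE_LENGTH = bytes.fromhex("3084ffffffff020105")   # outer length 0xFFFFFFFF
NON_MINIMAL = bytes.fromhex("30810702010504026869") # length 7 in long form
TRUNCATED = bytes.fromhex("30070201")               # says 7 bytes, has 2
BAD_CHILD = bytes.fromhex("3003020501")             # inner length escapes parent

if __name__ == "__main__":
    for name, sample in [("good", GOOD), ("huge", HUGE_LENGTH),
                         ("non-minimal", NON_MINIMAL), ("truncated", TRUNCATED),
                         ("bad child", BAD_CHILD)]:
        print(f"{name:12s} {describe(sample)}")
```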
Re:Third Recent Hit from Same ASN.1 Problem (Score:5, Interesting)
One of the good parts of Eric Raymond's new book The Art of Unix Programming [catb.org] is the discussion of protocol design, and in particular the foolishness of trying to squeeze out every single bit.
In particular, he points out that it's often better to just use a simple encoding, and then run a compressor like LZO or GZIP over the whole thing. This lets you design a simple protocol, and you get the benefit of compression over the whole thing rather than just the metadata. Complexity, of course, is the enemy of security. It is both simpler and gives better compression; and people with more network than CPU can turn compression off or down.
Keith Packard [keithp.com] has some similar papers looking at X11, where he concludes that clever tricks like Low Bandwidth X really don't help all that much compared to just using SSH compression.
Latency is a different and harder problem, but one that's often better solved in the high-level design than by bit-banging.
Alert the media... (Score:5, Informative)
Re:Alert the media... (Score:5, Funny)
Re:Alert the media... (Score:5, Informative)
Therefore I wouldn't mind the media reporting about both a major computer flaw _and_ JJ's nipple.
Re:Alert the media... (Score:5, Offtopic)
Re:Alert the media... (Score:5, Funny)
Re:Alert the media... (Score:4, Interesting)
Yawn... (Score:5, Funny)
6 months later, millions switch to Linux. (Score:4, Funny)
Millions switch to Linux: Not likely soon. (Score:5, Insightful)
It would be great if this were only so, but it seems that there is one factor in corporate IT that overrules security, and that's an "enterprise" quality office suite and desktop, two things that seem to be moving quite slowly. Very few question Linux in the server market, but the PHBs will not give up Outlook and PowerPoint until there is a superior Linux analog.
By the way, recall that Linus himself predicted the corporate desktop is still 10 years off.
it took much more... (Score:5, Funny)
If you are Microsoft fundamentalist karma blaster, I meant that in a good way...
ASN.1: same issues as in OpenSSL (Score:5, Interesting)
BTW: Interesting timeline of more to come [eeye.com]
Better keep checking for updates.
Re:ASN.1: same issues as in OpenSSL (Score:4, Funny)
I dunno, hard to say. But you'd think if Microsoft would go so far as to copy the code they'd be smart enough to copy the patch, too, instead of sitting on it for six months :-)
Re:ASN.1: same issues as in OpenSSL (Score:3, Funny)
You don't need to be that smart to copy someone else's code, and that may be the problem.
Re:ASN.1: same issues as in OpenSSL (Score:3, Insightful)
Windows NT / 2000? (Score:5, Interesting)
On the other hand, if they didn't know about it, I wonder how many systems could have been compromised. When was windows NT released again ?
Re:Windows NT / 2000? (Score:3, Insightful)
Re:Windows NT / 2000? (Score:5, Funny)
Most recently, Windows NT was released again as Windows Server 2003. Before that it was released again as Windows XP and before that by the loveable name of W2K.
Hmmm. You asked when. Sorry, I don't know the dates.
Service Packs (Score:5, Insightful)
Say it ain't so... (Score:4, Insightful)
Name me an instance where "really doing due diligence" vis-a-vis security is an option, like this guy makes it sound. Just one.
Please tell me Microsoft is not as inept as this. Please?
Soko
Re:Say it ain't so... (Score:5, Funny)
"A prime exampizzle of racizzle can be seen vis-a-vizzle the ethnizzlicity of the indigenizzle pizzles of South Afrizzle."
Well, that does it for me, karma be damned.
Re:Say it ain't so... (Score:5, Insightful)
quote (Score:5, Insightful)
i don't have the quote on hand though...
Re:quote (Score:5, Informative)
Well, of course (Score:5, Interesting)
As Micro$oft's ratio of programmers to supported lines of code decreases, their time to fix bugs will increase.
To put it another way, bloat breeds torpor.
That's no bug! (Score:4, Funny)
That's no bug!
That's Intellectual Property!
"In other news: PanIP has filed suit claiming Microsoft's latest bug violates one or more of their patents."
in other flaws...I mean news...[semi-OT] (Score:5, Interesting)
In related news ... (Score:5, Funny)
A flaw was found in AOL Instant Messenger relating to the A/S/L library.
Does obscurity work? (Score:3, Interesting)
The article mentions that Microsoft is unaware of any computers hacked with this vulnerability. Assuming it wasn't ever used, then not disclosing it until a patch was made worked well in this situation.
But not disclosing the problem has drawbacks, too. Your system is insecure, and you have to hope nobody else knows about the exploit either. And it's Microsoft's decision when to patch it. It will be interesting to hear why it took them six months. What if it was simply PR: do you feel safe knowing you're vulnerable so Microsoft gets good PR (until now)? Or perhaps it's just laziness. If customers don't know about an exploit, how can they apply pressure to counter it?
Critical power and water utilities (Score:5, Interesting)
AP article starts with... (Score:5, Insightful)
Also, Microsoft's own document on "Trustworthy Computing" [microsoft.com] (warning: MS Word format!) establishes as a goal that "[t]he company is open in its dealings with customers. Its motives are clear, it keeps its word, and customers know where they stand in a transaction or interaction with the company." I suppose that waiting six months before fixing this "unusually serious" problem somehow satisfies that criterion?
Proof that publishing the fix enables crackers? (Score:3, Insightful)
Does this verify MS's supposition that delayed publication = less exploits?
Re:Proof that publishing the fix enables crackers? (Score:5, Insightful)
Some of the worst viruses have come from already-patched flaws that users have just neglected to apply said patch.
Effects of disclosure, paper at Oakland conference (Score:4, Interesting)
What he found after combing through tons of CERT data was that disclosure per se didn't do much to increase exploit rates.
What did matter was the release of automated attack tools based on the disclosure.
One reason for full disclosure is that it allows network owners and operators to get and install fixes. However, that also didn't make much difference over the time period he studied. Exploit rates stayed about the same after patch release. Apparently people who stay current on patches are such a small minority that they don't show in the statistics.
All that leaves plenty of room for interesting arguments over disclosure policy.
Six Months! (Score:4, Insightful)
Super Double Critical? (Score:5, Funny)
So, if they fix a security flaw sooner than six months, what status does that get? Super Double Critical?
heap overflow? (Score:5, Insightful)
From my understanding, this is a heap overflow. Given the nature of the heap, I could see this resulting in a DoS condition, but what is the likelihood that a practical exploit can be developed, given that the heap generally contains data in random locations?
Re:heap overflow? (Score:3, Informative)
Re:heap overflow? (Score:4, Insightful)
Re:heap overflow? (Score:4, Informative)
Is this the worst news report on Microsoft bugs? (Score:3, Insightful)
In short form it reads: there was a security flaw, it is bad, actually it was really bad, maybe the worst ever, and it is a security flaw.
I had just read about it (Score:3, Interesting)
I'm so glad I switched to Linux and OS X for all my personal stuff, it makes me feel so much better.
Laugh now, but maybe not in a few years (Score:5, Interesting)
This is why Microsoft is making the bold move of promoting managed languages like C# and VB.net, and a fully managed runtime in the guise of
In short, laugh about it now, let it distract you from what's coming, let it lull you into thinking Linux will always have the security edge, go right ahead. It won't change anything.
Re:Laugh now, but maybe not in a few years (Score:3, Insightful)
Do not get me wrong. OSS (including Linux) has its warts. But due to competition, it is kept up and at a quick rate.
It is not just MS (Score:5, Insightful)
I have no doubt that all these companies do care a bit more due to the pressure being brought, but it will still be a decision similar to what Ford did with Pinto and who it was did the tires that exploded. If it costs money to fix, but nobody will see it, who cares.
That is one of the advantages of OSS as everything is in the open. Have to fix it or will suffer big.
The Rest of the Update - Remove Unacceptable Symbo (Score:5, Insightful)
This item updates the Bookshelf Symbol 7 font included in some Microsoft products. The font has been found to contain unacceptable symbols.
Looks like someone slipped something through on Microsoft (certain to lose his/her job over this one) and put it just far enough in that it doesn't show when you double click the Bssym7.tt font file to preview its style. Leaves me wondering only two things:
1: Is there more than 1 symbol in there that is considered "unacceptable"?
2: Just why is this considered critical?
Re:The Rest of the Update - Remove Unacceptable Sy (Score:5, Informative)
As for point 2. Who knows???
Why would Microsoft *really* care? (Score:3, Redundant)
6 months? How about 7 years... (Score:5, Interesting)
As of September, 2003, there were 31 known unpatched vulnerabilities in Microsoft Internet Explorer. Some of the most critical have not been fixed in well over a year. The original page listing them was removed at Microsoft's request, but I cached it [mattschwartz.net].
Microsoft was notified of significant issues with their implementation of the Java Virtual Machine (JVM) on September 2, 2002, and on April 9th, 2003, Microsoft issued an update to fix the problem. That took more than seven months.
Shameless plug: more examples are available at my site [mattschwartz.net].
when are they releasing this patch to consumers? (Score:3, Interesting)
I can go ahead and download it from the page in the story; my question is: why is this patch not up on WindowsUpdate immediately?
stuff (Score:5, Funny)
And MS *lies* about the attack potential (Score:5, Informative)
"In the security bulletin published by MS it states,
"In the most likely exploitable scenario, an attacker would have to have direct access to the user's network."
The bulletin published by eEye states
"...applications that make use of certificates (SSL, digitally-signed e-mail, signed ActiveX controls, etc.) [are affected]".
I see a big disconnect there. Can you address this? Also, how would this potentially affect sites that are using an MS VPN solution?"
Yes, I am not sure what Microsoft did with the wording there that seems to be misleading to at least a few people so far.
There is just as much, if not more, chance of people using this vulnerability on server side applications as there is on client-side applications.
For example we set up a totally IPSEC secured network and we broke into that network via our ASN bug which is called by the Kerberos.
We also have written exploits that take advantage of ASN via NTLMv2 authentication. And the list goes on... How about evil ASN SSL CERTs?
Client or server? There is a menu a mile long for the avenues of attacks that this thing can be used for.
If you're running Windows NT 4.0, Windows 2000, Windows XP, or Windows 2003, you are 99.9999% positive to be vulnerable, regardless of what your configuration might be.
Don't try to guess if you have any of the affected protocols or applications (let's not forget third party apps using the MS ASN library), just install the patch.
Client side, server side, world wide.
Signed, Marc Maiffret Chief Hacking Officer eEye Digital Security
This is a lu-lu for server security (Score:4, Informative)
Unlike the MS Blaster bug, which had basically one exploit and one fix (the RPC service on TCP port 135), the ASN.1 protocols are used in a dozen services that are listening on TCP/UDP ports all over the place. Servers will be especially vulnerable to this.
If you hack Active Directory you own not just the computer but the whole dang enterprise.
Gads this will be a nightmare to deal with.
I had no idea that Microsoft owned Kerberos (Score:5, Interesting)
I wrote a letter to Mr. Bridis to offer a correction.
Dear Mr. Bridis;
You wrote:
"Some of Microsoft's built-in security features - such as its Kerberos cryptography system - rely on the flawed software."
This statement is factually incorrect. Your sentence should have read "... such as its implementation of the Kerberos cryptography system..."
Kerberos is, in fact, a creation of the Massachusetts Institute of Technology:
http://web.mit.edu/kerberos/www/#what_is
Please respect the intellectual property rights of MIT in your future writings.
Thanks.
Re:Moderation? (Score:3, Insightful)
Re:Moderation? (Score:5, Interesting)
Assuming you didn't mean that as a joke...
The entire point of this article centers on the very fact that no fix existed, despite MS knowing about the problem for over six months.
So, even the most attentive network admin in the world, applying every fix within an hour of release, would not have had the ability to remove this vulnerability from his systems.
Personally, I find it more interesting that MS has the same problem that OpenSSH had, dating from the same time period. Time for a few folks to start comparing the relevant libraries for similarity... Wouldn't that look just great for MS's PR, getting caught not only in a copyright infringement, but using that nasty GPL'd software they so hate...
Re:Moderation? (Score:4, Informative)
Sad state of affairs (Score:5, Funny)
Re:MyDoom (Score:4, Insightful)
* The user doesn't know what happens. But so what. I didn't know that firing a gun at your head would kill you.
Re:THIS IS NOT NEWS!!!! (Score:3, Funny)
Re:And this is better than open source... how? (Score:5, Insightful)
Re:And this is better than open source... how? (Score:4, Interesting)
Or search Google for no longer under development [google.com]. See how many hits are open source projects.
Here is my list of apps that I want to see under development:
Big Sister for Windows (this one is the one I want updated most of all)
Slackware (well, it's alive, but barely)
NCSA Server
In all cases I found that they were unsupported and had to switch to a different solution.
And remember, just because YOU don't use it, doesn't mean there aren't a lot of other people that use it and depend on it.
Re:And this is better than open source... how? (Score:5, Informative)
New release in September, previous release only 6 months prior to that, a changelog in current at the ftp site that shows continuous update including 11 new/updated packages in the last 4 days ?
Explain to me in what way you think this is "barely" alive ?
Re:And this is better than open source... how? (Score:3)
And FMA is widely used on what planet? Hardly on the same scale as, say, Apache, is it? Troll.
Re:Unfortunate, but unlikely in the future. (Score:4, Interesting)
The solution isn't to put more eyeballs on the problem. The solution is to build a better compiler. I don't have the documentation on hand, but the newer compilers at Microsoft simply do away with the problem while building the opaque executables. The newer operating systems also operate with a "canary" in the memory system which listens for possible buffer overflows and handles the exception.
Srividya, get over yourself. "I do not make security mistakes ever." You have and you will undoubtedly make more in the future. Coders in India are not that much more astute than American counterparts, they're just paid less.
Re:My system's patched now (Score:5, Insightful)
Would you continue holding an account with a bank whose ATM machines were in fact totally neglecting PINs, even though no one actually tried it?
I don't think the Microsoft bashers are saying that Microsoft makes crappy s/w and open source makes great s/w. But what they are saying is, despite making mistake after mistake, Microsoft is not accountable for any of its mistakes. Neither are large corporations or end users bothering to try alternatives, merely because of inertia.
So what is the incentive for Microsoft to improve its security track record ?
Re:My system's patched now (Score:5, Insightful)
Ok, what about someone else who found the hole independently? Or, what if someone has broken into eEye's systems and has been monitoring their email for a "heads up" on unreleased flaws (or the home computer of a Microsoft security person)? Or someone at their ISP or on their cable modem monitoring their email? You're happy to give all these people access to your computer, too, right? Compartmentalization is very hard to do outside a rigorous structure (like the NSA) which has very strict rules, procedures, and punishments to allow enforcement.
A virus or worm that takes advantage of this flaw is only one indicator - people using the flaw for other purposes are probably not going to tell the world about it. The point is that it's impossible to tell if no harm has been done.