Bug Google Microsoft Security Windows Technology

Microsoft Finally To Patch 17-Year-Old Bug

eldavojohn writes "Microsoft is due for a very large patch this month, in which five critical holes (that render Windows hijackable by an intruder) are due to be fixed, in addition to twenty other problems. The biggest change addresses a 17-year-old bug dating back to the days of DOS, discovered in January by their BFF Google. The patch should roll out February 9th."
This discussion has been archived. No new comments can be posted.

  • Is this a record (for a bug that's "known about" anyways)?

  • by msobkow ( 48369 ) on Friday February 05, 2010 @10:12PM (#31042766) Homepage Journal

    How in the world can a bug exist for 17 years when they've released so many versions of Windows in that time? Hasn't the kernel been revamped three times? (Win98/ME, WinNT/Win2K/WinXP, Vista/7)

    • by chill ( 34294 ) on Friday February 05, 2010 @10:15PM (#31042788) Journal

      Backwards compatibility FTW! The one thing that if Microsoft broke, they'd have a serious OS horserace on their hands. Then anyone would be free to simply choose OS X, Linux or anything else just on merits and not "it runs all my old software".

      • Comment removed (Score:5, Interesting)

        by account_deleted ( 4530225 ) on Saturday February 06, 2010 @01:16AM (#31043700)
        Comment removed based on user account deletion
        • by Nutria ( 679911 ) on Saturday February 06, 2010 @01:31AM (#31043772)

          Imagine if you paid $400 for Photoshop for Linux, but next year it was worthless because the latest kernel wouldn't run it? Wouldn't be very happy then, would you?

          You're right: I'd be sorely peeved.

          However, Linux strives for userland consistency, so any problems with old programs (like WordPerfect 8) not running are to be blamed on incompatible (glibc, for example) or non-existent (GNOME 1.4, Gtk 1.3) libraries. Gtk2, GNOME2 and glibc6 (is that a Debianism?) have been out long enough, though, that there aren't too many issues like that anymore.

          Not that any non-geek would care about the real reason, so "blame it on Linux" is good enough!

          • by dryeo ( 100693 )

            Wordperfect 8 (the tar.gz commercial version) runs fine after installing libc5.deb and xlib5.deb or something close to that. Even Wordperfect8.deb will install though a lot of stuff will get uninstalled. This can probably be fixed by removing the xlibg5.deb dependency.

          • by camcorder ( 759720 ) on Saturday February 06, 2010 @05:37AM (#31044484)
            If a photo manipulation program has something broken with a new version of kernel, that means developers should be unhappy since they are doing something very wrong at the beginning.
        • Re: (Score:3, Insightful)

          by Pharmboy ( 216950 )

          Linux doesn't have to worry about backwards compatibility because users are paying $0 for their software.

          Not exactly true. I have paid for a great deal of software designed to specifically run on Linux. AVG's corporate anti-virus server runs on Linux, tons of CRM and database applications run on Linux, even a lot of Perl based management suites for webhosting aren't free. And worth every penny from my experience. So far, compatibility hasn't been an issue when I upgrade for most, although many require

    • by SEE ( 7681 ) on Friday February 05, 2010 @10:15PM (#31042790) Homepage

      Um, no. The bug was introduced in Windows NT 3.1, and has remained in the NT line ever since. Windows 7 is very much still built on the NT codebase.

      • by Brain_Recall ( 868040 ) <brain_recall@y a h o o.com> on Friday February 05, 2010 @10:36PM (#31042920)
        And just to clarify, this bug was only discovered (at least by someone willing to disclose it) in January 2010. At least Microsoft didn't brush it under the rug for 17 years, I hope...
        • by symbolset ( 646467 ) on Saturday February 06, 2010 @03:33AM (#31044100) Journal

          I've known about this bug for many years - it's one of a few that date back to my college days when I had a scholarly interest in such things. Back then I used to haunt the dark corners of the Internet where these things were good for a laugh. Now they're good for a quarter million dollars because GO's haunt the dark corners now and they pay good money, and only now are ones like this coming out in common knowledge. You may be sure that if you're a high value target you've been exploited this whole time and that's why your competitors mysteriously beat you to market, or how knockoffs appeared more suddenly after your innovation than reverse engineering would allow.

          What's absurd is that there are hundreds more just in the core OS. Go to apps and WMP doesn't have a streaming format that doesn't have pwnership, and let's not even talk about IE. Then there's all the forgotten formats and services, each with its vestigial exploits that still work. And then there's Office. Good Lord, as if providing multiple Turing machine capable development environments were not enough, every app includes embeds for hundreds of formats that can hose any machine that opens a document, and for each of those there's a Microsoft-only undocumented interface that's truly trusted to be exploited, because that's how they roll. And one of those apps is an email client - think about that for a bit.

          Each fix only adds to the problem. Even if the patch doesn't add new exploits (most do) most people don't patch, and half of the few who do patch slowly to avoid incompatibilities. In the meantime the patch gives clues to the amateurs on which features to exploit. For 90% of systems you only need to pwn it once and leave some obvious malware and the idiot running it will clean it and think it's all good. So the smart black hat builds a database of servers running Windows he can get at from his previously Pwned boxes (yes, some of them are probably inside your firewall and most but not all of them are clients) and crafts a package to pwn the rest of your network and if necessary leave some cleanable traces. The truly nefarious black hats exploit the patching system itself - of course it has exploits and hidden hooks too.

          Each rewrite leads to new problems. In 2008 how the hell do you write a server OS that hangs on a bad packet on the file sharing service [microsoft.com]? That's not what Bill promised us in 2002 [cnet.com]. In six years they couldn't even get that right? That's your clue that they're not even trying or at least they're not able. At the very least they're struggling just to copy a file [technet.com] as if that were a new requirement.

          You would think with the billions they have to throw away on XBox and Pink, from Bing to Zune, Microsoft could afford to hire a few Pakistani code geeks to haunt the dark corners and report what they find written on the wall there. They're getting rid of their profits but they're not doing it well. You would think code security audits would extend to the historical catalog of code, but no... that group has enough to do just vetting this month's patches, let alone the output of the dev teams. I imagine the rest of them are building Bing interfaces into Yahoo's services as if they had a hope in hell of getting us to use Bing. For sure they're not throwing a ton of quality code geeks into saving their butt on WiMo 7. Fixing bugs widely known in the Underground that consumers like you don't know about? That's a 0 priority task.

          Windows shops: not only are we laughing at you - we always have and we always will. You poor bastards.

      • The bug was found in a utility anyway, not the kernel, so even if XP hadn't carried the torch of the previous NT kernel and had been revamped instead, the bug would still be in XP and other recent versions of Windows.
      • by symbolset ( 646467 ) on Saturday February 06, 2010 @01:28AM (#31043754) Journal

        Windows 7 is very much still built on the NT codebase.

        You lie! Longhorn (Vista, Server 2008) was built from the ground up [microsoft.com]. Microsoft told me so!

        They wouldn't lie to me. <sniff>

      • Re: (Score:2, Interesting)

        by neovoxx ( 818095 )
        If this bug was in NT 3.1, I wonder if it's also in OS/2?
    • Re: (Score:3, Informative)

      This has, to my knowledge, nothing to do with the kernel. It's a bug in a program used to run older applications. It was only found to be a problem very recently. Until now there was no real understanding that the bug existed and thus no reason to change that part of the OSes.

    • by supersat ( 639745 ) on Friday February 05, 2010 @10:18PM (#31042810)
      Windows 7 is Windows NT 6.1 [wikipedia.org]. NT has been in development for over 20 years.
    • Oh, my. I did a bit of work, last year, on an ancient project shared project that turned out to still be in use. (Small project, very stable code, old client.) There was a bug in handling mixed case filenames, and another one for handling files with spaces or punctuation in them: I'd never noticed, because when I wrote it it was all UNIX and no one _did_ that. But now some of the files were being generated by Samba clients on Windows boxes, who wrote files like "March 3rd Data.txt". So I fixed the bug, whic

    • by ildon ( 413912 )

      The article is a little misleading. The bug started in NT 3.1, not DOS or Windows 3.1.

  • This is a rather odd story to drop into the Slashdot cycle on a Friday Night (East Coast USA), it's basically just a warning that the typical Patch Tuesday (Second Tuesday of every month) is next week and the typical 0-day bugs that will be fixed which leads to the "bad guys" finding out what the bug was and deploying their attacks in the next few days.

    This really is a notice to the IT guys and people who don't have automatic update downloads installed... nothing newsworthy or out of the normal cycle of thi

    • Re: (Score:3, Funny)

      The /. editors are making up for having too many Apple stories since the introduction of the iPad. Now resuming normal "[Microsoft] Evil Empire Bashing" programming. Enjoy!
  • by WD ( 96061 ) on Friday February 05, 2010 @10:21PM (#31042826)

    Tavis disclosed the ntvdm vulnerability in January, however it was reported to Microsoft on June 12, 2009.
    http://lists.grok.org.uk/pipermail/full-disclosure/2010-January/072549.html [grok.org.uk]

  • by John Hasler ( 414242 ) on Friday February 05, 2010 @10:26PM (#31042860) Homepage

    Best F'ing Friend?

  • Cicada bug? (Score:5, Funny)

    by nicknamenotavailable ( 1730990 ) on Friday February 05, 2010 @10:40PM (#31042942)

    Let's call it the Cicada [wikipedia.org] bug.

    A Cicada has a life-cycle of 17 years.
    Now Microsoft is about to squash it.

    • If I squash the Cicada in my computer, will it finally stop making that clicking noise whenever it's working hard?
    • Re: (Score:3, Funny)

      by Angst Badger ( 8636 )

      Don't worry. Some of the bugs created by Microsoft this year will be around in 17 years, too.

  • "Finally"? (Score:5, Insightful)

    by holygoat ( 564732 ) on Friday February 05, 2010 @10:51PM (#31043026)

    Isn't it a little disingenuous to say "finally" when the bug was discovered last month?

    That it was introduced 17 years ago doesn't mean that Microsoft has been tardy about fixing it...

  • bff (Score:2, Funny)

    Just pointing out that "Microsoft's BFF, Google" deserves a placement in internet culture

  • by martin-boundary ( 547041 ) on Friday February 05, 2010 @11:17PM (#31043192)
    This is excellent news for Digital Research! With these latest patches, DR-DOS can finally run the latest version of Windows without any spurious error messages. This is a great day!
    • by Obstin8 ( 827030 ) on Friday February 05, 2010 @11:53PM (#31043382)
      Sorry man, you're posting a comment that just proves you're way too old to be commenting on /.

      First, most of the current batch of MCSEs (is that acronym still allowed?) will be replying to you asking for the 800 number for Dr. Dos. I suggest you send them to the Dr. Who site.

      Second, your reference to an obscure company called Digital Research will confuse the weenies. DRI.COM now resolves to a site for Colburn's Travels. It appears Mr. Colburn has achieved more mileage from the site than DRI ever did. Check the stats.

      Lastly, you're really confusing people with the whole concept of a 'spurious' error. Microsoft has - through the determined, repetitive, and consistent application of "innovation" - eliminated all spurious errors from the code-base. All errors are now completely intentional, rational and self-explanatory. Click here for more information. :)
  • by Greyfox ( 87712 ) on Friday February 05, 2010 @11:26PM (#31043244) Homepage Journal
    That's really going to screw up their average response time numbers...
  • BFF, how cute...

  • That 16 bit shit will come and get you if you don't pay attention.

  • that sci-fi yarn where the mad programmer unleashes a bit of code that squirrels around the net for fifty or a hundred years, unnoticed by anyone, and when the programmer dies it unleashes the programmer's hate and fury upon the world, and no one is able to stop it even though computers are a million times more complex and powerful than when the program was originally written? That could work?

    Awesome.
  • Windows Bugs get younger every year [darkreading.com]
