Windows Vulnerable To 'Token Kidnapping' Attacks
cuppa+tea writes "More than a year after Microsoft issued a patch to cover privilege escalation issues that could lead to complete system takeover, a security researcher plans to use the Black Hat conference spotlight to expose new design mistakes and security issues that can be exploited to elevate privileges on all Windows versions, including the brand new Windows 2008 R2 and Windows 7."
"Windows Vulnerable" (Score:1)
Solution sounds easy, right? (Score:2)
Just don't connect to a Token Ring LAN! =V
Re: (Score:2)
I think the problem would be finding a Token Ring LAN to connect to. I can't remember seeing one of those beasts in the last 10 years. Racks of 8228s with connectors that looked like mouths of aliens in a sci-fi flick . . . can't say that I miss them . . .
Re: (Score:1)
Re: (Score:2)
Re: (Score:1)
BNC is not a networking protocol, it's a connector type. Generally attached to coaxial cable.
Ethernet works over many different cable types and connectors, but it is a set of signalling protocols not a connector or cable type.
Ethernet can use BNC connectors (connected to coaxial cable), as well as RJ45 connectors (connected to CAT3, 5, or 6 cable) and several other interfaces via AUI and the like. You can even signal ethernet over fibre.
What you probably meant to say was 'at least it's CAT3, not coaxial' as
Re: (Score:2)
Nitpicker. Yes, I find myself using terminology interchangeably incorrectly occasionally.
Granted I've never had to deal hands-on with coaxial data networks, yay. I'm quite happy enough being too young for all that.
Re: (Score:2)
I worked with ethernet back in the days of 10Base5 [wikipedia.org] that used vampire taps [wikipedia.org] that were installed by drilling a freakin' hole into gigantic RG8-like uber-shielded coax that was run straight down the long axis on the building. Users would run these huge AUI cables to the vampire tap to gain access. You could only tap the cable every 2.5 meters, so in a crowded office you'd have loops of coax with piles of taps thrown on top of each other in the drop ceiling. Note that each segment only allowed 100 taps.
Those wer
Re: (Score:2)
I read TFS a certain way, and then searched for exactly your post... here it is!
"I think the problem would be finding a Tolkien Ring..."
PRECIOUSSSS!!!
Re: (Score:2)
Look in government institutions - I worked as "the IT guy" in 2005-2007 at a university in Denmark; parts of the LAN were still token ring. The reason behind that was that at some point during the upgrade to Ethernet, someone decided that the whole building needed to be overhauled, effectively freezing funds for infrastructure.
Right now they are demolishing it and building a new nice department - only took them something like 12 years from deciding something had to be done to actually do it.
Re: (Score:2)
The only benefit token ring ever really had over ethernet (aside from the 16 Mb/s vs 10 Mb/s signaling speed) was deterministic behavior. When you're doing a full motion cockpit simulator in the late 80's, token ring was the choice. In real-time, deterministic behavior is your friend.
Re: (Score:2)
One Ring LAN to rule them all and in the darkness bind them?
Windows Vulnerable To 'Token Kidnapping' Attacks (Score:3, Insightful)
So don't use Microsoft products and you're safer!!! To be fair to Microsoft, their products have been steadily improved over the years. Their products are now acceptable in regards to competitors.
Re: (Score:2)
Re: (Score:2)
Apple replies (Score:1, Troll)
Re: (Score:2)
You mean that every other operating system has this same bug? Including MacOS X, then. So, no... I doubt it's their iPhone 4. MS also has more experience dealing with stuff like this. Apple is currently experiencing what it's like for a pretty girl the first time she gets blown off by some random dude she's attempting to con into doing her a favor.
Re:Apple replies (Score:4, Funny)
Re: (Score:3, Insightful)
See, your analogy breaks down because it relies on a fat, ugly girl having had sex enough to catch 17 diseases. That just doesn't seem real to me.
Re: (Score:3, Funny)
Re: (Score:2)
See, your analogy breaks down because it relies on a fat, ugly girl having had sex enough to catch 17 diseases.
It only takes once if the guy (or other girl OH HO SEE WHAT I DID THERE) is blueberry-waffle enough.
Re:Apple replies (Score:4, Insightful)
I actually remember quite a few times in the past when Linux had root elevation exploits. The Linux community just replied with "don't let people you don't trust have console access".
And some quotes from the above link
"regularWindows users can’t exploit them"
"if you can upload ASP web pages with exploit code to a MS Internet Information Server (IIS) 6, 7 or 7.5 running in *default* configuration"
It's bad, but not *as* horribly bad as the title suggests.
A properly locked down Windows machine should have been mostly immune to this anyway.
I still love how *nix naturally allows individual services to run under different users while Windows defaults to more of a blanket user to access everything. Windows is better than it used to be, but still not quite there.
Re: (Score:3, Informative)
Windows does allow services to run as different users. It has since at least Windows 2000, probably since NT. Services that interact with the network by default log in as Network Service, which has limited permissions compared to the Local System account. In a locked down environment (i.e. an internet facing or DMZ server) you can use even more restricted accounts. A poorly configured Linux server is easy to exploit, in the same way a poorly configured Windows server is easy to exploit. The only difference
Re: (Score:2)
Although Windows can run services under limited accounts, it is far less common to do so... And I believe more difficult because you have to store a password for the user rather than just being able to setuid() on unix... So some unix services will start as root, and then drop privileges later.
Many applications such as Oracle, Apache, Tomcat etc typically run as SYSTEM on windows, and as their own users on unix.
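The start-as-root-then-drop-privileges pattern the post above mentions, as an added C example that is not from the post or any project. It assumes a POSIX/glibc system, and the account name "nobody" is only a constructed stand-in for a service account; the point is the ordering of the calls and the check that root really cannot be regained.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Drop to the given uid/gid in the order that actually works: supplementary
 * groups first (only root may clear them), then the gid (still as root, since
 * only root may change it), and the uid last. Returns 0 on success, -1 on
 * failure. When not running as root the group list is left alone and only the
 * uid/gid changes the kernel permits are attempted. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (geteuid() == 0 && setgroups(0, NULL) != 0)
        return -1;                     /* still root and clearing groups failed */
    if (setgid(gid) != 0)
        return -1;
    if (setuid(uid) != 0)
        return -1;
    return 0;
}

/* Confirm the drop is permanent. The classic mistake is seteuid(), which leaves
 * the saved set-user-ID at 0 so a later setuid(0) quietly succeeds. Returns 1 if
 * root cannot be regained, 0 if it can or if the ids are not what was asked for. */
int privileges_are_dropped(uid_t uid, gid_t gid)
{
    if (getuid() != uid || geteuid() != uid)
        return 0;
    if (getgid() != gid || getegid() != gid)
        return 0;
    if (uid == 0)
        return 1;                      /* asked to stay root; nothing to test */
    if (setuid(0) == 0)
        return 0;                      /* regained root: the drop was not real */
    return errno == EPERM;
}

/* Resolve a service account by name. Returns 0 on success, -1 if unknown. */
int lookup_account(const char *name, uid_t *uid, gid_t *gid)
{
    struct passwd *pw = getpwnam(name);
    if (pw == NULL)
        return -1;
    *uid = pw->pw_uid;
    *gid = pw->pw_gid;
    return 0;
}

int main(void)
{
    uid_t uid = getuid();
    gid_t gid = getgid();
    /* As root, bind privileged ports / open config here, then drop to "nobody"
     * (constructed example account). Started unprivileged, stay as we are. */
    if (geteuid() == 0 && lookup_account("nobody", &uid, &gid) != 0) {
        fprintf(stderr, "no such account: %s\n", strerror(errno));
        return 1;
    }
    if (drop_privileges(uid, gid) != 0) {
        fprintf(stderr, "drop failed: %s\n", strerror(errno));
        return 1;
    }
    if (!privileges_are_dropped(uid, gid)) {
        fprintf(stderr, "refusing to run: root could be regained\n");
        return 1;
    }
    printf("running as uid=%u gid=%u\n", (unsigned)getuid(), (unsigned)getgid());
    return 0;
}
```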
Re: (Score:3, Insightful)
Many applications such as Oracle, Apache, Tomcat etc typically run as SYSTEM on windows, and as their own users on unix.
So, many cross platform applications have bad security defaults when installed on Windows, but good defaults when installed on unix. That sound more like a frame job than bad security on Microsoft's part. The Microsoft equivalents (SQL Server and IIS) are configured properly by default. I'll bet that like IIS, at least two of the three don't run user threads as SYSTEM.
Re: (Score:1)
SQL server runs as SYSTEM by default (and even lets dba users execute shell commands), IIS has improved in recent versions largely due to having been so heavily attacked previously.
Re: (Score:3, Informative)
IIS improved seven years ago, not recently. Regardless of the reason for improvement, it did improve. IIS 6 and 7 both have excellent security re
Re: (Score:3, Informative)
I still love how *nix naturally allows individual services to run under different users [...]
There's nothing "natural" about it. You don't need to go far back in history at all to find the majority of services on a UNIX machine running as root.
Re: (Score:3, Interesting)
Re: (Score:2, Interesting)
Thank you for your, as usual, rational observation.
Unix-derived OS's are only recently gaining proper fine-grained security controls, and most are still hacks, IMHO. Newer Linux has "capabilities" that allows one to mark a binary as allowed to use certain privileges, such as CAP_NET_BIND_SERVICE, but this can't be used with *scripts* due to the fact that it is the *interpreter* that would need the privilege (*bad* idea to always give it to the interpreter). Solaris 10 has user privileges such as net_priv
Re: (Score:2)
It's worth noting that Symbian actually has quite a nice (i.e. simple enough to actually be used) capability model. Both libraries and executables have a set of capability flags and they interact very nicely with the Symbian driver model. It doesn't quite have a true microkernel, because the drivers are in the kernel, but the drivers are very simple. Most, for example, do not implement multiplexing - they just provide exclusive access to the device to a single userspace program (which has the direct acce
Re: (Score:2)
Windows NT adopts the VMS security model, but unfortunately hides it behind a UI that wants to pretend that everything is like DOS.
How so ?
Re: (Score:2, Insightful)
Microsoft's "security" is drilled full of holes due to their desire to make the web more "active" and shut out other web services. Let's list some of the offenses: ActiveX, Windows Media, Windows Update. Each of these grand ideas have "download code from the web and execute it" at their heart and are wide open to exploits. They can claim that they're working on security all they want but as long as these and other security breaches are built into Windows, attempts to plug the security leaks will be as usefu
Re: (Score:3, Informative)
Let's list some of the offenses: ActiveX, Windows Media, Windows Update. Each of these grand ideas have "download code from the web and execute it" at their heart and are wide open to exploits.
ActiveX - ever heard of .xpi? Yeah, that pops up a prompt when you install it; so does ActiveX. And .xpi can contain native code (which many people don't even realize).
Windows Media does not "download code from the web". It's just a browser plugin, like MPlayer or VLC plugins.
Unless what you mean is that it can download codecs from the Net from a central repository (after popping up a confirmation dialog) - which e.g. Rhythmbox and Totem also do in Ubuntu, though those go through the centralized package syst
Re: (Score:2)
Regarding ActiveX - those objects can be marked as "user choice" or "safe" - guess what the bad guys mark them as; newer Windows versions prompt on all of them so this reduces the danger a little bit - but the vast majority of users just hit the OK button when a prompt pops up. And Windows Media - you hit the nail on the head when you pinpointed its ability to download and run install packages for codecs. But they aren't required to come from a central repository - they can come from the same domain as the
Re: (Score:2)
[...] and I'll bet you stop and think the next time WMP wants you to install a codec to view / play some media file. It might be a legitimate request - but if it's not, your machine will belong to someone else if you click that OK button.
And this is where the whole "click OK to continue" approach falls down flat. I don't know who signed Adobe's SSL certificate. I might not even spot the difference between "Unity3D" and "Unity30" if I'm skim reading through the page. The basic fact is that if you ever install *anything* you're taking a leap of faith that what you're actually installing is what you think you're installing. So many times while running Windows, I had to give authorization to install codecs, drivers etc. and found myself thinkin
Re:Apple replies (Score:4, Informative)
Modded flamebait? After MSFT's recent comments regarding iPhone4 being Apple's "Vista", I found the comment rather funny.
Re: (Score:2)
Modded flamebait? After MSFT's recent comments regarding iPhone4 being Apple's "Vista", I found the comment rather funny.
Indeed. Although, I would have preferred if they had posted "After hearing about this exploit, an Apple VP referred to this as 'Microsoft's Vista'." ;-)
Re: (Score:1)
I love that Microsoft is essentially saying, "They suck as much as us!" How the mighty have fallen. Too bad the Vista analogy doesn't work though since people are actually buying the iPhone 4.
Re: (Score:1)
Re: (Score:1)
"... by any user with impersonation rights." (Score:5, Informative)
That should be the first thing anyone familiar with Windows architecture notices. It means that it's an escalation from an account that's already running at elevated privilege (at least, it is on Vista and beyond).
So, it's definitely a security bug. But it seems like a disproportionate amount of noise for a local privilege escalation requiring higher than normal privilege to start with.
Comment removed (Score:4, Insightful)
Re: (Score:1, Troll)
Re: (Score:1, Insightful)
Re: (Score:2)
Just what is it of his that is a little confused?
Re: (Score:2, Informative)
if you run IIS you may as well just post your admin password and social security number on your homepage
Really? Try a little comparison exercise:
IIS6: http://secunia.com/advisories/product/1438/ [secunia.com]
IIS7: http://secunia.com/advisories/product/17543/ [secunia.com]
Apache 2.2.x: http://secunia.com/advisories/product/9633/ [secunia.com]
In the 7 years Secunia has listed online, IIS6 has 10 vulnerabilities, IIS7.x has 3, Apache 2.2.x has 19
Re: (Score:3, Insightful)
That said, it often makes very little difference when some idiot runs a PHP webapp full of holes on the webserver.
Once the attacker has exploited your webapp, they may not even need or care to escalate privileges - they probably can already get what they want. Even better if the webapp has the rights to access your crown jewels in a DB somewhere.
Nope, problem is in architecture. (Score:1)
Problem is in Windows architecture. Its security subsystem is so complex that it's nearly unusable. You can, in theory, create very flexible security policy using ACLs which can be attached to almost all objects in Windows but in practice nobody uses it. So glaring security bugs can live for years.
It's almost like SELinux.
Re: (Score:1)
optimistic (Score:5, Informative)
Lately the security bugs I've seen are making me feel good.
Sounds weird I know, but it just seems like they are getting more and more bizarre.
Even the flash and PDF stuff makes me feel that we are starting to go into left field for vectors. The security industry is putting itself out of work...
Where will be in 5 years...probably in a relatively safe world.
I mean heck this things says "If you can upload an ASPX file you can take over the system". That means we are worrying about how to protect against inside jobs not general problems.
When was the last major worm anyways?
Re: (Score:2)
When was the last major worm anyways?
Disable all spam filtering your ISP provides, wonder where all the spam is sent from... Blissful ignorance is not improved security
Re: (Score:2)
> When was the last major worm anyways?
Microsoft Windows 7 was released in 2009, IIRC. It has reportedly infected over 150 million computers.
Old News (Score:2, Insightful)
Re: (Score:1)
I suppose the article does say "more than a year..." but this is really old news. http://www.argeniss.com/research/TokenKidnapping.pdf [argeniss.com] was published in the summer of 08.
Ok, so I read the zdnet article and the article does appropriately state that the exploit was discovered in 08. However, the zdnet article linked by OP is also a year old.
Patch Release (Score:1)
All versions? (Score:2)
Really all versions? Going all the way back to 1.0, and also including the CE versions? I strongly doubt that! Perhaps it dates all the way back to NT4, but that is still very, very different than affecting all Windows versions.
Re:About Software (Score:5, Interesting)
#include <stdio.h>
int main()
{
printf("hello, world");
return 0;
}
Yes (Score:5, Insightful)
It doesn't do anything useful.
Re:Yes (Score:5, Funny)
No, but it's polite, it's greeting the world. You are so insensitive!
Re:Yes (Score:5, Insightful)
Well, attacking this specific program has all kinds of possibilities. stdlib hasn't exactly been bug-free over the years, and depending on the environment, other libraries may get automatically loaded into the address space, and those can possibly be attacked. Then there is the infamous 'cc' hack, which automatically added a backdoor when you compiled specific programs.
Just because you [the programmer] haven't typed in a large amount of code doesn't mean your program has fewer possibilities for bugs and/or attack vectors.
Re: (Score:2, Insightful)
Re: (Score:1)
As a demonstration of printing, maybe. But as a general demonstration, not so much.
Re: (Score:1, Funny)
Re: (Score:2)
It doesn't do anything useful.
Like MOTD?
Re: (Score:2)
Isn't MOTD daemonized (which provides some possibility of e.g. a DOS attack of some kind)?
Re: (Score:2, Interesting)
This is completely correct. A bug isn't simply a coding error but a design error. Programming takes an abstract concept and makes it concrete in a formal language. This involves filling in all the details -- which is quite a lot more than non-programmers think. How should the program behave if it runs out of resources, user inputs incorrect information, external system provides incorrect information, operating system error, what should the performance characteristics be, details of statecharts and sequences
Re:About Software (Score:5, Insightful)
Yep. It buggers up the prompt.
printf("hello, world\n"); /*is better*/
*This message was compiled with -pedantic.
Re: (Score:2)
puts("Hello, world!"); /*is best*/
Yes.... you forgot the comments ... (Score:1)
#include <stdio.h>
int main()
{
printf("hello, world");
return 0;
}
Re: (Score:2)
You forgot the exclamation mark.
Re: (Score:2)
Re:About Software (Score:5, Insightful)
I don't know the last time I looked at everything in stdio.h for problems so it's tough to say...
Re: (Score:2, Funny)
Really? Can you find a bug in this...
#include <stdio.h>
int main()
{
printf("hello, world");
return 0;
}
But Microsoft did not write that routine, had they done it, it would read something like:
#include <stdio.h>
int main()
{
printf("hello, world");
get_administrative_privileges();
collapse_system();
return 0;
}
Re:About Software (Score:5, Funny)
Re: (Score:3, Insightful)
Re: (Score:3, Interesting)
At a certain point of time it's a waste of time and resource to add extra checks.
In this case the target user would likely notice if printf fails to produce output and deal with it accordingly.
If printf produces output and still fails for some strange reason, the user is unlikely to care.
A professional way is to document it. "NOTE: in some cases printf ma
Re: (Score:2)
Re:About Software (Score:5, Interesting)
Considering I once performed a security audit and found that the lead developer for the client had rewritten printf so it had damaging side effects...yes...
Re: (Score:2)
It lacks i18n.
Re:About Software (Score:4, Insightful)
You're including an external file ('stdio.h'), which could be replaced by anything. A malicious person with access to that file could change the declaration for the printf statement to call an external function (or just add code into the header file), and then you're screwed.
Thinking about this makes me wonder if that's not a standard thing to do. No one checks stdio.h, right?
Re: (Score:3, Informative)
The file inclusion is done at compile time. Presumably, whoever is compiling the code has a good system (otherwise, the possibilities are much worse than what you describe: the compiler might be hacked, for example).
Moreover, in this particular instance, the file is included with '#include <stdio.h>' (as opposed to '#include "stdio.h"'), which means the compiler will look for it first in the system include directories (e.g, /usr/include). This means that, if whoever compiles the code is being attacked thi
Re: (Score:2)
Moreover, in this particular instance, the file is included with '#include <stdio.h>' (as opposed to '#include "stdio.h"'), which means the compiler will look for it first in the system include directories (e.g, /usr/include).
The include search path can be overridden on the compiler command-line (-I) or via environment variables (C_INCLUDE_PATH), both of which take precedence over the standard ("system") search path, so there is no guarantee that the file will not be unexpectedly located in some compromised directory under the nominal control of the current user.
Re: (Score:2)
Well, if someone can inject source code during compilation, they can obviously add malicious code to the final executable.
But in this particular instance, there would be no added include directories to the compilation process, since the source code is just one file. So, to do anything bad, the attacker would have to be able to screw the compilation (by changing the command line, environment or whatever other means he has to trick or change the compiler). If they can do that, they can also do any number of t
Re: (Score:1)
On my desktop, no I don't check stdio.h
On our company buildfarm, yes, stdio.h is checked by the IDS before production builds run and after to confirm they are the originals.
Re: (Score:3, Funny)
Yes. You left out goatse.cx
Re: (Score:1)
Re: (Score:2)
The comma is also unnecessary.
It is proper when addressing someone/something.
hello bugs. (Score:1)
It does not check the return value of printf.
Under windows it does only run in console mode.
Documentation is lacking.
The start of the source code is not marked. Since it has an end-of-line with a single ".", there are 2 dots at the start of the program that give a compile error.
Re: (Score:2, Insightful)
You aren't accepting incoming arguments, if you were running on bare metal I'd accept that there are no incoming arguments, but you're returning 0, so you're obviously not running on bare metal or there would be nothing to return to. One of those things is a bug, take your pick.
You also forgot to terminate the printf statement with a newline\carriage return or whatever fits the OS it's for, which on some OSes will result in the line not appearing even though it does get printed.
It may not crash, but yes, it
Re: (Score:2)
You aren't accepting incoming arguments, if you were running on bare metal I'd accept that there are no incoming arguments, but you're returning 0, so you're obviously not running on bare metal or there would be nothing to return to. One of those things is a bug, take your pick.
There is no requirement in Standard C to accept arguments - int main() is a perfectly valid conformant signature for the entry point. On the other hand, main is required to return an int (though, unlike any other C function, you can skip return, and the compiler should treat it as if 0 was returned).
So, no, neither of those is a bug. It could be a bug in a sense of not conforming to the specification, but in order to determine that, you have to see that spec first.
Re: (Score:2)
And which standard would you like to use as an official C reference point? I can think of four that are considered 'official' right now.
But, either way, reading comprehension is hard:
So ...being that I just told you the standard to use (mine) and that it was wrong ... well, not sure what my point was, but go read my previous post and try again.
Re: (Score:2)
And which standard would you like to use as an official C reference point? I can think of four that are considered 'official' right now.
I'm only aware of 3 over the course of language evolution - K&R C, ANSI C89 (aka ISO C90), and ISO C99. My points apply regardless of which of those you pick, except that in C99 there is no "implicit int".
If you're talking about your subjective standard only, then it is entirely unclear to me why you feel that "accepting incoming arguments" is a requirement for main() in a "Hello, world" app. It's not going to do anything useful to them, so why should it do so?
Also, why would running on "bare metal" or
Re: (Score:2)
Really? Can you find a bug in this... #include <stdio.h> int main() { printf("hello, world"); return 0; }
A bit cryptic, your question is.
Are you saying that including stuff at compilation is safer than relying on DLLs that (by definition) get linked in at runtime? Just a guess of course. Why don't you just say what's on your mind? —or is C the only language you know?
Re: (Score:2)
Really? Can you find a bug in this... #include <stdio.h> int main() {
int main(int argc, void **argv) {
Re: (Score:2)
You do not need to use "int main()", and you can instead substitute a slightly more efficient void return type (none in other words) and no need to return 0 either.
void main()
The above is not valid, and will not compile on a decent implementation. Go ahead, try it with gcc or any other standard-conforming compiler.
As a side note, omitting the return type - i.e. main() { ... } - is not the same as void return type. It's actually implied int. That one is valid, yes. And you can omit the return whether you omit int or not, because ISO C allows you to do so only and specifically for main, in which case it is equivalent to ending it with return 0; - this does not affect efficiency, t
Its a "Feature" not a bug. (Score:2)
Ironic how bugs are so well suited to infestation through windows. A RAID array might help....
Re: (Score:2)
There's an important distinction to be made, between bugs (eg a buffer overflow etc) which can be corrected with a relatively simple patch, and design flaws which may require serious changes breaking compatibility...
Re: (Score:1)
This is why the majority of the public supports the Arizona legislation.
Oh, wait, this is a Windows story. Why'd you post that?
Re: (Score:2)
Dude, nobody wants a racist lunatic in the White House
Wow, you're seriously out of touch with a large fraction of the American electorate...