Serious IIS Hole; Minor X Bug
EyesWideOpen writes "Microsoft announced Wednesday that there is a serious software flaw with its IIS web server. The 'vulnerability affects a function in the server software that allows Web administrators to change passwords for an Internet site.' A researcher with eEye Digital Security discovered the flaw in mid-April but it wasn't announced publicly because of an agreement with Microsoft. The Wired article is here and this appears to be the MS bulletin describing the vulnerability in detail." And several people reported this Register story on a way to DOS Mozilla users by trying to display ludicrously large fonts. Microsoft's time to patch a remote hole where the attacker can gain complete access to your computer: two months. Open Source's time to patch a much less serious bug where the attacker can merely crash your computer: three days.
I already view large fonts. (Score:2)
Re:I already view large fonts. (Score:4, Informative)
I've also found that the screen calibration thingy on the fonts preferences (select 'Other..' under 'Display Resolution') makes a big difference too.
Status Quo (Score:2, Funny)
About Status quo in Linux land
Re:Status Quo (Score:4, Insightful)
It's not a Linux bug, but rather an XFree86 and mozilla bug. It would probably crash any box running those two programs just as handily...
Re:Status Quo (Score:4, Informative)
Ctrl-Alt-Backspace if you get hit with it, and restart your X server. If you want a bit more protection, run the xfs font server separately (rather than letting X handle fonts); then only the font server will crash.
As for "time to fix", well XFree86 has been out for a while now, so presumably it was vulnerable all along.
Re:Status Quo (Score:4, Insightful)
No.
As a web browser, Mozilla should be able to withstand maliciously formatted content. It really is a bug.
Re:Status Quo (Score:4, Insightful)
Hmm...the flaw itself is in XFree, and its handling of huge fonts. Presumably the only reason a web browser is such a problem is because of the potential to attempt display of a *lot* of text at once (I would assume opening a long document in Star/OpenOffice with gigantic fonts would produce the same effect, although I haven't tested it myself...). Therefore, while it's a "nice" thing that Mozilla throws a limit in there to prevent one vector of attack, it's merely throwing a band-aid over the real problem, which should be fixed in XFree.
Re:Status Quo (Score:2, Informative)
DOS Mozilla users??? (Score:5, Funny)
Wow, I didn't know that Mozilla had a DOS version! How many users does it have? Three?
Re:DOS Mozilla users??? (Score:3, Funny)
Only affects HTR - a rarely used feature (Score:5, Informative)
Re:Only affects HTR - a rarely used feature (Score:4, Insightful)
The majority of Code Red attacks came (and are still coming) from private users that have never even heard of a Microsoft Security Bulletin, the URLScan tool or the Lockdown Tool.
Sadly these types of users are still in the majority.
Um, then why does it matter? (Score:5, Insightful)
Linux and other open source software aren't impervious to bugs being discovered either, they just respond faster - so the lesson here is simply "if you're an idiot, you can get '0wn3d' on any OS".
Yeah it sucks that Microsoft take two months to fix an exploit, but if it only affects a service that would have been switched off already if you followed instructions, then it's not *that* big of a deal.
Re:Um, then why does it matter? (Score:2)
If you don't use
Also, I hope that you don't have every Apache feature enabled.
Re:Um, then why does it matter? (Score:3, Insightful)
Good admins shouldn't have any problems with either Apache or IIS.
Depends on the OEM (Score:4, Informative)
As for the HTR, anybody that does a "typical" install (i.e. just selecting default options) of a Web server has larger problems than their OS.
Re:Only affects HTR - a rarely used feature (Score:3, Insightful)
very true. if Microsoft wish to market a product that is supposedly easy to use and administer, it is not the user's fault for not being told to patch and upgrade constantly.
I'd be the last person to stand up for Microsoft, but a lot of the problem is in the fact that novice users are fooled into thinking they can sysadmin without experience and training, and NOT because the software is deficient. Almost any other OS you'd care to mention is vulnerable out of the box, but they are usually aimed at people who know what they are doing and patch them accordingly.
Microsoft design and market their server OSs in a way that makes it look like any fool off the street can administer them, and in my experience that is usually the case.
Re:Only affects HTR - a rarely used feature (Score:4, Funny)
...right... so EVERYONE is affected... hardly a major bug at all.
Re:Only affects HTR - a rarely used feature (Score:2)
Well, it helped me wake up this morning.
Re:Only affects HTR - a rarely used feature (Score:2, Interesting)
I know this is a GNU/Linux/OSS advocacy site. I have a great deal of appreciation for Linux, not because I use it on a daily basis, but because it is forcing my OS vendor of choice to at least pretend to sit up, take notice, and focus on some things the market never forced them to focus on before.
I know. I done been trolled.
Re:Only affects HTR - a rarely used feature (Score:3, Interesting)
I know your pain, as do many others. It's been said that IT groups don't choose Microsoft products, they just install them. One workplace of mine has Exchange, IIS and all the MS side-dishes, and I fought them kicking and screaming. But, the marketing geeks upstairs read in a magazine that something is a "robust solution" and assume it'll work in our environment.
Of course, I'd rather spend my day implementing cool new stuff to make their work better, but instead I sit around coddling a patch-monster.
Incorrect ! (Score:5, Informative)
and
Re:Incorrect ! (Score:2)
Why on earth would that happen, unless your kernel VM was seriously screwed? Last time I saw any one process hog all the RAM, it got killed pretty sharpish.
There's also a call in the bugtraq thread for apps to be more sensitive about the data they get back from calls into external APIs. That makes sense to me - especially when anyone can LD_PRELOAD a library with broken return values for various functions.
Well spotted mozilla, now everyone *else* get your acts together please
Re:Incorrect ! (Score:2)
Well, the Mozilla "bug" is that Mozilla doesn't perform a check to see if the font size is sane; it just blindly tells X to show extremely large text. But X should definitely check that it can handle it itself, so the bug is an X bug. Mozilla should just be a little friendlier with X.
Re:Incorrect ! (Score:2)
So it probably only affects XFree 4.2... I don't have 4.2 installed to verify.
Re:Incorrect ! (Score:2)
Re:Incorrect ! (Score:2, Funny)
All these years and I thought X was supposed to do that. Silly me!
Re:Incorrect ! (Score:2)
It is not really an X11 bug (Score:4, Insightful)
For example, if you feed GCC ridiculously large input, GCC will (attempt to) allocate a ridiculous amount of memory. Which is how it should be; applications should not try to second-guess the user.
Applications that take data from untrusted sources, like web browsers, should of course make sanity checks. So the error is in Mozilla, not X11.
Nonetheless, one can expect more from a desktop server like X11 than from more traditional applications, since if the desktop crashes all the user-visible applications will go with it. So it would be a reasonable feature for X11 to make more sanity checks on its input than other local programs do.
It is really an X11 bug (Score:2, Interesting)
allocate because they don't know how much they would use. The kernel overcommits because it expects apps to over-allocate. If the kernel wouldn't overcommit then you would require absurd amounts of swap to run.
X11 is a special app, because if it dies the screen dies and you can't interact with the system, although the system might be functioning fine.
What happens in this case is that X11 is killed promptly by the kernel, and does not get any time to restore the console. The kernel cannot and must not differentiate between processes.
In this case though the problem is more clear cut: X11 must not allow absurdly large fonts. There should be a limit to the size of the memory it is allocating based on the system memory, so that it doesn't put itself into danger. It might be a difficult question in different settings, but this case just requires an upper limit on font size, based on the display size and system memory.
-anand
Re:It is really an X11 bug (Score:2)
X11 must not allow absurdly large fonts.
And if I'm working in the Gimp, and am trying to create a 40,000 pixel-tall letter A? The X Font Server should fail to allocate the memory to render my character why?
No, I think the fix has to be in Mozilla. When a desktop user really wants an insane font-size, they should be allowed to have it.
Re:It is really an X11 bug (Score:4, Insightful)
Hardly. Hasn't everyone at some point telnetted to a *nix machine to kill and restart a hung X11 process?
Re:It is really an X11 bug (Score:2, Insightful)
I know that there is also a SysRq key, but not everyone knows it, and it also may not work if not properly set.
-anand
Re:It is not really an X11 bug (Score:3)
Applications that take data from untrusted sources, like web browsers, should course make sanity checks. So the error is in Mozilla, not X11.
They should in some, but not all, cases. That's why rlimits exist. Certain classes of applications should not have to check everything for themselves. For example, the qmail SMTP server can be made to allocate an arbitrary amount of memory by feeding it a huge list of recipients. This is not a bug. It is designed to be run with resource limits, usually set using softlimit. It is bad engineering to include needless checks in every single application, when the OS has this built in.
Re:Incorrect ! (Score:4, Interesting)
As pointed out in several posts to Bugtraq, yes, the actual bug is in X (probably in libXfont) but Mozilla is a program that retrieves untrusted data across a network and, as such, has a responsibility to reject or sanitize data that could cause problems. The old Internet maxim is, "Be liberal in what you accept and conservative in what you send," but that doesn't mean you shouldn't also do some sanity checking.
--Phil (Ardent Bugtraq follower.)
This goes to show... (Score:2, Interesting)
I honestly still think that some sort of un*x for idiots is needed before people will actually see open source OSes as an alternative to bloody Windows.
I can speak for myself: I'm a dumb Windows-based web designer, and as much as I really like the idea of Linux, and the look of GNOME and KDE, and the coolness of using a console... you'd still have to dumb it down a bit more for me. Perhaps Apple's X... but then I hate Apple computers; it'd have to run on a PC.
Oh well, what I mean is: there's no point in comparing how much more terrible MS's bugs are and how much longer it takes for them to solve them. There has to be a real alternative to Windows for the DUMB user, not for the tech-savvy geek, before people will actually say "hey, wait a minute, this is full of bugs and THAT over there isn't... I'll swap."
Just my opinion.
Moita Carrasco
Re:This goes to show... (Score:5, Interesting)
I think you're wrong here, since Microsoft was always very, very good at feeling out the vibes of their customer base. The current perception in the marketplace is that Microsoft's security is beyond rotten. Since even the Gartner Group [gartner.com] got on the bandwagon, Microsoft seems to be scared shitless about that public perception.
The problem is the same as the sorcerer's apprentice, who just can't get rid of the monsters anymore.
For years and years Microsoft has overladen their products with features and bloat. They missed the internet entirely and when they realised their mistake they rushed an inherently insecure internet platform into the market, and during all this time they didn't give a flying f*ck about security.
I agree that Microsoft is an extremely arrogant company that regards their customer base as cows to be milked and taken for a ride in every way possible.
The problem is that perception is changing and so they are frantically trying to restore trust; they can't let such glitches happen on purpose.
I think it's too late though to call the monsters back in and even worse:
It is my true conviction that any IT responsible on any level using IIS on new projects is guilty of gross negligence and incredible incompetence.
I know that feeling (Score:4, Insightful)
When I was working as a consultant for a major database vendor I walked into customer sites, looked at the problems at hand and usually started to script in either perl or shell.
This provoked indescribable looks from (mostly) younger IT staff and questions around the line, of:
What the hell is this? What are you doing here? Why don't you use a GUI? This was often accompanied with smirks and laughs.
Laughing was reduced to an absolute minimum after 2 hours of scripting (including testing) and 10 minutes running the script, instead of opening a window 3000 times in order to uncheck a checkbox.
It was usually also the very GUI-oriented shops that ran into wicked recoverability problems, since they implemented their databases with GUIs, modified their database structures with GUIs, and the last time they re-generated scripts from the physical schema was in the summer of '98 or so.
If they had used scripts to start with and had treated those scripts like source code, they could have avoided weeks - if not months - of agony and pain. Not even to mention the costs.
Re:Heh... read if you dare. (Score:2)
I beg to differ about X. It doesn't suck for me. But I will agree that it does mostly suck for the non-nerd; that's probably what you meant.
Re:Heh... read if you dare. (Score:2)
I run Linux/X on most of my machines. X sucks, plain and simple. I am far from a non-nerd.
For the most part, X works okay. However, it does hog memory and crash (Mozilla 1.0 seems to crash X often for me...) My Win2k box pisses me off at how stable it has been in comparison (flies in the face of my *nix vs Windows arguments; it's hard to convince people that the OS is stable, that just the GUI crashes).
My point was simply that, in my opinion, X sucks. I use it only for lack of anything better for my Linux and BSD systems...
Re:Heh... read if you dare. (Score:2)
OK. You're entitled to your opinion... I don't have any crashes with XFree86. I run the same session for weeks at a time. top(1) misreads the memory usage due to shared memory, so if that's your gauge it doesn't hog as much as you think.
Perhaps your driver is not as stable as mine. If it's a standard driver that would indeed be a fault of XFree. An nvidia detonator driver is mostly nvidia's responsibility.
Also, I only run a stable version of fvwm2 with no Gnome or KDE. This might contribute to my stability and low memory usage. I would recommend trying different configurations.
Re:Heh... read if you dare. (Score:2)
My advice is for you to stick to tried and true hardware: a Matrox G200/G400 video card, Crucial RAM, an i440BX Asus motherboard, and an Antec power supply. Yes, this means using a Pentium III, but my P2B-D (i440BX), P3C-D (i820), and P2L97-DS (i440LX) are all crash-proof.
If you're going to buy a Pentium IV or Athlon, then try to stay a revision or two behind current technology (ie, don't use VIA's KT333). If you want something to be stable, you need to give programmers time to discover the hardware flaws.
The Killer App (Score:5, Insightful)
That's it, pure and simple. Freedom to do what you want with your machine. Freedom from proprietary formats and the hassle of interchanging data with others. Freedom to alter the code in any way you want, or to learn from it. Freedom to participate in more substantial ways than buying and installing some product from off the shelf. Freedom to use your computer as it best suits you, not as it best suits Bill Gates or Steve Jobs.
This might sound like fluff, but this is the reason why I gave up on Apple years ago, and it's why I've stayed with Linux ever since then. Apple has done some great things in the past few years, and I applaud them for it, but they are still not Free as in Freedom. Yes, I know about Darwin, but what about Aqua? Yes, I know about QTS Server, but what about iMovie? I'm not saying Apple should open these products or that they shouldn't make money, but simply that they're not going to make any more money from me because I will never feel safe with them after they discontinued a raft of great technology. This will not happen with Linux. Ever.
That's the killer app for me, and I know it's the killer app for others. Microsoft and Apple will never fully offer that freedom, and as a result I can never trust them fully. They might have more innovative products, but it doesn't matter. Quickdraw GX was innovative. So was Opendoc. And the original Cocoa project (kid's programming environment that I dearly miss). Where are these projects now? Innovation doesn't matter. Just that you're there, and free stuff will always be there, whether it's GPL or BSD or whatever, so long as it's Free as in Freedom. That's a far more powerful killer app than any I've ever heard of.
Re:The Killer App (Score:2)
The thing with Windows is that the GUI mindset can make the simple things hard. On top of that, Windows doesn't really come with a decent programming environment as standard. Users become reliant on the fleets of Visual Basic programmers making temperature converters and other one-line Unix programs.
Once upon a time I thought Windows was the One Microsoft Way. Eventually I hit the power user wall and the desire to make network-based utilities, and I was introduced to the simple notion of regular expressions. It still makes me angry that a powerful and useful concept was kept almost secret from me because of Microsoft products. The number of times a quick regex would have saved me hours of text parsing...
Just for that I will never forgive them and once your eyes have opened the rush of confidence of the newly converted overwhelms you, it makes you want MS to wither and die and all those crappy VB utilities with them.
Killer app? (Score:3, Insightful)
I don't think the killer app exists anymore. A killer app is an application which forces you to buy the computer and operating system in order to run it.
Windows' original killer app was Excel. It wasn't as good as 1-2-3, but it didn't have the memory issues which 1-2-3 had in the DOS environment. After that, why bother with WordPerfect, when you already have that Windows machine to run Excel, and MS Word will run better in your environment?
Now when the "average user" wants a computer, they don't even have an application in mind. They have a list of things they want to do. Certainly you've heard this conversation before:
user: "I need a computer"
tech: "what do you need a computer for"
user: "my son/daughter needs it for school"
tech: "what are they taking?"
user: "computer engineering"
tech: "shouldn't they be researching this themselves?"
user: "They don't really know all that much about computers. They got really good marks in programming though"
tech: (shudder) "well then just about anything will do fine. A low-end PC with Windows will be compatible with all the popular document formats out there, and will run MS Office and IE without any problems."
user: "What about a Mac?"
tech: "They're good, they have a strong following, but it won't be what they're using at the school, and their friends won't be able to help them with technical problems. Despite what anyone says they're more expensive too, but the hardware is technically superior."
user: "oh, I also want them to be able to play a few games too..."
tech: "the faster and more expensive the better, but the low end PC would be good for most games."
When the cheapest computer is "what everyone else is using", people will buy the cheapest computer. The killer app isn't what a computer can do anymore, it is what a computer can't do. Why buy anything other than a Windows PC when a Windows PC is the cheapest and does everything?
(Of course if the student were going into some multimedia program and asked this question to a faculty member, they would probably buy a Mac... because in that field, it is "what everyone else is using".. they might not though... mistakenly thinking that a low end PC which can run all the necessary software will perform as well as a low end Mac.)
Crashing X-Windows (Score:2)
For someone who was brave enough to try the crashing link supplied by the Register, does this kill the whole machine, or just X? And can you salvage things without rebooting by using either a virtual term or logging in via ssh?
I personally think Mozilla should implement some short-term patch to prevent exploitation of this bug until it's patched in XFree, but as the register article says, the fault doesn't lie with them.
Re:Crashing X-Windows (Score:3, Interesting)
The Bugzilla report (http://bugzilla.mozilla.org/show_bug.cgi?id=150339) that the Register article links to has a couple of comments from Solaris users who say that the "malicious" page crashed their X server too. I don't know if Sun's X server and XFree86 are derived from a common code base, but this would suggest that the bug is (a) old and (b) widespread.
(The reason the Bugzilla link isn't a proper href is that I tried to check it just now, and Bugzilla said links from Slashdot aren't allowed. Make of that what you will!)
Re:Crashing X-Windows (Score:3, Informative)
I personally think Mozilla should implement some short-term patch to prevent exploitation of this bug until it's patched in XFree, but as the register article says, the fault doesn't lie with them.
They already did. It's obviously a trivial fix - no fonts larger than 1,000 (or whatever). I'm surprised it took that long.
Re:Crashing X-Windows (Score:2, Insightful)
The exploit asks for a font that's utterly ridiculous - a 166666667 size font, give or take a few 6's. Mozilla tries to get X to display such a font. X dutifully attempts to draw at that size, which requires a tremendous amount of memory, eventually bringing the whole machine down. You could get the same result by putting a malloc or fork call in a while(1) loop.
Big whoop. Apples and oranges. I can think of several ways I can crash or lock up my machine. The Mozilla bug is a remote exploit. It's an easy one. There would have to be a Mozilla bug that allowed someone to cause an endless fork on my machine to be equivalent. It's not about what you can do to your box, it's about what folks you don't want crashing your box can do.
Re:Crashing X-Windows (Score:2, Informative)
Since we all have "virtual memory" nowadays, it is entirely possible that a malloc() call reserves pages of memory that are only physically allocated once you use them. Whether or not this happens depends on your kernel's memory manager.
Re:Crashing X-Windows (Score:2)
Re:Crashing X-Windows (Score:2)
Re:Crashing X-Windows (Score:2, Informative)
For someone who was brave enough to try the crashing link supplied by the Register, does this kill the whole machine, or just X? And can you salvage things without rebooting by using either a virtual term or logging in via ssh?
Yes, Linux doesn't crash :-) You can still access it through telnet/ssh. You can't switch to a virtual terminal, though.
Re:Crashing X-Windows (Score:2)
That's because X still has control of the keyboard, and so the system cannot respond to your keypresses.
9 times out of 10, though, when X crashes (which is infrequent), I can ssh in from a friend's machine and kill it off. It's a bit of a pain, but as a programmer I realise that no software of even moderate complexity can ever be 100% bug free, especially something as large as X, that is used in such a wide variety of situations and on so many different types of hardware.
Cheers,
Tim
Slackware is still safe... (Score:2, Informative)
Re:Slackware is still safe... (Score:2, Insightful)
What rubbish (Score:4, Interesting)
Re:What rubbish (Score:5, Insightful)
This is a lot easier to exploit for the malicious hacker than the IIS bug. You just set up a page with huge fonts and that it, you've crashed X. But the payoff for that is a laugh at the (relatively) rare X user who visits your site.
As for the IIS bug, I'll just quote the Wired article... This, in my opinion, is a lot worse than simply crashing X. Hell, my Windows 98 crashes almost daily but that doesn't stop me from using it. Crashing isn't so bad. Black Hats stealing information and gaining control of my computer, that's bad.
Re:What rubbish (Score:2, Informative)
Debian backports security patches to whatever version they provide; look at their apache 1.3.9, it obviously doesn't have all the security bugs fixed up to the latest build..
Re:What rubbish (Score:3, Insightful)
"Any"? Spurious assertion. I've just viewed the test site, and didn't get a crash. Mind you, I only tried Konqueror, Eudora and lynx. Should I keep trying all of the other browsers that I have available until one manages to achieve the specified behaviour, or should I go back to worrying about my work machine (NT4, mandatory and unpatched IE5.01 & Outlook Express) getting rooted out from under me?
You're right that we do bash Microsoft products more than they deserve. But not much more. I'd prefer if we bashed the clueless Microserfs and control freakish IT departments that tolerate and encourage this horridly vulnerable monoculture, but that's a separate debate.
Re:What rubbish (Score:2)
Sorry, I meant Opera. Damn, there goes my snide Linux superiority. ;-)
Serious Linux Flaw? (Score:2, Insightful)
In a couple of cases, Linux was able to kill my memory hog, but there's some sort of serious resource contention. I hope the 2.6 kernel addresses this issue.
Re:Serious Linux Flaw? (Score:5, Informative)
Just putting something like ulimit -m 200000 in your startx script should limit X's memory usage to 200meg.
ulimit can also set upper limits on available CPU time, core file size, etc. Bash has a builtin version, so do man bash and look for ulimit for more details.
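The rlimit approach argued for in the qmail/softlimit comment above and in the ulimit comment here, as an added C example that is not from this thread, XFree86 or Mozilla: a large malloc is attempted under a temporarily lowered address-space limit and gets NULL back, instead of being over-committed and later killed. The sizes (16 MiB and 1 GiB requests, a 256 MiB cap) are constructed for illustration; on Linux the kernel enforces RLIMIT_AS (what `ulimit -v` sets) rather than RLIMIT_RSS (`ulimit -m`), so RLIMIT_AS is the limit the example uses.

```c
#include <stdio.h>
#include <stdlib.h>
#include <sys/resource.h>

/* Attempt to allocate `bytes` bytes and touch every page, so that pages the
 * kernel merely promised (overcommit) are really backed by memory.
 * Returns 1 if malloc granted the request, 0 if it refused. */
int try_alloc(size_t bytes)
{
    char *p = malloc(bytes);
    if (p == NULL)
        return 0;
    for (size_t i = 0; i < bytes; i += 4096)
        p[i] = 1;
    free(p);
    return 1;
}

/* Run try_alloc() with this process's address-space limit (RLIMIT_AS, the
 * `ulimit -v` limit) temporarily lowered to `cap_bytes`, then restore the
 * previous soft limit. Returns the try_alloc() result, or -1 if the limit
 * could not be read or set. */
int try_alloc_capped(size_t bytes, rlim_t cap_bytes)
{
    struct rlimit old, capped;
    if (getrlimit(RLIMIT_AS, &old) != 0)
        return -1;
    /* A soft limit may not exceed the hard limit, so clamp if necessary. */
    capped.rlim_cur = (cap_bytes > old.rlim_max) ? old.rlim_max : cap_bytes;
    capped.rlim_max = old.rlim_max;
    if (setrlimit(RLIMIT_AS, &capped) != 0)
        return -1;
    int granted = try_alloc(bytes);
    /* Raising the soft limit back up to the hard limit is always permitted. */
    setrlimit(RLIMIT_AS, &old);
    return granted;
}

int main(void)
{
    const size_t small = 16u << 20;         /* 16 MiB: a sane request */
    const size_t huge  = (size_t)1 << 30;   /* 1 GiB: a runaway-font-sized request */
    const rlim_t cap   = 256u << 20;        /* 256 MiB cap, like `ulimit -v 262144` */

    printf("16 MiB under 256 MiB cap: %s\n",
           try_alloc_capped(small, cap) == 1 ? "granted" : "refused");
    printf("1 GiB under 256 MiB cap : %s\n",
           try_alloc_capped(huge, cap) == 1 ? "granted" : "refused");
    return 0;
}
```

Without the cap the 1 GiB malloc would normally succeed on an overcommitting kernel and only fail once the pages are touched, which is the point made later in the thread about malloc and virtual memory.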
Re:Serious Linux Flaw? (Score:3, Interesting)
Your machine "locks" exactly because XFree86 (or other X implementation) is killed by the kernel for consuming too much memory (the "infamous" OOMKiller). Try: and you'll see your machine locking exactly like in the DoS described.
The reason it happens is that XFree86 is controlling all video hardware (registers, memory...) and when you force it to die, it can't set the hardware back to the default/previous (console) values.
You still can log remotely and reboot your machine, of course, but forget about keyboard, mouse and video.
Re:Serious Linux Flaw? (Score:3, Interesting)
Failing that (and I agree that it would be hard to come up with a sensible limit), I believe that you can enable kernel-level process accounting, whereby such things are enforced strictly by the kernel on a cumulative basis - ie each user gets an allocation of CPU time and memory. How they use that is up to them, but once they exhaust it, they can't have any more. I may be wrong, though - that may just be for logging their usage, for "charge-per-use" schemes.
In any case, the best that the memory manager could possibly do is reserve some percentage of the available memory for root, as is done with hard drive space. Of course, as X runs as root, (and has to in order to access the hardware, iirc) that wouldn't help. I'm not really very well versed with the internals of the Linux kernel, but I suspect that the memory manager "just" manages requests for memory, without regard to whether those requests are sensible. There's only so much a system can do to protect itself from malicious or badly written code that is running on it.
Cheers,
Tim
No way of comparing the two bugs (Score:4, Insightful)
And also I'm surprised about the stupidity in this sentence: "Open Source's time to patch a much less serious bug where the attacker can merely crash your computer: three days." - well honestly, what does that say: isn't it obvious that a lesser problem takes less time to fix than a larger one? That's just dumb.
I'm no huge M$ fan myself, but this article smells awfully much of unjustified M$-hatred. Let products speak for themselves, and let users make their own opinions.
Bottom line: propaganda sucks.
Flawed logic (Score:4, Insightful)
This comparison defies rational comprehension. The length of time it takes to do two totally different tasks on two totally different pieces of software for two totally different markets is completely meaningless. I can write a program and pop it onto the internet in an hour...so what? What's the relationship?
Re:Flawed logic (Score:4, Insightful)
Mozilla has - well perhaps a relatively small army of programmers, many of whom are voluntary, and managed to patch a bug that is really only a pain in three days.
Yes - you can't quantitatively compare the two and say that Mozilla is x percent more efficient/reliable/whatever than MS, but you can make a qualitative comparison and ask why MS took an order of magnitude longer to respond. Even if we give MS the benefit of the doubt and assume that the IIS hole is much harder to patch than the Moz hole, MS should have and could have thrown much more resources at the problem to make sure it got fixed within a week - but they didn't.
Re:Flawed logic (Score:4, Insightful)
In general (i.e. not these particular problems)
I'd bet that MS had the fix inside three days as well; it then took (at a guess)
2 weeks for internal regression testing
4 weeks for external large scale customer testing and feedback
2 weeks to get the documentation, patches and everything out for wide scale deployment.
All in all that's pretty fast.
With Mozilla I'd say
3 days to fix
1 day to apply fix
3 - 5 days to get testers to try the nightly build
numerous days of people complaining about fix
1 day * 3 as patch is removed
1 day as patch is reapplied
etc
you get the idea
(I have used Mozilla for the last 12 months on a daily basis, so don't think this is a Mozilla b
Re:Flawed logic (Score:4, Informative)
And while some (unsure about the percentage) Mozilla fixes cause regressions, they often hit the nail on the head with the first patch. In that ideal case the bug is squished within 3 days. Even if your "schedule" for Mozilla fixes were correct, the Mozilla developers can do four iterations of that in the six weeks it takes MS to issue their first patch. Then you assume that usually MS gets the fix right the first time, but if they don't and find a regression after one week of internal testing they have to iterate too until they get it right, and it'd be about as fast as an iteration in the Mozilla case. If they catch it in the first week of "customer testing" they need 3.5 weeks for a cycle.
The advantage of the Mozilla strategy is that as soon as the patch is ready, anyone can test it (and at least the big Linux distributions probably do so), and if there is a problem with a patch, information gets back to the developers much earlier.
Re:Flawed logic (Score:2)
[Microsoft patches occasionally do] not play well with some applications (i.e. causing them to crash)
That's not a bug, its a feature! After all, we wouldn't want you to accidentally use that horrible Trillian or Jabber instead of MSN Messenger, would we? That could ruin your Windows Experience(TM)!
Re:Flawed logic (Score:2, Informative)
.HTR leaks are not a priority. (Score:4, Insightful)
Re:.HTR leaks are not a priority. (Score:2)
Re:.HTR leaks are not a priority. (Score:2)
Sick and tired of this self congratulation (Score:5, Insightful)
Come on, we really do not need to say these sort of things: nah nah, we fixed something first, we're better than you. Does anyone else find it retarded that you can crash an X server just by telling it to display a font which is too big?
What about the fact that we STILL don't really take advantage of gfx hardware for 2D presentation? or the fact that fonts still look like ass?
If you think we can laugh at others, check those market share figures. We have a lot of work to do.
Not me. (Score:5, Insightful)
It presents the GNU/Linux and free software side, which is a small step towards bringing balance, as we do not have the big advertisement budgets to buy editorial good will, or money to order favorable reviews from "the customer is always right" analysis companies.
What I am getting tired of is the people who whine that slashdot is not Ars Technica [arstechnica.com] or kuro5hin [kuro5hin.org], both excellent web places with a different focus than slashdot.
What do you mean "we", white man? I have "taken advantage of" 2D gfx hardware under Unix for longer than slashdot (or Linux) has existed. The fonts don't look "like ass" on my screen. I guess what you want is anti-aliasing. The free technology for that is available, it is just a question of installing it. Maybe your OS distributor has done it for you in a sufficiently recent version.
Here's what I can't figure out (Score:4, Interesting)
You have all the code. It shouldn't be too hard to find the few places that you need to cap font size.
Where's all the programmers?
Ummm ... so what? (Score:3, Insightful)
Not wanting to be pedantic but the duration of time it takes to fix a bug isn't exactly a great indicator of anything (except maybe, how long it took to fix it).
It's a bit like assuming that a program with 5000 lines is obviously worse than one with 7500 lines.
We know nothing about the internals of IIS and the two bugs are not even remotely related. You simply can't compare the two and come out with anything meaningful.
Minor X bug?? (Score:2)
New MSN.com homepage code (Score:4, Funny)
<font size="<?php
// register_globals-style HTTP_USER_AGENT replaced with the $_SERVER superglobal
if (stristr($_SERVER['HTTP_USER_AGENT'], 'mozilla')) {
    echo '16666666666';
} else {
    echo '12';
}
?>">
Welcome to the new MSN.COM website, powered by the
(sorry about the previous post... previewed ok, but didn't post correct without extrans...)
Re:New MSN.com homepage code in php ??? (Score:2)
Re:New MSN.com homepage code in php ??? (Score:2)
Serious money in this. (Score:5, Funny)
* Find holes in MS software.
* Publicise them frantically.
* Come to "an agreement".
* Kachingggggg!
Dave
Open Source business plan finally complete (Score:5, Funny)
1. Write open-source software
2. Find holes in MS software, publicize them frantically, and come to "an agreement"
3. Profit!
This is _not_ a bug in mozilla (Score:4, Informative)
Check out the Bugzilla item here [mozilla.org]
Also, this is _not_ a DOS attack. What it does is make X consume all available memory and swap. And it can be triggered remotely by running mozilla, and browsing a webpage with absurdly large fonts. But it is by no means a DOS attack, because no-one is actively attacking you, making you "Deny Service" to other users.
H1 (Score:2, Funny)
but i am sure there is more to it than that...
MS: switch to XP. (Score:4, Insightful)
and
"The server software included within Microsoft's newer Windows XP operating system was not affected by the security flaw."
Sure, it's these kinds of subtle remarks from interviewed Microsoft officials that make companies -with little knowledge- want to switch to the more "secure" XP server package in a last effort to stay one step ahead of the evil "hackers". I bet there are a hell of a lot of disclosed software flaws under XP as well, perhaps even some backdoors -against terrorism of course- within the upcoming service pack, who knows, but usually people don't understand that.
Re:MS: switch to XP. (Score:2)
Clarity on the Moz / "Linux" bug (Score:2, Informative)
That Mozilla can be made to induce this does make Mozilla a critical problem - a malicious page can cause any desktop to crash using it. That it is not the "cause" of the problem is only a matter of semantics.
And of course, the fix is already in, specifying that fonts are no larger than twice the display height.
Find your way to bugzilla via the Register [theregister.co.uk] ;)
for enlightenment
Three days? Rather a bit longer.... (Score:5, Interesting)
I am pretty sure this bug has been in Bugzilla for months without being fixed. However, bugzilla-search seems to be broken so I cannot prove it right now.
However, I am 100% positive I crashed my machine due to a remotely exploitable X bug using Mozilla a few months back. That bug is in bugzilla (search on crash, X, css, hensema when bugzilla search works again).
Re:Three days? Rather a bit longer.... (Score:4, Informative)
The IIS bug is _not_ that bad (Score:2, Informative)
MS actually _overplays_ this one in the release. For once. Too bad they claim it's newly discovered.
OTOH the moz bug is (a) not in mozilla but in X as mentioned elsewhere, (b) not really fixed, just worked around in mozilla and (c) A TOTALLY DIFFERENT ISSUE.
OTOH the IIS bug was an overrun and would be a 5min patch.
The snow effect bug (Score:2)
Listen kids, this was a known bug before BugTraq (Score:3, Interesting)
Basically it's not just CSS, it's also mixtures of center and header tags that are NOT escaped. I ran into the bug on a poorly done eBay user home page with code like:
The bug is Mozilla (gecko) doesn't parse this very well, and causes the font to scale larger and larger. This in turn allocates more and more main memory until your poor box runs out.
From our tests on #mozilla:
My linux 2.4.16/gdm/XFree 4.x box only crashed X.
A BSD user with experimental video drivers had his machine reboot.
Several other linux users ( 2.4 ) only had X crash.
One linux user with > 1GB of RAM had no effect b/c his session was too short to fill all that. =)
In short this was reported and being worked on before Mozilla 1.0 was even out.
Here's the bug report kindly filed by #mozilla:
http://bugzilla.mozilla.org/show_bug.c
"Little?" (Score:2)
There's a huge difference (Score:3, Informative)
The X bug only crashes your machine if you browse to a malicious web site. The malicious person can't do anything to your machine if they can't induce you to go to their web site, and the effect on your machine of visiting the web site is immediately obvious (X and possibly your whole box crashes) so you can learn not to visit that web site again. The malicious user doesn't really gain anything other than the jollies of knowing they crashed some machine.
A remote access bug allows someone to take over your machine surreptitiously, which is much, much worse than just crashing your machine. It means your machine's data can be inspected and changed without your knowledge, and also that your machine can be used as a staging point for other illegal activities. Particularly if your data is sensitive, this provides a great deal more incentive to a malicious user.
The Font That Ate Cleveland (Score:3, Informative)
send the 'A' glyph, along with whatever hinting it needs for 'insanely, off the scale big' (i.e. probably the hint for the biggest glyph it defines, like 72 pt). The renderer takes the 'A' and converts it into a series of strokes. The strokes are then rendered into the clipped region, resulting in pretty instantaneous drawing. The font manager decides wisely that this rendered glyph, being "pretty big", shouldn't get cached as a bitmap the next time you want to draw it.
Here's how X does it:
Request the font for the 'A' glyph, scaled to 500 feet tall. Construct an uncompressed 1bpp bitmap of the letter A to give to X to blindly blit onto the screen. Die a miserable thrashing death.
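The two mechanisms the thread describes, nested tags scaling the font "larger and larger" until the 1bpp bitmap X is handed exhausts memory, and the Mozilla fix of capping fonts at twice the display height, can be put side by side in a few lines. The following is an added example, not code from the thread, Mozilla or XFree86: it resolves a chain of nested CSS font-size values the way a renderer would, reports the size the content asked for next to the clamped size a hardened renderer would use, and estimates the uncompressed bitmap that an unclamped glyph would need. The 1024-pixel display height, the 16px default font and the square glyph cell are assumptions.

```javascript
// Added example (not from the Slashdot thread or any browser/X source).
// Assumptions: a 1024px-tall display, a 16px default font size, and a roughly
// square glyph cell for the bitmap estimate.
const DISPLAY_HEIGHT_PX = 1024;
const DEFAULT_FONT_PX = 16;

// Resolve one CSS font-size value against the parent's computed pixel size.
// Supports px, pt, em and %, which is enough to show the nested-scaling effect.
function resolveFontSize(value, parentPx) {
  const m = /^\s*([0-9]*\.?[0-9]+)\s*(px|pt|em|%)?\s*$/i.exec(value);
  if (!m) throw new Error(`unsupported font-size: ${value}`);
  const n = parseFloat(m[1]);
  switch ((m[2] || 'px').toLowerCase()) {
    case 'px': return n;
    case 'pt': return n * 96 / 72;     // CSS reference pixel: 96px per inch, 72pt per inch
    case 'em': return n * parentPx;    // relative to the parent: this is what compounds
    case '%':  return n / 100 * parentPx;
  }
}

// Walk a chain of nested font-size declarations, outermost first. Returns the
// unclamped size the markup requested and the size a renderer gets when every
// computed value is capped at twice the display height (the fix the thread
// describes). Clamping is applied at each level so the cap cannot be escaped
// by nesting: a child of a capped element inherits the capped value.
function computeFontSize(chain, displayHeightPx = DISPLAY_HEIGHT_PX) {
  const limit = 2 * displayHeightPx;
  let requested = DEFAULT_FONT_PX;
  let clamped = DEFAULT_FONT_PX;
  for (const v of chain) {
    requested = resolveFontSize(v, requested);
    clamped = Math.min(resolveFontSize(v, clamped), limit);
  }
  return { requestedPx: requested, clampedPx: clamped, wasClamped: requested > limit };
}

// Bytes needed for an uncompressed 1bpp bitmap of one glyph cell of the given
// height: rows are padded to whole bytes. Memory grows with the square of the
// font size, which is why a few levels of "2em" are enough to exhaust RAM.
function glyphBitmapBytes(heightPx, aspect = 1) {
  const h = Math.ceil(heightPx);
  const w = Math.ceil(heightPx * aspect);
  return Math.ceil(w / 8) * h;
}

// Constructed sample: ten nested elements, each asking for double its parent.
const nested = Array(10).fill('2em');
const result = computeFontSize(nested);
console.log(`requested ${result.requestedPx}px -> ${glyphBitmapBytes(result.requestedPx)} bytes per glyph`);
console.log(`clamped   ${result.clampedPx}px -> ${glyphBitmapBytes(result.clampedPx)} bytes per glyph`);
```

With ten nested "2em" levels the requested size is 16384px, which is a 32 MiB bitmap for a single glyph; the clamped path stops at 2048px and half a megabyte. The same cap bounds the "500 feet tall" case from the post above, since the limit is tied to the display rather than to anything the page can control.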
Re:Maybe (Score:3, Funny)
Re:Minor my Ass! (Score:3, Insightful)