Become a fan of Slashdot on Facebook

 



Forgot your password?
typodupeerror
Microsoft

Windows 98, Me, NT4, 2000 and XP SSL Flawed 542

Posted by CmdrTaco
from the sucks-to-be-them dept.
JoeSmack writes "In amazingly unexpected news, ComputerWorld is running an article that says the SSL security hole found in Internet Explorer is not a flaw in the browser, but in the operating system itself." The article mentions that Konqueror was patched against the same bug in 90 minutes.
This discussion has been archived. No new comments can be posted.

Windows 98, Me, NT4, 2000 and XP SSL Flawed

Comments Filter:
  • by Vengie (533896) on Friday August 16, 2002 @03:06PM (#4084603)
    Uh-oh. IANA Windows Developer....does anyone know how many apps use this API that microsoft might potentially break? (Fixing bugs: good, breaking stuff: bad....)
  • Browser == OS (Score:5, Insightful)

    by keesh (202812) on Friday August 16, 2002 @03:07PM (#4084611) Homepage
    not a flaw in the browser, but in the operating system itself


    There's a difference? I thought they were the same thing...
  • the funny thing (Score:3, Insightful)

    by vectus (193351) on Friday August 16, 2002 @03:07PM (#4084612)
    is that for most consumers, this doesn't even matter. I mean, they will be effected by the security hole, but if their computer gets hacked or something, they'll end up just blaming their own lack of computer knowledge. They'll eventually install the patch from windows update (if they know how to access windows update), and then blindly keep surfing the net and playing "who wants to be a millionaire".
  • by MrFenty (579353) on Friday August 16, 2002 @03:08PM (#4084617)
    ...Scott Culp, manager of the Microsoft Security Response Center said that the SSL flaw doesn't affect any other application outside Internet Explorer and that it's a client-side issue only.

    Glad it's only a client side issue then.

  • But, of course (Score:2, Interesting)

    by A5un (586681)
    Internet Explorer is part of the Operating system, no?

  • by E1ven (50485) <e1ven&e1ven,com> on Friday August 16, 2002 @03:08PM (#4084621) Homepage
    Does anyone else see something amusing in these two statements when taken together?

    Microsoft officials said it makes sense for the operating system to provide cryptographic services to any application that needs it, instead of each application having to include its own cryptographic technology.


    and

    But Culp said that the SSL flaw doesn't affect any other application outside Internet Explorer


    • Indeed, I was on to post the exact same.

      In other words:
      "Well, that is because Internet Explorer is the real one and only operating system service you need if you want ssl."

      • So if I'm using Mozilla on Windows, is it safe?

        If this is an OS-level flaw, then it would stand to reason that there would be a problem in actually using ANY SSL on that OS. Scope and all that. So which is it? Do I need to boot in to Linux to buy anything online until the patch is released, or what?

    • Does anyone else see something amusing in these two statements when
      taken together?


      Nah. To me, it simply shows that the app providers don't trust Microsoft's implementation. For whatever reason, they've chosen to find their own methods of crypto rather than relying on MS.
    • I think that there are two amusing things in these two statements:

      One: 'it makes sense to put it into the OS so any application can use it', followed by 'the only applicatio that uses it is IE'.

      Two: I though IE WAS part of the OS, not an application.
  • He he he (Score:5, Funny)

    by legLess (127550) on Friday August 16, 2002 @03:09PM (#4084629) Journal
    Quoth the article:
    Microsoft officials said it makes sense for the operating system to provide cryptographic services to any application that needs it, instead of each application having to include its own cryptographic technology.

    But Culp said that the SSL flaw doesn't affect any other application outside Internet Explorer and that it's a client-side issue only.
    Translation:
    "This is the best way to do it. Of course, that's not how we actually do it."
  • by SpanishInquisition (127269) on Friday August 16, 2002 @03:10PM (#4084641) Homepage Journal
    So I guess it's safe.
    It's a good thing I didn't upgrade.
    • So I guess it's safe. It's a good thing I didn't upgrade.

      IIRC, Win95 was end-of-lifed a while back. Whatever holes remained in Win95 at that time will never be fixed.

      (Then again, IE was never an integral part of Win95. You could presumably run Win95 & Mozilla (assuming Mozilla supports Win95...turns out that it does [mozilla.org]) and not run into these problems.)

  • favorite quote (Score:4, Insightful)

    by nestler (201193) on Friday August 16, 2002 @03:11PM (#4084647)
    Microsoft officials said it makes sense for the operating system to provide cryptographic services to any application that needs it, instead of each application having to include its own cryptographic technology.

    This "makes sense" up until the point where you have to patch your kernel instead of upgrading a library. When OpenSSL had a bug, they fixed it and you could upgrade OpenSSL. When Konqueror had this specific bug, it could be uprgraded easily enough. Now Windows users have to patch their entire OS to fix this (or just use another browser that doesn't use the crypto-in-the-kernel routines).

    • Re:favorite quote (Score:2, Insightful)

      by GiorgioG (225675)
      This "makes sense" up until the point where you have to patch your kernel instead of upgrading a library. When OpenSSL had a bug, they fixed it and you could upgrade OpenSSL. When Konqueror had this specific bug, it could be uprgraded easily enough. Now Windows users have to patch their entire OS to fix this (or just use another browser that doesn't use the crypto-in-the-kernel routines).

      Why is everyone nitpicking over this? What difference does it make if one has to patch an application or an OS (Is an OS not an application?) What other crypto services do you use in Windows at the moment outside of your browser? Ok, Ok, I know you all hate MS/Windows, but this is just childish.
      • Re:favorite quote (Score:3, Insightful)

        by topham (32406)
        Because it takes Microsoft far longer to release a patch for an OS than an application.

        By the way, read the article and you find out that according to Microsoft the bug only effects IE, yet it is contained in an OS level API.

        Huh? Shouldn't that mean anything using that same API would have the problem? Unless of course this is just one piece of the IE code they toss in an in-appropriate DLL.

        No, can't be. Microsoft wouldn't do that.
        • Shouldn't that mean anything using that same API would have the problem?
          Yes. But nobody but M$ stupid enough to trust M$'s closed source encryption API.
      • Re:favorite quote (Score:2, Informative)

        by Ed Bugg (2024)
        Ummm I use crypto services outside of my browser all the time. My VPN client that I use to attatch to my company's network. I at times have a need to send encrypted/signed emails. My network uses Novell's NDS which heavily uses digital certs (hidden from the user) for authentication. My wife's computer is running WinXP and everytime it loads a driver it checks the digital signature on the driver.
        I'm sure that others that use Windows more than I do can come up with other applications that use the crypto API.
    • The term "operating system" often means more than "kernel". Library patches can be a real pain in the butt to apply if, especially if you've been distributing statically linked binaries!
    • You are looking at this from the perspective of a linux user. When someone says 'the OS' you think the kernel. But when Microsoft says 'the OS' they mean the kernel and the thousands of .dll's that work with the kernel. I'd be VERY SURPRISED if the crypto functionality they're talking about is actually in the kernel!
    • Umm, even Microsoft doesn't implement all of the Windows API in the kernel. The cryptography services are a shared library, just like OpenSSL.

  • by R2.0 (532027) on Friday August 16, 2002 @03:11PM (#4084650)
    This is the result of "integrating" IE into the OS. Now when there is a "browser" sesecurity problem, it's really an OS problem.

    Sorry MS - kill by integration, be killed by integration. It's a circle of life kinda thing...
    • Hmm,
      actually the idea to put security sensitive piece of software in a library isn't bad.
      While I have no idea how this specific case is handled in linux, it's clear that also in linux cryptographic libraries exist and are used throughout different apps.

      >ls -1 /usr/lib /usr/lib/libssl.a /usr/lib/libssl.so.0 /usr/lib/libssl.so.0.9.4

      see?
      • Blockquoth platypus:


        actually the idea to put security sensitive piece of software in a library isn't bad.
        While I have no idea how this specific case is handled in linux, it's clear that also in linux cryptographic libraries exist and are used throughout different apps.

        Exactly right and having the crypto in a library every can get at is a good thing. What you missed was that this windows problem isnt in the security library it should have been in.

        "Company officials added that the flaw isn't in Microsoft's CryptoAPI application program interface (CAPI) either, which would have left a number of applications and Windows services vulnerable, not just Internet Explorer."

        So they screwed up and didnt include this code for verifying trust signatures in their API, its somewhere in the OS.

        And although knowing MS's previous security problems, its highly unlikely that this a problem in the kernel, since it affects NT based as well as 9x based systems.
      • Before everyone goes berzerk over "Microsoft the Evil Integrator!", I'm gonna take a wild stab at it and say the problem lies somewhere in here:
        C:\WINNT\system32>dir crypt*.*
        Volume in drive C is Local Disk
        Volume Serial Number is 46D4-73A2

        Directory of C:\WINNT\system32

        08/23/2001 07:00 AM 554,496 crypt32.dll
        08/23/2001 07:00 AM 70,144 cryptdlg.dll
        08/23/2001 07:00 AM 29,184 cryptdll.dll
        08/23/2001 07:00 AM 48,640 cryptext.dll
        08/23/2001 07:00 AM 53,248 cryptnet.dll
        08/23/2001 07:00 AM 51,200 cryptsvc.dll
        08/23/2001 07:00 AM 470,016 cryptui.dll
        7 File(s) 1,276,928 bytes
        0 Dir(s) 19,188,736,000 bytes free
  • Quick fix (Score:4, Funny)

    by Subcarrier (262294) on Friday August 16, 2002 @03:12PM (#4084658)
    You can disable SSL in the advanced options menu. ;-)
  • by thelinuxking (574760) on Friday August 16, 2002 @03:12PM (#4084664)
    The article says: "SSL flaw doesn't affect any other application outside Internet Explorer and that it's a client-side issue only" But if it only affects IE, and not programs such as netscape (which also of course runs on windows), then technically it IS a problem with IE!
  • Uh-oh (Score:2, Interesting)

    by buzzdecafe (583889)
    Here's a golden opportunity for MS to ramrod another "We can root your machine" EULA down the throats of desperate Windows Victims.
  • by freerangegeek (451133) on Friday August 16, 2002 @03:13PM (#4084669)
    We only wrote bad code that made it through QA for 5 different versions of the OS dating back to the mid 90s. Of course, with Palladium, our new secure platform, things like this will never happen. Good thing we got that patch out quick!

    (Oh wait, that was the Konqueror people!)

    We'll I'm sure with our new secure computing focus it will be out any time now. Please don't stop doing ecommerce, just because all your personal data can be hacked, just use Passport.

    (Oh wait, that happens with Passport too!)

    Ummmm...
  • by estoll (443779)
    I am so shocked to hear Microsoft didn't follow the standards when implementing SSL. I wonder what other technologies they have failed to implement according to the standards everyone else follows?
    • Re:Yet again... (Score:5, Insightful)

      by Scutter (18425) on Friday August 16, 2002 @03:20PM (#4084739) Journal
      I am so shocked to hear Microsoft didn't follow the standards when implementing SSL.

      Neither did Konqueror. Blame where blame belongs, please. It's trendy to just blame everything on the Big Evil Empire, but let's not forget they aren't the only ones who have bugs.
  • by tshoppa (513863) on Friday August 16, 2002 @03:19PM (#4084730)
    Seeing continued OS-level design flaws in Microsoft products is, to me, reassuring. When MS goes ahead with Palladium I'm now quite confident that it will be riddled with fundamental design flaws that will make its "security" (read: capitalist totalitarianism rule over the masses) a joke.
  • In order to make sure we compare apples to apples and oranges to oranges, I suppose it would be fair to ask the question of when the Konqueror fix will be available to the normal and possibly rather non-sophisticated public consumer crowd?

    I mean, when the fix becomes ready from MS (weeks or months, but it will) it will be applicable to most users of Windows, but the current fix for Konqueror after 90min weren't immediatly ready for the masses.

    So, when will it?
  • Bug is in inet.dll (Score:3, Interesting)

    by sneakerfish (89743) on Friday August 16, 2002 @03:21PM (#4084743)
    MS TCP/IP stack is in inet.dll. That is probably where the bug is.

    I was a beta tester for IE4 (so flame me, OK) and I found a bug in the HTTP1.1 keep-alive implementation. They never saw it because they tested only against IIS and I tested against Apache which implemented it correctly of course.

    They didn't want to fix it until I explained that %60 (at the time) of the web runs on Apache servers.

    In fact the MS product manager wanted me to call "the Apache company and have them fix Apache." Duh. Me- "There is nobody to call sir, and the problem is YOUR problem and not theirs."

    They delayed IE4 for two weeks after it had gone gold to fix it. So don't flame me.

    Anyway, that bug was in inet.dll, and I bet this one is too.
    • by platypus (18156)
      IE4 was so uncompliant on a deeper level, it wasn't funny.
      There was a bug with packet fragmentation and redirects that caused internet explorer to display a blank page which said "Object moved, object can be found _here_.", where _here_ was a link to the target of the redirect.
      Funnily, their own proxy software tended to cause fragmentation of the redirect packet quite often.

      What I didn't understand was how they were capable to produce this bug, this completely negates everything I know about seperating the different layers of transport.

    • MS TCP/IP stack is in inet.dll. That is probably where the bug is.

      Yeah, I'm sure the code for checking the heirarchy of SSL certificates is in the TCP/IP stack .dll.

      Maybe peer reviewed code isn't really that great of an idea after all....

  • News (Score:3, Funny)

    by Citizen of Earth (569446) on Friday August 16, 2002 @03:23PM (#4084760)
    Windows 98, Me, NT4, 2000 and XP SSL Flawed

    Isn't this supposed to be " News For Nerds"?
  • things i dont get (Score:5, Interesting)

    by jeffy124 (453342) on Friday August 16, 2002 @03:24PM (#4084779) Homepage Journal
    i saw the article earlier today. there are some things I just do not understand here. first some facts:
    • The bug is in the OS crypto services
    • It's NOT MS's crypto api
    • Only IE is affected.
    Time for rhetorical questions:

    Anybody else not see the lack of logic here? MS has two crypto implementations? One for the OS, one for the API? Why the redundancy? Why cant the OS use the API? Or conversely, why is the API necessary when there's the services are in the OS?

    How in the world is IE the only app affected? It seems more to logical to assume that any app using this crypto services are also vulnerable.
    • by tunabomber (259585) on Friday August 16, 2002 @04:24PM (#4085225) Homepage
      Anybody else not see the lack of logic here? MS has two crypto implementations? One for the OS, one for the API? Why the redundancy?

      The logic is so obviously simple:

      increased redundancy == increased failsafety

      So, if one of the crypto API's has a security hole, the OS can rely on the backup API, just like how a bike with one flat tire can be ridden home on the remaining good tire.

      I tell you, those MS guys really got some effective circumetry in their noggins!

    • by J. J. Ramsey (658)
      "Anybody else not see the lack of logic here? MS has two crypto implementations? One for the OS, one for the API?"

      Um, maybe one crypto service is for SSL, while the other is for, oh, maybe encrypting files?

      There are so many good reasons to bash MS, why invent a bad one?
  • Let's be fair here (Score:5, Insightful)

    by IamTheRealMike (537420) <mike@plan99.net> on Friday August 16, 2002 @03:24PM (#4084783) Homepage
    Now I'm a Linux user and lover, as anybody who reads my past comments can discover. But let's be fair to Microsoft here - all this talk is of how fast KDE (actually Waldo Bastion) patched the bug, as if this makes them superior to MS.

    You know what? I bet the 'soft could do this too. I mean have a guy, or team of guys available 24/7 to patch bugs. And you know what else? They'd still get flack for it, as Microsoft don't release patches straight away - for better or for worse, they do actually test them first (usually), make sure they don't kill wierd and exotic installs etc. I know they've released dodgy patches, but my point is that Microsoft isn't an overnight operation.

    And more to the point, how does this patch get to people? Via autoupdate of course. The patch may have been written in 40 minutes, but it's still not available on SuSE auto update (as far as I can tell) despite the fact that Waldo works for SuSE! We really need to stop patting ourselves on the back simply because we can see the progress of the patch and Microsofters can't, otherwise this bullheaded arrogance WILL bite us on the ass.

    • by FreeLinux (555387) on Friday August 16, 2002 @03:47PM (#4084974)
      You do have some valid points that should be addressed and probably will be over time. But, lest we forget, this bug was reported to Microsoft a very long time ago. Furthermore, MS has not been trying to fix the bug. Instead they chose to try to place the blame on Verisign.

      Regardless, of whether Verisign should shoulder some of the blame or not, Microsoft simply dismissed a potentially serious problem. A week later, we find out that, not only is it Microsoft's problem, but it is in the OS itself not just the browser like we had thought. Conversly, KDE was able to identify the problem and produce a fix in 90 minutes.

      Now, to your point about the availability of the patch to everyone, as I said you have point. But, if you check out KDE's site you will find that they clearly state that they do NOT distribute binaries. KDE distributes source code only and that patched source code is, and has been, available. KDE leaves binary distribution up to the distros to handle. So, Suse and Red Hat et al need to step it up a bit but, KDE did a great job!

      • by tshak (173364)
        But, lest we forget, this bug was reported to Microsoft a very long time ago. Furthermore, MS has not been trying to fix the bug. Instead they chose to try to place the blame on Verisign.

        Sometimes it is better to stick with the facts - even on Slashdot. Microsoft is A) working on a patch and B) claims to have not been alerted until it was publicly released. Here's some facts from MS's website:

        Despite the many challenges associated with exploiting the flaw, there is indeed a flaw here and Microsoft is developing a patch that will eliminate it.
        ...
        However, the report, which neglected to discuss any of the challenges associated with actually exploiting the vulnerability, was made public without any advance warning to Microsoft. Responsible security researchers have the safety of users in mind and work with vendors to ensure that the information published about potential vulnerabilities is balanced and, above all, correct.

        Reference: http://www.microsoft.com/technet/treeview/default. asp?url=/technet/security/news/IARWSV.asp [microsoft.com]
    • by 2short (466733)
      And note that I got the patch from windows update this morning. Total effort required by me: one mouse click.

      Wait! what am I saying! this is slashdot, quick, ignore the facts:
      "Micro$oft will probably patch this in a year, and then no one will get it cuz it requires 34 reboots to install"
  • by FreeLinux (555387) on Friday August 16, 2002 @03:26PM (#4084801)
    90 minutes????? What are the KDE boys doing, sleeping???

    This is just unacceptable. I cannot believe and refuse to accept that it could take 90 minutes to get a major security fix out for a browser. This is completely unacceptable. It's no wonder everyone uses IE.

    I guess the Microsofties were right after all. Support for open source software is nearly impossible to find.

    -- Before you post, are you sure you got it?
  • I've already gushed about this gem o' news already [slashdot.org], concerning MS's piss-poor plan to introduce better security in their OS's via Palladium...
  • ...indeed.

    Thank's for those memos, Bill.
  • Hmmm (Score:2, Insightful)

    by Patik (584959)
    The article mentions that Konqueror was patched against the same bug in 90 minutes.

    Note that this doesn't mean the bug was only there for 90 minutes, it was there for [months, years, I don't know]. Why didn't Konqueror take the initiative to fix this before instead of waiting until it was published? Sounds like they had the fix all along and were just waiting for the announcement so they could look good by fixing it so quickly.

  • Client-side issue is the BIGGEST - most intractable problem. Culp said this to minimize the issue. He only reassures large commercial bodies of their liability,This does not minimize anything.

    Dial-up users with ignorance of patch/upgrade will never be able to trust on-line transactions. This is the vast majority of users, and the problem is going to haunt individuals for 2+ years.

  • by dh003i (203189) <dh003iNO@SPAMgmail.com> on Friday August 16, 2002 @03:41PM (#4084919) Homepage Journal
    Microsoft officials said it makes sense for the operating system to provide cryptographic services to any application that needs it, instead of each application having to include its own cryptographic technology

    Yes, indeed, it does make sense for the OS to provide such a service to any program that wants to use it, so long as that's a GOOD service.

    In general, it makes sense to provide everything from outside the program, and just have the program call on outside services. However, that means you need to make the outside services good, and it means that those writing programs don't just string together a bunch of requests (i.e., draw this, check that calls) but also work on looking for fixes to the common outside service, which would be shared by many programs.

    In other words, this approach only makes sense when the outside services are OSS / FS / public domain, which means that developers of programs can check their integrity and submit improvements. Otherwise, its just a big black hole for developers: should I trust this cryptographic routine, or shouldn't I? One never knows with proprietary routines. One can check, and improve such routines provided OSS / FS.
  • Make products buggy as hell, then get people to upgrade and pay them for it by releasing new versions which have fixed the old bugs, but introduced new bugs. Repeat ad infinetum.

    In parallel, also make sure to develop file formats and "standards" which aren't backwards compatable and don't work with any other OS', so as to lock people into MS products and force costly upgrades.

    Bwuhahahaha.
  • Why is it, every 6 months or so, I get into an argument with somebody over the fact Microsoft doesn't seem to have a clue what DLLs are for?

    I have people try to convince me that the integration of Internet Explorer into the Operating System is a good thing.

    Where the hell do these people get their training? Microsoft has a tendancy to put function calls where they are convenient for the programmer at hand (not necessarily any future programmers mine you), not in the most appropriate DLL. This isn't unusual, it happens. But why the hell do people justify it??

    Why the hell am I using a Web Browser (something whos base design is to browse web pages!!) to manage files on a local computer? The old Windows Explorer worked better and had a more appropriate (although similar) interface.

    And then, when I chalenge them on this they always retort: Can you write an OS?

    Damnit, yes I can. I don't have the time to write one, but I -could- write one.

    Even if I couldn't, Microsoft is very much an example of bad design in general. (They have some well desgiend aspects to a lot of programs too. But Clippy isn't one of those!)

  • Will this affect my ability to surf pr0n?
  • by coyote-san (38515) on Friday August 16, 2002 @04:11PM (#4085125)
    The most important thing in this story - and why the KDE fans should shut up and hide in a corner - is not the relative time to patch this mindnumblingly stupid bug, but the fact that both Microsoft and KDE made that mindnumbingly stupid mistake in the first place.

    I've been auditing some of the SSL code in various applications, and sending in patches where the original submitter thought that SSL "was just like" sockets and didn't bother to do things like checking certificate chains or setting up support for perfect forward secrecy. In some cases the "SSL" support was really just SSL-tunnels in disguise and there was a bit of resistence to changes that would force the secadmin to set up true certificates for server and possibly clients. But most accepted the need, when I pointed out that if you really need to know the server (or client!) that you're talking to you must fully check your certs.

    For instance, if your database is used to store information about ongoing criminal investigations, you do not want the bad guys to be able to masquerade as your trusted database. You want certs on the server, you want certs on the client (to keep the bad guys from connecting and adding "exculpatory" evidence to their own files), and you want to validate all of these certs.

    It's one thing for a database or NNTP server to have a broken SSL implementation. After all, we don't, yet, expect them to have SSL so the people who need to use it may well check the source for themselves. But there's absolutely no excuse for a web browser to fail to check the path. If there's any question whatsoever, pop up a warning and let the user decide whether "Joe Smith" can be trusted to sign Microsoft's security web site cert.

    (* With real SSL tunnels you can still require valid host and user keys all around. With these broken applications, you can't.)

  • by Antity (214405) on Friday August 16, 2002 @04:15PM (#4085158) Homepage

    From the article:

    Microsoft officials said it makes sense for the operating system to provide cryptographic services to any application that needs it, instead of each application having to include its own cryptographic technology.

    They're perfectly right. Everybody can have a bug like this. But there are two problems that puzzle me:

    1. When will the patches for the OSes be available?
    2. And, the worse one: Will the patches for this really ugly security leak will also come with Microsoft's new EULA that gives them access to one's computer?

    I really fear the time where users have to choose to either install a patch so fix a severe security hole and sell their (OS and computer data) souls to somebody else or just not fix their OS at all and be open to these man-in-the-middle attacks. This could become a very new quality of unsecured machines from a security point on the 'net: Users that don't want to install patches because they don't want Microsoft to own their machines - and trade this with security. (I can fully understand this.)

    With Open Source OSes, if the vendor won't fix a bug like this, somebody else would (maybe even you). With Windows, you have to rely on Microsoft even recognizing something as a bug. And if they do, there's nothing you can do but wait.

    Yes, I know, we all know this. But this problem hasn't gone away yet.

  • by cp5i6 (544080) on Friday August 16, 2002 @05:05PM (#4085554)
    How many people out there are REAL Windows Admins? Seriously? I bet not that many are true windows admins. Using windows does not qualify you as an admin. I'll admit I'm very weak on my nix admin but that's because I don't bother learning about it. In my mind Windows 2k can be just as good an OS. I bet many of you don't know that Microsoft's knowledge base acutally keeps track of all it's bugs and patches for them before they stick it on Windows Update for the rest of the masses. I bet many of you don't know that microsoft has a tool called hfnetchk ... what does it do?.. It'll download the LATEST patches that microsoft has available for you to use. It'll check your system to see what patches are installed and what aren't and give you a report telling you which article # in MS knowledge base you can find the patch for you problem. More tools you want?... How about Qchain... (which i know many of you don't know about either) that lets the user install multiple patches WITHOUT rebooting your system multiple times. For IIS Windows has IISlockd .. which many wanna-be admins didn't bother finding out during the time when nimda worms were going crazy. And the list goes on I can easily list pages worth of other tools that windows has that most people don't know about because they're ignorant. If anything I'd say windows has done a wonderful job by making people lazy. But let's take a step back. I bet many of you are saying pfft the Nix machines have this and that tool. Think about that for a moment.. why would a multibillion dollar corporation, who have a million times more resources then the average linux programmer, not bother to make a similar tool for windows if it's so useful? Kinda defies logic doesn't it especially since nowadays with IBM's backing of linux MS needs to compete performance and feature wise even more (or are you going to tell me that MS has a stranglehold on IBM?). So before anyone else goes on with the typical. . "wat you expect form MS" read up about what MS really has and acutally maintain an intellectual conversation

Aren't you glad you're not getting all the government you pay for now?

Working...