Windows 98, Me, NT4, 2000 and XP SSL Flawed 542
JoeSmack writes "In amazingly unexpected news, ComputerWorld is running an article that says the
SSL security hole found in Internet Explorer is not a flaw in the browser, but in the operating system itself." The article mentions
that Konqueror was patched against the same bug in 90 minutes.
How many apps will this break? (Score:3, Insightful)
Browser == OS (Score:5, Insightful)
There's a difference? I thought they were the same thing...
Re:Browser == OS (Score:2, Insightful)
Windows on the other hand cannot do this. I respect your point in saying they have a lot of money and customers to deal with, but their perspective on security is a bit skewed. No Windows user can fix their SSL flaw if theyre extremely paranoid, they can only hope that MS will sheild the exploit from the script kiddies of the world.
But youre right, LinuxToday is getting bad.
Re:Browser == OS (Score:2, Informative)
On top of this, I believe there has been mention of them backporting the fix as far back as KDE2.2.2 so users who don't want to get the fix from CVS can fix their systems.
Re:Browser == OS (Score:3, Informative)
Re:Browser == OS (Score:3, Insightful)
You generaly don't want to run cvs software on servers.
You also generally don't want to run KDE, or anything else involving X, on servers.
--
Re:Browser == OS (Score:2, Insightful)
And KDE's history of poor security would be...?
I also mentioned that, just because a fix is in the KDE project's CVS, does not mean that it is available for everyone - that will have to wait until the next release.
Bull shit. Ever heard of Debian's apt-get, Mandrake's urpmi, RedHat's up2date, etc.? It's up to each vendor to make the fix available to the users. You can also install it yourself without waiting for the vendor to catch up.
Microsoft has hundreds of millions of customers across the world, and the systems handle billions of dollars of revenue... this puts a huge responsiblity to get their fixes right and properly tested
Then can you explain why Microsoft releases bugfixes that uhhm break stuff? Despite the fact that Microsoft takes 2-3 months to uhhh "test" stuff, Open Source community has a much better track record in this regard.
Quite frankly, LinuxToday is becoming unreadable by anyone not a) a KDE super-fan b) rabidly anti-Microsoft.
Quite frankly, you are an idiot spreading FUD.
Slow down there. (Score:4, Insightful)
Despite your glaring lack of maturity in the above sentence, I figured I would respond.
Microsoft software (Windows/Office/Internet Explorer or any combination of the above) runs on approximately 95 out of every 100 client computers on the Internet. Now, on those computers, you have every piece of weird x86 hardware ever invented, from crappy $5 ISA modems to $5,000 SCSI RAID arrays. You also have Microsoft software that runs on Macintosh, Solaris, HP-UX and FreeBSD computers.
Now, figure that Linux runs on approximately 1 out of every 100 client computers on the Internet. (This is a high guess -- I'm giving Linux the benefit of the doubt here.) Now assume that KDE runs on 100% of those computers (also an extremely high guess.) So for every 1 person who receives the KDE fix, there will be about 92 (I'm taking out the non-Windows, non-Linux users) people who receive the Microsoft fix.
Considering that there are hundreds of millions of people on the Internet, and hundreds of BILLIONS of different hardware configurations, the chance that a Microsoft fix will break something is much higher than the chance that a KDE fix will break something.
"Ever heard of Debian's apt-get, Mandrake's urpmi, RedHat's up2date, etc.? It's up to each vendor to make the fix available to the users."
Oh, I love these arguments. It's funny how most people who run Linux don't trust their vendor enough to release patches in a timely manner, and actually whine about fixes being easy to get. "But I run Linux so I can do everything myself!"
I run about 12 Linux servers. I trust my vendors (Red Hat and Sun Cobalt in this instance) to provide me with timely updates. But the funny thing is that whenever I recommend that people trust their vendor for services like Apache or PHP and use up2date, I get laughed at. In fact, when I say that I use Red Hat and Sun Cobalt, I get laughed at. "Why not just compile everything yourself? Why not just use Debian?" Well, guess what, ladies and gentlemen -- I run a profitable business off of my servers and I don't have time to sit on SecurityFocus all day and make sure I'm not affected by the myriad set of would-be bugs on my servers. I trust my vendor to test the updates on their set of supported hardware and release them to me in a timely manner. I will then run the vendor-supported update tool and download them.
The people I see who are the most rabid advocates of open source are also the most rabid advocates of doing everything themselves -- the epitome of the "trust no one" saying. These are the SAME people, much like yourself, who also say that it's up to the vendor to release patches. I have news for you. You either need to trust your vendor to provide patches, or you need to realize that in the real world, not everyone has time to make a test bed and test that every CVS patch works the way it is claimed to. You can't bash Microsoft for taking time to release tested updates and then claim that Linux is better because you can install a fix that is untested instead of "waiting for the vendor to catch up".
Re:Slow down there. (Score:3, Interesting)
I work on Solaris every day...where's the Microsoft software? I know that IE is available for Solaris, but I certainly wouldn't be so stupid as to actually install it.
Your giving the Windows users too much credit. The fraction of KDE users who will eventually upgrade KDE is much higher than the fraction of Windows users who will ever bother to patch their systems.
Considering that there are hundreds of millions of people on the Internet, and hundreds of BILLIONS of different hardware configurations, the chance that a Microsoft fix will break something is much higher than the chance that a KDE fix will break something.
Actually, a patch that breaks something because of an odd hardware configuration simply indicates architectural flaws in the OS.
It's funny how most people who run Linux don't trust their vendor enough to release patches in a timely manner, and actually whine about fixes being easy to get.
??.
I don't have time to sit on SecurityFocus all day and make sure I'm not affected by the myriad set of would-be bugs on my servers...
You should at least read up on what is being delivered to you during an "up2date" session, so you know what the configuration of your servers is at any moment. Software changes can have complex ramifications, if done blindly.
I think the rabid Linux people you are going after simply are the people who want to know where they actually are at any given moment. This is actually a responsible attitude towards system administration. If you don't have time for it, perhaps you are overworked and need an assistant?
The people I see who are the most rabid advocates of open source are also the most rabid advocates of doing everything themselves...
So certain Peruvian congressmen are uber-elite system administrators? People who simply want a non-proprietary Office format also write their own kernel modules?
Re:Slow down there. (Score:3, Informative)
Let's say you need to do the same thing with a 100 debian machines. You write a script which takes about 15 minutes and you run it.
Which costs you less time and money?
Re:Slow down there. (Score:5, Interesting)
I implicity trust Redhat, Mandrake, and all the major Linux vendors for that matter; _implicitly_. Based on nothing more than the fact that they have a proven track record of being trustworthy, and not eavesdropping/abusing/fscking the consumer. Microsoft on the other hand has a notorious reputation for abusing customers, vendors, programmers and competitors. I won't provide any references because I'm quite certain that google will provide more than I care to count. Do the homework yourself if you don't already agree.
If for no other reason than that, I will trust Redhat to provide "vendor" patches because I have no reason not to. For the record, I'm not one of those "paranoid"/"I'll fix the code myself" people you spoke of. I'm just joe-average-sysadmin with my company's best interests in mind.
Re:Slow down there. (Score:4, Insightful)
I feel obliqued to answer regardless of the fact that you choose to be a coward.
Exactly what kind of profitable business you are doing? Yes you could trust your vendors to supply the latest fixes to you in timely fashion, but you don't seem to get the idea of risk management. If your 'profitable business' cannot bear the loss resulted in not-up-to-time fixes from vendors, you must check closely with latest security updates.
Since you mentioned security update site like security focus, have you realize that there's nothing you can do when your vendor like Microsoft who don't give a damn to the security problems in their products and you've no choice but to remove the problematic products until they are generously enough to release the patch?
In conclude, you either has no clue on the word 'risk' or you simply have way too much money to spare(or your boss has way too much spare money to hire the like of you).
Re:Browser == OS (Score:3, Informative)
How many? One?
Also, most vendors do not provide CVS packages for things like this. Hell, debian still doesn't even have an official KDE3. And even if there is a CVS version, how many people are going to be quick to hop on it, considering the code in CVS is typically beta at best? And what newbies are even going to know about this?
Some ridiculously stupid mumbles there. Each distribution has an easy way of upgrading the packages. In Debian it's "apt-get updage; apt-get upgrade". In Mandrake & RedHat you just run the GUI updater software. The update icon is right there on the desktop.
Nobody is suggesting that you should install a CVS version of software to get a security fix. The fixes are backported into the stable branches of the software, and vendors package them. Wow, what a concept!
And then your issue on bugfixes. Are you trying to say that OSS patches never break anything?
No, I'm saying that Microsoft breaks stuff more often despite taking months to release a fix.
patch distribution model (Score:4, Insightful)
Of course, the number of Windows desktops dwarfs the number of KDE desktops so if even a small percentage of Windows installations don't get patched, it would probably be about the same as if KDE never got patched at all.
Re:patch distribution model (Score:3, Insightful)
People who only want to use AIM, Winamp, IE, and whatever email program they've been trained to use (probably outlook express) don't want to deal with "SSL Vulnerability!" notifications popping up in their system tray.
And they certainly don't care enough to go looking for fixes in Windows Update, even though the link to it is right at the top of the start menu.
Re:patch distribution model (Score:3, Interesting)
Re:Browser == OS (Score:3, Insightful)
Re:Browser == OS (Score:3, Interesting)
Re:Browser == OS (Score:3, Informative)
The "patchy" web server has a security record so far superior to Microsoft's IIS that the edge is more like 4 milliseconds vs. 4 billion years.
The number and severity of compromises of IIS is legendary (the FBI has ranked IIS as the number one security problem on the internet). There have been times where the servers I administer have been recieving more hits from compromised IIS installations trying to spread virii than they have from legitimate users. The problem got so severe last summer that my broadband ISP had to block port 80 to keep their network up.
And this is NOT an issue of population base causing statistics to be skewed - the patchy web server has more installations than all others combined.
Re:Browser == OS (Score:4, Interesting)
Does microsoft answer to all the machines that SP3 breaks? (Some companies might not be as careful as us and could lose important data). No, the EULA explicitly states that they have zero liability even if sp3 triggers World War 3 (before GWB does).
Anyone who uses the 'liability' FUD about MS software deserves shooting. If it breaks, you get to keep both pieces (to coin a phrase).
the funny thing (Score:3, Insightful)
Re:the funny thing (Score:2)
Oh, that's good then... (Score:5, Funny)
Glad it's only a client side issue then.
But, of course (Score:2, Interesting)
Comment removed (Score:5, Interesting)
Re:These statements don't agree.. (Score:2)
In other words:
"Well, that is because Internet Explorer is the real one and only operating system service you need if you want ssl."
Re:These statements don't agree.. (Score:2)
If this is an OS-level flaw, then it would stand to reason that there would be a problem in actually using ANY SSL on that OS. Scope and all that. So which is it? Do I need to boot in to Linux to buy anything online until the patch is released, or what?
Re:These statements don't agree.. (Score:3, Insightful)
Re:These statements don't agree.. (Score:2)
taken together?
Nah. To me, it simply shows that the app providers don't trust Microsoft's implementation. For whatever reason, they've chosen to find their own methods of crypto rather than relying on MS.
Re:These statements don't agree.. (Score:3, Insightful)
One: 'it makes sense to put it into the OS so any application can use it', followed by 'the only applicatio that uses it is IE'.
Two: I though IE WAS part of the OS, not an application.
Re:These statements don't agree.. (Score:2)
He he he (Score:5, Funny)
"This is the best way to do it. Of course, that's not how we actually do it."
Re:He he he (Score:5, Funny)
"Cryptography is included in the Windows API. For some reason, no one trusts it enough to use it except our IE development team."
Re:He he he (Score:5, Funny)
"Cryptography is included in the Windows API. No-one else uses it because we don't disclose that API"
Didn't mention Windows 95 (Score:5, Funny)
It's a good thing I didn't upgrade.
Re:Didn't mention Windows 95 (Score:2)
IIRC, Win95 was end-of-lifed a while back. Whatever holes remained in Win95 at that time will never be fixed.
(Then again, IE was never an integral part of Win95. You could presumably run Win95 & Mozilla (assuming Mozilla supports Win95...turns out that it does [mozilla.org]) and not run into these problems.)
Re:Didn't mention Windows 95 (Score:2, Funny)
favorite quote (Score:4, Insightful)
This "makes sense" up until the point where you have to patch your kernel instead of upgrading a library. When OpenSSL had a bug, they fixed it and you could upgrade OpenSSL. When Konqueror had this specific bug, it could be uprgraded easily enough. Now Windows users have to patch their entire OS to fix this (or just use another browser that doesn't use the crypto-in-the-kernel routines).
Re:favorite quote (Score:2, Insightful)
Why is everyone nitpicking over this? What difference does it make if one has to patch an application or an OS (Is an OS not an application?) What other crypto services do you use in Windows at the moment outside of your browser? Ok, Ok, I know you all hate MS/Windows, but this is just childish.
Re:favorite quote (Score:3, Insightful)
By the way, read the article and you find out that according to Microsoft the bug only effects IE, yet it is contained in an OS level API.
Huh? Shouldn't that mean anything using that same API would have the problem? Unless of course this is just one piece of the IE code they toss in an in-appropriate DLL.
No, can't be. Microsoft wouldn't do that.
Re:favorite quote (Score:3, Funny)
Re:favorite quote (Score:2, Troll)
According to the EULA Microsoft Isn't responsible for the code either.
I'm a programmer by trade.
Microsoft doesn't have a fucking clue.
Re:favorite quote (Score:2)
I sure as hell could have implemented the API in question without this fuckup.
I could also patch the source code in about 10 minutes, then check the propgation of the error code and verify it is handled correctly, another 10 minutes. Longer if it isn't of course, but again, not the end of the world, other Certificate errors are already handled.
Send it off for 3rd party testing and have results back within what, an hour?
Add in the time to generate a certificate for testing, blah blah... Your not talking days. Regardless.
And no, Microsoft doesn't have a a god damn clue how to write an OS or divide functions up between appropriate DLLs.
By the way, go ahead and try to sue Microsoft based on the assumption that EULA won't stand up in court. You can't.
Re:favorite quote (Score:5, Insightful)
Here's another question. Who do you sue if that bug in IE causes you to lose money? Nobody! Read the EULA!
Re:favorite quote (Score:2)
sPh
Re:favorite quote (Score:2, Informative)
I'm sure that others that use Windows more than I do can come up with other applications that use the crypto API.
Re:favorite quote (Score:2)
Re:favorite quote (Score:2)
Re:favorite quote (Score:2)
Re:favorite quote (Score:2)
Umm, even Microsoft doesn't implement all of the Windows API in the kernel. The cryptography services are a shared library, just like OpenSSL.
What goes around comes around... (Score:3, Insightful)
Sorry MS - kill by integration, be killed by integration. It's a circle of life kinda thing...
Re:What goes around comes around... (Score:2)
actually the idea to put security sensitive piece of software in a library isn't bad.
While I have no idea how this specific case is handled in linux, it's clear that also in linux cryptographic libraries exist and are used throughout different apps.
>ls -1
see?
Re:What goes around comes around... (Score:3, Informative)
Exactly right and having the crypto in a library every can get at is a good thing. What you missed was that this windows problem isnt in the security library it should have been in.
"Company officials added that the flaw isn't in Microsoft's CryptoAPI application program interface (CAPI) either, which would have left a number of applications and Windows services vulnerable, not just Internet Explorer."
So they screwed up and didnt include this code for verifying trust signatures in their API, its somewhere in the OS.
And although knowing MS's previous security problems, its highly unlikely that this a problem in the kernel, since it affects NT based as well as 9x based systems.
Re:What goes around comes around... (Score:2)
Quick fix (Score:4, Funny)
Long-term fix (Score:3, Funny)
(or better yet, a different OS altogether...)
It doesn't make too much sense (Score:3, Insightful)
Uh-oh (Score:2, Interesting)
Oh good, it's not an IE bug (Score:5, Funny)
(Oh wait, that was the Konqueror people!)
We'll I'm sure with our new secure computing focus it will be out any time now. Please don't stop doing ecommerce, just because all your personal data can be hacked, just use Passport.
(Oh wait, that happens with Passport too!)
Ummmm...
Yet again... (Score:2, Funny)
Re:Yet again... (Score:5, Insightful)
Neither did Konqueror. Blame where blame belongs, please. It's trendy to just blame everything on the Big Evil Empire, but let's not forget they aren't the only ones who have bugs.
Re:Yet again... (Score:5, Informative)
Re:Yet again... (Score:2, Insightful)
We really depend on the bugs (Score:3, Interesting)
90min to the fix, but how long to the masses? (Score:2, Insightful)
I mean, when the fix becomes ready from MS (weeks or months, but it will) it will be applicable to most users of Windows, but the current fix for Konqueror after 90min weren't immediatly ready for the masses.
So, when will it?
Bug is in inet.dll (Score:3, Interesting)
I was a beta tester for IE4 (so flame me, OK) and I found a bug in the HTTP1.1 keep-alive implementation. They never saw it because they tested only against IIS and I tested against Apache which implemented it correctly of course.
They didn't want to fix it until I explained that %60 (at the time) of the web runs on Apache servers.
In fact the MS product manager wanted me to call "the Apache company and have them fix Apache." Duh. Me- "There is nobody to call sir, and the problem is YOUR problem and not theirs."
They delayed IE4 for two weeks after it had gone gold to fix it. So don't flame me.
Anyway, that bug was in inet.dll, and I bet this one is too.
Re:Bug is in inet.dll (Score:3, Interesting)
There was a bug with packet fragmentation and redirects that caused internet explorer to display a blank page which said "Object moved, object can be found _here_.", where _here_ was a link to the target of the redirect.
Funnily, their own proxy software tended to cause fragmentation of the redirect packet quite often.
What I didn't understand was how they were capable to produce this bug, this completely negates everything I know about seperating the different layers of transport.
Re:Bug is in inet.dll (Score:3, Funny)
Yeah, I'm sure the code for checking the heirarchy of SSL certificates is in the TCP/IP stack .dll.
Maybe peer reviewed code isn't really that great of an idea after all....
News (Score:3, Funny)
Isn't this supposed to be " News For Nerds"?
things i dont get (Score:5, Interesting)
- The bug is in the OS crypto services
- It's NOT MS's crypto api
- Only IE is affected.
Time for rhetorical questions:Anybody else not see the lack of logic here? MS has two crypto implementations? One for the OS, one for the API? Why the redundancy? Why cant the OS use the API? Or conversely, why is the API necessary when there's the services are in the OS?
How in the world is IE the only app affected? It seems more to logical to assume that any app using this crypto services are also vulnerable.
I'll tell you why (Score:4, Funny)
The logic is so obviously simple:
increased redundancy == increased failsafety
So, if one of the crypto API's has a security hole, the OS can rely on the backup API, just like how a bike with one flat tire can be ridden home on the remaining good tire.
I tell you, those MS guys really got some effective circumetry in their noggins!
Re:things i dont get (Score:3, Insightful)
Um, maybe one crypto service is for SSL, while the other is for, oh, maybe encrypting files?
There are so many good reasons to bash MS, why invent a bad one?
Let's be fair here (Score:5, Insightful)
You know what? I bet the 'soft could do this too. I mean have a guy, or team of guys available 24/7 to patch bugs. And you know what else? They'd still get flack for it, as Microsoft don't release patches straight away - for better or for worse, they do actually test them first (usually), make sure they don't kill wierd and exotic installs etc. I know they've released dodgy patches, but my point is that Microsoft isn't an overnight operation.
And more to the point, how does this patch get to people? Via autoupdate of course. The patch may have been written in 40 minutes, but it's still not available on SuSE auto update (as far as I can tell) despite the fact that Waldo works for SuSE! We really need to stop patting ourselves on the back simply because we can see the progress of the patch and Microsofters can't, otherwise this bullheaded arrogance WILL bite us on the ass.
Re:Let's be fair here (Score:4, Informative)
Regardless, of whether Verisign should shoulder some of the blame or not, Microsoft simply dismissed a potentially serious problem. A week later, we find out that, not only is it Microsoft's problem, but it is in the OS itself not just the browser like we had thought. Conversly, KDE was able to identify the problem and produce a fix in 90 minutes.
Now, to your point about the availability of the patch to everyone, as I said you have point. But, if you check out KDE's site you will find that they clearly state that they do NOT distribute binaries. KDE distributes source code only and that patched source code is, and has been, available. KDE leaves binary distribution up to the distros to handle. So, Suse and Red Hat et al need to step it up a bit but, KDE did a great job!
Re:Let's be fair here (Score:3, Interesting)
Sometimes it is better to stick with the facts - even on Slashdot. Microsoft is A) working on a patch and B) claims to have not been alerted until it was publicly released. Here's some facts from MS's website:
Despite the many challenges associated with exploiting the flaw, there is indeed a flaw here and Microsoft is developing a patch that will eliminate it.
However, the report, which neglected to discuss any of the challenges associated with actually exploiting the vulnerability, was made public without any advance warning to Microsoft. Responsible security researchers have the safety of users in mind and work with vendors to ensure that the information published about potential vulnerabilities is balanced and, above all, correct.
Reference: http://www.microsoft.com/technet/treeview/default
Let's be even fairer... (Score:2, Informative)
Wait! what am I saying! this is slashdot, quick, ignore the facts:
"Micro$oft will probably patch this in a year, and then no one will get it cuz it requires 34 reboots to install"
90 Minutes for Konqueror fix. (Score:5, Funny)
This is just unacceptable. I cannot believe and refuse to accept that it could take 90 minutes to get a major security fix out for a browser. This is completely unacceptable. It's no wonder everyone uses IE.
I guess the Microsofties were right after all. Support for open source software is nearly impossible to find.
-- Before you post, are you sure you got it?
Well, DUH. (Score:2)
Trustworthy computing as its finest... (Score:3, Funny)
Thank's for those memos, Bill.
Hmmm (Score:2, Insightful)
Note that this doesn't mean the bug was only there for 90 minutes, it was there for [months, years, I don't know]. Why didn't Konqueror take the initiative to fix this before instead of waiting until it was published? Sounds like they had the fix all along and were just waiting for the announcement so they could look good by fixing it so quickly.
(I thought the Browser was claimed to BE the OS!) (Score:2)
Dial-up users with ignorance of patch/upgrade will never be able to trust on-line transactions. This is the vast majority of users, and the problem is going to haunt individuals for 2+ years.
On an OS Providing Cryptographic service (Score:5, Insightful)
Yes, indeed, it does make sense for the OS to provide such a service to any program that wants to use it, so long as that's a GOOD service.
In general, it makes sense to provide everything from outside the program, and just have the program call on outside services. However, that means you need to make the outside services good, and it means that those writing programs don't just string together a bunch of requests (i.e., draw this, check that calls) but also work on looking for fixes to the common outside service, which would be shared by many programs.
In other words, this approach only makes sense when the outside services are OSS / FS / public domain, which means that developers of programs can check their integrity and submit improvements. Otherwise, its just a big black hole for developers: should I trust this cryptographic routine, or shouldn't I? One never knows with proprietary routines. One can check, and improve such routines provided OSS / FS.
MS's master business plan (Score:2, Insightful)
In parallel, also make sure to develop file formats and "standards" which aren't backwards compatable and don't work with any other OS', so as to lock people into MS products and force costly upgrades.
Bwuhahahaha.
Microsoft, Libraries and DLL (Score:2)
I have people try to convince me that the integration of Internet Explorer into the Operating System is a good thing.
Where the hell do these people get their training? Microsoft has a tendancy to put function calls where they are convenient for the programmer at hand (not necessarily any future programmers mine you), not in the most appropriate DLL. This isn't unusual, it happens. But why the hell do people justify it??
Why the hell am I using a Web Browser (something whos base design is to browse web pages!!) to manage files on a local computer? The old Windows Explorer worked better and had a more appropriate (although similar) interface.
And then, when I chalenge them on this they always retort: Can you write an OS?
Damnit, yes I can. I don't have the time to write one, but I -could- write one.
Even if I couldn't, Microsoft is very much an example of bad design in general. (They have some well desgiend aspects to a lot of programs too. But Clippy isn't one of those!)
The real question is... (Score:2, Troll)
The most important thing (Score:5, Informative)
I've been auditing some of the SSL code in various applications, and sending in patches where the original submitter thought that SSL "was just like" sockets and didn't bother to do things like checking certificate chains or setting up support for perfect forward secrecy. In some cases the "SSL" support was really just SSL-tunnels in disguise and there was a bit of resistence to changes that would force the secadmin to set up true certificates for server and possibly clients. But most accepted the need, when I pointed out that if you really need to know the server (or client!) that you're talking to you must fully check your certs.
For instance, if your database is used to store information about ongoing criminal investigations, you do not want the bad guys to be able to masquerade as your trusted database. You want certs on the server, you want certs on the client (to keep the bad guys from connecting and adding "exculpatory" evidence to their own files), and you want to validate all of these certs.
It's one thing for a database or NNTP server to have a broken SSL implementation. After all, we don't, yet, expect them to have SSL so the people who need to use it may well check the source for themselves. But there's absolutely no excuse for a web browser to fail to check the path. If there's any question whatsoever, pop up a warning and let the user decide whether "Joe Smith" can be trusted to sign Microsoft's security web site cert.
(* With real SSL tunnels you can still require valid host and user keys all around. With these broken applications, you can't.)
Shared code ok - but what EULA? (Score:4, Interesting)
From the article:
They're perfectly right. Everybody can have a bug like this. But there are two problems that puzzle me:
I really fear the time where users have to choose to either install a patch so fix a severe security hole and sell their (OS and computer data) souls to somebody else or just not fix their OS at all and be open to these man-in-the-middle attacks. This could become a very new quality of unsecured machines from a security point on the 'net: Users that don't want to install patches because they don't want Microsoft to own their machines - and trade this with security. (I can fully understand this.)
With Open Source OSes, if the vendor won't fix a bug like this, somebody else would (maybe even you). With Windows, you have to rely on Microsoft even recognizing something as a bug. And if they do, there's nothing you can do but wait.
Yes, I know, we all know this. But this problem hasn't gone away yet.
In defense of microsoft (Score:5, Informative)
What's the problem? (Score:2, Funny)
So, what's he afraid of? Stealing from himself?
Object Moved (Score:2)
I liked this article under its former name, "IE and Konqueror Bug Makes SSL Insecure"
And to add to the irony, posting a Microsoft-bashing article placed against a giant square ad that says "Microsoft Visual Studio.NET - Try it Now! Get your Trial DVD today!!" is just ignorant.
Re:Not a big deal! (Score:2)
Re:Not a big deal! (Score:5, Insightful)
Re:Not a big deal! (Score:2, Funny)
2) ???
3) Profit
All your base are belong to us!
Minor problem (Score:3, Troll)
It's funny that Microsoft always comments publicly on the minor bugs, but ignores the serious ones, just until they release a patch.
Re:Konqueror (Score:3, Interesting)
Re:this is good news (Score:2)
Re:this is good news (Score:2)
Although, as others have pointed out, Konqueror is really a *nix app (not just a Linux app or even an X app, as commonly assumed). You'd be best off just grabbing a copy of Mozilla if you're really worried.
--
Evan (no reference, not even to a certain Toho Industries character)
Re:thought SSL wasn't secure anyway (Score:5, Informative)
The BugTraq [securityfocus.com] post describes the nature of a MOTM exploit using this vulnerability.
A BugTraq reader [securityfocus.com] was able to successfully demonstrate this [ipsec.pl] using dsniff and OpenSSL as his tool kit. Screenshots [ipsec.pl] on his site illustrate this, with his own bank account!
Re: integration vs modularity (Score:3)
Yeah, but it makes it harder to write portable applications.
Surprise, surprise...
(In this case, the article mentions that Internet Explorer is nearly the only application to use these OS functions at all. But the concept is clear - Put more convenient functions into an OS so that vendors won't write them on their own. The resulting product is then bound to this single OS - if the vendor doesn't want to pay more to his programmers to re-program all this code. Most won't, after they've start selling the product. And: This will artifically make porting a product to another OS seem more expensive.)
Re:Windows update was available on 8/16 at 9am EST (Score:3, Insightful)