Windows 98, Me, NT4, 2000 and XP SSL Flawed 542
JoeSmack writes "In amazingly unexpected news, ComputerWorld is running an article that says the
SSL security hole found in Internet Explorer is not a flaw in the browser, but in the operating system itself." The article mentions
that Konqueror was patched against the same bug in 90 minutes.
Re:favorite quote (Score:2, Informative)
I'm sure that others that use Windows more than I do can come up with other applications that use the crypto API.
Re:Yet again... (Score:5, Informative)
Re:What goes around comes around... (Score:3, Informative)
Exactly right and having the crypto in a library every can get at is a good thing. What you missed was that this windows problem isnt in the security library it should have been in.
"Company officials added that the flaw isn't in Microsoft's CryptoAPI application program interface (CAPI) either, which would have left a number of applications and Windows services vulnerable, not just Internet Explorer."
So they screwed up and didnt include this code for verifying trust signatures in their API, its somewhere in the OS.
And although knowing MS's previous security problems, its highly unlikely that this a problem in the kernel, since it affects NT based as well as 9x based systems.
Re:Let's be fair here (Score:4, Informative)
Regardless, of whether Verisign should shoulder some of the blame or not, Microsoft simply dismissed a potentially serious problem. A week later, we find out that, not only is it Microsoft's problem, but it is in the OS itself not just the browser like we had thought. Conversly, KDE was able to identify the problem and produce a fix in 90 minutes.
Now, to your point about the availability of the patch to everyone, as I said you have point. But, if you check out KDE's site you will find that they clearly state that they do NOT distribute binaries. KDE distributes source code only and that patched source code is, and has been, available. KDE leaves binary distribution up to the distros to handle. So, Suse and Red Hat et al need to step it up a bit but, KDE did a great job!
Re:thought SSL wasn't secure anyway (Score:5, Informative)
The BugTraq [securityfocus.com] post describes the nature of a MOTM exploit using this vulnerability.
A BugTraq reader [securityfocus.com] was able to successfully demonstrate this [ipsec.pl] using dsniff and OpenSSL as his tool kit. Screenshots [ipsec.pl] on his site illustrate this, with his own bank account!
Re:Browser == OS (Score:2, Informative)
On top of this, I believe there has been mention of them backporting the fix as far back as KDE2.2.2 so users who don't want to get the fix from CVS can fix their systems.
Re:Browser == OS (Score:3, Informative)
Let's be even fairer... (Score:2, Informative)
Wait! what am I saying! this is slashdot, quick, ignore the facts:
"Micro$oft will probably patch this in a year, and then no one will get it cuz it requires 34 reboots to install"
The most important thing (Score:5, Informative)
I've been auditing some of the SSL code in various applications, and sending in patches where the original submitter thought that SSL "was just like" sockets and didn't bother to do things like checking certificate chains or setting up support for perfect forward secrecy. In some cases the "SSL" support was really just SSL-tunnels in disguise and there was a bit of resistence to changes that would force the secadmin to set up true certificates for server and possibly clients. But most accepted the need, when I pointed out that if you really need to know the server (or client!) that you're talking to you must fully check your certs.
For instance, if your database is used to store information about ongoing criminal investigations, you do not want the bad guys to be able to masquerade as your trusted database. You want certs on the server, you want certs on the client (to keep the bad guys from connecting and adding "exculpatory" evidence to their own files), and you want to validate all of these certs.
It's one thing for a database or NNTP server to have a broken SSL implementation. After all, we don't, yet, expect them to have SSL so the people who need to use it may well check the source for themselves. But there's absolutely no excuse for a web browser to fail to check the path. If there's any question whatsoever, pop up a warning and let the user decide whether "Joe Smith" can be trusted to sign Microsoft's security web site cert.
(* With real SSL tunnels you can still require valid host and user keys all around. With these broken applications, you can't.)
Re:These statements don't agree.. - MSXML (Score:2, Informative)
I believe that the common scripting engine for HTTP - called MSXML - might be impacted.
In other words, I suspect the 2nd statement isn't correct...
Re:These statements don't agree.. (Score:2, Informative)
The reason it probably affects just IE is because this an obscure API that most apps don't need to use. Cross-platform apps that need secure communications have probably rolled their own solutions.
In defense of microsoft (Score:5, Informative)
Re:Slow down there. (Score:3, Informative)
Let's say you need to do the same thing with a 100 debian machines. You write a script which takes about 15 minutes and you run it.
Which costs you less time and money?
Re:Browser == OS (Score:3, Informative)
How many? One?
Also, most vendors do not provide CVS packages for things like this. Hell, debian still doesn't even have an official KDE3. And even if there is a CVS version, how many people are going to be quick to hop on it, considering the code in CVS is typically beta at best? And what newbies are even going to know about this?
Some ridiculously stupid mumbles there. Each distribution has an easy way of upgrading the packages. In Debian it's "apt-get updage; apt-get upgrade". In Mandrake & RedHat you just run the GUI updater software. The update icon is right there on the desktop.
Nobody is suggesting that you should install a CVS version of software to get a security fix. The fixes are backported into the stable branches of the software, and vendors package them. Wow, what a concept!
And then your issue on bugfixes. Are you trying to say that OSS patches never break anything?
No, I'm saying that Microsoft breaks stuff more often despite taking months to release a fix.
Re:Browser == OS (Score:3, Informative)
The "patchy" web server has a security record so far superior to Microsoft's IIS that the edge is more like 4 milliseconds vs. 4 billion years.
The number and severity of compromises of IIS is legendary (the FBI has ranked IIS as the number one security problem on the internet). There have been times where the servers I administer have been recieving more hits from compromised IIS installations trying to spread virii than they have from legitimate users. The problem got so severe last summer that my broadband ISP had to block port 80 to keep their network up.
And this is NOT an issue of population base causing statistics to be skewed - the patchy web server has more installations than all others combined.
Professionals or for the masses (Score:2, Informative)
I have hfnetchk and yes, it works and d/ls patches that Micrsoft have released. If they haven't released the patch yet, you are stuffed. I also have qchain and I don't trust it (some fixes didn't stick after being chained) and anyway, why should I have to run it? I manage 2K server boxes and it makes life easier.
However, there are a lot of 0wn3d 2K and XP boxes out there which can be used DOS me, you or Slashdot at the drop of a hat sitting on Cable modems or ADSL. The guys running those boxes are at home and as someone else points out over half couldn't find the C:\ prompt if they tried.
On Linux, I use RedHat's up2dat and XImian's Red Carpet. Very nice and very prompt with fixes. I also have Gentoo, but this is definitely not for people who dislike shell prompts.
Re:Oh, that's good then... Thank God for Opera (Score:2, Informative)
It is.
But they posted V 6.05 within 24 hours, making the fix available to Joe A. User before anyone else.