Windows 98, Me, NT4, 2000 and XP SSL Flawed
JoeSmack writes "In amazingly unexpected news, ComputerWorld is running an article that says the SSL security hole found in Internet Explorer is not a flaw in the browser, but in the operating system itself." The article mentions that Konqueror was patched against the same bug in 90 minutes.
But, of course (Score:2, Interesting)
Look, nobody outside of /. cares (Score:1, Interesting)
As long as the majority of the population thinks Microsoft is da bomb, nothing will change.
Kind of like the way people think about the government, flawless.
Uh-oh (Score:2, Interesting)
this is good news (Score:1, Interesting)
We really depend on the bugs (Score:3, Interesting)
Bug is in inet.dll (Score:3, Interesting)
I was a beta tester for IE4 (so flame me, OK) and I found a bug in the HTTP 1.1 keep-alive implementation. They never saw it because they tested only against IIS, and I tested against Apache, which implemented it correctly of course.
They didn't want to fix it until I explained that 60% (at the time) of the web runs on Apache servers.
In fact the MS product manager wanted me to call "the Apache company and have them fix Apache." Duh. Me- "There is nobody to call sir, and the problem is YOUR problem and not theirs."
They delayed IE4 for two weeks after it had gone gold to fix it. So don't flame me.
Anyway, that bug was in inet.dll, and I bet this one is too.
Re:Konqueror (Score:3, Interesting)
things i dont get (Score:5, Interesting)
Anybody else not see the lack of logic here? MS has two crypto implementations? One for the OS, one for the API? Why the redundancy? Why can't the OS use the API? Or conversely, why is the API necessary when the services are in the OS?
How in the world is IE the only app affected? It seems more logical to assume that any app using these crypto services is also vulnerable.
Re:Bug is in inet.dll (Score:3, Interesting)
There was a bug with packet fragmentation and redirects that caused Internet Explorer to display a blank page which said "Object moved, object can be found _here_.", where _here_ was a link to the target of the redirect.
Funnily, their own proxy software tended to cause fragmentation of the redirect packet quite often.
What I didn't understand was how they were capable of producing this bug; this completely negates everything I know about separating the different layers of transport.
Shared code ok - but what EULA? (Score:4, Interesting)
From the article:
They're perfectly right. Everybody can have a bug like this. But there are two problems that puzzle me:
I really fear the time where users have to choose to either install a patch to fix a severe security hole and sell their (OS and computer data) souls to somebody else, or just not fix their OS at all and be open to these man-in-the-middle attacks. This could become a very new quality of unsecured machines on the 'net from a security point of view: users who don't want to install patches because they don't want Microsoft to own their machines, and trade this for security. (I can fully understand this.)
With Open Source OSes, if the vendor won't fix a bug like this, somebody else would (maybe even you). With Windows, you have to rely on Microsoft even recognizing something as a bug. And if they do, there's nothing you can do but wait.
Yes, I know, we all know this. But this problem hasn't gone away yet.
Re:Let's be fair here (Score:3, Interesting)
Sometimes it is better to stick with the facts - even on Slashdot. Microsoft is A) working on a patch and B) claims not to have been alerted until it was publicly released. Here are some facts from MS's website:
Despite the many challenges associated with exploiting the flaw, there is indeed a flaw here and Microsoft is developing a patch that will eliminate it.
However, the report, which neglected to discuss any of the challenges associated with actually exploiting the vulnerability, was made public without any advance warning to Microsoft. Responsible security researchers have the safety of users in mind and work with vendors to ensure that the information published about potential vulnerabilities is balanced and, above all, correct.
Reference: http://www.microsoft.com/technet/treeview/default
Spin (Score:1, Interesting)
Why can't the tech press see through this?
The public needs to be told "change browser or don't use online banking etc. until the bug is fixed". Instead they are fed "MS is working on a patch for Windows".
Re:Browser == OS (Score:1, Interesting)
Also, most vendors do not provide CVS packages for things like this. Hell, Debian still doesn't even have an official KDE3. And even if there is a CVS version, how many people are going to be quick to hop on it, considering the code in CVS is typically beta at best? And what newbies are even going to know about this?
And then your issue on bugfixes. Are you trying to say that OSS patches never break anything? I think you ought to check out www.lkml.org or something. Patches break other things all the time, because they're often unforeseeable.
Quite frankly, you're a close-minded individual who chooses to ignore certain obviouses.
Re:Slow down there. (Score:3, Interesting)
I work on Solaris every day...where's the Microsoft software? I know that IE is available for Solaris, but I certainly wouldn't be so stupid as to actually install it.
You're giving the Windows users too much credit. The fraction of KDE users who will eventually upgrade KDE is much higher than the fraction of Windows users who will ever bother to patch their systems.
Considering that there are hundreds of millions of people on the Internet, and hundreds of BILLIONS of different hardware configurations, the chance that a Microsoft fix will break something is much higher than the chance that a KDE fix will break something.
Actually, a patch that breaks something because of an odd hardware configuration simply indicates architectural flaws in the OS.
It's funny how most people who run Linux don't trust their vendor enough to release patches in a timely manner, and actually whine about fixes being easy to get.
??.
I don't have time to sit on SecurityFocus all day and make sure I'm not affected by the myriad set of would-be bugs on my servers...
You should at least read up on what is being delivered to you during an "up2date" session, so you know what the configuration of your servers is at any moment. Software changes can have complex ramifications, if done blindly.
I think the rabid Linux people you are going after simply are the people who want to know where they actually are at any given moment. This is actually a responsible attitude towards system administration. If you don't have time for it, perhaps you are overworked and need an assistant?
The people I see who are the most rabid advocates of open source are also the most rabid advocates of doing everything themselves...
So certain Peruvian congressmen are uber-elite system administrators? People who simply want a non-proprietary Office format also write their own kernel modules?
Re:Browser == OS (Score:3, Interesting)
Re:patch distribution model (Score:3, Interesting)
Re: Shared code ok - but what EULA? (Score:2, Interesting)
Here's the situation:
I use Linux on my systems but my mother uses Win98. I basically take care of her machine and it provides the connection to the net. Recently I became aware of a flaw in MSN Messenger and decided to upgrade, but pulled on the brakes when I saw the EULA - meaning I refused to upgrade and the MSN Messenger on her machine is not secure.
Since the EULAs apply to the latest, secure versions of their code and I disagree with their EULA, I essentially have a frozen Win98 machine in regards to MS code (which includes the OS).
While most people may ignore the EULA, not all of us do, and their new EULA is beginning to cause some serious problems for those of us who purchased the OS when the newer EULA was not in effect.
The general EULA system is becoming more of a problem; they are showing up on more and more software. For example, in order to run a 'support' Java applet I was supposed to agree with a EULA that wasn't even applicable to the current situation (it mentioned "evaluation purposes only", which I was *not* going to do). So, I did not install it. It seems that if these companies are going to make us agree to their EULA they could at least spend the time making their EULA fit the particular situation.
Re:Browser == OS (Score:4, Interesting)
Does Microsoft answer to all the machines that SP3 breaks? (Some companies might not be as careful as us and could lose important data.) No, the EULA explicitly states that they have zero liability even if SP3 triggers World War 3 (before GWB does).
Anyone who uses the 'liability' FUD about MS software deserves shooting. If it breaks, you get to keep both pieces (to coin a phrase).
Re:Slow down there. (Score:5, Interesting)
I implicitly trust Red Hat, Mandrake, and all the major Linux vendors for that matter; _implicitly_. Based on nothing more than the fact that they have a proven track record of being trustworthy, and not eavesdropping/abusing/fscking the consumer. Microsoft on the other hand has a notorious reputation for abusing customers, vendors, programmers and competitors. I won't provide any references because I'm quite certain that Google will provide more than I care to count. Do the homework yourself if you don't already agree.
If for no other reason than that, I will trust Red Hat to provide "vendor" patches because I have no reason not to. For the record, I'm not one of those "paranoid"/"I'll fix the code myself" people you spoke of. I'm just joe-average-sysadmin with my company's best interests in mind.