Win2k Security holes found

According to a story posted by ZDNN, two security holes have been found on Windows 2000, and that's even before the official release of Windows 2000! Administrators who rush to incorporate the patch from MS beware - according to one of the talkback posts on ZDNN, the patch creates a new problem with Windows 2000 news server service.

Re:Gold Master != Beta, Unless You Live In Redmond

[Shanep]

Speaking of "gala" events. When Win98 was about to go on sale in Sydney au., hundreds of morons lined up for hours outside Harvey Norman to get a copy along with some crap "free" software.

How many bugs were found in the 1/3 of the Win98 source code that was allowed to be viewed by a lawyer by court order? 3000? For only $99.95!

People are idiots.

Re:Why Did MS Stop Version Numbers?

[iang]

All this Service Pack 6, Option Pack 2 stuff drives me crazy with MS products

Actually you've overcomplicated it a little. The 'Option Pack' for NT 4 is a collection of programs you can add to NT which are not installed as standard. (Stuff like the distributed transaction coordinator, the transaction server, IIS, that sort of thing.) This has nothing to do with the version - that's a bit like complaining that Linux 2.3.4 with Apache is a different version number from Linux 2.3.4. In fact with Linux you have the potentially more confusing situation where the versions of the kernel and the distribution you're running are different.

The scheme they use is actually pretty simple - a product name, and a service pack number. They stopped putting version numbers into the main name of the product because their research indicated that this confused people - separating the product name from the release seemed to go down better.

And hey, it discourages them from charging for the bug fixes, which they used to do with carefree abandon.

Re:QA != Quality Control anymore

[dublin]

QA= Quality Assurance. (Spelled Qwality some places I've seen ...)

This replaced the previous term "Quality Control" which fell from favor in the mid-80's right after Car&Driver made a barbed comment about how it was a good thing GM had such a good Quality Control program because "after all, we wouldn't want it to get out of hand..."

Within a matter of months, Qwality teams across the nation had improved their processes for the naming of Qwality teams and QA had displaced QC. If they had just worked half that hard to improve real quality instead of just improving their image. (If I sound jaded, it's just because in my experience, Qwality teams are the closest thing you'll ever find to Dilbertian thinking in real life...)

Re:Yes, But How Can We Use This To Create Chaos? (

[WillAffleck]

Would we have to fight against Maxwell Smart then?

Sure. You take Maxwell Smart, I'll take 99.

Predjudice.

[Fict]

Of course, had this been a development linux kernel, everyone would rush to the defense with screams of "It's not ready for primetime, developers only!", etc. I don't care so much when people reply with remarks such as those made in the story, but I prefer to have un-biased story posters.

------------------

Typical!

[nevets]

I could go on like other posters and just bash Microsoft for the "inferior" product, but I think that tone is starting to get lame.

But I want to mention something about Microsoft that really irks me and should irk their customers to. And that is the following statement:

Of course, from a security perspective, you shouldn't offer any services you don't use," Culp said. "We want to make sure our customers are educated about this, and that they are aware of which services they have active and how to disable what they don't need. We've also given Windows 2000 tighter defaults and made it much easier to configure

I'm sorry, but I don't buy their statement about having tighter defaults. Almost all problems with Windows has been because of defaults. It seems to me that they should default everything off, and let the user have to go and turn what they need on.

Of course I don't like the way Red Hat does this too. I had to spend a few hours trying to figure out what Red Hat had default on. I forgot to turn off the "finger" utility until I noticed in my logs that someone was using it on my firewall. Now I do my security like I do my installs: Customize, turn everything off, then when I find something I need, I install/turn-on that service.

Steven Rostedt

yes but

[NightHwk]

People don't seem to understand that win2k is *NOT* in development. It's been gold for many weeks now, and is in production for shipping in feb.

So any comment about security holes in development kernels is totaly unfounded. There is nothing development about win2k (of course, most linux users will exchange winks when encountering a statement like that ;] ).

The real funny is that MS is already releasing broken patches for a product that isn't even available yet!

NightHawk

[-1 flamebait to read]

Re:Rushing bites MS again...

[Black Parrot]

> Over a year delayed is not rushing.....

Wired has has been naming it as one of the top ten vapourware products of the year since '97.

--
It's October 6th. Where's W2K? Over the horizon again, eh?

Re:

[account_deleted]

Comment removed based on user account deletion

Re:How about all of the Linux security holes?

[SoftwareJanitor]

Well, it may be more accurate to say that a lot of us are subjected to having to use Windows in addition to Linux. And a lot of Slashdot readers use Macs or *BSD or other OSes besides either Windows or Linux. It just isn't a simple either-or kinda thing.

Re:Predjudice.

[Bogus Nick]

Just another case of bias by Slashdot. Did they report on the HUGE security hole in Corel Linux? Of course not, negative stories about Linux don't get posted here.

http://news.cnet.com/news/0-1003-200-1533081.html? tag=st

LOL

[Tim Behrendsen]

Customer: "My security has been breeched!"

Consultant: "Well, it might appear to be a problem, but it's not really since Linux is never considered to have a stable release."

Customer: "What???"

Consultant: "No! No! You're not looking at it the right way. Linux is in perpetual beta, so it's not really a problem you're experiencing, it's just feedback in the beta cycle!

--

Re:Predjudice.

[Le douanier]

Of course, had this been a development linux kernel, everyone would rush to the defense with screams of "It's not ready for primetime, developers only!", etc.

Nope, nothing compared. If you actually had read the article you would know that this affect final versions too, this is more alike of having a bug in the 2.2.0 kernel before any Linux distro issue a distro using this kernel. This would still be a stable kernel but not yet available in the form of a distribution.

How about this?

[ctembreull]

Ok, I won't bash them for having an inferior product, since it's been beaten into the ground already.

How about if I point out that they:

- have terrible testing processes
- rush too fast to get products out the door
- Are almost totally inept in terms of security
- apparently have NO usability staff on hand
- should take the time they currently spend "decommoditizing protocols" and applying it to proper software engineering processes

Would any of those be acceptable as an alternative?

Chris Tembreull
Web Developer, NEC Systems, Inc.

My opinions are my own, and nobody else's.

Re:How about all of the Linux security holes?

[jelwell]

You don't, but not by much. Not trying to knock you - I'm positive the votes were swayed towards Windows when I voted too.
According to the poll [slashdot.org]
Linux is at 36%.
Windows(NT&9x) is at 30%

Although if you add in the "I hate everyone crowd" to Windows that pushes windows users over: at 38%. And we all know only windows users are angry at everyone. :)
Joseph Elwell.

Re:Predjudice.

[Bogus Nick]

And how is this different from the security hole in Corel Linux? Hmm, the Linux hole is worse, and it wasn't reported here in the land of "linux is perfect and has no flaws". If it isn't a slam on Microsoft it isn't fit to post on Slashdot.

http://news.cnet.com/news/0-1003-200-1533081.html? tag=st

Even The Register is saying how good Windows2000 is and they aren't exactly fans of MS over there.

http://www.theregister.co.uk/000124-000012.html

Re:Yet another mole-whacking opportunity

[FauxPasIII]

Well, if coding for Win2k is anything like coding for Win98, it'll be more along the lines of:

*pop*
*whack*
*pop*
*pop*
*whack*
*pop*
*pop*
*pop*
*pop**whack*
*pop**pop**pop**pop**pop**pop**pop**pop**pop*

*install linux*

Re:I'm glad

[Black Parrot]

I'm aware of the criticisms of your observations elsewhere in this thread. However, I will grant you (and Microsoft) one important thing: there is no longer a

2.b) security hole ignored after reported, until the media hears about it

2.c) security hole denied for 3-6 months after it is common enough knowledge for the media to know about it.

In those regards, Microsoft has (apparently) come a long way in the last 9 months or so. I presume, without evidence, that it's because of the extremely bad rap the press was giving them over it, especially since the press (and influential sites like /.) could so easily point to OSS products being fixed in days rather than months.[1] Let's hope MS is truly reformed on this issue, regardless of what pressures brought it about.

[1] Yes, I'm aware of the recent article that compared various companies and found that MS only takes about 50% longer (IIRC) to deliver a patch than (say) Red Hat does. However, that article seems to be based on recent data, i.e. the post-reformation MS. Things were different not long ago. I remember seeing an article in the tech media last summer, titled "Same Hole, New Exploit". The author said in the first paragraph that the hole had been publicized over a year earlier, but no patch was yet available because MS was in denial mode.

--
It's October 6th. Where's W2K? Over the horizon again, eh?

Re:Service packs [or lack thereof]

[Quikah]

There was a CNET article here [cnet.com].

Not a direct MS quote though, just the CNet reporter paraphrasing Brian Valentine, senior vice president of the Windows Division. Saying that "the first version of the operating system will not need service packs or bug fixes like other software releases". Probably a case of sloppy journalism.

Why Did MS Stop Version Numbers?

[gnatware]

All this Service Pack 6, Option Pack 2 stuff drives me crazy with MS products. How come they stopped versioning with Windows NT 4. I used to LIKE Windows for Workgroups 3.11 (note that the OS wasn't even near stable/usable until a .11 release). Nowadays, you have to guess (hmm... I think Service Pack 3 might be OK, or shoul I wait 'til 4). Hey, they could even put the version number INSIDE the year: "MS Announces Windows 2000.01.28 Advanced Server" or, even, "MS Announces Windows 2000.01.28T18:00:12-08:00 Advanced Server for Professionals" since they probably have enough build and test machines up there in Redmond to release a "pack" about five times an hour. Whatever...

Who the hell...

[Wah]

...is HeUnique and why is he quoting an (roughly) anonymous idiot in a headline? I'm all for M$ bashing, but only when necessary. This is unwarranted, but then again, this is /., so I get to bitch about it ;)

Service Pack 2

[NatePWIII]

According to certain source from developers up in Redmond it appears that service pack 2 is already in the works. Apparently service pack 1 is pretty much already finalized. This is truly amazing, service pack 2 before the final product is even released. It just goes to show you how full of bugs anything Microsoft produces. I don't think I will switch over until service pack 4 comes along, maybe then the system will be semi-stable (and secure, hah what a joke).


Nathaniel P. Wilkerson
NPS Internet Solutions, LLC
www.npsis.com [npsis.com]

Re:I assume...

[debrain]

No. It was sarcastic satire.

But your points are moot. I can obtain Linux for free, and fix the bugs on my own. I can pay for Microsoft software and never be able to fix the problems without entering into a perpetual upgrade-payment cycle. I reserve the right to critize anyone whom wants my money, and is failing to deliver on products. I consistently forgive volunteers.

Re:Gold Master != Beta, Unless You Live In Redmond

[ctembreull]

> Until it's in the boxes on the shelves, it's not finalized.

How can it not be finalized when CDs have been sent off to the printers for mass duplication? How in the world is that not a final product?! The documentation is being printed, the boxes, too. The discs are flying off the printers - do you really, really believe that this product is in Microsoft's hands anymore? They certainly considered it finalized enough to put on store shelves.

And that's really the sad thing about how Microsoft does business. They go too damn fast, and leave all sorts of mistakes, bugs, security holes, etc. in the shipping version of the product. And that's a real shame, because there are going to be millions of people who buy this product, bugs and all - Microsoft's folly has just been writ large in the world's computer users.

Would it help if I told you that this bug will be in the shrinkwrapped product that will be on store shelves two and a half weeks from now? It's too late to go back and fix it - the bug will be there.

And the fix won't.

I hope that impresses upon you the gravity of these sorts of errors.

Chris Tembreull
Web Developer, NEC Systems, Inc.

My opinions are my own, and nobody else's.

Aha!

[Virtex]

I think I've figured it out. All the analysts have been advising people for years to hold off buying W2k at least until the first service pack is released. So MS is going to release their first service pack right along with W2k, just so nobody will have an excuse not to buy.

Makes sense to me :)

--

An oldie but a goodie . .

[Money__]

640 thousand service packs should be enough for everybody!
--
Bill Gates
_________________________

Re:I wish we did

[debrain]

Debian updates automagically. You could have one of those bobbing chickens hitting the enter key update Debian. I'm sure that a true "consumer" Linux, when out of infancy, will provide this without even user input. (for better or worse security reasons)

No bug fixes

[Anonymous Coward]

"It took us a while to get here, but that's because we were not ready to compromise," Valentine said, promising that the first version of the operating system will not need service packs or bug fixes like other software releases. --Brian Valentine, Windows Division Senior VP http://news.cnet.com/news/0-1003-200-1497019.html? tag=st.ne.ron.lthd.1003-200-1497019 [cnet.com]

Re:Predjudice.

[Wah]

Of course not, negative stories about Linux don't get posted here.

of course they do, you just did it. And if you'd taken the time to add tags, even the really lazy people would see that all new OSes will have bugs, ofttimes catastrophic ones.

'course I'm on your side for this one, the editorial comments on the headline for this story are horrendous.

Re:I assume...

[Tim Behrendsen]

You do realize that "Hey! You have the source code; you can fix it yourself! Isn't that cool?!" is not an acceptable answer to a client when they complain about a security problem?

--

This is the Real Thing

[NatePWIII]

This isn't a development kernel or an "release candidate" system, it's the official Win2K software that will hit the stores in a few weeks. OEMs got it early so they can get their systems ready for "first-day" sales of systems preloaded with the software. Even if MS had sat on the software until the 17th, these holes would have been discovered within days.
Meanwhile, you grossly misstate the maturity of our community. The 2.2.0 kernel had a significant bug in it, and everyone laughed because it we remembered the long fights between those who insisted the 2.2.0.pre-X kernel was ready and those who wanted just a bit more testing. Linus had to make a choice, and he jumped just a hair too soon. C'est la vive!
However, as I recall Linus never made a big deal out of how Linux 2.2.0 was going to finally start taking security seriously. In contrast, I've seen a lot of press recently about how MS is finally taking security seriously. That makes the discovery of *two* security bugs so quickly quite amusing. Trust me there will be more...


Nathaniel P. Wilkerson
NPS Internet Solutions, LLC
www.npsis.com [npsis.com]

Mitigating vs. aggrievating circumstances

[coyote-san]

The size of Win2K is not a mitigating circumstance ("Let's give MS a break since this job is so big"), it's an aggrievating circumstance ("What the hell were they thinking?!")

It is an undisputed fact that the increase in your bug count climbs far faster than the increase in your LOC count. Sometimes far faster, depending upon how "tightly integrated" you want to make the system. It's a simple matter of combinatorical explosion - 2N objects can interact in (2N)! - N! more ways than N objects can interact.

That's why everyone on the planet... with one notable exception... has tried to maintain firm barricades between subsystems. At first glance it isn't as "user friendly," but many of us feel that nothing is more user-hostile than programs ridden by an interminal series of bugs and general flakiness.

Many critics have publically stated they doubt that Win2K will *ever* be stable. The sheer size of the code base means it's impossible for any one person to really understand what's going on, and that means it will be extremely difficult to avoid breaking Peter to fix Paul. That's why the reports that one of the two bug fixes introduced a third bug are so disturbing - this is exactly what you would expect to see from software that is simply too large to maintain.

It's still early in the game, but it looks like the critics won the first round. The real test in the next few months isn't the total number of bugs announced, it's the percentage of bug fixes which break something else. NT4 was notorious for requiring service packs to fix prior service packs, and there's now evidence (however thin) that Win2K will be far worse.

Re:Defending Microsoft - Come on?!

[micsaund]

Like the original poster of this thread, I'm not a Microsoft lover by any means (as evidenced by the 1 windows machine and 4 Linux machines on my home network), but...

Let's get real... Microsoft or not, how realistic is it to release an ENTIRE OS and not have any bugs or security holes? Can anyone honestly say that they have NEVER had a Debian/Redhat/Mandrake/SuSE/Suckware/etc. distribution that DID NOT have any "security updates" or new packages to download to "fix bugs"?

My guess is NO. That's why utilities like autorpm and the Mandrake updater exist. Go to any of the Linux distro's sites, and you'll find Errata, Security Fixes, or something similar. I was just looking at several of them this morning!

Yes, it's fun to bash MS every now and then, and sometimes (more often than not) they deserve it. But give me a break -- 2 security holes? If that's all they've got so far, they're doing better than most of the Linux distros...

Security in general, with Win2K specifics...

[Builder]

First things first. The reason that this is embarrasing for Microsoft is that they've been touting Win2K from the hilltops as being the "Most secure Microsoft offering ever...". So a security hole before the retail date _has_ to hurt!

On a broader note, I see a lot of messages saying that it is the fault of distributions etc that people get bitten by security holes. I disagree. If you have an active system administrator, it's his job to keep up to speed on these things. It's his job to know that he shouldn't run finger and wu-ftpd if the machine is just going to be a mail server. It's his job to evaluate what is on the machine and to run regular penetration tests. Saying it's the distributions fault is wrong. I don't blame car manufacturers because in the default setting the steering will drive me straight into a wall.... I learn to drive rather.

One of the largest problems facing the growing Internet market is that amount of unexperienced sysadmins coming into the game. However, sysadmining is filled with a lot of chicken-and-egg situations. You can't get the experience of how to deal with situations without working, and you're dangerous in a work environment until you have this work experience. Tough one to solve :-) Just thought I'd throw it in...

Re:Yes, But How Can We Use This To Create Chaos? (

[Skruloose]

Would we have to fight against Maxwell Smart then?

Didn't anyone READ the LINK?

[belswick]

The actual problem (the serious one) is with Index Server, which ships with NT4/IIS4. It's not just the Win2K machines, it's EVERY NT server running IIS4 with Index Server, which installs by default and must be disabled manually.

BTW, this was reported yeaterday morning on the UK ZDNET and BugTraq, it took the US ZDNET editors a day to catch on....I patched my NT boxen yesterday morning.

Re:I wish we did

[Tim Behrendsen]

Errr... no, it doesn't e-mail you, but Win/98 has a big ol' "Windows Update" function right on the start menu. Click it, and it tells you when you have important updates to install (particularly security updates). It also lets you download new features. Click the button and boom! Instant update.

And I haven't checked it out, but I wouldn't be surprised if they did have a mailing list to tell you when important updates are available.

--

Re:LOL

[Tim Behrendsen]

Uh, the point of the whole thread is security breeches caused by bugs, not by incompetent security personnel.

P.S. If you think "plethora" is an advanced word, then, well, I think it's time to buy that "Power Vocabulary" course you've been eyeing.

--

Nope.

[Mr. Piccolo]

MSDs (hence the name MSDN).

Linux 2.2.0 was not comparable

[tilly]

The fact is that while a lot of people installed 2.2.0, it was much closer to a trial candidate than a gold release. Even after 2.2.x was released it was some time before an official distribution would be based on it, Linus knew that, and so in no way could that version be considered one that (like Win2K) the end consumer would be expected to buy.

These bugs are in the version that Microsoft expected people to pay money for.

Besides which, the bug in question was, "Crash Linux". It wasn't a remotely exploitable hole, you needed to already have access to the box to (ab)use it.

Regards,
Ben

Warning: I am a rational IT professional

[rjh]

And regardless of people arguing that this is supposed to be ready for "prime time" the fact is, it's not shipping and any rational IT professional will recognize that that means *BETA*.

Warning: I am a rational IT professional. Not only that, but I worked in QA for a few years (first with Sir-Tech Software, then with MCI-WorldCom).

I could talk at great length about rational versus irrational QA policies. (There should be an "Ask Slashdot" about how to properly QA a product...) But that's really not the issue here; good QA, bad QA, it all boils down to the same thing in the end.

At the end of QA, the QA Lead signs off on the project. What the QA Lead signs off on becomes the first version released to the consumer.

Period, end of discussion.

The fact that Win2K went gold means that the QA Lead signed off on it. The pre-release development cycle ended the instant the QA Lead signed off on it. Everything after the moment his/her pen left the paper is part of the maintenance cycle, not the development cycle.

In short, the exploit was found in a consumer release of Win2K. It doesn't matter if it was on the store shelves or not; when the QA Lead signed off on it, it became a final product.

Everything clear?

Re:I assume...

[Evro]

Uh, I think if somebody got into Amazon's credit card database because of a security flaw in the OS, Amazon wouldn't sit around and patiently wait until the end of the quarter for a disc with the fix. I mean, Jeff Bezos calls up Bob Young (this is a hypothetical example, I don't even know if Amazon uses Linux) and says "We have a security problem because of your crappy software!"; do you think Bob is going to say, "Alrighty, wait 'til April and we'll mail the disc out, buddy!" Does that sound logical to you?

And as for downloading it from the web, I would assume MS would also have that. I mean, they may be many things, but I don't think they're stupid enough to not post a bugfix on their website at this point.
___________________

Re:Gold Master != Beta, Unless You Live In Redmond

[Score Whore]

Well. The more serious of these problems in W2K is not in the kernel. If you only want to consider Linux as the OS, then I'm willing to bet that an NT system with nothing but NTOSKernel.DLL on it is as secure as Linux, if not more so. It's pointless to argue that this problem isn't in "Linux" or that "Linux" is more secure, if you are only considering the kernel! You have nothing if you only have a kernel. You should be comparing apples and apples, not apples and a grape seed.

Microsoft has a better patch distribution system. At least they will if they provide something like the Windows Update site that is available in 98. That's something the the various Linux distros really really need. Also, the speed of releases for security patches with 98 has been admirable. If they keep that pace with W2K then they will easily be competative with the level of service provided by the various Linux distros.

Rushing bites MS again...

[SuperDuG]

Maybe MS will one day learn that rushing themselves into releasing a product might cause problems. This is 2 bugs that are out before win2k is out. And let's not forget that MS isn't open source so if there are more bugs (garunteed) that someone finds then they're will be more exploits and the only one to rely on for bug patches will be MS themselves. Guess is yet another push for the linux community.

Re:The Doc Sayz

[EvlG]

I agree. I think it would be really useful to see information on big Linux security holes posted on Slashdot, with the relevant patches in the article body perhaps. It would be a better addition than the latest sections, like all the patent crap, IMO.

Missing the point slightly

[Anonymous Coward]

I think some people are missing the point slightly. Linux has its benefits as does W2K. Linux is free and you can see the source code - W2K costs a lot of money and you have no chance to 'look under the bonnet'. If you're running a business you pay for services and software that you expect to work and fulfill the promises the vendor made you. If you're running a business and decide to implement something that 'a load of geeks' wrote which turns out to have some bugs, you have noone to blame - you got it free, understood and accepted the risks. W2K's entire thrust is into the datacentres and workgroup servers of major corporations to replace Unix and other tried and trusted OSes. The fact that W2K has bugs before it's even been released pulls the entire carpet of respectability from under it. No larger corporations would be interested in deploying Linux at the moment as they can't get any service providers to give them any guarantees. It's free, you can fiddly with it as much as you like, but if you want to run a business, buy services from someone offering a commercial version of Unix, preferably Solaris, with the support infrastructure to help you get on with the business of making money, not worrying what those whirring boxes in the back room are doing.

I assume...

[Tim Behrendsen]

...that whenever a Linux security problem comes up (in ANY of the Linux packages, in ANY state of development), we will immediately see a headline in Slashdot about it?

SORRY! Just asking.

--

Re:Predjudice.

[Paolo]

FYI, if you belong to MSDN (aka a MS developer partner) you can now download the retail Win2k for development. As for "illegall means", some developer has violated his NDA and TOS for MSDN. The real problem with security bugs is that Win2k has gone RTM (Release to Mfg) which means the copy that is vulnerable will be shipping with new PCs with Windows 2000.

Yet another mole-whacking opportunity

[JustShootMe]

Microsoft Win2K security holes:

*pop*
*whack*
*pop*
*whack*
*pop*
*whack*

Problem is most mole-whackers don't even know where to find the mallet,much less how to use it :-)
If you can't figure out how to mail me, don't.

Re:Predjudice.

[BamaPookie]

Of coure, this isn't a "development" release of Win2k, it's supposed to be the stable* release. This one is supposed to be ready for primetime.

Re:other suggestions: O/T

[Tim Behrendsen]

Personally, I thought the guy was saying to look up the plethora of linux security sites, not to look up the word plethora.

LOL! Oops... I think you're right. Still, the placement of the "quick go look it up" is next to the PLETHORA (in all scream-caps), and I hadn't read the "linux security sites" at that point in the sentence, so I think most computer language parsers would back me up on my interpretation. :)

--

I'm glad

[konstant]

Draw what conclusions you like from this episode, but I'm looking at the facts of particular case:

1) security hole found prior to ship
2) security hole reported to MS on Jan 17th
3) tested patch issued and publicized Jan 28th

That sounds pretty decent to me.

-konstant
Yes! We are all individuals! I'm not!

Re:Security in general, with Win2K specifics...

[Skaffen]

I thought that last paragraph was an interesting problem, regarding acquiring sysadmin experience.
Does running you own 24x7 server-type box (whatever OS) whilst at univeristy count?
If not, the how DO you get experience without putting someone elses computer/company/future at risk (to be melodramatic)? Is it feasable for large companies to set up trainee sysadmin network "sandpits" for them to cut their teeth on, without being able to damage the integrity of the main network?

Just my random thoughts (and queries),
Skaff

How about all of the Linux security holes?

[VAXman]

Why aren't the security holes in Linux (e.g. in Red Hat 6.1) reported on slashdot? Do most slashdot users use Windows instead of Linux, or is slashdot backed by the multi-billion dollar Linux companies to spread FUD??

Re:Predjudice.

[lubricated]

Yeah but you probably didn't know that win2k is "ready for prime time" microsoft put out gold cd's already. The final version of win2k is out to those who have managed to get their hands on it. A friend of mine actually managed to get a copy. This is not a development copy this is the real thing. its just not for sale yet. so the only way to get it is to work for microsoft, have microsoft send it to you, or some illegall means.

Wrong - this isn't development

[roystgnr]

Win2K went gold already; this is what's getting shipped to users.

Glass houses.

[Score Whore]

All new software has problems. The bigger the evolutionary step, the bigger the problems. Expect more. But don't be rectal about it. No OS is immune. How long has RH 6.1 been out? Couple months? And yet there's a list of 9 or 10 security fixes (that include several remote root exploits) up on RedHat's web site.

And regardless of people arguing that this is supposed to be ready for "prime time" the fact is, it's not shipping and any rational IT professional will recognize that that means *BETA*.

Re:I assume...

[debrain]

There's a significant difference. One is about to be released as a "final commercial version". Linux is a perpetual beta.

Not :Predjudice, experiance!

[Vladinator]

You are forgetting something here: It takes the Windows team a LONG time to fix a bug like this, making it a serious issue! When the last DoS attack was discovered against Linux, it was fixed in just over 8 HOURS. NT? 6 weeks, from first posting on Bugtraq.

That disparity makes the case here. It IS a big deal on Win2k. It's not a big deal on Linux, because a fix WILL be out in less than a day.

Linux: How to GET where you want to go today.

Hey Rob, Thanks for that tarball!

I wish we did

[roystgnr]

I mean, honestly, "Security hole found in wu-ftpd" would be a lot more valuable headline to most people than "New minor release of the kernel", and would happen a lot less often.

Linux is going to get a bad name someday because millions of people out there have distributions which install with tons of (often unneeded) services on, and don't know enough to subscribe to a security mailing list or check for updated packages. It doesn't matter if Linux gets security fixes within 24 hours, if most people don't install them within 6 months. No Linux distribution that doesn't come configured to automatically check for, notify users of, and help users install software updates should be considered "ready for the desktop".

Re:I assume...

[debrain]

Have you ever tried to find and download bugfixes from the MS Website? It's *n*a*s*t*y* forever to find it, and then, half the time the link is dead.

Also, in the case of a monopoly such as Microsoft, YES, they do make you wait for 6 months before releasing a patch (in the form of a Service Pack.) IIRC, you have to pay for these, much the way you have to pay for Win98 SR2, which was bugfixes for Win98. They're in the business of making money, not producing usable software. With real competition with something like Linux, they will either adapt, or crumble (I would think...)

Re:2.2.0 kernel

[coyote-san]

IIRC, many people questioned that survey because it measured the time between a company acknowledging the existence of a bug and its patch. That gave an advantage to the decidedly user-hostile approach of denying a bug exists unless a solution is in sight.

I'm not claiming that MS does this, but Red Hat obviously can't drag its feet when other distros acknowledge the existence of the bug in their releases. So RH will always be forced to be honest, and any company that admits to year-long lags is obviously fairly honest.

As for "scrounging the net" for fixes, you're either using the wrong distro or not using it correctly. Depending on your connnectivity, you should be automatically notified within hours or days of any upgrade on your distro's security site.

Re:I'm glad

[quonsar]

Microsoft is lucky that the person that found the bug was a reputable person and not someone who would have used it maliciously.

No, Microsoft was very unlucky in that regard. Had this shown up in the hands of script kiddies MS would have issued forth a reeking stream of FUD about 'malicious hackers', which would have been quickly taken up by the 'tech news' media like ZDuhNET, and another million or so of the clueless would shake thier heads and resolve to write thier legislators that something must be done about "evil hackers" so that the internet can be made safe for business-, er, Microsoft.

======
"Rex unto my cleeb, and thou shalt have everlasting blort." - Zorp 3:16

Re:Not surprising

[VAXman]

Obviously you have not seen the Red Hat errata list [redhat.com]. There are already ten security flaws in Red Hat 6.1. These bugs which were shipped with Red Hat 6.1 will allow an outsider to gain root access if the patch is not applied. It is OK for Red Hat to a buggy and insecure OS, but not for Microsoft?

Re:I'm glad

[JordanH]

• 3) tested patch issued and publicized Jan 28th

Problems already reported with "tested patch". Oops, back to the drawing board.

In Microsoft's defense, it's probably not a big deal that the news server is broken. Who runs news servers on Windows anyway. It's certainly not being run in the MS test labs.

-Jordan Henderson

Re:How about some honesty

[fusiongyro]

As you can clearly see, these bugs affect an *add-on* product present in NT4 which became built-in to Windows 2000. This is not a W2K only bug which is how /. wants users to perceive it. That's not accurate or fair.

So the fact that the bugs are in existing products somehow makes the bugs OK? Or are you just saying that because it's Microsoft, we can expect it, but that it's unfair to expect bugs in Microsoft products in newer ones? What exactly are you trying to prove here, that Microsoft has a bad rap for holes in new software, or that Microsoft software is has a bad rap for holes in existing software? Does it really matter?

I don't know about you but as soon as I finish installing Windows I rush to Windows Update to bring me up to date fully (CDs get old fast). ANYONE installing W2K would/should run Windows Update and will be covered.

Basically, in addition to the lengthy 1-2 hour installation time that is expected, and the downloading and installing of updated drivers which is almost expected (as new hardware drivers get old fast also) one is also now required to get online immediately after installation and download patches for software which was broken before it was sold? Instead of engineering better products from scratch, we'll just give the users a permanent connection to a database of corrections and act like it's their fault if they forget to "update" once a week?

You have to know the names of the files on the remote system before they can be viewed if the exploit existed. That's not exactly getting root here ya know?! Let's not overinflate the damage potential.

The perceived damage potential may be low, but a security breach is still a security breach. If Microsoft is going to make a product and market it as a secure server operating system, and it is not secure virtually from purchase onward, regardless of the degree of insecurity, they HAVE lied to the consumer. Underestimating the power of the cracker or even the script kiddie is generally a bad idea.

he exploit is on the finders website and includes how to prevent the exploit from working. #1) you left the IISAMPLES directoy in place - stupid admin trick #323, delete or rename them before making the machine public and #2) you just disassocate .htw files until the patch can be applied.

This doesn't seem obvious to me. Should an administrator really be required to compensate for the quirks or poor design of the system? Particularly true of Microsoft software, which is both expensive and marketed primarily as a simpler solution?

Don't take this the wrong way--it's not a flame. But people don't dislike MS's software so much as the hypocrisy. They pretend as though they are producing powerful, easy to use "solutions," yet more often than not, we are given costly systems which are difficult and counterintuitive to configure, subject to security holes inherent in poor design, and unable to provide non-destructive patches due to the archaic monstrosity which they are patching. Sure, it's their fault--they haven't rewritten Windows in a long, long time; a friend of mine suspects that there is probably still Pascal in there somewhere. But if they are going to try to sell us a powerful easy solution for large amounts of money, they had better be able to provide it.

Daniel

Re:Service packs [or lack thereof]

[Vladinator]

*** WRONG ***

FOR A FACT: Internet connection sharing was NOT available for 98, you had to buy 98SE to get that feature!

FOR A FACT: You get EVERYTHING else if you download them from windowsupdate, or buy the cheep cd they put out.

Hey Rob, Thanks for that tarball!

Re:Predjudice.

[Adam Knapp]

"The obvious mathematical breakthrough would be development of an easy way to factor large prime numbers." Bill Gates, The Road Ahead, Viking Penguin (1995)

That is the funniest sig I have seen in a long time!

Re:Gold Master != Beta, Unless You Live In Redmond

[ctembreull]

Sure.

It's been said before by others in this thread, but I'll say it again here (whoever posted this bit earlier, kudos).

Not one of those fixes affected the kernel. They may have been in relation to one or another package, but they weren't security fixes in Linux.

There's also the point that security issues and other bugs in Linux and other free software are an integral part of the evolution process of those packages/systems. On average those fixes are published far faster than fixes for Windows. Those fixes do not destroy other functionality in the fashion of this newest patch or SP6.

And, I should mention, that there are far fewer of them necessary for Linux and similar packages than there are for Windows. How many security updates have there been for NT this year, anyway? 6?

My point is that security mistakes happen. The speed and effectiveness of those responses pretty well defines how secure an operating system is, since someone's always going to have a new attack. Fixes to Linux packages are fast and clean. Windows fixes have this nasty habit of breaking other parts of the OS.

Either way, Microsoft blew it.

Chris Tembreull
Web Developer, NEC Systems, Inc.

My opinions are my own, and nobody else's.

Re:Defending Microsoft

[spectecjr]

I never asked for 90% of the things that Office purports to do. Am I being unreasonable to want software that doesn't tip over five times a day?

Office is the only software that Microsoft produces which caters to 10% of its target market all of the time - rather than putting in features for the 90% case.

Why?

Because it's the only product they make where everyone in their target market requires a completely different set of features - any given person will probably only use 10% of the functionality available. However, take any of it out, and they're cutting out a massive chunk of the market.

Also, with the new installer, things should be more stable - because it forces better encapsulation of the underlying code (because you can install it in nice feature-sized chunks).

As for tipping over over five times a day? What the hell are you doing to that poor thing? I've never seen Office crash once never mind five times in a single day!

Simon

Re:I'm glad

[AugstWest]

Draw what conclusions you like from this episode, but I'm looking at the facts of particular case:

1) security hole found prior to ship
2) security hole reported to MS on Jan 17th
3) tested patch issued and publicized Jan 28th

That sounds pretty decent to me.

Except that the hotfix breaks functionality... Define "tested."

This is nothing new. Look at SP6, which broke Winsock (how did THAT get out the door?), so SP6a was released... then pulled... then re-released, although it was hard to tell which SP you were getting, since SP6 web pages and downloads were still posted and linked to...

MS has released 6 security fixes so far this year for NT4... That's 1.5 security fixes per week for an operating system that was released how many years ago?

So, they can scream all they want about 128 bit encryption providing their security, but encryption doesn't mean squat if there are holes in the underlying foundation.

Defending Microsoft

[-=Cynic=-]

...now this is something I won't do too often.

But in the comments here you're probably going to find a zillion people saying the equivalent of "MICROSOFT IS EVIL! You won't find this in Linux/Unix/*BSD!".

And I'm here to say that MS has done a good job. It's a huge OS, people. The fact that the damn thing *runs* amazes me =) as well as the fact that it is (according to all accounts) pretty stable (as compared to typical Windows stability). Expect bugs, expect lots of bugs, because there is no way that you can test such a behemoth properly. I myself will not install it until perhaps Service Pack 3+ has come out, because it's prudent.

Of course, Linux, *BSD, etc, all have bugs, it's just that they're fixed sooner and I think we all have more tolerance for bugs found on free systems. And we all have unreasonably high expectations of MS, because they're a bunch of corporate bastards (look at their history!) and because most of us probably support alternate OSes.

Of course, the thing that *really* worries me about this article is the fact that one of the bugs was apparently known for weeks before MS even admitted it existed; now that kind of thing is sloppy, and they deserve whatever criticism they get for it.

Re:Service packs [or lack thereof]

[JordanH]

Well, I did say "Windows 98 SE box that pretty much everything you needed to make Windows 98 into Windows 98 SE was available free on the net."

Did MS make it clear that the most everything that Windows 98 SE had that Windows 98 didn't was available for free? Most people won't use Internet Connection Sharing.

-Jordan Henderson

"Non-BETA" in Linux terms is a state of mind

[Qic]

This is not surprising, and reeks of FUD and propaganda created by those who claim most bad press about Linux is FUD.

Considering anyone can run into the kernel code and hack away at any moment on a non-beta release of Linux, I guess it would turn back into beta in that particular installation.

I find it particularly funny that Linux people are so anti-MS, they don't even want to pay attention to the fact that there is always the right tool for the right job. Some jobs work better with Linux, some better with MS products.

You can rant a rage about MS all you want, but there are security issues in all OSes regardless of its lifecycle state. You can detect all detectable bugs, but you can't detect undetected bugs.

Re:How about all of the Linux security holes?

[Frater 219]

How about:

• Linux 2.1.* Security Hole [slashdot.org] (February 9, affecting the development-series kernels at the time)
  
• Bind security problem [slashdot.org] (April 16, affecting all known distros at the time)
  
• New Linux Security Holes [slashdot.org] (January 15, affecting the stable-series kernels at the time)

I picked these up by doing a search for "Linux security" using the search widget on the bottom of the Slashdot main page. These are just off the first page of results. Doubtless there are several stories about security problems in daemons which weren't turned up by this search (because they didn't contain the string "Linux").

In other words, security holes in Linux (and other free software) are reported on Slashdot. Your statement appears to be a misleading one intended to incite others to fear, be uncertain about, or doubt the honesty of the Slashdot editors. Isn't that what FUD is all about?

Further, keep in mind that while Microsoft thinks itself to be hurt by the reporting of security holes in its products, Linux is not hurt by the reporting of security holes in Linux-related software. Bug-reporting is a threat to the proprietary-software model, but it is an element of the success of the free-software model.

No patch out as of yet

[lweinmunson]

I just went to the Microsoft update site from my Win2K box (legal off of the Select CD's) and only found a couple of multi media type apps. No critical updates, no general updates, nothing. Now since they are probably going to do this the same way that they did 98 (making it a royal pain to get updates without the web site) this could be very annoying on servers. "What do you mean I have to launce IE5 on all of my servers independently to get SP78?" Can't wait 'till we're told to roll this out all over the company :) Les Weinmunson

Dammit, I'll only say it once more!

[Dirtside]

THESE ARE FEATURES, NOT BUGS! Get it straight, people!

- Bill Gates, former CEO, Microsoft

Re:Service packs [or lack thereof]

[JordanH]

• Betcha they will still be giving them out like candy

Naaah... They learned their lesson long ago on that one. You can't continue to have record quarters if you give away Betas (Win2K betas cost quite a bit more than media cost), or give away patches/service releases (Win98 Special Edition).

They'll collect up the top 10 patches and put out Windows 2000 Special Edition and charge you full price.

-Jordan Henderson

Microsoft security.

[Error27]

Although it Slashdot likes to say that there are security hazard with windows it's really an exageration.

I read an article about Unix permisions helping stop viruses but with Windows we have something far more powerfull.

Microsoft format is graphical where Linux does not have a graphical user interface [GUI]. This makes hacking a W2k more secure becuase things are not stored in plain text. Instead MicroSoft stores things in fancy graphical text. This makes it harder for hackers to read.

Linux should really work on making a [GUI] then they will be ready for "prime time." They will even be able to have advertisements on TV if they had a GUI. Also Linux would be able to handle "real time" applications. And do many other marvelous things like "enterprize readiness" and "intuitive network applications" and "erp" that Windows does.

Just my 2 shillings.

Re:Warning: I am a rational IT professional

[Arandir]

As a current QA professional, I can say that there is a lot of pressure for the QA lead to sign off, particularly when a product is overdue. It doesn't happen where I work, but I've heard horror stories from those that worked elsewhere.

"There are no longer any mustfix bugs. So sign."

"That's because you deferred all the bugs. So I won't."

How about some honesty

[Drestin]

If there is any non-bias at /. then this post will not be moderated away. No flamebait or trolling just wanna clear a couple of points up ALL using the provided story URL.

#1: The patch, released by Microsoft on Wednesday, repairs two different security bugs in Microsoft Index Server, the more egregious of which allows hackers to view files stored on a target Web server. Index Server is an add-on to Windows NT 4.0 and is built into Windows 2000 (in the form of Indexing Services).

As you can clearly see, these bugs affect an *add-on* product present in NT4 which became built-in to Windows 2000. This is not a W2K only bug which is how /. wants users to perceive it. That's not accurate or fair.

#2 The bug was discovered AFTER W2K went gold. They have released a patch for NT4 and W2K both that works right now for both. So, before W2K is released there is a fix. I don't know about you but as soon as I finish installing Windows I rush to Windows Update to bring me up to date fully (CDs get old fast). ANYONE installing W2K would/should run Windows Update and will be covered.

#3) You have to know the names of the files on the remote system before they can be viewed if the exploit existed. That's not exactly getting root here ya know?! Let's not overinflate the damage potential.

#4) The exploit itself was reported to MS promptly and fixed quick. The exploit is on the finders website and includes how to prevent the exploit from working. #1) you left the IISAMPLES directoy in place - stupid admin trick #323, delete or rename them before making the machine public and #2) you just disassocate .htw files until the patch can be applied.

Why don't we get a weekly update on Linux exploits and only bias pieces about MS problems?

Re:Predjudice.

[thrig]

> Re:New from MS: Delusionsoft (Score:4, Insightful)
> by bmetzler (bmetzler@twistedpair.net) on Wednesday December 15, @04:06PM EST (#240)
> (User Info) http://users.twistedpair.net/bmetzler/
>
> "It took us a while to get here, but that's because we were not ready to compromise,"
> Valentine said, promising that the first version of the operating system will not need
> service packs or bug fixes like other software releases.
>
> Can someone hang on to this story and rerun it when MS releases the first service
> pack for W2K?

Well, not the first service pack, but worthy of requoting...

Re:dude

[quonsar]

Some alien chick in France gave birth to a 3000 pound elephant, and he's a Nazi and planning to take over Australia where he's going to signal Martians to come down and kill Jennifer Love Hewitt!!

Some alien chick??? That "alien chick" was actually the illegitimate love child of Elvis and Jackie O. Sheesh. Try to get it right, please.

======
"Rex unto my cleeb, and thou shalt have everlasting blort." - Zorp 3:16

other suggestions: O/T

[Evro]

I've always been partial to "myriad."

Myriad is somewhat unique in that it can be used as a noun or an adjective. e.g.:

"There is a MYRIAD (quick go look it up) of linux security sites, as well as *BSD security sites."

but one can also say:

"There are MYRIAD (quick go look it up) linux security sites, as well as *BSD security sites."


Also nice would have been "INNUMBERABLE," "COUNTLESS," and "SUPERFLUITY."

Personally, I thought the guy was saying to look up the plethora of linux security sites, not to look up the word plethora.
___________________

Re:Rushing bites MS again...

[Ded Bob]

Maybe MS will one day learn that rushing themselves into releasing a product might cause problems.

This bug might not be from rushing. Eradicating all software bugs is like eradicating all cockroaches in the world. It just won't happen.

This is 2 bugs that are out before win2k is out.

This could happen with any OS. Linux v2.4 will be out some time before RedHat completes a version of their own. Bugs could be found in the kernel before RedHat ships.

And let's not forget that MS isn't open source so if there are more bugs (garunteed) that someone finds then they're will be more exploits and the only one to rely on for bug patches will be MS themselves.

Who do most people rely on when exploits are found in Linux/FreeBSD/etc.? If they are a developer, they probably turn to the developers who developed it. This is a sore point for Microsoft. If they are just a general user, they might turn to USENET, local geek, or the distributor (RedHat/FreeBSD/Microsoft). My point being is that even though Windows is closed the users will most probably behave the same as if they owned a copy of RedHat Linux. Even if the bug is fixed by someone else besides one of the project developers, people will turn to the distributor.

When I say distributor, I am not talking about Cheap Bytes or CDW. I just can't think up a good word for it.

Why we should work for lazy people

[roystgnr]

then i guess no operating system is ready for the desktop.

Not really. Win98 comes close, at least. All that missing network functionality at least means there's less to break, and Windows Update means you can get patches when something is found broken, whether you're a security expert or not. Sure, in Windows' history it's been susceptable to remote-crash attacks more often than not, but I can't recall more than a few times it's been possible to "root" a stock Windows box remotely (not counting third-party products like mirc and ftp servers).

With Linux there's so much stuff open to the net by default that it seems like there's a remote root exploit every year. If you're security aware you'll be able to install the fix as soon as the world knows about the problem, but if you're not you're just a target.

updates are the user's responsibility. why should everyone work double for the lazy ppl?

Because that way we don't have a ripe population of insecure Linux boxes for viruses and worms to spread through?

Because that way Linux looks better in the press?

Because lazy people buy things like Unreal Tournament and CivCTP, and thus get companies to port those things to Linux so we can buy them too?

Because we have lazy or non-computer-geek friends and family whom we'd like to stop using Windows (and stop bugging us when it crashes), and we can't personally see to the security of every one of their machines?

Because distributions who do work double for lazy people sell more copies and make more money.

So we can achieve world domination! Duh.

Because sometimes *we* are inadvertently the lazy people. Deadangel, I notice your computer may be on a new distribution with no security updates required (and ssh installed; good for you), but the fact that you've still got telnet and linuxconf ports open to the net doesn't bode well for the future. (Sorry for the nmap, BTW; I hope you don't have any paranoid TCP/IP logging enabled)

Finally, because having the operating system checking it's own security in a cron job means we have one more thing that the computer is doing for us, which is just technically better. Users shouldn't have to monitor a security mailing list when the computer can do that (and update programs from cryptographically signed packages) for us.

Re:You're talking bullshit. SP6 knocked out all po

[AugstWest]

Are you always so combative? We're not even on opposite sides of the argument, you're going further in-depth on the same point I made, yet "I'm talking bullshit" and the "realise with acute embarassment the idocy of your post" bit is just flat-out abusive.

If you want to make a point, do so. I don't see the reason for personal attacks. We don't need this antagonism on /.

I wasn't stupid enough to install sp6 until it had been in use for a couple of weeks and the problems had shaken out, so I didn't bother to read all of the RFC's. Why should I?

Take a fucking Valium and relax.

Re:I'm glad

[SoftwareJanitor]

So you are proud of 11 days turnaround time? If I was a Windows user I'd want a bit quicker response than that. Microsoft is lucky that the person that found the bug was a reputable person and not someone who would have used it maliciously or announced it into the script kiddie community. While this will no doubt be somewhat of an embarrasment to Microsoft, things could easily have been much worse.

2.2.0 kernel

[coyote-san]

This isn't a development kernel or an "release candidate" system, it's the official Win2K software that will hit the stores in a few weeks. OEMs got it early so they can get their systems ready for "first-day" sales of systems preloaded with the software. Even if MS had sat on the software until the 17th, these holes would have been discovered within days.

Meanwhile, you grossly misstate the maturity of our community. The 2.2.0 kernel had a significant bug in it, and everyone laughed because it we remembered the long fights between those who insisted the 2.2.0.pre-X kernel was ready and those who wanted just a bit more testing. Linus had to make a choice, and he jumped just a hair too soon. C'est la vive!

However, as I recall Linus never made a big deal out of how Linux 2.2.0 was going to finally start taking security seriously. In contrast, I've seen a lot of press recently about how MS is finally taking security seriously. That makes the discovery of *two* security bugs so quickly quite amusing.

Don't overlook the issue

[NeoMage]

The actual fault is with the Index Service which is available with the Windows Option Pack on NT 4.0 and happens to also be included with Windows 2000. To me, this is not a fault with Windows 2000 but with an optional component.

Had Windows 2000 even been thought of yet, would people still be making such a fuss? Or are they simply out to bash the 'new product on the block' because it ships with a component that has an error.

You don't see people screaming about RedHat when the release a distro that contains and installs a buggy program by default. Hell, last time I installed RedHat it installed that crazy Gnome thing that has more bugs than an African river.

I guess I'm trying to say that this is simply being ridden for all people can get out of it in order to bash Windows 2000.

Re:Rushing bites MS again...

[Black Parrot]

> then they're will be more exploits

I wonder how many crackers have been participating in the beta program just to get the inside edge on this kind of stuff? (I don't know any, so don't sent the police around, OK?)


> Guess is yet another push for the linux community.

Windows 19100 going to be enormously popular when people find out you have to reboot when you install the patch. (And you thought Micorsoft really "got it right this time", eh? It's a regular Unix killer, I'm tellin' ya!)

--
It's October 6th. Where's W2K? Over the horizon again, eh?

Red Hat did not declare "6.1 will need no patches"

[Ian Schmidt]

On national TV no less.

Of course, anyone who's had to deal with NT knows how hard to laugh at such a proclamation.

Gold Master != Beta, Unless You Live In Redmond.

[ctembreull]

Of course new software has problems. You're stating the obvious here.

The point is that this is a security hole - in an operating system that was promised to be secure. Further exacerbating the problem is that this software Is Not Beta. It is a GM release, and there is supposed to be a world of difference between a beta and a GM product.

Were this software a real beta, then it wouldn't require a downloadable patch when it finally hits store shelves. Win2k will - unless, of course, Microsoft is planning to destroy all existing shrinkwrap copies before they hit the shelves and issue a brand new GM, one which incorporates the patch. Instead, anyone who purchases Win2k will have to go download an upgrade.

There's a huge difference between beta and GM, and that difference is called "proper testing". Learn it. Live by it. Unless, of course, you make a practice of considering improperly tested, thoroughly buggy software to be of release quality. In which case, I wish you all the luck in the world. You're going to need it.

Chris Tembreull
Web Developer, NEC Systems, Inc.

My opinions are my own, and nobody else's.

Re:The Doc Sayz

[ninjaz]

Linux security is indeed an interesting topic for those of us who run Linux. However, you'd be doing yourself a disservice by relying on Slashdot for that. After all, being a Linux security resource is not Slashdot's goal.

Note that not every Microsoft security vulnerability out there is listed, either. Do a search on vunlerabilities by vendor for Microsoft at Security Focus, which is at http://www.securityfocus.com [securityfocus.com] to see all 235 vulnerabilities listed, most of which Slashdot missed.

Good resources for Linux security news, specifically, are Linux Weekly News at http://lwn.net/ [lwn.net] and its continually updated Daily Edition at http://lwn.net/daily/ [lwn.net] For additional resources you can visit Linux.Com's security section at http://www.linux.com/security [linux.com]

Re:The Doc Sayz

[Roundeye]

I've got a recommendation for you *and* Microsoft. Subscribe to the BugTraq and CERT lists. That alone would save Microsoft the embarrassment of saying "oh, we didn't know about the hole."

Oh, wait, I'm sorry. There are Microsoft people on the BugTraq/CERT lists. Well, then how could they not know about the holes? ...

[ fade to a daughter sitting in her father's lap while he reads a story to her: ]

"So, daddy, nobody came to help the little boy who cried 'Wolf'?"

"That's right honey. Because he lied to the people too many times and they didn't believe him any more."

"But, daddy, didn't you say that those Windows people lied about Windows over and over again? But you've got the new one now."

"Well, that's different honey. Microsoft is really going to do things right this time."

"I don't understand, daddy."

yes but..

[Travoltus]

You don't pay primo money for a development linux kernel, either.

Windows 2000 will charge you up the hiney - once for the client version, and once for one of three server versions, and yet you get these huge, gaping bugs.

This isn't that big of a deal yet

[rlk]

Officially released or not, W2K is widely available. They've found two holes in a layered service, and they're sending out patches in a fairly reasonable amount of time.

One can argue about the wisdom of turning on unnecessary services, but that problem is not unique to Microsoft. When I installed SuSE, I had to go and basically clean out inetd. Still nothing terribly new there. That's unfortunate, but it's an industry-wide problem.

There will be security holes in W2K. If Microsoft responds more quickly and openly, and the holes are in add-on services rather than appearing systematically in the core, then maybe they're finally learning their lesson. My guess is that they'll do better than NT4 (they've really been taking a beating over this) but not as good as the better Linux/Unix distributions. But that's just a guess, too. Time will tell.

Re:In related news...

[arivanov]

I do not think that you have any idea how close you are. The only difference is that they have been removed from the beta test list due to their inclusion on the payroll list.

Explain: MS have actually hired some of the best Windoze security people lately. David LeBlanc for example. There was a message on Bugtraq today but I guess it is not in the archive yet. So do not expect them to post any more messages about Windoze vulnerabilities any more...

Re:You're talking bullshit. SP6 knocked out all po

[AugstWest]

heh... sorry, that's one of the dangers of raising your threshhold to 1... it looks like you were replying to my post, not the response to my post, which didn't show up because it was at 0. If I could, I'd hand you some informative points. :]

not really

[CAIMLAS]

The linux development kernel is entirely different. Nobody with both balls intact (figuratively speaking) would ever recommend that a development kernel be used as a server. It's widely discouraged that anyone use a devel kernel for anything but bug testing, reporting, and severe geeking (or, rather, getting a sneak-peak at what is to come).

I find it ironic how you said "development linux kernel." Key word, "development." This thing wouldn't (more than likely) happen to linux due to extensive testing by many. MS doesn't do this with windows. Win2k had only 15 security programmers checking the entire code base! 15, for crying out loud! that's a lot of code for 150 coders to security check in such a short period of time!

Quite simply put, Microsoft screwed up. The product hasn't even been commercially available yet, and there are already two security holes, one that is fairly serious. The thing is, if this WERE the beta version of win2k, it would be tolerated or even acceptable. Maybe praised even, since the bugs would be found before final release. But no, thse bugs are in the commercial release. For the price that MS is charging, it shouldn't be defective out of the box and require repair immidiately. That's not good for the customer, and it certainly isn't good for product reliability.

If this type of thing were to happen in Linux on an even numbered kernel, (they're all essentially developmental since they're always 'active' or open, right?) MS would have a hay day of FUD and there would be a great moral decline in the lands. Microsoft will probably get away with it, since they will try and hush it up.

*sigh* Little guys always get stepped on. But that's life. People should be a lot more angry about bugs like this than they are. I mean, two weeks is a LONG time to wait for a bug patch! Linux patches are out of the bag in less than a day, sometimes within an hour of the bug's discovery. I'm not aware of a single serious/semi-serious MS bug that has been patched in less than a week.

This was not intended as a MS-bash, although it may come across as one. Microsoft has one a lot of

-------
CAIMLAS