Your day wouldn't be complete without Microsoft news. Ralph Nader has written an open letter to Judge Kollar-Kotelly. Seems he has a few bones to pick with the settlement. MSNBC is running a WSJ article detailing how Microsoft beat down the DOJ in settlement negotiations. Even Israel knows Microsoft is a monopoly. Microsoft reveals its keep-them-in-the-dark plan for Microsoft security vulnerabilities. Amazingly, some security firms seem to be willing to go along with it. I guess they figure setting up a sort of cartel for security flaws is in their best financial interest. SANS is keeping their list of top security vulnerabilities up to date with the latest IIS exploits. And finally, MS wishes their new disclosure rules were used for yet another huge hole in Windows. Microsoft says it's "irresponsible" to expect them to get a patch out for a critical flaw within "a few days". As usual, switch off active scripting, even though that will make essentially every webpage that's designed for IE not work.
You know what I find funny? (Score:3, Insightful)
Re:You know what I find funny? (Score:2, Insightful)
Remembering whom you are talking about should explain why they don't send this out. If they really had some competition they'd be letting you know, post haste. Ah, well, another reason why they should have been broken up for the good of the economy which wasn't done for the good of the economy.
Yours.
Theirs.
Re:You know what I find funny? (Score:2, Funny)
Re:You know what I find funny? (Score:5, Insightful)
MS's windows update is a step in the right direction, but it sucks compared to Red Hat's up2date [redhat.com] program. It's a service that is well worth paying for. Even if you just download the Red Hat ISOs, consider subscribing to RHN [redhat.com] - you are supporting future Linux development and are getting a good service at a fair price. [Disclosure: I own RHAT stock]
Re:You know what I find funny? (Score:5, Insightful)
Just my $0.02
EFGearman
---
Re:You know what I find funny? (Score:5, Informative)
They do distribute them (Score:2, Informative)
I got this in my inbox yesterday at 9:14pm (EST). If you really care about security with Windows machines look at this page [microsoft.com], specifically that [microsoft.com] mailing list service.
Re:You know what I find funny? (Score:5, Insightful)
What is it exactly that you're so baffled by? Just because you've never seen them only shows your ignorance, since they've been sending these out for years now. As far as being in an obscure place, where would you expect to find it? I always use the direct link to the bulletin list (www.microsoft.com/technet/security/current.asp [microsoft.com]), but if I didn't know how to find it, I think I might try www.microsoft.com/security. And whaddaya know, there's a web page there and the second link on the left is for the Security Bulletin service. How obscure. *ahem*
Re:You know what I find funny? (Score:5, Informative)
Click on the link to the side that says "For IT Professionals"
There are Security Bulletins highlighted in the upper right hand side of the page. The ones discussed here are listed, along with a link that says "More".
Right on the top of that list is a link that says "Want to receive future security bulletins automatically?" You might want to click on that and subscribe.
Now for home users, they have the WindowsUpdate feature which easily allows you to download patches. Plus it also includes links to find out more information about the patch... these links go to the security bulletins again.
If Microsoft is hiding security bulletins, they are doing a piss poor job.
Re:You know what I find funny? (Score:4, Insightful)
Ha! According to the bulletin, the people that should be reading this are:
Customers using Microsoft® Internet Explorer
That's quite a few people. And consider the link you have to click on. Most users of IE probably don't consider themselves IT Professionals. Heck, some of them are afraid to remove icons from their desktop because it might break Windows.
You expect these people to:
1) Visit www.microsoft.com. That's the boring site. They want www.msn.com or www.hotmail.com (these would be much better places to put bulletins.)
2) Consider themselves IT Professionals. That means they have to be REALLY smart (yeah, sure).
Basically, it IS hidden, especially for people who don't think to look for these security vulnerabilities. Microsoft may consider posting these bulletins in more prominent places. However, as someone above pointed out, there are probably battles between Marketing and the Developers (developers developers developers developers....) about what to make easily available.
webpages designed for IE (Score:2, Insightful)
If MS security bugs encourages web designers to design gracefully degradable web pages, that's fine with me.
Of course there will be more bugs reported in MS (Score:3, Insightful)
That said however, I don't care for MS and the majority of their software that I do use is out of necessity.
Re:Of course there will be more bugs reported in (Score:5, Insightful)
Re:Of course there will be more bugs reported in (Score:5, Interesting)
I recently attended a SANS course on IIS. According to the instructor, MS enables features to lower support costs. If it's already on nobody will call to get it working. WFM is a similar tale. It was designed to eliminate support calls but an employee realized it could be expanded to function like tripwire.
Personally, I think if someone needed Internet printing enabled on a web server they would search for a TID instead of spending money calling MS if they couldn't noodle it out. But I'm guessing I'm just optimistic here.
Re:Of course there will be more bugs reported in (Score:3, Insightful)
Okay.
Re:Of course there will be more bugs reported in (Score:3, Insightful)
On another note, I'm not sure that Microsoft has any grounds for demanding to be notified about flaws in the final releases of their software. If they want to keep bugs from becoming huge public brouhahas, then they should either fix them in-house while the software is still beta, or open the source up and let other people actually fix it. They're out of line to say that people should find bugs in their ware, tell them, and then sit on their discovery while some cubicle slave works to make a patch, and Microsoft takes the credit for saving the day.
Re:Of course there will be more bugs reported in (Score:4, Insightful)
Of course, it's not as simple as saying that MS sucks, but it's a combination of bad design (don't put everything in every program, don't have unlimited interoperation between everything), bad programming (don't use admin privileges if not absolutely necessary, also a design issue maybe), bad installation policies (don't install everything or even anything but the basics by default), bad admins and bad will.
The combination of these elements ends up in software you don't want to be running because it will stink from a security point of view.
So, no, you wouldn't have the same amount of problems on Linux at least. You'd have problems, yes, but not nearly as many. Unless, of course, the general policies among Linux distribution vendors change to install everything insecurely by default, but hopefully that won't happen, and in the Linux world you can always change to another vendor if one of them goes seriously astray.
Re:Of course there will be more bugs reported in (Score:5, Insightful)
Also, MS software is integrated on a large scale without sufficiently restrictive interfaces to cleanly separate it into individual programs. Since the number of potential bugs in a program grows faster than the length, this makes such integrated code more likely to have bugs; and, in fact, many MS bugs are due to interactions between different projects. With the Linux model, code is in relatively small chunks, which communicate over limited interfaces, so there is much less opportunity for cross-project bugs.
So I think that, to a certain extent, the reason that there are so many MS bugs reported is mostly that there are so many opportunities for MS to make mistakes, due to their size and the architecture they have chosen.
Re:Of course there will be more bugs reported in (Score:4, Insightful)
The Netcraft survey crawls through all those little Melvin machines which each have an httpd running that nobody ever accesses.
Nobody cares about them. They are irrelevant.
Actually, it tends to go the other way - IIS installs as standard on a heck of a lot of WinNT boxen that do no hosting, and as (much as we hate to admit it here) most small businesses (big enough to have an always-on connection but not big enough for their own IT dept) use Windows. Most Apache installs are meant to be there.
Corvair all over again? (Score:5, Funny)
Re:Corvair all over again? (Score:2)
There is more to life than increasing its speed.
Re:Corvair all over again? (Score:4, Offtopic)
Sorry, I wrote this rant and just wanted to put it somewhere. Your mention of Unsafe at Any Speed made me think of it. It is a response to Culp's comments last month.
Code Red. Lion. Sadmind. Ramen. Nimda. In the past year, computer worms with these names have attacked computer networks around the world, causing billions of dollars of damage. They paralyzed computer networks, destroyed data, and in some cases left infected computers vulnerable to future attacks. The people who wrote them have been rightly condemned as criminals. But they needed help to devastate our networks. And we in the security community gave it to them.
By listing worms that attacked a variety of operating systems Culp makes it appear that the security threat is equal to all the players in the OS space. What he doesn't do is supply a severity to the listed worms that lets us see that the worst and most widespread of these attacks were against Microsoft systems. Microsoft's dominance in the OS space only increases their responsibility for security breaches, it does not justify their targetability.
It's high time the security community stopped providing blueprints for building these weapons. And it's high time computer users insisted that the security community live up to its obligation to protect them. We can and should discuss security vulnerabilities, but we should be smart, prudent, and responsible in the way we do it.
What it is high time for is Microsoft to take security seriously. Their operating systems have always been about ease of use, not security. Just like passenger and baggage check-in at US airports are about hassle-free service. We have seen one consequence of the airports' security measures, and that terrible act is the only reason airport security is increasing. Numerous reports in the past few years have pointed to the insecurity of passenger air travel, yet the airlines took no notice. Code Red may well be the clarion call to reconsider the importance of security in your operating system. If your current vendor isn't supplying it, perhaps you should look elsewhere.
Arming the Enemy
First, let's state the obvious. All of these worms made use of security flaws in the systems they attacked, and if there hadn't been security vulnerabilities in Windows®, Linux, and Solaris®, none of them could have been written. This is a true statement, but it doesn't bring us any closer to a solution. While the industry can and should deliver more secure products, it's unrealistic to expect that we will ever achieve perfection. All non-trivial software contains bugs, and modern software systems are anything but trivial. Indeed, they are among the most complex things humanity has ever developed. Security vulnerabilities are here to stay.
According to Ralph Nader automobiles in the 60's were unsafe at any speed. He blew the whistle, and the groundswell response led to drastic changes in the manufacturing of automobiles and the responsibility of those manufacturers for the safety of the cars after the sale had occurred. Fast forward 30 years and juxtapose Microsoft for General Motors and you can hear the whistle blowing. Despite Microsoft's attempts to hide behind groups such as the DMCA, consumers and lawmakers will not continue to put up with the security risks using Microsoft products make them vulnerable to.
If we can't eliminate all security vulnerabilities, then it becomes all the more critical that we handle them carefully and responsibly when they're found. Yet much of the security community handles them in a way that fairly guarantees their use, by following a practice that's best described as information anarchy. This is the practice of deliberately publishing explicit, step-by-step instructions for exploiting security vulnerabilities, without regard for how the information may be used.
Do not fear he who hath power to kill your webserver, fear he who hath the power to crack your server, steal your financial data and destroy your very business. Prior to a security fix or announcement of a vulnerability you aren't even aware that your system is at risk. The sooner information is released to the consumer, the sooner they can make a business decision as to which is the greater cost: the possibility of having their system cracked and data stolen, bearing the cost in dollars and man hours to move to a more secure system, or the business impact of shutting an insecure service down until the security bug is fixed.
The relationship between information anarchy and the recent spate of worms is undeniable. Every one of these worms exploited vulnerabilities for which step-by-step exploit instructions had been widely published. But the evidence is far more conclusive than that. Not only do the worms exploit the same vulnerabilities, they do so using the same techniques as were published - in some cases even going so far as to use the same file names and identical exploit code. This is not a coincidence. Clearly, the publication of exploit details about the vulnerabilities contributed to their use as weapons.
Again, who is it that we fear? The script kiddies who are all bark, but no bite, or the blackhats who have established user accounts on your servers and have your corporate network as their playground?
Good Intentions Gone Awry
Supporters of information anarchy claim that publishing full details on exploiting vulnerabilities actually helps security, by giving system administrators information on how to protect their systems, demonstrating the need for them to take action, and bringing pressure on software vendors to address the vulnerabilities. These may be their intentions, but in practice information anarchy is antithetical to all three goals.
These methods are only antithetical when you have a dominant market position that is dependent upon people perceiving your products as being easy to use, secure, and hassle free to maintain.
Providing a recipe for exploiting a vulnerability doesn't aid administrators in protecting their networks. In the vast majority of cases, the only way to protect against a security vulnerability is to apply a fix that changes the system behavior and eliminates the vulnerability; in other cases, systems can be protected through administrative procedures. But regardless of whether the remediation takes the form of a patch or a workaround, an administrator doesn't need to know how a vulnerability works in order to understand how to protect against it, any more than a person needs to know how to cause a headache in order to take an aspirin.
Wrong. Providing the exact details of an exploit allows competent administrators or programmers to go to the source of a program or operating system and provide their own fix if none is available from the community at large or the creator of that program. Furthermore, a community made aware of an exploit is able to marshal its resources to provide a fix as soon as possible. Culp's position is only true in a closed source environment where the system administrator is nothing more than a mouse monkey whose idea of system administration and security are the point-and-click wizards provided by the vendor; or where the risk to customers of using vulnerable systems is weighed against marketing and PR concerns or the availability of programming resources and the cost of providing them.
Likewise, if information anarchy is intended to spur users into defending their systems, the worms themselves conclusively show that it fails to do this. Long before the worms were built, vendors had delivered security patches that eliminated the vulnerabilities. In some cases, the fixes were available in multiple forms - singleton patches, cumulative patches, service packs, and so forth - as much as a year in advance. Yet when these worms tore through the user community, it was clear that few people had applied these fixes.
Many people have faulted the patching process itself for the low uptake rate. Fair enough - we do need to make it easier for users to keep their systems secure, and Microsoft acknowledged this very point in a recent major security announcement. But if the current methods for protecting systems are ineffective, it makes it doubly important that we handle potentially destructive information with care.
One of my cars had a factory recall, some sort of problem with the CV boots. The auto manufacturer contacted me, on more than one occasion, to let me know that my car had a potential problem, where I could go to get it fixed, and they said they would bear the cost to fix my car. I'm not certain which one of the myriad of forms I signed when I purchased the car that signed me up for this protection plan, but it sure did work. In my 7 years of administrating Microsoft networks, the hundreds of products I have registered with them and the thousands of times I have visited their website, never once has Microsoft contacted me to let me know about a security vulnerability in the product they sold me. Making the fix available is not the same as notifying people that there is a problem and a fix.
Furthermore, like the boy who cried wolf, Microsoft products have so many vulnerabilities and the methods for keeping your systems patched are so time consuming that it can become a full time job just to keep on top of it. After a while you just cry, "Enough!" I've got other things to do than babysit the Microsoft website to find out what the latest vulnerability is. I've subscribed to Microsoft Security alerts, and typically I have found them to be late in notifying me of problems and so filled with PR that it was hard for me to assess the true risk to my systems.
Finally, information anarchy threatens to undo much of the progress made in recent years with regard to encouraging vendors to openly address security vulnerabilities. At the end of the day, a vendor's paramount responsibility is to its customers, not to a self-described security community. If openly addressing vulnerabilities inevitably leads to those vulnerabilities being exploited, vendors will have no choice but to find other ways to protect their customers.
A very good point Culp, vendors must find other ways to protect their customers. What Microsoft has been doing is not sufficient. The whistle has been blown, the users hear it, and they know that Microsoft has not had their best interest in mind. If Microsoft had, they would have found ways to contact users of vulnerabilities and given users incentives to patch their systems.
Responsible Handling is Key
This is not a call to stop discussing vulnerabilities. Instead, it is a call for security professionals to draw a line beyond which we recognize that we are simply putting other people at risk. By analogy, this isn't a call for people to give up freedom of speech; only that they stop yelling "fire" in a crowded movie house.
"Fire" is not being called in a crowded movie house, a fire alarm is being pulled and people are making an orderly egress. The egress is to Apache, Linux, Solaris, and FreeBSD. I'm grateful for that fire alarm, without it I would have found myself surrounded in flames created by blackhats while a Microsoft infomercial drones on the screen telling me, "There is no fire." I've got news for you Mr. Gates, this isn't the Matrix, and we are not all plugged into your grand scheme. Some of us see where you are taking us not just today, but tomorrow, and we're going to stop you.
Most of the security community already follows common-sense rules that ensure that security vulnerabilities are handled appropriately. When they find a security vulnerability, they inform the vendor and work with it while the patch is being developed. When the patch is complete, they publish information discussing what products are affected by the vulnerability, what the effect of the vulnerability is - that is, the type and extent of damage that an attacker could cause through it - and what users can do to protect their systems. This type of information protects users by giving them the information they need to decide whether to apply the fix, but it doesn't put them at risk.
Baaahhhh! Sheep, that is what Microsoft wants for customers. Users who blindly follow them to the slaughterhouse. But, shepherd Microsoft can't even protect us that long. The wolves circle and pick off the sheep one by one. Meanwhile, the lead sheep watch what is going on in the slaughterhouse and they are told by the shepherd not to tell the other sheep. Such information would cause a panic in the fold and desertions so great that Microsoft's stock price would fall into an irretrievable spiral.
Some security professionals go the extra mile and develop tools that assist users in diagnosing their systems and determining whether they are affected by a particular vulnerability. This too can be done responsibly. In many cases, it's possible to build a tool that performs non-destructive testing and can only be used by a legitimate system administrator. In other cases, the specifics of the vulnerability make it impossible to limit how the tool could be used - but in cases like these, a decent regard for the well-being of the user community suggests that it would be better not to build the tool than to release it and see it misused.
I repeat, those who use open source can always go the extra mile, and at the least, patch their own systems.
What You Can Do
Ending information anarchy will not end the threat of worms. Ethics and intelligence aren't a package deal, and some of the malicious people who write worms are quite smart. Even in the best of conditions, it will still be possible to write worms. But the state of affairs today allows even relative novices to build highly destructive malware. It's simply indefensible for the security community to continue arming cybercriminals. We can at least raise the bar.
What is indefensible is Microsoft's lax security throughout an entire series of Windows operating systems, office suites, and back office products. I once heard a joke that Microsoft was in an uproar because they found a virus that Outlook was not susceptible to; the company vowed to quickly remedy that situation. The best jokes are based upon some truth, and this joke was very, very funny. Security warnings do not arm cybercriminals, security holes do. Once again, do you really think the most malicious of crackers out there don't know and take advantage of security holes before they are announced? Of course those crackers know, and the sooner the user knows the sooner they can do something about it.
This issue is larger than just the security community. All computer users have a stake in this issue, and all of us can help ensure that vulnerabilities are handled responsibly. Companies can adopt corporate policies regarding how their IT departments will handle any security vulnerabilities they find. Customers who are considering hiring security consultants can ask them what their policies are regarding information anarchy, and make an informed buying decision based on the answer. And security professionals only need to exercise some self-restraint.
My company can adopt a corporate policy that only open source software will be used for all mission critical systems because only open source has a proven track record of quick security fixes. Instead of worrying about a security consultant's policy on security disclosures, a customer would be better served by keeping security in mind when evaluating software solutions. First avoid the obvious danger.
For its part, Microsoft will be working with other industry leaders over the course of the coming months, to build an industry-wide consensus on this issue. We'll provide additional information as this effort moves forward, and will ask for our customers' support in encouraging its adoption. It's time for the security community to get on the right side of this issue.
The security community has always been on the right side of the issue, it is Microsoft who has not. Even now they are trying to sway others to their position instead of adopting that held by the long standing security community.
Re:Corvair all over again? (Score:3, Interesting)
For what it's worth, here is what I wrote after I read Culp's essay for the first time:
I agree that some aspects of the current computer security community are quite strange. A few parties have indeed conflicting interests: They sell products which wrap around other software in order to enhance its security (from a purely methodological point of view, a questionable practice in itself). In addition, these parties discover and analyze vulnerabilities (sometimes in very great detail), and they are clearly benefiting from the recent Microsoft worm craze.
However, a few of Scott Culp's arguments are slightly wrong and do not reflect reality. For example, he claims,
Is this really true? And if it is, could it have been avoided? After all, an attacker knows which components are vulnerable (just by reading the vendor announcement), and he or she can compare the machine code of the vulnerable and fixed versions. Of course, the recent worms didn't show a very sophisticated design. But is it really reasonable to expect that the attackers of the future are unable to retrieve the necessary information from a few pieces of machine code?
In addition, we should remember that the most visible worms were targeting closed-source, proprietary systems. By the same argument, operating systems based on free software would be facing a tremendous amount of worm-based attacks because it's much easier to write these worms based on the publicly available information. However, there is no evidence supporting that, and it is very unlikely that this is just caused by different market shares.
Furthermore, Culp questions the usefulness of detailed information on vulnerabilities to administrators:
I wish this were true, but I have seen circumstances under which additional information is essential, even for system administrators:
Unfortunately, closed, automated tools do not help much in this context, at least without partly re-introducing the concept of full disclosure. Past experience suggests that the vulnerability has to be actually tested in order to minimize the number of false negatives. Our main concern is remote buffer overflow vulnerabilities, and even if such a testing tool is closed-source and does not contain any actual exploit code, it is not too difficult to snoop the network traffic, insert the appropriate exploit code, and try the result on some victims. In addition, testing tools require time to write and distribute, which is unacceptable in most cases. (Usually, the attacks start after the first advisory has been released; the Microsoft worms are rather exceptional in this regard.)
But my favorite argument is the following one, which has been rehashed in many, many different contexts, most of the time suggesting that software vendors should be exempted from responsibility for the consequences of using their products:
Nearly error-free software exists and is in wide use, but of course not in the general-purpose computing business. There are no technical reasons (or even mathematical ones, such as Goedel's Incompleteness theorem) for software being faulty. There is complex software which is believed to be close to zero defects, and Donald E. Knuth has shown with TeX that it is possible to write such software for use on workstations even if it uses tricky algorithms and it is fairly large. Poor software quality has different roots, many of them related to business models which force vendors to continuously release substantially different software versions, in order to generate a constant revenue stream from customers upgrading to the newest version.
In addition, there is no evidence that the security vulnerabilities exploited by the worms were related in any way to the overall complexity of the system. If we look at typical buffer overflow problems in free software (for obvious reasons, we can't do that with Microsoft software, but there is no indication that Microsoft source code is entirely different), these problems are local problems in most cases, which could be caught automatically by using different software construction tools, are often obvious from local code inspection, and a local fix was usually sufficient. If software shows buffer overflow problems because of its overall complexity, something is very wrong.
Indeed, security vulnerabilities will not disappear soon, but not because of fundamental technical problems. And even if complexity starts to become an issue, why not reduce complexity, then? Security vulnerabilities are going to stay simply because too many people accept them.
(And, by the way, like Windows and Solaris, Linux is a trademark, and since we aren't talking about the kernel alone, we should probably call this operating system "GNU/Linux".)
Re:Corvair all over again? (Score:4, Interesting)
I'm sorry, but a bug that is found today in NT 4.0 or 2000 has most likely been around since the product came out. You're trying to say that Windows bugs don't exist until someone finds them, but Linux bugs are retroactive since the version that they are in came out. Compare apples to apples.
When the root exploit was found in Linux, the patch was available the very same day. Microsoft can't get a security fix out and tested with "a few days of work". They have hundreds of well-paid programmers; Linux is written by loosely tied, mostly unpaid volunteers. You need to get the wool out of your eyes.
California also says (Score:3, Flamebait)
"California deserves special credit for its stance. Bill Lockyer, the state attorney general, has emerged as the most important public official in America when it comes to holding back the Microsoft tide."
Re:California also says (Score:2)
Re:California also says (Score:2)
Re:California also says (Score:4, Funny)
My preferred solution: break Microsoft into 28 operating companies. Give one to each MLB owner. Let Bill & Steve run baseball. Benefits of this solution are that baseball still gets run like a monopoly, but by people who are good at running a monopoly, and baseball comes with a built-in anti-trust exemption. Microsoft goes down the tubes, just like baseball has been doing for years. And best of all, programmer salaries get to match those of baseball players.
Keeping bugs a secret.. (Score:5, Insightful)
How are software bugs, especially critical ones, different from design flaws in a tire?
Re:Keeping bugs a secret.. (Score:3, Funny)
Re:Keeping bugs a secret.. (Score:2)
If there's a security hole in your OS, increased distribution of the information will do MORE damage (unless you believe that everyone that hears the information will immediately patch or repair their servers themselves - since if the info is distributed before a patch is available, then the vendor can't help you yet).
Big difference - bad analogy.
- Steve
Legality (Score:5, Informative)
IANAL, but I personally think MS could be sued by a company attacked through a hole kept secret by this security gang. It should in fact be illegal to withhold information about known flaws in any product, since knowing of those flaws may change the value in the customer's eyes. I see that as indirectly constituting fraud.
Anyone know of any precedent or the true current legal standing of such a situation?
Re:Legality (Score:3, Funny)
that last one is NOT a hole in windows. (Score:4, Troll)
If you read the security bulletin, it's not referring to windows at all. It's a problem with Internet Explorer version 5.5 or later.
Seems that that little slip exposes a great deal of anti-M$ bias. Not good for a supposed "news source".
Re:that last one is NOT a hole in windows. (Score:5, Insightful)
Unless... *gasp* you're calling Microsoft a liar and telling us that IE and Windows are indeed two separable products?
Re:that last one is NOT a hole in windows. (Score:2)
IE can certainly be removed from windows. I've done it several times. It's a huge pain in the ass, and it's not something that the average user-at-large would want to consider doing, but it can be done. So to put it bluntly, IE != Windows.
Re:that last one is NOT a hole in windows. (Score:2, Troll)
Of course, If IE can be removed from Windows, Microsoft has lied before the courts.
Either way, Microsoft is either lying or has another bug in their OS. Which way would you like to have it, Mr Gates?
Re:that last one is NOT a hole in windows. (Score:2)
Re:that last one is NOT a hole in windows. (Score:2)
Here's a headline for you: NONE OF THEM ARE VULNERABLE TO THIS EXPLOIT..
Since you can hardly begin to argue that 98SE is not current (it makes up at least 50% of Windows installations, and that's certainly an underestimate), then it is reasonable to say that WINDOWS does not have a flaw. Only after the introduction of IE 5.5 or higher does the vulnerability surface.
I realize that my opinion on this matter will not be popular, since the majority of slashdotters favor open-source operating systems. However, this is still a NEWS site, and it can only remain that way if the NEWS is unbiased.
Re:that last one is NOT a hole in windows. (Score:3, Interesting)
Besides, I've set Mozilla to be my default mail and html program, and that works great, as long as I don't have any instances of IE open on the desktop at the same time. As soon as you open one IE window, Windows decides that it should open ALL webpages in IE instead of mozilla, like I've told it to do on ALL occurrences of running across HTML files and links people post to IM clients, programs, etc. So I completely agree, it's a Windows problem, not just an IE problem. What's funny is that despite warning people how active scripting can cause problems without having all the appropriate security patches installed, they're displaying this info with an .asp page! Now that's what I call a short attention span.
Re:Ha ha ha! (Score:2)
already doing it.
My gaming machine at home runs windows 98SE, and after using 98Lite, it's running beautifully without the scourge that is IE. Mozilla takes care of my web-browsing functions in its place, and I'm a happier man for doing it.
And don't forget... (Score:5, Informative)
I can't read the details of the security flaw (Score:4, Interesting)
Yes. You need scripting in order to get details of the security hole. On the other hand, they recommend that you disable scripting.
Odd.
Yes. I have to use Windows at work.
Yes. I could use Mozilla.
The Bug (Score:2, Redundant)
Originally posted: November 08, 2001
Summary
Who should read this bulletin: Customers using Microsoft® Internet Explorer
Impact of vulnerability: Exposure and altering of data in cookies.
Maximum Severity Rating: High
Recommendation: Customers should consider disabling active scripting in the
Internet Zone and the Intranet Zone. Customers using Outlook Express who have
not set OE to use the "Restricted Sites" Zone should do so as a best practice.
Affected Software:
Microsoft Internet Explorer 5.5
Microsoft Internet Explorer 6.0
Technical details
Technical description:
Web sites use cookies as a way to store information on a user's local system. Most
often, this information is used for customizing and retaining a site's setting for a
user across multiple sessions. By design each site should maintain its own cookies
on a user's machine and be able to access only those cookies.
A vulnerability exists because it is possible to craft a URL that can allow sites to
gain unauthorized access to user's cookies and potentially modify the values
contained in them. Because some web sites store sensitive information in a user's
cookies, it is also possible that personal information could be exposed.
Microsoft is preparing a patch for this issue, but in the meantime customers can
protect their systems by disabling active scripting. (The FAQ provides step-by-step
instructions for doing this). This will protect against both the web-hosted and the
mail-borne variants discussed above. When the patch is complete, Microsoft will
re-release this bulletin and provide details on obtaining and using it.
Mitigating factors:
A user must first be enticed to a malicious web site or to open an HTML e-mail containing the malformed
URL.
Users who have applied the Outlook Email Security Update are not affected by the HTML mail exploit of
this vulnerability.
Users who have set Outlook Express to use the "Restricted Sites" Zone are not affected by the HTML mail
exploit of this vulnerability because the "Restricted Sites" zone sets Active Scripting to disabled. Note that
this is the default setting for Outlook Express 6.0. Users of Outlook Express 6.0 should verify that Active
Scripting is still disabled in the Restricted Sites Zone.
Severity Rating:
                         Internet Servers   Intranet Servers   Client Systems
Internet Explorer 5.5    High               High               High
Internet Explorer 6.0    High               High               High
The above assessment is based on the types of systems affected by the vulnerability, their typical deployment
patterns, and the effect that exploiting the vulnerability would have on them.
Vulnerability identifier: CAN-2001-0722
Tested Versions:
Microsoft tested Internet Explorer 5.5 SP2 and 6.0 to assess whether they are
affected by these vulnerabilities. Previous versions are no longer supported, and
may or may not be affected by these vulnerabilities.
Frequently asked questions
Why isn't there a patch available for this issue?
The person who discovered this vulnerability has chosen to handle it irresponsibly,
and has deliberately made this issue public only a few days after reporting it to
Microsoft. It is simply not possible to build, test and release a patch within this
timeframe and still meet reasonable quality standards.
What's the scope of this vulnerability?
A malicious web site with a malformed URL could read the contents of a user's
cookie which might contain personal information. In addition, it is possible to alter
the contents of the cookie. This URL could be hosted on a web page or contained in
an HTML email.
What causes the vulnerability?
The vulnerability results because of an unsafe handling of cookies across IE zones.
How would an attacker carry out an attack using this vulnerability?
An attacker could attempt to maliciously exploit this vulnerability by hosting a page
with a maliciously crafted URL. They could also send the victim an HTML email with
a similarly crafted URL.
In the case where the attacker hosted a web page, would he have any way to
compel me to visit the site?
The attacker could not force you to visit his site. Instead, he would need to entice
you into performing some action that would cause you to visit the site. There are,
however, a variety of actions that could be used to do this, from visiting a web site
that would redirect you to the attacker's, to opening an HTML e-mail that
referenced the attacker's site.
In the case where the attacker sent me an HTML e-mail, would simply opening
the mail allow me to be attacked?
Yes. It is possible for an attacker to craft an HTML email in such a way that it
would exploit this vulnerability on opening the mail.
Why does changing my IE settings help protect me against a mail-borne
attack?
As we mentioned above, HTML e-mails are just web pages sent via e-mail. Outlook
uses the IE security architecture to limit what HTML e-mails can do when opened.
By default, Outlook 2002 opens all HTML e-mails in the Restricted Sites Zone.
Is this a permanent change?
No. Microsoft is working to develop a patch that will eliminate the vulnerability.
When it's completed, you'll be able to install the patch and then return your IE
settings to their previous values.
How likely is it that I could be affected by this vulnerability?
It depends on your web browsing and e-mail habits. Customers who exercise care
in choosing the sites they visit, and who are careful not to open obvious spam and
other untrustworthy e-mails would be at less risk from this vulnerability. However,
customers can easily make a configuration change that will provide complete
protection.
What's the configuration change that will protect against this vulnerability?
Customers who are concerned about this vulnerability should disable active
scripting. All web pages (and HTML e-mails, which are just web pages delivered via
e-mail) are categorized into one of several zones, and the settings in each zone
dictate what actions can be taken within it. By disabling active scripting in the
Internet zone a user can prevent an attacker from exploiting either the web-borne
or mail-borne versions of this attack.
How do I disable active scripting in Internet Explorer 5.5 and 6.0?
On the Tools menu, click Internet Options, click the Security tab, and then click Custom Level.
In the Settings box, scroll down to the Scripting section, and click Disable under "Active scripting" and
"Scripting of Java applets".
Click OK, and then click OK again.
I am a network administrator. How can I disable active scripting in my
enterprise?
With new deployments of Internet Explorer, an administrator would use the IEAK and disable active
scripting before building the package and rolling it out to client machines.
For currently deployed client use Profile Manager to create an auto-config INS file to make registry changes
needed to disable active scripting on the client machines with Internet Explorer already installed.
For administrators that prefer to use SMS or login scripts, the following are the registry changes that would
disable active scripting on the client machine:
HKLM\Software\Microsoft\Windows\CurrentVersion\In
HKCU\Software\Microsoft\Windows\CurrentVersion\In
There are five different sub keys under each "Zones" key. Each key controls a
different security zone. The key names are 0-4.
0 = Your computer
1 = Local Intranet
2 = Trusted Sites
3 = Internet
4 = Restricted Sites
There is then a DWORD value under each zone number key that must be modified to disable active-scripting
for each zone.
REG_DWORD value is "1400" to be modified.
Setting this value to "3" (from "0") will disable active scripting.
HKCU setting changes take effect immediately. However the HKLM settings
would most likely require a reboot.
Patch availability
Download locations for this patch: A patch will be posted as soon as it is available.
Additional information about this patch
Installation platforms:
This patch can be installed on systems running Internet Explorer 5.5 and 6.0 when available.
Obtaining other security patches:
Patches for other security issues are available from the following
locations:
Security patches are available from the Microsoft Download Center, and can be most easily
found by doing a keyword search for "security_patch".
Patches for consumer platforms are available from the WindowsUpdate web site
All patches available via WindowsUpdate also are available in a redistributable form from the
WindowsUpdate Corporate site.
Other information:
Support:
Technical support is available from Microsoft Product Support Services. There is no charge for
support calls associated with security patches.
Security Resources: The Microsoft TechNet Security Web Site provides
additional information about security in Microsoft products.
Disclaimer:
The information provided in the Microsoft Knowledge Base is provided "as
is" without warranty of any kind. Microsoft disclaims all warranties, either
express or implied, including the warranties of merchantability and fitness
for a particular purpose. In no event shall Microsoft Corporation or its
suppliers be liable for any damages whatsoever including direct, indirect,
incidental, consequential, loss of business profits or special damages,
even if Microsoft Corporation or its suppliers have been advised of the
possibility of such damages. Some states do not allow the exclusion or
limitation of liability for consequential or incidental damages so the
foregoing limitation may not apply.
Revisions:
V1.0 (November 08, 2001): Bulletin Created.
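The bulletin's administrator section above describes the registry change (DWORD "1400" under each zone key, 0 enabled, 3 disabled) without any way to check a fleet for it. As an added example, not part of the bulletin or of this thread, the following Python script audits the text of a .reg export of the Zones keys, reports the active-scripting state for each zone, and builds the corrected .reg fragment for the zones that still allow it. It assumes the full key path "Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones" (the bulletin's copy of the path is truncated), treats value 1 as IE's "prompt" setting, and runs on a constructed sample export rather than a real machine.

```python
"""Audit Internet Explorer zone "Active scripting" settings from a .reg export.

Added example (not from the bulletin or the thread): parses a .reg text export
of the Zones keys, reports the state of value 1400 per zone, and emits a
corrected .reg fragment that disables active scripting where it is still on.
"""
import re

# Zone numbers and names as listed in the bulletin (0-4).
ZONE_NAMES = {
    "0": "Your computer",
    "1": "Local Intranet",
    "2": "Trusted Sites",
    "3": "Internet",
    "4": "Restricted Sites",
}

# The bulletin gives 0 = enabled and 3 = disabled for value 1400;
# 1 is IE's "prompt" setting (assumption, not stated in the bulletin).
ACTIVE_SCRIPTING_VALUE = "1400"
STATE = {0: "enabled", 1: "prompt", 3: "disabled"}

# ASSUMPTION: full key path; the bulletin's copy is cut off after "...CurrentVersion\In".
ZONES_PATH = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones"

KEY_RE = re.compile(r"^\[(HKEY_[A-Z_]+)\\(.+)\]$")
DWORD_RE = re.compile(r'^"(\w+)"=dword:([0-9a-fA-F]{8})$')


def parse_reg_export(text):
    """Return {(hive, zone_number): {value_name: int}} for the Zones\\0-4 subkeys only."""
    zones = {}
    current = None
    prefix = ZONES_PATH + "\\"
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            hive, path = m.groups()
            if path.startswith(prefix) and path[len(prefix):] in ZONE_NAMES:
                current = (hive, path[len(prefix):])
                zones[current] = {}
            else:
                current = None  # some other key: ignore its values
            continue
        m = DWORD_RE.match(line)
        if m and current is not None:
            name, hexval = m.groups()
            zones[current][name] = int(hexval, 16)
    return zones


def audit_active_scripting(zones):
    """Map (hive, zone name) to 'enabled', 'prompt', 'disabled', 'unset' or 'unknown(n)'."""
    report = {}
    for (hive, num), values in zones.items():
        raw = values.get(ACTIVE_SCRIPTING_VALUE)
        state = "unset" if raw is None else STATE.get(raw, "unknown(%d)" % raw)
        report[(hive, ZONE_NAMES[num])] = state
    return report


def zones_needing_fix(zones, wanted=("1", "3")):
    """Zone numbers (Intranet and Internet by default, as the bulletin recommends) where 1400 != 3."""
    return sorted(num for (hive, num), v in zones.items()
                  if num in wanted and v.get(ACTIVE_SCRIPTING_VALUE) != 3)


def remediation_reg(hive, zone_numbers):
    """Build a .reg fragment that sets 1400 to 3 (disabled) in the given zones."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    for num in zone_numbers:
        lines.append("[%s\\%s\\%s]" % (hive, ZONES_PATH, num))
        lines.append('"%s"=dword:00000003' % ACTIVE_SCRIPTING_VALUE)
        lines.append("")
    return "\n".join(lines)


# Constructed sample export: Intranet and Internet zones still allow active
# scripting, Restricted Sites already disables it.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1]
"1400"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"DisplayName"="Internet"
"1400"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4]
"1400"=dword:00000003
"""

if __name__ == "__main__":
    parsed = parse_reg_export(SAMPLE_EXPORT)
    for (hive, name), state in sorted(audit_active_scripting(parsed).items()):
        print("%s %-16s active scripting: %s" % (hive, name, state))
    print(remediation_reg("HKEY_CURRENT_USER", zones_needing_fix(parsed)))
```

The script only reads an export and writes a fragment; applying the fragment is a separate, deliberate step, and as the bulletin notes, HKCU changes take effect immediately while HKLM changes will most likely need a reboot.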
Re:I can't read the details of the security flaw (Score:5, Funny)
It's the new MS security policy: "if you can't read this page, you're not vulnerable"!
Re:I can't read the details of the security flaw (Score:4, Insightful)
Windows Update either. Very interesting, how ironic that MS stuff is these days.
Nader has credibility (Score:5, Informative)
Of course, Nader's stance at the far left at the political spectrum could hurt things if the judge has right-wing leanings (as appears to be the case). At least Nader isn't as rabid as RMS. As much as I admire his commitment and idealism, RMS's uncompromising attitude and abrasive personality could do more harm than good. (Also, RMS's reputation is pretty much confined to geeks, whereas Nader has mainstream recognition.)
Re:Nader has credibility (Score:2, Insightful)
It strikes me how much we all seem to be recognizing that the courts now operate based on their political leanings instead of the foundation of law.
Nader? (Score:3, Insightful)
Alternate Plan - Security Escrow (Score:5, Informative)
Part2: The flaws do need to be placed in 'escrow' in a secure database, with a planned release date, perhaps 6 months after first notice.
Then let's see if the situation is better or worse. After all, Code Red exploited a months-old hole, which could have been discovered by monitoring Microsoft's own update pages. Somehow it doesn't seem to me that the course of the Code Red mess this Summer would have been affected in the least by Microsoft's proposed policy.
Or do they consider publication of a bugfix tantamount to 'Security Anarchy', because it lets others know that a hole exists?
But the real goal here should be that we want to keep Bugtraq and the like alive for our own use. Let Microsoft mess their own sandbox, just don't mess ours.
Quote (Score:4, Funny)
Are they referring to the recent release of XP?
Thanks Ralph (Score:3, Funny)
Also I like seatbelts.
Oh really? (Score:3, Informative)
Funny, Open Source software can have a patch out within a few days, why can't Microsoft?
Re:Not to mention Apple . . . (Score:4, Informative)
But what do I know.
Re:Oh really? (Score:3, Insightful)
Yes, you can get a patch to kernel 2.foo very quickly. But it can take weeks/months for RH to get a package out. Perhaps M$ can get the code fixed, but not quickly send out a package (and in some ways they do. They send out hotfixes, and only later service packs).
Why? In both instances, the companies have to make sure that by fixing one problem, they don't create several others.
So yes, you can get quick fixes to Samba, the kernel, etc. But it takes time for commercial vendors to roll out the patches.
(And, having said all that, I used to use Progeny, and am switching to Debian. They get out patched packages really damned fast.)
Here's an ugly one (Score:2, Informative)
Why are they asking the court to derail the settlement, effectively guaranteeing that the case won't be resolved for years? The state attorneys general claim the high ground as defenders of consumers, but it is hard to see what consumers of software would gain in prolonging this legal agony.
Uhh, ok...
security software (Score:5, Interesting)
The bylaws will also include an agreement that any security software produced by members of the group will be engineered in such a way that it can only be used for lawful purposes.
Yet again, we have a software usage agreement that restricts the types of things for which the software can be used. This is silly and ironic. If some sort of authority were set up to police the observance of this, we'd be a huge step closer to the scary world RMS describes in the famous essay set in a (hopefully) fictional future. Without such an authority, MS and friends would essentially be relying on the honor system which it hates so much.
I guess that MS and friends would rather have the sense of security they get from restrictive user licenses and the like. Folly.
BEN
BBC Article (Score:3, Informative)
They could learn from Apple... (Score:5, Insightful)
Pardon my french, but *bullshit*.
Apple released iTunes 2.0 on a Saturday night. When a major bug was found, not only did they pull the installer *immediately*, but they fixed the bug and had a new one up in its place (properly labelled 2.0.1) within 24 hours. Not only that, but they have also said that they will pay for DriveSavers recovery for anyone who lost data to the bug. Can anyone imagine MS responding that quickly? On a *weekend* even! (Or accepting responsibility for its bugs like that?)
Re:They could learn from Apple... (Score:4, Interesting)
I have seen Microsoft release products that do really stupid things, but I have trouble recalling the last time they released a music application that unnecessarily formats your harddrive. I mean, come on... MS is bad, but are they as bad as Apple? If Apple was as popular as MS, you would probably be singing a different tune about iTunes 2.0?
Debian Linux has a community run software testing process that would never let something like iTunes ship as "stable".
Re:They could learn from Apple... (Score:2)
Full disclosure should follow the announcement of a bug after 30 days or whenever a patch is released, as is standard practice on security mailing lists. Not having full disclosure hanging over a company's head allows them to become lax in protecting their customers which when it comes down to it for Microsoft is exactly what Scott Culp's job should be.
As for "Can anyone imagine MS responding that quickly?", yes. They responded in about 24 hours to the Ping of Death bug (IIRC). They were only beaten by the Linux devs who responded in about 8 hours.
To be fair though, the iTunes bug (which would wipe all your MP3s without any external provocation) and an IE bug (which requires a hostile site to set up the flaw) are in somewhat different circles. I wouldn't even make a comparison between a bug in a freshly released product and a bug in a browser that has been released and is in common use. Pulling the IE installer is really going to solve a lot of problems...
Apple has been fairly slow at fixing some of the security issues in OS X - many were just postponed to 10.1, so I wouldn't hold them up to being the paragon of truth and justice right now. Go look on their web site and see if you can find full disclosure on any of the problems of OS X...
Linux is even descending into the game of playing petty politics with security issues. Alan Cox should know a lot better than to play into Microsoft's hands the way he seems to be. Not announcing Linux flaws simply gives credence to Microsoft's current bad behaviour.
Re:They could learn from Linux... (Score:2, Offtopic)
As a former "black hat" (Score:5, Interesting)
The best thing I learned from my experiences as a skript kiddie is that BUGTRAQ, BoS, and every other sysadmin-visited list was the last to hear about new security flaws. Sure, on occasion, @stake or the ISS X-Force would come up with something novel. But the majority of the time, I would see sploits circulated by my Russian friends on IRC weeks before anyone even mentioned the vulnerability on BUGTRAQ. Consider the BIND 8.2.2-P5 flaw: I had the ADM sploit for it weeks before an advisory was even issued.
Stopping full disclosure won't hurt the script kiddies. It will hurt the admins, who won't have enough information to patch their source base to fix the problem. (As a FreeBSD admin with a good grasp of C, patching a security hole takes on the order of minutes now.) But it will help this cartel to keep privileged information to themselves, so that hapless admins like myself will not have the information we need to defend ourselves. And it helps Microsoft, who can honestly claim that their systems are more secure than UNIX when the UNIX admins can't defend themselves more quickly than the M$ admins can anymore. It's just capitalism at work.
-CT
Re:As a former "black hat" (Score:2)
> But the majority of the time, I would
> see sploits circulated by my Russian friends
> on IRC weeks before anyone even mentioned the
> vulnerability on BUGTRAQ....
> Stopping full disclosure won't hurt the script
> kiddies. It will hurt the admins, who won't
> have enough information to patch their source
> base to fix the problem.
Seems to me some reverse-espionage is in order. Last time I took a security course, it was recommended that a savvy security admin lurk in the dark areas, just to share the information XPerience earlier than the public.
Golly, a business-savvy person could even make money that way.
What Microsoft doesn't understand is that if black hats are trading the information, they can't really tell the white/grey hats from the black ones, over the internet connection.
Or can they?
Reality check for you... (Score:2)
There's loopholes in any system. They will be exploited. It's whether or not you know about the loophole and can fix it that makes all the difference between being 0wn3d or not.
Let's not be the pot calling the kettle black (Score:4, Insightful)
It is proper for us to reject Microsoft's attempt to keep its bugs secret. But this means that we must also reject Alan Cox's attempt to protest the DMCA by withholding discussion of security holes in Linux, under his false belief that the DMCA somehow forbids such discussion. We need to openly discuss our bugs. Otherwise we are, in effect, supporting Microsoft in their effort to stifle discussion.
Yes, the DMCA is a bad law, but it's not infinitely bad. It does not forbid discussion of bugs or circulation of patches for bugs; claims otherwise are based on confused readings.
Re:Let's not be the pot calling the kettle black (Score:2)
Re:Let's not be the pot calling the kettle black (Score:3)
It is thoroughly possible that Alan's interpretation of the DMCA is wrong, and that yours is right. However, it is Alan and not you who is at risk if he is right. It is unseemly to chide him for refusing to take what he deems to be a serious legal risk, when you yourself are at no such risk.
I'm pretty sure that Alan's point is not that "discussion of bugs" in general is prohibited by the DMCA. It is that a bug in the permissions functions of a kernel could serve as a method of evading access controls -- and that dissemination of methods to evade access controls is prohibited.
Don't forget that Alan is not the only party at risk, either. Since he is employed by Red Hat in developing the kernel, Red Hat might also find itself liable. Indeed, Alan probably has the advice of Red Hat's lawyers in the matter. He isn't in a position to go against that.
Even if you are right and Alan is wrong, the matter serves as an able example of what the lawyers call a "chilling effect" upon speech. The DMCA is vague! The matter of whether Alan is at risk is unclear and contentious -- that's why we're having this discussion. In such an environment, people such as Alan and companies such as Red Hat are going to err on the side of excessive caution. Their speech will be "chilled", even if the risk is imaginary. That's part of why restraints upon speech are so dangerous.
Re:Let's not be the pot calling the kettle black (Score:5, Insightful)
It is proper for us to reject Microsoft's attempt to keep its bugs secret. But this means that we must also reject Alan Cox's attempt to protest the DMCA by withholding discussion of security holes in Linux, under his false belief that the DMCA somehow forbids such discussion. We need to openly discuss our bugs. Otherwise we are, in effect, supporting Microsoft in their effort to stifle discussion.
Not at all. The way I see it, there are two things at work here.
Therefore, it is right and consistent that we can hate Microsoft for censorship, and applaud Cox for censorship, because there are deeper levels and motives than simply censorship.
Critical Flaw (Score:2, Funny)
A Microsoft spokesman was later heard saying - "We didn't fix it in the first place, what makes you think we're going to now?"
From Ralph Nader's Open Letter (Score:4, Insightful)
Re:From Ralph Nader's Open Letter (Score:3, Insightful)
And to think that most of the Neanderthals on Slashdot still think it the height of humor to castigate him as a loon. I don't want to be a troll, but I find it the penultimate irony that people who can wax rhapsodically over RMS bitch about the one nationally recognized politician that seems to actually "get it" when it comes to Free Software.
The ultimate irony is, of course, that anyone actually takes these Neanderthals seriously enough to bitch about it :-(.
I made my mistake in the last election by wasting my vote on Gore. Next time, it's Green all the way, baby...
Something Amusing (Score:5, Interesting)
You can't go to Windows Update to download patches any more after you've turned Active Scripting off. Microsoft sends you to a page telling you to turn Active Scripting and all sorts of other dangerous things back on.
Redmond dumb-asses.
MS Rallying end-user support? (Score:4, Insightful)
The person who discovered this vulnerability has chosen to handle it irresponsibly , and has deliberately made this issue public only a few days after reporting it to Microsoft. It is simply not possible to build, test and release a patch within this timeframe and still meet reasonable quality standards.
I was reading through the "Irresponsible" link, as well as the vulnerability report. Information Anarchy is the phrase they have coined to display that information really doesn't want to be free. This, if successful, will cause a very adverse association to open source developers I think. If they "edjucate" their end-users into thinking that information should be tightly controlled by a centralized source, then it's easy to make the connection that the open-source community is vilifying the information management structure that Microsoft and friends is working so hard to manage for the best interest of the consumers.
They claim it's not feasible for them to release a patch within 5 days. Why do I have a feeling that this code segment is probably less than 50 lines, hell - you could provide a hack just to filter malicious URLs in less than that and release that patch in well under a day or two without sacrificing what we all know as Microsoft's high standards of quality.
Maybe I'm paranoid, but it seems this is a much larger tactic towards a revised SSSCA that will be in Microsoft's best interest - much easier to add a clause saying it's illegal to release unauthorized security information about a company's product to an unapproved bill.
Re:MS Rallying end-user support? (Score:3, Insightful)
Uhh, no you didn't.
> I read the article. The difference is, I happen to know a tiny bit about programming, and you obviously don't.
Yes, obviously it is so difficult to write a valid URL parser that Apache has a problem with it, and Mozilla, and hell, even Slashdot.
You want a URL parser, pick a language. You said perl here ya go (brackets omitted to appease slashdot's stupid filtering):
sub validateURL {
    my ($url) = @_;
    my @ValidInstructions = (
        '[^/]\.(htm|html)$',   ## Allow only paths that end in .htm or .html
    );
    ## Split the URL into scheme, domain (host[:port] or user:pass@host) and path
    if ( $url =~ m{^(\w+)://([^/]+)(/.*)?$} ) {
        my ( $req, $domain, $path ) = ( $1, $2, defined $3 ? $3 : '/' );
        ## Lets check for user:pass combinations in front of the host, denoted by @
        if ( $domain =~ /@/ ) {
            my ( $userinfo, $host ) = split( /@/, $domain, 2 );
            my ( $user, $pass ) = split( /:/, $userinfo, 2 );
            $domain = $host;   ## keep only the real host for later checks
        }
        ## Reject the path unless it satisfies every allowed pattern
        for ( my $i = 0; $i <= $#ValidInstructions; $i++ ) {
            return 0 if ( $path !~ /$ValidInstructions[$i]/ );
        }
        return 1;
    }
    else {
        return 0;
    }
}
I'll leave it as an exercise to figure out where the brackets go
So, all you need to do is add to the valid handler array, and writing reg-ex's for this is not the most efficient method, nor would I recommend it. But, it's also exceptionally easy to verify that the file is there and check the parameters in case of a dynamic page to ensure it's not a malicious intent (go read any howto-secure-a-CGI for more info).
I just spent about 5 minutes writing this out, with cold hands and all my other text. It's not far more complicated than I think it is; I'm just a good programmer. Before accusing people of how hard something is with knowing "a tiny bit about programming" find out that the person you are talking to does network development for a living. Thanks.
I'd like to take the opportunity to try to have you take a deep breath, and realize that you had no idea who I am before you started your assumption that I wasn't a programmer and just some ass-clown. I've written anything from URL validators to email validators, to pthreaded socket connection. You didn't know that though, you just instantly assumed I was talking out my ass saying that this was just such a wonderful easy idea and I just couldn't understand why they couldn't do it. It's called prioritizing of tasks, someone is in charge of this particular affected code. Whether it be in the URL validation or the cookie retrieval code (I'm not sure how IE is structured), this fix is none-the-less simple, and not an amazingly complex feat of engineering talent.
Proof in the pudding (Score:3, Interesting)
So what is the effect on investment capital of the settlement?
The proof is in the pudding. Is Red hat stock up? Is Palm or Be stock up - or is anyone coming in with a bid that beats Palm's paltry $11 million? Is there venture capital available for companies to compete with productivity apps or streaming audio?
Re:Proof in the pudding (Score:3)
Red Hat is trying to sell a product that can be downloaded for free. Why again do you expect investors to be lining up behind them? Especially when the only time they've been able to show profitability is by using accounting tricks -- in other words, if they continued "making money" at the same rate, they'd be bankrupt in a number of quarters.
Palm is on a not-so-slow path to www.f---edcompany.com. Everybody realizes that it's in trouble, including Palm itself. If they thought their real troubles spawned from Microsoft getting a favorable settlement, they wouldn't have just shitcanned their CEO.
Hell, Microsoft probably doesn't even plan for world domination, they've gotta be surprised by how easily it continues to be given to them by all these completely incompetent companies that you seem to be in love with. Next up: Sun Microsystems. :)
Here's why the government lost (Score:3, Interesting)
In a classic display of Microsoft pugnacity, the company hammered opposing government lawyers on nearly every conceivable point, no matter how small. Eventually exhaustion became a factor, lawyers on the government side acknowledge.
So let's make sure the state attorneys general keep their lawyers adequately supplied with No-Doze!
From the FAQ... (Score:4, Informative)
Why isn't there a patch available for this issue?
The person who discovered this vulnerability has chosen to handle it irresponsibly, and has deliberately made this issue public only a few days after reporting it to Microsoft. It is simply not possible to build, test and release a patch within this timeframe and still meet reasonable quality standards.
Hehe.
Bug Non-disclosure (Score:3, Interesting)
Bindview, Foundstone, Guardent, @Stake, and Internet Security Systems joined with the software-maker to declare they would immediately begin
Wasn't @stake [atstake.com] formed from hacker group l0pht [l0pht.com]? Yes, I think they were! They used to attend Def Con, and work on Back Orifice [everything2.com] and L0phtCrack?? Didn't they get banned from BugTraq because they posted links to their site in the place of good, solid descriptions?
My, how times change.
-M
Hard to get a patch in a few days?! (Score:3, Insightful)
Sept. 11 As Justification (Score:5, Informative)
While I see the reasoning behind this, shouldn't the Sept. 11 attacks make us more appreciative of our freedoms than of our money? All the politicians are running around talking about freedom being the American ideal, shouldn't they be more focused on maintaining freedom than money in this case also?
Poetic Justice: My favorite Nader quote (Score:5, Insightful)
-----------------
The level of fines that would serve as a deterrent for cash rich Microsoft would be difficult to fathom, but one might make these fines deter more by directing the money to be paid into trust funds that would fund the development of free software, an endeavor that Microsoft has indicated it strongly opposes as a threat to its own monopoly. This would give Microsoft a much greater incentive to abide by the agreement.
Slashdot editor bias (Score:3, Informative)
But the bizarre thing is how biased slashdot is with their presentation. If you actually click through on the links and read the stories, you'll understand why.
For instance, why wasn't this article from news.com linked as well, considering it is Scott Culp responding to a lot of the questions and accusations?
http://news.cnet.com/news/0-1014-201-7819204-0.
Re:Slashdot editor bias (Score:3, Insightful)
That is a period at the end of that sentence, it means there is nothing further to add. What we're doing now is what should be done.
Keep us in the dark huh? (Score:3, Interesting)
WTF is wrong with these folks?! I can see it now - we're all going to have to sign up to some sort of subscription service to learn about the various vulnerabilities. No doubt it won't be free, right? I have a VERY hard time believing that @Stake aka L0PHT signed up for this. My opinion of those fine folks just dropped into the basement. I never thought I'd see the day when they would kowtow to Microsoft, it's a sad day indeed for the security industry.
Who are we doing this for? The children? National Security? Oh wait - Bill's cash. Seems to have greased the DOJ wheels pretty good, guess things are bad all over when the security industry sucks it up too. This just makes me sick.
Any good full disclosure sites out there taking over where PacketStorm died? If so I'd appreciate some URLs. BTW, some of the folks on our team swear that SecurityFocus has pulled data OUT of their vulnerability database in recent months. Cannot confirm it for sure, but when you know you looked it up previously and then it's not there later, you have to begin to wonder....
P.S. If RFP signs on Hell will have frozen over. Thankfully he doesn't appear to take cash for his efforts!
Re:Keep us in the dark huh? (Score:4, Informative)
But basically, no we aren't pulling anything out.
Great Quote from the WSJ (Score:5, Insightful)
Knowing how a security protocol works should not make it less secure. I can read how SSL works, but that does not make it less secure. Same with Kerberos, DES, RSA, etcetera. A proper security protocol should be secure even if you know how it works. Security through obscurity DOES NOT WORK.
This quote sounds like it came from Microsoft, but get this: he works for the DOJ! This guy James was the one in charge of the negotiations with Microsoft. He is supposed to be on our side.
It seems like he knows very little about computer security. It also seems like he believed whatever the Microsoft lawyers told him. No wonder they arrived at such a one-sided settlement.
Irresponsible? Conventional wisdom is wrong... (Score:3, Insightful)
Maybe so, but what I don't get is this expectation everyone has that these security holes go through the same steps...
The real danger is when someday someone will discover one of these huge gaping holes, not tell a soul, and then exploit it for profit, terror, extortion, or simple chaos.
We've been lucky so far. For Microsoft to try to divert the entire blame is what is irresponsible. Remember who created the security hole in the first place....
I'm a MS supporter, but this is ridiculous (Score:5, Insightful)
Usually, I think MS has an undeservedly bad reputation. But I can't stomach their assertion that open discussion about their bugs is somehow unethical.
From Microsoft's article [microsoft.com]:
We can and should discuss security vulnerabilities, but we should be smart, prudent, and responsible in the way we do it.
Who chooses what sort of speech is smart, prudent, and responsible? The speaker? Or Microsoft? Since they branded it irresponsible to reveal a security flaw only "days" after telling Microsoft about it, it seems obvious to me that this is a request to let Microsoft control all discussion about their security flaws. This is patently unacceptable.
If we can't eliminate all security vulnerabilities, then it becomes all the more critical that we handle them carefully and responsibly when they're found. Yet much of the security community handles them in a way that fairly guarantees their use, by following a practice that's best described as information anarchy. This is the practice of deliberately publishing explicit, step-by-step instructions for exploiting security vulnerabilities, without regard for how the information may be used.
I don't think it's best described as information anarchy. Anarchy is an emotionally loaded term, like piracy. But anarchy just means "not centrally controlled or regulated". Do we want all discussion of security to be centrally controlled and regulated? If you replace the phrase "information anarchy" with "free speech", the article becomes much more enlightening. The author seems to try to address this by saying:
By analogy, this isn't a call for people for give up freedom of speech; only that they stop yelling "fire" in a crowded movie house.
But the movie house is on fire. The bug exists - your private information is vulnerable. The responsible thing for Microsoft to do is admit that they made a mistake, and work to put out the fire. Unfortunately, they've chosen to blame the messenger.
It's natural for a powerful organization to want to suppress speech that points out its flaws. It's natural - but it should never be tolerable.
Re:Someone... (Score:2)
Seems your check bounced.. (Score:2)
Microsoft made PC vendors deals they couldn't refuse (and when they accepted, couldn't afford to get out of) to put their stuff on machines. If it's already on the machine, most people won't bother to get a different program unless it's so atrocious as to be unusable. Doesn't matter if it's free- it'd have to be 100 times better for the average person to bother with getting it. Once you're in that position, it's very difficult to shift the player in place because of network effect- it's nothing at all to do with how "good" a program is.
Re:Ralph Nader's hypocrisy (Score:2)
This is just lying right-wing ideological crap. He has said that the public (government) has a right to limit the actions of corporations when those actions might harm the interests of the public.
Re:Ralph Nader's hypocrisy (Score:2)
Gross exaggeration makes your point weaker, not stronger.
Re:Linux Linux Linux (Score:5, Interesting)
I can sell my copy of XP if I wish; if I sell my NFL tickets it can be scalping.. Microsoft doesn't price point XP, they give it a value. I can buy XP and sell it for 30 bucks or 300 bucks, whatever the consumer is willing to pay. I can't do that with baseball tickets, NFL tickets or phone service.
Try selling your copy of XP online, and watch how fast MS stops you because of licensing issues. If you actually sell it on the street, they could still nail you if they find out. You can resell your sports tickets at face price without violating scalping laws. Phone service is a service, not a product, and thus is non-transferable.
Or how about this one?
So why all the resistance on Microsoft? Why not make it a perfect world and attack the NFL, MLB, NBA, WNBA and your local telco monopoly who restrict your choices and charge you exorbitant prices and rip off the consumer.
Because there are other sports and other phone options, and for the most part those don't do such blatant anti-competitive practices. You don't see the NFL trying to create a baseball team. M$ wants to control the entire computing experience and then some...and they make no bones about it. And of course, the biggest point is that MS has been found to be in violation of law for their monopolistic practices, and yet they still flagrantly defy the law. That makes them a viable target for criticism, pure and simple.
Re:Linux Linux Linux (Score:3, Funny)
Hint of what response you can expect: In. Your. Dreams.
Re:It's not a security flaw (Score:2, Insightful)
How about when Sircam started e-mailing random documents to anyone in the address book. I got a load of random files for absolutely no reason at all. An inadvertent spam.
Just because you don't use Microsoft products doesn't mean Microsoft products can't be used to attack your machine(s). Indirectly, you're still affected sometimes.
Re:...every website made for IE?? (Score:4, Informative)
No. They must convince you to go to a webpage or open an HTML email. Have you never gone to a webpage where it loads a popup (i.e. another webpage)? Or redirects you to another webpage? That's all they have to do.
Re:Most Effective Remedy (Score:3, Informative)
Do the best you can under the circumstances. I use Macs, and I make a point of throwing out IE and using iCab or Netscape or something- and I also go into the system folder, and throw out the large amount of operating system code (to support IE) such as ActiveX support and a host of OS extensions Microsoft insists upon building into Macintoshes.
Interestingly, this seems to make the Mac more stable. But the bottom line is you cannot avoid indirectly purchasing Microsoft products- or even running MS OS code!- by using stock Macs. They come with extensive Microsoft code and you have to literally go in and take that garbage out if you want to run a non-Microsoft MacOS.
How's that strike you? Does that make you more or less persuaded that Microsoft is dangerous and all-controlling? Maybe your original vow is all the more worthwhile seeing as you CAN'T do it without either going incredibly DIY to the point of building your own computer and running nothing but Linux, or abandoning computers entirely.
Did you know it was that bad?
Re:Why it takes MS so long.... (Score:3, Insightful)
So the problems that Microsoft patches cause are not solely due to 'oh, Microsoft software is so much more sophisticated and advanced!' but due to bad planning and inappropriate bundling combined with lack of disclosure of what's being altered. And it is going to get MUCH worse, not better. To cap it off, if they are able to suppress disclosure of bugs and security holes, they don't need to regression test anywhere near as hard as you seem to think they are doing- because all that will happen is that Windows boxes will mysteriously die and there won't be any publicly disclosed link to connect that with Microsoft updates.
Hell, if they can truly cut off all disclosure, they can just STOP any work on security patches entirely. Who'd know?