Microsoft PPTP Buffer Overflow; VPNs Vulnerable
An anonymous reader writes "According to this InfoWorld article, a buffer overflow exploit has been discovered for Microsoft's PPTP implementation, which leaves Microsoft VPN solutions vulnerable to exploit. This overflow was discovered by the German security firm Phion; they have posted more info on this page." We might as well throw in yet another remote exploit for FrontPage, too. No, not last week's remote exploits - these are new. Coincidentally, the front group Microsoft organized for the purpose of quashing bug disclosure (that is, reducing Microsoft's bad press) is just now getting underway.
MS Bugs (Score:4, Funny)
Re:MS Bugs (Score:3, Funny)
I would, but I have neither the time, nor the bandwidth :)
Re:MS Bugs (Score:3, Interesting)
Re:MS Bugs (Score:2, Funny)
Re:MS Bugs (Score:2)
I seem to recall that there was a Dilbert strip with Ratbert in QA, who had "Lethal", "Boneheaded", and "Vexing" as his bug severities. This would probably be a very good way to categorize them for end users.
What's the average per week? (Score:2)
1.5 Official bulletins / week. (Score:2)
How many are buffer overflows? (Score:4, Insightful)
Re:How many are buffer overflows? (Score:2)
Re:How many are buffer overflows? (Score:2)
Microsoft has so many layers of APIs and other legacy crap that even their C code is slower (just look at how fast a clean OS written in C is compared to Windows). Why not at least incur a slowdown for something useful like security? If instead of using unchecked buffers they used safe buffer code, they wouldn't have this problem.
One particular Outlook exploit I recall used an overflow in the timezone field. So, instead of "GMT+500", someone might put "GMT+505005050505050505...". Because Microsoft made an array of 4 bytes to hold the timezone offset, but didn't stop reading until the end of the string, someone could overwrite memory space.
Now, I'd accept slightly slower timezone parsing if it meant some thug couldn't take control of my computer by sending me an e-mail!
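The timezone-field overflow described in the post above, modelled as an added example in C. This is illustration code written for this page, not Outlook's source, and the real layout of that code is not known from the discussion: a four-byte digit field is filled by an unbounded copy, beside a hardened parser that checks the digit count before copying. The record is modelled as one flat byte image so that the overrun lands on a known neighbouring field and the demonstration itself stays within defined behaviour.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Toy model of the bug described in the post above: a fixed-size field for
 * the digits of a "GMT+hhmm" offset, filled from a string the sender
 * controls. Example code, not Outlook's source; the real layout of that
 * code is not known from the discussion. The record is one flat byte image
 * so the field overrun hits a known neighbour and the demo stays defined. */

#define TZ_DIGITS  4            /* room for "0500" */
#define IMAGE_SIZE 16           /* digit field followed by its neighbour */
#define CANARY     "INTACT"     /* stands in for whatever lives next in memory */

struct tz_record {
    char image[IMAGE_SIZE];     /* image[0..3]: digits, image[4..]: neighbour */
};

static void tz_record_init(struct tz_record *r)
{
    memset(r->image, 0, sizeof r->image);
    memcpy(r->image + TZ_DIGITS, CANARY, sizeof CANARY);
}

/* 1 if the bytes after the digit field are still what we put there. */
static int tz_neighbour_intact(const struct tz_record *r)
{
    return memcmp(r->image + TZ_DIGITS, CANARY, sizeof CANARY) == 0;
}

/* Shared prefix check: "GMT+" or "GMT-"; returns the digits or NULL. */
static const char *tz_digits(const char *field)
{
    if (strncmp(field, "GMT", 3) != 0) return NULL;
    if (field[3] != '+' && field[3] != '-') return NULL;
    return field + 4;
}

/* Vulnerable: copies until the terminating NUL and never compares the count
 * with TZ_DIGITS. The clamp at IMAGE_SIZE only keeps this demo inside its
 * own array; it is not a fix, the digit field still overflows. */
static int parse_tz_vuln(struct tz_record *r, const char *field)
{
    const char *p = tz_digits(field);
    if (p == NULL) return -1;
    size_t i = 0;
    while (*p != '\0' && i < IMAGE_SIZE)
        r->image[i++] = *p++;
    return 0;
}

/* Hardened: accept 1..TZ_DIGITS decimal digits, reject everything else, and
 * copy a length that was checked, not a length the sender chose. */
static int parse_tz_safe(struct tz_record *r, const char *field)
{
    const char *p = tz_digits(field);
    if (p == NULL) return -1;
    size_t n = strlen(p);
    if (n == 0 || n > TZ_DIGITS) return -1;
    for (size_t i = 0; i < n; i++)
        if (!isdigit((unsigned char)p[i])) return -1;
    memset(r->image, '0', TZ_DIGITS);          /* left-pad: "500" -> "0500" */
    memcpy(r->image + TZ_DIGITS - n, p, n);
    return 0;
}

/* Parse `field` into a fresh record with `parse`. Returns -1 if the parser
 * rejected the input, 1 if the neighbour survived, 0 if it was overwritten. */
static int run_parser(int (*parse)(struct tz_record *, const char *),
                      const char *field)
{
    struct tz_record r;
    tz_record_init(&r);
    if (parse(&r, field) != 0) return -1;
    return tz_neighbour_intact(&r);
}

int main(void)
{
    const char *inputs[] = { "GMT+500", "GMT+0505050505050505", "GMT+5x0" };
    for (size_t i = 0; i < 3; i++)
        printf("%-22s vuln=%2d safe=%2d\n", inputs[i],
               run_parser(parse_tz_vuln, inputs[i]),
               run_parser(parse_tz_safe, inputs[i]));
    return 0;
}
```

run_parser returns 1 when the neighbouring bytes survive, 0 when they were overwritten and -1 when the input is rejected; the hardened version rejects the long string outright and also the non-digit input that the unchecked version silently accepted. In the real case the neighbour is whatever the compiler placed after the array, possibly a saved return address, which is the difference between a crash and control of the machine.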
Re:MS Bugs (Score:2)
So far they couldn't exploit it to run code (Score:4, Informative)
A DoS resulting in a lockup of the machine has been verified on
Windows 2000 SP3 and Windows XP.
A remote compromise can not be excluded,
as we were able to fill EDI and EDX with our data.
It might be that they will find a way to run arbitrary code through this exploit, but so far they were only able to crash the system.
Re:So far they couldn't exploit it to run code (Score:3, Funny)
Maybe the short-term fix would be to run in Safe Mode. Then we're ok, right?
Re:Are you sure? (Score:2)
What can be exploited? (Score:2, Interesting)
Also, does this apply only to Windows systems using PPTP or to VPN hardware devices as well?
Re:What can be exploited? (Score:4, Insightful)
This is an extremely bad bug; VPN software is deployed to protect intranets whilst allowing machines outside to connect- often it is the only thing between an intranet and the outside world.
This is a really, really worrying thing; if an exploit rather than just a DoS exists, and they indicate that they think it probably does, it's a huge hole in tens of thousands of firewalls worldwide.
You've always got a choice; open source, or open wallet; now you've got open firewall too, thrown in at no extra charge. Nice!
Re:What can be exploited? (Score:2)
NT 4? (Score:2)
Re:NT 4? (Score:4, Informative)
I would expect RRAS to also be vulnerable, but there won't be a patch for it due to discontinued support.
Re:NT 4? (Score:2, Informative)
Re:NT 4? (Score:2)
This is good news considering we're only holding on to our NT4 server long enough to find a way to migrate to Linux. I'll be moving our PPTP server over to Linux this weekend now that I've read about this. I actually read it earlier in the day and wasn't sure what to do until I could find out more information.
NT4 Patches Will Be Released Until at LEAST 2004 (Score:2)
Look at the link that Tweek posted. They are being very careful not to piss off the server market. Windows 95 support started to disappear without warning. Compare that decision to the page Tweek referenced and you'll see the difference in attitude.
Details... (Score:2, Redundant)
Sent: Thursday, September 26, 2002 5:44 AM
To: bugtraq@securityfocus.com
Subject: Microsoft PPTP Server and Client remote vulnerability
phion Security Advisory 26/09/2002
Microsoft PPTP Server and Client remote vulnerability
Summary
The Microsoft PPTP Service shipping with Windows 2000 and XP contains a
remotely exploitable pre-authentication buffer overflow.
Affected Systems
Microsoft Windows 2000 and XP running either a PPTP Server or Client.
Impact
With a specially crafted PPTP packet it is possible to overwrite kernel
memory.
A DoS resulting in a lockup of the machine has been verified on
Windows 2000 SP3 and Windows XP.
A remote compromise should be possible deploying proper shellcode,
as we were able to fill EDI and EDX with our data.
Clients are vulnerable too, because the Service always listens on port
1723 on any interface of the machine; this might be of special concern
to DSL users who use PPTP to connect to their modem.
Solution
As a temporary solution for the Client issue, one might firewall the PPTP
port in the Internet Connection Firewall for Windows XP.
We don't know of any solution for Windows 2000 and Windows XP PPTP servers.
The vendor has been informed.
Acknowledgements
The bug has been discovered by Stephan Hoffmann and Thomas Unterleitner
on behalf of phion Information Technologies.
Contact Information
phion Information Technologies can be reached via:
office@phion.com / http://www.phion.com
Stephan Hoffmann can be reached via:
sh@phion.com
Thomas Unterleitner can be reached via:
t.unterleitner@phion.com
References
[1] phion Information Technologies
http://www.phion.com/
Exploit
phion Information Technologies will not provide an exploit for this issue.
Disclaimer
This advisory does not claim to be complete or to be usable for any
purpose.
This advisory is free for open distribution in unmodified form.
Articles or Publications that are based on information from this advisory
have to include link [1].
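The advisory above speaks of a specially crafted PPTP packet and of the service listening on TCP 1723, but not of which field overflowed. As an added example (not Microsoft's code and not a reproduction of the phion finding), here is how a control-connection receiver written in C would parse the RFC 2637 header and the Start-Control-Connection-Request body while checking every length against the bytes actually received. The header layout, the magic cookie 0x1A2B3C4D and the 156-byte SCCRQ size come from RFC 2637; the sample message is constructed inline, not captured from a real client.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example: defensive parsing of the PPTP control connection header
 * (RFC 2637, TCP 1723) and of the fixed-size Start-Control-Connection-Request.
 * Not Microsoft's code; the advisory does not say which field its overflow
 * involved, so this shows the checks any such parser needs, not that bug. */

#define PPTP_HDR_LEN     12
#define PPTP_MAGIC       0x1A2B3C4DUL
#define PPTP_MSG_CONTROL 1      /* PPTP Message Type: control message */
#define PPTP_CTRL_SCCRQ  1      /* Start-Control-Connection-Request */
#define PPTP_CTRL_MAX    15     /* Set-Link-Info, the highest defined type */
#define PPTP_SCCRQ_LEN   156    /* SCCRQ is fixed size, header included */
#define PPTP_NAME_LEN    64     /* Host Name / Vendor Name fields on the wire */

enum pptp_err { PPTP_OK = 0, PPTP_ERR_SHORT, PPTP_ERR_LENGTH, PPTP_ERR_MSGTYPE,
                PPTP_ERR_MAGIC, PPTP_ERR_CTRLTYPE, PPTP_ERR_BODY };

struct pptp_hdr { uint16_t length, msg_type, ctrl_type; uint32_t magic; };
struct pptp_sccrq {
    uint16_t proto_version, max_channels, firmware_rev;
    uint32_t framing_caps, bearer_caps;
    char host_name[PPTP_NAME_LEN + 1];    /* NUL-terminated by us, not by the peer */
    char vendor_name[PPTP_NAME_LEN + 1];
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}
/* The wire field is exactly 64 bytes and may carry no terminator at all. */
static void copy_name(char *dst, const uint8_t *src)
{
    memcpy(dst, src, PPTP_NAME_LEN);
    dst[PPTP_NAME_LEN] = '\0';
}

/* `avail` is what really arrived; the Length field is only the peer's claim. */
static enum pptp_err pptp_parse_hdr(const uint8_t *buf, size_t avail, struct pptp_hdr *h)
{
    if (avail < PPTP_HDR_LEN) return PPTP_ERR_SHORT;
    h->length = rd16(buf);      h->msg_type  = rd16(buf + 2);
    h->magic  = rd32(buf + 4);  h->ctrl_type = rd16(buf + 8);
    if (h->length < PPTP_HDR_LEN || h->length > avail) return PPTP_ERR_LENGTH;
    if (h->msg_type != PPTP_MSG_CONTROL) return PPTP_ERR_MSGTYPE;
    if (h->magic != PPTP_MAGIC) return PPTP_ERR_MAGIC;
    if (h->ctrl_type < 1 || h->ctrl_type > PPTP_CTRL_MAX) return PPTP_ERR_CTRLTYPE;
    return PPTP_OK;
}

/* Body offsets are relative to the 12-byte header; the exact-size check means
 * every read below lies inside the bytes the header check already bounded. */
static enum pptp_err pptp_parse_sccrq(const uint8_t *buf, size_t avail, struct pptp_sccrq *m)
{
    struct pptp_hdr h;
    enum pptp_err e = pptp_parse_hdr(buf, avail, &h);
    if (e != PPTP_OK) return e;
    if (h.ctrl_type != PPTP_CTRL_SCCRQ) return PPTP_ERR_CTRLTYPE;
    if (h.length != PPTP_SCCRQ_LEN) return PPTP_ERR_BODY;
    const uint8_t *b = buf + PPTP_HDR_LEN;
    m->proto_version = rd16(b);           /* b+2..3 is Reserved1 */
    m->framing_caps  = rd32(b + 4);
    m->bearer_caps   = rd32(b + 8);
    m->max_channels  = rd16(b + 12);
    m->firmware_rev  = rd16(b + 14);
    copy_name(m->host_name,   b + 16);
    copy_name(m->vendor_name, b + 16 + PPTP_NAME_LEN);
    return PPTP_OK;
}

/* Constructed sample (not a capture): build a well-formed SCCRQ, optionally
 * tamper with its Length field or magic cookie, and parse `avail` bytes of it. */
static enum pptp_err try_sccrq(const char *host, uint16_t claimed_len, int break_magic,
                               size_t avail, struct pptp_sccrq *m)
{
    uint8_t pkt[PPTP_SCCRQ_LEN] = { 0 };
    size_t n = strlen(host);
    pkt[0] = (uint8_t)(claimed_len >> 8);  pkt[1] = (uint8_t)claimed_len;
    pkt[3] = PPTP_MSG_CONTROL;
    pkt[4] = break_magic ? 0x00 : 0x1A;  pkt[5] = 0x2B;  pkt[6] = 0x3C;  pkt[7] = 0x4D;
    pkt[9] = PPTP_CTRL_SCCRQ;
    pkt[12] = 0x01;                        /* Protocol Version 1.0 */
    pkt[19] = 0x01;  pkt[23] = 0x02;       /* framing: async, bearer: digital */
    pkt[25] = 0x01;                        /* Maximum Channels = 1 */
    memcpy(pkt + 28, host, n > PPTP_NAME_LEN ? PPTP_NAME_LEN : n);
    memcpy(pkt + 28 + PPTP_NAME_LEN, "example", 7);
    if (avail > sizeof pkt) avail = sizeof pkt;   /* never read past our own buffer */
    return pptp_parse_sccrq(pkt, avail, m);
}

int main(void)
{
    struct pptp_sccrq m;
    int ok = try_sccrq("vpn-gw", PPTP_SCCRQ_LEN, 0, PPTP_SCCRQ_LEN, &m);
    printf("well-formed: %d host=%s vendor=%s\n", ok, m.host_name, m.vendor_name);
    printf("truncated: %d  inflated: %d  bad magic: %d\n",
           try_sccrq("vpn-gw", PPTP_SCCRQ_LEN, 0, 40, &m),
           try_sccrq("vpn-gw", 0xFFFF, 0, PPTP_SCCRQ_LEN, &m),
           try_sccrq("vpn-gw", PPTP_SCCRQ_LEN, 1, PPTP_SCCRQ_LEN, &m));
    return 0;
}
```

The check that matters is `h->length > avail`: the Length field in the header is the peer's claim, and on a stream socket a receiver should read the 12-byte header first and then exactly Length minus 12 more bytes, never an amount the peer chose into a fixed-size buffer. The two 64-byte name fields are copied by their fixed wire size and terminated locally, because nothing obliges the sender to include a NUL.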
Lawsuit, Linux VPN (details) (Score:2)
In reference to remarks about lawsuits. This is a smart move, this would probably help against the getting-our-asses-sued-by-MS possibilities.
If they poke their own machines I don't think it quite counts the same as hacking somebody else's machine and then telling them they're vulnerable.
I was just recently looking at the possibilities of setting up a Linux VPN, instead of opening up my Windows machines (/. never posted it, boohoo for me). This looks like a good reason to do it that way, anyone have suggestions? I've looked at FreeS/WAN [freeswan.org], but the online documentation is dead
I'm downloading the freeSwan files before their server gets slashdotted now too - phorm
Re:Lawsuit, Linux VPN (details) (Score:2)
FreeS/WAN works, kinda, if you don't mind it taking over routing and a couple of other things with it. pipsecd [debian.org] is a lot simpler (just tunnels, and not even dynamic) to set up, for fixed point-to-point links.
If you don't have to interoperate with win32 peers (other than merely routing for them), I'd suggest tinc [linux.org]. A lot easier to deploy than IPSec variants (in my experience), it's quite good security, and the most easily manageable solution I've come across yet, especially for meshes of more than two machines.
Freshmeat has lots of other possibilities, I haven't even tried the majority, let alone all of them. I'm sure you'll find something that suits your needs, though. =)
Re:Lawsuit, Linux VPN (details) (Score:2)
I would really like to hear more about how you set this up.
It's pretty straightforward but you must (through PPP negotiation) tell your PPTP clients where the WINS server is or you will not be able to go anywhere by name. We use PoPToP fairly regularly but are migrating to IPSec with certificates since Win2k supports it and it's a much better standard.
Re:Lawsuit, Linux VPN (details) (Score:2)
I don't really need server names, the main purpose is just for sharing certain files and/or IPX/SPX connections (for LAN games). No need for domain names as nobody will be using this connection to go anywhere but in.
I mean you need to send the WINS server info so you can get NetBIOS resolution. i.e. \\someserver instead of \\server.ip.address.here.
What are you doing to implement [Win2k x509 IPSec]?
This [ebootis.de] is where I got started. I was most confused when creating the certificates, and later (on win2k) when I realized that the software it asks you to install is just a wrapper for the code win2k already has.
And its a good thing! (Score:5, Insightful)
Thank goodness they will be keeping this information from the people who will do bad things with it. I'm sure that the script kiddies would never share this information with each other! Besides the nice people who are installing these systems really should be on a "need to know" basis anyways....
Screw the end user.
Re:And its a good thing! (Score:2)
Not if you're a competent sysadmin, and PATCH YOUR BOXES like you should...
An exploit is released on a Thursday or Friday like this. The code is posted, but the patch is not. You must be one fucking amazingly competent sysadmin to be able to patch this hole already. And no, shutting off the service is not always an option.
open source community debugs microsoft software (Score:4, Funny)
Slashdot Exclusive: Software Not Perfect (Score:5, Funny)
"For years people have believed that commercial software works flawlessly," said Slashdot editor Timothy. "We always believed that bugs in commercial software were just a myth - the kind of stories open source programmers told their children around late-night campfires."
Comments from Slashdot readers indicated the level of surprise. "It's unbelievable. Every operating system, word processor, web browser and game I've ever purchased has always worked flawlessly out of the box. And now they're telling us that there are bugs, and even security flaws? It's unbelievable!" commented one user.
"If software really does have flaws, this could really put the future of computing in jeopardy," added another. He continued, "Will people be willing to use software that saves them or their company thousands or millions of dollars a year if it's possible that an unlikely buffer overrun might release a credit card number? People will go back to writing documents with real pens and checking spelling with actual paper dictionaries!"
One apparently young poster thought there might be a little overreaction. "I don't know what a buffer overrun is, but as long as I can still IM girls to ask if they'll be my girlfriend and play counterstrike, I don't care either."
Re:Slashdot Exclusive: Software Not Perfect (Score:5, Insightful)
I write code and I've let more bugs out than I could possibly remember. They happen, it's part of the game. But two things make this type of thing mock-worthy. 1) MS has more net worth than most countries. They need to be held to a standard that their size and resources dictates. 2) Bill has quite publicly stated that security is now their number one priority. I for one have not seen any improvement in that department.
-B
Re:Slashdot Exclusive: Software Not Perfect (Score:2)
I think there are two variables at play; one being that security is a larger field and more people are looking for defects in Microsoft's code, and not just Microsoft; you'll notice that there are not more exploits in other operating systems, such as Linux and even OpenBSD. Two, Microsoft has been MORE responsive to fixing the bugs; XP now comes with an auto updater and sends fixes out automatically (if configured to do so).
It seems clear that Microsoft is more focused on security now than ever before; this doesn't mean we'll be hearing more about bugs, it means we'll be hearing about them more!
-Jon
Re:Slashdot Exclusive: Software Not Perfect (Score:2)
This is simply a method of sending out updates. It may or may not have anything to do with fixing bugs. Indeed it could just as easily ensure that buggy code gets distributed quickly.
Microsoft's Response: Keep it under wraps (Score:2)
It's okay if users whisper stories around the campfire about software bugs and hacking exploits, but we must make sure that they don't begin to peel back the layers of proprietary software and peer inside. After all, it is not the user's responsibility to worry about their welfare, they need to let the properly respected authorities handle things.
The best course of action is to deny all vulnerabilities reported on this Slashdot. Next, we should use these open forums to ferret out and prosecute anyone caught trafficking in vandalware or any information that could be used to create such an atrocity. Developers and users alike must be taught that they have no business worrying about what goes on inside their computer; that is the job of Proprietary Makers of Software.
I think not. (Score:2)
These are not bugs, just extended features that have not been documented. In this case a remote administration tool.
Re:Slashdot Exclusive: Software Not Perfect (Score:2)
Seriously tho, if you want to be the biggest player on the block, you'd better be prepared for more scrutiny. If you wanna be #1 in a market, you'll be the one wearing the biggest bullseye.
Just like bugs are a consequence of life, so are bullseyes. They have 40 billion in the bank to fight bugs with; most other companies do not. Whereas other companies deserve some slack because they don't have these resources, MS does not.
Defending the Indefensible (Score:2)
The Slashdot editors posted a link to a Microsoft-backed security organisation that is devoted to making the world a better place. Just because Microsoft, which has perpetrated just about every evil on the software industry imaginable, is the company backing this other company, doesn't mean it won't be completely impartial and cause security-related bugs to become freedom-loving United States citizens!
Slashdot is just full of trolls who can't understand that this is an ad hominem attack which means an argument that says whenever someone acts evil 100% of the time for 20 years you can't discount the possibility that this time they're acting to promote the greater good of mankind.
Just read the article, people! And I quote:
See? They're going to release drafts of the guidelines in early 2003. Nothing to worry about here, folks. Move along. DRM is good. Linux is bad. Stop worrying, buy your DVDs and CDs, and consume like you've never consumed before. If you don't like it, don't buy it. Microsoft is obligated to screw the consumer. There is no monopoly. The Justice Department meted out the justice already.
Re:Defending the Indefensible (Score:2)
So how come I already know that it's going to say:
"Partial disclosure should only be made after donating copious hours of free consultation to the vendor, full disclosure should never happen, even after the fixes are out..."
Who does OIS think they are trying to kid? (Score:3, Insightful)
This kind of information is only going to be considered "handed on a plate" to the inexperienced/newbie script kiddie who poses a minor threat. The kind of person who is going to do real damage, who has the skills and experience to aggressively hack a system is not going to gain anything from public disclosure, they will already know about the exploit. Limiting release only protects the vendor from the incessant cry for a fix..
Hmmm... (Score:2, Funny)
Re:Hmmm... (Score:2)
It's what people call themselves after they've just taken their two-week crash course on how to take the tests and pass the examinations. Apparently this is a good way of earning the degree if you don't plan on remembering any of it afterward.
I remember fondly an individual who'd said he was an "MSCE," who knew less about how his Windows-equipped PC worked than I did--and I'd only been fixing computers professionally for about a year.
Re:Hmmm... (Score:4, Funny)
Disclaimer: There are various (unofficial) levels of MCSE-- Some may not know how to play Minesweeper or Solitaire.
Disclaimer #2: I'm studying for a MCSE.
Re:Hmmm... (Score:2)
Re:Hmmm... (Score:2)
What CmdrTaco's spell-checker suggests for "MCSE".
MCSE quotes. (Score:3, Funny)
Yea, so what? They won't have a patch ready for weeks. I'm going to play golf.
It is acting kinda strange. You better reboot, just to be sure.
The server's down? Again??
It can't be down. I rebooted it 5 minutes ago.
Naw, they won't bother us. It's not like we're the DOD or something.
Don't bug me now. I've almost got high score on Pinball.
Sure, I've heard of Linux. It sucks!
More Details from cnet (Score:3, Informative)
cnet technews [com.com]
From the article:
"This is top priority","We are proceeding with all due speed." - Christopher Budd, Microsoft security response center
I have a new Band (Score:2, Funny)
Coming to a VPN near you...
GREAT !?!?! months down the drain. (Score:2)
I spent months trying to get my IPTables firewall to allow PPTP connections to my NT server. I doubt Microsoft will address this since they have all but abandoned this type of VPN. That settles it: IPSEC in tunneling mode, here I come.
Re:GREAT !?!?! months down the drain. (Score:2)
Yeah right, IPTables does not support Protocol 47, which is required. The only way to get it to work is to patch the kernel, and the patch only works with version 2.4.17. If you do get it to work it only supports one connection at a time. My server wouldn't work on a 2.4.17 kernel because of required hardware versions that worked only with later versions, so the patch is out of the question. The IPTables version of the PPTP patch was just released with patch-o-matic and that fails whenever you try to apply it.
PPTP? (Score:5, Informative)
One of the first things I did when I took over my current company's network was to shut down PPTP and move everyone to an IPSec VPN. The upside is better security, the only downside was they had to install a client. You couldn't VPN from a stock Windows box. You have to install the Cisco client. Now with the Cisco gear working with Win2K/XP's L2TP and IPSec even that isn't an issue.
Re:PPTP? (Score:2)
I can walk a remote user through a VPN setup with the 2K PPTP setup in under 5 minutes with my eyes closed. I'm not sure I can walk myself through the 2K IPSec setup without some external docs to set it up.
I'll grant you its simple with tunneled mode between two router-like devices, but client end nodes?
Also, I think most of the security vulnerabilities of PPTP were specific to an older, unpatched MS client or server. I don't think a modern (2k/XP) PPTP stream is particularly vulnerable.
Re:PPTP? (Score:2)
Setting up L2TP/IPSEC is basically the same routine. Only you have to install a certificate as well, using MMC (XP/2000) or IE (95/98/ME/NT4).
Also, I think most of the security vulnerabilities of PPTP were specific to an older, unpatched MS client or server.
Yes, most of them [counterpane.com]. But how good are your users' PPTP passwords? [uni-freiburg.de]
I don't think a modern (2k/XP) PPTP stream is particularly vulnerable.
What does the Windows version have to do with this? Is the implementation in, say, Win95 flawed, compared to Win2000/XP? What do you know that we don't know? :-)
Re:PPTP? (Score:2)
Up until I lost my job today, I used PPTP to gain access to any part of a fairly large IPSec-based WAN that did private network routing on top of the internet. Pretty sweet eh? It was fairly useful when I was at the LAN party gaming away and needed my q3 key or something off one of my workstations.
Re:PPTP? (Score:2)
Re:PPTP? (Score:2)
Note that whether or not IPSec will work through your NAT has absolutely *nothing* to do with the IPSec implementation. IPSec's difficulties with NAT are inherent in its design (and understandably so). So referring to most IPSec implementations as "NAT friendly" is probably not correct.
Re:PPTP? (Score:2)
But I've been using Nortel's Contivity client, through 2 levels of NAT without other problems, using Mandrake 8.2 as a firewall, and that was even over wireless connections. I think there may be something clever in the Contivity client to enable this, but I may be wrong. I've never used FreeSwan, but I looked at the documentation and it seemed to suggest that it wouldn't work with multiple levels of NAT, but I haven't any hands-on experience.
Re:PPTP? (Score:2)
Re:PPTP? (Score:2)
Correct. Note that the IPSEC over UDP standard has not been ratified yet. It also adds some overhead.
For FreeS/WAN you'd need the unofficial NAT-T patch [freeswan.ca].
Re:PPTP? (Score:2)
Re:PPTP? (Score:2)
In a word, you're full of shit. People use VPNs because they care about security.
VPNs are useful only when you have servers which grant access based on source IP address or other such nonsense.
What have you been smoking? People use VPNs to link large networks together, and to allow standard protocols (like filesharing) to operate.
Show me a "secure protocol" that allows you to mount your home directory across a network.
OK - this is a troll
Ahh, now I understand. Please answer this question: how the hell did a troll with such a low user ID get to post at 2?
Re:PPTP? (Score:2)
I thought having a low user ID gave one the right to troll. Taco and gang do all the time!
Oh wait! I'm trolling. At 2 no less. It must the low user ID. Aaaaahhhhh!
Re:PPTP? (Score:2)
I accept that hiding the problem from the outside world is better than leaving it exposed, but still the best answer would be to fix the problem altogether (using Kerberized NFS, if such a thing existed, or just ssh/scp).
So, what's new? (Score:2, Informative)
PPTP's encryption algorithm was cracked years ago (in fact, about a month after it was introduced) by Bruce Schneier (sp?) et al. and hasn't been considered safe ever since.
So now we have a buffer overflow exploit in a "VPN" product which was already known to be insecure. Another nail in PopTop's coffin, but little else.
At the time, Schneier referred to Micro$oft's clumsy attempts at do-it-yourself encryption as "Kindergarten Cryptography."
Nothing has changed much since then, except that maybe they've graduated to somewhere around Third Grade by now....
Seems you're still stuck in kindergarten. (Score:2)
Kindergarten cryptography? Don't think so.
PPTP & ADSL (Score:3, Informative)
This means that gazillions of machines using a "secure" ADSL channel are now vulnerable.
Ho Hum. Am I glad not to be using LoseDows.
Re:PPTP & ADSL (Score:2)
It's simply used to tunnel all sorts of network traffic between the ethernet adaptor and the modem. I believe this is why a typical ethernet ADSL modem works fine behind a switch or hub.
I could be completely full of shit, too. I do recall reading about PPTP being used by my Alcatel modem, but it doesn't require any oddball software on my side (just PPPoE and pppd).
Anyway, if this is the case, I don't think DSL users are at risk in this situation. But of course I can't be sure, but it seems like it's a completely unrelated use of the PPTP protocol...
Exploit, shmexploit! (Score:4, Funny)
Man, we praise Tivo for allowing a certain series of keystrokes to allow 30-second fast-forwarding (or is that ReplayTV, I don't remember). But when MICROSOFT has secret, useful features in place.... we rip them apart! Come on people!
(yes, it's humor, calm down)
Virtual Public Network (Score:3, Funny)
The PPTP bug (Score:2)
Okay, maybe you can confirm that their claim is true using some black box testing. Unfortunately, the guys with the unlimited time budget aren't the good ones, usually.
I don't understand the purpose of this advisory, really (at least not from a technical perspective). I don't think anyone has got a policy to disable any services based on such information. Microsoft won't admit that there is a problem until they have got some fix. The bad guys will work overtime to discover the exact nature of this security defect, and the good guys will work overtime as usual, but are busy with other issues.
Doomsday? (Score:5, Insightful)
Yes, Mr. Customer, I did charge you quite a bit, but I have enclosed a listing of the bugs and security flaws that I patched while I was here. These are things you usually never know about until you get burned by them, but I feel I owe it to you to stay on top of them and help you stay current...
Microsoft+Bugs+Patches=Value added for me
Keep up the good work, Bill!
Re:Doomsday? (Score:2)
I was expecting to see one of those profit lists. You know...
1) Patch Microsoft bugs
2) ???
3) Profit!!!
PPTP is not used anymore (Score:2)
MS also said that they can't find a way to make this vulnerability execute code on the target, vulnerable machine (CNet.com's article on this). An advisory from an unknown group which hasn't informed the vendor first but finds it necessary to cry out loud from the top of their lungs that they found a possible flaw in an old protocol and everyone should know about it, isn't very trustworthy IMHO. I think the German security group was running low on attention. Well, they got their attention now.
I hope next time they are not this stupid and think about the people who run vulnerable systems and first discuss the flaw with the vendor and after a period (say 3 weeks) publish the flaw.
Limited disclosure doesnt take the problem away. (Score:2)
Why does Microsoft believe that just because nobody tells them about an exploit, nobody uses it? One would imagine that if I were a hacker who works freelance, I wouldn't reveal my hacks to Bugtraq. If I did, my tools to do the work (steal information) would be gone.
When Bugtraq gets information about an exploit, it could have been known to foreign governments and real hackers for years. Waiting before we release exploits will only give a false sense of security, but I can imagine that's right up Microsoft's alley.
Jackasses... (Score:5, Insightful)
So, in other words, let's say you run a company with a PPTP VPN. Some "security research group" sends a press release to CNET, and then eventually gets around to posting about it to bugtraq. No more information is available. You don't know whether it's a valid issue, whether it's a DoS or a remote compromise, or whether or not you're even vulnerable. Do you pull the plug on your VPN? How much money would you stand to lose by disconnecting your corp net vs. standing by and waiting for more info? Meanwhile, thousands of kids and unsavory professionals are sitting at home working on finding the PPTP bug for themselves. Pity you don't have the same amount of time to do that yourself.
At that point, your only hope is that someone else found the bug independently, and releases a real advisory to the standard lists, so you can become aware of the scope of the problem. Someone who wasn't as concerned with media exposure as with accurate reporting and security in general.
Incidentally, a search on securityfocus.com for Phion generates no hits for any other issues or advisories, just the "end of the world" VPN flaw [silicon.com]... we'll see.
Microsoft already has the advantage, so... (Score:2)
Microsoft, of course, wants restricted disclosure so that its patches (binary only) are an advantage over open-source (which has patches in source code, and is in effect a full disclosure). If that becomes the way of things, you can be sure they will abuse the system and be lax about it. That's why full disclosure is essential.
However, even with full disclosure after a fixed period of time, Microsoft will still have an advantage because the bug won't be revealed readily by the binary patch, whereas an open-source patch will prematurely reveal it. So Microsoft will have an advantage over open source either way. That means only one reason remains for them to want to suppress full disclosure; they want to be able to avoid having to develop and deliver patches in a timely manner (possibly to hold off for months so they can package it up with more and more control-ware that gives them more control over your PC).
as a corporate firewall admin (Score:2)
Re:as a corporate firewall admin (Score:2)
As far as click-through agreements go, they've barely been tested in court and as IANAL I'll reserve judgement. We've recently been exploring the legal ramifications of email retention... Lawyers could make falling off a log difficult if there was a dollar to be made at it...
Re:as a corporate firewall admin (Score:2)
If they encounter massive loss due to a vendor's lack of disclosure, and they would have been able to readily prevent the loss if the vendor had disclosed, they should have the makings of an "interesting" court case.
What do you bet.... (Score:2)
These bugs should be avoidable (Score:2)
Non Disclosure (Score:2)
Script kiddies are not the problem. Let this message be shouted from the hills. A script kiddie scrawls his name on your corporate web page and leaves a little egg on your face. They are harmless. The person you need to worry about a LOT is the hacker who knows what he is doing, who already knows your flaws, and is looking for your company secrets, your pre-patent diagrams, your strategy memos, and wants to sell them to the highest bidder.
I'm sure the PR people are working on a fix! (Score:2)
Reminds me of a conversation I had with my employer (Score:3, Funny)
Me: 'kay, what are we using?
IT guy: eSmith VPN
Me: Which is? PPTP VPN? IPSec?
IT guy: What? Use Windows 2K VPN to connect.
Me: Uh, right. I'll be using PPTP on my Linux box, is that all right?
IT guy: No way!
Me: Why not?
IT guy: It's not on the approved software list, therefore it's a potential security risk.
Me: Uhhh... all right. Then I'll use Win2K VPN.
IT guy: Really?
Me: Sure, as far as you know.
Which pretty much sums up commercial IT. Better the devil you know than the devil you don't.
Re:wow, interesting (Score:4, Informative)
Re:wow, interesting (Score:2, Funny)
The commercial applications are slim...unless you have a company that gets paid to take down other people's servers.
You mean like VA Software Corporation [slashdot.org]?
Re:wow, interesing (Score:3, Funny)
Hello, RIAA. We have a business opportunity for you...
Re:wow, interesting (Score:2)
Re: wow, interesting (Score:2, Funny)
> These vulnerabilities only allow DoS attacks, not intercepting data.
Couldn't a hostile party use your server's pattern of up and down times as Morse code, to send secret messages or something?
Re:wow, interesting (Score:2)
Frontpage 2000 server extensions: DoS
Frontpage 2002 server extensions: Run arbitrary code
The 2002 vulnerability, allowing arbitrary code to be run, shows how serious Microsoft was about $ecure computing.
Two reasons (Score:2)
2. Most Slashdot readers run Windows [slashdot.org], whether they admit it or not. Many Slashdot readers also administer Windows boxes professionally therefore, such posts are important and informative.
Re:time to start firing/ reducing pay (Score:2)
Re:time to start firing/ reducing pay (Score:2)
MS Buffer Overflow was written, but it kept crashing. Some kind of overflow bug or something.
Re:time to start firing/ reducing pay (Score:2)
I don't know if you're a programmer or not, but it's really not just that simple. Many pointers are completely dynamic, depending on many other dynamic things that simply couldn't possibly be found at compile time.
And many times, you might pass a pointer off to a function (that is in a separate library), which then manipulates the memory pointed to, and passes a pointer off somewhere else, ad infinitum. It's just not always that easy in a reasonably complex piece of software to just find and eradicate buffer overflows.
Even the debug runtimes for MS VC++ aren't perfect; they simply allocate a couple extra bytes on either side of any allocated memory, and if those bytes are touched a breakpoint is called the *next* time you access a memory-related function. Which doesn't always help (especially in a multi-threaded program).
Sorry for the rant, but I've been knee-deep in VC++ all day hunting buffer issues (not security-related but still a pain). It's very easy to overstep what you allocated, especially when you're several functions (and possibly several DLLs) away from where you started...
Re:Microsoft is a bunch of hacks (Score:2)
You must be a certified genius! (Score:2)
Fucker.
Blackmail? (Score:2)
Are you seriously proposing that security vendors should blackmail software companies? I can imagine that now:
Full disclosure is the only response that makes any sense at all. The end users should be able to decide for themselves if they should risk their information with unpatched software.
Mod this up (Score:2)
K.I.S.S. (Score:2)
It's very easy, and almost predictable, to "out-smart" yourself.
I'm not sure of the origin, but I think KISS originated in Lockheed's Skunkworks. The original "stupid" was probably something like a 19-year-old PhD from MIT. The real battle is against Mother Nature, and she's got enough tricks up her sleeve so that, comparatively, *everybody* is stupid.