Microsoft admits 'critical' flaw
RCNelson
10th February 2004, 05:54 PM
Microsoft admits 'critical' flaw (http://news.bbc.co.uk/1/hi/business/3477899.stm)
From the BBC:
Microsoft has warned that a "critical" flaw in the latest versions of its Windows operating system could allow hackers to access a person's computer.
In its monthly security bulletin, the world's largest software maker said Windows versions NT, 2000, XP and Server 2003 were affected.
Giving the problem its highest security rating of "critical", Microsoft has called on users to download a software repairing patch free from its website.
This is said to cure the problem.
The flaw is also said to be completely unconnected with the latest clutch of computer viruses currently causing problems around the world.
'Serious vulnerability'
It could however allow hackers to quietly break into someone's computer to steal files, delete data, or eavesdrop on what that user is doing.
Marc Maiffret of eEye Digital Security, the US company that discovered the Windows flaw, said it was a major issue.
"This is one of the most serious Microsoft vulnerabilities ever released," said Mr Maiffret.
"The breadth of systems affected is probably the largest ever."
He added: "This is something that will let you get into internet servers, internal networks, pretty much any system."
http://windowsupdate.microsoft.com/
Captain_Snort
10th February 2004, 09:08 PM
But as M$ has stopped magazine cover discs carrying security updates, and it's bound to be yet another huge download to fix, it's just yet another reason to ditch M$ and use a decent OS.
(either that or go broadband)
shanek
11th February 2004, 06:27 AM
Actually, it's only about 300K. It downloads and installs easily. So, if you're running Windows, DO IT NOW!!!
Soapy Sam
11th February 2004, 10:41 AM
Thanks RC. I have auto update off (along with most other so-called "services"), so I tend to forget about security patches. I just looked.
I'm due a 21.9MB download.
I remember when the whole damn OS came on 1 floppy!
(Exits, dribbling into long grey beard.)
TillEulenspiegel
11th February 2004, 02:02 PM
Its effects are so pervasive that it seems this would be a source code level hack to exploit. I'm not happy with MS's response, but I wonder how many people really know enough code at that level (besides MS code drones) to exploit it. That SHtuff is like the secret Coca-Cola formula, not commonly available.
shanek
11th February 2004, 05:43 PM
Well, don't worry; there are only at least seven other unpatched security flaws in Windows Microsoft hasn't gotten around to patching yet...
Bottle or the Gun
11th February 2004, 05:59 PM
I read somewhere that the next MS OS won't give free patches. Is this Anti-Bill propaganda? Are we expected to pay for fixes for buggy software or remain vulnerable?
a_unique_person
11th February 2004, 06:03 PM
Originally posted by Soapy Sam
Thanks RC. I have auto update off (along with most other so-called "services"), so I tend to forget about security patches. I just looked.
I'm due a 21.9MB download.
I remember when the whole damn OS came on 1 floppy!
(Exits, dribbling into long grey beard.)
I remember when you had to type it in.
Zep
11th February 2004, 06:06 PM
Originally posted by Soapy Sam
I remember when the whole damn OS came on 1 floppy!
(Exits, dribbling into long grey beard.)
I can remember when the whole OS came on 20 feet of punched paper tape!
(Exits in wheelchair)
shanek
11th February 2004, 06:25 PM
Originally posted by Soapy Sam
I remember when the whole damn OS came on 1 floppy!
You mean, like this? (http://www.menuetos.org/)
richardm
12th February 2004, 03:13 AM
Originally posted by Zep
I can remember when the whole OS came on 20 feet of punched paper tape!
(Exits in wheelchair)
Paper tape? We had to set up the OS using a bunch of switches on the front panel!
(Exits in back of hearse)
shanek
12th February 2004, 06:32 AM
Rocks! We had to move ROCKS, I tell you!
(exits in hermetically sealed fossil preservation container in museum's bus)
TillEulenspiegel
13th February 2004, 11:34 AM
Well after I* created the universe on the 7th day I* took a breather. I* was musing how the laws of the universe should be written. Should I* encode the laws in software or hardware? I* tried both. One effort produced spoken word which, looking at how creation myths and the bible (hehe, that's a good one) turned out, was a poor idea; the other is ..... well you know Pi and e and there's others out there. Guess I* should never 2nd guess myself.
---God (well that's my avatar's name anyway)
*(he who shall not be named, tm.)
jnelso99
13th February 2004, 01:32 PM
I like how getting the swastika and Star of David out of the Bookman Symbol 7 font rated a "critical" Windows update.
teddygrahams
13th February 2004, 06:35 PM
Originally posted by richardm
Paper tape? We had to set up the OS using a bunch of switches on the front panel!
(Exits in back of hearse)
Some Army recruiting ads invited you to "learn computer programming" on the Eniac, using patch cords!
TillEulenspiegel
14th February 2004, 01:44 PM
Evidently my thoughts on the hack being source code level were correct, seems Micro$oft is looking for a mole.
(there's a similar thread)
http://news.bbc.co.uk/2/hi/technology/3485545.stm
scribble
14th February 2004, 07:29 PM
Originally posted by TillEulenspiegel
Evidently my thoughts on the hack being source code level were correct, seems Micro$oft is looking for a mole.
(there's a similar thread)
http://news.bbc.co.uk/2/hi/technology/3485545.stm
What are you talking about?
A) What does it mean to say a hack is "source code level?"
B) Does the article have anything to do with any critical flaws in Windows? No.
Is anyone other than you drawing this connection?
jimlintott
15th February 2004, 05:08 AM
I'm not sure that the source code leak represents a big security problem for Windows users in the future. I suppose it is possible that there are some glaring back doors in it that could be exploited but most MS exploits are buffer overflows and social engineering. If some bugs are going to be obvious in the source you would think that MS coders would have fixed them already.
The problem for MS is that this is another blotch on an already weak security record. They are losing trust amongst their customers. That is a business killer.
TillEulenspiegel
15th February 2004, 10:44 AM
A) What does it mean to say a hack is "source code level?"
Source code is the human level programming language used to write a program for a computer, i.e. C++, Basic, COBOL, FORTRAN. This is a high level language that shows the structure of what the programmer is attempting to accomplish; normally it will include labels that give a programmer an intuitive grasp of highly complex programming ideas and convenient management of I/O processes and interrupts.
The program then is converted either directly to machine language or through an intermediate process to assembler language then machine code. Machine code is nothing but 0s and 1s; in its finished form it excludes all comments and structures that make high level languages easy for humans to use.
"Hack" is a loose term like Kluge and has various meanings; the usage in this case meant (which dates me) .. to cobble together a small program or just some lines of code that take advantage of the structure of Windows OS. The level of the knowledge of the person who could do this demonstrates an understanding of the source code of Windows, which is one of the most closely guarded secrets since the Pythagorean theorem.
B) Does the article have anything to do with any critical flaws in Windows? No.
Well perhaps I responded with more latitude to the thread topic than you would allow, but the truth is there is no flaw, just an intimate knowledge on someone's part that they sought to expose to a wide audience. Well consider it a rebuttal to the idea of a flaw and not an OOT response.
Is anyone other than you drawing this connection?
Umm Yes..........
http://news.independent.co.uk/digital/news/story.jsp?story=491183
http://www.microsoft.com/presspass/press/2004/Feb04/02-12windowssource.asp
http://msnbc.msn.com/ID/4253584/
Personally I preferred the brevity of my other post, like a joke , if you have to explain it...
edit to add:
Agree Jim, that's why the open source model (Linux) is better. It's subject to the most brutal examination and debugging process that ensures robustness because it is not profit driven and fixes bugs on the fly and when there is a security flaw (or more normally a driver flaw =) ) it is addressed and not sat upon.
scribble
15th February 2004, 03:02 PM
Originally posted by TillEulenspiegel
A) What does it mean to say a hack is "source code level?"
Source code is ...
"Hack" is ...
Thanks, I'm a professional programmer. What I'm asking is what you meant by using those words together. It reads like nonsense.
For the record, I imagine most people in the industry would read "source code level hack" to mean a hack that has been inserted into the source code for the target project, which is not at all how the Windows security flaws are taken advantage of (*).
The level of the knowledge of the person who could do this demonstrates an understanding of the source code of Windows, which is one of the most closely guarded secrets since the Pythagorean theorem.
This is what I suspected you probably meant, but it's simply untrue. If you'd care to support that statement, I'd love to hear your support.
Is anyone other than you drawing this connection?
Umm Yes..........
http://news.independent.co.uk/digital/news/story.jsp?story=491183
http://www.microsoft.com/presspass/press/2004/Feb04/02-12windowssource.asp
http://msnbc.msn.com/ID/4253584/
I wasted my time looking at all three of these links, none of which draws any connection between the latest hacks to affect Windows and the release of the source code, which is what you are claiming.
... (Linux) is better. It's subject to ... examination and debugging process that ensures robustness because it is not profit driven ...
(Emphasis mine)
Untrue. Many, many contributors to the Linux source code are *completely* profit driven. You need look no further than mods submitted by developers of Linux distributions.
Even if it were true, you're the only person I know who claims profit motive makes Linux better. Why do you feel that is so?
... and fixes bugs on the fly ...
What meaning does "on the fly" have in this context?
and when there is a security flaw (or more normally a driver flaw =) ) it is addressed and not sat upon.
I'd insert "more likely to be" - but otherwise very true.
-Chris
(*) We don't know of any "hacks" in the Windows code like this, but it is well known that one of the major arguments for open source is that it makes this kind of "hack" less likely to succeed.
Beanbag
15th February 2004, 07:54 PM
Originally posted by Captain_Snort
But as M$ has stopped magazine cover discs carrying security updates, and it's bound to be yet another huge download to fix, it's just yet another reason to ditch M$ and use a decent OS.
(either that or go broadband)
I'll gladly dump Windows when there is an alternative OS that doesn't require technical support just to install it.
Case in point -- my foray into Linux. Spent two weeks trying to get it to load up, configure the display, and set up the Ethernet connection. Ended up dumping it and moving to Windows ME. It installed in less than an hour, found ALL the hardware without having to go hunt drivers on the net.
Migrated a second Windows ME machine to XP using the upgrade package this afternoon. Went for a complete reinstall, rather than keeping what was on the hard disk originally. Install time was about 45 minutes. I confess it didn't find the integrated sound system on the first boot, but it found everything else, and three minutes after I put in the CD with the motherboard drivers, it was making sound.
One comment made by one of the forum members in the "Why Windows will never replace Linux (for now)" thread was particularly telling -- the gentleman flat came out and admitted that EVERYONE had trouble installing Linux. Gripe about Windows and Microsoft all you want, but they probably do the best job of supporting the customer as far as getting a functional install on a ragtag assortment of hardware. That's why I'll spend the hundred bucks (US) to get an upgrade to XP, instead of downloading a free copy of Linux. I want to USE my computer, not fiddle with it.
I've looked at MenuetOS -- I like the potential in what I see, but for the moment, it's pretty much a cardboard shell. Looks good, does a few things well, has ZERO support and absolutely NO formal documentation. As soon as they get to a release number greater than or equal to 1 (current release is .75), it might be useable for something other than a hobby machine.
Sloppy coding in Windows? You can make a case for it, though it might be interesting to see what percentage of the modules contain "errors" and exploitable flaws when compared to the system overall. I --think-- they wrote the code to do the tasks specified at that time, and made a reasonable effort to anticipate possible problems. One of the axioms of programming since CP/M days is that no matter what safeguards you build into your code, some ingenious idiot will find a way to sneak bad data or malicious intent around them.
Nobody offers an OS that comes even close to the functionality and ease of use that Windows does, with the exception of Apple and their Macintosh OS's. Windows got out on the market with the widest distribution and the greatest number of installations. To think that everyone is just going to migrate to some mythical equivalent OS overnight at zero cost is about as reasonable as to expect some Microsoft programmer to cut a few lines of code some evening to correct some just-discovered flaw in the base software and make it available as an upgrade. Fixes take time when other code is built on the code that's been altered -- you've lost all the field experience from having the original code out in the field, actually being used by the people who paid for it to begin with. You can't tell me that you software jockeys out there haven't spent several sleepless days or weeks chasing down bugs created by some relatively minor change in a program you've written that rippled outward and messed up something else.
That said, I feel that Windows is probably too large and certainly too expensive. I subscribe to the Borland Turbo Pascal for DOS pricing scheme -- if you get the price down to $49.95, people will buy all the copies they need, rather than pirating a copy from somewhere else. Witness iTunes' success with 99 cents a song downloads.
Regards;
Beanbag
epepke
15th February 2004, 11:10 PM
Originally posted by Beanbag
I'll gladly dump Windows when there is an alternative OS that doesn't require technical support just to install it.
Well, there is one--Mac OSX--but you probably want one on commodity hardware.
And there used to be one--Be OS--but they're dead.
One comment made by one of the forum members in the "Why Windows will never replace Linux (for now)" thread was particularly telling -- the gentleman flat came out and admitted that EVERYONE had trouble installing Linux. Gripe about Windows and Microsoft all you want, but they probably do the best job of supporting the customer as far as getting a functional install on a ragtag assortment of hardware.
Except the SuSe distribution really is a no-brainer to install. But you had a valid point in the other thread, because SuSe is just one distribution, and when people think "Linux," they think that all distributions were equal.
jimlintott
16th February 2004, 06:40 AM
Which model would result in the most secure OS?
1) Keep the source code a closely guarded secret.
2) Assume that the bad guys have the source code.
shanek
16th February 2004, 09:30 AM
Originally posted by Beanbag
I'll gladly dump Windows when there is an alternative OS that doesn't require technical support just to install it.
As if you don't to install Windows? I've had far more troubles installing Windows than Linux.
Case in point -- my foray into Linux. Spent two weeks trying to get it to load up, configure the display, and set up the Ethernet connection.
What distro & version?
I once raced a guy who insisted that Windows was a quick, straightforward install. This was in the Windows NT/Red Hat 6.2/NetWare 5.1 days. We had identical systems. He installed Windows NT. I installed, sequentially, Red Hat 6.2 and Novell NetWare 5.1. I fully installed Red Hat, went to install NetWare but it failed mid-install and I had to redo the installation from scratch...and I STILL beat him!
One comment made by one of the forum members in the "Why Windows will never replace Linux (for now)" thread was particularly telling -- the gentleman flat came out and admitted that EVERYONE had trouble installing Linux.
I don't. Every time I install SuSE 9.0, it just simply works.
Gripe about Windows and Microsoft all you want, but they probably do the best job of supporting the customer as far as getting a functional install on a ragtag assortment of hardware.
Bull$#!7. Try getting a straight answer from Microsoft when something doesn't work. I can always get a Linux solution in ten minutes at no charge whatsoever.
Also, installation ain't everything. It seems like all the time with Windows I'm having to recover from some crash or having to roll back to a previous restore point because the system has farked itself up and Microsoft doesn't give you any way of fixing it. Whereas Linux—I have to say it again—just simply works.
TillEulenspiegel
16th February 2004, 10:23 AM
"Thanks, I'm a professional programmer. What I'm asking is what you meant by using those words together. It reads like nonsense."
"For the record, I imagine most people in the industry would read "source code level hack" to mean a hack that has been inserted into the source code for the target project, which is not at all how the Windows security flaws are taken advantage of (*)."
My, you are being pedantic, aren't you? Well, if I didn't use the correct nomenclature I apologize, but I suspect most knew what I meant. I'm a hardware geek and programming is just on the periphery of my profession, so I know enough to muddle through. I would label "a hack that has been inserted into the source code for the target project" to be a backdoor but maybe I'm wrong there also. The truth of the matter is that this is not a hack as defined by me and others or a flaw as described by Microsoft, but a vulnerability that stems from the fact that many people have source code to examine and exploit.
"This is what I suspected you probably meant, but it's simply untrue. If you'd care to support that statement, I'd love to hear your support."
What is untrue? That this involves source code being leaked or that Microsoft guards its proprietary software closely? They do distribute APIs and I/O and interrupt schedules (maps? addresses? can't be too careful with words) for third party vendors but not normally huge chunks of source code.
"I wasted my time looking at all three of these links, none of which draws any connection between the latest hacks to affect Windows and the release of the source code, which is what you are claiming."
The articles are all based on the topic we were discussing.
"Untrue. Many, many contributors to the Linux source code are *completely* profit driven. You need look no further than mods submitted by developers of Linux distributions."
I said the "Model" not certain vendors - Red Hat, SuSE, etc.
"Even if it were true, you're the only person I know who claims profit motive makes Linux better. Why do you feel that is so?"
I did not say that, I said "because it is not profit driven", without an eye towards the bottom line or the next release.
The GNU open source project softwares (including Linux) is written, tested, revised all in the open by anyone who has the expertise to successfully attempt it ( and some who don't ) . It's analogous to the peer review process of scientific papers and abstracts, which are published in your community are subject to, all have the opportunity to prove or disprove the validity of the paper.
"What meaning does "on the fly" have in this context?"
Defects corrected - easily detected and patched.
I'd insert "more likely to be" - but otherwise very true.
-Chris
I didn't post to start a pissing contest, merely to say that my estimate of a "Flaw" with such far reaching consequences must be at the source level and not another MS IIS php or buffer overflow hack seems correct. I do not wish to engage in a debate of syntax or labels so now, having explained myself, will remove myself from this thread.
Cleon
16th February 2004, 12:48 PM
Originally posted by shanek
I don't. Every time I install SuSE 9.0, it just simply works.
Agreed. I had not run Linux at home for a couple of years, and then always Slackware. Last week I decided to go ahead and install SuSe 9.0--my first time at home with a non-Slackware distribution. The only "gotcha" was that I, for reasons I cannot currently fathom, decided to install off the FTP site rather than just go out and get a copy of someone's CD. So it took a long time to install.
But when it did install, it auto-detected everything, including my optical USB mouse, printer, network card (and thus DSL), everything. Back in The Day (1995) when I started running Linux you had to set all that stuff up manually, recompiling the kernel with proper driver support and tweaking all the conf files. Linux has come a long, long way. I would actually say that on a Suse system running KDE, you could use it as a desktop OS for the average computer user. Really--it's THAT easy.
I've had only minor problems with it since, and nothing that I didn't get an answer for minutes after posting a question to a newsgroup or listserv. And I didn't have to pay a dime to technical support or wait on the phone, listening to crappy hold music.
Beanbag
16th February 2004, 04:10 PM
I've had fewer problems (like NONE since Windows 98) installing Windows than with my two hacks at Linux. Stability has never been a problem, but then again, I'm VERY conservative with what I install, hardware- and software-wise, on my machines. That may be why it's been years since I've seen a Blue Screen of Death on one of my machines, and lockups only occur when I un-hibernate with Windows Media Player 9 on my laptop :D
I may give SuSE a try, now that I've got a spare machine or two.
Regards;
Beanbag