Time: 14:39 EST/19:39 GMT | News Source: eWeek | Posted By: Robert Stein
There seem to be two competing visions at the company—one in which security is paramount and another in which top priority goes to features that make it easy for anyone to build applications.

#1 By 12071 (203.185.215.149) at 4/12/2004 8:04:01 PM
Given that you're the most ignorant person on the face of the planet when it comes to Linux (i.e. distros not being free, having to recompile your kernel and applications etc etc etc etc), how about you spare us your opinions on what the vision for Linux is and is not.
Plus Microsoft has no security dilemmas! According to Microsoft they have never had an exploit written before they released a patch.... except for that other week .... and that time before then .... and well, let's just ignore those and keep pushing the same message, that things have changed, that security is #1 now!

#2 By 7797 (63.76.44.67) at 4/13/2004 8:39:23 AM
If it weren't so sad it would almost be amusing to watch Parkker and sodablue ramble on about how crappy Linux is. Can't we have one (1) discussion about the topic without bringing in the OTHER OS(s) and bashing it/them?

#3 By 7797 (63.76.44.67) at 4/13/2004 4:04:59 PM
For the month of April there are some new "critical" updates from Microsoft.
However, one of them is actually a meta-patch:
http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx
"This update resolves several newly-discovered vulnerabilities. Each vulnerability is documented in this bulletin in its own section.
An attacker who successfully exploited the most severe of these vulnerabilities could take complete control of an affected system, including installing programs; viewing, changing, or deleting data; or creating new accounts that have full privileges."
A nice way to make 13 vulnerabilities seem as if it were only 1.

#4 By 12071 (203.217.27.61) at 4/13/2004 7:06:01 PM
#4 You mean 14 disclosed vulnerabilities in 1, 8 of which are remotely executable, and then we wonder just how many undisclosed bugs, vulnerabilities, etc have been rolled up into this 1 patch?
But let's not get away from the real point here. Microsoft have only 1 patch, OSS would have had 14 separate ones, that makes Microsoft better, more optimized!

#5 By 7797 (63.76.44.74) at 4/13/2004 8:02:31 PM
"In fact, it appears Apache lumps a lot of fixes into 1 patch as standard operating procedure."
This is not a fact. The fact is that Apache lumps lots of patches into a release along with other bugfixes and maybe even new features.
And what are you trying to say? Just because Apache has done this as standard operating procedure, it's OK for Microsoft to do the same? Why would Microsoft use the same crappy procedures as such a worthless open source project as Apache? Or maybe MS is just trying to make it appear as if there was only 1 vulnerability to the casual user or journalist, because they can't afford to have the news plastered all over that another 16 vulnerabilities have been found. Nah, that's impossible, they'd never do something like that.

#6 By 7797 (63.76.44.74) at 4/13/2004 8:06:36 PM
"1250 per year! WOW!"
wow? amazing? is it really? are we just talking an OS here? many different apps? how many? etc etc

#7 By 7797 (63.76.44.74) at 4/13/2004 8:16:06 PM
parkker, you know what? You win. You have convinced me. Open Source software is expensive, and insecure and bloated and overall shoddy and riddled with many backdoors that let murky governments spy on our secrets. They have been trying to hide vulnerabilities from us by fixing several of them with one "patch" for years. They are deceiving us. Their software has so many vulnerabilities it DWARFS those of Microsoft. I don't understand how I could have been blinded for so long. I want to thank you for opening my eyes. You were right all along. How can I ever thank you? I will now join you in the fight against those pesky open source zealots and ABMers by spreading the truth about how great, secure, slick, fast and generally GREAT all Microsoft software without exception is.

#8 By 7797 (63.76.44.74) at 4/13/2004 8:16:33 PM
Oh, never mind :) I was just kidding.

#9 By 3339 (64.160.58.135) at 4/13/2004 8:49:29 PM
"chris would make a super big stink about Microsoft if it lumped 36 fixes into 1 patch."
MICROSOFT HAS DONE EXACTLY THAT, FOOL!!!
Are you going to make a "super big stink" about Microsoft now?
No, only you are entitled to hypocrisy because only you are stupid enough to believe yourself and not see how retarded you act, yes?
The 4 patches today are for 20 separate vulnerabilities!!! Correction: at least 20!! The full number is unknown because of their obscurity techniques!!! They've been doing this ever since they went to the monthly schedule!!!
"The software giant released four patches to cover the 20 security issues, as part of its monthly update schedule. Microsoft wouldn't comment on the level of risk the flaws present, instead maintaining that companies that apply the fixes won't be in danger."
They won't even comment on how important they are anymore!!!
"The largest patch, MS04-011, fixes at least 14 security flaws."
"At least six of the 14 flaws could result in a remote user taking control of a Windows computer."
Jesus, Parkker, read an article about Microsoft for a change, start patching your computer, instead of whacking off to Apache vulnerabilities and pinup posters of iPods!
You have nothing to stand on anymore because Microsoft has descended so far down the obscurity path, the security firms which are finding the vulnerabilities for MS cannot even tell what has or has not been repaired in their patches.
At least Apache does provide separate updates and details each fix made in each patch which contains multiple issues!
You can't logically, certainly not intelligently, start preaching about the numbers of vulnerabilities when you don't know the number of flaws in the product you are defending!!! Don't you get that, retard!
This post was edited by sodajerk on Tuesday, April 13, 2004 at 21:04.

#10 By 12071 (203.185.215.149) at 4/13/2004 11:31:41 PM
#9 "Just the usual 25 or so patches per week. Each made up of 1 or more vulnerabilities."
Did you count the 'tcpdump' DOS, 'sysstate' etc. twice? (i.e. Debian and Gentoo) Because you should, after all if there's a patch for Mandrake, it'll more than likely also have to be used in RedHat etc as well. That way you can inflate the number to billions of patches for Linux =) Thought I'd help you out.
#11 "wow? amazing? is it really? are we just talking an OS here? many different apps? how many? etc etc"
There really is only 1 fair way to count them. We must compare the default install of Windows 2003 Server (because that's what we all run on our desktops) vs. a complete install of Linux + all of the applications available for it at that time (because that's also what we all run on our desktops). And yes, that includes installing all 12 C compilers, all 10 text editors, all 3 IDEs, all 4 web servers, all 3 proxy servers, all 12 window managers etc etc etc, because that's what everyone is running at the same time!
#14 "Microsoft has gone to a monthly security release schedule for various reasons."
Customers like to wait an additional 30 days to patch their system.
#16 "Hey, I'm not the one that made multiple fixes and issue."
You brought Linux into this discussion and tgnb brought up multiple fixes. Learn to read in future.
"That was OSS fanboy chris who did that."
A better way of putting it is.... You are the FUD, and I'm the Anti-FUD. If that makes me an OSS fanboy in your eyes, so be it.
"at least Microsoft is not on course for 1250 fixes a year, unlike OSS."
So how many fixes is Microsoft on course for? I need a number if we're going to compare!! And I want to know the number of bugs that Microsoft will fix, not the number of rolled-up fixes they release or the number of bugs they decide to disclose to the public! Come on, let us all know how many! It shouldn't be difficult. If OSS can be efficient enough to make a note of each bug fixed, surely Microsoft, the innovative one, would do even more for you! Surely they have somewhere where you can look up all those undisclosed bugs that they just threw in because they weren't important enough to mention on their own.

#11 By 12071 (203.185.215.149) at 4/14/2004 3:36:01 AM
#19 "I believe the last time we had this discussion you added in a vulnerability for "Virtual PC on the Mac" to the total "
You believe wrong, I don't think I've ever mentioned anything about Virtual PC, let alone Virtual PC for the Mac!
"For example, with Linux, at the rate of discovered vulnerabilities, you might have to patch the kernel on Monday, OpenSSL on Tuesday, sendmail on Wednesday, Apache on Thursday, a couple of the lesser known apps on Friday, and 5 or 6 other apps on the weekend. Isn't that tiring?"
That's not my job, so I can't answer whether or not it's tiring. But if I'm not using openssl or sendmail or apache or some of those lesser known applications then I've had a nice quiet week. At the same time, I know that I've got the patch as soon as it's released and it is then up to ME when I apply it (or if I apply it), rather than having to wait until next month. Everyone has their favourite methods.
"I can read well"
Ok, it's time to get petty. If you can read well then why did you say "Hey, I'm not the one that made multiple fixes and issue. That was OSS fanboy chris who did that." ???
"I notice you used to harp on multiple fixes per released patch"
You should have noticed that I have a bigger issue with undisclosed patches included as part of other patches, not the roll up of many individual patches into a single package per se.
"Ha ha. You are just an OSS fanboy who likes to pass on the OSS myths, like code review, NSA "secure linux", only Windows does multiple fixes per patch."
If you can substantiate those claims, I'd love to see the proof. I never said only Microsoft does multiple fixes per patch, I simply mentioned that the NSA have created their own modified version of Linux called "Secure Linux" and code review? Can you please point me to where I've said much about it? Anywhere? If anything I would have mentioned that the OSS model allows for better code review due to anyone being able to view the code - only you and your ignorant MS-only friends believe that it's a myth.
"Under 100 for the year. Significantly less than the 1250+ OSS is on course for."
Now show me proof of this! I don't want some random number, show me proof!

#13 By 7797 (63.76.44.202) at 4/14/2004 10:25:34 AM
chris_kabuki I admire you for the patience you have trying to de-fud parkker.

#15 By 7797 (63.76.44.202) at 4/14/2004 5:23:08 PM
"But with all the reboots necessary to keep Linux patched, the amount of uptime you get it abysmal."
You obviously have no real-life experience with keeping Linux boxen patched, otherwise you wouldn't make such an ill-informed statement.

#16 By 7797 (63.76.44.202) at 4/14/2004 5:24:42 PM
"That's why Linux is unsuited for "supercomputer clusters"."
I don't recall anyone in this thread saying they are suited? Is Windows suited?

#17 By 12071 (203.185.215.149) at 4/14/2004 8:14:09 PM
#23 "What BMP exploit?"
Once again you prove you cannot read or you're just too lazy to read - maybe in the future you need me to spell everything out to you and to quote all the relevant parts - apparently providing a link for you to click on is too complicated. Have a look at the link I gave for the BMP bug (here is the link again in case you can't find it: http://www.securitytracker.com/alerts/2004/Feb/1009067.html). What do you know? There's an example bmp exploit attached!
Exploit Included: Yes
"Microsoft found a bug."
Obviously they did find it before releasing SP1, and they patched it. So far, good work. But you know where they fail? They fail because they didn't DISCLOSE it! There's nothing you can say to that! You can't point us all to the page where Microsoft disclosed this bug... because Microsoft don't disclose all the bugs they fix - the proof is right there. No myth, Microsoft doesn't disclose all the bugs they fix!
"It seems very likely that new code that fixed the PNG problem also fixed the BMP problem. It was probably the exact same code."
It seems... Maybe... Ummm.... Ahhh... no sorry parkker, the exploit was in 'imgbmp.cpp' - Given the NAME of that class, I highly doubt your ludicrous stories of it being the same code. And even if it was, let's imagine that the code WAS shared, why not disclose THAT FACT in the advisory? Why not mention that the fix is for PNG AND BMP files? Why? Because Microsoft don't disclose all the bugs they fix!
It is a myth that Microsoft discloses all the bugs they fix - therefore you should take the number of bugs fixed with a grain of salt!

#18 By 12071 (203.185.215.149) at 4/14/2004 11:36:10 PM
#29 "The BMP exploit you reference came out 2 years after Internet Explorer 6 SP1 came out."
And? What's your point? I was using that example because it's PROOF that Microsoft does not disclose all the bugs they include in their patches! So far you've shown no proof to say this is not the case, you've just tried to weasel your way out of it!
"It seems very likely that new code that fixed the PNG problem also fixed the BMP problem. It was probably the exact same code."
I'll repeat myself since you can't read:
"It seems... Maybe... Ummm.... Ahhh... no sorry parkker, the exploit was in 'imgbmp.cpp' - Given the NAME of that class, I highly doubt your ludicrous stories of it being the same code. And even if it was, let's imagine that the code WAS shared, why not disclose THAT FACT in the advisory? Why not mention that the fix is for PNG AND BMP files? Why? Because Microsoft don't disclose all the bugs they fix!"
"If they fixed the bug for the PNG exploit, and the same bug could also be exploited with BMP images, is Microsoft supposed to tell the world that BMP files could also be exploited?"
YES!!! It's called DISCLOSING ALL THE BUGS you've fixed! If you've fixed a bug in 'imgpng.cxx' (or whatever the actual source file may be) and you have also fixed a similar bug in 'imgbmp.cxx' then you disclose BOTH fixes, not one of them whilst hiding the other! Microsoft do NOT disclose all the bugs they fix!
"The simple answer is no."
The parkker "oh crap I've got nothing of substance to try and prove you wrong" answer is no. The actual answer, to everyone else, is yes.
"It is good enough to tell people to upgrade because security issues are being addressed."
That's all very well and good but you're avoiding the undeniable FACT that Microsoft do NOT DISCLOSE all the bugs they fix. How much simpler can I put that so you can understand?
"Microsoft does not have an obligation to make life easier for hackers, which is what you want them to do."
So you can't read, you can barely comprehend, but you can read my mind. Astounding!
"By the way, it appears that to get a non-bloated Linux kernel you need to compile it. Do you plan to apologize for all the times you said the opposite?"
How about you start by:
1) Proving I said you don't have to compile your kernel to get a 'non-bloated' one.
2) Define what 'non-bloated' actually means and who else abides by this same definition.
3) Show that you cannot get a tailored kernel pre-built for you which you can then get via up2date, apt-get, yum etc (or via the GUI front ends for those applications) which fits the 'non-bloated' definition in part 2 above.
Sure you won't get the most highly optimized kernel for your particular system without compiling it yourself... but what you fail to understand (amongst all the other things you fail to understand) is that you don't need a completely optimized kernel, the majority of users are happy with the kernel optimized for their machine architecture. These kernels aren't as bloated as you are trying to make them out to be.
So until you offer all of us proof otherwise, the FACT remains that:
It is a myth that Microsoft discloses all the bugs they fix - therefore you should take the number of bugs fixed with a grain of salt!

#20 By 12071 (203.185.215.149) at 4/15/2004 4:18:37 AM
#32 "Why make life easier for hackers? I'm glad Microsoft, in this one instance, chose not to make life easier for hackers."
Why disclose full information on the bugs you are fixing!?! You're right... Security through Obscurity is the best way!
It is a myth that Microsoft discloses all the bugs they fix - therefore you should take the number of bugs fixed with a grain of salt!