| ActiveMac | Anonymous | Create a User | Reviews | News | Forums | Advertise |
|
|
|
User Controls |
|
New User |
|
Login |
|
Edit/View My Profile |
|
|
|
|
|
|
|
ActiveMac |
|
Articles |
|
Forums |
|
Links |
|
News |
|
News Search |
|
Reviews |
|
|
|
|
|
|
|
News Centers |
|
Windows/Microsoft |
|
DVD |
|
ActiveHardware |
|
Xbox |
|
MaINTosh |
|
News Search |
|
|
|
|
|
|
|
ANet Chats |
|
The Lobby |
|
Special Events Room |
|
Developer's Lounge |
|
XBox Chat |
|
|
|
|
|
|
|
FAQ's |
|
Windows 98/98 SE |
|
Windows 2000 |
|
Windows Me |
|
Windows "Whistler" XP |
|
Windows CE |
|
Internet Explorer 6 |
|
Internet Explorer 5 |
|
Xbox |
|
DirectX |
|
DVD's |
|
|
|
|
|
|
|
TopTechTips |
|
Registry Tips |
|
Windows 95/98 |
|
Windows 2000 |
|
Internet Explorer 4 |
|
Internet Explorer 5 |
|
Windows NT Tips |
|
Program Tips |
|
Easter Eggs |
|
Hardware |
|
DVD |
|
|
|
|
|
|
|
Latest Reviews |
|
Applications |
|
Microsoft Windows XP Professional |
|
Norton SystemWorks 2002 |
|
|
|
Hardware |
|
Intel Personal Audio Player 3000 |
|
Microsoft Wireless IntelliMouse Explorer |
|
|
|
|
|
|
|
Site News/Info |
|
About This Site |
|
Affiliates |
|
ANet Forums |
|
Contact Us |
|
Default Home Page |
|
Link To Us |
|
Links |
|
Member Pages |
|
Site Search |
|
Awards |
|
|
|
|
|
|
|
Credits |
 |
Microsoft Security Patch Said Ineffective | |
|
||
| Time: 08:49 EST/13:49 GMT | News Source: Reuters | Posted By: Byron Hinson | ||
|
A Microsoft Corp program designed to plug a common security hole is vulnerable to the very attack it was designed to prevent, the Wall Street Journal alleged in a report on Thursday, citing a prominent security consulting firm. Last month Microsoft Chairman Bill Gates announced a company-wide initiative to improve the security features of its products. Microsoft on Wednesday unveiled a collection of programming tools, including a new version of a special-purpose program that it modified to try to prevent a common hacker attack called buffer overflows, the Journal said. | ||
|
Write Comment
Return to News |
Displaying 1 through 25 of 422 Last | Next |
The time now is
4:53:50 PM
ET.
Any comment problems? E-mail us |
| #1 By 2332 (129.21.145.80) at 2/14/2002 2:43:00 PM |
|
I'm still trying to figure out what the hell these guys are talking about.
A security patch? Microsoft hasn't released any security patches for .NET - it's only been out for two weeks. The flaw they are talking about, as best as I can tell, has to do with the way .NET manages the call stack. This call stack technique has nothing to do with Linux, but is used in some open source code managment tools. It's also a technique that's been around for about 20 years, and has nothing specifically to do with open source or Linux. Anyway, I don't see how a programmer could write an application that directly utilizes the call stack in .NET. Now, granted, I've avoided the managed C++ extensions like the plague, since I can use C# and write my code faster, cleaner, and with the same capabilities (or so I thought). I can't find anything in the docs about directly manipulating the call stack in an application, nor can I figure out how a flaw such as this would be taken advantage of. Does anybody have any details links about this? |
| #2 By 2332 (129.21.145.80) at 2/14/2002 2:58:32 PM |
|
Thanks to an alert Slashdot reader (gasp!):
"The protection afforded by the new feature allows developers to continue to use vulnerable string functions such as strcpy() as usual and still be "protected" against some forms of stack smashing. The new feature is closely based on an invention of Crispin Cowan's called StackGuard and is meant to be used when creating standard native code (not the new .NET intermediate language, referred to as "managed code"). " So, basically, the problem exists when you're using VC++.NET to write unmanaged code. In other words, in this very specific case, C++ programmers are writing the code they've been writing all along. Seems to me this is being blown way out of proportion... but I guess I shouldn't be surprised anymore. |
| #3 By 2332 (129.21.145.80) at 2/15/2002 5:40:02 AM |
|
Turns out it was baloney:
http://www.securityfocus.com/archive/1/256365 |
|
Write Comment
Return to News |
Displaying 1 through 25 of 422 Last | Next |
The time now is
4:53:50 PM
ET.
Any comment problems? E-mail us |
