Time: 14:26 EST/19:26 GMT | News Source: E-Mail | Posted By: Brian Kvalheim
WASHINGTON - Microsoft has admitted there's a dangerous design flaw in its latest Windows Server 2003 software. The software is aimed at large corporate customers. The company says the flaw could allow hackers to seize control of a Windows computer over the Internet, stealing data, deleting files or eavesdropping on e-mail. The flaw also affects Windows versions popular among home users.
|
|
#1 By 13998 (217.122.34.74) at 7/17/2003 3:56:46 PM
And this security hole is not special for Windows 2003. It affects all Windows systems, including Windows 2003.
|
#2 By 3108 (168.226.12.243) at 7/17/2003 6:10:58 PM
Ok, first of all I agree that this is a critical vulnerability, because the Windows service that has it is the RPC service, which is the one that COM and DCOM run over and the one that allows to connect applications with the technologies that the OS has.
However I would like to tell #1 that the "Trustworthy Computing" security initiative is not a crock because if you take time to look at who discovered the bug you will realize that it was a company called Last Stage of Delirium Research Group (http://lsd-pl.net/) which is a company that Microsoft pays to audit their OS, yes this company has the source code of Windows as many other companies that Microsoft pays to audit their code. And the need for code auditing is part of the Trustworthy Computing security initiative, so it works because the bug was discovered by a company which audits the Windows OS and Microsoft did the patch, no hacker discovered it and therefore there was no planned mass attack.
By the way do not confuse code auditing with opensource, in the first one there are experts in the second one there are a lot of all.
|
#3 By 931 (67.35.50.203) at 7/17/2003 6:23:18 PM
"And what percentage of the default 2000/XP installs have firewalls installed? For that matter, there may be competent admins who put their servers behind a firewall, but far too often there are people who don't know what they are doing administering these boxes."
You're out of your skull in my opinion, I know of no admin that incompetent that would actually open 135\7 to the internet. Every single firewall I know of blocks this by default, hell even the cheap home switch\router\firewalls block this by default, in fact on some of them it's not even an option to turn it off.
"So yes, I think it's fair to say that this is "the worst Windows vulnerability ever". "
Highly disagree it's not the worst ever, certainly it's important but it's not the worst hole found ever in windows.
"but rather it's a service that is enabled by default, and exposed to the internet by default"
Sorry dude but nothing is exposed to the internet by default, one must actually plug the damn thing into a network first that is connected to a network that is connected to the internet (and not blocking the rpc port) ..
It's important that those fools at home or those few morons at some company who have a winxxx box hanging on the net with 0 protection need to address quickly with this patch. The rest of us who are behind devices or software that block rpc need to update when we have time. Personally while very important this is being blown out of proportion from a realistic corporate point of view. Sure I'll patch my systems.. but it'll be next month when we rollout a bunch of other patches with our sp4 deployment, after we have tested them all together.
This post was edited by KnightHawk on Thursday, July 17, 2003 at 18:23.
|
#4 By 3108 (168.226.12.243) at 7/17/2003 6:35:14 PM
dkg_ctc:
Microsoft pays or contracts some security and auditing companies for different reasons and different software, www.foundstone.com and http://www.coresecurity.com had audited, are auditing and will update upcoming versions of the .net framework and one of these companies has published a press release about that. Not every security company or research firm needs to publish who was his contractor.
I know they work for Microsoft believe me, an MVP told me.
|
#5 By 12071 (203.185.215.149) at 7/17/2003 8:05:50 PM
#6 It's critical not only because of what can be done by exploiting it but also by the fact that it's a REMOTE HOLE and it's a remote hole that has existed since NT! If Microsoft's "Trustworthy" PR stunt is to be bashed it should be on that fact alone! Why wasn't this found by Microsoft's own code audits? It's been around for long enough!
And #1 wasn't bashing the "Trustworthy" initiative, he was getting in early before anyone could say anything negative about it.
|
#6 By 12071 (203.185.215.149) at 7/17/2003 10:03:09 PM
#15 Sarcasm will get you nowhere. Didn't Bill come out and say that security was the most important aspect they were going to take a look at - rather than blindly adding more features in they were going to sit down and audit their code. Now aside from the fact that they should have been auditing their code all along, they have had how many years to find this? Sorry, but if you're going to come out with a big PR stunt like this, be prepared to back it up or don't be surprised by the backlash. From your comments you're at least aware at just how serious this vulnerability is and for how long it has existed. Just because the general public didn't know about it before doesn't mean that no-one knew about it. And knowing all that I'm surprised that you would be surprised by the backlash on Microsoft's Trustworthy Computing initiative.
|
#7 By 12071 (203.185.215.149) at 7/17/2003 11:43:27 PM
#18 "Let's see...one vulnerability that affects the default install of Windows 2003, and you're claiming that they haven't "backed it up".
Correct, one MAJOR CRITICAL REMOTE HOLE that exists not only in the default install of Windows Server 2003 (after the whole Trustworthy PR stunt) but also in every other NT based OS.
"then you can talk about the failure of Trustworthy Computing"
No offence but you don't get to decide when I can and when I cannot talk about something.
"security vulnerability in the default install for months after its release"
If you want to get pedantic, this vulnerability has existed since NT came out.... a bit more than a couple of months.
"open source zealots like yourself"
I'm now an open source zealot? Ha! That's rich coming from a MS Sheep! See, we can keep throwing these petty personal insults around for the hell of it if you really want. Get over it, just because someone doesn't continually praise Microsoft or dares to say anything negative about them doesn't make them an open source zealot.
"Ironically (but unsurprisingly) they aren't so quick to cry about poor security when the first vulnerability in a default Redhat install is announced less than a week after its release."
Did RedHat come out and make a big song and dance about their "Trustworthy Computing" initiative? If so then they deserve the same kind of backlash if the vulnerability is of the same nature. The same goes (and went) for Oracle when they proclaimed their system as Unbreakable. This has nothing to do with any one particular company or open source vs commercial software.
|
#8 By 12071 (203.185.215.149) at 7/18/2003 12:57:59 AM
#21 I'll try to make this short as I don't have the time or patience to continue this childish argument with you where you feel it necessary to start throwing personal insults because you have nothing better to do.
"you're using an OS"
How do you know what OS I am using? Between work and home I use three different OS', stop making assumptions and then basing your arguments on those assumptions.
"There's a difference between someone who "doesn't continually praise Microsoft" and someone who "continually bashes Microsoft while heralding the wonderous, secure nature of open source". (In case you weren't sure, you fall in the latter of the two categories.) "
Please point me to where I am, and I quote, "heralding the wonderous, secure nature of open source". I'll wait here until you find me doing that, let alone doing it continually. Note that I haven't said that I don't bash Microsoft, I do, but only when I feel they deserve it, and in this case I saw the whole Trustworthy Computing initiative as nothing more than a PR stunt. Oooh, code audits... what the hell have they been doing all this time if code audits are something new! I also saw Oracle's Unbreakable slogan as a PR stunt, but you won't have issues with that because it's not Microsoft. Baaaaa! I'll give you credit though, unlike the other sheep on here you at least promote the importance of this vulnerability rather than downplaying it or trying to shift the focus to some other vulnerability that someone else has.
"Linux advocates claimed that Linux is more secure...Windows is less secure..."
Not sure who these advocates are that you speak of, but if you read the 'open source' versions of ActiveWin, e.g. Slashdot, you will find that those people who claimed Linux as being more secure.... continue to claim that.
|
#9 By 135 (208.186.90.91) at 7/18/2003 1:46:56 AM
As much as people complain about Microsoft, the unfortunate thing is that the competition is even worse.
Maybe the industry is doomed and we should all become short order cooks.
|
#10 By 12071 (203.185.215.149) at 7/18/2003 2:46:15 AM
#27 "Let's see...I suppose I could go by what you've stated in the past...but no, certainly that's not fair... *rolls eyes*"
What have I said in the past? You admit in your next paragraph that you don't save my past posts or even remember what I did and did not say.... Keep rolling those eyes boy meets world!
"I have better things to do than save all your posts for future references, or go back and search your posts, but the next time you do I'll be sure to point it out, don't worry."
You have better things to do than remember what I did and what I did not say but you don't have anything better to do than to assume, make up and guess what I may or may not have said? Until you come up with some evidence where I have been "heralding the wonderous, secure nature of open source" we'll all just ignore your assumptions.
"Hmm...weren't you just complaining about "childish arguments" and "personal insults"? Or are they only wrong when its other people doing it?"
It's wrong no matter who does it, but if you get to do it it's really only fair that I do it back right.
"Hmm...could it possibly be you?"
There you go assuming again. I'm not advocating Linux, I don't think I've made a comment to that effect here at all, if anything I haven't been advocating Microsoft and instead been advocating something in the middle. I don't have a "use anything but Microsoft" motto and I don't have a "use only Microsoft" motto either.
"No, certainly I couldn't have been referring to Mr. "Trustworthy Computing means there should never ever be a vulnerability again...but Linux doesn't claim to be 'Trustworthy', just more secure, therefore it's ok that it's less secure!". "
a) Stop assuming and b) Stop putting words in my mouth, unless you can actually show me where I have said those things.
|
#11 By 61 (24.92.223.112) at 7/18/2003 8:57:00 AM
Being a line cook is good for a nice adrenaline pump. :)
|
#12 By 12071 (203.217.70.63) at 7/19/2003 1:18:29 AM
#34 JF... you responding was a surprise... normally you're too busy standing up for soda =)
"Do you remember how many vulnerabilities Windows 2000 had affecting its default configuration in its first three months? I'm sure it was more than one."
Yes Microsoft are improving, by leaps and bounds, they even managed to get the patch out for this vulnerability a lot faster than the previous efforts, but that doesn't change my mind that Trustworthy Computing was nothing more than a PR stunt. They should have always been performing code audits rather than making a big song and dance that they are NOW doing it.
"You know what's rich?"
You always standing up for every other MS zealot here?
"If something is trustworthy, you can get over its flaws enough that you trust using it."
So you can trust something with a flaw in it which allows anyone to run anything they like on your pc?
"Why don't you freakin' tell us what you use so we don't have to keep "assuming"? I think you like to make people guess. Talk about childish. Let the eye rolling begin!"
So because I haven't told you what I use that's a perfectly good reason to start assuming? Riiight. Interesting logic there. Between work and home I use Solaris 8, Linux and Windows 2000/XP.
"Oh yeah. Hey look, John Wayne Gacy buried the bodies of 50 young men in his back yard! It's only fair that you get to do it too! As a symbol of my good faith, I offer to walk to your house with a loaded revolver so you can do me in first!"
Don't be stupid.... too late I guess. I'm only human, if someone who does nothing more than dream up assumptions and then base their whole argument on those assumptions then goes ahead and starts with the personal insults because that's how they like to show their age, I'm not going to sit back (all the time) and not say anything back. If you don't like it, don't read it =)
"There are two sides to this argument. Microsoft and... uh, everything else. I don't see a middle. After closed-source and open-source, I see nothing."
In your mind there is only one side to any argument, Microsoft's side, and that's fine, but don't start with the insults and other crap because someone else may be either on the other side or somewhere in between, e.g. supporting Microsoft in some but not all cases.
|
#13 By 2332 (65.221.182.2) at 7/19/2003 4:08:38 AM
#36 - While the term "Trustworthy Computing" is certainly a product of the marketing / PR department, the effects inside Microsoft are not.
They have fundamentally changed the way they develop software... from design to QA.
A single bug, or even a slew of bugs, doesn't prove that "Trustworthy Computing" is a hoax or a PR stunt. In fact, it proves nothing.