Time: 07:03 EST/12:03 GMT | News Source: VNUNet | Posted By: Byron Hinson
Microsoft is warning of yet another critical flaw which could give hackers "complete control" over computers running one of several versions of its operating system. The software giant confirmed that the flaw affects Microsoft Windows NT 4.0, NT Server 4.0 Terminal Server Edition, Windows 2000, XP and Server 2003. Systems administrators should apply the update immediately, Microsoft said.
#1 By 2332 (65.221.182.2) at 2/11/2004 9:26:28 AM
Let's see. According to open source advocates, who claim that full and immediate (or close to it) disclosure is the only way to handle security flaws, this should have been exploited left and right during the 8 months it was known for.
But it wasn't. Eeye decided to let Microsoft fix the bug on its own schedule, and kept the potentially damaging information to itself during that time. The result was essentially the same as if Microsoft had patched it 8 months ago - nobody got hit.
Now, why should it take Microsoft 8 months to patch? I'm not sure. That definitely seems excessive. Then again, I'm not privy to the source code in question. It seems pervasive enough that it required extremely extensive testing before releasing a patch. Who knows.
The point is, if Eeye had given Microsoft the customary month, then "forced" them to patch by telling everybody how to exploit the flaw, more damage would have been done than was done by keeping things secret as long as possible. This seems contrary to what most open source advocates insist.
Could somebody else have found the flaw? Sure. I suppose people could have been exploiting the flaw for a long time. Then again, they could have been exploiting the flaw long before Eeye found it! If they chose to do so, chances are they wouldn't have given Microsoft any opportunity to fix it anyway.
The fact remains - the primary reason people release exploits before a company has patched has nothing to do with some sense of duty or a desire to increase the security of the products people use. It has everything to do with wanting to get as much credit for their accomplishments as possible. You'll get more credit by releasing an exploit that allows a million machines to be compromised than if you quietly do the right thing and let Microsoft (or whoever) patch things on their own schedule.
It's all about ego.
#2 By 135 (209.180.28.6) at 2/11/2004 11:22:29 AM
Wow, this story is getting bigger and bigger over time. Yesterday it was a six month old flaw, today it is eight.
Given the issue appears to have been within the Kerberos authentication system, I imagine testing was considered critical to Microsoft and their customers.
#3 By 6859 (206.156.242.36) at 2/11/2004 11:40:56 AM
"The bottom line is that MS ships inherently insecure products and cost everyone time and money"
The same can be said for every Linux and BSD distro as well.
#4 By 3339 (64.160.58.135) at 2/11/2004 12:40:18 PM
A letter at The Inq:
"Microsoft talked up ASN thing last year
Mike,
I have a question that may be interesting. A year or so ago, openssl had this ASN vulnerability, and of course, Microsoft played it up, telling us how open source stuff was insecure. Then, someone started grepping various binaries for the APIs that openssl uses, and lo and behold, a bunch of Microsoft binaries showed up.
The rest of the world just applied the latest openssl patches, recompiled, and, in some cases, just downloaded rpms or debs and was done.
However, it appears to take Microsoft more than half a year to fix this problem, and if the grepping fella was correct, Microsoft is only taking the fix from openssl anyway...
Which means, contrary to Microsoft's assertion, black hats knew about this a long time ago (heck, if I knew...) and this means you may have been "owned" without anyone knowing it.
But, and here's the question: Microsoft keeps telling us how secure they are, because, gosh darn it, lookit all those linux security vulnerabilities. But, with this ASN bug for example, it took Microsoft more than half a year to fix it. Now, I understand that at certain companies, at year end, there's a rush to book revenue and delay payments. Is there an SEC equivalent for counting the number of security vulnerabilities/year? And should Microsoft have booked this security hole in 2003 or 2004?
Tai"
#5 By 3339 (64.160.58.135) at 2/11/2004 1:32:18 PM
"#7 Actually, openSSL did not completely fix the ASN problem for Windows until November 4th."
And? It was fixed for most platforms long, long ago. Why would I care that it took so long to fix OpenSSL for Windows? The point is: problems with ASN were known long ago. Microsoft knows they have a TON of fundamental dependencies on ASN in ALL of their products. The OS community repaired ASN via OpenSSL.
In fact, doesn't your post further cement my point? OpenSSL was fixed and tested for most systems that used it. It was later determined that it was still vulnerable, but only on Windows, because of Microsoft's ASN implementation. Novell discovered this and fixed it for OpenSSL on Windows. Why didn't Microsoft do the same testing and coding, that Novell did, for their very own product? Novell was kind enough to do it for an open source application on a different platform. Maybe Microsoft should have put some staff on patching OpenSSL for Windows if in fact their fix is largely coming from those repairs anyway.
I don't know what you mean by ONE product. OpenSSL is on many platforms. The vulnerabilities were repaired for all of these platforms, but Windows remained susceptible. And last I remember Windows is actually many products. Apparently, Novell was able to complete the testing in two months, not seven to eight months, from the time they discovered that Windows was uniquely susceptible to this flaw because of a poor ASN implementation.
This post was edited by sodajerk on Wednesday, February 11, 2004 at 13:40.
#6 By 2332 (216.41.45.78) at 2/11/2004 2:00:16 PM
#5 - The bottom line is that MS ships inherently insecure products and cost everyone time and money. It's not really an issue how the flaw was exposed, but that it shipped in the first place.
Ah yes, because Microsoft is the only company who has bugs in their code. Good point. I bet Microsoft was like "Hey... our millions of lines of code are completely bug free, but let's throw in some bugs so we can cost people time and money! Awesome!"
I'll admit it would be difficult to ship something as complex as an OS with zero flaws, but we have been buried under a steady stream of this for 5+ years now, with the last couple being the worst.
Actually, per line of code, Microsoft has below the average number of bugs for the industry. That means that overall their code has fewer bugs than most people's code. The problem is, they ship the most used software on the planet.
This becomes all the more frustrating when MS trumpets each new release of Windows as the most secure, yet the last couple seem to be the most full of holes
How so? Windows 2003 is by far the most secure product Microsoft has ever shipped. It has had only a handful of bugs since it was launched almost a year ago. It has had far fewer flaws than both Windows 2000 and Windows NT. Microsoft products are absolutely getting more secure. (See: http://www.winnetmag.com/windowspaulthurrott/Article/ArticleID/41730/windowspaulthurrott_41730.html)
And no one trot out the "it's because everyone uses Windows" argument; besides being useless MS spin and not based on fact, it doesn't hold up historically.
I assume you're not doubting that more people use Windows than any other OS. I'll assume you're doubting the claim that the more used a piece of software is, the more likely it will be both inspected for bugs and exploited by those who find those bugs. As I mentioned, people hack primarily as a power trip. They love getting credit for outsmarting people. The bigger the hack, the better.
When even the slightest exploit in an OS with lesser market share has cropped up it's been attacked almost instantly, proving that there are no shortage of a-holes with too much free time in the world.
No, people attack it because they're annoyed by the open source advocates who are constantly attacking them.
We are suffering from a mono-culture built on an inherently insecure design from a company that has begun to believe its own spin.
I agree that a mono-culture can have problems associated with it. In fact, it's well proven in biological systems. But you're ignoring countless things when triumphantly stating the obvious.
First, a mono-culture, as you call it, has many advantages. Compatibility is a big one. If it wasn't for the mono-culture, chances are computers would be far harder to use. Why should a disk that works in my Mac not work in my PC? Sure, these products can adapt... but without standards that inherently force a mono-culture of sorts, computing would be harder.
Second, the unix world has the SAME mono-culture problems. Many pieces of Mac OS X, for instance, are vulnerable to the same exploits for FreeBSD. Almost all the Linux distributions suffer from the same vulnerabilities because they exist in a shared code base.
In a sense, open source helps to INCREASE homogeneity in software. It increases the chance that a broken piece of code in one product will also be in countless other products.
As far as Windows being an "inherently insecure design"... please, enlighten me. How is one of the only operating systems designed from the ground up with security in mind an inherently insecure design? Is the NTFS permission system insecure? Is Kerberos or NTLM insecure? Is the security token system insecure? Give me an example.
I have a feeling you've confused (or perhaps ignored) the difference between design and implementation.
#7 By 3339 (64.160.58.135) at 2/11/2004 2:07:33 PM
This comment has been removed due to a violation of the Active Network Terms of Use.
#8 By 3339 (64.160.58.135) at 2/11/2004 2:11:51 PM
"Why should a disk that works in my Mac not work in my PC?"
Because Microsoft refuses to support standards. The one and only reason.
#9 By 3339 (64.160.58.135) at 2/11/2004 4:52:20 PM
What's your point, parker? My initial post was that people became aware of this problem a year ago. I already know that many platforms were affected and had fixed the problem a long time ago.
By the way, who has claimed that a flaw in ASN is Windows only? Huh, who? What we have been saying is that MS is the only one which knew for such a long time, kept it quiet, and took forever to repair. To dodge that, you are pointing to ones which were made public half a year ago and were fixed half a year ago, or ones which were discovered a month or two ago and were fixed a month or two ago. So?
As for post #17, didn't we discuss you acting less like a moron? We are looking at 2 different vulnerabilities. I am speaking of the OpenSSL flaw that Novell fixed for the Windows version 4 months ago. You know? the one you brought up in the first place, dumb@ss.
You are just repeating yourself, and trying to divert our attention from your first diversion. Yes, eDirectory had a vulnerability that was discovered two months ago and fixed 2 weeks ago in 50 or so days. How does that compare to a vulnerability that Microsoft knew about seven months ago and didn't fix for over 200 days?
This post was edited by sodajerk on Wednesday, February 11, 2004 at 16:54.
#10 By 12071 (203.185.215.149) at 2/11/2004 6:57:11 PM
#1 "According to open source advocates, who claim that full and immediate (or close to it) disclosure is the only way to handle security flaws"
I believe that most people that are concerned with Security (not Security through Obscurity!) share the view that full disclosure is the BEST way of handling security flaws. This has little to do with open source advocates and a lot more to do with security advocates. Sure Security through Obscurity is a nice addon but only if you have some real security underneath it all, otherwise all you're doing is fooling yourself into thinking your systems are secure.
"this should have been exploited left and right during the 8 months it was known for."
Not quite sure how you got from A above to B here.... How do you know that it HADN'T been exploited in that time? How do you know that no-one knew about this until eEye told Microsoft? Just because there isn't a script kiddie exploit ready to use or the latest round of the Outlook Virus hasn't gone around doesn't mean that these holes haven't and aren't being exploited!
"nobody got hit."
I'd LOVE to know how you know this! Please do tell.
"Now, why should it take Microsoft 8 months to patch?"
Very good question! Especially after Mr Gates came out and announced how quickly Microsoft release patches! Maybe they only release patches quickly when there is a full disclosure of those holes and therefore people are made aware of the hole!! [sarcasm] No no no, that couldn't be it at all - then again, if no-one knows about a hole then you have all the time in the world to fix it - and I mean really, why bother fixing it anyway! It just costs money and it's not hurting anyone currently now is it! [/sarcasm]
Maybe you're one of those people who is happy to live in the dark and just install the latest patch if and when it's released, and the best of luck to you! Other people would like to know about a hole as soon as it's found, giving them a chance to evaluate the risk themselves. Giving them a chance to turn that service off, block that port, disable that function, whatever it may be until a patch is released. These people don't have the same faith that you do that no-one will exploit the hole unless they've been given a ready to use exploit!
#12 "Actually, per line of code, Microsoft has below the average number of bugs for the industry."
Got any links where you can show us that this is indeed true? I am quite intrigued to know HOW you know, a) How many lines of code there are in most applications and even more impressively, b) How you know how many bugs there are in those lines of code! Maybe you mean bugs that have been found thus far? But that's a rather meaningless statistic! Or maybe it takes Microsoft developers, on average, more lines of code to write the same thing as someone else.
"That means that overall their code has fewer bugs than most people's code."
This is completely bogus based on the "proof" you've shown.
"Windows 2003 is by far the most secure product Microsoft has ever shipped. It has had only a handful of bugs since it was launched almost a year ago."
It is indeed by far the most secure OS Microsoft have released. Absolutely no argument there.
"No, people attack it because they're annoyed by the open source advocates who are constantly attacking them."
Prove it FUD boy. You would enjoy writing articles with Paul Thurrott!
#11 By 3339 (64.160.58.135) at 2/11/2004 7:14:50 PM
chris, nice breakdown. I was planning something similar until I came upon the letter pointing out that EVERYONE should have been looking at ASN a year ago (and everyone was but MS)... and then I got sidetracked by parker's idiocy...
But I'd like to add one key point to your breakdown:
Less bugs? Who cares! A bug is not the same thing as a security vulnerability. You can design your file structure, your method of file transfer, authentication, and many, many other services to be dependent on ASN and you can design an email system such that viewing an attachment is very similar to running untrusted code, and you can do it without ANY bugs!!! But this doesn't mean you aren't building the least secure piece of cr@p either!
Bringing up the issue of bugs is a weak deflection (based on a faulty argument no less). A bug is not necessarily a security vulnerability, and a security vulnerability definitely does not have to be a bug. Code can be perfectly coded and still be very vulnerable from a security perspective.
#12 By 3339 (64.160.58.135) at 2/11/2004 7:45:28 PM
This comment has been removed due to a violation of the Active Network Terms of Use.
#13 By 3339 (64.160.58.135) at 2/11/2004 8:07:45 PM
By the way, parker, it is in your best interest to argue these are very different flaws. It took Novell, a much smaller company than MS, 45 days to fix something across many more platforms than MS is willing to support when it took Microsoft 200+ days to do so for solely their own platform. Pretty f'in pathetic.
This post was edited by sodajerk on Wednesday, February 11, 2004 at 20:27.