The Active Network
ActiveMac Anonymous | Create a User | Reviews | News | Forums | Advertise  
 

  *  

  Hackers exploit Windows patches
Time: 12:22 EST/17:22 GMT | News Source: BBC | Posted By: Joshua Baer

Malicious hackers and vandals are lazy and wait for Microsoft to issue patches before they produce tools to work out how to exploit loopholes in Windows, say experts. Instead of working it out for themselves, malicious hackers are reverse engineering the patches to better understand the vulnerabilities, said David Aucsmith, who is in charge of technology at Microsoft's security business and technology unit.

Write Comment
Return to News

  Displaying 1 through 25 of 401
Last | Next
  The time now is 5:54:05 AM ET.
Any comment problems? E-mail us
#1 By 8047 (24.98.39.236) at 2/26/2004 6:14:44 PM
My God, no wonder people say Microsoft doesn't get it about security when you have David Aucsmith in charge of MS security business stating "If you want more secure software, upgrade".
Security by upgrade is nothing more than revenue generation and misdirection of the real problem. (and no, I'm not anti-MS, nor disagree that keeping software up-to-date is important, but that is an absolutely asinine statement.) They really don't get it!!

#2 By 6253 (24.1.206.27) at 2/26/2004 8:29:11 PM
SMG, it's not revenue generation when many of the upgrades are free.

Cost of IE 2, 3, 4, 5 for Windows 95 purchasers: $0
Cost of DirectX 6, 7, 8, 9 for Windows 98 purchasers: $0
Cost of IIS 3, 4 for Windows NT 4.0 purchasers: $0
Cost of WMP 7, 9 for Windows 2000 purchasers: $0
Cost of Outlook 2002 for Exchange 2000 (which came with Outlook 2000) purchasers: $0
Cost of Outlook 98 for Outlook 97 purchasers: $0
Cost of PocketPC 2002 for purchasers of PocketPC 2000 models equipped with adequate memory and ARM CPU: $0
Cost of Visual Studio Installer 1.0, 1.1 for Visual Studio 6.0 purchasers: $0

These are bona-fide "upgrades" rather than "updates" (service packs, hotfixes) or minor add-ons, and these are just a few examples from over the years.

Now take a look at this page:
https://www.redhat.com/support/errata/archives/

The bold header on this page tells you that "Errata" includes "Security Alerts" and "Bugfixes." Below the header, it tells you, "Errata is no longer being issued for the following products. Please upgrade." Make sure you've got $179+ before you click the upgrade link.

Then it proceeds to list Red Hat Linux 8.0 and earlier versions. Red Hat Linux 8.0 was released on September 30, 2002 and replaced by 9.0 on March 31, 2003. If you bought the "current" version of Red Hat Linux, 1 year ago today, you would be officially unsupported today for Security Alerts and Bugfixes. Sure, you could spend half your waking hours to figure out all the generic kernel fixes that might be applicable to you, and to hunt down RPMs from various sources for fixing the vulnerabilities in openssh, samba, etc.

So while Microsoft is still giving us free security tools and patches for products released in the late 90's, the leading vendor of Linux is abandoning customers who bought the "latest" a year ago. In fact, if you bought Red Hat Linux 9.0, it reaches its end of life in 2 months.

Sure, you could go with Fedora, but that's not so different than going Debian. In other words, scrap the entire notion of commercial Linux, which is what supposedly makes Linux "ready for the enterprise." Every time someone finds Linux to be insecure, the fanatics respond by claiming that the Linux systems were configured by incompetents. Well the IT world is full of incompetents, and that's why organizations want to buy platforms from vendors who will support them. And everyone knows that vendors cannot support old versions forever.

Microsoft's phasing-out of Windows 98 and NT 4.0 support has gotten drawn out for years longer than planned, all due to customer feedback. Where's the $$ incentive forcing Microsoft to keep supporting those folks? When you buy from a vendor who has $53 billion in the bank, you know that they can afford to support whatever they want to. In exchange, I think Microsoft deserves the right to be quoted as encouraging people to upgrade.


#3 By 8047 (24.98.39.236) at 2/26/2004 10:26:30 PM
holedup,

Indeed, those are good examples, but minor in the big scope of such a blanket statement Aucsmith made. 95 to 98 to ME to 2000 to XP were not cost-free upgrades to get "secure". The point I'm making is..."it is good to upgrade and keep things up-to-date" vs. "security IS upgrading" is ridiculous. That is simply not a good thing too spit out from a company that states it is committed to security and has "started" to turn its leaf towards security vs features.
For years, people have kept preaching at MS they should have taken Novell's take on security...lock down out-of-the-box and simple common-sense of granting security as needed. For years, MS ignored this and even mocked it only for it to FINALLY start with Windows Server 2003 "lock-down" out-of-the-box and reverse it's stance. Granting access as needed is MUCH easier than going through 5 white papers, 53 KB articles, 30 security bulletins, 5 webcasts, 7 independent security books, the hackers guide and the resource kit just to secure a Windows box, only to find out "oh sh^T, their recommendations just broke half my applications".
I laud MS's changes and do believe they are going in the right direction, but still not quite there and his statement still tells me they don't get it. Additionally, I have to deal with MS PSS Security quite a bit and know in very much detail what they DON'T publicly state or clarify or simply is inaccuarate or insufficient to secure "features". They wash down security information way too much and provide so few details how it breaks other things (mainly because their features were so wide-open in the first place and told developers how to code poorly and insecurely)!

As far a xNIX, don't use it, don't care about it, I agree it's worse.
As far as Novell, they got security right, BUT they lost it years ago in other areas and have other flaws.
None of them are perfect and indeed MS has made some positive steps, BUT only because people keep pushing them harder and proving their philosophy was wrong all along.

For I'm not bashing MS, I'm simply stating what I feel that the vendor I have to support and am skilled at, just isn't "getting it" yet. They are getting better, but if you only see what I see internally at MS, you'd understand they live in a bubble. Unfortunately, the bubble is flawed, but yet they market so well, they convince the world to join their bubble instead of making the "best" decision to get the hell out of their bubble and truly see the "real" world us tech-heads have to deal every day.

This post was edited by SMG on Thursday, February 26, 2004 at 22:31.

#4 By 12071 (203.185.215.149) at 2/26/2004 11:01:37 PM
"We have never had vulnerabilities exploited before the patch was known"

NEWS FLASH :- Hackers stopped!
Microsoft has ceased releasing any patches to their Windows operating systems stopping hackers from being able to write exploits.

#5 By 12071 (203.217.69.61) at 2/27/2004 3:01:53 AM
#5 I'm not only mocking Microsoft's security.... I'm mocking the moron who said, and I quote, "We have never had vulnerabilities exploited before the patch was known"! This moron also happens to be in charge of technology at Microsoft's security business and technology unit.

Given your stance on Microsoft, you should be a little more concerned that the guy in charge of SECURITY is going out in public and making such stupid statements! That's not to say that many exploits AREN'T written after a patch is released, this is indeed the way it happens in many cases. But to say that no-one has ever exploited an MS bug before they patched it is plain and simply ignorant - and ignorance shouldn't be in charge of security!!

Halt your Linux vs Microsoft crusade for 5 minutes. I didn't say that Linux or OSS doesn't have security issues - in fact I didn't even MENTION Linux!! - they have them as much as anyone else has them. The difference is that the security issues in OSS are out in the open for anyone to see, full disclosure, rather than hiding fixes inside other fixes, which are probably hidden inside other patches!

#6 By 19992 (66.101.204.156) at 2/27/2004 8:02:07 AM
#4

It's a typical BBC article, they didn't bother proofing the story before it ran.


This quote is from the same article linked above.

"Mr Aucsmith said he could only think of one instance when a vulnerability was exploited before a patch was available. "

Now I have to wonder which quote is accurate?

This post was edited by happyguy on Friday, February 27, 2004 at 09:34.

#7 By 6253 (4.13.144.234) at 2/27/2004 5:06:25 PM
SMG, I see now. You're one of those die-hard, cling-to-nwadmin-and-even-wish-it-were-still-syscon people. Maybe you can help me figure out how to get off Novell's mailing list. Ever since I got my CNE in 1996, they won't leave me alone.

NetWare wasn't and isn't the slightest damn bit more secure than NT. You either don't understand well enough to realize it, or you're intentionally hoping to revise history for people who weren't there.

The only thing that kept NetWare secure was that you couldn't run a damn thing on the servers except for NLMs which had to be written by gods. By the time Novell realized that they needed an app server and not just a dumb file & print server, the only thing they could do was slap a JVM on it. I don't blame Novell for buying SuSE. NetWare was a hopeless dead-end, kept alive only by people too slow and lazy to understand what was wrong with it.

During some time I spent as a trainer, I noticed that people with NetWare backgrounds had a harder time understanding NT security than people with no computer background at all, because the NetWare bigots kept trying to find "equivalents" for everything. The models are entirely different and when you try to evaluate one by the other's criteria, you're going to misunderstand a great deal. Whereas Microsoft LanMan/NT requires network resources to be shared explicitly, NetWare automatically exposes all of its disk volumes and printers. Since you would never have users running apps on a NetWare server, there's no reason you wouldn't share all disk volumes and printers.

Further, the bindery was simple to understand (and thus gained a lot of mindshare amongst people who didn't have much mind to share) but horribly limiting. When Novell came along with NDS and declared it the first directory service for a PC NOS, it was a lie. It was the first hierarchical one and offered some advances like multi-master replication, but NT domains had been providing the convenience of consolidated administration for cross-server authentication. Best practices combined the domain with local SAM databases to allow departments and divisions to manage their servers' resources without having redundant maintenance of users and groups for the enterprise. This is the basis for "global groups should go in local groups which are then assigned permissions." Less than half the people in the world know that this is how ACLs should be managed in NT, and less than half of those people truly understand why. Largely, it's because they are "old dogs" trained on Novell's tricks, who can't unlearn NetWare long enough for a totally different approach to sink in.

#8 By 8047 (24.98.39.236) at 2/28/2004 3:19:04 PM
holedup in denial,
That was a humorous piece, albeit quite the opposite in reality.

And no, I haven't the slightest loyalty to NW at all. I'd rather slice my nipples off. I won't touch Console One cause the damn thing requires the horsepower of the SETI program to even launch. Pathetic.

:>

#9 By 241474 (94.23.226.25) at 11/14/2009 7:17:11 PM
Since the cost of servicing an iPhone is outrageous and monopolized by one company. I'm wondering if jailbreaking is true, if its something you should/can do yourself, or should you buy one already 'jailbroken'?



________________
[url=http://unlockiphone22.com/]unlock iphone 3g[/url]

#10 By 409625 (194.8.75.44) at 9/29/2010 6:10:59 PM
Health Food Pills all
http://www.ibiza43.com/ - generic valium no prescription Treatment of Insomnia: [url=http://www.ibiza43.com/]buy valium without prescription[/url] If used for prolonged periods of time however, Valium can be counterproductive and cause a wide range of side effects. <a href=http://www.ibiza43.com/>valium pill</a> Side effects that one may experience when taking Valium (especially at higher dosage levels) include: Valium dependency, suppression of REM sleep (which leads to fatigue), impaired motor function, impaired coordination, impaired balance, dizziness, nausea and in some cases, even depression.

#11 By 409625 (194.8.75.44) at 9/30/2010 4:09:03 AM
Blackmail Royal Drugs Video all
<a href=http://www.auto-source.org/>buy cetirizine online</a> Zyrtec to treat allergy Buy cheap generic or brand Zyrtec (Cetirizine) at one of the reputable online pharmacy. [url=http://www.auto-source.org/]zyrtec sale[/url] The new formulation received approval from the FDA in August 2008. http://www.auto-source.org/ - buy generic zyrtec No prescription is needed! Worldwide delivery.

#12 By 433276 (194.8.75.44) at 11/6/2010 5:10:12 PM
Malleria Tablets

http://www.realintheday.com/ - cialis tadalafil
Schon seit einigen Jahren ist Cialis im Vergleich zu Viagra immer beliebter geworden, dies konnte mit der genannten langeren Wirkdauer zusammenhangen.
[url=http://www.realintheday.com/]cialis kaufen[/url]

#13 By 434432 (213.5.66.16) at 11/9/2010 2:07:27 AM
Pharmaceutical Drug Search

http://www.left4deadaddicts.com/ - order levitra online
cheap cialis
[url=http://www.left4deadaddicts.com/]levitra 20mg[/url]

#14 By 435282 (193.105.210.42) at 11/11/2010 2:27:41 PM
Codiene Result On Drug Test
[url=http://www.mwdcabinets.com/]order levitra online[/url]
Just take levitra drug with proper care and you will observe the change in yourself within a short period of time.
mwdcabinets.com

#15 By 434432 (213.5.66.16) at 11/21/2010 3:00:08 PM
Emergency Care Iv Drug Abuse http://rkberane.com/ - cymbalta drug Cymbalta is an anti-depressant that is used to treat severe depression as well as anxiety. [url=http://rkberane.com/]cheapest cymbalta[/url]

#16 By 434432 (213.5.66.16) at 11/27/2010 4:35:24 PM
Idk Drug Usage [url=http://glowdiva.com]viagra price[/url] Order Viagra (Sildenafil) at discounted price. http://glowdiva.com - cheapest viagra

#17 By 434432 (213.5.66.16) at 11/27/2010 7:15:52 PM
Doctor Franks Dog Medicine [url=http://www.lasvegasgrouptraveler.com/]ativan lorazepam[/url] If you have problems breathing, glaucoma, kidney disease, liver disease, or a problem with mental illness or substance abuse, you should not take Ativan. http://www.lasvegasgrouptraveler.com/ - lorazepam online

#18 By 441002 (193.105.210.42) at 12/2/2010 8:54:17 PM
Unmedicated Tablets Medicated Liquid [url=http://www.weberudite.com/]precio levitra[/url] Millones de hombres en el mundo sufren de alguna manera con la impotencia o disfunciA?n erAİctil y esto llega a dificultar su vida de pareja, su calidad de vida, autoestima, etc. http://www.weberudite.com/ - levitra 20 mg

#19 By 441002 (193.105.210.42) at 12/3/2010 10:42:05 AM
Lafayette Indiana Drug Centers [url=http://www.prosperityaffiliates.net/]xanax without prescription[/url] Xanax is the trade name for the medication known as Alprazolam. http://www.prosperityaffiliates.net/ - buy cheap xanax online

#20 By 442201 (213.5.66.16) at 12/10/2010 4:37:37 PM
Hart Attack Drug http://www.caritasplacevillage.com/ - accutane for sale Accutane is not for people that have the odd pimple now and then it is for serious acne. [url=http://www.caritasplacevillage.com/]generic accutane online[/url]

#21 By 444555 (91.201.66.154) at 12/20/2010 8:32:11 PM
Party Pills What'S In Them
[url=http://aldireviews.com/]buying clonazepam online[/url] Additionally, these effects can continue for six months after taking the medication. http://aldireviews.com/ - klonopin medication

#22 By 446693 (193.105.210.42) at 12/25/2010 9:19:21 PM
Stores Carrying Respitrol Asthma Medication http://www.filge.com/ - order clonazepam online In addition, mania is often treated with Klopin until other drugs can start working. [url=http://www.filge.com/]generic clonazepam drug[/url]

#23 By 447452 (91.201.66.84) at 12/27/2010 4:37:52 PM
Hello, Penn Veterinary Medicine [url=http://www.pinemeadowsretreat.com]phentermine price[/url]
It is generally used for curing obesity problems or something related to that.
http://www.pinemeadowsretreat.com - generic phentermine online

#24 By 447452 (91.201.66.84) at 12/27/2010 8:20:57 PM
Hello, Sdsu Drug Bust Mugshots [url=http://www.pinemeadowsretreat.com]discount phentermine[/url]
Its effect is not long lasting.
http://www.pinemeadowsretreat.com - phentermine cost

#25 By 448235 (91.201.66.154) at 12/28/2010 6:00:53 PM
Drug Regimen Unassisted Grading Scale http://www.mpeye.org/ - propecia
[url=http://www.mpeye.org]buy finasteride online[/url]
, U.
http://www.mpeye.org - order propecia online
Finasteride is the name of the source from which Propecia is extracted from.
<a href=http://www.mpeye.org>discount propecia</a>

Write Comment
Return to News
  Displaying 1 through 25 of 401
Last | Next
  The time now is 5:54:05 AM ET.
Any comment problems? E-mail us
User name and password:

 

  *  
  *   *