Microsoft warns of 'critical' Windows security flaws

Started by MonkeyDrummer, February 11, 2004, 12:16:48 PM

MojoJojo

Except, of course, that Microsoft are now only doing monthly security patches.

They broke the cycle for Internet Explorer last week because it was a particularly bad bug, and Microsoft took the option of removing the feature instead of fixing it. So it didn't take very long.

The vulnerability fixed in this latest patch was discovered 6 months ago... And this is for the most serious vulnerability since the one Blaster was based upon.

MonkeyDrummer

I mean I'm prepared to accept that occasionally mistakes happen and things are overlooked, still no excuse but I'm giving Microsoft the benefit of the doubt. However, for it to take them 200 days to come up with a solution just takes the fucking piss. What did they do, lock 150 monkeys in a room with 150 computers? They might as well have. But this happened with Blaster too, they announced the security flaw a month before Blaster started taking computers out so expect a similar situation in a few weeks time.

Vermschneid Mehearties

Quote: Microsoft urged consumers to apply the repairing patch immediately if they were using Windows NT, Windows 2000 or Windows XP versions of its software

Haha. I love Windows ME.

Timmay

Quote from: "Vermschneid Mehearties"
Haha. I love Windows ME.

Indeed, this particular flaw only affects the NT flavour of Windows, so 95, 98, and ME are unaffected. However, by using the non-NT type of Windows, you are already using some of the most hackable and insecure operating systems that exist. There ain't no patch or fix that can stop that, other than firewalls and the like.

Pinball

Presumably M$ takes so long so it can bundle other patches in at the same time, and so key customers can get patched before the security risk becomes public knowledge, though I agree it seems pretty incompetent to take so long.

I wonder how many of these "flaws" are deliberately included by M$ for the security services and M$'s own customer monitoring? Only when they become publicly known do they then bother to fix them. If true, this would give a whole new justification for switching to open source Linux...

MonkeyDrummer

Yeah, they said in the report that they wanted to fix the problem with one update so that's why it took so long. No point in half fixing the problem I suppose but it still smarts a bit. These guys are supposed to be among the top of their field and they can't even scratch their own arse. They're a fucking joke and a disgrace.

gazzyk1ns

Most of the time it's half MS not wanting to shout from the rooftops that their OS has such a serious security hole, and half people being ignorant and not bothering to check for updates. The patch for Blaster was available months before... anyone even called the thing blaster. If people would only go to Windows Update once a week and download any 'critical updates' then nothing like blaster would ever make itself apparent. You can bash MS all you like but that's not an unreasonable request, most (all?) Linux distributions ask to check for net updates on setup which is basically the same thing.

Microsoft in the past have been ever so good at releasing security updates for Windows and IE, they've publicised hundreds of security holes which, to any public knowledge, have never been exploited and probably never will be.

If you're starting to fret about the decreasing amount of security updates to IE then switch to another browser... although personally I wouldn't worry at all, this latest spate of worms* and mass-mailers are flaws in Windows, and Outlook (specifically the address book coupled with the way it will open certain attachments without asking) respectively. Possibly more importantly, especially with the mass-mailers, they just exploit flaws in your ignorance - which is exactly why the Linux fanboys write them.


*worms, this is an interesting one... up until about a year ago "WORM" was an acronym which meant "Write Once Read Many times", with reference to the way it spread itself. However since the publicity surrounding Blaster et al, and the term has had to have been written in non-tech publications, numpties seem to have had to drop the acronym completely to understand it, preferring to just say "worm", which is confusing. I know worms burrow around out of sight and maybe that's what they're getting at, but it's hardly the same thing.

Timmay

And don't think for a minute that UNIX (and therefore Linux) doesn't have its fair share of security holes, viruses, patches, fixes, etc.

Part of the reason the media don't report on such flaws, is because they don't hear about them. Many of the people who are discovering the Windows and Linux flaws, *use* Linux themselves, so keep news like this very much 'underground', and fix it quietly. And although plenty of virii exist for Linux, you don't get the outbreaks as you do with Windows, because Linux hasn't got a 200 million plus installed user base*, like Windows.

* I actually have no idea how many Windows installations there are. I did try to look it up, but I'm guessing it's a fuck load, say 200 million?

gazzyk1ns

Yeah and as well as that, a lot of people say "Windows is less secure than Linux" which isn't necessarily correct. Windows has infinitely more attackers than linux. In real usage that does in effect mean that it's "less secure", but it's missing the point to say "cum on m$ get ur fingerz out". They are getting their fingers out and whilst their security is far from perfect, the Linux fanboys' attacks are leading to constant development and/or tightening, however minor, of Windows security.  If it carries on evolving and developing because exploits are constantly exposed then at some point the Linux people might start regretting they'd exploited them.

MojoJojo

Quote from: "gazzyk1ns"
*worms, this is an interesting one... up until about a year ago "WORM" was an acronym which meant "Write Once Read Many times", with reference to the way it spread itself. However since the publicity surrounding Blaster et al, and the term has had to have been written in non-tech publications, numpties seem to have had to drop the acronym completely to understand it, preferring to just say "worm", which is confusing. I know worms burrow around out of sight and maybe that's what they're getting at, but it's hardly the same thing.

Hmmmm, the Hacker's dictionary has quite a different entymology of the usage http://www.catb.org/~esr/jargon/html/W/worm.html ... basically going back to a 1970s novel.

And "Worms" don't really Write Once Read Many times... If you go back to Core War origins  they do pretty much the opposite. I think the WORM acronym is really only used  to describe certain types of obscure data storage.

Gah, sorry for going off topic, I'll shut up now.

Purple Tentacle

Back in my 11 year old IT lessons we were taught that WORM was "Write Once Read Many times", an early acronym for CD-R.


Not virii.


I've been cold-calling Heads of IT about fucking Microsoft all day, and if I hear one more fucking light-hearted joke about viruses I'm going to kill.

Be calm, be calm, look at the baby!

Uncle_Z

Quote from: "MojoJojo"
...entymology...

This typo in a creepy crawly context has made me smile.

Good linkage though :)  Saves me going to find a resource for the hacker vs cracker nomenclature too.  (There was going to be a point about loads of terms being misappropriated, countered by a half-arsed "language evolves" muttering.  Both are superfluous so I can crawl back in my cave)

bill hicks

What really pisses you off is having to go out and buy a copy of Windows XP on the Monday (for £180 no less), installing it and then going to the Windows update to make sure to find out that the piece of software you got hours earlier (for 180 fucking quid remember) requires 15 critical updates. FIFTEEN.

And then another one the next day.

imitationleather

Quote from: "Purple Tentacle"
I've been cold-calling Heads of IT about fucking Microsoft all day, and if I hear one more fucking light-hearted joke about viruses I'm going to kill

Well if I get it, it certainly won't be the first time that I've picked up a virus as a result of a contact from the internet!

Pinball

Windows Update pings automatically on my PC (though I have to accept download). It's incredible that numpties still fail to d/l updates despite that.

MonkeyDrummer

I would expect Linux to have a few flaws, it's free of course. Windows 2000 server isnae and as such I'd expect a more professional product. Does anyone know the default windows update option? I'm not sure as I can't remember, but it really should default to automatic. I came into work this morning and I had a nice wee balloon down in the bottom corner telling me everything was going to be ok.
But yeah, it is a culmination between Microsoft keeping shtum and bad update policy, however in the past you'd have to be at least semi-active computer mind to have been aware of the Blaster threat as I can remember it wasn't very public until after the event (I may be wrong there). Probably why it made Metro's front page today then.

Purple Tentacle

I'm all for developing a deadly exploding virus that could potentially take the legs off and fill the face with shrapnel of anyone who's stupid to open unsolicited attachments via email.

Or anyone who's too lazy to spend 5 minutes installing a firewall.

Kill!  Kill!!   Kill!!!!!

MojoJojo

Quote from: "gazzyk1ns"
Yeah and as well as that, a lot of people say "Windows is less secure than Linux" which isn't necessarily correct. Windows has infinitely more attackers than linux. In real usage that does in effect mean that it's "less secure", but it's missing the point to say "cum on m$ get ur fingerz out". They are getting their fingers out and whilst their security is far from perfect, the Linux fanboys' attacks are leading to constant development and/or tightening, however minor, of Windows security.  If it carries on evolving and developing because exploits are constantly exposed then at some point the Linux people might start regretting they'd exploited them.

There is some truth in this, but the UNIX/Linux architecture does have some inherent advantages in terms of security:

Root/Administrator - in Linux it's sort of standard to run without full access privileges most of the time, while in Windows it gets annoying extremely quickly, so most people just run under an admin account

Open Source - this sort of goes both ways, but you can have a greater assurance about the absence of security flaws as you can look through the code yourself. And lots of people who are not intimately attached to the code probably already have.

Default Off behaviour - MS has been well known for leaving all those services most people never use on - with their security flaws left on too. They are changing this behaviour in future OS releases.

Linux demands some basic knowledge from the user - you get stuck fairly quickly if you know nothing about the security model. In Windows all you need to do is run as Administrator all the time, then you can do all the boneheaded (from security viewpoint, anyway) stuff you want.

Bah, I'm not that much of a Linux zealot, and I realise that it isn't the right choice unless you're a computing professional/nerd.

Hmm, I seem to be contradicting you a lot in this thread gazzyk1ns. Sorry.

You do know your argument is the same one Bill Gates was using a week or so ago in response to the latest virii outbreak?


MojoJojo

Quote from: "MonkeyDrummer"
I would expect Linux to have a few flaws, it's free of course. Windows 2000 server isnae and as such I'd expect a more professional product. Does anyone know the default windows update option?

The latest service pack defaulted it to "On". (Also had to sign (tick?) a more restrictive User Agreement, in a "we'll only fix your our software if you allow us to restrict your rights even more" type way).

I'm really not a Linux zealot.

Timmay

Quote from: "MojoJojo"
I realise that it isn't the right choice unless you're a computing professional/nerd.

And this is why I keep persisting with it. I *am* a computing professional and a nerd, always have been, always will. I've configured numerous Solaris systems, and even used to use Linux during my Uni days. Now, I'm finding that although it's getting *better*, I just can't be arsed.

Just give me an OS that looks nice, is easy to use from the moment of getting the CDs out the box, and works. Linux isn't like that.

terrorist

Quote from: "Timmay"
Quote from: "MojoJojo"Just give me an OS that looks nice, is easy to use from the moment of getting the CDs out the box, and works. Linux isn't like that.

Try Mac OS X (may not be relevant as I've jumped in at the tail end of a thread here without reading it). It's super-cool.

[sorry seem to have done something funny with the quote]

Timmay

Heh... I wondered how long it would take to get onto Macs! I might try it, one day, one day when God sees fit to bless me with a £2000 windfall for a decent Mac.

In the meantime, I'm quite happy with XP.

Sherringford Hovis

Quote from: "Timmay"
Just give me an OS that looks nice, is easy to use from the moment of getting the CDs out the box, and works. Linux isn't like that.

Must've been a while ago you tried Linux - boxed versions like Xandros are now EASIER to install than WinXP.

gazzyk1ns

Mojo:

Nice info on the worm thingy, a lot of that up there was assumption - I just found it funny as I knew the existing meaning/usage of the WORM acronym. It would have been typical for the mainstream media to dumb it down. Fair enough though, it appears they haven't.

Re: Linux - yeah I completely agree with all you said there, you might have read in the other thread that I use Mandrake myself. I just don't know enough about it yet to switch 100% from Windows. Mandrake specifically (or KDE, not sure) has some niggly issues with monitors and refresh rates and that's been my specific problem.

I think a lot of us forget that we've got 10 years of experience in Windows behind us, so comparing the ease of use with Linux - where we're starting from scratch - isn't fair. I personally am determined to learn how to use Linux to a similar level that I can use/configure Windows, so I can then see which is best for me from an unbiased point of view.

The point of my post was that people are panicking unnecessarily about Windows security flaws and bashing MS needlessly again, if you're firewalled, don't take silly risks, and update regularly then you should never have a problem.

Timmay

Quote from: "Sherringford Hovis"
Must've been a while ago you tried Linux - boxed versions like Xandros are now EASIER to install than WinXP.

If you call 2 weeks ago a long time ago, then yes. And while I can't speak for Xandros, the latest Mandrake wasn't anywhere near as easy to install as XP. See my comments on another thread, about recompiling kernels, and reinstalling Linux because I didn't have some compiler installed, to install some nVidia drivers for an up-to-date common as muck graphics card.

And either way, it'd have to be fucking special to be easier than XP to install. I've done many installations of it at work, and you put the CD in, tap in your key if you haven't got a volume license edition, press a couple of 'OK's, and 30 mins later, it's done. All the hardware's detected, and it's ready to rock.

Geej

I must agree with Timaeee.

I wanted to run Linux on my new system as a dual boot thing (choose your operating system on boot up) - and I even bought Red Hat Linux.

After a fair bit of faffing around (anybody here who has been 100% Microsoft is going to get a little bit lost answering questions in the installation program referring to operating system files he has no idea about) it was nearly all done.

Except for one thing.  Modem drivers.  It didn't have the right one.
No siree Bob.  Couldn't find one either.  A 'Win Modem' is apparently what I had. So no driver for you Geej!

I went to our local geek shop.  They had no idea either.  Except buy a Modem which they were sure would work on Linux (Even asked the admin Linux geek chap).  So I spent another £30.

Went home and shoved it in.

XP didn't even blink.  It got on with it and was happy.
Linux didn't blink either.  Couldn't even see it.
It did offer me a nice thought though "Try downloading a driver for it" - through what?
I became a little angry then.
I had spent the best part of 4 weeks trying to get Linux to work, then thought "Fuck it - life is too short"

When it can install and be used as easily as XP somebody tell me, and I'll give it another go - until then Sir Bill gets my money - and not because I want to give him any more money and not because I haven't tried other options...

Timmay

Yeah! mICroSOFT RulEz oK!!!!!111 LOL!!1 doWn wItH tHE PenGIUn!

Yup. Even after the toil of getting it to run, with your common as muck components in your PC, it still doesn't look as nice. Not speaking for GNOME here, I've not tried it, but the windows in KDE look tacky, and almost unfinished. You open a new application or something, and the window kinda draws gradually, first you see an outline, then a split-second later, BANG, it's filled the boxes and it's no longer see through, then BANG, there's the content.

If I sound like I've got a downer on Linux, I kinda have at the moment, cause it's recently pissed me off. But on the whole, as I've said before, I would like to be able to use it instead of XP. I would like it to be better than XP.

blue jammer

[disclaimer, I haven't installed or used Linux, other than Final Scratch software which has its own installer, runs from CD, easy peasy]

I don't understand why people want to get away from using Microsoft O/S.  It feels to me like a lot of people do it to be 'cool' or 'different' somehow, maybe that is a huge sweeping statement, but it's what I think.

How many of you using/wanting to use a Linux distro instead of Windows XP or 2000, want to do so, as you are going to try and achieve something of worth, maybe programming, or for the purpose of getting a job due to having Linux experience?

If all you are doing is switching over from Windows to Linux, so you don't think you are a 'sheep' then it seems very pointless.

I'd have thought Linux would be quite limiting for a lot of things, ok, it'll no doubt have its own players for music and movies, its own office software and the likes, but in terms of support, updates, and future development, it's surely more limited than Windows?

Timmay

Personally, I want to do it partly so I'm using legit software, so I can learn another technology/be able to say I've done it (it's a geek thing), and because I genuinely think that underneath, deep in the architecture, it is inherently a better operating system.*

* Although I firmly believe XP isn't far behind, and Windows is catching up quickly.