ALL YOUR XP BELONG US?
You are a sheep running XP and the shepherd is walking towards you wearing gum boots ... are you nervous yet?
Microsoft has released a security patch to squash a bug in Windows that hackers are exploiting to compromise whole networks of computers. Redmond said today a vulnerability (MS14-068) in the Kerberos authentication system, used by default in the operating system, allows a normal user to ramp up their privileges and access …
Now, considering that XP is now cordoned off from the rest of the systems, I'd consider these systems more secure than general-use systems with Windows 7. Also, I'd hope that patch actually fixes the issue on the server. Having a client system compromise the security of the whole network can't be considered good design.
This vulnerability is a domain controller one - it's in the code used by a Kerberos KDC (which in Windows is a DC) to validate a Kerberos ticket. You can alter some of the ticket data to gain more privileges and the ticket still validates. Therefore client machines and non-DC servers are not affected, and so XP is not affected by this vulnerability.
Anyway, because any server could be (manually) promoted to be a DC, and because the same code looks to be present on client systems too, the patch applies to all systems, although what you need to patch ASAP are the DCs.
As said, I would not be surprised if the same Kerberos libraries are shared among client and server versions, so it makes sense to bring them all up to date, even if some code is never called by client systems. Maybe while fixing the bug they also took the time to refactor some code to make it more robust, and make it less vulnerable to yet unknown issues.
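The post above describes the bug as the KDC accepting a ticket whose privilege data has been altered. The following is an added illustration, not code from the original thread or from Microsoft: a toy model of a KDC validating the signature over a ticket's privilege data. The "vulnerable" verifier trusts the checksum type named inside the ticket, so an attacker who chooses an unkeyed checksum (plain MD5, which anyone can compute) can rewrite the group list and still have the ticket validate; the "fixed" verifier insists on a keyed HMAC under the KDC's own key regardless of what the ticket claims. The key, the JSON encoding, the checksum-type labels and the group identifiers are constructed for this example and are not the real PAC wire format or Kerberos constants.

```python
import hashlib
import hmac
import json

# Constructed stand-in for the KDC's long-term (krbtgt) key; not a real key.
KDC_KEY = b"constructed-krbtgt-key-for-demo"

# Illustrative checksum-type labels (not the real Kerberos checksum-type numbers).
CKSUM_UNKEYED_MD5 = "md5"          # anyone can compute this, no key needed
CKSUM_KEYED_HMAC_MD5 = "hmac-md5"  # needs KDC_KEY to compute


def encode_pac(pac: dict) -> bytes:
    """Canonical encoding of the privilege data (constructed JSON stand-in)."""
    return json.dumps(pac, sort_keys=True).encode()


def sign_pac(pac: dict, cksum_type: str, key: bytes = KDC_KEY) -> dict:
    """Produce a signed ticket; the unkeyed variant ignores the key entirely."""
    body = encode_pac(pac)
    if cksum_type == CKSUM_KEYED_HMAC_MD5:
        sig = hmac.new(key, body, hashlib.md5).hexdigest()
    elif cksum_type == CKSUM_UNKEYED_MD5:
        sig = hashlib.md5(body).hexdigest()
    else:
        raise ValueError("unknown checksum type")
    return {"pac": pac, "cksum_type": cksum_type, "signature": sig}


def verify_vulnerable(ticket: dict, key: bytes = KDC_KEY) -> bool:
    """Flawed check: honours whatever checksum type the ticket names,
    including an unkeyed one that the attacker can compute themselves."""
    body = encode_pac(ticket["pac"])
    ctype = ticket["cksum_type"]
    if ctype == CKSUM_KEYED_HMAC_MD5:
        expected = hmac.new(key, body, hashlib.md5).hexdigest()
    elif ctype == CKSUM_UNKEYED_MD5:
        expected = hashlib.md5(body).hexdigest()
    else:
        return False
    return hmac.compare_digest(expected, ticket["signature"])


def verify_fixed(ticket: dict, key: bytes = KDC_KEY) -> bool:
    """Hardened check: only a keyed checksum under the KDC's key is acceptable,
    no matter what the ticket claims about itself."""
    if ticket["cksum_type"] != CKSUM_KEYED_HMAC_MD5:
        return False
    body = encode_pac(ticket["pac"])
    expected = hmac.new(key, body, hashlib.md5).hexdigest()
    return hmac.compare_digest(expected, ticket["signature"])


def forge_admin_ticket(user: str) -> dict:
    """What someone without KDC_KEY can do: add a high-privilege group
    (512 is used here as an illustrative 'admins' identifier) and sign with
    the unkeyed checksum, which needs no secret."""
    pac = {"user": user, "groups": [513, 512]}
    return sign_pac(pac, CKSUM_UNKEYED_MD5)


def demo() -> dict:
    """Run both verifiers over a legitimate ticket and a forged one."""
    legit = sign_pac({"user": "alice", "groups": [513]}, CKSUM_KEYED_HMAC_MD5)
    forged = forge_admin_ticket("alice")
    return {
        "legit_vulnerable": verify_vulnerable(legit),
        "legit_fixed": verify_fixed(legit),
        "forged_vulnerable": verify_vulnerable(forged),
        "forged_fixed": verify_fixed(forged),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```

The point the model makes is that a checksum is only an integrity guarantee if the verifier, not the sender, decides which algorithm and key apply; letting the data being checked nominate an unkeyed algorithm turns "signature" into "hash", which any client can recompute after editing the privilege data. That is also why, as the post says, the fix matters most on the DCs: the flawed decision is made by the validating side.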
I'm confused, why would this make XP users nervous?
Microsoft said the vulnerable component is in all supported versions of Windows – Vista through 8.1 – and Windows Server – 2003 through 2012 R2. The company has made the fix a critical priority for Windows Server systems.
Did Ballmer fart in the general direction of the security team and fetchez la vache onto them and is Nadella resurrecting it?
On the other hand, I heard the dudes in security would be folded into marketing or something? Has this order of High Pointyhairedness been belayed?
Did Ballmer fart in the general direction of the security team and fetchez la vache onto them and is Nadella resurrecting it?
I get the Monty Python allusion but I just can't make linguistic nor grammatical sense of this
Plus, it's actually Nadella who's done most of the sacking.
[REDACTED],[REDACTED], [REDACTED],[REDACTED] and [REDACTED] will be annoyed.
Now they will have to pay [REDACTED] to be able to continue their ongoing campaign of [REDACTED] [REDACTED] [REDACTED].
In the meantime, to prove you're not [REDACTED] [REDACTED] or [REDACTED], would you please ensure that your communications are completely in the clear and that you fax all passwords and the services that they are for, including IP addresses, MAC addresses, physical location and the type of information stored on them, to [REDACTED]
Yours
[REDACTED]
[REDACTED][REDACTED][REDACTED][REDACTED][REDACTED]
[REDACTED][REDACTED][REDACTED]
[REDACTED]
<rant>
After all of these years of Windows OS releases, almost every Patch Tuesday for the last 10+(?) years, how can (new) remote code execution / privilege elevation exploits still be happening?
As a developer for 20+ years, I just, really, REALLY! don't understand how this can still be happening to newer versions of Windows...
Either:
- MS has no fucking understanding of security
or
- MS doesn't care about security
or
- MS code is complete and utter shit
or
- MS developers don't know anything about coding
or
- Some combination of the above.
I get really, REALLY! tired of the same old shit day after day, month after month, year after year.
It's a damn good thing that most of my internet-facing machines are ABW (anything but Windows). MS must think that I have infinite time to spend on testing/patching machines with their code, because they apparently can't, won't or are unwilling to fix their stuff.
Complete and utter failure on their part.
Yes I'm very frustrated with MS right now. Even Windows 10 has this problem - even after completely skipping a major (9) (sic) version!!
</rant>
I'm sorry, it's been a bad day (night)... And if I could specify a FAIL + ALE (As in I need a beer after this one...) icon in the future, that would be cool.
MS was never focused on producing stable and smart code. Half-baked programming ruled the west coast for too long. It was cheaper and faster to produce poor code, and with the early IBM alliance it generated a guaranteed market and yielded large profits. So large profits yielded business models that presupposed poor coding and created a massive third-party market of products fixing the obvious.
As a developer you should then be aware that it's pretty much impossible to release 100% bug-free code, especially when you're talking about something the size of Windows.
True, but ...
There is such a thing as coding with security in mind. A long time ago Microsoft hired the chief architect of the VMS operating system away from Digital, with the brief to write them a secure kernel to replace Windows 98. The result was Windows NT 3.51. It was the most secure system Microsoft ever had, possibly second only to VMS in terms of excellence.
Being secure meant that graphics performance sucked compared to Windows 98 (where there was basically no security at all). This was a completely inevitable result of securely managing the system's memory on the hardware of the day. So what did Microsoft do? It took this kernel that had been engineered for security, and blew holes in it in order to make the graphics run faster. Enter NT 4.0. Broken by design and orders from the top. Then 2000 (further security compromises), then XP(even more). Eventually what had once been one of the most secure OSes in existence (perhaps behind only VMS) became an unmaintainable kluge. Around XP SP2 they claimed to realise that security mattered and started trying to patch the holes that they had deliberately created in a once-secure design. The result was an un-maintainable kluge.
So they re-wrote it again. Enter Vista ....
You may say that was all a long time ago and you'd be right, except that you'd also be asserting that a system that was deliberately broken security-wise can then be patched back to secure by the people who broke its design.
The evidence all suggests that Microsoft simply does not understand security at all.
And if you think Linux et al are any different you're very much mistaken
Different culture. Open-source applications are of variable quality. Some are excellent, some less so.
The Linux kernel is engineered with security in mind and is overseen by Linus. He is very smart, he does not suffer fools gladly, and most importantly he has no marketing department to tell him what he has to compromise (ie, break) tomorrow, because some touchy-feely focus group of non-technical users thinks it would be a good idea to let it display pink elephants galloping faster.
More generally the Linux ecosystem learns from its mistakes. Things in active development get better. If there is a disagreement one project may fork into two, which then compete until either one branch runs out of supporters, or (occasionally) until both branches have found different niches in the open-source ecology. It's a very similar process to natural evolution. In both cases good designs prosper, poor designs die out.
"As a developer you should then be aware that it's pretty much impossible to release 100% bug-free code, especially when you're talking about something the size of Windows."
That may be so, but there is a big difference between bug-free code and insecure code; a professional programmer would be aware of this difference.
The worrying, yet informative, aspect of all the security announcements is just how much code in the supposedly brand-new versions of Windows actually dates back to at least XP/2003. Which, given the seemingly common thread to many of the Windows exploits over the years, doesn't bode well for the quality of the various code inspections and reviews that must have occurred over the years.
"...impossible to release 100% bug free code..."
I wrote about 30 page-feet of code that was bug free as far as we know. Used for years with not a single bug report ever. Not one. Punch line: wrote it overnight in about 12 hours straight (not including the planning and laying out the primary data structure).
Not the first time either. Wrote another 10,000+ LoC program in one sitting. Perfect. At "$100 per LoC", is it really worth a million dollars for a long day?
We had a programmer on staff that did not code himself. He just "...transcribed it straight from God." He could have a discussion with you, looking you in the face, while continuing to touch type the software code straight from God into the PC. It got weird when, without breaking eye-lock with you and continuing to discuss other topics, he would backspace to correct typos. We figured God whispered in his ear, "Backspace, backspace, backspace, now continue..." His code was perfect every time, and I mean His code. LOL.
It's not that difficult, as long as the requirements and your thinking are clear. But when lots of people get involved, then it all goes to hell pretty quick.
Maybe that's the real reason that Linux got off to such a good start. Work of one guy.
Just installed yesterday security fixes for file, libgcrypt11 and nss in Debian... the problem is not in Windows only, it looks... just see https://www.debian.org/security/2014/
Therefore, instead of keeping on whining about MS, just ensure your systems - whatever they run - are properly kept up to date.
Therefore, instead of keeping on whining about MS…
No, it's perfectly correct to moan about MS's dreadful track record on this. The issue of liability is also important for software companies: think of the trillions that Microsoft has made over the years by selling shoddy software. Who pays for any lost time / overtime as a result of some of these serial fuck-ups? Will it really take a massive legal case to change fundamental development practices? Will companies start behaving differently if the same recall rights apply to their software as is the case in the car industry?
This doesn't mean the open source community doesn't need to improve either: openssl should make all us shudder and cringe. We need to work together to develop and follow better programming and testing practices. This doesn't mean we'll ever develop bug-free software but we can do a fuck of a lot more to reduce the number of bugs around.
You kind of missed my point. I never claimed that ABW machines were perfect. What I don't like is the constant "remote code execution" and "elevated privileges" patches, which I don't see in other OSes nearly as much (Shellshock and Heartbleed notwithstanding). This has been going on with MS for multiple years. This is the issue. When I find and fix bugs in my code, I generally look around other areas and see if the problem exists elsewhere as well. You know, be proactive in fixing stuff?... MS developers appear to do nothing of the sort.
I have no faith at all that any past, current or future version of Windows can ever be made safe (as long as it's connected to the outside world) with these patches that patch for the same symptoms.
I've always been a Windows and Linux and Solaris admin and user, but lately I am seriously considering just banning all Windows OSes from my work and life. I am getting older and don't have the time left to allow MS to waste my time with their crap. Maybe it's a case of "get off my lawn". It doesn't really matter why, actually, but that's where I'm getting to.
Well, as a developer and with a vested interest in Linux, why not have a good look around the codebase in GNU or even just the Kernel and report back here all the bugs that you find (after a responsible disclosure to the team)? I guarantee there are at least 100 sitting there at the moment that are modestly easy to find for a great developer.
You'll probably easily pick up many that are similar to ones that have already been found previously, in a codebase that has hundreds of thousands of developers looking at it.
This isn't a Linux bash (no pun intended), it's just big codebases have lots of bugs. Some will be critical and in the 'internet age' many will also be remotely exploitable.
why not have a good look around the codebase in GNU or even just the Kernel and report back here all the bugs that you find
And while you're at it, do the same for the Windows code base..
Oh.. Wait...
(I agree, there are likely many more of these bugs to be found as humans invent ingenious ways of doing things no one else thought would be tried, but at least with OSS you can look around!)
I think that over the last 13 years, the bitmap vulnerability was the worst, by far ... remember, Windows gets 0wned by displaying the contents of a folder - that is simply the proof that Windows is just one big sieve - it is simply not possible on *nix.
I keep saying but "The World Won't Listen" ...
Besides, to the other numpty above saying that Microsoft patches quicker ... I beg to disagree. The Bash vulnerability was made public before patches could be provided; however, as soon as the devs had committed their code, anybody could have used a subversion/git/cvs (select appropriate) client to get the sources and patch - nothing beats that. And you know what, if MS decides that patch x will be released on Patch Tuesday and not immediately, you're toast. In the open-source world, if you think you need to patch, you patch when YOU want (provided the patch has been committed). Of course, you can also wait until the distribution provides the patch (akin to MS customers); however, you do not have to ...
Besides, no 3/6/9/15 or whatever reboots required, except for a select few packages - certainly NOT for userland stuff, and never for browser, productivity suites, calculator, clock.exe
But that is OK, I understand you feel like "Half A Person" and I feel for you...
Besides, no 3/6/9/15 or whatever reboots required, except for a select few packages - certainly NOT for userland stuff, and never for browser, productivity suites, calculator, clock.exe
Actually, it's never more than one reboot IME (several distros over the years), and no 40+minute shutdown followed by a 40+minute start to do them.
WTF is up with 7 atm? We've had a number of customers complaining about massively long shutdown and restart times while updates are done, day after day after day (have seen one 7 machine that has done over 100 updates (many "important") in the 24 hrs it's been here - and the customer has automatic updates fully on!). While I'm in mini-rant mode... why the hell do updates stop to wait for further confirmation that you want to continue, like stopping part way with a "Do you really want to update this program?" when I already selected the update?
'Bout time MS learned something about usability of computers. Still, their updates are helping win people over to the Blessed Light Side :)
Love the Linux world. Updates all done in the background. At most one reboot, only if critical core stuff is updated. No slow shutdown or startup.
>>Just installed yesterday security fixes for file, libgcrypt11 and nss in Debian... the problem is not in Windows only, it looks...
Equating every vulnerability with every other vulnerability is fair play, I am sure.
As is comparing the complete plethora of all possible software from various sources, a 50+ gig behemoth Debian pan-distribution, with the very thin number of isolated software pieces MS barely manages ...
However, we can take that, perhaps though it's just the time to get a Debian Tax instituted instead of the good ol' MS Tax you have to still pay nowadays?
"After all of these years of Windows OS releases, almost every Patch Tuesday for the last 10+(?) years, how can (new) remote code execution / privilege elevation exploits still be happening?"
Presumably in the same way that critical remotely exploitable vulnerabilities existed in Bash for the last 18 years...
Microsoft invented the culture of buggy software. "Oh we'll fix that next patch time".
Windows users get excited when they hear the announcement of their new Windows OS "service pack".
I am surprised that Microsoft have not been sued out of existence, as they knowingly sell faulty software.
Perhaps they should have really got rid of the NT kernel/FS after XP, but they probably didn't bother because it was too expensive (sic) to develop.
This is going to make using Windows Phone fun! I've just blown my data allowance on yet another total rewrite of my phone's OS from MS.
Windows sucks; patch day proves it again and again and again and again and again and again etc...
Then the problem is your lack of connectivity and your data plan limit - not the patch size.
Actually No!
I point you at Microsoft's own minimum system requirements for Windows 8, say <http://windows.microsoft.com/en-GB/windows-8/system-requirements>, which only note "Internet access (ISP fees might apply)" under "Additional requirements to use certain features", but fail to give any sizing information for Windows Update. This can only be a major oversight by MS, given that back in the late 90s there was a design edict to the effect that MS's websites must be usable over a 28.8 kbps dial-up, because of the wide variation in connection speeds its customers were achieving.
Only when MS specify a minimum Internet service level can it be claimed that the problem is the end user's.