digg

Facebook Connect Join Digg About

How does Microsoft explain seven-year patch delay?

news.cnet.com The software giant says that fixing the flaw earlier would have broken customer network applications.

Who dugg this? Made popular Nov 15, 2008

Digg DudeWhat is Digg?

Digg is a place for people to discover and share content from anywhere on the web. Digg surfaces the best stuff as submitted and voted on by the community. Take the Tour to learn more.

138 Comments

show profanity settings
expand all
  • Topher06, on 11/14/2008, -14/+69I think most people missed the point that while there may have been a flaw for 7 years, obviously it wasn't a big deal.
  • gcnaddict, on 11/15/2008, -4/+50"WTF. This is why I bought a Mac."

    No, this isn't.
  • gcnaddict, on 11/15/2008, -6/+35I hope you guys read the article:

    "When this issue was first raised back in 2001, we said that we could not make changes to address this issue without negatively impacting network-based applications," wrote Budd. "And, to be clear, the impact would have been to render many (or nearly all) customers' network-based applications then inoperable."

    That's a pretty good reason not to fix a hole no one exploited until *this year*. Fixing it would've brought ridiculously bad publicity to Microsoft back then because of the sheer number of apps which would've been broken as a result.

    Here's what an attacker would have to deal with to exploit this (thanks, metasploit):
    "First, the victim must have ports 139 or 445 open and accessible to the attacker. Second, the victim's user account must have administrative access to their own machine. Third, if the victim's OS is Windows XP or 2003, they must have a password set for their account. Fourth, if the machine is XP, the system must be configured to allow remote network logins as the specified user and not Guest (the default). The exploitable setting becomes the default when the machine joins a Windows domain. Fifth, the user must have access to write to ADMIN$ and permissions to create and start Windows services. While most administrative accounts have these rights, domain policies can come into play. Finally, if SMB signing is configured as mandatory, this attack won't work because the signature will fail."
  • aimhelix, on 11/14/2008, -14/+29How often was this exploited for and how much damage has this flaw caused?
  • smotpoker, on 11/15/2008, -9/+23It's not exactly to tell. Most people just accept that they have to wipe and start over periodically because of viruses and malware. They have been indoctrinated to believe that it's natural for computers to sometimes randomly get an unfixable problem that may or may not be fully resolved by starting from scratch.

    What % of users that you know bother finding out how they were infected or determining whether they even are infected when their computer starts acting funky or causing random errors? They just blame it on the kids (or one of those things that "just happens") and reinstall. In fact, there are probably a fair amount of infections that are attributed hardware malfunctions as well due to unscrupulous repair shops that, surprisingly enough, are willing to lie to make some sales.
  • olafcore, on 11/15/2008, -0/+131337
  • ArthurSucks, on 11/15/2008, -4/+17I can, maybe YOU can't.
  • temsi, on 11/15/2008, -1/+12Time for a hip replacement.
  • olafcore, on 11/15/2008, -9/+19You bought a Mac because there was an exploit seven years ago that you didn't know about that just got patched? What?
  • akchrs, on 11/15/2008, -8/+18How does Microsoft explain seven-year patch delay? With bitter sweet irony.
  • gcnaddict, on 11/15/2008, -6/+16You can right click in Mac. However, the fact that it takes two hands to do it without tweaking some settings or buying a two-button mouse is retarded.
  • JonForTheWin, on 11/15/2008, -4/+13Zoshu still has the issue where he can't right click on a Mac. The rest of the world continues on without him.
  • fugazied, on 11/15/2008, -1/+10if you know how to secure it. After installing your firewall, virus checker, spyware scanner and registry protector it is kinda secure.
  • inactive, on 11/15/2008, -0/+9I'm going to go out on a limb here, and say that you didn't graduate at the top of your systems engineering class.
  • diemunkiesdie, on 11/15/2008, -4/+13I'm a little confused how an attacker would be able to exploit this. Would they have to be on your internal network? Does having a good firewall protect you? The detail on this are a little scant.
    Edit:
    "For the attack to work, a victim could be sent a malicious e-mail message that, when opened, would try to connect to a server run by the attacker. That machine would then steal network authentication credentials from the victim, which could then be used to gain access to the victim's machine.

    This type of attack would be blocked by a firewall, so a hacker would have to already be on a computer within the network in order to launch the SMB relay. Microsoft rates the flaw as "important" for Windows XP, 2000 and Server 2003 users, and as "moderate" for Vista and Server 2008."
    Source: http://www.pcworld.com/article/153719/.html?tk=rss ...

    In other words, I don't need to be in a rush to apply this patch. The likelihood of someone breaking into my home network and using this attack against me is pretty slim. Corporate networks, on the other hand, should get this patch in place ASAP!
  • HornyHeathen, on 11/15/2008, -6/+15Apple takes 5 months to secure OS X Java
    http://www.tectonic.co.za/index.php?page_id=2754&b ...
  • inactive, on 11/15/2008, -0/+9Wait, I thought you said the OS was secure?
  • Shirleycakes, on 11/15/2008, -2/+11...holy *****, 1337? Seriously? What year is it?
  • gcnaddict, on 11/15/2008, -6/+14They were. That's why your apps still work on Vista.
  • mycoplasma, on 11/15/2008, -3/+10@brainnovate: No it isn't. You probably didn't even know about this until today.
  • jamesmcm, on 11/15/2008, -0/+7It was an error in random number generation or creating secure key. It was still rather difficult to crack the keys and you had to be on an affected system. Then after cracking the key, in order to connect to your machine you have to be forwarding the ssh port with no firewall/security (and hosting an ssh server). So it was nowhere near as severe a problem.
  • smotpoker, on 11/15/2008, -1/+7"This type of attack would be blocked by a firewall, so a hacker would have to already be on a computer within the network in order to launch the SMB relay"

    Sounds to me they are asserting they would need local access *if* you are running a firewall. Otherwise... good thing no one who uses windows disables their firewall!
  • iridesce, on 11/15/2008, -9/+15And people wonder why the linux users look at the microsoft users and just sigh ...
  • gcnaddict, on 11/15/2008, -1/+7@Junior612: "Apple didn't make Java."

    http://www.daniweb.com/blogs/entry3247.html

    "Apple has known that its Java implementation has been, quite frankly, screwed since way back when. At least since April, because that is when Sun Microsystems started shipping security updates that fixed the flaws it had uncovered. Fast forward through the summer and, at long last, Apple has finally managed to sort out the problems with its own version of Java and announce updates to plug at least two dozen security holes in the OS X versions."
  • inactive, on 11/15/2008, -2/+7well it beats waiting 8 years.. is probably how they explained it
  • threemagic, on 11/15/2008, -12/+17"stupid moron"? Just the fact you said that shows your brilliance...

    Linux servers dominate the web. Why is that important? Well they are everywhere and are open to the world, they are easy to find. Yet....they don't have the same problems as MS. OS X is based off BSD...in other words, they aren't obscure. So there is NO such thing as security by obscurity.

    Now, don't spout garbage yourself. Repeating a myth is just ridiculous.
  • Clbull, on 11/15/2008, -10/+15Apple didn't take 7 years to fix a pretty noticeable vulnerability
  • Clbull, on 11/15/2008, -2/+7Buried, because I never remember there being a "Year of the Linux Desktop" in the past
  • gcnaddict, on 11/15/2008, -6/+11"Apple has about 8% market share. There are hundreds of thousands of viruses in the wild for windows, and none for mac. You can't put that all on "security through obscurity"."

    Yes you can. It's not worthwhile to create a virus that affects both platforms yet; the sheer number of Windows systems online is enough to make building a Windows-only worm much more cost-effective than building a double-headed worm just to infect 8~% more computers.

    Simple cost benefit analysis:
    A) Spend two days writing a virus which affects 90~% of all client computers
    B) Spend two days writing a virus which affects 8~% of all client computers
    C) Spend three days writing a virus which affects 98% of all client computers

    Which would yield more for the profit-minded black hat?
  • 4321234, on 11/15/2008, -1/+5I found the fix for that;
    Solution:
    Apply updated packages.
    Looks like auto updates took care of that.



  • jamesmcm, on 11/15/2008, -0/+4The new mice have a right-click although it's a bit frustrating since you have to not be resting your finger on the left lick or the touch sensitivity buggers up. But you can treat it like a normal mouse - you clearly haven't used a mac in the last 5 years.
  • bcassner, on 11/15/2008, -1/+5Release the patch now with a doomsday description. Goal - scare people into buying an upgrade to Vista. Money in the bank.
  • gcnaddict, on 11/15/2008, -4/+8It's funny because Java is far more accessible by an attacker than this SMB Auth flaw.

    However, your URL is a waste of time. This (linked within) is more useful:
    http://www.daniweb.com/blogs/entry3247.html
  • Wang, on 11/15/2008, -2/+6Apple is just as bad, plenty of serious vulnerabilities have been brought to their attention and it's also taken then years to put out a fix. Sometimes there are good reasons why Apple and Microsoft take their time to release patches (often there are wider ramifications that need to be considered) but to take longer than a year is pushing it...
  • tnoy, on 11/15/2008, -1/+5It describes 0% of the machines where I work, and we have a rather large Windows network.
  • gcnaddict, on 11/15/2008, -2/+5You've got worse problems if your employees are accessing resources on boxes not part of the domain.

    You've got even worse problems if the users on the domain have unnecessary admin access, as listed as a pre-req in the metasploit post I clearly quoted:
    "Second, the victim's user account must have administrative access to their own machine."
    as well as:
    "Fifth, the user must have access to write to ADMIN$ and permissions to create and start Windows services."

    I don't believe there's more than a few business networks per million which have both of those conditions.
  • JonForTheWin, on 11/15/2008, -6/+9You just described 95% of all windows machines in a business environment.
  • admiral101, on 11/15/2008, -9/+12Windows - 7 years after a flaw is exploited to patch
    Linux - patched before it gets exploited
  • JonForTheWin, on 11/15/2008, -2/+5>They can't fix it completely without breaking a slew of applications,

    Which is indicative to something seriously wrong with their system architecture.
  • FKnight, on 11/15/2008, -0/+3You're a liar.
  • smotpoker, on 11/15/2008, -2/+5Astonishing! It took an entire FIVE DAYS BEFORE the vulnerability was reported to find and fix it in the kernel and almost two months to fix it in samba! Why can't they neglect their users for 7 years like MS? That seems to be a very effective marketing strategy.

    http://kernel.org/pub/linux/kernel/v2.6/ChangeLog- ...
    http://lists.samba.org/archive/samba-technical/200 ...
  • inactive, on 11/15/2008, -5/+8Remember that article about the firefox exploit that was posted two days ago? The very second I opened that article, my Fedora update manager alerted me of a new firefox update. Fedora's not an enterprise distro, nor do I get paid support, yet somehow, the small community of computer enthusiasts who maintain Fedora do a much more competent job at fixing flaws in some third-party software than Microsoft does at fixing flaws in their own system services. Sad, really.
  • rdoger6424, on 11/15/2008, -1/+4get a hand doctor. You may have tendonitis in your middle finger.
  • MicrosoftBob, on 11/15/2008, -1/+4Or do you have a Microsoft book in your hip?
  • tnoy, on 11/15/2008, -1/+3That got a chuckle out of me.

    Though, I am rather drunk, so it might not be funny at all.
  • FKnight, on 11/15/2008, -0/+2Just so everyone knows what gcnaddict just said, I'll translate:

    "It's retarded that you can't press the second mouse button without buying a mouse with a second button"

  • bipolarruledout, on 11/15/2008, -0/+2Always good to see everyone be completely unreasonable to dig each other down repeatedly.
  • DigitAl56K, on 11/15/2008, -1/+3"First, the victim must have ports 139 or 445 open and accessible to the attacker."

    I think the number of machines in a business environment whose ports, any ports, can be accessed by an attacker from the Internet must be very close to zero simply by virtue of corporate routers.

    Certainly if someone from the Internet was sending netbios datagrams to machines on my internal network there would be an administrator explaining why he should be allowed to keep his job.
  • DemDude, on 11/15/2008, -0/+2So... you haven't ever used Vista.

    Vista-bashing has stopped being cool when Vista was released and turned out to be a pretty decent OS.
  • Fetching more discussions...
    Show 51 - 100 of 144 discussions

  • Add a Comment

    Login or register to comment!
    Or, sign-in super fast with your Facebook account ...


© Digg Inc. 2009 — Content created and posted by Digg users is dedicated to the public domain | Terms of Use Updated | Privacy Policy
DIGG, DIGG IT, DUGG, DIGG THIS, Digg graphics, logos, designs, page headers, button icons, scripts, and other service names are the trademarks of Digg Inc.