How does someone write code that can be subject to a buffer overrun hack?!? I can't imagine receiving a stream of data from an external source and not prefixing the stream with an exact byte count, allocating a buffer big enough to hold the stream, and then only grabbing as many bytes as you have room for. It's remarkable the number of these types of bugs I've heard about. Silly coders. Really, how does this happen?

yeah!

/whatever he said.

Wow, 2 comments and not a single 'OMFG M$ sI TEH SUX0R!!1!1 ROFLOL' post.

OpusSoup: Easy. People are taught how to use strcpy. No one is taught strncpy in school.

This always pisses me off. The reason why so many flaws are identified in Microsoft OSs is that they are the ones targeted by hackers. If Red Hat or Lindows was subject to the same level of malicious scrutiny as Microsoft's systems are, there would be just as many holes discovered. However, if these holes were found, there would be NO organized system of recourse to address the security concerns. It amazes me that people actually FAULT Microsoft for sending out security patches every time some criminal finds a way to exploit the OSs. We should be grateful that MSFT is willing to keep trying to make Windows a more secure system.

/end rant.

Consider the following:

Pizza.EXE:

1) Obtain the following ingredients:
2) Dough
3) Tomato Sauce
4) Cheese
5) Knead the dough until it's nice and fluffy.
6) Yadda, yadda...

OK, in the above, #1 and #5 are instructions, #2-4 are data. Number four takes up six spaces until the next instruction. Now we update our data - the ingredients list - and let's say we downloaded...

4) CheeseAnd then kiss your cat

...in the space of #4. Because the computer/language/OS didn't check to make sure that the new #4 didn't take up only six spaces, the new instruction in space #5 is now "And then kiss your cat" - ie, the data overlays the valid instruction, and the bogus instructions get executed. So instead of pizza you get catfood-breath.

Well, that's how I understand it, anyway.

Now maybe those bastages at Microsoft will stop telling Polish jokes. Eh, they probably tell "Apple user" jokes, actually.

"Polish hackers discover (today's) critical Windows flaw"

So I assume these guys stumbled across Microsoft's Headquarters then.

Or is that Everyday's critical windows flaw, not just todays.

ANOTHER overflow exploit? Geez.

OMG ROFL H4x0r3D bY p0l35!@!!1111

^ wast just about to do that.

cscx

Just for you;

'OMFG M$ sI TEH SUX0R!!1!1 ROFLOL'

cscx: OMFG M$ IS TEH SUX0R!!!!111!11!! ROFLMFAO!!!!1!1!

Beorn: MS is just publizied more. If you follow Security Focus's Bugtraq you'll find security vunrabilities all over the place regardless of platform. Just recently I delt with an issue in GnuPG (crypto package) -- while not related to the core OS itself, it was a local exploit nonetheless. The point? Software has bugs. *shock* Just some draw the attention of the mainstream press due to their bad track record.

I find it amazing that they find all these bugs yet I havent patched my windows xp at all since i got it and i've never been hacked or had any trouble with it. Lets face it: these 'vulnerabilities' aren't near as bad as the media makes them out to be. Add to that the odds of you getting hacked are 1 and 1,000,000.

In other news: http://www.theregister.co.uk/content/4/31778.html

Yes, the rich, who've had a history of repressing poor men's liberties finally get their day in the sun. Bill Gates, the world's richest man is teaming up to secure the United States. Ben Franklin is unavailable for comment.

If only there were some way to write a well... let's call it a class of objects. And this 'class' could be used to make all sorts of things similar to it... we could call them subclasses. That sure would be spiffy!

Then they could write just one really safe goddam buffer class and make everybody in the OS use it. If they used memcpy they'rd be fired!

Too bad they don't have any way to make one these "class" things.

doctechnical:

Best. Analogy. Ever.

Once upon a time, a LONG LONG time ago when I was training to be an MCT, my tutor was a real geek.

He mentioned something about the RPC thing. It's still pretty much beyond me, I'm an admin, not a programmer.

The 2nd guy I had who was even more dorky (he taught SMS and SNA, for example) said there were tons of ways to fake credentials to access Windows.

It's just a design thing I guess. At least MS fixes them. It doesn't excuse sloppy code or poor architechture, but they at least care.

xen0blue: Two things:

You rarely notice if you have been comprimised. Think in the same lines of having a virus without an AV scanner.
Most exploits are done by teenage script kiddie farkheads that think they're cool but have just enough technical understanding to install Quake III.

So yes and no; there's some overhype by the media (Suprise!), and there's some truth...

Another flaw?

How do you tell where the flaws sto and the operating stsem begins?

oh, if only there was a way to break this monopoly, an alternative, a FREE platform on which to run my PC...oh, woe is me...

I suppose I'm living in a fantasy world.

Obey Big Bill/Big Blue/Big Brother!

/coughlinuxcough...

The "good news/bad news" status update on the main page immediately made me think of The Simpsons...

Old Man: "Take this object, but beware! It carries a terrible curse..."
Homer: "Ooh, that's bad!"
Old Man: "...but it comes with a free frogurt..."
Homer: "That's good!"
Old Man: "...the frogurt is also cursed..."
Homer: "That's bad!"
Old Man: "...but you get your choice of topping..."
Homer: "That's good!"
Old Man: "The toppings contain potassium benzoate..."
[Silence]
Old Man: "That's bad!"
Homer: "Can I go now?"

Don't ask why. Anyways, hope you guys are making good progress.

WalkingCarpet: Good call! I enjoy playing both games.

xen0blue: the odds of you getting hacked are 1 and 1,000,000.

The odds of you getting hacked while using a Macintosh: 1/infinity

Seriously, Microsoft must be standing on their toilets if they waited this long to discover such a major flaw. Makes me sick. I want to go use my G3 now.

They found a flaw that affects very MS OS except Windows ME? You're telling me Windows ME is good for at least one thing?

Ha ha! I have ME! Kneel before he who is immune to the hackers!

I am a dual-user as well...at work, I use XP Professional and I can't wait to get home and bathe in the love that is Mac OS X.

The irony is I am a programmer in all things Microsoft. ASP, Visual Basic, SQL Server, etc. Once I went Mac, I couldn't go back. I have expelled all Winblows machines from my home.

My TiBook is like a member of the family...

This is Fark, and no Polish jokes yet? Wow...

rel-yo, I certainly don't intend to offend you but Windows ME is the shiatiest OS ever. Please, upgrade to 2000 or XP as soon as possible.

In fact, what's your address, I'll snail mail you a copy of XP.

With the vast numbers of hackers targeting Microsoft OS's there will ALWAYS be a hole. The question is will MS continue with the Security Updates fast enough for end users to be protected?

There's holes in Windows
There's holes in Linux/Unix
There's holes in Macintosh - but who in their right mind whould WANT to?

This ones for you Diabolik-

Q- Why dont polish women use vibrators
A- it chips their teeth

xen0blue:

Our servers have been hit 3 times because our lazy system admin was always late to patch. Yes we are running on Windows 2000 servers. So, desktop users like you may not experience this shiat, but ISP's and ASP's take the most of the crap. So media is actually NOT hyping it. It is real and it is out there.

gotta love it when the cult of apple chimes in.

If Apple offered a significant bounty for finding exploitable bugs in their software, I bet a ton of them would be discovered in no time.

Also, having dialup helps your security (yes, it's true). Especially if they're looking for DOS rooted boxes. So broadband IP's become bigger targets than dialup.

JoelKatz, no one is disputing that but the fact is that will never be the case unless some dramatic shift in the market comes about, which will not happen.

So Mac users can gloat about this if they like, because it is fact.

Quote: The software giant issued a patch Wednesday morning to plug a critical security hole that could allow an attacker to take control of computers running any version of Windows EXCEPT FOR WINDOWS ME.

Wow, everything except ME sucks. Where are those flying pigs?

So Macs don't suck so long as nobody uses them (discounting the whole "them being horribly overpriced" issue), but as soon as anybody does then they suck as hard as Windows machines? Well I'm persuaded!

Woohoo, 200 machines to update in the morning. Tommorow is going to be one heck of a day.

Yup, there're holes in Linux too. . . . Of course, what with the source code open and available to the general public, we have thousands of people working on patching those holes every day.

Of course, thanks to Windows, 90% of you readers don't have a clue what's running on your computer right now.

Remember DOS? Back then I could print a directory listing of every file on my system and tell you exactly what each file did. On a properly-built Unix system, the same thing applies, if you pay careful enough attention and have some Unix experience. But Windows? Who-the-fark knows. Apparently, crackers do.

I use Windows 3.1

It's the best one there is!

See, this is why everyone should throw their computers in the dumpster and install Linux on their Sega Dreamcast. It's the only way to compute. :P

srwap that was my thought......finally WinME is good for something.i guess what ever makes it immune is what is making it unstable lol

Beorn, don't make me laugh!

Microsoft has always, and will always care about one thing: Profit.

They rush their OS's out as quickly as possible in order to beat out any competition without any due regard to security or even stability.

UNIX has bugs too, but NO WHERE NEAR AS HUGE as the windows bugs.

I don't blame the programmers. They are rushed by management (and anyone whose ever read Dilbert knows what I'm talking about!) to hurry up. 99% of managers dont know squat.

Seriously people, Microsoft is the biggest monopoly on Earth. Why the fark can't they do something right?

2003-07-16 08:51:43 PM Beorn
If Red Hat or Lindows was subject to the same level of malicious scrutiny as Microsoft's systems are, there would be just as many holes discovered. However, if these holes were found, there would be NO organized system of recourse to address the security concerns.

The biggest hole found on the Linux platform, in recent memory, was the Apache mod_SSL exploit. It was first reported to the Apache list on Saturday September 14, 2002 at 14:03:01. Apache released an initial fix to the development community at 14:37:15 the same day. The patch was immediately tested, reported safe by the majority of the developers and the public release was made at 14:51:08. Damn, I guess you are right they really do need an organized system to address their security concerns because that kind of response is just ridiculous. Unless they can slow things down so it takes them 30-90 days to release a patch for a critical problem, like Microsoft, they'll never be ready for the enterprise.

First, let me say that I'm shocked, no, shocked, that something like this was discovered. Then...

If Red Hat or Lindows was subject to the same level of malicious scrutiny as Microsoft's systems are, there would be just as many holes discovered. However, if these holes were found, there would be NO organized system of recourse to address the security concerns.

Actually, the info would be posted in a forum dedicated to Linux bugs. Then, since everyone who runs Linux has access to the Linux code, the fix would be made available far more quickly than with MS, and everyone could fix their own systems instead of waiting for another MS patch.

Add in the fact that MS has a long history of denying a vulnerability in their OSes when security experts (*cough* hackers *cough*) contact them privately, and then only fess up to the problem when the experts go public with it, only to get chastised by MS for not working with them to resolve the problem.

Yes, I can see where it would be logical to defend MS and try to slam Linux.

/running Win2k with a firewall, so I'm not even a Linux geek

Yawn. Once in a few months, with patches, I can live with. Luckily my Windows machine just updated itself and I rebooted and all was well.

Sorry, folks, but this is nothing like the 2-10 security problem/fix reports I get from RedHat *every single day.*

MegaDethHead...

Putt's Law:
Technology is dominated by two types of people: those who understand what they do not manage, and those who manage what they do not understand.