
(Computerworld)   Microsoft's Rapid-Response Coding team springs into action with today's bug fix to correct a couple of security holes that have been there for 22 and 84 months. But they've "never been exploited"   (computerworld.com)
    More: Unlikely  

950 clicks; posted to Geek » on 11 Nov 2008 at 9:09 PM (5 years ago)



29 Comments
   

Archived thread
 
2008-11-11 08:37:36 PM
Just because a hole exists, doesn't mean it gets exploited.

My arse has been around for longer than these, and has never been penetrated by an outsider.

QED.
 
2008-11-11 09:15:12 PM
Done in one? But not in two?
 
2008-11-11 09:17:12 PM
VISTA SUCKS THREAD!
 
2008-11-11 09:18:11 PM
6 important at a total of 9.6MB
/Vista Ultimate
 
2008-11-11 09:19:39 PM
drjekel_mrhyde: 6 important at a total of 9.6MB
/Vista Ultimate


1 was for some hole in SP2 but Vista has no SP2 weird
 
2008-11-11 09:30:46 PM
drjekel_mrhyde: drjekel_mrhyde: 6 important at a total of 9.6MB
/Vista Ultimate

1 was for some hole in SP2 but Vista has no SP2 weird


Could be a common issue and patch for Vista and XP SP2
 
2008-11-11 09:31:19 PM
here is a pic
Link (new window)
click on the pic to make it bigger
 
2008-11-11 09:32:33 PM
"rapid" is such a relative term.
 
2008-11-11 09:32:44 PM
the_sidewinder: drjekel_mrhyde: drjekel_mrhyde: 6 important at a total of 9.6MB
/Vista Ultimate

1 was for some hole in SP2 but Vista has no SP2 weird

Could be a common issue and patch for Vista and XP SP2


ok thanks for letting me know that
 
2008-11-11 09:32:55 PM
it looks like that bake sale worked.

mac users can go eat a bowl of discs
 
2008-11-11 09:47:57 PM
And-1: Just because a hole exists, doesn't mean it gets exploited.

My arse has been around for longer than these, and has never been penetrated by an outsider.

QED.


Define 'outsider' please.
 
2008-11-11 09:51:33 PM
And-1: Just because a hole exists, doesn't mean it gets exploited.

My arse has been around for longer than these, and has never been penetrated by an outsider.

QED.


The second page of the article describes the long-standing hole involving SMB authentication. Specifically, through use of a tool called SMBRelay. According to Sir Dystic, who wrote SMBRelay, "The problem is that from a marketing standpoint, Microsoft wants their products to have as much backward compatibility as possible; but by continuing to use protocols that have known issues, they continue to leave their customers at risk to exploitation... These are, yet again, known issues that have existed since day one of this protocol. This is not a bug but a fundamental design flaw. To assume that nobody has used this method to exploit people is silly; it took me less than two weeks to write SMBRelay."
 
2008-11-11 09:53:33 PM
Somebody needs to post the picture from Ghostbusters of the Titanic arriving... "Better late than never."
 
2008-11-11 10:29:30 PM
And-1 [TotalFark] 2008-11-11 08:37:36 PM
Just because a hole exists, doesn't mean it gets exploited.

My arse has been around for longer than these, and has never been penetrated by an outsider.


What about ... family?
 
2008-11-11 10:38:50 PM
RunGMC: The second page of the article describes the long-standing hole involving SMB authentication. Specifically, through use of a tool called SMBRelay. According to Sir Dystic, who wrote SMBRelay, "The problem is that from a marketing standpoint, Microsoft wants their products to have as much backward compatibility as possible; but by continuing to use protocols that have known issues, they continue to leave their customers at risk to exploitation... These are, yet again, known issues that have existed since day one of this protocol. This is not a bug but a fundamental design flaw. To assume that nobody has used this method to exploit people is silly; it took me less than two weeks to write SMBRelay."

If you are trying to get into my arse, you are really going to have to try harder than that.

/I am tempted though.
 
2008-11-11 11:32:54 PM
84 months? Forgive me if I'm skeptical...
/Aren't we like at least two full kernel builds different from 2000?
 
2008-11-11 11:51:40 PM
And-1:
If you are trying to get into my arse, you are really going to have to try harder than that.

/I am tempted though.


Coquettish buttsecks sounds so hot. Is that brown eye winking?

/I keed
//Microsoft, buttsecks, all the same thing
 
2008-11-12 12:55:22 AM
Barakku: 84 months? Forgive me if I'm skeptical...
/Aren't we like at least two full kernel builds different from 2000?


Reminds me of that story a few months ago where someone found an issue with how Mac OS X handles log-in passwords that possibly went all the way back to NeXTSTEP.
 
2008-11-12 01:02:34 AM
Just whipped this one up
i33.tinypic.com
 
2008-11-12 01:21:44 AM
musashi1600: Barakku: 84 months? Forgive me if I'm skeptical...
/Aren't we like at least two full kernel builds different from 2000?

Reminds me of that story a few months ago where someone found an issue with how Mac OS X handles log-in passwords that possibly went all the way back to NeXTSTEP.


Guess it goes to show as long as no one finds it they don't really have much motivation to fix it. I did notice all of a sudden 18 megs of (mostly) important updates in one DAY and was like "what, did they wait to release this shiat?" I usually get just the Windows Defender definitions...
 
2008-11-12 02:18:09 AM
drjekel_mrhyde: Just whipped this one up

Funny pic, but full of fail; unlike most BSODs, most KPs come from hardware issues.
 
2008-11-12 03:25:37 AM
And-1: Just because a hole exists, doesn't mean it gets exploited.

My arse has been around for longer than these, and has never been penetrated by an outsider.

QED.


i39.photobucket.com

/Better late than never
//Right?!
 
2008-11-12 03:43:11 AM
Walt_Jizzney: drjekel_mrhyde: Just whipped this one up

Funny pic, but full of fail; unlike most BSODs, most KPs come from hardware issues.


FAIL

BSODS means there is something wrong with the hardware...you call them kernel panics in OSX and Linux.

Try reading the error msgs; they always say what went wrong, just some of them are a bit more cryptic.
 
2008-11-12 12:01:08 PM
So. Some guy discovers an obscure bug that no one has noticed previously. It's only exploitable if someone knows it is there, and he's the only one.

He says "Crap, how long has this obscure, but potential problem been here"

He looks at the source history, and sees it was from 7 years ago. Fortunately it isn't one that has ever caused any problems - but he decides it should be fixed anyway.

As he is part of a rapid response team, he fixes it immediately, and releases a patch.

I'm not sure I see the problem.

I'm a software engineer. If I see a bug from code that has been around forever, I'll often fix it too.
 
2008-11-12 12:59:51 PM
mtylerjr: I'm a software engineer. If I see a bug from code that has been around forever, I'll often fix it too.

Right. "Days of Risk" is defined as days between public disclosure of the vulnerability and the patch becoming available. It doesn't mean someone didn't know about the vulnerability long before and keep it secret, but it's unlikely it was being actively exploited in large numbers for, say, seven years without MS noticing.

Or, to put it another way, if you're a bad guy and you use a 0day to own a lot of machines, someone's going to notice.

Also, I'm not sure what "Rapid-Response Coding team" means. I'm guessing subby doesn't know what MSRC stands for.
 
2008-11-12 08:38:58 PM
KrispyKringle: Also, I'm not sure what "Rapid-Response Coding team" means.

I'm just guessing here, but I suspect it's people who have the knowledge and access to the source code of Microsoft products needed to rapidly address critical security issues and write patches in a short period of time.
 
2008-11-13 05:17:15 AM
Walt_Jizzney: unlike most BSODs, most KPs come from hardware issues.

i34.tinypic.com
 
2008-11-13 11:16:07 PM
Yankees Team Gynecologist: Walt_Jizzney: unlike most BSODs, most KPs come from hardware issues.

You guys obviously don't work on macs. Most KPS can be traced to hardware issues that perhaps then trigger software issues.

I'll bet you dimes to dollars that there were hardware issues with the mac that they used for the Phone display.
 
2008-11-14 12:07:30 AM
Walt_Jizzney: You guys obviously don't work on macs. Most KPS can be traced to hardware issues that perhaps then trigger software issues.

I'll bet you dimes to dollars that there were hardware issues with the mac that they used for the Phone display.


You've obviously never touched a Windows machine, and if you have you've never had a BSOD, not even once.

I don't disagree that KPs are caused mostly, if not entirely, by hardware issues. Read your post again and try again at locating the flawed part of your statement. Go on, put your tiny fanboy brain into overdrive. It'll only hurt a little bit.
 
Displayed 29 of 29 comments



This thread is closed to new comments.
