Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
Windows Operating Systems Software

Latest SP2 News 483

Xformer writes "It seems that SP2 for Windows XP isn't as secure as Microsoft touts it to be. Heise Security has uncovered two flaws in SP2's bolstered security measures, both of which may be used to get around the new trusted/untrusted executable origin checks. Of course, who would be surprised by this?" Reader EtherNetFreak writes "Well it appears that at least one hotfix is already available to fix yet another bug in Windows XP, post SP2 application." Reader Finalnight writes "'Microsoft Corp. yesterday delayed yet again its oft-delayed Windows XP Service Pack 2, this time postponing the patch's distribution through the company's Automatic Update service.'"
This discussion has been archived. No new comments can be posted.

Latest SP2 News

Comments Filter:
  • sp2 (Score:2, Funny)

    by zxflash ( 773348 )
    SP2 for Windows XP isn't as secure as Microsoft touts it to be you just blew my mind :)
    • by beh ( 4759 ) * on Wednesday August 18, 2004 @04:47AM (#9999051)

      Yes, I couldn't suppress a first smirk upon seeing this article. But then again, there are two major reasons we shouldn't be laughing too much about this:

      a) While uncertainty about Micro$oft brings some more people to Linux (which is touted to be more secure, but then again - it can just as well be penetrated by hackers), it also turns people away from using the Internet because they get too scared of what's going on there. The latter are mostly elderly people, but nevertheless - even they should be free to use the Internet, something which a number of them dread now because they feel their privacy (through spyware) and/or financial background (due to phish scams) may be at risk. And this is not a good thing.

      b) Staying still, laughing about Micro$ofts misfortune here has to more immediate effects: (a) it will spurn M$ developers even more to deliver better software - and (b) has Linux people potentially stay back and enjoy M$'s misfortune (and hence giving M$ more time to catch up, security-wise, that is). Do you want to sit at the "other" end of the story in a year or two - once M$ has sorted out most of its security issues, while linux might be more and more negligent of these issues (because everyone "knows" that it's Windows that's insecure).

      Personally, I've had some of my machines broken into about 2 years ago - and that was out of negligence (thinking Linux would be safe enough on its own). In the end, it probably was just a couple of script-kiddies breaking into the box to install - of all things - an IRC proxy/cache/logger on the machine. I don't know how the originally got into the machine, as I am not even quite sure WHEN it happened. But it went far enough that they even replaced the system's own ps/netstat/... to make sure those wouldn't display the "wrong" processes. I only noticed a problem when I inadvertently stumbled across it...

      Since that time, I've done some more work trying to secure the box as far as (with MY knowledge) possible - but I'll no longer think my machines are inherently better than a M$ server might be. M$ *will* catch up - and they DO have the money they need to fix these kinds of problems.

      The question is - do WE have the idealism to hunt down every single bug? (M$ people don't need the idealism for it - they get well PAID to do it).
      • Or one of the BSD's at least? Not sure as I don't use it.

        Anyway linux isn't anymore secure or insecure then windows. It is just that most linux users got a tiny bit of a clue. But a cluefull person could also be able to setup a secure windows machine.

        I keep waiting for MS to be really smart and adopt a more gentoo like approach to new windows installations. A very real problem is that a new "legal" installation is unpacthced and will not survive long enough to download patches. But this is only because MS

  • by Novanix ( 656269 ) * on Wednesday August 18, 2004 @02:58AM (#9998684) Homepage
    These "flaws" are not really that big of a deal. The idea of warning is so that files are not run afterwards by mistake. They give an exploit in which someone opens cmd.exe, then drags the file into it. Well if the user will follow along and execute some command they suggest, then things are already out the window. In addition the other exploit talks about overwriting a current file and it not showing a warning, once again if they can get you to overwrite a file on your hard drive with their file then you are already gone.
    • by asciono ( 220392 ) on Wednesday August 18, 2004 @03:11AM (#9998737)
      One thing is when Slashdot covered the SCO stuff, when it was hot, about five times per day. But SP2? C'mon! Microsoft just loves beeing in the spotlight.

      Until CodeWeavers comes up with a nice patch for wine to make SP2 work, please stop the presses!
      • by EpsCylonB ( 307640 ) <.moc.bnolycspe. .ta. .spe.> on Wednesday August 18, 2004 @04:15AM (#9998955) Homepage
        Microsoft just loves beeing in the spotlight.

        I think you have too high an opinion of Slashdot. Why would microsoft care one way or the other about a website whose readers are 1) a minority of windows users and 2) heavily biased towards linux.

        On the other hand it makes sense for slashdot to post these stories because there is almost certainly some admins here who want to hear the latest news about sp2.
        • by LiquidCoooled ( 634315 ) on Wednesday August 18, 2004 @04:27AM (#9998987) Homepage Journal
          I don't know about you, but just being Open Source fan unfortunately does not mean I can stay away from Windows.

          In the real world, we have jobs and PHBs and spouses who don't want to disrupt things or break working apps (Sims for the missus, god help me if I break that one!).

          I think the SP2 stories are required reading at the moment, and at the same time, I am glad the comments are littered with cynical remarks and questions. We need to question the motives of these companies, and we need to test SP2 to breaking point.

          We want Linux to "take over the desktop", but at this point, as a compromise I am happy running Firefox and OO.org.

          I won't try and say I dual boot, I find the thought of having to reboot an entire computer just to run one program absolutely stupendous, but when I get my linux bug I always have a knoppix disk lying around :)
      • by Ilgaz ( 86384 ) on Wednesday August 18, 2004 @06:35AM (#9999491) Homepage
        I run Intego netbarrier on OS X (yep, shoot me) and man, these days I am on 56k k (shoot again)... :)

        Getting 3 kb/sec and continuous alert sounds, I wondered what the heck happened, checked logs.

        A new stupid lamer virus checking my port 135. I am on OS X right? FreeBSD based? Got firewall? nothing helps. I am effected by STUPID windows and some jerks opening attachments.

        So, I really hope SP2 will work as advertised, at least stopping viruses coding in VISUAL BASIC for Gods sake... I am not making any sarcasm. I hope it works and guess what? Only owning Macs, I watch all stories about SP2 with Yahoo alerts etc.
    • Yeah, these "flaws" are retarded. Telling people to open a command line and run a command with several arguments is much more complex than simply telling them "click yes on the security dialog to run the program". Clicking yes on dialog boxes is something users do all the time and don't think twice about. In fact, if Microsoft really wanted to make it difficult to run programs downloaded from the Internet, they could have *required* that users perform heise's procedure to run them. It would probably be
      • Completely off topic, I admit, but I've seen your sig before and cant work out what it does. What does it print out?
      • Telling people to open a command line and run a command with several arguments
        Sorry, who's telling people to do that? The point made was, rather, that compromised machines can still be made to bypass this mechanism since it's not been built into the command line interface.
        • Heise is! Didn't you even notice the "sample email worm" given by heise? How did this get modified informative? Stupid crack-smoking mods. Aren't you familiar with the oh-so-popular "email with executable attatched that the user must manually run to start the virus"? Once the machine is compromised, the game is already over, because the virus can run whatever code it wants regardless of WinXP's new security features.
      • Telling people to open a command line and run a command with several arguments is much more complex than simply telling them "click yes on the security dialog to run the program".

        Is it really?

        On the phone it's great to be able to say "Press Alt-F2 and then P-R-O-G-R-A-M", it's much more efficient and straightforward than "Press Start, then go to that submenu, then go to that submenu, then search for PROGRAM, then click it"

    • I think it's a bigger deal than you think.

      The issue at hand is that there exists a way to execute programs without checking the ZoneIDs. That's less secure than desirable. All methods of execution should be secured. There are bound to be scenarios where this could be exploited that don't involve the user opening up a cmd window and typing the command.

      That said, yeah yeah yeah, Windows isn't secure, blah blah blah, Linux rules, etc.
      • by phobonetik ( 522196 ) <sigurd AT silverstripe DOT com> on Wednesday August 18, 2004 @03:31AM (#9998811) Homepage
        Yes - agreed - to be exact; "With Service Pack 2, Microsoft introduces a new security feature which warns users before executing files that originate from an untrusted location (zone) such as the Internet. There are two flaws in the implementation of this feature: a cmd issue and the caching of ZoneIDs in Windows Explorer. The Windows command shell cmd ignores zone information and starts executables without warnings. Virus authors could use this to spread viruses despite the new security features of SP2. Windows Explorer does not update zone information properly when files are overwritten. So it can be tricked to execute files from the internet without warning."
    • by alex_tibbles ( 754541 ) on Wednesday August 18, 2004 @03:26AM (#9998789) Journal
      It depends. The 'flaw' here is that certain actions that *sound* OK are not. In a perfect system, all insecure actions would be *obviously* insecure (like "open a root shell and type the command '0wnme'").
      It's like the social engineering attack: "Can I have your username?". People are told not to dish out their passwords, but usernames should be fine, right? Attacker then calls tech support (at the same company) saying: "Hi, I've forgotten my password. My username is . Please reset it for me."
    • The specific flaws may not be big deal today, but Jürgen Schmidt's article Microsoft: A matter of trust [heise.de] makes some very good points about what the response says about Microsoft's attitude to the problem. One of the biggest obstacles to security it the "it hasn't been exploited yet so it isn't a problem" attitude in those who hold the purse strings. It is a recipe for always doing too little, too late.

    • The cmd.exe social engineering: run this gif through cmd.exe, is a very interesting one. In all my nefarious machinations I'd never thought of that one.

      On the contrary I think these are some very interesting bugs.
  • by tpgp ( 48001 ) on Wednesday August 18, 2004 @02:58AM (#9998687) Homepage
    From the end of the second page:

    "We have investigated your report, as we do with all reports, however in this case, we don't see these issues as being in conflict with the design goals of the new protections. We are always seeking improvements to our security protections and this discussion will certainly provide additional input into future security features and improvements, but at this time we do not see these as issues that we would develop patches or workarounds to address."


    *Shrugs*
    • Joe ServicePack to boss: I've got this dazzling new CD and some sound-bytes from Microsoft. Shall I install this stuff anyway?

      Boss: The CD looks very attractively packaged. Let's try...

      -
  • Isn't it normal? (Score:2, Insightful)

    by Anonymous Coward
    Surely, it's normal to release patches. Why is this news?

    So they patch up to SP2 and they continue to patch. I would hope so.

    So there's issues with SP2. I dare you to do a similar number of changes and then have no issues with the resulting code.

    Yet another slow news day we we see headlines like "Ask Slashdot; I want to install a text editor, what do slashdot recommend?"
  • by rvw ( 755107 ) on Wednesday August 18, 2004 @03:01AM (#9998700)
    Well it appears that at least one hotfix is already available to fix yet another bug in Windows XP, post SP2 application.

    I'm curious how long it takes them to release Service Patch 2 for SP2...

  • by jhoegl ( 638955 ) on Wednesday August 18, 2004 @03:05AM (#9998716)
    I really would like to know if Microsoft has an outsourcing company working on this project. They openly admit they outsource parts to outsourcing companies, why not this?

    If this is the case, it is very easy to see why Microsoft has so many problems with security. They have no control over the hires, no control over the code (you can review it, but thats a lot of code), you have no control over security of the code.

    I sometimes wonder if people purposly put in backdoors or buffer issues to allow this to happen. A unhappy coder is a dangerous coder, and lets face it, if you work for an outsource company, you probly are not too happy. I sure wasn't.
  • by nboscia ( 91058 ) * on Wednesday August 18, 2004 @03:11AM (#9998740)
    This makes me wonder how Microsoft, as well as many other large software corporations, manage security patches and quality assurance of their software. Is the problem with there being so many people working on different projects that they do not communicate and therefore things get overlooked, or is it due to the complexity of the software, or something else entirely? I couldn't imagine how someone could manage 'security' for Windows (or any similarly large project) and be 100% sure of what all the technical staff do. Does it come down to having more meticulous software engineers and rigorous testers? How would people recommend this be done? I'm sure the typical "make it open source!" answer will be given, but if that is not an option, how do companies who are more successful at this do it?
    • by Oestergaard ( 3005 ) on Wednesday August 18, 2004 @05:57AM (#9999329) Homepage
      What you do when you want a large system to be secure:

      You implement a very small "core" or "security kernel" or "call it what you like". It is called a "reference monitor" in TCSEC. It is a piece of code that will be asked "can subject X do operation Y on object Z", whenever a user or program attempts any operation on any object (like a file or a network connection). This piece of code is so small and simple that you can inspect it and possibly even formally *prove* it to be correct.

      The operating system kernel will then guarantee that the reference monitor is consulted on all such operations. This is, after all, what operating system kernels do, among other things.

      Now; you can write a simple security policy for each subsystem in your operating system. One policy for your browser, one for your word processor, one for your regular secretaries, one for your accountants, etc. (a real OS with these features will of course have the majority of all policies set up and ready by default).

      The system will now enforce the security policies on everything that goes on in the system. Because the OS is enforcing these policies, and because the subsystems cannot magially change the security policies set up for them, this is called "Mandatory Access Controls", or MAC for short.

      MAC ensures that a bug in, say, your browser, cannot be exploited to, say, go thru your documents and harvest e-mail addresses. Simply because the system policy does not allow a browser with internet access to access local documents. Just an example.

      This is how secure systems are built. This is what SELinux is trying to do, and this is what Trusted Solaris has done for a while. This is what is required if you want a TCSEC certification in the B (or A) class, not the kindergarten-security of the C class.

      Or, under the common criteria, this is what you need to get certification against the LSPP (as Trusted Solaris has), instead of the kindergarten-security CAPP (as Win2000 can have in certain restricted setups), or even the home-grown "security targets" (which SuSE got).

      This is old and well known technology. Too bad big businesses and governments never put pressure on the vendors to actually have real security built in.

      Good to see SELinux coming along nicely, and Sun moving Trusted Solaris features into Solaris 10.

      All is not lost - but trust me, they will be selling snow-cones in hell before you see MAC in Windows.
  • by Graabein ( 96715 ) on Wednesday August 18, 2004 @03:23AM (#9998773) Journal
    Is it there or isn't it? What is it? It's the Heisenberg Patch!
  • by City Jim 3000 ( 726294 ) on Wednesday August 18, 2004 @03:27AM (#9998790)
    These 'flaws' are of the same type as posting a script in your .sig that executes "rm -rf /" on a *nix system.

    The best security measure would be some device that read the mind of the user and warned if you were too stupid. Or maybe even easier:

    if(spywareCount > 20) stupidUser = true;
  • by melted ( 227442 ) on Wednesday August 18, 2004 @03:34AM (#9998818) Homepage
    in SP2. They've gone through pretty much everything, re-hashed a lot of stuff, sometimes on a very deep level. Tons of bugs were fixed. There's not a software company in the world that could release something like this with zero bugs. Not even demi-god Linus Torvalds is capable of such a monumental technological feat as releasing code without bugs.

    Having said that, it's all about risk management. If you're willing to postpone SP2 roll out in your org you've got to estimate the risks of not rolling it out, too. As I said it fixes a lot of issues, and if there's a bug or two the benefits still outweigh the risks by a wide margin.
    • n SP2. They've gone through pretty much everything, re-hashed a lot of stuff, sometimes on a very deep level. Tons of bugs were fixed. There's not a software company in the world that could release something like this with zero bugs. Not even demi-god Linus Torvalds is capable of such a monumental technological feat as releasing code without bugs.

      It can't be very deep when you allow this "bug" to go through a command-window. Then it's just a patch to explorer, and explorer-alternatives like Litestep and o
  • Execute.me (Score:5, Interesting)

    by lastberserker ( 465707 ) <babanov&earthlink,net> on Wednesday August 18, 2004 @03:35AM (#9998823) Homepage Journal
    How's sending .gif and asking to run cmd on Windows XP system is any different from sending .gif and asking to execute perl on Linux or BSD?
    • Re:Execute.me (Score:4, Insightful)

      by arivanov ( 12034 ) on Wednesday August 18, 2004 @04:32AM (#9998999) Homepage
      It is different in the sense that:

      If SP2 has introduced as standard blocking execution based on ADS data, it has to be uniform across the OS. The fact that CMD does not do the check means that the check is not on kernel level. It is a userland check, most likely in explorer libraries which are universally used by MSFT software at the moment. This means that there is likely to be a way to do this without asking and this protection is not likely to apply to any 3rd party executables that do not rely on IE. This also means that SP2 enforces the use IE to access filesystem and launch executables

      So MSFT did one of its usual stunts - it decreased the security of the system, screwed the competition while getting some publicity of for a security feature. Good marketing...
      • Re:Execute.me (Score:4, Informative)

        by bushidocoder ( 550265 ) on Wednesday August 18, 2004 @09:20AM (#10001040) Homepage
        There was actually alot of chat about where this protection should be placed prior to SP2 RC1 and the general consensus amoung developers (both in and out of MS was that it should be placed in explorer). The problem with making it kernel level is that applications which use web auto-update methods to retrieve new binary versions of executables or dlls would block on an exec or CreateProcessEx and prompt the user. This would be such a pain in the ass and confusing in user space that it appeared most developers would rather invent their own auto-update strategies than take advantage of the strategies MS is beginning to push on the market. In the end, its more beneficial to end users to have a uniform update model - a uniform update model means that in the next generation of Windows Update Services, enterprises will be able to deploy updates and patches to all types of software regardless of vendors from a centralized repository. Also, it helps consumers in future versions of Windows Update when MS begins to allow third party signed binaries to be hosted on Windows Update itself.
  • by CRC'99 ( 96526 ) on Wednesday August 18, 2004 @03:38AM (#9998832) Homepage
    Ok, correct me if I'm wrong, but isn't a Service Pack supposed to add security fixes, and patches to operate more 'as expected'...

    Yes, you can do something convoluted to get something to misbehave (save the file, open up a command prompt, run the file) etc, but seriously, if a normal user does this, then they are beyond help that we can expect an OS to provide.

    Remember, you can get *ROOT* access to linux by rebooting and adding 'single' to the boot line. Does this mean that it should be fixed in the next kernel/distro?

    You can only do so much to protect the user. If you go out of your way to bypass security measures, then the OS should not be expected to protect you.
    • by spineboy ( 22918 ) on Wednesday August 18, 2004 @03:50AM (#9998879) Journal
      There are many, many reports on iPODLounge (the main iPOD support forum) of people who install SP2, lose their iPOD functionality, and then need to roll back their XP system to pre-SP2 in order to get their iPODS to function again.

      I just got a new 4th gen iPOD, which I can write to on Linux, but can't get to work on my XP-SP2 Windows dual boot machine.

      Guess what I'll be uninstalling next...

      • by Vandil X ( 636030 ) on Wednesday August 18, 2004 @07:09AM (#9999646)
        My wife and I both own 3G iPods (connected via Firewire) and using the latest firmware.

        No problems under Service Pack 2 whatsoever, though Windows Firewall did fuss about iTunes wanting to connect o the Internet.

        From my experience, many of the times when an OS/feature breaks from a service pack installation, it's because the user's PC was already damaged by corrupt files, registry entries, or"tweaks". The Service Pack simply exposed them.
    • I wouldn't call this "out of my way" to bypass the feature. They could have closed it off a little better.

      Wrt single user booting, sure, no system is secure when an attacker has physical access to the hardware. But I can see how these flaws are remotely exploitable, which is much worse. The first flaw is more a social engineering issue, but I can see how flaw #2 can cause real problems.

    • Yes, you can do something convoluted to get something to misbehave (save the file, open up a command prompt, run the file) etc, but seriously, if a normal user does this, then they are beyond help that we can expect an OS to provide.

      How about a .cmd or .bat file? I bet that is also vulnerable since this "security fix" is only in Explorer, a stupid decision. Security should be at the foundation, not tacked over the windows (pun intended). So all you need is the user to get a bad file to run, and off they g
  • by OffTheLip ( 636691 ) on Wednesday August 18, 2004 @03:43AM (#9998849)
    From my perspective based on the size of SP2 I'd say it's a new OS. Two patches/flaws in a MS OS is darn good. Kudos to Redmond.
    • It's not a new OS in any way, shape, or form. Go to the Run command on an XP SP2 box, type in "winver" and you'll see this is still Windows NT 5.1, just as all versions of Windows XP have been since they first came out. This is one of those many cases where size does not matter.
  • by Skiron ( 735617 ) on Wednesday August 18, 2004 @03:58AM (#9998908)
    The trouble is, M$ do not have the luxury of coding a free, open system as per Linux and are more concerned with the 'control' of the code in what it allows a user to do (or more importantly, what they are not allowed to do!!). Basically, the whole design from bottom up of windows is a bad legacy and will always cause problems

    BTW, here is the SP2 fix list SP2 fix list [microsoft.com]

    Some great stuff here e.g. -> 823830 Your Windows XP computer stops responding after you log on :D
  • *Yet* another flaw in XP SP2 has been found:
    Even with the service pack applied, Windows does nothing to guard against the user revealing their password to a complete stranger in a train station in exchange for some crappy pen. [theregister.co.uk]

    MICROCRAP WINBLOWS!!!!!!!
    • by mcbevin ( 450303 ) on Wednesday August 18, 2004 @04:50AM (#9999064) Homepage
      I think that about summarizes what I've read of these flaws. If anything, the 'exploits' are simply disagreements with the philosophy regarding how the changes should have been implemented - i.e. at what level.

      Microsoft has added protection to some things, but not others, so its a 'flaw' that the protection only protects these certain things. But it most likely a design decision - you have the security stopping the dumb user from accidentally opening something in explorer without realising what it is, without handicapping advanced users using cmd or having say security pop-ups every time a program internally invokes another etc.
  • Mod article down (Score:5, Insightful)

    by Ceriel Nosforit ( 682174 ) on Wednesday August 18, 2004 @04:03AM (#9998922)
    In my humble opinion, this article is about as useful as a troll. Many /. readers have already pointed out that these aren't much of flaws.

    Mircrosoft is finally playing the right tunes, but someone on a vendetta can't accept this, so they nitpick after _anything_ to pin on SP2.
    For Christ's sake, Sendmail. Sendmail had a brand new remote execution (That's translates to your unpatched box being rooted.) exploit posted a week or two ago, and not a word was said.

    This isn't news. This is hypocrisy.

    --
    • Re:Mod article down (Score:5, Informative)

      by Anonymous Coward on Wednesday August 18, 2004 @04:50AM (#9999063)
      The Sendmail issue you speak of was related to MS^T^TSCO's version of sendmail...

      By SearchSecurity.com staff
      02 Aug 2004 | SearchSecurity.com

      SCO fixes two critical flaws in Sendmail
      The SCO Group of Lindon, Utah has issued a fix for two old vulnerabilities in Sendmail that malicious people could use to launch a denial-of-service attack or compromise a vulnerable system. IT security firm Secunia of Copenhagen, Denmark calls the flaws "extremely critical." The first problem can be exploited to cause a denial-of-service attack and could allow a remote attacker to execute arbitrary code with the privileges of the Sendmail daemon, typically root, according to SCO's advisory. The second problem is in the prescan function in Sendmail 8.12.9, which allows remote attackers to execute arbitrary code via buffer overflow attacks. The vulnerabilities affect OpenServer 5.0.6 and 5.0.7. The SCO recommends users install the latest packages.
    • by rozz ( 766975 ) on Wednesday August 18, 2004 @05:02AM (#9999112)
      This isn't news. This is hypocrisy.

      actually, this is slahdot

  • Low tech (Score:5, Funny)

    by Anonymous Coward on Wednesday August 18, 2004 @04:11AM (#9998943)
    Sending an email and instructing a user to do something more than "click here"? What's next, "Hello. To see nude pictures of Natalie Portman, please: go to insecure.org and download nmap, go to arin.net and find ip ranges for several major calbe internet providers, search for vulnerable Windows XP systems that you can use exploits on (use Google to find Windows compiled versions of the exploiting tools), and use the exploits to inform the remote user of this method. If you infect 10 people and get them to pass it to 5 of their friends, Bill Gates will send you a check for $50 for every person that references you. It's true! I did it and you can to! K THX!"

    DeMe
  • by Reteo Varala ( 743 ) <.moc.sotnoilsorpmal. .ta. .oeter.> on Wednesday August 18, 2004 @04:16AM (#9998958)
    At the top of the hour, we'll bring you Microsoft's latest battle to ensure Security in their Service Pack 2 Upgrade, but first, this message from your sponsor...

    *cue the Microsoft ad* ...Okay, Microsoft the #1 manufacturer of software in the US has announced that it will not be shipping its Service Pack 2 upgrade on time. We have an operative at Microsoft headquarters who can bring you the scoop. Stan?

    *cut to Microsoft Windows ad*

    Mr. Ballmer, how does this delay affect your company's efforts to ensure the security of your customers? What does this mean in your plans to release the Longhorn operating system?

    "Well, Stan, we here at Microsoft have been long at work making things safe and secure for every single person, and we don't plan to change that now. As for Longhorn, that will be put on delay until we can secure what we have now. Beyond that, I can't comment."

    Do you give any credence to the rumors that more and more of your customer base might be slipping to Windows?

    "Yes, but they'll be back, when they discover that the costs of going to Linux is higher than staying with us. Our plans of world... ...security are coming along just fine. Hang in there, and we'll show you that Microsoft is the only company in the world that can offer you security from all manners of Internet threats, from pirates to hackers, and of course, file-sharers."

    Thank you, Mr. Ballmer. Back to you, Charlie.

    *cut to Charlie*

    Thank you, Stan. When we come back, a look at your money, and a surprising look at SCO's evidence, proving once and for all, it's ownership of UNIX and Linux...

    *cut to MSN Ad*

    Darl McBride, CEO of the SCO Group, uncovers an amazing discovery that could turn the tables in their court case against IBM, who they allege had taken UNIX code, the recipe for a computer to work, as they provided this evidence this afternoon in court...

    *cut to scene where Darl is in a straitjacket, screaming that Linux is his and if he can't have it, no one will* ...oops, sorry, wrong footage...

    *cut to scene where SCO lawyers present the Chewbacca Defense*

    No question, IBM's claims make no sense. So, here we have conclusive evidence that Linux rightly belongs to the SCO Group.

    In an unrelated incident, Darl McBride, surprised at the effectiveness of the maneuver, lost his sanity, and shouted about his ownership of Linux.

    *whisper: Do you think they'll buy that? What?* *looks at camera* Oh, when we return, we'll cover your money, and it's safety in MS-backed stocks.
  • Enough already... (Score:5, Interesting)

    by Ghostgate ( 800445 ) on Wednesday August 18, 2004 @04:18AM (#9998967)
    I mean, let's be serious. I'm not defending Microsoft because let's face it, they have allowed some pretty serious security flaws to get into Windows in the past. But the article does mention "social engineering" and I ask you, isn't this at the root of many, many security issues? I'm not saying Microsoft is never to blame - not at all. But what I wonder is how much damage has to be done before the typical user just sits down and LEARNS a little about security. I am honestly appalled at the number of computers I see that are on the internet without ANY form of anti-virus protection - much less a firewall. Computers are certainly much more complex to operate than say, a car - and we make people go through a whole course and take a test before they're even legally allowed to drive one. Why? Because they can end up killing someone, or themselves, if they don't do it right. With a computer, it's not that severe, but you can still do some major damage (or have it done to you).

    Put it this way. If the average user took the time to learn just a little more about this device that is a BIG part of their lives, and how to keep it and their private information secure, would security really be as massive of an issue as it is today? I will say this, though - I'm glad Microsoft has turned the firewall on by default in SP2. I know it's going to cause a lot of headaches, but think about it - a lot of people are hearing about a firewall for the first time thanks to SP2. Hearing about it, and being FORCED to deal with it, is a big step for the average user towards learning more about security.
  • by Anonymous Coward on Wednesday August 18, 2004 @04:19AM (#9998970)
    After installing SP2 i received an email from a person i don't really know, but he somehow had found a Word document with a lot of personal information about me online and was worried i might have misplaced it. He was so nice to send it to me, so i tried to open the document to see what was in it but Word wouldn't start properly and nothing seemed to happen. So it seems SP2 breaks Word. And on top of that my computer is really slow lately and sometimes messages appear on my screen like, 1 0wn j00! WhaAHAHa 5uck3R!!
    kinda funny but i don't remember installing that...

    seriously, if a user is dumb enough to follow instructions to do something he never asked for from somebody (he probably doesn't even know) he got an email from, you might just as well ask them to install backdoor.exe because it will make their computer faster.
  • In SP1 (and XP original I think) there is a certain time during system startup when it is on the network already but the "Personal Firewall" is not yet started. This time is long enough for some exploit to "own" the machine. Pisses me off.
  • by Numen ( 244707 ) on Wednesday August 18, 2004 @04:32AM (#9998998)
    That tag is starting to wear awful thin.

    Why is it harmful to stoop to clutching at any desperate cheap swipe at MS ignoring any similar commentary on OSS software?.... because there's a large number of NERDS that miss a lot of useful "stuff that matters" on Slashdot because they're not prepared to deal with the rabid hypocrisy of articles like this one.

    Secondly it makes the OSS comunity look like a bunch of immature fanboys rather than the dedicated professionals most of the community is made up for... that directly impacts adoption of OSS by business.

    If you've ever wondered why OSS struggles for credibility in many businesses, bullshit like this article and the culture it encourages are a significant factor.

    Articles like this one hurt the OSS community way way more than they ever hurt MS and feed back into the fact that the OSS community itself is all the advertising MS needs.

    "News for OSS Nerds. Any desperate shot at MS."

    Grow the hell up.

    Get back to news for ALL nerds, and stuff that genuinley does matter. Because **gasp** there are Nerds that also develop on the MS platform, and not suprisingly they're more likely to hear the OSS side of the argument if they're actually around rather than on the other side of the room rolling their eyes at you... and maybe... just maybe... you have as much to learn from them as they have to learn from you.
    • by dave420 ( 699308 ) on Wednesday August 18, 2004 @07:57AM (#10000057)
      Good points, dude!

      I'm one of those developers. I write OSS on Windows, because Windows does for me what I want. I'm not starting a windows vs. linux debate, but a maturity vs. immaturity debate. I can totally understand why people use linux. I really can. I even use it myself (tho not on my own desktop). I'd defend someone's right to use linux with all my might. Why do I get the feeling that sentiment wouldn't be reciprocated by the /. community? It's called objectivity, folks. If you want OSS to be respected, start respecting other operating sytems. Start respecting closed-source apps and developers, and they'll start respecting you more (they already respect you, but this cheap pot-shot name-calling only hurts that).

      I find it increasingly difficult to talk to people who don't know about OSS and tell them how cool it is, because the community behind it is cheap. Really cheap. Are you all proud that you're bashing an operating system that your favourite OS is aspiring to replace? If linux had 95% of the desktop share, would you love it if people bashed it without any reason what-so-ever? Of course not. So don't do it to windows. Sure, pick up on the truly bad stuff, but also pick up the good stuff. Do the same for linux, as well. Be fair, that's all. Objectivity. It's your friend.

      Anyway, I'll be called a troll for this. I don't care any more. I waste so much time wading through people talking out of their asses on here, it's hard to get to the actual stuff that matters.

  • by tod_miller ( 792541 ) on Wednesday August 18, 2004 @04:44AM (#9999039) Journal
    if(Lucasarts)
    post.replace("SP", "EP", 0);

    Look, SP2 sucked, noone liked it, we are all waiting for SP3, although most of us have this feeling that it will be more of the same. ...

    It gets complicated with SP4-6 due to something called the time-space continuum.
  • by dioscaido ( 541037 ) on Wednesday August 18, 2004 @05:17AM (#9999164)
    ... Linus and crew are at work with yet another version of the kernel, this time numbered 2.6.9! Those people are so sloppy, having to upgrade the kernel every few months to fix all the issues. Doesn't sound quite right now does it? Change the tag to SP2 and Windows, and we have a slashdot headline! Mod me as troll if you like, I'm just trying to make a point.
  • Zero Mission (Score:3, Interesting)

    by Graymalkin ( 13732 ) * on Wednesday August 18, 2004 @05:23AM (#9999182)
    In the past few Windows XP SP2 threads there have been several people complaining about slashdites seemingly "picking" on Microsoft and celebrating any and all flaws the update has. I don't feel bad for Microsoft in the slightest at this point. They've been touting the security of Windows XP for years now and have done little to actually back up their claims. Sure some Windows XP system on a managed network with double filtered internet access and nightly reimaging might be pretty secure. In the home however Windows is simply a distaster waiting to happen.

    While SP2 is more secure than the original release and SP1 that doesn't reduce the number of Blaster hits my firewall blocks. It also doesn't affect the 50% of Windows users that will never download the update and will continue to be hammered by viruses and worms. Microsoft's delays and incompatibility problems just exacerbate the matter.

    It's good to see Microsoft taking real heat from the industry press over their problems in SP2. The industry as a whole rolling over for Microsoft is what led to the situation as it stands now. The original release of Windows XP was riddled with holes and and was summarily exploited. No one seriously called Microsoft on this fact and SP1 was little more than a collection of security patches and minor bug fixes. The changes made in SP2 should have come out years ago. Maybe then you could plug a Windows system into a cable modem and last more than twnety minutes without being exploited.

    Linux is improving in the usability and management arena and MacOS X is gaining mindshare as Apple improves its hardware. Both of these OSes are designed much more securely yet have a high level of technical capability. I really hope people begin to see there are alternatives to Windows and they're not nearly as bad as Microsoft would have you believe. SP2 is going to teach their management a hard lesson; despite being a monopoly power in the industry they still have to improve and maintain their OS.
  • Awwwww, FUUUUUDGE! (Score:3, Interesting)

    by Asprin ( 545477 ) <gsarnoldNO@SPAMyahoo.com> on Wednesday August 18, 2004 @06:41AM (#9999511) Homepage Journal

    Well, I learned something. Apparently, for some time now, Windows XP has been completely willing to execute executables that do not have an executable file extension. For example, if you rename notepad.exe to notepad.gif, you can "CMD /C NOTEPAD.GIF" and it will pop right open. Not sure yet if explorer will do this the same way: One test I ran (notepad.exe -> notepad.xxx) prompted for a program, while another program (nestor.exe -> nestor.xxx) just ran normally. Maybe it has something to do with the origin of the file, or whether the file extension is registered or not. I noticed that Windows replaced notepad.exe with a new copy a few seconds after I renamed it.

    The point?

    Those of us using RENATTACH [pc-tools.net] on our mail servers to filter out malware and viruses now have another hole to plug.

    Thanks, Microsoft.

    Dorks.
  • by HangingChad ( 677530 ) on Wednesday August 18, 2004 @07:33AM (#9999785) Homepage
    The post service pack exploits are coming out before the service pack? Day 0 exploits are one thing but this is like a day -14 exploit.

    Pretty soon we'll have Longhorn exploits coming out.

  • by SilentChris ( 452960 ) on Wednesday August 18, 2004 @08:35AM (#10000429) Homepage
    I think some UNIX vets are confusing the Windows implementation of the command line and UNIX's. In UNIX they're pretty much identical in terms of functionality. In Windows that's not the case.

    Example: yesterday I tried to FTP from a Windows 2003 server to another box. For the sake of speed, I tried using IE as my FTP client. Windows 2003 locked down the box by default, so that client wouldn't work without tweaking IE settings. However, I tried the Windows FTP command line app and it worked fine.

    The "safeguard" described in the article really isn't meant to be a safeguard at all. It doesn't follow any of the low-level security features that the system provides (like permissions). It's just a quick tag for Joe User to remember that a file was downloaded and not placed by them.
  • by kabdib ( 81955 ) on Wednesday August 18, 2004 @09:49AM (#10001446) Homepage
    I have respect for folks who can find buffer-overruns, heap-mangling attacks and so forth. These people are smart, hard-working and diligent. They give evil a good name.

    I have nothing but contempt for someone with an axe to grind whose only response is the "exploit" in the linked article. It's pretty lame. Come back when you've written enough of your own code to present an attack surface. :-/

    Grow up. Sheesh.
  • by drdink ( 77 ) * <smkelly+slashdot@zombie.org> on Wednesday August 18, 2004 @11:04AM (#10002495) Homepage
    It never ceases to amuse me to see the continual bashing of Microsoft on Slashdot. Yes, Microsoft has some major security issues to work out. However, they are making a fairly good faith effort to do this now. Service Pack 2 was a decent attempt. Yes, there were bugs introduced by Service Pack 2. But even Linux has bugs [slashdot.org] every once and a while after a new release.
    If you really must discredit Microsoft, at least do it on fair ground and acknowledge that the operating system(s) you hold dear also have some bugs. And please, do not call them Micro$oft, M$ and other lame variants. It is Microsoft Windows, not Micro$haft Windblowz. If you can't even have the common decency to refer to somethign by the proper name, then nobody worth listening to is evey going to take you seriously.
    If you want your community to be seen in a decent light, then you must behave decently.

Garbage In -- Gospel Out.

Working...