Serious IIS Hole; Minor X Bug

EyesWideOpen writes "Microsoft announced Wednesday that there is a serious software flaw with its IIS web server. The 'vulnerability affects a function in the server software that allows Web administrators to change passwords for an Internet site.' A researcher with eEye Digital Security discovered the flaw in mid-April but it wasn't announced publicly because of an agreement with Microsoft. The Wired article is here and this appears to be the MS bulletin describing the vulnerability in detail." And several people reported this Register story on a way to DoS Mozilla users by trying to display ludicrously large fonts. Microsoft's time to patch a remote hole where the attacker can gain complete access to your computer: two months. Open Source's time to patch a much less serious bug where the attacker can merely crash your computer: three days.
  • by erlando ( 88533 ) on Thursday June 13, 2002 @05:23AM (#3692330) Homepage
    But you are forgetting the vast number of users running IIS without knowing it by way of having installed Win2K with indexing services and what not.

    The majority of Code Red attacks came (and are still coming) from private users that have never even heard of a Microsoft Security Bulletin, the URLScan tool or the Lockdown Tool.

    Sadly these types of users are still in the majority.

  • by taliver ( 174409 ) on Thursday June 13, 2002 @05:26AM (#3692335)
    Isn't this X bug a symptom of a more serious Linux bug? Why should any process get to take all of the memory? I've done this with strictly user-level programs, and I was able to make the system crash (a severe memory leak in a small program I had written). How should any user-level process stop a machine?

    In a couple of cases, Linux was able to kill my memory hog, but there's some sort of serious resource contention. I hope the 2.6 kernel addresses this issue.
  • by Anonymous Coward on Thursday June 13, 2002 @05:27AM (#3692338)
    It can hardly be just to compare the two software bugs where one is a web server and one an internet browser. That's like comparing getting rid of pollution to getting rid of bad breath.

    And also I'm surprised about the stupidity in this sentence: "Open Source's time to patch a much less serious bug where the attacker can merely crash your computer: three days." - well honestly, what does that say: isn't it obvious that a lesser problem takes less time to fix than a larger one? That's just dumb.

    I'm no huge M$ fan myself, but this article smells awfully much of unjustified M$-hatred. Let products speak for themselves, and let users make their own opinions.

    Bottom line: propaganda sucks.
  • Flawed logic (Score:4, Insightful)

    by rufusdufus ( 450462 ) on Thursday June 13, 2002 @05:28AM (#3692339)
    The author says that it took Microsoft two months to fix a big flaw in IIS, while it took open source only three days to fix a little flaw in Mozilla.
    This comparison defies rational comprehension. The length of time it takes to do two totally different tasks on two totally different pieces of software for two totally different markets is completely meaningless. I can write a program and pop it onto the internet in an hour...so what? What's the relationship?
  • by matusa ( 132837 ) <[moc.liamg] [ta] [lesihc]> on Thursday June 13, 2002 @05:34AM (#3692353) Homepage
    OK, is anyone else sick of the inane way in which we compliment ourselves continuously?

    Come on, we really do not need to say these sorts of things: nah nah, we fixed something first, we're better than you. Does anyone else find it retarded that you can crash an X server just by telling it to display a font which is too big?

    What about the fact that we STILL don't really take advantage of gfx hardware for 2D presentation? or the fact that fonts still look like ass?

    If you think we can laugh at others, check those market share figures. We have a lot of work to do.
  • by Mr Windows ( 91218 ) on Thursday June 13, 2002 @05:38AM (#3692356)
    The Register Article [theregister.co.uk] specifically says:
    X-windows,
    with or without the font server (XFS) running can be crashed remotely via Mozilla [my emphasis]
    So it seems that Slackware is just as vulnerable as anyone else.
  • Re:What rubbish (Score:5, Insightful)

    by krmt ( 91422 ) <therefrmhere AT yahoo DOT com> on Thursday June 13, 2002 @05:42AM (#3692364) Homepage
    I agree that the X bug is very serious (and I'm particularly worried about it because Debian doesn't even have the newest XFree86 revision in it, so where am I going to get the patch for this) but there is a difference in terms of the problem.

    This is a lot easier to exploit for the malicious hacker than the IIS bug. You just set up a page with huge fonts and that's it, you've crashed X. But the payoff for that is a laugh at the (relatively) rare X user who visits your site.

    As for the IIS bug, I'll just quote the Wired article...
    Microsoft acknowledged a serious flaw Wednesday in its Internet server software that could allow sophisticated hackers to seize control of websites, steal information and use vulnerable computers to attack others online.
    This, in my opinion, is a lot worse than simply crashing X. Hell, my Windows 98 crashes almost daily but that doesn't stop me from using it. Crashing isn't so bad. Black Hats stealing information and gaining control of my computer, that's bad.
  • Ummm ... so what? (Score:3, Insightful)

    by Mr_Silver ( 213637 ) on Thursday June 13, 2002 @05:47AM (#3692374)
    Time for my neighbour to fix the dodgy shed door: 2 months. Time for me to fix the dodgy wiring in the kettle: 15 minutes.

    Not wanting to be pedantic but the duration of time it takes to fix a bug isn't exactly a great indicator of anything (except maybe, how long it took to fix it).

    It's a bit like assuming that a program with 5000 lines is obviously worse than one with 7500 lines.

    We know nothing about the internals of IIS and the two bugs are not even remotely related. You simply can't compare the two and come out with anything meaningful.

  • Re:Flawed logic (Score:4, Insightful)

    by uglyduckling ( 103926 ) on Thursday June 13, 2002 @05:56AM (#3692398) Homepage
    MS has armies of well paid programmers who know the software inside out, is in the middle/end of an apparently unilateral security review, and has taken two months to patch a hole in their flagship web server product.

    Mozilla has - well perhaps a relatively small army of programmers, many of whom are voluntary, and managed to patch a bug that is really only a pain in three days.

    Yes - you can't quantitatively compare the two and say that Mozilla is x percent more efficient/reliable/whatever than MS, but you can make a qualitative comparison and ask why MS took an order of magnitude longer to respond. Even if we give MS the benefit of the doubt and assume that the IIS hole is much harder to patch than the Moz hole, MS should have and could have thrown much more resources at the problem to make sure it got fixed within a week - but they didn't.

  • Re:Status Quo (Score:4, Insightful)

    by GypC ( 7592 ) on Thursday June 13, 2002 @06:03AM (#3692418) Homepage Journal

    It's not a Linux bug, but rather an XFree86 and mozilla bug. It would probably crash any box running those two programs just as handily...

  • MS: switch to XP. (Score:4, Insightful)

    by Sarin ( 112173 ) on Thursday June 13, 2002 @06:15AM (#3692455) Homepage Journal
    "Microsoft Discloses Software Flaw"
    and
    "The server software included within Microsoft's newer Windows XP operating system was not affected by the security flaw."

    Sure, it's these kinds of subtle remarks from interviewed Microsoft officials that make companies -with little knowledge- want to switch to the more "secure" XP server package in a last effort to stay one step ahead of the evil "hackers". I bet there are a hell of a lot of disclosed software flaws under XP as well, perhaps even some backdoors -against terrorism of course- within the upcoming service pack, who knows, but usually people don't understand that.
  • Re:What rubbish (Score:3, Insightful)

    by Rogerborg ( 306625 ) on Thursday June 13, 2002 @06:20AM (#3692474) Homepage
    • The X bug is very serious. It's possible to set up a web site that will cause any X based computer looking at it to crash

    "Any"? Spurious assertion. I've just viewed the test site, and didn't get a crash. Mind you, I only tried Konqueror, Eudora and lynx. Should I keep trying all of the other browsers that I have available until one manages to achieve the specified behaviour, or should I go back to worrying about my work machine (NT4, mandatory and unpatched IE5.01 & Outlook Express) getting rooted out from under me?

    You're right that we do bash Microsoft products more than they deserve. But not much more. I'd prefer if we bashed the clueless Microserfs and control freakish IT departments that tolerate and encourage this horridly vulnerable monoculture, but that's a separate debate.

  • by CaptainZapp ( 182233 ) on Thursday June 13, 2002 @06:24AM (#3692479) Homepage
    Clients keep looking at us as if we're weird outer-space creatures every time we mention Unix-based hosting and programming.

    When I was working as a consultant for a major database vendor I walked into customer sites, looked at the problems at hand and usually started to script in either Perl or shell.

    This provoked indescribable looks from (mostly) younger IT staff and questions along the lines of:

    What the hell is this? What are you doing here? Why don't you use a GUI? This was often accompanied with smirks and laughs.

    Laughing was reduced to an absolute minimum after 2 hours of scripting (including testing) and 10 minutes running the script, instead of opening a window 3000 times in order to uncheck a checkbox.

    It was usually also the very GUI-oriented shops that ran into wicked recoverability problems, since they implemented their databases with GUIs, modified their database structures with GUIs, and the last time they re-generated scripts from the physical schema was in the summer of '98 or so.

    If they had used scripts to start with and had treated those scripts like source code, they could have avoided weeks - if not months - of agony and pain. Not even to mention the costs.

  • The Killer App (Score:5, Insightful)

    by krmt ( 91422 ) <therefrmhere AT yahoo DOT com> on Thursday June 13, 2002 @06:32AM (#3692493) Homepage
    My question is, what's open-source's killer app?
    Freedom.

    That's it, pure and simple. Freedom to do what you want with your machine. Freedom from proprietary formats and the hassle of interchanging data with others. Freedom to alter the code in any way you want, or to learn from it. Freedom to participate in more substantial ways than buying and installing some product from off the shelf. Freedom to use your computer as it best suits you, not as it best suits Bill Gates or Steve Jobs.

    This might sound like fluff, but this is the reason why I gave up on Apple years ago, and it's why I've stayed with Linux ever since then. Apple has done some great things in the past few years, and I applaud them for it, but they are still not Free as in Freedom. Yes, I know about Darwin, but what about Aqua? Yes, I know about QTS Server, but what about iMovie? I'm not saying Apple should open these products or that they shouldn't make money, but simply that they're not going to make any more money from me because I will never feel safe with them after they discontinued a raft of great technology. This will not happen with Linux. Ever.

    That's the killer app for me, and I know it's the killer app for others. Microsoft and Apple will never fully offer that freedom, and as a result I can never trust them fully. They might have more innovative products, but it doesn't matter. Quickdraw GX was innovative. So was Opendoc. And the original Cocoa project (kid's programming environment that I dearly miss). Where are these projects now? Innovation doesn't matter. Just that you're there, and free stuff will always be there, whether it's GPL or BSD or whatever, so long as it's Free as in Freedom. That's a far more powerful killer app than any I've ever heard of.
  • by Anonymous Coward on Thursday June 13, 2002 @06:39AM (#3692509)
    It's insecurity. The community knows that they lose most wars they fight against commercial companies (in their collective minds, all wars are fought against Microsoft); so they do whatever it is that's needed to put a positive spin on anything detrimental to their image.

    What is this called when Microsoft does it? FUD.
    What is this called when the GNU/Linux community does it? Patriotism.

    Double standards? Of course -- this is Slashdot.
  • Re:Flawed logic (Score:4, Insightful)

    by dregs ( 24578 ) on Thursday June 13, 2002 @06:49AM (#3692533)
    The core point is how long did it take to test the fix, Many, Many Mozilla fixes cause regressions elsewhere.

    In General (i.e. not these particular problems)

    I'd bet the MS had the fix inside three days as well, it then took (At a guess)

    2 weeks for internal regression testing
    4 weeks for external large scale customer testing and feedback
    2 weeks to get the documentation, patches and everything out for wide scale deployment.

    All in all that's pretty fast.

    With Mozilla I'd say

    3 days to fix
    1 day to apply fix
    3 - 5 days to get testers to try the nightly build
    numerous days of people complaining about fix
    1 day * 3 as patch is removed
    1 day as patch is reapplied

    etc
    you get the idea
    (I have used Mozilla for the last 12 months on a daily basis, so don't think this is a Mozilla b
  • Re:Minor my Ass! (Score:3, Insightful)

    by GutBomb ( 541585 ) on Thursday June 13, 2002 @06:50AM (#3692536) Homepage
    It is minor in comparison to a hole that allows a remote attacker to have administrative access on your machine. And this is why the comparison is flawed in the first place.
  • by AstroPup ( 266218 ) on Thursday June 13, 2002 @06:52AM (#3692540) Homepage

    The exploit asks for a font that's utterly ridiculous - a 166666667 size font, give or take a few 6's. Mozilla tries to get X to display such a font. X dutifully attempts to draw at that size, which requires a tremendous amount of memory, eventually bringing the whole machine down. You could get the same result by putting a malloc or fork call in a while(1) loop.

    Big whoop. Apples and oranges. I can think of several ways I can crash or lock up my machine. The Mozilla bug is a remote exploit. It's an easy one. There would have to be a Mozilla bug that allowed someone to cause an endless fork on my machine for it to be equivalent. It's not about what you can do to your box, it's about what folks you don't want crashing your box can do.
  • Re:Status Quo (Score:4, Insightful)

    by Fruit ( 31966 ) on Thursday June 13, 2002 @07:02AM (#3692555)

    No.

    As a web browser, Mozilla should be able to withstand maliciously formatted content. It really is a bug.

  • Not me. (Score:5, Insightful)

    by Per Abrahamsen ( 1397 ) on Thursday June 13, 2002 @07:04AM (#3692558) Homepage
    Slashdot is and has always been an advocacy site, and has never pretended to be anything else.

    It presents the GNU/Linux and free software side, which is a small step towards bringing balance, as we do not have the big advertisement budgets to buy editorial goodwill, or money to order favorable reviews from "the customer is always right" analysis companies.

    What I am getting tired of is the people who whine that Slashdot is not Ars Technica [arstechnica.com] or kuro5hin [kuro5hin.org], both excellent web places with a different focus than Slashdot.

    What about the fact that we STILL don't really take advantage of gfx hardware for 2D presentation?
    What do you mean "we", white man? I have "taken advantage of" 2D gfx hardware under Unix for longer than Slashdot (or Linux) has existed.

    or the fact that fonts still look like ass?
    The fonts don't look "like ass" on my screen. I guess what you want is anti-aliasing. The free technology for that is available, it is just a question of installing it. Maybe your OS distributor has done it for you in a sufficiently recent version.
  • by Otis_INF ( 130595 ) on Thursday June 13, 2002 @07:12AM (#3692577) Homepage
    .HTR is a flawed protocol and should be avoided. No sane developer will use .HTR pages in his site on an IIS machine, since the .HTR parser is crappier than crap since day one with buffer overruns all over the place. Most sysadmins have .HTR disabled anyway, since it's of no use. When there is a bug in that parser, thus _NOT IN IIS!_ but in an extension (like mod_perl to apache), and that parser is not used by a lot of people, would you put a lot of developers on that bug? No.
  • by Per Abrahamsen ( 1397 ) on Thursday June 13, 2002 @07:19AM (#3692592) Homepage
    Most applications will attempt to allocate sufficient memory to handle the task the user assigns to them, and depend on the system to refuse the request if there is not enough memory. They then handle the refusal with varying amounts of grace. It should not crash the OS, unless the OS itself is broken.

    For example, if you feed GCC ridiculously large input, GCC will (attempt to) allocate a ridiculous amount of memory. Which is how it should be; the application should not try to second-guess the user.

    Applications that take data from untrusted sources, like web browsers, should of course make sanity checks. So the error is in Mozilla, not X11.

    Nonetheless, one can expect more from a desktop server like X11 than from more traditional applications, since if the desktop crashes all the user-visible applications will go with it. So it would be a reasonable feature for X11 to make more sanity checks on its input than other local programs do.
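The two ideas in this thread, sanity-checking sizes that arrive from untrusted content (Per Abrahamsen, Genom) and relying on the system to refuse a hopeless allocation rather than letting one process take the box down (taliver), are shown together below as an added example. This is illustrative code written for this page, not XFree86, Mozilla or any commenter's code. The function names, the square glyph bitmap, and the 64 MiB per-bitmap cap are assumptions; the resource-limit part assumes Linux with glibc, where a soft RLIMIT_AS ceiling makes the oversized mmap fail with ENOMEM so malloc returns NULL.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/resource.h>

/* Assumed policy limit (not from any real X server): no glyph bitmap over 64 MiB. */
#define MAX_BITMAP_BYTES ((uint64_t)64u << 20)

/* Unchecked path: multiply whatever the page asked for and hand it to the
 * allocator. With the 166666667-pixel font from the thread this is a request
 * for roughly 1e17 bytes on a 64-bit build; on a 32-bit size_t the value is
 * silently truncated to something small and wrong instead. */
size_t naive_bitmap_bytes(uint64_t width_px, uint64_t height_px, uint64_t bytes_per_px) {
    return (size_t)(width_px * height_px * bytes_per_px);
}

/* Checked path: overflow-safe multiplication, then an absolute cap.
 * Returns the byte count, or 0 if the request is rejected. */
size_t checked_bitmap_bytes(uint64_t w, uint64_t h, uint64_t bpp) {
    if (w == 0 || h == 0 || bpp == 0)
        return 0;
    if (h > UINT64_MAX / w)              /* w*h would overflow */
        return 0;
    uint64_t px = w * h;
    if (bpp > UINT64_MAX / px)           /* px*bpp would overflow */
        return 0;
    uint64_t bytes = px * bpp;
    if (bytes > MAX_BITMAP_BYTES)        /* arithmetic is fine, size is not */
        return 0;
    return (size_t)bytes;
}

/* Allocate a glyph bitmap only if the request passes the check.
 * Returns NULL for rejected requests and for allocator failure alike. */
void *alloc_glyph_bitmap(uint64_t w, uint64_t h, uint64_t bpp) {
    size_t n = checked_bitmap_bytes(w, h, bpp);
    return n ? calloc(1, n) : NULL;
}

/* Second layer, for the case where a check is missed: a soft RLIMIT_AS
 * ceiling on the process. Under it, malloc() of an oversized block returns
 * NULL (mmap fails with ENOMEM) instead of the machine swapping itself to
 * death. Returns 1 if the request was refused, 0 if it succeeded, -1 if the
 * limit could not be set. The caller's soft limit is restored afterwards. */
int huge_request_refused_under_limit(rlim_t limit_bytes, size_t request) {
    struct rlimit saved, rl;
    if (getrlimit(RLIMIT_AS, &saved) != 0)
        return -1;
    rl = saved;
    /* A soft limit may never exceed the hard limit, so clamp to it. */
    rl.rlim_cur = (saved.rlim_max == RLIM_INFINITY || limit_bytes < saved.rlim_max)
                  ? limit_bytes : saved.rlim_max;
    if (setrlimit(RLIMIT_AS, &rl) != 0)
        return -1;
    void *p = malloc(request);
    int refused = (p == NULL);
    free(p);
    setrlimit(RLIMIT_AS, &saved);        /* put the original limit back */
    return refused;
}

int main(void) {
    uint64_t huge = UINT64_C(166666667);  /* the font size from the Register story */
    printf("naive bytes for %llu px font: %zu\n",
           (unsigned long long)huge, naive_bitmap_bytes(huge, huge, 4));
    printf("checked bytes for same font:  %zu (0 = rejected)\n",
           checked_bitmap_bytes(huge, huge, 4));
    printf("checked bytes for 16 px font: %zu\n", checked_bitmap_bytes(16, 16, 4));
    printf("1 GiB malloc under 256 MiB RLIMIT_AS refused: %d\n",
           huge_request_refused_under_limit((rlim_t)256 << 20, (size_t)1 << 30));
    return 0;
}
```

The order of the checks in checked_bitmap_bytes matters: the overflow tests come first so that the cap comparison is done on a true product rather than a wrapped one. The RLIMIT_AS layer is what a login session or service manager would apply from outside (for example via ulimit -v before starting the X server or browser); it does not replace the input check, it limits the damage when the check is wrong.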

  • by Sycle ( 569193 ) on Thursday June 13, 2002 @07:21AM (#3692597)
    If people don't apply patches, fixes, updates and security recommendations, then Microsoft could have released a fix in 2 seconds, and it still won't do any good.

    Linux and other open source software aren't impervious to bugs being discovered either, they just respond faster - so the lesson here is simply "if you're an idiot, you can get '0wn3d' on any OS".

    Yeah it sucks that Microsoft take two months to fix an exploit, but if it only affects a service that would have been switched off already if you followed instructions, then it's not *that* big of a deal.
  • by Anonymous Coward on Thursday June 13, 2002 @07:58AM (#3692702)
    My goodness, you're an ignorant prick, aren't you? Ever consider that most people who admin IIS for a living weren't in the position to object to its introduction? Or places where they are told they are in control of such things, and submit proposals that get ignored by higher-ups?

    FWIW, my IIS box is patched. I search the MS patch areas daily looking for the hole du jour.

  • by Anonymous Coward on Thursday June 13, 2002 @08:24AM (#3692799)
    or the way that fonts in Windows are standardized and don't look like they have congenital defects?
  • Killer app? (Score:3, Insightful)

    by Dr. Evil ( 3501 ) on Thursday June 13, 2002 @08:43AM (#3692866)

    I don't think the killer app exists anymore. A killer app is an application which forces you to buy the computer and operating system in order to run it.

    Windows original killer app was Excel. It wasn't as good as 1-2-3, but it didn't have the memory issues which 1-2-3 had in the DOS environment. After that, why bother with WordPerfect, when you already have that Windows machine to run Excel, and MS Word will run better in your environment.

    Now when the "average user" wants a computer, they don't even have an application in mind. They have a list of things they want to do. Certainly you've heard this conversation before:

    • user: "I need a computer"

      tech: "what do you need a computer for"

      user: "my son/daughter needs it for school"

      tech: "what are they taking?"

      user: "computer engineering"

      tech: "shouldn't they be researching this themselves?"

      user: "They don't really know all that much about computers. They got really good marks in programming though"

      tech: (shudder) "well then just about anything will do fine. A low-end PC with Windows will be compatible with all the popular document formats out there, and will run MS Office and IE without any problems."

      user: "What about a Mac?"

      tech: "They're good, they have a strong following, but it won't be what they're using at the school, and their friends won't be able to help them with technical problems. Despite what anyone says they're more expensive too, but the hardware is technically superior."

      user: "oh, I also want them to be able to play a few games too..."

      tech: "the faster and more expensive the better, but the low end PC would be good for most games."

    When the cheapest computer is "what everyone else is using", people will buy the cheapest computer. The killer app isn't what a computer can do anymore, it is what a computer can't do. Why buy anything other than a Windows PC when a Windows PC is the cheapest and does everything?

    (Of course if the student were going into some multimedia program and asked this question to a faculty member, they would probably buy a Mac... because in that field, it is "what everyone else is using".. they might not though... mistakenly thinking that a low end PC which can run all the necessary software will perform as well as a low end Mac.)

  • Re:Status Quo (Score:4, Insightful)

    by Genom ( 3868 ) on Thursday June 13, 2002 @08:45AM (#3692878)
    As a web browser, Mozilla should be able to withstand maliciously formatted content. It really is a bug.

    Hmm...the flaw itself is in XFree, and its handling of huge fonts. Presumably the only reason a web browser is such a problem is because of the potential to attempt display of a *lot* of text at once (I would assume opening a long document in Star/OpenOffice with gigantic fonts would produce the same effect, although I haven't tested it myself...). Therefore, while it's a "nice" thing that Mozilla throws a limit in there to prevent one vector of attack, it's merely throwing a band-aid over the real problem, which should be fixed in XFree.
  • by CaseyB ( 1105 ) on Thursday June 13, 2002 @09:14AM (#3693035)
    X11 is a special app, because if it dies the screen dies and you can't interact with the system although the system might be functioning fine.

    Hardly. Hasn't everyone at some point telnetted to a *nix machine to kill and restart a hung X11 process?

  • by Orlando ( 12257 ) on Thursday June 13, 2002 @09:27AM (#3693117) Homepage
    Sadly these type of users are still in the majority.

    very true. if Microsoft wish to market a product that is supposedly easy to use and administer, it is not the user's fault for not being told to patch and upgrade constantly.

    i'd be the last person to stand up for Microsoft, but a lot of the problem is in the fact that novice users are fooled into thinking they can sysadmin without experience and training, and NOT because the software is deficient. almost any other OS you'd care to mention is vulnerable out of the box, but they are usually aimed at people who know what they are doing and patch them accordingly.

    Microsoft design and market their server OSs in a way that makes it look like any fool off the street can administer them, and in my experience that is usually the case.
  • by anandsr ( 148302 ) on Thursday June 13, 2002 @09:36AM (#3693183) Homepage
    Well not everybody has two PCs. I know that there is also a SysRq key, but not everyone knows it, and it also may not work, if not properly set.

    -anand
  • by borgboy ( 218060 ) on Thursday June 13, 2002 @09:51AM (#3693277)
    I can't comment on the height of the barrier, I can only say I know where the handholds are on the one I've climbed. Sticking with IIS gives me an advantage in my environment, but that doesn't make it the right choice in every environment. I'm GLAD there are choices.

    I'm curious though. If Apache grows and develops an easy to use GUI administration interface, does that mean that the quality of Apache admins as a whole will go down? Just because of pretty widgets?
  • Re:Flawed logic (Score:1, Insightful)

    by Anonymous Coward on Thursday June 13, 2002 @10:05AM (#3693346)
    I'd bet the MS had the fix inside three days as well, it then took (At a guess)

    2 weeks for internal regression testing
    4 weeks for external large scale customer testing and feedback
    2 weeks to get the documentation, patches and everything out for wide scale deployment.

    • If Microsoft does that much careful testing on main (non-patch) code, how do so many stupid bugs appear in the first place?
    • Look at the numerous reports of bad patches. Why is this happening if patches are tested so carefully?
  • by WildBeast ( 189336 ) on Thursday June 13, 2002 @12:09PM (#3694387) Journal
    True, and I believe that this is better. But if I had to take a business decision with my software, I would enable everything by default and give them the option to disable it. Why? From my experience, average users couldn't care less about security or privacy, they want all the features enabled by default even if they probably won't be using it. Crazy but true. Look at PGP as an example.

    Good admins shouldn't have any problems with either Apache or IIS.
  • by malfunct ( 120790 ) on Thursday June 13, 2002 @04:25PM (#3696573) Homepage
    I'm not going to argue which method of development is faster here. I'm rather perturbed that this is being presented as an argument that open source is faster at fixing bugs.

    It makes no sense to compare fix time on a bug that requires adding a limit to font size (probably affects a few thousand lines of code that can be fixed by search and replace at worst) to a security exploit that needs to be fixed without killing the functionality for those that need it (because if that was ok the exploit was ALREADY fixed by the lockdown tool turning off the feature).

    In the end the comparison is like comparing changing the tires to changing the ignition lock and saying one mechanic is faster than the other. If you are going to try to argue that open source reacts faster (which it doesn't necessarily by any means) at least use a valid argument please.

  • by Anonymous Coward on Friday June 14, 2002 @09:48AM (#3700561)
    Freedom is the killer app. But who has enough skill to use that freedom? As of currently, only the few computer owners who care about having complete control over their system and who understand tech-talk enough to manage it themselves (and the few MS haters of course).

    The general market for computers couldn't care less about coding their own features, or fixing issues themselves, or recompiling binaries when a patch comes along... Sure *nix is geared for the tech-savvy - but its downfall is that lack of consumer friendliness that would give it appeal to the public. When it comes to servers and admin level users, it very well may be the OS of choice. But until it embraces the 'ease of use' that Windows has cleverly grasped over the years of its public reign, or has the software support and stability that Windows has, it won't be the best overall OS. Each OS on the market has its own weaknesses and strengths. *nix is destined to remain a tech-user's dream unless things change.

    It has so much potential, but it has to get away from the source code oriented system, and leave that as an easily accessible option for those who do care.
