Microsoft's Urgent Patch Precedes Black Hat Session 232
Julie188 writes "Mystery solved! Microsoft's latest emergency out-of-band patch was weird beyond belief. A notice was sent to journalists and researchers late Friday evening that the patch was coming Tuesday, but Microsoft refused to explain the flaw and even put a cone of silence around researchers who would have otherwise talked about it. But finally, one researcher broke ranks and explained that the patch was caused by a flaw introduced in Microsoft's own development tools. This flaw was also the source of the emergency ActiveX patch, which took about 18 months to complete and which supposedly fixed the problem by turning off ActiveX (setting a 'killbit' on the control). Researchers at Black Hat on Wednesday will be demonstrating how to override the killbit controls and get access to vulnerabilities supposedly stopped with a killbit. What's really scary is that Microsoft has issued 175 killbits fixes so far."
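The summary mentions that Microsoft neutralises vulnerable ActiveX controls by setting a "killbit". As an added example (not part of the Slashdot submission or of any Microsoft tool), the following PowerShell audit reads the documented kill-bit flag (0x400 in the "Compatibility Flags" DWORD under the ActiveX Compatibility registry key) so an administrator can check which CLSIDs are blocked on a given machine and confirm a kill bit has not been quietly cleared. Function names are my own; on 64-bit Windows the Wow6432Node mirror of the key should be checked as well.

```powershell
# Added example: audit Internet Explorer ActiveX kill bits on the local machine.
# Kill bit = 0x400 in the "Compatibility Flags" DWORD under the per-CLSID key.
$KillBitFlag = 0x400
$CompatKey   = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'

function Get-KillBitStatus {
    # Report whether a single control (by CLSID, braces included) is kill-bitted.
    param([Parameter(Mandatory)][string]$Clsid)
    $path = Join-Path $CompatKey $Clsid
    if (-not (Test-Path $path)) {
        return [pscustomobject]@{ Clsid = $Clsid; Flags = $null; KillBit = $false }
    }
    $flags = (Get-ItemProperty -Path $path -Name 'Compatibility Flags' `
              -ErrorAction SilentlyContinue).'Compatibility Flags'
    [pscustomobject]@{
        Clsid   = $Clsid
        Flags   = $flags
        KillBit = [bool]($flags -band $KillBitFlag)   # $null -band 0x400 is 0, i.e. not set
    }
}

function Get-AllKillBits {
    # Enumerate every CLSID under the compatibility key and keep the kill-bitted ones.
    Get-ChildItem -Path $CompatKey | ForEach-Object {
        Get-KillBitStatus -Clsid $_.PSChildName
    } | Where-Object { $_.KillBit }
}

# Usage: list all blocked controls, then count them for comparison with the
# number of kill bits a vendor says it has shipped.
$blocked = Get-AllKillBits
$blocked | Format-Table Clsid, Flags -AutoSize
"Kill-bitted controls: $(($blocked | Measure-Object).Count)"
```

A useful defensive follow-up is to snapshot the output of Get-AllKillBits after patching and diff it periodically: a CLSID dropping off the list without a corresponding update is exactly the kind of tampering the Black Hat session in the summary is about.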
Cone of Silence? (Score:5, Funny)
Microsoft refused to explain the flaw and even put a cone of silence around researchers
Those suck. My dog had to wear one of them for a week. Didn't shut him up but it sure stopped him from licking what used to be his balls.
It took 18 months... (Score:2, Funny)
Killbits, Killbill ... (Score:2, Funny)
Re:sensationalist much? (Score:4, Funny)
yes activex sucks, anyone who doesn't know this already has rocks in their head, but calling a patch "weird beyond belief"? MS gets wind of security hole that might be really bad, patches it urgently.
Not only that but they patch it urgently for the 175th time. If that isn't urgent I don't know what is.
I don't know of any other OS company that's that focused on security that it patches the same kind of thing that many times: "We have to make sure, the security of our users is important to us!"
Now that's dedication!
Re:Cone of Silence? (Score:1, Funny)
Microsoft refused to explain the flaw and even put a cone of silence around researchers
Those suck. My dog had to wear one of them for a week. Didn't shut him up but it sure stopped him from licking what used to be his balls.
Do researchers lick their balls?
Re:The real mystery (Score:5, Funny)
I've always been baffled by Microsoft marketing's insistence that ActiveX is pronounced "active" with the "X" silent. I've never met anyone who didn't pronounce the technology "Active-X".
Considering all the exploits it's made possible, I call it hActive-X.
Re:Standard Operating Procedure (Score:3, Funny)
*Haxx0r ur world con 2009*
Today I will demonstrate on this stage a vulnerability that MS have known about for a year! I will show off an attack that will give me control of any system!
*opens IE and visits the site with his exploit*
*nothing happens*
*becomes aware of the sound of crickets and 2000 people in the audience*
How many kb is that? (Score:3, Funny)
Microsoft has issued 175 killbits fixes so far.
So, how many kilobytes of killbits is that?
Re:sensationalist much? (Score:4, Funny)
Sure, it's easy to disable killbits if you have the ability to run code on a Windows system. But if you've already reached the point of running arbitrary code on a Windows system, why would you go through the trouble of disabling a kill bit and then hope that the ActiveX control gets exploited so that you can... run code on a Windows system? Think about it.
Re:Imagine. (Score:3, Funny)
> a dime since then for OS updates. i.e. Cheap.
Alright, I am now officially tired of this "whose upgrades are cheaper" argument between the Mac and Windows folks, so listen up:
I got a CheapBytes Debian CD in 1998, and updates are always free. That makes my total cost something like six bucks, including shipping, in eleven and a half years, which averages out to fifty-some cents per year.
So everyone who spends more than a dollar a year on software can just SHUT UP about how cheap their option is, okay?