Microsoft Discloses Security Flaws in XP and WMPlayer 295
An anonymous reader writes: "Salon is running a story on Microsoft's disclosure of a number of security flaws in WinXP and Windows Media Player, versions 6.4 and 7.1. The story also states that there are 2 critical vulnerabilities in Commerce Server 2000. Will I ever get the bang for my MS buck?"
Get them from... (Score:5, Informative)
After seeing holes in OpenBSD and Apache recently, I guess it's Microsoft's turn again. ;)
Re:Get them from... (Score:3, Flamebait)
After seeing holes in OpenBSD and Apache recently,
oh come on, the apache vulnerabilities were embarrasing, but that does not make all the vulnerabilities of IIS alright. And according to the new strategy of MS you are going to pay a subscription fee to MS to get updates. Apache updates are going to remain free.
I guess it's Microsoft's turn again.
Microsofts turn at what? They still don't have the most widely used web server. They still do not patch as fast as the free alternatives are patched. We still cannot see the source since that would pressent a threat to national security.
Re:Get them from... (Score:2)
Our courts are flawless. And Microsoft has a Monopoly.
That's why nobody can use Apache or Linux.
Or better yet.... (Score:2)
Re:Or better yet.... (Score:2)
Actually, Critical Update Notification has been superseded by Automatic Updates. Instead of telling you that you need to go download some updates, it'll download them and tell you that they need to be installed.
(Of course, to add Automatic Updates, you need to have checked the Windows Update site sometime in the past month or two. The luser who's been running unpatched Win98 for the past four years isn't too likely to have done that.)
Yet more unwarranted MS bashing (Score:2, Informative)
Every Operating System and application has bugs. If there were security bugs in Linux or Freeamp, would it warrant front page news?
Not wishing to be Flamebaity at all. MS have a lot of things severely wrong with them. For once they've dealt with an issue in timely fashion. This is not the Anti-MS rhetoric you're looking for.
Re:Yet more unwarranted MS bashing (Score:5, Insightful)
Yes. If there were a security bug in Linux, Mozilla, XMMS, FreeAmp, etc, that allowed your computer to be compromised, it would warrant front page news on Slashdot.
Or was that supposed to be one of those rhetorical questions?
Re:Yet more unwarranted MS bashing (Score:5, Insightful)
"Security focus has a post on a huge venurability in all versions of OpenSSH from 2.9.9 to 3.3. Just another example of you getting crap for paying nothing."
I think the poster's intent was to remind everyone that MS is not the only company that has security problems and that they did deal with the issues already.
Re:Yet more unwarranted MS bashing (Score:5, Insightful)
If the openSSH people were running at 1 critical bug/two weeks this is exactly what you would read.
Re:Yet more unwarranted MS bashing (Score:2)
You're right. There WOULD be a news article on Slashdot about a bug if it were in a piece open source software. However, Slashdot's news articles about bugs in open source software usually include a link to the patch for the program if it has already been released. But in this case, like all the others, Slashdot refuses to even acknowledge the patch for Microsoft product, let alone provide a link to it, so that they can infer that it hasn't been patched.
Re:Yet more unwarranted MS bashing (Score:3, Funny)
Heh.
Re:Yet more unwarranted MS bashing (Score:2)
I wish. Then I could just patch them and be done with it.
I could go on for hours with examples of major issues that Slashdot has refused to publish
You "could" but you don't.
Re:Yet more unwarranted MS bashing (Score:3, Insightful)
Then when is IRSSI the fault of Linux developers?
Look at how fast major server products (OpenSSH, Apache, etc) get patched after exploits are discovered. Then look at how long it takes MS. And how MS delays (UPnP) around critical sales times like christmas.
There's no way you can say with a straight face that MS has a decent security record compared to open source projects like Linux, Apache, etc. (Hell, they barely have a decent security record compared to Sun, etc.)
Install the latest Mandrake with enough aps to replicate the functionality of Win2k Server. Now tell me how often you have to patch it to avoid remote exploits. How often during the same time does Win2k Server have to get patched?
Of course, IRSSI doesn't count here, any more than you can count mIRC against Win2k.
Re:Yet more unwarranted MS bashing (Score:2, Insightful)
(1) MS Windows comes with virtually all PCs.
(2) The ammount of security holes alone found in Windows in a given week FAR, FAR outweighs those found in any other OS that I can think of.
Given that we've all had to have Windows shoved down our throats at some point in our lives, don't you think that knowing exactly how it's fucked up this week might just be a plus?
Same reason I wanna know about a security flaw in Linux. So it can be fixed.. for every 1 hole in Linux though, there are like 50 in Windows, so it's a bit more important to fix the Windows ones, that is if you don't say fuck it and delete the POS first.
Re:Yet more unwarranted MS bashing (Score:2, Insightful)
Don't ever, ever think that any operating system has less bugs than the other. That is a dangerous belief that is going to reach up and grab you. All of these operating systems are written by human beings.
Microsoft wrote XP to a certain point (like Linux did with 2.4.0), and then released it. After that point, they would have to continiously send out updates to fix bugs and do updates. And everyone on
However, in that same time frame, The 2.4 tree in linux has gone through 19 revisions, with many critical bug fixes! This proves that Linux has just as many bugs as Microsoft.
The difference is that Linux is open about their problems - and they make an effort to keep the public informed. If a critical problem is found, the code is changed (almost immediately).
Microsoft hides their bugs. So for them to come out and announce bugs (and patches) before the bugs become newsworthy issues is a step in the right direction.
Re:Yet more unwarranted MS bashing (Score:3, Interesting)
Microsoft hides their bugs. So for them to come out and announce bugs (and patches) before the bugs become newsworthy issues is a step in the right direction. "
I see the problem a little differently. A lot of the vulnerabilities that have been mentioned in Windows are really features that MS implemented that people have found a way to exploit. The Melissa virus comes to mind.
So what'll happen is MS will add new features, and then somebody'll find a way to be a nuisance with them. Unfortunately, what'll happen is that the resolution to the problem isn't so clear. "Do we take out the feature, or do we put a rule in it and wait for somebody to find a loophole?"
Anybody used Office XP? (heh yah right, sorry) One of my coworkers is using Outlook XP. One of his coworkers tried to send him an
I can't help but think that MS just got tired of people being hit with it and just removed it all together.
Just to be clear: I'm not arguing with you, just presenting another angle to the story. It's a big tangled mess. Windows has bugs, vulnerabilities, and features that can be used against you. I hope the Linux community is paying attention to this. I have a feeling they could develop a solution that allows the interesting features without allowing kiddie scripters to exploit them.
Re:Yet more unwarranted MS bashing (Score:2)
Re:Yet more unwarranted MS bashing (Score:2)
Intriguing.
Bugs cause Microsoft?
Somebody other than Microsoft is putting the bugs in?
Correlation does not imply lack of causality.
Re:Yet more unwarranted MS bashing (Score:3, Funny)
Perhaps that is why this is news? eg. Man bites Dog, MS Fixes Security Flaw in Time?
Re:Yet more unwarranted MS bashing (Score:4, Insightful)
Stop being paranoid about alleged M$ bashing.
You get what you pay for? (Score:5, Insightful)
Given the revenue stream of say Win-XP compared to that of commercial Linux distributions, I am very surprised that MS still makes code with so many holes. If XP ius too big for MS to manage the development and support, then they should simplify it.
Re:You get what you pay for? (Score:2)
You are right that Windows is a typical commercial package. However unlike almost any other purchase, you are bound to the vendor for corrections. This happened before MS existed (IBM were as bad over mainframe operating systems).
With open source, it doesn't mean that it has any fewer bugs, but at least I, and a number like me can go kick the tires and look under the hood.
You haven't been able to couple my statements with the question that I pose. Yes, I have no expectation of quality from a commercial vendor like Microsoft, no matter what I have paid. I can't even fix it either. There are plenty of bugs in open source software as well, but at least I or more likely, others, have a chance to fix them.
Re:You get what you pay for? (Score:2)
Re:You get what you pay for? (Score:2)
I don't have anything personal against Mr Gates or Microsoft. However unlike Mr Ford who created and sold the affordable Model-T, Gates's crew has a philosphy that only they should be permitted to fix anything.
Re:Yet more unwarranted MS bashing (Score:5, Interesting)
has anyone else experienced this?
Re:Yet more unwarranted MS bashing (Score:2)
> one of my XP-running friends went through this
> upgrade.. It compleatly trashed all his funky
> video codecs.. He currently cant watch about
> 2/3rds of the stuff hes downloaded. Most of them
> being independant music videos.
Well, if the patch is the same one mentioned on ZDNet (http://zdnet.com.com/2100-1104-940063.html), then one of the "bugs" has to do with Digital Rights Management. It may be that your friend wasn't "supposed" to be able to watch those videos before, and Microsoft "fixed" it.
If your friend would check their EULAs (end user license agreements) for MSN (if they have it) and XP, they would find that Microsoft can also download stuff that might affect their ability to use their downloads automatically whenever they are on MSN, or whenever they download secured content whose manufacturer has notified Microsoft that their DRM needs an update to handle some new problem or hack. If these updates keep people from viewing their content, Microsoft basically says "tough".
Me thinks your friend might want to consider a new player, if not a new OS.
"They bind our hearts: 'Let's sell them again and again!'
Our plan understands the sea; we can wait for her coming."
From the song "Infant Girl" in the Japanese version of Mothra (1961).
Re:Yet more unwarranted MS bashing (Score:2)
Cue Microsofties, stage left (Score:1, Interesting)
OpenXP (Score:2, Funny)
Be persistent (Score:2, Insightful)
If they don't treat you right the first time, buy buy again.
Re:Be persistent (Score:2)
You can fool some of the people all of the time.
Link (Score:3, Informative)
Would it have killed ya to post this as well Timmy? =P
Bang! (Score:1, Funny)
Bang! (Score:1)
alright. No boom? No boom _today_, boom tomorrow, there's always a boom tomorrow.
--Matt
PS: I suppose one could also be banged by their lawyers.
Re:Bang! (Score:5, Funny)
Poor Salon (Score:2, Funny)
Bang for the buck (Score:1)
You're getting plenty of bangs and you still complain???
Were is journalistic integrity nowadays
If only.... (Score:4, Insightful)
Re:If only.... (Score:2, Insightful)
Re:If only.... (Score:2)
Especially if you own the software, like I did with Diablo 2, before I sold it.
With something you didn't pay for, Quicktime for instance, you're on shaky ground perhaps.
Yellow Sticky Script (Score:3, Informative)
I have no idea if that can be done in windows. I know that it can be done with most, if not all, Linux desktop enviroments.
Linux on the desktop does not need to be "difficult". Linux remains the better option over Windows, you just have to get over being lazy. The bad news is you have to learn something new. The good news is you're gonna learn something new, and it's going to work.
So what if your friends mom can't/won't write scritps to automate her computing tasks. You do it for her for a fee (even if it's just chocolate chip cookies). You set up a Linux desktop for her once. Give her one button access to the things she wants to do and she'll be out of your hair. She damn sure won't be calling you to come fix her computer because of the daily BSOD.
Re:Yellow Sticky Script (Score:2)
I'm not getting rich, but I am gaining some weight.
It's not so bad really. You would be suprised at how many people have computers just to do email or surf the web and dont do anything else with them.
Re:Yellow Sticky Script (Score:2)
I love calls like "How do I do X" and "How do I view this file I downloaded" because those are the kinds of questions asked by interested people who want to learn. They pay, I teach, they learn, we're all happy.
Re:If only.... (Score:2)
You also see similar double standards with Windows freeware (e.g. MSIE) being considered good, because they don't cost anything. But open source is "bad", because it's free...
Is it safe? (Score:5, Funny)
Customer: Hello..? uh... hello...? I want ta get a copy of Windows XP. Is anybody here?
CLERK, unseen: Is it safe?
Customer: Is what safe?
Clerk: Is it safe?
Customer, preturbed: Yes... It's safe. It's very safe...
Clerk: Is it safe?
Customer: Lissen! Are you going to come out, or what?
Clerk: Is it safe?
Customer: THIS ISN'T FUNNY!
Clerk 2: It puts the lotion on its skin and puts it in the basket.
Clerk: Shut up man. Is it safe? Is it safe? IS IT SAFE?
Customer: STOP IT! I JUST WANT A COPY OF WINDOWS XP! (Customer breaks down to the floor, sobbing) I just want a copy of XP...
Clerk: Is it safe?
Customer screams and runs out of the store, climbs into his car, which immediatley spins out and slams into a fire hydrant. The car bursts into flame. The customer bails from the car and runs down the darkened, abandoned street. He gets a half dozen steps from the car, and then he, illogically and without reason, bursts into flame himself.
Clerk 1: Thirty seconds, You owe me five bucks.
Clerk 2: I don't have five bucks.
Clerk 1: Take it from the register.
On-topic discussion part.
THEY TOLD ME IT WAS SAFE! I TRUSTED YOU MICROSOFT! I TRUSTED YOOOOOOOOOOOOOOU! YOU BLEW IT UP, YOU MANIACS YOU BLEW IT UP!
"PokeySteve, are you drunk?"
"Yes, but on love.
And whisky.
But mainly whisky."
At last an end to these senseless free patches... (Score:3, Funny)
Better update options? (Score:3, Interesting)
When it comes to software like the media player, this is much more serious. This goes into much more than just one single OS. I run Win95, Win98 and Win2000, and all these may be affected. On top of that the media player keep posting me to update the software. Wouldn't it be nice if the system gave me the option to update to the most stable and secure version or the latest version? You might think I have that option, as I may choose not to download the latest, but make my way through the download jungle to find an earlier version. But this jungle is impossible to move through for ordinary people.
I understand that Microsoft wait with disclosure of the bug until they have a patch. This is often criticized, but in some cases it make sense.
Re:Better update options? (Score:2)
It isn't opening any ports. Or at least I don't think it does. Err, ummm, I mean I sure hope it doesn't open any ports.
As for executing code inside the media files, that isn't any stupider than running a macro the instant you open a text file or running a script the instant you open an E-mail. They all add features and enhance the user experience. Microsoft is just being innovative by enabling data to become as active and flexible as code. One of my favorite features is how some video files will conviently pop open one or more browser windows to a related website.
P.S.
Hint for anyone sarcasm impaired: consider the possibility that "enhance the user experience" might just mean that I agree with you.
-
Security is MS's big weakness so why... (Score:4, Insightful)
However, the fact that it isn't makes me think that the vendors aren't entirely confident with the Linux security offer.
Perhaps it's too technical - there are plenty of security patches for GNU/GPL/Linux - I use that title advisedly, as they are rarely in the kernel (at least one a week AFAICS) - but they are generally on a faster turnaround than MS. But it's still not brilliant....hmmmm. Must think about this some more.
Danger Danger Danger (Score:3, Interesting)
*Exactly*.
In a world where we cannot convince people that MHz don't matter, and people believe that security is a product, attempting to convince them of the security issues with MS will prove fruitless.
MS will just release statistics and compare their OS with the number of security holes found in OS + Applications and people will believe it to show that Linux is less secure. They will turn up their marketing engines and hype that Open Source means Lower Security and people will believe it.
True Story: I was attempting to convince a certified MS XP technician that MS didn't understand security. Keep in mind this is someone deep within the ranks of the Microsoft Heresy (like the Cainite Heresy, but more Hideously Evil(TM)).
I cited Scheiner, cDc, L0pht, and a half-a-dozen others. I talked about how open source was a good thing, the reply I got back can be summarized:
1) Security is a product ("A firewall will make you secure")
2) He thought the only reason you would want to secure your system was to keep people from browsing the pr0n there (and seeing the other files).
3) The threat level is minimal--no one would want to break into *your* system.
4) Believing that security was a real issue was like believing everything anyone told you (down to "three headed big foots in Utah").
Of course this is absolutely absurd, but thats what he believed. While you may not be able to sell the general public on all of that, it gives an impression on how MS treats security and how their marketing department would convince their users to treat it.
Sad, but true.
Re:Security is MS's big weakness so why... (Score:2)
microsoft bugs and linux bugs (Score:2)
bang for MS buck? (Score:2, Funny)
Umm...I think you've just been banged for your MS buck. :)
Bang for Buck (Score:2, Funny)
I don't know about you, but I've paid $0 in my lifetime for MS software, so you could say I've gotten at least my share of bang. But I wouldn't say that. I'd say that MS owes me for forcing their way into an OS monopoly, therefore forcing me to use their Piece of Crap in order to use lots of apps I want to use (ie, games).
Love and kisses,
Jeff
Anyone read Cringley's Pulpit this week? (Score:5, Interesting)
Why... (Score:2)
Why do you, whoever you happen to be, stand for this?
The only way this can truly change is through market intervention: legal solutions will be iffy and likely do more harm than good; internal forces certainly won't cut it; and petitioning is useless.
Support Apple, Support Linux, Support OpenBSD, but don't support Microsoft!
Technical Details (Score:5, Informative)
Not trying to whore for karma; just thought someone would be interested.
Oh please... (Score:5, Funny)
Oh please, when was the last time you actually bought a microsoft product?
Re:Oh please... (Score:2)
Last time for me was when I found (in 2000) that I simply couldn't buy a laptop in the UK without a Microsoft OS (and other preloaded software). Funnily enough, even though I replaced it with a Linux distro, I'm still waiting for my refund [slashdot.org].
Tell you what, when I receive the money, I'll buy a legit license key for the copy of XP on my (gaming) desktop. Fair enough?
Re:Oh please... (Score:2)
Oh, about five years ago.
Re:Oh please... (Score:2)
What, you mean software? Why would I want to use a Microsoft software product?
Re:Oh please... (Score:2)
Of course then people would point out that since they in fact bought it at fries they did not pay microsoft directly.
But its not thursday today... (Score:2)
Apache & OpenSSH (Score:2)
Trojan End User License Agreement (Score:5, Interesting)
Digital Rights Management (Security). You agree that in order to protect the integrity of content and software protected by digital rights management ("Secure Content"), Microsoft may provide security related updates to the OS Components that will be automatically downloaded onto your computer. These security related updates may disable your ability to copy and/or play Secure Content and use other software on your computer. If we provide such a security update, we will use reasonable efforts to post notices on a web site explaining the update.
Security update? Who's security are they protecting? There is no option to uninstall media player. Your choices (if you wish to continue using Windows) areA: Leave your system open to bugs that give system level access to the next worm (imagine nimda with a malicious /default.htm)
B: Bite the bullet and install the patches. But if Microsoft releases an update that silently and without notification installs itself and 'disable(s) your ability to ... use other software', you're SOL. But hey, it's ok. Don't you know Microsoft is supporting 'Trustworthy Computing'?
Re:Trojan End User License Agreement (Score:2)
Did you read what it said? (Score:3, Interesting)
Look at that EULA again:
These security related updates may disable your ability to copy and/or play Secure Content and use other software on your computer.
WinAmp is one of those "other software on your computer" which may be disabled. Duh.
Essentially, this is a backfit of their XP license [slashdot.org] and DRM technology for the 60% of WinSlaves that are using Win98.
Given that Windows Security is an oxmoron, there's no reason to "upgrade" your computer this way. Outlook, IE or some stupid piece of junk like a plug and play deamon that you never knew listened to the network will eat you anyway.
If you just must have M$ in your house, blind it to the network by NOT installing the network card drivers or pointing it to a bogus gateway IP number. Never use it to surf, read email or anything else that M$ will never do right. I admit that I have such a beast in the corner for talking to cameras and an old scanner. It's legal and I own it. But I'll never ever trust it. Red Hat's dual boot (GRUB) let's me get the information off of it.
Re:Trojan End User License Agreement (Score:3, Interesting)
Legally, this means "I agree to allow Microsoft to make updates, that will be automatically downloaded, and that may break any non-Microsoft software for any reason, or for no reason". There's absolutely no limitation on the 'disable your ability to ... use other software' clause. 'And' applies the 'disable' part to the 'other software' part, nowhere is 'other software' defined. Also note it's up to Microsoft what they consider 'reasonable efforts'!
They're getting to be sneakier than the music industry contract lawyers. That is rather disturbing...
Simple Answer (Score:2)
No
Trying to force DRM? (Score:5, Insightful)
What's the bug?
DRM doesn't work... turns out you can hear copyrighted MP3s. This is a big security vulnerability and you mush download this patch, otherwise the finanical security of the RIAA will be at stake, and that's unamerican.
[Note: This is intended as a joke and as food for thought. This is not fact.]
Re:Trying to force DRM? (Score:2)
If it's a joke, I'm not laughing [slashdot.org]
Re:Trying to force DRM? (Score:2)
No, DRM patches are more important than critical updates. Microsoft demands the right fo ram them down your throat weather you want them or not...
"You agree that in order to protect the integrity of content and software protected by digital rights management ("Secure Content"), Microsoft may provide security related updates to the OS Components that will be automatically downloaded onto your computer."
-
Windows update: patched and go. (Score:3, Informative)
People can whine all they want about that there are security flaws and ofcourse it's sad these still pop up, but the patches are there, the system to install them is VERY easy (just click one single button) so in the end, the end-user is not that much hurt by them, simply because the patches are installed so easily.
The discussions about 'security flaw free' software are endless and allthough they should be held, are nowhere near consensus: as long as there are humans involved in hammering out code and as long as the computer/software based checkinglogic is not up to par as where it should be, these flaws WILL be there, possibly in every tool written by man. Until computer science reaches the point where a compiler can proof that software is security flaw free, we should be grateful that the FIXES for security flaws are installed using the most easiest way: by simply clicking one single button.
Re:Windows update: patched and go. (Score:2)
No. That is their responsibility.
On my redhat servers I do not have to click anything or reboot for updates. I just read my email to see what was done. I believe that you need to go reboot your servers now?
Re:Windows update: patched and go. (Score:2)
I was making two other points.
1.) Don't be thankful, for what is owed you. Most patches are trying to make what you actually purchased look something like what you thought you purchased.
2.) You still have to go to your data center at the hours of the undead to reboot your servers and hope that all comes back online.
I really dislike having to pay overtime, or giving "Flex time" to my employees every weekend. in order that we can apply our corporate approved patches and reboot. I really dread Monday morning.
What if you're not online? (Score:2, Interesting)
Maybe vendors should have to release these updates on CD as well.
NOTE: I'm not focusing on MS here, other vendors should be asked to do the same.
Just got this in my inbox? (Score:4, Interesting)
nice new trojan on everyone's box that their av software doesn't detect. if
these morons were serious about security, they'd use ssh, not http, for
updates (and let you turn off html rendering in your email client).
Didn't think it'd be moded that much. (Score:2)
So I better give him the credit.
the communists have built up a huge arsenal (Score:2)
I know what BSA fears most,
It's the possibility that the communists have built up a huge arsenal of
keygens (before thecrack.net went down a couple of weeks ago.) and they
are planning to release a worm that generates everyone a new random
license, making it impossible to tell which software is pirated and which
is not. This will of course be the end on the BSA, probably through the
madness of running round in circles if nothing else.
But don't tell them I know these things, or I might gave a knock on the
door tomorrow asking why I have no licence for my Linux boxen.
So who actually read the technical right up: (Score:4, Informative)
From http://www.microsoft.com/technet/treeview/default
Re:So who actually read the technical right up: (Score:2, Insightful)
That's the problem. You have to use IE. It's what Windows Media Player uses to draw its window. It's integrated in the operating system, remember?
Re:So who actually read the technical right up: (Score:2)
Web browsing is interpreting of content. That should be in user space. Perhaps it should be a part of every OS install, but that's a lot different than the networking code which fetches the content.
The OS really shouldn't do much, it should just provide services to the other components.
Remember how everyone gave MS hell for Win95, saying it was still a DOS app? Well, people were somewhat wrong to do so. Win95 sucked in that it was limited by the same things a MS-DOS, but it shouldn't have been an OS. It should have just been an integrated desktop environment running on top of the real OS. Anything else is hideous to debug and very unsafe.
Re:So who actually read the technical write up: (Score:2)
Geez... (Score:2, Funny)
Will I ever get the bang for my MS buck?
Timothy, you do every day. What would /. be without the daily "M$ sucks! Lets all post about how horrible M$ is!" story to increase those page loads?
Why, /. might actually have to talk about things of interest to geeks!
Given M$ history with backward data compatibility (Score:5, Insightful)
Its the ultimate in Big Brother technology. The eradication of memory or of access to memory.
Ever seen people with disorders of the hipo-thalamus? They can't form short term memories. Their lives are hard and extremely confusing since the world is a new mystery every damn day. They are extremely vulnerable to being scammed from one minute to the next.
Whoever proposed this inside of M$ is an absolute diabolical monster. A human being (given the events of the last two centuries and the incredible slaughter perpetrated on each other, that is NOT a compliment,) with delusions of god-hood. One that looks bad even compared with the most the megalomaniacal tyrant to slaughter people in order to change their minds about something.
At least when you kill people, you're show for the sub-simian scum you are and/but your victims a're well and truly safe from further predation.
But this deliberate creation of the potential for maiming of the aggregate memory of an entire culture makes the death camps is so utterly base, so vile, so despicable, so
And M$ will find enough "Judas Goats," enough imbeciles to plunge mankind into a second dark ages. Would that the road to the coming Hell was not paved with moot intentions and banal disregard.
Slavering drooling monsters and utter despicable despots, we can overthrow. But our doom will come in the form of some utterly reasonable man in a suit who's just doing his job.
There are a hundred million graves prematurely filled by the victims of some utterly reasonable men in some (uni)form of suit, who's just doing his job.
The ultimate triumph of Voltaire's bastards will be even more thorough and degrading than the patrician nightmare of the religious maniacs who merely preach evil and bring subjugation and death.
You should have already (Score:2)
Just remember, YOU'RE the bang-ee.
Re:Something troubles me... (Score:2)
Additionally it's GL spectrum analyser has frozen my system on occasions.
I don't think XMMS has had any remotely activatable flaws though.
Re:Something troubles me... (Score:2)
Additionally it's GL spectrum analyser has frozen my system on occasions.
GL SA frozed yer system only because your OGL implementation is written out of someones ass. GL SA doesn't run as root, OGL implementation (parts) are. So go and blame someone else.
And yes, I know what I'm talking about, I wrote an XMMS visual plugin myself, it has never been able to freeze my system, It uses SDL, which is sane.
Re:Something troubles me... (Score:2)
Re:Something troubles me... (Score:5, Insightful)
Why on earth would there be a bug in OpenSSH/Sendmail/Apache/BitchX that allows uncontrolled access to the system. What we have here folks is a very good example of a troll posting before it thinks, going with the crowd in its 'M$ sucks! Linux rules! Muahahha' mindset.
Software has bugs. Sometimes exploitation of those bugs, if they're severe enough, can allow an attacker to run code on the target system. This is not a flaw unique to Windows.
Please, think before you post.
Re:Something troubles me... (Score:2)
OpenBSD has bugs.
Microsoft Windows has bugs.
One remote hole in the default install, in nearly 6 years.
Exploit of the week, with things like gopher holes never closed.
Re:Something troubles me... (Score:4, Informative)
The bug is really only a technical one. In practice, it's really like that "Perrun" hoax virus, in that it requires a huge amount of setup and complete access to the system in order to gain... well, to gain complete access to the system, which an attack would already need in order to use this bug maliciously. Basically, Windows Media Player can remotely open up the system if the attacker has found a way to get a malicious executable file into IE's cache and then convinces their victim to go to a maliciously constructed website that they've setup. When the victim goes to the maliciously constructed website, Windows Media Player could then give out information that could be used to get into the system through the IE cache.
The problem lies in the specific executable file that has to be placed into the cache. In order to get the executable file into the cache, the attacker would have to have full access to the machine or trick the user into accepting it and running it. But if they could get the user to do that, they would have full control of the system anyway, just like they would if the victim was running any OS other than Windows.
So really, it's just a small, stupid bug that's being blown out of proportion. It can't do anything other than redundantly take over a computer after it has already been taken over in a different way.
Re:Something troubles me... (Score:2)
A bug always seems small and stupid until someone finds a way to easily exploit it. The recent Apache bug is a great example. At first announced as unexploitable on non-Windows 32 bit systems, some freak had a ready-to-run root exploit for it in less than 3 days. The process of locating a security issue and the subsequent process of developing an exploit for it are two different processes and two different disciplines.
maru
Re:Something troubles me... (Score:3, Informative)
Not a problem. The system will dump ANYTHING it is given into the cache. Take a virus.exe file and rename it to banner.jpg or something. The browser drops it in the cache with a randomized the name and sub-folder. Since it's not actually a jpg or whatever it may be silently ignored. If an attacker can discover the randomized name and location in the cache he can tell the OS to run it as an EXE. It isn't simple, but all the required steps HAVE been worked out and are available on the net.
So no, this is not "a small, stupid bug that's being blown out of proportion".
-
Re:Something troubles me... (Score:4, Informative)
> Why on earth would there be a bug in Media player
> that allows uncontrolled access to the system.
> What we have here folks is a very good example of
> what a horribly designed OS Windows is...
XP isn't Palladium (yet), but it is a/the DRM OS. Microsoft's Media player is like a trap door that leads down to the core of the system. In the center of the OS, behind that trapdoor, sits a huge spider called DRM. Every file loaded, whether a document or media file, an application, or a driver, has to pass DRM's inspection. DRM checks to see that those documents and media files are legally licensed, and those drivers and applications are approved by Microsoft (don't want any of that cancerous GNU goop around). Anything that smells even slightly fishy to DRM gets pounced on and eaten. Anything that passes muster, gets passed on to the OS and applications for use.
In unix-speak, that DRM spider would be the god of root, able to tell even root what they can and cannot do. If you try to work around DRM and do what you want with the idiot box you paid for, DRM calls on his old bud DMCA, and DMCA sends the nice folks from the FBI to cart you and your PC off to separate jail cells.
Since everything the media player plays goes through DRM, it is easy to see how a media player bug could affect the whole system. And since DRM is relatively new, it will have bugs itself. And since DRM is potentially updated everytime you download a song (check your XP EULA), the potential for disaster is high. Yes it is horrible design. Then again, DRM is a horrible concept.
That's the price one pays for doing business with a company that treats their customers like potential criminals. The ironic thing is that Microsoft is the one convicted of breaking the law.
What happens when you embrace and extend Godzilla? Nuclear heartburn!
See "Godzilla 2000" (released in Japan as "Godzilla 2000 Millenium") for details.
Re:Something troubles me... (Score:3, Insightful)
Re:I did! (Score:2)
Yes, but it's no different from similar cases in other operating systems. Buffer overflows happen in both Windows and Linux, and in both cases they can allow the mallicious data to execute arbitrary machine code as the current user. In both systems, this is usually sufficient to cause severe damage.
"Think before YOU post--you clearly demonstrate the common mindset of finding someone with an exposed problem and attacking it like a shark in order for a much needed ego-boost."
Yes, except that you don't appear to have the slightest clue as to what you're talking about. Anyone who's done more than a cursory look at computer security and exploits would be aware as to how prevalent buffer overflows are. It's not a problem specific to any type of program.
So I just don't see where XP even comes into the picture. You made an absurd, hand-waving claim, someone called bullshit on you, and now you're going on a tirade about how it's this vicious shark attack.
Oh, and you threaded your post incorrectly, as your reply seems to be targetted specifically at Zeddicus_Z, but you replied to your own post.
Re:Salon are just so helpful, aren't they? (Score:2)
Some of us got exceeding upset when Explorer carried the same set of vulnerabilities for over six months. It was lucky because there wqas a web-site that did some benign things that you could test whether the vulnerabilities were fixed. Many weren't.
Re:microsoft bagging (Score:2)
Anyway, what you say about ease of use has a grain of truth in it, but the situation is not nearly so drastic. Connecting to a network is trivial under either OS, and takes about the same time, either through command line or gui utilities offered by Mandrake and RedHat. Installing binary software typically takes less time under package managed systems than it does under Windows, same for uninstall. I don't see how rpm -i is harder than setup, you can even click on an icon and install it, unlike downloading most zips from the internet where you unpack, then hunt down setup to run.
Now stuff like sharing files currently does take a bit longer typically (of course providing that the user installed File and Print Sharing, otherwise they get stumped under Windows too), since the file managers typically do not offer shortcuts to samba/nfs sharing configuration, but RedHat and Mandrake again provide 'wizards' to set this stuff up if you can't deal with
The bottom line is that thanks to projects like KDE and Gnome (though 2.0 seems to be a step backward in usability to me, it's like Sun's usability input screwed things up) and companies like Mandrake and RedHat, Linux distributions are becoming easier to use constantly, while distributions like gentoo and debian exist for the power users, and they all are mostly binary compatible, and completely source compatible, so it is a great deal more variety of choice than say 'Home', Professional, Server, etc... Which are all basically the same thing with a few extra things tossed in at every level, with nothing ever removed nor more power given over the system to more advanced users.
Re:Microsoft has had many unpatched exploits, FACT (Score:2)
Unfortunately, I want to exploit the applications on my machine. I could just buy a pocket calculator and get rid of my computer - that would be secure too.
If security is paramount, to exclusion of all else,
Which it never is. If security is paramount to the exclusion of all else you simply leve the computer switched off.
I'm computing in the real world, you are clearly computing in the MacWorld.
TWW