InfoWorld pays tribute to the humble Windows bug -- ground zero for several of the most colossal security meltdowns IT has ever endured. From share-level password flaws, to Web server traversal vulnerabilities, to overflow after overflow, the past decade of Windows flaws and patches and exploits has given IT one hot cup of hell after another -- all while giving rise to entire industries built around protecting users from malware authors who themselves have matured their practices to juvenile pranks to moneymaking criminal enterprises. Microsoft has been noted as the fastest vendor to patch OS flaws, to be sure, but the hits keep on coming. Perhaps it is high time for another OS vulnerability scorecard.
Post a Comment
Member since:
2005-07-06
however the popups on the site in question were annoying,
interestingly, some of the conclusions of the aftermath of the malware are that an overall improvement in security and patch handling including hardware (cable modem firewalls built in for example) have occurred
cheers
anyweb
Member since:2005-08-26
Member since:2005-07-06
Member since:
2006-01-07
Member since:
2006-09-19
While this is pretty bad stuff and cost the industry millions, my favorite Windows bug did not make it to the list: Windows 98 would just hang after 49.7 days uptime due to faulty memory management. Expired just like a Brine shrimp: http://support.microsoft.com/?scid=kb%3Ben-us%3B216641&x=7&...
Member since:2005-07-20
I believe that was a 32-bit timer count rollover bug, just like the one Linux 2.4 had for a while, except that Linux used a slower count and therefore lasted 400+ days.
That bug is the reason that the Linux 2.6 kernel now initializes the jiffies count to -5 minutes, forcing a rollover in order to catch that bug.
Member since:2006-09-24
Member since:2005-07-20
Actually it depended on which version of Linux 2.4 and what drivers were running. Many things didn't handle rollover well and if your SCSI controller decided command reset timeout was now 390 days in the future, the system may as well have been locked up.
At any rate, my original point (that I forgot to write out) was that the Windows bug wasn't a memory corruption bug, but this timer bug.
Member since:2005-07-06
Member since:
2005-07-06
If it's a competition then this one is good also: Ubuntu had a version where the installer's log contained the root password in the the clear:
http://it.slashdot.org/article.pl?sid=06/03/13/0525254
But what's the point of listing all these vulnerabilities?
Member since:
2008-05-26
Yeah, that Ubuntu one was pretty bad. But at least when they were informed of it, they fixed it right away. Within 24 hours I believe.
Apple had an easy local root vulnerability that required just one line of Applescript. They were warned 4 years ago that their design could cause this flaw, and Tiger shipped with a setuid root program that you could use to turn the vulnerability into an exploit. In August this year (2008) they finally fixed it.
It's not even like you had to do a buffer overflow attack or anything to root an OS X machine; just put in a single Applescript command on the command-line and you've got it. Apple never listened to the people who envisaged it. Apple took years to release a patch for something that really only required a single "chmod" command to fix the immediate problem, and who knows if the flaw can't be opened up again using third party programs.