M$ just keeps acting like normal. This way they’re driving business and home users away. I know since this is what drove me and my business away from anything M$.
It’s not a bug, it’s a feature. =)
Almost reminds me of when the Iraqi information minister
said there were no US troops in Iraq, and 5 minutes
later we rolled right through where they were filming.
They could have at least come up w/ a better excuse.
Basically all they said was “OK he’s right, but what hacker
is really going to want to use this to hack into someone
else’s computer?…”
Hmmmmmm I wonder?
Sorry, I have to agree with MS on this one. The non executable stack was never touted to be the end of all buffer overflows. The idea of a non executable stack has been known and discussed for years. If this is new news to “Matt Hines” it makes me wonder how qualified he is to comment on the matter.
And MuD, I know there have been patches available for the Linux kernel for years to give it a non executable stack but I don’t even know if this has been regarded with enough importance to merge it into the main kernel tree yet.
Here is a thread from the Linux kernel mailing list in 1997 with a patch and discussion of this feature.
http://www.ussg.iu.edu/hypermail/linux/kernel/9704.1/0328.html
Point is though, even though there are ways around it, it still hardens the OS.
Shimmy shimmy flaw shimmy scam shimmy yay,
Microsoft reports a flaw every day.
“M$ just keeps acting like normal. This way they’re driving business and home users away. I know since this is what drove me and my business away from anything M$.”
Yea, funny how MS does things in the best interest of their company. Damn them for doing things to bring in customers and money!
When you’re number one, there’s only one way to go. There are so many cool things going on in the UNIX/Linux/BSD world that there’s only one way for them to go, too. And the bonus: UNIX, Linux, and *BSD can actually work together pretty well. Once OpenSolaris is out, the days of closed proprietary operating systems will be behind us. The only company without an open OS kernel in their catalog: Microsoft.
The problem _is_ that they do what’s in the best interest of the company, not what is in the best interest of the customer.
They secure their monopoly, then let things stagnate. IE has had bugs that have frustrated me for years. Outlook/Exchange are missing nice features other groupware applications have had for a long time. Then there is 80-90% profit margin I’ve read they make off Office/Windows.
“the software giant on Tuesday said it does not believe the issue represents a vulnerability.”
Only in Redmond is beating a protective element of an OS NOT considered a vulnerability.
—
New Equal Opportunity Mac Mini Conga
http://www.fresh83.com/conga
…just affect the software NX and not those running on CPUs with hardware NX?
a good comment.. unfortunately nobody seems to be bothered with a valid comment…
“Positive said that attack programs that use the exploit to get around Windows XP Service Pack 2 protections work reliably”
Isn’t this a valid reason for Microsoft to leave the PR aside? Those Russian guys even provide a solution on their website.
a good comment.. unfortunately nobody seems to be bothered with a valid comment…
Exactly. One of the goals of SP2 was to make it harder for a programmer to pull this off, not impossible. Of course, many people commenting on this article probably didn’t even bother to read it .. they just go straight into bash mode.
Ok, now everybody take out your Bibles and turn to Jobs chapter 1.
Microsoft cleverly spins their failure to implement the technology properly by saying “well, it wasn’t intended to do X” – and the Windows trolls all knee-jerk their way to agreement by saying, “Well, it wasn’t intended to make attacks impossible…”
All of which is irrelevant because nobody said anything of the kind in the first place. Can you say “straw man”? I knew you could…
Microsoft screwed up the technology, and there is a way to sidestep it because of this. This makes it a security vulnerability. Period.
Fix it and shut up with the excuses already.
And Bill tells the Beeb “Security is a priority”…
Pardon me while I ROTFLMAOUID (UID=Until I Die)…
“Well, it wasn’t intended to make attacks impossible…”
All of which is irrelevant because nobody said anything of the kind
So, what are you saying then? If it was not specifically meant to make it impossible in the first place, then anything that makes it possible means Microsoft screwed up? From what I’ve heard, it isn’t exactly easy for somebody to actually pull this off, which was the whole point to begin with.
Positive is saying it’s a vulnerability and MS is saying not so fast, but it could be a problem.
Conclusion: We don’t know what the problem is. If MS releases a critical security bulletin on this then we can say it really is a serious vulnerability.
Conclusion: We don’t know what the problem is. If MS releases a critical security bulletin on this then we can say it really is a serious vulnerability.
As a parallel to this, let’s consider an example using the Linux operating system. If somebody wrote a shell script that deleted all the files from a user’s /home directory that the user had access to delete and tricked people (via social engineering) to run the script, does that in itself represent a vulnerability in the OS? Even if developers put extra measures in place to make it harder for a rogue script to delete all of a user’s files, if a script writer is able to do so, but only by having to jump through several hoops, does that mean that the developers screwed up?
“As a parallel to this, let’s consider an example using the Linux operating system. If somebody wrote a shell script that deleted all the files from a user’s /home directory that the user had access to delete and tricked people (via social engineering) to run the script, does that in itself represent a vulnerability in the OS? Even if developers put extra measures in place to make it harder for a rogue script to delete all of a user’s files, if a script writer is able to do so, but only by having to jump through several hoops, does that mean that the developers screwed up?”
No because Linux is perfect in every way.
They’re exactly right, and yes, I’m a “die M$ at all costs” zealot.
“Does anyone know when the Windows OS will hit ‘stable release’ version? ”
That’s a funny joke. Seriously, if Windows is in Beta then Linux must be in the alpha stage.
so basically they set the bar to “mediocre”?
The real problem is: Should I trust in what MS says about this? Is the flaw critical? One party says yes, but not during the next months, the other says it’s no bug, it will not be fixed.
If such a statement came from Linus Torvalds or Alan Cox or the likes I would believe them. They have shown a history of truth, and if they made a mistake they later said: Yes I made a mistake, so please help me fix it.
As this statement does come from Microsoft with their huge cabinet of standard lies I tend to not believe them.
People not believing what MS says might become a problem for them one day.