
Microsoft Plugs "Drive-By" and 14 Other Holes

kdawson posted more than 4 years ago | from the clip-clop-clip-clop-bang dept.

Security 189

CWmike writes "Microsoft today patched 15 vulnerabilities in Windows, Windows Server, Excel, and Word, including one that will probably be exploited quickly by hackers. None affects Windows 7. Of today's 15 bugs, Microsoft tagged three 'critical' and the remaining 12 'important.' Experts agreed that users should focus on MS09-065 first and foremost. That update, which was ranked critical, affects all still-supported editions of Windows except Windows 7 and its server sibling, Windows Server 2008 R2. 'The Windows kernel vulnerability is going to take the cake,' said Andrew Storms, director of security operations at nCircle Network Security. 'The attack vector can be driven through Internet Explorer, and this is one of those instances where the user won't be notified or prompted. This is absolutely a drive-by attack scenario.' Richie Lai, the director of vulnerability research at security company Qualys, agreed. 'Anyone running IE [Internet Explorer] is at risk here, even though the flaw is not in the browser, but in the Win32k kernel mode driver.'"


Hold me. (1)

fotoguzzi (230256) | more than 4 years ago | (#30059002)

I'm scared!

In before (0)

frozentier (1542099) | more than 4 years ago | (#30059016)

In before Windows vs Linux vs Mac shitstorm...

Re:In before (-1, Offtopic)

Anonymous Coward | more than 4 years ago | (#30059476)

Mm... Linux. Used it for 3 years solid as my main OS a few years back and it was wonderful.

Switched to XP after those 3 years because, well, I can't remember. Probably gaming of some sort.

So recently I had this leftover Athlon X2 4200+ system staring me in the face begging for a new OS install. Installed Ubuntu onto the HDD over PXE.

Laggy performance, inconsistent labeling on programs/menus, horrible network performance. Out of the box it is just... bad. Did we seriously take "two steps back" with all the advances in technology we've had since I last used it?

Oh, and I'm sure I'll be flamed, but this is not a lack of technical ability issue. Out of the box, with properly detected hardware, the mouse should really not lag across the screen while getting 200KB/sec throughput on a file transfer with modern hardware. Oh well..

yohaa.us (-1, Offtopic)

Anonymous Coward | more than 4 years ago | (#30059038)

Yohaa [yohaa.us] -

And the others? (1)

s1lverl0rd (1382241) | more than 4 years ago | (#30059040)

What about the fourteen other fixes?

Re:And the others? (3, Funny)

somersault (912633) | more than 4 years ago | (#30059060)

They're not fixes. They're just there to introduce more vulnerabilities that will "encourage" people to shift to Windows 7 ;)

Re:And the others? (1)

Dystopian Rebel (714995) | more than 4 years ago | (#30059238)

Sir, thank you for a good Huxley quotation (your sig).

Re:And the others? (1)

smitty777 (1612557) | more than 4 years ago | (#30059492)

Not sure the real level of facetiousness here, but I think that's a pretty insightful comment. [bad analogy] It's like investigating a crime scene - you always have to ask yourself "who's the one really benefiting here"? [/bad analogy]

Re:And the others? (1)

Gadget_Guy (627405) | more than 4 years ago | (#30060302)

Not sure the real level of facetiousness here, but I think that's a pretty insightful comment.

In what way? They just fixed bugs all the way back to Windows 2000. That says to me that there is still life left in the old OS yet. If they wanted to encourage people to upgrade, they wouldn't back port all of the fixes.

Re:And the others? (2, Insightful)

plague3106 (71849) | more than 4 years ago | (#30060930)

Not fixing would backfire. Would you buy a product from a company that totally abandons the existing product as soon as they release a new one?

Re:And the others? (0)

Anonymous Coward | more than 4 years ago | (#30062506)

Don't Microsoft and Apple both engage in this sort of stuff already?

Re:And the others? (4, Informative)

eldavojohn (898314) | more than 4 years ago | (#30059104)

What about the fourteen other fixes?

The article talks about them at the end (on the second page):

Microsoft also issued critical updates for Vista and Server 2008 [microsoft.com] , as well as for Windows 2000 Server. On the latter, which harbors a bug in its implementation of the License Logging Server [microsoft.com] , a tool originally designed to help customers manage Server Client Access Licenses (CAL), Storms urged users of that aged operating system to apply the patch pronto, even though the machines are probably well-protected.

"Windows 2000 Server has the logging server enabled by default, but those systems are likely behind multiple firewalls, and people running [Windows 2000 Server] are pretty cognizant of the fact that it's an older version and will act accordingly."

Excel and Word also received patches today. Eight vulnerabilities were addressed in Excel in MS09-067 [microsoft.com] and one in Word with MS09-068 [microsoft.com] . Both updates also affected the Mac editions, Office 2004 and Office 2008.

For more info, check out the top six listings here [microsoft.com] .

Well... (3, Informative)

vistapwns (1103935) | more than 4 years ago | (#30059070)

If you patch, you're safe. Too bad so many XP users don't opt-in to patching, a lot of them will be infected, but it's a good thing MS started auto-patching by default with Vista, also since Vista has a lot of anti-exploit code (DEP, ASLR, Protected Mode Sandboxing, etc.) it probably won't see very many infections, although I thought I saw on another site that Vista wasn't affected.

Re:Well... (4, Insightful)

RiotingPacifist (1228016) | more than 4 years ago | (#30059250)

Too bad so many XP users don't opt-in to patching

This is Microsoft's fault for not offering a security only patch channel and pushing WGA ,etc through as windows updates.

I know this is probably comes across as trolling but it's not just Microsoft bashing for the sake of it.

Re:Well... (0, Flamebait)

Anonymous Coward | more than 4 years ago | (#30059292)

No, this is the fault of people who pirate their operating system and then expect it to be supported. Some things have a price. Pay the price if it is worth it to you. Don't use it if the price is not worth it to you. Some people call that "vote with your wallet". Just taking it for free and then expecting support is ludicrous and the height of hypocrisy.

Re:Well... (-1, Redundant)

tokul (682258) | more than 4 years ago | (#30059354)

No, this is the fault of people who pirate their operating system and then expect it to be supported.

Or people who can't trust OS updates, because Windows update system is used to push spyware and new software.

Re:Well... (0)

Anonymous Coward | more than 4 years ago | (#30059474)

Spyware? Really? Spyware? Come the fuck on man, seriously.

Re:Well... (1)

Dishevel (1105119) | more than 4 years ago | (#30060838)

Can't take anything seriously from AC.

Re:Well... (4, Insightful)

Spazztastic (814296) | more than 4 years ago | (#30059364)

No, this is the fault of people who pirate their operating system and then expect it to be supported. Some things have a price. Pay the price if it is worth it to you. Don't use it if the price is not worth it to you. Some people call that "vote with your wallet". Just taking it for free and then expecting support is ludicrous and the height of hypocrisy.

While I do agree that pirating a piece of software and expecting support is unreasonable, Microsoft is only increasing the number of botnets when they refuse updates to pirated software. Refuse software and hardware updates, but at least include security updates. With the increased number of botnets, that's more computers out there trying to infect others and it will without a doubt hit legitimate systems owned by users who just ignore that little yellow shield with the exclamation point on their taskbar. It is also their fault, but some people just don't know better.

Re:Well... (1)

CrazedSanity (872448) | more than 4 years ago | (#30060124)

Let's think about this not from a moral perspective, but from a business one. In all reality, it is better for Microsoft to ignore those with pirated copies of Windows and thereby allow botnets and viruses to flourish: they're "in bed" (or at least used to be) with anti-virus companies, and now they're making their own; what good is an anti-virus program if there isn't widespread infection? "Illegitimate" systems having high infection rates (and generally lowered performance) gives more validity to the idea that people should pay for a valid copy of Windows.

(I could add a great blurb here about switching to other systems that have only a tiny fraction of the vulnerabilities of Windows, but this isn't a Microsoft-bashing.)

Re:Well... (4, Insightful)

gbjbaanb (229885) | more than 4 years ago | (#30060554)

Let's think about this not from a moral perspective, but from a business one

Ok, lets do that.

As Microsoft software is the single most predominately used OS in the world, having large numbers of these installations being vulnerable to botnets is not only putting the efficient working of the global networks at risk, costing large sums as innocent ISPs upgrade their infrastructure to cope with the deluge of useless spam traffic and and virus payloads; costing businesses large sums to protect themselves from the deluge of virus, phishing and spam that routinely attacks their users; costing consumers vast sums as they attempt to protect themselves from the same deluge of attacks; but also puts the economy at risk with phishing attempts and other fraudulent and criminal activities that at best reduce people's confidence in using it for economic activity.

Given the above, the government should step in and force Microsoft to be more responsible for securing the national infrastructure from these attacks. Infrastructure that the modern economy depends upon. They keep telling us how many billions of Dollars are lost to virus attacks, how much conficker cost business, etc. Imagine how much the economy would suffer if there was a really big botnet/virus that did more than inconvenience users.

You can ignore moral aspects here and focus on the purely economic. We did that with banker's bonus-driven practices, and look how well that turned out. By ignoring the 'moral' aspects of Microsoft's monopoly and their self-interested lack of securing their OS, we may yet suffer similar problems.

(this isn't really Microsoft bashing, its more monopoly bashing)(though, I recall someone senior at MS saying they liked piracy because it made developers and users become accustomed to Microsoft software which had a beneficial effect to them - perhaps it is Microsoft's fault after all).

Re:Well... (1)

CrazedSanity (872448) | more than 4 years ago | (#30062094)

I absolutely agree. From a global perspective, Microsoft is very wrong for not allowing all systems to receive the most important security updates.

But from Microsoft's business perspective, it is in their best interest to give just anybody updates, as doing so would suck away even more bandwidth. It also devalues the purchasing of valid licenses: "I can get all the updates with my pirated copy? Why the hell should I buy a copy then?"

[WARNING: M$-bashing in 3... 2... 1...] The only reason anybody even thinks about security now is because of how terrible Microsoft's implementation (or lack thereof) has been so far. People seem to believe that viruses are just a part of owning a computer. They think that Microsoft Office is the only word processing system there is, and all the ones I've seen that received a non-Microsoft document (like "*.odf") figured that the file was corrupt if they couldn't open it in Word.

I could sit and rant all day to just about any born-and-raised Microsoft user that there are other OS's out there that are free of viruses (not to mention free of cost), and they just won't care, because they can't even differentiate between the operating system and the software. Running 20 different programs on their computer just to get 80% of the viruses removed is commonplace, even if they have to pay a lot of money for several of them.

"Your Windows XP workstation got formatted because you were infected with a virus? Well, we got this fancy-dancy Windows 7 here for ya, for only $300. Come this way, and I'll show you all the hardware you're going to need to make your computer run..." [20 minutes later] "... or you could just spend $2000 on this brand new system that already has it."

IMHO, Microsoft doesn't give a damn about its users. Pirates are pirates. Even granny down the street that managed to reinstall Windows XP using some (perfectly valid, unused) key she got from her neighbor. MS doesn't care about the economy either, as long as they're getting paid.

Re:Well... (1)

plague3106 (71849) | more than 4 years ago | (#30060954)

Ya, ok, they already do that. So what exactly is your point?

Re:Well... (0)

Anonymous Coward | more than 4 years ago | (#30059482)

No, it's because I don't want spyware to tell me that my genuine copy of Windows is NOT genuine because of a server mishap.

Re:Well... (1)

Runaway1956 (1322357) | more than 4 years ago | (#30060228)

Meanwhile, various problems with Windows updates are conveniently forgotten. Of about 7 machines that I updated to XP SP3, one was a "Gotcha" from Microsoft. The eternal reboot thing. That didn't bother me terribly - it was a minor inconvenience to wipe and reinstall. But, what about the non-technical great-grandma who had no backups? All her pictures of grandchildren and great grandchildren were probably lost when her dorky grandson started muddling with her old, outdated system. How much you want to bet that auto-update was disabled after that? Not just on HER machine, but her kids, the grandkids, the great grandkids, and everyone who would listen to the old biddy complaining?

Microsoft's problems are Microsoft's problems, period. The pirates didn't create a single one of them.

Re:Well... (1)

MikeBabcock (65886) | more than 4 years ago | (#30060488)

Software piracy may be wrong, but allowing those computers to sit on the Internet spreading vulnerabilities is too. Microsoft should either disable non-genuine versions altogether or offer the security patches to them for the sake of the rest of us.

Re:Well... (1)

Dishevel (1105119) | more than 4 years ago | (#30060816)

Seriously though. How often do I have to prove I bought something. Every time I upgrade my Graphics or a network card? I am all for proving I bought something. ONCE!

Re:Well... (1)

RiotingPacifist (1228016) | more than 4 years ago | (#30061038)

Apparently [slashdot.org] Windows offers updates to pirates too, but that is not my point. My point is that I should be able to auto-install security updates without having to worry about other patches and software being downloaded with it. IIRC IE7 and/or IE8 were installed via automatic updates (and set themselves as default browsers); there are situations where that is not acceptable.

If you look at debian/fedora there is always the option of keeping an entirely stable (no new software/bugfixes*) except for security patches, this means admins can apply security patches automatically without worrying about other changes to the system.

*even simple bugfixes break stuff if I've already implemented a work around.

+5 informative? (4, Informative)

vistapwns (1103935) | more than 4 years ago | (#30059562)

Good grief. MS offers ALL security patches to EVERYONE, including pirates, and also offers many other patches such as stability and performance updates to everyone as well.

---
"There seems to be a myth that Microsoft limits security updates to genuine Windows users," wrote Microsoft's Paul Cooke, who works in Windows Client Enterprise Security. "Let me be clear: all security updates go to all users."
----

From http://www.tomshardware.com/news/windows-pirate-bootleg-security-patches,7666.html [tomshardware.com]

Re:+5 informative? (1)

RiotingPacifist (1228016) | more than 4 years ago | (#30060902)

I'm not talking about pirates; there are many cases where legitimate users do not want to apply all patches to their system, but applying only security patches is acceptable.

For example, a company that has IE6-only intranet sites doesn't want to test against IE7/IE8 but still wants security patches for IE6, without having to comb through all the updates and pick out the security ones.

e.g. the equivalent of using debian and having the security repo enabled but not backports.

Re:+5 informative? (0)

Anonymous Coward | more than 4 years ago | (#30061074)

Even using Windows Update, you can do exactly that.

You can choose not to install IE7, IE8, WGA (or any others) and say "don't ask me again".

Re:+5 informative? (1)

RiotingPacifist (1228016) | more than 4 years ago | (#30061244)

Using it manually you can, however AFAIK using it automatically there is no way to apply only security updates.

Re:+5 informative? (0)

Anonymous Coward | more than 4 years ago | (#30061410)

There is if you're the admin running the Windows network. MS offers several methods of controlling what patches get applied at the enterprise level.

Most of them are a PITA, but they work.

There are also third party offerings, and heaven forbid a Windows admin should script anything, but I used to apply patches during login.

Re:+5 informative? (0)

Anonymous Coward | more than 4 years ago | (#30061184)

Try this: install Windows XP, go to Windows Update; you can't get any updates until you have installed WGA. It's the first one. Now you can wait for Windows to download updates in the background and install them, but you cannot proactively install them unless you first install WGA.

WGA is not a security update. WGA is not critical [except perhaps to microsoft].

+5 Insightful (Was:+5 informative?) (0)

Anonymous Coward | more than 4 years ago | (#30061746)

Good grief. Canonical offers ALL security patches to EVERYONE, including leechers, and also offers many other patches such as stability and performance updates to everyone as well.

http://www.ubuntu.com/getubuntu/upgrading [ubuntu.com]

In a Kano analysis [wikipedia.org] , this functionality is Basic. If Microsoft denied it to paying customers; they would start losing them. It's just that simple.

Re:Well... (0)

Anonymous Coward | more than 4 years ago | (#30060360)

1. set mpa.one.microsoft.com to 127.0.0.1
2. your windows is now genuine

On the decision to update or not to update (1)

Jeffrey_Walsh VA (1335967) | more than 4 years ago | (#30061548)

While supporting 100+ XP machines for a period of about two years, I noticed that machines that were set to accept all updates typically suffered a gradual but steady drop in performance over time. My guess is registry bloat is the biggest culprit. The machines that didn't update automatically, but had service packs installed when available, maintained noticeably better performance. The downside of playing Russian roulette with security also showed, with the non-updated machines hit by malware - rarely, but more often than the updated set - despite a good effort to keep third party security software (McAfee, Symantec, or Kaspersky) on and updated.

"Opt-in" Is The Wrong Term (2, Interesting)

EXTomar (78739) | more than 4 years ago | (#30062248)

It isn't quite true to suggest people don't "opt-in to patching" on any Windows product. It is more the case that the process is arcane and confusing to some users. And worse still, the system trains the rest of the users to blindly accept things that look like "official updates" when they are really malware. I've lost track of the number of times someone asked me what was going on when the WGA thing pops up. The way it is worded and framed seems to freak users out and I see why: going for months with a legit copy and suddenly getting challenged makes people wonder if they accidentally broke or misconfigured their system. That means many hit cancel because Microsoft gave these worried users a choice of "Do you want to take the chance of breaking your system? Yes or No?"

Yay, tight integration of browser with OS... (3, Insightful)

bcmm (768152) | more than 4 years ago | (#30059076)

"Anyone running IE [Internet Explorer] is at risk here, even though the flaw is not in the browser, but in the Win32k kernel mode driver."

Anybody else think something is integrated with something else in a deeply, deeply wrong way here?

Re:Yay, tight integration of browser with OS... (1)

Stenchwarrior (1335051) | more than 4 years ago | (#30059166)

"Anybody else think something is integrated with something else in a deeply, deeply wrong way here?"

Remember IE4? [wikipedia.org] I know this mostly talks about how M$ tried to monopolize the browser world, but when it first came out in 98 SE I remember thinking "Man, they really twisted this into the OS... we can't even uninstall it!". I think that's just part of their "Enhanced User Experience" :-p

Re:Yay, tight integration of browser with OS... (1)

fast turtle (1118037) | more than 4 years ago | (#30060524)

Turn in your geek card. The integration began with IE 4 and the active desktop feature in Win98. At that point, we were screwed, blued and tattoo'd by MS.

Re:Yay, tight integration of browser with OS... (5, Funny)

eldavojohn (898314) | more than 4 years ago | (#30059170)

"Anyone running IE [Internet Explorer] is at risk here, even though the flaw is not in the browser, but in the Win32k kernel mode driver."

Anybody else think something is integrated with something else in a deeply, deeply wrong way here?

I most certainly do! This is unfair! When will Firefox and Opera have such privileged access to kernel space? It results in a bad user experience when the Javascript code I slave over can only help you manage your user files, registry keys and kernel libraries if you're using IE.

Yours truly,

Crafty McStealsYourShit

Re:Yay, tight integration of browser with OS... (1)

jittles (1613415) | more than 4 years ago | (#30059668)

When will Firefox and Opera have such privileged access to kernel space?

As soon as you want Firefox exploits to be even more dangerous to the user. A web browser should keep itself strictly in user space.

Re:Yay, tight integration of browser with OS... (1)

bcmm (768152) | more than 4 years ago | (#30059898)

Whoosh!

This is ironic... (1)

Anonymous Coward | more than 4 years ago | (#30062208)

That FireFox has more access to the system than IE on Vista and Windows 7, because it doesn't implement protected mode. Grow up, children.

Re:Yay, tight integration of browser with OS... (0)

Anonymous Coward | more than 4 years ago | (#30059306)

Captain Obvious ? Is that you ?

Re:Yay, tight integration of browser with OS... (2, Interesting)

jspenguin1 (883588) | more than 4 years ago | (#30059702)

According to Microsoft, the Windows kernel improperly parses Embedded OpenType (EOT) fonts, which are a compact form of fonts designed for use on Web pages.

One question: Why is the kernel parsing fonts?

Re:Yay, tight integration of browser with OS... (1)

plague3106 (71849) | more than 4 years ago | (#30061026)

Perhaps to draw them on the screen when rendering text?

Re:Yay, tight integration of browser with OS... (1)

TeXMaster (593524) | more than 4 years ago | (#30062258)

Perhaps to draw them on the screen when rendering text?

I thought GDI was supposed to do that? Or is GDI in kernel-space now?

Re:Yay, tight integration of browser with OS... (2, Informative)

b4dc0d3r (1268512) | more than 4 years ago | (#30062602)

From what I understand: GDI functions are in the kernel for speed reasons - constantly switching to usermode just to draw things slows down the system.

Vista moved it into userspace, and lots of users complained about slowness. Looking at the vulnerability details, this just gives you privilege elevation on Vista (and related servers), not remote code execution.

For Windows 7, MS moved GDI back into the kernel, with some redesign. So they apparently fixed this issue when they returned GDI to user mode.

Again, just my understanding, could be wrong.

Re:Yay, tight integration of browser with OS... (1)

0ld_d0g (923931) | more than 4 years ago | (#30059748)

Except, IE is in no way integrated with the NT kernel. You're just parsing words of a random spokesperson (who is most likely not even a programmer) to your benefit.

You see, there are these things called libraries which this thing called IE uses. Some of those libraries make calls into the kernel, like say.. rendering fonts with the right kerning and proper sub pixel anti-aliasing using the display driver.

If you start connecting the dots, I think it should be clear enough from here. Or do we need a car analogy?

Re:Yay, tight integration of browser with OS... (1)

ultranova (717540) | more than 4 years ago | (#30062000)

Or do we need a car analogy?

Rendering fonts in kernel space to make it faster is like removing the wall between the engine and passenger compartments of a car to reduce its weight. Not to mention seatbelts.

Re:Yay, tight integration of browser with OS... (1, Interesting)

Anonymous Coward | more than 4 years ago | (#30060370)

Anybody else think something is integrated with something else in a deeply, deeply wrong way here?

This flaw is in font rendering, and oddly enough was a similar flaw just fixed in the mac as well.

It has to do with invalid downloadable fonts that then get rendered.

Re:Yay, tight integration of browser with OS... (4, Informative)

Ralish (775196) | more than 4 years ago | (#30060438)

Anybody else think something is integrated with something else in a deeply, deeply wrong way here?

No, not really, at least, not in the way you're insinuating. The Win32k kernel mode driver is essentially the major component of the Windows kernel responsible for kernel-mode graphics related processing. Put more succinctly by MS from the MS09-065 [microsoft.com] security bulletin:

Win32k.sys is a kernel-mode device driver and is the kernel part of the Windows subsystem. It contains the window manager, which controls window displays; manages screen output; collects input from the keyboard, mouse, and other devices; and passes user messages to applications. It also contains the Graphics Device Interface (GDI), which is a library of functions for graphics output devices. Finally, it serves as a wrapper for DirectX support that is implemented in another driver (dxgkrnl.sys).

The handling of EOT (Embedded OpenType) fonts is apparently (at least partially) handled by the kernel and presumably a component of the GDI system. IE supports EOT fonts and presumably just hands them off to the kernel, after all, it is delegated the responsibility of handling them, so why re-implement it in IE? The flaw is not really in IE but in buggy code in the relevant processing. There is an argument to be made that IE really shouldn't be explicitly processing these fonts by default in an untrusted network (and this can be changed in the preferences, but is not the default), but the flaw itself is in the system call code itself; the latter is merely about reducing attack surface in the case of exploits such as this arising.

My point is, this isn't really a case of IE being "overly" coupled into the system (which isn't to say it isn't, just that I don't view this as an example of it). Whether it's sensible engineering to have the kernel handle this stuff is probably a far more interesting and valid argument. Protecting against system call vulnerabilities is pretty tough, as you do expect the kernel to be trusted, indeed, if you can't trust the kernel you have serious problems. A quick google seems to suggest Firefox doesn't support EOT fonts, and I'm not sure if any other browsers do either, but if they did, they may well have their own exploit situations as well.
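The preference Ralish refers to is Internet Explorer's per-zone "Font download" setting, which is the attack-surface reduction available to users before the patch is applied. The script below is an added example, not code from this thread or from Microsoft: it reports that setting for each IE security zone under both the user and machine registry hives and, when run with -Fix, disables it for the Internet and Restricted sites zones. Assumptions made here: the setting is stored as the URL-action value named 1604 under the per-zone keys shown, encoded as 0 = Enable, 1 = Prompt, 3 = Disable; a value absent from the registry means the IE default for that zone applies, and a machine-wide policy under HKLM can override what is set under HKCU.

```powershell
# Added example: audit (and optionally disable) IE's "Font download" zone setting.
# Assumed: URL action 1604 = Font download; 0 = Enable, 1 = Prompt, 3 = Disable.
param(
    [switch]$Fix   # without -Fix the script only reports; with it, HKCU Internet/Restricted are set to Disable
)

$zoneNames   = @{ 1 = 'Local intranet'; 2 = 'Trusted sites'; 3 = 'Internet'; 4 = 'Restricted sites' }
$actionNames = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

# HKCU carries the user's own zone settings; HKLM is reported too because a
# machine-wide policy there can take precedence over the per-user value.
$roots = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
)

function Get-FontDownloadSetting {
    param([string]$Root, [int]$Zone)
    $key = Join-Path $Root $Zone
    if (-not (Test-Path $key)) { return $null }
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    # The value name is the literal string "1604"; a missing value means the zone default applies.
    if ($null -eq $props -or $null -eq $props.PSObject.Properties['1604']) { return $null }
    return [int]$props.'1604'
}

foreach ($root in $roots) {
    foreach ($zone in ($zoneNames.Keys | Sort-Object)) {
        $value = Get-FontDownloadSetting -Root $root -Zone $zone
        $state = if ($null -eq $value) { 'not set (zone default applies)' }
                 elseif ($actionNames.ContainsKey($value)) { $actionNames[$value] }
                 else { "unrecognised value $value" }
        '{0,-4} {1,-16} Font download: {2}' -f $root.Split(':')[0], $zoneNames[$zone], $state

        # Only tighten the zones that carry untrusted content, and only in the user hive,
        # so the script does not need administrative rights or fight a domain policy.
        if ($Fix -and $root -like 'HKCU:*' -and ($zone -eq 3 -or $zone -eq 4) -and $value -ne 3) {
            Set-ItemProperty -Path (Join-Path $root $zone) -Name '1604' -Value 3 -Type DWord
            '     -> set to Disable'
        }
    }
}
```

Run it once without -Fix to see what the current user actually has, because a value shown under HKLM may be what IE enforces regardless of the HKCU entry. Note that this only closes the web-font vector through IE; as the thread points out, the flaw is in the kernel's font parsing, so documents carrying embedded fonts and other paths that feed fonts to win32k.sys are untouched by this setting and still need the update.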

Re:Yay, tight integration of browser with OS... (1)

Ralish (775196) | more than 4 years ago | (#30060528)

Minor correction:
This isn't necessarily limited to EOT fonts, but is a flaw in the font parsing code in the kernel in general. EOT fonts are just the exploit vector as specific to IE, but other font types can be used for less likely exploit vectors, such as TTF fonts in a Terminal Services setup. The point is this is a flaw in a kernel system call and IE's use of this system call + default settings makes it vulnerable to exploitation.

Re:Yay, tight integration of browser with OS... (0)

Anonymous Coward | more than 4 years ago | (#30061524)

Most reasonable observers would point out that parsing fonts in kernel space is itself pretty much brain-damaged.

Re:Yay, tight integration of browser with OS... (1)

Ralish (775196) | more than 4 years ago | (#30061636)

Did you read my original post?

Whether it's sensible engineering to have the kernel handle this stuff is probably a far more interesting and valid argument.

Re:Yay, tight integration of browser with OS... (1)

Abcd1234 (188840) | more than 4 years ago | (#30062468)

Well, tbf, I think the GP's point is that there is *no* argument for handling fonts in kernel space. ie, it's not an "interesting" argument since it's one you shouldn't even be having.

Re:Yay, tight integration of browser with OS... (1)

Abcd1234 (188840) | more than 4 years ago | (#30062392)

The handling of EOT (Embedded OpenType) fonts is apparently (at least partially) handled by the kernel and presumably a component of the GDI system.

Interesting. So this actually goes even deeper than IE being integrated with the OS, and demonstrates why things like font handling should *not* be done in kernel space.

'course, this wasn't always the case. There was a time when the video subsystem was largely a userspace component, but during the NT days, they decided to move a lot of video-related functionality into the kernel for performance reasons... and now they're paying the price in the form of weaker security.

Re:Yay, tight integration of browser with OS... (1)

bheer (633842) | more than 4 years ago | (#30060710)

It would be deeply, deeply wrong if IE was the only way to get infected. The vulnerability [vupen.com] is quite interesting -- it can be invoked by crafting a special Embedded OpenType (EOT) font file, which then exploits a vulnerability in kernel mode driver that parses font code. So you can be exploited using Microsoft Office, Wordpad -- anything that can display EOT-embedded fonts. All you have to do is open a document containing the offending font. Of course, IE is easy to exploit because all you need to do is put up a web page.

Note that Windows 7, in which most drivers are back in user space, is not vulnerable to this exploit. Killer reason to upgrade, imho. This is also the reason most video driver crashes don't crash Windows 7 -- the display is simply re-initialized.

Re:Yay, tight integration of browser with OS... (1)

WhiteDragon (4556) | more than 4 years ago | (#30061098)

Note that Windows 7, in which most drivers are back in user space, is not vulnerable to this exploit. Killer reason to upgrade, imho. This is also the reason most video driver crashes don't crash Windows 7 -- the display is simply re-initialized.

This seems like a no-brainer, but they must have had some reason for putting all those things in kernel space before. Perhaps performance? But isn't the Win7 performance better anyway?

Re:Yay, tight integration of browser with OS... (2, Informative)

bheer (633842) | more than 4 years ago | (#30062688)

NT 3.x supported user-space drivers and was criticized by reviewers for poor graphics performance (especially those who wanted to run visualisation/CAD apps on it). But it was rock-solid, as you can imagine.

NT 4 introduced kernel-mode display drivers, which helped it become very popular with engineers who needed these apps (remember, the only other 'mainstream' OS on the market at this time was Win95/98 and System 8/9; NT was rock-solid by comparison and Linux didn't have many commercial apps at this time).

Given that stats show that 3rd-party drivers are the #1 reason behind Windows blue-screens, starting with Windows Vista, Microsoft started to use the mini-driver approach for drivers. They've expanded and refined the use of such drivers with Windows 7.

Essentially, vendors write a user mode client driver that executes in user-space, with some basic functionality being implemented in kernel-space by a Microsoft-written and Microsoft-QA'd driver. So you get crash resistance without losing speed. See Layered Driver Architecture [microsoft.com] on MSDN for more.

Re:Yay, tight integration of browser with OS... (1)

v1 (525388) | more than 4 years ago | (#30061940)

was just going to say... aaaaaaand that's what you get for hooking the kernel to your web browser ... idiots.

"windows security" isn't just an oxymoron, it's the oxymoron. They just... never... learn.

That's shocking! (2, Interesting)

Rik Sweeney (471717) | more than 4 years ago | (#30059132)

They thank someone from Google for helping them spot the vulnerability! It's in the acknowledgements:

http://www.microsoft.com/technet/security/Bulletin/MS09-065.mspx [microsoft.com]

Re:That's shocking! (1)

Gadget_Guy (627405) | more than 4 years ago | (#30060462)

They thank someone from Google for helping them spot the vulnerability! It's in the acknowledgements

They always do that. It is in Microsoft's interests to publicly acknowledge the people who send them security reports because they want to encourage people to do that. It is preferable to what happened in the recent story [slashdot.org] where the guy posted the bug in a blog rather than telling them directly.

The accepted practice is to privately tell the company about a bug and give them time to fix the problem before posting about it publicly.

It's Still Windows (3, Insightful)

dkh2 (29130) | more than 4 years ago | (#30059150)

No wonder my home system was such a dog this morning. It was pulling the latest patches and updates.

Meanwhile, it's still Windows. There's only so much improvement you can make when the manufacturer insists on packing so much into the "kernel." I was always taught that the OS kernel is the one piece that provides the interface between all software and all hardware. File systems, GUIs, internet browsers and lesbian Pr0n are all just forms of software that should be clients to the ultimately optimized but minimalist kernel.

Re:It's Still Windows (-1, Troll)

Anonymous Coward | more than 4 years ago | (#30059684)

The Linux kernel is at least as huge and monolithic as the NT kernel, the only difference being that most of the NT kernel cruft is GUI stuff and most of the Linux kernel cruft is obscure support infrastructure for your 128-processor mainframe or 1980's scsi card :)

Re:It's Still Windows (4, Informative)

Bacon Bits (926911) | more than 4 years ago | (#30059730)

There's only so much improvement you can make when the manufacturer insists on packing so much into the "kernel."

So in trying to bash Microsoft you're saying that Linux sucks?

Linux is a monolithic kernel. Windows is a hybrid kernel. Linux puts a lot more into kernel mode/real mode than Windows does. Many drivers in Windows are user mode drivers, for example, particularly printers. The only thing I can think of that runs in kernel mode in Windows and not in Linux is the graphics system -- which is why the screen flickers and changes resolutions slower in Linux and Windows tends to run full screen games and video better with DirectX, but it also rarely brings the system down... not that a system you can't get desired display output from is useful entirely.

Re:It's Still Windows (1)

gzipped_tar (1151931) | more than 4 years ago | (#30060402)

So in trying to bash Microsoft you're saying that Linux sucks?

Life and computing both suck. Get over it.

Linux puts a lot more into kernel mode/real mode than Windows does...

I don't use Windows and I of course can't speak for the GP, but it appears to me that GP simply admires a minimalistic kernel design which is lacking in today's mainstream OSes. He wasn't trying to make an argument of Linux being better than Windows or vice versa. So why reinsert the Linux vs. Windows blahblahblah?

And by the way, I don't think code quality has anything to do with where the code lies, in kernelspace or otherwise. Bad code is a problem not because it's in the kernel, but because it's bad.

Re:It's Still Windows (1)

ettlz (639203) | more than 4 years ago | (#30061140)

Windows is a hybrid kernel. Linux puts a lot more into kernel mode/real mode than Windows does.

Oh come on now, "hybrid" kernel is nonsense marketspeak; all the high-level services such as networking and filesystems and drivers run in the same address space. How they chat to each other is irrelevant here, NT is a monolithic kernel. And what the hell is a configuration database, the Registry, doing as a kernel service? And then there's GDI etc. --- (up until recently used to be) a kernel service.

The only thing I can think of that runs in kernel mode in Windows and not in Linux is the graphics system

The thinnest end of the graphics wedge (namely, modesetting, GPU multiplexing and memory management) is now being pushed into the Linux kernel, where such low-level hardware stuff should be. The GL heavy lifting and provision of a high-level graphical system (e.g. windowing, viz. X) is done in userspace, where it should be. The problem with Windows used to be that a lot of the latter was also a kernel service. Flickering displays are quickly becoming a thing of the past these days as typically the optimal resolution is chosen early on when the relevant DRI module (i915 or radeon, so far) loads.

Re:It's Still Windows (1)

Abcd1234 (188840) | more than 4 years ago | (#30062606)

Linux is a monolithic kernel. Windows is a hybrid kernel. Linux puts a lot more into kernel mode/real mode than Windows does. Many drivers in Windows are user mode drivers, for example, particularly printers.

Uh, just FYI, printer drivers are usermode in Linux as well. Furthermore, until recently (ie, the Vista pedigree), the Windows drivers were built against the KMDF, and so ran in kernel mode.

Secondly, your statement that "the only thing I can think of that runs in kernel mode in Windows and not in Linux is the graphics system" *severely* understates the impact of this difference. The "graphics subsystem" in both Windows and Linux is *massive*. That's an extremely non-trivial amount of code that unnecessarily runs in kernelmode on Windows, and that means a vastly increased surface area that can be exploited.

'course, that's not to say Linux couldn't improve and move more functionality out into userspace (assuming no negative performance impact). But Windows is really not that much better.

No, that was me (1)

FreeUser (11483) | more than 4 years ago | (#30059998)

No, that was me, driving my Mac Truck(tm) Lorry Load(tm) Malware Package through the gaping holes in your operating system. The patch you think you applied is just a little eye-candy to make you feel all warm, snug, and safe. It's working. too. :-)

Turn off Automatic Updates's download and install! (1)

antdude (79039) | more than 4 years ago | (#30062150)

You can leave it on to notify you or just download them manually when MS releases them (your job to keep track, like reading security news or checking MS Updates every second and fourth Tuesday of each month; don't forget emergency releases once in a while!).

Would the big customers know more? (4, Interesting)

140Mandak262Jamuna (970587) | more than 4 years ago | (#30059182)

From the article

But while Storms speculated that Microsoft knew the EOT font flaw was a security issue -- and waited until now to patch older Windows -- Lai thought that Microsoft didn't realize until recently that it was also a security vulnerability in editions prior to Windows 7. "I think they fixed this bug as part of the code sanitization during [Windows 7's] development cycle. It was actually only publicly disclosed recently, and then they patched it in other Windows

The article is speculating what did Microsoft know and when did it know it etc. Microsoft's standard line defending its security through obscurity policy is, "we are not providing any details because it is going to help the hackers". But what about its big customers? Almost all businesses do not care much about their small customers. So forget small timers. But Microsoft has to coddle its big Fortune 500 company customers. Would they be informed, even under confidentiality agreements and non-disclosure agreements, which platforms and applications are vulnerable?

How do these big companies justify being so meek and acquiescing to Microsoft? If these Fortune 500 companies chip in 100,000$ a year, they can create an Institute of Software Interoperability and go towards reducing their switching costs. Microsoft has total revenue of more than 25 billion dollars, and a significant chunk comes from these big companies. The payoff has to be enormous for these companies.

Re:Would the big customers know more? (2, Informative)

thejynxed (831517) | more than 4 years ago | (#30062328)

Yes, the appropriate contacts in such organizations get informed. Chiefly, the CIOs and their assorted assistants down the IT chain. What they then do with that information is up to them. There's a reason these companies pay for their overpriced support contracts and license agreements with Microsoft.

I know the major security vendors like Symantec are also informed.

This has been addressed several times (redundantly, I might add) in Slashdot articles over the years, and can probably even be confirmed by your own IT department.

Nothing is perfect, either Windows 7 (0, Offtopic)

mssoh449188 (1676380) | more than 4 years ago | (#30059210)

I am used to it now, Just like whenever a new product launched, for instance Windows 7, do not hope that it will be perfect as it claimed to be the day 7 in the bible where everything is set. Anyway Windows and Microsoft are still man-made, nothing is perfect. Winson http://aabatterycharger.org/ [aabatterycharger.org]

IEaaaaggghhh, trolling for more smoke&mirrors (-1, Offtopic)

Anonymous Coward | more than 4 years ago | (#30059226)

what's really 'funny' is that robbIE/VA larry et al derive a disproportionate % of their fortunes from paid ads for the infactdead softwar gangster bugware, when to begin with, robbIE & fuddles were nemeses. how the worm turns, no?

then robbIE, kodemaster extrordinaire, has some of his juvenile butt buddies present us with false solicitations as well. wwworm again. talk about 'holes'.

mynuts won; to be hidden/deleted immediately, let freedumb (of speech/information), ring (up the sales)?

Re:IEaaaaggghhh, trolling for more smoke&mirro (1)

rickb928 (945187) | more than 4 years ago | (#30060770)

And they say AI isn't ready for real-world applications yet. pfft.

hole in their head (0)

Anonymous Coward | more than 4 years ago | (#30059278)

will they patch that one too?

When does SP4 come out for XP?

Fourteen? (5, Funny)

paimin (656338) | more than 4 years ago | (#30059510)

I, for one, have been getting my hole plugged by Microsoft for a good twenty plus years now.

So sore.

and what, pray..... (1)

gadget junkie (618542) | more than 4 years ago | (#30059526)

....is Internet Explorer?........aaaahh, that buggy browser that comes with windows. I stopped using it four years ago and deleted the icon.

Seriously though, I think that when people choose to use a browser that messes with system internals above other browsers that are NOT messing with the kernel, they get what they ultimately deserve. I remember a particularly buggy period that really had me going definitely over to Firefox: whenever IE crashed, I had to reboot. With Firefox, killing the program would suffice, and I had far fewer problems anyway.

Re:and what, pray..... (0)

Anonymous Coward | more than 4 years ago | (#30059664)

I systematically nLite or vLite the systems I install and totally remove IE, WMP and lots of other useless crap. And my installation CDs end up 25% of the original size. Way to go :-)

soon2b extinct:-) (0)

Anonymous Coward | more than 4 years ago | (#30059922)

browser stats on a website i tend show a heartening trend:

         sept09   oct09
MS IE      47     41.6 %
Firefox    27.5   33.5 %
Safari     12.5   13.3 %

Re:and what, pray..... (1)

tuzo (928271) | more than 4 years ago | (#30061018)

Seriously though, I think that when people choose to use a browser that messes with system internals above other browsers that are NOT messing with the kernel, they get what they ultimately deserve.

I don't think people have this coming to them given that:

  • most people don't "choose" a browser -- they just use the one that comes with their OS
  • an extremely small percentage of computer users actually know what a kernel is

Should users be more educated? Maybe. But I don't think it's going to happen because most people don't care. They just want their computer to work.

What people really deserve is great software with as few bugs and security holes as possible irrespective of their technical understanding of computers.

Mac, Linux, anything but Microsoft (1)

curmudgeon99 (1040054) | more than 4 years ago | (#30059586)

Once again I am delighted that I switched to Mac. The entire Windows ecosystem is riddled with these sorts of design flaws. What more reason can anyone need to get off of Microsoft?

Re:Mac, Linux, anything but Microsoft (1)

Sporkinum (655143) | more than 4 years ago | (#30059934)

The primary vulnerability was mitigated by using Firefox and Open Office. The drive by needs IE or Powerpoint or Word to execute.

Re:Mac, Linux, anything but Microsoft (1)

curmudgeon99 (1040054) | more than 4 years ago | (#30060056)

So, one must assume you are in complete agreement with me, since both of those products with vulnerabilities are made by Microsoft. I just wonder what rock someone must have been living under to not notice the steady stream of bad news coming out of Redmond. Microsoft just produces total and complete crap, from the first to the last byte.

Re:Mac, Linux, anything but Microsoft (1)

Ralish (775196) | more than 4 years ago | (#30060750)

And yet, Apple's default browser Safari has a pretty terrible security record, the latest OS X release contained a bug that nuked account data, and OS X consistently falls behind both Linux and Windows in defence-in-depth security mitigations. While Apple might like to boast about its operating system security, this doesn't appear to be due to any particular "hardened" design versus other mainstream operating systems and in fact lacks solid implementations of various security features that have been standard elsewhere for a long time, rather, it just doesn't seem to have had a lot of exposure to those who would exploit it. If you were posting from a OpenBSD box I might hesitate before replying, but OS X is just another mainstream OS with a broad audience and plenty of holes.

So, I'd suggest getting off your high horse. All operating systems have their bugs and security exploits, and ignorance of your systems security record and capabilities does not make it secure. Also, excessive smugness is not an endearing character attribute.

Re:Mac, Linux, anything but Microsoft (1)

alen (225700) | more than 4 years ago | (#30060542)

Snow Leopard has been out for 2 months and service pack 2 has just been released. The fixes are for some pretty obvious stuff that should not have made it past QA, like the Flash performance issues.

Re:Mac, Linux, anything but Microsoft (0, Offtopic)

plague3106 (71849) | more than 4 years ago | (#30061172)

Well, I guess if you want to pay double for the same computer that doesn't run as many applications. But enjoy your overpriced hardware and Office 2008 for Mac. Let's hope your iPod doesn't catch fire and burn down your house.

Re:Mac, Linux, anything but Microsoft (1)

curmudgeon99 (1040054) | more than 4 years ago | (#30061984)

OpenOffice.org? Funny, I bought Microsoft's products several times and always regretted it. I have never regretted anything I bought from Apple. Go ahead and rue your wasted money on Microsoft products. They suck and no amount of whining by MS fanboys can change that.

Re:Mac, Linux, anything but Microsoft (1)

DrXym (126579) | more than 4 years ago | (#30062218)

OS X has been tardy in implementing things like ASLR and there have been plenty of security issues that Apple took too long to patch. It may be that OS X in general has a better track record than Windows, but Apple certainly aren't paying as close attention to security as they should.

OK, just a second now... (2, Interesting)

FatdogHaiku (978357) | more than 4 years ago | (#30059908)

I gotta wonder about the line:
'Anyone running IE [Internet Explorer] is at risk here, even though the flaw is not in the browser, but in the Win32k kernel mode driver.'
Why aren't users of other browsers on the older Win platforms vulnerable? Is there some other risk or problem that is being ignored or even concealed?

Man, I can't believe I got that out without laughing...

Re:OK, just a second now... (4, Informative)

taviso (566920) | more than 4 years ago | (#30060732)

I discovered this bug (check the credit section [microsoft.com] in the advisory), so can explain. The bug is in parsing a component of TTF files, which are handled by the GDI kernel subsystem in Windows. Anything that tries to load fonts can be used to exploit this vulnerability, as they will eventually reach this code, Internet Explorer just happens to be the easiest way to reach it remotely.

Other browsers _are_ affected, the difference is that there's only one level of indirection before the vulnerable code in Internet Explorer, and at least two in other browsers. This is because IE supports EOT files directly, which via TTLoadEmbeddedFont() are decoded and passed straight to GDI, whereas other browsers take a TTF input, convert it into an EOT and then pass that to TTLoadEmbeddedFont, so you have to convince three different chunks of code your input is valid (the browser, t2embed, then gdi), instead of just two in IE.

If you use any browser that supports @font-face on Windows (Safari, Firefox 3.5+), you should still patch and reboot.
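The EOT container taviso describes (browser → t2embed → GDI) is a thin envelope around sfnt font bytes, and the envelope can be screened long before a font engine touches the payload. The Python below is an added example for this thread, not code from the poster or from Microsoft: it parses the fixed EOT header and the name strings as laid out in the W3C EOT member submission (magic 0x504C, the TTEMBED_TTCOMPRESSED and TTEMBED_XORENCRYPTDATA flags, the 0x50 XOR key), rejects wrappers whose declared sizes disagree with the container, and also shows the wrap-TTF-into-EOT step that non-IE browsers perform. The "fonts" it operates on are constructed byte strings with an sfnt tag and filler, not real fonts; version 0x20002 EUDC/signature fields are reported but not parsed.

```python
"""Screen an EOT (Embedded OpenType) envelope before any font engine sees it.

Added example, not from the thread or from Microsoft. Layout per the W3C EOT
submission; sample fonts below are constructed byte strings, not real fonts.
"""
import struct

EOT_MAGIC = 0x504C
TTEMBED_TTCOMPRESSED = 0x00000004    # font data is MicroType Express compressed
TTEMBED_XORENCRYPTDATA = 0x10000000  # font data is XOR-obfuscated with 0x50
XOR_KEY = 0x50
# Fixed prefix of every EOT: EOTSize, FontDataSize, Version, Flags, FontPANOSE(10),
# Charset, Italic, Weight, fsType, MagicNumber (all little-endian).
FIXED_FMT = "<IIII10sBBIHH"
FIXED_LEN = struct.calcsize(FIXED_FMT)  # 36 bytes
SFNT_TAGS = {b"\x00\x01\x00\x00", b"OTTO", b"true"}


def _read_string(blob: bytes, off: int):
    """One EOT string block: uint16 reserved, uint16 size, then size bytes of UTF-16LE."""
    if off + 4 > len(blob):
        raise ValueError("string block at offset %d is truncated" % off)
    _reserved, size = struct.unpack_from("<HH", blob, off)
    off += 4
    if off + size > len(blob):
        raise ValueError("string of %d bytes at offset %d overruns container" % (size, off))
    return blob[off:off + size].decode("utf-16-le", "replace"), off + size


def inspect_eot(blob: bytes) -> dict:
    """Parse the EOT envelope and report findings; ok is True only if nothing is off."""
    findings = []
    if len(blob) < FIXED_LEN:
        return {"ok": False, "findings": ["shorter than the 36-byte fixed header"], "names": {}}
    (eot_size, font_size, version, flags, _panose, _charset, _italic,
     _weight, _fstype, magic) = struct.unpack_from(FIXED_FMT, blob, 0)
    if magic != EOT_MAGIC:
        findings.append("bad magic 0x%04X" % magic)
    if eot_size != len(blob):
        findings.append("EOTSize %d != container length %d" % (eot_size, len(blob)))
    names, off = {}, FIXED_LEN
    try:
        for key in ("family", "style", "version", "full"):
            names[key], off = _read_string(blob, off)
        if version >= 0x00020001:
            names["root"], off = _read_string(blob, off)
    except ValueError as exc:
        findings.append(str(exc))
    else:
        if version >= 0x00020002:
            # Signature/EUDC fields sit between the root string and the font data;
            # not parsed here, so the payload position is unknown for this version.
            findings.append("version 0x%X EUDC fields not parsed" % version)
        elif off + font_size != len(blob):
            findings.append("FontDataSize %d does not end at container end (data starts at %d)"
                            % (font_size, off))
        elif not flags & TTEMBED_TTCOMPRESSED:
            head = blob[off:off + 4]
            if flags & TTEMBED_XORENCRYPTDATA:
                head = bytes(b ^ XOR_KEY for b in head)
            if head not in SFNT_TAGS:
                findings.append("uncompressed font data does not begin with an sfnt tag")
    return {"ok": not findings, "version": version, "flags": flags,
            "font_data_size": font_size, "names": names, "findings": findings}


def wrap_as_eot(font_data: bytes, family: str = "Sample", flags: int = 0) -> bytes:
    """Build a minimal version-1 EOT envelope around raw font bytes (the conversion
    step taviso says non-IE browsers perform before calling the system loader)."""
    def block(text: str) -> bytes:
        enc = text.encode("utf-16-le")
        return struct.pack("<HH", 0, len(enc)) + enc
    body = block(family) + block("Regular") + block("Version 1.0") + block(family)
    total = FIXED_LEN + len(body) + len(font_data)
    header = struct.pack(FIXED_FMT, total, len(font_data), 0x00010000, flags,
                         b"\x00" * 10, 1, 0, 400, 0, EOT_MAGIC)
    return header + body + font_data


# Constructed samples: an sfnt tag plus filler, not a real font.
CONSTRUCTED_TTF = b"\x00\x01\x00\x00" + b"\x00" * 12
GOOD_EOT = wrap_as_eot(CONSTRUCTED_TTF)
XORED_EOT = wrap_as_eot(bytes(b ^ XOR_KEY for b in CONSTRUCTED_TTF),
                        flags=TTEMBED_XORENCRYPTDATA)


def oversized_eot() -> bytes:
    """Same envelope with FontDataSize inflated beyond the container: must be rejected."""
    buf = bytearray(GOOD_EOT)
    struct.pack_into("<I", buf, 4, 0x7FFFFFFF)
    return bytes(buf)


if __name__ == "__main__":
    for label, sample in (("good", GOOD_EOT), ("xor", XORED_EOT), ("oversized", oversized_eot())):
        print(label, inspect_eot(sample))
```

The point of the check is the one taviso makes about layers of indirection: each layer that validates the container before handing it on is one more chance to drop a malformed file, and size consistency between the envelope and the payload is cheap to verify at a mail or web gateway without ever decompressing or rendering the font.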

Re:OK, just a second now... (1)

Culture20 (968837) | more than 4 years ago | (#30062542)

And what of people running old versions of IE on Solaris or Mac? There's no Win32k kernel mode driver there...

Legal generalization: (1)

Hurricane78 (562437) | more than 4 years ago | (#30060190)

Anyone running IE [Internet Explorer] is at risk here,

That statement is still true, even when the rest of it is missing. ^^

Then again, what does it give us, to help those, who were chosen by natural selection, to be punished?
Wouldn't it make more sense to block all packets coming from IE users?
Use the drive-by hole, to put a trojan on those systems, whose only purpose it is, to block all outgoing traffic, except Microsoft servers and their DNS mappings, until the system is updated. If the system is updated, the trojan restores everything, and deletes itself.

I think everything else just tells nature, to create even bigger idiots.

Before you get too worked up (1)

PNutts (199112) | more than 4 years ago | (#30061056)

Hop in your time machine and skip ahead two stories to the Lightweight Rootkit Protection post. TFA mentions nine real-world rootkits that target "that platform" (Ubuntu 8.04) and the 2.6 kernel. I know there are a cubic gazillion reasons to wear the "your OS sucks" t-shirt but I think some of that emotion should be put into action and get more eyes on the open code to identify issues before the bad girls do and/or trash your system (KK, I'm looking at you). I have the unrealistic goal of not having a problem in the first place as compared to patching it quickly.

How'd we get here? (1)

WheelDweller (108946) | more than 4 years ago | (#30061164)

It's now NEWS when Microsoft does its JOB. Hmm.

Why only MS patches... (1)

CannonballHead (842625) | more than 4 years ago | (#30061680)

Why no mention of the several dozen patches released in Snow Leopard 10.6.2? And they were only patches for Apple's latest OS. Unfortunately, those patches apparently aren't very interesting or something.

Microsoft. tsk tsk tsk. (0)

Anonymous Coward | more than 4 years ago | (#30061862)

Microsoft sucks in the fact that they take so long to discover these things. They ignore the millions of users who have been reporting these same flaws to them, and as such, are allowing more and more virus attacks to pop up. Windows is just now on version 7, whereas most Linux-driven platforms are on version 9 or higher and Mac is on 10.5. The reason: Mac and Linux devs actually listen, and it helps them to patch vulnerabilities like this quicker. Wake up and smell your userbase, Microsoft.
