
Security Firm VUPEN Claims To Have Hacked Windows 8 and IE10

samzenpus posted about 2 years ago | from the protect-ya-neck dept.


An anonymous reader writes "Windows 8 was released late last week, and already this week French security firm VUPEN says it has broken Microsoft's latest and greatest security features. The company claims it has developed a 0-day exploit for Windows 8 and IE10, by chaining multiple undisclosed flaws together."


have fun hacking an OS that few want to run (-1, Troll)

Joe_Dragon (2206452) | about 2 years ago | (#41848281)

have fun hacking an OS that few want to run

Re:have fun hacking an OS that few want to run (0, Troll)

Nyder (754090) | about 2 years ago | (#41848297)

have fun hacking an OS that few want to run

Yep, it's bad news for those 10 people that use it...

Re:have fun hacking an OS that few want to run (0)

Cute and Cuddly (2646619) | about 2 years ago | (#41848821)

10? That many?

Re:have fun hacking an OS that few want to run (5, Funny)

BronsCon (927697) | about 2 years ago | (#41849035)

Well, it's more than 01, less than 11, and still only a 2-bit binary integer.

Re:have fun hacking an OS that few want to run (0)

Doctor_Jest (688315) | about 2 years ago | (#41849931)

Up to, but not including, 10. Reads like an old Sun Microsystems license agreement, doesn't it? I remember their legalese included the phrase "up to, but not including, 2 processors" on a Solaris 9 agreement. :)

Re:have fun hacking an OS that few want to run (2, Informative)

tuppe666 (904118) | about 2 years ago | (#41848367)

It's a pretty common quote; basically it's about the unloved and unwanted Vista

http://www.microsoft.com/en-us/news/exec/steve/2008/10-12AdDay.aspx [microsoft.com]

"STEVE BALLMER: Vista is our best selling product ever. So, if that takes too much getting over -- we're not going to have products that are much more successful than Vista has been. We sold over 180 million copies in the first 18 months, quite successful."

Re:have fun hacking an OS that few want to run (0)

Anonymous Coward | about 2 years ago | (#41849547)

Well, it had one big selling point.

It had "up^Wdowngrade to XP" option when XP was no longer available to buy.

Re:have fun hacking an OS that few want to run (0)

Anonymous Coward | about 2 years ago | (#41849567)

Let's see, IE can't even load pages properly over a slower connection.

IE7: Jumps to Page Cannot Be Displayed error page.

IE8: See IE7, they never fixed the bug.

IE9: Throws 408 and 409 errors in place of the generic Page Cannot Be Displayed. Two browser versions later, they still didn't fix the bug. Rolled back to IE7 since at least it has a progress bar during page loading. (Idiots at Microsoft did away with it in IE9; just watch the circle spinning for however short or long.)

IE10: I don't run Windows 7 nor Windows 8. Don't care to. Don't care about IE10. Microsoft lost me as a customer beyond Vista 64-bit SP2.

Anyway, it doesn't surprise me that IE10 might still be a bug ridden POS with a few security holes.

Re:have fun hacking an OS that few want to run (1)

wonkey_monkey (2592601) | about 2 years ago | (#41850869)

IE8: See IE7, they never fixed the bug.

What bug, specifically, is this? Or have you just screwed up your IE and you're intent on blaming it on Microsoft?

Re:have fun hacking an OS that few want to run (1)

hawkinspeter (831501) | about 2 years ago | (#41850961)

How do you screw up a browser unless you're changing its code?

Re:have fun hacking an OS that few want to run (0)

Anonymous Coward | about 2 years ago | (#41852693)

by installing stupid toolbars and other things like BHOs

Thank you.. (-1)

Anonymous Coward | about 2 years ago | (#41848307)

Thank you captain obvious!

Lesser Target Security. (5, Funny)

TechyImmigrant (175943) | about 2 years ago | (#41848351)

I thought that little used operating systems were less vulnerable because fewer hackers would target them compared to popular, mass market operating systems such as Linux and MacOS.

Re:Lesser Target Security. (4, Informative)

Shoten (260439) | about 2 years ago | (#41848497)

Yes, but that effect covers casual attackers. When your attacker is well-resourced and determined to hack YOU...then it's not such a good thing, because they're willing to find the specific vulnerabilities in an obscure OS or application. Microsoft Windows gets pretty well wrung-out because of all the attention. For a long time, OSX was full of vulnerabilities until they started to get enough market share to become a good target. Then the flaws started getting detected and patched. But if a nation-state actor or large criminal organization had a reason to hack OSX, they probably would have looked for (and found) some 0-days on their own, then leveraged them.

Re:Lesser Target Security. (1)

Desler (1608317) | about 2 years ago | (#41852429)

For a long time, OSX was full of vulnerabilities until they started to get enough market share to become a good target. Then the flaws started getting detected and patched.

You mean programs like Java and Flash were full of vulnerabilities. Also, people manually installing trojans on their system is not an OS vulnerability. Care to share these "vulnerabilities" that weren't in third-party software or malware that users were installing themselves? Please post any examples of drive-by malware downloads, etc. that were actually OS flaws.

Re:Lesser Target Security. (1)

tlhIngan (30335) | about 2 years ago | (#41853647)

Please post any examples of drive-by malware downloads, etc. that were actually OS flaws.

Safari has/had nasty bugs that took advantage of the "auto-open safe files" default setting, which I think counts as they're distributed by the same vendor as the OS and it comes preinstalled.

I think QuickTime is similar as well a few malicious MOV files can get you hooped.

Bunches of flaws in the open-source software it comes with as well (though we usually attribute that to the software on Linux, and to OS X on OS X. So an Apache flaw would be reported as an Apache flaw on Linux, or an OS X "Webserver" flaw on OS X...).

Windows insecure, Linux difficult (0)

aNonnyMouseCowered (2693969) | about 2 years ago | (#41849821)

I guess plenty of Slashdot discussions still revolve around the "reputations" these two OS types established at the start of the millennium. It's nice for a joke or two, or for some clueless fanboy to rant about. But the latest Windows and Linux releases are roughly at the same level of in/security and difficulty/ease of use, bar things like misbehaving user programs and unsupported hardware. The moral here may be that if you're starting a new software product you have to put equal attention into these two things.

Re:Windows insecure, Linux difficult (1)

TechyImmigrant (175943) | about 2 years ago | (#41849847)

The moral here maybe that if you're starting a new software product you have to put equal attention into these two things.

Software? I design cryptographic hardware for a living you insensitive clod!

Re:Windows insecure, Linux difficult (1)

Anonymous Coward | about 2 years ago | (#41849967)

Bull [cough] Shill [cough] Shit

Re:Windows insecure, Linux difficult (1)

Seeteufel (1736784) | about 2 years ago | (#41851141)

I expect those fanboys to run Windows 8s = Windows Aids and search for bugs and vulnerabilities. Actually, I never had a virus with Linux, and my drupal server was only once compromised. The reason I like windows is that third party apps just work, the reason why I use Linux is the shell and multiple desktops. I mostly need Firefox and Thunderbird and Irssi, that is all.

Re:Lesser Target Security. (1)

mevets (322601) | about 2 years ago | (#41850245)

MicroSoft released a pretty decent surface.

crickets..

Re:Lesser Target Security. (-1)

Anonymous Coward | about 2 years ago | (#41852403)

Man, you Linturds must be pretty butthurt that Windows 8 was still used by vastly more people than Linux even before RTM or official release. Consumer preview users dwarfed Linux by several times.

Windows RT? (1)

Gaygirlie (1657131) | about 2 years ago | (#41848401)

I wonder if their hack could be used on Windows RT to gain low-level access to the system, allowing one to essentially jailbreak the thing and let one side-load apps on it. I'm not planning to buy a Windows RT tablet, and one of the reasons is exactly the fact that I am only allowed to install stuff from Windows Store; a fully-working jailbreak would at least make the thing slightly more useful.

Re:Windows RT? (1)

Anonymous Coward | about 2 years ago | (#41848503)

You can side-load apps on RT. ;)

Re:Windows RT? (2)

Gaygirlie (1657131) | about 2 years ago | (#41848523)

Really? How? Because even Microsoft's own website doesn't say that. You can only side-load things if you have a proper license for that, meaning that you need to be a large company with a contract with Microsoft.

Re:Windows RT? (5, Informative)

Gaygirlie (1657131) | about 2 years ago | (#41848627)

To back up what I just said: http://msdn.microsoft.com/en-us/library/windows/hardware/hh825613.aspx [microsoft.com]

[August 2012] Sideloading apps on Windows 8

Sideloading is supported on the following editions when you activate a sideloading product key:

        Windows 8 Pro

        Windows 8 Enterprise*

* The sideloading product key is not required with Windows 8 Enterprise when the computer is joined to an active directory domain.

Note: Sideloading is also supported on Windows RT. The group policy service is not enabled by default on Windows RT. You must enable the service before policies can be applied to the computer.

To sideload line-of-business apps on Windows Server 2012, the computer must be joined to an active directory domain.

For more information, see How to Add and Remove Apps.

In other words a side-loading key is needed. Ordinary users won't get that and won't be able to side-load.

Re:Windows RT? (5, Informative)

cbhacking (979169) | about 2 years ago | (#41849351)

Actually, getting a sideloading key is dead easy. You have to run Powershell as Admin, then type Show-WindowsDeveloperLicenseRegistration (or just "show-wi" and hit Tab). Enter Windows Live credentials - anything, including a throw-away account created for the purpose, will work - and boom, you are unlocked for sideloading. Works on Windows 8 (Pro, Enterprise, or otherwise) and on Windows RT (tested it on a Surface).

http://msdn.microsoft.com/en-us/library/windows/apps/Hh974578.aspx [microsoft.com]

I don't know what's up with that old data that says you can't. That's been bouncing around for almost a year, and as far as I can tell it was *never* true, even on pre-release versions. You've been able to unlock Win8 for sideloading since the first preview builds came out! It's as though there's two completely different teams talking about this. Well, three (the one that says *only* Store apps are allowed) but the last one is the marketing team trying to keep the n00bs from getting confused; they are safely ignorable. Fortunately, the team that supports the more open approach is the one that is correct.

Re:Windows RT? (4, Interesting)

Microlith (54737) | about 2 years ago | (#41849637)

Yes, you can go through a ridiculously complex process to install a key that will expire and Microsoft can revoke so that you can run some software on your system. It's more akin to Apple's extreme restrictions on side loading than Android's 3rd party sources checkbox. The only difference is that Microsoft isn't charging you $99 to get one. You're still at Microsoft's mercy, and no one can use your application unless they too are capable of repeating the steps.

I don't know why people keep defending this. It's designed explicitly to inhibit people from using it and bypassing the store.

Re:Windows RT? (1)

westlake (615356) | about 2 years ago | (#41851389)

Yes, you can go through a ridiculously complex process to install a key that will expire and Microsoft can revoke so that you can run some software on your system.

Let's be honest here:

The geek sideloads.

The convenience and security of the app store and the apps sideloaded by their school, employer, etc., trumps all other considerations for others. How many casual Linux users install apps that haven't been packaged and "marketed" for their distribution?

Install Visual Studio Express and the recreational or student programmer can renew his key in one or two clicks.

Re:Windows RT? (0)

Anonymous Coward | about 2 years ago | (#41850249)

So, open power shell, type a command, sign in with a live ID. Damn, that's complicated!

Re:Windows RT? (5, Insightful)

Anonymous Coward | about 2 years ago | (#41850637)

Well - that was the main complaint about Linux.

And now -using windows- it is suddenly a no-brainer?

Wow... just wow!

Re:Windows RT? (0)

Anonymous Coward | about 2 years ago | (#41852963)

And one of the main complaints about Windows has been its ineffectual CLI for power users.

So here we are in a power user situation and you need to use the quite effective, relatively new CLI. Cats and dogs living together. The end of the world.

Re:Windows RT? (2)

Cowmonaut (989226) | about 2 years ago | (#41852843)

Alright, throwing away mod points but you are completely dead wrong. You clearly do not understand how sideloading works in Windows 8.

Per Microsoft, sideloading is installing an app without the Store. With Windows 8 you have to have two things in order to sideload an app:

1. You need either the fully packed installer (which you cannot apparently save on your computer and can only download through the Windows Store app proper; going to the Windows Store page in a web browser doesn't give you any options to install or download) OR you need the unpackaged app including its .MAIN file.

2. You need the product key for the specific app.

Both of these things you will only have if you are the original developer of the app or if the original developer deigned to share it with you. They won't, since that essentially gives you their source code and ability to steal their product from them.

To make things even worse, you need these items in order to "provision" an app (MS' term) prior to running Sysprep on an image.

Basically, unless it's a Line of Business (LOB) app that was developed internally by your company, you cannot sideload or provision an app in Windows 8.

It's hilarious, since we are using Windows 8 for a project for Microsoft and their own OS is stopping the things they want from happening. In my opinion, they listened to marketing guys who don't fully understand how people actually use Windows in a business environment so that they could get accurate data for individual usage. Everything they have done is 100% anti-business. The Windows Store is only fit for home consumer use, and even then...

The real clincher to me that Microsoft is losing its mind and trying to piss off their Enterprise customers is that as an IT admin you are incapable of managing the Windows Store outside of disabling access to it. Any updates that need to be done, have to be done by the user. You have to have a Windows Live account for it, logged in, and you can't fix license sync issues with the apps except through a manual process.

Windows 8 is just a disaster for business.
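Added example, not code from this thread or from Microsoft: the two Windows 8 sideloading paths argued over above (cbhacking's per-machine developer license, and the enterprise LOB policy-plus-provisioning route Cowmonaut describes), run from an elevated PowerShell prompt. The cmdlets are the ones that ship with Windows 8 / Server 2012 (WindowsDeveloperLicense, Appx and DISM modules); the package path, package name and registry value check are assumptions for illustration, and the .appx is assumed to be signed by a certificate the machine already trusts.

```powershell
# Added example (not from the original thread). Walks Windows 8 sideloading:
# (a) the time-limited developer license tied to a Microsoft account, and
# (b) the enterprise path: "Allow all trusted apps to install" policy plus
#     provisioning the package into the image before Sysprep.
# Package path/name below are placeholders.

$me = [Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()
if (-not $me.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an elevated PowerShell prompt.'
}

# (a) Developer license: check it before relying on it; it expires and can be
#     revoked. Show-... opens the sign-in dialog only when no valid license exists.
$lic = Get-WindowsDeveloperLicense
if (-not $lic.IsValid) {
    Show-WindowsDeveloperLicenseRegistration
    $lic = Get-WindowsDeveloperLicense
}
'Developer license valid: {0}; expires: {1}' -f $lic.IsValid, $lic.ExpirationTime

# (b) Enterprise path. The Group Policy "Allow all trusted apps to install"
#     writes this value (assumed location; verify on your build).
$appxPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Appx'
$allowAll = (Get-ItemProperty -Path $appxPolicy -Name AllowAllTrustedApps `
                -ErrorAction SilentlyContinue).AllowAllTrustedApps
'AllowAllTrustedApps policy: {0}' -f $(if ($allowAll -eq 1) { 'enabled' } else { 'not set' })

$pkg = 'C:\LOB\ContosoExpenses_1.0.0.0_x64.appx'   # placeholder path
if (Test-Path $pkg) {
    # Install for the current user only ...
    Add-AppxPackage -Path $pkg

    # ... or provision into the image so every new user profile gets it.
    # This is the step that must run before Sysprep. Needs the DISM module.
    Add-AppxProvisionedPackage -Online -PackagePath $pkg -SkipLicense
    Get-AppxProvisionedPackage -Online |
        Where-Object DisplayName -like 'ContosoExpenses*' |
        Select-Object DisplayName, Version, PackageName
}
```

The developer-license path unlocks the machine, not the package: anyone who wants to run the app must repeat the sign-in on their own device and re-run it when the license lapses, which is the restriction Microlith objects to. The provisioning path needs no developer license but does need a package signed with a certificate already in the machine's trust store and, on Windows RT and non-domain-joined Windows 8 Pro, the sideloading product key quoted from the MSDN page above.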

Re:Windows RT? (3, Insightful)

tuppe666 (904118) | about 2 years ago | (#41848599)

Windows RT is going to be hell; it's hard to find accurate, reliable information about anything. From Wikipedia http://en.wikipedia.org/wiki/Windows_RT [wikipedia.org] it claims:

"Perhaps the biggest change is that Windows RT will only run applications that have been included in Microsoft's App store. This requires certification by Microsoft that they consider the application to be suitable."

and obviously

"Users will not have an option to disable UEFI secure boot on Windows RT systems. As a result, only operating systems that have been signed for secure boot by their developers can be installed"

Re:Windows RT? (3, Insightful)

tuppe666 (904118) | about 2 years ago | (#41848519)

I wonder if their hack could be used on Windows RT to gain low-level access to the system, allowing one to essentially jailbreak the thing and let one side-load apps on it. I'm not planning to buy a Windows RT tablet, and one of the reasons is exactly the fact that I am only allowed to install stuff from Windows Store; a fully-working jailbreak would at least make the thing slightly more useful.

Why buy a closed device, when open devices like Google's Chromebook are available cheaper and aren't locked? Excusing manufacturers for their abusive behaviour... and giving them money, never persuaded any manufacturer to be more open.

Re:Windows RT? (1)

Gaygirlie (1657131) | about 2 years ago | (#41848579)

I did say I'm not planning to buy one, so you're barking up the wrong tree.

Re:Windows RT? (1, Insightful)

Jaktar (975138) | about 2 years ago | (#41848811)

Why buy a closed device, when open devices like Google's Chromebook are available cheaper and aren't locked? Excusing manufacturers for their abusive behaviour... and giving them money, never persuaded any manufacturer to be more open.

Exchanging your control of the device for having every piece of information scanned, categorized, and resold by Google would be reason enough for someone to buy a Win RT tablet. The grass isn't always greener on the other side of the fence. The only difference between the grass is that different dogs shit on either side. I've flashed many different ROMs to my Kindle, I've owned a Playbook, I have a Linux netbook. Pretty much every OS sucks in its own special way. If the only thing that sucks about WinRT is that it's "closed", then I'll take one.

Re:Windows RT? (0)

Anonymous Coward | about 2 years ago | (#41848957)

Exchanging your control of the device for having every piece of information scanned, categorized, and resold by Google ...

If your only response is to lie relentlessly, then I suppose it's safe to ignore all your arguments.

Re:Windows RT? (5, Informative)

tuppe666 (904118) | about 2 years ago | (#41849007)

I'm sorry to disagree with you. Clearly you have an issue with Google. It is untrue that they sell your information. Their business model does not allow that. The whole point is they will *never* sell your information... they sell targeted ad space. They are advertisers just like Apple and Microsoft.

On the point of privacy. Clearly you have not installed Windows 8. Its defaults are appalling, and you're being insincere in implying Microsoft is better.

The bottom line though is I personally would like a device where I can choose to install whatever OS. The reason being I personally quite like the look of the oversized trackpad on the Chromebook, and the ability to install Debian, and it being good value, all three features lacking on Windows RT devices.

Re:Windows RT? (0)

Anonymous Coward | about 2 years ago | (#41851563)

"It is untrue that they sell your information." That may be true - but Google RENTS your information - Google says to advertisers, "We have users with profiles that align with your desired profiles. Pay us and we'll place ads that these users will see." That's really close to selling user information.

Re:Windows RT? (1)

Jaktar (975138) | about 2 years ago | (#41851715)

This is straight from the Google privacy page:

http://www.google.com/intl/en/policies/privacy/key-terms/#toc-terms-sensitive-info [google.com]

Information we share

We do not share personal information with companies, organizations and individuals outside of Google unless one of the following circumstances apply:

With your consent

We will share personal information with companies, organizations or individuals outside of Google when we have your consent to do so. We require opt-in consent for the sharing of any sensitive personal information.

Sensitive personal information This is a particular category of personal information relating to confidential medical facts, racial or ethnic origins, political or religious beliefs or sexuality.

Read that again. It's opt-in only if it's "sensitive personal information". For everything else, unless you "opt out" you've already given Google your consent and they are free to share your information with other companies. The types of things that are included in that *everything else* are a hell of a whole lot.

Tell me I'm wearing a tinfoil hat, that's fine. I know Google isn't the worst of all companies. The real problem is scale. They're everywhere. If you're comfortable with giving up privacy for free stuff, that's certainly for you to decide. Google is waiting with open arms for you.

As far as the default settings for Win8 being atrocious, I can't comment. You didn't provide any specific concerns about them.

Re:Windows RT? (1)

Raenex (947668) | about 2 years ago | (#41851927)

It is untrue that they sell your information. Their business model does not allow that. The whole point is they will *never* sell your information...they sell targeted AD space.

Where "targeted AD space" is based on information all about you. Maybe they aren't reselling your name + information, but they sure are collecting it. Facebook requires real names, and Google has gone chasing after that policy, starting with Google+. Just the other day YouTube oh so helpfully wanted me to upgrade my account to my real name. I was able to decline it... for now.

Re:Windows RT? (0)

Anonymous Coward | about 2 years ago | (#41852185)

I'm sorry. Could you remind me who owns Doubleclick again?

Re:Windows RT? (3, Insightful)

thoth (7907) | about 2 years ago | (#41849341)

Exchanging your control of the device for having every piece of information scanned, categorized, and resold by Google would be reason enough for someone to buy a Win RT tablet.

So Microsoft has stated they will guarantee full privacy of your info that is stored in SkyDrive?

If you're going to pull the "grass isn't always greener" argument, then Microsoft still loses, as their device is more expensive, with everything else (their treatment of your data) the same.

Re:Windows RT? (2, Insightful)

LordLucless (582312) | about 2 years ago | (#41849743)

Exchanging your control of the device for having every piece of information scanned, categorized, and resold by Google would be reason enough for someone to buy a Win RT tablet

Well, gee, it's lucky Google doesn't scan, categorize and resell every piece of information on your device then, isn't it? FUD much?

Re:Windows RT? (1)

Anonymous Coward | about 2 years ago | (#41849891)

The only part of that statement that can be debated is "resold." But you can be damn sure the other verbs apply.

Re:Windows RT? (1)

LordLucless (582312) | about 2 years ago | (#41849969)

Well, thank goodness I've got your assurances Anonymous Coward.

Re:Windows RT? (2)

blind biker (1066130) | about 2 years ago | (#41849901)

If the only thing that sucks about WinRT is that it's "closed", then I'll take one.

Windows RT (WinRT is the new API, Windows RT is the new OS) is not "closed", it is closed, and that's not the only thing that sucks about it.

Re:Windows RT? (3, Interesting)

pentadecagon (1926186) | about 2 years ago | (#41850775)

With Microsoft you have worse privacy than with Google. They collect at least the same amount of information, and because everything is closed you never know what else they transmit and collect.

Re:Windows RT? (0)

Anonymous Coward | about 2 years ago | (#41850151)

Let's see, I can buy a more expensive device that has the applications and ecosystem that I prefer, and I don't really care that it is sandboxed because it does not impair my use case in any way. Or I can buy a cheaper unlocked device that runs nothing of any interest to me and I have no desire to exercise the capabilities gained by its unlocked state. It's really a pretty easy decision.

Win 8 Pro or RT or Both? (0)

Anonymous Coward | about 2 years ago | (#41848449)

Does this affect one or both of the flavors of 8?

On the bright side, your typical hacker won’t be able to figure this one out either: Windows 8 raises the security bar even higher than before, and if it was easy, someone would have beaten VUPEN to it long ago.

And who thinks that other hackers won't figure this out?

captcha: untried

Re:Win 8 Pro or RT or Both? (4, Insightful)

Gaygirlie (1657131) | about 2 years ago | (#41848505)

On the bright side, your typical hacker won’t be able to figure this one out either: Windows 8 raises the security bar even higher than before, and if it was easy, someone would have beaten VUPEN to it long ago.

And who thinks that other hackers won't figure this out?

More precisely, who says the other hackers would disclose it if they found such vulnerabilities? There's plenty of profit to be earned in vulnerabilities in the black market.

Re:Win 8 Pro or RT or Both? (0)

Anonymous Coward | about 2 years ago | (#41850055)

You didn't RTFA, did you? That's exactly what these guys do. They're not a "security company" at all. Pack of cunts would be more appropriate.

If you’ve never heard of VUPEN, that’s because it isn’t your typical security company. The firm finds exploits in popular software from major technology companies like Microsoft, Apple, and Google, only to sell the details to governments around the world and various other parties willing to write massive cheques.

Re:Win 8 Pro or RT or Both? (-1, Troll)

Anonymous Coward | about 2 years ago | (#41850479)

They're not a "security company" at all. Pack of cunts would be more appropriate.

That's right, they're French.

Hack Windows? (0)

Anonymous Coward | about 2 years ago | (#41848487)

Open a command prompt as administrator and type

del /F /S c:\*.*

Re:Hack Windows? (4, Funny)

ThatsMyNick (2004126) | about 2 years ago | (#41848563)

I tried that. But it did not hack the computer I was trying to hack. And now my computer is not working either.

Re:Hack Windows? (1)

History's Coming To (1059484) | about 2 years ago | (#41848985)

Next time try targeting 127.0.0.1 - it's a far easier target.

Re:Hack Windows? (0)

Anonymous Coward | about 2 years ago | (#41850341)

I happen to have just the right tools, I'm gonna show that bastard.

NO CARRIER

Re:Hack Windows? (1)

cdxta (1170917) | about 2 years ago | (#41849447)

don't forget /q

4 chained flaws to be exact! (5, Funny)

stillpixel (1575443) | about 2 years ago | (#41848567)

1. They bought Windows 8. 2. They Installed Windows 8. 3. They connected Windows 8 to the internet. 4. They surfed goatse with IE10.

Re:4 chained flaws to be exact! (1)

History's Coming To (1059484) | about 2 years ago | (#41849011)

+1 Insightful. The computer savvy of Windows users will always be its weakest point, purely because it's the only interface for "I hate computers" people.

Hardly surprising, it's still a baby. (0)

BPPG (1181851) | about 2 years ago | (#41848597)

Considering that W8 still has that new OS smell, this is hardly surprising. Like any piece of software, it will take a while before it is provably secure. Microsoft may not have the worst QA department in the world, but the only way to really put it through its paces is to let the world bang on it like it is now.

The real question is, how many 0-days haven't been announced?

Re:Hardly surprising, it's still a baby. (4, Insightful)

hobarrera (2008506) | about 2 years ago | (#41848931)

It's sad to see that MS has dominated the market for so long that exploits seem acceptable and it's insightful to claim this. Software should be well-written before you start charging for it. Period.

OpenBSD has only had 2 remote security holes in several dozen releases, in over 15 years. Why is it acceptable that something you pay for has had thousands more every release?

Re:Hardly surprising, it's still a baby. (0)

Anonymous Coward | about 2 years ago | (#41849091)

Computers were built on trust, it's an inherent flaw in their design.

OpenBSD vs Windows. I wonder which would be viewed more enticing to find exploits in....

Re:Hardly surprising, it's still a baby. (0)

smash (1351) | about 2 years ago | (#41849271)

To be fair, if you compare the functionality of an OpenBSD "default install" (which is all they count the vulnerabilities in) to a Windows 8 installation, it is hardly comparable. Now I hate Windows 8 as much as anyone, but this comparison simply isn't worth much.

Re:Hardly surprising, it's still a baby. (0)

Anonymous Coward | about 2 years ago | (#41850297)

That's the problem. The client Windows is not delivered hardened, with services and features enabled as needed and the way needed. The server version, on the other hand, is moving faster to that particular direction.

Re:Hardly surprising, it's still a baby. (0)

jones_supa (887896) | about 2 years ago | (#41850359)

How surprising some slashtard were to mod you down.

Not surprising at all (1)

SmallFurryCreature (593017) | about 2 years ago | (#41850987)

I am a Linux user because of this exchange:

Me to tech department: "Hi, I need to set up an FTP server with anonymous access only, for people to download our company's installer who have problems getting it through HTTP."

BSD user: FTP is insecure because passwords are plain text.

Linux user: You can run proftp for a simple open FTP with just one directory in a chroot jail, so it is perfectly safe and accessible.

Basic openbsd is plain useless and out of date, start updating and adding stuff you need, and they stop counting security holes. If openbsd was a car, it would be the safest car in the world. It would also never ever have moved out of the garage.

In the real world you need to trade security for functionality. Let BSD guy loose on your systems and nobody can hack into them, and neither can anyone use them. You get the perfectly secure system and all your developers and users leave you because the system is unusable. The BSD admin will not only insist on 20 character passwords that are a mix of characters, numbers, symbols and arcane spells but insist usernames follow a similar pattern. And for mobile access as well. 4 digit unlock on company phone? NOOOO! INSECURE!!!! 12 char password at least and mix of caps, characters, reading symbols and DNA sample!

And then they wonder why everyone spends all their time working around the system. Was so bad in one company that all work was getting done on laptops over mobile connections because getting things done through channels just took too fucking long.

Next BSD release will be called concrete: you pour concrete over your computer and it will be very secure!

Re:Not surprising at all (0)

Anonymous Coward | about 2 years ago | (#41851225)

It looks like you accidentally duplicated the second half of your comment.

uplicated the second half of your comment.

Re:Not surprising at all (0)

Anonymous Coward | about 2 years ago | (#41851627)

It depends on what you use it for. OpenBSD has full functionality for being a great router/firewall out of the box. BGP, OSPF, all these things where on Linux you'll have to install (oh wait, not popular enough, it's on another DVD) afterwards. Also its userland is complete, no surprises with a minimal install; all the Unix utilities which you should have are there. You don't have to trade security for functionality imho. There's an ftpd included in the base system; I even run it on some sites without problems. There are better alternatives though. I worked at a place (ISP) which ran all its systems on FreeBSD and OpenBSD and I can tell you they were very usable.

Re:Not surprising at all (0)

Anonymous Coward | about 2 years ago | (#41851629)

If I need a break from sysadmin work can I come join you under your rock?

1) This isn't BSD vs Linux.
2) Usernames following a pattern is good practice. The BSD admin will use long secure passwords for himself and critical accounts and advise the others. (Passwords don't help if they don't even bother to lock the screen. Have a functioning backup for that.)
3) I don't worry about ftp in a real jail (man jail). Better than chroot.

Switching systems because of the sysadmin's stance (which might even be company-enforced) is plain dumb. It has nothing to do with the system. ATM I prefer BSD, because some Linux changes don't make sense if the computer isn't a desktop, and I don't mind a little more typing if I do it once per setup (the user won't notice it anyway). I hate regressions.

Re:Not surprising at all (1)

hobarrera (2008506) | about 2 years ago | (#41852233)

I am a Linux user because of this exchange:

Me to tech department: "Hi, I need to set up an FTP server with anonymous access only, for people who have problems getting our company's installer through HTTP to download it."

BSD user: FTP is insecure because passwords are plain text.

Whoever gave you this answer is a moron. There's no plaintext password if it's an FTP for anonymous users.

Re:Hardly surprising, it's still a baby. (0)

Anonymous Coward | about 2 years ago | (#41850129)

So you want to compare a default install of OpenBSD, which is basically useless to the average person as it has nothing installed, to a usable install of Windows? I hate MS with the best of them, but this is a moronic comparison. OpenBSD has very few exploits because it comes with nothing installed and is only slightly more useful than a boat anchor till you install stuff.

Re:Hardly surprising, it's still a baby. (0)

Anonymous Coward | about 2 years ago | (#41850741)

But OpenBSD is also useless. It doesn't even support essential security features like 802.1X.

Re:Hardly surprising, it's still a baby. (1)

Ash-Fox (726320) | about 2 years ago | (#41851403)

Software should be well-written before you start charging for it. Period.

How do you assess if it's well written?

From what I understand of Microsoft's development cycle, they do employ third parties to do security penetration testing on their systems before release as well as numerous other sorts of audits from manual to automated testing.

What would you suggest they do to reach your level of 'well written'?

OpenBSD has only had 2 remote security holes in several dozen releases

Out of the box with the default installation.

Of course, nobody uses OpenBSD in its default configuration because it's useless. There are bigger security problems with OpenBSD, such as the default of creating just a root user, no configuration of sudo out of the box, ssh enabled to permit root logins by default (therefore making it an excellent bruteforce target) and so many other daemons that retain an unsafe configuration by default (although, I emphasize, they aren't installed by default, so this magically makes it okay to the OpenBSD crowd). OpenBSD in this configuration doesn't help users learn the 'safe' way of using the system, and from experience, I have seen many who just continue using root for everything.

In reality, you will find that servers and desktops from SuSE or Ubuntu are more secure because of the enforcement of various policies. Ubuntu, for example, tries to ensure all the daemons run as regular users that don't have access to more than what they need. SuSE, on the other hand, focuses on having daemons jailed, so even if they are running as root, they don't have access to the rest of the system. They both have sane root and sudo policies: root by default is not accessible from remote systems; instead you need to enter via a regular user and use sudo to obtain access to higher-privileged commands.

OpenBSD really needs to update its security practices, because security these days is more than just kernel vulnerabilities and what the default configuration installs with the system (which is essentially 'nothing' on OpenBSD). The practice of blaming the user for using poor default configurations on daemons and poor user privilege management, which is encouraged by how the system is set up initially, does not help security.

Why is it acceptable that something you pay for has had thousands more every release?

If it's unacceptable, don't use it. So far, I find Microsoft's security practices somewhat more decent than OpenBSD's when it comes to default and usable configurations.

Re:Hardly surprising, it's still a baby. (1)

hobarrera (2008506) | about 2 years ago | (#41852197)

Software should be well-written before you start charging for it. Period.

How do you assess if it's well written?

From what I understand of Microsoft's development cycle, they do employ third parties to do security penetration testing on their systems before release as well as numerous other sorts of audits from manual to automated testing.

What would you suggest they do to reach your level of 'well written'?

It's not too hard to determine when it's "well written": it's basically when the default install does not have security holes. I.e., not like Windows.

OpenBSD has only had 2 remote security holes in several dozen releases

Out of the box with the default installation.

Windows has security holes out-of-the-box with all the defaults set. No system is safe if a user reconfigures it. What OS can protect me from a user who sets his password to his birthdate?

Of course, nobody uses OpenBSD in its default configuration because it's useless. There are bigger security problems with OpenBSD, such as the default of creating just a root user

The installer quite clearly offers a choice to create a non-root account

, no configuration of sudo out of the box, ssh enabled to permit root logins by default (therefore making it an excellent bruteforce target)

This is only enabled if you skipped the step in which you can create a non-root user. If you only have root, then it's quite obvious you'll want to log in as root.

and so many other daemons that retain an unsafe configuration by default (although, I emphasize they aren't installed by default, so this magically makes it okay to the OpenBSD crowd).

[citation needed]

OpenBSD in this configuration doesn't help users learn 'safe' way of using the system and from experience, I have seen many who just continue using root for everything.

In reality, you will find that servers and desktops from SuSE or Ubuntu are more secure because of the enforcement of various policies. Ubuntu for example tries to ensure all the daemons run as regular users that don't have access to more than what they need to.

OpenBSD does this and chroots several daemons as well.

In any case, this is a fine example of yet another OS that cares about security to some degree, but it does not defend Windows' stance in any way.

SuSE on the other hand focuses on having daemons jailed, so even if they are running as root, they don't have access to the rest of the system. They both have sane root and sudo policies. Root by default not being accessible from remote systems and instead need to enter via a regular user and use sudo to obtain access to higher privileged commands.

Again, OpenBSD only suggests you don't disable remote root logins if you skipped the step where you create another user. For quite obvious reasons.

OpenBSD really needs to update their security practices because security these days is more than just kernel vulnerabilities and what the default configuration installs with the system (which is essentially 'nothing' on OpenBSD). The practice of blaming the user for the fact they are using poor default configurations on daemons and poor user privilege management which is encouraged by how the system sets up the system initially does not help security.

Why is it acceptable that something you pay for has had thousands more every release?

If it's unacceptable, don't use it. So far, I find Microsoft's security practices somewhat more decent than OpenBSD's when it comes to default and usable configurations.

1) Install XP on a PC.
2) Plug in an internet cable.
3) Sit back.
4) You now have an infected machine.

Windows 8 hasn't reached this point yet, but it's just a matter of time, as with every other release.

Re:Hardly surprising, it's still a baby. (1)

volxdragon (1297215) | about 2 years ago | (#41848993)

Like any piece of software, it will take a while before it is provably secure.

Provably secure? *snicker*

Re:Hardly surprising, it's still a baby. (1)

BPPG (1181851) | about 2 years ago | (#41849105)

Exactly. For example, I can prove that Windows 3.1 is secure on a modern network.

Re:Hardly surprising, it's still a baby. (0)

Anonymous Coward | about 2 years ago | (#41849177)

Very true as I doubt many people are writing 16-bit malware anymore! (Hey you did say 3.1 and not 3.11)

Re:Hardly surprising, it's still a baby. (1)

smash (1351) | about 2 years ago | (#41849283)

No it's not. Just because Windows 3.1 malware is not currently running rampant, it doesn't mean the old exploits like WinNuke (and others) aren't still available if someone wants to target you. In fact, if someone can exploit ANY application in Windows 3.1, they have system level access, as the old Windows versions prior to NT were not multi-user, and only had one security context.

Re:Hardly surprising, it's still a baby. (0)

Anonymous Coward | about 2 years ago | (#41850863)

you silly noob, winnuke exploited a vulnerability in the NETBIOS, in _win95_

Re:Hardly surprising, it's still a baby. (1)

gewalker (57809) | about 2 years ago | (#41849139)

You don't know much about VUPEN [forbes.com] -- they are expletive deleted low-lifes of the first order. VUPEN used their existing 0-day exploits from older versions of Windows -- and they don't tell the manufacturers about the exploits -- they only sell them for big bucks to government intell. agencies, etc.

Re:Hardly surprising, it's still a baby. (2)

1s44c (552956) | about 2 years ago | (#41853565)

You don't know much about VUPEN [forbes.com] -- they are expletive deleted low-lifes of the first order. VUPEN used their existing 0-day exploits from older versions of Windows -- and they don't tell the manufacturers about the exploits -- they only sell them for big bucks to government intell. agencies, etc.

If low-lives can find these zero days how come MS with their massive profits and massive install base can't find them first and fix them?

Maybe because fixing Windows is like polishing a turd.

Christmas (2)

koan (80826) | about 2 years ago | (#41848613)

Is what it must be like for malware authors when Microsoft releases a new OS.

Not surprising (0)

Richy_T (111409) | about 2 years ago | (#41848659)

Security generally advances through evolution, not revolution. After making significant advances in security from 3.1 to XP, Microsoft is all out of evolution and so they're just throwing in random shiny (and they've even run out of the semi-good stock of that).

So new code just for the sake of it and is it any wonder bugs come along with it?

One can only hope... (0)

Anonymous Coward | about 2 years ago | (#41848695)

...Microsoft is able to warn both users in time.

wow (0)

Anonymous Coward | about 2 years ago | (#41848747)

it took *that* long to get exploited?

This is important ... (1)

stevez67 (2374822) | about 2 years ago | (#41848941)

... NOT. All the fuss about zero day exploits and the only people who ever use them are the ones who find them and the engineers who plug the holes. No big take-down of masses of people, no crippled companies, no nothing.

Re:This is important ... (1)

BPPG (1181851) | about 2 years ago | (#41849131)

only people who ever use them are the ones who find them and the engineers who plug the holes.

If people were going to use a 0day maliciously, then they wouldn't have announced it. In which case the engineers wouldn't be involved until after it was found in the wild.

Re:This is important ... (1)

Anonymous Coward | about 2 years ago | (#41849441)

VUPEN isn't going to use the zero day maliciously. They're just going to sell it to the highest bidder. Because that's the company's business model.

inforMative dickdCick (-1)

Anonymous Coward | about 2 years ago | (#41849111)

Re:inforMative dickdCick (0)

Anonymous Coward | about 2 years ago | (#41850379)

Informative dick-click: your penisbird will get blue, if you put too much rubber on it. By formality of progress, you get distracted. However we can plainly state that just "doing something" would be a lot slower.

Nig6a (-1)

Anonymous Coward | about 2 years ago | (#41849729)

Re:Nig6a (0)

Anonymous Coward | about 2 years ago | (#41850397)

Doing something beyond the scope of BSD is fundamental to the project again. That is the definition of giving to other people.

Thing is... (1)

WillyWanker (1502057) | about 2 years ago | (#41850273)

The sad thing is they think anyone actually cares.

If I may be allowed to... (1)

empgodot (1044446) | about 2 years ago | (#41850767)

Even though I lack any surprise in this announcement, and would actually have been surprised if no 0-day had arisen within the first week after release, please kindly allow me to express, and excuse if it may sound a little childish, my first reaction:

lol

Not shocked (4, Informative)

ledow (319597) | about 2 years ago | (#41851329)

It took me nearly a day to get an "Active Directory Users and Computers" icon on my Windows 8 Pro VM.

- First I have to download RSAT.
- It errors with random hex-code when run.
- Much googling (and no help in the MS KB) later, I find out it doesn't like being on a mapped shared drive (which is what VMware uses for its shared drive with the host).
- Copy to C:\, run it.
- It installs without error, but nothing happens after (nothing in Windows Features related to remote admin tools, no new icons).
- Much googling (and no help in the MS KB) later, it turns out I don't have the en_US language installed and it won't work without it (despite the computer being en_GB!) but will just die silently.
- Go to install language, get empty language lists.
- Think they must be on the CD, so point it at the original CD image. Nope. Nothing useful.
- Much googling (and no help in the MS KB) later, it turns out that because I'd disabled Windows Search, it totally stops the list of languages populating.
- Enabled Windows Search.
- Installed language.
- Still no joy.
- Much googling (and no help in the MS KB) later, it turns out that because I have disabled Automatic Updates, it won't actually download the language pack (or error, or tell you that, or anything).
- Re-enabled, got the language pack (150Mb!)
- Reinstalled the MSU
- Finally get "Users and Computers".

It doesn't shock me that in that mess of code there might be a security feature or two that's lax. I mean, seriously? Half the things had no error code or even message to say they weren't going to work or why and those that did provided zero useful information.

- You can't install an MSU from a network-mapped drive (even if it appears as a mapped drive Z:!)
- You can't install RSAT with only en_GB enabled.
- You can't even see the languages available without Windows Search enabled (WTF?)
- You can't install a language without Automatic Updates enabled (Again, WTF?)
- You have to know all this to get Users & Computers working (which, if I remember rightly, is installed by default on most "Pro" versions of Windows or at worst was an Add/Remove Windows Feature kind of deal from the initial install disk).

I'm not surprised, with that amount of cross-interaction between COMPLETELY unrelated components, complete lack of user feedback, and random interactions, that there's a few security problems cropping up.

And that's not even the worst experience I've had with a clean Windows 8 VM image from an official Windows 8 ISO with a proper Windows 8 Pro Product Key. I actually managed to BSOD the VM within hours of install, not by even doing anything remotely interesting.

Re:Not shocked (1)

cyber-vandal (148830) | about 2 years ago | (#41851587)

I feel your pain. Microsoft Dynamics CRM regularly throws up such gems as "An unknown error has occurred" which you then have to spend days trying to figure out via Google or in extreme cases disassembling the DLLs. Microsoft just seem totally averse to providing decent error messages or any documentation to suggest what caused the error message. I see the new blue screen doesn't have any "scary" useful information on it any more either.

Re:Not shocked (2)

bertok (226922) | about 2 years ago | (#41851781)

I had a similar experience when I was asked to evaluate Hyper-V as a potential replacement for VMware ESX server. The installer failed because I didn't use the en-US keyboard.

I laughed, didn't even bother trying to fix the problem, and told my boss that there's no way in hell we're trusting our infrastructure to a hypervisor that depends on the keyboard layout to function. That's a blatant sign of shoddy engineering.

Here's another example for you: Windows Server 2008 R2 will not run a PowerShell script from a network share by default. So, here's the process:

- The error message will tell you to enable script execution.
- Run "Set-ExecutionPolicy Unrestricted -Force"
- Run the script again. It runs, but only after a "safety" prompt. This breaks your unattended workflow. No helpful tip this time.
- Much googling later, it turns out that it's IE's Enhanced Security Crap.
- Turn IE ESC off for Administrators.
- Still the same warning.
- Much googling later, you discover that downloaded script files are tagged with a hidden stream to mark them as potentially unsafe.
- Open the properties of the file, and click "Unblock".
- Still the same warning.
- Did you use ".com" as the suffix of your domain's FQDN? Oops, Windows now thinks that it's the "Internet", instead of the "Intranet", even though it's the same FQDN as the machine's own domain! Apparently that simple check was too hard to do, but looking for a bunch of variants of ".com" suffixes was easy.
- Go to the Tools menu of Internet Fucking Explorer, and add the name of the file server to the Intranet list. Obviously. Because that's the first place I'd look to make my console scripts work. O_o
- At this point, your script will work... for that user, and nobody else.
- Sigh, now to track down the setting in Group Policy, so it can be pushed out to all the servers.
- Unless the script needs to run before the machine is joined to the domain.
- Oh fuck it...

I suspect that one of the many root causes of this kind of shoddy engineering is that the "well trodden path" for Microsoft Engineers is a machine that's already joined to the Microsoft domain, with pre-prepared policies applied to it. They just don't use or test other scenarios enough. They don't work on non-domain machines. They don't work with keyboards other than en-US. They don't test scripts downloaded from the Internet, because when they developed PowerShell, there weren't any yet!
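
The blocked-script steps in the comment above, as an added example that is not part of the original comment and not Microsoft's own tooling or documentation: a diagnostic script that shows where the block actually comes from (execution policy scope, the Zone.Identifier stream, a dotted file-server name) so the fix can be targeted rather than `Unrestricted` everywhere. It assumes PowerShell 3.0 or later (for `Get-Item -Stream` and `Unblock-File`); the script path is supplied by the caller and the path in the comment is a placeholder.

```powershell
<#
  Added example, not code from the post or from Microsoft. Inspect why a
  script copied from a share is blocked, and clear the block deliberately
  instead of setting the execution policy to Unrestricted.
  Assumes PowerShell 3.0 or later (Get-Item -Stream, Unblock-File).
#>
param(
    [Parameter(Mandatory = $true)]
    [string]$ScriptPath   # placeholder, e.g. \\fileserver.example.test\scripts\deploy.ps1
)

function Get-ScriptZoneInfo {
    param([string]$Path)
    # The Zone.Identifier alternate data stream is the hidden "potentially
    # unsafe" tag the post describes. ZoneId 1 = Intranet, 2 = Trusted,
    # 3 = Internet, 4 = Restricted.
    $stream = Get-Item -LiteralPath $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    if (-not $stream) { return $null }
    $raw = Get-Content -LiteralPath $Path -Stream Zone.Identifier -Raw
    $zoneId = if ($raw -match 'ZoneId=(\d+)') { [int]$Matches[1] } else { $null }
    [pscustomobject]@{
        Path    = $Path
        ZoneId  = $zoneId
        Blocked = ($zoneId -ge 3)   # Internet/Restricted marks trigger the "safety" prompt
    }
}

function Test-IsUncPath { param([string]$Path) return ($Path -like '\\*') }

# 1. Effective execution policy per scope. MachinePolicy/UserPolicy entries
#    come from Group Policy and override whatever Set-ExecutionPolicy wrote.
Get-ExecutionPolicy -List | Format-Table -AutoSize

# 2. Zone mark on the script itself.
$info = Get-ScriptZoneInfo -Path $ScriptPath
if ($info) { $info | Format-List } else { "No Zone.Identifier stream on $ScriptPath" }

# 3. A UNC host name containing a dot is zoned as Internet by the default
#    zone rules unless the host is in the Local intranet site list; that is
#    why the ".com" FQDN in the post tripped the warning.
if (Test-IsUncPath $ScriptPath) {
    $hostName = ($ScriptPath -split '\\')[2]   # \\server\share\file -> 'server'
    if ($hostName -match '\.') {
        "Host '$hostName' is dotted; it is zoned as Internet unless listed as intranet."
    }
}

# 4. Remediation, to run only after reviewing the script contents:
#    - clear the mark on this one file rather than trusting the whole share;
#    - use RemoteSigned (local scripts run; marked scripts must be signed)
#      rather than Unrestricted, and push it via Group Policy for the fleet.
# Unblock-File -LiteralPath $ScriptPath
# Set-ExecutionPolicy RemoteSigned -Scope LocalMachine -Force
```

Run it with the path of the script that prompted, e.g. `.\Inspect-ScriptBlock.ps1 -ScriptPath '\\fileserver.example.test\scripts\deploy.ps1'` (hypothetical file name and path). The two remediation lines are commented out on purpose: the point of the check is to decide between unblocking one reviewed file and changing a machine-wide policy, and to make that decision visible in Group Policy rather than in one user's IE settings.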

I don't believe it! (1)

1s44c (552956) | about 2 years ago | (#41853449)

Security holes! In Windows!

It's just like every other release from Microsoft then, bug ridden and insecure.
