Beta
×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

MS: Windows Phone 8 Wi-Fi Vulnerable, Cannot Be Patched

timothy posted 1 year,24 days | from the is-there-a-workaround-for-the-workaround? dept.

Handhelds 146

Freshly Exhumed writes "Microsoft advises that a cryptographic problem in the PEAP-MS-CHAPv2 protocol used in Windows Phone 8 to provide WPA2 authentication allows a victim's encrypted domain credentials to be collected by an attacker posing as a typical WiFi access point. Redmond further states that this problem cannot be patched, although a set of manually entered configuration changes involving root certificates on all WP8 phones and on WiFi access points will apparently address the issue. WP7.8 phones are likewise vulnerable."

cancel ×

146 comments

Sorry! There are no comments related to the filter you selected.

Can't you protect it with HOST files? (-1, Troll)

Anonymous Coward | 1 year,24 days | (#44508589)

paging apk

Re:Can't you protect it with HOST files? (5, Interesting)

Anonymous Coward | 1 year,24 days | (#44508893)

Robert Scoble is a former technology evangelist at Microsoft who decided to leave the company in June 2006 to become the vice president of Podtech.net. At that time, it was believed that Scoble had resigned because he was looking for a higher salary elsewhere.

Innovation is the key, he said, pointing out that Microsoft had completely failed to get itself noticed in the tablet and smartphone markets.

"Since I've left [Microsoft], what have they done that's interesting? Microsoft [Xbox] Kinect is the only thing I can think of and for a company that has 90,000 employees, to have only one product that you can point to that's innovative, that's pretty disappointing I think,” he said according to The Age.

"Compare that to Google, which is showing you self-driving cars, Google Glass and a phone that you can talk to, the Moto X, and on and on — automatic picture improvements on Google+ — It's a much more innovative company that is driving the future harder and faster."

One of the reasons why Microsoft fails to innovate right now is the current leadership, Scoble explained, revealing that Steve Ballmer is actually trying to make more money by rolling out innovative technologies.

“I just don't believe Steve Ballmer really likes the future. When I interviewed [him] he said innovation is something cool that makes a lot of money. And that's absolutely not true. [Google Glass] might never make a dollar but it's new, it's interesting [and] it causes conversations. If you're an innovator, you push the future ahead. You don't care whether it necessarily makes a dollar,” he continued.

http://news.softpedia.com/news/Former-Employee-Says-That-Microsoft-Is-Not-Longer-Cool-Blames-Steve-Ballmer-373770.shtml [softpedia.com]

Re:Can't you protect it with HOST files? (1)

cmurf (2833651) | 1 year,24 days | (#44511931)

They lack innovation because they lack imagination. Ballmer isn't a futurist. Until he, and the entire VP layer, are gone, we will not see innovation from Microsoft. "There's no chance that the iPhone is going to get any significant market share. No chance." That, in a world with craptastic cell phone UX. The typical houseplant knew it was a dead paradigm on life support, and anyone who came in to do a half way decent job would get significant market share. Microsoft desktop OS lifespan is 12+ years to the point most of it's users not only don't expect innovation, they don't want it. And then for the past ~4 years did the polar opposite with their mobile strategy by having zero legacy compatibility, to the degree hardware was being abandoned (no software updates) days after being announced.

Why can't it be patched? (5, Insightful)

metrix007 (200091) | 1 year,24 days | (#44508607)

If it can be fixed through manual configuration changes, why can't a patch make those same configuration changes?

Re:Why can't it be patched? (5, Funny)

i kan reed (749298) | 1 year,24 days | (#44508619)

Because the NSA won't let them?

Re:Why can't it be patched? (5, Informative)

Anonymous Coward | 1 year,24 days | (#44508659)

because the root certificate being installed is for the internal domain and Microsoft doesn't have that certificate.

please note: this is only for PEAP using domain credentials. not standard WPA2-PSK that just about everyone uses.

Re:Why can't it be patched? (4, Insightful)

Anonymous Coward | 1 year,24 days | (#44508747)

watch as your actual-factual answer languishes at 0 while the "funny" comment about the NSA gets +5 Insightful.

Re: Why can't it be patched? (0)

Anonymous Coward | 1 year,24 days | (#44508831)

Most people expect that any "manual configuration change" can be scripted, creating an automatic patch. It still doesn't make sense.

Re: Why can't it be patched? (1)

metrix007 (200091) | 1 year,24 days | (#44508873)

Really, why not? Configuration changes are stored somewhere. Have the patch diff the changes...

In this case where you need a local certificate it makes sense. Most of the time...

Re:Why can't it be patched? (-1)

Anonymous Coward | 1 year,24 days | (#44509013)

and Microsoft doesn't have that certificate.

Why don't they ask the NSA for it?

Re:Why can't it be patched? (3, Interesting)

Anonymous Coward | 1 year,24 days | (#44509253)

because the root certificate being installed is for the internal domain and Microsoft doesn't have that certificate.

please note: this is only for PEAP using domain credentials. not standard WPA2-PSK that just about everyone uses.

The scary thing (if i read this correctly) is that someone could theoretically sit outside a business where a lot of WP8 users are, listen for a while to snoop the wireless details (SSID, AP's mac, whatever they want) and then set up a fake hotspot in the parking lot. As phones leave the building's wifi perimeter, they will try to re-auth to the fake hotspot and give away their user's credentials. The user can then turn their wifi gear toward the building, and log in as an insider with probably tons-o-access to the internal network and the crown jewels.

Who cares if it's only a few businesses or that "most people" dont bother with it, the potential for targeted abuse is so huge that I don't see any sane enterprise keeping this turned on. They are better off just handing out "secret" WPA keys to their users than bothering with auth that basically ensures they are vulnerable.

Re:Why can't it be patched? (1)

robmv (855035) | 1 year,24 days | (#44509345)

Or treat wireless like an internet connection, require VPN access over it

Re:Why can't it be patched? (1)

Anonymous Coward | 1 year,24 days | (#44509767)

Or treat wireless like an internet connection, require VPN access over it

Too many people (mostly in the corporate world) believe that "defense in depth" means multiple layers of the highest encryption possible, and users who complain about having to authenticate 9 times just to check their email won out and required stored/cached single sign on so that you can breeze through all 9 layers as soon as you unlock your laptop with your domain password. It turns out that all that authentication shot them in the foot. Plus, if any ol person can belly up to your corporate WiFi, that makes you the same as Starbucks amiright? We can't have lazy, coffee swilling jerks laying around the office all day can we?

Re:Why can't it be patched? (1)

sexconker (1179573) | 1 year,24 days | (#44511345)

Or treat wireless like an internet connection, require VPN access over it

How would a VPN help? This vulnerability affects the authentication with the access point. If you authenticate, get an IP, and try to open a VPN connection, it's too late.

Re:Why can't it be patched? (1)

robmv (855035) | 1 year,24 days | (#44511505)

Because you can't access the company network without access to the VPN. Serious enterprise networks do not trust only the wireless encryption, simple as that

Re:Why can't it be patched? (0)

Anonymous Coward | 1 year,24 days | (#44510605)

The scary thing (if i read this correctly) is that someone could theoretically sit outside a business where a lot of WP8 users are

You mean just outside Redmond's WP8 development office?

Maybe this whole vulnerability report should have just been an internal memo.

Re:Why can't it be patched? (0)

Anonymous Coward | 1 year,24 days | (#44510645)

alot of wp8 users? Did I read that correctly? naw, I've only seen one (1) WP in a year, thats it. all others are iphone or samsung phones...

Re:Why can't it be patched? (3, Insightful)

DrXym (126579) | 1 year,24 days | (#44510649)

Sounds like Microsoft has most to fear on their own campuses since I doubt that there are many other businesses with a high enough concentration of vulnerable phones who would be worth the risk.

Re:Why can't it be patched? (2, Interesting)

r1348 (2567295) | 1 year,24 days | (#44511217)

Luckily, there's not such thing as a "business where a lot of WP8 users are", except maybe for Microsoft itself, but I wouldn't bet my life on it...

Re:Why can't it be patched? (1)

sexconker (1179573) | 1 year,24 days | (#44511329)

because the root certificate being installed is for the internal domain and Microsoft doesn't have that certificate.

please note: this is only for PEAP using domain credentials. not standard WPA2-PSK that just about everyone uses.

The scary thing (if i read this correctly) is that someone could theoretically sit outside a business where a lot of WP8 users are, listen for a while to snoop the wireless details (SSID, AP's mac, whatever they want) and then set up a fake hotspot in the parking lot. As phones leave the building's wifi perimeter, they will try to re-auth to the fake hotspot and give away their user's credentials. The user can then turn their wifi gear toward the building, and log in as an insider with probably tons-o-access to the internal network and the crown jewels.

Who cares if it's only a few businesses or that "most people" dont bother with it, the potential for targeted abuse is so huge that I don't see any sane enterprise keeping this turned on. They are better off just handing out "secret" WPA keys to their users than bothering with auth that basically ensures they are vulnerable.

The only thing you get is the encrypted credentials. Is PEAP-MS-CHAP v2 vulnerable to any practical attacks?

Re:Why can't it be patched? (2)

WaffleMonster (969671) | 1 year,24 days | (#44511565)

The only thing you get is the encrypted credentials. Is PEAP-MS-CHAP v2 vulnerable to any practical attacks?

If the TLS certificate is not validated all protections of TLS are null and void as it can be MITMd. In other words PEAP-MS-CHAPv2 becomes just MS-CHAPv2.

Cracking MS-CHAPv2 is trivial...
https://www.cloudcracker.com/blog/2012/07/29/cracking-ms-chap-v2/ [cloudcracker.com]

Not just practical its EASY.

Re:Why can't it be patched? (0)

Anonymous Coward | 1 year,24 days | (#44511507)

Where are you going to find a place with a lot of WP8 users? Redmond?

Re:Why can't it be patched? (4, Informative)

aaron44126 (2631375) | 1 year,24 days | (#44508797)

It says in the article that configuration changes must be made on the WiFi access points as well.

Re:Why can't it be patched? (1)

wmac1 (2478314) | 1 year,24 days | (#44509191)

Perhaps it means to change the configuration on "genuine access points" in a way that clients are not required to set vulnerable settings on their phone.

Re:Why can't it be patched? (4, Informative)

fuzzyfuzzyfungus (1223518) | 1 year,24 days | (#44508987)

If it can be fixed through manual configuration changes, why can't a patch make those same configuration changes?

The configuration change is enabling server certificate validation. If the network is set up for this, all is well: just like SSL, the server demanding the credentials from the client connecting to the network has a certificate, which the client can verify before attempting to authenticate. Spoofing becomes effectively impossible without access to a suitably signed cert.

However, if the authentication server is not set up to use a certificate, or is set up to use a certificate not signed by one of the CAs in the client's list of trusted authorities, enabling server certificate validation will cause the client to freak out and never attempt to authenticate (since validation will, correctly, fail.)

Re:Why can't it be patched? (1)

Strider- (39683) | 1 year,24 days | (#44509559)

The configuration change is enabling server certificate validation. If the network is set up for this, all is well: just like SSL, the server demanding the credentials from the client connecting to the network has a certificate, which the client can verify before attempting to authenticate. Spoofing becomes effectively impossible without access to a suitably signed cert.

The fundamental problem you run into however, is that at the point where you need to verify the certificate you don't yet have a network connection. In a PEAP environment, the certificate is presented to the client before layer 3 connectivity has been established. The client obtains the certificate, sees that it has been signed by a valid CA, but it can not actually verify that the certificate is being presented by the right server since, well, there's no network connection yet. It's really one of those chicken and egg problems, there's no good way to resolve it.

The reality is that in most cases, it should pop a warning giving certificate details (along with the fact that it has been signed by a trusted CA), and asking the user if they would like to proceed (and then saving that approval if desired).

Re:Why can't it be patched? (0)

Anonymous Coward | 1 year,24 days | (#44510643)

The client would have the DNS name so it could compare the CN though wouldn't it?

Or is the problem an attacker uses your SSID and presents their own valid trusted CA signed certificate for their own auth server? So when setting up your client you didn't specify the actual auth server DNS name so it can't compare the CN in the cert?

Perhaps the solution would be to have the SSID be the CN used in the certificate. So I would have to have a certificate with a CN of "corporate-wireless.example.com" and a SSID of the same name.

Re: Why can't it be patched? (1)

buchanmilne (258619) | 1 year,24 days | (#44512061)

EAP is performed when the EAP client is trying to establish layer 2 connectivity, before IP address aasignment can happed. Since there is no IP, there is no way to do a DNS lookup, and nothing to validate the subject cn against.

If certificate validation against CA certificates is disabled by default ( which is the case on Android as well), certificate validation collapses to whether the cert has expired.

I am only aware of 2 mobile platforms that do this better, iOS which prompts on a new EAP certificate, and Symbian, which didn't allow connecting to EAP networks with certs not signed by a trusted cert.

  The recent 'it just works' race to the least secure is not going to end well.

Re:Why can't it be patched? (1)

WaffleMonster (969671) | 1 year,24 days | (#44511291)

The fundamental problem you run into however, is that at the point where you need to verify the certificate you don't yet have a network connection. In a PEAP environment, the certificate is presented to the client before layer 3 connectivity has been established. The client obtains the certificate, sees that it has been signed by a valid CA, but it can not actually verify that the certificate is being presented by the right server since, well, there's no network connection yet. It's really one of those chicken and egg problems, there's no good way to resolve it.

You resolve it the way all browsers and sane operating systems resolve it. You load/keep a list of trusted root certificates against which the device can validate the server certificate by itself out of band of the wifi communication channel.

There are even extensions to TLS where OSCP can be performed over TLS such that revocation checking does not require network access.

Re:Why can't it be patched? (-1)

Anonymous Coward | 1 year,24 days | (#44509179)

Because its microshit and they suck a fat cock?

Re:Why can't it be patched? (1)

ISoldat53 (977164) | 1 year,24 days | (#44509575)

Maybe they can find some programers somewhere that can re-write it.

Re:Why can't it be patched? (0)

Anonymous Coward | 1 year,24 days | (#44510555)

>MS: Windows Phone 8 Wi-Fi Vulnerable, Cannot Be Patched

A 10-lb sledgehammer will do the job nicely..

Re:Why can't it be patched? (1)

sjames (1099) | 1 year,24 days | (#44511285)

Because it only works by pre-sharing a generated certificate between the AP and the client. MS can't make that happen with a patch.

oops... (1)

buzzsawddog (1980902) | 1 year,24 days | (#44508641)

So that's why all of the wifi pineapples sold out at DEF CON...

Re:oops... (4, Funny)

binarylarry (1338699) | 1 year,24 days | (#44509163)

Nah, whats the fun in hacking all 5 people who've bought Windows Phones?

Apple Newton probably has bigger marketshare right now.

Re:oops... (1)

gstoddart (321705) | 1 year,24 days | (#44509783)

Nah, whats the fun in hacking all 5 people who've bought Windows Phones?

Depends, if they're over-represented in corporate environments, they could be very attractive things with a known exploit.

Oh please (5, Informative)

Anonymous Coward | 1 year,24 days | (#44508653)

Every phone which implements CHAPv2 is vulnerable, because that's a broken algorithm. You can't patch it, because then it wouldn't be that algorithm anymore and stop working with other implementations of the algorithm. The right thing to do is to encapsulate it in a securely encrypted tunnel, but to have that, you have to check the certificates. If you don't secure the tunnel, an attacker can MITM you and crack the CHAPv2 inside. Not properly securing tunnels is a problem everywhere.

Re:Oh please (0)

Anonymous Coward | 1 year,24 days | (#44508727)

Dead on. Mod this up!

Re:Oh please (4, Funny)

tysonedwards (969693) | 1 year,24 days | (#44508731)

The fact that we have such lax tunnel security is a travesty.
I propose that we immediately bring in the TSA to man the entrance to every tunnel, for our children!

Re:Oh please (1)

DFurno2003 (739807) | 1 year,24 days | (#44510965)

The politically correct term is "Tube"

Re:Oh please (1)

Anonymous Coward | 1 year,24 days | (#44508739)

Quiet you, we're trying to bash Microsoft here.

Knock Knock.

Who's there?

Windows Phone 8.

Windows Phone 8 who?

Exactly.

Re:Oh please (0)

Anonymous Coward | 1 year,24 days | (#44510127)

Quiet you, we're trying to bash Microsoft here. Knock Knock. Who's there? Windows Phone 8. Windows Phone 8 who? Exactly.

Congratulations, you are on the jury!

Re:Oh please (0)

Anonymous Coward | 1 year,24 days | (#44508965)

So every phone is vulnerable, except the ones that aren't. Got it.

Re:Oh please (4, Informative)

jrumney (197329) | 1 year,24 days | (#44509025)

Every phone which implements CHAPv2 is vulnerable

Other phones don't automatically give out your corporate domain login details using it though.

Re:Oh please (0)

Anonymous Coward | 1 year,24 days | (#44509273)

Mod parent up! This is the big deal!

Re:Oh please (2)

rodrigoandrade (713371) | 1 year,24 days | (#44509099)

But lambasting Microsoft and Windows phones is a lot more entertaining than some boring technical and cohesive explanation.

Re:Oh please (4, Informative)

93 Escort Wagon (326346) | 1 year,24 days | (#44509295)

Well, to be fair to the blasters and lambasters:

- This is a protocol developed by Microsoft, and it's fundamentally broken
- Knowing it's fundamentally broken, Microsoft still included it on their phone and enabled its use by default

Re:Oh please (0)

Anonymous Coward | 1 year,24 days | (#44509913)

It's not enabled by default. You need a receiving end / access point for it. =P

Re:Oh please (1)

am 2k (217885) | 1 year,24 days | (#44511229)

Just like PPTP! I think I can see a pattern there.

Re:Oh please (1)

Notabadguy (961343) | 1 year,24 days | (#44509293)

I think Al Gore has a lock box full of tubes that has room to store this. Lock boxes are safer than tunnels.

Re:Oh please (1)

sexconker (1179573) | 1 year,24 days | (#44511439)

On a scale of WEP to AES, how broken is PEAP-MS-CHAP v2?

Wait (3, Insightful)

jayhawk88 (160512) | 1 year,24 days | (#44508655)

What's so special about Windows Phone 8/7.8 with regards to this issue? If you're not requiring a cert validating the identity of your radius server/access point/whatever, ANY device is going to be vulnerable to a spoofed SSID kind of attack, right?

Re:Wait (2)

wmac1 (2478314) | 1 year,24 days | (#44509233)

Don't take the fun out of it please :) !

it does it automatically (1)

dutchwhizzman (817898) | 1 year,24 days | (#44509907)

The problem is that you can't really turn off this behaviour and it does it automatically. Every client (laptop, tablet, phone, other wireless device) that does this fully automatic, may leak Active Directory account data that could be used to actually log on to file servers as well. It's not just MicroSoft that has this problem with PEAP, but that it's apparently not possible (at least not easily) to put some safety measures on the phone so you can mitigate this. I'm sure there will be other PEAP client implementations on other vendors devices that will suffer from this "automatically leaking AD logon data", but apparently, most vendors don't do it as bad as MS?

FUD? (0)

blcamp (211756) | 1 year,24 days | (#44508697)

This is quite the "Oops" on the part of MSFT which, even if this is nothing more than anti-MS FUD, can ill-afford this kind of bad press with a platform which has less than 4% of market share.

Re:FUD? (1)

ackthpt (218170) | 1 year,24 days | (#44508789)

This is quite the "Oops" on the part of MSFT which, even if this is nothing more than anti-MS FUD, can ill-afford this kind of bad press with a platform which has less than 4% of market share.

Probably the result of an office memo, which came down from the top, worded something like this: More animations, more inexplicable navigation, don't worry about security or adhering to the APIs, we can fix that later .. or not.

Re:FUD? (1)

1s44c (552956) | 1 year,24 days | (#44509067)

This is quite the "Oops" on the part of MSFT which, even if this is nothing more than anti-MS FUD, can ill-afford this kind of bad press with a platform which has less than 4% of market share.

The Microsoft mantra has always been that they only get cracked because they have most of the market share. Here they have 4% of the market share and they are still getting cracked.

Maybe the things MS make are just no good?

Re:FUD? (0)

Anonymous Coward | 1 year,24 days | (#44510089)

The handshaking here (CHAP) is not just present in WP7/8 devices, but practically all Windows versions.

Biggest difference is that it's usually used over wire in a corporate environment.

Rather than issue a security advisory.. (4, Funny)

Trailer Trash (60756) | 1 year,24 days | (#44508737)

They ought to just call the guy who bought one and explain it to him.

Re:Rather than issue a security advisory.. (1)

adycarter (261257) | 1 year,24 days | (#44508855)

They just did, and It doesn't bother me.

Panic over everyone!

Never met anyone who had a windows 8 phone (1, Flamebait)

jfdavis668 (1414919) | 1 year,24 days | (#44508763)

Never met a Zune user, either.

Re:Never met anyone who had a windows 8 phone (2)

DogDude (805747) | 1 year,24 days | (#44508875)

Hello! Nice to meet you. My girlfriend has one, too.

Parent must be spam (2, Informative)

jabberw0k (62554) | 1 year,24 days | (#44508915)

Real Slashdot users don't have girlfriends (or boyfriends for that matter).

Re:Parent must be spam (0)

Anonymous Coward | 1 year,24 days | (#44508985)

Some of us have wives, so we're still not getting laid. Six of one, half-dozen of the other...

Re:Parent must be spam (1)

1s44c (552956) | 1 year,24 days | (#44509043)

Six wives and a half-dozen girlfriends? You must be tired!

Re:Parent must be spam (1)

MiniMike (234881) | 1 year,24 days | (#44509555)

Six wives and a half-dozen girlfriends?

No, he just has polydactyly. [wikipedia.org]

You must be tired!

He probably is, but TMI.

How do you get on on the day it won't turn on? (1, Interesting)

dbIII (701233) | 1 year,24 days | (#44509011)

So it's 1984, and I'm in a high school math class where I have to write a very simple calendar program on a Sperry computer, never knowing that years later the guy that did the same thing on the Zune would have got a zero and be held up as an epic failure to programmers today. How the fuck do you forget leap years? How the fuck do you mess things up so badly that your device will not even turn on on some days due to that calendar bug? How bad is the quality control to miss such a thing that was a high school level exercise decades ago?

Re:How do you get on on the day it won't turn on? (1)

wonkey_monkey (2592601) | 1 year,24 days | (#44509219)

So it's 1984, and I'm in a high school math class where I have to write a very simple calendar program on a Sperry computer

And you've inadvertently created the trans-temporal internet protocol? Kudos!

Re:How do you get on on the day it won't turn on? (1)

gstoddart (321705) | 1 year,24 days | (#44509523)

How the fuck do you forget leap years?

Gross incompetence, and a total lack of awareness of the Gergorian calendar.

Re:How do you get on on the day it won't turn on? (0)

Anonymous Coward | 1 year,24 days | (#44511543)

A 24-hr deadline?

Re:How do you get on on the day it won't turn on? (2)

oji-sama (1151023) | 1 year,24 days | (#44511727)

How the fuck do you forget leap years?

The same way you forget the month December from calendar I guess. It is strange, though.

Re:How do you get on on the day it won't turn on? (1)

Teun (17872) | 1 year,24 days | (#44511979)

Because the guy was cheap?
And/or he grew up with and is accustomed to a Moon cycle based calender?

Still doesn't explain how it (in a market leading company) got past peer review...

Re:Never met anyone who had a windows 8 phone (1)

Horshu (2754893) | 1 year,24 days | (#44510817)

Another variant of the old "I don't know anyone who voted for Nixon" line.

Re:Never met anyone who had a windows 8 phone (0)

Anonymous Coward | 1 year,24 days | (#44511709)

God, why would anyone have a Zune, the damn bloatware to use it alone would scare me off... I do however, quite like my Lumia 928.

The Good News, (0)

Anonymous Coward | 1 year,24 days | (#44508843)

is that no one is using a Windows Phone.

Use windows (1)

1s44c (552956) | 1 year,24 days | (#44509023)

Every year there is a story on slashdot where the perfect response is 'Use Windows, get screwed.' It seems things have not changed much in the last 15 years.

Re:Use windows (2)

QilessQi (2044624) | 1 year,24 days | (#44509709)

Some folks argue that the stories (or, rather, the presentation and discussion of them) are unfairly slanted against Microsoft. For me, it comes down to this:

When a company has a warchest in excess of 500 billion US dollars, as well as immense market penetration in a variety of domains -- desktop operating systems, web browser, word processing software, spreadsheet software, etc. -- it is expected to have its act together.

Re:Use windows (2)

rullywowr (1831632) | 1 year,24 days | (#44510225)

Some folks argue that the stories (or, rather, the presentation and discussion of them) are unfairly slanted against Microsoft. For me, it comes down to this:

When a company has a warchest in excess of 500 billion US dollars, as well as immense market penetration in a variety of domains -- desktop operating systems, web browser, word processing software, spreadsheet software, etc. -- it is expected to have its act together.

(CompanyX AND 500 billion dollars) != "its act together"

For example:

Windows ME

Windows Vista

Zune

Games for Windows Live/Steam DRM

Surface RT

Xbox One and their DRM strategy (until it was revoked)

Re:Use windows (2)

QilessQi (2044624) | 1 year,24 days | (#44511143)

Oh, I agree ... Microsoft doesn't have its act together. My point was that given its war chest and the demands of its current user base, it should. There's simply no excuse.

I think that's why some of us on /. come down harder on Microsoft then on smaller companies. Sure, all software shops produce buggy code from time to time. And many vendors ship products that they hope will be game changers but that, ultimately, people aren't interested in. But most of these companies don't have a zillion dollars to spend on usability studies, development, and testing.

Good foundations are important (0)

Anonymous Coward | 1 year,24 days | (#44509107)

Nice to see WP8 shares the same good foundations as any M$ product. (Captcha: wretches)

Product death ... (0)

gstoddart (321705) | 1 year,24 days | (#44509451)

Redmond further states that this problem cannot be patched

One more nail in the coffin of a product which has been dying since it was released.

Come on guys, just how bad of a job are you doing these days?

Re:Product death ... (0)

Anonymous Coward | 1 year,24 days | (#44510869)

.....You do realize Windows Phone market share is growing faster than any other currently? It's still small, but it's growing fairly rapidly. Jesus fanboys are terrible.

Re:Product death ... (2)

Windowser (191974) | 1 year,24 days | (#44511383)

.....You do realize Windows Phone market share is growing faster than any other currently?

Statistics are like bikinis. What they reveal is suggestive, but what they hide is vital.
Take this simple example :
Company A as only 1 user of their phone. Then another person buy the phone. Now there is only two user, but they just doubled their users, 100% increase !
Company B as 100 users of their phone. Then another person buy the phone. Now there is 101 usersm but only 1% increase

If you only look at the stats, Company A is growing way faster than Company B.

Re:Product death ... (1)

gstoddart (321705) | 1 year,24 days | (#44511817)

You do realize Windows Phone market share is growing faster than any other currently?

Why, yes, they could double their market share by selling a relatively small amount of units, but that doesn't mean that there is really a significant amount of them in use.

According to this [osnews.com] :

Over the past 12 months, Windows Phone went from 3.1% market share to 3.7%. This means that while shipments of Windows Phone devices are growing, they're barely growing any faster than the industry as a whole.

Ooooh, Microsoft has gained 0.6% of the market over the last 12 months. I'm impressed, and I can only imagine the competitors are all running scared.

And in case you'd like to claim that's not what it says, let's go straight to IDC here [idc.com] , it's the first table on the page. They may have shipped 8.9M units this year vs 4.7M units last year, but how many of them have actually sold?

Jesus fanboys are terrible.

Yes, especially when they cling to a lame statistic which doesn't say what they think it says. Next you'll try to tell me the Zune was a raging success.

It's true that, as a percentage increase from what they had last year, Microsoft phones are 'growing faster' relative to itself (NOT faster relative to the overall market), but in terms of overall magnitude in the market, it's still a dud. Compared to what it did last year, it make huge gains ... compared to what everybody else did last year, Windows phone is a drop in the bucket.

That doesn't equate to "Windows Phone market share is growing faster than any other" -- not by a bloody longshot.

But, hey, you keep consoling yourself that it's the fanboys of competing technologies who are spreading lies and propaganda that Windows Phone is a joke and a failure. You console yourself that, if they'd only listen to the statistics which demonstrate it's a superior phone, we could all get along.

And I'll keep assuming you're a drooling idiot who doesn't know how to read the statistics. All that stat says is how fast Microsoft's share increased over the last year compared to where Microsoft's share was last year.

But growing from 3.1% of a market to 3.7% of a market isn't the success story you seem to think it is.

Where does it say that it cannot be patched? (4, Informative)

Fosterocalypse (2650263) | 1 year,24 days | (#44509461)

You put it in quotes so I assumed you were quoting one of the two links you put in but neither state that. I know there's a lot of anti-MS people here but stick to the facts please. I understand that the current solution they offer is not a patch but something that the user needs to do manually, but seriously when you quote something use what they actually said. "Recommendation. Apply the suggested action to require a certificate verifying a wireless access point before starting an authentication process. Please see the Suggested Actions section of this advisory for more information." - from: http://technet.microsoft.com/en-us/security/advisory/2876146 [microsoft.com]

Re:Where does it say that it cannot be patched? (3, Informative)

UnknowingFool (672806) | 1 year,24 days | (#44509785)

I think technically the flaw cannot be patched, but the vulnerability can be mitigated. Just reading it, it seems to be an inherent problem with the algorithm. Presumably it is analogous to the DNS cache poisoning flaw that Dan Kaminsky [wikipedia.org] discovered in 2008. DNS was patched to make it less vulnerable but the flaw existed in the protocol itself. There was no truly way to fix it without re-writing the protocol. Replacing it with DNSSec was the recommended course of action.

Re:Where does it say that it cannot be patched? (3, Interesting)

WaffleMonster (969671) | 1 year,24 days | (#44511475)

I think technically the flaw cannot be patched, but the vulnerability can be mitigated. reading it, it seems to be an inherent problem with the algorithm.

This is not the case here. It is a flaw in the MS implementation of a technology rather than the technology itself. A flaw by the way does not exist in other versions in Microsofts own products if they are configured properly.

Presumably it is analogous to the DNS cache poisoning flaw that Dan Kaminsky discovered in 2008. DNS was patched to make it less vulnerable but the flaw existed in the protocol itself. There was no truly way to fix it without re-writing the protocol.

There was no way to fix SYN attacks against TCP without replacing it either...oh wait yes there was cookies were added to mitigate the problem and today are widely deployed. The same solution for DNS continues to sit on a shelf and collect dust for no sane reason.

http://tools.ietf.org/html/draft-eastlake-dnsext-cookies-03 [ietf.org]

Replacing it with DNSSec was the recommended course of action.

April 1st must come late this year cuz DNSSec is glued on top of DNS and has all the same insane transport issues that we continue to allow DNS to have. Only now now with significantly higher computational cost and DDOS amplification factors which just might give SNMP with public community strings a run for its money.

Hardware And Services (0)

Anonymous Coward | 1 year,24 days | (#44509501)

Hows that working out for you, Microsoft?

People already weren't buying your hardware or services before you switched, you think people are ever going to?
People hate you as a company now, like genuinely hate you. They learned your bullshit tactics and now they are finding alternatives.

Shoulda stuck with the OS and Office types. Those were your biggest income.
But you shafted everyone from Vista onwards. You even fucked over Intel and straight up lied to them. Wintel died that year.
Who has your back now?

Redmond? (0)

Anonymous Coward | 1 year,24 days | (#44510009)

Who is 'Redmond' by the way?

Reeks of a data funnel (1)

Stan92057 (737634) | 1 year,24 days | (#44510153)

Reeks of a data funnel for the NSA

Re:Reeks of a data funnel (0)

Anonymous Coward | 1 year,24 days | (#44511153)

Moron.

This is a willfull and intentional act (4, Interesting)

WaffleMonster (969671) | 1 year,24 days | (#44510529)

I personally contacted MS security people about this years ago before WP8 was released and they told me they would look into this and get back to me guess what I tried to follow up and they never did.

To be very clear the problem is complete lack of necessary levers and knobs to validate the TLS certificate and common name of certificate in WP7-8. Without these options TLS is trivially MITMd this leaves only MS-CHAPv2 which has known to have been completely and publically broke for years.

What is worse they don't even try there is not even a leap of faith latch as there is in other mobile platforms whereby if the cert changes it at least tells you it is different... The system never warns you or anything.

To be even more clear this is not a problem that Microsoft just stumbled on... They knew full goddamn well what the implications of leaving those levers and knobs out of WP7 were... They knew about them circa 2002-2003 when their wireless supplicant was released for XP. They just didn't give a shit.

Re:This is a willfull and intentional act (0)

Anonymous Coward | 1 year,24 days | (#44511253)

No, you didn't.

Microsoft is so dead. (0)

Anonymous Coward | 1 year,24 days | (#44510615)

Microsoft is so dead.

Re:Microsoft is so dead. (0)

Anonymous Coward | 1 year,24 days | (#44511193)

Does Netcraft confirm that?

So This Problem Affects... (0)

Anonymous Coward | 1 year,24 days | (#44510701)

...how many worldwide "lusers" that ought to be using something else....

Android is vulnerable too (0)

Anonymous Coward | 1 year,24 days | (#44510827)

If the end-user doesn't require a server certificate check then Android is vulnerable too.

How can.. (0)

Anonymous Coward | 1 year,24 days | (#44511531)

Windows Phone 8 have vulnerabilities if nobody uses it.....

Re:How can.. (0)

Anonymous Coward | 1 year,24 days | (#44511753)

Windows Phone 8 have vulnerabilities if nobody uses it.....

Ok... Hypothetically, if anyone actually used WP8 then they would be vulnerable.

Fixed it for you...

Load More Comments
Slashdot Login

Need an Account?

Forgot your password?

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>