
Serious IIS Hole; Minor X Bug

michael posted more than 12 years ago | from the truthworthy-computing dept.

Bug 477

EyesWideOpen writes "Microsoft announced Wednesday that there is a serious software flaw with its IIS web server. The 'vulnerability affects a function in the server software that allows Web administrators to change passwords for an Internet site.' A researcher with eEye Digital Security discovered the flaw in mid-April but it wasn't announced publicly because of an agreement with Microsoft. The Wired article is here and this appears to be the MS bulletin describing the vulnerability in detail." And several people reported this Register story on a way to DOS Mozilla users by trying to display ludicrously large fonts. Microsoft's time to patch a remote hole where the attacker can gain complete access to your computer: two months. Open Source's time to patch a much less serious bug where the attacker can merely crash your computer: three days.





I already view large fonts. (2)

satanami69 (209636) | more than 12 years ago | (#3692299)

To me that's one of the benefits of Mozilla. I view everything at 120%. Take that CNN! You can't stop me from actually reading stories now.

Re:I already view large fonts. (4, Informative)

uglyduckling (103926) | more than 12 years ago | (#3692413)

If you look in the 'fonts' preferences, there's now an option for minimum font size. It's a great way to deal with ridiculously small fonts without making everything else look chubby.

I've also found that the screen calibration thingy on the fonts preferences (select 'Other..' under 'Display Resolution') makes a big difference too.

Re:I already view large fonts. (0, Offtopic)

mrselfdestrukt (149193) | more than 12 years ago | (#3692430)

Hehehehe. That was real funny man!
I'll pay the shipping fees if I can send you mine...

Status Quo (2, Funny)

Johnny O (22313) | more than 12 years ago | (#3692300)

About Status quo in M$ land....
About Status quo in Linux land :-)

Re:Status Quo (1)

ozbon (99708) | more than 12 years ago | (#3692369)

And as with Status Quo records everywhere, every single one sounds the same as the last...

Re:Status Quo (4, Insightful)

GypC (7592) | more than 12 years ago | (#3692418)

It's not a Linux bug, but rather an XFree86 and mozilla bug. It would probably crash any box running those two programs just as handily...

DOS Mozilla users??? (5, Funny)

Xpilot (117961) | more than 12 years ago | (#3692302)


Wow, I didn't know that Mozilla had a DOS version! How many users does it have? Three?

Re:DOS Mozilla users??? [just to avoid confusion] (1)

alapalaya (561911) | more than 12 years ago | (#3692321)

to DOS Mozilla users

read: "to cause Denial Of Service to Mozilla users".

(It's the same as saying MS-DOS: Microsoft's sw causes Denial Of Service to its users ... ok, just kidding here :) ).
Cheers.

(yeah, my sig is wrong, so what?)

Re:DOS Mozilla users??? [just to avoid confusion] (0)

Anonymous Coward | more than 12 years ago | (#3692389)

He may be mocking the bad capitalization of the "Denial of Service" abbreviation. It's usually "DoS", not "DOS".

Re:DOS Mozilla users??? [just to avoid confusion] (1)

barnsleyBigUn (84793) | more than 12 years ago | (#3692391)

I do so love the smell of sarcasm in the morning

Re:DOS Mozilla users??? [just to avoid confusion] (1)

RevDobbs (313888) | more than 12 years ago | (#3692434)

right up there with coffee and napalm...

oh, wait, it's morning already? Another night wasted away on a Win2K box... thank god the new office OpenBSD/Samba server is up and running


Re:DOS Mozilla users??? (0)

Anonymous Coward | more than 12 years ago | (#3692405)

I bet there are more systems out there running DOS than Linux (mostly embedded, but I bet there are still lots of WordPerfect 4.2 users, who just aren't connected to anything more sophisticated than a printer).

Number of users confirmed! (0)

Anonymous Coward | more than 12 years ago | (#3692433)

Three users confirmed, just like gopher! [pcquote.com]

Only affects HTR - a rarely used feature (5, Informative)

byolinux (535260) | more than 12 years ago | (#3692304)

This is hardly a major bug IMHO... "an older, largely obsolete scripting technology - where the previous one lay in the ISAPI extension that implements ASP." "The IIS Lockdown Tool disables this functionality by default. Customers who have retained the functionality but deployed the URLScan tool as discussed in Microsoft Security Bulletin MS02-018 would likewise be protected against the vulnerability." So, it only really affects those sysadmins who don't bother to lock their server down. It's not going to be a major issue for the majority.

Re:Only affects HTR - a rarely used feature (4, Insightful)

erlando (88533) | more than 12 years ago | (#3692330)

But you are forgetting the vast amount of users running IIS without knowing it by way of having installed Win2K with indexing services and what not.

The majority of Code Red attacks came (and are still coming) from private users that have never even heard of a Microsoft Security Bulletin, the URLScan tool or the Lockdown Tool.

Sadly these types of users are still in the majority.

Re:Only affects HTR - a rarely used feature (4, Funny)

edrugtrader (442064) | more than 12 years ago | (#3692419)

"this really affects those [microsoft] sysadmins who don't bother to lock their server down"...

...right... so EVERYONE is affected... hardly a major bug at all.

Re:Only affects HTR - a rarely used feature (0, Troll)

mnordstr (472213) | more than 12 years ago | (#3692468)

"it only really affects those sysadmins who don't bother to lock their server down"

Which happens to be the majority. If you're lazy enough not to run a real web-server then you're lazy enough not to make it secure.

"an older, largely obsolete scripting technology"

I don't think the script kiddies care about the popularity of the technology, if there's a hole, there's a hole.

Incorrect ! (5, Informative)

dnaumov (453672) | more than 12 years ago | (#3692307)

This article is incorrect. That bug is an XFree bug and not a Mozilla bug. It's not fixed, although it's possible that it's been worked around in Mozilla. Read the text itself, I think it says:
X-windows, with or without the font server (XFS) running can be crashed remotely via Mozilla when fonts are set to an unnaturally large size with CSS (Cascading Style Sheets), Tom Vogt of Lemuira.org has reported.

and
"An X bug allows all available memory to be consumed, which causes the system to freeze. The behavior can be duplicated with applications like the Gimp, we're told, but these aren't remotely exploitable. But with Mozilla, a pest can easily set up a malicious Web site which will crash unsuspecting Tuxers' boxen and cause any unsaved data in open apps to go away."

Re:Incorrect ! (1, Redundant)

dnaumov (453672) | more than 12 years ago | (#3692313)

DOH ! I should've read the title better myself. I suck :o)

Re:Incorrect ! (2)

PigleT (28894) | more than 12 years ago | (#3692342)

"An X bug allows all available memory to be consumed, which causes the system to freeze."

Why on earth would that happen, unless your kernel VM was seriously screwed? Last time I saw any one process hog all the RAM, it got killed pretty sharpish.

There's also a call in the bugtraq thread for apps to be more sensitive about the data they get back from calls into external APIs. That makes sense to me - especially when anyone can LD_PRELOAD a library with broken return values for various functions.

Well spotted mozilla, now everyone *else* get your acts together please ;)

Re:Incorrect ! (0)

Anonymous Coward | more than 12 years ago | (#3692380)

So the X-server gets killed pretty sharpish. IIRC that is pretty fatal for most X-applications, right? I don't think you're going to see a dialog asking where to save your work.

Re:Incorrect ! (-1)

Rogain (91755) | more than 12 years ago | (#3692396)

It only crashes the X-server. Your "boxen" are safe. But it is sure a fun webpage. Go to mozilla's bugtraq and get a copy of it. Send it to your friends.

Re:Incorrect ! (2)

mnordstr (472213) | more than 12 years ago | (#3692439)

"That bug is an XFree bug and not a Mozilla bug"

Well, the Mozilla "bug" is that Mozilla doesn't perform a check to see if the font size is sane, it just blindly tells X to show an extremely large text. But X should definitely check that it can handle it itself, so the bug is an X bug, Mozilla should just be a little friendlier with X :-)

Re:Incorrect ! (2)

prockcore (543967) | more than 12 years ago | (#3692456)

It's unclear what versions of X are affected. The reporter claims to have verified the bug with 4.2.0, but on my box with XFree 4.1.0, all that happens is Mozilla closes down immediately. The Gimp does the same. No memory problems. (Still a bug, but definitely not the DoS attack it's made out to be)

So it probably only affects XFree 4.2... I don't have 4.2 installed to verify.

Re:Incorrect ! (2, Funny)

ActiveSX (301342) | more than 12 years ago | (#3692466)

An X bug allows all available memory to be consumed

All these years and I thought X was supposed to do that. Silly me!

Biased reporting yet again (1)

Procrasturbator (585082) | more than 12 years ago | (#3692310)

I've come to expect this sort of reporting. Oh, a bug that lets people who have no right mess up your work, that's a BAD thing! Microsoft did nothing about it when they could have, ooh, that's BAD!

Where's the representative for the evil population of the world? Where's the representation of the eMasochist?

Re:Biased reporting yet again (0, Flamebait)

CaptainZapp (182233) | more than 12 years ago | (#3692331)

I'm a little bit sick and tired about all those whiners complaining about biased reporting.

This is slashdot for crying out loud and neither the editors nor the contributors have any obligations whatsoever for objective reporting or commenting.

If you don't like it in here feel free to tune into ZDnet or read some unbiased reports by Microsoft sponsored "Think Tanks".

There is no need to thank me.

Re:Biased reporting yet again (0)

ActiveSX (301342) | more than 12 years ago | (#3692477)

I'm a little bit sick and tired about all those whiners who don't see BLINDINGLY OBVIOUS SARCASM.

kthxbye

Whack the gopher? (1)

ObviousGuy (578567) | more than 12 years ago | (#3692312)

This is actually a pretty bad threat. Redirect a page to a gopher link and hijack the computer. Bad MS!

does time matter that much? (0)

Anonymous Coward | more than 12 years ago | (#3692316)


3 days or 2 months, when you think the users have updated the servers anyhow?

Yes, it's good that bugs get fixed fast, but I wonder how many just don't care to install the fixes.

Agreement from Hell (1)

jsse (254124) | more than 12 years ago | (#3692318)

A researcher with eEye Digital Security discovered the flaw in mid-April but it wasn't announced publicly because of an agreement with Microsoft.

Was that this agreement [air0day.com] they are talking about?


(Don't click I Agree for God's sake)

*yawn* (0)

Anonymous Coward | more than 12 years ago | (#3692320)


big deal. M$ security holes are a dime a dozen, M$ makes the most insecure application on the face of the planet.

This goes to show... (2, Interesting)

Moita Carrasco (571940) | more than 12 years ago | (#3692322)

The fact is Microsoft doesn't give a damn, because it doesn't need to give a damn anymore. Windows in its various forms continues to have outrageous security holes, and still people keep using it, buying licences and standing by it.

I honestly still think that some sort of un*x for idiots is needed before people will actually see open source opsys'es as an alternative to bloody windows.
I can speak for myself, I'm a dumb windows-based web designer, and as much as I really like the idea of Linux, and the look of gnome and kde, and the coolness of using a console... you'd still have to dumb it down a bit more for me. Perhaps Apple's X... but then I hate Apple computers, it'd have to run on a PC.

Oh well, what I mean is: there's no point in comparing how much more terrible MS's bugs are and how much longer it takes for them to solve them. There has to be a real alternative to windows for the DUMB user, not for the tech-savvy geek, before people will actually say "hey, wait a minute, this is full of bugs and THAT over there isn't... I'll swap."

Just my opinion.
Moita Carrasco

Re:This goes to show... (5, Interesting)

CaptainZapp (182233) | more than 12 years ago | (#3692375)

The fact is Microsoft doesn't give a damn, because it doesn't need to give a damn anymore. Windows in its various forms continues to have outrageous security holes [...]

I think you're wrong here, since Microsoft was always very, very good at feeling out the vibes of their customer base. The current perception in the marketplace is that Microsoft's security is beyond rotten. Since even the Gartner Group [gartner.com] got on the bandwagon, Microsoft seems to be scared shitless about that public perception.

The problem is the same as the sorcerer's apprentice, who just can't get rid of the monsters anymore.

For years and years Microsoft has overladen their products with features and bloat. They missed the internet entirely and when they realised their mistake they rushed an inherently insecure internet platform into the market and during all this time they didn't give a flying f*ck about security.

I agree, that Microsoft is an extremely arrogant company, that regards their customer base as cows to be milked and taken for a ride in every way possible.

The problem is that perception is changing and so they are frantically trying to restore trust; they can't let such glitches happen by purpose.

I think it's too late though to call the monsters back in and even worse:

It is my true conviction that any IT responsible on any level using IIS on new projects is guilty of gross negligence and incredible incompetence.

Re:This goes to show... (1)

Moita Carrasco (571940) | more than 12 years ago | (#3692409)

"It is my true conviction that any IT responsible on any level using IIS on new projects is guilty of gross negligence and incredible incompetence."

I find this comment particularly good, I will spread it around my friends.

Let me just add this important bit: I live in Portugal, a small underdeveloped sh*tty European country and the fact of the matter is people keep trusting and buying Microsoft. Our clients all have IIS servers, and the ones that don't serve their websites from inhouse at least have their LANs based on one windows or other.
Clients keep looking at us as if we're weird outer-space creatures every time we mention unix-based hosting and programming.
And recently, a visual basic programmer offering us his content manager solution had no idea what we were talking about when we said we used Perl.

So the perception in my post wasn't very wide, but the sad thing is: it still holds true, somehow, at least in certain parts of the world.

But I really did like your reply. I still see no great alternative to windows as far as the simple computer user is concerned.

Moita Carrasco

Heh... read if you dare. (1)

Amiasian (157604) | more than 12 years ago | (#3692383)

The fact is Apple does give a damn, because it has to. The operating system must be checked and supported to maintain the market share which Apple must viciously battle Microsoft to maintain.

I agree on paragraph II, for the most part. UNIX for idiots is needed. And, as for Unix's GUI, let's put it plain and simple: X-Windows sucks. I'm sorry to have offended anyone, but I come from the standpoint of an Aqua user ... (which, as far as I know - being based on Quartz/PDF - is one of the best windowing systems ever). Just one thing peeved me a little. You say "I hate Apple computers." But, you seem to like the OS. Want a good OS (X)? Then buy a good computer. Macs have steadily improved and are very competitive (consumer iMac with Super Drive ... mayhaps that doesn't suit your needs ... anyone?) with PCs. As Apple continues to expand its market share, albeit slowly, we can continue to see prices drop and, let's face it, innovation to improve.

Open source and Apple are the only real lights of the industry. In hardware, everyone tries to kiss Microsnuff's ass, so innovation is slow. Apple can develop independent of them. In software, the PC space kisses Microsnuff's ass. And so, software is also limited that way. Unless, of course, you go open source. But Open Source itself is not so great. The reason I say this is because it tries too much to imitate closed source. Gimp to be Photoshop, StarOffice to be MS Office, etc. And all of that's great. Still, the non-opensource is better. Why I say, then, that open-source is innovative is the fact that it has potential. To break the mold. To create new categories of applications. The Mac's killer app was Photoshop and image editing. Apple II had Visicalc. The IBM PC had a random assortment of junk. My question is, what's open-source's killer app?

Re:This goes to show... (0)

Anonymous Coward | more than 12 years ago | (#3692400)

I'm with you matey. I can see more and more servers becoming non M$ when our customers figure out... "so it's more stable, runs faster on lower spec machines, can be pruned and mod'd to do EXACTLY what we need eh?"

But show me an apache server with configuration done by a text file, that never coughs and dies like IIS (hardly ever then) and I'll show you a whole office full o punters who can't FIND the document they just saved because it's not in their My Documents folder. (I shit you not)

Give me a desktop environment that mimics windoze so we can wean them off that damned dirty office assistant. But no, what I've found is SOME (avoiding a flame I hope) have the attitudes of:

- Let the lame suffer
- But I'm smarter than them so sod 'em
- It's their own fault, they should know better (??)

I WANT to see M$ beat like a bad stepchild but there isn't a stick (in this case a GUI and Office-type app) to do it with.

Now I know someone's going to come back with "what about x" and "you're forgetting y" but here's a laugh for you, go ask a default end user in a M$ environment what StarOffice is, or Apache or even Navigator (Sadly). We must emulate, educate, then eradicate. heh heh heh. Sorry, came over all Nixon there for a minute ;)

Crashing X-Windows (2)

krmt (91422) | more than 12 years ago | (#3692323)

I'd heard briefly about the Mozilla bug, and I understand why it's X's fault, but I'm curious... how is it that X is able to crash the system this hard? Because it's got direct access to hardware? Because it runs with root privileges? Also, is this just XFree86, or are all variations of X affected?

For someone who was brave enough to try the crashing link supplied by the Register, does this kill the whole machine, or just X? And can you salvage things without rebooting by using either a virtual term or logging in via ssh?

I personally think Mozilla should implement some short-term patch to prevent exploitation of this bug until it's patched in XFree, but as the register article says, the fault doesn't lie with them.

Re:Crashing X-Windows (3, Interesting)

Pembers (250842) | more than 12 years ago | (#3692357)

Also, is this just XFree86, or are all variations of X affected?

The Bugzilla report (http://bugzilla.mozilla.org/show_bug.cgi?id=150339) that the Register article links to has a couple of comments from Solaris users who say that the "malicious" page crashed their X server too. I don't know if Sun's X server and XFree86 are derived from a common code base, but this would suggest that the bug is (a) old and (b) widespread.


(The reason the Bugzilla link isn't a proper href is that I tried to check it just now, and Bugzilla said links from Slashdot aren't allowed. Make of that what you will!)

Re:Crashing X-Windows (0)

Anonymous Coward | more than 12 years ago | (#3692367)

Portions of X, by definition, must have supervisor level access to your hardware. Without it, you'll have a hard time getting it to manipulate the registers and memory on your video card, and you won't see much. So yeah, a bug in X could screw you over, just as much as a bug in the kernel could kill your system.

Now, what I would like to know is if this bug is reproducible with X running on top of a framebuffer device?

Re:Crashing X-Windows (3, Informative)

RandomPeon (230002) | more than 12 years ago | (#3692378)

The exploit asks for a font that's utterly ridiculous - a 166666667 size font, give or take a few 6's. Mozilla tries to get X to display such a font. X dutifully attempts to draw at that size, which requires a tremendous amount of memory, eventually bringing the whole machine down. You could get the same result by putting a malloc or fork call in a while(1) loop.

I personally think Mozilla should implement some short-term patch to prevent exploitation of this bug until it's patched in XFree, but as the register article says, the fault doesn't lie with them.

They already did. It's obviously a trivial fix - no fonts larger than 1,000 (or whatever). I'm surprised it took that long.
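
The size arithmetic behind the comment above, as an added example that is not XFree86 or Mozilla code: a 1-bit-per-pixel square glyph bitmap is assumed as a stand-in for whatever the real server allocates, the 1,000-pixel cap is the thread's own number for the Mozilla fix, and the overflow guard is standard hardening for any size computation that feeds an allocator, not a claim about what the XFree86 bug actually was. The function names are hypothetical.

```c
/* Added example, not XFree86 or Mozilla code: why a requested glyph size has
 * to be bounds-checked before the bitmap for it is allocated.  The 166666667
 * is the size from the thread; the 1,000 cap is the Mozilla fix as described
 * there; a square 1-bpp bitmap is an assumed stand-in for the real layout. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define MAX_GLYPH_PX 1000ULL          /* "no fonts larger than 1,000" */

/* Bytes for a size_px x size_px 1-bpp bitmap, in 64 bits, no range checks.
 * For 166666667 this is about 3.5e15 bytes: petabytes for one glyph. */
uint64_t glyph_bytes_u64(uint64_t size_px)
{
    uint64_t stride = (size_px + 7) / 8;        /* bytes per row, rounded up */
    return size_px * stride;
}

/* The same calculation in 32 bits: the multiply silently wraps, so code that
 * trusts the result allocates far less than the drawing code will write. */
uint32_t glyph_bytes_u32_unchecked(uint32_t size_px)
{
    uint32_t stride = (size_px + 7) / 8;
    return size_px * stride;
}

/* Hardened form: reject anything above the cap before doing arithmetic, and
 * refuse the multiply if it would overflow size_t anyway.
 * Returns 1 and stores the byte count on success, 0 on rejection. */
int glyph_bytes_checked(uint64_t size_px, size_t *out)
{
    uint64_t stride;
    if (size_px == 0 || size_px > MAX_GLYPH_PX)
        return 0;                               /* ludicrous request: refuse */
    stride = (size_px + 7) / 8;
    if (size_px > SIZE_MAX / stride)            /* overflow guard */
        return 0;
    *out = (size_t)(size_px * stride);
    return 1;
}

/* Convenience wrapper: byte count for an acceptable size, 0 if rejected. */
size_t checked_bytes_or_zero(uint64_t size_px)
{
    size_t bytes;
    return glyph_bytes_checked(size_px, &bytes) ? bytes : 0;
}

/* Allocate a glyph bitmap only for sizes that pass the checks. */
unsigned char *alloc_glyph(uint64_t size_px)
{
    size_t bytes;
    if (!glyph_bytes_checked(size_px, &bytes))
        return NULL;
    return calloc(bytes, 1);
}

int main(void)
{
    uint64_t evil = 166666667ULL;               /* the size from the exploit page */
    unsigned char *g;

    printf("true need for %llu px: %llu bytes\n",
           (unsigned long long)evil, (unsigned long long)glyph_bytes_u64(evil));
    printf("32-bit wrapped result: %lu bytes\n",
           (unsigned long)glyph_bytes_u32_unchecked((uint32_t)evil));
    g = alloc_glyph(evil);
    printf("alloc_glyph(%llu) -> %s\n", (unsigned long long)evil,
           g ? "allocated" : "refused");
    free(g);
    g = alloc_glyph(12);
    printf("alloc_glyph(12) -> %s\n", g ? "allocated" : "refused");
    free(g);
    return 0;
}
```

The cap is the cheap part of the fix and is what a client like Mozilla can do on its own; the overflow check matters on the server side, where a wrapped size would turn a denial of service into a heap overwrite when the glyph is rendered into the undersized buffer.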

Re:Crashing X-Windows (1)

leuk_he (194174) | more than 12 years ago | (#3692384)

Just from reading the articles:

It DoSes by using A LOT OF MEMORY.
X crashes OR your PC becomes unresponsive. It is like running MS Windows 2000 on a 16MB machine. It is still running but so slow it does not work. Lots of applications crash when they do not get memory. Then there are 2 things that can happen:
-The machine crawls to a halt. (ssh and killing X might solve this, depends on OS configuration)
-X crashes, taking down some applications with their data with it.

The link in the register gives me a timeout. maybe someone can mirror it?

Re:Crashing X-Windows (0)

super-flex-o-matic (517410) | more than 12 years ago | (#3692410)

i got several x-windows crashes with 4.0 every 6 days. mostly if i got kdm/gdm or xdm running to login. i just login via the console to minimize the chance of those nasty krashes.

Re:Crashing X-Windows (1)

uglyduckling (103926) | more than 12 years ago | (#3692436)

Woah - what graphics hardware are you using? I use gdm exclusively here, never login from the console because this is mainly a web-browsing and WYSIWYG (OpenOffice) word processor. The only time I have _ever_ seen X >= 4.0 go down hard is when I was using an early version of drivers for an ATI TV tuner.

Re:Crashing X-Windows (2)

nomadic (141991) | more than 12 years ago | (#3692442)

What I don't understand is why the story said simply there was a bug in Mozilla; if it's xfree, then people using Mozilla on Windows aren't affected, eh?

Slackware is still safe... (2, Informative)

unixmaster (573907) | more than 12 years ago | (#3692324)

Slackware doesn't use the xfs font server, so mozilla doesn't crash when viewing big (really big) fonts.

Re:Slackware is still safe... (2, Insightful)

Mr Windows (91218) | more than 12 years ago | (#3692356)

The Register Article [theregister.co.uk] specifically says:

"X-windows, with or without the font server (XFS) running can be crashed remotely via Mozilla" [my emphasis]

So it seems that Slackware is just as vulnerable as anyone else.

Re:Slackware is still safe... (1)

ankit (70020) | more than 12 years ago | (#3692370)

So it seems that Slackware is just as vulnerable as anyone else.

No it isn't. I haven't been able to crash my system, or affect it in any way whatsoever by going multiple times to the "dreaded page". I am using Slack 8.0, with mozilla 1.0. I really think slackware users are immune to this bug for whatever reasons...

Re:Slackware is still safe... (0)

Anonymous Coward | more than 12 years ago | (#3692417)

you base your theory on the fact that you (ONE) slackware user does not experience the bug so ALL must not experience it?

In case it's slashdotted (-1)

Big Dogs Cock (539391) | more than 12 years ago | (#3692325)

OSDN | Our Network | Newsletters | Advertise | Shop Slashdot ----------- All OSDN Sites freshmeat Linux.com LinuxGram NewsForge OSDN.com Slashcode SourceForge.net X faq code awards journals subscribe older stuff rob's page preferences submit story advertising supporters past polls topics about bugs hof Sections apache Jun 11 (1 recent) apple Jun 12 (5 recent) askslashdot Jun 13 (12 recent) books Jun 12 (1 recent) bsd Jun 10 developers Jun 12 (5 recent) features Jun 8 interviews Jun 10 radio Jun 29 science Jun 13 (6 recent) yro Jun 12 (4 recent) This page was generated by a Group of Stealth Elephants for Big Dogs Cock (539391). Serious IIS Hole; Minor X Bug Posted by michael on Thursday June 13, @10:10AM from the truthworthy-computing dept. EyesWideOpen writes "Microsoft announced Wednesday that there is a serious software flaw with its IIS web server. The 'vulnerability affects a function in the server software that allows Web administrators to change passwords for an Internet site.' A researcher with eEye Digital Security discovered the flaw in mid-April but it wasn't announced publicly because of an agreement with Microsoft. The Wired article is here and this appears to be the MS bulletin describing the vulnerability in detail." And several people reported this Register story on a way to DOS Mozilla users by trying to display ludicrously large fonts. Microsoft's time to patch a remote hole where the attacker can gain complete access to your computer: two months. Open Source's time to patch a much less serious bug where the attacker can merely crash your computer: three days. ( Read More... | 11 comments ) WiFi, Light Bulbs, And The FCC Posted by Hemos on Thursday June 13, @07:04AM from the what-to-be-done dept. JFMulder writes "According to Cringely, 802.11 WiFi wireless networking is going to get in lot of troubles when Fushion Lightning starts marketting low-power light blubs which causes interferences with Wifi signals. Read about it at I, Cringely. 
Supposedly the new kind of light bulb is a real electricity saver and can wreck havoc to wireless networks in a half a mile radius. So what would you prefer? Wireless networks or low cost light bulbs all around the country to save more and more on electricity?" Update: 06/13 03:52 GMT by M: Cringely confused the FHSS-or-DSSS 802.11 standard with the DSSS-only 802.11b standard, but the general warning about the potential for interference is certainly troubling. ( Read More... | 119 comments ) Live via Satellite: NATO Aerial Surveillance Video Posted by michael on Thursday June 13, @04:00AM from the run-another-T-1 dept. Factomatic writes "The BBC is reporting 'NATO surveillance flights in the Balkans are beaming their pictures over an insecure satellite link - and anyone can tune in and watch their operations live.' All you need is a satellite dish. John Locker tapped into the NATO aerial surveillance feed over the Balkans from England and has been e-mailing, faxing and calling NATO since November to get them to fix the problem. NATO denies it is a problem at all. I wonder if this would work in Afghanistan, too?" No, the article notes that Afghanistan is taking up all the secure communications bandwidth, and operations in the Balkans are getting kicked over to unencrypted channels. We ran an older story about the military's growing bandwidth crunch. ( Read More... | 138 comments ) A Wireless Alliance Forms Posted by michael on Thursday June 13, @02:22AM from the your-call-cannot-be-connected-as-dialed dept. MikeD83 writes "A wireless alliance has formed between the likes of Nokia, Microsoft, Intel, Walt Disney Co., and almost 200 other companies. Their mission is to develop an open standard for how wireless phones can be used on any network." Whoo-hoo! DRM for cell phones! The group's website has some more information. ( Read More... | 161 comments ) Microsoft Case Proceeds Posted by michael on Thursday June 13, @12:54AM from the day-follows-night dept. 
YeOldeCurmudgeon writes "This story just posted on Yahoo: Federal Judge Denies Microsoft Motion to Dismiss Antitrust Case. Microsoft's motion to dismiss the suit filed by the 9 dissenting states was denied. The judge agrees the states can sue." An article in the San Francisco Chronicle summarizes the case's current state and what's coming up next. ( Read More... | 213 comments ) Inside the Joint Strike Fighter Competition Posted by chrisd on Wednesday June 12, @11:51PM from the complex-work-for-complex-tools dept. jonerik writes "The June issue of the Atlantic Monthly has this account of the history of the Joint Strike Fighter competition between Boeing and Lockheed Martin (which the latter company ended up winning this past fall, with Boeing now touting its expanding line of unmanned aircraft as the true future of tactical aviation). The article does a fine job of showing how the competitors dealt with the challenge of producing an aircraft (now dubbed the F-35) that the Air Force, Navy, Marines, RAF, and Royal Navy could all live with. Funniest part: Boeing's X-32 entry, with its enormous pelican-like jet intake, had some questioning whether the plane's bizarre appearance didn't hurt its chances more than its performance. 'Helpful as my contacts at Boeing were, no one was eager to claim credit for the design of the plane,' says the article's writer James Fallows." Fascinating article. ( Read More... | 254 comments ) Calculators vs. PDAs in the Classroom Posted by michael on Wednesday June 12, @10:44PM from the crutches-for-the-weak-minded dept. TheMatt writes "CNN.com is reporting about a new conflict perhaps emerging in classrooms: calculators v. PDAs. The article talks about how TI seems to be making their latest calculator more PDA-like, while PDAs are gaining TI-like functionality. 
A comment on current math education is this quote from the article: "When you have circles and ellipses, there is no way you'd be able to do this without a calculator," Jarvis said. "It helps us visualize what we're doing." Were the compass and geometry uninvented?" ( Read More... | 470 comments ) Universal, Sony Cutting Prices on Downloaded Music Posted by michael on Wednesday June 12, @09:49PM from the invisible-hand dept. Don Symes writes "Sony Music and Universal appear to be getting ready to allow downloads of singles for $.99 and albums for $9.99 without crippleware or restrictions on personal copying/burning." Another semi-interesting piece submitted by several people is this propaganda from the recording industry. 2.8 million copyright-infringing CD-R's were seized in the U.S. last year (9 million world-wide); from that the IFPI extrapolates that 950 million copyright-infringing CD-R's were actually sold, world-wide. How do you get from 9 million to 950 million? Mostly hand-waving. ( Read More... | 393 comments ) Ask Slashdot: Making Users Back Up Important Data? Posted by Cliff on Wednesday June 12, @08:44PM from the it's-for-their-own-good dept. Lux Interior asks: "Help! I am the ad-hoc computer guy in a small satellite office of a larger company. We have no CIO, no IT department, and no policies whatsoever as regards data retention or backup. Therefore, a lot of company property exists one place-- on individual hard drives. The office is made of almost entirely of rudimentary users, on WIN98 and 2000 machines, who never, ever, back up any company information. Has anyone out there had experiences in a small-office setting with: changing users' behavior in regards to managing their data; setting up best practices for backing up information properly; and making sure that the most computer-apathetic users comply with what you've put in place?" Sometimes the best way to make users conform to policy is to not give them a choice in the first place. 
Automated backup systems on each workstation can go a long way in helping this. Which software packages have such functionality (the more unobtrusive, the better)? ( Read More... | 809 bytes in body | 646 comments | Ask Slashdot ) Logitech Pocket Digital Review Posted by CmdrTaco on Wednesday June 12, @07:25PM from the don't-accidentally-run-it-through-the-laundry dept. randomErr writes "Earthweb/Internet.com has this article about a new ultra slim camera for $130. It has no flash, zoom, or LCD monitor, and takes snapshots instead of spectacular pictures. The advertised resolution is 1.3 megapixels with and actual resolution of 640 by 480. But it's the size of a credit card, half an inch thin, with all-day battery and image capacity." ( Read More... | 188 comments ) Developers Bounds Checking for Open Source Code? Two New Microsoft Languages - AsmL and Pan TrollTech Contest Results Anounced Extensible IDEs? Return of the WaSP PHP 4.3.0 w/ZEND 2 Alpha OGRE GPL'ed 3D Engine F# - A New .Net language Distributed Compilation KBuild Issues on the LKML Older Stuff Wednesday June 12 What Is Public Domain? (254) Haptic Battle Pong... Future of Game Interface? (153) Will Cable Unplug the File Swappers? (851) Writing CGI Applications with Perl (237) iPod for Windows (again) (321) Get Ready For Divx On Xbox (365) Mozilla 1.1 Alpha Released (444) Riding the World's Fastest Train @ 500 kph (538) Linux at Industrial Light and Magic (276) Selling Your (MMORPG) Soul (431) How Yoda Became an Action Star (751) Tuesday June 11 Neverwinter Nights is Gold (323) Lawrence Livermore Lab On The Chopping Block? (371) Terapin Mine Review (171) UCSD Students Tracking Their Friends' Locations (244) Hollow Optical Fibres Can Now Process Signals (97) Satellite Radio - XM vs. Sirius? (486) Countries Ponder: GNU/Linux vs. Microsoft (432) Responses to ADTI Paper (272) UK Government Expands Spying Powers (327) Older Articles Yesterday's Edition Slashdot Poll This Summer.... 
Traveling In School Working, darn it Retired, you insignifigant whippersnapper Waiting for mom to fill wading pool Blissfully Unemployed, slacking Preciousss, the sunsss hurtssss..... Will be stalking CowboyNeal [ Results | Polls ] Comments:254 | Votes:14662 Book Reviews Slashdot's book review section is brimming with reader-submitted commentary on interesting books. Here's a sampling of recent reviews -- read below for how you can add yours to the list. For programmers, check out reviews of the Zope Bible, Programming Jabber and other specialized books. If you're just trying to manage programmers, grumpy's review of Managing Einsteins might be just what you're looking for. Meanwhile, keep the company afloat with lessons learned from The MouseDriver Chronicles and The Bombast Transcripts. Science buff? Read Tal Cohen's reaction to Rare Earth, and Peter Wayner on Digital Biology. Don't forget the grain of salt in Voodoo Science, either. His Dark Materials is one of the many Science Fiction titles that Slashdot readers have praised or panned for your pleasure. And somewhere between Sci-Fi and reality are books like Flesh and Machines, reporting from the intersection of yesterday's fiction and current technology. It's easy to submit your own reviews for consideration, too. Just read the Slashdot book review guidelines, and then use the web submission form. Update: 20020427 12:50 by timothy Quick Links Cool Sites: AnimeFu (Addicted to Anime?) Penny Arcade (The First one is always Free) The Filthy Critic (He Hates Everything) Everything (Blow your Mind) Old Man Murray (Games... Sorta) Themes.org (Make X Perty) Support Slashdot: ThinkGeek (Clothe Yourself in Slashdot) Freshmeat GMime 1.0.0 webCDwriter 2.3b Boot Scriptor 1.67-1.0.1 (Isolinux for Boot Scriptor) blaim 0.4.1 libevent 0.5 Gallery-O-Matic 1.01 Pizza Business 0.95 MAT 0.29 gqlplus 1.2 DocBook The Definitive Guide 2.0.6 Search Freshmeat: More Meat... A businessman is a hybrid of a dancer and a calculator. 
-- Paul Valery All trademarks and copyrights on this page are owned by their respective owners. Comments are owned by the Poster. The Rest © 1997-2002 OSDN. [ home | awards | contribute story | older articles | OSDN | advertise | self serve ad system | about | terms of service | privacy | faq ]

What rubbish (4, Interesting)

johnburton (21870) | more than 12 years ago | (#3692329)

The X bug is very serious. It's possible to set up a web site that will cause any X based computer looking at it to crash. But it's not a microsoft product so I expect the majority of people here will just ignore it and carry on bashing microsoft products as usual.

Re:What rubbish (5, Insightful)

krmt (91422) | more than 12 years ago | (#3692364)

I agree that the X bug is very serious (and I'm particularly worried about it because Debian doesn't even have the newest XFree86 revision in it, so where am I going to get the patch for this) but there is a difference in terms of the problem.

This is a lot easier to exploit for the malicious hacker than the IIS bug. You just set up a page with huge fonts and that's it, you've crashed X. But the payoff for that is a laugh at the (relatively) rare X user who visits your site.

As for the IIS bug, I'll just quote the Wired article...
Microsoft acknowledged a serious flaw Wednesday in its Internet server software that could allow sophisticated hackers to seize control of websites, steal information and use vulnerable computers to attack others online.
This, in my opinion, is a lot worse than simply crashing X. Hell, my Windows 98 crashes almost daily but that doesn't stop me from using it. Crashing isn't so bad. Black Hats stealing information and gaining control of my computer, that's bad.

Re:What rubbish (0)

Anonymous Coward | more than 12 years ago | (#3692428)

But it's not a microsoft product so I expect the majority of people here will just ignore it and carry on bashing microsoft products as usual.

Which is as it should be. Call it karma, but MS just begs to be raked over the coals at every opportunity. It's like that one really arrogant guy at work. Any chance to take him down a peg is quite welcome since his attitude sucks.

Re:What rubbish (0)

Anonymous Coward | more than 12 years ago | (#3692450)

> It's possible to set up a web site that will cause any X based computer looking at it to crash.

Make that "..any X based computer running Mozilla (..) to crash".

Damnit, RTFA.

-$|{

Re:What rubbish (3, Insightful)

Rogerborg (306625) | more than 12 years ago | (#3692474)

  • The X bug is very serious. It's possible to set up a web site that will cause any X based computer looking at it to crash

"Any"? Spurious assertion. I've just viewed the test site, and didn't get a crash. Mind you, I only tried Konqueror, Eudora and lynx. Should I keep trying all of the other browsers that I have available until one manages to achieve the specified behaviour, or should I go back to worrying about my work machine (NT4, mandatory and unpatched IE5.01 & Outlook Express) getting rooted out from under me?

You're right that we do bash Microsoft products more than they deserve. But not much more. I'd prefer if we bashed the clueless Microserfs and control freakish IT departments that tolerate and encourage this horridly vulnerable monoculture, but that's a separate debate.

Re:What rubbish (0)

Anonymous Coward | more than 12 years ago | (#3692475)

Well, the thing is, it is all very nice creating a site to crash X, but if it does so, it's not going to get linkage, and hence, you'll never actually meet it in the wild. That is the perversity of these sites that crash browsers... Simply, you don't go back, and their links don't get spread around. It self-contains.

Moreover, I would suggest that since Mozilla is already patched, that is that. Konqy has no problems, btw :)

Xfs does need a tweak, but it is a simple bug, with a quick fix. I expect that we'll see a new revision very soon. Remember that desktop machines are typically going to be updated soon for Gnome 2, KDE 3.1, KOffice 1.2 and the new Kernel 2.6...

Servers and critical systems aren't used for browsing anyway, so that is a non-issue.

So pretty much, there is a fractional chance a desktop machine could be crashed. Once, and never again. Still beats the hell out of windows :)

Serious Linux Flaw? (2, Insightful)

taliver (174409) | more than 12 years ago | (#3692335)

Isn't this X bug a symptom of a more serious linux bug? Why should any process get to take all of the memory. I've done this with strictly user level programs, and I was able to make the system crash (a severe memory leak in a small program I had written). How should any user level process stop a machine?

In a couple of cases, Linux was able to kill my memory hog, but there's some sort of serious resource contention. I hope the 2.6 kernel addresses this issue.

Re:Serious Linux Flaw? (5, Informative)

Tim C (15259) | more than 12 years ago | (#3692358)

You can use the ulimit command to set an upper limit on the memory available to any process started by the shell under which it is issued.

Just putting something like ulimit -m 200000 in your startx script should limit X's memory usage to 200meg.

ulimit can also set upper limits on available CPU time, core file size, etc. Bash has a builtin version, so do man bash and look for ulimit for more details.

Re:Serious Linux Flaw? (1)

taliver (174409) | more than 12 years ago | (#3692392)

But this certainly isn't a default, and you might be able to fix a process or two, but what would you set the limit to for ordinary processes for ordinary users? The size of physical memory? Physical+Swap? I thought that was the sort of thing the Memory manager was supposed to handle.

Re:Serious Linux Flaw? (0)

Anonymous Coward | more than 12 years ago | (#3692406)

No this won't work in linux. Use -v and set it at or below your machine's RAM size
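
The two limits discussed in this thread (Tim C's `ulimit -m` suggestion and the correction above to use `-v`), as an added example in C rather than code from any poster: the setrlimit(2) calls behind those two shell commands, run against a deliberately oversized allocation. This is not code from XFree86, Mozilla or any distribution; it assumes Linux with glibc, and the 256 MiB cap, 8 MiB RSS cap and 1 GiB request are arbitrary demo values.

```c
/* Added example for this thread, not code from XFree86, Mozilla or any
 * distribution: the setrlimit(2) calls behind `ulimit -v` (RLIMIT_AS) and
 * `ulimit -m` (RLIMIT_RSS).  Assumes Linux with glibc; all sizes are
 * arbitrary demo values. */
#include <stdio.h>
#include <stdlib.h>
#include <sys/resource.h>

#define MIB (1024UL * 1024UL)

/* Lower only the *soft* limit of `resource` to `bytes`, saving the old value.
 * The hard limit is untouched: an unprivileged process cannot raise it again,
 * so lowering it would make the demo irreversible.  Returns setrlimit's result. */
static int lower_soft_limit(int resource, unsigned long bytes, struct rlimit *saved)
{
    struct rlimit lim;
    if (getrlimit(resource, &lim) != 0)
        return -1;
    *saved = lim;
    lim.rlim_cur = bytes;
    if (lim.rlim_max != RLIM_INFINITY && lim.rlim_cur > lim.rlim_max)
        lim.rlim_cur = lim.rlim_max;            /* soft may never exceed hard */
    return setrlimit(resource, &lim);
}

/* The `ulimit -v` point: with RLIMIT_AS capped, a runaway allocation fails
 * inside the offending process (malloc returns NULL with errno ENOMEM)
 * instead of dragging the whole machine into swap.
 * Returns 1 if the oversized request was refused, 0 if it went through,
 * -1 if the limit could not be set. */
int huge_malloc_refused_under_as_cap(void)
{
    struct rlimit saved;
    void *p;
    int refused;

    if (lower_soft_limit(RLIMIT_AS, 256 * MIB, &saved) != 0)
        return -1;
    p = malloc(1024 * MIB);                     /* 1 GiB, four times the cap */
    refused = (p == NULL);
    free(p);                                    /* free(NULL) is a no-op */
    setrlimit(RLIMIT_AS, &saved);               /* restore the original soft limit */
    return refused;
}

/* The correction above about `ulimit -m`: the Linux kernel accepts an
 * RLIMIT_RSS value but does not enforce it, so memory far above the cap can
 * still be allocated and faulted in.  Returns 1 if 64 MiB was usable under an
 * 8 MiB RSS cap, 0 if the cap was enforced, -1 on setrlimit error. */
int rss_cap_is_not_enforced(void)
{
    struct rlimit saved;
    size_t i, n = 64 * MIB;
    unsigned char *buf;
    int usable = 0;

    if (lower_soft_limit(RLIMIT_RSS, 8 * MIB, &saved) != 0)
        return -1;
    buf = malloc(n);
    if (buf != NULL) {
        for (i = 0; i < n; i += 4096)
            buf[i] = 1;                         /* touch each page so it becomes resident */
        usable = 1;
        free(buf);
    }
    setrlimit(RLIMIT_RSS, &saved);
    return usable;
}

int main(void)
{
    printf("1 GiB malloc refused under a 256 MiB RLIMIT_AS: %d\n",
           huge_malloc_refused_under_as_cap());
    printf("64 MiB usable under an 8 MiB RLIMIT_RSS (1 = cap ignored): %d\n",
           rss_cap_is_not_enforced());
    return 0;
}
```

The shell equivalent of the first function is `ulimit -v 262144` (bash takes the value in KiB) before starting the X server; put it in the startx script as Tim C suggests and the limit is inherited by X and everything it spawns. Note that `-v` caps address space, not resident memory, so a server that maps a large framebuffer or lots of shared libraries needs a correspondingly higher value or it will fail to start at all.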

Re:Serious Linux Flaw? (0)

Anonymous Coward | more than 12 years ago | (#3692379)

I've done this with strictly user level programs, and I was able to make the system crash (a severe memory leak in a small program I had written).

Behold!

#include <stdlib.h>
#include <unistd.h>

/* Deliberate resource bomb: leaks a page and doubles the process count on
 * every iteration. Only run inside a throwaway VM. */
int main(void){
    for(;;){
        malloc(4096);   /* never freed */
        fork();         /* parent and child both keep looping */
    }
}


System resources are finite, and when you use up all of these resources, your operating system can either try to be clever about it, and attempt to recover (killing processes or freeing memory based on some algorithm), or it can be dumb about it, and die. Most OS's are dumb about it, simply because it's very, very rare, and the extra code to attempt a smart recovery isn't worth it, and is limited in how smart it can be, anyway; i.e. it can't just delete processes at random. What if it killed the init, or kswapd process?

Re:Serious Linux Flaw? (0)

Anonymous Coward | more than 12 years ago | (#3692390)

Your X-server runs setuid.

Re:Serious Linux Flaw? (1)

Anonymous Coward | more than 12 years ago | (#3692393)

> Isn't this X bug a symptom of a more serious
> linux bug?
No

> Why should any process get to take all of the
> memory.
This is how modern memory management works.

> I've done this with strictly user level
> programs, and I was able to make the system
> crash (a severe memory leak in a small program I
> had written). How should any user level process
> stop a machine?
The linux mm is getting better at this, overcommit makes the problem difficult, however it is something which shouldn't even be left to the best mm's, rather limits. See man ulimit(3), [gs]etrlimit(2), pam(7) etc.

> In a couple of cases, Linux was able to kill my
> memory hog, but there's some sort of serious
> resource contention. I hope the 2.6 kernel
> addresses this issue.
Well there is only so much the kernel can do. Lots of people also think forkbombs that effectively crash the system are also bugs. Read about UNIX - it isn't the kernel's task to impose this sort of policy ... all it can do is try to distribute CPU time fairly between thousands of CPU hogging threads.

Re:Serious Linux Flaw? (1)

taliver (174409) | more than 12 years ago | (#3692426)

Well there is only so much the kernel can do. Lots of people also think forkbombs that effectively crash the system are also bugs. Read about UNIX - it isn't the kernel's task to impose this sort of policy ... all it can do is try to distribute CPU time fairly between thousands of CPU hogging threads.

(From an AC above)
Yes, it should be the job of the OS to handle resource contention, and you're right, fork bombs are problems, since the number of processes is large.

However, this is one process. OS research has proven the capability of resource containers. That one process should be the one that slows and dies, not the entire system. Otherwise, all of those benefits that *nixes have over MS systems are trivial if one user level process, non-privileged, can DOS the system without a second thought.

Re:Serious Linux Flaw? (0)

Anonymous Coward | more than 12 years ago | (#3692461)

1. What I meant to show was an example of another similar problem which is solved by using limits.

2. A fork bomb is something like a process which loops creating processes that loop creating processes.... (ie. no _one_ process to penalize).

3. I did say that the OS does handle resource contention... the only way it can (by fairly distributing CPU time amongst all processes which want it).

4. This may mean your shell takes minutes to get a timeslice

5. If a user can only create (say) 50 processes, this isn't a problem.

6. Same with the memory argument.

7. hello.

No way of comparing the two bugs (4, Insightful)

Anonymous Coward | more than 12 years ago | (#3692338)

It can hardly be just to compare the two software bugs where one is a web server and one an internet browser. That's like comparing getting rid of pollution to getting rid of bad breath.

And also I'm surprised about the stupidity in this sentence: "Open Source's time to patch a much less serious bug where the attacker can merely crash your computer: three days." - well honestly, what does that say: isn't it obvious that a lesser problem takes less time to fix than a larger one? That's just dumb.

I'm no huge M$ fan myself, but this article smells awfully much of unjustified M$-hatred. Let products speak for themselves, and let users make their own opinions.

Bottom line: propaganda sucks.

Re:No way of comparing the two bugs (-1)

negativekarmanow tm (518080) | more than 12 years ago | (#3692340)

I'm no huge M$ fan myself, but this article smells awfully much of unjustified M$-hatred. Let products speak for themselves, and let users make their own opinions

And you've been reading slashdot how long?

Re:No way of comparing the two bugs (-1, Flamebait)

Anonymous Coward | more than 12 years ago | (#3692354)

How long is your penis? Who gives a crap. It's the article I'm commenting on, not Slashdot.

Re:No way of comparing the two bugs (-1)

negativekarmanow tm (518080) | more than 12 years ago | (#3692441)

My penis measures 9 inch, fully erect. I like to stick it in piles of shit, or, alternatively, in your face.

Suck it. Suck it long, and suck it hard.

Re:No way of comparing the two bugs (-1, Offtopic)

Anonymous Coward | more than 12 years ago | (#3692464)

Your momma must be proud (as well as satisfied). Now if you'll excuse me I have better things to do than reading your bitching.

Flawed logic (4, Insightful)

rufusdufus (450462) | more than 12 years ago | (#3692339)

The author says that it took Microsoft two months to fix a big flaw in IIS, while it took open source only three days to fix a little flaw in Mozilla.
This comparison defies rational comprehension. The length of time it takes to do two totally different tasks on two totally different pieces of software for two totally different markets is completely meaningless. I can write a program and pop it onto the internet in an hour...so what? What's the relationship?

Re:Flawed logic (4, Insightful)

uglyduckling (103926) | more than 12 years ago | (#3692398)

MS has armies of well paid programmers who know the software inside out, is in the middle/end of an apparently unilateral security review, and has taken two months to patch a hole in their flagship web server product.

Mozilla has - well perhaps a relatively small army of programmers, many of whom are voluntary, and managed to patch a bug that is really only a pain in three days.

Yes - you can't quantitatively compare the two and say that Mozilla is x percent more efficient/reliable/whatever than MS, but you can make a qualitative comparison and ask why MS took an order of magnitude longer time to respond. Even if we give MS the benefit of the doubt and assume that the IIS hole is much harder to patch than the Moz hole, MS should have and could have thrown much more resources at the problem to make sure it got fixed within a week - but they didn't.

Its logical (1)

FullClip (139644) | more than 12 years ago | (#3692345)

The bigger the hole the more stuff they need to put in it to plug it, the longer it takes!

Hey, this makes sense to my 3 year old niece, so it should do to you too :)

Microsoft and Security (0)

Anonymous Coward | more than 12 years ago | (#3692348)

Go together like a peanut butter and thousand island sandwich.

Microsoft Times (0)

EyeOfTheBeholder (413709) | more than 12 years ago | (#3692351)

Can we get international newspapers? Maybe someone should start, 'The Microsoft Times' or something?? Then all the stories can be put in one place!

How bout it?

Sick and tired of this self congratulation (5, Insightful)

matusa (132837) | more than 12 years ago | (#3692353)

OK, is anyone else sick of the inane way in which we compliment ourselves continuously?

Come on, we really do not need to say these sort of things: nah nah, we fixed something first, we're better than you. Does anyone else find it retarded that you can crash an X server just by telling it to display a font which is too big?

What about the fact that we STILL don't really take advantage of gfx hardware for 2D presentation? or the fact that fonts still look like ass?

If you think we can laugh at others, check those market share figures. We have a lot of work to do.

Differences (0)

Anonymous Coward | more than 12 years ago | (#3692360)

Microsoft's time to adequately test the patch in a plethora of working environments and configurations: two months.

Open source's time to adequately test the patch in a plethora of working environments and configurations: Test? Fuck dat. Let the morons figure out how to properly configure it their damned selves. Lazy shits, go back to Windows.

New MSN homepage source (0)

SeanTobin (138474) | more than 12 years ago | (#3692363)



> Welcome to the new MSN.COM built on .NET!

Ummm ... so what? (3, Insightful)

Mr_Silver (213637) | more than 12 years ago | (#3692374)

Time for my neighbour to fix the dodgy shed door: 2 months. Time for me to fix the dodgy wiring in the kettle: 15 minutes.

Not wanting to be pedantic but the duration of time it takes to fix a bug isn't exactly a great indicator of anything (except maybe, how long it took to fix it).

It's a bit like assuming that a program with 5000 lines is obviously worse than one with 7500 lines.

We know nothing about the internals of IIS and the two bugs are not even remotely related. You simply can't compare the two and come out with anything meaningful.

Minor X bug?? (2)

jukal (523582) | more than 12 years ago | (#3692377)

In which context do you consider it a minor bug, if XFree tries to scale its font to any size you determine? Memory-hog bugs are never minor (just see Microsoft Windows for reference ;)) - I mean this can also be an indicator of some even more serious mis-think on checks that are done to XFree fonts before trying to display them. I would not be surprised if in 2 weeks there was an article on securityfocus stating "displaying 'gimme root' in supersize fonts in XFree environment provides the intruder with remote root exploit."

New MSN.com homepage code (4, Funny)

SeanTobin (138474) | more than 12 years ago | (#3692381)

<body>
<font size=<?php
// serve a ludicrous font size only to Mozilla-family browsers
if (stristr($_SERVER['HTTP_USER_AGENT'], 'mozilla')) {
    echo '16666666666';
} else {
    echo '12';
}
?> >
Welcome to the new MSN.COM website, powered by the .NET framework....

(sorry about the previous post... previewed ok, but didn't post correct without extrans...)

MS (0, Redundant)

lethalwp (583503) | more than 12 years ago | (#3692394)

i have only one thing to say:

MOUAHAHAHAHAHAHAHHAHAHHAHAHAHHAHA

MS.. MS MS.... They will never learn it....

And i know so many people trusting them... They are all disappointed too..!

Enough bugs this week!?!? (0)

Anonymous Coward | more than 12 years ago | (#3692397)

This is the 4th this week, on top of the latest one that was all over the news these last few days. http://www.pcquote.com/stocks/news/getnews.php?ticker=MSFT&newsstory=CX20020612u5t8&start=0 [pcquote.com] Microsoft needs to wake up and smell the Bawls. :)

Re:Enough bugs this week!?!? (0)

Anonymous Coward | more than 12 years ago | (#3692421)

Nope, neva!

Maybe (0)

Anonymous Coward | more than 12 years ago | (#3692408)

The X developers could use this as an excuse to FIX the problems with fonts - aka. They LOOK LIKE SHIT!

The reason why I usually boot into windows is because of the fonts, I'd rather use notepad in windows than vi, kedit, gedit whatever in Linux, because the fonts are fucking horrible!

Fix the font system.

Re:Maybe (3, Funny)

GutBomb (541585) | more than 12 years ago | (#3692438)

first time i heard someone bitch about the fonts in vi :)

Serious money in this. (5, Funny)

WasterDave (20047) | more than 12 years ago | (#3692440)

It strikes me that there might be some quite serious money in these "agreements with Microsoft". In a post dotcom world, it's a pretty plausible business plan:

* Find holes in MS software.
* Publicise them frantically.
* Come to "an agreement".
* Kachingggggg!

Dave

This is _not_ a bug in mozilla (4, Informative)

theridersofrohan (241712) | more than 12 years ago | (#3692444)

This is a bug in XFree86 and/or (depending on what you are using) XFS. The error doesn't happen under windows... And apparently, it can be triggered under linux by other programs as well (gimp) if you set the font size absurdly high.

Check out the Bugzilla item here [mozilla.org]

Also, this is _not_ a DOS attack. What it does is make X consume all available memory and swap. And it can be triggered remotely by running mozilla, and browsing a webpage with absurdly large fonts. But it is by no means a DOS attack, because no-one is actively attacking you, making you "Deny Service" to other users.

H1 (2, Funny)

JohnHegarty (453016) | more than 12 years ago | (#3692453)

<H1>Your Hacked</H1>

but i am sure there is more to it than that...

Re:H1 (-1)

Anonymous Coward | more than 12 years ago | (#3692476)

<H1 style="font-size:999999999999999pt">Your hacked</H1>

MS: switch to XP. (4, Insightful)

Sarin (112173) | more than 12 years ago | (#3692455)

"Microsoft Discloses Software Flaw"
and
"The server software included within Microsoft's newer Windows XP operating system was not affected by the security flaw."

Sure it's these kinds of subtle remarks from interviewed microsoft officials that make companies -with little knowledge- want to switch to the more "secure" XP server package in a last effort to stay one step ahead of the evil "hackers". I bet there are a hell of a lot of disclosed software flaws under XP as well, perhaps even some backdoors -against terrorism of course- within the upcoming servicepack who knows, but usually people don't understand that.

That's why mozilla sucks! (-1, Offtopic)

Anonymous Coward | more than 12 years ago | (#3692459)

Konqueror rules! Mozilla can suck its own cock!

[OT] M$ sent me a Klez Virus (-1)

Anonymous Coward | more than 12 years ago | (#3692470)

Two days ago, I received a Klez virus from inet@microsoft.com . It seems as if they really were working hard to secure things ;)