Exploits Circulating for Latest Windows Holes

CmdrTaco posted more than 9 years ago | from the netcraft-confirms-that-trolls-are-uncreative dept.

Security 185

1sockchuck writes "Exploits are already circulating for at least two (and possibly four) of the Windows security holes addressed in Microsoft's updates on Tuesday. Several working exploits have been released for a new vulnerability in Windows Plug and Play technology, which could be used to spread a worm targeting Windows 2000 machines, according to eEye security, which has released a free scanner to help network admins identify vulnerable computers."

185 comments

Microsoft Induced? (5, Funny)

Deltaspectre (796409) | more than 9 years ago | (#13304120)

Perhaps this vulnerability was a 'Feature' to get people to migrate away from Windows 2000?

"interesting" my ass (0, Troll)

Adolf Hitroll (562418) | more than 9 years ago | (#13304190)

you = teh moron [lemonparty.org]

Re:"interesting" my ass (0, Troll)

Blarrrg (907169) | more than 9 years ago | (#13304277)

you = teh moron [hookedonphonics.com]

Re:Microsoft Induced? (1)

daniil (775990) | more than 9 years ago | (#13304244)

Only as much as the rest of the holes in Windows 2000 are.

Too many services on your Windows2000 box mabe? (0, Redundant)

alexandreracine (859693) | more than 9 years ago | (#13304514)

This may be a little hard comment, but do 100% of Windows 2000 servers really need the plug and play service to be running? Maybe 1% really need it. For the others, just deactivate it and future bugs and holes won't touch you. I think it is a pretty good practice to deactivate everything that you don't need!

Don't believe me? I only work in a computer security company, what do I know? ;)

Re:Microsoft Induced? (1)

randm.ca (901207) | more than 9 years ago | (#13304523)

My UID is prime... is yours?
As a matter of fact, yes.
On the quest to ban Dihydrogen Monoxide
I'm going to assume, based solely on the evil sounding name of this substance, that it is deadly. So can I make a donation anywhere to help the cause?

Re:Microsoft Induced? (1)

Deltaspectre (796409) | more than 9 years ago | (#13304648)

Donations can be made of space in your bank account to the next Nigerian fellow that happens to email you :)

Re:Microsoft Induced? (1)

agraupe (769778) | more than 9 years ago | (#13304710)

I'm not sure if you get the joke or not, but Dihydrogen Monoxide is, in fact, water.

Re:Microsoft Induced? (1)

joepeg (87984) | more than 9 years ago | (#13305001)

Nah,

They are just going to kick all Windows 2000 users to the curb on June 30, 2005 [microsoft.com] whether you come with them to XP/Longhorn, or not.

Only two or four... (4, Funny)

creimer (824291) | more than 9 years ago | (#13304154)

At least, Microsoft is maintaining great quality control.

Is it really New? (4, Funny)

ellem (147712) | more than 9 years ago | (#13304159)

I mean W2K has been around for about... uh, 5 years?

So isn't this just an old exploit that was just found?

See? Having 900,000,000,000 lines of code is a good thing.

Re:Is it really New? (0)

Anonymous Coward | more than 9 years ago | (#13304258)

To be fair to M$, there isn't much they can do more than releasing a patch. Patches will always get quickly reverse engineered and exploits developed, but their Automatic update mechanism in XP SP2 is the best you can hope for amongst the uneducated masses.

What really annoys me is that they actually leave vulns unpatched for months. See eEye:
http://www.eeye.com/html/research/upcoming/index.html [eeye.com], there are unpatched IE holes more than 4 months old!

Re:Is it really New? (0)

Anonymous Coward | more than 9 years ago | (#13304590)

Maybe Microsoft is just trying to prove they can outdo FireFox. After all, Mozilla kept the critical shared function objects code execution exploit a secret for 2 months before patching it, and left the content-generated event exploit (which they rated as a "high" security risk) open for 3 months.

And with each version we get even older vulnerabilities being admitted for the first time (the 1.0.5 release fixed a high risk exploit that was reported before 1.0.3 was released, and had 3 more exploits that were known before 1.0.4) so Microsoft obviously has no choice but to go big if they want to remain competitive with FireFox's growing list of unpatched vulnerabilities.

Re:Is it really New? (4, Interesting)

99BottlesOfBeerInMyF (813746) | more than 9 years ago | (#13304321)

So isn't this just an old exploit that was just found?

No. This is an old vulnerability that was just published, and had new exploits written and published for it. That is not to say other exploits have not existed for this vulnerability for the last five years.

Re:Is it really New? (1)

bill_mcgonigle (4333) | more than 9 years ago | (#13304828)

This is an old vulnerability that was just published, and had new exploits written and published for it.

Just to amplify what you've said:
This is an old vulnerability that was just published publicly, and had new exploits written and published for it.
It's possible, and has a certain chance of being likely, that this exploit has been published in non-public fora for the past five years.

As we learned a couple stories back, Microsoft is catching exploits of unpublished vulnerabilities in their honeypots. I'm rather surprised they're making it public - to rephrase it: "Yes, we have 0-day exploits." Warms the heart, doesn't it?

Re:Is it really New? (1)

RabidOverYou (596396) | more than 9 years ago | (#13305080)

> It's possible, and has a certain chance of being likely ...

Well gosh, there's an authoritative statement.

Re:Is it really New? (2, Funny)

dagr8tim (866860) | more than 9 years ago | (#13304689)

I mean W2K has been around for about... uh, 5 years? So isn't this just an old exploit that was just found?

This just goes to prove that hackers are getting lazy. I mean it took them 5 years to find this hidden feature. Or maybe MS programmers have more foresight than we give them credit for.

Registration form privacy information at eEye (4, Insightful)

mikeophile (647318) | more than 9 years ago | (#13304170)

Our website's registration forms require users to provide contact information (names and email addresses) and financial information (account or credit card numbers). Financial information that is collected is used to bill the user for products and services purchased and is only used internally by eEye. Contact information is used to confirm and ship orders, to contact the user when necessary, and to notify users when new products and services are available. Users may choose not to receive future mailings from eEye; see the Choice/Opt-Out section below. eEye Digital Security may occasionally share visitor contact information with official product resellers that adhere to a comparable privacy policy; visitor contact information is NEVER given to other third-party vendors that are not affiliated with eEye.

Why do they insist on my personal information if they aren't going to use it?

They have the ability to let me opt out of mailing, why don't they provide an opt out for my information in the first place?

Re:Registration form privacy information at eEye (0)

Anonymous Coward | more than 9 years ago | (#13304204)

Notice they only say "NEVER given to other third-party vendors that are not affiliated with eEye."

which means if they are actually affiliated with companies that do naughty things you're screwed... I wonder if they give a full list of affiliates or if that's "private" company information.

loopholes as usual.

Re:Registration form privacy information at eEye (1, Informative)

Anonymous Coward | more than 9 years ago | (#13304289)

enjoy [nyud.net]

Re:Registration form privacy information at eEye (1)

deviantphil (543645) | more than 9 years ago | (#13304539)

Our website's registration forms require users to provide contact information (names and email addresses) and financial information (account or credit card numbers). Financial information that is collected is used to bill the user for products and services purchased and is only used internally by eEye. Contact information is used to confirm and ship orders, to contact the user when necessary, and to notify users when new products and services are available. Users may choose not to receive future mailings from eEye; see the Choice/Opt-Out section below. eEye Digital Security may occasionally share visitor contact information with official product resellers that adhere to a comparable privacy policy; visitor contact information is NEVER given to other third-party vendors that are not affiliated with eEye.

Or...you could just not give them a valid email address? Or...if they need to send you something (registration code....whatever) via email you can do this:

  1. Buy Domain for $8
  2. Make bogus alias that points to your real email address
  3. Register for whatever (with bogus alias)
  4. Get required email
  5. Delete Alias

Re:Registration form privacy information at eEye (1)

JFitzsimmons (764599) | more than 9 years ago | (#13304594)

Too much work. Try this:

http://www.spamgourmet.com/ [spamgourmet.com]

Lip service to privacy (1)

Vainglorious Coward (267452) | more than 9 years ago | (#13304661)

In similar vein, note that you have to fill in your email twice [eeye.com]. A classic example of why "double opt-in" is utterly meaningless.

It is interesting that... (5, Insightful)

donleyp (745680) | more than 9 years ago | (#13304177)

The exploits came out after the announcement and not before. It begs the question, do we need to give M$ credit for pushing the patch before the exploit became common knowledge? Compare this to Cisco who tried to squash recent publicizing of their vulnerability.

Re:It is interesting that... (0)

Anonymous Coward | more than 9 years ago | (#13304292)

It begs the question

It raises the question. Begging the question means something completely different.

Re:It is interesting that... (1)

Le Marteau (206396) | more than 9 years ago | (#13304347)

It raises the question. Begging the question means something completely different.

Not any more, Poindexter. The definition has changed. Languages have a tendency to do that, just as pedants have a tendency to want to see their language cast in stone.

Re:It is interesting that... (2, Insightful)

timster (32400) | more than 9 years ago | (#13304452)

The problem is that now it means both things, and every time you encounter it you have to reason out which meaning is being used. So it's currently better to not use the expression at all, and substitute "raises the question" for one meaning and "circular logic" for the other.

Evolution of language isn't a problem, but useless entropy like forgetting the meaning of an expression makes clear and effective writing more difficult. There are those of us who like to read clear and effective writing, so we wish that it were easier to do.

Re:It is interesting that... (1)

Le Marteau (206396) | more than 9 years ago | (#13304519)

I hear you, and certainly commiserate.

I have personally resigned the phrase 'begs the question' to the trash heap of vulgar language, and unless I'm talking to a man of letters and not the general public, I don't use the phrase. It's 'more proper' usage is all but useless in the 'real world' .

It's too bad, but such is life and language. The vulgar consistently take words with precise and definite meanings and sully them. I guess what I'm saying is that to try to fight that kind of degradation is an exercise in futility and never ending frustration, and is best avoided.

Re:It is interesting that... (1)

operagost (62405) | more than 9 years ago | (#13304643)

It's 'more proper' usage is all but useless in the 'real world' .
You are correct. Unfortunately, you used the wrong "its."

D'oh!

Re:It is interesting that... (1)

deesine (722173) | more than 9 years ago | (#13304918)

LOL

Major crash'n burn...after pulling off a couple loops and rolls.

Re:It is interesting that... (1)

fbjon (692006) | more than 9 years ago | (#13304911)

I've been trying to find an explanation for the original meaning, but haven't found one that makes logical sense (I'm not a native speaker). Any pointers? I can understand circular logic, but my brain cannot twist that from the phrase "beg the question"...

Re:It is interesting that... (0)

Anonymous Coward | more than 9 years ago | (#13304787)

I agree.

Of course, the phrase "I agree" means "I think you're an idiot" according to my personal definition.

Just because some people are confused about what a phrase means, it doesn't mean we should throw away the existing definition and start using theirs. Otherwise everything Microsoft does is innovative.

Re:It is interesting that... (0)

Anonymous Coward | more than 9 years ago | (#13304307)

I could be wrong, but isn't that typical of what's been happening for the last couple of years?

It seems that most of the recent viruses and other malicious software attacking Windows have come out AFTER patches for those vulnerabilities are provided by Microsoft. I guess virus writers are relying more on reverse-engineering patches than on finding vulnerabilities themselves...of course, whatever credit Microsoft does or does not deserve for their patching policies, if the holes weren't there to begin with, there wouldn't be these problems...

Re:It is interesting that... (1)

Tengoo (446300) | more than 9 years ago | (#13304331)

It begs the question, do we need to give M$ credit for pushing the patch before the exploit became common knowledge?
Uh oh, the grammar nazis will descend upon ye shortly. I heard that phrase misused on CNN the other day, how the hell does that happen.

Re:It is interesting that... (2, Insightful)

uqbar (102695) | more than 9 years ago | (#13304339)

Cisco had also patched their vulnerability before the publicity. The whole point of the BlackHat presentation was to encourage admins to use the patch, and to shame Cisco for underplaying how serious the issue is.

I don't know exactly why... (2, Funny)

Stanistani (808333) | more than 9 years ago | (#13304182)

But I'm reminded of a childhood verse...
"The worms crawl in, the worms crawl out
The worms play pinochle on your snout..."

Re:I don't know exactly why... (2)

Fishstick (150821) | more than 9 years ago | (#13304700)

Lovely little nursery rhyme, that
Did you ever think, as a hearse goes by,
That you might be the next to die?
They wrap you up in a big white sheet,
And bury you down about six feet deep

They put you in a big black box,
And cover you up with dirt and rocks,
And all goes well, for about a week,
And then the coffin begins to leak!

The worms crawl in, the worms crawl out,
The worms play pinochle on your snout.
They eat your eyes, they eat your nose,
They eat the jelly between your toes.

A great big worm with rolling eyes,
Crawls in your stomach and out your eyes,
Your stomach turns a slimy green,
And pus pours out like whipping cream.

You spread it on a slice of bread,
And that's what worms eat when you're dead.

Alternate / Additional Lines:

They wrap you up in a long white shirt
And cover you up with rocks and dirt

They put you in a long pine box
And cover you over with dirt and rocks

The worms that crawl in are lean and thin
The worms that crawl out are fat and stout

Your eyes fall in and your hair falls out
Your brains come pouring out your snout

They use your bones as telephones
and call you up but you're no longer at home

Your eyes pop out, your teeth decay
and that's the end of a peaceful day

You turn the color of sickening green
And pus comes out like butter and cream
You wipe it up with a piece of bread
And that's what you eat when you are dead

They eat your eyes, they eat your nose
They eat the jelly between your toes

Your stomach turns a mossy green
And pus comes out like fresh whipped cream
You wipe it up with a piece of bread
And that's what you eat when you are dead

Free, but not without pain (3, Insightful)

bitslinger_42 (598584) | more than 9 years ago | (#13304185)

Is anyone but me getting sick of these companies releasing "free" tools that require you to register for their incessant spam, phone calls, and other marketing harassment in order to download? Yes, I understand that they spent money to develop the tool, but what if I want to scan my home network? MySQL isn't too bad, at least. They have the marketing signup, should you be interested, but provide a link to download without all the crap.

[Wanders off muttering about the good old days of gopher and archie]

Re:Free, but not without pain (1)

zxnos (813588) | more than 9 years ago | (#13304309)

yup. but if you look hard there is sometimes a small line of text that says "click here to download without registering". at least autodesk has one. it is hard to see though.

Re:Free, but not without pain (1)

uqbar (102695) | more than 9 years ago | (#13304355)

It's even worse when you pay for the tool and you still get spam, spyware and worse...

link (2, Informative)

Anonymous Coward | more than 9 years ago | (#13304380)

right here [nyud.net]

-WH

MOD UP (0)

Anonymous Coward | more than 9 years ago | (#13304410)

+1 useful

Re:Free, but not without pain (0)

Anonymous Coward | more than 9 years ago | (#13304454)

Yes, I understand that they spent money to develop the tool, but what if I want to scan my home network?

then write your own damn tool.

Not to worry... (1)

pmdata (861264) | more than 9 years ago | (#13304187)

Exploits like these will all be fixed in Longhorn, umm, Vista. Seriously, the general population doesn't patch the security fixes that are out there, let alone the new ones that come out every other Tuesday. So exploits based on new patches are irrelevant if a computer can be compromised with mydoom.

Re:Not to worry... (3, Interesting)

guildsolutions (707603) | more than 9 years ago | (#13304305)

Microsoft with all its massive billions of dollars, charging in excess of $300 for a full, licensed version of Windows XP Professional... Cannot afford to write clean, bug free code?

As a programmer myself I am often faced with the idea of completely re-writing my code, not just leaving the function sit, while being unused.

Compare to Apple's OS X (granted, the numbers argument about there is not a mass majority to spread a major virus even if it was to be discovered), why can't Microsoft decide to take shape, and start producing a REAL operating system that is built upon firm solid foundations of bug free (relatively) code. They have admitted in the past that they have pushed features ahead of security, and yet our major corporations still tout that microsoft is secure enough for their sensitive financial information.

Give me a break will ya? I really just wish that microsoft would have a much more open beta, much more strict adherence to quality code, and less mouthpieces saying how great their stuff is.

Re:Not to worry... (1)

pmdata (861264) | more than 9 years ago | (#13304327)

I'm afraid that you are wishing for something that's never going to happen. Here's to the OS X revolution! pm

Re:Not to worry... (3, Interesting)

whoever57 (658626) | more than 9 years ago | (#13304509)

I think that you have to assume there will be bugs in the code. I am sure Apple has bugs. The real question, is: why are there so many listening ports on a Windows NT/2K/XP machine? Even one that has no files shared for users. What does it need them for? MS recommends running a firewall, which rather defeats the purpose of any listening ports, including such things as the administrative shares. In this case, we have some code that is supposed to detect new hardware apparently listening on the Ethernet port. Why? New hardware is going to fly down the network? Wow! MS should patent that now since it would put UPS and Fedex out of business. So, I don't think it is so much a bug as "what in $DEITY's name were they thinking when they designed this feature?"

Re:Not to worry... (1)

Achoi77 (669484) | more than 9 years ago | (#13304846)

I wish there was a direct correlation between "Making more money" and "Quality Products." Let's face it: Microsoft is the McDonalds of the Operating System world. They aren't interested in giving you the best thing on earth, they are interested in supplying you with barest essential needs to sustain you, in order to maximize their profit without sacrificing their customer demand and quarterly profits.

Don't misunderstand me, I'm not trying to bash Microsoft. Overall I believe their product fills the need of the majority of their customers in terms of productivity. And yes, there are other Operating Systems out there that are much better suited for different or more specialized needs.

But if all you are looking for is a cheap burger and a soda to prevent you from, well - starving, then you can bet your job that most people are not going to go to DB Bistro Moderne to get a $50 Foie Gras burger when the McDonalds down the street will fulfill that need perfectly, more cost effectively, and quicker.

People that actively search for a better alternative solution will always luck out. To these guys, the cheap burgers they find are the Carl's Jr, or the In-N-Out Burgers: higher quality burgers for the same amount of cost and convenience (YMMV, but you get the gist of what I'm trying to say). But the majority of the world doesn't really care. To them, a burger is a burger is a burger is a burger. All they care is:
1) Can I get on the internet to buy stuff?
2) Can I chat with my friends?
3) Can I take photos and print them from my computer?
4) Can I write documents or other work related material?
5) Can I listen to music with it?
6) Does it *just work?* (I really hate that term)

In fact, it's only a recent trend that we are starting to see quality coming up from the woodwork. As more Wendys are popping up, McDonalds is forced to up their quality standards in order to keep customer satisfaction (again, whether or not you believe Wendys has higher quality products is irrelevant). It's the capitalistic way. Microsoft doesn't want to enforce a level of quality if it's going to cause them to lose money, unless they need to. And they are starting to need to.

Let the MS Bashing begin! (0)

Anonymous Coward | more than 9 years ago | (#13304189)

I mean, how DARE they release a fix for a security hole BEFORE it's exploited.

Tom

Why is this surprising? (3, Interesting)

SkiifGeek (702936) | more than 9 years ago | (#13304200)

The recent article on the front page here (2 down at the moment), talks about vulnerabilities linked to MS05-038 being in the wild in mid July (actually quite a bit earlier, but we will give them the benefit of the doubt). There have been a number of minor exploits in existence for at least a month and a half with respect to some image handling capabilities through IE (also MS05-038).

Security-Protocols claimed to have discovered the vulnerability linked to MS05-041, and there were some minor claims that other people had been able to make it into exploits which weren't widespread.

I initially thought that the Plug and Play vulnerability was linked to a report on an overflow with respect to handling USB devices (which has also been reported), but it seems to be much worse.

I am fully aware of the reasons why companies EOL their software, but Microsoft's cessation of mainstream support for Win 2000 might be coming back to bite them, given that Win 2000 is just as vulnerable to these exploits as Win XP and 2003, if not more so.

Re:Why is this surprising? (0)

Anonymous Coward | more than 9 years ago | (#13304230)

I am fully aware of the reasons why companies EOL their software, but Microsoft's cessation of mainstream support for Win 2000 might be coming back to bite them, given that Win 2000 is just as vulnerable to these exploits as Win XP and 2003, if not more so.

You know that Microsoft will still provide security fixes for win2000 for 5 more years, right?

Numbnuts.

Of course...this is NAN (0, Offtopic)

iyerns (906870) | more than 9 years ago | (#13304207)

Of course... This is NAN (Not A News). You can always expect this with MS!

Aren't they always critical? (1)

TheOtherAgentM (700696) | more than 9 years ago | (#13304210)

I think once in the past three years I've seen one month without an update that was critical. Also, the way I've seen it, is that you have three to six months before the vulnerabilities are widely attacked. There are always people that are quicker on the ball, but three to six months is a good range before every other website is taking advantage of these vulnerabilities from what I've seen.

Everything... (0)

Anonymous Coward | more than 9 years ago | (#13304220)

...is OK in here, Bob!* (heard from a little voice in my Mac).

* Remember that .com ad with a fish talking to its owner?

Unless I'm mis-reading this... (4, Insightful)

goldspider (445116) | more than 9 years ago | (#13304227)

...Microsoft patched the holes BEFORE the exploits started circulating?

If that's the case, what's the problem?

Re:Unless I'm mis-reading this... (1)

pete6677 (681676) | more than 9 years ago | (#13304263)

The millions of users who don't patch are the problem. Sometimes these exploits turn their computers into zombies that send spam or spread viruses, making them other peoples' problems as well.

Re:Unless I'm mis-reading this... (0)

Anonymous Coward | more than 9 years ago | (#13304265)

One word: Slammer.

Re:Unless I'm mis-reading this... (1)

afree87 (102803) | more than 9 years ago | (#13304281)

Not everyone auto-updates and reboots right when the patch comes out. Some people might even ignore the Windows Update icon for weeks at a time, or tell it to stop bothering them.

Re:Unless I'm mis-reading this... (1)

dreamer-of-rules (794070) | more than 9 years ago | (#13305069)

It's very easy to ignore. Just a tiny blue ball at the very bottom right.. and is auto-hidden half the time. It's taken months to train my coworkers how to check for updates.

Apple actually opens a window *gasp* and gets in your face about updating. That, and that most Mac users I know trust Apple updates (except for iTunes updates, which "always" tighten DRM).

Re:Unless I'm mis-reading this... (1)

crlove (857212) | more than 9 years ago | (#13304298)

The problem is that most people don't patch their systems.

Seems to me Microsoft almost always has a patch before the exploits go around.

I keep my system updated and turn on the firewall in XP, and I've never had a security issue with my machine.

Re:Unless I'm mis-reading this... (1)

crlove (857212) | more than 9 years ago | (#13304315)

Well color me Redundant. Apparently I'm a slow typer.

Re:Unless I'm mis-reading this... (1)

RPoet (20693) | more than 9 years ago | (#13304319)

The problem is that most people don't patch their systems.

These days, people run expensive (in both the monetary and computational senses) "virus" scanners instead of updating their systems. Ideally, if you have an up-to-date system, there are no holes for worms to exploit, so you don't need worm protection. Right?

Re:Unless I'm mis-reading this... (1)

crlove (857212) | more than 9 years ago | (#13304332)

if you have an up-to-date system...you don't need worm protection

Well, I'm sure some would argue that. But it's always been my philosophy, and it's always worked for me.

Re:Unless I'm mis-reading this... (4, Insightful)

Espectr0 (577637) | more than 9 years ago | (#13304444)

Simple. It is known that exploits are made after MS releases the patch, by reverse engineering them. Since 90% of the people are stupid and don't patch their systems (I made this up) then these people get hit.

My rant is not against MS. It's against people (supposedly people with knowledge) who don't take the time to update their systems. SP2 actually improved this by trying to push the updates down the user's throats.

Re:Unless I'm mis-reading this... (1)

bill_mcgonigle (4333) | more than 9 years ago | (#13304857)

My rant is not against MS. It's against people (supposedly people with knowledge) don't take the time to update their systems.

Until recently, they haven't really had to. They should have, but the zombie nets are relatively recent developments.

I wonder how many people burned out their Model T engines because they didn't understand they had to change the oil.

Begin the Slashdot chant... (0, Troll)

bigtallmofo (695287) | more than 9 years ago | (#13304231)

Microsoft is disappointed that certain security researchers have breached the commonly accepted industry practice of withholding vulnerability data so close to update release and have published exploit code

I can already hear the Slashdot chant of how security researchers have every right to release exploit code usable by script-kiddies whenever they want. I can't wait until the Internet culture is such that just because you can do something doesn't make it right.

Re:Begin the Slashdot chant... (1)

spot35 (644375) | more than 9 years ago | (#13304542)

not entirely sure why this is a troll.

I can take a gun and shoot someone now just because someone made a gun available to me, but that doesn't make it right. I can release an exploit to software to disrupt many people's lives because someone told me how to do it, but that doesn't make it right.

Just because it's on t'interweb doesn't change the rules of morality and ethics, right and wrong.

Re:Begin the Slashdot chant... (1)

ggzeama (886517) | more than 9 years ago | (#13304556)

Back in old days, it was like that. Since commercial companies stormed in, the culture has changed: it has become the common culture (=avg(all the people that are using it)); the equation was the same, but since only *.edu people had access ...

Re:Begin the Slashdot chant... (1)

Lifewish (724999) | more than 9 years ago | (#13304851)

They do have every right, legally speaking. It's not a feature of Slashdot or internet culture, it's a feature of the American style of government. Ethically speaking, most security researchers disclose responsibly anyway - they give the company a month or so to fix the problem before telling the world. I, and probably most slashdotters, would agree that telling world+wife before the company producing the software has had a fair bash at the problem is a little off, if only because a lot of us know what it's like to be in the company's position.

In fact, it's essential to have a healthy population of security researchers finding flaws and (eventually) making them public, because it stops companies sitting on their arses [computerworld.com] for months or otherwise playing silly buggers [com.com]

no Windows for me anymore (0)

Anonymous Coward | more than 9 years ago | (#13304250)

I've been a devoted Windows user for many years but I am so fed up with patching Microsoft's crappy code and having to run several antivirus and antispyware programs at any given time. Instead of hiring more developers Microsoft is using us as unpaid guinea pigs to chase bugs and exposing us to script kiddies breaking into our machines. This is an endless rat race. At the same time they are hyping Windows security with sponsored "independent" studies and trashing Linux with brewed up FUD. I am sick and tired of this bullshit. I've backed up my data and I am burning my first Linux install disk. If I like it I'll be using Linux from now on.

Well give and take credit from Microsoft (1)

binderhead126 (809883) | more than 9 years ago | (#13304273)

On one hand, things like this are very serious, and at least they are fixing the issue. The problem is that while many businesses continue to use Win2K, Microsoft, in my opinion, has shifted its focus to WinXP or 2003, yet critical fixes are still needed for 2K. Personally, the software curse is in effect here: once you produce something, you have to support it forever. Microsoft has a nice history of dumping products, or "ending support" as they call it.

Re:Well give and take credit from Microsoft (2, Insightful)

toddbu (748790) | more than 9 years ago | (#13304375)

It's exactly this kind of argument that people need to make to their bosses when talking about using open source software. Your company should decide when the life of a piece of software is over, and they can make this decision on factors like "Do I want to patch this or install a new version?" And because some vulnerable software like IIS is built right in, you can't just upgrade that one piece if the vendor decides they'll no longer fix it for your platform.

Microsoft's biggest problem really is all this integration that they do when it doesn't need to be done. Yes, it's nice that I can click on a link in an email and open a document in my browser. That's a good use of integration. But when much of the system depends on a couple of dlls that can't be upgraded without changing the whole system then that's not good at all. I think that there's a huge appeal to the F/OSS model and decoupling of software when it comes to this kind of thing.

Re:Well give and take credit from Microsoft (1)

pointbeing (701902) | more than 9 years ago | (#13304432)

On one hand, things like this are very serious, and at least they are fixing the issue. The problem is that while many businesses continue to use Win2K, Microsoft, in my opinion, has shifted its focus to WinXP or 2003, yet critical fixes are still needed for 2K. Personally, the software curse is in effect here: once you produce something, you have to support it forever. Microsoft has a nice history of dumping products, or "ending support" as they call it.

I believe MS is discontinuing patch support for Win2k on March 31, 2010. MS is in business to make a profit, not to cater to more altruistic motives. Windows NT 4.0 patch support lasted for *eight* years.

So - what other software company is still patching an eight-year-old OS? Sun? IBM? SCO? Novell? Apple?

And Linux doesn't?!?!? (0)

Anonymous Coward | more than 9 years ago | (#13304623)

Red Hat ends support for OSes that are only 12 months old! Some distros won't update anything > 6 months old! Linux is THE WORST for long term support.

And Apple has dumped more products cold than Microsoft ever has.

Microsoft has actually been quite good on this in the PC arena.

Re:And Linux doesn't?!?!? (2, Informative)

chez69 (135760) | more than 9 years ago | (#13304822)

The enterprise versions are supported for 3 years. Fedora is just a testbed; most of the folks that use it (including me) realize this.

If you want long term support, buy something that has it.

Scanner? (5, Funny)

Fear the Clam (230933) | more than 9 years ago | (#13304312)

"...eEye security, which has released a free scanner to help network admins identify vulnerable computers.

What, the Windows startup screen wasn't sufficient to identify vulnerable computers?

Re:Scanner? (0)

Anonymous Coward | more than 9 years ago | (#13304897)

Source code has been leaked :

#include <stdio.h>   /* printf */
#include <stdlib.h>  /* EXIT_SUCCESS */

int main(int argc, char *argv[])
{
    (void)argc; (void)argv;   /* unused */

    /* The joke "scanner": the only check is whether the binary was built for
     * Windows. _WIN32 is the compiler-defined macro; WIN32 is kept for builds
     * that define it via project settings or windows.h. */
#if defined(_WIN32) || defined(WIN32)
    printf("You are vulnerable\n");
#else
    printf("You are safe\n");
#endif

    return EXIT_SUCCESS;
}

Re:Scanner? (1)

wgray8231 (905984) | more than 9 years ago | (#13304980)

"What, the Windows startup screen wasn't sufficient to identify vulnerable computers?"

Apparently, this isn't obvious enough for the IT community at large. Many of them still consider Winblows to be top-notch.

In other news... (2, Insightful)

Anonymous Coward | more than 9 years ago | (#13304356)

Hundreds of vulnerabilities discovered in Linux since the release of a distro:

http://www.mandriva.com/security/advisories?dis=10.1 [mandriva.com]

But of course, that's not newsworthy because it doesn't involve hating Microsoft. This ain't a troll; it's an attempt to show that BOTH systems have pretty lame security track records, yet all we hear about is Windows.

Look at that list above. Given 300 million clueless users running that Mandrake instead of Windows, don't you think there'd be exploits for that plethora of holes too?

Re:In other news... (1)

Zunni (565203) | more than 9 years ago | (#13304477)

It's not sexy to make Linux look bad... And even if you do the zealots will simply fire back "What do you want, it's free..."

Re:In other news... (2, Insightful)

BabyDave (575083) | more than 9 years ago | (#13304581)

Hundreds of vulnerabilities discovered in Linux since the release of a distro:
Of course, Windows doesn't come with the hundreds (thousands?) of applications that Mandriva does, and so it's a bit unfair to compare the Mandriva security advisory list (which includes fixes for MySQL, Apache, Perl, Mozilla, Vi, etc etc) to the Windows list.

Here's some news for you, chum. (3, Informative)

Anti-Trend (857000) | more than 9 years ago | (#13304859)

First of all, Linux distros support every package on the system, not just the core files like MS Update. That means perl, MySQL, apache, even the modules for apache. Everything. With that in mind, compare the Secunia security reports for Mandrake 10.0 [secunia.com] and Windows XP Pro 10.0 [secunia.com], which hit the market at about the same time. Have a look at the number of unpatched vulnerabilities in both and see if you can still come to the same conclusions. Sheesh!

Just Upgrade (0, Troll)

Sinju (907042) | more than 9 years ago | (#13304386)

It isn't all that expensive anymore just to get an upgrade to Windows XP and voilà, problem solved, well for w2k anyways. And w2k is way out of date by computer standards. In about 3 months stuff is out of date in computer standards, so 5 years?!?!?! A much better upgrade would be just go with Linux. More security all around.

Re:Just Upgrade (1)

Yo_mama (72429) | more than 9 years ago | (#13304443)

It isn't all that expensive anymore just to get an upgrade to Windows XP

Maybe not for one machine, but how about for 500, 1,000, or 10,000?

Re:Just Upgrade (3, Insightful)

Skruffy42 (903020) | more than 9 years ago | (#13304448)

I still have people using 75Mhz machines with windows 95, and most of my users are running 2000. We don't need to or have the budget to upgrade everyone to a new box with XP on it just so they can use word/excel, and email each other porn.

Re:Just Upgrade (1)

Sinju (907042) | more than 9 years ago | (#13304503)

Yes, well, what about Linux then? It is definitely an upgrade that is affordable if you have the time. And if you get the right Linux it will run on just about any machine and has more security for sure.

Re:Just Upgrade (2, Insightful)

Tourney3p0 (772619) | more than 9 years ago | (#13304796)

How exactly is Windows 2000 "out of date" by any standard except the date it was released? Windows XP is horrid compared to Windows 2000. Very few people I know have "upgraded" to Windows XP from Windows 2000. It's easier and cheaper to open the case and remove a stick of ram. Install a Yoshi's Island skin, and you have instant 2000->XP upgrade. Mentalities such as yours are why you need a 3 Ghz P4 and 512 MB of RAM just to open Microsoft Word in less than 30 seconds.

Re:Just Upgrade (1)

Sinju (907042) | more than 9 years ago | (#13304930)

Windows 2000 doesn't have as much security as XP for one. And the only time I do use Windows is to play games because Linux as of yet does not have many major game creators. And I don't like Intel either ;). I use a dual-core AMD and 2 gigs of Corsair XMS Speed Series RAM. Which goes to a whole subject altogether... If you want to be more productive when you are working it tends to help to have a fast computer to process all the information or render a 3D object. It is a major time saver.

Exploits circulate after bug report (1)

91degrees (207121) | more than 9 years ago | (#13304471)

The exploits appeared not to exist before they were reported and announced. Now they do. This is not such a problem, since there is a patch available.

However, it does make me suspicious of the dogma of some white hat hackers, that black hats may already know about vulnerabilities so there's no reason not to give full exposure.

nessus plugins available (3, Informative)

sgt scrub (869860) | more than 9 years ago | (#13304475)

If you need to test the machines on your network Nessus http://nessus.org/ [nessus.org] has released plugins.

Re:nessus plugins available (2, Informative)

ninja_assault_kitten (883141) | more than 9 years ago | (#13305052)

Yes, and you have to be a direct feed user to get them. At least for the next several days.

Win 98 (0)

Anonymous Coward | more than 9 years ago | (#13304491)

Yes my Windows 98 Second Edition PC is not affected ;) This has to be a first...yes/no???

Exploiting the Exploit (2, Interesting)

Anonymous Coward | more than 9 years ago | (#13304637)

The company distributing this requires you to provide personal information just to pick up a small scanner which is entirely unnecessary. The purpose, it seems, behind distributing these little tools is to collect this information for sale and for use in sales.

I would recommend that users stop using slashdot.org as a way to distribute pointless software in an attempt to collect free user data.

Re:Exploiting the Exploit (1)

ninja_assault_kitten (883141) | more than 9 years ago | (#13305101)

Uhm, you are truly a master of the obvious. Why else would they give it away for free?

And how is it unnecessary? I suppose you'd prefer the next least expensive alternative, paying $1200 for a Nessus direct feed license to get the plugin right now?

Sort of Offtopic but... (0)

Anonymous Coward | more than 9 years ago | (#13304649)

eEye is hands down the most retarded name I've ever heard in my life.

steps ahead (4, Funny)

fihzy (214410) | more than 9 years ago | (#13304745)

Once again: (original at http://slashdot.org/comments.pl?sid=71367&cid=6457101 [slashdot.org] )

10) find big remote vulnerability in product
20) perfect the exploit
30) have fun with it for months
40) find another big hole in same product
50) perfect exploit for hole
60) alert vendor about original hole
70) have fun with new hole
80) goto 40

living in stone age? (0, Redundant)

Liveandletlive (841246) | more than 9 years ago | (#13304782)

Oh! People still use windows 2000?

OB Pun (1)

chooks (71012) | more than 9 years ago | (#13305060)

So would their scanner software be called eEye eEye 0?
