Beta

Slashdot: News for Nerds

×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Windows .ANI Problem Surfaced Two Years Ago

Zonk posted more than 7 years ago | from the about-twenty-times-longer-than-firefly's-run dept.

Microsoft 110

An anonymous reader writes "There's a new twist to the tale of Windows .ANI exploit, that's been in the news all week (including when a spam campaign used the teaser of nude Britney Spears pictures to lure people to malicious sites). InformationWeek reports the Windows .ANI bug at issue first surfaced — and was patched — two years ago, in early 2005. 'If they had simply looked for other references for the same piece of code when they originally dealt with it a few years ago, they would have found this and patched it in 2005,' says Craig Schmugar of McAfee. 'It would have saved a whole lot of people a lot of time, money and effort.' Microsoft claims this .ANI vulnerability is different from the old, but beyond that they're not talking."

cancel ×

110 comments

1st post! (-1, Offtopic)

Anonymous Coward | more than 7 years ago | (#18640105)

1st post!

Attn. Linux Users: (-1, Troll)

Anonymous Coward | more than 7 years ago | (#18640125)

Q: Why does 'Open Source' software suck so bad?
A: Because the programmers can't see the screen [ukdirtypanties.com]

lol

Typical Linux User. [ukdirtypanties.com]

Re:Attn. Linux Users: (0)

Anonymous Coward | more than 7 years ago | (#18641567)

You should submit that site to Something Awful as an ALOD

Re:Attn. Linux Users: (-1, Troll)

Anonymous Coward | more than 7 years ago | (#18644919)

Hey Bill! Why are you showing us your underwear?

Also, if that is a Linux user then why is Windows on the screen? Actually you give a great insight in to the type of person you are just by showing us the site you visit. Does mommy know you look at those sites? Now go to bed because you have to get up and sign on the dole tomorrow then come back to mommy for your 47th birthday!

Typical Microsofty dickhead! What the fuck has this got to do with Linux! Linux does not use .ani files!

omgwtflol (-1)

Anonymous Coward | more than 7 years ago | (#18640127)

Rendering animated icons => remote code execution => omgwtflol

How is that a lure? (4, Funny)

kypper (446750) | more than 7 years ago | (#18640145)

when a spam campaign used the teaser of nude Britney Spears pictures to lure people to malicious sites

Talk about an anti-virus.
If all attempts to hijack my machine involved using her as a lure, I'd uninstall AVP in a heartbeat; you couldn't pay me to see her nude.

Re:How is that a lure? (-1, Troll)

Anonymous Coward | more than 7 years ago | (#18640297)

you couldn't pay me to see her nude.

Admit it. When some photographer took pictures of her post-pregnancy snatch, you were all over it.

Re:How is that a lure? (-1, Troll)

Anonymous Coward | more than 7 years ago | (#18640513)

She had a sea-section, so the fact that it was post-pregnancy was somewhat irrelevant, as my fist can attest.

Yes, I know it's spelled "C-section" but what you fuckers don't remember is that Spears is a mermaiden.

Re:How is that a lure? (5, Funny)

Lehk228 (705449) | more than 7 years ago | (#18641785)

no she's not a mermaiden, if anything she is closer to being a submarine, huge and full of sea men

Re:How is that a lure? (1)

TriZz (941893) | more than 7 years ago | (#18641573)

...you know how I know you're gay?

Bill O'Reilly: Carnie Person +1, Informative (-1, Offtopic)

Anonymous Coward | more than 7 years ago | (#18640555)


Here is proof that Bill O'Reilly is a Piece of Babbline Protoplasm As Is John McCain, BushCo Candidate For Prezeedent [youtube.com] .

I hope this helps the conversation in the brain-dead United Gulags of America.

I have Bush_Cheney_Rice_Rove_Rumsfeld-free weekend!!!

Regards,
K. Trout, Patriot

Re:Bill O'Reilly: Carnie Person +1, Informative (-1, Troll)

Anonymous Coward | more than 7 years ago | (#18641055)

O'Reilly is absolutely insane.

And a Nazi.

Every time an illegal immigrant commits a crime, some how it "means" more than if a non-illegal does it. This is fascism. People are not debating immigration on the merits, they're trying to spread hatred. Even O'Reilly's strongest supporters should, if they have any decency, be condemning this kind of witchhunt.

But they will not. Because they're fuck-heads. You don't get to be a fan of O'Reilly and have any morals whatsoever. As long as you can find a reason to hate, that guy will sooth you and ensure you don't feel too bad about hating. He's the get-out-of-jail-free card for the lynch-mobs.

It says a great deal he can make Geraldo look decent.

Re:Bill O'Reilly: Carnie Person +1, Informative (1)

got2liv4him (966133) | more than 7 years ago | (#18642945)

is it just me, or are you what you seem to hate?

Re:Bill O'Reilly: Carnie Person +1, Informative (0)

Anonymous Coward | more than 7 years ago | (#18646583)

I dislike individual people who do bad things, not groups of people who happen to have a mix of good and bad people.

If I hated Bill O'Reilly because he was white, or Irish, or American, or some other arbitrary criteria that has nothing to do with his background, then you might be on to something. Moreover, if I promoted hatred against Americans, whites, or the Irish, by pretending that his actions were somehow indicative of the associated group, then you would have a point. But I don't.

O'Reilly isn't criticising a drunk driver. He's spreading hate against an entire group of people, the vast majority of whom have never done anything evil beyond crossing a border and doing a job the natives didn't want to do. He is evil.

Re:How is that a lure? (1, Funny)

Lehk228 (705449) | more than 7 years ago | (#18640615)

what does alien v. predator have to do with this?

Re:How is that a lure? (1)

yurnotsoeviltwin (891389) | more than 7 years ago | (#18643037)

I'm really hesitant to click that link because I feel like it would be totally in-character for /. editors to point a link entitled anything like "nude Britney Spears pictures" to an actual virus, just for kicks.

Re:How is that a lure? (0)

Anonymous Coward | more than 7 years ago | (#18643473)

Well, it's not like the editors could actually get infected by a virus. They all run Macs.

Strange... (4, Funny)

creimer (824291) | more than 7 years ago | (#18640209)

The last time I saw an ANSI bug was during my days as a BBS Sysop years ago!

Re:Strange... (3, Informative)

morgan_greywolf (835522) | more than 7 years ago | (#18640309)

The last time I saw an ANSI bug was during my days as a BBS Sysop years ago!


Actually, the ANSI sequence 'viruses' (which were done by remapping keyboard keys to macro sequences which then executed commands) are just another form of terminal sequence attack that was quite popular a few years back when many people were still using terminal-oriented mail readers like pine, elm and mutt. These were the good ol' days when ISPs passed out shell accounts for reading mail and such. It forced Linux distros to shore up their termcap files and such.

MOD PARENT REDUNDANT (-1, Redundant)

Anonymous Coward | more than 7 years ago | (#18641927)

http://it.slashdot.org/comments.pl?sid=229105&cid= 18576121 [slashdot.org]

Do you recycle all your jokes?

Re:MOD PARENT REDUNDANT (1)

creimer (824291) | more than 7 years ago | (#18643157)

This is Slashdot! Dupes abound, stories recycled, and anonymous cowards nitpick!

a-HA! (1)

SeaFox (739806) | more than 7 years ago | (#18640225)

InformationWeek reports the Windows .ANI bug at issue first surfaced -- and was patched -- two years ago, in early 2005....
Microsoft claims this .ANI vulnerability is different from the old, but beyond that they're not talking."

So now we can say that Windows actually had twice as many ANI bugs as we originally thought and Microsoft admitted so themselves.

Take a break (-1, Offtopic)

Anonymous Coward | more than 7 years ago | (#18640229)

Zonk - buddy - you came on around 2 am and it's almost 10am and you seem to be in a rut with the MS stories. Take the rest of the day off and fill it with a long nap...for my sake, please? :)

Cut it out (4, Funny)

symbolset (646467) | more than 7 years ago | (#18640407)

Steve, leave the slashdot editors alone. If you need to blow off steam, go throw a chair or something.

Just offer a fair trade (0)

Anonymous Coward | more than 7 years ago | (#18640251)

You know, I figure if they would just really deliver the nude pics of Britney Spears, plenty of people would gladly sign up to allow their machine to be used as part of a distributed computing project in return. A win-win zombie bot network via opt-in bribery.

Wouldn't that be (4, Funny)

eviloverlordx (99809) | more than 7 years ago | (#18640257)

an .ANL exploit?

Re:Wouldn't that be (5, Funny)

EmbeddedJanitor (597831) | more than 7 years ago | (#18640347)

No, it's a back door.

Re:Wouldn't that be (0)

Anonymous Coward | more than 7 years ago | (#18640443)

lol zunes

Oblig. (1)

iluvcapra (782887) | more than 7 years ago | (#18641417)

Hello, Mr. Potato Head! Back doors are not secrets!

Well (1, Flamebait)

El Lobo (994537) | more than 7 years ago | (#18640265)

Well Einstein... Fixing one bug doesn't mean that you will re-visit the whole thing... Even the simplest code in Windowss is part of the BIG SYSTEM, with any component interacts with others . And this is a very complex system. Nobody does as he says. Fopr example, patching a problem with the Linuzzzz kernel doesn't mean that it's patched forever... Nobody can predict that some other problems will raise even with the newly patched code... Oh yes, another thing... MacAfee is the perfect software, I forgot...

Nothing to see here.. (1)

madsheep (984404) | more than 7 years ago | (#18640295)

This has been written about multiple times in multiple places. Not to mention this was already referenced in the article from the Slashdot posting a few days ago. Keep it moving...

This ANI exploit is different! (5, Funny)

andrewd18 (989408) | more than 7 years ago | (#18640329)

Microsoft claims this .ANI vulnerability is different from the old, but beyond that they're not talking.

Of course this .ANI exploit is different... the one that came out in 2005 didn't affect Vista!

Re:This ANI exploit is different! (0)

Anonymous Coward | more than 7 years ago | (#18642657)

I bet that was "ANY exploit is different."

Re:This ANI exploit is different! (0)

Anonymous Coward | more than 7 years ago | (#18645135)

You are absolutely correct, it is a completely different exploit. The reason I believe this is because, as Microsoft fanboys keep spouting, Microsoft dumped the 'XP' code and started again when building Vista. Surely if they dumped old code an old vulnerability wouldn't exist?

Incompetent Liars (5, Insightful)

Jeremy_Bee (1064620) | more than 7 years ago | (#18640491)

The thing that bugs me the most about these kinds of issues is the reporting of them in the media.

If you read the slashdot summary (or even the whole first page of the article), you get the impression that some people think the bug is pretty much the same thing as the 2005 one and that Microsoft disagrees. The story is structured like a "He said, she said," kind of thing and no one is painted as right or wrong. If you *do* manage to make it to the second page of the article however, you find out that several very respected security professionals and security companies present detailed compelling evidence to the effect that Microsoft is both incompetent and disingenuous in their opinion on this bug.

It is the same bug (essentially) reported in 2005, and it should have been caught in a matter of hours or even minutes after the 2005 bug was initially reported to them. This by reason of Microsoft's own self-stated bug hunting and code modification procedures.

The conclusion is absolutely inescapable that Microsoft completely failed to follow their own basic rules of coding and security auditing here. They also are lying or at the very least splitting hairs about it being a "separate issue," and they seem to be deliberately trying to pull the wool over peoples eyes about it. Yet this story has been reported around the web as a kind of "maybe McAfee is right, or maybe Microsoft is right," thing for the most part??? Why?

On top of all of that, this is yet another (of about three instances I have found so far), where it's clear that Vista is not "all new code" as MS likes to maintain it is. It seems like this bug occurred because the same old *.ani code from the previous versions of MS Windows was included in Vista with literally no oversight and no checking.

Why do people buy products from these people again?
And why do they always seem get the benefit of the doubt in the media?

Re:Incompetent Liars (2, Insightful)

Watson Ladd (955755) | more than 7 years ago | (#18640825)

To answer the first question: API lock-in. A lot of strange hardware is windows-only, and the same with a lot of software. Microsoft might have horrible API's, but people use them to appeal to the Windows market, and so increase its size. Look at COM vs. Objective-C. The answer to the second question is because of the fear of a libel suit. You said the bug occurred because Microsoft didn't check it. Far more likely is they checked it incompetently. The difference is the difference between libel and truth. Actually, I might still be vulnerable to a lawsuit.

Re:Incompetent Liars (1)

networkBoy (774728) | more than 7 years ago | (#18643043)

Do you have an honest belief that what you have stated is true?
If so there is no slander or libel. (A court ordered apology and forced publication of a correction in the same media that the initial comment was made may still be required, however).
-nB

Re:Incompetent Liars (0)

Anonymous Coward | more than 7 years ago | (#18640875)

I don't disagree with you about MS,... but I think one might also consider the possibility that the "security" software folks are trying to show that the average user will continue to benefit from their software,... even if MS says they've improved their lockdown in Vista. So, the "commentators" may not be totally disinterested bystanders. [ as some one I knew once said (jokingly), "I'm not prejudice,... I hate everyone." ]

regards,
devout coward

Re:Incompetent Liars (3, Interesting)

garobat (804835) | more than 7 years ago | (#18641211)

On top of all of that, this is yet another (of about three instances I have found so far), where it's clear that Vista is not "all new code" as MS likes to maintain it is. It seems like this bug occurred because the same old *.ani code from the previous versions of MS Windows was included in Vista with literally no oversight and no checking.


Well, considering the mount of dialog boxes kept unchanged from XP and all, it seems pretty obvious that Vista is not "all new code". And what would be the point, as long as core component are rewritten, why would they redo the whole gui code?

Re:Incompetent Liars (1, Offtopic)

mypalmike (454265) | more than 7 years ago | (#18641319)

I'm not using Vista, and I'm writing this on my Debian box. But this is ridiculous.

It is the same bug (essentially) reported in 2005, and it should have been caught in a matter of hours or even minutes after the 2005 bug was initially reported to them.

Do you write code? It sounds like some copy-and-paste code had a bug in it, and they didn't catch both places. They probably should have caught it, but they didn't. If they are incompetent merely because they have code that is exploitable by stack overflows, then every OS and most network applications out there are the result of incompetence. There is no software development process that will guarantee every potential exploit will be caught.

On top of all of that, this is yet another (of about three instances I have found so far), where it's clear that Vista is not "all new code" as MS likes to maintain it is.

Got a reference to back that up? Anywhere that a MS spokesperson has stated that Vista is "all new code"?

Re:Incompetent Liars (1)

Splab (574204) | more than 7 years ago | (#18641517)

Or perhaps the issue was fixed in a branch, but for some reason never got committed to the main trunk(s).

Re:Incompetent Liars (2, Insightful)

Tanuki64 (989726) | more than 7 years ago | (#18641879)

Do you write code? It sounds like some copy-and-paste code had a bug in it, and they didn't catch both places.
I do write code. And copy-and-paste code is always a sure sign of an incompetent coder.

Re:Incompetent Liars (4, Insightful)

Bodrius (191265) | more than 7 years ago | (#18642769)

Really? I write code for a living too, and a categorical statement of the form "doing X is ALWAYS a sign of an incompetent coder"... always seems to me, at best, a sign of an unexperienced coder. Either that, or an extremely lucky one.

I'll just assume your case is the latter :-)

Sure, copy-and-paste duplication should be avoided where possible, along with gotos, reinventing the wheel, long complicated functions, lack of type safety, etc.
Also, all code should really be a perfect and pristine example of elegance and modularity. Bug-free is even better!

Reality bites, though.

Unless we're talking of brand-new projects of a small size, I find it really hard to believe that comminiting to 0% copy-and-paste-code is a practical proposition.

For a non-trivial product with some legacy, copy-and-paste is often the best among various non-optimal choices.

- Do you really want to tightly couple these two unrelated components because you want to use those 5 lines of code?
- Can you afford to carry over all of the dependencies on that library or class?
- Or can you afford the refactoring to avoid those dependencies? How many new components (which were not changing before) do you need to retest now that you pulled the code out?
- Can you afford to lose that development and testing time on other features that you need for RTM?

    That's not to mention the almost-guaranteed design time discussing where that re-usable code should move to in the first place... and do we need to change it to make it more generic? Do we need to ship all the refactored components with no functionality change? etc. etc.

I agree with the sentiment: Copy-and-paste duplication sucks, and should be avoided wherever possible.

But honestly, if you can ALWAYS say that avoiding copy-and-paste at all costs is the right decision for your product, for your team, and for yourself... I don't know whether to envy you, or to fear you.

Re:Incompetent Liars (1)

Belial6 (794905) | more than 7 years ago | (#18643437)

Here here! I know, I just copied and pasted an entire application's code. I then did modifications to the code. Why? Because even though I would have loved to have spent the next 6 month rewriting the application from scratch, a different department needed 98% identical functionality; and my boss was not going to authorize 1040 hours of work to maintain best case scenario coding practices when we could roll the copied code out in 24 hours of work. And to keep from doing a copy and paste, we would have had to rewrite from scratch, or spend 12 month sorting through what could and could not be pulled without rewriting.

On the plus side, it really is great working for a manager that actually does understand the ramifications of writing bad code for political reasons, and that can be trusted when he makes that decision. This is particularly good when he also understands that spending extra time now to write good reusable code will save time and money later, and is willing to make sure that the time is made available when the corporate politics allows it.

Re:Incompetent Liars (1)

Tanuki64 (989726) | more than 7 years ago | (#18644673)

On the plus side, it really is great working for a manager that actually does understand the ramifications of writing bad code for political reasons, and that can be trusted when he makes that decision. This is particularly good when he also understands that spending extra time now to write good reusable code will save time and money later, and is willing to make sure that the time is made available when the corporate politics allows it.
Do you really know such a manager? My experience with manager is that they pretend to understand, encourage you to ignore good coding practices for a quick, but dirty solution, but if the s***t really hits the fan because of those decisions, they cannot remember any of it and you stand there as an incompetent idiot.

Re:Incompetent Liars (1)

Belial6 (794905) | more than 7 years ago | (#18646321)

Surprisingly enough, Yes, I do. He pads most projects with most projects with a little bit of extra time specifically for the purpose of writing good reusable code. When he asks for bad code, it truly seems to be only when we are looking at a huge cost savings, like the 1040 hours vs 24 hours, or for political reasons, really important software must be is faced with the option of, write it faster than good coding practices will allow, or it doesn't get written at all.

His trust in us has really paid off though. It took about 3 years, but we can now code new applications with more features, less bugs, and greater configurability in about 65% of the time we used to write software. The great part about this is that he gets to budget less time, AND pad the projects with time for us to improve on our reusable code base.

I feel like a suck up when I rave about him, but after working for so many bad managers, it is a breath of fresh air. To work for someone that really gets it. Of course the rest of the company is still a Dilbert nightmare, but he shields us from the vast majority of that.

Re:Incompetent Liars (1)

Tanuki64 (989726) | more than 7 years ago | (#18647205)

In that case I really envy you. Of course, my initial post was very much black and white. If you really can trust your project manager, and you really know the rules, then you also know when you can bend them.

However, he majority of project managers is incompetent. 90% of those I know got their position because they were loud mouthed, brown nosing morons, which where unable to write reliable code or perform well with whatever job the initially had. One department is really glad to get rid of them, the other does not know, what they can expect and the moron gets promoted.

But even if you have one of the 10%, be careful. You never know, when he finds something better paid and leaves. His successor might not know or want not to know, what was only an agreed on quick hack/compromise and therefore was expected to be a bit brittle or that there was such an agreement at all.

Re:Incompetent Liars (1)

Tanuki64 (989726) | more than 7 years ago | (#18644297)

always seems to me, at best, a sign of an unexperienced coder. Either that, or an extremely lucky one.
You forgot the third possibility: An experienced coder, who was responsible for such a design flaw himself and was seriously bitten by it.

Unless we're talking of brand-new projects of a small size, I find it really hard to believe that comminiting to 0% copy-and-paste-code is a practical proposition.
On the contrary, I'd say in a small project you can get away with code duplication. And there is nothing wrong with copy-and-paste code per se, it just has to be removed in a following refactoring step.

- Do you really want to tightly couple these two unrelated components because you want to use those 5 lines of code?
There are many ways to avoid code duplication. If the method you choose makes you worry because of coupling, choose another. Btw. I don't know how many lines were wrong in the M$ code, but it must be enough to contain a serious bug.

- Can you afford to carry over all of the dependencies on that library or class?
Or an inline function, or a namespace with non-member functions, or.... See point above.

- Or can you afford the refactoring to avoid those dependencies? How many new components (which were not changing before) do you need to retest now that you pulled the code out? - Can you afford to lose that development and testing time on other features that you need for RTM?
Here you are on to something really true. It does not need to be the fault of a coder. Given the right type of idiot project leader/management you can reduce every developer to a bumbling code moron.

But honestly, if you can ALWAYS say that avoiding copy-and-paste at all costs is the right decision for your product, for your team, and for yourself... I don't know whether to envy you, or to fear you.
Code duplication has risks. You learn about the risks in almost each book about software engineering. Is it always the right decision to avoid it? I don't know, I don't know all possible scenarios. For M$ it was clearly the wrong decision not to avoid it in this case.

You see, it is not only the code duplication. Be it documentation, be it requirements engineering be it whatever. You always get reasons to take shortcuts. We don't have the time, we cannot afford this, we cannot afford that. It bites, sooner or later it bites.

Re:Incompetent Liars (1)

Bodrius (191265) | more than 7 years ago | (#18644865)

It seems you missed the point of the comment, so I'll just cut short to the argument we seem to agree on.
Which incidentally, was the whole point of the comment.

But honestly, if you can ALWAYS say that avoiding copy-and-paste at all costs is the right decision for your product, for your team, and for yourself... I don't know whether to envy you, or to fear you.


Code duplication has risks. You learn about the risks in almost each book about software engineering. Is it always the right decision to avoid it? I don't know, I don't know all possible scenarios.


That was the point: no developer can really claim X is ALWAYS the right/wrong decision.
The absolutism of the word I capitalized above (as in the previous reply) is what bothered me from the original claim.

Do you write code? It sounds like some copy-and-paste code had a bug in it, and they didn't catch both places.

I do write code. And copy-and-paste code is always a sure sign of an incompetent coder.


There is no such certainty in real world software engineering.
Not outside of academia, or some other ivory-tower universe where code is the goal per se rather than the means, and there are no risk / costs that customers have to pay for.

Every choice, both 'shortcuts' and 'optimal' solutions, have risks associated with them that can bite you sooner or later, and ignoring the risks of the latter can be as dangerous as ignoring the risks of the former. Evaluating such trade-offs is the substance of engineering after all, software or otherwise.

Re:Incompetent Liars (1)

Tanuki64 (989726) | more than 7 years ago | (#18644985)

That was the point: no developer can really claim X is ALWAYS the right/wrong decision.
.
.
.
There is no such certainty in real world software engineering.
I don't think I misunderstood you. But I think I made it not clear enough that I disagree. If you are a developer with no managerial functions, there is one decision, which is as close a ALWAYS right as a decision can come: Design as clean as you can. No shortcuts ever. If you think your code needs a refactoring, do it. If it means missing a schedule, so be it. The explanation is simple. If you miss a time frame, it is your fault AND the fault of your project leader. If you take a shortcut and your code superficially works, you just did your job, and your project leader gets a mention for his good work. When then the same code month later breaks or turns out buggy or inadequate, nobody remembers what you said before, what you wanted or deemed necessary. You suddenly are alone the one who has to take the blame, your reputation gets damaged.

Every choice, both 'shortcuts' and 'optimal' solutions, have risks associated with them that can bite you sooner or later, and ignoring the risks of the latter can be as dangerous as ignoring the risks of the former. Evaluating such trade-offs is the substance of engineering after all, software or otherwise.
This depends very much on your position in the developer hierarchy. I don't know anything about the hierarchies in the M$ development teams. In larger software companies the general design is usually done by a senior software engineer, the actual implementation details are handled by some low level coders. The .ani problem smells much like sloppy implementation by some junior.

So if I may summarise my statement: If you are a developer and don't get the time and resources to do a good job, you are f****d, if you think you help your company by rushing work, using shortcuts, accept half baked compromises, you are doubly f****d.

Re:Incompetent Liars (1)

Locutus (9039) | more than 7 years ago | (#18646305)

it didn't sound like copy-paste to me. The first bug( found Dec 2004 ) was a failure to validate one of the parameters of an Animated Mouse function and the invalid value of "0" could be exploited. What I read in the recent story is that the current bug is due to another parameter of the same function going unchecked and/or accepting invalid data. They used the term "header" in the story but I think they must have ment parameter since that was publicly stated as the problem with the 2004 instance of the bug.

So, here Microsoft was claiming that Windows 2000 was some rock solid and secure built-from-the-ground-up operating system, they declared something called "Trustworthy Computer Initiative", claim Windows XP is some rock solid and secure built-from-the-ground-up operating system. The do the same for Windows Vista and we've already seen that the WMF exploit was from code dating back to Windows 3.x and now we find that the monkeys at Microsoft can't even find a bug in the same program method/function as the one found in 2004. AND, now we are finding out that Microsoft knew of this recent bug in Dec of 2005 but didn't patch it for over 3 months while the previous bug was fixed/patched within 30 days. Me thinks that Microsoft didn't want the public knowing so soon after Vista shipped that an old mouse bug opens their "most secure operating system available" to attackers.

LoB

Re:Incompetent Liars (1)

Tanuki64 (989726) | more than 7 years ago | (#18646705)

it didn't sound like copy-paste to me. The first bug( found Dec 2004 ) was a failure to validate one of the parameters of an Animated Mouse function and the invalid value of "0" could be exploited. What I read in the recent story is that the current bug is due to another parameter of the same function going unchecked and/or accepting invalid data.
How many parameters does this function have? That's to say how many bugs we can expect in this one function in the future?

Re:Incompetent Liars (2, Insightful)

bendodge (998616) | more than 7 years ago | (#18641369)

Why do people buy products from these people again?
Because (overall) it just works, and has incredibly good hardware support.

It also is aesthetically pleasing. While there has been lots of effort put into making things like KDE look good, the individual shiny buttons and bars don't agree with a universal theme. Windows development is centralized, so the everything fits together visually.

I personally prefer the look of Windows XP to any OS (note I haven't used Vista), just because the gradients, buttons, and esp the fonts all fit together smoothly.

Re:Incompetent Liars (0)

Anonymous Coward | more than 7 years ago | (#18643391)

Because (overall) it just works, and has incredibly good hardware support.

Please stop by and fix my wireless connection that fails because "the cache couldn't be emptied."
No hurry, though, as the Mac right next to it is able to seamlessly connect.

Re:Incompetent Liars (0)

Anonymous Coward | more than 7 years ago | (#18644321)

Bill? Is that you?

Re:Incompetent Liars (1)

Ash-Fox (726320) | more than 7 years ago | (#18644385)

Please stop by and fix my wireless connection that fails because "the cache couldn't be emptied."
No hurry, though, as the Mac right next to it is able to seamlessly connec
Please stop by and fix my wireless connection that fails because I updated to OS X 10.4.9 (from 10.4.5 -- apparently the updated drivers aren't working?).
No hurry, though, as the Kubuntu Linux laptop I'm typing on is able to seamlessly connect.

Re:Incompetent Liars (1)

shutdown -p now (807394) | more than 7 years ago | (#18646169)

It also is aesthetically pleasing. While there has been lots of effort put into making things like KDE look good, the individual shiny buttons and bars don't agree with a universal theme. Windows development is centralized, so the everything fits together visually. I personally prefer the look of Windows XP to any OS (note I haven't used Vista), just because the gradients, buttons, and esp the fonts all fit together smoothly.
Sadly, the uniform look&feel of Windows has been slowly becoming worse in recent years, and hit a new low with Vista. In XP we had slightly 2 fonts: Tahoma and MS Sans Serif. Those were used by different applications somewhat at random, but at least they looked similar (though if you enabled ClearType, you'd easily spot MS Sans Serif, since it's a bitmap font, and as such, not anti-aliased). Then .NET and WinForms came and added Microsoft Sans Serif to the list (note, this isn't the same as "MS Sans Serif" - it's a True Type font and thus looks slightly different). What more, some controls in WinForms applications use GDI+ engine to render their text, which does font smoothing slightly more blurry than the default (GDI) ClearType renderer. Now with Vista, we have a new default UI font, Segoe UI... but still quite a few system dialogs and stock applications use Tahoma and/or MS Sans Serif. Then came WPF with its own "improved ClearType with subpixel glyph positioning", which in effect makes fonts look even more blurry [microsoft.com] , and quite visibly different from the default renderer in both XP and Vista. And that's just fonts. Need I remind how the look&feel of MS Office changed with every release since Office 2000, and was never consistent with the default look of the then-current OS at the time? And now Vista, which does not use the default look even for its own system dialogs and the most basic utilities (file Open/Save dialog, Explorer, IE to name a few). WPF is also very inviting in its rich capabilities to style widgets different from native OS L&F, and those few WPF applications that we've seen so far, including those from Microsoft itself, seem to be using those features heavily to present their own application-specific L&F...

Sadly, it seems that the time of uniform UI L&F experience on Windows is almost passed.

Backwards compatible (0)

Anonymous Coward | more than 7 years ago | (#18641425)

Great... My copy of Office 97 probably won't work in Vista. But the BUGS are 100% backwards compatible.

Re:Incompetent Liars (0, Offtopic)

CODiNE (27417) | more than 7 years ago | (#18641613)

Why is it that a 0.3% drop in Apple's marketshare gets widely reported but the jump from 2% to 6% of the market didn't?

Re:Incompetent Liars (2, Insightful)

ceroklis (1083863) | more than 7 years ago | (#18641645)

Microsoft has access to the source code, the "experts" don't. They have simply no basis for these claims. Their conclusions are based on their ideas on how code is supposed to be written, not on knowledge of the actual structure of the code in question. Ever tried to debug old spaghetti code that was written ten years ago, never properly documented and that nobody in the organization understand anymore? Maybe it is more complicated than they think. That's why I wouldn't trust them more than Microsoft on these matter. Not that I would trust Microsoft in the first place, since they have to interest in being open and honest on these matters, but that's ok.

As an aside, I am tired of these endless criticisms of windows. It was never marketed as an über-secure or über-robust system. So stop complaining and understand that it is a relatively inexpensive and user-friendly OS, with a good feature set, an enormous library of software, good backward compatibility and only limited work being done on its security or robustness. If the good points matter more to you than the bad ones, use it and learn to live with the occasional exploit. If you want robustness and security, put your money where you mouth is and use Trusted Solaris. But don't complain if it is expensive and has no games.

Re:Incompetent Liars (1)

afidel (530433) | more than 7 years ago | (#18644359)

Uh, it IS the exact same bug, you put too much data into a certain data structure type within the ani type files and you hit a buffer overflow. The only change with this iteration is that they patched how the code is called to handle that structure for the first occourance of the structure in the file, in otherwords they applied a bandaid by not allowing the corrupt data structure to get to the vulnerable code, but they failed to realize that if you put a second occourance of the data structure in the file it will be handed to the same vulnerable code via another code path. What they SHOULD have done is fix the damn broken code. There is no reason to allow unbounded data structures which is what leads to these stupid exploits, and applying bandaids around them just leads to more stupid exploits because they don't always know every way a given piece of code is accessed.

Re:Incompetent Liars (1)

Locutus (9039) | more than 7 years ago | (#18646449)

I guess that is why Bill Gates has been running around the world saying that Windows Vista is "the most secure operating system available"... Sorry but they have been saying their shit doesn't stink in regards to security and reliability since the W2K release.

And that bit about the security experts not knowing what they are talking about because they don't have the source code, well they have the binary code and from that they can generate assembly code. With that, it's pretty easy to see if an unchecked parameter to a function is being exploited just as the previous exploit was and they can tell if the flaw is in the same function as the previous one.

Sorry but you're wrong on so many levels. IMO.

LoB
 

Re:Incompetent Liars (1)

Una Nahmed (1085363) | more than 7 years ago | (#18646963)

"As an aside, I am tired of these endless criticisms of windows. It was never marketed as an über-secure or über-robust system. So stop complaining and understand that it is a relatively inexpensive and user-friendly OS" Heh? You're kidding, right? Windows has ALWAYS been marketed as robust and secure--ESPECIALLY Vista. You can't possibly listen to any MS exec or marketer all the way up to Bill Gates talk about it without hearing repeatedly and almost desperately about how this is the most secure Windows ever. Pure deception, of course--self-deception naturally, but nonetheless the marketing spin du jour... And what on earth can you possibly mean by "relatively inexpensive"? Compared to what, starting from scratch and developing your own OS? Certainly not compared to MacOS X, _absolutely_ not compared to most Linuxes. Upgrading to Vista can cost the better part of $600... Not relatively inexpensive in the least--two installs could have gotten a lovely Macbook instead... with a truly user-friendly, secure, robust OS and some truly useful (and highly usable) programs--including many *NIX tools--thrown in FOR FREE. Go back to astroturfing somewhere else.

Re:Incompetent Liars (1)

midnighttoadstool (703941) | more than 7 years ago | (#18641677)

Microsoft have always put a high priority on backwards compatability, as do almost all of us. So you have to be pretty naive to think that "all new code" is going to mean a total re-write. After all they only need to stick in a few lines of "all new code" to hoodwink the likes of yourself.

Further if you have any idea of what is involved in backwards compatability (ref: Raymond Chen's blog) then you'll understand how reluctant Microsoft may be to change even such a small thing as that.

It's a nice rant you've made there, but incompetent liars they are not. And I mean that in both meanings of the phrase.

Re:Incompetent Liars (0)

Anonymous Coward | more than 7 years ago | (#18642261)

Microsoft have always put a high priority on backwards compatability, as do almost all of us.

This is one of the things unit testing is good for. If Microsoft were competent, they would have tests in place for each and every exposed API method. Backwards compatibility would then be a complete non-issue.

Writing unit tests after the fact, however, is very difficult since you're basically reverse engineering a specification from observed behavior. It doesn't help that pre-.NET Microsoft APIs are monstrosities full of undocumented behavior. It also doesn't help that some Windows applicationd developers used Windows internals in their programs.

In short, if Microsoft had been competent, they would have a much easier time right now. .NET is a leap in the right direction as far as API design and implementation goes, but that isn't going to fix backwards compatibility issues with monstrosities like Win32 and MFC.

I was thinking exactly the same thing... (0)

Anonymous Coward | more than 7 years ago | (#18641735)

> Why do people buy products from these people again?
> And why do they always seem get the benefit of the doubt in the media?

I ask it myself, too.

The problem here -- I think -- is one of bad decision process.

I mean, when some decision is made, it can go wrong either because input data were incorrect or the criteria used were flawed. Furthermore, a weight resulting from subjective priorities may affect even further the whole process.

Expanding on that, suppose a non-techie is about to buy a computer. Have you ever bought any new gizmo about which you don't know what is important? The potential buyer is totally at loss... people he does not trust are telling, at the same time, that Windows is flawed; that Windows is now more secure than ever; that Linux is the future; that he'll be unable to use Linux because it's too complicated...

Processor models and brands, clock frequencies, memory types, refresh rates, amound of disk space, video accelerators, monitors... these "inputs" are confusing and he doesn't know whom to trust.

What criteria can be used to decide on such data? For a non-techie layman, everything is unknown, so much that many simply choose to trust the salesman, supposing he must know better. Worse yet, the salesman has an aura of respectability coming from the retail chain, from traditional computer brands and, sometimes, even higher price tags make lousy PCs look like powerful machines (if it's so expensive, it has to be a good one for sure -- or so the buyer thinks). We know the salesman has an agenda, the retail chain must sell first what's in stock etc. etc. Even shelf space is fiercely disputed, so that the buyer may even not get to know the best deals.

So data and criteria are subject to being incomplete, biased, distorted, laden with FUD and so on.

Now, there's still the question of priorities. Some people are really interested in making the most of the computer, so they pay a lot of attention, read a lot of things, try different options to gather better data and refine their selection criteria.

This may take a lot of time, but they do it. Unfortunately, these are very few. Most people simply lead busy lives and have not enough time for this. So they accept their limitations and just buy what others are buying -- or rather, what is being offered (again it's all about shelf space...).

Advanced Windows users are also in this category: they don't have time to learn Linux; they are half-experts, they know only the Windows side -- and even if they don't like it, they're afraid to start over from zero in Linux.

In companies, this same scenario occurs and again people do not buy what's best. Plus, they're even afraid to lose their jobs, so it's better a bad choice than an unusual choice (even if it is the right one). Psychology is a major factor here.

This, to me, is very similar to the Imperial x SI units the USA live now or the coming format wars of ODF x OOXML -- or, more aptly, consumer-owned versus corporate-owned data and its containers.

It's going to be a long fight, and all the dirty tricks they know are gonna be used: FUD, pressure on OEMs, suits, paid "studies", lies, excluding technical and/or legal measures etc.

But hard-working, organized people and countries will seize this opportunity to change first and faster. Bigger ships will turn sloooowly and may not be able to meet the speed of change.

I, for one, am very tired of trying to advocate free software and to show the benefits of SI to Americans, which won't hear me -- I still put high hopes in ODF, though.

Fortunately, free software is going very well, thanks and other countries are jumping ahead quickly, making the USA obsolete (which will in turn open their eyes better than advice, because their pockets will hurt).

And OOXML is so bad it might lose on its own "merits". Let's see.

Re:Incompetent Liars (2, Interesting)

UnknowingFool (672806) | more than 7 years ago | (#18641869)

This sounds familiar. One of my friends who once worked for MS showed me a bug in the screen saver. It was first identified in NT4. It was fixed in Win2K. But when XP came out, the bug was back. It wasn't one that would allow for attack; it was just one of those annoying ones, but it was astonishing that it still existed.

Re:Incompetent Liars (2, Interesting)

Foolhardy (664051) | more than 7 years ago | (#18642061)

There is a certain class of security vulnerability where malformed data passed to a library in the same process can cause code execution. From the library's point of view, since the library is in the same process as the caller, they're both at the same trust level, so calling a function does not cross a security boundary and no secure validity checking need be performed. The worst that could happen is that an app causes a library to execute code in its own process, a non-issue. The only parties involved are the application and the user library. This was the picture in 1993 when the first version of Windows NT (3.1) was released. It was largely still the case in 1995 with the release of Windows 95. This is the era where this and other vulns (like the GDI metafile escape one) are from.

Problems start when the app passes along data from some outside untrusted source without understanding its content or validating it, like when a web browser passes an .ANI to user32.dll. Back when user32.dll was written for NT 3.1, the devs never conceived of an app implicitly loading a malicious .ANI (without validating it) from a third party. At the same time, the app would much rather treat those things as opaque blobs to pass on to libraries, implicitly expecting them to do the validation too. The libraries see the security boundary as being on the other side of the application, expecting the application to validate any data before processing. Both expect the other to validate data, but in some cases (like this one), neither do.

Right now, the trust assumption of many user libraries hasn't been fixed because there is a lot of code in that position and it would be a lot of work to go through it all. Managers hate fixing code issues like that because it takes a lot of time and money but doesn't result in anything tangible like pretty features. Applications already suffer enough code bloat without having to implement validation for all the data they come in contact with that gets passed right to support libraries-- managers don't want to spend time and money on validating things that should be someone else's responsibility. Microsoft has had this class of vulnerability on low priority for a long time, and it's been the source of A LOT of issues.

I'm not excusing Microsoft's behavior, just trying to explain it somewhat. Someone sure dropped the ball in not finding finding problems similar to the 2005 issue though.

This by reason of Microsoft's own self-stated bug hunting and code modification procedures.
Microsoft is a big company. Not every department is following the Security Development Lifecycle, as much as marketing may like to imply it. The main two examples that do are SQL Server 2005 and IIS6, both of which are doing very well. I haven't heard Microsoft say that all of Windows or the Win32-GUI core team were using SDL.

On top of all of that, this is yet another (of about three instances I have found so far), where it's clear that Vista is not "all new code" as MS likes to maintain it is.
Vista contains copious amounts of new code, but very little of it replaced old code. The sound system (the mixer mainly) was largely rewritten, the backup program got replaced with a POS from scratch, the logon GUI arch (i.e. msgina.dll replacements) got replaced... and I can't think of anything else that is new code to replace old code. I'd say that at least 75% of the Windows NT3.1 code base is still present in Vista.

Re:Incompetent Liars (1)

Antique Geekmeister (740220) | more than 7 years ago | (#18644717)

The new stuff is the extensive DRM, especially including the so-called "Trusted Computing" tools, and the remains of the attempts in insert WinFS, which turned out to be pretty unusable and wound up thrown out.

Copy & Paste (0)

Anonymous Coward | more than 7 years ago | (#18643085)

Haven't all you linux geeks discovered copy & paste?

Shit, it works for me...

Out of interest.... (5, Funny)

Anonymous Coward | more than 7 years ago | (#18640757)

How many other people clicked on the "teaser of nude Britney Spears pictures" link in the Slashdot story and were bitterly disappointed?

Re:Out of interest.... (5, Funny)

mattpointblank (936343) | more than 7 years ago | (#18640981)

You mean the link does go to nude pictures?

Re:Out of interest.... (0)

Anonymous Coward | more than 7 years ago | (#18641093)

Next week's poll?

Re:Out of interest.... (4, Funny)

Rakshasa Taisab (244699) | more than 7 years ago | (#18641135)

Do you mean; disappointed because they saw the pictures, or because they didn't?

Re:Out of interest.... (1)

ryanov (193048) | more than 7 years ago | (#18641407)

Sophos has certainly explained the vulnerability [sophos.com] very well, however. Kudos to Sophos!

Re:Out of interest.... (1)

failedlogic (627314) | more than 7 years ago | (#18641899)

Based on the way she is looking right now, if they've updated the picutres recently, I've no interest in clicking on the link. ;)

slownewsday (0)

harry666t (1062422) | more than 7 years ago | (#18640967)

slownewsday?

Fitting (1)

CODiNE (27417) | more than 7 years ago | (#18641649)

Denial about an unfixed security problem? Time for the "insecurity" tag.

Meh (1)

stratjakt (596332) | more than 7 years ago | (#18641791)

I wonder how many coders actually read slashdot.

I can see two seperate bugs causing the same result, I've dealt with it tons of times.

"the bug is back, you didn't fix it"

and I say, "no this one is different"

Meh

Who really fucking cares?

Re:Meh (1)

Antique Geekmeister (740220) | more than 7 years ago | (#18644705)

I do. When a known bug surfaces that affects a lot of people, it's basic security practice to check for other projects that use this chunk of code. In a well-built source control system, it's pretty obvious. With programmers who don't know or try to read how things work doing cut&paste programming, it's uncontrolled and unmanageable.

Guess what company famous for stealing software, lying about its security, famous for hiding "features" that deliberately break interoperability doesn't want to expose its code to review by outsiders or even by its own separate departments?

useless (2, Insightful)

digital bath (650895) | more than 7 years ago | (#18641837)

this is useless without pictures

Re:useless (1)

houghi (78078) | more than 7 years ago | (#18644137)

http://tinyurl.com/2r4rk4 [tinyurl.com]

There, hope that helps.

It would be nice to have real information on this (1)

frovingslosh (582462) | more than 7 years ago | (#18641893)

Does anyone have a link to any information that actually explains how thi exploit works? I've been reading about it for over a week, but can't find any susbtantial information Just warning that it can hit you from web page content or html e-mail reading. But what that has to do with animated cursors is not at all clear. I've never yet seen an html page that could change my user selected cursor, so how is it that this exploit actually affects the user's computer?

Re:It would be nice to have real information on th (2, Informative)

jwgoerlich (661687) | more than 7 years ago | (#18642131)

Does anyone have a link to any information that actually explains how thi exploit works?


Here you go: Analysis of ANI "anih" Header Stack Overflow Vulnerability [mnin.org]


Basically, an animated cursor is just one way to exploit a problem with Windows' GDI (graphical device interface) implementation. Windows runs this as part of the user's session and it is, in part, in kernel mode. Just like Jon Ellch and David Maynor showed with the Apple wireless driver exploit, if you can get access to the kernel, you can do pretty much anything you want. Any code you run will no longer be limited to the permissions of your user account.


J Wolfgang Goerlich



Re:It would be nice to have real information on th (0)

Anonymous Coward | more than 7 years ago | (#18642711)

Jesus Christ that is fucking ridiculous. They are reading a size field from an ANI file header, reading that number of bytes from the ANI file, and writing those bytes into a fixed size buffer WITHOUT checking to see if the buffer is big enough to hold all the bytes. I'm sorry, but that is just fucking idiotic. "DUR!!! A FILE COULD NEVER BE MALFORMED SO THIS CODE CAN'T LOSE!!!" If they could just take a year off to fix all these KINDERGARTEN mistakes a lot of these exploits would not exist. Fuck, I'll do it for FREE just as a public service!

BOOL OwnMachine(SOME_STRUCT* whatever)
{
    if(!whatever)
        return FALSE;
    BYTE buffer[32];
/* TODO: NOT GET pwn3d!!!
    if(whatever->size > 32)
        return FALSE;
*/
    memcpy(buffer, whatever->data, whatever->size);
    return TRUE;
}
God these fuckers are either incompetent or ... no, there is no other possibility.

Re:It would be nice to have real information on th (1)

frovingslosh (582462) | more than 7 years ago | (#18643207)

Thanks. This was very helpful, and also makes it very clear that this is much more serous than something that just deals with animated cursors. In fact, I'm at a loss to understand why the community is attaching the aminated cursor reference to it.

Re:It would be nice to have real information on th (1)

AaronLawrence (600990) | more than 7 years ago | (#18644065)

Interesting, thanks. Or not that interesting - just another buffer overflow exploit in code that doesn't validate it's input fully.

Observations: If DEP/the NX/XD bit was actually turned on on Vista or XP by default, this would have no effect.
Bit dissappointing that Firefox falls for this too. I REALLY DON'T WANT Firefox to support animated cursors....

Re:It would be nice to have real information on th (1)

jwgoerlich (661687) | more than 7 years ago | (#18645017)

If DEP/the NX/XD bit was actually turned on on Vista or XP by default, this would have no effect.

Would it? I am not so sure. DEP protects against execution from the stack. Instead, this exploit uses jmp (jump) to make calls against user32.dll. This is a different animal than what DEP is designed to catch.

J Wolfgang Goerlich

Re:It would be nice to have real information on th (2, Interesting)

mgiuca (1040724) | more than 7 years ago | (#18644729)

Basically, an animated cursor is just one way to exploit a problem with Windows' GDI (graphical device interface) implementation. Windows runs this as part of the user's session and it is, in part, in kernel mode.
This is why I've been saying this problem has NOT been caused by a mere "bug in the code". Bugs happen to everyone, and it's not about blaming people. It's an accident.

But this issue has not been caused by a mere bug. It's been caused by a catastrophic design flaw in Windows itself (which I personally believe is a side-effect of Microsoft's marketing strategy) - and that is that EVERYTHING is in the kernel. In UNIXes, the GUI is nowhere near the kernel. There is no hope in hell in a UNIX environment of a mouse cursor taking control of your computer. This is caused by the fact that the GUI in windows runs partly in kernel mode. It's the architecture's fault.

If you ask me, this goes right down to the name of the OS - "Windows". It says it all. "This operating system is based on the GUI". And it literally is. The side-effect is that the GUI itself (the windows) can attack your computer.

Re:It would be nice to have real information on th (1)

typicallyterrific (934202) | more than 7 years ago | (#18647333)

Not quite.

It kind of depends on your definition of "taking control of your computer". If you mean that exploiting a cursor library alone won't let you gain root, that is true as libraries don't run with that sort of privilege. However, if you were to define "control of your computer" as being able to delete all your data, set up a spambox or an irc/web/ftp server on your machine and so on, well that's quite possible, given that these libraries run with user privileges.

The problem is that, in practical terms, those two "levels of exploitation" are indistinguishable. Once an attacker possesses user privileges on your machine, she is then free to find and use exploits that would give her root on your box, upon which you're just as owned.

While the moral victory is nice, in that we UNIXy types don't worry as much, it's all irrelevant as in both cases the only really safe thing to do is wipe the machine clean and start fresh.

Re:It would be nice to have real information on th (2, Informative)

cnettel (836611) | more than 7 years ago | (#18645037)

The analysis you link to does not mention the kernel. It's true that some GDI is in kernel land, but a surprising amount of resource access, like this, is not. The exploit, in its current form, is firmly in the userland part, and constrained by the security tokens of the thread and process. That's often bad enough, though.

Re:It would be nice to have real information on th (0)

Anonymous Coward | more than 7 years ago | (#18642811)

I found a detailed description and code at http://www.lomont.org/Software/ANIExploit/ExploitA NI.pdf [lomont.org] . Some dude wrote an exploit in two days based on stuff found on the internet and detailed how he did it, including analysis of the flaw. It also has sample HTML that loads a cursor to show how to do it.

Re:It would be nice to have real information on th (1)

Locutus (9039) | more than 7 years ago | (#18646765)

nice work finding that, thanks.

You know, if Microsoft can pay a dozen people to make sure a reporter writes THEIR story and not his/her own, you'd think they'd be paying developers enough and putting enough "process" in place in order to make the product better. But here in 2007, it sure looks like they still suck at software engineering.

LoB

McAfee doesn't know what they're talking about (0)

Anonymous Coward | more than 7 years ago | (#18641915)

I wouldn't put much stock into anything uttered by an employee of McAfee. That company is just a truck load of morons making their money off of the research of third parties. Their software sucks and lets face it, they'll say anything to make themselves more money. You can't trust a company making money off security flaws to want to truly fix computer security problems.

ASUS website hacked (1)

sponga (739683) | more than 7 years ago | (#18642041)

thats right the website was hacked the other day and the .ANI exploit was stuck in there
http://www.infoworld.com/article/07/04/06/HNasuste ksitehack_1.html [infoworld.com]

Although I never visited the site because it was slow to begin with and had the worst download rates.

Netcraft says for the asus.com website that it was running Windows Server 2003 but other foregin ASUS sites were running a mix of Linux/BSD.

Re:ASUS website hacked (1)

Phil Urich (841393) | more than 7 years ago | (#18642673)

Netcraft says for the asus.com website that it was running Windows Server 2003 but other foregin ASUS sites were running a mix of Linux/BSD.


Aha!

I had always wondered why the non-US ASUS sites were so good but the "actual" .com was so buggy and annoying.

Re:ASUS website hacked (1)

Locutus (9039) | more than 7 years ago | (#18646881)

I wonder how many of those 700 hacked web servers are Microsoft Windows based?

Ask anybody about what OS was the base of an attack which makes the press and you get no answer...
I can only imagine that someone is very persuasive at keeping this quite since there is just too much consistency in how these requests are handled.

Atleast now we know ASUS was/is Microsoft Windows.

LoB

Re:ASUS website hacked (1)

Locutus (9039) | more than 7 years ago | (#18647059)

found that one site, dynamoo.com is Linux/Apache based.

LoB
Load More Comments
Slashdot Account

Need an Account?

Forgot your password?

Don't worry, we never post anything without your permission.

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>
Create a Slashdot Account

Loading...