When Security Patches Go Wrong
Roy Schestowitz
This is not the first time this happens.
BearItAll
> http://news.zdnet.com/2100-1009_22-6047762.html
>
> This is not the first time this happens.
Isn't it amazing, two days after the release of the update that caused a
vulnerability, an attacker exploit was out. So, the code is released to the
servers where the millions of computers collect the updates from, then it
would take some amount of time for people to descover that they was any
problem at all, then more time to pass the word onto the Internet. We could
say that the hacker has already lost one day before he/she is aware of the
possibility of a vulnerability.
I find it hard to believe that people are sitting around studying every
update (dosen't MS get one every day?), the study by these hackers would
have to be so well done that in just two days they could discover the
problem, write the code and distribute it to make use of the exploit.
Doesn't that sound to you people to be much too professional for a typical
hacker?
I'm a programmer, I do less of it now than I once did, but spent many years
where my primary job was programming. But I am certain that I wouldn't have
the time to examine every MS update, every day and then come up with the
software for the hack. It has to be a team and it must be so disciplined
that it can't be kids (no offence to kids, but patience isn't really a
trait you have at a young age).
Call me Columbo if you like, but I can't help feeling that taking of
advantage of a bug at this pace would require prior knowledge of the bug.
Roy Schestowitz
Are you sure? Microsoft recently bragged about employing a 9-year-old girl. I
believe she had Microsoft certification, but I am not sure as it was months
ago.
> Call me Columbo if you like, but I can't help feeling that taking of
> advantage of a bug at this pace would require prior knowledge of the bug.
On this scenario as a whole: that's just what happens when you release
software with critical flaws. You need to update and test for various
versions at haste, so the outcome is broken software. Had Microsoft taken
security seriously (as if they could handle the 'beast'), all of this would
not have happened.
Here you have plenty of confused users with software that breaks after an
seemingly-innocent reboot... seen the same thing happen with network
components, which are far more critical. Users were no longer able to
connect to the world because they had been urged to patch their O/S. Then,
the recommended solution is to wipe. At least /that/ is a step which many
users are already familiar with, so it requires no involvement by
professionals. *smile*
Best wishes,
Roy
--
Roy S. Schestowitz | Software patents destroy innovation
http://Schestowitz.com | SuSE Linux | PGP-Key: 0x74572E8E
9:10am up 1 day 1:47, 8 users, load average: 0.01, 0.12, 0.23
http://iuron.com - next generation of search paradigms
Sinister Midget
In addition to the possible trouble with Windows Media Player,
Microsoft on Wednesday said a patch it released February last year
might cause trouble with a specific Web program known as an ActiveX
control. A fix for that problem is available from Microsoft, the
company said.
Proving the CSS company methods of pouring over the code in secrecy is
far superior to anything OSS could come up with.
You know, this wouldn't be so pathetic if it was a problem in some
third party thing. But they *own* ActiveX. It took them a year to find
a problem in their *own* fix that broke something else of theirs?
--
Esbot: Innovative Microsoft peer-to-peer software.
Brad
> http://news.zdnet.com/2100-1009_22-6047762.html
>
> This is not the first time this happens.
I doubt it will be the last. Just more reason for me to Luv Tux.
Brad
Roy Schestowitz
Don't get me wrong, but a SuSE/YaST update failed me once. When I men-
tioned this in the SuSE newsgroup, others were somewhat stunned because it
had never happened to anyone else.
To be specific, the only thing to have broken after the update was kdm. I
just needed to add a line or two to a dot file in my home directory, mere-
ly in order to escape TWM as the default windows manager. KDE was not bro-
ken, but the login screen was not polished. All the instructions were very
clear in the KDE handbook, so I mended it very quickly.
Best wishes,
Roy
--
Roy S. Schestowitz | Vista: Windows XP with bling-bling, nothing else
http://Schestowitz.com | SuSE Linux | PGP-Key: 0x74572E8E
1:30pm up 1 day 6:07, 7 users, load average: 0.77, 0.49, 0.31
http://iuron.com - help build a non-profit search engine
Ray Ingles
> I find it hard to believe that people are sitting around studying every
> update (dosen't MS get one every day?), the study by these hackers would
> have to be so well done that in just two days they could discover the
> problem, write the code and distribute it to make use of the exploit.
>
> Doesn't that sound to you people to be much too professional for a typical
> hacker?
That's because it's not "hackers in basements" doing this stuff.
Malware has a *business model* now. Once you compromise a machine, it
can be used to:
1. Relay spam.
2. Host throwaway websites for collecting money from orders generated
via spam.
3. Generate DOS attacks (extortion of websites is very common now)
4. Generate "click" traffic to get money from advertising
5. Keylog passwords to banks, auction sites, etc.
6. Redirect referral clicks
If you don't recognize this fact about malware you will critically
misunderstand the situation. It's not a hobby anymore, it's a job, and
pros are working on it.
> Call me Columbo if you like, but I can't help feeling that taking of
> advantage of a bug at this pace would require prior knowledge of the bug.
No, but it would require dedicated and high-level programmers. And they
do exist on the 'dark side'.
--
Sincerely,
Ray Ingles (313) 227-2317
"The function of laws to protect children cannot be to
force adults to act like them." - Irvu
Roy Schestowitz
Excellent points made, Ray.
You forget about (or intentionally neglected to mention) the business which
revolves around protecting the operating system from these flaws. Hackers
can be employed by the benefactors (albeit it's somewhat of a conspiracy
theory).
Microsoft will soon join to party with WanKer (sic), essentially benefitting
from its own flaws, financially-speaking.
Best wishes,
Roy
--
Roy S. Schestowitz | YaSTall SuSE to figure out the magic
http://Schestowitz.com | SuSE Linux | PGP-Key: 0x74572E8E
3:00pm up 1 day 7:37, 7 users, load average: 0.15, 0.32, 0.43
William Poaster
> __/ [ Brad ] on Thursday 09 March 2006 13:02 \__
>
>> On Thu, 09 Mar 2006 07:44:17 +0000, Roy Schestowitz wrote:
>>
>>> http://news.zdnet.com/2100-1009_22-6047762.html
>>>
>>> This is not the first time this happens.
>>
>> I doubt it will be the last. Just more reason for me to Luv Tux.
>>
>> Brad
>
> Don't get me wrong, but a SuSE/YaST update failed me once. When I men-
> tioned this in the SuSE newsgroup, others were somewhat stunned because it
> had never happened to anyone else.
I have had it once, & IIRC it was back when using SuSE 7.0 On the first
update of 7.0, YOU connected to suse's server but one
application hung for *ages*, the thing just froze IIRC. So I had to kill
YOU [Ctrl+Alt+Esc]. After that when YOU tried to connected to suse's
server for updates, it suddenly closed without any error message(s). A
check in /var/lib/YaST/patches/i386/update/7.0 revealed stale files. A
name change to /var/lib/YaST/patches/i386/update/7.0-old soon corrected
it. It didn't do it an any subsequent updates IIRC. But I have to say
that's the only problem I've had with YaST in the 10 years of using SuSE. :-)
> To be specific, the only thing to have broken after the update was kdm. I
> just needed to add a line or two to a dot file in my home directory, mere-
> ly in order to escape TWM as the default windows manager. KDE was not bro-
> ken, but the login screen was not polished. All the instructions were very
> clear in the KDE handbook, so I mended it very quickly.
>
> Best wishes,
>
> Roy
--
SuSE 10.1 OSS Beta3 (Agama Lizard)
Erik Funkenbusch
> http://news.zdnet.com/2100-1009_22-6047762.html
>
> This is not the first time this happens.
Of course this never happens with open source.
Roy Schestowitz
Published: October 11, 2001, 10:10 AM PDT
It took you 10 hours to reply. Were you using live.com again? Did it take
*that* long to find a suitable and rare reference that is 5 years old? I
guess that's just how long it takes Microsoft to crawl the Web to its
depths.
While on the subject of latency and pre-historic stories, I heard that
live.com has a nice image search facility, so I searched for 'funkenbusch'
and here is what I got.
funkenbusch
erik funkenbusch
http://krow.net/images/msdino.png
FUNKENBUSCH
Funkenbusch
The acnhor text buffering the above URL will bind your name with the photo in
the SE indices. *smile* Of course, it might take Microsoft a while to parse
this sequence, but not Google.
Erik Funkenbusch
> __/ [ Erik Funkenbusch ] on Thursday 09 March 2006 17:35 \__
>
>> On Thu, 09 Mar 2006 07:44:17 +0000, Roy Schestowitz wrote:
>>
>>> http://news.zdnet.com/2100-1009_22-6047762.html
>>>
>>> This is not the first time this happens.
>>
>> Of course this never happens with open source.
>>
>> http://news.com.com/2110-1001-274277.html
>
> Published: October 11, 2001, 10:10 AM PDT
>
> It took you 10 hours to reply. Were you using live.com again? Did it take
> *that* long to find a suitable and rare reference that is 5 years old? I
> guess that's just how long it takes Microsoft to crawl the Web to its
> depths.
I know it may shock you, but I don't live on the internet.
And I didn't use google at all, It was just the first one that i
remembered. I'm sure if I wanted to, I could find a lot more cases of this
happening, though it's only happened to the Linux kernel a few times.
> While on the subject of latency and pre-historic stories, I heard that
> live.com has a nice image search facility, so I searched for 'funkenbusch'
> and here is what I got.
>
> funkenbusch
> erik funkenbusch
>
> http://krow.net/images/msdino.png
>
> FUNKENBUSCH
> Funkenbusch
>
> The acnhor text buffering the above URL will bind your name with the photo in
> the SE indices. *smile* Of course, it might take Microsoft a while to parse
> this sequence, but not Google.
Nice way to show how dishonest you are, not that you haven't already proven
it in several ways.
By the way, I thought you didn't respond to me?
Mart van de Wege
And how is this the same?
This is Linus releasing a kernel that turns out to have a flaw, and
immediately releasing a fix.
Whereas the Microsoft story was about Microsoft releasing a security
patch that broke functionality.
Nice attempt at spin.
Mart
--
"We will need a longer wall when the revolution comes."
--- AJS, quoting an uncertain source.