Microsoft encourages customers to review the Security Bulletin at:
http://www.microsoft.com/technet/security/bulletin/MS02-022.asp.
- ----------------------------------------------------------------------
Issue:
======
The MSN Chat control is an ActiveX control that allows groups of users to
gather in a single, virtual location online to engage in text messaging. The
control is offered for download as a single ActiveX control from a number of
MSN sites. In addition, it is included with MSN Messenger since version 4.5
and Exchange Instant Messenger. While the MSN Chat control is included with
these products it is not used to provide Instant Messaging functionality,
but rather to add chat functionality to those products.
An unchecked buffer exists in one of the functions that handles input
parameters in the MSN Chat control. A security vulnerability results because
it is possible for a malicious user to levy a buffer overrun attack and
attempt to exploit this flaw. A successful attack could allow code to run in
the user's context.
It would be possible for an attacker to attempt to exploit this vulnerability
either through a malicious web site or through HTML email. However, Outlook
Express 6.0, Outlook 2002, and the Outlook Email Security Update, which is
available for Outlook 98 and Outlook 2000, can thwart such attempts through
their default security settings.
Mitigating Factors:
====================
- A successful attack would require that the user have installed
the MSN Chat control, MSN Messenger, or
Exchange Instant Messenger.
- The MSN Chat control does not install with any version of
Windows or Internet Explorer by default.
- Windows Messenger which ships with Windows XP does not
include the MSN Chat control. Windows XP users would be
vulnerable only if they have chosen to install the MSN Chat
control from MSN sites.
- The HTML email attack vector is blocked by the following
Microsoft mail products:
- Outlook 98 and Outlook 2000 with the
Outlook Email Security Update
- Outlook 2002
- Outlook Express.
This is because these products all open HTML email in the
Restricted Sites zone by default.
Risk Rating:
============
- Internet systems: Low
- Intranet systems: Low
- Client systems: Critical
Patch Availability:
===================
- A patch is available to fix this vulnerability. Please read the
Security Bulletin at
http://www.microsoft.com/technet/security/bulletin/ms02-022.asp
for information on obtaining this patch.
Acknowledgment:
===============
- eEye Digital Security (http://www.eeye.com)
- ---------------------------------------------------------------------
THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS"
WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER
EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS
SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT,
INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN
IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE
POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR
LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE
FOREGOING LIMITATION MAY NOT APPLY.
--
Regards,
Jerry Bryant - MCSE, MCDBA
Microsoft IT Communities
Get Secure! www.microsoft.com/security
This posting is provided "AS IS" with no warranties, and confers no rights.
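As an added illustration of the bug class the bulletin names (an unchecked buffer in a function that handles input parameters), and not code from MSN Chat or Microsoft: a constructed parameter setter in its unchecked form beside a length-checked replacement that rejects over-long values instead of copying them. The struct, buffer size, function names and sample values are all assumptions made for the example.

```c
/* Constructed illustration of the MS02-022 bug class: a fixed-size buffer
 * filled from a caller-supplied parameter.  Nothing here is MSN Chat code;
 * the names, sizes and inputs are assumptions for the example. */
#include <stdio.h>
#include <string.h>

#define PARAM_MAX 32          /* assumed fixed-size storage for one parameter */

struct control_state {
    char param[PARAM_MAX];    /* e.g. a value taken from a web page's PARAM tag */
};

/* "Before": the value is copied without checking its length.  A value of
 * PARAM_MAX bytes or more overruns `param` and whatever follows it, which is
 * the condition the bulletin describes.  Kept only for contrast; it must
 * never be called with input the control did not bound itself. */
static void set_param_unchecked(struct control_state *s, const char *value)
{
    strcpy(s->param, value);  /* no bound on strlen(value) */
}

/* "After": the length is validated before any byte is copied.  Over-long
 * values are rejected rather than silently truncated, so the stored value is
 * always exactly what was supplied.  Returns 0 on success, -1 on rejection. */
static int set_param_checked(struct control_state *s, const char *value)
{
    size_t len = strlen(value);
    if (len >= sizeof s->param)
        return -1;                     /* would not fit with its terminator */
    memcpy(s->param, value, len + 1);  /* copies the NUL as well */
    return 0;
}

/* Would the unchecked path have overrun the buffer for this value?
 * Useful as a pre-copy check or an audit assertion in input handlers. */
static int param_would_overflow(const char *value)
{
    return strlen(value) >= PARAM_MAX;
}

int main(void)
{
    struct control_state s;
    /* Constructed inputs: a normal value and one built to exceed the buffer. */
    const char *normal = "lobby";
    char oversize[PARAM_MAX * 4];
    memset(oversize, 'A', sizeof oversize - 1);
    oversize[sizeof oversize - 1] = '\0';

    set_param_unchecked(&s, normal);   /* safe only because the input is short */
    printf("unchecked, short value : \"%s\"\n", s.param);
    printf("checked, short value   : rc=%d\n", set_param_checked(&s, normal));
    printf("checked, oversize value: rc=%d (%zu bytes rejected)\n",
           set_param_checked(&s, oversize), strlen(oversize));
    printf("unchecked path would overflow on oversize value: %d\n",
           param_would_overflow(oversize));
    return 0;
}
```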
"Jerry Bryant [MS]" <jbr...@online.microsoft.com> wrote in message
news:O2FF2nu9BHA.1656@tkmsftngp07...
--
Kent W. England, MS MVP for Windows XP
(Please respond only in the newsgroup)
Hector Santos <spam...@spamhole.com> posted the following:
> This is getting really ridiculous.
>
> "Jerry Bryant [MS]" <jbr...@online.microsoft.com> wrote in message
> news:O2FF2nu9BHA.1656@tkmsftngp07...
>> - -------------------------------------------------------------------
>> --- Title: Unchecked Buffer in MSN Chat Control Can Lead to Code
>> Execution (Q321661)
Really? Didn't you read the acknowledgement in the bulletin? Unless you
know something we don't, I'd say MS developers had nothing to do with the
discovery of this flaw.
http://www.microsoft.com/technet/security/bulletin/MS02-022.asp:
> "Microsoft thanks eEye Digital Security (http://www.eeye.com) for
> reporting this issue to us and working with us to protect customers"
and from Jerry's original post:
> > Acknowledgment:
> > ===============
> > - eEye Digital Security (http://www.eeye.com)
> It only becomes ridiculous if
> the unchecked buffer security updates don't tail off after a while and
> if we continue to see unchecked buffer security updates after new code
> is introduced.
How about MS02-018 containing TEN vulnerabilities for IIS, of which
apparently only TWO were discovered by MS.
The whole "MS developers take time off to look for bugs in existing code"
story seems to have been mainly a media-spinning operation; which begs the
question: where are all the vulnerabilities that the developers actually
found during their time spent auditing code? OK, there were two in
MS02-018.... great.
James
There is NO effort going on at MS to repair or redesign existing, available,
in-release products.
None.
ANY efforts, which might be underway, are for new versions that can be sold
as "better than the last ones", as has been the Redmond approach for a
number of years now.
Meanwhile, hundreds of millions of systems worldwide remain vulnerable and
open to attack, thanks to poor design, bad implementation, and a lack of
third party review of the processes and methods employed.
All are candidates for "the next big thing" from MS, however, so we won't
upset THAT apple cart.
P. R. , that's all the "Trustworthy Computing" program is, or ever was,
intended to be.
--
Mark Strelecki, ACP BE6.2600.011208c
Computing and Programming Since 1975 http://www.strelecki.com
Protect Your Rights -- Fight UCITA http://www.4cite.org
"James" <james...@reather.com> wrote in message
news:#$PTwD49BHA.1704@tkmsftngp07...
>
> Really? Didn't you read the acknowledgement in the bulletin? Unless you
> know something we don't, I'd say MS developers had nothing to do with the
> discovery of this flaw.
>
> http://www.microsoft.com/technet/security/bulletin/MS02-022.asp:
>
> and from Jerry's original post:
>
> How about MS02-018 containing TEN vulnerabilities for IIS, of which
Do you think they actually need to redesign the products, or just fix code,
which doesn't require redesign?
--
Svyatoslav Pidgorny, MS MVP, MCSE
-= F1 is the key =-
" Mark Strelecki, ACP" <be6...@nospam.strelecki.com> wrote in message
news:OYm4sq59BHA.1916@tkmsftngp04...
This would seem to be contradicted by the steady flow of patches/hotfixes
for security and bugs. There certainly are too many unresolved issues
(e.g., a web page's javascript still can call an executable, they're still
finding buffer overflows, etc.) and there does not seem to be a concerted
effort to discover or fix existing holes. However, a demand for redesign is
superfluous. That's what new versions are. Insisting on redesign and then
complaining about upgrading is self-contradictory.
Repair, on the other hand, certainly should be a much greater priority.
While the recent security initiative has resulted in new procedures for
developing new software, it seems that repair of existing installations does
not have nearly the same priority. I guess there's not much money to be
made in it.
However, Win2K SP3 may offer a surprise in the number of new security fixes
it contains. At least I hope so. But the "security initiative" seemed to
focus on internal education, auditing current development procedures, and
developing new ones.
Sadly, they still don't seem to have a SWAT team, although Michael Howard
has been cited by Brian Valentine (Windows VP) as "my key kind of security
penetration testing person within Microsoft"
(http://computerworld.com/securitytopics/security/story/0,10801,70905,00.html).
(His book, "Writing Secure Code", should be required reading for every
software developer.)
> ANY efforts, which might be underway, are for new versions that can
> be sold as "better than the last ones", as has been the Redmond
> approach for a number of years now.
>
> Meanwhile, hundreds of millions of systems worldwide remain
> vulnerable and open to attack, thanks to poor design, bad
> implementation, and a lack of third party review of the processes and
> methods employed.
All true. On the other hand, I don't want a third-party coming into /my/
shop to do inspections, either.
> All are candidates for "the next big thing" from MS, however, so we
> won't upset THAT apple cart.
>
> P. R. , that's all the "Trustworthy Computing" program is, or ever
> was, intended to be.
We'll see. There do appear to be some internal procedural changes at
Microsoft. Code ownership is a major improvement (they'll know the name of
the person who wrote any particular line of code). Now if they'll just fix
their organizational chart. At a minimum, it would be nice to see a VP for
Security with a lot of scheduling power and personnel. It's an issue of
national security -- and world security -- and rates that kind of attention.
(But let's keep the government out of it. They can't even find the person
who used an unusual weapon like anthrax.)
--
David Dickinson, MVP
EveningStar Information Services
Las Cruces, NM USA
Summary of Microsoft Security Bulletins
http://www.zianet.com/bwd/securitybulletins.asp
Not sure I agree with you. The vast majority of the steady flow of
*security-related* patches/hotfixes deal with issues that were discovered by
third parties who notified MS of the problem, even since the "trustworthy
computing" campaign.
> There certainly are too many unresolved issues
> (e.g., a web page's javascript still can call an executable, they're still
> finding buffer overflows, etc.) and there does not seem to be a concerted
> effort to discover or fix existing holes.
OK, a question: There are several pages listing outstanding IE flaws. Is
there a public response from MS on these issues? Probably not, because they
don't want the negative publicity associated with acknowledging those flaws.
Many are not serious [yet], or are not readily exploitable [yet] - but
ignoring them isn't exactly "good behaviour".
> However, a demand for redesign is
> superfluous. That's what new versions are. Insisting on redesign and then
> complaining about upgrading is self-contradictory.
How about roll-up patches issued with .msi files, on a far more regular
schedule, for easy group-policy driven deployment? How about putting some
serious effort into network hotfix deployment, instead of talking about
Corporate Windows Update (when will that happen?) How about not pulling SP7
for NT4 because "there's no demand for it". Except now the list of NT's
post-sp6a patches gets longer and longer until we all get so annoyed we
upgrade to W2k. Surely the lack of SP7 for NT4 shows the sales&marketing
team at work, not the "trustworthy computing" team?
> Repair, on the other hand, certainly should be a much greater priority.
> While the recent security initiative has resulted in new procedures for
> developing new software, it seems that repair of existing installations does
> not have nearly the same priority.
> I guess there's not much money to be made in it. [snip]
Not quite right, but close: as far as MS is concerned, there's *NO* money to
be made in it.
James
Let's see how far it will go if posted through Google's newsgroup:
"David Dickinson [MVP]" <eis.n...@softhome.net> wrote in message news:ewY$E4B#BHA.1880@tkmsftngp04...
> Mark Strelecki, ACP wrote:
> > That whole campaign is for public relations (P. R.) and marketing
> > only.
>
> However, a demand for redesign is superfluous. That's what new versions are.
> ...
> Repair, on the other hand, certainly should be a much greater priority.
>
> ... There do appear to be some internal procedural changes at
> Microsoft. Code ownership is a major improvement (they'll know the name of
> the person who wrote any particular line of code). Now if they'll just fix
> their organizational chart. At a minimum, it would be nice to see a VP for
> Security with a lot of scheduling power and personel. It's an issue of
> national security -- and world security -- and rates that kind of attention.
Is demand for redesign really superfluous? I'd say - why pay anew for
something that should not have been as badly and as fundamentally broken
in the first place?
I just do not see how any amount of "internal procedural changes" or
"ownership" shuffle will or can compensate for flawed foundations on which
the whole "house of cards" was built. While the statement that any piece
of software more complex than a one-liner "hello world" is and will be
bug-prone holds, still - there is no reason or reasonable justification for:
(in no particular order)
- Integrating anything and everything (web browser, media player, messenger,
balls scratcher, etc) with OS kernel. More stuff that does not belong
there - the greater possibility for fatal "mistakes".
- Installing everything by default, enabling everything by default (IIS is
a good example of this type of approach).
- Damn scripting and hellish macros; all installed, all enabled by default!?
After all these years, I still haven't come across a single user or a
company that needs or knows what to do with macros, and yet all systems
with M$ products come with "both guns blazin'" - ready to run anything
thrown at them.
- Damn COM (ActiveX)!!! Install any M$ application - you'll end up with
tons of components "visible" and "runnable" from anything you have on
your system. If that "anything" happens to be a worm, all the better?!
- Disabling viewing of file name extensions by default???!
Not that I believe that for most people file extensions carry much
meaning, but still - why diminish Joe Sixpack's already slim
chances of not executing ILoveYou.vbs?
- No way for a system administrator to define and enforce a list of programs
(processes) that can be run (allowed to execute) on networked systems.
Anything not on the admin-supplied list - must not and should not execute.
Period.
- No built-in mechanism for incredibly robust, amazingly reliable and
fully automated distribution of software patches. Such a mechanism _must
come_ with robust and reliable "undo", must come as a part of the OS, must be
bullet proof, rock solid and totally FREE (not requiring a penny to have
it/run it).
- No tools yet for _reliable_ and 100% accurate scanning/checking of
networked systems for missing patches and/or known vulnerabilities
(MBSA and hfnetchk both are _not_ complete or trustful solutions).
As long as M$ stubbornly refuses to acknowledge and/or address the listed
issues (pretty sure the "list" can be made better), "trustworthy"
computing is and will remain only a PR stunt...
Branimir
Hector Santos
Wildcat! Interactive Net Server
http://www.santronics.com
"Kent W. England [MVP]" <k...@mvps.org> wrote in message
news:#dhq#339BHA.1868@tkmsftngp04...
> It's actually a good sign. Microsoft developers are taking time off from
Why not?
A company the size of Microsoft, and a monopoly at that, may be forced
to do so because the "third party" today is the public. The burden is on the
consumer and the cost is high for both sides. A new "security/anti-virus"
industry now has a reason to live, including you, I believe, with your
excellent consolidated resource. It has reached a point where it is a natural
belief that software/product development is inherently flawed with security
issues. I'm sure, like you, we deal with enough neophytes that TRULY
believe that a computer virus is a carbon-based entity that perpetuates on
its own. It is almost at a point where I believe them and your only
choice is to accept what is. <g>
Nonetheless, I know people don't like to hear this, but in my view, this
will all end up in court. All it will take is hurting the wrong set of
people with deep pockets or a new inspiring Software Lawyer maverick who
wishes to make a name for himself (it wouldn't be hard to prove malpractice
and neglect).
Hence why, IMO, Microsoft will probably end up contracting "third-party"
teams to inspect their systems. I would not be surprised (and would be
scratching my head if they were not) if they contracted eEye to inspect
their software.
In my view, it is in Microsoft's best interest to get external "certified
security" inspectors. There might be some legal issues to hammer out, but I
think it is inevitable. I can see the "Security Certified" logo on the
box!
> We'll see. There do appear to be some internal procedural changes at
> Microsoft. Code ownership is a major improvement (they'll know the name of
> the person who wrote any particular line of code). Now if they'll just fix
> their organizational chart. At a minimum, it would be nice to see a VP for
> Security with a lot of scheduling power and personnel. It's an issue of
> national security -- and world security -- and rates that kind of attention.
Maybe Tom Ridge needs to be made more aware that "Microsoft Terrorism" is
real. <g>
> (But let's keep the government out of it. They can't even find the person
> who used an unusual weapon like anthrax.)
I disagree. As a monopoly, we need the government "watchdog" to be there.
MS can not be excluded from anti-trust laws. I am not sure if Microsoft
hurts you, but they do hurt many companies, including us. It happens and
rest assured it isn't funny when you have to swallow it.
Have you ever considered that maybe Microsoft has too many on their plate?
OS plus Applications?
One would think that someone would at least be looking at them, incognito.
But I agree, it should be a no-brainer.
> How about roll-up patches issued with .msi files, on a far more regular
> schedule, for easy group-policy driven deployment? How about putting some
> serious effort into network hotfix deployment, instead of talking about
> Corporate Windows Update (when will that happen?) How about not pulling SP7
> for NT4 because "there's no demand for it". Except now the list of NT's
> post-sp6a patches gets longer and longer until we all get so annoyed we
> upgrade to W2k. Surely the lack of SP7 for NT4 shows the sales&marketing
> team at work, not the "trustworthy computing" team?
Good point.
> Not quite right, but close: as far as MS is concerned, there's *NO* money to
> be made in it.
So it then all ends up in how much they can lose, unfortunately.
Because I value my privacy. Don't you value yours?
> Have you ever considered that maybe Microsoft has too many on their
> plate? OS plus Applications?
Of course I have. I've decided that it's a silly question that is not worth
further consideration, except that I'm going to keep a close eye on the
people who think that way. They might come after /me/ next.
And what does that have to do with the price of rice in China?
> > Have you ever considered that maybe Microsoft has too many on their
> > plate? OS plus Applications?
>
> Of course I have. I've decided that it's a silly question that is not
worth
> further consideration, except that I'm going to keep a close eye on the
> people who think that way. They might come after /me/ next.
I suggest to keep both eyes open. I'm sure the silly people will definitely
go after you.
We bring in 3rd party groups to evaluate and audit our systems and
software. This level of independent scrutiny helps to reduce the risk
of intentional and accidental exposure of our systems and data.
Confidentiality agreements with the auditors keep our proprietary
information safe.
--
Reply to the newsgroup.
That is a good practice. We also contract for testing and evaluation. But
those are contracts which we negotiate (well, they're pretty much standard
by now, so there's not much actual negotiation anymore). But if what Mr.
Santos had in mind was less voluntary, then I would have to disagree
strongly. While I believe that there certainly are national security
implications for such widely distributed operating systems as Windows, Unix,
Linux, et al, and that the government should carefully choose the OS's it
employs as well as monitor security breaches for public safety (that is why
we have government), I do not believe that having a government inspector
peeking over my shoulder as I (or anyone) punch keys or restricting the
software I (or anyone) can publish is a good thing.
If what Brian Valentine says is true
(http://computerworld.com/securitytopics/security/story/0,10801,70905,00.html)
and Microsoft's testing program is as rigorous as it sounds (and should have
been for many years), then third-party "evaluation" and approval would not
be necessary (they can afford to hire a full time staff for the task -- I
can't). Right now, I'm willing to wait to see what .NET Server brings.
David. I had exactly in mind what is known to have been done in many large
corporations. I cited nothing new. Microsoft is the one we were
questioning. Like I said, I would not be surprised if eEYE is under contract
and I would be scratching my head if they were not. After all, eEYE made a
big stink when they didn't get recognized for their efforts with their
codered "invention."
But sure, I wouldn't want any john, dick or sally to come into my shop nor
would I probably accept a government entity. However, I would not object to
a federal certification program. We are kinda going thru this now with
HIPAA requirements.
Also I think Microsoft should probably extend its logo certification to
include security. For example, they might want to subsidize eEYE to do
security certification on 3rd party applications.
> If what Brian Valentine says is true
> (http://computerworld.com/securitytopics/security/story/0,10801,70905,00.html)
> and Microsoft's testing program is as rigorous as it sounds (and should have
> been for many years), then third-party "evaluation" and approval would not
> be necessary (they can afford to hire a full time staff for the task -- I
> can't). Right now, I'm willing to wait to see what .NET Server brings.
Fat and Cholesterol <g>
I agree. It sounds like Microsoft Q&A is for real. It is only going to
improve things. They also need to address/increase 3rd party test suites as
well. i.e, they need to stop BOPS (breaking other people's software).
Well Kent's point might be valid, if only MS developers had actually
discovered MS02-022. They didn't, eEye did.
James
http://groups.google.ca/groups?dq=&hl=en&selm=b11d1191.0205100949.7c393a80%40posting.google.com
Posted my response - only never to see the post. Tried and failed multiple
times both on "msnews.microsof.com" and on "psnews.msn.com" where the
newsgroup "microsoft.public.security" is hosted, while at the same time
other - not as critically oriented people posted with a success to the
"thread of my dreams"...
During the very same period - successfully posted a silly answer to even
sillier question on VBS ("microsoft.public.scripting.vbscript") newsgroup,
hosted on very same hosts as "security" newsgroup. Post was visible
on both hosts within minutes. "Go figure", or "just wow" - that is the
question now. Am I proposing yet another conspiracy theory worthy-of
"X Files"? You be the judge...
Yours truly,
Mox Folder
True, true, true. I was referring to his last sentence. I mean,
theoretically, he is correct <g>
I wonder if eEye is under a contract.
I particularly liked the administrator control list of applications that
can run. Or at least, Microsoft should make it very easy to identify
applications that are running. How many times does one pop up the task list
and question "What is that program running?" I think Microsoft should have
a way to:
- display the program's full path, with date/time
- show if it is part of an installed program, and/or sub-system
- and more importantly, show if it is a Microsoft program
Hector Santos
Wildcat! Interactive Net Server
http://www.santronics.com
"Branimir Petrovic" <The...@NOSPAM.net> wrote in message
news:#w6vIJc#BHA.1680@tkmsftngp04...
I am speculating that "filtering" has to do with political sensitivity
of the subject, and "sensitivity" is so sensitive mostly due to "price
tag" that otherwise would have been attached should M$ try to fix
some (any?) of most basic complaints from "the list".
Looks like M$ prefers to leave impression of doing something fundamental
for security, while in reality the only fundamental thing they really
care about is holding on to and enlarging that obese pile of billions of
$$$ they've amassed over the years of selling .* stuff they've been selling...
(I won't say the word, but feel free to insert some of your choice;)
Branimir (alias Mox Folder)