Report: Major Windows Security Update Foiled

ZDNet ^ | 1/28/05 | Robert Lemos

[1LongTimeLurker]

*

A Russian security company claims it found a way to beat a security measure in Microsoft's Windows XP Service Pack 2, a major update aimed at securing customers' PCs.

The SP2 measure, known as Data Execution Protection, is intended to prevent would-be attackers from inserting rogue code into a PC's memory and tricking Windows into running the program. However, in a paper published Friday, Moscow-based Positive Technologies said two minor mistakes in the implementation of the technology allow a knowledgeable programmer to sidestep the protection.

The company notified Microsoft of the problem Dec. 22, but it apparently decided not to wait for the software giant to patch the flaws.

Neither Microsoft nor Positive Technologies immediately responded to requests for comment Friday.

After several delays, Microsoft began rolling out SP2 in August of last year, at which time company Chairman Bill Gates called the update "a significant step in delivering on our goal to help customers make their PCs better isolated and more resilient in the face of increasingly sophisticated attacks."

[Honcho Bongs]

"Exactamundo! These "Flaws", presented as inadvertent, unintentional bugs, are really back doors that were purposely engineered into the software for the benefit of MS and other Entities to use in tracking clients usage. IMO they deserve to have their A$$es sued off."

Your response is worthy of a DU conspiracy theory. Your fears are fantasies.

[polymuser]

I read a while back that MS will 'push' SP2 updates this spring. Exactly what will 'push' entail? Unrefusable downloads?

[polymuser]

Seems I read a while back that MS will 'push' SP2 updates this spring. True? Exactly what will 'push' entail? Unrefusable downloads?

[ChildOfThe60s]

drt1 wrote:
Exactamundo! These "Flaws", presented as inadvertent, unintentional bugs, are really back doors that were purposely engineered into the software for the benefit of MS and other Entities to use in tracking clients usage. IMO they deserve to have their A$$es sued off.

1FASTGLOCK45 wrote:
* Bullseye, i think you hit the nail right on the head.

*Don't look for diabolical conspiracies when simple incompetence will explain quite nicely. Keep in mind that MS is a HUGE bureaucracy and thus has all the same lovely qualities that government bureaucracies have.

[Izzy Dunne]

I've never had a virus. I just update whenever there is one

That must be hard given that there are 50,000 or 60,000 of them for Windoze.

[drt1]

"Your response is worthy of a DU conspiracy theory. Your fears are fantasies."

Huh??

[steve86]

My next machine will be either Linux based or a Mac, I'm tired of all the patches ,updates and BS that comes with a MS product.

You, know, I am a happy Linux/Unix user going on 10 years now but the key is not the absence of patches. It is actually the frequency of small, incremental patches that keeps surprises away. No software is published without errors. It is not unusual that two or three small patches will come out every day for a few of the hundreds of components that make up Linux. With thousands of non-bureaucratic people, each with his/her own pride and interest in a free product they put their name on, it isn't surprising that the patches are frequent and the quality is high.

Because I am a former System Administrator I think these are neat and apply them almost every day. "Normal" people might apply them once a month or less frequently. Either way it is no big deal and simply a matter of clicking by the patches you want. I'm not sure I remember the last time I had a problem with one, although I think one did occur a couple of years ago.

Microsoft takes the wrong road, IMO, working for years on a single monolithic patch and then flooding the user community with it. The changes are too great and the real risks of incompatibility are high. It is considerably better to supply the frequent patches and allow the user community the choice when to install them.

[steve86]

I also wanted to mention that I finally installed a (free) virus checking package for Linux. As expected, it didn't find any viruses on the Linux side. But it did find one on the Windows partition that McAfee had missed!

[upchuck]

Do you ever get the feeling that Microsoft doesn't know as much about it's own system and code than these hackers do? If they do know as much as the Hackers they have a serious quality control and supervisory problem. If they don't as much they need to hire these people to help them in securing their obviously porous software.

Absolutely spot on!!

As someone who has done some serious software QC in the past, I maintain MicroSloth's QC dept is a complete joke. I often time wonder if they have one at all. Mistake after screwup after blunder after foulup after...

If everybody would quit using IE, Outlook and Outlook Express, 95% of these problems would be instantly solved.

[Poser]

" That must be hard given that there are 50,000 or 60,000 of them for Windoze."

It's easy and automatic. Windows works great. If you are numb enough to to click on a virus you deserve what you get.

[steve86]

bttt

[1LongTimeLurker]

If you are numb enough to to click on a virus you deserve what you get.

If it were only that simple, unfortunately viruses like Slammer & MSBlast self-replicated and attacked vulnerable machines directly without requiring a user to do anything themselves.

[Poser]

"If it were only that simple, unfortunately viruses like Slammer & MSBlast self-replicated and attacked vulnerable machines directly without requiring a user to do anything themselves."

If you are numb enough to not have a firewall, you deserve what you get.