December 22, 2001
12:40 PM   Subscribe

LINUXLINUXLINUXLINUX
LINUXLINUXLINUXLINUX
LINUXLINUXLINUXLINUX
LINUXLINUXLINUXLINUX


Other than the horrible grammar in that article's title, one thing tickled my neurones: does that 'flaw' have anything to do with the wonderful 'feature' that allows Microsoft employees to remotely take control of your computer to help you deal with problems ? ...Thus, wasn't such a 'flaw' predictable, given the hack-prone nature of the 'feature' ?
posted by michel v at 1:18 PM on December 22, 2001

Is Metafilter now Slashdot?
posted by owillis at 1:22 PM on December 22, 2001

owillis, good call... hence my little AnonymousCoward-style LINUX flooding ;)
posted by michel v at 1:35 PM on December 22, 2001

michaelv - this problem was related to this universal plug and play thing they're pushing, where systems can discover other devices on a network automatically; unsurprisingly, there was a buffer overflow. Interestingly, eEye noted that they have a second paper which discusses general problems with UPNP, so I wouldn't expect this to be the last problem we hear about.

The effect sounds like the problem WinME had where it could automatically install a printer found on the network, which meant you could package your favorite trojan as a printer driver and it'd be installed shortly after you put a system on the network. Unfortunately, given the way the industry hasn't learned from a few decades of bad experiences with buffer overflows, I'd be amazed if the more complex issues we're just starting to see with services using mobile code don't produce some epic disasters - half the companies involved don't seem to understand why sandboxing isn't an optional feature.
posted by adamsc at 2:06 PM on December 22, 2001

Meh.
posted by holloway at 5:10 PM on December 22, 2001

My Macs and Linux boxes never have these problems...who is this company "Microsoft?" and why would any consumer use their products if they are so flawed and dangerous to use? Aren't there laws against this type of stuff?
posted by ayukna at 6:00 PM on December 22, 2001

OSXOSXOSXOSX

I really want a Mac...
posted by tomorama at 6:13 PM on December 22, 2001

Microsoft bashing on the internet just kills me. If it were not for Microsoft 85% of the people online wouldn't be here at all. Or even be computing.

If Linux or Apple had anywhere near as many users as Microsoft all the talk would all be reversed. Everyone would be lamenting the security holes in OSX or RedHat.

The real focus shouldn't be on saying 'Look another hole. Microsoft sucks'. It should be on examining security issues and responses.

Microsoft should get criticism for how it responds to security and virus problem. That criticism might lead them to respond better in future (maybe). No amount of criticism can possibly lead anyone to produce a perfectly secure system (one that can do anything that is- my VCR is immune to network attacks)

Vulnerabilities exist in all Operating Systems and if you think using Linux or OSX makes you immune you are kidding yourself. That's just security through being a minority.
posted by srboisvert at 6:45 PM on December 22, 2001

1. i love microsoft.
2. universal plug and play is an option. using advanced set-up you can opt out of installing it.
3. remote assistance can be turned off
start, control panel, system, remote, uncheck "allow remote assistance", apply. Fixed
posted by sadie01221975 at 6:50 PM on December 22, 2001

If it were not for Microsoft 85% of the people online wouldn't be here at all. Or even be computing.

And that's why we hate them.
posted by krisjohn at 7:15 PM on December 22, 2001

Actually, a bug in system V UNIX systems that permits a hostile user to get root privileges was announced Dec. 13th.

The attitude that security can be had simply by abandoning Microsoft operating systems is seriously delusional. All operating systems have bugs that permit a hostile party to take full control over your computer. The question is, who will find him first?
posted by KirkJobSluder at 7:50 PM on December 22, 2001

duh? of course all OS's are vunerable...but- the argument that one is more proned to attack because it is more dominant in a marketplace (due to illegal means) is completely moot. MS puts out a terrible product and has no motivation to improve their products because of their monopolastic tactics. This isn't MS bashing- it is pointing out an evil empire and the damage it knowingly does to unwitting consumers- consumers are not as tech savvy as "sadie01221975"- they don't know how to even turn off Javascript in their browsers...nor should that have to- their products should simply do as they are promised- just like a a simple pen or pencil- a consumer just wants it to work- and most don't care what brand their pencil is (MS, Apple, RedHat, whatever...)
The claim that most folks wouldn't be online if it wasn't for MS is bunk as well...it would certainly weed out a lot of bloat on the web in a very Darwinian way- but that was an admitted MS attack...anyway, it would be another company that we geeks would be bitching about, all the while, only contributing to wool being pulled over the collective consumers' eye pieces...wake up people and realize what is going on here- it is the screwing of the masses to make a small few all the richer...

the IT industry needs to look at it like a consumer- don't continue to use a company's product if it is flawed and not cost effective- especially if the company in question repeatedly exhibits a total lack of caring with each release of it's product- this should be a no-brainer....it is for me...
posted by ayukna at 8:26 PM on December 22, 2001

The effect sounds like the problem WinME had where it could automatically install a printer found on the network
Universal Plug and Play sux on ME, which i have now. i'm on a printer-network at my house, and i get all kind of pissy universal plug and play errors that like to crash my laptop which i never got back at college from using my one printer.
posted by jmd82 at 8:58 PM on December 22, 2001

2. universal plug and play is an option. using advanced set-up you can opt out of installing it.

3. remote assistance can be turned off

This is exactly the problem. Regardless of whether "most" people use Windows, it can be argued that "most" people using XP do not have the level of expertise (or even comfort) to be tweaking these options.

The bottom line is that "most" users will use Microsoft's default system configurations as handed down from Zion, no matter what they are, and if these defaults are dangerous then MS is responsible for that danger.

posted by dsandl at 9:01 PM on December 22, 2001

If it were not for Microsoft 85% of the people online wouldn't be here at all. Or even be computing.

Feh, that is absolute bullshit and a meritless argument for why we should tolerate Windows' security being so lax.

Microsoft played absolutely no part in the development of the computer, founding of the Internet, or the creation of the World Wide Web. If Microsoft hadn't produced Windows, any number of other companies would have produced a similarly viable product. In fact, many did and were summarily driven to (the brink of|utter) exctinction due, in part, to Microsoft's anti-competative practices. Microsoft didn't develop the first Web browser (or even the first popular Web browser.)

From their purchase of 86-DOS in 1980 to their purchase of Mosaic in the early 1990's to every product and company they've acquired along the way, Microsoft has been standing on the shoulders of others for much of their so-called "innovation". Yes, they have contributed to the world of computing and to the Internet (often in destructive ways), but to claim that it wouldn't have happened without them is patently absurd.
posted by Danelope at 9:21 PM on December 22, 2001

The attitude that security can be had simply by abandoning Microsoft operating systems is seriously delusional. All operating systems have bugs that permit a hostile party to take full control over your computer. The question is, who will find him first?

So, as bugs will happen, what type of response do think's best?
posted by holloway at 10:02 PM on December 22, 2001

MetaSlash
or
DotFilter?

As 'taking a slash' is slang for #2 in some parts of the world, I'm going for the first one. Poo jokes are always funny.

Carry on.
posted by stavrosthewonderchicken at 10:15 PM on December 22, 2001

Hmm, I've always understood "taking a slash" to mean a #1...
posted by esquilax at 5:44 AM on December 23, 2001

The bottom line is that "most" users will use Microsoft's default system configurations as handed down from Zion, no matter what they are, and if these defaults are dangerous then MS is responsible for that danger.

This is my irritation with the entire issue. From my memory, every major commercial version of Linux has shipped with major security holes enabled by default. If the average Joe user can't be expected to run Windows update or visit to Windows update web site once a month for an installation process that takes a total three mouse clicks why should I expect Joe user to manually edit multiple configuration files and compile a new kernel or glibc every time a new vulnerability is discovered?

It always amazes me how geeks simply cannot tolerate legitimate criticism of their pet objects of worship. The fact that just about every operating system contains major security holes out of the box was treated as a gospel when I was trained as a system administrator. The first thing you did when installing a system was download dozens of patches that had been published, and the second thing you did make sure that you were informed of new security updates as they were published.

Now certainly, I am a big admirer of Linux. I am working on building a secondary computer that will probably run Linux. I ran Linux exclusively for about four years. And for many applications I consider Linux to be superior to most versions of Windows (I am still evaluating Windows 2000 and XP). But I think the Linux community has a big problem when it oversells their product beyond its capabilities. For the Linux community to criticize Microsoft's security bugs while ignoring the gaping holes that commercial Linux distributions shipped on CDs is hypocritical in the extreme.
posted by KirkJobSluder at 9:08 AM on December 23, 2001

So now the FBI is handing out tech advise? Talk about overstepping your "strengths..."

Of course, this line from the end of the article raises my blood pressure:

"Microsoft also said it would not send e-mail reminders to XP customers detailing the importance of downloading the fix."

Gee, thanks Microsoft! As if we needed further proof that there is absolutely no benefits to users to follow your absurd forced authorization process!!!
posted by kasnj at 1:40 PM on December 23, 2001

I've actually defended Microsoft for a long time, now. Personally, I like their products, the ease of use, the wide variety of software that you can find for their platforms in any number of different areas, and so on. I was actually very hopeful that Win XP was going to be the secure OS that they were touting it to be. But you know what? My 400 MHz pentium with its 640 MB of RAM is performing just fine, for now, but in the next year or two, when I finally do buy myself my next personal computer, I'm going to go with a Mac, instead of a WinPC. Microsoft just doesn't seem like they're ever going to really improve on this stuff.

I've tried 3 different versions of Linux, but it's just not an OS that I feel like messing with, yet. Maybe in another 5 years or so someone will turn out a usable build, but until that time, let me say hello to all my fellow Mac heads.

"Hi!"
posted by lizardboy at 2:14 PM on December 23, 2001

Supposedly a memo went around M$ last friday, announcing that they will be starting a line by line code review for security purposes. No more hot-fixes, no more buffer-overruns, and all programmers will be sent to security training. How effective this all will be remains to be seen....if OpenBSD can put out a default install without holes, surely M$ can, if they try...right?
posted by nomisxid at 7:55 AM on December 24, 2001

"if OpenBSD can put out a default install without holes, surely M$ can, if they try...right?"

Yes.

Microsoft is one of the most motivated organizations on the planet, and they have an incredible resource pool in both money and talented people.

Can it be perfect? No. Nothing is. But it can be better... and no doubt ti will be. heck, Xp is already as secure as Linux so an openBSD target isn't an unreasonable next goal.
posted by soulhuntre at 10:56 AM on December 24, 2001

soulhuntre, you make me happy.
posted by holloway at 2:37 PM on December 26, 2001