Posted on 09/11/2002 1:40:24 PM PDT by HAL9000
Windows XP contains massive security hole
Install the Service Pack and, shush, don't tell anyone...
MICROSOFT'S RUSH to get Windows XP SP1 out and about may have been motivated by a desire to hide a vulnerability afflicting the operating system (cough) that allows hackers to delete files from a computer accessing a tweaked web page.
According to this Spanish-language site, a Googled translation of which is here, "a defect in Windows XP allows that anyone can erase archives of our computer if click becomes on a connection maliciously constructed, as much when visiting a malignant Web site, like a receiving a message with format HTML". Sorry about the language, but you get the picture.
A reader writes a little more clearly that this vulnerability allows the files contained in any specified directory on your system to be deleted if you click on a specially-formed URL. He points to Gibson Research here, where they warn, "This URL could appear anywhere: sent in malicious eMail, in a chat room, in a newsgroup posting, on a malicious web page, or even executed when your computer merely visits a malicious web page. It is likely to be widely exploited soon."
This is a critical vulnerability and one Microsoft has done its best to keep secret, it seems.
Another reader tells us he saw a report on TechTV, the background to which they give here where they state that Microsoft has known about the flaw for some 11 weeks but kept the lid on it because it is so easy to exploit.
Microsoft urges Windows XP users to download the Service Pack and install it as quickly as possible. You can find that here. It's a large file, though, and CD versions are only available in the US and Canada at the moment, according to Microsoft.
The advice from various sources for users unable to install the Service Pack is to find and rename the affected file uplddrvinfo.htm.
Charlotte is saying that the OS should provide ONLY a hardware interface, and TopQuark is saying that would cost millions, since they'd have to strip out all the applications MS currently piles on top.
In estimating costs, you are production-oriented and think only of what it would take to produce something, in this case a piece of code. This is a small portion of the cost, probably the smallest. When computing the price, one has to divide the total cost + profit target by the customer base. What I said was that, the more specialized preferences are --- Charlotte's or someone else's --- the smaller the customer base and the higher the price.
Question: What are "the applications MS currently piles on top"?
Question: What are "the applications MS currently piles on top"?
OK. I can live with your answer. I'm not sure I'd agree with it, but I understand your point of view.
The applications are virtually everything--IE, Windows Explorer, Disk defragmenter, calculator, the GUI itself, every program in the "programs" folder when you click the start button. Essentially, the applications that make it user-friendly. Those are applications--not OS.
To be fair, just about every "OS" piles applications on top of their product. But they are still applications. And they are still disparate from the OS itself.
Do you know what fsck means? Hint: it isn't an alternative way of writing any profanity.
DOMINATE HAIR: I see that the engines produced by MegaMotor have another earth shattering flaw! The MMXP will spontaneously combust when you put your key in the ignition!
BOOPSIE: That wouldn't happen if you used a truck diesel engine. I use 12 different brands of diesels, all of which were free with three boxtops from PenguinClusters cereal.
SHRUB2000: That's untrue Dominate! MM products are as pristine as the driven snow and are sure to solve the mid-east crisis any day now. The CEO, Bill Windows is my hero.
GENERAL-LY: Yeah, that's what my talking points script says too.
PAL2001: I've been driving Banana cars using proprietary Banana engines since 1901, and I've never had one spontaneously combust. MM is run by Satan and is a monopoly; the courts said so. They are trying to corner the asphalt industry by using their influence with all the car manufacturers that are forced to use their engines.
SHRUB2000: That MM trial was a commie kangaroo court. All those smoking asphalt guns mean nothing. It was only about sex.
GENERAL-LY: Yeah, so there. Besides, Banana cars are only driven by faggots from Berzerkly. And they cost four million dollars apiece. You can get a MM car from Smell for 29 dollars and a cup of coffee.
DOMINATE HAIR: Untrue, Bananas cost only $5000 these days. And they come fully equipped with a diesel powered electric hybrid engine and leather seats. Smell cars have no seatbelts or brakes.
RDB482: $5000! I hand built my MM car from pocket lint and tin foil. I also have an onboard diesel in the trunk, for when the MM seizes up. I've never had an implosion or a fire burst. I only spend 92 hours a week tweaking it. This week I'm installing the nitrous oxide boosters.
DOMINATE HAIR: Geek!
SHRUB2000: Fanatic!
RDB482: Corporate stooge!
IF: bored THEN: exit
RETURN: top of thread
Just try think of these threads as a really elaborate dance, with all the moves and formalities familiar to all the players. Actually, that analogy works pretty well for a lot of threads around here - the drug threads, the evolution threads, the "moderators suck" threads, the fundraising threads...
Hmmmm - there's a thesis in there somewhere ;)
All characters in this thread reply are fictional. Characters may or may not represent a fictional conglomeration of actual persons or events. Any resemblance to any actual posters is unintentional. Your mileage may vary. No animals were harmed in the writing of this post. ;)
Your point about Office macros is well taken--I have made similar points myself. Too many organizations that I have worked with in the past had someone in 1993 who could format a Word document with bold and italics, so therefore, "he's an expert, make him the CIO." But, deadlock avoidance is not writing a compiler, either. So where on the spectrum do you believe one does become qualified to criticize?
In fact, I believe that MS not only is not hurt by ignorance, I believe it thrives on it. Access is a case in point. Of the products out there, what possible reason for a real, large, complicated application would one choose that product?
I totally agree about the aggregation of talent at MS. It has to be fantastic. That is what is so perplexing to me. How can so much talent produce such mediocre (I know that term assumes an arguable point--I am talking of my perception) products? What products has MS produced that are not imitative, other than maybe NT and Excel for the Mac in the 1980's? I confess that I do not know (now THAT's a first for any poster on FR). Is it market exigencies? Surely to a degree. Only that could explain the release of Word97 with 7,500 known bugs. It would sound preposterous of me to say that the fundamental mindset at MS is flawed. But I have to also reject the syllogism that since MS has great programmers, the products are all great. Therefore, where IS the problem?
Since we cannot write a compiler, I don't know if we are qualified, in your mind, to judge the OS. However, since we WERE qualified to earn the money to purchase it, we are qualified to spend it as we see fit. And, as you know, the disastrous sales of XP, no matter how it is spun, have shown that MS will grow or die on the judgement of millions who CANNOT write the compiler or know anything about deadlocks.
I gave you an analogy with a car. You earned the money to buy it and, when someone misrepresented its abilities to you, you should be upset with that seller. It is an altogether different thing to acquire out of ignorance an opinion that a better car was possible and was not given to you. If the premise is correct, one has the right to be angry with the manufacturer. But one has to make sure that it is, and most of those "angry" with MS do not. As I said earlier, most express the lack of basic knowledge and act, simply, like spoiled, self-centered brats that are offended at the mommy for buying them a less than perfect toy.
Can someone rightfully claim that the manufacturer is at fault, that the quality of the car is indeed unjustifiably poor? Of course. The key is "unjustifiably:" one has to (i) know enough about the state of the art, and (ii) then claim that the manufacturer has not delivered on feasible state of the art. One lacks such sophistication if one merely drives the car. This is where my references to compiler construction come from: most programmers, as I said, know nothing of computer science, much like most who drive cars know nothing of elementary physics and engineering. And, in order to ascertain that MS did not deliver one has to be a computer engineer and/or business manager. My original remarks were exactly that: anyone who studies software engineering would know about the impossibility of debugging a code of any reasonable size.
People do with MS what they do with their own managers: just by observing their bosses they conclude they know management. They can b--ch ad infinitum about all the shortfalls: they (the management) should have done this or that; "it was clear to me from the start that this was doomed to failure, but our stupid managers didn't even know..."
Well, lighting the cooking gas in the kitchen does not make you a chemical engineer: you want to form engineering opinions, study engineering. Similarly here: you want to know about product development and pricing, study marketing (which most people confuse with either advertising or sales). After just one course people like Charlotte on this thread would not make silly claims about too heavy user interfaces of Windows: the question is, who is the user? The composition and distribution of Windows is not a programming issue -- it is a managerial one. And, the reason corporations buy Windows is not how it is programmed either. Again, a reasonable introductory course in management would show that very quickly.
That is about it. To give you a courtesy of reply to specific points:
if someone doesn't know how to write a compiler (I couldn't), he cannot evaluate an operating system. HE can evaluate whether that system suits his needs. He is unable, indeed, to judge whether a better one could be produced. One needs education for that.
But, deadlock avoidance is not writing a compiler, either. So where on the spectrum do you believe one does become qualified to criticize? I was not making a list of necessities: I was giving examples of what one acquires from education rather than practice. One does not learn deadlock avoidance/prevention, re-entrance of code, compiler construction, balanced binary trees, and memory clean up by writing software for clients: the time for that has passed long ago. If one does know these things, he or she has acquired them by education (after which one could also write such programs at MS or Oracle).
Of the products out there, what possible reason for a real, large, complicated application would one choose that product? There are five or six features that (i) are common to professional buying and (ii) differentiate it from non-professional consumer buying. Here, too, people routinely project their own, consumer experience onto corporate and other organizations. Consult a marketing text for details.
Is it market exigencies? Surely to a degree. This goes back to corporate buying, which is the main market for MS.
Only that could explain the release of Word97 with 7,500 known bugs. I do what I preach: not knowing the managerial details of that project, I do not even have an opinion on the matter. It is quite likely, given the experience with other products, that this was indeed a blunder. But, again, I do not know: all I could see were the programming mistakes; I did not and do not know what timing constraints the project managers had at the time.
But I have to also reject the syllogism that since MS has great programmers, the products are all great. Again, it is you who speaks of programmers: I spoke of talent in general. What makes MS great is not so much the programming talent but the fact that they managed to combine it with great managerial talent as well. This is where I am pushing your thinking: even subconsciously, you view everything from the standpoint of programming. Yet most of the issues you raised are not: they have to do with management and organizational behavior.
Therefore, where IS the problem? Which problem?
I do not think they have a problem. It is the consumers that grew to take MS products for granted that have a problem. It is our country that has raised a couple of generations of whining, self-centered brats that had it good for a long, long time --- that is who may have a problem. MS is doing fine, the last time I checked on it.
MS will grow or die on the judgment of millions who CANNOT write the compiler or know anything about deadlocks. Look, you can stop patronizing a particular restaurant, and it will go bankrupt, I agree. It is your money, and you can say that you were displeased with the quality of food or ambiance. As you are causing the demise of that restaurant, you should not make judgments about the restaurant's managers, unless you know both management in general and the specific circumstance in particular. To put it simply, as you leave the restaurant, say that you did not like it and that it did not suit your needs; but unless you have reasonable expertise in this area, do not say that the restaurant itself did not make any sense as a product/venture.
I have tried to show you, respectfully, that you and I impute different meanings to the words here. Most of the words and opinions you raise have managerial aspects to them. I have no reason to disrespect your programming or business acumen, but if you want to claim managerial blunders on the part of MS, then please speak from that standpoint.
I enjoyed our conversation, but will not be able to contribute to it more than I already did. Thanks for writing,
TQ.
There's so many of these MS issues -- over 50 this year alone -- that there's no point in posting a new thread on each one.
So I'm just adding them here, for anyone interested:
To prove that no security bug is truly harmless, a security group has stitched together two minor flaws in Microsoft's Internet Explorer 6.0 browser with a small glitch in Windows Media Player to create one seriously powerful attack.
By coaxing IE users to view a Web page containing the special code, an attacker can silently force Windows 98, Windows 2000, or Windows XP users to run a malicious program of the attacker's choice.
Using a rarely used feature called 'message fragmentation and re-assembly' (MFR), an attacker can send emails that will "bypass most SMTP filtering engines", Beyond Security reports.
This MFR feature, which allows Internet users to split up sent messages, helping surfers with slow connections to send smaller segments of a larger email in multiple emails, is supported by Internet standards (RFC 2046) but easily enabled on only one client - Outlook Express.
On Outlook Express the re-assembly feature is enabled by default, while the fragmentation feature can be enabled from a drop down menu.
This is a horribly nasty and childishly easy exploit and Microsoft can't patch it a moment too soon. The fact that the feature exists at all is ample illustration that Microsoft places usability (users don't want to click on dialogue boxes) over security.
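The message/partial (MFR) bypass described in the post above, as an added example that is not code from the thread, from Beyond Security, or from Microsoft: a Python 3 filter-side check that holds RFC 2046 fragments until every numbered part has arrived and scans the reassembled message, because a lone fragment shows a per-message attachment check nothing it can act on. The two fragments and the BLOCKED_EXT policy list are constructed assumptions.

```python
"""RFC 2046 message/partial handling for a mail filter (the MFR bypass above).
Added example, not from the thread; fragments and BLOCKED_EXT are constructed."""
from email import message_from_string
from email.parser import HeaderParser

BLOCKED_EXT = (".exe", ".scr", ".pif", ".vbs")  # assumption: local policy

FRAG1 = """\
From: someone@example.test
Content-Type: message/partial; id="frag-001@example.test"; number=1; total=2

Content-Type: application/octet-stream; name="report.exe"
Content-Disposition: attachment; filename="report.exe"
Content-Transfer-Encoding: base64

"""
FRAG2 = """\
From: someone@example.test
Content-Type: message/partial; id="frag-001@example.test"; number=2

c2FtcGxlIGRhdGE=
"""

def parse_outer(raw):
    """Headers only: body stays a string instead of being re-read as a nested message."""
    return HeaderParser().parsestr(raw)

def is_partial(msg):
    return msg.get_content_type() == "message/partial"

def blocked_attachment(msg):
    """Per-message check; on a lone fragment it sees no attachment at all."""
    return any((p.get_filename() or "").lower().endswith(BLOCKED_EXT) for p in msg.walk())

class Reassembler:
    """Hold fragments by id; return the inner message only once all parts are in."""
    def __init__(self):
        self._parts = {}   # id -> {number: body text}
        self._total = {}   # id -> declared total
    def add(self, raw):
        msg = parse_outer(raw)
        if not is_partial(msg):
            return message_from_string(raw)
        frag_id, number = msg.get_param("id"), int(msg.get_param("number"))
        parts = self._parts.setdefault(frag_id, {})
        parts[number] = msg.get_payload()
        if msg.get_param("total"):  # RFC 2046: required only on the last part
            self._total[frag_id] = int(msg.get_param("total"))
        expected = self._total.get(frag_id)
        if expected is None or any(i not in parts for i in range(1, expected + 1)):
            return None  # incomplete: hold it, never deliver a bare fragment
        body = "".join(parts[i] for i in range(1, expected + 1))
        del self._parts[frag_id], self._total[frag_id]
        return message_from_string(body)  # headers and content now scan together
```

Run against the two constructed fragments, each fragment alone passes the per-message check, while the reassembled message is caught by the same check.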
Has anyone done this? Is there any impact elsewhere on the system or browser. XP is the best MS system I've used, and I don't want to screw it up with a "patch".
Microsoft Word flaw may allow file theft
I find it very interesting that Microsoft is only going to fix Office 2000 and Office XP.
The millions of users still using Office 97 are screwed. The only fix for those people is to send a check to Redmond.
Let's see:
"Yo. You gotta problem. Either you pay us or your business might be broken into and your stuff stolen.
is different from:
"Security Problem! Either you pay us or your business might be broken into and your stuff stolen."
how?
I love the tech industry. Where else can you commit extortion right out in the open and people will fall all over themselves to point out that it's all the victim's fault?
That was the 3rd one on my list, by the by.
Yes, what a way to force an upgrade.
My mother bought a cedar chest back in the '60s, and still has it today. About 2 years ago, that company issued a recall on the chests because the *lock* sometimes jammed. She took it to a local place, and they replaced the lock.
Thank god MS doesn't have to stand behind their products like that . . . it could destroy their company/the entire computer industry/our entire economy/the entire universe as we know it!
MS is the 'McDonalds' of software. It's good enough, when your needs are few and simple, altho there are better flavors out there.
Altho I've never heard of professional caterers offering only McDonalds to its clients . . . or anyone argue that since McDonalds sells the most burgers, that makes them the best restaurant in America.