Comments on: Microsoft to patch zero-day DNS flaw

Seven security bulletins planned for release on Patch Tuesday, including "critical" fixes for Windows, Office, Exchange and BizTalk.

[n3td3v]

very little if any

"very little if any action"

what does this mean joris evers? more details please. poor story effort and research or you just decided not to be more specific.

[fred dunn]

Specifics, Critical = Wormable (sometimes)

His quote "very little if any action" is by the user, not the hacker.
If you have an issue that results in a buffer, heap, stack, etc overflow then you can craft a hack to overflow the memory region and gain access to the system pointer, at which time you can point to your own code and execute it without the end-user's consent and/or knowledge.

Sometimes things are inherently explained unless you don't have the skillset to understand them.
since you don't seem to understand IT security I recommend you start with a book called:
"Inside Internet Security / What Hackers don't want you to know" by Crume and published by Addison-Wesley.
You're either a newbie or an antagonist, either way you could have emailed him with this if you were serious.

[bobbydi]

Same old bull

Always the same line to gain an download into somebody's pc, which usually results in more trouble for the consumer. Like the old story about the boy who cried wolf too many times- now the real wolf is Microsoft.

[MacHeads]

I love Microsoft.

Well another day another major flaw in Microsoft's OS ... well i
cant say that out loud too much ,but i am starting to encourage
people that cant or wont buy a mac to look into Ubuntu ... The
flaws inside Microsoft's code are getting too much to bear for
some users that just want a computer to read emails , browse
the internet with a reasonable level of safety , what Microsoft
promised to deliver for years and certainly cant because they
dont want to reconsider the vailidity of the LEGACY code they
will probably carry for the next 10 years ... Apple delivers
systems to a public that are solid with a little know how .
Microsoft while only delivering software delivers headaches to
no end to their end users ... Time for people to call the OS what
it is.

[WillyWiggler]

OSX has more vulnerabilities than XP

According to a simple query against the National Vulnerability Database, Windows XP has 252 reported vulnerabilities, while Mac OSX has 343 reported vulnerabilities.

This means Windows XP has 27% less vulnerabilities than Mac OSX. This is verifiable information. You can look it up yourself: http://nvd.nist.gov/nvd.cfm?advancedsearch

Given this, why is it that whenever Microsoft announces they are releasing patches, a bunch of on cnet people start these anti-microsoft rants? I really don't understand this at all.

[MacHeads]

Vulnérabilties are not Exploits

I have looked up your databases and while many of the
problems reported there are corrected AND most of them are
3rd party as well if you look closely. True mac os X server takes
some configuring to get right . Out of the box you have some
corrections to make. A lot of the vulnerabilities listed here point
to ActiveX and Microsoft Office ... Weird you can turn active X off
you know in Office for mac. I see as well listing holds loads of
stuff on RPC no one in their right minds would use ... to be
precise it is not only deactivated by default in Mac os X but it is
highly recommanded to avoid installing it at all unless you need
to be compatible with a standard even SUN dropped the use of .
Everyone in their right minds turns off SSH except when
connecting to hosts you can trust.

You can isolate your admins from SU capabilities if you wish , all
it takes is modifying the sudoers files in /etc this is just a
misconfiguration.

Most of the attacks mentionned in the database require at least
local user or admin accounts , most of what is listed for windows
Xp does not even require such privileges , just a internet
connection.

Not to mention vulnerability database mentions vulns dating
back to 10.3 and earlier. The problem with your query was as
you mentionned it simple , not expansive. Some of what is listed
here dates back to 10.0.3. Side note there are many more
exploits in the wild for windows than there would be for mac os
X market share argument not being valid since mac os X is the
hacker's holy grail.

But i have to give you the database is a good example of how
improperly configured services can lead to vulnerabilities.

[chrisw63]

Buzz word overload? or exploitation?

It seems to me the term 'zero-day' is being a bit over used, perhaps from ignorance, but I believe its more trying to draw eyes to the story. In other words, phrase exploitation.

The definition of 'zero-day' doesn't seem to apply to the DNS flaw in the story. Vista has been out for months now, and I seriously doubt any revamp was done to the DNS system anyway. Zero-day flaws typically have to be leaked by the developers, or a beta tester, before official release to be called 'Zero-day'. Whoever started this just wants attention.