January 28, 2005 4:50 PM PST
Report: Major Windows security update foiled
- Related Stories
-
Flaw finders go their own way
January 26, 2005 -
Trojan horse threatens latest Windows XP
December 29, 2004 -
After delays, Windows security update ready to go
August 6, 2004
The SP2 measure, known as Data Execution Protection, is intended to prevent would-be attackers from inserting rogue code into a PC's memory and tricking Windows into running the program. However, in a paper published Friday, Moscow-based Positive Technologies said two minor mistakes in the implementation of the technology allow a knowledgeable programmer to sidestep the protection.
The company notified Microsoft of the problem Dec. 22, but it apparently decided not to wait for the software giant to patch the flaws.
Neither Microsoft nor Positive Technologies immediately responded to requests for comment Friday.
After several delays, Microsoft began rolling out SP2 in August of last year, at which time company Chairman Bill Gates called the update "a significant step in delivering on our goal to help customers make their PCs better isolated and more resilient in the face of increasingly sophisticated attacks."
See more CNET content tagged:
Positive Technologies,
Service Pack 2,
Microsoft Windows XP Service Pack,
Microsoft Windows XP Service Pack 2,
security
Basically, anyone who hacks anybody's software these days for the express purpose of *getting around* its security code in some fashion to misuse and abuse said software can proclaim himself an "expert" and receive immediate acclaim by a media which often doesn't seem to have a clue.
Take this story, for instance. Instead of analyzing the "paper" released as to whether or not the self-proclaimed experts actually have something to talk about besides themselves, the story simply assumes that what the experts have said is true without a doubt. Yet, it does not appear that the reporters filing the story have the ability to determine whether the "paper" has anything worthwhile to say, or whether it's full of pompous, meaningless hot air (I say this because the details comprising many so-called "flaws" which the media trumpets are so unlikely to occur as a set of common, simultaneous conditions a hacker might deem suitable for exploitation that the chance of such flaws being used against a given target are much less than the odds of the target being struck and killed by a bolt of lightning while using his keyboard.)
Rare indeed it is when the media ever bothers to investigate the "expert" status of the groups and individuals it quotes with pomposity, and rarer still is the media outlet which investigates the veracity and probity of the actual "flaws" such groups make loud noises about (I say "groups" but the truth is that many so-called "expert firms" sitting behind such claims consist of a single, unincorporated individual--and the terms "expert" and "firm" are often used by the media to enhance the credibility of such people, and thus the credibility of the stories the media write which use such individuals as their primary basis.)
Wouldn't it be nice to once in awhile read a story like this which examined the claims made--instead of the all too familiar format of simply writing stories that do nothing except mindlessly parrot the "experts" making such claims?
Basically, anyone who hacks anybody's software these days for the express purpose of *getting around* its security code in some fashion to misuse and abuse said software can proclaim himself an "expert" and receive immediate acclaim by a media which often doesn't seem to have a clue.
Take this story, for instance. Instead of analyzing the "paper" released as to whether or not the self-proclaimed experts actually have something to talk about besides themselves, the story simply assumes that what the experts have said is true without a doubt. Yet, it does not appear that the reporters filing the story have the ability to determine whether the "paper" has anything worthwhile to say, or whether it's full of pompous, meaningless hot air (I say this because the details comprising many so-called "flaws" which the media trumpets are so unlikely to occur as a set of common, simultaneous conditions a hacker might deem suitable for exploitation that the chance of such flaws being used against a given target are much less than the odds of the target being struck and killed by a bolt of lightning while using his keyboard.)
Rare indeed it is when the media ever bothers to investigate the "expert" status of the groups and individuals it quotes with pomposity, and rarer still is the media outlet which investigates the veracity and probity of the actual "flaws" such groups make loud noises about (I say "groups" but the truth is that many so-called "expert firms" sitting behind such claims consist of a single, unincorporated individual--and the terms "expert" and "firm" are often used by the media to enhance the credibility of such people, and thus the credibility of the stories the media write which use such individuals as their primary basis.)
Wouldn't it be nice to once in awhile read a story like this which examined the claims made--instead of the all too familiar format of simply writing stories that do nothing except mindlessly parrot the "experts" making such claims?
It's been generally accepted that 90 days is an acceptable time to wait for a major corporation to present a viable solution to a security threat, so thirty days *is* sort of pushing a bit too hard. Indeed, I *believe* that laws have been passed to that effect? Giving the flaw-finder a limited form of immunity to prosecution by over-zealous corporations trying to protect their baby with massive firepower?
Again, IANAL, but I also recall-from the dim, cobwebbed recesses of my brain-that when served with such a notice, said corporation should provide some sort of official response to the ones presenting them the info that yes, they *ARE* going to initiate a trouble-call (sic) and will be working towards a viable solution to the problem.
It's a polite way to notify the corp that their software is vulnerable and not get sued for meddling with the code. At the same time, this puts the meddlers under a contract to keep their mouths shut for 90 days, giving the developer a chance to present a solution, or at least notify the public of the vulnerablility. If they blab before the 90 days are up, they *could* get in trouble.
Still digging in my brain, I *believe* that if the ones who discovered the flaw do not receive any form of official contact from the developer, saying, "Thanks for the info, we're looking into the problem, now please keep it mum for now,", then they should wait 30 days before blabbing it to the world at large.
So...what's the poop?
Are my brain-scrapings accurate? Did the Russian group give MS enough time to formulate a proper response? Did MS even *respond*? I'm left wondering if MS didn't back-slide into it's old habits of security through obscurity; hear-no-evil, see-no-evil, speak-no-evil?
It's been generally accepted that 90 days is an acceptable time to wait for a major corporation to present a viable solution to a security threat, so thirty days *is* sort of pushing a bit too hard. Indeed, I *believe* that laws have been passed to that effect? Giving the flaw-finder a limited form of immunity to prosecution by over-zealous corporations trying to protect their baby with massive firepower?
Again, IANAL, but I also recall-from the dim, cobwebbed recesses of my brain-that when served with such a notice, said corporation should provide some sort of official response to the ones presenting them the info that yes, they *ARE* going to initiate a trouble-call (sic) and will be working towards a viable solution to the problem.
It's a polite way to notify the corp that their software is vulnerable and not get sued for meddling with the code. At the same time, this puts the meddlers under a contract to keep their mouths shut for 90 days, giving the developer a chance to present a solution, or at least notify the public of the vulnerablility. If they blab before the 90 days are up, they *could* get in trouble.
Still digging in my brain, I *believe* that if the ones who discovered the flaw do not receive any form of official contact from the developer, saying, "Thanks for the info, we're looking into the problem, now please keep it mum for now,", then they should wait 30 days before blabbing it to the world at large.
So...what's the poop?
Are my brain-scrapings accurate? Did the Russian group give MS enough time to formulate a proper response? Did MS even *respond*? I'm left wondering if MS didn't back-slide into it's old habits of security through obscurity; hear-no-evil, see-no-evil, speak-no-evil?
http://www.razormuscle.com
The site has no popups or ads, and you can check out the preview trailer.
Posted @ 05:02:43
http://www.razormuscle.com
The site has no popups or ads, and you can check out the preview trailer.
Posted @ 05:02:43
- keep crashing my system
-
by ca_forums
May 11, 2007 7:39 PM PDT
- http://www.analogstereo.com/hyundai_azera_owners_manual.htm
-
Reply to this comment
-
-
See all 26 Comments >>