Microsoft has explained why it took seven years to patch a known vulnerability. Fixing the bug earlier would have taken out network applications and potential exploits alike, it explained. Security bulletin MS08-068 fixed a flaw in the SMB (Server Message Block) component of Windows, first demonstrated by Sir Dystic of Cult of …
What I want to know...
...is how big a threat was this in reality. Have there been any major exploits using this in the last 7 years?
Meh! (Hurrah - Meh is in the dictionary!) Surely the patch to allow stable LAN games of C&C Generals has been a lot longer coming, affects more people, and is far more annoying!
/Me back to Supreme Commander
Isn't that an IPX / EA Games shitty coding problem instead of MS?
Hah! Microsoft "operating systems"
When they work they're not safe and when they're safe they don't work.
Now I'm sure there's an awfully good reason why, but couldn't they have just patched the client programs at the same time as they patched the server? Cos, you know, Outlook and Exchange are both Microsoft programs too, innit?
I reckon that the SMB code is such a mess of hack piled upon hack that it took them 7 years to refactor a 21,768 branch if..then..else statement and isolate the problem.
I have real respect for the samba crew who have to reverse engineer the shite of CIFS.
Oh bullshit! They're just pencil-whipping it to be able to issue an explanation. The reality is they have no explanation, they're just Microsoft and all of a sudden in a declining economy they feel they need to mend fences amid fears of declining profits.
Microsoft didn't know what was wrong
I bet it probably took the Samba team - the only ones who understand the thing now - 7 years to find it so MS could fix it.
And to think there are people who spend a lot of money on software from such shaky sources... I'd rather be unsafe for free, if that's how it works.
Insecure by Design (TM)
"Fixing the bug earlier would have taken out network applications and potential exploits alike"
this what I've known
If MS were to make the o/s as solid as possible it would break lots of stuff. It would piss off vendors. Well then they would have to code right and stop sloppy programming.
Remember when Vista was in beta and MS decided that no program should be allowed to modify the kernel. AV guys cried foul.
Never attempted to fix?
I was working in the industry back then, and what I remember was monthly patches to the SMB library.
Month after month there were new hotfixes to this library until one day, over a year later, it was mysteriously replaced with the original SMB library and everyone forgot about the flaw.
Imagine my surprise when it became an issue once more!
How long has this guy been working for m$?
Oh for crying out loud.....
BIG WOW, I bet at least 50% of us still end up signing off purchase orders for Microsoft software at some point this week...
See you love it really! Because let's face it, would you rather run Novell? *eeeeek*
"The patch does NOT address the case where the attacker relays the connection to a third-party host that the victim has access to," Metasploit said.
So, first they need 7 years to fix the issue, probably with the help of the Samba team, which MS embraced not too long ago, but still manage not to fix the issue completely.
Wanted to say "I told you so", but somehow can't seem to bother. Which is actually a good tactic often employed by politicians as well. Fsck things up and continue on that path until the people affected just don't care any more...
The apps are used by corporations mostly
So not only does MS not give 2 craps about using the end users to beta test their crappy software, but apparently corporate secrets are worth less to companies than flashy programs. No wonder the economy is spiraling out of control. The decision makers in the companies are mostly a bunch of dumb asses, who got their positions because they were braggarts with nothing to back up the hype (sounds kinda like the people who run MS too, and every large company I've worked for, and some small "big company" wanna-be's who make their decisions by asking, what would the big companies do?). It's a big idiot circle jerk where the heads would sooner see the companies implode than be blamed for their extremely poor decisions. If they knew anything about the potential security risks, IT wouldn't require MS certifications, it would just require general IT knowledge and maybe some kind of degree, but I know at this time this is only a fantasy of mine, and reality is apparently more expensive than keeping a company from slowly imploding.
Imagine what MS Live Search must be doing with sensitive corporate info by shooting almost everything a social engineer would need right out to the network/internet. I was actually employed when they "forced" us to use that crappy piece of crap at Bausch and Lomb. They're so digital now they can barely get anything done that used to be done on paper, 8-O <- that's my surprised face, I mean, who could have known? All the kiss-asses that get to give advice to ass-management don't know ANYTHING unless it beeps and sparkles when you click on it and can be put into an awesome PowerPoint presentation! The insane thing? Every big company has gone past this point of no return, because they have already fired the people who knew how to do it right.
But what the hell do I know? Bastards!
7 years to fix a documented security flaw?
Ha ha ha ha ha ha ha ha ha ha!
I'm not sure whether this is a record or not but it's certainly another reason why no-one with any other viable option should buy anything from MS.
As for the fix breaking network apps. If the apps are reliant upon an undocumented bug which is affecting the security of the OS then the application writers need to be taken out and kicked in the groin for not writing according to published standards. Wait a minute, MS publishing standards? Outlook, Excel... who wrote those again?
"Farce" is the best word I can think of to describe this one.
Paris - because unlike some, the exploits that would have worked on her 7 years ago are no longer viable.
"See you love it really! Because let's face it, would you rather run Novell? *eeeeek*"
No, I'd rather run Samba on a Linux server.