Proof of concept code
or it didn't happen. Something to be said for full disclosure after all?
A new Windows-based denial of service attacks reportedly exploits a 10-year old OS flaw to crash vulnerable systems. Independent security experts downplay the likely impact of the bug even though 2X Software, the virtual computing firm that discovered the bug, is talking up its supposed seriousness. Versions of Windows from the …
or it didn't happen. Something to be said for full disclosure after all?
I always thought that was a feature.
You need to run code to do this? Surely it would be more effective to make use of that thingy that updates in-use files on the next update to write junk files over top of important files, try deleting every other entry in the registry...
This is not vulnerability, it is just an app abusing trust.
Like "vulnerabilities" in the API. WTF do they think "Behaviour is undefined if..." means? It means follow the damn API and don't pass other data/values to see if anything interesting happens!
FAIL, nay, EPIC FAIL, because the most serious Windows security issues "in years" are the ones we have patch-Tuesdays for, and anything Adobeware...
"Behavior is undefined if..." is fine in API specs, most programming languages have a few. And yes, people should follow the specs, otherwise the results are unpredictable. For API implementers, it means they aren't told what should happen and can make it do whatever they want. But there's also an obligation to handle such input safely and not let it crash the system or create security problems.
"This is not vulnerability, it is just an app abusing trust."
The article does not say anything about trust. It is pretty bad if a non-administrator is able to cause a BSOD by simply fudging a few API calls. There are many reasons why most users should never be allowed near the admin account.
If OTOH this vulnerability requires admin-priviligies to blossom, then it is a big no-event.
I think there is an EXPECTATION on our part that undefined inputs should be gracefully handled, which is not necessarily the same as an OBLIGATION; for if it was an obligation as such that bogus inputs be discarded, that could easily be documented and there would be no undefined behaviour...
A good example here is the NMOS 6502, and the bewildering array of (sometimes bizarre) things available through undefined opcodes. In the CMOS incarnation, it was widely documented that all these instructions became NOPs but this was potentially even more broken because they were not NOPs but rather instructions that had no effect. To understand the difference, a NOP is a one byte instruction that takes two cycles. As opposed to the previously-undefined instructions that took between one and three bytes and up to five (six?) cycles. And that's just an example for an 8bit CPU with 256 possible instructions, not an API for something as complex as Windows.
It might to worth also considering the overheads of pre-sanitising input. This is one of the arguments often used for why C does not bother with bounds checking. It is placing an obligation on US (as programmers) to use the documented API as, erm, documented.
Point taken, however, about an API call not being able to BSOD the system. That's just poor, even if running as an administator...
"Versions of Windows from the latest Windows 7/Server 2008 versions down to Windows 2000/Server 2003 are affected by the flaw, according to 2X."
But wasn't XP completely rewritten and designed from the ground up with security in mind and not based on previous faulty code? Or was that Vista? Or WIndows 7? I forget which version MS claimed that about, but clearly it can't be true unless they made the same mistakes again.
That was supposed to be Vista. Except of course no-one from Microsoft actually said it - it was a rumour started by Internet retards.
If Microsoft had really decided to make Vista a rewrite of Windows, we would still be waiting another seven years for it to come out. Besides, if a group of people were to wake up tomorrow and decide to write a new operating system from scratch, it wouldn't be like Windows (or Unix and its stepchildren for that matter). All current general purposes OSes you care to mention suffer to varying degrees from clunky, outdated core design from the era in which they were first conceived.
No, it was Windows Phone 7. The most secure version of Windows Phone to date.
/Mines the one with the Android phone in the pocket.
Calling someone a retard says more about you than them.
However, "What distinguishes "Longhorn" is that it was developed from the ground up".
A quote taken from http://msdn.microsoft.com/en-us/library/ms993768.aspx
So perhaps on reflection, I agree with you. It was a rumour started by retards.
. . . I await the stampede of froth-mouthed penguinistas stumbling over one another to deride Microsoft and Windows.
/me grabs your troll icon and runs off
You are waiting for a 'penguinista' to froth a mouth at you??
You have punishment enough running windows... thinking it is heaven.
and believing what they tell you about all their 'enhancements'...
Why punish those that will never learn...
More fun to watch them stumble all over themselves in their own froth.
I bear you no malice.
No-one needs to deride Windoze - it gives itself enough bad PR by being a bloated, buggy bag of sh1te.
Security firm finds (apparently) a flaw and advertises it as the most serious threat since Nazi Germany's invasion of Poland. Who'd have thought?
Are they talking about this one??? http://www.securityfocus.com/bid/38044/exploit
So, if you allow an attacker to run their malicious application they can crash your PC?
Well, that's boring. Most trojans do far more hurtful things, like stealing data or being part of botnets.
With just a few lines of code I can crash your graphics card - that's pretty nasty, but it's still not a vulnerability as you must choose to run my app. (I found this by making a silly mistake in a shader - very fun, as Windows was still running but couldn't display anything - I still don't actually know if the application crashed or not as the debugger couldn't have been displayed.)
That makes two this week!! (only)
1) The 'Firefox' blamed, Windows problem (since it ONLY HAPPENS ON WINDOWS)
2) And since it bears credence to my previous statements that Microsoft has some problems over 10 years old (something diners at the micro-soft diners rarely mention in their articles)...
Gee... Love them reasons (in part) for why I use Linux (Ubuntu) and Firefox...
BTW... The LOUD promulgating of Firefox and Linux problems by the m/s diners...
Does not seem to be reflected in the flaw here described.
I hope they can (finally) fix these problem (One is way over 10 years old.)
And, for all that will flame me....
I told you so. (oops.. that slipped out. It is a 'windows' key keyboard. forgive me??)
Because apparently your clock isnt working....its Thursday.
"Because apparently your clock isnt [sic] working....its [sic] Thursday."
Depends where he is, dunnit?
"Depends where he is, dunnit[sic]?"
See how annoying that is?
So 2X goes hysterical because its shoddy programmers screwed up an API call and crashed a server?
Mines the one with a Windows API reference guide in the pocket
I'm curious. How do these Security companies generate revenue?
Do they simply use all their resources trying to find a bug, and then get paid by Microsoft? Or is finding bugs and subsequent "fame" simply a geekish attempt at marketing their specialist consulting services?
Microsoft launches a class room Terminal Server. http://www.channelregister.co.uk/2010/02/24/microsoft_multipoint_server/
Sending invalid parameters to an API function shouldn't CRASH THE SYSTEM.
There's no need for anyone to flame YOU, or Linux in general, it, and YOU speak for all the Windows users out there.
Quite the contrary.
I only speak for myself...
(Am not a ventriloquist, you know... I leave that to the media and their 'Wonderland'.)
I used to use Windows, and found that it was a security hell hole (my opinion, and that of all the blackhats who are still doing things to it, and who sometimes complain that it is no longer fun, since it is too easy.)
I am neither a hacker (white hat) nor a cracker (black hat)... I am just a simple, undereducated old rang.
But, I did not start off by slavering in the forum about 'froth mouthed penguinistas.'
That type of post seems to come quite easily from both sides (and I am quite adept at being able). I simple replied to the 'side that did start'...
After being in and around computing for only about 50 years. I know little about bugs, errors and such. I worked, for a time, looking at black hat sites (you might never imagine what is not known by the masses about what IS going on with the black hats... nor with the UBER BLACK hats... of whom you probably know naught)
As such I am only an ignorant and under educated, no-longer-window user, a tired old rang....
Not a froth mouthed windows user who loves the most attacked software (which most of windows is written with)...Active X....
Cheers... and I am not in the same time zone as Britain...
And some less experience, don't know from whence the time stamp comes.
Might be a Windows user that said that....
But, that is an opinion of only a poor, uneducated, old rang...
that they have fixed their problems with in days of an event and that they tend to be solutions to the stated problems makes it a world of difference compared to windows record of wait till later to fix known problems.