
09-11-2002, 02:18 AM
|
Contributing Editor Emeritus
Join Date: Aug 2006
Posts: 8,228
|
|
Security hole in XP that requires SP1?
http://grc.com/default.htm
Steve Gibson has posted an alert on his web site about a very serious security hole in Windows XP (Home and Pro) that is apparently pretty easy to exploit. Tech TV's The ScreenSavers discussed it last night and posted some additional information.
 Is your computer open?
Apparently, Microsoft has known about this for months according to The ScreenSavers' site but has not provided a hotfix. It has, however, been fixed in SP1. The ScreenSavers posted enough information to allow you to quickly fix the issue until you can download the massive service pack, which is approximately 30MB if you use the express install (depending on services and options installed) and 133MB for the full meal deal. I am downloading it now and it is going very slowly over my DSL connection. I suppose MS's servers are a bit strained between XP SP1 and IE6 SP1 being released this week. In doing so, The ScreenSavers may have given enough information to give a script kiddie enough info to exploit the hole.
So, any XP or HTML gurus here that know any more about this situation and how valid the alert is?

09-11-2002, 02:47 AM
|
Contributing Editor Emeritus
Join Date: Aug 2006
Posts: 8,228
|
|
Think this isn't valid? I wonder why Google removed all references to this file name from its search engine prior to the release of SP1?

09-11-2002, 02:52 AM
|
Thinker
Join Date: Aug 2006
Posts: 319
|
|
Re: Security hole in XP that requires SP1?
Quote:
Originally Posted by Ed Hansberry
In doing so, The ScreenSavers may have given enough information to give a script kiddie enough info to exploit the hole.
|
Screensavers was not the first to make this public. Here is a report that gave all the details on August 15. The alert is definitely valid.
http://security-archive.merton.ox.ac...0208/0223.html

09-11-2002, 02:59 AM
|
Sage
Join Date: Feb 2002
Posts: 725
|
|
Re: Security hole in XP that requires SP1?
Quote:
Originally Posted by msprague
Quote:
Originally Posted by Ed Hansberry
In doing so, The ScreenSavers may have given enough information to give a script kiddie enough info to exploit the hole.
|
Screensavers was not the first to make this public. Here is a report that gave all the details on August 15. The alert is definitely valid.
http://security-archive.merton.ox.ac...0208/0223.html
|
You know, for a company that has supposedly focused itself on security and stability, they aren't doing the best job so far (You would think a company that valued these things would manage to post a hot fix within a few days not a couple months).

09-11-2002, 02:59 AM
|
Contributing Editor Emeritus
Join Date: Aug 2006
Posts: 8,228
|
|
Wow. Thanks msprague. This seems very nasty. Well, still downloading. :sleeping:

09-11-2002, 03:02 AM
|
Ponderer
Join Date: Jul 2002
Posts: 72
|
|
Not touching on the validity of this particular alert, but Steve Gibson is a damn panic monger.

09-11-2002, 03:04 AM
|
Editor Emeritus
Join Date: Aug 2006
Posts: 15,171
|
|
At least it's not a buffer overflow. This is more of a "misfeature". In my opinion, network code that trips a buffer overflow should have the originating programmer (or organization, if marketing/management didn't let a proper design go through) shot. There's no excuse for using unbounded string-handling functions nowadays.
In any case, Microsoft definitely has bright engineers, but the company's relentless feature-adding makes it difficult for them to keep up security. Their focus on integration stems from pre-Internet days; UNIX, on the other hand, tends to be a looser federation of services, with more explicit user separation, and as a result tends to be less vulnerable to exploits like this.
Let's just hope that MS, given time, will evolve as UNIX platforms did through their tough times and make more secure products. Since neither platform is going anywhere, it's all in our best interest to see a greater emphasis on security.
I'm glad I downloaded the network install of XP SP1 yesterday, when it came out. Time to start the install rounds tomorrow... oh, by the way, those of you who have pirated copies of XP won't be able to install SP1--it checks for illegal keys and such. (Of course, I'm sure crackers are hard at work on "fixing" this.)
--bdj

09-11-2002, 03:05 AM
|
Contributing Editor Emeritus
Join Date: Aug 2006
Posts: 8,228
|
|
Quote:
Originally Posted by splintercell
Not touching on the validity of this particular alert, but Steve Gibson is a damn panic monger.
|
Which is why I was leery of posting this. I've since talked to a few people in the know on this and this is valid and scary, and relatively easy to exploit if you know scripting.

09-11-2002, 03:05 AM
|
Intellectual
Join Date: Feb 2002
Posts: 200
|
|
Quote:
Originally Posted by splintercell
Not touching on the validity of this particular alert, but Steve Gibson is a damn panic monger.
|
Agreed. He can regurgitate and rant and rave at Microsoft and cause paranoia, but that's about it - he's not a security expert.

09-11-2002, 03:06 AM
|
Editor Emeritus
Join Date: Aug 2006
Posts: 15,171
|
|
Quote:
Originally Posted by Rob Borek
Agreed. He can regurgitate and rant and rave at Microsoft and cause paranoia, but that's about it - he's not a security expert.
|
He's not a total security novice - he's actually a pretty damned competent programmer and has done some really cool work - but he is definitely the Chicken Little of the security industry. :lol:
--bdj