Ten SP2 flaws leave XP users open to hackers

Discussion in 'other security issues & news' started by ronjor, Nov 11, 2004.

Thread Status:
Not open for further replies.
  1. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,751
    Location:
    Texas
    vnunet
     
  2. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,751
    Location:
    Texas
    XP SP2 Flaw Warning Sparks Debate on Disclosure
    eweek
     
  3. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    Take this remark as one wishes because I am neither a M$ hater or lover....but I'll stand with any Company or an individual that requests nothing more than responsible disclosure.

    For me....organazations like Secunia act responsibly.
     
  4. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,751
    Location:
    Texas
    I couldn't agree more.
     
  5. nadirah

    nadirah Registered Member

    Joined:
    Oct 14, 2003
    Posts:
    3,647
    Ten SP2 flaws leave XP users open to hackers...
    Now that does not sound good to me... :(
     
  6. still_longhorn

    still_longhorn Registered Member

    Joined:
    Oct 3, 2004
    Posts:
    256
    MS denies it publicly but has taken steps to investigate the alleged flaws. I am for responsible disclosure as well, but I think the key operative word here is "responsible". I don't see anything in their actions that can be construed as "irresponsible" except for the expected denial. On the other hand, premature disclosure can be more disastrous. Now every hacker is onto these flaws....
     
  7. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    Perhaps we are on the same page....but the "irresponsible" party I'm speaking of is Finjan's Malicious Code Research Center
     
  8. Galcoolest

    Galcoolest Registered Member

    Joined:
    Jun 18, 2004
    Posts:
    229
    Location:
    San Francisco
    Hey Kids:

    I'm usually not the betting sort, but I'd put some change down on the fact that a portion of these as yet undisclosed vulnerabilities with SP2, in light of my own hassles since its install, might just explain a bit of the anomalies I've faced recently, and recounted in

    http:\\www.wilderssecurity.com/showthread.php?t=5328 o_O

    I mean I want to believe, still, it's all been config or conflict stuff- but now I'm beginning to wonder again! :doubt:
     
  9. still_longhorn

    still_longhorn Registered Member

    Joined:
    Oct 3, 2004
    Posts:
    256
    Ohh.... My apologies then for the misinterpretation... my mistake.
     
    Last edited: Nov 11, 2004
  10. still_longhorn

    still_longhorn Registered Member

    Joined:
    Oct 3, 2004
    Posts:
    256
    Not again please....! i've had enough of Houdini, 666 and Santa Claus for one day...!

    galcoolest, your case was definitely different! If you put your money where your keyboard is, you'd lose!
     
  11. still_longhorn

    still_longhorn Registered Member

    Joined:
    Oct 3, 2004
    Posts:
    256
    gal,

    As I advised you in the thread you posted above, it is easier to check for system conflicts by downloading TUT from (http://www.answersthatwork.com/TUT_pages/TUT_information.htm).
    I am sorry but this is the only app I use to determine/resolve system conflicts. Perhaps other members have better suggestions. In lieu of TUT, you could also run your Event Viewer and see if your monitor does not light up with warnings & errors as I suspect it will. :rolleyes:
     
  12. Alec

    Alec Registered Member

    Joined:
    Jun 8, 2004
    Posts:
    355
    Location:
    Dallas, TX
    I'm not exactly sure, but most of these "flaws" sound like the same issues that have been discussed since late September. One issue that I have with the way the majority of writers discuss these problems, is in their almost universal characterization of them as operating system flaws. It may be an overly-nuanced point, but personally I view the IE Zone exploit issue, SP2 downloaded code notification bypass issue, and the like as user mode code exploits and not as operating system exploits. The difference being that none of them truly broach the kernel mode operating system's object security and access rights restrictions. For example, as far as I understand each of these issues, none of them can elevate your privileges beyond that in which you are running IE and/or Windows Explorer. If you are surfing the web in an account with Admin privileges then, yes, these exploits can in turn cause you Admin level troubles... however, if you are surfing the web with IE in a normal, restricted user account then the exploits are also limited to the same normal, restricted user account rights.

    @Bubba: Perhaps I'm totally missing your point, but why did you say that Finjan's is acting irresponsible? According to the article: "Finjan's Malicious Code Research Center, which claims to have identified the flaws, has provided Microsoft with full technical details and has been assisting the software giant to patch the holes." Followed by: "Although it warned users about the alleged flaws, the security firm refused to provide specific details." That all sounds reasonable enough to me.
     
  13. still_longhorn

    still_longhorn Registered Member

    Joined:
    Oct 3, 2004
    Posts:
    256
    I am not answering in behalf of Bubba but read this quote carefully:
    IMO, it is not so much the veracity of the allegation (as I'm sure they have a basis for it) but rather the timing that makes it irresponsible. And self-serving....

    :rolleyes:
     
  14. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    Yeah, just goes to show how much you NEED SurfinGuard, eh? I'm sure they could have brought this up to MS without the fanfare. It would at least have been nice to offer users something about whether setting IEs security settings to "high" would help or not (if not a specific setting.)
     
  15. Siro

    Siro Registered Member

    Joined:
    Nov 9, 2004
    Posts:
    92
    Microsoft doesnt seem to accept initially that their softwares have flaws and then a few days later come up with a plethora of patches to install and making life miserable for the end user.They need to hire these independent researchers to do the work of finding out vulnerabilities instead of the ones sitting in Redmond.
    Its got to a point which is really mind boggling.Windows Xp has been patched so many times in the past loads and loads of patches its so scarred it wont be able to be repaired in the real world if it was alive.Ah well i hope these 10 new vulnerabilities are fixed as soon as possible.
     
  16. still_longhorn

    still_longhorn Registered Member

    Joined:
    Oct 3, 2004
    Posts:
    256
    IMO I am certain that MS is aware of the potential flaws in their OS prior to their release.... but as the saying goes "The Show must go on...." Release dates have to be met, the competition is banging at the gates, the stockholders have to be kept happy, etc,etc....

    MS wants XP to be everything to everybody. This perhaps, is the biggest flaw in XP. For you guys who can't seem to appreciate the wonders of XP, try Win 3.1. The point is, XP has come a long way. It is still at SP2 and all I read about are criticisms on the mind-boggling number of patches. NT 4 Enterprise had at least 6 patches (I stopped counting at SP6a) but I didn't read of too many complaints against this wonderful OS. Why? Simply because
    it was not made readily available to ordinary folks like you and me.

    Now, along comes XP. Based on that same NT technology, but adapted to the average user's wants, a user who would probably call MS Support the moment a warning message appears on his screen, a user who hasn't learned what the F1 key is for... then we have the perfect recipe to clog up MS's switchboard... 100,000,000 users calling MS about how to install this or install that.

    To avoid this, a bright guy sitting in Redmond comes up with the idea of, nevertheless,putting in all the features of an OS that can be "everything to everyone" , but setting the defaults as "ON". (Since mom wants to use dad's printer, they share it. While they're at it, they share files as well...) Nice set up but it provides the very infrastructure needed by a hacker to access everyone's files in their nice cozy home network!

    Now, consider the alternative. If MS does not leave every default as "on", what would the average user do? Call support or get a Mac, right?

    You got what you wanted! So stop bitching and just turn off all the features you can live without. :rolleyes:
     
  17. True Orient

    True Orient Registered Member

    Joined:
    Nov 13, 2004
    Posts:
    88
    Awww...! Shucks! Must I really go back to Windows 3.1? :D
     
Loading...
Thread Status:
Not open for further replies.