New Windows Vulnerability In Help System

[borfast]

From a Slashdot.org article:

CERT announced today a significant Microsoft Windows vulnerability related to IE and its handling of the Windows help subsystem. There are currently no patches available and no virus definitions for the major scanners. As well, exploits have been reported in the wild. Because the vulnerability is in the help subsystem, even users who avoid Outlook and IE are vulnerable, since IE is the default handler for help files. It seems that this is going to be an ugly one.

Edited April 9, 2004 by TCH-Raul

[kaseytraeger]

Thanks for posting this, Raul. I hope they come up with a patch real soon...

 

I'm getting real tired of all these vulnerabilities in the Windows OS. If I wasn't such a scaredy cat about installing new OS on my computer, I'd seriously consider one of the other available OSs.

[Head Guru]

I have the best patch available.

 

It is called the "Alternate OS Patch"

 

[TCH-Rob]

I got that patch about a month ago Bill. Best patch I have ever gotten. Thumbs Up

[TCH-Bruce]

And now that they have reported this it is inevitable that it will be exploited.

[kaseytraeger]

And now that they have reported this it is inevitable that it will be exploited.

It most certainly will be. I think they should come up with patches *before* announcing that there was a problem. This just gives hackers more time to perpetrate their machinations.

[Deverill]

I don't know about this one but I can remember several instances where honest folk found such vulnerabilities and reported it to Microsoft. After 2 weeks of no patches they decided to release their findings to the public to force MS to do something about it. It's a shame they have to resort to that but perhaps there is such a track record that they don't even try to let MS do somethng first?

[Bunni]

Am I protected with my HRT patch????

[HCSuperStores]

I like the "alerternative OS" patch myself. Not only that, but there's a certain "blue" screen that I haven't seen for a while. It's solved many of my OS related issues.

[borfast]

I have the best patch available.

 

It is called the "Alternate OS Patch"

 

LOL

 

Yep, I got that patch a long time ago, too!

 

And Bruce is right, the big problem is that the people who discover the vulnerabilities usually warn MS about it and after weeks with no response, they release the vulnerability to the public. It is indeed a shame that they come to this.

 

I think there should be a law that would force software makers to release patches as soon as possible, once someone reports a vulnerability to them. That way, when someone would find a hole, they'd report it both to MS and to the authorities. If MS wouldn't release a patch in X days from that date, they'd be punished. Otherwise, this will never change

 

And of course, there are also those who like to release their findings to the public even without contacting MS about it first. Not sure which one's worst.

 

Anyway, when I saw that, I thought I'd post it here, so folks would be warned and keep an eye out for updates.

[DarqFlare]

There shouldn't be a law requiring patch fixes once known... Holding Microsoft responsible is wrong, because they didn't exploit the problem, someone else did.

 

I know it sucks that M$ created a ubiquitous operating system that causes problems when people hack it, but come on...

 

This, IMO, is what a potential law should be:

 

The software maker has X days to patch up the software flaw. Say they get it patched 3 says after X days passes. Then they are held responsible for the amount of "damages" caused in those 3 days. That's it.

[borfast]

Robert, that's exactly what I meant.

 

I wasn't saying MS should be held responsible for the acts of those who take advantage of the security holes in their OS but they should be held responsible for correcting the flaws as fast as possible, once they know about them.

[Madmanmcp]

Patching a hole in software is not as simple as patching a hole in the wall and placing a time deadline on it. They have to identify the hole and what pieces of the software are affected. They then need to come up with a "fix". Then they need to throughly test the software to see if it works and that nothing else was broken because of this "fix".

 

The fix may take days or months and the testing phase even longer. If you place a time deadline on it they will be forced to rush out a fix to avoid missing the deadline...AND it may cause other problems or not be a complete fix.

[Madmanmcp]

I don't know about this one but I can remember several instances where honest folk found such vulnerabilities and reported it to Microsoft. After 2 weeks of no patches they decided to release their findings to the public to force MS to do something about it.

 

This makes them "honest"?

 

I know where my neighbor keeps the spare keys to his house. Since he doesn't change this because I told him it was unsafe, am I an "honest folk" if I post this information in the Local paper?

[TCH-Rob]

Madman,

 

What if that key was the same key to every house in your town. Say some "dishonest folk" found the rock that it was hiding under and started looting every house in town with it. Letting everyone including your neighbor know what is happening may get enough people angry to make your neighbor change where he hides the key.

[Madmanmcp]

Rob, either one house or the whole block or "honest" person or otherwise, I still say its not right to make it public knowlege. It is also not right for my neighbor to make the key readily available, but I said thats why I originally told him about it.

 

You tell the one responsible for the problem and let them handle it. If they don't act and If you decide to force the issue by making it public knowlege then you are to blame also. You are now an accessory to the crime.

[TCH-Rob]

I see what you are saying, I dont like it though. Lets do this with one of the various IIS worms out there. Lets say I am an intremediate user and installed the OS with all of the bells and whistles because it came that way, or the machine came to me with it turned on. Who knows, I may want to serve a web page someday, could be fun. Now, somebody finds an exploit for IIS and lets MS know about it. Months pass and nothing gets done about it so the guy that has found it ponders about going public but decides against it for not wanting to open a can of worms.

 

About the same time a "code worker" finds the same "feature" yet isnt honest and knows the name he can make for himself. Next thing you know, hundreds of thousand machines are getting infected, mine included. The initial finder of the feature comes forward and states he knew about it and notified MS but nothing was done. He states he could have let the world know about it but how many people know to turn IIS off or need it running or would even read there was an issue and then someone would exploit it.

 

Someone is going to exploit it now or a month from now. If I am going to be bent over I would at least like to know about it before hand.

[Madmanmcp]

Rob, I also see your point, we just have different opinions on how to handle the problem .

 

I agree that yes there is a chance that one of the "bad guys" will also find the IIS exploit...but this maybe not happen for a long time. This may also give MS enough time to fix it and get a patch out before he finds it.

 

There are only two things for sure if the exploit is leaked to the public. The bad guys WILL know about before its fixed and be able to use it. AND, MS will now have to fix it ASAP.

 

The latter is the intended result and the former is the unintended side effect. I just feel the cure is not worth the harm it will obviously create.

[TCH-Rob]

Bob,

 

Your opinion is not allowed to differ from mine.