Full Disclosure mailing list archives
Re: Microsoft takes 7 years to 'solve' a problem?!
From: Valdis.Kletnieks () vt edu
Date: Tue, 25 Nov 2008 04:11:01 -0500
On Tue, 25 Nov 2008 03:07:49 EST, "Randal T. Rioux" said:
On Tue, November 25, 2008 1:44 am, Memisyazici, Aras wrote: <SSNNIIPP>OK... Maybe I'm going a bit extreme, but WTH?! Am I the only one who is interpreting this, this way? Really? When has releasing a solution to a problem 7 years later ever been acceptable?May not be acceptable, but it is standard practice with some "software" companies.
That, plus Russ didn't even bother to read the fine article: "And to be clear, the impact would have been to render many (or nearly all) customers' network-based applications then inoperable. For instance, an Outlook 2000 client wouldn't have been able to communicate with an Exchange 2000 server. I know the users Russ supports - we'd have needed a body bag for him if he had chosen that route rather than "not cause a significant impact". This wasn't a buffer overflow, the problem was that the NTLM protocol was screwed up by design - and fixing a protocol bug is usually a *lot* more painful. If you read between the lines of the article, it appears that MS added support for a fixed protocol back in XP SP2, and has decided that the number of pre-SP2 systems out there talking to updated systems has grown small enough that it's finally practical to flip the switch. That's pretty much the only way to change a protocol without a flag-day cutover - ship dual-stack during a transition, and then flip the switch when few enough old-style machines are left. Let's face it - the number of systems that have gotten compromised via SMBRelay attacks is *far* smaller than the number of boxes pwned just because they have IE installed and a user at the keyboard. The number of systems pwned via SMBRelay is *also* a lot smaller than the number of boxes that would have broken if Microsoft had "fixed" things the way Russ apparently wanted them to.
Attachment:
_bin
Description:
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Microsoft takes 7 years to 'solve' a problem?! Memisyazici, Aras (Nov 24)
- Re: Microsoft takes 7 years to 'solve' a problem?! Randal T. Rioux (Nov 25)
- Re: Microsoft takes 7 years to 'solve' a problem?! Valdis . Kletnieks (Nov 25)
- Re: Microsoft takes 7 years to 'solve' a problem?! James Matthews (Nov 25)
- Re: Microsoft takes 7 years to 'solve' a problem?! Valdis . Kletnieks (Nov 25)
- Re: Microsoft takes 7 years to 'solve' a problem?! Paul Schmehl (Nov 25)
- Re: Microsoft takes 7 years to 'solve' a problem?! James Matthews (Nov 25)
- Re: Microsoft takes 7 years to 'solve' a problem?! Valdis . Kletnieks (Nov 25)
- Re: Microsoft takes 7 years to 'solve' a problem?! Paul Schmehl (Nov 26)
- Re: Microsoft takes 7 years to 'solve' a problem?! Randal T. Rioux (Nov 25)
- Re: Microsoft takes 7 years to 'solve' a problem?! Paul Schmehl (Nov 26)
- <Possible follow-ups>
- Re: Microsoft takes 7 years to 'solve' a problem?! Memisyazici, Aras (Nov 25)
- Re: Microsoft takes 7 years to 'solve' a problem?! Charles Morris (Nov 25)
- Re: Microsoft takes 7 years to 'solve' a problem?! Kurt Grutzmacher (Nov 25)
- Re: Microsoft takes 7 years to 'solve' a problem?! Charles Morris (Nov 25)