Full Disclosure mailing list archives

Re: Microsoft takes 7 years to 'solve' a problem?!


From: Paul Schmehl <pschmehl () tx rr com>
Date: Tue, 25 Nov 2008 12:17:56 -0600

--On Tuesday, November 25, 2008 03:11:01 -0600 Valdis.Kletnieks () vt edu wrote:

> That, plus Russ didn't even bother to read the fine article:
> 
> "And to be clear, the impact would have been to render many (or nearly all)
> customers' network-based applications then inoperable. For instance, an
> Outlook 2000 client wouldn't have been able to communicate with an Exchange
> 2000 server."
> 
> I know the users Russ supports - we'd have needed a body bag for him if
> he had chosen that route rather than "not cause a significant impact".
> 
> This wasn't a buffer overflow, the problem was that the NTLM protocol was
> screwed up by design - and fixing a protocol bug is usually a *lot* more
> painful.  If you read between the lines of the article, it appears that MS
> added support for a fixed protocol back in XP SP2, and has decided that the
> number of pre-SP2 systems out there talking to updated systems has grown small
> enough that it's finally practical to flip the switch.  That's pretty much the
> only way to change a protocol without a flag-day cutover - ship dual-stack
> during a transition, and then flip the switch when few enough old-style
> machines are left.
> 
> Let's face it - the number of systems that have gotten compromised via
> SMBRelay attacks is *far* smaller than the number of boxes pwned just
> because they have IE installed and a user at the keyboard. The number of
> systems pwned via SMBRelay is *also* a lot smaller than the number of
> boxes that would have broken if Microsoft had "fixed" things the way Russ
> apparently wanted them to.

Weird.  We were the ones that reported this issue to Microsoft back in 1998 or 
9 (don't recall exactly when now) or at least a part of the issue.  Very 
strange to see it pop up after all these years.  Of course they essentially 
told us the same thing that you describe - can't break everything to fix that 
one thing - wait for the next release.

And you're right - it wasn't a great risk unless you were already in the 
network in a serious way.

-- 
Paul Schmehl
pschmehl () tx rr com
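The transition strategy Valdis describes in the quoted reply (ship support for both the flawed and the fixed protocol variant, measure how many peers still depend on the old one, then flip a switch that refuses it) can be modelled end to end. The following Python is an added example written for this archive page; it is not code from the thread, from Microsoft, or from any NTLM implementation. The variant labels, the handshake shape, the sample fleet and the 1% cutover threshold are all constructed assumptions chosen to illustrate the pattern, not real protocol details.

```python
"""Dual-stack protocol transition with a deferred cutover switch (added example).

Models the migration pattern discussed in the thread: a server accepts both a
legacy (flawed) variant and a fixed variant, measures how much of its client
population still needs the legacy one, and only flips to "fixed only" once that
share is small enough. Every name and number here is a constructed assumption.
"""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass, field
from typing import Iterable, Optional

LEGACY = "legacy"  # the flawed variant, tolerated only during the transition (constructed label)
FIXED = "fixed"    # the corrected variant (constructed label)


@dataclass
class DualStackServer:
    """Serves both variants until require_fixed is switched on."""
    require_fixed: bool = False                      # the switch that gets flipped at cutover
    seen: Counter = field(default_factory=Counter)   # telemetry: which variant each handshake used

    def handshake(self, client_supports: set) -> Optional[str]:
        """Pick a variant for one connection; None means the connection is refused."""
        if FIXED in client_supports:
            choice = FIXED                           # always prefer the fixed variant when offered
        elif LEGACY in client_supports and not self.require_fixed:
            choice = LEGACY                          # fall back only while the switch is off
        else:
            choice = None                            # legacy-only peer after cutover: refuse
        self.seen[choice or "refused"] += 1
        return choice

    def legacy_fraction(self) -> float:
        """Share of served handshakes that still had to use the legacy variant."""
        served = self.seen[LEGACY] + self.seen[FIXED]
        return self.seen[LEGACY] / served if served else 0.0

    def safe_to_flip(self, max_legacy_fraction: float) -> bool:
        """Cutover rule: flip once legacy usage is at or below the tolerated share."""
        return self.legacy_fraction() <= max_legacy_fraction


def run_transition(fleet: Iterable[set], max_legacy_fraction: float = 0.01) -> dict:
    """Phase 1: dual-stack and measure. Phase 2 (only if safe): flip and count the breakage."""
    fleet = list(fleet)
    server = DualStackServer()
    for caps in fleet:
        server.handshake(caps)
    legacy_fraction = server.legacy_fraction()       # measured before the flip changes the counts
    flipped = server.safe_to_flip(max_legacy_fraction)
    refused_after_flip = 0
    if flipped:
        server.require_fixed = True
        refused_after_flip = sum(1 for caps in fleet if server.handshake(caps) is None)
    return {
        "legacy_fraction": legacy_fraction,
        "flipped": flipped,
        "refused_after_flip": refused_after_flip,    # the peers that would break at cutover
    }


def sample_fleet(fixed_capable: int, legacy_only: int) -> list:
    """Constructed client population: updated peers speak both, old peers speak legacy only."""
    return [{FIXED, LEGACY}] * fixed_capable + [{LEGACY}] * legacy_only


if __name__ == "__main__":
    # Early in the transition: too many legacy-only peers, so the switch stays off.
    print(run_transition(sample_fleet(fixed_capable=98, legacy_only=2)))
    # Late in the transition: legacy share is below the threshold, flip and accept the fallout.
    print(run_transition(sample_fleet(fixed_capable=999, legacy_only=1)))
```

The point the thread makes is visible in `refused_after_flip`: the fixed variant costs nothing for updated peers, and the only price of the cutover is the legacy-only remainder, so the decision hinges entirely on how small that remainder has become. In a real deployment the `seen` counter would be replaced by server-side logging of negotiated protocol versions, which is also the telemetry a defender wants when deciding whether a hardening switch can be turned on without a flag day.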

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
