Microsoft .NET Remote Code Execution exploit
Similar class of problem as last time with the TCP/IP thing:
From: http://www.auscert.org.au/render.html?it=11798&template=1
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2009.1410.2
Vulnerabilities in the Microsoft .NET Common Language Runtime Could Allow Remote Code Execution
15 October 2009
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Microsoft .NET Framework
         Microsoft Silverlight
Publisher: Microsoft
Operating System: Windows 2000
                  Windows XP
                  Windows Server 2003
                  Windows Vista
                  Windows Server 2008
                  Windows 7
Impact/Access: Execute Arbitrary Code/Commands -- Remote/Unauthenticated
Resolution: Patch/Upgrade
CVE Names: CVE-2009-2497 CVE-2009-0091 CVE-2009-0090
Original Bulletin: http://www.microsoft.com/technet/security/bulletin/ms09-061.mspx
That list of Operating System: entries? That's every single supported version of Windows, from XP (which should be end-of-life but isn't), to Windows 7 (the supposedly new "much more secure" shiny thing). They forgot to put Mac OS in the list - if you have Silverlight installed on a Mac somehow (I don't know who uses it), then it's vulnerable too.
Seriously, if you are a normal person, or even a small business with no ability to pay for serious tech support (and I'm talking about a real network and systems administrator, worth at absolute minimum AUD90k p/a, or a regular contractor worth at least AUD90 per hour for at least a day every week) to make sure you're safe, securely firewalled and patched 100% of the time, don't run Windows, and don't run any Microsoft products if you can help it.
Unless, of course, you don't value your personal information, anyone else's personal information you might have, your bandwidth, your sales data, your netbanking, and anything else that you might use your computer to access. No worries, have fun with that.
Microsoft Danger Sidekick: All your data are belong to bitbucket
For more fun in that space, late last week, Microsoft managed to blow away all the storage for all Sidekick mobile customers. As in, boom, gone, no backups, kiss all your contacts and anything else supposedly securely backed on their "cloud service" goodbye, unless you were sensible and had your own offline backup (which isn't an officially supported thing on that platform).
See:
T-Mobile Sidekick Disaster: Danger’s Servers Crashed, And They Don’t Have A Backup.
There's a rumour today that Microsoft May Be Able To Restore All Of The Lost Sidekick Data, After All, but so far it's a rumour.
Even if they manage to recover some of the lost data, that's going to be due to heroic manual data recovery of the SAN disks, rather than routine backup restoration. And when I say "routine", I mean that everyone involved in systems administration at any serious level knows full well that you have to have a full backup of all data, with a regularly tested and validated restore process, before you commence any kind of important upgrade.
That is industry standard procedure, and has been industry standard procedure for many decades. Which Microsoft Danger obviously wasn't following. Of course you can play the "blame the subsidiary" card - but they've been a M$ owned company for long enough, with a high profile M$ exec moved in to be in charge for long enough, that basic disaster recovery processes should be in place. There isn't any valid excuse for that kind of data loss by a corporation. None.
ETA: Looks like there has been successful data recovery. Microsoft Confirms Data Recovery for Sidekick Users.
Snow Leopard issue
Date: 2009-10-15 06:50 (UTC)
I figure you should be at least impartial when reporting OS issues!
Re: Snow Leopard issue
Date: 2009-10-15 07:14 (UTC)
Re: Snow Leopard issue
Date: 2009-10-15 12:04 (UTC)
Re: Snow Leopard issue
Date: 2009-10-15 07:43 (UTC)
Security holes are certainly bad, but Apple's apparently not even bothering to put the money and effort into the Mac platform these days. Too much iPhone/iPod shiny, I suspect.
Such a pity and a wasted opportunity (for Apple, Linux and ReactOS), as the Windows Vista era left such a gaping vacuum for them to exploit. It's like Microsoft choosing not to take over the spreadsheet market when Lotus 123 dropped the ball. Apple would have cleaned up the market with a sensible value entry-level desktop machine (the Mini's underpowered and overpriced) and a mid-level user-serviceable desktop (ie, a cheaper Mac Pro-like box for home offices). People have been screaming out for those options, but Apple seems to have stopped listening to their customers. Always a bad sign.
Re: Snow Leopard issue
Date: 2009-10-15 12:17 (UTC)
Snow Leopard is actually a major setup for something, because it's a massive amount of under the hood cleanup. SL server is in free beta in .us right now... Non existent iTablet is probably still sucking resources...
You're right that iPod is eating a lot of their time. I also suspect that they're cashing in whilst the sun shines. PC hardware margins suck - phone margins don't.
Re: Snow Leopard issue
Date: 2009-10-15 12:30 (UTC)
(morgan without an openid / dw acc yet)
Re: Snow Leopard issue
Date: 2009-10-15 16:46 (UTC)
Heh. History's littered with companies who ignored their customers' wants until a competitor came through and ate their lunch. Just ask Lotus.
Apple succeeds despite their overpriced and underpowered hardware only because of the perceived worth of their OS software. If they manage to chuck that advantage away, they're completely and utterly stuffed — in the computer industry anyway.
Re: Snow Leopard issue
Date: 2009-10-15 21:59 (UTC)
Snow Leopard is Apple setting up what their customers need. Not want.
And I guarantee you, despite a few minor issues here and there, the outcome of it is a massively more stable codebase to build on, and many many little but significant usability, reliability, performance and security enhancements.
They're going somewhere with it - they just aren't saying where yet.
Design by loudest yelling mob is bad design.
Re: Snow Leopard issue
Date: 2009-10-21 15:44 (UTC)
Boom, massive price drops across the board and new revs of practically the whole Mac line, just in time for Windows 7 release and Xmas.
Timing is everything... No reason to do that hardware rev whilst the competition was as bad as Vista was. Plenty of reason to give themselves a massive hardware price point boost to leap ahead of Windows 7.
Smart business - even though no doubt many of their customers are cursing the previous prices as gouging. :-)
Re: Snow Leopard issue
Date: 2009-10-15 12:02 (UTC)
Remote code exploits just aren't supposed to exist any more, and they mean your computer can be compromised any time you go touch something on the Internet.
Re: Snow Leopard issue
Date: 2009-10-15 22:24 (UTC)
DID WINDOWS TOUCH YOU IN THE SWIMSUIT AREA?
Re: Snow Leopard issue
Date: 2009-10-15 23:00 (UTC)
But I get his point of scale. One you can fix with backups and a workaround, the other... erm... yeah... oops, bye bye secure data.
And the other issue is how many people have .net installed? Farkin' everyone with a windows box which is a LARGE section of the marketplace.
Microsoft still suffers from "people like fucking with MS products" so any tiny hole in their products gets clawed at until it is a gigantic gaping issue. Apple simply doesn't have that culture or marketshare.
*shrug*
I still advocate horses for courses, and there is a good reason I do all my secure internet transactions on my mactop as much as possible and not on my desktop PC or work PC.
Re: Snow Leopard issue
Date: 2009-10-16 00:12 (UTC)
If I reported every time some vanishingly small (<1%) percentage of the M$ install base had a problem (which is the scale of the bug you're talking about), I'd never be doing anything else.
That's not bias, that's picking the scale of reporting.
Seriously - remote code exploits have been known about for decades now, and how to ELIMINATE THEM COMPLETELY has been known about for decades. There actually is genuinely no excuse to have them in any code written by software engineers working for a large company, that can absolutely afford the resources to fix the problem.
It should take any competent toolsmith about a week to write a utility to identify *every single line of code* that might be a remote code exploit possibility. Give them a few months and they should be able to enhance the heuristics to suit the specific codebase, and even potentially make changes in a semi-automated fashion.
There is no excuse for not doing that. Really. None.
Re: Snow Leopard issue
Date: 2009-10-16 00:38 (UTC)
http://www.securityfocus.com/bid/10356/discussion/
http://www.informationweek.com/news/hardware/mac/showArticle.jhtml?articleID=216401181
http://www.symantec.com/business/security_response/attacksignatures/detail.jsp?asid=21139
Re: Snow Leopard issue
Date: 2009-10-16 01:57 (UTC)
Link two, yes, 10.5.6 (Leopard), March this year, but no actual remote code exploit present. Yes, potential for one in AppleTalk though. That sort of thing is why one should not turn sharing type stuff on anywhere except inside a nice firewalled area, regardless of your OS.
Link three? Mac OS 10.3 again, and the same issue as Link One.
Re: Snow Leopard issue
Date: 2009-10-16 02:14 (UTC)
However, while it is fair enough to inform everyone of the gaping arseholes of Windows, you do seem to relish the job.
Re: Snow Leopard issue
Date: 2009-10-16 02:41 (UTC)
It's not like this (and the previous) MS vulnerabilities haven't been fixed - if you run your software update, you'll get the patch that fixes it, and MS will even helpfully force reboot your machine for you so you get the patch whether you like it or not. And those Leopard issues have long been fixed too.
The point is that this kind of thing should have been fixed inside MS years and years ago, and it hasn't been. Apple at least have a pretty serious focus internally on their engineering processes. They don't always get it right, and I'd be surprised if anyone got it right 100% of the time. Hell, even Google don't, and they've got probably the smartest set of bodies on deck as far as software and systems engineering goes. It's a question of whether there's process that encourages improvement or not, and whether you actually try to fix these issues, or whether you just ignore them and shrug.
As far as it goes, yes, I do enjoy putting the boot in - because this space (software and systems reliability engineering) is an awful lot of what I do professionally. I know exactly how possible it is to get this stuff right - and there really isn't an excuse for not doing it right, or at least close to right, most of the time.
Not doing so is a major sign of either huge internal structural issues, or sheer "don't care about your customers" laziness, or possibly some of both.
Re: Snow Leopard issue
Date: 2009-10-16 02:48 (UTC)
It's going to RULE THE WORLD
Re: Snow Leopard issue
Date: 2009-10-16 02:52 (UTC)
I for one welcome our new Zune overlords?
*dons bugsuit*
Re: Snow Leopard issue
Date: 2009-10-16 02:52 (UTC)
Vista and Win 7 actually have similar functionality... if you buy the business version. Why the business version only? Price gouging. It could be in the consumer version... It isn't.
Re: Snow Leopard issue
Date: 2009-10-16 02:47 (UTC)
-whitebird/Marshall
Re: Snow Leopard issue
Date: 2009-10-16 04:30 (UTC)
(no subject)
Date: 2009-10-15 08:02 (UTC)
I've already torn into the Sidekick screwup on my blog - it certainly serves as a timely reminder for those trusting their data to online services (or, "the cloud", to be fashionable).
And sticking it to Microsoft for a hosted service subsidiary screwup? Hardly fair. That'd be like saying Apple couldn't handle an operating system because of the mobile.me outages, HP-UX is worthless because EDS make mistakes, AIX is bug soup because IBM GSA are a pile of loonies -- if you fault the parent company's products for every services screwup, you're left only with platforms too small to have a professional services department.
Erk. I'm posting something that could be construed as being in defence of Microsoft. Lordy.
(no subject)
Date: 2009-10-15 08:08 (UTC)
I don't know to what extent the suspicion about firmware upgrades on a SAN are actually correct, but...
(no subject)
Date: 2009-10-15 12:08 (UTC)
w.r.t. the Danger disaster ...
Date: 2009-10-16 01:22 (UTC)
a) are playing catchup to the established players (ie Google, Amazon)
b) have almost no skin in the game (what %ge of business relies on it)
c) can't get it right at this level when they control all the pieces
credibility? nada.