[personal profile] thorfinn

Microsoft .NET Remote Code Execution exploit

Similar class of problem as last time with the TCP/IP thing:

From: http://www.auscert.org.au/render.html?it=11798&template=1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                              ESB-2009.1410.2
           Vulnerabilities in the Microsoft .NET Common Language
                 Runtime Could Allow Remote Code Execution
                              15 October 2009

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Microsoft .NET Framework
                   Microsoft Silverlight
Publisher:         Microsoft
Operating System:  Windows 2000
                   Windows XP
                   Windows Server 2003
                   Windows Vista
                   Windows Server 2008
                   Windows 7
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2009-2497 CVE-2009-0091 CVE-2009-0090

Original Bulletin: 
   http://www.microsoft.com/technet/security/bulletin/ms09-061.mspx


That list of Operating System: entries? That's every single supported version of Windows, from Windows 2000 and XP (XP should be end-of-life by now, but isn't) to Windows 7 (the supposedly new, "much more secure" shiny thing). They also forgot to put Mac OS in the list: if you somehow have Silverlight installed on a Mac (I don't know who uses it), that's vulnerable too.

Seriously, if you are a normal person, or even a small business with no ability to pay for serious tech support (and I'm talking about a real network and systems administrator, worth at absolute minimum AUD90k p/a, or a regular contractor worth at least AUD90 per hour for at least a day every week) to make sure you're securely firewalled and fully patched 100% of the time, don't run Windows, and don't run any Microsoft products if you can help it.

Unless, of course, you don't value your personal information, anyone else's personal information you might hold, your bandwidth, your sales data, your net banking, or anything else you might use your computer to access. No worries, have fun with that.


Microsoft Danger Sidekick: All your data are belong to bitbucket

For more fun in that space, late last week Microsoft managed to blow away all the storage for all Sidekick mobile customers. As in: boom, gone, no backups. Kiss all your contacts and anything else supposedly securely backed up on their "cloud service" goodbye, unless you were sensible and kept your own offline backup (which isn't an officially supported thing on that platform).

See: T-Mobile Sidekick Disaster: Danger's Servers Crashed, And They Don't Have A Backup. There's a rumour today that Microsoft May Be Able To Restore All Of The Lost Sidekick Data, After All, but so far it's a rumour.

Even if they manage to recover some of the lost data, that will be down to heroic manual data recovery from the SAN disks rather than a routine backup restore. And when I say "routine", I mean that everyone involved in systems administration at any serious level knows full well that you must have a full backup of all data, with a regularly tested and validated restore process, before you commence any kind of important upgrade.

That is industry standard procedure, and has been for many decades. Which Microsoft Danger obviously wasn't following. Of course you can play the "blame the subsidiary" card, but they have been an M$-owned company for long enough, with a high-profile M$ exec moved in to be in charge for long enough, that basic disaster recovery processes should have been in place. There is no valid excuse for that kind of data loss by a corporation. None.
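To make "tested and validated restore before you upgrade" concrete, here is an added example of mine (it is not code from this post, nor anything Microsoft or Danger ran): a small POSIX shell gate that an upgrade script calls first. It takes the backup, writes a checksum manifest of every file, restores the archive into a scratch directory and checks each restored file against the manifest, and only then says the upgrade may start. A truncated or corrupt archive, a missing manifest, or a data directory that isn't there all fail closed. It assumes a POSIX sh with GNU coreutils (tar, sha256sum, find, mktemp); the directory and archive names are placeholders I chose for the illustration.

```shell
#!/bin/sh
# Added example: refuse to start an upgrade until a backup exists AND a trial
# restore of that backup has been checked file by file. Assumes POSIX sh plus
# GNU tar, sha256sum, find and mktemp. Directory and archive names below are
# placeholders chosen for this illustration, not anything from the post.

# abs_path PATH: print PATH as an absolute path so nothing below depends on cwd.
abs_path() {
    case $1 in
        /*) printf '%s\n' "$1" ;;
        *)  printf '%s/%s\n' "$(pwd)" "$1" ;;
    esac
}

# make_backup DATA_DIR BACKUP_FILE
# Archives DATA_DIR into BACKUP_FILE and writes BACKUP_FILE.sha256, a manifest
# of every file's content hash, so that a restore can be checked byte for byte.
make_backup() {
    data_dir=$1
    backup_file=$(abs_path "$2")
    tar -C "$data_dir" -cf "$backup_file" . || return 1
    (cd "$data_dir" && find . -type f -exec sha256sum {} + | LC_ALL=C sort) \
        > "$backup_file.sha256" || return 1
}

# verify_restore BACKUP_FILE
# Restores the archive into a throwaway directory and checks each restored file
# against the manifest. Returns 0 only if the restore reproduces the data; a
# truncated, corrupted or incomplete archive, or a missing manifest, returns 1.
verify_restore() {
    backup_file=$(abs_path "$1")
    manifest=$backup_file.sha256
    [ -f "$backup_file" ] && [ -f "$manifest" ] || return 1
    scratch=$(mktemp -d) || return 1
    status=1
    if tar -C "$scratch" -xf "$backup_file" 2>/dev/null \
       && (cd "$scratch" && sha256sum -c "$manifest" >/dev/null 2>&1); then
        status=0
    fi
    rm -rf "$scratch"
    return $status
}

# pre_upgrade_gate DATA_DIR BACKUP_FILE
# The one call an upgrade script should make before touching anything: it fails
# closed unless the backup was taken and its restore was tested just now.
pre_upgrade_gate() {
    make_backup "$1" "$2" || { echo "backup failed: not upgrading" >&2; return 1; }
    verify_restore "$2"   || { echo "restore test failed: not upgrading" >&2; return 1; }
    echo "backup of $1 verified by trial restore: safe to start the upgrade"
}

# Demo: run as `sh backup_gate.sh --demo` to gate a throwaway, constructed data set.
if [ "${1-}" = "--demo" ]; then
    demo=$(mktemp -d)
    mkdir -p "$demo/data/contacts"
    printf 'BEGIN:VCARD\nFN:Alice Example\nEND:VCARD\n' > "$demo/data/contacts/alice.vcf"
    pre_upgrade_gate "$demo/data" "$demo/pre-upgrade.tar"
    rm -rf "$demo"
fi
```

The point of the scratch-directory restore is that it exercises the same path a real recovery would: if the archive is unreadable, or the manifest and the restored tree disagree, the gate says so before the upgrade starts rather than after the data is gone.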

ETA: Looks like there has been successful data recovery. Microsoft Confirms Data Recovery for Sidekick Users.

Snow Leopard issue

Date: 2009-10-15 06:50 (UTC)
From: [identity profile] drwally.livejournal.com
Hey, you hear about that Snow Leopard bug - where if you log in under a guest account it deletes all your data?

I figure you should be at least impartial when reporting OS issues!

Re: Snow Leopard issue

Date: 2009-10-15 07:14 (UTC)
From: [personal profile] tyggerjai
Oh, it doesn't delete the *guest* data, though - that would be expected behaviour. No, it goes ahead and deletes *admin* account data....

Re: Snow Leopard issue

Date: 2009-10-15 07:43 (UTC)
From: [identity profile] zey.livejournal.com
Was just about to post that one :). Some more info here (http://www.engadget.com/2009/10/12/snow-leopard-guest-account-bug-deleting-user-files-terrorizin/), here (http://www.appleinsider.com/articles/09/10/12/snow_leopard_guest_account_bug_deletes_user_data.html) and here (http://www.macworld.com/article/143286/2009/10/sldataloss.html).

Security holes are certainly bad, but Apple's apparently not even bothering to put the money and effort into the Mac platform these days. Too much iPhone/iPod shiny, I suspect.

Such a pity and a wasted opportunity (for Apple, Linux and ReactOS), as the Windows Vista era left such a gaping vacuum for them to exploit. It's like Microsoft choosing not to take over the spreadsheet market when Lotus 123 dropped the ball. Apple would have cleaned up the market with a sensible value entry-level desktop machine (the Mini's underpowered and overpriced) and a mid-level user-serviceable desktop (ie, a cheaper Mac Pro-like box for home offices). People have been screaming out for those options, but, Apple seems to have stopped listening to their customers. Always a bad sign.

Re: Snow Leopard issue

Date: 2009-10-15 12:30 (UTC)
From: (Anonymous)
Apple's customers have been complaining they're not being listened to since the late 80's. Probably earlier. I'd argue vociferously and at length that the strength of Apple (along with several other A-list companies, most notably Blizzard) is precisely that they don't listen to their customers. Customers are dumb when it comes to telling you what they want - and they often want things that are bad for them.

(morgan without an openid / dw acc yet)

Re: Snow Leopard issue

Date: 2009-10-15 16:46 (UTC)
From: [identity profile] zey.livejournal.com
I'd argue vociferously and at length that the strength of Apple (along with several other A-list companies, most notably Blizzard) is precisely that they don't listen to their customers.

Heh. History's littered with companies who ignored their customers wants until a competitor came through and ate their lunch. Just ask Lotus.

Apple succeeds despite their overpriced and underpowered hardware only because of the perceived worth of their OS software. If they manage to chuck that advantage away, they're completely and utterly stuffed — in the computer industry anyway.

Re: Snow Leopard issue

Date: 2009-10-15 22:24 (UTC)
From: [identity profile] drwally.livejournal.com
Okay big fella, but while you happily lay the boot into MS you were noticeably silent on this one, which smells a little like bias.

DID WINDOWS TOUCH YOU IN THE SWIMSUIT AREA?

Re: Snow Leopard issue

Date: 2009-10-15 23:00 (UTC)
From: [personal profile] kowari
Probably :P but knowing thorf, he probably liked it.

But I get his point of scale. One you can fix with backups and a workaround the other... erm... yeah... oops bye bye secure data.

And the other issue is how many people have .net installed? Farkin' everyone with a windows box which is a LARGE section of the marketplace.

Microsoft still suffers from "people like fucking with MS products", so any tiny hole in their products gets clawed at until it is a gigantic gaping issue. Apple simply doesn't have that culture or market share.

*shrug*

I still advocate horses for courses, and there is a good reason I do all my secure internet transactions on my mactop as much as possible and not on my desktop PC or work PC.

Re: Snow Leopard issue

Date: 2009-10-16 00:38 (UTC)
From: [identity profile] drwally.livejournal.com
Is this the kind of thing you're talking about?

http://www.securityfocus.com/bid/10356/discussion/

http://www.informationweek.com/news/hardware/mac/showArticle.jhtml?articleID=216401181

http://www.symantec.com/business/security_response/attacksignatures/detail.jsp?asid=21139

Re: Snow Leopard issue

Date: 2009-10-16 02:14 (UTC)
From: [identity profile] drwally.livejournal.com
Assuming everyone has the latest OS is a bit of a stretch - or that everyone has time machine or an external drive.

However, while it is fair enough to inform everyone of the gaping arseholes of Windows, you do seem to relish the job.

Re: Snow Leopard issue

Date: 2009-10-16 02:48 (UTC)
From: [identity profile] drwally.livejournal.com
My goodness man, how can you expect MS to fix bugs when they are busy making a new Zune?

It's going to RULE THE WORLD

Re: Snow Leopard issue

Date: 2009-10-16 02:47 (UTC)
From: (Anonymous)
It's even rarer than most people think. It requires that one have enabled guest user access in OS X 10.5 and then upgraded to OS X 10.6 and then used guest access again.

-whitebird/Marshall

Re: Snow Leopard issue

Date: 2009-10-16 04:30 (UTC)
From: [personal profile] tyggerjai
Not only - AFAIK it also requires that the guest session was "forcefully terminated" (i.e. hard reboot/crash), and the next login was with the admin account. If you terminate the guest session by logging out, no problem. If you have a hard reboot and then login as guest, or a non-admin account, also no problem, I gather.

(no subject)

Date: 2009-10-15 08:02 (UTC)
From: [personal profile] ltempt
To be fair, other platforms have had their fair share of weird library bugs causing security problems. For some reason, graphics libraries (I seem to recall libjpeg and libtiff being recent offenders) seem to be regular culprits for this sort of thing.

I've already torn into the Sidekick screwup on my blog - it certainly serves as a timely reminder for those trusting their data to online services (or, "the cloud", to be fashionable).

And sticking it to Microsoft for a hosted service subsidiary screwup? Hardly fair. That'd be like saying Apple couldn't handle an operating system because of the mobile.me outages, HP-UX is worthless because EDS make mistakes, AIX is bug soup because IBM GSA are a pile of loonies -- if you fault the parent company's products for every services screwup, you're left only with platforms too small to have a professional services department.

Erk. I'm posting something that could be construed as being in defence of Microsoft. Lordy.

(no subject)

Date: 2009-10-15 08:08 (UTC)
From: [personal profile] vatine
The Sidekick servers were (as far as I can tell) owned and administered by Microsoft employees. This seems to indicate so, at least. In short, "MS buys Danger, shift ALL the staff to another project. Eventually, the servers fail, chaos ensues."

I don't know to what extent the suspicion about firmware upgrades on a SAN are actually correct, but...

w.r.t. the Danger disaster ...

Date: 2009-10-16 01:22 (UTC)
From: [personal profile] subtle_eye
It's more that Microsoft are attempting to establish themselves in "the cloud" space with their Azure Service Platform when they:
a) are playing catchup to the established players (ie Google, Amazon)
b) have almost no skin in the game (what %ge of business relies on it)
c) can't get it right at this level when they control all the pieces

credibility? nada.
