![[personal profile]](https://www.dreamwidth.org/img/silk/identity/user.png){kind=small}
thorfinnMicrosoft .NET Remote Code Execution exploit
Similar class of problem as last time with the TCP/IP thing:
From: http://www.auscert.org.au/render.html?it=11798&template=1
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2009.1410.2
Vulnerabilities in the Microsoft .NET Common Language
Runtime Could Allow Remote Code Execution
15 October 2009
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Microsoft .NET Framework
Microsoft Silverlight
Publisher: Microsoft
Operating System: Windows 2000
Windows XP
Windows Server 2003
Windows Vista
Windows Server 2008
Windows 7
Impact/Access: Execute Arbitrary Code/Commands -- Remote/Unauthenticated
Resolution: Patch/Upgrade
CVE Names: CVE-2009-2497 CVE-2009-0091 CVE-2009-0090
Original Bulletin:
http://www.microsoft.com/technet/security/bulletin/ms09-061.mspx
That list of Operating System: entries? That's every single supported version of Windows, from XP (which should be end-of-life but isn't), to Windows 7 (the supposedly new "much more secure" shiny thing). They forgot to put Mac OS in the list - if you have Silverlight installed on a Mac somehow (I don't know who uses it), then it's vulnerable too.
Seriously, if you are a normal person, or even a small business with no ability to pay serious tech-support (and I'm talking about a real network and systems administrator, worth at absolute minimum AUD90k p/a, or a regular contractor worth at least AUD90 per hour for at least a day every week) to make sure you're safe and securely firewalled and patched 100% of the time, don't run Windows, and don't run any Microsoft products if you can help it.
Unless, of course, you don't value about your personal information, anyone else's personal information you might have, your bandwidth, your sales data, your netbanking, and anything else that you might use your computer to access. No worries, have fun with that.
Microsoft Danger Sidekick: All your data are belong to bitbucket
For more fun in that space, late last week, Microsoft managed to blow away all the storage for all Sidekick mobile customers. As in, boom, gone, no backups, kiss all your contacts and anything else supposedly securely backed on their "cloud service" goodbye, unless you were sensible and had your own offline backup (which isn't an officially supported thing on that platform).
See:
T-Mobile Sidekick Disaster: Danger’s Servers Crashed, And They Don’t Have A Backup. There's a rumour today that
Microsoft May Be Able To Restore All Of The Lost Sidekick Data, After All, but so far it's a rumour.
Even if they manage to recover some of the lost data, that's going to be due to heroic manual data recovery of the SAN disks, rather than routine backup restoration. And when I say "routine", I mean - everyone involved in Systems Administration at any serious level knows full well that you have to have a full backup of all data with a regularly tested and validated restore process before you commence any kind of important upgrade.
That is industry standard procedure, and has been industry standard procedure for many decades. Which Microsoft Danger obviously wasn't following. Of course you can play the "blame the subsidiary" card - but they've been a M$ owned company for long enough, with a high profile M$ exec moved in to be in charge for long enough, that basic disaster recovery processes should be in place. There isn't any valid excuse for that kind of data loss by a corporation. None.
ETA: Looks like there has been successful data recovery. Microsoft Confirms Data Recovery for Sidekick Users.
Re: Snow Leopard issue
Date: 2009-10-15 12:02 (UTC)Remote code exploits just aren't supposed to exist any more, and they mean your computer can be compromised any time you go touch something on the Internet.
Re: Snow Leopard issue
Date: 2009-10-15 22:24 (UTC)DID WINDOWS TOUCH YOU IN THE SWIMSUIT AREA?
Re: Snow Leopard issue
Date: 2009-10-15 23:00 (UTC)But I get his point of scale. One you can fix with backups and a workaround the other... erm... yeah... oops bye bye secure data.
And the other issue is how many people have .net installed? Farkin' everyone with a windows box which is a LARGE section of the marketplace.
Microsoft still suffers from "people like fucking with MS products" so any tiny hole in their products gets clawed at until it is a gigantic gaping issue. Apple simply doesnt have that culture or marketshare.
*shrug*
I still advocate horses for courses, and there is a good reason I do all my secure internet transactions on my mactop as much as possible and not on my desktop PC or work PC.
Re: Snow Leopard issue
Date: 2009-10-16 00:12 (UTC)If I reported every time some vanishingly <1% percentage of the M$ install base had a problem (which is the scale of the bug you're talking about), I'd never be doing anything else.
That's not bias, that's picking the scale of reporting.
Seriously - remote code exploits have been known about for decades now, and how to ELIMINATE THEM COMPLETELY has been known about for decades. There actually is genuinely no excuse to have them in any code written by software engineers working for a large company, that can absolutely afford the resources to fix the problem.
It should take any competent toolsmith about a week to write a utility to identify *every single line of code* that might be a remote code exploit possibility. Give them a few months and they should be able to enhance the heuristics to suit the specific codebase, and even potentially make changes in a semi-automated fashion.
There is no excuse for not doing that. Really. None.
Re: Snow Leopard issue
Date: 2009-10-16 00:38 (UTC)http://www.securityfocus.com/bid/10356/discussion/
http://www.informationweek.com/news/hardware/mac/showArticle.jhtml?articleID=216401181
http://www.symantec.com/business/security_response/attacksignatures/detail.jsp?asid=21139
Re: Snow Leopard issue
Date: 2009-10-16 01:57 (UTC)Link two, yes, 10.5.6 (Leopard), march this year, but no actual remote code exploit present. Yes, potential for one in Appletalk though. That sort of thing is why one should not turn sharing type stuff on anywhere except inside a nice firewalled area, regardless of your OS.
Link three? Mac OS 10.3 again, and the same issue as Link One.
Re: Snow Leopard issue
Date: 2009-10-16 02:14 (UTC)However, while it is fair enough to inform everyone of the gaping arseholes of Windows, you do seem to relish the job.
Re: Snow Leopard issue
Date: 2009-10-16 02:41 (UTC)It's not like this (and the previous) MS vulnerabilities haven't been fixed - if you run your software update, you'll get the patch that fixes it, and MS will even helpfully force reboot your machine for you so you get the patch whether you like it or not. And those Leopard issues have long been fixed too.
The point is that this kind of thing should have been fixed inside MS years and years ago, and it hasn't been. Apple at least have a pretty serious focus internally on their engineering processes. They don't always get it right, and I'd be surprised if anyone got it right 100% of the time. Hell, even Google don't, and they've got probably the smartest set of bodies on deck as far as software and systems engineering goes. It's a question of whether there's process that encourages improvement or not, and whether you actually try to fix these issues, or whether you just ignore them and shrug.
As far as it goes, yes, I do enjoy putting the boot in - because this space (software and systems reliability engineering) is an awful lot of what I do professionally. I know exactly how possible it is to get this stuff right - and there really isn't an excuse for not doing it right, or at least close to right, most of the time.
Not doing so is a major sign of either huge internal structural issues, or sheer "don't care about your customers" laziness, or possibly some of both.
Re: Snow Leopard issue
Date: 2009-10-16 02:48 (UTC)It's going to RULE THE WORLD
Re: Snow Leopard issue
Date: 2009-10-16 02:52 (UTC)I for one welcome our new Zune overlords?
*dons bugsuit*
Re: Snow Leopard issue
Date: 2009-10-16 02:52 (UTC)Vista and Win 7 actually have similar functionality... if you buy the business version. Why the business version only? Price gouging. It could be in the consumer version... It isn't.
Re: Snow Leopard issue
Date: 2009-10-16 02:47 (UTC)-whitebird/Marshall
Re: Snow Leopard issue
Date: 2009-10-16 04:30 (UTC)