Windows "Security/Reliability". Seriously, stop paying for Microsoft stuff already.

[thorfinn]

Microsoft .NET Remote Code Execution exploit

Similar class of problem as last time with the TCP/IP thing:

From: http://www.auscert.org.au/render.html?it=11798&template=1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                              ESB-2009.1410.2
           Vulnerabilities in the Microsoft .NET Common Language
                 Runtime Could Allow Remote Code Execution
                              15 October 2009

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Microsoft .NET Framework
                   Microsoft Silverlight
Publisher:         Microsoft
Operating System:  Windows 2000
                   Windows XP
                   Windows Server 2003
                   Windows Vista
                   Windows Server 2008
                   Windows 7
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2009-2497 CVE-2009-0091 CVE-2009-0090

Original Bulletin: 
   http://www.microsoft.com/technet/security/bulletin/ms09-061.mspx

That list of Operating System: entries? That's every single supported version of Windows, from XP (which should be end-of-life but isn't), to Windows 7 (the supposedly new "much more secure" shiny thing). They forgot to put Mac OS in the list - if you have Silverlight installed on a Mac somehow (I don't know who uses it), then it's vulnerable too.

Seriously, if you are a normal person, or even a small business with no ability to pay serious tech-support (and I'm talking about a real network and systems administrator, worth at absolute minimum AUD90k p/a, or a regular contractor worth at least AUD90 per hour for at least a day every week) to make sure you're safe and securely firewalled and patched 100% of the time, don't run Windows, and don't run any Microsoft products if you can help it.

Unless, of course, you don't value about your personal information, anyone else's personal information you might have, your bandwidth, your sales data, your netbanking, and anything else that you might use your computer to access. No worries, have fun with that.

---

Microsoft Danger Sidekick: All your data are belong to bitbucket

For more fun in that space, late last week, Microsoft managed to blow away all the storage for all Sidekick mobile customers. As in, boom, gone, no backups, kiss all your contacts and anything else supposedly securely backed on their "cloud service" goodbye, unless you were sensible and had your own offline backup (which isn't an officially supported thing on that platform).

See:
T-Mobile Sidekick Disaster: Danger’s Servers Crashed, And They Don’t Have A Backup. There's a rumour today that
Microsoft May Be Able To Restore All Of The Lost Sidekick Data, After All, but so far it's a rumour.

Even if they manage to recover some of the lost data, that's going to be due to heroic manual data recovery of the SAN disks, rather than routine backup restoration. And when I say "routine", I mean - everyone involved in Systems Administration at any serious level knows full well that you have to have a full backup of all data with a regularly tested and validated restore process before you commence any kind of important upgrade.

That is industry standard procedure, and has been industry standard procedure for many decades. Which Microsoft Danger obviously wasn't following. Of course you can play the "blame the subsidiary" card - but they've been a M$ owned company for long enough, with a high profile M$ exec moved in to be in charge for long enough, that basic disaster recovery processes should be in place. There isn't any valid excuse for that kind of data loss by a corporation. None.

ETA: Looks like there has been successful data recovery. Microsoft Confirms Data Recovery for Sidekick Users.

Comments

Re: Snow Leopard issue

[drwally.livejournal.com]

Is this the kind of thing you're talking about?

http://www.securityfocus.com/bid/10356/discussion/

http://www.informationweek.com/news/hardware/mac/showArticle.jhtml?articleID=216401181

http://www.symantec.com/business/security_response/attacksignatures/detail.jsp?asid=21139

Re: Snow Leopard issue

[thorfinn]

Link one? Mac OS 10.3... that's Panther, 3 major versions ago.

Link two, yes, 10.5.6 (Leopard), march this year, but no actual remote code exploit present. Yes, potential for one in Appletalk though. That sort of thing is why one should not turn sharing type stuff on anywhere except inside a nice firewalled area, regardless of your OS.

Link three? Mac OS 10.3 again, and the same issue as Link One.

Re: Snow Leopard issue

[drwally.livejournal.com]

Assuming everyone has the latest OS is a bit of a stretch - or that everyone has time machine or an external drive.

However, while it is fair enough to inform everyone of the gaping arseholes of Windows, you do seem to relish the job.

Re: Snow Leopard issue

[thorfinn]

I don't think anyone is running Panther any more... I'm pretty sure that's G3 Macs and earlier, and all those machines are years past end-of-life. Anybody running that is in the same boat as people running Windows98. Hilarious retro fun, but don't expect new patches.

It's not like this (and the previous) MS vulnerabilities haven't been fixed - if you run your software update, you'll get the patch that fixes it, and MS will even helpfully force reboot your machine for you so you get the patch whether you like it or not. And those Leopard issues have long been fixed too.

The point is that this kind of thing should have been fixed inside MS years and years ago, and it hasn't been. Apple at least have a pretty serious focus internally on their engineering processes. They don't always get it right, and I'd be surprised if anyone got it right 100% of the time. Hell, even Google don't, and they've got probably the smartest set of bodies on deck as far as software and systems engineering goes. It's a question of whether there's process that encourages improvement or not, and whether you actually try to fix these issues, or whether you just ignore them and shrug.

As far as it goes, yes, I do enjoy putting the boot in - because this space (software and systems reliability engineering) is an awful lot of what I do professionally. I know exactly how possible it is to get this stuff right - and there really isn't an excuse for not doing it right, or at least close to right, most of the time.

Not doing so is a major sign of either huge internal structural issues, or sheer "don't care about your customers" laziness, or possibly some of both.

Re: Snow Leopard issue

[drwally.livejournal.com]

My goodness man, how can you expect MS to fix bugs when they are busy making a new Zune?

It's going to RULE THE WORLD

Re: Snow Leopard issue

[thorfinn]

*chuckle*

I for one welcome our new Zune overlords?

*dons bugsuit*

Re: Snow Leopard issue

[thorfinn]

As for Time Machine and external drive? That's been standard highly encouraged behaviour on new apple gear since Leopard came out a few years back. And it is that easy - buy an external disk, plug it in, Time Machine Just Works, you have a good set of backups.

Vista and Win 7 actually have similar functionality... if you buy the business version. Why the business version only? Price gouging. It could be in the consumer version... It isn't.