| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 25 Nov 2008 12:17:56 -0600 From: Paul Schmehl <pschmehl@...rr.com> To: Valdis.Kletnieks@...edu, full-disclosure@...ts.grok.org.uk Subject: Re: Microsoft takes 7 years to 'solve' a problem?! --On Tuesday, November 25, 2008 03:11:01 -0600 Valdis.Kletnieks@...edu wrote: > > That, plus Russ didn't even bother to read the fine article: > > "And to be clear, the impact would have been to render many (or nearly all) > customers' network-based applications then inoperable. For instance, an > Outlook > 2000 client wouldn't have been able to communicate with an Exchange 2000 > server. > > I know the users Russ supports - we'd have needed a body bag for him if > he had chosen that route rather than "not cause a significant impact". > > This wasn't a buffer overflow, the problem was that the NTLM protocol was > screwed up by design - and fixing a protocol bug is usually a *lot* more > painful. If you read between the lines of the article, it appears that MS > added support for a fixed protocol back in XP SP2, and has decided that the > number of pre-SP2 systems out there talking to updated systems has grown small > enough that it's finally practical to flip the switch. That's pretty much the > only way to change a protocol without a flag-day cutover - ship dual-stack > during a transition, and then flip the switch when few enough old-style > machines are left. > > Let's face it - the number of systems that have gotten compromised via > SMBRelay attacks is *far* smaller than the number of boxes pwned just > because they have IE installed and a user at the keyboard. The number of > systems pwned via SMBRelay is *also* a lot smaller than the number of > boxes that would have broken if Microsoft had "fixed" things the way Russ > apparently wanted them to. Weird. We were the ones that reported this issue to Microsoft back in 1998 or 9 (don't recall exactly when now) or at least a part of the issue. Very strange to see it pop up after all these years. Of course they essentially told us the same thing that you describe - can't break everything to fix that one thing - wait for the next release. And you're right - it wasn't a great risk unless you were already in the network in a serious way. -- Paul Schmehl pschmehl@...rr.com _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists