lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Tue, 25 Nov 2008 04:11:01 -0500
From: Valdis.Kletnieks@...edu
To: full-disclosure@...ts.grok.org.uk
Subject: Re: Microsoft takes 7 years to 'solve' a problem?!

On Tue, 25 Nov 2008 03:07:49 EST, "Randal T. Rioux" said:
> On Tue, November 25, 2008 1:44 am, Memisyazici, Aras wrote:
> <SSNNIIPP>
> > OK... Maybe I'm going a bit extreme, but WTH?! Am I the only one who is
> > interpreting this, this way? Really? When has releasing a solution to a
> > problem 7 years later ever been acceptable?
> 
> May not be acceptable, but it is standard practice with some "software"
> companies.

That, plus Russ didn't even bother to read the fine article:

"And to be clear, the impact would have been to render many (or nearly all)
customers' network-based applications then inoperable. For instance, an Outlook
2000 client wouldn't have been able to communicate with an Exchange 2000 server.

I know the users Russ supports - we'd have needed a body bag for him if
he had chosen that route rather than "not cause a significant impact".

This wasn't a buffer overflow, the problem was that the NTLM protocol was
screwed up by design - and fixing a protocol bug is usually a *lot* more
painful.  If you read between the lines of the article, it appears that MS
added support for a fixed protocol back in XP SP2, and has decided that the
number of pre-SP2 systems out there talking to updated systems has grown small
enough that it's finally practical to flip the switch.  That's pretty much the
only way to change a protocol without a flag-day cutover - ship dual-stack
during a transition, and then flip the switch when few enough old-style
machines are left.

Let's face it - the number of systems that have gotten compromised via
SMBRelay attacks is *far* smaller than the number of boxes pwned just
because they have IE installed and a user at the keyboard. The number of
systems pwned via SMBRelay is *also* a lot smaller than the number of
boxes that would have broken if Microsoft had "fixed" things the way Russ
apparently wanted them to.

Content of type "application/pgp-signature" skipped

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ