[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <8a6b8e350811250448s24381bd0wcd55e12a21fdd848@mail.gmail.com>
Date: Tue, 25 Nov 2008 14:48:34 +0200
From: "James Matthews" <nytrokiss@...il.com>
To: Valdis.Kletnieks@...edu
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Microsoft takes 7 years to 'solve' a problem?!
I think in that effect they didn't feel they had to put the resources in to
fix it because it wasn't worth the money.
On Tue, Nov 25, 2008 at 11:11 AM, <Valdis.Kletnieks@...edu> wrote:
> On Tue, 25 Nov 2008 03:07:49 EST, "Randal T. Rioux" said:
> > On Tue, November 25, 2008 1:44 am, Memisyazici, Aras wrote:
> > <SSNNIIPP>
> > > OK... Maybe I'm going a bit extreme, but WTH?! Am I the only one who is
> > > interpreting this, this way? Really? When has releasing a solution to a
> > > problem 7 years later ever been acceptable?
> >
> > May not be acceptable, but it is standard practice with some "software"
> > companies.
>
> That, plus Russ didn't even bother to read the fine article:
>
> "And to be clear, the impact would have been to render many (or nearly all)
> customers' network-based applications then inoperable. For instance, an
> Outlook
> 2000 client wouldn't have been able to communicate with an Exchange 2000
> server.
>
> I know the users Russ supports - we'd have needed a body bag for him if
> he had chosen that route rather than "not cause a significant impact".
>
> This wasn't a buffer overflow, the problem was that the NTLM protocol was
> screwed up by design - and fixing a protocol bug is usually a *lot* more
> painful. If you read between the lines of the article, it appears that MS
> added support for a fixed protocol back in XP SP2, and has decided that the
> number of pre-SP2 systems out there talking to updated systems has grown
> small
> enough that it's finally practical to flip the switch. That's pretty much
> the
> only way to change a protocol without a flag-day cutover - ship dual-stack
> during a transition, and then flip the switch when few enough old-style
> machines are left.
>
> Let's face it - the number of systems that have gotten compromised via
> SMBRelay attacks is *far* smaller than the number of boxes pwned just
> because they have IE installed and a user at the keyboard. The number of
> systems pwned via SMBRelay is *also* a lot smaller than the number of
> boxes that would have broken if Microsoft had "fixed" things the way Russ
> apparently wanted them to.
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
--
http://www.goldwatches.com/
http://www.jewelerslounge.com/luxury-watch-safe
Content of type "text/html" skipped
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists