News MS investigates SharePoint zero-day

Discussion in 'Article Discussion' started by CardJoe, 30 Apr 2010.

  1. CardJoe

    CardJoe Freelance Journalist

    Joined:
    3 Apr 2007
    Posts:
    11,346
    Likes Received:
    316
  2. Andy Mc

    Andy Mc Modder

    Joined:
    23 May 2002
    Posts:
    1,743
    Likes Received:
    133
    If High-Tech Bridge had not done this I think M$ would have dragged their feet in patching the exploit. Now they have been forced to look into the problem and address the hole.
     
  3. Javerh

    Javerh Topiary Golem

    Joined:
    5 Sep 2006
    Posts:
    1,045
    Likes Received:
    26
    "We're sorry that we had to kick you in the face to show you how easy it is to kick you in the face."
     
  4. RichCreedy

    RichCreedy Hey What Who

    Joined:
    24 Apr 2009
    Posts:
    4,698
    Likes Received:
    172
    they perhaps shouldn't have released proof-of-concept exploit code
     
  5. Andy Mc

    Andy Mc Modder

    Joined:
    23 May 2002
    Posts:
    1,743
    Likes Received:
    133
    To be honest I don't think it would have made any difference if the code was not released, as the disclosure would have detailed the issue and any professional hacker would have been able to write their own working code from it.
     
  6. ev1lm1nd666

    ev1lm1nd666 What's a Dremel?

    Joined:
    23 Apr 2009
    Posts:
    118
    Likes Received:
    1
    +1 couldn't have said it better myself
     
  7. eddtox

    eddtox Homo Interneticus

    Joined:
    7 Jan 2006
    Posts:
    1,296
    Likes Received:
    15
    Meh, two weeks is a long time on the internet. With something this severe, MS should have been much quicker off the block.
     
  8. aussiebear

    aussiebear What's a Dremel?

    Joined:
    13 Nov 2008
    Posts:
    36
    Likes Received:
    8
    You give 6 months for the developer to address the issue. It's common courtesy.

    On the other hand, if you do NOT force Microsoft's hand; they tend to conveniently leave such reports on the shelf for over several months. (Even years.)

    It's commonly known that Microsoft doesn't address security problems unless you force their hand. The problem is the internal structure and politics of the company. (It results in them being slow to respond to anything.)

    Many end-users think it's the hackers and security researchers being the problem. Understand that they are the ones that have time and time again shown that there is something wrong with MS solutions. They are broadcasting an obvious signal...The problem is: No one is listening to the obvious!

    Few have actually realised computer security sloppiness for the average consumer is because of the way Microsoft has done things.

    Think about it...

    (1) They are willing to compromise security for usability...Then cover a flawed implementation with market spinning.

    eg: Windows 7's UAC default setting is flawed. It automatically allows one to run code embedded in a DLL with FULL admin privileges. As the setting auto-trusts rundll32.exe without warning the user...It means I can write malware and you won't be notified when the malware uses admin privileges to execute code...You need to set it to "Always Notify". But then, this behaves exactly like it did in Vista!

    To cover this up: MS marketing has said Windows 7's UAC isn't a "security boundary". That's BS. They know it. They just won't admit they f**ked up with the design because it will potentially kill their Windows 7 sales. (Windows 7 is what's really making MS money; while they burn a truck load of cash on their Bing in order to compete with Google...Check their recent financial reports; you'll see this.)

    (2) Their implementations are sloppy in security.

    Here's what I mean: At a fundamental level, the way they do things sounds nice on paper and in marketing. But when it comes to actually implementing things or testing them on the real battlefield that is the Internet, it's a bit of a joke.

    All those mechanisms like ASLR, DEP, Protected Mode, etc sound great for marketing security for Windows.

    In reality? Every competent hacker or "security researcher" knows how to circumvent them. They do nothing when the code itself is flawed. (This is why IE loses in the annual Pwn2Own competition...IE needs to be re-written completely. This isn't going to happen as it costs time, money, and resources.)

    (3) Poor default settings.

    The way they offer things by default is like giving a teenager free access to a can of petrol and some matches...Then letting them loose.

    Windows is an "Allow by default" system. The reason for this is that they want it to be as easy as possible...The way they go about it is flawed from a security perspective.

    Then to compensate for this flaw, people are led to believe security can be achieved by installing anti-malware applications. These actually fail miserably in the real world. The AV approach doesn't work against serious threats. It is a reaction. It will always be behind...And AV companies cannot keep up with the sheer number and variants of crap out there.

    The hard reality is that people need to change their approach to computing. ie: "Deny by default".

    It means only installing known clean/legit apps and denying stupid behaviour.

    I did this for a company: Employees complain how they can't do this and that...

    We respond by: "You aren't paid to play, view porn, social network, or install programs at your leisure. You're here to do a job you're being paid for. We've provided the applications you need for that job. If you want to do all that other stuff, do it on your own time and your own systems."

    Result? Malware issues no longer exist. We have more problems with flaky quality hardware.


    My overall point is this:

    Without hackers and other talented individuals, companies like Microsoft, Apple, Adobe, etc wouldn't care about security. The end-user or consumer would be completely oblivious to how flakily things are being implemented. (Why would they care if the money keeps rolling in?)

    As a paying customer of Microsoft products; you folks must demand more from them.

    ...Because the software you're getting isn't worth what they're asking for.

    ie: For every dollar you are spending on software that bombs, has security issues, requires endless patching, etc; you're getting 59 cents worth of value.

    That's from a guy I know who designs/implements highly reliable software...The kind of software that you can bet your life on; that regularly passes US's NSA scrutiny; and where the only bugs found, are due to typos in the documentation.
     
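The UAC setting aussiebear describes above can be audited and raised from a script. This is an added example, not code from the thread or from Microsoft; it assumes the documented UAC policy values under the Policies\System key (Windows 7 and later) and an elevated shell for the remediation step.

```powershell
# Added example: audit the UAC level discussed in the post and, if asked,
# raise it to "Always notify". Assumed registry semantics:
#   EnableLUA                  1 = UAC enabled
#   ConsentPromptBehaviorAdmin 5 = Windows 7 default (prompt only for
#                                  non-Windows binaries, the behaviour the
#                                  post objects to); 2 = prompt on every elevation
#   PromptOnSecureDesktop      1 = prompt on the secure desktop
$UacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-UacState {
    $p = Get-ItemProperty -Path $UacKey
    [pscustomobject]@{
        EnableLUA                  = $p.EnableLUA
        ConsentPromptBehaviorAdmin = $p.ConsentPromptBehaviorAdmin
        PromptOnSecureDesktop      = $p.PromptOnSecureDesktop
        # "Always notify" in the UAC slider corresponds to this combination
        AlwaysNotify = ($p.EnableLUA -eq 1 -and
                        $p.ConsentPromptBehaviorAdmin -eq 2 -and
                        $p.PromptOnSecureDesktop -eq 1)
    }
}

function Set-UacAlwaysNotify {
    # Needs an elevated prompt; takes effect at next sign-in or reboot.
    Set-ItemProperty -Path $UacKey -Name EnableLUA -Value 1 -Type DWord
    Set-ItemProperty -Path $UacKey -Name ConsentPromptBehaviorAdmin -Value 2 -Type DWord
    Set-ItemProperty -Path $UacKey -Name PromptOnSecureDesktop -Value 1 -Type DWord
}

$state = Get-UacState
$state | Format-List
if (-not $state.AlwaysNotify) {
    Write-Warning 'UAC is below "Always notify": some Windows binaries can elevate without prompting the user.'
    # Uncomment to remediate from an elevated shell:
    # Set-UacAlwaysNotify
}
```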
  9. thehippoz

    thehippoz What's a Dremel?

    Joined:
    19 Dec 2008
    Posts:
    5,780
    Likes Received:
    174
    good post aussiebear.. couldn't have said it better

    they are getting the failed mohave experiment to roll in some money

    the uac has bothered me in 7 since it released.. really it's a joke to have it ship on that setting- not to mention whitelist a number of set apps like notepad.exe

    guys were getting elevated without any warnings during rc.. but to credit them- a lot of people were running with the uac off in vista anyways (basically they didn't know how to use the task scheduler to run elevated)

    it is a bit more user friendly and they did a lot of the tweaks needed right out of the box.. far as sharepoint- doesn't surprise anyone really

    when you look at proprietary software.. this will always happen- it's a small group of programmers
     
  10. MSHunter

    MSHunter Minimodder

    Joined:
    24 Apr 2009
    Posts:
    2,467
    Likes Received:
    55
    just use Linux and run windows in sandbox when you need it. Never run in SU and you will notice that you no longer need AV because you have to input the SU password to install software, which gives you a moment to go... hhmmm?? do I think this is a safe piece of software from a reputable source?

    Though I guess this does pre-suppose a certain level of "PC know how"
    (there goes a big percentage of users). Sometimes I forget how little the average Joe knows about PCs and windows

    "that thing that keeps my feet warm at work" (from a service line call)

    I will never forget that one......
     
  11. knutjb

    knutjb What's a Dremel?

    Joined:
    9 Mar 2009
    Posts:
    62
    Likes Received:
    0
    So easy to slam MS. What is missing is that ALL companies have to evaluate the severity of a flaw, risk management. Maybe this particular vulnerability is likely to be accessed under certain conditions. Or it could be this code could have significant consequences on certain hardware or other software configurations. Any fix must be validated to ensure the fix doesn't become a bigger problem than the original flaw. I don't have first-hand experience with MS but this knee-jerk reaction happens every time someone finds a flaw.

    What is the motivation of High-Tech Bridge? Is it genuine or are they drumming up business? No, I am not implying that they are but merely suggesting that such questions need to be asked. If it is so easy to slam MS, don't forget to look at who is crying foul and why.

    To those who love pointing out Linux is so secure, or that Apple is so safe, it is only because they are small, proprietary, and MS is so big. If MS falls by the wayside hackers will focus their attention on Linux, Apple, or whoever were to fill the void. It's the nature of the beast.

    Sounds like I am defending MS? No. Just that the perpetual, one-sided knee-jerk reactions that follow every announcement like this are long on critique, short on overall system management process understanding, and sound naive to me.
     