Author Topic: Info on Windows' WMF Vulnerability  (Read 20820 times)

0 Members and 1 Guest are viewing this topic.

Offline Warrior

  • supreme mac daddy of trolls
  • Hero Member
  • *****
  • Posts: 7503
  • One for a Dime two for a Quarter!
    • View Profile
Re: Info on Windows' WMF Vulnerability
« Reply #30 on: January 08, 2006, 02:17:26 pm »
Well yea they but they take into account the other languages, other factors which may affect the result, best way to fix it, what the repercussions will be (What functionality will they lose), etc..
One must ask oneself: "do I will trolling to become a universal law?" And then when one realizes "yes, I do will it to be such," one feels completely justified.
-- from Groundwork for the Metaphysics of Trolling

Offline iago

  • Leader
  • Administrator
  • Hero Member
  • *****
  • Posts: 17914
  • Fnord.
    • View Profile
    • SkullSecurity
Re: Info on Windows' WMF Vulnerability
« Reply #31 on: January 08, 2006, 02:43:47 pm »
And, why don't they test that?

If I was them, I'd have a test bed server that runs every imaginable variation, and tests them all, with the repercussions, all at once. 

Offline Sidoh

  • x86
  • Hero Member
  • *****
  • Posts: 17634
  • MHNATY ~~~~~
    • View Profile
    • sidoh
Re: Info on Windows' WMF Vulnerability
« Reply #32 on: January 08, 2006, 02:47:43 pm »
Yeah, I really doubt testing takes that long if they make it top priority... just look at how many programmers they have!

Offline Warrior

  • supreme mac daddy of trolls
  • Hero Member
  • *****
  • Posts: 7503
  • One for a Dime two for a Quarter!
    • View Profile
Re: Info on Windows' WMF Vulnerability
« Reply #33 on: January 08, 2006, 06:26:23 pm »
It isn't a matter of testing, it's a matter of analyzing what functionality they lose out of what they patch to restrict the exploit from happening. I'd want to compare that and if it isn't worth it find another way to fix the exploit. Things like that they need to consider.
One must ask oneself: "do I will trolling to become a universal law?" And then when one realizes "yes, I do will it to be such," one feels completely justified.
-- from Groundwork for the Metaphysics of Trolling

Offline Sidoh

  • x86
  • Hero Member
  • *****
  • Posts: 17634
  • MHNATY ~~~~~
    • View Profile
    • sidoh
Re: Info on Windows' WMF Vulnerability
« Reply #34 on: January 08, 2006, 06:29:51 pm »
It isn't a matter of testing, it's a matter of analyzing what functionality they lose out of what they patch to restrict the exploit from happening. I'd want to compare that and if it isn't worth it find another way to fix the exploit. Things like that they need to consider.

Seems like a perfectly valid definition and entailment of testing to me. :)

With something this potentially devastating, they need to get a patch out that prevents people from taking advantage of the exploit and THEN figure out what its negative affects are.

Offline iago

  • Leader
  • Administrator
  • Hero Member
  • *****
  • Posts: 17914
  • Fnord.
    • View Profile
    • SkullSecurity
Re: Info on Windows' WMF Vulnerability
« Reply #35 on: January 08, 2006, 10:29:00 pm »
It isn't a matter of testing, it's a matter of analyzing what functionality they lose out of what they patch to restrict the exploit from happening. I'd want to compare that and if it isn't worth it find another way to fix the exploit. Things like that they need to consider.

Yeah, and yet again, I'll say: why can't that be automated?

Offline igimo1

  • Full Member
  • ***
  • Posts: 420
    • View Profile
Re: Info on Windows' WMF Vulnerability
« Reply #36 on: January 09, 2006, 01:58:29 am »
Innumerable variables in the testing, of course!

Offline Warrior

  • supreme mac daddy of trolls
  • Hero Member
  • *****
  • Posts: 7503
  • One for a Dime two for a Quarter!
    • View Profile
Re: Info on Windows' WMF Vulnerability
« Reply #37 on: January 09, 2006, 02:12:19 am »
You want something to automate something as crucial as that? PCs make mistakes and when automated are assumed to be correct. User made mistakes may be found easily plus save them the embarassment of releasing a bad patch. The entire world isn't a bunch of Linux fanboys sitting around open source, Microsoft is a corperation which needs to satisfy all of it's customers and it makes the best decisions availible buisness wise. I doubt they are going to sacrafice the way they test for a few days (yes a few) of an earlier release. It's not like the patch times between the guy and Microsoft was that incredibly omg off the wall hold the phone long.

@Sidoh: Again, they think for ALL of thier customers and arn't going to potentially make software lose some functionality to again gain a few days of an earlier release.

Like I said it was patched in a timely manner and in an efficient manner. I downloaded and installed the patch and so did the entire hundred zillionjillion that uses Windows. Life goes on.
One must ask oneself: "do I will trolling to become a universal law?" And then when one realizes "yes, I do will it to be such," one feels completely justified.
-- from Groundwork for the Metaphysics of Trolling

Offline iago

  • Leader
  • Administrator
  • Hero Member
  • *****
  • Posts: 17914
  • Fnord.
    • View Profile
    • SkullSecurity
Re: Info on Windows' WMF Vulnerability
« Reply #38 on: January 09, 2006, 02:27:38 am »
You want something to automate something as crucial as that? PCs make mistakes and when automated are assumed to be correct. User made mistakes may be found easily plus save them the embarassment of releasing a bad patch. The entire world isn't a bunch of Linux fanboys sitting around open source, Microsoft is a corperation which needs to satisfy all of it's customers and it makes the best decisions availible buisness wise. I doubt they are going to sacrafice the way they test for a few days (yes a few) of an earlier release. It's not like the patch times between the guy and Microsoft was that incredibly omg off the wall hold the phone long.
I'd trust a computer to test every possibility much sooner than I'd trust a human.  You're right, the world ISN'T a bunch of Linux fanboys sitting around, and humans WON'T find every bug, which is why every path should be exercised, and the only way that's going to happen is with a computer doing it.  As you said, there are dozens of versions, and hundreds of paths involving that code, so do you really expect a human to be able to enumerate all of those better than a computer?  I doubt it. 

Like I said it was patched in a timely manner and in an efficient manner. I downloaded and installed the patch and so did the entire hundred zillionjillion that uses Windows. Life goes on.
Except for the people whose computers got screwed up in the 2 week gap because of Viruses.  And the companies that lost money because their computers were down due to this.  Except people who had information stolen or otherwise abused by malicious hackers with the exploit code.  In the 2 weeks while there was no patch, everybody in the world was a sitting duck.  While Microsoft was waiting for their patch cycle (Microsoft employees had a patch for it a week before they actually released it), people were being exploited and infected because Microsoft doesn't want to make it look like they release too many patches.  God forbid they keep their customers SAFE. 

Offline Warrior

  • supreme mac daddy of trolls
  • Hero Member
  • *****
  • Posts: 7503
  • One for a Dime two for a Quarter!
    • View Profile
Re: Info on Windows' WMF Vulnerability
« Reply #39 on: January 09, 2006, 05:01:04 pm »
Since Humans won't find all bugs I would have a bug nested in the bug testing software which automates the testing. I'm sure however they did use some automation in some areas but leaving it to something to automate the testing is pretty silly.

The information about the patch was fully disclosed and Microsoft patched it within two weeks and ahead of schedule which is a lot to say for the severity of the exploit as explained before. Like with every exploit, people are going to get hurt by it there is nothing stopping that. That guy released a patch along with some other companies, I disagree with Microsoft discouraging the use of them. They work until Microsoft officially released thier patch in which case those applied patches should be uninstalled.
One must ask oneself: "do I will trolling to become a universal law?" And then when one realizes "yes, I do will it to be such," one feels completely justified.
-- from Groundwork for the Metaphysics of Trolling

Offline Chavo

  • x86
  • Hero Member
  • *****
  • Posts: 2219
  • no u
    • View Profile
    • Chavoland
Re: Info on Windows' WMF Vulnerability
« Reply #40 on: January 09, 2006, 06:36:54 pm »
Quote
I disagree with Microsoft discouraging the use of them.
I don't necessarily agree or disagree with whether they should have discouraged it, but its not like its MS being evil, just about any non company that is out for a profit will say the same thing for CYA.

Offline iago

  • Leader
  • Administrator
  • Hero Member
  • *****
  • Posts: 17914
  • Fnord.
    • View Profile
    • SkullSecurity
Re: Info on Windows' WMF Vulnerability
« Reply #41 on: January 09, 2006, 07:34:21 pm »
Since Humans won't find all bugs I would have a bug nested in the bug testing software which automates the testing. I'm sure however they did use some automation in some areas but leaving it to something to automate the testing is pretty silly.

The information about the patch was fully disclosed and Microsoft patched it within two weeks and ahead of schedule which is a lot to say for the severity of the exploit as explained before. Like with every exploit, people are going to get hurt by it there is nothing stopping that. That guy released a patch along with some other companies, I disagree with Microsoft discouraging the use of them. They work until Microsoft officially released thier patch in which case those applied patches should be uninstalled.

Because the testing software would probably be a few hundred lines, maybe a couple thousand, and Windows NT is 40,000,000 lines.  I think I'd trust the testing program to test 40 million lines before I'd trust a human to check 40 million. 

Microsoft left their users vulnerable for 2 weeks to test a 1-line patch.  I stand by the fact that there's no way it should have taken that long, unless they're trying each and every version of Windows individually, which would be dumb, as I already said. 

Offline Warrior

  • supreme mac daddy of trolls
  • Hero Member
  • *****
  • Posts: 7503
  • One for a Dime two for a Quarter!
    • View Profile
Re: Info on Windows' WMF Vulnerability
« Reply #42 on: January 10, 2006, 05:37:29 am »
It isn't checked all at once after it's done (Windows NT) it is tested component by component as it is written. Divide+Conquer type thing.

Now I think thier patch was a little bit more elaborate than one line since it was stated that there were differences between that guy's and Microsoft's which required the user to uninstall that and install the official one since they did some things differently. Of course they didn't test on all platforms one after the other, rather all at once using different teams. Once they saw the situation was getting out of hand and thier own patch leaked, they released it ahead of time.

Do you think Microsoft reads the security sites where information is disclosed? I doubt it the find the source of it themsevles THEN patch it which I would be able to see why there was a 2 week window in the development and release.
One must ask oneself: "do I will trolling to become a universal law?" And then when one realizes "yes, I do will it to be such," one feels completely justified.
-- from Groundwork for the Metaphysics of Trolling

Offline iago

  • Leader
  • Administrator
  • Hero Member
  • *****
  • Posts: 17914
  • Fnord.
    • View Profile
    • SkullSecurity
Re: Info on Windows' WMF Vulnerability
« Reply #43 on: January 10, 2006, 11:07:55 am »
It should be checked all at once, that's what I've been saying this whole thread.  If it's not, then they're dumb. 

Yes, of course they read security sites.  If they don't, they're dumb.

Offline Ergot

  • 吴立峰 ^_^ !
  • x86
  • Hero Member
  • *****
  • Posts: 3724
  • I steal bandwidth. p_o
    • View Profile
Who gives a damn? I fuck sheep all the time.
And yes, male both ends.  There are a couple lesbians that need a two-ended dildo...My router just refuses to wear a strap-on.
(05:55:03) JoE ThE oDD: omfg good job i got a boner thinkin bout them chinese bitches
(17:54:15) Sidoh: I love cosmetology