[OT] Microsoft to patch 17-year-old computer bug

D. Hugh Redelmeier hugh-pmF8o41NoarQT0dZR+AlfA at public.gmane.org
Fri Feb 5 15:01:58 UTC 2010


| From: Stephen <stephen-d-bJEeYj9oJeDQT0dZR+AlfA at public.gmane.org>

| http://news.bbc.co.uk/2/hi/technology/8499859.stm
| 
| Now they can start working on the 16 year old bugs.

I inferred from the BBC article that Microsoft just learned of the
problem and will fix it soon.

	"The ancient bug was discovered by Google security researcher
	Tavis Ormandy in January 2010 and involves a utility that
	allows newer versions of Windows to run programs that date
	from the DOS era."

In fact, Ormandy says:

	"Microsoft was informed about this vulnerability on 12-Jun-2009, and
	they confirmed receipt of my report on 22-Jun-2009."
See
http://archives.neohapsis.com/archives/fulldisclosure/2010-01/0346.html
(Perhaps it was only a 16 year old bug then.)

See that article anyway.  It shows how intricate the flaw is.  It has
nothing to do with "a utility" as far as I can see.

I seem to remember that the DOS support is not in 64-bit Vista and 7
so they may not have this weakness.

Lessons:

- complicated interfaces are hard to secure and it is hard to be confident 
  of their security

- news reports, even from the BBC, are often inaccurate. 

- The inaccuracies have random effects.  In this case, one makes MS
  look better (suppresses the fact that they have known about the bug
  for 6 months), even though the net effect of the article is to make
  MS look worse than I feel is warranted.

- obscure bugs matter a lot when they hit the front pages (think
  Toyota perhaps -- hard to tell that one)
--
The Toronto Linux Users Group.      Meetings: http://gtalug.org/
TLUG requests: Linux topics, No HTML, wrap text below 80 columns
How to UNSUBSCRIBE: http://gtalug.org/wiki/Mailing_lists




