
Microsoft Security Update To Patch DOS Bug, and 25 Other Holes

     

engine

2:58 pm on Feb 5, 2010 (gmt 0)

WebmasterWorld Administrator engine is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month Best Post Of The Month



Microsoft Security Update To Patch DOS Bug, and 25 Other Holes [news.bbc.co.uk]
A 17-year-old bug in Windows will be patched by Microsoft in its latest security update.

The February update for Windows will close the loophole that involves the venerable DOS operating system.

First appearing in Windows NT 3.1, the vulnerability has been carried over into almost every version of Windows that has appeared since.

The monthly security update will also tackle a further 25 holes in Windows, five of which are rated as "critical".

rollinj

6:30 pm on Feb 5, 2010 (gmt 0)

5+ Year Member



I don't get it... does MS really not care about security? Is it in their best interest to keep their OS unsafe?

This vulnerability was no doubt floating around "for sale" in one of those other reputable online forums... MS has billions of dollars, go buy them up!

Maybe they're already doing this and I have no idea what I'm talking about?

scotland

6:32 pm on Feb 5, 2010 (gmt 0)

5+ Year Member



It is crazy that many web and computer users in the world will not even know what DOS is, and there is a security flaw that can affect most of their computers.

I used to love (well maybe too strong a word) using DOS, then came the graphical user interface to file management and that just seemed so easy to use.

physics

6:58 pm on Feb 5, 2010 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Wow, a bug that's older than many users of Windows.

Windows is not insecure just because it's the most popular OS. All OS's are not created equal. Just like all cars are not created equal and you wouldn't expect a Pinto to be as safe as a Volvo.
It's insecure because it was fundamentally never designed to be a 'network' OS - it was designed as a desktop OS. Compare this to Linux and, yes, Mac OS X, which were always designed with security and networking in mind. And clearly there's been no push to re-work the kernel of Windows to be more secure. And this is not impossible - Apple did it when they completely reworked their OS to be based on FreeBSD (an open source UNIX variant [apple.com...] [apple.com...] ).
This DOS bug is a perfect example of how a closed-source desktop-centric OS like Windows/DOS is bound to be less secure than an open-source network-focused OS like Linux or Mac OS X. Do you really think a security hole would stick around this long in an open source OS?

trillianjedi

8:02 pm on Feb 5, 2010 (gmt 0)

WebmasterWorld Senior Member trillianjedi is a WebmasterWorld Top Contributor of All Time 10+ Year Member



Apple did it when they completely reworked their OS to be based on FreeBSD


They didn't re-work anything, they just bought NeXT ;)

It turned out to be a shrewd move as the original Apple OS was also developed originally as a desktop OS.

MS doesn't have the experience in networking that it really needs, at its core.

I think it would be a highly shrewd move for MS to purchase a UNIX-like variant from which to base future releases.

Lots of upfront pain, but in the long term I really believe they'll need it.

Ocean10000

9:20 pm on Feb 5, 2010 (gmt 0)

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month



<rant>
If any of you noticed, this isn't talking about DOS based OS's. It is actually talking about Windows NT based OS's, which was a ground up rebuild with more security in mind.
</rant>

The problems being patched (at least my understanding) are in how Microsoft maintain compatibility with some older applications, thus making themselves vulnerable to attack. These older applications had bugs in them, but instead of Microsoft making them release fixes, they built a compatibility layer to work around these bugs.

Seb7

11:56 pm on Feb 5, 2010 (gmt 0)

5+ Year Member



ground up rebuild

They said this, and we believed it. But somehow some of the old bugs from the previous versions still appeared. (I noticed a few bugs from old, myself.)

KenB

1:21 am on Feb 6, 2010 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



If any of you noticed, this isn't talking about DOS based OS's. It is actually talking about Windows NT based OS's,

Good point that bears repeating.

On Win9x OS, Windows ran on top of DOS. On WinNT based OSes, everything from WinNT4 & Win2K on, DOS runs as an emulator within Windows. I don't remember which way WinNT3.51 ran, but based on this bug I'd guess DOS was emulated.

JS_Harris

7:25 am on Feb 6, 2010 (gmt 0)

WebmasterWorld Senior Member 5+ Year Member



I had an Adobe patch try to install today, I knew a Windows patch was coming. I wonder what new monitoring techniques are incorporated into this round of patches.

kaled

1:36 pm on Feb 6, 2010 (gmt 0)

WebmasterWorld Senior Member kaled is a WebmasterWorld Top Contributor of All Time 10+ Year Member



Are there any details anywhere about what this bug permitted?
Presumably, it somehow allowed limited-access users to make unauthorised changes - this suggests that DOS shells run at a higher privilege than the user or some serious code hacks are required to make it work. And if those code hacks worked for DOS emulation, might they still work elsewhere?

On Win9x OS, Windows ran on top of DOS.
I'm afraid this is one of those myths that every computer-magazine guru on the planet repeated. 16bit DOS merely bootstrapped 32bit Windows. DOS programs ran in emulation on Win 9x (unless running in DOS mode). Although Win9x supported use of some 16bit drivers (mainly to allow old hardware such as printers to be used) other drivers were 32bit meaning that IO calls, etc were not passed to an underlying 16bit DOS layer.

Kaled.

KenB

2:32 pm on Feb 6, 2010 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



I'm afraid this is one of those myths that every computer-magazine guru on the planet repeated. 16bit DOS merely bootstrapped 32bit Windows. DOS programs ran in emulation on Win 9x (unless running in DOS mode). Although Win9x supported use of some 16bit drivers (mainly to allow old hardware such as printers to be used) other drivers were 32bit meaning that IO calls, etc were not passed to an underlying 16bit DOS layer.

Very interesting. This just proves that a lie repeated often enough becomes a commonly known "fact".

So the big difference between the WinNT branch and the Win9x branch is that on Win9x DOS still existed but that once it initiated Windows its job was done. On WinNT Windows booted itself. Am I understanding this correctly?

kaled

4:55 pm on Feb 6, 2010 (gmt 0)

WebmasterWorld Senior Member kaled is a WebmasterWorld Top Contributor of All Time 10+ Year Member



That's about the gist of it, but a full implementation of DOS 7 (I think) was included with Windows 95 to allow DOS Mode to work.

Another myth that every computer-magazine guru on the planet repeated was that CD drives had to be installed on a different IDE channel otherwise performance would be seriously compromised - I believe this started because very early IDE drives could be synchronised and would run at the speed of the slower drive!

Kaled.
 
