Controversial Microsoft Security Fixes Have Company on Security Defensive

If you go to http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/Bulletin/MS04-007.asp and expand "Security Update Information", and then expand the areas underneath that, you'll find dates on the dlls for different platforms.

Windows 2003 - Oct 23
Windows 2003 64 - Oct 23
Windows XP - Sep 19
Windows XP 64 - Oct 23
Windows 2000 - Sep 19
Windows NT - Sep 21

It looks to me like Microsoft had the patches written in short order, but then wanted to do extensive regression testing against everything that uses msasn1.dll.

"Microsoft Chairman and Chief Software Architect Bill Gates recently alleged that Windows is more secure than any OS alternatives because the system has been so thoroughly tested in the real world through constant attacks;"

Nice one Bill! I assume the testing is still ongoing then?

"So why did Microsoft take so long to fix the flaw, leaving Windows users open to potentially devastating electronic attacks?"

Perhaps because the flaw touched very large portions of Windows, and perhaps other Microsoft apps. It would take some time to figure out what needed to be changed, and then to test it and make sure nothing bad happened. Windows is so modular you know?

"The breadth of systems affected is probably the largest ever. This is something that will let you get into Internet servers, internal networks--pretty much any system."

Nice one. So all of that security in Windows can be bypassed completely? Nice to know. This seems to go right to the heart of Windows here as well.

"Microsoft defends the whopping 7 months it took to fix the flaws as necessary because the company needed to ensure that a patch to such central Windows components didn't break software or cause other problems."

I believe them here. This seemed to affect a lot of things.

"Interestingly, attackers can compromise the flaw with a simple buffer-overrun attack, a common type of attack that Microsoft has wrestled with since its Trustworthy Computing code review 2 years ago."

Nothing is immune to buffer-overuns, but it seems that someone can always get to the vital parts of the Windows system with these attacks.

"Both XP Service Pack 2 (SP2), due midyear, and Windows 2003 SP1, due in late 2004, will include new memory-protection features designed to thwart most buffer-overrun attacks."

Sounds rather like chroot. Nice one.

Actually the worst thing you can do is use Microsoft's "Automatic Update Service."

1) Some of the patchs contain changes to the Windows EULA which take away some of the original rights you were given, and increase Microsoft's rights.

2) Microsoft has had many problems with patches, i.e. systems stop working, software is now broken, etc.

I run 3 Win98, 1 Win95, and one WinXP computer at home. None are patched, all are extremly secure. There are five simple steps to secure a Windows computer.

1) Install another browser such as Mozilla. Never use IE. If you can uninstall IE (Win98 and later will not allow this thought there are third party tools which will help you do it)

2) Install another email client (and uninstall Outlook Express). Mozilla has a decent email client.

3) Install a hardware firewall - Linksys makes excellant units.

4) Install Zonealarm (Especially on WinXP computers). When you set it up if any program trys to access the net AND YOU DIDN"T START IT tell Zonealarm to block it. Zonealarm is free for personal use.

5) Install OpenOffice, StarOffice, or Easy Office instead of Microsoft Office. All are more secure than the Microsoft Product, and far cheaper. You can pay for the router and extra network cabling from the savings.

Wayne

If you go to Cert, you will find that ASN.1 vulnerabilities hit every OS possible, including Apple OS X, via OpenSSL which ships on most OS's these days, including Cisco routers.

http://www.securityfocus.com/bid/8732/info/

This article sounds like an article written by someone who don't have anything to write about. They fixed the damn thing so get over it. Move on