Zero-day holiday
Kelly Martin, 2006-01-04

A few hundred million Windows XP machines lay vulnerable on the Web today, a week after a zero-day exploit was discovered. Meanwhile, new approaches and ideas from the academic world - that focus exclusively on children - may give us hope for the future after all.

Zero-day holiday 2006-01-04
Anonymous (2 replies)
"there will be no major security issues exploited on those systems." ... "Instead, I have to believe that a community of children could not possibly be researched, exploited and attacked by nefarious computer researchers or even criminals."

Take off the pink sunglasses, dude. Do you even think fo...

Re: Zero-day holiday 2006-01-05
Kelly Martin (4 replies)
In fact, MIT has stated that the machines may, at some point, be sold to consumers at a higher price. It would be ridiculous to suggest that adults would not have access to them in any case. I am not sure if you read the article completely. Please consider what you are suggesting a little more caref...

Re: Re: Zero-day holiday 2006-01-05
Jack
"but socially it's amoral and irresponsible - and perhaps downright evil"

Those are precisely the characteristics I associate with the botnet builders, script-kiddie vandals and spammers out there....

Re: Re: Zero-day holiday 2006-01-05
assurbanipal
I'd like to share your view, but it really seems too simplistic.
As if there is some sort of morality in the action of hackers, script kiddies and the like.
One day, some curious researcher will fiddle with these systems, find a vulnerability and post the details, maybe with exploit code. It may e...

Immoral, etc. 2006-01-05
Andrew Jones
There are LOTS of people in this world who do not have morals and really couldn't care less whose machine they are hacking. I'm sure there are many who would even get a thrill out of hacking a poor kid's computer. They would find it funny. As an added irony, maybe they would even use it to store the...

Re: Re: Zero-day holiday 2006-01-06
Anonymous
I'm sorry, but to state that the laptops of 3rd world children won't be attacked just because they belong to 3rd world children is unbelievably naive. Are you aware of the existence and worldwide reach of child porn networks? There are people who think nothing of baiting/kidnapping/buying children...

Re: Zero-day holiday 2006-01-05
Anonymous
With child porn rampant and frequent scams/viruses exploiting things like Katrina/Tsunami victims, "borrowing" cycles from a poor kid's computer seems pretty tame to me. ...

Zero-day holiday 2006-01-04
Nick
"Microsoft needs help from the security community. The community needs to help Microsoft and Microsoft customers now more than ever..."

Absurd! How much more help do you think we should give them? There were many people in the security community working their asses off all weekend testing and dev...

Zero-day holiday 2006-01-04
Anonymous
I really don't understand why folks are saying this vulnerability is bigger than the RPC vuln that led to Blaster - or the issue that led to Sasser. The WMF bug cannot propagate by itself. No amount of social engineering is going to cause an infection rate as high (or propagation as swift) as a bug ...

Zero-day holiday 2006-01-05
Matthew Murphy (1 replies)
This week, I've read a lot of out-of-control FUD on the web about this WMF vulnerability. This is, hands down, the worst piece of tech journalism I have ever seen.

Contrary to popular opinion, millions aren't compromised, because a good majority of non-critical assets had nobody sitting at them ...

incorrect 2006-01-05
Kelly Martin (2 replies)
We allow comments such as the above because everyone is entitled to an opinion.

There is somewhere in the neighbourhood of 400 Million machines running Microsoft Windows. Some estimates suggest up to half of those are now Windows XP. That's 200 Million machines, give or take.

If just 1% of the...

Re: incorrect 2006-01-05
Not the original poster
There's one important point that you seem to be deliberately ignoring here: Blaster was a self-propagating worm. What we're talking about here is a vulnerability with little/no scope for automatic propagation. User interaction is required for almost every infection vector.

Once a user's PC is com...

Re: incorrect 2006-01-07
Matthew Murphy (1 replies)
"We allow comments such as the above because everyone is entitled to an opinion."

Sorry about the delay in responding. I have to confess I'm mildly surprised by that. I'll commend you on that, as I know some of your colleagues in various positions at SF would have hit the Reject button.

I'll...

thanks 2006-01-12
Kelly Martin
> I'll grant your numbers, with the exception of
> 1%. 200 million Windows XP systems makes it a
> mathematical impossibility by my idea of the
> word "few" for there to be a few hundred million
> vulnerable XP boxen.

I actually wish I had more accurate market share statistics on XP versus ...

Zero-day holiday 2006-01-05
Anonymous
"Not only did Gates' great vision make him the world's richest man in the process, it also made him one of the most generous - with an incredible $28.8 billion dollars in the Bill & Melinda Gates charitable foundation, here is a man who truly makes a difference in our world."

We should all consider...

Zero-day holiday 2006-01-05
hhhobbit
Fix #1:
=======
http://www.f-secure.com/weblog/archives/archive-122005.html

Click Start, then select run...

to block reading WMF files:
---------------------------
regsvr32 -u %windir%\system32\shimgvw.dll

to restore reading of WMF files:
--------------------------------
regsvr32 %win...

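An added defender-side check (not part of hhhobbit's post or the F-Secure entry it links): this PowerShell snippet reports whether shimgvw.dll is still registered as a COM in-process server, i.e. whether the regsvr32 -u workaround above is actually in effect on a machine. It assumes the XP-era layout (the DLL under %windir%\system32, registration under HKCR\CLSID\{...}\InprocServer32); the function name is my own.

```powershell
# Added example: verify whether the shimgvw.dll unregistration workaround
# is applied. Not from the original thread; assumes XP-era paths/registry layout.
function Test-ShimgvwWorkaround {
    $dll = Join-Path $env:windir 'system32\shimgvw.dll'
    if (-not (Test-Path $dll)) {
        # No viewer DLL on disk: nothing to register, nothing to unregister.
        return [pscustomobject]@{ DllPresent = $false; Applied = $true; Clsids = @() }
    }

    # Walk every CLSID and collect the ones whose InprocServer32 default
    # value points at shimgvw.dll. regsvr32 -u removes these entries.
    $clsids = Get-ChildItem 'Registry::HKEY_CLASSES_ROOT\CLSID' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $inproc = Join-Path $_.PSPath 'InprocServer32'
            if (Test-Path $inproc) {
                $server = (Get-ItemProperty -Path $inproc -ErrorAction SilentlyContinue).'(default)'
                if ($server -and $server -match 'shimgvw\.dll') { $_.PSChildName }
            }
        }

    [pscustomobject]@{
        DllPresent = $true
        Applied    = (-not $clsids)        # workaround holds only if no CLSID references the DLL
        Clsids     = @($clsids)
    }
}

$result = Test-ShimgvwWorkaround
if ($result.Applied) {
    Write-Output "No CLSID references shimgvw.dll; the regsvr32 -u workaround appears to be in effect."
} else {
    Write-Output "shimgvw.dll is still registered under $($result.Clsids.Count) CLSID(s); workaround NOT applied:"
    $result.Clsids | ForEach-Object { Write-Output "  $_" }
}
```

Run it before and after the regsvr32 step to confirm the change took, and again after the vendor patch is installed, since a later regsvr32 (or a repair install) can silently re-register the DLL.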
Zero-day holiday 2006-01-05
horror_vacui
Microsoft needs help by the community now? Well, for how long? Isn't paying for their products support enough? Over the years, we have collectively paid them enough to hire the best of the world's best coders, the best of world's best QA people, and the best of the best software development managem...

Zero-day holiday 2006-01-05
Anonymous
I am curious if it is possible, if someone belongs to an msn or yahoo group and if their e-mail address is showing publicly in the group directory, for a hacker to get into the said group to do any damage to either the group or the e-mail directory...I guess I am asking if it is safe to have my e-ma...

Zero-day holiday 2006-01-05
M. Amos
I don't often read such broad, well written and well considered pieces in technology publications.

Pointing out the contrasts between Microsoft and MIT, Bill Gates and Nicholas Negroponte, Gates' philanthropy and his buggy software - all very nicely done. The world is not a black and white pla...

Zero-day holiday 2006-01-05
Anonymous
"Let us hope that law enforcement and politicians take note of this situation in the weeks and months that follow, and craft (or enforce) legislation and risk management that might help. Now, onto more positive things."

If you're suggesting that throwing government legislation into the mix will m...

Zero-day holiday 2006-01-05
Anonymous
This is just another "expert" parroting Negroponte's press releases. There's far MORE to this story than the writer can imagine. Hint: Negroponte has NEVER produced a WORKING prototype of this device and most of the "facts" are coming EXCLUSIVELY from Negroponte's own press releases....

Not a real solution 2006-01-05
Mike Warot (1 replies)
The thieves and pirates don't care about who owns the computer, just the fact that it's a networked resource to be stolen. There's nothing in your article about the Capability Security Model, which actually will help once it moves out of academia.
--Mike--...

Re: Not a real solution 2006-01-06
Khem C (1 replies)
I agree with you, Mike. They don't care about whose resource they have hacked or stolen. If this project becomes real for the poor children, I would like to see better protection on the internet than now. I mean in terms of content access. There is a lot of improper content for kids on the inter...

Re: Re: Not a real solution 2006-01-07
Anonymous
You mean improper content like independent information about governments running their countries? Or do you have some pink glasses on and think that this won't be the first content to be blocked, if the technology is available? Look at China ...

Internet must be free. Some children seeing wha...

Zero-day holiday 2006-01-12
Nicolas Falliere
I particularly enjoyed your column this month. It was very well-written and constructed. Though I don't know if the $100 computer will be a success (I hope so), the comparison with Bill Gates' empire and the omnipresence of Windows was highly interesting. ...

Copyright 2009, SecurityFocus