Just in time for the Chinese Hackers' spring offensive...

Jose G. Perez jgperez at SPAMnetzero.net
Thu May 3 07:23:21 MDT 2001


[From PC World.com, another example of the leading capitalist software
house's coding practices. See the article below, then come back here.

[The flaw in Microsoft's premiere Windows 2000 was caused by an "unchecked
buffer." A "buffer" is simply a little area of memory that accepts an input
from a user ort other device or program. The buffer security vulnerability
works like this. Suppose there are 20 letters or numbers set aside for the
buffer storage. If the program does not prevent it, someone can write any
number of characters into that buffer, and once they get past 20, they start
overwriting whatever came after the buffer in the memory. If you can figure
out where in memory the next programming instructions will execute from
relative to your buffer, when you get to that point you simply put in
whatever instructions you want the computer to carry out, and it does.

[Now, this vulnerability has been well known, documented and thoroughly
understood ever since the days when most of us old enough to do so were
using typewriters. There's no mystery about it, no tricky unforeseen result
of unexpected circumstances, no new discovery in the Black Arts of digital
incantations. This is Old News, something well known to every script kiddy
and first-year programming student.

[Securing against it is baby simple, also. It involves nothing more
complicated than kindergarten-level counting, i.e., 1 + 1 = 2; 2 + 1 = 3; 3
+ 1 = 4 ... The computer does that for every character sent to the buffer,
and when the number of characters received equals the space available in the
buffer, it stops accepting more characters. It is the programming equivalent
of locking the door when you walk out of your apartment or house. If you
habitually leave the door open, do not be surprised to come back one day and
find out someone has been inside.

[One wonders when Bill Gates & Co. will be indicted for violating the U.S.
Congress's Digital Millenium Copyright Act. This Act makes it illegal to
create a device that circumvents security measures to prevent copying of
digital files. The "device" has been interpreted by the courts and the
creators of the DMCA, the media monopoly mafia, to include everything from
linking to articles and code freely available on the internet to presenting
a paper at an academic conference. Certainly, creating an open door on a
supposedly secure server that allows someone more clever than Microsoft to
walk out with anything and everything on a computer must be considered a
"device" by this standard. The penalties under the act are especially severe
if you do this sort of thing for commercial gain. --Jose]


Microsoft Warns of Serious Windows 2000 Hole

Flaw could allow hackers to gain complete control of servers, software giant
says

Sam Costello and Jennifer DiSabatino, Computerworld online
Wednesday, May 02, 2001

Microsoft on Tuesday disclosed that an "extremely serious" flaw in an
extension included in Windows 2000 could allow a malicious hacker to gain
complete control of any computer running the Internet Information Services
(IIS) 5.0 software built into that operating system.

In a bulletin posted on its Web site, Microsoft says the vulnerability is
caused by an unchecked buffer in an extension that provides native support
for Internet printing capabilities within Windows 2000. The software vendor
"strongly" urged all IIS 5.0 users to install a new patch that's supposed to
fix the problem.

Scott Culp, a program manager at Microsoft's security response center, went
even further in an interview, saying it's "imperative" that anyone running
IIS 5.0 apply the patch. The hole is especially serious because it could
enable an attacker to run code that would give him complete control of
Windows 2000 on a vulnerable server. "There is literally nothing [an
attacker] could not do," Culp says.

<snip>.








More information about the Marxism mailing list