Guest Dan Posted August 29, 2008

Here is an article about how the NT source code was leaked and apparently even DOS source code was leaked back in the day but no one cared because it was so old. I now ask Microsoft how long will it be before Microsoft has new operating systems with new source code. Wikipedia mentions Windows 7 will use the Windows NT source code much to my dismay. How about the successor to Windows 7 will people finally get an operating system with new source code that will be a relief from the tired out code that has caused so many security problems.

http://news.bbc.co.uk/1/hi/technology/3485545.stm

http://en.wikipedia.org/wiki/Windows_7
Guest Paul Adare - MVP Posted August 29, 2008

On Fri, 29 Aug 2008 04:38:01 -0700, Dan wrote:

> Here is an article about how the NT source code was leaked and apparently even DOS source code was leaked back in the day but no one cared because it was so old. I now ask Microsoft how long will it be before Microsoft has new operating systems with new source code. Wikipedia mentions Windows 7 will use the Windows NT source code much to my dismay. How about the successor to Windows 7 will people finally get an operating system with new source code that will be a relief from the tired out code that has caused so many security problems.
>
> http://news.bbc.co.uk/1/hi/technology/3485545.stm
>
> http://en.wikipedia.org/wiki/Windows_7

<sigh>

Here we go again. That source code leaked over 4 years ago and it wasn't the entire code base. If there were going to be exploits based on the leaked source code we would have seen them a long, long time ago.
On the other hand, in a lot of your long rambling, off-topic rants you tout the wonders and virtues of open source. Which is it Dan?

You also complain that "tired out" source code is responsible for "so many security problems" yet you continue with your ludicrous suggestion that Windows 98 is inherently more secure than is Vista. Yet you can't see the contradiction in the statements you make.

You wonder why I respond in the negative to most of your posts? It is because they don't make any logical sense and the positions you espouse are irresponsible, dangerous, and should not be followed by anyone.

--
Paul Adare
MVP - Identity Lifecycle Manager
http://www.identit.ca
fortune: No such file or directory
Guest Roger Abell [MVP] Posted August 29, 2008

"Dan" <Dan@discussions.microsoft.com> wrote in message news:22B13749-E86E-4E83-B1DC-AA66C4D11131@microsoft.com...

> Here is an article about how the NT source code was leaked and apparently even DOS source code was leaked back in the day but no one cared because it was so old. I now ask Microsoft how long will it be before Microsoft has new operating systems with new source code. Wikipedia mentions Windows 7 will use the Windows NT source code much to my dismay. How about the successor to Windows 7 will people finally get an operating system with new source code that will be a relief from the tired out code that has caused so many security problems.
>
> http://news.bbc.co.uk/1/hi/technology/3485545.stm
>
> http://en.wikipedia.org/wiki/Windows_7

Dan,

Do you not understand that anyone that could shed some info toward what you sometimes indicate in your questions would not provide that info even in a private discussion?

You seem to feel that the current source, which obviously would be the basis of a next generation of the source tree, is tired old error filled code. Yet obviously you do not have the basis on which to make that assessment (i.e. you are without access to the codetree). So how can you believe in what you say? Don't you recognize that the large majority of patches that get released are for software that sits way high on the architecture stack, up above the kernel/executive and even for the most part core services? Can you actually believe that Windows server could have been transformed to versions factored such as core server without significant investment in reworking the source? Or that the transformation from the Win32 Api to the .Net framework at the upper levels without significant new code?

I see your posts repeatedly attempting to get at info about what MS is doing with Windows development, but the implications of what you say and claim as fact just don't make much sense.

For example, look at the history of sendmail in the nix variants. This has been the source of endless security flaws over the decades, but has it undergone a complete or even majoritive rewrite ever? How many times have the codes for the kernel and core of Linux seen systemic rewrites? Think about it. Things just don't happen that way you seem to advocate, not anywhere, except perhaps when there is a new OS development ex novo.

Roger
Guest Dan Posted August 29, 2008

The only true solution is a combination of open source and closed source codes including 9x, NT and Unix/Linux within a defense network structure. Some computers would be off-line, some computers would be behind reinforced steel doors with limited access and information would not be available to people only on a need to know basis. We are not there yet but Microsoft is secretly working on a new source code, Paul and it will just take time and patience on everyone's part especially myself. Thank you for your viewpoint. Have a nice day and thank you with bearing with me with my long rambling posts --- you are a good guy. <smile>

"Paul Adare - MVP" wrote:

> On Fri, 29 Aug 2008 04:38:01 -0700, Dan wrote:
>
> > Here is an article about how the NT source code was leaked and apparently even DOS source code was leaked back in the day but no one cared because it was so old. I now ask Microsoft how long will it be before Microsoft has new operating systems with new source code. Wikipedia mentions Windows 7 will use the Windows NT source code much to my dismay. How about the successor to Windows 7 will people finally get an operating system with new source code that will be a relief from the tired out code that has caused so many security problems.
> >
> > http://news.bbc.co.uk/1/hi/technology/3485545.stm
> >
> > http://en.wikipedia.org/wiki/Windows_7
>
> <sigh>
>
> Here we go again. That source code leaked over 4 years ago and it wasn't the entire code base. If there were going to be exploits based on the leaked source code we would have seen them a long, long time ago.
> On the other hand, in a lot of your long rambling, off-topic rants you tout the wonders and virtues of open source. Which is it Dan?
>
> You also complain that "tired out" source code is responsible for "so many security problems" yet you continue with your ludicrous suggestion that Windows 98 is inherently more secure than is Vista. Yet you can't see the contradiction in the statements you make.
>
> You wonder why I respond in the negative to most of your posts? It is because they don't make any logical sense and the positions you espouse are irresponsible, dangerous, and should not be followed by anyone.
>
> --
> Paul Adare
> MVP - Identity Lifecycle Manager
> http://www.identit.ca
> fortune: No such file or directory
Guest Paul Adare - MVP Posted August 29, 2008

On Fri, 29 Aug 2008 10:48:11 -0700, Dan wrote:

> The only true solution is a combination of open source and closed source codes including 9x, NT and Unix/Linux within a defense network structure.

According to whom exactly? Dan, the super-duper security expert? Simply making a statement doesn't make it true. You've offered no reasoning behind your opinions because you don't understand the issues here.

> Some computers would be off-line, some computers would be behind reinforced steel doors with limited access and information would not be available to people only on a need to know basis.

Again, simply some off the cuff statements with no real understanding of the issues at hand.

> We are not there yet but Microsoft is secretly working on a new source code, Paul and it will just take time and patience on everyone's part especially myself. Thank you for your viewpoint. Have a nice day and thank you with bearing with me with my long rambling posts --- you are a good guy. <smile>

And you're attempting to pass yourself off as some kind of security expert with general statements that don't mean anything at all, with no solid understanding of how computer security even works, and worse, you're stuck on the absurd notion that since Windows 98 runs on MS-DOS that it is inherently more secure than XP or Vista. Ridiculous.

--
Paul Adare
MVP - Identity Lifecycle Manager
http://www.identit.ca
You have a tendency to feel you are superior to most computers.
Guest FromTheRafters Posted August 30, 2008

"Dan" <Dan@discussions.microsoft.com> wrote in message news:22B13749-E86E-4E83-B1DC-AA66C4D11131@microsoft.com...

> Here is an article about how the NT source code was leaked and apparently even DOS source code was leaked back in the day but no one cared because it was so old.

Who cares?

Many OSes are "open source" - anybody can see the source code - it doesn't make any difference. This 'secrecy' isn't an issue and neither is the leak.

Look for "security through obscurity" and see what experts have to say about it.

> I now ask Microsoft how long will it be before Microsoft has new operating systems with new source code. Wikipedia mentions Windows 7 will use the Windows NT source code much to my dismay. How about the successor to Windows 7 will people finally get an operating system with new source code that will be a relief from the tired out code that has caused so many security problems.
>
> http://news.bbc.co.uk/1/hi/technology/3485545.stm
>
> http://en.wikipedia.org/wiki/Windows_7
Guest Dan Posted August 30, 2008

http://en.wikipedia.org/wiki/Security_through_obscurity

http://slashdot.org/features/980720/0819202.shtml

I see the slashdot article does not think it is a good idea but why not have a multi-layered safety and security structure --- eg.

Vista --- external defense of NT

Windows 98 Second Edition --- internal safety of 9x and DOS -- reason being less services, no or at least limited remote access --- meant to stand-a-lone and not be networked with everything else ---- just an approach for now until Microsoft has developed a true and good replacement to the NT source code -- now companies want to have backups of course --- just check out secunia.com and see all the active vulnerabilities against Windows XP Home and Professional and Windows 2000 Professional and even some coming against Windows Vista -- remember Windows 98 Second Edition was supported from 1999 all the way until July 11, 2006 and that is certainly a long time to help harden the operating system --- it has the life and time to prove that it is strong

Mozilla Firefox --- supports 256 bit AES cipher strength -- not supported in IE until Windows Vista

Use open source technologies like Spywareblaster to help prevent baddies from getting on to your machine

practice safe web surfing methods --- reading in plain text, not using flash, blocking remote code

keep all software updated

have important computers locked securely in internal rooms with limited access

information only given in companies and technology to their workers on an as needed basis

workers provided access only with what they need and granted additional access as trust and skills are built --- give the workers less than they need and slowly build it up -- although frustrated workers --- safer network and less likely the company secrets will disappear

treat intranet carefully --and have special dedicated computers for a minority of workers who need to use VPN to access the company's intranet--- have customized settings and numerous honeypots within the company's intranet and other methods to catch hackers and deal with attack as needed and report to proper authorities --- asap --- eg. letting us-cert.gov be priority number 1

need to implement old-school technologies like wired phones with filters and treat all information as already compromised because then we can see what has been compromised and remember without wires the information is freely flowing through the air and can easily be picked up and sometimes deciphered even if encrypted if a strong enough encryption has not been used --- what about someone stealing a session cookie and using it to access the user's email account?

work backwards like everything has been compromised at the company and then study our history to see what methods were effective in the past and not being used today -- for example certain hardware technologies that were great and laid by the wayside for only a software only or a software primarily approach method --- we need to use it all and quickly and have stop-gap methods while better methods can be developed in the future to help safeguard everyone

these are just ideas and open to discussion and interpretation and I know I do not know networking like many of the experts do but at least my small voice may help others use their brains more to help develop better information security and safety methods for the future

"FromTheRafters" wrote:

> "Dan" <Dan@discussions.microsoft.com> wrote in message news:22B13749-E86E-4E83-B1DC-AA66C4D11131@microsoft.com...
>
> > Here is an article about how the NT source code was leaked and apparently even DOS source code was leaked back in the day but no one cared because it was so old.
>
> Who cares?
>
> Many OSes are "open source" - anybody can see the source code - it doesn't make any difference. This 'secrecy' isn't an issue and neither is the leak.
>
> Look for "security through obscurity" and see what experts have to say about it.
>
> > I now ask Microsoft how long will it be before Microsoft has new operating systems with new source code. Wikipedia mentions Windows 7 will use the Windows NT source code much to my dismay. How about the successor to Windows 7 will people finally get an operating system with new source code that will be a relief from the tired out code that has caused so many security problems.
> >
> > http://news.bbc.co.uk/1/hi/technology/3485545.stm
> >
> > http://en.wikipedia.org/wiki/Windows_7
Guest Anteaus Posted August 30, 2008

The fundamental issue with the NT vulnerabilities is not strictly the fault of Microsoft coders, but is with the preceding code on which NT was based, which contained numerous unchecked buffers. It's a failing of the C language with its lack of any checks on variable bounds, and which therefore requires the coder to perform the near-impossible task of setting traps for every way in which the program could be presented with oversize data. The majority of NT exploits operate on the crude principle of over-filling a data buffer to the point where the data over-writes an adjacent piece of machine-code in memory. The next time this code runs, your Trojan gets launched. The failing here is in the programming-language itself not providing any protection against this kind of exploit.

It is also perfectly true that Windows 9x is a far more secure OS. In fact, its main weakness is in having Internet Explorer built-in. Without that attack-vector it is surprisingly hard to exploit.

"Dan" wrote:

> Here is an article about how the NT source code was leaked and apparently even DOS source code was leaked back in the day but no one cared because it was so old. I now ask Microsoft how long will it be before Microsoft has new operating systems with new source code. Wikipedia mentions Windows 7 will use the Windows NT source code much to my dismay. How about the successor to Windows 7 will people finally get an operating system with new source code that will be a relief from the tired out code that has caused so many security problems.
>
> http://news.bbc.co.uk/1/hi/technology/3485545.stm
>
> http://en.wikipedia.org/wiki/Windows_7
Guest Dan Posted August 30, 2008

Exactly, Anteaus. Thank you, Thank you, Thank you! Thus, the user can use Mozilla Firefox instead while having Internet Explorer installed. Heck, I am posting using Windows 98 Second Edition and have Mozilla Firefox 2.0.0.16 installed and it works great. You just add in SpywareBlaster and a few other programs to your security and safety mix and customize your settings and Windows 98 Second Edition runs like a champ. My only major issue was with the memory which I downgraded from 2 gigabytes in my multi-boot and multi-hard drive machine to 512 megabytes and using the memory management settings it now works like a champ. The majority of problems I had with Windows 98 Second Edition had to do with poorly written software drivers in the past by 3rd party companies and that is what led to so many blue screens of death. Please see secunia.com for confirmation of this:

http://msdn.microsoft.com/en-us/library/aa366525(VS.85).aspx (memory stuff)

http://www.aumha.org/win4/a/memmgmt.php

http://secunia.com/product/13/?task=advisories (for Windows 98 Second Edition) {highest rated unpatched is less critical}

http://secunia.com/product/22/?task=advisories (for Windows XP Professional) {highest rated unpatched is moderately critical}

http://secunia.com/product/13223/?task=advisories {for Windows Vista} {highest rated is less critical but I find this one that targets XP Pro and Vista disturbing}

http://secunia.com/advisories/29867/

Solution: Microsoft recommends specifying a WPI (Worker Process Identity) for an application pool (please see the Microsoft advisory for details).

Provided and/or discovered by: Reported by the vendor.

Original Advisory: Microsoft (KB951306): http://www.microsoft.com/technet/security/...ory/951306.mspx

Now as you can see, we all have some work to do on fixing these bugs so you can all continue to trash me as most of you have seen fit to do but since this involves the world and computing, I suggest we get answers to these problems and work on developing fixes so all our computers are not hacked too easily by hackers.

"Anteaus" wrote:

> The fundamental issue with the NT vulnerabilities is not strictly the fault of Microsoft coders, but is with the preceding code on which NT was based, which contained numerous unchecked buffers. It's a failing of the C language with its lack of any checks on variable bounds, and which therefore requires the coder to perform the near-impossible task of setting traps for every way in which the program could be presented with oversize data. The majority of NT exploits operate on the crude principle of over-filling a data buffer to the point where the data over-writes an adjacent piece of machine-code in memory. The next time this code runs, your Trojan gets launched. The failing here is in the programming-language itself not providing any protection against this kind of exploit.
>
> It is also perfectly true that Windows 9x is a far more secure OS. In fact, its main weakness is in having Internet Explorer built-in. Without that attack-vector it is surprisingly hard to exploit.
>
> "Dan" wrote:
>
> > Here is an article about how the NT source code was leaked and apparently even DOS source code was leaked back in the day but no one cared because it was so old. I now ask Microsoft how long will it be before Microsoft has new operating systems with new source code. Wikipedia mentions Windows 7 will use the Windows NT source code much to my dismay. How about the successor to Windows 7 will people finally get an operating system with new source code that will be a relief from the tired out code that has caused so many security problems.
> >
> > http://news.bbc.co.uk/1/hi/technology/3485545.stm
> >
> > http://en.wikipedia.org/wiki/Windows_7
Guest Alun Jones Posted August 31, 2008

"Anteaus" <Anteaus@discussions.microsoft.com> wrote in message news:72493273-1D86-4C0F-A43B-DC859EF96246@microsoft.com...

> The fundamental issue with the NT vulnerabilities is not strictly the fault of Microsoft coders, but is with the preceding code on which NT was based, which contained numerous unchecked buffers. It's a failing of the C language with its lack of any checks on variable bounds, and which therefore requires the coder to perform the near-impossible task of setting traps for every way in which the program could be presented with oversize data. The majority of NT exploits operate on the crude principle of over-filling a data buffer to the point where the data over-writes an adjacent piece of machine-code in memory. The next time this code runs, your Trojan gets launched. The failing here is in the programming-language itself not providing any protection against this kind of exploit.

No, it's in the programmers and designers who used this programming language for networked applications without taking appropriate protections.

I've said it before, and I'll repeat it once more:

Writing network code is hard, because you only get to write one half of the application. And the guy writing the other half may very well be a lunatic who's out to abuse your code, or he may simply be an idiot who didn't understand the specifications the same way you did. Either way, you have to write network-capable code differently from standalone code.

Of course, the same should be said of any code that takes input from any source other than itself, whether that's through reading files on the hard drive, reading key-strokes from the user or mouse movements.

> It is also perfectly true that Windows 9x is a far more secure OS. In fact, its main weakness is in having Internet Explorer built-in. Without that attack-vector it is surprisingly hard to exploit.

That's an astonishing claim, and I'd really like to see you back it up.

While it is certainly true that Windows 95, 98 and ME were running fewer servers / services, there are other factors working against it:

1. Much of the underlying code was written with the understanding that it was not going to be networked - NT code was written with networking in mind from day one, so it considered the concept that unwanted data might be coming in.
2. Windows 9x used FAT as the underlying file system, which has very weak protection - the most you can do is mark a file read-only, hidden, or system, and even then, every user on the system has complete access to remove that marking. NT had the concept of users and groups built into its file system, NTFS, allowing you to mark system files and important applications or data such that only authorised user accounts can access them.
3. Any user can install a driver or an application in Windows 9x; in NT, only an administrator can do so.

Applying new source code blindly is not going to solve the problems. Improving the source code based on the lessons learned from old mistakes - that's what will fix things, whether it's done through completely new code, or a rewrite or modification of the old code.

Alun.
~~~~
--
Texas Imperial Software   | Web: http://www.wftpd.com/
23921 57th Ave SE         | Blog: http://msmvps.com/alunj/
Woodinville WA 98072-8661 | WFTPD, WFTPD Pro are Windows FTP servers.
Fax/Voice +1(425)807-1787 | Try our NEW client software, WFTPD Explorer.
Guest FromTheRafters Posted August 31, 2008

"Anteaus" <Anteaus@discussions.microsoft.com> wrote in message news:72493273-1D86-4C0F-A43B-DC859EF96246@microsoft.com...

> The fundamental issue with the NT vulnerabilities is not strictly the fault of Microsoft coders, but is with the preceding code on which NT was based, which contained numerous unchecked buffers.

Due to poorly written source code, or faults in the compiler used for the translation.

> It's a failing of the C language with its lack of any checks on variable bounds, and which therefore requires the coder to perform the near-impossible task of setting traps for every way in which the program could be presented with oversize data.

Not too difficult, really. Input subroutines that truncate the data to fit the buffer.

> The majority of NT exploits operate on the crude principle of over-filling a data buffer to the point where the data over-writes an adjacent piece of machine-code in memory. The next time this code runs, your Trojan gets launched.

Something like that.

> The failing here is in the programming-language itself not providing any protection against this kind of exploit.

http://en.wikipedia.org/wiki/Type_safety

This is somewhat backward. Type safety attempts to avoid errors the programmer is likely to make - it is not the language at fault it is the error prone human, or sometimes the compiler itself can introduce flaws.

http://www.cigital.com/news/index.php?pg=art&artid=70

> It is also perfectly true that Windows 9x is a far more secure OS.

Wrong, compared to modern OSes Win9x had no security at all. In fact, even compared to its contemporaries it had no security.

> In fact, its main weakness is in having Internet Explorer built-in. Without that attack-vector it is surprisingly hard to exploit.

This is just wrong. Although IE was a major vector of attack, the result of successfully attacking IE's low hanging fruit was often complete control of the machine - a fault of the OS's security model.

> "Dan" wrote:

Something...using the words, but not speaking the language.

[snipped]
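The unchecked buffer copy debated in the posts above, next to an input routine that validates and truncates, as an added example that is not code from any poster or from Windows. The message layout (one length byte followed by that many name bytes), the function names and the 16-byte buffer are assumptions made for the illustration.

```c
/* Added illustration. Constructed message format: msg[0] is a length byte
 * set by the sender, followed by that many bytes of name data. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NAME_BUF_SIZE 16   /* destination capacity, including the NUL */

enum field_status {
    FIELD_MALFORMED = -1,  /* length byte disagrees with the bytes received */
    FIELD_OK        = 0,
    FIELD_TRUNCATED = 1    /* data was cut down to fit the buffer */
};

/* Unchecked form: the sender's length byte decides how much is written.
 * Any value >= NAME_BUF_SIZE writes past the end of dst, and any value
 * larger than the data actually received reads past the end of msg. */
void copy_name_unchecked(char *dst, const uint8_t *msg)
{
    size_t claimed = msg[0];
    memcpy(dst, msg + 1, claimed);
    dst[claimed] = '\0';
}

/* Checked form: the receiver's own sizes decide. The claimed length is
 * compared with the bytes received (msg_len) and with the destination
 * capacity (dst_size) before anything is copied. */
int copy_name_checked(char *dst, size_t dst_size,
                      const uint8_t *msg, size_t msg_len)
{
    if (dst == NULL || dst_size == 0)
        return FIELD_MALFORMED;
    dst[0] = '\0';                      /* defined result on every path */

    if (msg == NULL || msg_len < 1)
        return FIELD_MALFORMED;

    size_t claimed = msg[0];
    if (claimed > msg_len - 1)          /* sender claims more than it sent */
        return FIELD_MALFORMED;

    size_t n = claimed;
    int status = FIELD_OK;
    if (n > dst_size - 1) {             /* truncate to fit, leave room for NUL */
        n = dst_size - 1;
        status = FIELD_TRUNCATED;
    }
    memcpy(dst, msg + 1, n);
    dst[n] = '\0';
    return status;
}

int main(void)
{
    char name[NAME_BUF_SIZE];

    /* Constructed inputs: a well-formed name, an oversize name, and a
     * message whose length byte lies about how much data follows. */
    const uint8_t ok[] = { 5, 'a', 'l', 'i', 'c', 'e' };
    uint8_t oversize[41];
    oversize[0] = 40;
    memset(oversize + 1, 'A', 40);
    const uint8_t lying[] = { 200, 'x', 'y' };

    copy_name_unchecked(name, ok);      /* safe only because the input is */
    printf("unchecked, well-formed: \"%s\"\n", name);

    int rc = copy_name_checked(name, sizeof name, ok, sizeof ok);
    printf("checked, well-formed:   rc=%d \"%s\"\n", rc, name);

    rc = copy_name_checked(name, sizeof name, oversize, sizeof oversize);
    printf("checked, oversize:      rc=%d \"%s\"\n", rc, name);

    rc = copy_name_checked(name, sizeof name, lying, sizeof lying);
    printf("checked, lying length:  rc=%d \"%s\"\n", rc, name);
    return 0;
}
```

Truncation alone covers the oversize case; the `claimed > msg_len - 1` test is the separate check for a sender whose length field does not match what it sent.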
Guest Dan Posted September 1, 2008

Warning: this is a super-long post and may contain some repetition because of the hour that it was composed -- thank you so much for your kindness and support

Here is more evidence --- Note copy and copy so code is contained in post

http://secunia.com/product/1/?task=advisories

http://secunia.com/advisories/7793/

Secunia Advisory: SA7793
Release Date: 2002-12-30
Last Update: 2003-01-27
Critical: Moderately critical
Impact: System access
Where: From remote
Solution Status: Unpatched
OS:
Microsoft Windows 2000 Advanced Server
Microsoft Windows 2000 Professional
Microsoft Windows 2000 Server
Microsoft Windows 95
Microsoft Windows XP Home Edition
Microsoft Windows XP Professional

This advisory is currently marked as unpatched! - Companies can be alerted when a patch is released!

Description:
Microsoft Windows is flawed in the way it trusts certificates.

Microsoft Windows File Protection will automatically trust software that has been digitally signed with certificates rooted in any of the Trusted Root Certification Authorities.

This can be abused by malicious persons to sign any maliciously designed code and install it on systems without alerting the user, because Windows "trusts" root certificates even if they should only be used for signing SSL certificates and not signing code.

This could be done anonymously by using: http://www.freessl.com/

Also Windows is designed to trust every version of previously published code from .CAT files, this allows malicious persons to replace new code with old buggy and vulnerable code.

This problem exists even if you have applied MS02-050 to prevent ID spoofing with digital signatures.

Solution:
In our opinion no operating system or software should trust the source or origin of software or digital signatures by default. This should always be verified by a system administrator or other capable person.
We recommend that you configure your Windows systems to trust as few root certificates as possible and instruct your users about the consequences (ie. they are prompted each time they enter an SSL site).

In addition you should change the security settings in Internet Explorer so that normal users cannot accept additional ActiveX components.

Required root certificates: http://support.microsoft.com/default.aspx?...B;en-us;293781&

How to remove "trusted" root certificates: http://support.microsoft.com/default.aspx?...kb;EN-US;293819

Windows File Protection may not start: http://support.microsoft.com/default.aspx?...kb;EN-US;296241

Provided and/or discovered by: Forensics.org

Changelog:
20/01-2003 It has been reported that systems with this patch still may be fooled, if the certificate has expired, as the user will be warned about the certificate being expired but not that it is spoofed.

hmm, certainly sounds serious and notice how Windows 98 Second Edition is not on the list but Windows 95, Windows 2000 and Windows XP are. In addition, let us see more examples and remember I am ignoring just privilege escalations and denial of service errors because I don't see those as too critical to operations.

Now this next one has only been partially fixed and it even makes one wonder whether it could be properly executed on Windows Vista and it is highly critical and includes system access and it even hits Windows 98 Second Edition as well as all the way back to Windows NT and this should be priority number one for Microsoft to patch, imo.

http://secunia.com/advisories/13645/

Secunia Advisory: SA13645
Release Date: 2004-12-25
Last Update: 2005-11-21
Critical: Highly critical
Impact: DoS, System access
Where: From remote
Solution Status: Partial Fix (only a partial fix --- what gives Microsoft --?)
OS:
Microsoft Windows 2000 Advanced Server
Microsoft Windows 2000 Datacenter Server
Microsoft Windows 2000 Professional
Microsoft Windows 2000 Server
Microsoft Windows 98
Microsoft Windows 98 Second Edition
Microsoft Windows Millenium
Microsoft Windows NT 4.0 Server
Microsoft Windows NT 4.0 Server, Terminal Server Edition
Microsoft Windows NT 4.0 Workstation
Microsoft Windows Server 2003 Datacenter Edition
Microsoft Windows Server 2003 Enterprise Edition
Microsoft Windows Server 2003 Standard Edition
Microsoft Windows Server 2003 Web Edition
Microsoft Windows XP Embedded
Microsoft Windows XP Home Edition
Microsoft Windows XP Professional

CVE reference:
CVE-2004-1049 (Secunia mirror)
CVE-2004-1305 (Secunia mirror)
CVE-2004-1306 (Secunia mirror)
CVE-2004-1361 (Secunia mirror)

Description:
Flashsky has reported some vulnerabilities in Microsoft Windows, allowing malicious people to compromise a vulnerable system or cause a DoS (Denial of Service).

1) The vulnerability is caused due to an integer overflow in the LoadImage API which can be exploited to cause a heap based buffer overflow. This can be exploited through a website by using maliciously crafted icon, cursor, animated cursor, or bitmap files.

Successful exploitation allows execution of arbitrary code.

2) Some errors in the Windows Kernel when parsing ANI files may cause the system to crash. This can be exploited through specially crafted ANI files.

3) The vulnerability is caused due to a heap overflow and an integer overflow in "winhlp32.exe" when handling HLP files. This can be exploited through specially crafted HLP files.

All versions of Microsoft Windows are affected except Microsoft Windows XP with Service Pack 2.

Solution:
3) Do not visit untrusted web sites and don't open documents from untrusted sources.

1+2) Microsoft has issued patches.
Microsoft Windows NT Server 4.0 (requires Service Pack 6a): http://www.microsoft.com/downloads/de...=4...B1-BEE44EEA588C Microsoft Windows NT Server 4.0 Terminal Server Edition (requires Service Pack 6): http://www.microsoft.com/downloads/de...=9...80-068C30476E6F Microsoft Windows 2000 (requires Service Pack 3 or Service Pack 4): http://www.microsoft.com/downloads/de...=7...B7-D4612A785E78 Microsoft Windows XP (requires Service Pack 1): http://www.microsoft.com/downloads/de...=8...A1-1CCF6085A057 Microsoft Windows XP 64-Bit Edition (requires Service Pack 1): http://www.microsoft.com/downloads/de...=2...78-BCFF469B8061 Microsoft Windows XP 64-Bit Edition Version 2003: http://www.microsoft.com/downloads/de...=1...29-2B26CB0961AF Microsoft Windows XP Embedded SP1: http://www.microsoft.com/downloads/de...=a...27-92b539e56f0a Microsoft Windows Server 2003: http://www.microsoft.com/downloads/de...=C...7D-4087A6E6C1C2 Microsoft Windows Server 2003 64-Bit Edition: http://www.microsoft.com/downloads/de...=1...29-2B26CB0961AF Microsoft Windows 98, Microsoft Windows 98 SE, and Microsoft Windows ME: An update is available via Windows Update. Updates for the Slovenian, Slovakian, and Thai versions of Windows 98 and Windows 98 SE are also available: Slovenian: http://www.microsoft.com/downloads/de...-8...&displaylang=sl Slovakian: http://www.microsoft.com/downloads/de...-8...&displaylang=sk Thai: http://www.microsoft.com/downloads/de...-8...&displaylang=th Provided and/or discovered by: 1) Discovered independently by: Flashsky eEye Digital Security 2) Flashsky (Microsoft credits Sylvain Bruyere). 3) Keji Changelog: 2005-01-07: Added links to US-CERT vulnerability note. 2005-01-11: Updated solution. Microsoft has issued patches. 2005-01-12: Added link to eEye Digital Security advisory. 2005-01-19: Added CVE reference. 2005-03-07: Updated advisory. 2005-03-09: Vendor issues updates for Windows 98, Windows 98 SE, and Windows ME. 
2005-11-21: Added patch information for Windows XP Embedded. Original Advisory: MS05-002 (KB891711): http://www.microsoft.com/technet/security/...n/MS05-002.mspx Flashsky: http://www.xfocus.net/flashsky/icoExp/ eEye Digital Security: http://www.eeye.com/html/research/advisories/AD20050111.html Other References: US-CERT VU#625856: http://www.kb.cert.org/vuls/id/625856 US-CERT VU#697136: http://www.kb.cert.org/vuls/id/697136 US-CERT VU#177584: http://www.kb.cert.org/vuls/id/177584 Here is another one but since it does not have remote access to allow the malicious user to hack the os then I am not too interested in it because I am interested in errors that rely on remote hacking and allow system access via remote hacking of the operating system: http://secunia.com/advisories/16210/ this one affects Windows 98 Second Edition as well as 2000, XP, Server 2000 and 2003 so it may be of interest to some people Here is another vulnerability that does not include Windows 98 Second Edition but is confirmed on Windows 2000 Professional as well as Windows 2000 Server as well as on Windows XP Home and Professional http://secunia.com/advisories/20061/ Secunia Advisory: SA20061 Release Date: 2006-05-10 Last Update: 2006-05-11 Critical: Less critical Impact: System access Where: From remote Solution Status: Unpatched OS: Microsoft Windows 2000 Advanced Server Microsoft Windows 2000 Datacenter Server Microsoft Windows 2000 Professional Microsoft Windows 2000 Server Microsoft Windows XP Home Edition Microsoft Windows XP Professional CVE reference: CVE-2006-2297 (Secunia mirror) This advisory is currently marked as unpatched! - Companies can be alerted when a patch is released! Description: Rubén Santamarta has discovered a vulnerability in Microsoft Windows, which potentially can be exploited by malicious people to compromise a user's system. The vulnerability is caused due to a boundary error in the Infotech Storage System Library (itss.dll) when reading a ".CHM" file. 
This can be exploited to cause heap corruption and may allow arbitrary code execution via a specially crafted ".CHM" file. Successful exploitation requires that the user is e.g. tricked in opening or decompiling a malicious ".CHM" file using "hh.exe". The vulnerability has been confirmed in Windows XP SP2 (fully patched) and also reported in Windows 2000 SP4. Other versions may also be affected. NOTE: The CHM file format should be considered insecure and treated similar to an executable file. However, this vulnerability is triggered even when the user decompiles the file without opening it. Solution: The vulnerability will reportedly be fixed in the next Service Pack. Do not open or decompile untrusted ".CHM" files. Provided and/or discovered by: Rubén Santamarta Changelog: 2006-05-11: Added CVE reference. Original Advisory: http://reversemode.com/index.php?opti...&t...&id=11&Itemid=1 Vendor Microsoft Product Link View Here (Link to external site) Affected By 182 Secunia advisories Unpatched 12% (21 of 182 Secunia advisories) Most Critical Unpatched The most severe unpatched Secunia advisory affecting Microsoft Windows 2000 Professional, with all vendor patches applied, is rated Moderately critical http://secunia.com/product/22/?task=advisories Vendor Microsoft Product Link N/A Affected By 218 Secunia advisories Unpatched 14% (30 of 218 Secunia advisories) Most Critical Unpatched The most severe unpatched Secunia advisory affecting Microsoft Windows XP Professional, with all vendor patches applied, is rated Moderately critical Now that we have seen overall vulnerabilities in XP Professional and 2000 Professional as well as others let us compare Windows Vista to Windows 98 Second Edition: http://secunia.com/product/13223/ http://secunia.com/advisories/29867/ Microsoft Windows Privilege Escalation Vulnerability Secunia Advisory: SA29867 Release Date: 2008-04-18 Critical: Less critical Impact: Privilege escalation System access Where: From remote Solution Status: 
Unpatched OS: Microsoft Windows Server 2003 Datacenter Edition Microsoft Windows Server 2003 Enterprise Edition Microsoft Windows Server 2003 Standard Edition Microsoft Windows Server 2003 Web Edition Microsoft Windows Server 2008 Microsoft Windows Storage Server 2003 Microsoft Windows Vista Microsoft Windows XP Professional CVE reference: CVE-2008-1436 (Secunia mirror) This advisory is currently marked as unpatched! - Companies can be alerted when a patch is released! Description: A vulnerability has been reported in Microsoft Windows, which can be exploited by malicious users to compromise a vulnerable system. The vulnerability is caused due to an error allowing code running in the context of NetworkService and LocalService accounts to access resources in other processes running with the same privileges, but with the ability to elevate their privileges to LocalSystem. Successful exploitation allows execution of arbitrary code with LocalSystem privileges, but requires the ability to run code in an authenticated context e.g via IIS (when ASP.NET code runs in full trust or via ISAPI extensions/filters) and SQL Server (when having administrative privileges to load and run code). Solution: Microsoft recommends specifying a WPI (Worker Process Identity) for an application pool (please see the Microsoft advisory for details). Provided and/or discovered by: Reported by the vendor. Original Advisory: Microsoft (KB951306): http://www.microsoft.com/technet/security/...ory/951306.mspx Now, why this has not been patched yet is beyond me since the information was released on April 18, 2008 and we are now on September 1, 2008 so that is over 4 months old. 
The question I must ask everyone is what is going on over at Microsoft currently with it taking so long for Microsoft to release patches and now that Microsoft os's has been fully examined let us see the difference between IE and Mozilla Firefox shall we: http://secunia.com/product/12366/?task=advisories http://secunia.com/advisories/30141/ and here is yet another system access from IE 6 and IE 7 fully patched Secunia Advisory: SA30141 Release Date: 2008-05-14 Last Update: 2008-05-22 Critical: Less critical Impact: System access Where: From remote Solution Status: Unpatched Software: Microsoft Internet Explorer 6.x Microsoft Internet Explorer 7.x CVE reference: CVE-2008-2281 (Secunia mirror) This advisory is currently marked as unpatched! - Companies can be alerted when a patch is released! Description: Aviv Raff has discovered a vulnerability in Internet Explorer, which can be exploited by malicious people to compromise a user's system. Input passed via links within an HTML file is not being properly sanitised before being used to generate a printable HTML file. This can be exploited to inject arbitrary script code, which is executed in local context when a user is enticed to print a specially crafted HTML document with the "Print table of links" option enabled. Successful exploitation allows execution of arbitrary code. The vulnerability is confirmed in Internet Explorer 6 and 7 on a fully patched Windows XP SP2. Other versions may also be affected. Solution: Do not print HTML files from untrusted sources with the "Print table of links" option. Provided and/or discovered by: Aviv Raff Changelog: 2008-05-22: Added CVE reference. 
Original Advisory: http://aviv.raffon.net/2008/05/14/Int...tC...nerability.aspx

Are we starting to see a pattern, boys and girls and now let us see Mozilla Firefox http://secunia.com/product/12434/?task=advisories Vendor Mozilla Organization Product Link View Here (Link to external site) Affected By 26 Secunia advisories Unpatched 12% (3 of 26 Secunia advisories) Most Critical Unpatched The most severe unpatched Secunia advisory affecting Mozilla Firefox 2.0.x, with all vendor patches applied, is rated Less critical http://secunia.com/advisories/27907/ the worst I could find is cross-site scripting but thankfully no system access and now let us see Opera that people say is so great and it is okay but does not provide users with 256 bit AES encryption and as far as I know has only a maximum cipher strength of 128 bit and this is the same with Apple's Safari as well http://secunia.com/product/10615/ --- no current vulnerabilities but if adopted as much as Mozilla Firefox and IE then there will be most likely some found by hackers http://secunia.com/product/17989/?task=advisories the "so called" great Apple has vulnerabilities too in its web browser -- shocked not me --- I am not an Apple fan boy or girl and only use software I see that is not vulnerable or at least has minimal vulnerabilities http://secunia.com/product/96/?task=advisories http://secunia.com/advisories/18963/ (this one is extremely critical and only has a partial fix by Apple which puts Apple in worse shape than Microsoft's highly critical vulnerability that only has a partial fix)

Mac OS X File Association Meta Data Shell Script Execution Secunia Advisory: SA18963 Release Date: 2006-02-21 Last Update: 2006-03-14 Critical: Extremely critical Impact: System access Where: From remote Solution Status: Partial Fix OS: Apple Macintosh OS X CVE reference: CVE-2006-0848 (Secunia mirror) Description: Michael Lehn has discovered a vulnerability in Mac OS X, which can be exploited by malicious people to
compromise a user's system. The vulnerability is caused due to an error in the processing of file association meta data in ZIP archives (stored in the "__MACOSX" folder) and mail messages (defined via the AppleDouble MIME format). This can be exploited to trick users into executing a malicious shell script renamed to a safe file extension stored in a ZIP archive or in a mail attachment. This can also be exploited automatically via the Safari browser when visiting a malicious web site. Secunia has constructed a test, which can be used to check if your system is affected by this issue: http://secunia.com/mac_os_x_command_execut...erability_test/ The vulnerability has been confirmed on a fully patched system with Safari 2.0.3 (417.8), Mail 2.0.5 (746/746.2), and Mac OS X 10.4.5. Solution: Apply Security Update 2006-002. NOTE: The update does not completely fix the vulnerability as it is still possible to trick users into opening malicious shell scripts (masqueraded as a safe file type) in ZIP archives. Do not open files in untrusted archives. Provided and/or discovered by: Michael Lehn Changelog: 2006-02-22: Added link to US-CERT vulnerability note, and updated "Description" and "Solution" sections. 2006-02-27: Added CVE reference. 2006-03-02: Updated "Solution" section. 2006-03-03: Updated "Solution" section. 2006-03-14: Vendor issues Security Update 2006-002. Updated "Solution" section. Other References: US-CERT VU#999708: http://www.kb.cert.org/vuls/id/999708 Thus, you that say that I will just go with Apple and be safe and secure you can just Dream On because that is Just Not The Case Now, the real software to use is Ubuntu Linux because see this: http://secunia.com/product/18611/?task=advisories Vulnerability Report: Ubuntu Linux 8.04 Vendor Canonical Ltd. 
Product Link View Here (Link to external site) Affected By 30 Secunia advisories Unpatched 0% (0 of 30 Secunia advisories) Most Critical Unpatched There are no unpatched Secunia advisories affecting this product, when all vendor patches are applied.

Now, I know Fat 32 is not as secure as the NTFS file system but it does indeed lack the internal safety of disk operating system and makes it harder to recover from a hit because the system administrator can only go into a recovery console and or command.com prompt but no true maintenance operating system. Thus we return to my original argument about software being fully externally secure with NT source code of Vista, XP, 2000, NT, etc. and internally safe with Windows 9x kernel and disk operating system technology while using open source software within this closed source software to provide the ultimate software solution. The combination of closed source technologies and open source technologies will be the wave of the future. Heck, does anyone else understand yet that in my case I use Windows 98 Second Edition fully patched but containing drivers from Windows ME for my graphics card and drivers from Windows 2000 for my printer and use Mozilla Firefox 2.x fully updated for my browsing except when it is needed to use Internet Explorer and I just happily browse, surf and email to my heart's content while of course practicing safe browsing methods such as reading email in plain text, not allowing Windows Script Automation because I don't have Windows Scripting Host Installed because I specifically want everything to be manual. In addition, I notice that I no longer have Blue Screens of Death because apparently all of these were from poorly written software drivers from 3rd parties like Creative that did not understand at first how to program the drivers correctly.
The next big challenge I see for Windows 98 Second Edition is the end of 2008 when Mozilla supposedly will stop supporting Mozilla Firefox 2.x which will be the final web browser for Windows 98 Second Edition. Mozilla Firefox 3.x does not yet support too many extensions so I don't use it and also while supposedly being more secure is too new in my opinion to have proved itself because like I have mentioned before I am old school and like Gary S. Terhune, mvp do not like things to be automatically done for me and how great a thrill it is to go into the registry after having a registry backup of course and manually edit it because how many of you really trust an automatic tool to do what your brain will allow you to do with the proper study. Thank you all and to all a great night.

Secunia collects, validates, and verifies all vulnerability reports issued by security research groups, vendors, and others.

"Alun Jones" wrote:

> "Anteaus" <Anteaus@discussions.microsoft.com> wrote in message news:72493273-1D86-4C0F-A43B-DC859EF96246@microsoft.com...
> > The fundamental issue with the NT vulnerabilities is not strictly the fault of Microsoft coders, but is with the preceding code on which NT was based, which contained numerous unchecked buffers. It's a failing of the C language with its lack of any checks on variable bounds, and which therefore requires the coder to perform the near-impossible task of setting traps for every way in which the program could be presented with oversize data. The majority of NT exploits operate on the crude principle of over-filling a data buffer to the point where the data over-writes an adjacent piece of machine-code in memory. The next time this code runs, your Trojan gets launched. The failing here is in the programming-language itself not providing any protection against this kind of exploit.
>
> No, it's in the programmers and designers who used this programming language for networked applications without taking appropriate protections.
>
> I've said it before, and I'll repeat it once more:
>
> Writing network code is hard, because you only get to write one half of the application. And the guy writing the other half may very well be a lunatic who's out to abuse your code, or he may simply be an idiot who didn't understand the specifications the same way you did.
>
> Either way, you have to write network-capable code differently from standalone code.
>
> Of course, the same should be said of any code that takes input from any source other than itself, whether that's through reading files on the hard drive, reading key-strokes from the user or mouse movements.
>
> > It is also perfectly true that Windows 9x is a far more secure OS. In fact, its main weakness is in having Internet Explorer built-in. Without that attack-vector it is surprisingly hard to exploit.
>
> That's an astonishing claim, and I'd really like to see you back it up.
>
> While it is certainly true that Windows 95, 98 and ME were running fewer servers / services, there are other factors working against it:
> 1. Much of the underlying code was written with the understanding that it was not going to be networked - NT code was written with networking in mind from day one, so it considered the concept that unwanted data might be coming in.
> 2. Windows 9x used FAT as the underlying file system, which has very weak protection - the most you can do is mark a file read-only, hidden, or system, and even then, every user on the system has complete access to remove that marking. NT had the concept of users and groups built into its file system, NTFS, allowing you to mark system files and important applications or data such that only authorised user accounts can access them.
> 3. Any user can install a driver or an application in Windows 9x; in NT, only an administrator can do so.
>
> Applying new source code blindly is not going to solve the problems. Improving the source code based on the lessons learned from old mistakes - that's what will fix things, whether it's done through completely new code, or a rewrite or modification of the old code.
>
> Alun.
> ~~~~
> --
> Texas Imperial Software | Web: http://www.wftpd.com/
> 23921 57th Ave SE | Blog: http://msmvps.com/alunj/
> Woodinville WA 98072-8661 | WFTPD, WFTPD Pro are Windows FTP servers.
> Fax/Voice +1(425)807-1787 | Try our NEW client software, WFTPD Explorer.
Guest Paul Adare - MVP Posted September 1, 2008

On Mon, 1 Sep 2008 03:44:01 -0700, Dan wrote:

> Warning: this is a super-long post and may contain some repetition because of the hour that it was composed -- thank you so much for your kindness and support
>
> Here is more evidence --- Note copy and copy so code is contained in post

You really don't get it do you? Posting 5 year security advisories is pointless and I can find a ton of really old security advisories that apply to Windows 98 that don't apply to XP, Windows 2000 (which is pointless anyway given its age) or Vista. You're not proving anything to anyone here sport. If you want to use an old, unsupported OS, go right ahead, be my guest, but do not presume to come into this news group, which is frequented by a bunch of real security experts who have forgotten more about computer security than you'll ever learn and try to make the case that 98 is more secure than XP, Vista, Server 2003 or 2008. Why don't you just go away?

--
Paul Adare
MVP - Identity Lifecycle Manager
http://www.identit.ca
Never trust a computer you can't lift. -- Stan Masor
Guest Dan Posted September 1, 2008

No thanks but thanks for your opinion anyway, Paul

"Paul Adare - MVP" wrote:

> On Mon, 1 Sep 2008 03:44:01 -0700, Dan wrote:
>
> > Warning: this is a super-long post and may contain some repetition because of the hour that it was composed -- thank you so much for your kindness and support
> >
> > Here is more evidence --- Note copy and copy so code is contained in post
>
> You really don't get it do you? Posting 5 year security advisories is pointless and I can find a ton of really old security advisories that apply to Windows 98 that don't apply to XP, Windows 2000 (which is pointless anyway given its age) or Vista. You're not proving anything to anyone here sport. If you want to use an old, unsupported OS, go right ahead, be my guest, but do not presume to come into this news group, which is frequented by a bunch of real security experts who have forgotten more about computer security than you'll ever learn and try to make the case that 98 is more secure than XP, Vista, Server 2003 or 2008. Why don't you just go away?
>
> --
> Paul Adare
> MVP - Identity Lifecycle Manager
> http://www.identit.ca
> Never trust a computer you can't lift. -- Stan Masor
Guest Paul Adare - MVP Posted September 1, 2008

On Mon, 1 Sep 2008 05:46:00 -0700, Dan wrote:

> No thanks but thanks for your opinion anyway, Paul

Then I guess I'll just have to keep on pointing out how ridiculous your position is and how little you really know. I can't believe you were cc'ing US-Cert on every email you sent to Steve Riley. I can just picture the scene in their office when one of your emails comes in. "Hey, everyone gather around for a laugh, we got another email from Dan." Followed by uproarious laughter and head shaking.

--
Paul Adare
MVP - Identity Lifecycle Manager
http://www.identit.ca
The world is coming to an end... SAVE YOUR BUFFERS!!
Guest Dan Posted September 1, 2008

:-) --- just you wait and see the future, Paul . . . :-o

"Paul Adare - MVP" wrote:

> On Mon, 1 Sep 2008 05:46:00 -0700, Dan wrote:
>
> > No thanks but thanks for your opinion anyway, Paul
>
> Then I guess I'll just have to keep on pointing out how ridiculous your position is and how little you really know. I can't believe you were cc'ing US-Cert on every email you sent to Steve Riley. I can just picture the scene in their office when one of your emails comes in. "Hey, everyone gather around for a laugh, we got another email from Dan." Followed by uproarious laughter and head shaking.
>
> --
> Paul Adare
> MVP - Identity Lifecycle Manager
> http://www.identit.ca
> The world is coming to an end... SAVE YOUR BUFFERS!!
Guest FromTheRafters Posted September 1, 2008

I'll be safe with my rock-solid WFW311 - haven't seen an advisory or attack against it for years now. :D

"Dan" <Dan@discussions.microsoft.com> wrote in message news:D733AA08-94AB-4669-AE96-6B943A845909@microsoft.com...

> :-) --- just you wait and see the future, Paul . . . :-o
>
> "Paul Adare - MVP" wrote:
>
> > On Mon, 1 Sep 2008 05:46:00 -0700, Dan wrote:
> >
> > > No thanks but thanks for your opinion anyway, Paul
> >
> > Then I guess I'll just have to keep on pointing out how ridiculous your position is and how little you really know. I can't believe you were cc'ing US-Cert on every email you sent to Steve Riley. I can just picture the scene in their office when one of your emails comes in. "Hey, everyone gather around for a laugh, we got another email from Dan." Followed by uproarious laughter and head shaking.
> >
> > --
> > Paul Adare
> > MVP - Identity Lifecycle Manager
> > http://www.identit.ca
> > The world is coming to an end... SAVE YOUR BUFFERS!!
Guest Dan Posted September 2, 2008

So, you disagree with Chris Quirke, mvp's argument about the internal safety of 9x and how in my own experience the internal safety of Windows 98 Second Edition prevented the hacker from accessing Windows 98 Second Edition after the hacker had broken through the APS Intranet, fully hacked XP Professional SP 2 fully updated in September 2007 but could only cause a Denial of Service error in Windows 98 Second Edition. Chris Quirke's argument is right about XP and Vista having external security compared to the 9x's internal safety due to having less services, not being made to be remotely connected to the outside world and being made for consumers as a stand-alone operating system.

Dan W.

Note: all the external security in the world will not fix the underlying source code and programming language of a foundation that is not built upon the rock but built upon the sand and so when the storms (internet attacks) come go ahead and do a test and put in unpatched Windows XP Professional computer and an unpatched Windows 98 Second Edition computer and see which lasts longer and then put both computers fully patched and try to allow them to be remotely broken into without any firewalls enabled and see which one is truly the better operating system. ---- Food For Thought to get People's Minds Thinking again

"FromTheRafters" wrote:

> "Anteaus" <Anteaus@discussions.microsoft.com> wrote in message news:72493273-1D86-4C0F-A43B-DC859EF96246@microsoft.com...
> >
> > The fundamental issue with the NT vulnerabilities is not strictly the fault of Microsoft coders, but is with the preceding code on which NT was based, which contained numerous unchecked buffers.
>
> Due to poorly written source code, or faults in the compiler used for the translation.
>
> > It's a failing of the C language with its lack of any checks on variable bounds, and which therefore requires the coder to perform the near-impossible task of setting traps for every way in which the program could be presented with oversize data.
>
> Not too difficult, really. Input subroutines that truncate the data to fit the buffer.
>
> > The majority of NT exploits operate on the crude principle of over-filling a data buffer to the point where the data over-writes an adjacent piece of machine-code in memory. The next time this code runs, your Trojan gets launched.
>
> Something like that.
>
> > The failing here is in the programming-language itself not providing any protection against this kind of exploit.
>
> http://en.wikipedia.org/wiki/Type_safety
>
> This is somewhat backward. Type safety attempts to avoid errors the programmer is likely to make - it is not the language at fault it is the error prone human, or sometimes the compiler itself can introduce flaws.
>
> http://www.cigital.com/news/index.php?pg=art&artid=70
>
> > It is also perfectly true that Windows 9x is a far more secure OS.
>
> Wrong, compared to modern OSes Win9x had no security at all. In fact, even compared to its contemporaries it had no security.
>
> > In fact, its main weakness is in having Internet Explorer built-in. Without that attack-vector it is surprisingly hard to exploit.
>
> This is just wrong. Although IE was a major vector of attack, the result of successfully attacking IE's low hanging fruit was often complete control of the machine - a fault of the OS's security model.
>
> > "Dan" wrote:
>
> Something...using the words, but not speaking the language.
>
> [snipped]
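The bug class argued over in the posts above (Anteaus's "unchecked buffers", FromTheRafters's "input subroutines that truncate the data to fit the buffer", and the integer overflow leading to a heap overflow described in the SA13645 text pasted earlier) can be shown in a short C sketch. This is an added example, not code from any poster or from Microsoft; the `img_header` layout, the 64 MiB limit and all function names are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical image header (illustrative only, not a real file format). */
struct img_header {
    uint32_t width;
    uint32_t height;
    uint32_t bytes_per_pixel;
};

/* Assumed policy limit on decoded pixel data: 64 MiB. */
#define MAX_PIXEL_BYTES (64u * 1024u * 1024u)

/* Unchecked form: the 32-bit product wraps silently, so a header that
 * describes gigabytes of pixels can yield a small allocation size. */
static uint32_t unchecked_pixel_bytes(const struct img_header *h)
{
    return h->width * h->height * h->bytes_per_pixel;
}

/* Checked form: returns 0 with the size in *out, or -1 if the header is
 * implausible or the size exceeds the policy limit. */
static int checked_pixel_bytes(const struct img_header *h, size_t *out)
{
    uint64_t pixels;

    if (h->width == 0 || h->height == 0)
        return -1;
    if (h->bytes_per_pixel == 0 || h->bytes_per_pixel > 4)
        return -1;
    pixels = (uint64_t)h->width * h->height;   /* cannot wrap in 64 bits */
    if (pixels > MAX_PIXEL_BYTES / h->bytes_per_pixel)
        return -1;
    *out = (size_t)(pixels * h->bytes_per_pixel);
    return 0;
}

/* Copy pixel data out of an untrusted file image. The copy length is the
 * validated size, and the input must actually contain that many bytes. */
static unsigned char *load_pixels(const struct img_header *h,
                                  const unsigned char *data, size_t data_len,
                                  size_t *out_len)
{
    size_t need;
    unsigned char *buf;

    if (checked_pixel_bytes(h, &need) != 0 || data_len < need)
        return NULL;
    buf = malloc(need);
    if (buf == NULL)
        return NULL;
    memcpy(buf, data, need);
    *out_len = need;
    return buf;
}

/* Input routine that truncates to fit the destination. Always
 * NUL-terminates when dst_size > 0, returns the bytes stored and
 * reports truncation so the caller can reject the input. */
static size_t copy_truncated(char *dst, size_t dst_size,
                             const char *src, size_t src_len, int *truncated)
{
    size_t n;

    if (dst_size == 0) {
        *truncated = (src_len > 0);
        return 0;
    }
    n = (src_len < dst_size - 1) ? src_len : dst_size - 1;
    memcpy(dst, src, n);
    dst[n] = '\0';
    *truncated = (n < src_len);
    return n;
}

int main(void)
{
    /* Constructed inputs, not taken from any real file. */
    struct img_header hostile = { 0x4001u, 0x10000u, 4u };
    struct img_header tiny = { 2u, 2u, 3u };
    unsigned char pixels[12] = { 0 };
    char name[8];
    size_t need = 0, got = 0;
    int cut = 0;
    unsigned char *buf;

    printf("unchecked size: %u bytes\n",
           (unsigned)unchecked_pixel_bytes(&hostile));
    printf("checked result: %d\n", checked_pixel_bytes(&hostile, &need));
    buf = load_pixels(&tiny, pixels, sizeof pixels, &got);
    printf("tiny image: %s, %lu bytes\n",
           buf ? "loaded" : "rejected", (unsigned long)got);
    free(buf);
    got = copy_truncated(name, sizeof name, "ABCDEFGHIJKL", 12, &cut);
    printf("stored \"%s\" (%lu bytes, truncated=%d)\n",
           name, (unsigned long)got, cut);
    return 0;
}
```

Truncation prevents the overwrite but changes the data, so callers that depend on the full value should treat the `truncated` flag as an error rather than continue with a shortened string.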
Guest Dan Posted September 2, 2008

:-)

"FromTheRafters" wrote:

> I'll be safe with my rock-solid WFW311 - haven't seen an advisory or attack against it for years now. :D
>
> "Dan" <Dan@discussions.microsoft.com> wrote in message news:D733AA08-94AB-4669-AE96-6B943A845909@microsoft.com...
> > :-) --- just you wait and see the future, Paul . . . :-o
> >
> > "Paul Adare - MVP" wrote:
> >
> > > On Mon, 1 Sep 2008 05:46:00 -0700, Dan wrote:
> > >
> > > > No thanks but thanks for your opinion anyway, Paul
> > >
> > > Then I guess I'll just have to keep on pointing out how ridiculous your position is and how little you really know. I can't believe you were cc'ing US-Cert on every email you sent to Steve Riley. I can just picture the scene in their office when one of your emails comes in. "Hey, everyone gather around for a laugh, we got another email from Dan." Followed by uproarious laughter and head shaking.
> > >
> > > --
> > > Paul Adare
> > > MVP - Identity Lifecycle Manager
> > > http://www.identit.ca
> > > The world is coming to an end... SAVE YOUR BUFFERS!!
Guest FromTheRafters Posted September 2, 2008

"Dan" <Dan@discussions.microsoft.com> wrote in message news:7BD91B82-79F9-4332-9CD5-C7AF0A387746@microsoft.com...

> So, you disagree with Chris Quirke, mvp's argument about the internal safety of 9x

I would have to read it first, and then perhaps I might disagree with Chris (I have in the past) - but more likely I would find his opinion to be sound and only your interpretation of his opinion to be unsound.

> and how in my own experience the internal safety of Windows 98 Second Edition prevented the hacker from accessing Windows 98 Second Edition after the hacker had broken through the APS Intranet, fully hacked XP Professional SP 2 fully updated in September 2007 but could only cause a Denial of Service error in Windows 98 Second Edition.

Could be merely a worm assisted hack, and the worm wasn't written for Win98SE. It doesn't mean Win98SE is or was more secure than XP Pro SP2

> Chris Quirke's argument is right about XP and Vista having external security compared to the 9x's internal safety due to having less services, not being made to be remotely connected to the outside world and being made for consumers as a stand-alone operating system.

Absolutely, isolationism improves security. You can isolate any OS and attain the same level of security. Strictly speaking, most of these things are external to the operating system. I think Chris' main gripe about MS OSes since Win98 is the lack of what he calls a "Maintenance Operating System". At least with Win9x you could use DOS to fully access the file system, while the "Recovery Console" left much to be desired in functionality. I understand that Vista's replacement for the "Recovery Console" has more functionality than the ones in the previous OSes. I use PE disks anyway, so I haven't played around with Vista's new tool.

[snip]
Guest Dan Posted September 3, 2008

Thank you for your feedback and yes you do make some good points. It makes one wonder if all that Windows 7 will have is another recovery console and not a maintenance operating system like DOS in Windows 98 Second Edition. I think we may all indeed have to wait for the operating system after Windows 7 in order for there to be a true breakthrough. It seems to me that Windows 7 will offer some nice new features but nothing extraordinary yet. I hope Microsoft can prove me wrong on Windows 7.

"FromTheRafters" wrote:

> "Dan" <Dan@discussions.microsoft.com> wrote in message news:7BD91B82-79F9-4332-9CD5-C7AF0A387746@microsoft.com...
> > So, you disagree with Chris Quirke, mvp's argument about the internal safety of 9x
>
> I would have to read it first, and then perhaps I might disagree with Chris (I have in the past) - but more likely I would find his opinion to be sound and only your interpretation of his opinion to be unsound.
>
> > and how in my own experience the internal safety of Windows 98 Second Edition prevented the hacker from accessing Windows 98 Second Edition after the hacker had broken through the APS Intranet, fully hacked XP Professional SP 2 fully updated in September 2007 but could only cause a Denial of Service error in Windows 98 Second Edition.
>
> Could be merely a worm assisted hack, and the worm wasn't written for Win98SE. It doesn't mean Win98SE is or was more secure than XP Pro SP2
>
> > Chris Quirke's argument is right about XP and Vista having external security compared to the 9x's internal safety due to having less services, not being made to be remotely connected to the outside world and being made for consumers as a stand-alone operating system.
>
> Absolutely, isolationism improves security. You can isolate any OS and attain the same level of security. Strictly speaking, most of these things are external to the operating system. I think Chris' main gripe about MS OSes since Win98 is the lack of what he calls a "Maintenance Operating System". At least with Win9x you could use DOS to fully access the file system, while the "Recovery Console" left much to be desired in functionality. I understand that Vista's replacement for the "Recovery Console" has more functionality than the ones in the previous OSes. I use PE disks anyway, so I haven't played around with Vista's new tool.
>
> [snip]
Guest George Ellis Posted September 4, 2008

Your first incorrect assumption is that Wikipedia is a complete and correct source of information. Wiki is only as good as those that control the editing and in some places it is extremely biased.

I am sure there are code segments plagiarized from the original NT codebase. But... to support Vista's 32/64 bit variants and the new security models, all of that plagiarized code has been modified to possibly something unrecognizable from the original. Just because it is written down or in the newspaper does not make it true.

"Dan" <Dan@discussions.microsoft.com> wrote in message news:22B13749-E86E-4E83-B1DC-AA66C4D11131@microsoft.com...

> Here is an article about how the NT source code was leaked and apparently even DOS source code was leaked back in the day but no one cared because it was so old. I now ask Microsoft how long will it be before Microsoft has new operating systems with new source code. Wikipedia mentions Windows 7 will use the Windows NT source code much to my dismay. How about the successor to Windows 7 will people finally get an operating system with new source code that will be a relief from the tired out code that has caused so many security problems.
>
> http://news.bbc.co.uk/1/hi/technology/3485545.stm
>
> http://en.wikipedia.org/wiki/Windows_7
Guest Dan Posted September 5, 2008

Thank you, George, for your feedback. Now, at Microsoft, wasn't there some project that is being kept under wraps in a separate department that is quietly at work developing a new source code? I thought I read something about it back in July of 2008, but there was only a small amount of data on the topic and I have even forgotten the name of the new source code. Can anyone please refresh my memory?

"George Ellis" wrote:

> Your first incorrect assumption is that Wikipedia is a complete and correct source of information. Wiki is only as good as those that control the editing and in some places it is extremely biased.
>
> I am sure there are code segments plagiarized from the original NT codebase. But... to support Vista's 32/64 bit variants and the new security models, all of that plagiarized code has been modified to possibly something unrecognizable from the original. Just because it is written down or in the newspaper does not make it true.
>
> "Dan" <Dan@discussions.microsoft.com> wrote in message news:22B13749-E86E-4E83-B1DC-AA66C4D11131@microsoft.com...
>
> > Here is an article about how the NT source code was leaked and apparently even DOS source code was leaked back in the day but no one cared because it was so old. I now ask Microsoft how long will it be before Microsoft has new operating systems with new source code. Wikipedia mentions Windows 7 will use the Windows NT source code much to my dismay. How about the successor to Windows 7 will people finally get an operating system with new source code that will be a relief from the tired out code that has caused so many security problems.
> >
> > http://news.bbc.co.uk/1/hi/technology/3485545.stm
> >
> > http://en.wikipedia.org/wiki/Windows_7
Guest Root Kit Posted September 5, 2008

On Thu, 4 Sep 2008 22:02:01 -0700, Dan <Dan@discussions.microsoft.com> wrote:

> Can anyone please refresh my memory?

You need an entire reality check. A simple memory refresh won't do it for you.
Guest ~BD~ Posted September 5, 2008

C'mon - be nice!

Dave

--

"Root Kit" <b__nice@hotmail.com> wrote in message news:nin1c4ha4j8ubntct8fpimu2g6o3rvncu7@4ax.com...

> On Thu, 4 Sep 2008 22:02:01 -0700, Dan <Dan@discussions.microsoft.com> wrote:
>
> > Can anyone please refresh my memory?
>
> You need an entire reality check. A simple memory refresh won't do it for you.