On Tue, 25 Nov 2008 03:07:49 EST, "Randal T. Rioux" said: > On Tue, November 25, 2008 1:44 am, Memisyazici, Aras wrote: > <SSNNIIPP> > > OK... Maybe I'm going a bit extreme, but WTH?! Am I the only one who is > > interpreting this, this way? Really? When has releasing a solution to a > > problem 7 years later ever been acceptable? > > May not be acceptable, but it is standard practice with some "software" > companies. That, plus Russ didn't even bother to read the fine article: "And to be clear, the impact would have been to render many (or nearly all) customers' network-based applications then inoperable. For instance, an Outlook 2000 client wouldn't have been able to communicate with an Exchange 2000 server. I know the users Russ supports - we'd have needed a body bag for him if he had chosen that route rather than "not cause a significant impact". This wasn't a buffer overflow, the problem was that the NTLM protocol was screwed up by design - and fixing a protocol bug is usually a *lot* more painful. If you read between the lines of the article, it appears that MS added support for a fixed protocol back in XP SP2, and has decided that the number of pre-SP2 systems out there talking to updated systems has grown small enough that it's finally practical to flip the switch. That's pretty much the only way to change a protocol without a flag-day cutover - ship dual-stack during a transition, and then flip the switch when few enough old-style machines are left. Let's face it - the number of systems that have gotten compromised via SMBRelay attacks is *far* smaller than the number of boxes pwned just because they have IE installed and a user at the keyboard. The number of systems pwned via SMBRelay is *also* a lot smaller than the number of boxes that would have broken if Microsoft had "fixed" things the way Russ apparently wanted them to.
Attachment:
pgpOzxuGt6_Wk.pgp
Description: PGP signature
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/