Today an extremely serious vulnerability in Windows was announced. ALL Windows XP users should apply this patch immediately. Anyone using Windows ME or Windows 98 that has installed the Universal Plug and Play service or is using Internet Connection Sharing should also install this patch immediately.

Microsoft classifies this vulnerability as "critical" and states that it's the worst vulnerability ever discovered for Windows. A remote attacker can obtain complete control over the victim's computer without having to use a password or any type of access method.

The vulnerability does not affect Windows 2000.

Detailed info: http://www.eeye.com/html/Research/Advisories/AD20011220.html
MS's Info and link to patch: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security
/bulletin/MS01-059.asp

Sean

The vulnerability does not affect Windows 2000.

But yet 2000 does have uPnP support. I have two theories on this one. Either there is a glitch, and they just havn't patched and announced it yet, or the crappy 98 team did a good portion of XP. If it's the second reason, it's why I will stick with 2000.

If I understand the issue correctly, the bug only exists in the XP version of UPNP. For instance, it's only a problem on 98 if you have installed the UPNP drivers from the XP disc. I could be wrong about this, but that was the impression I got from a quick skim of the article.

You know, all these unchecked buffer vulnerabilities piss me off. If C had originally been designed with a proper String data type to begin with, then none of these bugs would have ever happened.

the bug only exists in the XP version of UPNP.

Customers using Microsoft® Windows® ME or XP, or who have installed the Windows XP Internet Connection Sharing client on Windows 98 or 98SE.

From the above quote from Microsoft (and looking at their technical details), it sounds like it's part of the ICS, and uPnP is part of it. For some reason it only affects 98 if the ICS client was installed from an XP server. SE did ship with ICS, so aparently whatever changes were made to it when it went to ME is where the problem occured. ME shipped by default with nothing on that would use it, but XP does.

2000's ICS was completly different in that it was more NAT based compaired to the 98/ME/XP solutions.

If C had originally been designed with a proper String data type to begin with, then none of these bugs would have ever happened.

I think that's placing the blame with the hammer instead of with the carpenter. There are functions in the standard C libraries that deal correctly with buffer overflows for almost all of the ``standard'' string functions, but programmers are either too lazy to use them or too lazy to know that they're there.

Besides, isn't MS Windows' system language C++, anyway? There is a standard string data type in C++.

I think that's placing the blame with the hammer instead of with the carpenter.

True. But the problem with C programming is that there's no easy way to tell the bad carpenters from the good ones. If C had been designed with bounds-checked strings from the beginning, it would have protected us from a lot of collapsed buildings. There's the old saying: If architects made buildings the way programmers write software, the first termite would have destroyed civilization.

I can't count the number of protections faults I've seen in Windows that can be traced down to bad string handling in a sloppy piece of C code. I'm even responsible for some of those instances. I understand why programmers sometimes get sloppy in that area, because I've been in that situation myself.

If C had originally been designed with a proper String data type to begin with, then none of these bugs would have ever happened

Baah. That is like saying assembly should have a proper string data type. Different languages are designed for different situations and types of programmers. If a programmer can't deal with their buffers properly they should be programming in a language that handles those details for them (java for example). This bug should be blamed on the appropriate party, MS. You can't blame the language for bad programming or bad QA. C is meant to be relatively lightweight and fast, if MS can't handle the tradeoffs of speed vs ease of programming that is their problem not the language designers.

-Mike

Besides, isn't MS Windows' system language C++, anyway?

No. Parts of GDI (the graphics primitives) are written in C++. The bulk of WinNT is still written in C.

The odd thing is that, at least to me, almost everything you said in that reply supports my assertion that it's the programmer's fault.