Patch will fix a security hole in the OS's messaging hub that can brick Windows Phones

While no known exploits are currently in the wild, Microsoft Corp.'s (MSFT) smartphone OS du jour, Windows Phone, reportedly has a whopper of a security flaw in its messaging hub application. The flaw allows a malicious attacker to use malformed messages to not only brick the phone, but to semi-permanently kill the messaging hub, even in a salvage scenario.

Microsoft was pretty proactive on this one, it appears. Within days of the story hitting the press, it had contacted the hacker/security-expert who discovered the flaw -- Khaled Salameh -- and set to work determining the extent of the problem and diagnosing it.

Now Mr. Salameh reports via Twitter that Microsoft has told him it believes it fully understands the problem and is testing a patch. By the sound of it, that patch could be just days away from going live.

It's nice to see Microsoft taking such a proactive approach, particularly for a flaw that isn't even being actively exploited in the wild yet. But that's not exactly surprising -- unlike some companies that try to dupe their customers into a false sense of security, Microsoft has been leading the way in terms of pushing hard to respond quickly to threats and being honest in its threat disclosure policy.

Source: Twitter (Khaled Salameh)

Excuse me?
By Articuno on 12/29/11, Rating: -1
RE: Excuse me?
By x10Unit1 on 12/29/2011 5:59:07 PM , Rating: 2
Have you ever done any sort of programming before? It is not as easy as you think.

RE: Excuse me?
By mcnabney on 12/30/11, Rating: 0
RE: Excuse me?
By spread on 12/31/2011 11:38:09 AM , Rating: 2
More people don't mean faster work. For a tiny fix like this one person needs to look over the code and find the mess. Then once they do, they fix it and send it over to testing and retesting and retesting to make sure it's stable.

Tell me, if you had all the money and all the people can YOU get this fixed in a day? No. Some things take time because they can't be worked in parallel. Can't put a roof on the house until the foundation dries.

RE: Excuse me?
By mcnabney on 12/31/2011 12:44:48 PM , Rating: 1
The FIX itself can be made in an hour. What takes time is TESTING, and that is the one thing in software where having tons of people and money to blast through it does speed things up considerably.

RE: Excuse me?
By Flunk on 1/2/2012 2:10:10 PM , Rating: 2
Actually not quite, you missed the first step. You have to find out why it's happening first, that could take days. Emergent behaviour is often difficult to find the cause for. It's not like they designed it to do this and can just go to that section of code and turn it off.

You clearly don't know very much about software engineering.

RE: Excuse me?
By ICBM on 12/29/2011 6:02:48 PM , Rating: 5
I think you missed the point, and that is another well known, leading manufacturer ignores these threats, kicks people that find them out of their developer programs, and then proceeds to sue them for finding the problem. Where Microsoft may have taken 2 weeks, they have acknowledged the issue and are working on a fix.

Yes it is expected. Thank you Microsoft for meeting our expectations.

RE: Excuse me?
By Adam M on 12/29/2011 7:25:33 PM , Rating: 2
Having used various Microsoft products for years, I know to expect any number of issues, some large security issues included. Of course they have always been pretty on top of patching those exploits. I am glad to see that they not only accept fault but they are proactive in finding a solution. In this case the flaw may not be in the wild but they are still moving to correct it. It seems more companies need to be just as willing to acknowledge their issues and willing to correct it as well.

RE: Excuse me?
By spread on 12/29/2011 6:14:24 PM , Rating: 2
The fact that it took more than two weeks for them to acknowledge the flaw even exists is disgusting.

Complains about people not working during Christmas vacation. Why aren't you at work? WORK HARDER. THIS IS NO TIME FOR HOLIDAY Articuno.

RE: Excuse me?
By Samus on 12/30/2011 1:55:21 AM , Rating: 2
Bill Gates said 10 years ago when Windows XP came out that it would be the most continually updated operating system to date. He was right. Over 900 patches and hotfixes were released for it across three huge service packs, all free. Apple simply charges you to upgrade OSX through every version, each of which receives under 10 updates.

OSX is inherently secure because of its *nix roots, but as it becomes more mainstream, it will become more targeted, and Apple needs to change their internal security policies to reflect that before it blows up in their face.

RE: Excuse me?
By TakinYourPoints on 12/30/2011 6:09:38 AM , Rating: 1
OS X doesn't have security updates as often simply because it isn't nearly as big a target as Windows. That said, security updates do happen much more often than the ten per major OS update. For example, if there is a major security issue then there will be a separate security update in between 10.6.2 and 10.6.3. Security updates aren't just limited to the major point updates.

Having gone through Windows updates since 2.0 and OS X updates since only 10.2, I can say that the paid-for OS X updates are just as significant or sometimes larger than what I've done with Windows. The move from 10.3 to 10.4 for example was more significant than the move from XP to Vista. The significance (or the lack thereof) of OS X updates is a separate point, but a common and false one that your post was inferring.

You are absolutely correct that their security updates will have to be more frequent, Mac Defender was proof of that.

RE: Excuse me?
By Reclaimer77 on 12/30/2011 1:06:55 PM , Rating: 2
Curious, Takin, that you haven't posted about the issue with Windows phone and the fact that it can become bricked through a serious flaw. You're always singing the praises of WP7 and claiming Android is "garbage". Care to show some accountability and impartiality and comment on this article?

RE: Excuse me?
By Alexvrb on 12/30/2011 8:25:15 PM , Rating: 2
I know where you're coming from, but for what it's worth:

They acknowledged the flaw, reproduced it, and are working to release a fix as soon as possible. Pushing out phone updates isn't quite as easy as it is for a desktop OS. But they still got on it immediately, despite the fact that this is NOT a flaw in the wild. They didn't wait for the flaw to become a widely known exploit, they didn't throw the guy out of their developer community. In fact they have remained in touch with him and have kept him posted.

I'm not sure how they could have handled this any better. But I'm sure that as a Level 10 Master of Impartial Accountability you could have done better. ;-)

RE: Excuse me?
By Reclaimer77 on 12/31/2011 11:26:40 PM , Rating: 2
What's with the reading comprehension around here lately? I'm not criticizing Microsoft at all. You show me an utterly perfect hardware/software combination, and I have some ocean front property with a bridge to sell you.

My point is simply Takin and his willingness to gloss over Windows phone and iOS issues, while attempting to tar and feather Android for the same thing. If this article were exactly the same, except it being about an Android flaw, he would be standing on his milk carton screaming about what a "garbage" platform the OS is.

RE: Excuse me?
By Cheesew1z69 on 1/1/2012 11:02:12 AM , Rating: 2
If this article were exactly the same, except it being about an Android flaw, he would be standing on his milk carton screaming about what a "garbage" platform the OS is.

RE: Excuse me?
By TakinYourPoints on 12/30/2011 8:38:31 PM , Rating: 2
There is an issue with Windows Phone 7 that is being addressed, how dare it wasn't perfect in the first place!

You crack me up

RE: Excuse me?
By Reclaimer77 on 12/31/2011 10:08:03 AM , Rating: 2
I'm not flaming Windows phone for having issues. I'm well aware that these things can and do happen.

You've totally deflected my point, however. In that every software issue with Android is more proof of its "garbage" status in your mind, while Microsoft and Apple get a free pass.

That's how you post. Sorry if the truth hurts, but you have a serious double standard.
