I think in that effect they didn't feel they had to put the resources in to fix it because it wasn't worth the money.
On Tue, Nov 25, 2008 at 11:11 AM, <[EMAIL PROTECTED]> wrote: > On Tue, 25 Nov 2008 03:07:49 EST, "Randal T. Rioux" said: > > On Tue, November 25, 2008 1:44 am, Memisyazici, Aras wrote: > > <SSNNIIPP> > > > OK... Maybe I'm going a bit extreme, but WTH?! Am I the only one who is > > > interpreting this, this way? Really? When has releasing a solution to a > > > problem 7 years later ever been acceptable? > > > > May not be acceptable, but it is standard practice with some "software" > > companies. > > That, plus Russ didn't even bother to read the fine article: > > "And to be clear, the impact would have been to render many (or nearly all) > customers' network-based applications then inoperable. For instance, an > Outlook > 2000 client wouldn't have been able to communicate with an Exchange 2000 > server. > > I know the users Russ supports - we'd have needed a body bag for him if > he had chosen that route rather than "not cause a significant impact". > > This wasn't a buffer overflow, the problem was that the NTLM protocol was > screwed up by design - and fixing a protocol bug is usually a *lot* more > painful. If you read between the lines of the article, it appears that MS > added support for a fixed protocol back in XP SP2, and has decided that the > number of pre-SP2 systems out there talking to updated systems has grown > small > enough that it's finally practical to flip the switch. That's pretty much > the > only way to change a protocol without a flag-day cutover - ship dual-stack > during a transition, and then flip the switch when few enough old-style > machines are left. > > Let's face it - the number of systems that have gotten compromised via > SMBRelay attacks is *far* smaller than the number of boxes pwned just > because they have IE installed and a user at the keyboard. The number of > systems pwned via SMBRelay is *also* a lot smaller than the number of > boxes that would have broken if Microsoft had "fixed" things the way Russ > apparently wanted them to. > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ > -- http://www.goldwatches.com/ http://www.jewelerslounge.com/luxury-watch-safe
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
