<!--QuoteBegin-MonsieurEvil+Feb 14 2004, 04:19 AM--></div><table border='0' align='center' width='95%' cellpadding='3' cellspacing='1'><tr><td><b>QUOTE</b> (MonsieurEvil @ Feb 14 2004, 04:19 AM)</td></tr><tr><td id='QUOTE'><!--QuoteEBegin--> <!--QuoteBegin--></div><table border='0' align='center' width='95%' cellpadding='3' cellspacing='1'><tr><td><b>QUOTE</b> </td></tr><tr><td id='QUOTE'><!--QuoteEBegin-->Secondly, Windows does have a pile of security flaws, as shown by Microsoft's continuing list of patches and updates that I download on a nigh weekly basis<!--QuoteEnd--></td></tr></table><div class='postcolor'><!--QuoteEEnd--> So do all OS's, which you are not using and thusly are ignorant of. All OS's have tons of patches, and all download on a weekly basis. ALL. <!--QuoteEnd--> </td></tr></table><div class='postcolor'> <!--QuoteEEnd--> All of 'em?
Oh dear. I suppose I better get round to downloading the latest patches for my Atari ST. I'm not aware of any out-of-the-box remote exploits, but that might be more to do with it not being able to do TCP/IP (or any kind of networking) without additional software... <!--emo&;)--><img src='http://www.unknownworlds.com/forums/html//emoticons/wink.gif' border='0' style='vertical-align:middle' alt='wink.gif' /><!--endemo-->
<!--QuoteBegin-Hand Me The Gun And Ask Me Again+Feb 14 2004, 12:16 PM--></div><table border='0' align='center' width='95%' cellpadding='3' cellspacing='1'><tr><td><b>QUOTE</b> (Hand Me The Gun And Ask Me Again @ Feb 14 2004, 12:16 PM)</td></tr><tr><td id='QUOTE'><!--QuoteEBegin--> All of 'em?
Oh dear. I suppose I better get round to downloading the latest patches for my Atari ST. I'm not aware of any out-of-the-box remote exploits, but that might be more to do with it not being able to do TCP/IP (or any kind of networking) without additional software... <!--emo&;)--><img src='http://www.unknownworlds.com/forums/html//emoticons/wink.gif' border='0' style='vertical-align:middle' alt='wink.gif' /><!--endemo--> <!--QuoteEnd--> </td></tr></table><div class='postcolor'> <!--QuoteEEnd--> Point taken - how about 'all supported OS's'? <!--emo&:)--><img src='http://www.unknownworlds.com/forums/html//emoticons/smile.gif' border='0' style='vertical-align:middle' alt='smile.gif' /><!--endemo-->
/me goes back to writing an IPX stack for his TRS-80 Model III. <!--emo&::nerdy::--><img src='http://www.unknownworlds.com/forums/html//emoticons/nerd.gif' border='0' style='vertical-align:middle' alt='nerd.gif' /><!--endemo-->
moultano. Creator of ns_shiva. Join Date: 2002-12-14. Member: 10806. Members, NS1 Playtester, Contributor, Constellation, NS2 Playtester, Squad Five Blue, Reinforced - Shadow, WC 2013 - Gold, NS2 Community Developer, Pistachionauts
edited February 2004
<!--QuoteBegin-MonsieurEvil+Feb 13 2004, 11:19 PM--></div><table border='0' align='center' width='95%' cellpadding='3' cellspacing='1'><tr><td><b>QUOTE</b> (MonsieurEvil @ Feb 13 2004, 11:19 PM)</td></tr><tr><td id='QUOTE'><!--QuoteEBegin--> Go back and read what I said here first though: Linux constantly says that to be secure, you must reveal your source. They say that MS is less secure because the source is closed. Hence, if the 2000 source were to be released and all the holes seen, it would thusly become more secure, according to the linux devout. Either way you slice it, the linux guys have nothing to add here without defeating the entire purpose of the open source movement. <!--QuoteEnd--></td></tr></table><div class='postcolor'><!--QuoteEEnd--> That's not a very good argument. No one can download the leaked source without breaking the law, so the only people who will be reading the source are those who are willing to break the law. That's going to translate better into new worms than new security fixes.
I don't know how you can seriously contend that having leaked source is functionally the same as having open source. Now if they had actually opened the 2000 source to the public, I'm completely certain the code would be improved.
moultano
<!--QuoteBegin-othell+Feb 15 2004, 01:48 AM--></div><table border='0' align='center' width='95%' cellpadding='3' cellspacing='1'><tr><td><b>QUOTE</b> (othell @ Feb 15 2004, 01:48 AM)</td></tr><tr><td id='QUOTE'><!--QuoteEBegin--> You also imply that everyone that downloads linux is good and has no desire to cause harm to systems with it installed. Do you honestly believe that? <!--QuoteEnd--> </td></tr></table><div class='postcolor'> <!--QuoteEEnd--> Where on earth did I imply that?
<!--QuoteBegin-moultano+Feb 15 2004, 12:28 AM--></div><table border='0' align='center' width='95%' cellpadding='3' cellspacing='1'><tr><td><b>QUOTE</b> (moultano @ Feb 15 2004, 12:28 AM)</td></tr><tr><td id='QUOTE'><!--QuoteEBegin--> I don't know how you can seriously contend that having leaked source is functionally the same as having open source. Now if they had actually opened the 2000 source to the public, I'm completely certain the code would be improved. <!--QuoteEnd--> </td></tr></table><div class='postcolor'> <!--QuoteEEnd--> I don't know how you can seriously contend that it's not, based on the OSS movement doctrine. Nor have you yet tried to. Yet somehow the source will be improved if it was on purpose. Ehhhh, wha?
I think he means that the people of the OSS movement cannot help MS without fear of being legally pwned. On the other hand, there's no copyright that's going to stop you from working on Linux. This means that MS's copyrights will stop the 'good' coders from reading their code and fixing 'em, while the 'crackers' will take full advantage of the leaked portions to wreak havoc. Linux has its source open for both parties to poke around in.
So you honestly think that if someone looks at the windows source code then posts a vulnerability alert on Bugtraq, MS will have them arrested and ignore the bug? Not to mention that the code in question is dated from 1998, and about as likely to have remained static as my hairline. <!--emo&:p--><img src='http://www.unknownworlds.com/forums/html//emoticons/tounge.gif' border='0' style='vertical-align:middle' alt='tounge.gif' /><!--endemo--> Can you imagine looking for bugs in 6 year old code that has been through 4 service packs and about 60 hotfixes, and how close it is to the current?
On a related topic, I have this bridge for sale in Brooklyn, a real deal!
<!--QuoteBegin--></div><table border='0' align='center' width='95%' cellpadding='3' cellspacing='1'><tr><td><b>QUOTE</b> </td></tr><tr><td id='QUOTE'><!--QuoteEBegin-->So you honestly think that if someone looks at the windows source code then posts a vulnerability alert on Bugtraq, MS will have them arrested and ignore the bug?<!--QuoteEnd--></td></tr></table><div class='postcolor'><!--QuoteEEnd-->
Well, probably not the latter but I wouldn't put the former past them. Especially since they usually make such a big deal about it when people post the vulnerability online before giving them a head start.
<!--QuoteBegin-SkulkBait+Feb 15 2004, 07:15 PM--></div><table border='0' align='center' width='95%' cellpadding='3' cellspacing='1'><tr><td><b>QUOTE</b> (SkulkBait @ Feb 15 2004, 07:15 PM)</td></tr><tr><td id='QUOTE'><!--QuoteEBegin--> Especially since they usually make such a big deal about it when people post the vulnerability online before giving them a head start. <!--QuoteEnd--> </td></tr></table><div class='postcolor'> <!--QuoteEEnd--> I would make a big deal out of it also.
I read in Saturday's Independent (UK broadsheet) that MS are looking for a mole who leaked 650 megs of NT/2000 source out of 40 gig total in source form. McAfee said it wasn't gonna have a major effect as people are able to produce viruses and hack anyway, but it was more of an embarrassment about their security. It also said that hackers mostly look at the patches and work backwards to see what hole is being fixed.
Yeah, I haven't yet read about the 6 year ago thing that MonsE said, but the 650mb out of 40 gigs...that's just pitiful <!--emo&:p--><img src='http://www.unknownworlds.com/forums/html//emoticons/tounge.gif' border='0' style='vertical-align:middle' alt='tounge.gif' /><!--endemo-->
<!--QuoteBegin-othell+Feb 15 2004, 09:38 PM--></div><table border='0' align='center' width='95%' cellpadding='3' cellspacing='1'><tr><td><b>QUOTE</b> (othell @ Feb 15 2004, 09:38 PM)</td></tr><tr><td id='QUOTE'><!--QuoteEBegin--> <!--QuoteBegin-SkulkBait+Feb 15 2004, 07:15 PM--></div><table border='0' align='center' width='95%' cellpadding='3' cellspacing='1'><tr><td><b>QUOTE</b> (SkulkBait @ Feb 15 2004, 07:15 PM)</td></tr><tr><td id='QUOTE'><!--QuoteEBegin--> Especially since they usually make such a big deal about it when people post the vulnerability online before giving them a head start. <!--QuoteEnd--></td></tr></table><div class='postcolor'><!--QuoteEEnd--> I would make a big deal out of it also. <!--QuoteEnd--> </td></tr></table><div class='postcolor'> <!--QuoteEEnd--> That's the point though really. If suddenly there was a post on bugtraq that described a vulnerability, and its cure (with relevant snippets of code... hell, maybe just a filename and line number). Would you trust microsoft not to sue him? I mean, they already hate it when people do that kind of thing, and this guy obviously has access to the source, and they're a corporation, and a fairly litigious one at that...
moultano
<!--QuoteBegin-MonsieurEvil+Feb 15 2004, 02:37 PM--></div><table border='0' align='center' width='95%' cellpadding='3' cellspacing='1'><tr><td><b>QUOTE</b> (MonsieurEvil @ Feb 15 2004, 02:37 PM)</td></tr><tr><td id='QUOTE'><!--QuoteEBegin--> So you honestly think that if someone looks at the windows source code then posts a vulnerability alert on Bugtraq, MS will have them arrested and ignore the bug? <!--QuoteEnd--> </td></tr></table><div class='postcolor'> <!--QuoteEEnd--> They probably wouldn't, but no one is going to take the chance. If you found one would you post it? I probably wouldn't. It's just not worth the risk. (of course I'm also not going to get within a mile of the code period so it's a moot point).
<!--QuoteBegin-SkulkBait+Feb 15 2004, 11:40 PM--></div><table border='0' align='center' width='95%' cellpadding='3' cellspacing='1'><tr><td><b>QUOTE</b> (SkulkBait @ Feb 15 2004, 11:40 PM)</td></tr><tr><td id='QUOTE'><!--QuoteEBegin--> That's the point though really. If suddenly there was a post on bugtraq that described a vulnerability, and its cure (with relevant snippets of code... hell, maybe just a filename and line number). Would you trust microsoft not to sue him? I mean, they already hate it when people do that kind of thing, and this guy obviously has access to the source, and they're a corporation, and a fairly litigious one at that... <!--QuoteEnd--> </td></tr></table><div class='postcolor'> <!--QuoteEEnd--> What gives that individual the right to post the actual code? What gives that individual the right to say how to take advantage of the exploit? What gives that individual the right to even look at the code?
Now, assuming this individual does have the source, and has found an exploit... He should contact MS and only MS. He should not release any information about the exploit to the public.
Should MS sue someone that posts an exploit, with the actual code ( or at least a reference to it ), and how to take advantage of it? Yes. Absolutely.
Just because there is some source now available does not make it any less MS's or any more part of the public domain.
<!--QuoteBegin-moultano+Feb 16 2004, 02:05 AM--></div><table border='0' align='center' width='95%' cellpadding='3' cellspacing='1'><tr><td><b>QUOTE</b> (moultano @ Feb 16 2004, 02:05 AM)</td></tr><tr><td id='QUOTE'><!--QuoteEBegin--> <!--QuoteBegin-MonsieurEvil+Feb 15 2004, 02:37 PM--></div><table border='0' align='center' width='95%' cellpadding='3' cellspacing='1'><tr><td><b>QUOTE</b> (MonsieurEvil @ Feb 15 2004, 02:37 PM)</td></tr><tr><td id='QUOTE'><!--QuoteEBegin--> So you honestly think that if someone looks at the windows source code then posts a vulnerability alert on Bugtraq, MS will have them arrested and ignore the bug? <!--QuoteEnd--></td></tr></table><div class='postcolor'><!--QuoteEEnd--> They probably wouldn't, but no one is going to take the chance. If you found one would you post it? I probably wouldn't. It's just not worth the risk. (of course I'm also not going to get within a mile of the code period so it's a moot point). <!--QuoteEnd--></td></tr></table><div class='postcolor'><!--QuoteEEnd--> You and skulk are talking about two different things - if someone posted a bug to securityfocus, bugtraq, or @stake, based on errors found in the source code, I'm sure they would not be prosecuted - why would MS open themselves willingly to the PR nightmare if they went after them, not to mention that they have encouraged such bug postings previously at great length.
Now, if someone posted an exploit, sample code of how to use it to attack networks, and did it on a non-industry standard bug website than those I listed, people would probably go after them. But if they did that *without* access to the source code (as people do all the time right now), they'd be gone after too. It's all about intent. Your theories do not bear out in practical experience.
moultano
<!--QuoteBegin-MonsieurEvil+Feb 16 2004, 08:31 AM--></div><table border='0' align='center' width='95%' cellpadding='3' cellspacing='1'><tr><td><b>QUOTE</b> (MonsieurEvil @ Feb 16 2004, 08:31 AM)</td></tr><tr><td id='QUOTE'><!--QuoteEBegin--> I'm sure they would not be prosecuted - why would MS open themselves willingly to the PR nightmare if they went after them, not to mention that they have encouraged such bug postings previously at great length. <!--QuoteEnd--> </td></tr></table><div class='postcolor'> <!--QuoteEEnd--> I certainly wouldn't stake my financial future on it. I never want to be in a situation in which microsoft has the legal justification to sue me into oblivion.
Regardless of what microsoft would actually realistically do, there are a lot of people who think like me and skulkbait. There are going to be a lot more people looking through this for things to exploit than people looking through this with the intent of fixing it, which is the opposite of the situation when something is actually released as open source.
I will be very surprised if you're right - and odds are, we will find out in the next couple months. I know it's popular on the intarweb to think of MS as morons, but they are certainly not. They don't own the OS, database, groupware, desktop productivity, and database markets because they are dumb - ruthless and adaptive (maybe even borglike), but not dumb. <!--emo&:)--><img src='http://www.unknownworlds.com/forums/html//emoticons/smile.gif' border='0' style='vertical-align:middle' alt='smile.gif' /><!--endemo-->
<!--QuoteBegin-MonsieurEvil+Feb 16 2004, 01:31 PM--></div><table border='0' align='center' width='95%' cellpadding='3' cellspacing='1'><tr><td><b>QUOTE</b> (MonsieurEvil @ Feb 16 2004, 01:31 PM)</td></tr><tr><td id='QUOTE'><!--QuoteEBegin-->Now, if someone posted an exploit, sample code of how to use it to attack networks, and did it on a non-industry standard bug website than those I listed, people would probably go after them. But if they did that *without* access to the source code (as people do all the time right now), they'd be gone after too. It's all about intent. Your theories do not bear out in practical experience.<!--QuoteEnd--></td></tr></table><div class='postcolor'><!--QuoteEEnd--> <a href='http://www.securitytracker.com/alerts/2004/Feb/1009067.html' target='_blank'>Like this?</a>
If you're using Internet Explorer 5, it's a biggie. Stupidly big. Browser-views-a-picture-and-computer-executes-arbitrary-code big. All done thanks to the Windows source code being available.
Very interesting - now we can see if Moultano and Skulkbait are right - if they are, this guy will be headline news on Slashdot when he's sued or arrested, right? Let's put down $5 right now on whether they offer a retraction when it doesn't happen - I'll stake the same, of course. <!--emo&;)--><img src='http://www.unknownworlds.com/forums/html//emoticons/wink.gif' border='0' style='vertical-align:middle' alt='wink.gif' /><!--endemo-->
As for the app, since MS considers IE6 to be a critical update and that IE5 is no longer a fully-supported product, I guess they can tap dance around it. Not that I agree.
Asraniel. Join Date: 2002-06-03. Member: 724. Members, Playtest Lead, Forum Moderators, NS2 Playtester, Squad Five Blue, Reinforced - Shadow, WC 2013 - Shadow, Subnautica Playtester, Retired Community Developer
The exploit also works on the newest OE.... just to inform you... HIGH probability of a NASTY virus.. only previewing the email is enough to infect you
What is actually in the leaked code. Don't worry, only thing there that's from the actual code are the comments...quite humorous ones at that <!--emo&:)--><img src='http://www.unknownworlds.com/forums/html//emoticons/smile.gif' border='0' style='vertical-align:middle' alt='smile.gif' /><!--endemo-->
What is actually in the leaked code. Don't worry, only thing there that's from the actual code are the comments...quite humorous ones at that <!--emo&:)--><img src='http://www.unknownworlds.com/forums/html//emoticons/smile.gif' border='0' style='vertical-align:middle' alt='smile.gif' /><!--endemo--> <!--QuoteEnd--> </td></tr></table><div class='postcolor'> <!--QuoteEEnd--> Damn you, I was going to post that...
<!--QuoteBegin--></div><table border='0' align='center' width='95%' cellpadding='3' cellspacing='1'><tr><td><b>QUOTE</b> </td></tr><tr><td id='QUOTE'><!--QuoteEBegin--> What gives that individual the right to post the actual code? What gives that individual the right to say how to take advantage of the exploit? What gives that individual the right to even look at the code?<!--QuoteEnd--></td></tr></table><div class='postcolor'><!--QuoteEEnd-->
This is all entirely beside the point. I was merely trying to point out why this code leak is not analogous to open source.
<!--QuoteBegin--></div><table border='0' align='center' width='95%' cellpadding='3' cellspacing='1'><tr><td><b>QUOTE</b> </td></tr><tr><td id='QUOTE'><!--QuoteEBegin-->Now, assuming this individual does have the source, and has found an exploit... He should contact MS and only MS. He should not release any information about the exploit to the public.<!--QuoteEnd--></td></tr></table><div class='postcolor'><!--QuoteEEnd-->
Why should he do that? MS might take a long time to fix, meanwhile people should know about it so they don't get screwed.
A very very interesting read - excellent link. The best part is:
<!--QuoteBegin--></div><table border='0' align='center' width='95%' cellpadding='3' cellspacing='1'><tr><td><b>QUOTE</b> </td></tr><tr><td id='QUOTE'><!--QuoteEBegin-->Conclusions The security risks from this code appear to be low. Microsoft do appear to be checking for buffer overruns in the obvious places. The amount of networking code here is small enough for Microsoft to easily check for any vulnerabilities that might be revealed: it's the big applications that pose more of a risk. This code is also nearly four years old: any obvious problems should be patched by now. Microsoft's fears that this code will be pirated by its competitors also seem largely unfounded. With application code this would be a risk, but it's hard to see Microsoft's operating system competitors taking advantage of it. Neither Apple nor Linux are in a much of position to steal code and get away with it, even if it was useful to them.
In short, there is nothing really surprising in this leak. Microsoft does not steal open-source code. Their older code is flaky, their modern code excellent. Their programmers are skilled and enthusiastic. Problems are generally due to a trade-off of current quality against vast hardware, software and backward compatibility. <!--QuoteEnd--></td></tr></table><div class='postcolor'><!--QuoteEEnd-->
Comments
What the hell? Lmao!!!
Well that's the last time I listen to Linux users. Sorry for not reading the material posted earlier. I'll be on my way.
I should have quoted it. It would be the same if I would say all Windows users are liars
The US military.
USS Yorktown anyone?
Watch out for the hackers man...
Better double-check those avatars, right?
I hope we won't see one