What is it about Windows that everybody likes? (A rant)

[Skaendo]

Last I knew the turnaround time once found was quite fast (and faster than the responses for the Linux Kernel - and heaven forbid you need to wait for a new kernel version to hit your distro...) One might add Microsoft didn't have the SSL bug, and Heartbleed took what, 2-3 years to be found?

In fact:
'The discovery of "Poodle," which stands for Padding Oracle On Downloaded Legacy Encryption, prompted makers of web browsers and server software to advise users on Tuesday to disable use of the source of the security bug: an 18-year old encryption standard known as SSL 3.0.'

'Ivan Ristic, director of application security research with Qualys, said "Poodle" was not as serious as the previous threats because the attack was "quite complicated," requiring hackers to have privileged access to networks.'

'Microsoft Corp issued an advisory suggesting that customers disable SSL 3.0 on Windows for servers and PCs.'

How does this not apply to Microsoft Windows?

Source:
http://www.huffingtonpost.com/2014/10/14/google-ssl_n_5986104.html

 

[RampantAndroid]

In fact:
'The discovery of "Poodle," which stands for Padding Oracle On Downloaded Legacy Encryption, prompted makers of web browsers and server software to advise users on Tuesday to disable use of the source of the security bug: an 18-year old encryption standard known as SSL 3.0.'

'Ivan Ristic, director of application security research with Qualys, said "Poodle" was not as serious as the previous threats because the attack was "quite complicated," requiring hackers to have privileged access to networks.'

'Microsoft Corp issued an advisory suggesting that customers disable SSL 3.0 on Windows for servers and PCs.'

How does this not apply to Microsoft Windows?

Source:
http://www.huffingtonpost.com/2014/10/14/google-ssl_n_5986104.html

It's a bug in the actual spec for SSL3/RC4 (well, an issue with an ancient cipher dating back to 1987), not a bug in Microsoft's implementation. Point in fact, Microsoft advised system admins to stop using RC4 a year ago. Additionally, MS has been supporting TLS for a while now, and has been working to kill SHA1 off.

I suggest you not get tech news from huffpo.

 

[Skaendo]

https://technet.microsoft.com/library/security/ms12-006

Microsoft knew about this in January 2010.

*https://technet.microsoft.com/en-us/library/security/3009008.aspx

 

[Cerb]

https://technet.microsoft.com/library/security/ms12-006

Microsoft knew about this in January 2010.

*https://technet.microsoft.com/en-us/library/security/3009008.aspx

Even better: setting FF to disallow < TLS 1.1 causes the connection to fail, while allowing TLS 1.0, which they recommend not doing, allows a connection to the site. So, by following the recommendations of their own KB article, I can't read the KB article .

 

[RampantAndroid]

https://technet.microsoft.com/library/security/ms12-006

Microsoft knew about this in January 2010.

*https://technet.microsoft.com/en-us/library/security/3009008.aspx

And your point is...what? That Microsoft forcibly turn off the RC4 cipher? It isn't their code, and it isn't in their hands. Heartbleed was not a vulnerability in the cipher or the spec, it was a bug in the implementation allowing memory to leak, and random chunks of memory to be returned. These aren't in any way the same type of issue. It'd be like blaming MS for rainbow tables...

 

[Skaendo]

Point is that it affects not the OS, but every OS is affected because it is a browser issue. And yes, even IE is affected, by the browser can revert back to SSLv3 if it's not disabled.
Not what you said here:

One might add Microsoft didn't have the SSL bug

In actuality MS says themselves that it affects every version of Windows.

 

[RampantAndroid]

Point is that it affects not the OS, but every OS is affected because it is a browser issue. And yes, even IE is affected, by the browser can revert back to SSLv3 if it's not disabled.
Not what you said here:

In actuality MS says themselves that it affects every version of Windows.

Then you missed the point. I was responding to your assertion that Linux (and by extension, open source code) gets fixed faster. My response was that the checkin that caused Heartbleed happened something like two years prior to the public disclosure/discover and fix of the heartbleed bug.

The comment of this not affecting MS was that their implementation of SSL did not have the same heartbeat/heartbleed bug; that's a fact. Anyone using MS' implementation of SSL was NOT at risk to be exploited by Heartbleed (and if you were tracking that back when it happened, you realized a lot of banks were thankfully NOT using OpenSSL.)

My point stands; your issue is a bug in SSL itself and is totally unrelated to my point. I even mentioned heartbleed in my post...