The Inquirer-Home
Comments
@mike

You know Mike I would love to rant on about some of the really un-educated/experienced remarks you have made but I'm tired of this and screw this it's Friday, I want a day off dag nabbit.

This flaw is being exploited as we speak... also the main reason why Windows is in the title because Microsoft seems to be the only one left that hasn't patched this flaw. Everyone else has this patched as early as late October and almost everyone well of course except Microsoft had their systems patched up by December.

Hence almost 3 months later Microsoft has finally got around to patching their stuff.

Unless you really understand computer security I would not comment on it. FYI I have worked for the Canadian CERT so I kinda am in the know and have read about this SSL/TLS flaw... it is being exploited and has been for a while. No vendor of any product will ever say "Yes there are people exploiting it all the time" and for the things that a vendor will admit is because it is blatantly obvious that people will exploit it. SSL/TLS is a much harder thing to prove than for example MS's most recent MS Office patch where MS stated that PowerPoint has a high probability of being exploited.

As for the comments on Mac well I do have to agree they often are the biggest generators of id10t errors. When it comes to Linux you're right about the config part but you forget that in Linux the security mechanism used is more of what protects them. Linux uses a white list approach (everything is disabled unless otherwise specified) unlike Mac and Windows, also with Linux the default out-of-the-box config is generally very secure and iptables is enabled by default on most distros these days. You're also right about why computer security exists but even in the comsec domain there are still many that have lots to learn about vectors of infiltration.

PS: MAC all in caps to me means Media Access Control address and not Apple's Mac OS. For future comments please just use Mac instead it shows you know a little more of what you're talking about. Often people will disregard you without even reading what you have to say.

posted by : db, 12 February 2010
Only one today?

If it's only one flaw today, it's a good day at Microsucks.

Thanks, Bill.

posted by : Bill Gates, 12 February 2010
Hackers Love Macs

I figured I would throw this out there because it's just funny to me and it makes sense when you take a step back, drop your arrogance and think about it.

MACs are becoming the biggest target of hackers because MAC users don't think they need security software and don't pay attention to security because the majority don't believe they need it. They parade them around coffee shops and brag about them like a Mercedes parked in the driveway putting a bullseye on themselves. Ask any MAC user how do you check to see if your computer has been hacked? They don't know and they tell you they can't be.

As one hacker put it they specifically look for MACs because it's like they left the keys in the door of their home and no one is questioning you walking in and looking around. They don't even know you were there because they aren't looking for you. It's a hacker's paradise and it gets better as more people buy them and share the same mentality. Apple is a great company for this because they hide their flaws. How about exploding iPods, yellow screens, laptop hard drive problem, Nvidia bump gate. Apple buries the truth about problems. Macs aren't everywhere but there is enough of them and they are easy to find especially when the owners parade them around.

With a PC because of the paranoia security is everywhere. Spyware, Malware, viruses, port blockers etc. They are the biggest target but most people are running something to keep you out and if anything unusual is found it's removed quickly. The users get warnings when something is unusual or out of place or even when something like a worm/bot is hitting their machine even though it's done no damage. Many AV products do this so you buy their product the following year. Hey that software protected me. I know it's working it tells me all the time. Boy my PC is under attack all the time.

Linux the people have a lot more knowledge about PCs but most of them don't have any security in place either they rely on their configuration to protect them. Similar type of arrogance to MAC because they have the ego of knowing more about their PC. Generally they don't really know how to fully secure it. This is why there are jobs called IT security in companies because not everyone is a security expert. Because you use Linux doesn't mean you're a security expert it probably means you know more about technology.

Take that info whatever way you want if you still think your MAC is secure please parade it around your local coffee shop.

posted by : Mike, 11 February 2010
Microsoft will fix fast

As someone who has seen this plenty of times on every OS and still never had their Windows based PC exploited by any of these warnings. I'm OK with it and trust Microsoft to address the issue way before there are any problems.

Seriously don't know what you people complain about. There is nothing in the wild to expose it but you run around like your heads were just cut off as if you were compromised and all your personal info is now on the web for everyone to see. Same people do this every time. The sky is falling the sky is falling with the same moronic banter every time. I bet a few of you switched to MAC but never had an infection on your Windows Machine to cause you to switch you just heard Windows machines weren't secure and scared yourself over to another OS.

Stop complaining about Windows and get a MAC. Let's see how long you last before you install Windows 7 on it. Please explore the grass of the other side.

posted by : Mike, 11 February 2010
So what it really means is

there was a flaw in SSL and SANS. Everyone else fixed it.
It was a protocol flaw but for the last 6 months it was indeed a Windows security flaw.
Nothing to do with MS having 90% market share, just their 90% arrogance and incompetence share.

posted by : Tom, 11 February 2010
Fixed in OpenSSL?

According to SANS comments this was known about 6 months ago and has been fixed already in OpenSSL. I've not had time to dig but I certainly remember a patch for OpenSUSE for OpenSSL.

posted by : Keith, 11 February 2010
Yes it is an apt title

Remind us again as you always do about the Windows market share. Go ahead and tell us that it is 90%.

So indeed it means that 90% of the machines affected by this flaw are Windows.

posted by : Fran, 11 February 2010
Yup

Yes indeed it becomes a flaw at the precise moment that the new specification was ratified.

And the race is on to see who pushes the fix patch. My bet is on Microsoft to come in last place. It's a safe bet.

posted by : Fran, 11 February 2010
The title perhaps?

To: "Dumb Ass Indeed"

Re: Where oh where

Did you glance at the title? "Windows security flaw" directly implies a security flaw exclusive to the Windows operating system.

The title wasn't "Protocol security flaw" now was it?

posted by : user, 10 February 2010
Dumb Ass Indeed

Where oh where in the article does it say that it's Microsoft's fault?

You visit this site to leave asinine remarks to entertain the rest of us.

posted by : Fran, 10 February 2010
Not only windows.

This is something that affects way more than just Windows.
----
The TLS protocol, and the SSL protocol 3.0 and possibly earlier, as used in Microsoft Internet Information Services (IIS) 7.0, mod_ssl in the Apache HTTP Server 2.2.14 and earlier, OpenSSL before 0.9.8l, GnuTLS 2.8.5 and earlier, Mozilla Network Security Services (NSS) 3.12.4 and earlier, multiple Cisco products, and other products, does not properly associate renegotiation handshakes with an existing connection, which allows man-in-the-middle attackers to insert data into HTTPS sessions, and possibly other types of sessions protected by TLS or SSL, by sending an unauthenticated request that is processed retroactively by a server in a post-renegotiation context, related to a "plaintext injection" attack, aka the "Project Mogul" issue.

posted by : jason, 10 February 2010
Windows security flaw

Oxymoron of the day?
Sorry.. last 20 years!

posted by : Tom, 10 February 2010

Another Windows security flaw is discovered
