Win2k Security holes found
According to a story posted by ZDNN, two security holes have been found on Windows 2000, and that's even before the official release of Windows 2000! Administrators who rush to incorporate the patch from MS beware - according to one of the talkback posts on ZDNN, the patch creates a new problem with Windows 2000 news server service.
Of course, had this been a development Linux kernel, everyone would rush to the defense with screams of "It's not ready for primetime, developers only!", etc. I don't care so much when people reply with remarks such as those made in the story, but I prefer to have unbiased story posters.
------------------
I could go on like other posters and just bash Microsoft for the "inferior" product, but I think that tone is starting to get lame.
But I want to mention something about Microsoft that really irks me and should irk their customers too. And that is the following statement:
"Of course, from a security perspective, you shouldn't offer any services you don't use," Culp said. "We want to make sure our customers are educated about this, and that they are aware of which services they have active and how to disable what they don't need. We've also given Windows 2000 tighter defaults and made it much easier to configure
I'm sorry, but I don't buy their statement about having tighter defaults. Almost all problems with Windows have been because of defaults. It seems to me that they should default everything off, and let the user have to go and turn on what they need.
Of course, I don't like the way Red Hat does this either. I had to spend a few hours trying to figure out what Red Hat had on by default. I forgot to turn off the "finger" utility until I noticed in my logs that someone was using it on my firewall. Now I do my security like I do my installs: Customize, turn everything off, then when I find something I need, I install/turn on that service.
Steven Rostedt
-- Nevermind
Customer: "My security has been breeched!"
Consultant: "Well, it might appear to be a problem, but it's not really since Linux is never considered to have a stable release."
Customer: "What???"
Consultant: "No! No! You're not looking at it the right way. Linux is in perpetual beta, so it's not really a problem you're experiencing, it's just feedback in the beta cycle!"
--
Well, if coding for Win2k is anything like coding for Win98, it'll be more along the lines of:
*pop*
*whack*
*pop*
*pop*
*whack*
*pop*
*pop*
*pop*
*pop**whack*
*pop**pop**pop**pop**pop**pop**pop**pop**pop*
*install linux*
I'm aware of the criticisms of your observations elsewhere in this thread. However, I will grant you (and Microsoft) one important thing: there is no longer a
2.b) security hole ignored after reported, until the media hears about it
2.c) security hole denied for 3-6 months after it is common enough knowledge for the media to know about it.
In those regards, Microsoft has (apparently) come a long way in the last 9 months or so. I presume, without evidence, that it's because of the extremely bad rap the press was giving them over it, especially since the press (and influential sites like /.) could so easily point to OSS products being fixed in days rather than months.[1] Let's hope MS is truly reformed on this issue, regardless of what pressures brought it about.
[1] Yes, I'm aware of the recent article that compared various companies and found that MS only takes about 50% longer (IIRC) to deliver a patch than (say) Red Hat does. However, that article seems to be based on recent data, i.e. the post-reformation MS. Things were different not long ago. I remember seeing an article in the tech media last summer, titled "Same Hole, New Exploit". The author said in the first paragraph that the hole had been publicized over a year earlier, but no patch was yet available because MS was in denial mode.
--
It's October 6th. Where's W2K? Over the horizon again, eh?
Sheesh, evil *and* a jerk. -- Jade
There was a CNET article here.
Not a direct MS quote though, just the CNet reporter paraphrasing Brian Valentine, senior vice president of the Windows Division. Saying that "the first version of the operating system will not need service packs or bug fixes like other software releases". Probably a case of sloppy journalism.
Q.
I think I've figured it out. All the analysts have been advising people for years to hold off buying W2k at least until the first service pack is released. So MS is going to release their first service pack right along with W2k, just so nobody will have an excuse not to buy.
:)
Makes sense to me
--
For every post, there is an equal and opposite re-post.
640 thousand service packs should be enough for everybody!
--
Bill Gates
_________________________
The size of Win2K is not a mitigating circumstance ("Let's give MS a break since this job is so big"), it's an aggravating circumstance ("What the hell were they thinking?!")
It is an undisputed fact that the increase in your bug count climbs far faster than the increase in your LOC count. Sometimes far faster, depending upon how "tightly integrated" you want to make the system. It's a simple matter of combinatorial explosion - 2N objects can interact in (2N)! - N! more ways than N objects can interact.
That's why everyone on the planet... with one notable exception... has tried to maintain firm barricades between subsystems. At first glance it isn't as "user friendly," but many of us feel that nothing is more user-hostile than programs ridden by an interminable series of bugs and general flakiness.
Many critics have publicly stated they doubt that Win2K will *ever* be stable. The sheer size of the code base means it's impossible for any one person to really understand what's going on, and that means it will be extremely difficult to avoid breaking Peter to fix Paul. That's why the reports that one of the two bug fixes introduced a third bug are so disturbing - this is exactly what you would expect to see from software that is simply too large to maintain.
It's still early in the game, but it looks like the critics won the first round. The real test in the next few months isn't the total number of bugs announced, it's the percentage of bug fixes which break something else. NT4 was notorious for requiring service packs to fix prior service packs, and there's now evidence (however thin) that Win2K will be far worse.
For every complex problem there is an answer that is clear, simple, and wrong. -- H L Mencken
First things first. The reason that this is embarrassing for Microsoft is that they've been touting Win2K from the hilltops as being the "Most secure Microsoft offering ever...". So a security hole before the retail date _has_ to hurt!
:-) Just thought I'd throw it in...
On a broader note, I see a lot of messages saying that it is the fault of distributions etc. that people get bitten by security holes. I disagree. If you have an active system administrator, it's his job to keep up to speed on these things. It's his job to know that he shouldn't run finger and wu-ftpd if the machine is just going to be a mail server. It's his job to evaluate what is on the machine and to run regular penetration tests. Saying it's the distribution's fault is wrong. I don't blame car manufacturers because in the default setting the steering will drive me straight into a wall.... I learn to drive rather.
One of the largest problems facing the growing Internet market is the number of inexperienced sysadmins coming into the game. However, sysadmining is filled with a lot of chicken-and-egg situations. You can't get the experience of how to deal with situations without working, and you're dangerous in a work environment until you have this work experience. Tough one to solve.
And regardless of people arguing that this is supposed to be ready for "prime time" the fact is, it's not shipping and any rational IT professional will recognize that that means *BETA*.
Warning: I am a rational IT professional. Not only that, but I worked in QA for a few years (first with Sir-Tech Software, then with MCI-WorldCom).
I could talk at great length about rational versus irrational QA policies. (There should be an "Ask Slashdot" about how to properly QA a product...) But that's really not the issue here; good QA, bad QA, it all boils down to the same thing in the end.
At the end of QA, the QA Lead signs off on the project. What the QA Lead signs off on becomes the first version released to the consumer.
Period, end of discussion.
The fact that Win2K went gold means that the QA Lead signed off on it. The pre-release development cycle ended the instant the QA Lead signed off on it. Everything after the moment his/her pen left the paper is part of the maintenance cycle, not the development cycle.
In short, the exploit was found in a consumer release of Win2K. It doesn't matter if it was on the store shelves or not; when the QA Lead signed off on it, it became a final product.
Everything clear?
Maybe MS will one day learn that rushing themselves into releasing a product might cause problems. This is 2 bugs that are out before Win2k is out. And let's not forget that MS isn't open source, so if there are more bugs (guaranteed) that someone finds then there will be more exploits and the only one to rely on for bug patches will be MS themselves. Guess it's yet another push for the Linux community.
Ignore the "p2p is theft" trolls, they're just uninformed
Microsoft Win2K security holes:
:-)
*pop*
*whack*
*pop*
*whack*
*pop*
*whack*
Problem is most mole-whackers don't even know where to find the mallet, much less how to use it.
If you can't figure out how to mail me, don't.
For linux tips: http://www.linuxtipsblog.com
Draw what conclusions you like from this episode, but I'm looking at the facts of this particular case:
1) security hole found prior to ship
2) security hole reported to MS on Jan 17th
3) tested patch issued and publicized Jan 28th
That sounds pretty decent to me.
-konstant
Yes! We are all individuals! I'm not!
Why aren't the security holes in Linux (e.g. in Red Hat 6.1) reported on slashdot? Do most slashdot users use Windows instead of Linux, or is slashdot backed by the multi-billion dollar Linux companies to spread FUD??
All new software has problems. The bigger the evolutionary step, the bigger the problems. Expect more. But don't be rectal about it. No OS is immune. How long has RH 6.1 been out? Couple months? And yet there's a list of 9 or 10 security fixes (that include several remote root exploits) up on RedHat's web site.
And regardless of people arguing that this is supposed to be ready for "prime time" the fact is, it's not shipping and any rational IT professional will recognize that that means *BETA*.
There's a significant difference. One is about to be released as a "final commercial version". Linux is a perpetual beta.
I never asked for 90% of the things that Office purports to do. Am I being unreasonable to want software that doesn't tip over five times a day?
Office is the only software that Microsoft produces which caters to 10% of its target market all of the time - rather than putting in features for the 90% case.
Why?
Because it's the only product they make where everyone in their target market requires a completely different set of features - any given person will probably only use 10% of the functionality available. However, take any of it out, and they're cutting out a massive chunk of the market.
Also, with the new installer, things should be more stable - because it forces better encapsulation of the underlying code (because you can install it in nice feature-sized chunks).
As for tipping over five times a day? What the hell are you doing to that poor thing? I've never seen Office crash once, never mind five times in a single day!
Simon
Coming soon - pyrogyra
...now this is something I won't do too often.
But in the comments here you're probably going to find a zillion people saying the equivalent of "MICROSOFT IS EVIL! You won't find this in Linux/Unix/*BSD!".
And I'm here to say that MS has done a good job. It's a huge OS, people. The fact that the damn thing *runs* amazes me =) as well as the fact that it is (according to all accounts) pretty stable (as compared to typical Windows stability). Expect bugs, expect lots of bugs, because there is no way that you can test such a behemoth properly. I myself will not install it until perhaps Service Pack 3+ has come out, because it's prudent.
Of course, Linux, *BSD, etc, all have bugs, it's just that they're fixed sooner and I think we all have more tolerance for bugs found on free systems. And we all have unreasonably high expectations of MS, because they're a bunch of corporate bastards (look at their history!) and because most of us probably support alternate OSes.
Of course, the thing that *really* worries me about this article is the fact that one of the bugs was apparently known for weeks before MS even admitted it existed; now that kind of thing is sloppy, and they deserve whatever criticism they get for it.
I just went to the Microsoft update site from my Win2K box (legal, off of the Select CDs) and only found a couple of multimedia type apps. No critical updates, no general updates, nothing. Now since they are probably going to do this the same way that they did 98 (making it a royal pain to get updates without the web site) this could be very annoying on servers. "What do you mean I have to launch IE5 on all of my servers independently to get SP78?" Can't wait 'till we're told to roll this out all over the company :)
Les Weinmunson
Although Slashdot likes to say that there are security hazards with Windows, it's really an exaggeration.
I read an article about Unix permissions helping stop viruses, but with Windows we have something far more powerful.
Microsoft format is graphical where Linux does not have a graphical user interface [GUI]. This makes hacking a W2k more secure because things are not stored in plain text. Instead Microsoft stores things in fancy graphical text. This makes it harder for hackers to read.
Linux should really work on making a [GUI], then they will be ready for "prime time." They will even be able to have advertisements on TV if they had a GUI. Also Linux would be able to handle "real time" applications. And do many other marvelous things like "enterprise readiness" and "intuitive network applications" and "erp" that Windows does.
Just my 2 shillings.
If there is any non-bias at /. then this post will not be moderated away. No flamebait or trolling, just wanna clear a couple of points up ALL using the provided story URL.
#1: The patch, released by Microsoft on Wednesday, repairs two different security bugs in Microsoft Index Server, the more egregious of which allows hackers to view files stored on a target Web server. Index Server is an add-on to Windows NT 4.0 and is built into Windows 2000 (in the form of Indexing Services).
As you can clearly see, these bugs affect an *add-on* product present in NT4 which became built-in to Windows 2000. This is not a W2K only bug, which is how /. wants users to perceive it. That's not accurate or fair.
#2) The bug was discovered AFTER W2K went gold. They have released a patch for NT4 and W2K both that works right now for both. So, before W2K is released there is a fix. I don't know about you, but as soon as I finish installing Windows I rush to Windows Update to bring me up to date fully (CDs get old fast). ANYONE installing W2K would/should run Windows Update and will be covered.
#3) You have to know the names of the files on the remote system before they can be viewed if the exploit existed. That's not exactly getting root here, ya know?! Let's not overinflate the damage potential.
#4) The exploit itself was reported to MS promptly and fixed quick. The exploit is on the finder's website and includes how to prevent the exploit from working. #1) you left the IISAMPLES directory in place - stupid admin trick #323, delete or rename them before making the machine public, and #2) you just disassociate .htw files until the patch can be applied.
Why don't we get a weekly update on Linux exploits and only biased pieces about MS problems?
This isn't a development kernel or a "release candidate" system, it's the official Win2K software that will hit the stores in a few weeks. OEMs got it early so they can get their systems ready for "first-day" sales of systems preloaded with the software. Even if MS had sat on the software until the 17th, these holes would have been discovered within days.
Meanwhile, you grossly misstate the maturity of our community. The 2.2.0 kernel had a significant bug in it, and everyone laughed because we remembered the long fights between those who insisted the 2.2.0.pre-X kernel was ready and those who wanted just a bit more testing. Linus had to make a choice, and he jumped just a hair too soon. C'est la vie!
However, as I recall Linus never made a big deal out of how Linux 2.2.0 was going to finally start taking security seriously. In contrast, I've seen a lot of press recently about how MS is finally taking security seriously. That makes the discovery of *two* security bugs so quickly quite amusing.
For every complex problem there is an answer that is clear, simple, and wrong. -- H L Mencken
The point is that this is a security hole - in an operating system that was promised to be secure. Further exacerbating the problem is that this software Is Not Beta. It is a GM release, and there is supposed to be a world of difference between a beta and a GM product.
Were this software a real beta, then it wouldn't require a downloadable patch when it finally hits store shelves. Win2k will - unless, of course, Microsoft is planning to destroy all existing shrinkwrap copies before they hit the shelves and issue a brand new GM, one which incorporates the patch. Instead, anyone who purchases Win2k will have to go download an upgrade.
There's a huge difference between beta and GM, and that difference is called "proper testing". Learn it. Live by it. Unless, of course, you make a practice of considering improperly tested, thoroughly buggy software to be of release quality. In which case, I wish you all the luck in the world. You're going to need it.
Chris Tembreull
Web Developer, NEC Systems, Inc.
My opinions are my own, and nobody else's.
"My karma just ran over your dogma."
Note that not every Microsoft security vulnerability out there is listed, either. Do a search on vulnerabilities by vendor for Microsoft at Security Focus, which is at http://www.securityfocus.com to see all 235 vulnerabilities listed, most of which Slashdot missed.
Good resources for Linux security news, specifically, are Linux Weekly News at http://lwn.net/ and its continually updated Daily Edition at http://lwn.net/daily/ . For additional resources you can visit Linux.Com's security section at http://www.linux.com/security
Oh, wait, I'm sorry. There are Microsoft people on the BugTraq/CERT lists. Well, then how could they not know about the holes? ...
[ fade to a daughter sitting in her father's lap while he reads a story to her: ]
"Cause there's 40 different shades of black, so many fortresses and ways to attack, so why you complainin'?"