Slashdot Mirror
Microsoft News Update
Microsoft news of the past few days: Media Player 9 is the subject of a few articles, including one on its integrated digital restrictions and one on changes in its privacy options. Microsoft is releasing certain API's, and is releasing a service pack for Windows XP, under the requirements of its antitrust settlement with the Federal Gov't. On the downside, code to crash any modern Windows machine with NetBIOS enabled is now floating around the net, and there's been more publicity of the vulnerabilities in Microsoft IIS/SSL.
I mean come on... We've been nuking win95 machines since '96... It's time to find a new protocol!
I apparently forgot that sig != uptime...
On the downside, code to crash any modern Windows machine with NetBIOS enabled is now floating around the net
Well, one good way to help the propagation along would be to post a link to it on slashdot so thousands of script kiddies can get ahold of it... oh wait..
According to this article anyone using cracked WPA activation or certain serial numbers will not be allowed to use windows update or install SP1. This will apparently not affect the OEM copies that have been floating around for month before the windows XP release date.
By that logic, is this part of Microsoft's plan? Since Linux is seen as good by the general public for, amongst other reasons, giving away the source code, is Microsoft trying to make the (erroneous) impression that they're giving away source code as well?
All you have to do is winess the general confusion when a game maker releases some source code ("The RtCW Source Code has been released! This means the game is free!") to see that the general public still doesn't "get" this idea.
Schnapple
One article says Media Player 9 will allow the user to select how much information is set to content providers. But the other goes into detail about the new DRM featurs of MP9. One of the biggest is a 3rd party clearing house for certificate athentication and authorization.
So you get a DRM enabled media file. When you play it, Media Player has to contact this server to find out if you are allowed to play it. They can track every time you play this file.
Maybe you'll have a feature that protects your privacy, but if you don't let the player contact the clearing house, you can't play the files.
Also, I'm sure everyone saw it coming. The reason Microsoft changed their EULA is because of this new DRM crack down. They want any program that can open a DRMed file to have to be authenticated, and they want to be able to disable any program that will attempt to get around these restrictions, and they don't want to get in trouble for messing up software you have installed.
Good thing I use a free and open OS. But if this type of thing continues, all media produced will be encrypted and you'll have to contact the DRM server to view it. So it won't matter. Just wait until router manufacturers are convinced to not all their producted to transmit any packets that haven't been DRMified properly.
Well, im not sure about everyone else.. But I know us developers at the WINE project have found the new APIs (documented here) to be anything but useful..
Well, the register does say "what Microsoft has got in there is a grotesque, badly-documented pile of poo it doesn't fully understand itself." (in regards to the fact that the few new APIs microsoft released doco's on are other useless or all together wrong!.)
David.
stuff
Maybe it's not too smart, but neither is running a Windows box with SMB/CIFS enabled on the public Internet, which is what the program requires. SMB is a bit like having an open mail relay; a quick and easy solution which is fine on a private network, but try it on the Internet and you are probably going to get shafted sooner rather than later.
UNIX? They're not even circumcised! Savages!
- A new feature will enable computer manufacturers to selectively hide and display Microsoft's integrated programs displayed on the start menu of the operating system, including Microsoft's Internet Explorer Web browser, Windows Media Player and Windows Messenger programs.
Isn't this tantamount to purjury? Their claim that it would criple the system and that it couldn't be removed was obviously false, if all that was necessary to satisfy the courts was to remove the icon from the desktop. Sure, MS is allowed to spin things a bit in the media, but in the courtroom, nearly explicit lies are illegal, no?During the federal antitrust trial, Microsoft argued that such a change would cripple the Windows program.
The change will make it possible for hardware vendors to customize their systems by striking business deals to include alternative programs from companies like America Online and RealNetworks.
It will also permit computer users to reselect the hidden Microsoft programs if they choose.
However he has now topped himself by linking to a script kiddie tool to what may be an unpatched bug on a website that gets hundreds of thousands of hits a day. What the fuck? Do you see MSNBC or C|Net linking to r00tkits whenever a Linux vulnerability is released?
Roblimo as Editor-in-Chief, you are responsible for his work and quite frankly he is the worst part of the Slashdot experience (now that I've upped my threshold to 4).
Oh yeah, god knows nobody on slashdot can do a simple google search...
Are we talking about MS02-045 ? If you really MUST supply a link to the attack tool you should AT LEAST supply a link to the fix as well!
09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
From the article:
"Welcome to Windows Media Player 9 Series," the opening screen of the Privacy Options panel reads. "Microsoft is committed to protecting your personal privacy. To enhance your experience with features including album art and pay-per-view-services, data must be sent and received over the Internet and/or saved on your PC. The options below enable you to customize these privacy settings."
OK, so right from the get-go users are presented with the issue of sending information from their computer. Certainly this is an enhancement feature, if done correctly and the user really has control over what is going on. In the long run, the real power and benefit of computers and networks comes with sharing information, and as people become more comfortable with it, software that includes network features will be more powerful and more popular. For example, see the popularity of the CDDB in CD players.
However, how do you really know what sort of information your software is sending over the network? As we start to take advantage of network features, it will become impossible to rely on personal firewalls to curb outbound traffic - you want your CD player to send some ID to the CDDB so it can retrief the correct tracklisting for the CD you're playing, so you have to tell your personal firewall to allow your CD player to connect to the net. After that point, you are trusting the CD player to behave properly and not betray you.
The article acknowledges this:
"As more applications become Web-aware in order to provide services and information back to the user, consumers need to be aware of the quid pro quo that's taking place and exactly what information is being provided to the vendors," Gartenberg said. "What Microsoft appears to have done here looks like a step in the right direction, if it makes it into the final product."
So the issue boils down to trust. Do you trust Microsoft? I'm sorry, but I do not. No matter what they put in their GUI as far as options go, you can never quite be sure about what their software is sending back to them.
With open source, at the very least you're allowed to look at the code and see what your software is really doing...
http://www.microsoft.com/technet/treeview/default. asp?url=/technet/security/bulletin/MS02-045.asp
But I assume it's 'better' to let people suffer instead of helping them out, is it? You dont have to post links to security bulletins, but if you post a link to a DoS tool, why not supply the link to the patch as well, to let the reader decide if he/she wants to be vulnerable or not.
(good system administrators have already disabled TCP/IP over Netbios (disable Tcp/IP over NetBios helper service) of course and stopped the server service as well, on online systems, among other netbios related crap which is not needed on the internet (NetBios package: "whohoo a router, what's that!")
Never underestimate the relief of true separation of Religion and State.
All software is inherently flawed, I have yet to see ANY software put out by ANYONE that is bug free. Just because 90% of the computers in the world run a certain piece of software thus giving any bug more exposure that doesn't make microsoft products any worse than any other product out there.
Maybe I'm wrong about this, but I'd like to see proof if there's any *nix distrobution that is 100% bug free or has absolutely no security vulnerabilities.
Honestly, if windows is so bad, so full of bugs, why does it keep selling? Lack of alternative? I think not, according to the slashdot community, linux is a more than viable alternative. People are stupid? Well I can see a point there but if you get down to it, it hasn't been as horrible as the slashdot community makes it out to be since it keeps selling.
My main problem with microsoft is that they keep selling updates as new operating systems (Windows ME as my case in point).
I'm just tired of seeing a bunch of posts on slashdot everytime microsoft relesases a bugfix about how horrible microsoft is.
According to the Microsoft whitepaper found here, there are 11 components of XP that automatically download material from the Internet. If you've ever clicked the "always trust Microsoft" box (something unlikely here, I realize, but many have), then things like Media Player will download and install new media codecs without any notice, for example. Another thing that we're all concerned with relate to DRM: a built in feature of XP will silently download and install "revocation lists", which list programs that are not allowed to play DRM-encoded content.
You mean like the fix that was out August 22nd?
Objects in the blog are closer then they ap
From Russ at BugTraq:
Before too many more messages;
1. SMBDie = RedButton = Wow, incredibly talented programmer. This sure was a tool we needed.
2. If RestrictAnonymous is set, non-authenticated users can't use it, any authenticated user can.
3. If you're in an environment where any old computer connected to your network can use TCP139/TCP445, set up a sniffer (Network Monitor works) and watch for the source of the traffic. Then beat that person over the head with their PC. Do that either before or after you patch your systems with MS02-045. If more testing of the patch is required, beat them a little every day until your testing is complete.
4. If you're in an environment where you have TCP139/TCP445 open to the Internet, you don't need NTBugtraq, you need Dr. Phil. Buy a $50 Linksys router and put it in front of your machine and use it to block all but those few you really want open (which doesn't include those two).
5. Randy Hinders suggests that disabling NetBIOS over TCPIP works, I'm not yet 100% convinced. Either way, it should be easier to apply the patch than disabling NetBIOS over TCPIP.
The MS Security Bulletin honestly did do a great job of explaining all of this, more people should read it more carefully.
Cheers,
Russ - NTBugtraq Editor
What's this "think" you're talking about? Can you eat that?
"all you ever do with respect to MS is sneer at them and post negative shit. cunts."
Not the most elegant way of putting it, but he's got a point. If that's not bad enough, the tone of the guy posting the article is pretty much judge/jury/executioner.
I'm getting really sick and tired of reading through the articles to find out things aren't near as bad as they're made out to be. If somebody wants my attention regarding norti shenanigans that MS is pulling, try to sound more objective. I feel like I'm watching commercials for Jerry Springer.
And MS plans (apparently) to "bomb" any cracked installations of XP. (I gather some sort of cracked DLL or file monkeyed with the WPA and allowed for pseudo-activation.)
MS is still not clear about this. But I'm curious if MS finally got the hint and is now planning to keep a database of all "authentic" Windows XP keys. If this is the case, then I assume the various keygens won't work. (Or they'll work, but when it comes time to activate, you'll find that you don't actually have an "authentic" key.)
Slightly OT, but I thought I'd share my own XP activation experience. It happened last night and it bascially stumped Microsoft.
The short story goes something like this: I'm an MSDN subscriber. My MSDN subscription entitles me to Windows XP keys that will activate up to 10 pcs. So far so good.
Anyway, I go to the MSDN site, log in with my usual username and password. Generate my keys. Get my "10 activation" key for Office XP, Pro XP, Home XP.
Now, according to the license, these generated keys will activate 10 pcs for each application. (In other words, I can put WinXP Pro on my workstation at work and my workstation at home. This counts as two "activations" on two different PCs and is completely within the terms of the license. Each computer, of course, has to be for "development" purposes -- which, oddly enough, they are. My computer at home is actually a computer I use when I telecommute. And I develop on it. So, again, I'm completely within the terms of license agreement.)
Okay, so that's the background. Here's the good part: I install WinXP Pro on my home "work" workstation using the MSDN supplied key. (The copy of WinXP Pro I'm installing, BTW, is the ISO I downloaded from the MSDN site. The copy of Windows XP I'm legally entitled to according to the terms of my MSDN unverisal subscription.)
The MSDN issued key passes the first XP keycheck -- the check that appears before it actually installs. No complaints, install goes smoothly. I boot to the desktop. All's fine. Looks like it installed perfectly.
Except Windows tells me my key is no good.
But wait! It *took* the key when it asked for it, right? Yes. It took it.
I re-enter the key. (And, yes, I'm using the MSDN supplied key on the MSDN ISO -- not the volume license CD, the actual ISO downloaded from the MSDN site.)
Still says my key is no good. It then generates an installation ID -- an obscenely long number -- and tells me that I have to call the 1-888 toll-free activation center.
I call. I give my installation ID. Wait, I'm told, that's not the right installation ID. Generate another one.
I generate another installation ID. (There's a button that can do this when you install XP.)
I read it back. It's still not a valid installation ID.
The activation center guy said he never saw this happen before. Am I reading the correct ID? Did I transpose any digits?
Nope. It's all correct. Read it from right to left, he tells me. I do. Read it from left to right, he tells me. I do.
Wow, he says. I've never seen this before. You have a valid key, he tells me, but Windows is generating an *incorrect* installation ID.
I say, well, I don't care what's going on, I want this thing activated.
Pause. Sir? Can you read me the ID again?
I do. This is the sixth or seventh time I read the ID. Nope, he tells me. Still no good. He puts me on hold. I stay on hold. Sir, he tells me. I'm sorry. Sorry? We can't do anything. You what?
We've never seen this before.
You're kidding.
If you have a correct key, you should get a correct installation ID.
Yes, I say.
Can you read me your key?
I read it. Read it again. And again.
Sir?
Yes?
The key is correct.
I know the key is correct.
Can I put you on hold again?
So I sit and wait. And wait. All told, I've been "activating" for 30 minutes by this time.
Guy comes back on the phone. Sir? We can't do anything.
You're kidding.
He apologizes. He tells me again that he's never seen this happen. You're sure you're using a legit copy?
I explain my MSDN subscription (active, BTW), my MSDN key, my MSDN ISO download.
I'm sorry, he tells me. Try MSDN.
I call MSDN.
Go through the same thing.
Wow, the MSDN tech support guy says. I've never seen this before.
What now?
Good question, he tells me.
He puts me on hold. Consults with a manager.
Sir? There's nothing we can do.
Give me another key.
I can't. I don't have authorization.
Give me someone who has authorization.
We can't generate another key until the morning.
You're kidding. I'm stuck?
I'm afraid so. I've never seen this before, he says.
By this time I'm furious. I want this motherfucker activated.
Finally, the guy puts me on hold.
Sir? I've got a brand new copy of Windows Pro Retail. In my hands. I'm going to read you the key. But you didn't get this from me.
You're giving me another key?
You didn't get this from me, he repeats.
He reads the key. I read it back. That's all I can do, sir, he tells me.
I appreciate it. (Trying to stay calm.) Thank you.
I'm only doing this because you've got a problem we can't fix. You have a valid key, but it's not generating a valid installation ID.
By this time, over an hour has passed. I'm still trying to activate.
He has me enter the new key. I enter it. Try to activate. Comes up with a message: "This key has no more activations."
I wig out. You're fucking shitting me, I tell me. You're fucking shitting me.
Okay, he says. He explains that we'll have to wait until tomorrow morning to get the key re-activated. He'll make sure it gets re-activated first thing. But that's all we can do, he says. I can't do any more tonight.
I tell him that this -- my situation -- is why people pirate software. It's quicker to get a keygen and generate a phony key than to go through this, waste my time and waste my money.
He's sympathetic. I understand, he says. But we'll get this fixed.
Then: Sir?
Yes?
You didn't get that key from me.
Flash forward: right now. It's the next morning. I'm at my desk. I'm reading Slashdot. I'm on hold with Microsoft tech support. I've called three different tech supoort numbers this morning.
They cannot get my copy of Windows XP Pro activated. They cannot re-activate the "mystery" key that my friend last night gave me.
This is the first time they've seen this problem.
Can we get some more specifics? they ask me.
New hard drive, new CDROM, new motherboard. Everything is new.
They're mystified.
I'm still on hold. I'm reading Slashdot while I'm on hold.
A moment ago: Sir? Can you read your key?
I read it.
Yep, they tell me. That's a valid key. Wow. I've never seen this before.
But to link directly to the crash-windows-in-one-easy-step binary? That's just plain irresponsible.
Are you one of those grade school kids or MCSE who don't grasp a clue to the reality?
I just need it in the security audit meeting this afternoon.
One working tool worths a thousand words. We might have to find our way to prove the validity of a security alert if we are not given a tool nevertheless. Now it helps saving lots of man hours, and helps to protect our company from security hazard at early stage.
So you think IT secuirty's jobs is just repeating security updates/news/alerts? We'd be happy to get that $70,000+ salary for doing that.
Oh goodie, it runs under WINE.
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
In the era of security conscious people, running someone else's .exe file is really stupid, even if you think it might be funny.
And this tool got front-paged on Slashdot. How stupid can you possibly get?
HMM... as if script kiddies don't have it easy enough, lets put a link to a 'crash' script on the front page of slashdot... Do the editors on slashdot ever think before they post links?
/. editors are bastards! Do they understand kids nowaday?! Give them knives they'll kill; give them games they'll not go to school; give them money they'll spend on drugs. Do they ever think of the children? Do they really want our kids sending us back to dark age with these tool?! I want my kids become a MCSE, not some kind of script kiddies!
You are absolutely right!
Why?
Why is Slashdot responsible for the vulnerability that allows this?
Why is Slashdot responsible for the actions of users that choose to download and try this out?
You seem to have a very strange understanding of responsibility, albeit one that's rather popular in Redmond and Washington at the moment.
If you were blocking sigs, you wouldn't have to read this.
About posting a link to an exploit tool?
How many of you posting or modding this up also support the free exchange of ideas, including how to back up or media shift a DVD, or extract a portion for review?
You think there's a difference? Bullshit. Your argument is "raise the cost of entry to put off casual abusers". How is that different from the argument that (e.g.) librarians or teachers can gain access to knowledge to let them make copies or extracts from a DVD, if they know exactly who to ask and how to ask them?
That's the trouble with the free exchange of ideas. It's easy to pay lip service until you see something that you don't like being made freely available, at which point the prissy voice gets put on and cries of "Well, that's just irresponsible!" get made. One more step down that line, and you'll be exhorting us to think of the children.
One issue, one standard. The issue here is the free and frank and convenient exchange of knowledge, including knowledge that you don't want people to have. Pick a position.
If you were blocking sigs, you wouldn't have to read this.
Windows needs it so they ship it with Windows already. IE the application can be removed. IE the underlying HTML rendering engine is intertwined with Windows and third party applications such that its removal would break applcations. The nine states are using the courts to dictate tehcnology Microsoft's competitors don't agree with. There is nothing that preculdes me from using Mozilla on my Windows XP system and completely ignore the existence of IE.
<duck>
Greg
(Inside a nuclear plant)
Aaaarrrggh! Run! The canary has mutated!
I was already patched days before this was posted here thanks to Windows' Critical Update Notification. I mean, if the sky is falling with all of these exploits like /. would like you to think, how come script kiddies don't take down Microsoft.com, Dell.com, or any other major IIS site?
P.S. Awesome Sig.
There is no longer anything that can be done with computers that is nontrivial and clearly legal. -- Paul Phillips
I just installed a fresh w2k last night, after not being able to get my ATI All in Wonder Radeon 7500 to work with XF86 (what's with that? btw... tried RH7.3, Mdk8.2, and Lycoris to no avail, although they all recognized the card). The only things installed thus far are the OS and the ATI drivers/apps (for running the USB remote and such). I can assure you that this binary took the box out as quick as I could hit enter.
put the what in the where?
NetBIOS (I admit that the name has meant a few different things as it evolved) is not the same as NetBEUI. NetBEUI is a layer 2 protocol, and is not propogated by most routers. (unless the "router" is really an ethernet bridge in disguise)
NetBIOS is a programming interface implemented as a bunch of packet types which can be sent out either over NetBEUI or over IP. (sitting mostly on top of TCP, though I think some packets are sent out with UDP). IP is extremely routable.
If you let FTP traffic through. malicious code will get in through there. If you leave port 80 open, malicious code will get through there. If you leave port 23 open, malicious code will get in through there. If you let e-mail in, even if you virus-scan it, malicious code will get in. If there is a single floppy disk drive on your network, malicious code will get in. Same for CD-ROM drives.
Firewalls can make things inconvenient for people (users as well as crackers), but there is always a balance that must be met between how much inconvencience the users can tolerate and how important it is to inconvenience crackers. That balance is never going to lean very far towards the 'inconveniencing crackers' side.