Microsoft News Update
Microsoft news of the past few days: Media Player 9 is the subject of a few articles, including one on its integrated digital restrictions and one on changes in its privacy options. Microsoft is releasing certain APIs, and is releasing a service pack for Windows XP, under the requirements of its antitrust settlement with the Federal Gov't. On the downside, code to crash any modern Windows machine with NetBIOS enabled is now floating around the net, and there's been more publicity of the vulnerabilities in Microsoft IIS/SSL.
On the downside, code to crash any modern Windows machine with NetBIOS enabled is now floating around the net
Well, one good way to help the propagation along would be to post a link to it on slashdot so thousands of script kiddies can get ahold of it... oh wait..
According to this article anyone using cracked WPA activation or certain serial numbers will not be allowed to use Windows Update or install SP1. This will apparently not affect the OEM copies that have been floating around for months before the Windows XP release date.
Well, I'm not sure about everyone else.. But I know us developers at the WINE project have found the new APIs (documented here) to be anything but useful..
Well, The Register does say "what Microsoft has got in there is a grotesque, badly-documented pile of poo it doesn't fully understand itself." (in regards to the fact that the few new APIs Microsoft released docs on are either useless or altogether wrong!)
David.
stuff
Are we talking about MS02-045 ? If you really MUST supply a link to the attack tool you should AT LEAST supply a link to the fix as well!
From the article:
"Welcome to Windows Media Player 9 Series," the opening screen of the Privacy Options panel reads. "Microsoft is committed to protecting your personal privacy. To enhance your experience with features including album art and pay-per-view-services, data must be sent and received over the Internet and/or saved on your PC. The options below enable you to customize these privacy settings."
OK, so right from the get-go users are presented with the issue of sending information from their computer. Certainly this is an enhancement feature, if done correctly and the user really has control over what is going on. In the long run, the real power and benefit of computers and networks comes with sharing information, and as people become more comfortable with it, software that includes network features will be more powerful and more popular. For example, see the popularity of the CDDB in CD players.
However, how do you really know what sort of information your software is sending over the network? As we start to take advantage of network features, it will become impossible to rely on personal firewalls to curb outbound traffic - you want your CD player to send some ID to the CDDB so it can retrieve the correct tracklisting for the CD you're playing, so you have to tell your personal firewall to allow your CD player to connect to the net. After that point, you are trusting the CD player to behave properly and not betray you.
The article acknowledges this:
"As more applications become Web-aware in order to provide services and information back to the user, consumers need to be aware of the quid pro quo that's taking place and exactly what information is being provided to the vendors," Gartenberg said. "What Microsoft appears to have done here looks like a step in the right direction, if it makes it into the final product."
So the issue boils down to trust. Do you trust Microsoft? I'm sorry, but I do not. No matter what they put in their GUI as far as options go, you can never quite be sure about what their software is sending back to them.
With open source, at the very least you're allowed to look at the code and see what your software is really doing...
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS02-045.asp
But I assume it's 'better' to let people suffer instead of helping them out, is it? You don't have to post links to security bulletins, but if you post a link to a DoS tool, why not supply the link to the patch as well, to let the reader decide if he/she wants to be vulnerable or not.
(Good system administrators have already disabled TCP/IP over NetBIOS (disable TCP/IP over NetBIOS helper service) of course and stopped the server service as well, on online systems, among other NetBIOS-related crap which is not needed on the internet (NetBIOS package: "whohoo a router, what's that!"))
Never underestimate the relief of true separation of Religion and State.
From Russ at BugTraq:
Before too many more messages;
1. SMBDie = RedButton = Wow, incredibly talented programmer. This sure was a tool we needed.
2. If RestrictAnonymous is set, non-authenticated users can't use it, any authenticated user can.
3. If you're in an environment where any old computer connected to your network can use TCP139/TCP445, set up a sniffer (Network Monitor works) and watch for the source of the traffic. Then beat that person over the head with their PC. Do that either before or after you patch your systems with MS02-045. If more testing of the patch is required, beat them a little every day until your testing is complete.
4. If you're in an environment where you have TCP139/TCP445 open to the Internet, you don't need NTBugtraq, you need Dr. Phil. Buy a $50 Linksys router and put it in front of your machine and use it to block all but those few you really want open (which doesn't include those two).
5. Randy Hinders suggests that disabling NetBIOS over TCPIP works, I'm not yet 100% convinced. Either way, it should be easier to apply the patch than disabling NetBIOS over TCPIP.
The MS Security Bulletin honestly did do a great job of explaining all of this, more people should read it more carefully.
Cheers,
Russ - NTBugtraq Editor
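Items 3 and 4 of the post above come down to knowing which hosts are opening connections to TCP 139/TCP 445. A sketch of that triage over captured connection records, added here as an example and not part of the original post or of NTBugtraq; the log format, addresses, allow-list and function names are all constructed for illustration:

```python
import ipaddress
from collections import Counter

SMB_PORTS = {139, 445}  # the two ports named in the post

# Constructed sample in a made-up "time proto src:port -> dst:port flags" format.
SAMPLE_LOG = """\
2002-08-27T09:14:02 TCP 10.0.4.17:1043 -> 10.0.1.5:139 SYN
2002-08-27T09:14:02 TCP 10.0.1.5:139 -> 10.0.4.17:1043 SYN-ACK
2002-08-27T09:14:09 TCP 10.0.4.17:1044 -> 10.0.1.6:445 SYN
2002-08-27T09:15:30 TCP 10.0.2.20:1201 -> 10.0.1.5:445 SYN
2002-08-27T09:16:11 TCP 203.0.113.9:4021 -> 10.0.1.5:445 SYN
2002-08-27T09:16:40 TCP 10.0.4.17:1050 -> 10.0.1.5:80 SYN
truncated capture line
"""

def parse_line(line):
    """Return (proto, src_ip, dst_port, flags), or None for unparseable lines."""
    parts = line.split()
    if len(parts) != 6 or parts[3] != "->":
        return None
    _ts, proto, src, _arrow, dst, flags = parts
    try:
        src_ip = ipaddress.ip_address(src.rsplit(":", 1)[0])
        dst_port = int(dst.rsplit(":", 1)[1])
    except (ValueError, IndexError):
        return None
    return proto, src_ip, dst_port, flags

def smb_sources(log_text, approved_clients, internal_nets):
    """Count new SMB connection attempts per source.

    Returns (internal, external): internal sources that are not on the
    approved list, and sources outside every internal network.
    """
    nets = [ipaddress.ip_network(n) for n in internal_nets]
    approved = {ipaddress.ip_address(a) for a in approved_clients}
    internal, external = Counter(), Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        proto, src, dst_port, flags = rec
        # Only the opening SYN counts, so replies are not double-counted.
        if proto != "TCP" or dst_port not in SMB_PORTS or flags != "SYN":
            continue
        if not any(src in net for net in nets):
            external[str(src)] += 1   # item 4: 139/445 reachable from outside
        elif src not in approved:
            internal[str(src)] += 1   # item 3: "any old computer" on the LAN
    return internal, external

if __name__ == "__main__":
    print(smb_sources(SAMPLE_LOG, ["10.0.2.20"], ["10.0.0.0/8"]))
```

Any entry in the second counter means the perimeter is passing 139/445 and should be blocked there, independent of patch status.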
And MS plans (apparently) to "bomb" any cracked installations of XP. (I gather some sort of cracked DLL or file monkeyed with the WPA and allowed for pseudo-activation.)
MS is still not clear about this. But I'm curious if MS finally got the hint and is now planning to keep a database of all "authentic" Windows XP keys. If this is the case, then I assume the various keygens won't work. (Or they'll work, but when it comes time to activate, you'll find that you don't actually have an "authentic" key.)
Slightly OT, but I thought I'd share my own XP activation experience. It happened last night and it basically stumped Microsoft.
The short story goes something like this: I'm an MSDN subscriber. My MSDN subscription entitles me to Windows XP keys that will activate up to 10 pcs. So far so good.
Anyway, I go to the MSDN site, log in with my usual username and password. Generate my keys. Get my "10 activation" key for Office XP, Pro XP, Home XP.
Now, according to the license, these generated keys will activate 10 pcs for each application. (In other words, I can put WinXP Pro on my workstation at work and my workstation at home. This counts as two "activations" on two different PCs and is completely within the terms of the license. Each computer, of course, has to be for "development" purposes -- which, oddly enough, they are. My computer at home is actually a computer I use when I telecommute. And I develop on it. So, again, I'm completely within the terms of license agreement.)
Okay, so that's the background. Here's the good part: I install WinXP Pro on my home "work" workstation using the MSDN supplied key. (The copy of WinXP Pro I'm installing, BTW, is the ISO I downloaded from the MSDN site. The copy of Windows XP I'm legally entitled to according to the terms of my MSDN universal subscription.)
The MSDN issued key passes the first XP keycheck -- the check that appears before it actually installs. No complaints, install goes smoothly. I boot to the desktop. All's fine. Looks like it installed perfectly.
Except Windows tells me my key is no good.
But wait! It *took* the key when it asked for it, right? Yes. It took it.
I re-enter the key. (And, yes, I'm using the MSDN supplied key on the MSDN ISO -- not the volume license CD, the actual ISO downloaded from the MSDN site.)
Still says my key is no good. It then generates an installation ID -- an obscenely long number -- and tells me that I have to call the 1-888 toll-free activation center.
I call. I give my installation ID. Wait, I'm told, that's not the right installation ID. Generate another one.
I generate another installation ID. (There's a button that can do this when you install XP.)
I read it back. It's still not a valid installation ID.
The activation center guy said he never saw this happen before. Am I reading the correct ID? Did I transpose any digits?
Nope. It's all correct. Read it from right to left, he tells me. I do. Read it from left to right, he tells me. I do.
Wow, he says. I've never seen this before. You have a valid key, he tells me, but Windows is generating an *incorrect* installation ID.
I say, well, I don't care what's going on, I want this thing activated.
Pause. Sir? Can you read me the ID again?
I do. This is the sixth or seventh time I read the ID. Nope, he tells me. Still no good. He puts me on hold. I stay on hold. Sir, he tells me. I'm sorry. Sorry? We can't do anything. You what?
We've never seen this before.
You're kidding.
If you have a correct key, you should get a correct installation ID.
Yes, I say.
Can you read me your key?
I read it. Read it again. And again.
Sir?
Yes?
The key is correct.
I know the key is correct.
Can I put you on hold again?
So I sit and wait. And wait. All told, I've been "activating" for 30 minutes by this time.
Guy comes back on the phone. Sir? We can't do anything.
You're kidding.
He apologizes. He tells me again that he's never seen this happen. You're sure you're using a legit copy?
I explain my MSDN subscription (active, BTW), my MSDN key, my MSDN ISO download.
I'm sorry, he tells me. Try MSDN.
I call MSDN.
Go through the same thing.
Wow, the MSDN tech support guy says. I've never seen this before.
What now?
Good question, he tells me.
He puts me on hold. Consults with a manager.
Sir? There's nothing we can do.
Give me another key.
I can't. I don't have authorization.
Give me someone who has authorization.
We can't generate another key until the morning.
You're kidding. I'm stuck?
I'm afraid so. I've never seen this before, he says.
By this time I'm furious. I want this motherfucker activated.
Finally, the guy puts me on hold.
Sir? I've got a brand new copy of Windows Pro Retail. In my hands. I'm going to read you the key. But you didn't get this from me.
You're giving me another key?
You didn't get this from me, he repeats.
He reads the key. I read it back. That's all I can do, sir, he tells me.
I appreciate it. (Trying to stay calm.) Thank you.
I'm only doing this because you've got a problem we can't fix. You have a valid key, but it's not generating a valid installation ID.
By this time, over an hour has passed. I'm still trying to activate.
He has me enter the new key. I enter it. Try to activate. Comes up with a message: "This key has no more activations."
I wig out. You're fucking shitting me, I tell him. You're fucking shitting me.
Okay, he says. He explains that we'll have to wait until tomorrow morning to get the key re-activated. He'll make sure it gets re-activated first thing. But that's all we can do, he says. I can't do any more tonight.
I tell him that this -- my situation -- is why people pirate software. It's quicker to get a keygen and generate a phony key than to go through this, waste my time and waste my money.
He's sympathetic. I understand, he says. But we'll get this fixed.
Then: Sir?
Yes?
You didn't get that key from me.
Flash forward: right now. It's the next morning. I'm at my desk. I'm reading Slashdot. I'm on hold with Microsoft tech support. I've called three different tech support numbers this morning.
They cannot get my copy of Windows XP Pro activated. They cannot re-activate the "mystery" key that my friend last night gave me.
This is the first time they've seen this problem.
Can we get some more specifics? they ask me.
New hard drive, new CDROM, new motherboard. Everything is new.
They're mystified.
I'm still on hold. I'm reading Slashdot while I'm on hold.
A moment ago: Sir? Can you read your key?
I read it.
Yep, they tell me. That's a valid key. Wow. I've never seen this before.
I have to second this. I've been reading slash since 1997 (user ID underscores the fact that I recall the day users were added), and Michael is the reason that I've started paying attention to the fact that slashdot has different editors at all (with the exception of Katz, whom I appreciate from time to time).
In the era of security conscious people, running someone else's .exe file is really stupid, even if you think it might be funny.
And this tool got front-paged on Slashdot. How stupid can you possibly get?