Windows Security Holes Go Mostly Unexploited

murky.waters writes "Wired News has an article with a decidedly different take on security holes in Microsoft Windows: Despite the thousands of known exploits and virii, most MS users aren't target of much harm, and the big guns such as Klez have had almost no effect on home users. An interesting read that, if true, challenges some common arguments."

Opaserv exploited one

[helix400]

Funny, the Opaserv worm is currently exploiting one flaw with great success. The newest variant destroys a hard drive

Its so bad, that if you install win98 on a fresh machine, password protect and share the C drive, and connect to the internet, you can get this variant within 5 minutes. Opaserv exploits a shared drive password flaw, and has full access to the machine. Then it will ruin the CMOS and main hard drive partitions.

From my tech support experience, this year has been the worst for exploits.

What a load of horse feces

[antis0c]

My girlfriend's Windows 2000 machine was hacked about a month ago by script kiddies exploiting one of the recent exploits in a Microsoft product. They then installed 2 apps, a ghosting app that hides any application from the Taskbar and Tasklist, and mIRC with hacked up startup scripts to allow remote control when connected. They used the ghost app to hide itself and mIRC. Whenever she turned on her computer, it would load mIRC, hide it, then connect to EFNet. Then shortly after someone who would see it connect, would use it to mass-ping hosts in an attempt to DoS someone.

Needless to say, for the week this was going on, I noticed serious network problems at home. And pinpointed them to every time she turned on her computer, the network would lag to a stop. Finally after researching it I discovered what was going on.. I found the channel these guys hung out in, and she wasn't the only victim. They had a few hundred hacked users they could control.

So when I see reports like this, I suddenly get a whiff of steaming horse shit.

Re:What a load of horse feces

[AnimeFreak]

It gets really funny when you find one of these things lying around someone's computer and you discover what IRC channel they're in.

Over the summer my sister decided to run some P2P software on my main workstation while I wasn't home. I get home the next day and noticed my LAN lights on my hub going nuts from my main workstation. So I yanked the cord from the hub and decided to see what processes were running.

Low and behold I discovered what was causing it. My sister downloaded a keygen off the network that turned out not to be a keygen but a trojan instead that was connecting to an IRC server and was DoS'n someone.

Using an IRC daemon, some IRC monitoring software, and a small edit of my hosts file, I discovered where this thing was connecting, what channel it was joining, and the password required for the channel. I fired up another IRC connection from my machine and decided to talk to the kiddies.

The kids were acting like they didn't know anything and subsequently kicked me out. Didn't do anything beyond there but they had a massive collection of bots going.

They must not be herding my patrons

[jmorris42]

I'm sysadmin at a public library with public dialup access. They get Klez by the dozens every month so I wonder where the writer is looking for 'typical users'? I'm sitting in a rural parish (county for the rest of the US) in LA and have a pretty typical bunch of 'end users' in our population with the one exception that I try as hard as I can to educate them as to the evils of Outlook (which falls on deaf ears) and pass out CD-ROMS and setup manuals documenting Netscape for web & E-Mail (which they ignore, whining about having problems getting Outlook Expresss configured.). The only concession to unsafe computing is that I do give detailed configuration steps on getting IE past our federally mandated filtering system because I know that a lot of sites and third party software depends on IE.

The biggest issue I have with Klez is the forging

[weave]

My addresses show up on a lot of web pages and others' addressbooks, so not only do I get a lot of Klez messages, I get a lot of them sent out to others in my name.

I am then subjected to dozens of e-mail scanning auto-responders telling me I have a virus, auto replies from people I've never heard of, and the occasional jerk who thinks they know everything screaming at me in e-mail telling me I am stupid for letting myself get infected.

The fact I am also the postmaster admin to 13,000 users means I get users contacting me in a panic thinking they have a virus because one of the three above things happens to them. This, despite a faq and notices on intranet etc etc that this thing is out there.

Klez is probably the primary reason I am starting to hate Microsoft. It doesn't matter if my computer and all computers I am responsible for are completely patched and that my mail gateway blocks it, I still get to be a victim indirectly, and I doubt we'll ever see the entire planet fully patched.

Re:There is a reson for this

[JohnFluxx]

Actually hacking home users is a good place for a newbie-hacker (or script-kiddie or whatever) to learn. Much less chance of being caught, and if you screw up you can just wipe the machine since most likely there aren't backup logs.

Mitigating factors...

[MonTemplar]

I subscribe to the Microsoft Security Bulletins at work, and on every security notice there is a section marked Mitigating Factors which details the particulars that are required for an exploit to be performed. These break down into the following types :

• Software set to the defaults, not the settings recommended by Microsoft (eg. Outlook (Express) setting for Security Zone to use when viewing messages)
  
• A particular combination of software and settings (eg. IIS, SQL Server, Exchange)
  
• Vectors than can be used to exploit the hole - some will require physical access to the machine, or to a machine on the same local network, or particular user access.
  
• The window of opportunity that can be afforded by exploiting the hole - how much code you could inject, how far you could elevate your privileges on the system, how much access you gain to the system, etc.
  

A lot of the potential exploits would fall at the first two hurdles above. For instance, by setting Outlook (Express) to use the Restricted Zone, you've already plugged several holes.

This is not to excuse Microsoft for creating the holes in the first place. Particularly odious are those related to allowing scripting to be performed in places where it makes no sense whatsoever, eg. Windows Media files. That is not a case of sloppy coding, that is bad design from the get-go.

Sad to say, even if Microsoft fixed all the outstanding holes tomorrow, you will still need to have a firewall and anti-virus software, because the malware will continue regardless, until such time as we all move to a platform that is secure by design. (And, no, in truth that platform doesn't exist yet)

I think it's better preparation and response...

[sheldon]

Most companies were taken off guard by several of the major viruses and worms over the past 4-5 years. ILoveYou, Nimda, CodeRed, etc. But after each major hit things were done not just reactively, but also proactively.

Virus scan engines were updated, email servers had attachment blocking filters installed, patches were installed, etc.

There has been a slew of updates made available to applications like Outloook, Outlook Express, IIS and so forth which disable many of the features that these exploits took advantage of. The Outlook 2k security update, default permissions in OE 6.0, IIS Lockdown wizard, URLScan, etc.

Then you have a whole slew of administrative utilities such as HFNetChk from Microsoft/Shavlik to test systems for patches and various tools(HFNetChk Pro) to do reports on large numbers of machines and push out patches.

I do agree that the security finders tend to overstate the impact, but it's still important to react to the issues. The conclusion that wired really should be making is that we've learned lessons and learned how to better prepare and respond. That's why their are fewer major problems.

Re:Maybe I'm an exception, but...

[Znork]

Sounds like you've gotten so 0wn3zd your're not even getting the logs anymore. Probably fairly soon after those first portscans you saw. Or maybe your ISP is running a firewall for you? But if I was suddenly seeing less than a dozen attacks per day, frankly, I'd be pretty sure I wasnt seeing the real picture.

suburban logic? It won't happen to me.

[Vodak]

So I guess under this logic it would be perfectly fine to install doors and windows in your house with no locks at all because your neighborhood doesn't have home break-ins or invasions?

Actually, there was ONE known Mac exploit

[phillymjs]

Waaaaay back in 1997, there was a problem with a version of Lasso (a 3rd-party database-access CGI) that could be exploited. I believe it was discovered during a 'hack this Mac web server and get $10,000' sort of contest-- it was so long ago, I don't really remember the details, but it has been done. This hole was closed very quickly with an update to Lasso.

People just using the web service built into the Mac OS, however, have never had anything to fear. Unlike IIS, Personal Web Sharing and the AppleShare IP Web Service were always airtight.

~Philly

I think Apple has an anti-tamper system in OS X

[2nd+Post!]

Every thing that accesses the keychain at least does.

If Mail has been changed or tampered with, if AIM or ICQ or iChat, etc, etc, it asks me 'should I allow this program access to the keychain'?

Of course I dunno if this is robust or reliable, but it seems to exist.

Klez

[BrookHarty]

At work we have to disable some users accounts on the wireless data networks who have viruses. They consume too much bandwidth, resource hogs. We run reports, and every day anyone who displays virus/trojan behavior, we shut them off.

We can tell from the users profile if its a p2p network program, or a virus, viruses dont portscan your entire network, or spam your smtp servers.

Many users have found things such as back orafice, or other remote programs. Lucky its easier to watch for this when you own the entire network, for an ISP, it would be much harder.

YMMV.

Sad but true.

[billstewart]

Unfortunately, Windows is way too big to fix, as are too many of the major applications that run on it, and security isn't something you can just patch on after the fact. Some of the newer versions, such as XP, don't crash anywhere near as often, which suggests that maybe enough major parts have been rewritten that many of the old bugs have been discarded and replaced with a smaller number of newer bugs.

One of the things that annoys me the most is the number of reported holes that are caused by buffer overflows. There's simply no excuse for them this decade! If you don't have a good enough quality control process to test for them all, and MS doesn't, you shouldn't let your people write code in C! Don't get me wrong - I really *like* C, and I've been using it for over 20 years. It's a great language for a lot of things, including compact, efficient, clean, obvious code, and it does let you shoot yourself in the foot. But if you can't keep your people from shooting, and can't tell where the holes are, and can't tell whether all your feet are intact, it's not the language for you. And if you want to use C++ or C-- or C-sharp or C-dull, and you don't enforce the use of safe I/O and copying methods, don't do that either. (By the way, this rant applies to Linux as well.)

Esther Dyson has her signature-line about "Always make new mistakes". Buffer overflows and testing for maliciously formatted input aren't new mistakes, folks! They're CS100 material, the first thing you should be learning after you learn how to do arrays and input functions. (And I learned my programming in PL/I, an language that won't let you overflow buffers.) At least make the bugs interesting, like race conditions or something! Accepting input that abuses ..s in directory paths when they shouldn't be there isn't a new mistake, and it's one of the most common bug reports I see that aren't memory-related.