SecurityFocus On MS Security "Hole"
friday2k writes "There is an interesting writeup at SecurityFocus that puts the latest security 'hole' in XP into perspective. It is a worthy read and should remind us all of the real issues out there." And it collects into one place much of the flak I caught after posting about the claimed security hole opened by the XP Recovery Console.
... but he is right about the physical security. Not long ago I walked a client several hundred km away through an OpenBSD boot via floppy so he could change his forgotten root password. I don't hear the masses screaming for Theo's head because this is possible.
Trolling is a art,
Once the general populace knows about a problem, the media has to say something, because how would it look if they didn't report on a new trend? Suddenly everybody "knows" about the problem, even though it does not exist.
I can't say that I don't give a fuck. I've just run out of fuck to give.
[I posted this on SecurityFocus.]
Actually, it is CRITICAL in one aspect.
If Avaya's security consultant Ken Pfeil is correct when he said:
"If the system is a member of a workgroup and not a domain, you can just change the user's password that the file was encrypted under," Pfeil said. "Then you can log on as that user having access to the encrypted file."
Then EFS is useless in the standard configuration for protecting hard drives. Specifically, hard drives on LAPTOPS, which frequently get stolen.
Most likely this is an IMPLEMENTATION issue, though, and NOT a "hole" in XP. It sounds like the certificate/key used for EFS is stored on the drive, and the password for it is tied to the Workgroup/Domain password. The certificate/key really needs to be stored on a USB key or other removable media, so it can be kept separate from the system.
Encrypting files/folders/partitions on hard drives is supposed to guard against exposure EVEN WHEN CONTROL OF THE SYSTEM IS COMPROMISED!
Case in point -- laptops. What is the point of encrypting data on the drives if, when stolen, the machine can be consoled and the password changed, opening all the files?
I do not know if you can move the certificate/key off to removable media. If you can, like I suspect, then it is an implementation issue and not a "hole". If not...
You are right in that it was overplayed as a major catastrophe, though. For almost all other cases, if you've lost control of the hardware, you're screwed.
-Charles Hill
Learning HOW to think is more important than learning WHAT to think.
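The post above hinges on whether the EFS private key is recoverable after someone resets the account password from outside the running system. As an added illustration (not code from the thread or from Microsoft), the model below contrasts the two designs the post is weighing: one where the file-encryption key is wrapped under a key derived from the user's logon password, so an administrative reset (old password unknown) leaves the key unrecoverable while a normal change (old password known) re-wraps it, and a "legacy" one where the key sits in the clear behind the logon check only, so a reset exposes it. On Windows XP the EFS private key is protected by DPAPI with a master key derived from the logon password, which is why XP warns that a password reset may make EFS data unrecoverable; Windows 2000 standalone accounts lacked that protection, which is the scenario the quoted consultant describes. PBKDF2, the HMAC-based wrapping, the account dictionary and the sample key are all constructed for this model and do not mirror the DPAPI on-disk format.

```python
"""Model of password-wrapped file-encryption keys: reset versus change.

Added illustration only. PBKDF2 stands in for DPAPI's password-derived
master key; the HMAC keystream + tag is a toy authenticated wrapper.
"""
import hashlib
import hmac
import os
from typing import Optional

ITERATIONS = 50_000
# Constructed placeholder for the user's EFS private key (not a real key).
SAMPLE_EFS_KEY = b"constructed-EFS-private-key-bytes"


def derive_kek(password: str, salt: bytes) -> bytes:
    """Key-encryption key derived from the logon password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS, dklen=32)


def _keystream(kek: bytes, nonce: bytes, length: int) -> bytes:
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(kek, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def wrap(kek: bytes, secret: bytes) -> bytes:
    """Toy authenticated wrapping: nonce || (secret XOR keystream) || HMAC tag."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(secret, _keystream(kek, nonce, len(secret))))
    tag = hmac.new(kek, b"tag" + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unwrap(kek: bytes, blob: bytes) -> Optional[bytes]:
    """Returns the secret, or None if the tag does not verify under this KEK."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(kek, b"tag" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(kek, nonce, len(ct))))


def _set_verifier(acct: dict, password: str) -> None:
    """Logon verifier only; deliberately independent of the key wrapping."""
    acct["pw_salt"] = os.urandom(16)
    acct["verifier"] = hashlib.pbkdf2_hmac("sha256", password.encode(), acct["pw_salt"], ITERATIONS)


def create_account(password: str, efs_private_key: bytes, legacy: bool = False) -> dict:
    """legacy=True models a key stored in the clear behind the logon check only."""
    acct = {"legacy": legacy, "kek_salt": os.urandom(16)}
    _set_verifier(acct, password)
    if legacy:
        acct["efs_key"] = efs_private_key
    else:
        acct["efs_key"] = wrap(derive_kek(password, acct["kek_salt"]), efs_private_key)
    return acct


def logon(acct: dict, password: str) -> bool:
    v = hashlib.pbkdf2_hmac("sha256", password.encode(), acct["pw_salt"], ITERATIONS)
    return hmac.compare_digest(v, acct["verifier"])


def efs_key_after_logon(acct: dict, password: str) -> Optional[bytes]:
    """What a session started with `password` can recover."""
    if not logon(acct, password):
        return None
    if acct["legacy"]:
        return acct["efs_key"]
    return unwrap(derive_kek(password, acct["kek_salt"]), acct["efs_key"])


def change_password(acct: dict, old: str, new: str) -> bool:
    """Normal change: the old password is known, so the key is re-wrapped."""
    key = efs_key_after_logon(acct, old)
    if key is None:
        return False
    _set_verifier(acct, new)
    if not acct["legacy"]:
        acct["kek_salt"] = os.urandom(16)
        acct["efs_key"] = wrap(derive_kek(new, acct["kek_salt"]), key)
    return True


def admin_reset_password(acct: dict, new: str) -> None:
    """Offline/administrative reset: only the logon verifier is replaced."""
    _set_verifier(acct, new)


def demo() -> dict:
    """Run both designs through a reset, and the wrapped design through a change."""
    results = {}
    for legacy in (False, True):
        acct = create_account("hunter2", SAMPLE_EFS_KEY, legacy=legacy)
        admin_reset_password(acct, "reset-pass")
        results["reset_" + ("legacy" if legacy else "wrapped")] = efs_key_after_logon(acct, "reset-pass")
    acct = create_account("hunter2", SAMPLE_EFS_KEY)
    change_password(acct, "hunter2", "new-pass")
    results["change_wrapped"] = efs_key_after_logon(acct, "new-pass")
    return results


if __name__ == "__main__":
    for name, key in demo().items():
        print(name, "key recovered" if key else "key NOT recoverable")
```

The practical reading for a defender: the wrapped design makes a stolen laptop's reset useless for opening EFS files, but it also means a forgotten password loses the data unless the key was exported or a recovery agent exists, which is the trade-off the thread is arguing about.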
I'm with the author on this one. I dislike MS as much as the next guy, but I'd WANT a recovery disc to dump me at a prompt if the data files were corrupt. If the files on the drive are THAT important, they should have been encrypted anyway...and if I was the admin of the box, they would already be encrypted.
I have nothing to worry about.
Tim Mullen is probably the most notorious apologist for Microsoft in the security community. He is known far and wide for his articles (accompanying every notable security problem with a Microsoft product) which attempt to downplay exposure and combat anti-Microsoft hype.
In this particular case (as per his MO), Mr. Mullen attempts to downplay the threat involved in this situation by first declaring that it is desired behavior (it's a feature, not a bug), and then addressing the most poorly researched articles from a press that we all recognize can't get its facts straight.
Sure. The press is often whack on this stuff. Sure, the Recovery Console is doing what it's intended to do. However, is what it's intended to do unacceptable? Is it still unacceptable, even though the press doesn't understand it?
Mullen's logic seems to be, "Hey, it's not a 10 on the panic scale, like some say it is, so it must not be on the panic scale at all."
Seventh graders in debate club recognize this logic as faulty.
Paper Pusher
News flash: this is expected, and desirable, behavior. The Win2k RC can't read the XP registry, so it thinks it is a corrupted Win2k installation. When it can't verify the SAM, it bails out to the console. Administrators want this behavior. If you have an installation on which some third-party driver has hosed the registry, the Recovery Console will allow you to attempt to fix it. That's what "Recovery Console" means.
No, recovery console does not mean to bypass the password set by the administrator. It means to recover data that has been lost due to reason "foo".
While I don't see it as being that big of a deal (you could do it w/ any OS's boot disk, I suppose, or even a LILO prompt on a Linux machine), I think it is an odd bit of information that should be known.
Media organizations know they get eyeballs when their audience is afraid.
Ignorant and afraid of terrorists? Watch Fox News.
Ignorant and afraid of hackers? Read Wired, or WinInformant.
Maybe we should be afraid of ignorance, instead.
Laugh at my Lisp and I keeell you.
"Instead of wasting space on functions that are not even vulnerabilities, they should be covering issues like Oracle's "unbreakable" applications having yet another series of remote buffer overflows that took six months to fix. They should be covering the fact that in order to get the patches for Oracle, you have to pay for them under a service contract. If Microsoft tried something like that, angry mobs of protesters would pull Bill Gates from his own home like a group of crazed Colombian soccer fans and bind him to a whipping post. "
Although the last part about whipping arouses me in a peculiar way, I'd much rather see Larry Ellison's claims being dissected and put into context. Sure they are a marginal player in most markets, but in the enterprise application business they really advertise aggressively and not so truthfully.
Seeing the tech press just relaying a story like this only confirms the notion that there are no journalists that understand tech, and no techies that understand journalism.
Oh, I can't help quoting you because everything that you said rings true
In contrast, I know SQL Slammer was reported day-of. In this case, a free patch was available six months prior to the worm. And let's face it: if the patch is available but not applied, it's not Microsoft's, Oracle's, Linus's, or any other vendor's fault--only the SysAdmin in question.
One major difference was that SQL Slammer took out several networks, where Oracle did not have such impact.
To /.'s credit (and I'm going mostly off memory), the big critique was on the DB admins, not on Microsoft.
I totally agree on this - I've been doing Win2k installs for a few years now, and I'd have had to totally scrap god knows how many systems if it weren't for the recovery console.
And the fact that you can use the Win2k boot CD to log in without a password isn't a bug, or even a security hole, it's simply the fact that MS didn't require a password to use the Console in Win2k.
What do the critics want MS to do? Recall and patch every single Win2k boot CD?
sig:- (wit >= sarcasm)
People forget passwords.
Especially if they're 'smart users', and never run in root. Sure, they should have it written down, but that piece of paper can get lost, and might not be able to be kept reasonably secure.
Thus, would you rather have a box marginally more secure, or would you like to be able to log in if that little piece of paper gets lost?
Physical security is a no-brainer. If you find that you have to sit down and think about it now, you've been doing something seriously wrong for however long it is you've been running a computer.
Overrated Moderation: This posts sucks... because.
Whether or not, in this particular case, the reported exploit is not the vulnerability described, there have been so many valid, exploitable, preventable, denied by Microsoft, bugs/cracks/flaws/exploits/holes that Microsoft is presumed guilty from the get go. And considering their programming and their behavior following, this is to be expected. They've created an atmosphere where the logical, understandable response is to mistrust them. That's their doing, and they're the ones to fix it (if at all possible).
Whoopty do. Pop in a linux boot floppy with ntfs support and do the same thing
I thought that one point that was made was that you could use the win2k recovery console on XP without having to reboot it. That is at least slightly different.
If any user was in possession of this recovery console, he or she could defeat the XP's multi-user environment while XP is still running. Moreover, it proves that it is possible for someone to design a tool that effectively bypasses XP's multi-user security *without* having to boot into a different OS and mount partitions from there.
Obviously, the risk is not as bad as some articles depicted, but it's not a non-issue either.
PHYSICAL SECURITY. This is the first tenet of network security. Prevent the box from being accessed by those who should have no access. This tenet, however well implemented, is absolutely useless if the baddies that mean your network harm are INSIDE the network, which in 75% of cases is true. It's a sad-assed day indeed when your own employees are the evil that is supposedly lurking outside the firewall.
Seriously. Yeah, a stupid error was made and several sites reported on it. I am supposed to feel bad for Bill or do what Tim Mullen says and "Give Bill a Break"?
No, I won't be giving Bill G. a break. I'll continue to point out that billions of dollars in virus damage are done every year and MS is responsible in the vast majority of the cases. If MS occasionally has mud kicked in their face, well, too bad for them. If there is such a thing as karma then MS has a lot more of this coming. I for one don't pity them based on the dirty illegal tactics they've been using for a decade now.
MS doesn't get nearly enough flak for the amount of damage their poorly coded software causes. Maybe if more articles are written which say how bad MS software is, MS might actually have to be accountable one day. For me that day can't come soon enough.
If you wanna get rich, you know that payback is a bitch
Seems to me this whole issue is a direct result of MS's tarnished brand. Why bother doing research to find out if this week's security hole is bogus or not? Microsoft's brand is so coupled with "security compromise" you don't need to prove the case anymore to attain public credibility.
I have a second sig, I call it sig#2.
Indeed, if a particular system were more vulnerable than Windows then crackers would scan for that system and attack it. Opportunists go for the easy prey, not necessarily the most common thing. You can find non-MS nodes on the internet if you look - that's not a problem.
Indeed. And not only featureset but usability and user-friendliness factor are also placed above security issues. :)
As a result we have a dominant OS that's insecure and a secure OS that's mostly unusable by anyone who is not a third-generation sysadmin. In all that rush no one had the time to write an OS that is BOTH secure and user-friendly. Flame away.
well, I'll let you pick which end
/. that server.......
Law #3: If a bad guy has unrestricted physical access to your computer, it's not your computer anymore.
I wonder if we could
Why? Because SUCH a small percentage of people honestly work with the source. I'm sure that less than 1% of Linux users know how to do anything more than run the code through the compiler, and the majority can't even do that.
As I constantly point out, every slashdot user is not helping write the kernel of Linux.
The reason MS is getting probed is twofold. 1) Hackers have a bug up their ass about MS (no pun intended), and 2) Security firms are hunting for obscure exploits due to the notoriety they get in being credited with finding the bug/exploit. If you are a security firm and can tell your clients you found five exploits in the last year, that equates to money.
And don't believe that Linux users are any more computer savvy than Mac users. That's like saying brown-eyed people are smarter than blue-eyed people. A lot of people learned Unix while they were in college. Those skills can easily transfer over to Linux. Thus, it's merely a comfort thing rather than a tech-savvy thing.
Also, the Apache vs. IIS thing. I would account for the market share and the security issues just by maturity of the product. How long was Apache web server out before IIS came out? Quite a while. Unless MS sawed down and copied Apache, it would be hard to make a product w/o making a few mistakes. NOTHING is perfect the first time. How secure was the first version of Linux?
Also, I'm sorry, but Apache still gets hacked. I remember before IIS was out pages were getting hacked all over the place. Free Kevin, anyone?
I'm not slamming what you are saying, really, because I don't get the feeling you are one way or the other on this. I am just expressing a point of view. But there is definitely a lot of anti-MS FUD expressed here, and strangely enough, MS got quite a bit of /. lovin' today.
Hopefully this will be the start of a trend. Not pro-MS, but pro-rational article.
Manipulate the moderator system! Mod someone as "overrated" today.
That every desktop user in the world should move over to FreeBSD, and learn a whole new environment? We'll ignore the fact that Linux (in any of its variations) is infinitely more difficult for the end-user.
Why is it people like you always miss the point - it's not about brand names or vendors. It's about a bloody tool. A PC is just another tool, and if it can't be used by the people who need it, it's not good enough. Sure, security is important, but what good is a secure computer that only 10% of the population can figure out how to log into?
I'll happily move over to a better OS if it comes along, provided it's actually going to help me do my job in a better way! Until then, forget Linux - it's 5 years behind MS, and probably 10 behind MacOS (and yes, I'm aware OSX is based on BSD, blah blah blah).
Ok, being a sysadmin for both Apache systems and IIS systems, I would love to know what you think IIS can do that Apache cannot. ISAPIs in IIS can be loaded as modules in Apache. So I am really interested to know if you have anything in mind or if you are just blowing smoke.
I had mod points and was going to use them in this forum... but I just couldn't resist replying to your post because there just simply isn't any foundation to your claims.
The only thing that Apache lacks (and it doesn't anymore) is a good GUI configuration tool. Personally though, I always liked the direct editing of the config file anyway. I still do that even though the GUI is a very nice addon. I am not saying that IIS sucks and I am not saying that Apache is the coolest thing since sliced bread... all I am asking is for you to back up claims like that with real facts.
On another note. You might want to consider adding <br> tags to your posts when you want a new line. Makes it easier to read.